@adammcarter/use-cases 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (704) hide show
  1. package/.agents/skills/migration/SKILL.md +85 -0
  2. package/.agents/skills/showcase/SKILL.md +60 -0
  3. package/.agents/skills/use-cases/SKILL.md +161 -0
  4. package/.agents/skills/walkthrough/SKILL.md +48 -0
  5. package/.claude-plugin/plugin.json +14 -0
  6. package/.codex-plugin/plugin.json +33 -0
  7. package/.mcp.json +8 -0
  8. package/.opencode/plugin/use-cases.js +32 -0
  9. package/CHANGELOG.md +125 -0
  10. package/LICENSE +21 -0
  11. package/README.md +112 -0
  12. package/bootstrap/use-cases.md +60 -0
  13. package/docs/README.md +51 -0
  14. package/docs/acceptance.md +16 -0
  15. package/docs/activation.md +89 -0
  16. package/docs/adr/0001-p0-bootstrap-decisions.md +107 -0
  17. package/docs/adr/0002-p1-schema-contracts.md +136 -0
  18. package/docs/adr/0003-p2-use-case-matrix-contracts.md +67 -0
  19. package/docs/adr/0004-p3-evidence-ledger-contracts.md +85 -0
  20. package/docs/adr/0005-p4-cli-contract.md +70 -0
  21. package/docs/adr/0006-trusted-user-approval-path.md +125 -0
  22. package/docs/cli.md +108 -0
  23. package/docs/data-model.md +56 -0
  24. package/docs/getting-started.md +296 -0
  25. package/docs/hosts.md +30 -0
  26. package/docs/markers-adoption.md +100 -0
  27. package/docs/mcp.md +114 -0
  28. package/docs/migration.md +90 -0
  29. package/docs/reference/error-codes.md +123 -0
  30. package/docs/reference/stability.md +123 -0
  31. package/docs/release.md +26 -0
  32. package/docs/security/ci-hardening.md +144 -0
  33. package/docs/security/key-management.md +158 -0
  34. package/docs/security.md +66 -0
  35. package/docs/showcase.md +39 -0
  36. package/docs/tutorials/python-pytest.md +188 -0
  37. package/examples/basic-product/demo-capsules/product-search.yml +23 -0
  38. package/examples/basic-product/evidence/by-id/ev/evidence-basic-search.jsonl +1 -0
  39. package/examples/basic-product/showcase-runs/run.basic.product.search/events.jsonl +4 -0
  40. package/examples/basic-product/use-cases/product.yml +85 -0
  41. package/examples/basic-product/use-cases.yml +9 -0
  42. package/examples/damaged-product/evidence/broken.jsonl +1 -0
  43. package/examples/damaged-product/use-cases/duplicate-a.yml +28 -0
  44. package/examples/damaged-product/use-cases/duplicate-b.yml +28 -0
  45. package/examples/damaged-product/use-cases/malformed.yml +14 -0
  46. package/examples/damaged-product/use-cases/valid-sibling.yml +28 -0
  47. package/examples/damaged-product/use-cases.yml +9 -0
  48. package/examples/host-projections/use-cases.yml +9 -0
  49. package/examples/python-pytest/README.md +39 -0
  50. package/examples/python-pytest/pytest.ini +8 -0
  51. package/examples/python-pytest/src/coupon.py +32 -0
  52. package/examples/python-pytest/tests/use_cases/example.checkout.apply_coupon_test.py +31 -0
  53. package/examples/python-pytest/use-cases/checkout.yml +47 -0
  54. package/examples/python-pytest/use-cases.yml +19 -0
  55. package/hooks/hooks-codex.json +16 -0
  56. package/hooks/hooks.json +16 -0
  57. package/hooks/session-start +42 -0
  58. package/hosts/claude.yml +29 -0
  59. package/hosts/codex.yml +29 -0
  60. package/hosts/copilot.yml +29 -0
  61. package/hosts/opencode.yml +29 -0
  62. package/package.json +81 -0
  63. package/packages/cli/README.md +37 -0
  64. package/packages/cli/dist/args/parse.d.ts +6 -0
  65. package/packages/cli/dist/args/parse.d.ts.map +1 -0
  66. package/packages/cli/dist/args/parse.js +55 -0
  67. package/packages/cli/dist/args/parse.js.map +1 -0
  68. package/packages/cli/dist/args/validate.d.ts +3 -0
  69. package/packages/cli/dist/args/validate.d.ts.map +1 -0
  70. package/packages/cli/dist/args/validate.js +80 -0
  71. package/packages/cli/dist/args/validate.js.map +1 -0
  72. package/packages/cli/dist/builtins.d.ts +2 -0
  73. package/packages/cli/dist/builtins.d.ts.map +1 -0
  74. package/packages/cli/dist/builtins.js +235 -0
  75. package/packages/cli/dist/builtins.js.map +1 -0
  76. package/packages/cli/dist/command/dispatch.d.ts +4 -0
  77. package/packages/cli/dist/command/dispatch.d.ts.map +1 -0
  78. package/packages/cli/dist/command/dispatch.js +45 -0
  79. package/packages/cli/dist/command/dispatch.js.map +1 -0
  80. package/packages/cli/dist/command/help-catalog.d.ts +13 -0
  81. package/packages/cli/dist/command/help-catalog.d.ts.map +1 -0
  82. package/packages/cli/dist/command/help-catalog.js +42 -0
  83. package/packages/cli/dist/command/help-catalog.js.map +1 -0
  84. package/packages/cli/dist/command/registry.d.ts +3 -0
  85. package/packages/cli/dist/command/registry.d.ts.map +1 -0
  86. package/packages/cli/dist/command/registry.js +33 -0
  87. package/packages/cli/dist/command/registry.js.map +1 -0
  88. package/packages/cli/dist/command/types.d.ts +32 -0
  89. package/packages/cli/dist/command/types.d.ts.map +1 -0
  90. package/packages/cli/dist/command/types.js +6 -0
  91. package/packages/cli/dist/command/types.js.map +1 -0
  92. package/packages/cli/dist/commands/capsule.d.ts +7 -0
  93. package/packages/cli/dist/commands/capsule.d.ts.map +1 -0
  94. package/packages/cli/dist/commands/capsule.js +178 -0
  95. package/packages/cli/dist/commands/capsule.js.map +1 -0
  96. package/packages/cli/dist/commands/common.d.ts +7 -0
  97. package/packages/cli/dist/commands/common.d.ts.map +1 -0
  98. package/packages/cli/dist/commands/common.js +32 -0
  99. package/packages/cli/dist/commands/common.js.map +1 -0
  100. package/packages/cli/dist/commands/doctor.d.ts +6 -0
  101. package/packages/cli/dist/commands/doctor.d.ts.map +1 -0
  102. package/packages/cli/dist/commands/doctor.js +133 -0
  103. package/packages/cli/dist/commands/doctor.js.map +1 -0
  104. package/packages/cli/dist/commands/evidence.d.ts +6 -0
  105. package/packages/cli/dist/commands/evidence.d.ts.map +1 -0
  106. package/packages/cli/dist/commands/evidence.js +191 -0
  107. package/packages/cli/dist/commands/evidence.js.map +1 -0
  108. package/packages/cli/dist/commands/host.d.ts +6 -0
  109. package/packages/cli/dist/commands/host.d.ts.map +1 -0
  110. package/packages/cli/dist/commands/host.js +180 -0
  111. package/packages/cli/dist/commands/host.js.map +1 -0
  112. package/packages/cli/dist/commands/keygen.d.ts +4 -0
  113. package/packages/cli/dist/commands/keygen.d.ts.map +1 -0
  114. package/packages/cli/dist/commands/keygen.js +132 -0
  115. package/packages/cli/dist/commands/keygen.js.map +1 -0
  116. package/packages/cli/dist/commands/markers.d.ts +8 -0
  117. package/packages/cli/dist/commands/markers.d.ts.map +1 -0
  118. package/packages/cli/dist/commands/markers.js +455 -0
  119. package/packages/cli/dist/commands/markers.js.map +1 -0
  120. package/packages/cli/dist/commands/matrix.d.ts +8 -0
  121. package/packages/cli/dist/commands/matrix.d.ts.map +1 -0
  122. package/packages/cli/dist/commands/matrix.js +237 -0
  123. package/packages/cli/dist/commands/matrix.js.map +1 -0
  124. package/packages/cli/dist/commands/migrate.d.ts +4 -0
  125. package/packages/cli/dist/commands/migrate.d.ts.map +1 -0
  126. package/packages/cli/dist/commands/migrate.js +82 -0
  127. package/packages/cli/dist/commands/migrate.js.map +1 -0
  128. package/packages/cli/dist/commands/plan.d.ts +6 -0
  129. package/packages/cli/dist/commands/plan.d.ts.map +1 -0
  130. package/packages/cli/dist/commands/plan.js +129 -0
  131. package/packages/cli/dist/commands/plan.js.map +1 -0
  132. package/packages/cli/dist/commands/recover.d.ts +4 -0
  133. package/packages/cli/dist/commands/recover.d.ts.map +1 -0
  134. package/packages/cli/dist/commands/recover.js +352 -0
  135. package/packages/cli/dist/commands/recover.js.map +1 -0
  136. package/packages/cli/dist/commands/schema.d.ts +5 -0
  137. package/packages/cli/dist/commands/schema.d.ts.map +1 -0
  138. package/packages/cli/dist/commands/schema.js +51 -0
  139. package/packages/cli/dist/commands/schema.js.map +1 -0
  140. package/packages/cli/dist/commands/showcase.d.ts +14 -0
  141. package/packages/cli/dist/commands/showcase.d.ts.map +1 -0
  142. package/packages/cli/dist/commands/showcase.js +638 -0
  143. package/packages/cli/dist/commands/showcase.js.map +1 -0
  144. package/packages/cli/dist/commands/workflow.d.ts +5 -0
  145. package/packages/cli/dist/commands/workflow.d.ts.map +1 -0
  146. package/packages/cli/dist/commands/workflow.js +107 -0
  147. package/packages/cli/dist/commands/workflow.js.map +1 -0
  148. package/packages/cli/dist/coreLoader.d.ts +6 -0
  149. package/packages/cli/dist/coreLoader.d.ts.map +1 -0
  150. package/packages/cli/dist/coreLoader.js +34 -0
  151. package/packages/cli/dist/coreLoader.js.map +1 -0
  152. package/packages/cli/dist/index.d.ts +5 -0
  153. package/packages/cli/dist/index.d.ts.map +1 -0
  154. package/packages/cli/dist/index.js +83 -0
  155. package/packages/cli/dist/index.js.map +1 -0
  156. package/packages/cli/dist/render.d.ts +2 -0
  157. package/packages/cli/dist/render.d.ts.map +1 -0
  158. package/packages/cli/dist/render.js +88 -0
  159. package/packages/cli/dist/render.js.map +1 -0
  160. package/packages/cli/dist/runtime.d.ts +25 -0
  161. package/packages/cli/dist/runtime.d.ts.map +1 -0
  162. package/packages/cli/dist/runtime.js +89 -0
  163. package/packages/cli/dist/runtime.js.map +1 -0
  164. package/packages/cli/package.json +38 -0
  165. package/packages/core/README.md +37 -0
  166. package/packages/core/dist/capsules/index.d.ts +4 -0
  167. package/packages/core/dist/capsules/index.d.ts.map +1 -0
  168. package/packages/core/dist/capsules/index.js +4 -0
  169. package/packages/core/dist/capsules/index.js.map +1 -0
  170. package/packages/core/dist/capsules/loadCapsule.d.ts +11 -0
  171. package/packages/core/dist/capsules/loadCapsule.d.ts.map +1 -0
  172. package/packages/core/dist/capsules/loadCapsule.js +167 -0
  173. package/packages/core/dist/capsules/loadCapsule.js.map +1 -0
  174. package/packages/core/dist/capsules/runCapsule.d.ts +3 -0
  175. package/packages/core/dist/capsules/runCapsule.d.ts.map +1 -0
  176. package/packages/core/dist/capsules/runCapsule.js +333 -0
  177. package/packages/core/dist/capsules/runCapsule.js.map +1 -0
  178. package/packages/core/dist/capsules/types.d.ts +106 -0
  179. package/packages/core/dist/capsules/types.d.ts.map +1 -0
  180. package/packages/core/dist/capsules/types.js +2 -0
  181. package/packages/core/dist/capsules/types.js.map +1 -0
  182. package/packages/core/dist/durableWrite.d.ts +2 -0
  183. package/packages/core/dist/durableWrite.d.ts.map +1 -0
  184. package/packages/core/dist/durableWrite.js +34 -0
  185. package/packages/core/dist/durableWrite.js.map +1 -0
  186. package/packages/core/dist/errors/registry.d.ts +122 -0
  187. package/packages/core/dist/errors/registry.d.ts.map +1 -0
  188. package/packages/core/dist/errors/registry.js +206 -0
  189. package/packages/core/dist/errors/registry.js.map +1 -0
  190. package/packages/core/dist/errors/render.d.ts +3 -0
  191. package/packages/core/dist/errors/render.d.ts.map +1 -0
  192. package/packages/core/dist/errors/render.js +64 -0
  193. package/packages/core/dist/errors/render.js.map +1 -0
  194. package/packages/core/dist/errors.d.ts +5 -0
  195. package/packages/core/dist/errors.d.ts.map +1 -0
  196. package/packages/core/dist/errors.js +9 -0
  197. package/packages/core/dist/errors.js.map +1 -0
  198. package/packages/core/dist/evidence/appendEvidenceEvent.d.ts +27 -0
  199. package/packages/core/dist/evidence/appendEvidenceEvent.d.ts.map +1 -0
  200. package/packages/core/dist/evidence/appendEvidenceEvent.js +218 -0
  201. package/packages/core/dist/evidence/appendEvidenceEvent.js.map +1 -0
  202. package/packages/core/dist/evidence/assurance.d.ts +18 -0
  203. package/packages/core/dist/evidence/assurance.d.ts.map +1 -0
  204. package/packages/core/dist/evidence/assurance.js +38 -0
  205. package/packages/core/dist/evidence/assurance.js.map +1 -0
  206. package/packages/core/dist/evidence/index.d.ts +8 -0
  207. package/packages/core/dist/evidence/index.d.ts.map +1 -0
  208. package/packages/core/dist/evidence/index.js +8 -0
  209. package/packages/core/dist/evidence/index.js.map +1 -0
  210. package/packages/core/dist/evidence/jsonlLedger.d.ts +13 -0
  211. package/packages/core/dist/evidence/jsonlLedger.d.ts.map +1 -0
  212. package/packages/core/dist/evidence/jsonlLedger.js +171 -0
  213. package/packages/core/dist/evidence/jsonlLedger.js.map +1 -0
  214. package/packages/core/dist/evidence/linkEvidence.d.ts +4 -0
  215. package/packages/core/dist/evidence/linkEvidence.d.ts.map +1 -0
  216. package/packages/core/dist/evidence/linkEvidence.js +53 -0
  217. package/packages/core/dist/evidence/linkEvidence.js.map +1 -0
  218. package/packages/core/dist/evidence/replayEvidence.d.ts +6 -0
  219. package/packages/core/dist/evidence/replayEvidence.d.ts.map +1 -0
  220. package/packages/core/dist/evidence/replayEvidence.js +216 -0
  221. package/packages/core/dist/evidence/replayEvidence.js.map +1 -0
  222. package/packages/core/dist/evidence/results.d.ts +4 -0
  223. package/packages/core/dist/evidence/results.d.ts.map +1 -0
  224. package/packages/core/dist/evidence/results.js +32 -0
  225. package/packages/core/dist/evidence/results.js.map +1 -0
  226. package/packages/core/dist/evidence/types.d.ts +149 -0
  227. package/packages/core/dist/evidence/types.d.ts.map +1 -0
  228. package/packages/core/dist/evidence/types.js +2 -0
  229. package/packages/core/dist/evidence/types.js.map +1 -0
  230. package/packages/core/dist/host-profiles/claude.yml +29 -0
  231. package/packages/core/dist/host-profiles/codex.yml +29 -0
  232. package/packages/core/dist/host-profiles/copilot.yml +29 -0
  233. package/packages/core/dist/host-profiles/opencode.yml +29 -0
  234. package/packages/core/dist/hosts/conformanceStatus.d.ts +16 -0
  235. package/packages/core/dist/hosts/conformanceStatus.d.ts.map +1 -0
  236. package/packages/core/dist/hosts/conformanceStatus.js +160 -0
  237. package/packages/core/dist/hosts/conformanceStatus.js.map +1 -0
  238. package/packages/core/dist/hosts/index.d.ts +5 -0
  239. package/packages/core/dist/hosts/index.d.ts.map +1 -0
  240. package/packages/core/dist/hosts/index.js +5 -0
  241. package/packages/core/dist/hosts/index.js.map +1 -0
  242. package/packages/core/dist/hosts/loadHostProfile.d.ts +6 -0
  243. package/packages/core/dist/hosts/loadHostProfile.d.ts.map +1 -0
  244. package/packages/core/dist/hosts/loadHostProfile.js +41 -0
  245. package/packages/core/dist/hosts/loadHostProfile.js.map +1 -0
  246. package/packages/core/dist/hosts/projectHostFiles.d.ts +16 -0
  247. package/packages/core/dist/hosts/projectHostFiles.d.ts.map +1 -0
  248. package/packages/core/dist/hosts/projectHostFiles.js +272 -0
  249. package/packages/core/dist/hosts/projectHostFiles.js.map +1 -0
  250. package/packages/core/dist/hosts/types.d.ts +122 -0
  251. package/packages/core/dist/hosts/types.d.ts.map +1 -0
  252. package/packages/core/dist/hosts/types.js +2 -0
  253. package/packages/core/dist/hosts/types.js.map +1 -0
  254. package/packages/core/dist/index.d.ts +26 -0
  255. package/packages/core/dist/index.d.ts.map +1 -0
  256. package/packages/core/dist/index.js +31 -0
  257. package/packages/core/dist/index.js.map +1 -0
  258. package/packages/core/dist/init/index.d.ts +2 -0
  259. package/packages/core/dist/init/index.d.ts.map +1 -0
  260. package/packages/core/dist/init/index.js +3 -0
  261. package/packages/core/dist/init/index.js.map +1 -0
  262. package/packages/core/dist/init/scaffold.d.ts +28 -0
  263. package/packages/core/dist/init/scaffold.d.ts.map +1 -0
  264. package/packages/core/dist/init/scaffold.js +293 -0
  265. package/packages/core/dist/init/scaffold.js.map +1 -0
  266. package/packages/core/dist/markers/appendOnly.d.ts +23 -0
  267. package/packages/core/dist/markers/appendOnly.d.ts.map +1 -0
  268. package/packages/core/dist/markers/appendOnly.js +75 -0
  269. package/packages/core/dist/markers/appendOnly.js.map +1 -0
  270. package/packages/core/dist/markers/bindingSetHash.d.ts +28 -0
  271. package/packages/core/dist/markers/bindingSetHash.d.ts.map +1 -0
  272. package/packages/core/dist/markers/bindingSetHash.js +33 -0
  273. package/packages/core/dist/markers/bindingSetHash.js.map +1 -0
  274. package/packages/core/dist/markers/canonicalJson.d.ts +4 -0
  275. package/packages/core/dist/markers/canonicalJson.d.ts.map +1 -0
  276. package/packages/core/dist/markers/canonicalJson.js +51 -0
  277. package/packages/core/dist/markers/canonicalJson.js.map +1 -0
  278. package/packages/core/dist/markers/ciAuthority.d.ts +17 -0
  279. package/packages/core/dist/markers/ciAuthority.d.ts.map +1 -0
  280. package/packages/core/dist/markers/ciAuthority.js +131 -0
  281. package/packages/core/dist/markers/ciAuthority.js.map +1 -0
  282. package/packages/core/dist/markers/cli/bind.d.ts +48 -0
  283. package/packages/core/dist/markers/cli/bind.d.ts.map +1 -0
  284. package/packages/core/dist/markers/cli/bind.js +198 -0
  285. package/packages/core/dist/markers/cli/bind.js.map +1 -0
  286. package/packages/core/dist/markers/cli/index.d.ts +9 -0
  287. package/packages/core/dist/markers/cli/index.d.ts.map +1 -0
  288. package/packages/core/dist/markers/cli/index.js +15 -0
  289. package/packages/core/dist/markers/cli/index.js.map +1 -0
  290. package/packages/core/dist/markers/cli/io.d.ts +18 -0
  291. package/packages/core/dist/markers/cli/io.d.ts.map +1 -0
  292. package/packages/core/dist/markers/cli/io.js +62 -0
  293. package/packages/core/dist/markers/cli/io.js.map +1 -0
  294. package/packages/core/dist/markers/cli/precommit.d.ts +32 -0
  295. package/packages/core/dist/markers/cli/precommit.d.ts.map +1 -0
  296. package/packages/core/dist/markers/cli/precommit.js +174 -0
  297. package/packages/core/dist/markers/cli/precommit.js.map +1 -0
  298. package/packages/core/dist/markers/cli/prove.d.ts +69 -0
  299. package/packages/core/dist/markers/cli/prove.d.ts.map +1 -0
  300. package/packages/core/dist/markers/cli/prove.js +381 -0
  301. package/packages/core/dist/markers/cli/prove.js.map +1 -0
  302. package/packages/core/dist/markers/cli/scan.d.ts +63 -0
  303. package/packages/core/dist/markers/cli/scan.d.ts.map +1 -0
  304. package/packages/core/dist/markers/cli/scan.js +233 -0
  305. package/packages/core/dist/markers/cli/scan.js.map +1 -0
  306. package/packages/core/dist/markers/cli/shared.d.ts +25 -0
  307. package/packages/core/dist/markers/cli/shared.d.ts.map +1 -0
  308. package/packages/core/dist/markers/cli/shared.js +123 -0
  309. package/packages/core/dist/markers/cli/shared.js.map +1 -0
  310. package/packages/core/dist/markers/cli/validateLedger.d.ts +38 -0
  311. package/packages/core/dist/markers/cli/validateLedger.d.ts.map +1 -0
  312. package/packages/core/dist/markers/cli/validateLedger.js +81 -0
  313. package/packages/core/dist/markers/cli/validateLedger.js.map +1 -0
  314. package/packages/core/dist/markers/cli/verify.d.ts +65 -0
  315. package/packages/core/dist/markers/cli/verify.d.ts.map +1 -0
  316. package/packages/core/dist/markers/cli/verify.js +245 -0
  317. package/packages/core/dist/markers/cli/verify.js.map +1 -0
  318. package/packages/core/dist/markers/commentPrefix.d.ts +7 -0
  319. package/packages/core/dist/markers/commentPrefix.d.ts.map +1 -0
  320. package/packages/core/dist/markers/commentPrefix.js +79 -0
  321. package/packages/core/dist/markers/commentPrefix.js.map +1 -0
  322. package/packages/core/dist/markers/constants.d.ts +10 -0
  323. package/packages/core/dist/markers/constants.d.ts.map +1 -0
  324. package/packages/core/dist/markers/constants.js +13 -0
  325. package/packages/core/dist/markers/constants.js.map +1 -0
  326. package/packages/core/dist/markers/evidenceLedger.d.ts +150 -0
  327. package/packages/core/dist/markers/evidenceLedger.d.ts.map +1 -0
  328. package/packages/core/dist/markers/evidenceLedger.js +391 -0
  329. package/packages/core/dist/markers/evidenceLedger.js.map +1 -0
  330. package/packages/core/dist/markers/freshness.d.ts +125 -0
  331. package/packages/core/dist/markers/freshness.d.ts.map +1 -0
  332. package/packages/core/dist/markers/freshness.js +605 -0
  333. package/packages/core/dist/markers/freshness.js.map +1 -0
  334. package/packages/core/dist/markers/index.d.ts +26 -0
  335. package/packages/core/dist/markers/index.d.ts.map +1 -0
  336. package/packages/core/dist/markers/index.js +38 -0
  337. package/packages/core/dist/markers/index.js.map +1 -0
  338. package/packages/core/dist/markers/keygen.d.ts +6 -0
  339. package/packages/core/dist/markers/keygen.d.ts.map +1 -0
  340. package/packages/core/dist/markers/keygen.js +18 -0
  341. package/packages/core/dist/markers/keygen.js.map +1 -0
  342. package/packages/core/dist/markers/keyring.d.ts +23 -0
  343. package/packages/core/dist/markers/keyring.d.ts.map +1 -0
  344. package/packages/core/dist/markers/keyring.js +93 -0
  345. package/packages/core/dist/markers/keyring.js.map +1 -0
  346. package/packages/core/dist/markers/markerLine.d.ts +35 -0
  347. package/packages/core/dist/markers/markerLine.d.ts.map +1 -0
  348. package/packages/core/dist/markers/markerLine.js +125 -0
  349. package/packages/core/dist/markers/markerLine.js.map +1 -0
  350. package/packages/core/dist/markers/physicalLines.d.ts +10 -0
  351. package/packages/core/dist/markers/physicalLines.d.ts.map +1 -0
  352. package/packages/core/dist/markers/physicalLines.js +48 -0
  353. package/packages/core/dist/markers/physicalLines.js.map +1 -0
  354. package/packages/core/dist/markers/policyHash.d.ts +4 -0
  355. package/packages/core/dist/markers/policyHash.d.ts.map +1 -0
  356. package/packages/core/dist/markers/policyHash.js +14 -0
  357. package/packages/core/dist/markers/policyHash.js.map +1 -0
  358. package/packages/core/dist/markers/proofSignature.d.ts +29 -0
  359. package/packages/core/dist/markers/proofSignature.d.ts.map +1 -0
  360. package/packages/core/dist/markers/proofSignature.js +106 -0
  361. package/packages/core/dist/markers/proofSignature.js.map +1 -0
  362. package/packages/core/dist/markers/reconcile.d.ts +26 -0
  363. package/packages/core/dist/markers/reconcile.d.ts.map +1 -0
  364. package/packages/core/dist/markers/reconcile.js +52 -0
  365. package/packages/core/dist/markers/reconcile.js.map +1 -0
  366. package/packages/core/dist/markers/registry.d.ts +53 -0
  367. package/packages/core/dist/markers/registry.d.ts.map +1 -0
  368. package/packages/core/dist/markers/registry.js +161 -0
  369. package/packages/core/dist/markers/registry.js.map +1 -0
  370. package/packages/core/dist/markers/rowHash.d.ts +2 -0
  371. package/packages/core/dist/markers/rowHash.d.ts.map +1 -0
  372. package/packages/core/dist/markers/rowHash.js +10 -0
  373. package/packages/core/dist/markers/rowHash.js.map +1 -0
  374. package/packages/core/dist/markers/scanner.d.ts +67 -0
  375. package/packages/core/dist/markers/scanner.d.ts.map +1 -0
  376. package/packages/core/dist/markers/scanner.js +292 -0
  377. package/packages/core/dist/markers/scanner.js.map +1 -0
  378. package/packages/core/dist/markers/schemas/binding-registry-event.schema.json +41 -0
  379. package/packages/core/dist/markers/schemas/freshness-status.schema.json +134 -0
  380. package/packages/core/dist/markers/schemas/proof-event.schema.json +170 -0
  381. package/packages/core/dist/markers/spanCanon.d.ts +4 -0
  382. package/packages/core/dist/markers/spanCanon.d.ts.map +1 -0
  383. package/packages/core/dist/markers/spanCanon.js +42 -0
  384. package/packages/core/dist/markers/spanCanon.js.map +1 -0
  385. package/packages/core/dist/markers/swiftFuncRecognizer.d.ts +36 -0
  386. package/packages/core/dist/markers/swiftFuncRecognizer.d.ts.map +1 -0
  387. package/packages/core/dist/markers/swiftFuncRecognizer.js +638 -0
  388. package/packages/core/dist/markers/swiftFuncRecognizer.js.map +1 -0
  389. package/packages/core/dist/markers/validators.d.ts +13 -0
  390. package/packages/core/dist/markers/validators.d.ts.map +1 -0
  391. package/packages/core/dist/markers/validators.js +64 -0
  392. package/packages/core/dist/markers/validators.js.map +1 -0
  393. package/packages/core/dist/markers/verificationContextHash.d.ts +23 -0
  394. package/packages/core/dist/markers/verificationContextHash.d.ts.map +1 -0
  395. package/packages/core/dist/markers/verificationContextHash.js +96 -0
  396. package/packages/core/dist/markers/verificationContextHash.js.map +1 -0
  397. package/packages/core/dist/markers/verifierPresets.d.ts +18 -0
  398. package/packages/core/dist/markers/verifierPresets.d.ts.map +1 -0
  399. package/packages/core/dist/markers/verifierPresets.js +71 -0
  400. package/packages/core/dist/markers/verifierPresets.js.map +1 -0
  401. package/packages/core/dist/markers/verifierResolver.d.ts +27 -0
  402. package/packages/core/dist/markers/verifierResolver.d.ts.map +1 -0
  403. package/packages/core/dist/markers/verifierResolver.js +151 -0
  404. package/packages/core/dist/markers/verifierResolver.js.map +1 -0
  405. package/packages/core/dist/migration/index.d.ts +2 -0
  406. package/packages/core/dist/migration/index.d.ts.map +1 -0
  407. package/packages/core/dist/migration/index.js +2 -0
  408. package/packages/core/dist/migration/index.js.map +1 -0
  409. package/packages/core/dist/migration/testMatrix.d.ts +42 -0
  410. package/packages/core/dist/migration/testMatrix.d.ts.map +1 -0
  411. package/packages/core/dist/migration/testMatrix.js +351 -0
  412. package/packages/core/dist/migration/testMatrix.js.map +1 -0
  413. package/packages/core/dist/package/index.d.ts +2 -0
  414. package/packages/core/dist/package/index.d.ts.map +1 -0
  415. package/packages/core/dist/package/index.js +2 -0
  416. package/packages/core/dist/package/index.js.map +1 -0
  417. package/packages/core/dist/package/inspectPackage.d.ts +67 -0
  418. package/packages/core/dist/package/inspectPackage.d.ts.map +1 -0
  419. package/packages/core/dist/package/inspectPackage.js +371 -0
  420. package/packages/core/dist/package/inspectPackage.js.map +1 -0
  421. package/packages/core/dist/presentation/candidates.d.ts +13 -0
  422. package/packages/core/dist/presentation/candidates.d.ts.map +1 -0
  423. package/packages/core/dist/presentation/candidates.js +86 -0
  424. package/packages/core/dist/presentation/candidates.js.map +1 -0
  425. package/packages/core/dist/presentation/index.d.ts +8 -0
  426. package/packages/core/dist/presentation/index.d.ts.map +1 -0
  427. package/packages/core/dist/presentation/index.js +8 -0
  428. package/packages/core/dist/presentation/index.js.map +1 -0
  429. package/packages/core/dist/presentation/items.d.ts +18 -0
  430. package/packages/core/dist/presentation/items.d.ts.map +1 -0
  431. package/packages/core/dist/presentation/items.js +228 -0
  432. package/packages/core/dist/presentation/items.js.map +1 -0
  433. package/packages/core/dist/presentation/ordering.d.ts +8 -0
  434. package/packages/core/dist/presentation/ordering.d.ts.map +1 -0
  435. package/packages/core/dist/presentation/ordering.js +31 -0
  436. package/packages/core/dist/presentation/ordering.js.map +1 -0
  437. package/packages/core/dist/presentation/planHelpers.d.ts +26 -0
  438. package/packages/core/dist/presentation/planHelpers.d.ts.map +1 -0
  439. package/packages/core/dist/presentation/planHelpers.js +62 -0
  440. package/packages/core/dist/presentation/planHelpers.js.map +1 -0
  441. package/packages/core/dist/presentation/presentationFormat.d.ts +39 -0
  442. package/packages/core/dist/presentation/presentationFormat.d.ts.map +1 -0
  443. package/packages/core/dist/presentation/presentationFormat.js +58 -0
  444. package/packages/core/dist/presentation/presentationFormat.js.map +1 -0
  445. package/packages/core/dist/presentation/renderCard.d.ts +37 -0
  446. package/packages/core/dist/presentation/renderCard.d.ts.map +1 -0
  447. package/packages/core/dist/presentation/renderCard.js +129 -0
  448. package/packages/core/dist/presentation/renderCard.js.map +1 -0
  449. package/packages/core/dist/presentation/scoring.d.ts +10 -0
  450. package/packages/core/dist/presentation/scoring.d.ts.map +1 -0
  451. package/packages/core/dist/presentation/scoring.js +82 -0
  452. package/packages/core/dist/presentation/scoring.js.map +1 -0
  453. package/packages/core/dist/presentation/selectPlan.d.ts +4 -0
  454. package/packages/core/dist/presentation/selectPlan.d.ts.map +1 -0
  455. package/packages/core/dist/presentation/selectPlan.js +122 -0
  456. package/packages/core/dist/presentation/selectPlan.js.map +1 -0
  457. package/packages/core/dist/presentation/selectShowcasePlan.d.ts +3 -0
  458. package/packages/core/dist/presentation/selectShowcasePlan.d.ts.map +1 -0
  459. package/packages/core/dist/presentation/selectShowcasePlan.js +6 -0
  460. package/packages/core/dist/presentation/selectShowcasePlan.js.map +1 -0
  461. package/packages/core/dist/presentation/selectWalkthroughPlan.d.ts +3 -0
  462. package/packages/core/dist/presentation/selectWalkthroughPlan.d.ts.map +1 -0
  463. package/packages/core/dist/presentation/selectWalkthroughPlan.js +6 -0
  464. package/packages/core/dist/presentation/selectWalkthroughPlan.js.map +1 -0
  465. package/packages/core/dist/presentation/selection.d.ts +7 -0
  466. package/packages/core/dist/presentation/selection.d.ts.map +1 -0
  467. package/packages/core/dist/presentation/selection.js +20 -0
  468. package/packages/core/dist/presentation/selection.js.map +1 -0
  469. package/packages/core/dist/presentation/snapshot.d.ts +12 -0
  470. package/packages/core/dist/presentation/snapshot.d.ts.map +1 -0
  471. package/packages/core/dist/presentation/snapshot.js +53 -0
  472. package/packages/core/dist/presentation/snapshot.js.map +1 -0
  473. package/packages/core/dist/presentation/types.d.ts +172 -0
  474. package/packages/core/dist/presentation/types.d.ts.map +1 -0
  475. package/packages/core/dist/presentation/types.js +2 -0
  476. package/packages/core/dist/presentation/types.js.map +1 -0
  477. package/packages/core/dist/redact.d.ts +11 -0
  478. package/packages/core/dist/redact.d.ts.map +1 -0
  479. package/packages/core/dist/redact.js +17 -0
  480. package/packages/core/dist/redact.js.map +1 -0
  481. package/packages/core/dist/roots.d.ts +81 -0
  482. package/packages/core/dist/roots.d.ts.map +1 -0
  483. package/packages/core/dist/roots.js +220 -0
  484. package/packages/core/dist/roots.js.map +1 -0
  485. package/packages/core/dist/schema/cliResult.d.ts +34 -0
  486. package/packages/core/dist/schema/cliResult.d.ts.map +1 -0
  487. package/packages/core/dist/schema/cliResult.js +35 -0
  488. package/packages/core/dist/schema/cliResult.js.map +1 -0
  489. package/packages/core/dist/schema/diagnostic.d.ts +26 -0
  490. package/packages/core/dist/schema/diagnostic.d.ts.map +1 -0
  491. package/packages/core/dist/schema/diagnostic.js +28 -0
  492. package/packages/core/dist/schema/diagnostic.js.map +1 -0
  493. package/packages/core/dist/schema/index.d.ts +8 -0
  494. package/packages/core/dist/schema/index.d.ts.map +1 -0
  495. package/packages/core/dist/schema/index.js +9 -0
  496. package/packages/core/dist/schema/index.js.map +1 -0
  497. package/packages/core/dist/schema/registry.d.ts +15 -0
  498. package/packages/core/dist/schema/registry.d.ts.map +1 -0
  499. package/packages/core/dist/schema/registry.js +206 -0
  500. package/packages/core/dist/schema/registry.js.map +1 -0
  501. package/packages/core/dist/schema/syntheticContracts.d.ts +3 -0
  502. package/packages/core/dist/schema/syntheticContracts.d.ts.map +1 -0
  503. package/packages/core/dist/schema/syntheticContracts.js +342 -0
  504. package/packages/core/dist/schema/syntheticContracts.js.map +1 -0
  505. package/packages/core/dist/schema/validate.d.ts +21 -0
  506. package/packages/core/dist/schema/validate.d.ts.map +1 -0
  507. package/packages/core/dist/schema/validate.js +210 -0
  508. package/packages/core/dist/schema/validate.js.map +1 -0
  509. package/packages/core/dist/schemas/v1/authority.schema.json +70 -0
  510. package/packages/core/dist/schemas/v1/cli-result.schema.json +30 -0
  511. package/packages/core/dist/schemas/v1/common.schema.json +274 -0
  512. package/packages/core/dist/schemas/v1/demo-capsule.schema.json +78 -0
  513. package/packages/core/dist/schemas/v1/evidence-append-result.schema.json +14 -0
  514. package/packages/core/dist/schemas/v1/evidence-event.schema.json +181 -0
  515. package/packages/core/dist/schemas/v1/evidence-status-result.schema.json +68 -0
  516. package/packages/core/dist/schemas/v1/host-profile.schema.json +94 -0
  517. package/packages/core/dist/schemas/v1/host-status-result.schema.json +49 -0
  518. package/packages/core/dist/schemas/v1/keyring.schema.json +77 -0
  519. package/packages/core/dist/schemas/v1/ledger.schema.json +99 -0
  520. package/packages/core/dist/schemas/v1/marker.schema.json +84 -0
  521. package/packages/core/dist/schemas/v1/matrix-list-result.schema.json +67 -0
  522. package/packages/core/dist/schemas/v1/matrix-mutation-result.schema.json +49 -0
  523. package/packages/core/dist/schemas/v1/matrix-validation-result.schema.json +77 -0
  524. package/packages/core/dist/schemas/v1/mcp-tool-results.schema.json +34 -0
  525. package/packages/core/dist/schemas/v1/migration-test-matrix-result.schema.json +76 -0
  526. package/packages/core/dist/schemas/v1/presentation-plan-result.schema.json +62 -0
  527. package/packages/core/dist/schemas/v1/presentation-plan.schema.json +259 -0
  528. package/packages/core/dist/schemas/v1/release-gate-result.schema.json +136 -0
  529. package/packages/core/dist/schemas/v1/showcase-approval-result.schema.json +5 -0
  530. package/packages/core/dist/schemas/v1/showcase-event-append-result.schema.json +17 -0
  531. package/packages/core/dist/schemas/v1/showcase-event.schema.json +235 -0
  532. package/packages/core/dist/schemas/v1/showcase-finish-result.schema.json +5 -0
  533. package/packages/core/dist/schemas/v1/showcase-run-status-result.schema.json +70 -0
  534. package/packages/core/dist/schemas/v1/showcase-start-result.schema.json +5 -0
  535. package/packages/core/dist/schemas/v1/use-case-file.schema.json +178 -0
  536. package/packages/core/dist/schemas/v1/workflow-mode.schema.json +16 -0
  537. package/packages/core/dist/schemas/v1/workspace-config.schema.json +58 -0
  538. package/packages/core/dist/showcase/appendShowcaseEvent.d.ts +116 -0
  539. package/packages/core/dist/showcase/appendShowcaseEvent.d.ts.map +1 -0
  540. package/packages/core/dist/showcase/appendShowcaseEvent.js +353 -0
  541. package/packages/core/dist/showcase/appendShowcaseEvent.js.map +1 -0
  542. package/packages/core/dist/showcase/approval.d.ts +2 -0
  543. package/packages/core/dist/showcase/approval.d.ts.map +1 -0
  544. package/packages/core/dist/showcase/approval.js +2 -0
  545. package/packages/core/dist/showcase/approval.js.map +1 -0
  546. package/packages/core/dist/showcase/approvalAuthority.d.ts +19 -0
  547. package/packages/core/dist/showcase/approvalAuthority.d.ts.map +1 -0
  548. package/packages/core/dist/showcase/approvalAuthority.js +46 -0
  549. package/packages/core/dist/showcase/approvalAuthority.js.map +1 -0
  550. package/packages/core/dist/showcase/index.d.ts +11 -0
  551. package/packages/core/dist/showcase/index.d.ts.map +1 -0
  552. package/packages/core/dist/showcase/index.js +11 -0
  553. package/packages/core/dist/showcase/index.js.map +1 -0
  554. package/packages/core/dist/showcase/jsonlLedger.d.ts +11 -0
  555. package/packages/core/dist/showcase/jsonlLedger.d.ts.map +1 -0
  556. package/packages/core/dist/showcase/jsonlLedger.js +50 -0
  557. package/packages/core/dist/showcase/jsonlLedger.js.map +1 -0
  558. package/packages/core/dist/showcase/planBinding.d.ts +5 -0
  559. package/packages/core/dist/showcase/planBinding.d.ts.map +1 -0
  560. package/packages/core/dist/showcase/planBinding.js +33 -0
  561. package/packages/core/dist/showcase/planBinding.js.map +1 -0
  562. package/packages/core/dist/showcase/replayRun.d.ts +5 -0
  563. package/packages/core/dist/showcase/replayRun.d.ts.map +1 -0
  564. package/packages/core/dist/showcase/replayRun.js +199 -0
  565. package/packages/core/dist/showcase/replayRun.js.map +1 -0
  566. package/packages/core/dist/showcase/results.d.ts +3 -0
  567. package/packages/core/dist/showcase/results.d.ts.map +1 -0
  568. package/packages/core/dist/showcase/results.js +4 -0
  569. package/packages/core/dist/showcase/results.js.map +1 -0
  570. package/packages/core/dist/showcase/revisionEpochs.d.ts +2 -0
  571. package/packages/core/dist/showcase/revisionEpochs.d.ts.map +1 -0
  572. package/packages/core/dist/showcase/revisionEpochs.js +2 -0
  573. package/packages/core/dist/showcase/revisionEpochs.js.map +1 -0
  574. package/packages/core/dist/showcase/startRun.d.ts +2 -0
  575. package/packages/core/dist/showcase/startRun.d.ts.map +1 -0
  576. package/packages/core/dist/showcase/startRun.js +2 -0
  577. package/packages/core/dist/showcase/startRun.js.map +1 -0
  578. package/packages/core/dist/showcase/types.d.ts +66 -0
  579. package/packages/core/dist/showcase/types.d.ts.map +1 -0
  580. package/packages/core/dist/showcase/types.js +2 -0
  581. package/packages/core/dist/showcase/types.js.map +1 -0
  582. package/packages/core/dist/skills/canonicalSkills.d.ts +3 -0
  583. package/packages/core/dist/skills/canonicalSkills.d.ts.map +1 -0
  584. package/packages/core/dist/skills/canonicalSkills.js +7 -0
  585. package/packages/core/dist/skills/canonicalSkills.js.map +1 -0
  586. package/packages/core/dist/skills/index.d.ts +4 -0
  587. package/packages/core/dist/skills/index.d.ts.map +1 -0
  588. package/packages/core/dist/skills/index.js +4 -0
  589. package/packages/core/dist/skills/index.js.map +1 -0
  590. package/packages/core/dist/skills/types.d.ts +26 -0
  591. package/packages/core/dist/skills/types.d.ts.map +1 -0
  592. package/packages/core/dist/skills/types.js +2 -0
  593. package/packages/core/dist/skills/types.js.map +1 -0
  594. package/packages/core/dist/skills/validateSkillAssets.d.ts +6 -0
  595. package/packages/core/dist/skills/validateSkillAssets.d.ts.map +1 -0
  596. package/packages/core/dist/skills/validateSkillAssets.js +218 -0
  597. package/packages/core/dist/skills/validateSkillAssets.js.map +1 -0
  598. package/packages/core/dist/useCases/integrity.d.ts +11 -0
  599. package/packages/core/dist/useCases/integrity.d.ts.map +1 -0
  600. package/packages/core/dist/useCases/integrity.js +178 -0
  601. package/packages/core/dist/useCases/integrity.js.map +1 -0
  602. package/packages/core/dist/useCases/loadUseCaseMatrix.d.ts +7 -0
  603. package/packages/core/dist/useCases/loadUseCaseMatrix.d.ts.map +1 -0
  604. package/packages/core/dist/useCases/loadUseCaseMatrix.js +74 -0
  605. package/packages/core/dist/useCases/loadUseCaseMatrix.js.map +1 -0
  606. package/packages/core/dist/useCases/mutateUseCaseMatrix.d.ts +25 -0
  607. package/packages/core/dist/useCases/mutateUseCaseMatrix.d.ts.map +1 -0
  608. package/packages/core/dist/useCases/mutateUseCaseMatrix.js +198 -0
  609. package/packages/core/dist/useCases/mutateUseCaseMatrix.js.map +1 -0
  610. package/packages/core/dist/useCases/query.d.ts +12 -0
  611. package/packages/core/dist/useCases/query.d.ts.map +1 -0
  612. package/packages/core/dist/useCases/query.js +47 -0
  613. package/packages/core/dist/useCases/query.js.map +1 -0
  614. package/packages/core/dist/useCases/types.d.ts +149 -0
  615. package/packages/core/dist/useCases/types.d.ts.map +1 -0
  616. package/packages/core/dist/useCases/types.js +2 -0
  617. package/packages/core/dist/useCases/types.js.map +1 -0
  618. package/packages/core/dist/useCases/validateUseCaseFile.d.ts +9 -0
  619. package/packages/core/dist/useCases/validateUseCaseFile.d.ts.map +1 -0
  620. package/packages/core/dist/useCases/validateUseCaseFile.js +107 -0
  621. package/packages/core/dist/useCases/validateUseCaseFile.js.map +1 -0
  622. package/packages/core/dist/version.d.ts +9 -0
  623. package/packages/core/dist/version.d.ts.map +1 -0
  624. package/packages/core/dist/version.js +17 -0
  625. package/packages/core/dist/version.js.map +1 -0
  626. package/packages/core/package.json +39 -0
  627. package/packages/mcp/README.md +48 -0
  628. package/packages/mcp/dist/index.d.ts +20 -0
  629. package/packages/mcp/dist/index.d.ts.map +1 -0
  630. package/packages/mcp/dist/index.js +180 -0
  631. package/packages/mcp/dist/index.js.map +1 -0
  632. package/packages/mcp/dist/prompts.d.ts +32 -0
  633. package/packages/mcp/dist/prompts.d.ts.map +1 -0
  634. package/packages/mcp/dist/prompts.js +199 -0
  635. package/packages/mcp/dist/prompts.js.map +1 -0
  636. package/packages/mcp/dist/resources.d.ts +22 -0
  637. package/packages/mcp/dist/resources.d.ts.map +1 -0
  638. package/packages/mcp/dist/resources.js +342 -0
  639. package/packages/mcp/dist/resources.js.map +1 -0
  640. package/packages/mcp/dist/toolHandlers.d.ts +28 -0
  641. package/packages/mcp/dist/toolHandlers.d.ts.map +1 -0
  642. package/packages/mcp/dist/toolHandlers.js +592 -0
  643. package/packages/mcp/dist/toolHandlers.js.map +1 -0
  644. package/packages/mcp/dist/toolSchemas.d.ts +23 -0
  645. package/packages/mcp/dist/toolSchemas.d.ts.map +1 -0
  646. package/packages/mcp/dist/toolSchemas.js +223 -0
  647. package/packages/mcp/dist/toolSchemas.js.map +1 -0
  648. package/packages/mcp/dist/tools.d.ts +22 -0
  649. package/packages/mcp/dist/tools.d.ts.map +1 -0
  650. package/packages/mcp/dist/tools.js +65 -0
  651. package/packages/mcp/dist/tools.js.map +1 -0
  652. package/packages/mcp/package.json +38 -0
  653. package/plugin.json +6 -0
  654. package/schemas/v1/authority.schema.json +70 -0
  655. package/schemas/v1/cli-result.schema.json +30 -0
  656. package/schemas/v1/common.schema.json +274 -0
  657. package/schemas/v1/demo-capsule.schema.json +78 -0
  658. package/schemas/v1/evidence-append-result.schema.json +14 -0
  659. package/schemas/v1/evidence-event.schema.json +181 -0
  660. package/schemas/v1/evidence-status-result.schema.json +68 -0
  661. package/schemas/v1/host-profile.schema.json +94 -0
  662. package/schemas/v1/host-status-result.schema.json +49 -0
  663. package/schemas/v1/keyring.schema.json +77 -0
  664. package/schemas/v1/ledger.schema.json +99 -0
  665. package/schemas/v1/marker.schema.json +84 -0
  666. package/schemas/v1/matrix-list-result.schema.json +67 -0
  667. package/schemas/v1/matrix-mutation-result.schema.json +49 -0
  668. package/schemas/v1/matrix-validation-result.schema.json +77 -0
  669. package/schemas/v1/mcp-tool-results.schema.json +34 -0
  670. package/schemas/v1/migration-test-matrix-result.schema.json +76 -0
  671. package/schemas/v1/presentation-plan-result.schema.json +62 -0
  672. package/schemas/v1/presentation-plan.schema.json +259 -0
  673. package/schemas/v1/release-gate-result.schema.json +136 -0
  674. package/schemas/v1/showcase-approval-result.schema.json +5 -0
  675. package/schemas/v1/showcase-event-append-result.schema.json +17 -0
  676. package/schemas/v1/showcase-event.schema.json +235 -0
  677. package/schemas/v1/showcase-finish-result.schema.json +5 -0
  678. package/schemas/v1/showcase-run-status-result.schema.json +70 -0
  679. package/schemas/v1/showcase-start-result.schema.json +5 -0
  680. package/schemas/v1/use-case-file.schema.json +178 -0
  681. package/schemas/v1/workflow-mode.schema.json +16 -0
  682. package/schemas/v1/workspace-config.schema.json +58 -0
  683. package/use-cases/capsule/demos.yml +212 -0
  684. package/use-cases/capsule/runner.yml +49 -0
  685. package/use-cases/diagnostics/contracts.yml +239 -0
  686. package/use-cases/evidence/core.yml +32 -0
  687. package/use-cases/evidence/ledger.yml +330 -0
  688. package/use-cases/hosts/profiles.yml +365 -0
  689. package/use-cases/hosts/projections.yml +96 -0
  690. package/use-cases/lifecycle/loop.yml +229 -0
  691. package/use-cases/matrix/core.yml +92 -0
  692. package/use-cases/matrix/product.yml +289 -0
  693. package/use-cases/mcp/surface.yml +257 -0
  694. package/use-cases/mcp/wrapper.yml +100 -0
  695. package/use-cases/migration/importer.yml +171 -0
  696. package/use-cases/migration/test-matrix.yml +32 -0
  697. package/use-cases/planning/cards.yml +215 -0
  698. package/use-cases/release/package.yml +80 -0
  699. package/use-cases/release/proof.yml +180 -0
  700. package/use-cases/roadmap/deferred.yml +184 -0
  701. package/use-cases/showcase/flow.yml +269 -0
  702. package/use-cases/showcase/live.yml +44 -0
  703. package/use-cases/skills/assets.yml +92 -0
  704. package/use-cases.yml +9 -0
@@ -0,0 +1,123 @@
1
+ <!-- GENERATED FILE — do not edit by hand.
2
+ Regenerate with `node packages/core/scripts/generate-error-codes.mjs`
3
+ (source of truth: packages/core/src/errors/registry.ts). -->
4
+
5
+ # Error Codes
6
+
7
+ Stable `UCM_*` error codes are part of the [public API](./stability.md). Each
8
+ code below is a versioned contract: a code is only removed or repurposed in a
9
+ **major** release; new codes ship additively in a **minor**. Diagnostics carry
10
+ the code in their `code` field.
11
+
12
+ There are **66** codes across **9** surfaces.
13
+
14
+ ## Marker grammar
15
+
16
+ | Code | Severity | Message |
17
+ |---|---|---|
18
+ | `UCM_MARKER_DUPLICATE_BINDING_SLUG` | error | Duplicate binding slug within the same source. |
19
+ | `UCM_MARKER_END_MALFORMED` | error | Marker end line is malformed. |
20
+ | `UCM_MARKER_END_MISMATCHED` | error | Marker end line does not match its open marker. |
21
+ | `UCM_MARKER_END_WITHOUT_START` | error | Marker end line has no matching start. |
22
+ | `UCM_MARKER_FORBIDDEN_PAYLOAD` | error | Marker line carries a forbidden payload. |
23
+ | `UCM_MARKER_MALFORMED` | error | Marker line is malformed. |
24
+ | `UCM_MARKER_NESTED_SPAN` | error | Marker spans may not be nested. |
25
+ | `UCM_MARKER_UNSUPPORTED_INFERENCE` | error | Marker span uses an unsupported inference. |
26
+
27
+ ## Binding registry
28
+
29
+ | Code | Severity | Message |
30
+ |---|---|---|
31
+ | `UCM_REGISTRY_DUPLICATE_REGISTRATION` | error | Duplicate registration in the binding registry. |
32
+ | `UCM_REGISTRY_JSON_PARSE` | error | Binding registry is not valid JSON. |
33
+ | `UCM_REGISTRY_ROW_MISSING` | error | Referenced registry row is missing. |
34
+ | `UCM_REGISTRY_SCHEMA_INVALID` | error | Binding registry does not match its schema. |
35
+ | `UCM_REGISTRY_SLUG_PREFIX_MISMATCH` | error | Binding slug prefix does not match the registry. |
36
+ | `UCM_REGISTRY_SLUG_ROW_CONFLICT` | error | Binding slug conflicts with an existing registry row. |
37
+
38
+ ## Evidence ledger
39
+
40
+ | Code | Severity | Message |
41
+ |---|---|---|
42
+ | `UCM_EVIDENCE_APPEND_ONLY_VIOLATION` | error | Evidence ledger is append-only; rewrite rejected. |
43
+ | `UCM_EVIDENCE_BINDING_SET_HASH_MISMATCH` | error | Evidence binding-set hash does not match. |
44
+ | `UCM_EVIDENCE_EXPECTED_HEAD_MISMATCH` | error | Expected head event does not match current head. |
45
+ | `UCM_EVIDENCE_IDEMPOTENCY_CONFLICT` | error | Idempotency key was reused with different intent. |
46
+ | `UCM_EVIDENCE_INVALID_TRANSITION` | error | Evidence aggregate is not in a state that allows this transition. |
47
+ | `UCM_EVIDENCE_JSON_PARSE` | error | Evidence ledger line is not valid JSON. |
48
+ | `UCM_EVIDENCE_LEDGER_DAMAGED` | error | Refusing to append to damaged evidence history. |
49
+ | `UCM_EVIDENCE_LOCK_TIMEOUT` | error | Timed out acquiring evidence append lock. |
50
+ | `UCM_EVIDENCE_PRODUCER_NOT_TRUSTED` | error | Evidence producer is not trusted. |
51
+ | `UCM_EVIDENCE_ROW_MISSING` | error | Referenced evidence row is missing. |
52
+ | `UCM_EVIDENCE_SCHEMA_INVALID` | error | Evidence event does not match its schema. |
53
+ | `UCM_EVIDENCE_VERIFICATION_NOT_PASS` | error | Evidence verification did not pass. |
54
+ | `UCM_LEDGER_CHAIN_BROKEN` | error | Evidence ledger hash chain is broken: an entry's previous_entry_hash does not match the preceding entry. |
55
+ | `UCM_LEDGER_DUPLICATE_INDEX` | error | Evidence ledger contains a duplicate entry_index. |
56
+ | `UCM_LEDGER_INDEX_GAP` | error | Evidence ledger entry_index does not match its actual position (gap, reorder, or truncation). |
57
+
58
+ ## Signature / proof verification
59
+
60
+ | Code | Severity | Message |
61
+ |---|---|---|
62
+ | `UCM_SIGNATURE_ALG_UNSUPPORTED` | error | Proof signature algorithm is unsupported. |
63
+ | `UCM_SIGNATURE_BAD` | error | Proof signature is invalid. |
64
+ | `UCM_SIGNATURE_MISSING` | error | Proof event is missing a signature. |
65
+ | `UCM_SIGNATURE_UNKNOWN_KEY_ID` | error | Proof signature references an unknown key id. |
66
+
67
+ ## Swift function recognizer
68
+
69
+ | Code | Severity | Message |
70
+ |---|---|---|
71
+ | `UCM_SWIFT_CONDITIONAL_COMPILATION` | error | Conditional compilation directive inside a marked span. |
72
+ | `UCM_SWIFT_FUNC_NO_BODY` | error | Marked function has no body. |
73
+ | `UCM_SWIFT_FUNC_NO_CLOSING_BRACE` | error | Marked function body has no closing brace. |
74
+ | `UCM_SWIFT_MARKER_INSIDE_ATTACHED` | error | Marker is inside an attached declaration. |
75
+ | `UCM_SWIFT_MARKER_INSIDE_SPAN` | error | Another marker appears inside a marked span. |
76
+ | `UCM_SWIFT_MARKER_NOT_ADJACENT` | error | Marker is not adjacent to a declaration. |
77
+ | `UCM_SWIFT_MULTIPLE_CANDIDATES` | error | Multiple candidate declarations for the marker. |
78
+ | `UCM_SWIFT_NESTED_FUNC_UNSUPPORTED` | error | Nested functions are unsupported in a marked span. |
79
+ | `UCM_SWIFT_NEXT_NODE_NOT_FUNC` | error | The node following the marker is not a function. |
80
+ | `UCM_SWIFT_NO_PARSER` | error | No Swift parser is available. |
81
+ | `UCM_SWIFT_PARSE_ERROR` | error | Swift parse error within the marker region. |
82
+
83
+ ## Workspace config
84
+
85
+ | Code | Severity | Message |
86
+ |---|---|---|
87
+ | `UCM_WORKSPACE_COMPONENT_UNKNOWN` | error | Unknown component '...'; does not match the declared component. |
88
+ | `UCM_WORKSPACE_CONFIG_INVALID` | error | Invalid use-cases.yml. |
89
+ | `UCM_WORKSPACE_CONFIG_PARSE` | error | Unable to parse use-cases.yml. |
90
+
91
+ ## Migration
92
+
93
+ | Code | Severity | Message |
94
+ |---|---|---|
95
+ | `UCM_MIGRATION_UNSAFE_OUTPUT_PATH` | error | Migration output path must stay inside the data root. |
96
+ | `UCM_MIGRATION_UNSAFE_SOURCE_PATH` | error | Migration source path must stay inside the repository. |
97
+
98
+ ## Showcase lifecycle
99
+
100
+ | Code | Severity | Message |
101
+ |---|---|---|
102
+ | `UCM_SHOWCASE_FAILURE_DECISION_REQUIRED` | error | Cannot finish until each failed or blocked verdict has a failure decision. |
103
+ | `UCM_SHOWCASE_FINISH_REQUIRED` | error | User approval/rejection requires a finished showcase run. |
104
+ | `UCM_SHOWCASE_IDEMPOTENCY_CONFLICT` | error | Idempotency key was reused with different intent. |
105
+ | `UCM_SHOWCASE_INVALID_CORRECTION_TARGET` | error | Correction target must be a verdict event. |
106
+ | `UCM_SHOWCASE_INVALID_FAILURE_DECISION_TARGET` | error | Failure decision target must be a failed or blocked verdict event. |
107
+ | `UCM_SHOWCASE_KNOWN_GAP_ACK_REQUIRED` | error | Partial plan requires known-gap acknowledgement. |
108
+ | `UCM_SHOWCASE_LEDGER_DAMAGED` | error | Refusing to append to damaged showcase history. |
109
+ | `UCM_SHOWCASE_PLAN_HASH_MISMATCH` | error | Plan content hash does not match plan body. |
110
+ | `UCM_SHOWCASE_PLAN_INVALID` | error | Presentation plan file is not a v1 plan. |
111
+ | `UCM_SHOWCASE_PLAN_PLACEHOLDER_HASH` | error | Plan content hash must not be a placeholder. |
112
+ | `UCM_SHOWCASE_PLAN_UNREADABLE` | error | Presentation plan file could not be read. |
113
+ | `UCM_SHOWCASE_RUN_ID_CONFLICT` | error | Showcase run id already exists. |
114
+ | `UCM_SHOWCASE_TRUSTED_CONFIRMATION_REQUIRED` | error | User approval requires a trusted interactive user confirmation path. |
115
+ | `UCM_SHOWCASE_USER_APPROVAL_REQUIRED` | error | Agent cannot record user-required approval. |
116
+ | `UCM_SHOWCASE_VERDICT_REQUIRES_OBSERVATION` | error | Verdict requires a prior observation. |
117
+
118
+ ## Path safety
119
+
120
+ | Code | Severity | Message |
121
+ |---|---|---|
122
+ | `UCM_INVALID_ID` | error | Identifier is not a canonical id; refusing to use it as a path segment. |
123
+ | `UCM_PATH_ESCAPE` | error | Unsafe relative path escapes its root boundary. |
@@ -0,0 +1,123 @@
1
+ # Stability & Versioning Policy
2
+
3
+ use-cases follows [Semantic Versioning](https://semver.org). At
4
+ `1.0.0` the surfaces listed under **Public API** below are a contract: they only
5
+ change in breaking ways across a **major** version bump. This page is the
6
+ authoritative declaration of what is stable, what is experimental, and how
7
+ versions move.
8
+
9
+ > **Pre-1.0 (beta).** The current release line is `0.0.x` — beta software. The
10
+ > contracts below describe the *intended* shape that becomes binding **at
11
+ > `1.0.0`**; until then they may still change between `0.0.x` releases. Adopt
12
+ > with that in mind.
13
+
14
+ > Ships as a single package, `use-cases` (binaries `uc` and `uc-mcp`);
15
+ > the `core` / `cli` / `mcp` workspaces are bundled inside it, not published
16
+ > separately. See the [publishing runbook](../release/publishing.md) for how a
17
+ > release is cut (npm Trusted Publishing + provenance) and the owner one-time npm
18
+ > setup.
19
+
20
+ ## SemVer policy
21
+
22
+ | Bump | What may change |
23
+ |---|---|
24
+ | **patch** (`1.0.x`) | Bug fixes. No schema, CLI, MCP, or output-shape changes. Human-readable text may change. |
25
+ | **minor** (`1.x.0`) | Additive only: new commands, new MCP tools/resources/prompts, new **optional** schema fields, new error codes, new exit-code *meanings* for previously-unused codes. Existing contracts keep working. |
26
+ | **major** (`x.0.0`) | Anything removed, renamed, or changed in meaning: a command/flag/tool/field/error-code removed or repurposed, an output shape changed, a schema field made required, exit-code semantics changed. |
27
+
28
+ A change is "breaking" if a correct integration written against `1.0.0` could
29
+ observe different behaviour. When in doubt, treat it as major.
30
+
31
+ ## Public API (stable at 1.0.0)
32
+
33
+ These are versioned contracts:
34
+
35
+ - **CLI command + subcommand names and their flags** — e.g. `uc matrix validate`, `uc verify`, `uc prove`, `uc bind`, `uc scan`. Renames/removals are breaking.
36
+ - **CLI `--json` output** — the envelope and every command's `data` shape (see below). Human/text output is **not** part of the contract.
37
+ - **CLI exit codes** and their meanings (see below).
38
+ - **The result envelope** shared by CLI `--json` and MCP structured results.
39
+ - **MCP tool names** and their input/output schemas, plus the MCP **safety policy** defaults (mutations gated, no signing/`prove`, no generic shell, workspace-root locking).
40
+ - **Persisted file formats**, each carrying `schema_version`: the matrix / use-case files, the binding registry (`bindings.jsonl`), the proof/evidence ledger (`proofs.jsonl`), evidence events, showcase specs/runs, capsules, plans, host profiles, and workspace config.
41
+ - **JSON Schemas** published under the `https://use-cases.dev/schemas/v1/...` `$id` namespace (resolved locally; not fetched).
42
+ - **The use-case marker grammar** (`//: @use-case: <slug>` … `//: @use-case: end <slug>`) and slug rules.
43
+ - **The proof/trust model**: ed25519 signed proof events, the hashed inputs (row, binding-set, span, verification-context), and the freshness states (`FRESH`, `SUSPECT`, `UNPROVEN`, `UNBOUND`, `INVALID`). Signing-key management — the single `--public-key` path, the opt-in `--keyring` registry, and key rotation/revocation — is documented in [key management](../security/key-management.md).
44
+ - **Error codes** declared in the [error-code registry](./error-codes.md) (`UCM_*`).
45
+
46
+ ### Result envelope
47
+
48
+ Every CLI `--json` response and MCP structured result uses this envelope:
49
+
50
+ ```json
51
+ {
52
+ "schema_version": 1,
53
+ "protocol_version": 1,
54
+ "command": "matrix.validate",
55
+ "ok": true,
56
+ "complete": true,
57
+ "data": { },
58
+ "diagnostics": [],
59
+ "context": { }
60
+ }
61
+ ```
62
+
63
+ - `schema_version` / `protocol_version` — bumped only on breaking envelope changes.
64
+ - `command` — stable dotted command id.
65
+ - `ok` — success boolean. `complete` — whether the operation ran to completion.
66
+ - `data` — the command-specific payload (validated against that command's schema).
67
+ - `diagnostics` — array of structured items, each with a stable `code` (see [error codes](./error-codes.md)).
68
+ - `context` — workspace/component metadata.
69
+
70
+ ### Exit codes
71
+
72
+ | Code | Meaning |
73
+ |---:|---|
74
+ | `0` | Success. |
75
+ | `1` | Command failed / validation issues / required rows not FRESH. |
76
+ | `2` | Unknown command or invalid arguments. |
77
+ | `3` | Integrity blocked (matrix/evidence/ledger integrity failure). |
78
+ | `4` | Unsafe path escape (data-root / repo boundary violation). |
79
+
80
+ Additional trust-engine exit codes used by `prove` (e.g. untrusted append,
81
+ signing-key missing) are documented in the CLI reference and are stable.
82
+
83
+ ## Experimental / not yet covered by the v1 contract
84
+
85
+ These ship and work, but their **shape** may change in a minor release until
86
+ promoted. They are called out here so adopters can depend on them with eyes open:
87
+
88
+ - MCP **resources** (`uc://…`) and **prompts** are exposed and read-only, but
89
+ the exact URI/prompt set may grow in minor releases; treat the MCP *tool*
90
+ surface as the most stable MCP contract.
91
+ - MCP output **rate-limiting** and **size caps**.
92
+ - **Host profiles are a fixed built-in set for v1** (`claude`, `codex`,
93
+ `copilot`, `opencode`). The host-applicability/projection engine is generic,
94
+ but registering *custom* host profiles is a post-v1 extension; the trust core
95
+ (bind/verify/prove/freshness) is host-independent and unaffected.
96
+ - The **trust-engine commands** (`bind`, `scan`, `verify`, `prove`,
97
+ `validate-ledger`) always emit JSON — they are machine/CI-oriented and have no
98
+ separate human-formatted mode (other commands gate JSON behind `--json`).
99
+ - Non-GitHub-Actions CI authority adapters (the proof model is CI-neutral; only
100
+ the GitHub Actions reference workflow is a supported path at 1.0.0). The
101
+ CI-neutral authority contract, per-provider authority population, and the
102
+ opt-in release-gate authority requirement are documented in
103
+ [CI hardening](../security/ci-hardening.md).
104
+ - Any other CLI command's **human-readable** (non-`--json`) formatting.
105
+ - The `core` / `cli` / `mcp` workspaces are an internal implementation detail: they are bundled into the `use-cases` package, **not** a published programmatic import surface. The stable contract is the CLI, the MCP tools, the JSON envelope, the schemas, and the persisted file formats — not TypeScript imports.
106
+
107
+ ## Supported environments
108
+
109
+ - **Node**: active LTS lines.
110
+ - **CI**: GitHub Actions is the reference, first-class path. The verify/prove
111
+ contract is CI-neutral and documented for other providers (best-effort) in
112
+ [CI hardening](../security/ci-hardening.md), which also covers the opt-in
113
+ release-gate authority requirement (`release_gate.required_authority` /
114
+ `require_protected_ref`).
115
+ - **Verifiers**: command verifiers for any language/toolchain. `pnpm`/`vitest`
116
+ is one preset, not an assumption.
117
+ - **MCP transport**: local stdio. Remote/HTTP transport is **not** a v1 contract.
118
+
119
+ ## Changing a contract
120
+
121
+ A breaking change to anything above requires: a major version bump, a CHANGELOG
122
+ entry, and a migration note under `docs/migration/`. Additive changes ship in a
123
+ minor with a CHANGELOG entry.
@@ -0,0 +1,26 @@
1
+ # Release Checklist
2
+
3
+ Run the production release gate from the repository root:
4
+
5
+ ```bash
6
+ node scripts/release-gate.mjs
7
+ ```
8
+
9
+ The gate is intentionally sequential. Do not run `build` concurrently with
10
+ `test`; tests import built workspace package outputs.
11
+
12
+ Before release, inspect:
13
+
14
+ - CI runs `node scripts/release-gate.mjs` on Node 22.
15
+ - `doctor package` is complete and has no diagnostics. By default it builds and
16
+ inspects the real root package tarball, not just the checkout.
17
+ - For external artifacts, use `doctor package --tarball <path> --json`.
18
+ - For installed artifacts, use `doctor package --installed-root <path> --json`;
19
+ this also runs installed CLI and MCP smoke checks.
20
+ - Root package contents include `.agents/skills`, `.codex-plugin/plugin.json`,
21
+ `.mcp.json`, built CLI/MCP/Core `dist`, schemas, docs, examples, and use cases.
22
+ - Root package contents omit tests, TypeScript source, local session state,
23
+ build locks, `node_modules`, and coverage output.
24
+ - Host docs do not claim verified support unless evidence IDs exist.
25
+ - A real showcase run on this plugin is recorded if the release changes user
26
+ workflow.
@@ -0,0 +1,144 @@
1
+ # CI hardening: the CI-neutral authority contract & release-gate requirement
2
+
3
+ Use Cases proofs record **where and how they were produced** in a
4
+ provider-agnostic `authority` block, and a repo can **require a minimum
5
+ authority** before a `required_for_release` row is allowed to ship. This page
6
+ covers the CI-neutral authority contract, the GitHub Actions reference path, how
7
+ other CI providers populate authority, and the release-gate authority
8
+ requirement.
9
+
10
+ > Authority is about **provenance**, not freshness. A row is `FRESH` when scan
11
+ > can verify a signed proof matching the current row / binding-set / verification
12
+ > context (see [key management](./key-management.md)). The `authority` block is
13
+ > **additive** and never changes that: legacy proofs minted before authority
14
+ > existed still validate and stay `FRESH`. Authority only matters when a repo
15
+ > **opts into** the release-gate requirement below.
16
+
17
+ ## The CI-neutral authority contract
18
+
19
+ The trust model is **CI-neutral**: GitHub Actions is only the *reference*
20
+ provider. Every proof event may carry an OPTIONAL `authority` block
21
+ ([`schemas/v1/authority.schema.json`](../../schemas/v1/authority.schema.json),
22
+ `$id: …/schemas/v1/authority.schema.json`) describing who/where minted it:
23
+
24
+ | Field | Meaning |
25
+ |---|---|
26
+ | `type` | `"ci"` when produced inside a recognised CI provider; `"local"` otherwise. |
27
+ | `provider` | `github-actions` \| `gitlab-ci` \| `circleci` \| `generic`. `generic` is the local / unrecognised fallback. |
28
+ | `repository` | Provider-shaped repo identifier (e.g. `owner/repo`). Best-effort. |
29
+ | `ref` | The git ref / branch the run executed against. Best-effort. |
30
+ | `commit` | The commit SHA the run executed against. Best-effort. |
31
+ | `run_id` | The provider's run / pipeline / build id. Best-effort. |
32
+ | `actor` | The login that triggered the run, when exposed. Best-effort. |
33
+ | `event` | The triggering event name (`push`, `pull_request`, `merge_request`, …). |
34
+ | `protected_ref` | **Tri-state**: `true`/`false` when the provider attests the protected-branch state, `null` when **unknown**. |
35
+
36
+ The block is built **into the event before signing**, so the signature covers it
37
+ — authority cannot be forged or altered after minting without breaking the
38
+ proof's signature. The existing GitHub-shaped `producer` block is unchanged;
39
+ `authority` is the CI-neutral trust record beside it.
40
+
41
+ > **Honest about `protected_ref`.** It is **provider-attested where available and
42
+ > otherwise unknown** (`null`). GitHub Actions does not expose a branch-protection
43
+ > signal in the runner environment, so the reference path reports `null` unless
44
+ > you supply the value out of band (see overrides below). GitLab CI exposes
45
+ > `CI_COMMIT_REF_PROTECTED` and is read directly. A `null` (unknown) value never
46
+ > satisfies a `require_protected_ref` gate — the gate fails closed.
47
+
48
+ ## How authority is populated
49
+
50
+ `prove` fills the `authority` block automatically by auto-detecting the CI
51
+ environment (pure `detectCiAuthority(env)` in `markers/ciAuthority.ts`), or you
52
+ can supply it explicitly.
53
+
54
+ ### GitHub Actions (the reference path)
55
+
56
+ Detected via `GITHUB_ACTIONS`. Fields are read from the standard runner env:
57
+
58
+ | Authority field | Env var |
59
+ |---|---|
60
+ | `repository` | `GITHUB_REPOSITORY` |
61
+ | `ref` | `GITHUB_REF` |
62
+ | `commit` | `GITHUB_SHA` |
63
+ | `run_id` | `GITHUB_RUN_ID` |
64
+ | `actor` | `GITHUB_ACTOR` |
65
+ | `event` | `GITHUB_EVENT_NAME` |
66
+ | `protected_ref` | unknowable from the runner env → `null` (override to set) |
67
+
68
+ No configuration is needed: running `uc prove …` inside a GitHub Actions job
69
+ yields `type: "ci"`, `provider: "github-actions"`.
70
+
71
+ ### Other CI providers (auto-detected)
72
+
73
+ The same auto-detection recognises:
74
+
75
+ - **GitLab CI** (`GITLAB_CI`): `CI_PROJECT_PATH`, `CI_COMMIT_REF_NAME`,
76
+ `CI_COMMIT_SHA`, `CI_PIPELINE_ID`, `GITLAB_USER_LOGIN`, `CI_PIPELINE_SOURCE`,
77
+ and the explicit `CI_COMMIT_REF_PROTECTED` → `protected_ref`.
78
+ - **CircleCI** (`CIRCLECI`): `CIRCLE_PROJECT_USERNAME`/`CIRCLE_PROJECT_REPONAME`
79
+ → `owner/repo`, `CIRCLE_BRANCH`, `CIRCLE_SHA1`, `CIRCLE_BUILD_NUM`,
80
+ `CIRCLE_USERNAME`. No protected-branch signal → `protected_ref: null`.
81
+ - **Anything else** → `{ type: "local", provider: "generic" }`.
82
+
83
+ ### Unknown providers & overrides: `--authority-file`
84
+
85
+ For a CI provider that is not auto-detected, or to attest a value the runner
86
+ cannot expose (e.g. `protected_ref` on GitHub), pass a JSON authority record:
87
+
88
+ ```sh
89
+ uc prove --all --trusted-ci \
90
+ --verification-results "$UCM_VERIFICATION_RESULTS" \
91
+ --signing-key-env UCM_CI_SIGNING_KEY --key-id ci-key-1 \
92
+ --authority-file authority.json
93
+ ```
94
+
95
+ `--verification-results` is required — it is the unsigned results ledger written
96
+ earlier by `uc verify --out "$UCM_VERIFICATION_RESULTS"`.
97
+
98
+ ```json
99
+ {
100
+ "type": "ci",
101
+ "provider": "generic",
102
+ "repository": "owner/repo",
103
+ "ref": "refs/heads/main",
104
+ "commit": "0123…",
105
+ "run_id": "4242",
106
+ "protected_ref": true
107
+ }
108
+ ```
109
+
110
+ The file is validated against `authority.schema.json`, embedded, and signed.
111
+
112
+ ## The release-gate authority requirement
113
+
114
+ By default the release gate does **not** look at authority — a `FRESH` required
115
+ row passes regardless of how it was proved. A repo can **opt in** to a minimum
116
+ authority via the OPTIONAL `release_gate` section of `use-cases.yml`:
117
+
118
+ ```yaml
119
+ # use-cases.yml
120
+ release_gate:
121
+ required_authority: ci # matching proof must have authority.type === "ci"
122
+ require_protected_ref: true # ...and authority.protected_ref === true
123
+ ```
124
+
125
+ Semantics, in **release mode only**:
126
+
127
+ - A `required_for_release` row whose only `FRESH` proof was minted with
128
+ **insufficient authority** — `type: "local"` when `required_authority: ci`, or
129
+ `protected_ref` not exactly `true` when `require_protected_ref: true`, or **no
130
+ authority block at all** — is **POLICY-BLOCKED**. It is surfaced in the
131
+ freshness / gate output with an `AUTHORITY_INSUFFICIENT` reason and counted in
132
+ `summary.policy_blocked`.
133
+ - A required row that is already not `FRESH` is blocked exactly as before; the
134
+ authority gate is **purely additive** — it can only ever block an
135
+ *otherwise-`FRESH`* required row, never relax existing blocking.
136
+ - **Feature mode is never affected**, and non-`required_for_release` rows are
137
+ never authority-blocked.
138
+ - **Off by default.** Omit `release_gate`, or leave its fields unset, and gating
139
+ is exactly as it was — nothing changes for repos that do not configure it.
140
+
141
+ This is the hardening lever: require that everything you ship was proved by **CI
142
+ on a protected branch**, not on someone's laptop, while keeping the whole trust
143
+ model CI-neutral (any provider that produces a `type: "ci"` /
144
+ provider-attested-`protected_ref` proof satisfies the gate).
@@ -0,0 +1,158 @@
1
+ # Key management: signing keys, the keyring, rotation & revocation
2
+
3
+ Use Cases proofs are **ed25519-signed** trusted-CI events. A row is only
4
+ `FRESH` when scan/validate-ledger can verify the signature on a matching proof
5
+ against a **trusted public key**. This page covers how those keys are managed:
6
+ generating a keypair, the keyring file, rotating keys, revoking them, and the
7
+ fail-closed guarantee that ties it all together.
8
+
9
+ There are two ways to tell the tool which public key(s) to trust:
10
+
11
+ | Flag | Trust model | Use when |
12
+ |---|---|---|
13
+ | `--public-key <file.pem>` | A **single** key, trusted unconditionally — only as safe as the file the verifier is pointed at, so commit it where the agent cannot swap it (see [threat model](../security.md#threat-model--what-holds-on-its-own-and-what-needs-setup)). | One signer, no rotation. The original, simplest path. |
14
+ | `--keyring <file.json>` | A **registry** of keys, each with a status and validity window. | You need rotation and/or revocation. **Opt-in**, additive. |
15
+
16
+ Both flags are accepted by `scan`, `verify`, `prove`, and `validate-ledger`.
17
+ `--keyring` is strictly additive: if you never pass it, nothing changes. When
18
+ both are present, the keyring wins.
19
+
20
+ > The private signing key lives **only in trusted CI** (passed to `prove` via
21
+ > `--signing-key-env <ENV>`, never written to the repo). The repo/config holds
22
+ > only **public** keys.
23
+
24
+ ## Generating an ed25519 keypair
25
+
26
+ The signing key is a **PKCS8 ed25519 PEM**; the public key is an **SPKI ed25519
27
+ PEM**. Generate the pair with Node — this works everywhere the CLI runs and needs
28
+ no external tools (macOS's bundled LibreSSL cannot `genpkey -algorithm ed25519`):
29
+
30
+ ```sh
31
+ node -e 'const c=require("crypto"),f=require("fs");const{publicKey,privateKey}=c.generateKeyPairSync("ed25519");f.writeFileSync("ci-signing-key.pem",privateKey.export({type:"pkcs8",format:"pem"}));f.writeFileSync("ci-signing-key.pub.pem",publicKey.export({type:"spki",format:"pem"}));'
32
+ ```
33
+
34
+ This writes `ci-signing-key.pem` (the **private** key — keep in CI secrets only,
35
+ never commit) and `ci-signing-key.pub.pem` (the **public** key, for `--public-key`
36
+ or the keyring). If you have OpenSSL ≥ 3 (not macOS LibreSSL) you can instead run:
37
+
38
+ ```sh
39
+ openssl genpkey -algorithm ed25519 -out ci-signing-key.pem
40
+ openssl pkey -in ci-signing-key.pem -pubout -out ci-signing-key.pub.pem
41
+ ```
42
+
43
+ In CI, load the **private** PEM into an environment variable and point `prove`
44
+ at it; tag the proof with the matching key id:
45
+
46
+ ```sh
47
+ export UCM_CI_SIGNING_KEY="$(cat ci-signing-key.pem)"
48
+ uc prove --all --trusted-ci \
49
+ --signing-key-env UCM_CI_SIGNING_KEY \
50
+ --key-id ci-key-1
51
+ ```
52
+
53
+ The `--key-id` you sign with must match a `key_id` in the keyring (or be
54
+ irrelevant under the single `--public-key` path, which ignores it).
55
+
56
+ ## The keyring file
57
+
58
+ A keyring is a JSON file conforming to
59
+ [`schemas/v1/keyring.schema.json`](../../schemas/v1/keyring.schema.json)
60
+ (`$id: https://use-cases.dev/schemas/v1/keyring.schema.json`). It is a
61
+ list of keys; each carries a stable id, the PEM public key, a validity window,
62
+ and a status:
63
+
64
+ ```json
65
+ {
66
+ "keyring_schema_id": "ucase-public-key-registry-v1",
67
+ "keys": [
68
+ {
69
+ "key_id": "ci-key-1",
70
+ "algorithm": "ed25519",
71
+ "public_key": "-----BEGIN PUBLIC KEY-----\n…\n-----END PUBLIC KEY-----\n",
72
+ "valid_from": "2026-01-01T00:00:00Z",
73
+ "valid_until": null,
74
+ "status": "active"
75
+ }
76
+ ]
77
+ }
78
+ ```
79
+
80
+ | Field | Meaning |
81
+ |---|---|
82
+ | `key_id` | Stable id referenced by a proof signature's `key_id`. |
83
+ | `algorithm` | Always `ed25519`. |
84
+ | `public_key` | PEM-encoded ed25519 public key. |
85
+ | `valid_from` | Start of the validity window (inclusive). |
86
+ | `valid_until` | End of the window (inclusive), or `null` for open-ended. |
87
+ | `status` | `active` (may verify proofs) or `revoked` (must not). |
88
+
89
+ A `key_id` resolves to its public key **only when** the key exists, its status
90
+ is `active`, and the **proof's `created_at`** falls inside
91
+ `[valid_from, valid_until]`. The validity window is checked against the moment
92
+ the proof was signed, not "now" — so a proof minted while a key was valid keeps
93
+ verifying after the window closes only if you keep the key active; once the
94
+ window closes or the key is revoked, the proof no longer verifies.
95
+
96
+ Pass it to any verifying command:
97
+
98
+ ```sh
99
+ uc scan --keyring keyring.json
100
+ uc validate-ledger --keyring keyring.json
101
+ ```
102
+
103
+ ## Rotation
104
+
105
+ Rotation introduces a new signing key without invalidating proofs already in the
106
+ ledger. The order matters — **add then re-prove, revoke last**:
107
+
108
+ 1. **Generate** a new keypair (`ci-key-2`).
109
+ 2. **Add** `ci-key-2` to the keyring as `active`, and **keep `ci-key-1` active**.
110
+ At this point both keys verify, so every existing `ci-key-1` proof stays
111
+ `FRESH`.
112
+ 3. **Re-prove** the rows under `ci-key-2` (`prove … --key-id ci-key-2`). Because
113
+ the ledger is append-only, this appends fresh proofs signed by the new key;
114
+ the old proofs remain.
115
+ 4. **Revoke** `ci-key-1` (flip its `status` to `revoked`) only after every row
116
+ you care about has a current-key proof.
117
+
118
+ A proof minted under an old key that is **still active** stays `FRESH`. The
119
+ moment you revoke that old key, any row whose only proof was signed by it drops
120
+ out of `FRESH` — which is exactly why you re-prove (step 3) before revoking
121
+ (step 4).
122
+
123
+ > Because the evidence ledger is append-only and **fail-closed**, revoking a key
124
+ > that signed earlier, still-present ledger entries makes those specific entries
125
+ > fail verification (a ledger-integrity error). Re-prove the affected rows under
126
+ > a current key so each row again has a verifiable proof.
127
+
128
+ ## Revocation
129
+
130
+ To stop trusting a key immediately (e.g. it leaked), set its `status` to
131
+ `revoked` in the keyring. From that point:
132
+
133
+ - Any proof signed by the revoked key no longer verifies.
134
+ - A row whose only proof was that key falls to `UNPROVEN`/`SUSPECT` — **never
135
+ `FRESH`**.
136
+ - Re-prove the row under a current, `active` key to restore `FRESH`.
137
+
138
+ You do not delete the revoked entry: keeping it (as `revoked`) documents that
139
+ the key was once known and is now untrusted.
140
+
141
+ ## The fail-closed guarantee
142
+
143
+ Verification is **fail-closed**. A proof is `FRESH` only when the keyring
144
+ positively vouches for its signing key at signing time. Every other case yields
145
+ **not `FRESH`**:
146
+
147
+ | Situation | Result |
148
+ |---|---|
149
+ | `key_id` not in the keyring | not FRESH (`UNKNOWN_KEY_ID`) |
150
+ | key present but `status: revoked` | not FRESH |
151
+ | proof `created_at` before `valid_from` | not FRESH |
152
+ | proof `created_at` after `valid_until` | not FRESH |
153
+ | signature does not verify | not FRESH (`BAD_SIGNATURE`) |
154
+ | **active key, in window, valid signature** | **FRESH** |
155
+
156
+ There is no "unknown key, allow anyway" path: an unrecognised, revoked, or
157
+ out-of-window key resolves to nothing, so the proof cannot verify and the row
158
+ cannot be `FRESH`.
@@ -0,0 +1,66 @@
1
+ # Security And Trust
2
+
3
+ Generated plans, migration output, capsules, and host projections are prepared
4
+ material only. They are not proof.
5
+
6
+ ## Threat model — what holds on its own, and what needs setup
7
+
8
+ The freshness guarantee is cryptographic, but it is only ever as strong as the
9
+ trust anchor you give it. This tool's whole point is to keep claims honest, so it
10
+ is precise about what it enforces *by itself* versus what depends on how you
11
+ deploy it. The adversary worth naming is an **autonomous agent with full shell
12
+ access to the workspace** — the same actor the tool exists to keep honest.
13
+
14
+ | Property | Enforced by the tool alone | Also requires |
15
+ |---|---|---|
16
+ | A `FRESH` row carries a valid signature over the current row / binding-set / verifier hashes — any drift flips it to `SUSPECT` | ✅ `scan` fails closed on drift, bad/unknown/revoked/out-of-window signatures | — |
17
+ | That signature came from **trusted CI**, not a local actor | ❌ not on its own | The verifier must check against a **public key (or keyring) committed to the repo that the agent cannot swap**, *and* the private signing key must live **only** in a CI secret. Given a key it supplies or can generate, an actor with shell access can `prove` its own proof and `scan` it `FRESH`. |
18
+ | The proof ledger has not been rewritten | ❌ not on its own — a local rewrite re-chains the hashes consistently | `validate-ledger --base-ref <ref>` against a **protected** branch the agent cannot force-push (branch protection on that ref). |
19
+ | A required row was proven **on a protected branch** | ❌ | The release-gate authority requirement + the `protected_ref` attestation — see [CI hardening](./security/ci-hardening.md). |
20
+ | "Approved by a human" on a showcase run | ❌ in v1 | The showcase approval ledger is **unsigned**; sign-off is **operationally** enforced (process / review), not cryptographically. See *Trusted user approval* below. |
21
+
22
+ In short: **the cryptography proves "this proof was signed by the key you chose to
23
+ trust."** Making that key mean *trusted CI rather than the local agent* is your
24
+ deployment's job — commit the public key, keep the private key CI-only, protect
25
+ the branch, and verify with `--base-ref` / a keyring. With that setup in place a
26
+ local actor cannot manufacture `FRESH`. Without it the proofs are still useful
27
+ integrity signals, but they are not a defence against an actor who controls the
28
+ shell. See [key management](./security/key-management.md) for the keyring, the
29
+ fail-closed table, and rotation/revocation.
30
+
31
+ ## Trusted user approval
32
+
33
+ An agent can **request** approval but must not be able to **mint** it. In v1 only
34
+ the negative half of that is real: `showcase approve` records an
35
+ `untrusted_automation` authority, and the showcase run ledger is **not signed** —
36
+ so a user-required run stays `pending` until approved out of band, and approval is
37
+ enforced **operationally** (your review process), not cryptographically. There is
38
+ no v1 code path that produces a cryptographically trusted user sign-off, and
39
+ interactive-CLI confirmation is **not** one (an agent that drives the terminal can
40
+ satisfy it). The signed-token approval path that closes this gap is specified in
41
+ [ADR 0006](./adr/0006-trusted-user-approval-path.md); it is planned, not shipped.
42
+ MCP tools can request approval but cannot fabricate it.
43
+
44
+ Approval proof, once it exists, is bound to the generated plan hash and the finish
45
+ event for the run. Generated plans, capsules, and runbooks are prepared material
46
+ until a run records events against them.
47
+
48
+ ## Ledgers and history
49
+
50
+ Append-only ledgers preserve accidental or disputed history through correction
51
+ events. Normal commands do not physically delete evidence or showcase history.
52
+ Physical purge for secrets or legal requirements needs a separate destructive
53
+ workflow with explicit audit output. The append-only and hash-chain properties
54
+ are **verifiable**, not self-enforcing: validate them against a trusted prior
55
+ state (`validate-ledger --base-ref`) so a wholesale local rewrite is caught.
56
+
57
+ ## Hosts and packages
58
+
59
+ Host profiles are expectation data. A host executable smoke result or projection
60
+ manifest can help diagnose setup, but verified host support requires recorded
61
+ evidence IDs.
62
+
63
+ Package checks inspect real tarballs or installed package roots. They reject
64
+ local/session state such as local agent cache and receipt directories, build
65
+ locks, packaged `node_modules/`, coverage output, local absolute paths, and
66
+ secret-looking values.