@agentique.io/validator 0.1.0 → 0.2.0

package/README.md

@@ -2,7 +2,7 @@
 
 Static local upload-preparation validator for Agentique resource packages.
 
-`agentique-validator` is a no-execution checker that validates public manifests, package inventory, path safety, and upload-prep metadata without uploading, publishing, installing dependencies, or executing submitted code.
+`agentique-validator` is a no-execution checker that validates public manifests, package inventory, path safety, registry trust metadata, parser/variant metadata, and upload-prep metadata without uploading, publishing, installing dependencies, or executing submitted code.
 
 Local validation is not platform approval and is not safety certification. `agentique.io` remains the source of truth for upload, scan, review, moderation, publication, distribution state, and readback.
 
@@ -28,6 +28,8 @@ Exit codes:
 - Blocked executable extension rejection.
 - Secret-like value detection with redacted findings.
 - Forbidden public-content path and term checks.
+- Registry trust checks for creator-safe package context, creator checkpoints, generated draft boundaries, and explicit patch/delta metadata.
+- Parser/variant checks for static parser evidence, sanitized resource graph summaries, compatibility reasons, and source-only variant states.
 
 ## External Intake
 
@@ -49,8 +51,8 @@ The report includes:
 - Secret findings with redacted previews and stable fingerprints.
 - License inventory with missing, unknown, and conflict findings.
 
-External intake output is advisory review evidence. It is not publication approval, safety assurance, moderation status, or legal review.
+External intake output is advisory review evidence. Registry trust and parser/variant findings are local preparation findings. Neither output is publication approval, safety assurance, moderation status, runtime compatibility proof, platform download availability, or legal review.
 
 ## Status
 
-Local monorepo implementation exists for review. Package publishing remains blocked until release review passes.
+Published as `@agentique.io/validator`. Local validation output is not platform approval and is not safety certification.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentique.io/validator",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Static local upload-preparation validator for Agentique resource packages.",
   "license": "Apache-2.0",
   "type": "module",

package/src/intake/scanner.mjs

@@ -46,7 +46,11 @@ const DANGEROUS_CAPABILITY_RULES = Object.freeze([
   }),
   Object.freeze({
     category: "credential-environment-access",
-    pattern: /\b(?:process\.env|os\.environ|getenv\(|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY|npm_token|pypi_token|\.env)\b/i
+    pattern: /\b(?:process\.env|os\.environ|getenv\(|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY|npm_token|pypi_token)\b/i
+  }),
+  Object.freeze({
+    category: "dotenv-file-reference",
+    pattern: /(?:^|[\s"'=:\/\\])\.env(?:\.[A-Za-z0-9_-]+)?(?:\b|$)/i
   }),
   Object.freeze({
     category: "encoded-payload",
@@ -222,7 +226,8 @@ async function applyLicenseInventory({ filePath, rel, findings, licenses }) {
       source: "license-file",
       expression: null,
       normalized,
-      status: normalized ? "recognized" : "unknown"
+      status: normalized ? "recognized" : "unknown",
+      policy: licensePolicyForExpression(normalized)
     })
   );
 }
@@ -255,7 +260,8 @@ async function collectPackageLicense({ filePath, rel, findings, licenses }) {
       source: "package-json",
       expression,
       normalized,
-      status: normalized ? "recognized" : "unknown"
+      status: normalized ? "recognized" : "unknown",
+      policy: licensePolicyForExpression(normalized)
     })
   );
 }
@@ -274,20 +280,123 @@ function isLicenseFileName(basename) {
   return basename === "license" || basename === "licence" || basename.startsWith("license.") || basename.startsWith("licence.") || basename === "copying";
 }
 
+const LICENSE_ID_NORMALIZATION = new Map([
+  ["0BSD", "0BSD"],
+  ["AGPL-3.0", "AGPL-3.0-only"],
+  ["AGPL-3.0-ONLY", "AGPL-3.0-only"],
+  ["AGPL-3.0-OR-LATER", "AGPL-3.0-or-later"],
+  ["APACHE-2.0", "Apache-2.0"],
+  ["ARTISTIC-2.0", "Artistic-2.0"],
+  ["BSD-2-CLAUSE", "BSD-2-Clause"],
+  ["BSD-3-CLAUSE", "BSD-3-Clause"],
+  ["BSL-1.1", "BSL-1.1"],
+  ["CC-BY-4.0", "CC-BY-4.0"],
+  ["CC0-1.0", "CC0-1.0"],
+  ["GPL-2.0", "GPL-2.0-only"],
+  ["GPL-2.0-ONLY", "GPL-2.0-only"],
+  ["GPL-2.0-OR-LATER", "GPL-2.0-or-later"],
+  ["GPL-3.0", "GPL-3.0-only"],
+  ["GPL-3.0-ONLY", "GPL-3.0-only"],
+  ["GPL-3.0-OR-LATER", "GPL-3.0-or-later"],
+  ["ISC", "ISC"],
+  ["LGPL-2.1", "LGPL-2.1-only"],
+  ["LGPL-2.1-ONLY", "LGPL-2.1-only"],
+  ["LGPL-2.1-OR-LATER", "LGPL-2.1-or-later"],
+  ["LGPL-3.0", "LGPL-3.0-only"],
+  ["LGPL-3.0-ONLY", "LGPL-3.0-only"],
+  ["LGPL-3.0-OR-LATER", "LGPL-3.0-or-later"],
+  ["MIT", "MIT"],
+  ["MPL-2.0", "MPL-2.0"],
+  ["UNLICENSE", "Unlicense"]
+]);
+
+const LICENSE_POLICY = new Map([
+  ["0BSD", "allowed"],
+  ["AGPL-3.0-only", "blocked"],
+  ["AGPL-3.0-or-later", "blocked"],
+  ["Apache-2.0", "allowed"],
+  ["Artistic-2.0", "needs-review"],
+  ["BSD-2-Clause", "allowed"],
+  ["BSD-3-Clause", "allowed"],
+  ["BSL-1.1", "allowed"],
+  ["CC-BY-4.0", "needs-review"],
+  ["CC0-1.0", "allowed"],
+  ["GPL-2.0-only", "needs-review"],
+  ["GPL-2.0-or-later", "needs-review"],
+  ["GPL-3.0-only", "needs-review"],
+  ["GPL-3.0-or-later", "needs-review"],
+  ["ISC", "allowed"],
+  ["LGPL-2.1-only", "needs-review"],
+  ["LGPL-2.1-or-later", "needs-review"],
+  ["LGPL-3.0-only", "needs-review"],
+  ["LGPL-3.0-or-later", "needs-review"],
+  ["MIT", "allowed"],
+  ["MPL-2.0", "allowed"],
+  ["Unlicense", "allowed"]
+]);
+
 function normalizeLicenseExpression(expression) {
-  const normalized = expression.trim().replace(/[()]/g, "").toUpperCase();
-  const map = new Map([
-    ["MIT", "MIT"],
-    ["APACHE-2.0", "Apache-2.0"],
-    ["GPL-2.0", "GPL-2.0"],
-    ["GPL-2.0-ONLY", "GPL-2.0"],
-    ["GPL-3.0", "GPL-3.0"],
-    ["GPL-3.0-ONLY", "GPL-3.0"],
-    ["BSD-3-CLAUSE", "BSD-3-Clause"],
-    ["ISC", "ISC"],
-    ["MPL-2.0", "MPL-2.0"]
-  ]);
-  return map.get(normalized) ?? null;
+  const trimmed = expression.trim();
+  if (!trimmed) {
+    return null;
+  }
+
+  const single = normalizeLicenseIdentifier(trimmed);
+  if (single) {
+    return single;
+  }
+
+  const tokens = trimmed.replace(/[()]/g, " ").trim().split(/\s+(AND|OR)\s+/i);
+  if (tokens.length < 3 || tokens.length % 2 === 0) {
+    return null;
+  }
+
+  const normalizedTokens = [];
+  for (const [index, token] of tokens.entries()) {
+    const value = token.trim();
+    if (!value) {
+      return null;
+    }
+
+    if (index % 2 === 1) {
+      const operator = value.toUpperCase();
+      if (operator !== "AND" && operator !== "OR") {
+        return null;
+      }
+      normalizedTokens.push(operator);
+      continue;
+    }
+
+    const normalized = normalizeLicenseIdentifier(value);
+    if (!normalized) {
+      return null;
+    }
+    normalizedTokens.push(normalized);
+  }
+
+  return normalizedTokens.join(" ");
+}
+
+function normalizeLicenseIdentifier(value) {
+  return LICENSE_ID_NORMALIZATION.get(value.trim().toUpperCase()) ?? null;
+}
+
+function licensePolicyForExpression(normalized) {
+  if (!normalized) {
+    return "unknown";
+  }
+
+  const identifiers = normalized.split(/\s+(?:AND|OR)\s+/).map((value) => value.trim()).filter(Boolean);
+  if (identifiers.some((identifier) => LICENSE_POLICY.get(identifier) === "blocked")) {
+    return "blocked";
+  }
+  if (identifiers.some((identifier) => LICENSE_POLICY.get(identifier) === "needs-review")) {
+    return "needs-review";
+  }
+  if (identifiers.every((identifier) => LICENSE_POLICY.get(identifier) === "allowed")) {
+    return "allowed";
+  }
+  return "unknown";
 }
 
 function normalizeLicenseText(content) {
@@ -298,20 +407,41 @@ function normalizeLicenseText(content) {
     return "Apache-2.0";
   }
   if (/GNU GENERAL PUBLIC LICENSE[\s\S]{0,800}Version 3/i.test(content)) {
-    return "GPL-3.0";
+    return "GPL-3.0-only";
   }
   if (/GNU GENERAL PUBLIC LICENSE[\s\S]{0,800}Version 2/i.test(content)) {
-    return "GPL-2.0";
+    return "GPL-2.0-only";
+  }
+  if (/GNU LESSER GENERAL PUBLIC LICENSE[\s\S]{0,800}Version 3/i.test(content)) {
+    return "LGPL-3.0-only";
+  }
+  if (/GNU LESSER GENERAL PUBLIC LICENSE[\s\S]{0,800}Version 2\.1/i.test(content)) {
+    return "LGPL-2.1-only";
+  }
+  if (/GNU AFFERO GENERAL PUBLIC LICENSE[\s\S]{0,800}Version 3/i.test(content)) {
+    return "AGPL-3.0-only";
   }
   if (/Redistribution and use in source and binary forms/i.test(content) && /Neither the name/i.test(content)) {
     return "BSD-3-Clause";
   }
+  if (/Redistribution and use in source and binary forms/i.test(content)) {
+    return "BSD-2-Clause";
+  }
   if (/ISC License/i.test(content)) {
     return "ISC";
   }
   if (/Mozilla Public License Version 2\.0/i.test(content)) {
     return "MPL-2.0";
   }
+  if (/This is free and unencumbered software released into the public domain/i.test(content)) {
+    return "Unlicense";
+  }
+  if (/Creative Commons CC0 1\.0 Universal/i.test(content)) {
+    return "CC0-1.0";
+  }
+  if (/Boost Software License[\s\S]{0,200}Version 1\.1/i.test(content)) {
+    return "BSL-1.1";
+  }
   return null;
 }
 
@@ -329,17 +459,26 @@ function applyLicenseGates({ licenses, findings }) {
   }
 
   for (const item of licenses) {
+    const policy = item.policy ?? "unknown";
+    const known = item.status === "recognized" && policy !== "unknown";
     findings.push(
       createFinding({
-        code: item.status === "recognized" ? "license.detected" : "license.unknown",
-        severity: item.status === "recognized" ? "low" : "high",
-        message: item.status === "recognized" ? "License signal was detected." : "Unknown license signal requires manual review.",
+        code: known ? `license.${policy}` : "license.unknown",
+        severity: policy === "allowed" ? "low" : "high",
+        message: known
+          ? policy === "allowed"
+            ? "License signal is recognized and allowed by public intake policy."
+            : policy === "needs-review"
+              ? "License signal is recognized but requires review by public intake policy."
+              : "License signal is recognized but blocked by public intake policy."
+          : "Unknown license signal requires manual review.",
         path: item.path,
-        blocking: item.status !== "recognized",
+        blocking: policy !== "allowed",
         details: {
           source: item.source,
           expression: item.expression ?? undefined,
-          normalized: item.normalized ?? undefined
+          normalized: item.normalized ?? undefined,
+          policy
         }
       })
     );
@@ -884,9 +1023,54 @@ async function readTextPrefix({ filePath, rel, maxBytes, findings, purpose }) {
   return buffer ? buffer.toString("utf8") : "";
 }
 
+function truncationFindingForPurpose(purpose) {
+  if (purpose === "secret-scan") {
+    return {
+      code: "secret.truncated",
+      severity: "critical",
+      message: "Secret scan input exceeded inspected prefix."
+    };
+  }
+  if (purpose === "dangerous-capability") {
+    return {
+      code: "dangerous.truncated",
+      severity: "high",
+      message: "Dangerous capability input exceeded inspected prefix."
+    };
+  }
+  if (purpose.startsWith("script-")) {
+    return {
+      code: "script.truncated",
+      severity: "high",
+      message: "Script or workflow input exceeded inspected prefix."
+    };
+  }
+  return null;
+}
+
 async function readBufferPrefix({ filePath, rel, maxBytes, findings, purpose }) {
   let handle;
   try {
+    const stat = await fs.stat(filePath);
+    const truncationFinding = truncationFindingForPurpose(purpose);
+    // IMPORTANT: high-risk external intake reads must fail closed when bounded prefix inspection is incomplete.
+    if (truncationFinding && stat.size > maxBytes) {
+      findings.push(
+        createFinding({
+          code: truncationFinding.code,
+          severity: truncationFinding.severity,
+          message: truncationFinding.message,
+          path: rel,
+          blocking: true,
+          details: {
+            purpose,
+            bytes: stat.size,
+            maxBytes
+          }
+        })
+      );
+    }
+
     handle = await fs.open(filePath, "r");
     const buffer = Buffer.alloc(maxBytes);
     const result = await handle.read(buffer, 0, maxBytes, 0);

package/src/validator.mjs

@@ -1,5 +1,5 @@
 import { createHash } from "node:crypto";
-import { promises as fs } from "node:fs";
+import { createReadStream, promises as fs } from "node:fs";
 import path from "node:path";
 import Ajv from "ajv/dist/2020.js";
 import addFormats from "ajv-formats";
@@ -9,8 +9,10 @@ const schemaFiles = [
   "context-bundle.schema.json",
   "output-contract.schema.json",
   "package-manifest.schema.json",
+  "parser-variant.schema.json",
   "permission-risk.schema.json",
   "public-readback.schema.json",
+  "registry-trust.schema.json",
   "resource-manifest.schema.json",
   "skill-metadata.schema.json",
   "surfacing-metadata.schema.json",
@@ -28,6 +30,10 @@ const blockedExtensions = new Set([
   ".sh"
 ]);
 
+// IMPORTANT: keep these gates before package text/JSON reads; they bound memory use for untrusted package inputs.
+const MAX_VALIDATOR_JSON_BYTES = 1024 * 1024;
+const MAX_PACKAGE_FILE_BYTES = 1024 * 1024;
+
 const sensitivePathSegments = new Set(["private", ".env", ".git", ".cache", "node_modules"]);
 
 const internalDotDirs = ["planning", "sessions"].map((name) => `\\.${name}`).join("|");
@@ -71,6 +77,30 @@ const secretLikePatterns = [
   { id: "credential-url", pattern: /\b[a-z][a-z0-9+.-]*:\/\/[^/\s"'<>:]+:[^@\s"'<>]+@[^\s"'<>]+/i }
 ];
 
+const safeSecretExamplePatterns = [
+  {
+    id: "database-url",
+    pattern: /^(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/(?:<user>|user|root|default):(?:<password>|password)@(?:localhost|127\.0\.0\.1)(?::\d+)?(?:\/[A-Za-z0-9._/-]*)?$/i
+  },
+  {
+    id: "credential-url",
+    pattern: /^https?:\/\/(?:<user>|user):(?:<password>|password)@example\.(?:com|org|net)(?:\/[^\s"'<>]*)?$/i
+  }
+];
+
+const platformManagedCreatorKeys = new Set([
+  "approved",
+  "listed",
+  "latestVersion",
+  "platformManaged",
+  "platformProjection",
+  "platformTrustScore",
+  "publishedAt",
+  "publicationState",
+  "scanPassed",
+  "verifiedBadge"
+]);
+
 export async function validatePackage(options) {
   const command = options.command ?? "validate";
   const packageDir = path.resolve(options.packageDir);
@@ -119,11 +149,12 @@ export async function validatePackage(options) {
     const filePath = resolveInside(packageDir, rel);
     if (!filePath) continue;
     try {
-      const bytes = await fs.readFile(filePath);
+      const stat = await fs.stat(filePath);
+      const digest = await hashFileSha256(filePath);
       inventory.push({
         path: rel,
-        sha256: createHash("sha256").update(bytes).digest("hex"),
-        bytes: bytes.length
+        sha256: digest,
+        bytes: stat.size
       });
     } catch {
       // Missing files are already reported by inspectPackageFile.
@@ -134,12 +165,7 @@ export async function validatePackage(options) {
     ok: findings.length === 0,
     command,
     packageDir,
-    manifest: manifest
-      ? {
-          name: typeof manifest.name === "string" ? manifest.name : null,
-          formatVersion: typeof manifest.formatVersion === "string" ? manifest.formatVersion : null
-        }
-      : null,
+    manifest: summarizeManifest(manifest),
     inventory,
     findings
   });
@@ -178,8 +204,19 @@ async function readRequiredJson(filePath) {
 }
 
 async function readJsonFile(filePath, findings, location) {
+  const raw = await readTextFileWithinLimit({
+    filePath,
+    findings,
+    location,
+    maxBytes: MAX_VALIDATOR_JSON_BYTES,
+    oversizedCode: "json-too-large",
+    readErrorCode: "json-read"
+  });
+  if (raw === null) {
+    return null;
+  }
+
   try {
-    const raw = await fs.readFile(filePath, "utf8");
     return JSON.parse(raw);
   } catch (error) {
     findings.push(finding("json-read", `Unable to read valid JSON: ${error.code ?? "parse_error"}`, location));
@@ -212,24 +249,69 @@ async function inspectPackageFile({ packageDir, rel, expectedHash, findings, ajv
     return;
   }
 
-  let bytes;
+  let stat;
   try {
-    bytes = await fs.readFile(filePath);
+    stat = await fs.stat(filePath);
   } catch {
     findings.push(finding("missing-file", "Package file listed in manifest is missing.", rel));
     return;
   }
 
-  const actualHash = `sha256:${createHash("sha256").update(bytes).digest("hex")}`;
+  if (stat.size > MAX_PACKAGE_FILE_BYTES) {
+    findings.push(finding("file-too-large", `Package file exceeds ${MAX_PACKAGE_FILE_BYTES} byte limit.`, rel));
+    return;
+  }
+
+  let actualHash;
+  try {
+    actualHash = `sha256:${await hashFileSha256(filePath)}`;
+  } catch {
+    findings.push(finding("hash-read", "Unable to hash package file.", rel));
+    return;
+  }
+
   if (expectedHash && expectedHash !== actualHash) {
     findings.push(finding("hash-mismatch", "Package file hash does not match manifest.", rel));
   }
 
-  const text = bytes.toString("utf8");
+  const text = await fs.readFile(filePath, "utf8");
   scanText(text, rel, findings);
   inspectStructuredPackageFile({ rel, text, findings, ajv });
 }
 
+async function readTextFileWithinLimit({ filePath, findings, location, maxBytes, oversizedCode, readErrorCode }) {
+  let stat;
+  try {
+    stat = await fs.stat(filePath);
+  } catch (error) {
+    findings.push(finding(readErrorCode, `Unable to read valid JSON: ${error.code ?? "read_error"}`, location));
+    return null;
+  }
+
+  if (stat.size > maxBytes) {
+    findings.push(finding(oversizedCode, `File exceeds ${maxBytes} byte limit.`, location));
+    return null;
+  }
+
+  try {
+    return await fs.readFile(filePath, "utf8");
+  } catch (error) {
+    findings.push(finding(readErrorCode, `Unable to read valid JSON: ${error.code ?? "read_error"}`, location));
+    return null;
+  }
+}
+
+async function hashFileSha256(filePath) {
+  const hash = createHash("sha256");
+  await new Promise((resolve, reject) => {
+    const stream = createReadStream(filePath);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("error", reject);
+    stream.on("end", resolve);
+  });
+  return hash.digest("hex");
+}
+
 function validateManifestContracts(manifest, findings) {
   if (!isRecord(manifest)) return;
 
@@ -262,6 +344,272 @@ function validateManifestContracts(manifest, findings) {
       )
     );
   }
+
+  validateRegistryTrustContracts(manifest.registryTrust, findings);
+  validateParserVariantContracts(manifest.parserVariant, findings);
+}
+
+function validateRegistryTrustContracts(registryTrust, findings) {
+  if (!isRecord(registryTrust)) return;
+
+  collectPlatformManagedCreatorKeys(registryTrust, "manifest.registryTrust", findings);
+
+  const packageContext = registryTrust.packageContext;
+  if (isRecord(packageContext)) {
+    const version = typeof packageContext.version === "string" ? packageContext.version : "";
+    const sourceUrl = typeof packageContext.sourceUrl === "string" ? packageContext.sourceUrl : "";
+
+    if (/[\s<>=*xX]/.test(version) || version.startsWith("^") || version.startsWith("~") || !sourceUrl.startsWith("https://")) {
+      findings.push(
+        finding(
+          "package-context-unsafe",
+          "Package context must use an exact public version and HTTPS source URL.",
+          "manifest.registryTrust.packageContext"
+        )
+      );
+    }
+
+    if (typeof packageContext.packageDigest !== "string") {
+      findings.push(
+        finding(
+          "desired-state-fingerprint-missing",
+          "Registry trust package context must include a public package digest for desired-state comparison.",
+          "manifest.registryTrust.packageContext.packageDigest"
+        )
+      );
+    }
+
+    if (typeof packageContext.ownershipEvidenceVersion !== "string") {
+      findings.push(
+        finding(
+          "scanner-policy-missing",
+          "Registry trust package context must include an ownership evidence version for policy freshness comparison.",
+          "manifest.registryTrust.packageContext.ownershipEvidenceVersion"
+        )
+      );
+    }
+  }
+
+  if (isRecord(registryTrust.generatedDraft) && registryTrust.generatedDraft.draftOnly !== true) {
+    findings.push(
+      finding(
+        "generated-draft-boundary",
+        "Generated draft metadata must remain draft-only.",
+        "manifest.registryTrust.generatedDraft"
+      )
+    );
+  }
+
+  if (isRecord(registryTrust.patchDelta)) {
+    const operations = Array.isArray(registryTrust.patchDelta.operations) ? registryTrust.patchDelta.operations : [];
+    const ambiguousOperation = operations.find(
+      (operation) =>
+        !isRecord(operation) ||
+        operation.path === "/" ||
+        (["add", "replace"].includes(operation.op) && typeof operation.valueSummary !== "string")
+    );
+    if (ambiguousOperation || operations.length === 0) {
+      findings.push(
+        finding(
+          "patch-delta-ambiguous",
+          "Patch and delta metadata must describe explicit partial-update operations.",
+          "manifest.registryTrust.patchDelta"
+        )
+      );
+    }
+  }
+}
+
+function validateParserVariantContracts(parserVariant, findings) {
+  if (!isRecord(parserVariant)) return;
+
+  const parserEvidence = parserVariant.parserEvidence;
+  if (isRecord(parserEvidence)) {
+    const parseStatus = typeof parserEvidence.parseStatus === "string" ? parserEvidence.parseStatus : "";
+    const parseConfidence = typeof parserEvidence.parseConfidence === "string" ? parserEvidence.parseConfidence : "";
+
+    if (parserEvidence.noExecution !== true) {
+      findings.push(
+        finding(
+          "parser-evidence-review-required",
+          "Parser evidence must include a no-execution proof before public use.",
+          "manifest.parserVariant.parserEvidence"
+        )
+      );
+    }
+
+    if (
+      ["partial", "unsupported", "blocked", "failed"].includes(parseStatus) ||
+      ["low", "unknown"].includes(parseConfidence)
+    ) {
+      findings.push(
+        finding(
+          "parser-evidence-review-required",
+          "Parser evidence requires review before parser or variant availability claims.",
+          "manifest.parserVariant.parserEvidence"
+        )
+      );
+    }
+  }
+
+  const platformVariants = Array.isArray(parserVariant.platformVariants) ? parserVariant.platformVariants : [];
+  platformVariants.forEach((variant, index) => {
+    if (!isRecord(variant)) return;
+    const location = `manifest.parserVariant.platformVariants[${index}]`;
+    const download = isRecord(variant.download) ? variant.download : {};
+
+    if (variant.managedBy === "platform" || download.availability === "available") {
+      findings.push(
+        finding(
+          "platform-variant-overclaim",
+          "Creator manifests cannot claim platform-managed variant state or platform download availability.",
+          location
+        )
+      );
+    }
+
+    if (variant.state === "unsupported") {
+      findings.push(
+        finding(
+          "variant-unsupported",
+          "Variant metadata declares an unsupported platform target.",
+          location
+        )
+      );
+    }
+
+    if (variant.state === "stale" || variant.validationState === "stale") {
+      findings.push(
+        finding(
+          "variant-stale",
+          "Variant metadata declares stale parser or platform evidence.",
+          location
+        )
+      );
+    }
+  });
+}
+
+function collectPlatformManagedCreatorKeys(value, location, findings) {
+  if (Array.isArray(value)) {
+    value.forEach((item, index) => collectPlatformManagedCreatorKeys(item, `${location}[${index}]`, findings));
+    return;
+  }
+  if (!isRecord(value)) return;
+
+  for (const [key, nested] of Object.entries(value)) {
+    if (platformManagedCreatorKeys.has(key)) {
+      findings.push(
+        finding(
+          "platform-managed-overclaim",
+          "Creator manifests cannot set platform-managed trust, scan, publication, or badge state.",
+          location
+        )
+      );
+    }
+    collectPlatformManagedCreatorKeys(nested, `${location}.${key}`, findings);
+  }
+}
+
+function summarizeManifest(manifest) {
+  if (!isRecord(manifest)) return null;
+
+  return {
+    name: typeof manifest.name === "string" ? manifest.name : null,
+    formatVersion: typeof manifest.formatVersion === "string" ? manifest.formatVersion : null,
+    ...(isRecord(manifest.parserVariant) ? { parserVariant: summarizeParserVariant(manifest.parserVariant) } : {}),
+    ...(isRecord(manifest.registryTrust) ? { registryTrust: summarizeRegistryTrust(manifest.registryTrust) } : {})
+  };
+}
+
+function summarizeParserVariant(parserVariant) {
+  const parserEvidence = isRecord(parserVariant.parserEvidence) ? parserVariant.parserEvidence : null;
+  const resourceGraphSummary = isRecord(parserVariant.resourceGraphSummary) ? parserVariant.resourceGraphSummary : null;
+  const compatibility = isRecord(parserVariant.compatibility) ? parserVariant.compatibility : null;
+  const platformVariants = Array.isArray(parserVariant.platformVariants) ? parserVariant.platformVariants : [];
+
+  return {
+    parserEvidence: parserEvidence
+      ? {
+          sourceEcosystem: typeof parserEvidence.sourceEcosystem === "string" ? parserEvidence.sourceEcosystem : null,
+          sourceFormat: typeof parserEvidence.sourceFormat === "string" ? parserEvidence.sourceFormat : null,
+          parseStatus: typeof parserEvidence.parseStatus === "string" ? parserEvidence.parseStatus : null,
+          parseConfidence: typeof parserEvidence.parseConfidence === "string" ? parserEvidence.parseConfidence : null,
+          sanitizerStatus: typeof parserEvidence.sanitizerStatus === "string" ? parserEvidence.sanitizerStatus : null,
+          noExecution: parserEvidence.noExecution === true,
+          outputDigestPresent: typeof parserEvidence.outputDigest === "string"
+        }
+      : null,
+    resourceGraphSummary: resourceGraphSummary
+      ? {
+          sanitized: resourceGraphSummary.sanitized === true,
+          nodeCount: numberOrNull(resourceGraphSummary.nodeCount),
+          edgeCount: numberOrNull(resourceGraphSummary.edgeCount),
+          capabilityCount: numberOrNull(resourceGraphSummary.capabilityCount),
+          sourceFileCount: numberOrNull(resourceGraphSummary.sourceFileCount)
+        }
+      : null,
+    compatibility: compatibility
+      ? {
+          status: typeof compatibility.status === "string" ? compatibility.status : null,
+          reasons: stringArrayOrEmpty(compatibility.reasons),
+          reasonCount: Array.isArray(compatibility.reasons) ? compatibility.reasons.length : 0
+        }
+      : null,
+    platformVariants: platformVariants.filter(isRecord).map((variant) => {
+      const download = isRecord(variant.download) ? variant.download : {};
+      return {
+        platformId: typeof variant.platformId === "string" ? variant.platformId : null,
+        artifactKind: typeof variant.artifactKind === "string" ? variant.artifactKind : null,
+        state: typeof variant.state === "string" ? variant.state : null,
+        validationState: typeof variant.validationState === "string" ? variant.validationState : null,
+        downloadAvailability: typeof download.availability === "string" ? download.availability : null,
+        reasons: stringArrayOrEmpty(variant.reasons),
+        reasonCount: Array.isArray(variant.reasons) ? variant.reasons.length : 0
+      };
+    })
+  };
+}
+
+function summarizeRegistryTrust(registryTrust) {
+  const packageContext = isRecord(registryTrust.packageContext) ? registryTrust.packageContext : null;
+  const generatedDraft = isRecord(registryTrust.generatedDraft) ? registryTrust.generatedDraft : null;
+  const patchDelta = isRecord(registryTrust.patchDelta) ? registryTrust.patchDelta : null;
+  const creatorCheckpoints = Array.isArray(registryTrust.creatorCheckpoints) ? registryTrust.creatorCheckpoints : [];
+
+  return {
+    packageContext: packageContext
+      ? {
+          packageName: typeof packageContext.packageName === "string" ? packageContext.packageName : null,
+          version: typeof packageContext.version === "string" ? packageContext.version : null,
+          sourceUrl: typeof packageContext.sourceUrl === "string" ? packageContext.sourceUrl : null,
+          packageDigestPresent: typeof packageContext.packageDigest === "string"
+        }
+      : null,
+    desiredStateFingerprintPresent: packageContext ? typeof packageContext.packageDigest === "string" : false,
+    scannerPolicyVersionExpectation: "platform-managed-readback",
+    creatorCheckpointCount: creatorCheckpoints.length,
+    generatedDraft: generatedDraft
+      ? {
+          draftOnly: generatedDraft.draftOnly === true,
+          kind: typeof generatedDraft.kind === "string" ? generatedDraft.kind : null
+        }
+      : null,
+    patchDelta: patchDelta
+      ? {
+          mode: typeof patchDelta.mode === "string" ? patchDelta.mode : null,
+          operationCount: Array.isArray(patchDelta.operations) ? patchDelta.operations.length : 0
+        }
+      : null
+  };
+}
+
+function numberOrNull(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+
+function stringArrayOrEmpty(value) {
+  return Array.isArray(value) ? value.filter((entry) => typeof entry === "string") : [];
 }
 
 function inspectStructuredPackageFile({ rel, text, findings, ajv }) {
@@ -301,12 +649,18 @@ function schemaIdForPackageJson(normalizedRel) {
   if (normalizedRel.startsWith("tools/")) {
     return "https://schemas.agentique.io/tool-listing.schema.json";
   }
-  if (normalizedRel.includes("context-bundle")) {
+  if (isContextBundlePackageJson(normalizedRel)) {
     return "https://schemas.agentique.io/context-bundle.schema.json";
   }
   return null;
 }
 
+function isContextBundlePackageJson(normalizedRel) {
+  const parts = normalizedRel.split("/");
+  const basename = parts.at(-1) ?? "";
+  return normalizedRel.startsWith("bundle/") || (parts.length === 1 && basename.startsWith("context-bundle"));
+}
+
 function resolveInside(root, rel) {
   const resolved = path.resolve(root, rel);
   const rootWithSep = root.endsWith(path.sep) ? root : `${root}${path.sep}`;
@@ -337,12 +691,25 @@ function scanText(text, location, findings) {
     }
   }
   for (const rule of secretLikePatterns) {
-    if (rule.pattern.test(text)) {
+    const unsafeMatch = [...matchPattern(text, rule.pattern)].find((match) => !isSafeSecretExample(rule.id, match[0]));
+    if (unsafeMatch) {
       findings.push(finding(rule.id, "Secret-like value detected and redacted.", location));
     }
   }
 }
 
+function* matchPattern(text, pattern) {
+  const flags = pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`;
+  const globalPattern = new RegExp(pattern.source, flags);
+  yield* text.matchAll(globalPattern);
+}
+
+function isSafeSecretExample(ruleId, matchText) {
+  return safeSecretExamplePatterns.some(
+    (safe) => (safe.id === ruleId || (ruleId === "credential-url" && safe.id === "database-url")) && safe.pattern.test(matchText)
+  );
+}
+
 function createReport({ ok, command, packageDir, manifest, inventory, findings }) {
   return {
     ok,