@basou/core 0.7.0 → 0.9.0

package/dist/index.js

@@ -224,7 +224,8 @@ function claudeTranscriptToImportPayload(records, options) {
       source: {
         kind: CLAUDE_IMPORT_SOURCE,
         version: "0.1.0",
-        ...externalId !== void 0 ? { external_id: externalId } : {}
+        ...externalId !== void 0 ? { external_id: externalId } : {},
+        ...options.sourceSizeBytes !== void 0 ? { source_size_bytes: options.sourceSizeBytes } : {}
       },
       started_at: minTs,
       ended_at: maxTs,
@@ -457,7 +458,8 @@ function codexRolloutToImportPayload(records, options) {
       source: {
         kind: CODEX_IMPORT_SOURCE,
         version: "0.1.0",
-        ...externalId !== void 0 ? { external_id: externalId } : {}
+        ...externalId !== void 0 ? { external_id: externalId } : {},
+        ...options.sourceSizeBytes !== void 0 ? { source_size_bytes: options.sourceSizeBytes } : {}
       },
       started_at: minTs,
       ended_at: maxTs,
@@ -779,7 +781,14 @@ var BaseEventSchema = z3.object({
   id: EventIdSchema,
   session_id: SessionIdSchema,
   occurred_at: IsoTimestampSchema,
-  source: EventSourceSchema
+  source: EventSourceSchema,
+  // Tamper-evidence back-pointer (hex sha-256 of the PREVIOUS event line's
+  // written bytes; the first line carries the session-bound genesis hash).
+  // Present only on sessions written with chaining enabled (import paths);
+  // live/ad-hoc sessions omit it. Declared on the base so the `.strict()`
+  // variants below treat it as a known key. Additive optional => no
+  // schema_version bump.
+  prev_hash: z3.string().optional()
 });
 var SessionStartedEventSchema = BaseEventSchema.extend({
   type: z3.literal("session_started")
@@ -1032,7 +1041,15 @@ var SessionSourceSchema = z4.object({
   // Optional id of the originating session in the SOURCE tool's own
   // namespace (e.g. the Claude Code session UUID for a `claude-code-import`).
   // Lets re-imports of the same source be deduplicated; absent for live runs.
-  external_id: z4.string().optional()
+  external_id: z4.string().optional(),
+  // Byte size of the source native log at import time, recorded so a later
+  // import can detect that an append-only transcript GREW and re-import it
+  // (scoped, preserving the session id) instead of skipping it as already
+  // imported. Additive optional => no schema_version bump (precedent:
+  // external_id, metrics). Absent on sessions imported before this field
+  // existed (treated as legacy: never auto-re-imported, populated on the next
+  // fresh import or `--force`).
+  source_size_bytes: z4.number().int().nonnegative().optional()
 });
 var InvocationSchema = z4.object({
   command: z4.string().min(1),
@@ -1052,6 +1069,10 @@ var SessionMetricsSchema = z4.object({
   active_time_method: z4.string().optional(),
   machine_active_time_ms: z4.number().int().nonnegative().optional()
 });
+var SessionIntegritySchema = z4.object({
+  head_hash: z4.string(),
+  event_count: z4.number().int().nonnegative()
+}).strict();
 var SessionInnerSchema = z4.object({
   id: SessionIdSchema,
   label: z4.string().optional(),
@@ -1067,7 +1088,8 @@ var SessionInnerSchema = z4.object({
   related_files: z4.array(z4.string()).default([]),
   events_log: z4.string().default("events.jsonl"),
   summary: z4.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  integrity: SessionIntegritySchema.optional()
 });
 var SessionSchema = z4.object({
   schema_version: SchemaVersionSchema,
@@ -1276,9 +1298,50 @@ function shortDecisionSessionId(sessionId) {
   return sessionId.slice(0, 10);
 }
 
+// src/events/chain.ts
+import { createHash } from "crypto";
+var GENESIS_PREFIX = "basou:event-chain:v1:";
+function genesisHash(sessionId) {
+  return createHash("sha256").update(`${GENESIS_PREFIX}${sessionId}`, "utf8").digest("hex");
+}
+function lineHash(rawLine) {
+  const hash = createHash("sha256");
+  if (typeof rawLine === "string") {
+    hash.update(rawLine, "utf8");
+  } else {
+    hash.update(rawLine);
+  }
+  return hash.digest("hex");
+}
+function serializeEventLine(event) {
+  return JSON.stringify(event);
+}
+function chainEvents(events, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const event of events) {
+    const chained = { ...event, prev_hash: prev };
+    const line = serializeEventLine(chained);
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
+function chainRawJsonLines(rawLines, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const rawLine of rawLines) {
+    const parsed = JSON.parse(rawLine);
+    const line = JSON.stringify({ ...parsed, prev_hash: prev });
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
+
 // src/events/event-writer.ts
 import { appendFile } from "fs/promises";
-import { join as join5 } from "path";
+import { basename, join as join5 } from "path";
 async function appendEvent(sessionDir, event) {
   let validated;
   try {
@@ -1286,7 +1349,7 @@ async function appendEvent(sessionDir, event) {
   } catch (error) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
-  const line = `${JSON.stringify(validated)}
+  const line = `${serializeEventLine(validated)}
 `;
   try {
     await appendFile(join5(sessionDir, "events.jsonl"), line, "utf8");
@@ -1294,7 +1357,7 @@ async function appendEvent(sessionDir, event) {
     throw new Error("Failed to append event to events.jsonl", { cause: error });
   }
 }
-async function writeEventsBulk(sessionDir, events) {
+async function writeEventsBulk(sessionDir, events, options = {}) {
   const validated = [];
   try {
     for (const event of events) {
@@ -1304,13 +1367,153 @@ async function writeEventsBulk(sessionDir, events) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
   const filePath = join5(sessionDir, "events.jsonl");
-  const body = validated.length > 0 ? `${validated.map((e) => JSON.stringify(e)).join("\n")}
+  let body;
+  let result = null;
+  if (options.chain === true) {
+    const { lines, headHash, count } = chainEvents(validated, basename(sessionDir));
+    body = lines.length > 0 ? `${lines.join("\n")}
+` : "";
+    result = count > 0 ? { headHash, count } : null;
+  } else {
+    body = validated.length > 0 ? `${validated.map(serializeEventLine).join("\n")}
 ` : "";
+  }
   try {
     await atomicReplace(filePath, body);
   } catch (error) {
     throw new Error("Failed to write events.jsonl", { cause: error });
   }
+  return result;
+}
+
+// src/events/verify.ts
+import { readFile as readFile2 } from "fs/promises";
+import { join as join6 } from "path";
+async function verifyEventsChain(paths, sessionId) {
+  const sessionDir = join6(paths.sessions, sessionId);
+  let raw = null;
+  try {
+    raw = await readFile2(join6(sessionDir, "events.jsonl"));
+  } catch (error) {
+    if (!findErrorCode(error, "ENOENT")) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+  }
+  let anchor;
+  try {
+    const session = await readSessionYaml(paths, sessionId);
+    anchor = { kind: "present", integrity: session.session.integrity };
+  } catch (error) {
+    if (error instanceof Error && error.message === "YAML file not found") {
+      anchor = { kind: "absent" };
+    } else {
+      anchor = { kind: "unreadable" };
+    }
+  }
+  const terminated = raw === null || raw.length === 0 || raw[raw.length - 1] === 10;
+  const segments = raw === null ? [] : splitLinesBytes(raw);
+  const tailFragment = !terminated && segments.length > 0 ? segments.pop() : null;
+  const lines = segments;
+  const carriesPrevHash = (s) => {
+    try {
+      const obj = JSON.parse(s.toString("utf8"));
+      return typeof obj === "object" && obj !== null && "prev_hash" in obj;
+    } catch {
+      return false;
+    }
+  };
+  const chained = lines.some((l) => l.length > 0 && carriesPrevHash(l)) || tailFragment !== null && carriesPrevHash(tailFragment);
+  if (!chained) {
+    if (anchor.kind === "present" && anchor.integrity !== void 0) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "anchor_without_chain"
+      };
+    }
+    if (raw === null || raw.length === 0) {
+      return { status: "empty", eventCount: 0 };
+    }
+    return { status: "unchained", eventCount: lines.length };
+  }
+  let expected = genesisHash(sessionId);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNo = i + 1;
+    if (line.length === 0) {
+      return { status: "tampered", eventCount: lines.length, reason: "blank_line", line: lineNo };
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(line.toString("utf8"));
+    } catch {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "malformed_line",
+        line: lineNo
+      };
+    }
+    const record = parsed;
+    if (typeof record.prev_hash !== "string") {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "missing_prev_hash",
+        line: lineNo
+      };
+    }
+    if (record.prev_hash !== expected) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: i === 0 ? "genesis_mismatch" : "broken_link",
+        line: lineNo
+      };
+    }
+    if (record.session_id !== sessionId) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "session_id_mismatch",
+        line: lineNo
+      };
+    }
+    expected = lineHash(line);
+  }
+  if (tailFragment !== null || !terminated) {
+    return {
+      status: "tampered",
+      eventCount: lines.length,
+      reason: "torn_tail",
+      line: lines.length + 1
+    };
+  }
+  if (anchor.kind === "absent") {
+    return { status: "incomplete", eventCount: lines.length, reason: "yaml_missing" };
+  }
+  if (anchor.kind === "unreadable") {
+    return { status: "tampered", eventCount: lines.length, reason: "yaml_unreadable" };
+  }
+  if (anchor.integrity === void 0) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_missing" };
+  }
+  if (anchor.integrity.event_count !== lines.length || anchor.integrity.head_hash !== expected) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_mismatch" };
+  }
+  return { status: "verified", eventCount: lines.length };
+}
+function splitLinesBytes(buf) {
+  const out = [];
+  let start = 0;
+  for (let i = 0; i < buf.length; i++) {
+    if (buf[i] === 10) {
+      out.push(buf.subarray(start, i));
+      start = i + 1;
+    }
+  }
+  if (start < buf.length) out.push(buf.subarray(start));
+  return out;
 }
 
 // src/git/snapshot.ts
@@ -1607,12 +1810,12 @@ function parseDiffNameStatus(raw) {
 }
 
 // src/handoff/handoff-renderer.ts
-import { join as join10 } from "path";
+import { join as join11 } from "path";
 
 // src/storage/tasks.ts
-import { createHash } from "crypto";
-import { mkdir as mkdir2, readdir as readdir3, readFile as readFile5, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
-import { join as join9 } from "path";
+import { createHash as createHash2 } from "crypto";
+import { mkdir as mkdir3, readdir as readdir3, readFile as readFile6, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
+import { join as join10 } from "path";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
 import { z as z8 } from "zod";
 
@@ -1656,7 +1859,7 @@ var TaskSchema = z6.object({
 // src/storage/ad-hoc-session.ts
 import { mkdir, rm } from "fs/promises";
 import { homedir } from "os";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 
 // src/lib/path-sanitizer.ts
 import { posix as path } from "path";
@@ -1736,13 +1939,13 @@ async function createAdHocSessionWithEvent(input) {
       taskId: input.taskId ?? null
     })
   );
-  const sessionDir = join6(input.paths.sessions, sessionId);
+  const sessionDir = join7(input.paths.sessions, sessionId);
   try {
     await mkdir(sessionDir, { recursive: true });
   } catch (error) {
     throw new Error("Failed to create session directory", { cause: error });
   }
-  const sessionYamlPath = join6(sessionDir, "session.yaml");
+  const sessionYamlPath = join7(sessionDir, "session.yaml");
   try {
     await linkYamlFile(sessionYamlPath, initialSession);
   } catch (error) {
@@ -1865,7 +2068,7 @@ async function appendEventToExistingSession(input) {
   }
   const eventId = prefixedUlid("evt");
   const event = assertTargetEventIdentity(input.eventBuilder(eventId), input.sessionId, eventId);
-  const sessionDir = join6(input.paths.sessions, input.sessionId);
+  const sessionDir = join7(input.paths.sessions, input.sessionId);
   await appendEvent(sessionDir, event);
   return { eventId, sessionStatus: status };
 }
@@ -1880,8 +2083,8 @@ function assertTargetEventIdentity(event, expectedSessionId, expectedEventId) {
 }
 
 // src/storage/lockfile.ts
-import { readFile as readFile3, unlink as unlink2 } from "fs/promises";
-import { join as join7 } from "path";
+import { mkdir as mkdir2, readFile as readFile4, unlink as unlink2 } from "fs/promises";
+import { dirname as dirname2, join as join8 } from "path";
 var STALE_LOCK_MAX_AGE_MS = 60 * 60 * 1e3;
 async function acquireLock(paths, scope, resourceId) {
   const lockPath = lockfilePath(paths, scope, resourceId);
@@ -1893,6 +2096,19 @@ async function acquireLock(paths, scope, resourceId) {
   try {
     await atomicCreate(lockPath, serialised);
   } catch (error) {
+    if (findErrorCode(error, "ENOENT")) {
+      try {
+        await mkdir2(dirname2(lockPath), { recursive: true });
+        await atomicCreate(lockPath, serialised);
+        return {
+          release: async () => {
+            await unlink2(lockPath).catch(() => void 0);
+          }
+        };
+      } catch (retryError) {
+        throw new Error("Failed to acquire lock", { cause: retryError });
+      }
+    }
     if (!findErrorCode(error, "EEXIST")) {
       throw error;
     }
@@ -1916,7 +2132,7 @@ async function acquireLock(paths, scope, resourceId) {
 async function isStaleLock(lockPath) {
   let body;
   try {
-    const raw = await readFile3(lockPath, "utf8");
+    const raw = await readFile4(lockPath, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed !== "object" || parsed === null) return true;
     const candidate = parsed;
@@ -1942,12 +2158,12 @@ async function isStaleLock(lockPath) {
 function lockfilePath(paths, scope, resourceId) {
   const sep = resourceId.indexOf("_");
   const ulid2 = sep >= 0 ? resourceId.slice(sep + 1) : resourceId;
-  return join7(paths.locks, `${scope}_${ulid2}.lock`);
+  return join8(paths.locks, `${scope}_${ulid2}.lock`);
 }
 
 // src/storage/task-index.ts
-import { readFile as readFile4 } from "fs/promises";
-import { join as join8 } from "path";
+import { readFile as readFile5 } from "fs/promises";
+import { join as join9 } from "path";
 
 // src/schemas/task-index.schema.ts
 import { z as z7 } from "zod";
@@ -1966,13 +2182,13 @@ var TASK_INDEX_SCHEMA_VERSION = "0.1.0";
 
 // src/storage/task-index.ts
 function taskIndexPath(paths) {
-  return join8(paths.tasks, "index.json");
+  return join9(paths.tasks, "index.json");
 }
 async function readTaskIndex(paths) {
   const filePath = taskIndexPath(paths);
   let raw;
   try {
-    raw = await readFile4(filePath, "utf8");
+    raw = await readFile5(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task index not found", { cause: error });
@@ -2080,10 +2296,10 @@ function splitFrontMatter(raw) {
   return { yamlText, body };
 }
 async function readTaskFile(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(filePath, "utf8");
+    raw = await readFile6(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2113,7 +2329,7 @@ async function readTaskFile(paths, taskId) {
 }
 async function writeTaskFile(paths, taskId, doc, options) {
   const validated = TaskSchema.parse(doc.task);
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   const yamlText = stringifyYaml(validated);
   const trimmedBody = doc.body.length === 0 ? "" : `
 ${doc.body.endsWith("\n") ? doc.body : `${doc.body}
@@ -2198,7 +2414,7 @@ async function safeUpdateTaskIndex(paths, op) {
 }
 var ARCHIVE_DIR_NAME = "archive";
 function archiveTasksDir(paths) {
-  return join9(paths.tasks, ARCHIVE_DIR_NAME);
+  return join10(paths.tasks, ARCHIVE_DIR_NAME);
 }
 async function enumerateArchivedTaskIds(paths) {
   let entries;
@@ -2228,10 +2444,10 @@ async function readTaskFileWithArchiveFallback(paths, taskId) {
       throw error;
     }
   }
-  const archiveFilePath = join9(archiveTasksDir(paths), `${taskId}.md`);
+  const archiveFilePath = join10(archiveTasksDir(paths), `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(archiveFilePath, "utf8");
+    raw = await readFile6(archiveFilePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2522,7 +2738,7 @@ async function createTaskAttachLocked(input) {
       ...sessionDoc,
       session: { ...sessionDoc.session, task_id: input.taskId }
     };
-    await overwriteYamlFile(join9(input.paths.sessions, input.sessionId, "session.yaml"), updated);
+    await overwriteYamlFile(join10(input.paths.sessions, input.sessionId, "session.yaml"), updated);
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -2781,17 +2997,17 @@ function buildUpdatedDoc(input) {
   return { task: next, body: input.currentDoc.body };
 }
 async function computeTaskMdSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
-  const [stats, raw] = await Promise.all([stat2(filePath), readFile5(filePath)]);
-  const hash = createHash("sha256").update(raw).digest("hex");
+  const filePath = join10(paths.tasks, `${taskId}.md`);
+  const [stats, raw] = await Promise.all([stat2(filePath), readFile6(filePath)]);
+  const hash = createHash2("sha256").update(raw).digest("hex");
   return { mtimeMs: stats.mtimeMs, hash };
 }
 async function readTaskFileWithSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   let rawBuffer;
   let stats;
   try {
-    [rawBuffer, stats] = await Promise.all([readFile5(filePath), stat2(filePath)]);
+    [rawBuffer, stats] = await Promise.all([readFile6(filePath), stat2(filePath)]);
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2799,7 +3015,7 @@ async function readTaskFileWithSnapshot(paths, taskId) {
     throw new Error("Failed to read task file", { cause: error });
   }
   const raw = rawBuffer.toString("utf8");
-  const hash = createHash("sha256").update(rawBuffer).digest("hex");
+  const hash = createHash2("sha256").update(rawBuffer).digest("hex");
   let split;
   try {
     split = splitFrontMatter(raw);
@@ -3279,7 +3495,7 @@ async function deleteTaskLocked(input) {
   });
   const eventId = adHoc.targetEventIds[0];
   try {
-    await unlink3(join9(input.paths.tasks, `${input.taskId}.md`));
+    await unlink3(join10(input.paths.tasks, `${input.taskId}.md`));
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -3349,10 +3565,10 @@ async function archiveTaskLocked(input) {
       { task: next, body: doc.body },
       { mode: "overwrite" }
     );
-    await mkdir2(archiveTasksDir(input.paths), { recursive: true });
+    await mkdir3(archiveTasksDir(input.paths), { recursive: true });
     await rename2(
-      join9(input.paths.tasks, `${input.taskId}.md`),
-      join9(archiveTasksDir(input.paths), `${input.taskId}.md`)
+      join10(input.paths.tasks, `${input.taskId}.md`),
+      join10(archiveTasksDir(input.paths), `${input.taskId}.md`)
     );
   } catch (error) {
     throw new TaskWriteAfterEventError({
@@ -3388,7 +3604,7 @@ async function renderHandoff(input) {
   const tasksCreated = [];
   const tasksStatusChanged = [];
   for (const entry of entries) {
-    const sessionDir = join10(input.paths.sessions, entry.sessionId);
+    const sessionDir = join11(input.paths.sessions, entry.sessionId);
     try {
       for await (const ev of replayEvents(sessionDir, {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
@@ -3922,7 +4138,13 @@ var SessionInnerImportSchema = z10.object({
     version: z10.literal("0.1.0"),
     // Source-tool-native id (e.g. Claude Code session UUID), retained so
     // re-imports of the same source can be deduplicated.
-    external_id: z10.string().optional()
+    external_id: z10.string().optional(),
+    // Byte size of the source native log at import time. Declared here too
+    // (not only in session.schema.ts) because this inner `source` object is
+    // a plain z.object: zod strips keys it does not declare, so a field
+    // absent here would be dropped from the parsed payload before persist
+    // and the size could never be stored.
+    source_size_bytes: z10.number().int().nonnegative().optional()
   }),
   started_at: IsoTimestampSchema,
   ended_at: IsoTimestampSchema.optional(),
@@ -3936,7 +4158,12 @@ var SessionInnerImportSchema = z10.object({
   related_files: z10.array(z10.string()).default([]),
   events_log: z10.string().optional(),
   summary: z10.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  // Accepted so a payload assembled from an on-disk chained session.yaml
+  // round-trips, and DISCARDED by the importer (buildSessionRecord never
+  // copies it): the integrity anchor is computed at write time, never
+  // imported. Mirrors the accept-and-discard of `prev_hash` on events.
+  integrity: SessionIntegritySchema.optional()
 }).strict();
 var SessionImportPayloadSchema = z10.object({
   schema_version: z10.string(),
@@ -4018,7 +4245,7 @@ function serializeJsonSchema(schema) {
 }
 
 // src/stats/work-stats.ts
-import { join as join11 } from "path";
+import { join as join12 } from "path";
 function resolveTimeZone(timeZone) {
   if (timeZone !== void 0 && timeZone.length > 0) return timeZone;
   return Intl.DateTimeFormat().resolvedOptions().timeZone;
@@ -4049,7 +4276,7 @@ async function computeWorkStats(input) {
     const events = [];
     let eventsUnreadable = false;
     try {
-      for await (const ev of replayEvents(join11(input.paths.sessions, entry.sessionId), {
+      for await (const ev of replayEvents(join12(input.paths.sessions, entry.sessionId), {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
       })) {
         events.push(ev);
@@ -4304,28 +4531,28 @@ function tzDate(ms, timeZone) {
 }
 
 // src/storage/basou-dir.ts
-import { lstat as lstat3, mkdir as mkdir3 } from "fs/promises";
-import { join as join12 } from "path";
+import { lstat as lstat3, mkdir as mkdir4 } from "fs/promises";
+import { join as join13 } from "path";
 function basouPaths(repositoryRoot) {
-  const root = join12(repositoryRoot, ".basou");
-  const approvalsBase = join12(root, "approvals");
+  const root = join13(repositoryRoot, ".basou");
+  const approvalsBase = join13(root, "approvals");
   return {
     root,
-    sessions: join12(root, "sessions"),
-    tasks: join12(root, "tasks"),
+    sessions: join13(root, "sessions"),
+    tasks: join13(root, "tasks"),
     approvals: {
-      pending: join12(approvalsBase, "pending"),
-      resolved: join12(approvalsBase, "resolved")
+      pending: join13(approvalsBase, "pending"),
+      resolved: join13(approvalsBase, "resolved")
     },
-    locks: join12(root, "locks"),
-    logs: join12(root, "logs"),
-    raw: join12(root, "raw"),
-    tmp: join12(root, "tmp"),
+    locks: join13(root, "locks"),
+    logs: join13(root, "logs"),
+    raw: join13(root, "raw"),
+    tmp: join13(root, "tmp"),
     files: {
-      manifest: join12(root, "manifest.yaml"),
-      status: join12(root, "status.json"),
-      handoff: join12(root, "handoff.md"),
-      decisions: join12(root, "decisions.md")
+      manifest: join13(root, "manifest.yaml"),
+      status: join13(root, "status.json"),
+      handoff: join13(root, "handoff.md"),
+      decisions: join13(root, "decisions.md")
     }
   };
 }
@@ -4366,7 +4593,7 @@ async function ensureBasouDirectory(repositoryRoot) {
 }
 async function mkdirLabeled(target, label) {
   try {
-    await mkdir3(target, { recursive: true });
+    await mkdir4(target, { recursive: true });
   } catch (error) {
     if (hasErrorCode3(error) && (error.code === "ENOTDIR" || error.code === "EEXIST")) {
       throw new Error(`${label} exists but is not a directory`, { cause: error });
@@ -4381,16 +4608,16 @@ function hasErrorCode3(error) {
 }
 
 // src/storage/gitignore.ts
-import { readFile as readFile6, writeFile as writeFile2 } from "fs/promises";
-import { join as join13 } from "path";
+import { readFile as readFile7, writeFile as writeFile2 } from "fs/promises";
+import { join as join14 } from "path";
 var MARKER = "# Basou - default ignore";
 var BASOU_GITIGNORE_BLOCK = "# Basou - default ignore\n.basou/logs/\n.basou/raw/\n.basou/tmp/\n.basou/locks/\n.basou/status.json\n.basou/sessions/*/events.jsonl\n.basou/sessions/*/artifacts/\n.basou/approvals/pending/\n.basou/approvals/resolved/\n\n# Basou - default commit\n# .basou/manifest.yaml\n# .basou/handoff.md\n# .basou/decisions.md\n# .basou/tasks/\n# .basou/sessions/*/session.yaml\n# .basou/sessions/*/transcript.md\n# .basou/sessions/*/changed-files.json\n";
 async function appendBasouGitignore(repositoryRoot) {
-  const gitignorePath = join13(repositoryRoot, ".gitignore");
+  const gitignorePath = join14(repositoryRoot, ".gitignore");
   let body;
   let existed;
   try {
-    body = await readFile6(gitignorePath, "utf8");
+    body = await readFile7(gitignorePath, "utf8");
     existed = true;
   } catch (error) {
     if (hasErrorCode4(error) && error.code === "ENOENT") {
@@ -4496,12 +4723,12 @@ function hasErrorCode5(error) {
 }
 
 // src/storage/markdown-store.ts
-import { readFile as readFile7 } from "fs/promises";
+import { readFile as readFile8 } from "fs/promises";
 var GENERATED_START = "<!-- BASOU:GENERATED:START -->";
 var GENERATED_END = "<!-- BASOU:GENERATED:END -->";
 async function readMarkdownFile(filePath) {
   try {
-    return await readFile7(filePath, "utf8");
+    return await readFile8(filePath, "utf8");
   } catch (error) {
     if (hasErrorCode6(error) && error.code === "ENOENT") return null;
     throw new Error("Failed to read markdown file", { cause: error });
@@ -4599,9 +4826,9 @@ function hasErrorCode6(error) {
 }
 
 // src/storage/session-import.ts
-import { mkdir as mkdir4, rm as rm2 } from "fs/promises";
+import { mkdir as mkdir5, readFile as readFile9, rm as rm2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 async function importSessionFromJson(paths, manifest, payload, options) {
   if (options.taskIdOverride !== void 0 && !TaskIdSchema.safeParse(options.taskIdOverride).success) {
     throw new Error(`Invalid task_id: ${options.taskIdOverride}`);
@@ -4626,21 +4853,22 @@ async function importSessionFromJson(paths, manifest, payload, options) {
       pathSanitizeReport
     };
   }
-  const sessionDir = join14(paths.sessions, newSessionId);
+  const sessionDir = join15(paths.sessions, newSessionId);
   try {
-    await mkdir4(sessionDir, { recursive: true });
+    await mkdir5(sessionDir, { recursive: true });
   } catch (error) {
     throw new Error("Failed to create session directory", { cause: error });
   }
+  let chainResult;
   try {
-    await writeEventsBulk(sessionDir, rewrittenEvents);
+    chainResult = await writeEventsBulk(sessionDir, rewrittenEvents, { chain: true });
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     throw error;
   }
   try {
-    const sessionYamlPath = join14(sessionDir, "session.yaml");
-    await linkYamlFile(sessionYamlPath, sessionRecord);
+    const sessionYamlPath = join15(sessionDir, "session.yaml");
+    await linkYamlFile(sessionYamlPath, withIntegrity(sessionRecord, chainResult));
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     if (findErrorCode(error, "EEXIST")) {
@@ -4697,6 +4925,16 @@ function assertChronologicalOrder(events) {
     }
   }
 }
+function withIntegrity(record, chainResult) {
+  if (chainResult === null) return record;
+  return {
+    ...record,
+    session: {
+      ...record.session,
+      integrity: { head_hash: chainResult.headHash, event_count: chainResult.count }
+    }
+  };
+}
 function buildSessionRecord(input, manifest, newSessionId, options) {
   const home = homedir2();
   const workingDirectoryRaw = input.working_directory;
@@ -4731,6 +4969,243 @@ function buildSessionRecord(input, manifest, newSessionId, options) {
     }
   };
 }
+var IMPORT_DERIVED_SOURCES = /* @__PURE__ */ new Set([
+  "claude-code-import",
+  "codex-import"
+]);
+function isImportDerivedSource(source) {
+  return IMPORT_DERIVED_SOURCES.has(source);
+}
+function derivedEventContentKey(event) {
+  const base = `${event.type}\0${event.occurred_at}`;
+  switch (event.type) {
+    case "command_executed":
+      return `${base}\0${event.command}\0${event.args.join("
")}\0${event.cwd}`;
+    case "file_changed":
+      return `${base}\0${event.path}\0${event.change_type}`;
+    case "decision_recorded":
+      return `${base}\0${event.title}`;
+    default:
+      return base;
+  }
+}
+function reuseDerivedIds(priorDerived, freshDerived, sessionId) {
+  const priorStarted = priorDerived.find((e) => e.type === "session_started");
+  const priorEnded = priorDerived.find((e) => e.type === "session_ended");
+  let startedUsed = false;
+  let endedUsed = false;
+  const middleByKey = /* @__PURE__ */ new Map();
+  for (const e of priorDerived) {
+    if (e.type === "session_started" || e.type === "session_ended") continue;
+    const key = derivedEventContentKey(e);
+    const list = middleByKey.get(key);
+    if (list === void 0) middleByKey.set(key, [e]);
+    else list.push(e);
+  }
+  let reusedIdCount = 0;
+  const withReusedId = (fresh, prior) => {
+    reusedIdCount++;
+    if (fresh.type === "decision_recorded" && prior.type === "decision_recorded") {
+      return { ...fresh, id: prior.id, session_id: sessionId, decision_id: prior.decision_id };
+    }
+    return { ...fresh, id: prior.id, session_id: sessionId };
+  };
+  const events = freshDerived.map((fresh) => {
+    if (fresh.type === "session_started") {
+      if (priorStarted !== void 0) {
+        startedUsed = true;
+        return withReusedId(fresh, priorStarted);
+      }
+      return { ...fresh, id: prefixedUlid("evt"), session_id: sessionId };
+    }
+    if (fresh.type === "session_ended") {
+      if (priorEnded !== void 0) {
+        endedUsed = true;
+        return withReusedId(fresh, priorEnded);
+      }
+      return { ...fresh, id: prefixedUlid("evt"), session_id: sessionId };
+    }
+    const match = middleByKey.get(derivedEventContentKey(fresh))?.shift();
+    if (match !== void 0) return withReusedId(fresh, match);
+    return { ...fresh, id: prefixedUlid("evt"), session_id: sessionId };
+  });
+  const droppedPriorDerived = priorStarted !== void 0 && !startedUsed || priorEnded !== void 0 && !endedUsed || [...middleByKey.values()].some((q) => q.length > 0);
+  return { events, reusedIdCount, droppedPriorDerived };
+}
+async function reimportPreservingId(paths, manifest, priorSessionId, freshPayload, options = {}) {
+  const sessionId = priorSessionId;
+  const importSource = freshPayload.session.source.kind;
+  const sessionDir = join15(paths.sessions, priorSessionId);
+  const lock = options.dryRun === true ? null : await acquireLock(paths, "session", priorSessionId);
+  try {
+    const priorVerdict = await verifyEventsChain(paths, priorSessionId);
+    if (priorVerdict.status === "tampered") {
+      return { status: "skipped", reason: "prior_chain_broken" };
+    }
+    let priorUnreadable = false;
+    const priorEvents = await readAllEvents(sessionDir, {
+      onWarning: () => {
+        priorUnreadable = true;
+      }
+    });
+    if (priorUnreadable) {
+      return { status: "skipped", reason: "prior_events_unreadable" };
+    }
+    const priorDerived = priorEvents.filter((e) => e.source === importSource);
+    const preserved = priorEvents.filter((e) => e.source !== importSource);
+    const {
+      events: rederived,
+      reusedIdCount,
+      droppedPriorDerived
+    } = reuseDerivedIds(priorDerived, freshPayload.events, sessionId);
+    if (droppedPriorDerived) {
+      return { status: "skipped", reason: "prior_derived_dropped" };
+    }
+    const mergedEvents = [...rederived, ...preserved].sort(
+      (a, b) => Date.parse(a.occurred_at) - Date.parse(b.occurred_at)
+    );
+    assertChronologicalOrder(mergedEvents);
+    const prior = await readSessionYaml(paths, priorSessionId);
+    const { record } = buildSessionRecord(freshPayload.session, manifest, sessionId, {});
+    const preservedInner = {
+      ...record.session,
+      // Defensive: keep any task_id already present on the prior yaml so a
+      // re-derive never drops a link, whatever wrote it.
+      task_id: prior.session.task_id ?? null,
+      // Re-derivation always yields a null summary; keep a prior non-null one.
+      summary: prior.session.summary ?? record.session.summary ?? null
+    };
+    const updatedRecord = { schema_version: "0.1.0", session: preservedInner };
+    if (options.dryRun !== true) {
+      const eventsPath = join15(sessionDir, "events.jsonl");
+      let priorEventsRaw = null;
+      try {
+        priorEventsRaw = await readFile9(eventsPath);
+      } catch (error) {
+        if (!findErrorCode(error, "ENOENT")) {
+          throw new Error("Failed to read events.jsonl", { cause: error });
+        }
+      }
+      const chainResult = await writeEventsBulk(sessionDir, mergedEvents, { chain: true });
+      try {
+        await overwriteYamlFile(
+          join15(sessionDir, "session.yaml"),
+          withIntegrity(updatedRecord, chainResult)
+        );
+      } catch (error) {
+        if (priorEventsRaw !== null) {
+          await atomicReplace(eventsPath, priorEventsRaw).catch(() => void 0);
+        } else {
+          await rm2(eventsPath, { force: true }).catch(() => void 0);
+        }
+        throw error;
+      }
+    }
+    return {
+      status: "reimported",
+      sessionId,
+      eventCount: mergedEvents.length,
+      preservedCount: preserved.length,
+      reusedIdCount
+    };
+  } finally {
+    await lock?.release();
+  }
+}
+async function rechainSessionInPlace(paths, sessionId, options = {}) {
+  const sessionDir = join15(paths.sessions, sessionId);
+  let lock;
+  try {
+    lock = await acquireLock(paths, "session", sessionId);
+  } catch (error) {
+    if (error instanceof Error && error.message === "Lock is held by another process") {
+      throw error;
+    }
+    throw new Error("Failed to acquire lock", { cause: error });
+  }
+  try {
+    let record;
+    try {
+      record = await readSessionYaml(paths, sessionId);
+    } catch (error) {
+      if (error instanceof Error && error.message === "YAML file not found") {
+        return { status: "skipped", reason: "yaml_missing" };
+      }
+      return { status: "skipped", reason: "yaml_unreadable" };
+    }
+    if (record.session.status !== "imported") {
+      return { status: "skipped", reason: "not_imported" };
+    }
+    const verdict = await verifyEventsChain(paths, sessionId);
+    if (verdict.status === "verified") {
+      return { status: "skipped", reason: "already_chained" };
+    }
+    if (verdict.status === "empty") {
+      return { status: "skipped", reason: "empty" };
+    }
+    if (verdict.status !== "unchained") {
+      return { status: "skipped", reason: "tampered" };
+    }
+    const eventsPath = join15(sessionDir, "events.jsonl");
+    let priorRaw;
+    try {
+      priorRaw = await readFile9(eventsPath);
+    } catch (error) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+    if (priorRaw.length === 0 || priorRaw[priorRaw.length - 1] !== 10) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const text = priorRaw.toString("utf8");
+    if (!priorRaw.equals(Buffer.from(text, "utf8"))) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const rawLines = text.slice(0, -1).split("\n");
+    for (const line of rawLines) {
+      if (line.trim().length === 0) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(line);
+      } catch {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (JSON.stringify(parsed) !== line) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (!EventSchema.safeParse(parsed).success) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (parsed.session_id !== sessionId) {
+        return { status: "skipped", reason: "session_id_mismatch" };
+      }
+    }
+    if (options.dryRun === true) {
+      return { status: "rechained", eventCount: rawLines.length };
+    }
+    const chainResult = chainRawJsonLines(rawLines, sessionId);
+    const body = `${chainResult.lines.join("\n")}
+`;
+    try {
+      await atomicReplace(eventsPath, body);
+    } catch (error) {
+      throw new Error("Failed to write events.jsonl", { cause: error });
+    }
+    try {
+      await overwriteYamlFile(
+        join15(sessionDir, "session.yaml"),
+        withIntegrity(record, { headHash: chainResult.headHash, count: chainResult.count })
+      );
+    } catch (error) {
+      await atomicReplace(eventsPath, priorRaw).catch(() => void 0);
+      throw error;
+    }
+    return { status: "rechained", eventCount: chainResult.count };
+  } finally {
+    await lock.release();
+  }
+}
 
 // src/index.ts
 var BASOU_CORE_VERSION = "0.1.0";
@@ -4760,6 +5235,7 @@ export {
   SessionIdSchema,
   SessionImportPayloadSchema,
   SessionInnerImportSchema,
+  SessionIntegritySchema,
   SessionMetricsSchema,
   SessionSchema,
   SessionSourceKindSchema,
@@ -4779,6 +5255,8 @@ export {
   basouPaths,
   buildJsonSchemas,
   buildStatusSnapshot,
+  chainEvents,
+  chainRawJsonLines,
   classifySuspect,
   claudeCodeAdapterMetadata,
   claudeTranscriptToImportPayload,
@@ -4795,11 +5273,14 @@ export {
   enumerateSessionDirs,
   enumerateTaskIds,
   findErrorCode,
+  genesisHash,
   getDiff,
   getSnapshot,
   importSessionFromJson,
+  isImportDerivedSource,
   isLazyExpired,
   isValidPrefixedId,
+  lineHash,
   linkYamlFile,
   loadApproval,
   loadSessionEntries,
@@ -4816,9 +5297,11 @@ export {
   readTaskFile,
   readTaskFileWithArchiveFallback,
   readYamlFile,
+  rechainSessionInPlace,
   reconcileAllTasks,
   reconcileTask,
   refreshTaskLinkedSessions,
+  reimportPreservingId,
   renderDecisions,
   renderHandoff,
   renderWithMarkers,
@@ -4830,12 +5313,14 @@ export {
   sanitizePath,
   sanitizeRelatedFiles,
   sanitizeWorkingDirectory,
+  serializeEventLine,
   serializeJsonSchema,
   sessionWorkStatsFromEvents,
   summarizeAdapterOutput,
   tryRemoteUrl,
   ulid,
   updateTaskStatusWithEvent,
+  verifyEventsChain,
   writeEventsBulk,
   writeManifest,
   writeMarkdownFile,