npm - @basou/core - Versions diffs - 0.8.0 → 0.10.0 - Mend

@basou/core 0.8.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +425 -5
package/dist/index.js +706 -229
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/schemas/event.schema.json +57 -0
package/schemas/session-import.schema.json +75 -0
package/schemas/session.schema.json +18 -0

package/dist/index.js CHANGED Viewed

@@ -767,7 +767,7 @@ function isLazyExpired(approval, now) {
 // src/decisions/decisions-renderer.ts
 import { lstat } from "fs/promises";
-import { dirname, join as join4, resolve } from "path";
+import { dirname as dirname2, join as join6, resolve } from "path";
 // src/events/event-replay.ts
 import { createReadStream } from "fs";
@@ -781,7 +781,14 @@ var BaseEventSchema = z3.object({
   id: EventIdSchema,
   session_id: SessionIdSchema,
   occurred_at: IsoTimestampSchema,
-  source: EventSourceSchema
+  source: EventSourceSchema,
+  // Tamper-evidence back-pointer (hex sha-256 of the PREVIOUS event line's
+  // written bytes; the first line carries the session-bound genesis hash).
+  // Present only on sessions written with chaining enabled (import paths);
+  // live/ad-hoc sessions omit it. Declared on the base so the `.strict()`
+  // variants below treat it as a known key. Additive optional => no
+  // schema_version bump.
+  prev_hash: z3.string().optional()
 });
 var SessionStartedEventSchema = BaseEventSchema.extend({
   type: z3.literal("session_started")
@@ -1006,7 +1013,208 @@ async function readAllEvents(sessionDir, options = {}) {
 // src/storage/sessions.ts
 import { readdir as readdir2 } from "fs/promises";
-import { join as join3 } from "path";
+import { join as join5 } from "path";
+// src/events/chained-append.ts
+import { appendFile, readFile as readFile3 } from "fs/promises";
+import { join as join4 } from "path";
+// src/storage/lockfile.ts
+import { mkdir, readFile as readFile2, unlink as unlink2 } from "fs/promises";
+import { dirname, join as join3 } from "path";
+var STALE_LOCK_MAX_AGE_MS = 60 * 60 * 1e3;
+async function acquireLock(paths, scope, resourceId) {
+  const lockPath = lockfilePath(paths, scope, resourceId);
+  const body = {
+    pid: process.pid,
+    acquired_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const serialised = JSON.stringify(body);
+  try {
+    await atomicCreate(lockPath, serialised);
+  } catch (error) {
+    if (findErrorCode(error, "ENOENT")) {
+      try {
+        await mkdir(dirname(lockPath), { recursive: true });
+        await atomicCreate(lockPath, serialised);
+        return {
+          release: async () => {
+            await unlink2(lockPath).catch(() => void 0);
+          }
+        };
+      } catch (retryError) {
+        throw new Error("Failed to acquire lock", { cause: retryError });
+      }
+    }
+    if (!findErrorCode(error, "EEXIST")) {
+      throw error;
+    }
+    const stale = await isStaleLock(lockPath);
+    if (!stale) {
+      throw new Error("Lock is held by another process", { cause: error });
+    }
+    await unlink2(lockPath).catch(() => void 0);
+    try {
+      await atomicCreate(lockPath, serialised);
+    } catch (retryError) {
+      throw new Error("Lock is held by another process", { cause: retryError });
+    }
+  }
+  return {
+    release: async () => {
+      await unlink2(lockPath).catch(() => void 0);
+    }
+  };
+}
+async function isStaleLock(lockPath) {
+  let body;
+  try {
+    const raw = await readFile2(lockPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null) return true;
+    const candidate = parsed;
+    if (typeof candidate.pid !== "number" || typeof candidate.acquired_at !== "string") {
+      return true;
+    }
+    body = { pid: candidate.pid, acquired_at: candidate.acquired_at };
+  } catch {
+    return true;
+  }
+  const ageMs = Date.now() - Date.parse(body.acquired_at);
+  if (!Number.isFinite(ageMs) || ageMs > STALE_LOCK_MAX_AGE_MS) {
+    return true;
+  }
+  try {
+    process.kill(body.pid, 0);
+    return false;
+  } catch (error) {
+    if (findErrorCode(error, "ESRCH")) return true;
+    return false;
+  }
+}
+function lockfilePath(paths, scope, resourceId) {
+  const sep = resourceId.indexOf("_");
+  const ulid2 = sep >= 0 ? resourceId.slice(sep + 1) : resourceId;
+  return join3(paths.locks, `${scope}_${ulid2}.lock`);
+}
+// src/events/chain.ts
+import { createHash } from "crypto";
+var GENESIS_PREFIX = "basou:event-chain:v1:";
+function genesisHash(sessionId) {
+  return createHash("sha256").update(`${GENESIS_PREFIX}${sessionId}`, "utf8").digest("hex");
+}
+function lineHash(rawLine) {
+  const hash = createHash("sha256");
+  if (typeof rawLine === "string") {
+    hash.update(rawLine, "utf8");
+  } else {
+    hash.update(rawLine);
+  }
+  return hash.digest("hex");
+}
+function serializeEventLine(event) {
+  return JSON.stringify(event);
+}
+function chainEvents(events, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const event of events) {
+    const chained = { ...event, prev_hash: prev };
+    const line = serializeEventLine(chained);
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
+function chainRawJsonLines(rawLines, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const rawLine of rawLines) {
+    const parsed = JSON.parse(rawLine);
+    const line = JSON.stringify({ ...parsed, prev_hash: prev });
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
+// src/events/chained-append.ts
+function splitLinesBytes(buf) {
+  const out = [];
+  let start = 0;
+  for (let i = 0; i < buf.length; i++) {
+    if (buf[i] === 10) {
+      out.push(buf.subarray(start, i));
+      start = i + 1;
+    }
+  }
+  if (start < buf.length) out.push(buf.subarray(start));
+  return out;
+}
+function carriesPrevHash(line) {
+  try {
+    const obj = JSON.parse(line.toString("utf8"));
+    return typeof obj === "object" && obj !== null && "prev_hash" in obj;
+  } catch {
+    return false;
+  }
+}
+async function inspectChainTail(paths, sessionId) {
+  const filePath = join4(paths.sessions, sessionId, "events.jsonl");
+  let raw;
+  try {
+    raw = await readFile3(filePath);
+  } catch (error) {
+    if (findErrorCode(error, "ENOENT")) {
+      return { chained: true, head: genesisHash(sessionId), count: 0 };
+    }
+    throw new Error("Failed to read events.jsonl", { cause: error });
+  }
+  if (raw.length === 0) {
+    return { chained: true, head: genesisHash(sessionId), count: 0 };
+  }
+  if (raw[raw.length - 1] !== 10) {
+    throw new Error("Unterminated final line in events.jsonl");
+  }
+  const lines = splitLinesBytes(raw);
+  const first = lines[0];
+  const last = lines[lines.length - 1];
+  const firstChained = carriesPrevHash(first);
+  if (firstChained !== carriesPrevHash(last)) {
+    throw new Error("events.jsonl is partially chained");
+  }
+  return {
+    chained: firstChained,
+    head: firstChained ? lineHash(last) : genesisHash(sessionId),
+    count: lines.length
+  };
+}
+async function appendChainedEventLocked(paths, sessionId, event) {
+  let validated;
+  try {
+    validated = EventSchema.parse(event);
+  } catch (error) {
+    throw new Error("Invalid Basou event payload", { cause: error });
+  }
+  const tail = await inspectChainTail(paths, sessionId);
+  const line = tail.chained ? serializeEventLine({ ...validated, prev_hash: tail.head }) : serializeEventLine(validated);
+  try {
+    await appendFile(join4(paths.sessions, sessionId, "events.jsonl"), `${line}
+`, "utf8");
+  } catch (error) {
+    throw new Error("Failed to append event to events.jsonl", { cause: error });
+  }
+  return { chained: tail.chained };
+}
+async function appendChainedEvent(paths, sessionId, event) {
+  const lock = await acquireLock(paths, "session", sessionId);
+  try {
+    return await appendChainedEventLocked(paths, sessionId, event);
+  } finally {
+    await lock.release();
+  }
+}
 // src/schemas/session.schema.ts
 import { z as z4 } from "zod";
@@ -1062,6 +1270,10 @@ var SessionMetricsSchema = z4.object({
   active_time_method: z4.string().optional(),
   machine_active_time_ms: z4.number().int().nonnegative().optional()
 });
+var SessionIntegritySchema = z4.object({
+  head_hash: z4.string(),
+  event_count: z4.number().int().nonnegative()
+}).strict();
 var SessionInnerSchema = z4.object({
   id: SessionIdSchema,
   label: z4.string().optional(),
@@ -1077,7 +1289,8 @@ var SessionInnerSchema = z4.object({
   related_files: z4.array(z4.string()).default([]),
   events_log: z4.string().default("events.jsonl"),
   summary: z4.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  integrity: SessionIntegritySchema.optional()
 });
 var SessionSchema = z4.object({
   schema_version: SchemaVersionSchema,
@@ -1096,7 +1309,7 @@ async function enumerateSessionDirs(paths) {
   }
 }
 async function readSessionYaml(paths, sessionId) {
-  const filePath = join3(paths.sessions, sessionId, "session.yaml");
+  const filePath = join5(paths.sessions, sessionId, "session.yaml");
   let raw;
   try {
     raw = await readYamlFile(filePath);
@@ -1110,11 +1323,26 @@ async function readSessionYaml(paths, sessionId) {
   }
   return result.data;
 }
+async function finalizeSessionYaml(paths, sessionId, mutate) {
+  const lock = await acquireLock(paths, "session", sessionId);
+  try {
+    const session = await readSessionYaml(paths, sessionId);
+    mutate(session);
+    const tail = await inspectChainTail(paths, sessionId);
+    if (tail.chained && tail.count > 0) {
+      session.session.integrity = { head_hash: tail.head, event_count: tail.count };
+    }
+    const validated = SessionSchema.parse(session);
+    await overwriteYamlFile(join5(paths.sessions, sessionId, "session.yaml"), validated);
+  } finally {
+    await lock.release();
+  }
+}
 async function classifySuspect(paths, sessionId, session, now, onWarning) {
   if (session.session.status !== "running") {
     return { suspect: false, suspectReason: null };
   }
-  const sessionDir = join3(paths.sessions, sessionId);
+  const sessionDir = join5(paths.sessions, sessionId);
   let endedFound = false;
   let lastEventOccurredAt = null;
   const replayOpts = onWarning !== void 0 ? { onWarning } : {};
@@ -1182,7 +1410,7 @@ async function renderDecisions(input) {
   const decisions = [];
   const knownEventIds = /* @__PURE__ */ new Set();
   for (const entry of entries) {
-    const sessionDir = join4(input.paths.sessions, entry.sessionId);
+    const sessionDir = join6(input.paths.sessions, entry.sessionId);
     try {
       for await (const ev of replayEvents(sessionDir, {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
@@ -1212,7 +1440,7 @@ async function renderDecisions(input) {
     const c = Date.parse(a.occurredAt) - Date.parse(b.occurredAt);
     return c !== 0 ? c : a.decisionId.localeCompare(b.decisionId);
   });
-  const repoRoot = dirname(input.paths.root);
+  const repoRoot = dirname2(input.paths.root);
   const fileExistenceCache = /* @__PURE__ */ new Map();
   async function fileExists(relPath) {
     const cached = fileExistenceCache.get(relPath);
@@ -1287,8 +1515,8 @@ function shortDecisionSessionId(sessionId) {
 }
 // src/events/event-writer.ts
-import { appendFile } from "fs/promises";
-import { join as join5 } from "path";
+import { appendFile as appendFile2 } from "fs/promises";
+import { basename, join as join7 } from "path";
 async function appendEvent(sessionDir, event) {
   let validated;
   try {
@@ -1296,15 +1524,15 @@ async function appendEvent(sessionDir, event) {
   } catch (error) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
-  const line = `${JSON.stringify(validated)}
+  const line = `${serializeEventLine(validated)}
 `;
   try {
-    await appendFile(join5(sessionDir, "events.jsonl"), line, "utf8");
+    await appendFile2(join7(sessionDir, "events.jsonl"), line, "utf8");
   } catch (error) {
     throw new Error("Failed to append event to events.jsonl", { cause: error });
   }
 }
-async function writeEventsBulk(sessionDir, events) {
+async function writeEventsBulk(sessionDir, events, options = {}) {
   const validated = [];
   try {
     for (const event of events) {
@@ -1313,14 +1541,182 @@ async function writeEventsBulk(sessionDir, events) {
   } catch (error) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
-  const filePath = join5(sessionDir, "events.jsonl");
-  const body = validated.length > 0 ? `${validated.map((e) => JSON.stringify(e)).join("\n")}
+  const filePath = join7(sessionDir, "events.jsonl");
+  let body;
+  let result = null;
+  if (options.chain === true) {
+    const { lines, headHash, count } = chainEvents(validated, basename(sessionDir));
+    body = lines.length > 0 ? `${lines.join("\n")}
+` : "";
+    result = count > 0 ? { headHash, count } : null;
+  } else {
+    body = validated.length > 0 ? `${validated.map(serializeEventLine).join("\n")}
 ` : "";
+  }
   try {
     await atomicReplace(filePath, body);
   } catch (error) {
     throw new Error("Failed to write events.jsonl", { cause: error });
   }
+  return result;
+}
+// src/events/verify.ts
+import { readFile as readFile4 } from "fs/promises";
+import { join as join8 } from "path";
+var STRICT_STATUSES = /* @__PURE__ */ new Set([
+  "completed",
+  "failed",
+  "interrupted",
+  "imported",
+  "archived"
+]);
+function isLiveStatus(status) {
+  return !STRICT_STATUSES.has(status);
+}
+async function verifyEventsChain(paths, sessionId) {
+  const first = await verifyOnce(paths, sessionId);
+  if (first.status === "tampered" && first.reason === "anchor_mismatch") {
+    return await verifyOnce(paths, sessionId);
+  }
+  return first;
+}
+async function verifyOnce(paths, sessionId) {
+  const sessionDir = join8(paths.sessions, sessionId);
+  let raw = null;
+  try {
+    raw = await readFile4(join8(sessionDir, "events.jsonl"));
+  } catch (error) {
+    if (!findErrorCode(error, "ENOENT")) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+  }
+  let anchor;
+  try {
+    const session = await readSessionYaml(paths, sessionId);
+    anchor = {
+      kind: "present",
+      integrity: session.session.integrity,
+      status: session.session.status
+    };
+  } catch (error) {
+    if (error instanceof Error && error.message === "YAML file not found") {
+      anchor = { kind: "absent" };
+    } else {
+      anchor = { kind: "unreadable" };
+    }
+  }
+  const terminated = raw === null || raw.length === 0 || raw[raw.length - 1] === 10;
+  const segments = raw === null ? [] : splitLinesBytes2(raw);
+  const tailFragment = !terminated && segments.length > 0 ? segments.pop() : null;
+  const lines = segments;
+  const carriesPrevHash2 = (s) => {
+    try {
+      const obj = JSON.parse(s.toString("utf8"));
+      return typeof obj === "object" && obj !== null && "prev_hash" in obj;
+    } catch {
+      return false;
+    }
+  };
+  const chained = lines.some((l) => l.length > 0 && carriesPrevHash2(l)) || tailFragment !== null && carriesPrevHash2(tailFragment);
+  if (!chained) {
+    if (anchor.kind === "present" && anchor.integrity !== void 0) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "anchor_without_chain"
+      };
+    }
+    if (raw === null || raw.length === 0) {
+      return { status: "empty", eventCount: 0 };
+    }
+    return { status: "unchained", eventCount: lines.length };
+  }
+  let expected = genesisHash(sessionId);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNo = i + 1;
+    if (line.length === 0) {
+      return { status: "tampered", eventCount: lines.length, reason: "blank_line", line: lineNo };
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(line.toString("utf8"));
+    } catch {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "malformed_line",
+        line: lineNo
+      };
+    }
+    const record = parsed;
+    if (typeof record.prev_hash !== "string") {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "missing_prev_hash",
+        line: lineNo
+      };
+    }
+    if (record.prev_hash !== expected) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: i === 0 ? "genesis_mismatch" : "broken_link",
+        line: lineNo
+      };
+    }
+    if (record.session_id !== sessionId) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "session_id_mismatch",
+        line: lineNo
+      };
+    }
+    expected = lineHash(line);
+  }
+  const live = anchor.kind === "present" && isLiveStatus(anchor.status);
+  if (tailFragment !== null || !terminated) {
+    if (live) {
+      return { status: "in_progress", eventCount: lines.length };
+    }
+    return {
+      status: "tampered",
+      eventCount: lines.length,
+      reason: "torn_tail",
+      line: lines.length + 1
+    };
+  }
+  if (anchor.kind === "absent") {
+    return { status: "incomplete", eventCount: lines.length, reason: "yaml_missing" };
+  }
+  if (anchor.kind === "unreadable") {
+    return { status: "tampered", eventCount: lines.length, reason: "yaml_unreadable" };
+  }
+  if (live) {
+    return { status: "in_progress", eventCount: lines.length };
+  }
+  if (anchor.integrity === void 0) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_missing" };
+  }
+  if (anchor.integrity.event_count !== lines.length || anchor.integrity.head_hash !== expected) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_mismatch" };
+  }
+  return { status: "verified", eventCount: lines.length };
+}
+function splitLinesBytes2(buf) {
+  const out = [];
+  let start = 0;
+  for (let i = 0; i < buf.length; i++) {
+    if (buf[i] === 10) {
+      out.push(buf.subarray(start, i));
+      start = i + 1;
+    }
+  }
+  if (start < buf.length) out.push(buf.subarray(start));
+  return out;
 }
 // src/git/snapshot.ts
@@ -1617,12 +2013,12 @@ function parseDiffNameStatus(raw) {
 }
 // src/handoff/handoff-renderer.ts
-import { join as join10 } from "path";
+import { join as join12 } from "path";
 // src/storage/tasks.ts
-import { createHash } from "crypto";
-import { mkdir as mkdir2, readdir as readdir3, readFile as readFile5, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
-import { join as join9 } from "path";
+import { createHash as createHash2 } from "crypto";
+import { mkdir as mkdir3, readdir as readdir3, readFile as readFile7, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
+import { join as join11 } from "path";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
 import { z as z8 } from "zod";
@@ -1664,9 +2060,9 @@ var TaskSchema = z6.object({
 });
 // src/storage/ad-hoc-session.ts
-import { mkdir, rm } from "fs/promises";
+import { mkdir as mkdir2, rm } from "fs/promises";
 import { homedir } from "os";
-import { join as join6 } from "path";
+import { join as join9 } from "path";
 // src/lib/path-sanitizer.ts
 import { posix as path } from "path";
@@ -1746,87 +2142,94 @@ async function createAdHocSessionWithEvent(input) {
       taskId: input.taskId ?? null
     })
   );
-  const sessionDir = join6(input.paths.sessions, sessionId);
+  const sessionDir = join9(input.paths.sessions, sessionId);
+  const sessionYamlPath = join9(sessionDir, "session.yaml");
+  const lock = await acquireLock(input.paths, "session", sessionId);
+  let bulkResult = null;
   try {
-    await mkdir(sessionDir, { recursive: true });
-  } catch (error) {
-    throw new Error("Failed to create session directory", { cause: error });
-  }
-  const sessionYamlPath = join6(sessionDir, "session.yaml");
-  try {
-    await linkYamlFile(sessionYamlPath, initialSession);
-  } catch (error) {
-    await rm(sessionDir, { recursive: true, force: true }).catch(() => void 0);
-    if (findErrorCode(error, "EEXIST")) {
-      throw new Error("Session directory collision (retry the command)", {
-        cause: error
-      });
+    try {
+      await mkdir2(sessionDir, { recursive: true });
+    } catch (error) {
+      throw new Error("Failed to create session directory", { cause: error });
     }
-    throw error;
-  }
-  try {
-    const targetEvents = input.targetEventBuilders.map((build, index) => {
-      const targetEventId = targetEventIds[index];
-      return assertTargetEventIdentity(build(sessionId, targetEventId), sessionId, targetEventId);
-    });
-    const events = [
-      {
-        schema_version: "0.1.0",
-        id: startedEventId,
-        session_id: sessionId,
-        occurred_at: input.occurredAt,
-        source: "local-cli",
-        type: "session_started"
-      },
-      {
-        schema_version: "0.1.0",
-        id: statusToRunningEventId,
-        session_id: sessionId,
-        occurred_at: input.occurredAt,
-        source: "local-cli",
-        type: "session_status_changed",
-        from: "initialized",
-        to: "running"
-      },
-      ...targetEvents,
-      {
-        schema_version: "0.1.0",
-        id: statusToCompletedEventId,
-        session_id: sessionId,
-        occurred_at: input.occurredAt,
-        source: "local-cli",
-        type: "session_status_changed",
-        from: "running",
-        to: "completed"
-      },
-      {
-        schema_version: "0.1.0",
-        id: endedEventId,
-        session_id: sessionId,
-        occurred_at: input.occurredAt,
-        source: "local-cli",
-        type: "session_ended",
-        exit_code: 0
-      }
-    ];
-    await writeEventsBulk(sessionDir, events);
-  } catch (error) {
-    await rm(sessionDir, { recursive: true, force: true }).catch(() => void 0);
-    throw error;
-  }
-  try {
-    const finalSession = SessionSchema.parse({
-      ...initialSession,
-      session: {
-        ...initialSession.session,
-        status: "completed",
-        ended_at: input.occurredAt,
-        invocation: { ...initialSession.session.invocation, exit_code: 0 }
+    try {
+      await linkYamlFile(sessionYamlPath, initialSession);
+    } catch (error) {
+      await rm(sessionDir, { recursive: true, force: true }).catch(() => void 0);
+      if (findErrorCode(error, "EEXIST")) {
+        throw new Error("Session directory collision (retry the command)", {
+          cause: error
+        });
       }
-    });
-    await overwriteYamlFile(sessionYamlPath, finalSession);
-  } catch (error) {
-    throw new FailedToFinalizeError(sessionId, targetEventIds, error);
+      throw error;
+    }
+    try {
+      const targetEvents = input.targetEventBuilders.map((build, index) => {
+        const targetEventId = targetEventIds[index];
+        return assertTargetEventIdentity(build(sessionId, targetEventId), sessionId, targetEventId);
+      });
+      const events = [
+        {
+          schema_version: "0.1.0",
+          id: startedEventId,
+          session_id: sessionId,
+          occurred_at: input.occurredAt,
+          source: "local-cli",
+          type: "session_started"
+        },
+        {
+          schema_version: "0.1.0",
+          id: statusToRunningEventId,
+          session_id: sessionId,
+          occurred_at: input.occurredAt,
+          source: "local-cli",
+          type: "session_status_changed",
+          from: "initialized",
+          to: "running"
+        },
+        ...targetEvents,
+        {
+          schema_version: "0.1.0",
+          id: statusToCompletedEventId,
+          session_id: sessionId,
+          occurred_at: input.occurredAt,
+          source: "local-cli",
+          type: "session_status_changed",
+          from: "running",
+          to: "completed"
+        },
+        {
+          schema_version: "0.1.0",
+          id: endedEventId,
+          session_id: sessionId,
+          occurred_at: input.occurredAt,
+          source: "local-cli",
+          type: "session_ended",
+          exit_code: 0
+        }
+      ];
+      bulkResult = await writeEventsBulk(sessionDir, events, { chain: true });
+    } catch (error) {
+      await rm(sessionDir, { recursive: true, force: true }).catch(() => void 0);
+      throw error;
+    }
+    try {
+      const finalSession = SessionSchema.parse({
+        ...initialSession,
+        session: {
+          ...initialSession.session,
+          status: "completed",
+          ended_at: input.occurredAt,
+          invocation: { ...initialSession.session.invocation, exit_code: 0 },
+          ...bulkResult !== null ? { integrity: { head_hash: bulkResult.headHash, event_count: bulkResult.count } } : {}
+        }
+      });
+      await overwriteYamlFile(sessionYamlPath, finalSession);
+    } catch (error) {
+      throw new FailedToFinalizeError(sessionId, targetEventIds, error);
+    }
+  } finally {
+    await lock.release();
   }
   return {
     sessionId,
@@ -1875,8 +2278,7 @@ async function appendEventToExistingSession(input) {
   }
   const eventId = prefixedUlid("evt");
   const event = assertTargetEventIdentity(input.eventBuilder(eventId), input.sessionId, eventId);
-  const sessionDir = join6(input.paths.sessions, input.sessionId);
-  await appendEvent(sessionDir, event);
+  await appendChainedEventLocked(input.paths, input.sessionId, event);
   return { eventId, sessionStatus: status };
 }
 function assertTargetEventIdentity(event, expectedSessionId, expectedEventId) {
@@ -1889,75 +2291,9 @@ function assertTargetEventIdentity(event, expectedSessionId, expectedEventId) {
   return event;
 }
-// src/storage/lockfile.ts
-import { readFile as readFile3, unlink as unlink2 } from "fs/promises";
-import { join as join7 } from "path";
-var STALE_LOCK_MAX_AGE_MS = 60 * 60 * 1e3;
-async function acquireLock(paths, scope, resourceId) {
-  const lockPath = lockfilePath(paths, scope, resourceId);
-  const body = {
-    pid: process.pid,
-    acquired_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  const serialised = JSON.stringify(body);
-  try {
-    await atomicCreate(lockPath, serialised);
-  } catch (error) {
-    if (!findErrorCode(error, "EEXIST")) {
-      throw error;
-    }
-    const stale = await isStaleLock(lockPath);
-    if (!stale) {
-      throw new Error("Lock is held by another process", { cause: error });
-    }
-    await unlink2(lockPath).catch(() => void 0);
-    try {
-      await atomicCreate(lockPath, serialised);
-    } catch (retryError) {
-      throw new Error("Lock is held by another process", { cause: retryError });
-    }
-  }
-  return {
-    release: async () => {
-      await unlink2(lockPath).catch(() => void 0);
-    }
-  };
-}
-async function isStaleLock(lockPath) {
-  let body;
-  try {
-    const raw = await readFile3(lockPath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed !== "object" || parsed === null) return true;
-    const candidate = parsed;
-    if (typeof candidate.pid !== "number" || typeof candidate.acquired_at !== "string") {
-      return true;
-    }
-    body = { pid: candidate.pid, acquired_at: candidate.acquired_at };
-  } catch {
-    return true;
-  }
-  const ageMs = Date.now() - Date.parse(body.acquired_at);
-  if (!Number.isFinite(ageMs) || ageMs > STALE_LOCK_MAX_AGE_MS) {
-    return true;
-  }
-  try {
-    process.kill(body.pid, 0);
-    return false;
-  } catch (error) {
-    if (findErrorCode(error, "ESRCH")) return true;
-    return false;
-  }
-}
-function lockfilePath(paths, scope, resourceId) {
-  const sep = resourceId.indexOf("_");
-  const ulid2 = sep >= 0 ? resourceId.slice(sep + 1) : resourceId;
-  return join7(paths.locks, `${scope}_${ulid2}.lock`);
-}
 // src/storage/task-index.ts
-import { readFile as readFile4 } from "fs/promises";
-import { join as join8 } from "path";
+import { readFile as readFile6 } from "fs/promises";
+import { join as join10 } from "path";
 // src/schemas/task-index.schema.ts
 import { z as z7 } from "zod";
@@ -1976,13 +2312,13 @@ var TASK_INDEX_SCHEMA_VERSION = "0.1.0";
 // src/storage/task-index.ts
 function taskIndexPath(paths) {
-  return join8(paths.tasks, "index.json");
+  return join10(paths.tasks, "index.json");
 }
 async function readTaskIndex(paths) {
   const filePath = taskIndexPath(paths);
   let raw;
   try {
-    raw = await readFile4(filePath, "utf8");
+    raw = await readFile6(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task index not found", { cause: error });
@@ -2090,10 +2426,10 @@ function splitFrontMatter(raw) {
   return { yamlText, body };
 }
 async function readTaskFile(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join11(paths.tasks, `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(filePath, "utf8");
+    raw = await readFile7(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2123,7 +2459,7 @@ async function readTaskFile(paths, taskId) {
 }
 async function writeTaskFile(paths, taskId, doc, options) {
   const validated = TaskSchema.parse(doc.task);
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join11(paths.tasks, `${taskId}.md`);
   const yamlText = stringifyYaml(validated);
   const trimmedBody = doc.body.length === 0 ? "" : `
 ${doc.body.endsWith("\n") ? doc.body : `${doc.body}
@@ -2208,7 +2544,7 @@ async function safeUpdateTaskIndex(paths, op) {
 }
 var ARCHIVE_DIR_NAME = "archive";
 function archiveTasksDir(paths) {
-  return join9(paths.tasks, ARCHIVE_DIR_NAME);
+  return join11(paths.tasks, ARCHIVE_DIR_NAME);
 }
 async function enumerateArchivedTaskIds(paths) {
   let entries;
@@ -2238,10 +2574,10 @@ async function readTaskFileWithArchiveFallback(paths, taskId) {
       throw error;
     }
   }
-  const archiveFilePath = join9(archiveTasksDir(paths), `${taskId}.md`);
+  const archiveFilePath = join11(archiveTasksDir(paths), `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(archiveFilePath, "utf8");
+    raw = await readFile7(archiveFilePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2532,7 +2868,7 @@ async function createTaskAttachLocked(input) {
       ...sessionDoc,
       session: { ...sessionDoc.session, task_id: input.taskId }
     };
-    await overwriteYamlFile(join9(input.paths.sessions, input.sessionId, "session.yaml"), updated);
+    await overwriteYamlFile(join11(input.paths.sessions, input.sessionId, "session.yaml"), updated);
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -2791,17 +3127,17 @@ function buildUpdatedDoc(input) {
   return { task: next, body: input.currentDoc.body };
 }
 async function computeTaskMdSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
-  const [stats, raw] = await Promise.all([stat2(filePath), readFile5(filePath)]);
-  const hash = createHash("sha256").update(raw).digest("hex");
+  const filePath = join11(paths.tasks, `${taskId}.md`);
+  const [stats, raw] = await Promise.all([stat2(filePath), readFile7(filePath)]);
+  const hash = createHash2("sha256").update(raw).digest("hex");
   return { mtimeMs: stats.mtimeMs, hash };
 }
 async function readTaskFileWithSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join11(paths.tasks, `${taskId}.md`);
   let rawBuffer;
   let stats;
   try {
-    [rawBuffer, stats] = await Promise.all([readFile5(filePath), stat2(filePath)]);
+    [rawBuffer, stats] = await Promise.all([readFile7(filePath), stat2(filePath)]);
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2809,7 +3145,7 @@ async function readTaskFileWithSnapshot(paths, taskId) {
     throw new Error("Failed to read task file", { cause: error });
   }
   const raw = rawBuffer.toString("utf8");
-  const hash = createHash("sha256").update(rawBuffer).digest("hex");
+  const hash = createHash2("sha256").update(rawBuffer).digest("hex");
   let split;
   try {
     split = splitFrontMatter(raw);
@@ -3289,7 +3625,7 @@ async function deleteTaskLocked(input) {
   });
   const eventId = adHoc.targetEventIds[0];
   try {
-    await unlink3(join9(input.paths.tasks, `${input.taskId}.md`));
+    await unlink3(join11(input.paths.tasks, `${input.taskId}.md`));
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -3359,10 +3695,10 @@ async function archiveTaskLocked(input) {
       { task: next, body: doc.body },
       { mode: "overwrite" }
     );
-    await mkdir2(archiveTasksDir(input.paths), { recursive: true });
+    await mkdir3(archiveTasksDir(input.paths), { recursive: true });
     await rename2(
-      join9(input.paths.tasks, `${input.taskId}.md`),
-      join9(archiveTasksDir(input.paths), `${input.taskId}.md`)
+      join11(input.paths.tasks, `${input.taskId}.md`),
+      join11(archiveTasksDir(input.paths), `${input.taskId}.md`)
     );
   } catch (error) {
     throw new TaskWriteAfterEventError({
@@ -3398,7 +3734,7 @@ async function renderHandoff(input) {
   const tasksCreated = [];
   const tasksStatusChanged = [];
   for (const entry of entries) {
-    const sessionDir = join10(input.paths.sessions, entry.sessionId);
+    const sessionDir = join12(input.paths.sessions, entry.sessionId);
     try {
       for await (const ev of replayEvents(sessionDir, {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
@@ -3952,7 +4288,12 @@ var SessionInnerImportSchema = z10.object({
   related_files: z10.array(z10.string()).default([]),
   events_log: z10.string().optional(),
   summary: z10.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  // Accepted so a payload assembled from an on-disk chained session.yaml
+  // round-trips, and DISCARDED by the importer (buildSessionRecord never
+  // copies it): the integrity anchor is computed at write time, never
+  // imported. Mirrors the accept-and-discard of `prev_hash` on events.
+  integrity: SessionIntegritySchema.optional()
 }).strict();
 var SessionImportPayloadSchema = z10.object({
   schema_version: z10.string(),
@@ -4034,7 +4375,7 @@ function serializeJsonSchema(schema) {
 }
 // src/stats/work-stats.ts
-import { join as join11 } from "path";
+import { join as join13 } from "path";
 function resolveTimeZone(timeZone) {
   if (timeZone !== void 0 && timeZone.length > 0) return timeZone;
   return Intl.DateTimeFormat().resolvedOptions().timeZone;
@@ -4065,7 +4406,7 @@ async function computeWorkStats(input) {
     const events = [];
     let eventsUnreadable = false;
     try {
-      for await (const ev of replayEvents(join11(input.paths.sessions, entry.sessionId), {
+      for await (const ev of replayEvents(join13(input.paths.sessions, entry.sessionId), {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
       })) {
         events.push(ev);
@@ -4320,28 +4661,28 @@ function tzDate(ms, timeZone) {
 }
 // src/storage/basou-dir.ts
-import { lstat as lstat3, mkdir as mkdir3 } from "fs/promises";
-import { join as join12 } from "path";
+import { lstat as lstat3, mkdir as mkdir4 } from "fs/promises";
+import { join as join14 } from "path";
 function basouPaths(repositoryRoot) {
-  const root = join12(repositoryRoot, ".basou");
-  const approvalsBase = join12(root, "approvals");
+  const root = join14(repositoryRoot, ".basou");
+  const approvalsBase = join14(root, "approvals");
   return {
     root,
-    sessions: join12(root, "sessions"),
-    tasks: join12(root, "tasks"),
+    sessions: join14(root, "sessions"),
+    tasks: join14(root, "tasks"),
     approvals: {
-      pending: join12(approvalsBase, "pending"),
-      resolved: join12(approvalsBase, "resolved")
+      pending: join14(approvalsBase, "pending"),
+      resolved: join14(approvalsBase, "resolved")
     },
-    locks: join12(root, "locks"),
-    logs: join12(root, "logs"),
-    raw: join12(root, "raw"),
-    tmp: join12(root, "tmp"),
+    locks: join14(root, "locks"),
+    logs: join14(root, "logs"),
+    raw: join14(root, "raw"),
+    tmp: join14(root, "tmp"),
     files: {
-      manifest: join12(root, "manifest.yaml"),
-      status: join12(root, "status.json"),
-      handoff: join12(root, "handoff.md"),
-      decisions: join12(root, "decisions.md")
+      manifest: join14(root, "manifest.yaml"),
+      status: join14(root, "status.json"),
+      handoff: join14(root, "handoff.md"),
+      decisions: join14(root, "decisions.md")
     }
   };
 }
@@ -4382,7 +4723,7 @@ async function ensureBasouDirectory(repositoryRoot) {
 }
 async function mkdirLabeled(target, label) {
   try {
-    await mkdir3(target, { recursive: true });
+    await mkdir4(target, { recursive: true });
   } catch (error) {
     if (hasErrorCode3(error) && (error.code === "ENOTDIR" || error.code === "EEXIST")) {
       throw new Error(`${label} exists but is not a directory`, { cause: error });
@@ -4397,16 +4738,16 @@ function hasErrorCode3(error) {
 }
 // src/storage/gitignore.ts
-import { readFile as readFile6, writeFile as writeFile2 } from "fs/promises";
-import { join as join13 } from "path";
+import { readFile as readFile8, writeFile as writeFile2 } from "fs/promises";
+import { join as join15 } from "path";
 var MARKER = "# Basou - default ignore";
 var BASOU_GITIGNORE_BLOCK = "# Basou - default ignore\n.basou/logs/\n.basou/raw/\n.basou/tmp/\n.basou/locks/\n.basou/status.json\n.basou/sessions/*/events.jsonl\n.basou/sessions/*/artifacts/\n.basou/approvals/pending/\n.basou/approvals/resolved/\n\n# Basou - default commit\n# .basou/manifest.yaml\n# .basou/handoff.md\n# .basou/decisions.md\n# .basou/tasks/\n# .basou/sessions/*/session.yaml\n# .basou/sessions/*/transcript.md\n# .basou/sessions/*/changed-files.json\n";
 async function appendBasouGitignore(repositoryRoot) {
-  const gitignorePath = join13(repositoryRoot, ".gitignore");
+  const gitignorePath = join15(repositoryRoot, ".gitignore");
   let body;
   let existed;
   try {
-    body = await readFile6(gitignorePath, "utf8");
+    body = await readFile8(gitignorePath, "utf8");
     existed = true;
   } catch (error) {
     if (hasErrorCode4(error) && error.code === "ENOENT") {
@@ -4512,12 +4853,12 @@ function hasErrorCode5(error) {
 }
 // src/storage/markdown-store.ts
-import { readFile as readFile7 } from "fs/promises";
+import { readFile as readFile9 } from "fs/promises";
 var GENERATED_START = "<!-- BASOU:GENERATED:START -->";
 var GENERATED_END = "<!-- BASOU:GENERATED:END -->";
 async function readMarkdownFile(filePath) {
   try {
-    return await readFile7(filePath, "utf8");
+    return await readFile9(filePath, "utf8");
   } catch (error) {
     if (hasErrorCode6(error) && error.code === "ENOENT") return null;
     throw new Error("Failed to read markdown file", { cause: error });
@@ -4615,9 +4956,9 @@ function hasErrorCode6(error) {
 }
 // src/storage/session-import.ts
-import { mkdir as mkdir4, rm as rm2 } from "fs/promises";
+import { mkdir as mkdir5, readFile as readFile10, rm as rm2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { join as join14 } from "path";
+import { join as join16 } from "path";
 async function importSessionFromJson(paths, manifest, payload, options) {
   if (options.taskIdOverride !== void 0 && !TaskIdSchema.safeParse(options.taskIdOverride).success) {
     throw new Error(`Invalid task_id: ${options.taskIdOverride}`);
@@ -4642,21 +4983,22 @@ async function importSessionFromJson(paths, manifest, payload, options) {
       pathSanitizeReport
     };
   }
-  const sessionDir = join14(paths.sessions, newSessionId);
+  const sessionDir = join16(paths.sessions, newSessionId);
   try {
-    await mkdir4(sessionDir, { recursive: true });
+    await mkdir5(sessionDir, { recursive: true });
   } catch (error) {
     throw new Error("Failed to create session directory", { cause: error });
   }
+  let chainResult;
   try {
-    await writeEventsBulk(sessionDir, rewrittenEvents);
+    chainResult = await writeEventsBulk(sessionDir, rewrittenEvents, { chain: true });
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     throw error;
   }
   try {
-    const sessionYamlPath = join14(sessionDir, "session.yaml");
-    await linkYamlFile(sessionYamlPath, sessionRecord);
+    const sessionYamlPath = join16(sessionDir, "session.yaml");
+    await linkYamlFile(sessionYamlPath, withIntegrity(sessionRecord, chainResult));
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     if (findErrorCode(error, "EEXIST")) {
@@ -4713,6 +5055,16 @@ function assertChronologicalOrder(events) {
     }
   }
 }
+function withIntegrity(record, chainResult) {
+  if (chainResult === null) return record;
+  return {
+    ...record,
+    session: {
+      ...record.session,
+      integrity: { head_hash: chainResult.headHash, event_count: chainResult.count }
+    }
+  };
+}
 function buildSessionRecord(input, manifest, newSessionId, options) {
   const home = homedir2();
   const workingDirectoryRaw = input.working_directory;
@@ -4813,9 +5165,13 @@ function reuseDerivedIds(priorDerived, freshDerived, sessionId) {
 async function reimportPreservingId(paths, manifest, priorSessionId, freshPayload, options = {}) {
   const sessionId = priorSessionId;
   const importSource = freshPayload.session.source.kind;
-  const sessionDir = join14(paths.sessions, priorSessionId);
+  const sessionDir = join16(paths.sessions, priorSessionId);
   const lock = options.dryRun === true ? null : await acquireLock(paths, "session", priorSessionId);
   try {
+    const priorVerdict = await verifyEventsChain(paths, priorSessionId);
+    if (priorVerdict.status === "tampered") {
+      return { status: "skipped", reason: "prior_chain_broken" };
+    }
     let priorUnreadable = false;
     const priorEvents = await readAllEvents(sessionDir, {
       onWarning: () => {
@@ -4843,20 +5199,35 @@ async function reimportPreservingId(paths, manifest, priorSessionId, freshPayloa
     const { record } = buildSessionRecord(freshPayload.session, manifest, sessionId, {});
     const preservedInner = {
       ...record.session,
-      // A human may have linked this imported session to a task
-      // (`basou task link` updates session.yaml.task_id even for imported
-      // sessions); never drop that link on a re-derive.
+      // Defensive: keep any task_id already present on the prior yaml so a
+      // re-derive never drops a link, whatever wrote it.
       task_id: prior.session.task_id ?? null,
       // Re-derivation always yields a null summary; keep a prior non-null one.
       summary: prior.session.summary ?? record.session.summary ?? null
     };
     const updatedRecord = { schema_version: "0.1.0", session: preservedInner };
     if (options.dryRun !== true) {
-      await writeEventsBulk(sessionDir, mergedEvents);
+      const eventsPath = join16(sessionDir, "events.jsonl");
+      let priorEventsRaw = null;
       try {
-        await overwriteYamlFile(join14(sessionDir, "session.yaml"), updatedRecord);
+        priorEventsRaw = await readFile10(eventsPath);
       } catch (error) {
-        await writeEventsBulk(sessionDir, priorEvents).catch(() => void 0);
+        if (!findErrorCode(error, "ENOENT")) {
+          throw new Error("Failed to read events.jsonl", { cause: error });
+        }
+      }
+      const chainResult = await writeEventsBulk(sessionDir, mergedEvents, { chain: true });
+      try {
+        await overwriteYamlFile(
+          join16(sessionDir, "session.yaml"),
+          withIntegrity(updatedRecord, chainResult)
+        );
+      } catch (error) {
+        if (priorEventsRaw !== null) {
+          await atomicReplace(eventsPath, priorEventsRaw).catch(() => void 0);
+        } else {
+          await rm2(eventsPath, { force: true }).catch(() => void 0);
+        }
         throw error;
       }
     }
@@ -4871,6 +5242,100 @@ async function reimportPreservingId(paths, manifest, priorSessionId, freshPayloa
     await lock?.release();
   }
 }
+async function rechainSessionInPlace(paths, sessionId, options = {}) {
+  const sessionDir = join16(paths.sessions, sessionId);
+  let lock;
+  try {
+    lock = await acquireLock(paths, "session", sessionId);
+  } catch (error) {
+    if (error instanceof Error && error.message === "Lock is held by another process") {
+      throw error;
+    }
+    throw new Error("Failed to acquire lock", { cause: error });
+  }
+  try {
+    let record;
+    try {
+      record = await readSessionYaml(paths, sessionId);
+    } catch (error) {
+      if (error instanceof Error && error.message === "YAML file not found") {
+        return { status: "skipped", reason: "yaml_missing" };
+      }
+      return { status: "skipped", reason: "yaml_unreadable" };
+    }
+    if (record.session.status !== "imported") {
+      return { status: "skipped", reason: "not_imported" };
+    }
+    const verdict = await verifyEventsChain(paths, sessionId);
+    if (verdict.status === "verified") {
+      return { status: "skipped", reason: "already_chained" };
+    }
+    if (verdict.status === "empty") {
+      return { status: "skipped", reason: "empty" };
+    }
+    if (verdict.status !== "unchained") {
+      return { status: "skipped", reason: "tampered" };
+    }
+    const eventsPath = join16(sessionDir, "events.jsonl");
+    let priorRaw;
+    try {
+      priorRaw = await readFile10(eventsPath);
+    } catch (error) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+    if (priorRaw.length === 0 || priorRaw[priorRaw.length - 1] !== 10) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const text = priorRaw.toString("utf8");
+    if (!priorRaw.equals(Buffer.from(text, "utf8"))) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const rawLines = text.slice(0, -1).split("\n");
+    for (const line of rawLines) {
+      if (line.trim().length === 0) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(line);
+      } catch {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (JSON.stringify(parsed) !== line) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (!EventSchema.safeParse(parsed).success) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (parsed.session_id !== sessionId) {
+        return { status: "skipped", reason: "session_id_mismatch" };
+      }
+    }
+    if (options.dryRun === true) {
+      return { status: "rechained", eventCount: rawLines.length };
+    }
+    const chainResult = chainRawJsonLines(rawLines, sessionId);
+    const body = `${chainResult.lines.join("\n")}
+`;
+    try {
+      await atomicReplace(eventsPath, body);
+    } catch (error) {
+      throw new Error("Failed to write events.jsonl", { cause: error });
+    }
+    try {
+      await overwriteYamlFile(
+        join16(sessionDir, "session.yaml"),
+        withIntegrity(record, { headHash: chainResult.headHash, count: chainResult.count })
+      );
+    } catch (error) {
+      await atomicReplace(eventsPath, priorRaw).catch(() => void 0);
+      throw error;
+    }
+    return { status: "rechained", eventCount: chainResult.count };
+  } finally {
+    await lock.release();
+  }
+}
 // src/index.ts
 var BASOU_CORE_VERSION = "0.1.0";
@@ -4900,6 +5365,7 @@ export {
   SessionIdSchema,
   SessionImportPayloadSchema,
   SessionInnerImportSchema,
+  SessionIntegritySchema,
   SessionMetricsSchema,
   SessionSchema,
   SessionSourceKindSchema,
@@ -4912,6 +5378,8 @@ export {
   WorkspaceIdSchema,
   acquireLock,
   appendBasouGitignore,
+  appendChainedEvent,
+  appendChainedEventLocked,
   appendEvent,
   appendEventToExistingSession,
   archiveTask,
@@ -4919,6 +5387,8 @@ export {
   basouPaths,
   buildJsonSchemas,
   buildStatusSnapshot,
+  chainEvents,
+  chainRawJsonLines,
   classifySuspect,
   claudeCodeAdapterMetadata,
   claudeTranscriptToImportPayload,
@@ -4934,13 +5404,17 @@ export {
   enumerateArchivedTaskIds,
   enumerateSessionDirs,
   enumerateTaskIds,
+  finalizeSessionYaml,
   findErrorCode,
+  genesisHash,
   getDiff,
   getSnapshot,
   importSessionFromJson,
+  inspectChainTail,
   isImportDerivedSource,
   isLazyExpired,
   isValidPrefixedId,
+  lineHash,
   linkYamlFile,
   loadApproval,
   loadSessionEntries,
@@ -4957,6 +5431,7 @@ export {
   readTaskFile,
   readTaskFileWithArchiveFallback,
   readYamlFile,
+  rechainSessionInPlace,
   reconcileAllTasks,
   reconcileTask,
   refreshTaskLinkedSessions,
@@ -4972,12 +5447,14 @@ export {
   sanitizePath,
   sanitizeRelatedFiles,
   sanitizeWorkingDirectory,
+  serializeEventLine,
   serializeJsonSchema,
   sessionWorkStatsFromEvents,
   summarizeAdapterOutput,
   tryRemoteUrl,
   ulid,
   updateTaskStatusWithEvent,
+  verifyEventsChain,
   writeEventsBulk,
   writeManifest,
   writeMarkdownFile,