npm - @basou/core - Versions diffs - 0.8.0 → 0.9.0 - Mend

@basou/core 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +293 -3
package/dist/index.js +423 -80
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/schemas/event.schema.json +57 -0
package/schemas/session-import.schema.json +75 -0
package/schemas/session.schema.json +18 -0

package/dist/index.js CHANGED Viewed

@@ -781,7 +781,14 @@ var BaseEventSchema = z3.object({
   id: EventIdSchema,
   session_id: SessionIdSchema,
   occurred_at: IsoTimestampSchema,
-  source: EventSourceSchema
+  source: EventSourceSchema,
+  // Tamper-evidence back-pointer (hex sha-256 of the PREVIOUS event line's
+  // written bytes; the first line carries the session-bound genesis hash).
+  // Present only on sessions written with chaining enabled (import paths);
+  // live/ad-hoc sessions omit it. Declared on the base so the `.strict()`
+  // variants below treat it as a known key. Additive optional => no
+  // schema_version bump.
+  prev_hash: z3.string().optional()
 });
 var SessionStartedEventSchema = BaseEventSchema.extend({
   type: z3.literal("session_started")
@@ -1062,6 +1069,10 @@ var SessionMetricsSchema = z4.object({
   active_time_method: z4.string().optional(),
   machine_active_time_ms: z4.number().int().nonnegative().optional()
 });
+var SessionIntegritySchema = z4.object({
+  head_hash: z4.string(),
+  event_count: z4.number().int().nonnegative()
+}).strict();
 var SessionInnerSchema = z4.object({
   id: SessionIdSchema,
   label: z4.string().optional(),
@@ -1077,7 +1088,8 @@ var SessionInnerSchema = z4.object({
   related_files: z4.array(z4.string()).default([]),
   events_log: z4.string().default("events.jsonl"),
   summary: z4.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  integrity: SessionIntegritySchema.optional()
 });
 var SessionSchema = z4.object({
   schema_version: SchemaVersionSchema,
@@ -1286,9 +1298,50 @@ function shortDecisionSessionId(sessionId) {
   return sessionId.slice(0, 10);
 }
+// src/events/chain.ts
+import { createHash } from "crypto";
+var GENESIS_PREFIX = "basou:event-chain:v1:";
+function genesisHash(sessionId) {
+  return createHash("sha256").update(`${GENESIS_PREFIX}${sessionId}`, "utf8").digest("hex");
+}
+function lineHash(rawLine) {
+  const hash = createHash("sha256");
+  if (typeof rawLine === "string") {
+    hash.update(rawLine, "utf8");
+  } else {
+    hash.update(rawLine);
+  }
+  return hash.digest("hex");
+}
+function serializeEventLine(event) {
+  return JSON.stringify(event);
+}
+function chainEvents(events, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const event of events) {
+    const chained = { ...event, prev_hash: prev };
+    const line = serializeEventLine(chained);
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
+function chainRawJsonLines(rawLines, sessionId) {
+  let prev = genesisHash(sessionId);
+  const lines = [];
+  for (const rawLine of rawLines) {
+    const parsed = JSON.parse(rawLine);
+    const line = JSON.stringify({ ...parsed, prev_hash: prev });
+    lines.push(line);
+    prev = lineHash(line);
+  }
+  return { lines, headHash: prev, count: lines.length };
+}
 // src/events/event-writer.ts
 import { appendFile } from "fs/promises";
-import { join as join5 } from "path";
+import { basename, join as join5 } from "path";
 async function appendEvent(sessionDir, event) {
   let validated;
   try {
@@ -1296,7 +1349,7 @@ async function appendEvent(sessionDir, event) {
   } catch (error) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
-  const line = `${JSON.stringify(validated)}
+  const line = `${serializeEventLine(validated)}
 `;
   try {
     await appendFile(join5(sessionDir, "events.jsonl"), line, "utf8");
@@ -1304,7 +1357,7 @@ async function appendEvent(sessionDir, event) {
     throw new Error("Failed to append event to events.jsonl", { cause: error });
   }
 }
-async function writeEventsBulk(sessionDir, events) {
+async function writeEventsBulk(sessionDir, events, options = {}) {
   const validated = [];
   try {
     for (const event of events) {
@@ -1314,13 +1367,153 @@ async function writeEventsBulk(sessionDir, events) {
     throw new Error("Invalid Basou event payload", { cause: error });
   }
   const filePath = join5(sessionDir, "events.jsonl");
-  const body = validated.length > 0 ? `${validated.map((e) => JSON.stringify(e)).join("\n")}
+  let body;
+  let result = null;
+  if (options.chain === true) {
+    const { lines, headHash, count } = chainEvents(validated, basename(sessionDir));
+    body = lines.length > 0 ? `${lines.join("\n")}
 ` : "";
+    result = count > 0 ? { headHash, count } : null;
+  } else {
+    body = validated.length > 0 ? `${validated.map(serializeEventLine).join("\n")}
+` : "";
+  }
   try {
     await atomicReplace(filePath, body);
   } catch (error) {
     throw new Error("Failed to write events.jsonl", { cause: error });
   }
+  return result;
+}
+// src/events/verify.ts
+import { readFile as readFile2 } from "fs/promises";
+import { join as join6 } from "path";
+async function verifyEventsChain(paths, sessionId) {
+  const sessionDir = join6(paths.sessions, sessionId);
+  let raw = null;
+  try {
+    raw = await readFile2(join6(sessionDir, "events.jsonl"));
+  } catch (error) {
+    if (!findErrorCode(error, "ENOENT")) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+  }
+  let anchor;
+  try {
+    const session = await readSessionYaml(paths, sessionId);
+    anchor = { kind: "present", integrity: session.session.integrity };
+  } catch (error) {
+    if (error instanceof Error && error.message === "YAML file not found") {
+      anchor = { kind: "absent" };
+    } else {
+      anchor = { kind: "unreadable" };
+    }
+  }
+  const terminated = raw === null || raw.length === 0 || raw[raw.length - 1] === 10;
+  const segments = raw === null ? [] : splitLinesBytes(raw);
+  const tailFragment = !terminated && segments.length > 0 ? segments.pop() : null;
+  const lines = segments;
+  const carriesPrevHash = (s) => {
+    try {
+      const obj = JSON.parse(s.toString("utf8"));
+      return typeof obj === "object" && obj !== null && "prev_hash" in obj;
+    } catch {
+      return false;
+    }
+  };
+  const chained = lines.some((l) => l.length > 0 && carriesPrevHash(l)) || tailFragment !== null && carriesPrevHash(tailFragment);
+  if (!chained) {
+    if (anchor.kind === "present" && anchor.integrity !== void 0) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "anchor_without_chain"
+      };
+    }
+    if (raw === null || raw.length === 0) {
+      return { status: "empty", eventCount: 0 };
+    }
+    return { status: "unchained", eventCount: lines.length };
+  }
+  let expected = genesisHash(sessionId);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNo = i + 1;
+    if (line.length === 0) {
+      return { status: "tampered", eventCount: lines.length, reason: "blank_line", line: lineNo };
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(line.toString("utf8"));
+    } catch {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "malformed_line",
+        line: lineNo
+      };
+    }
+    const record = parsed;
+    if (typeof record.prev_hash !== "string") {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "missing_prev_hash",
+        line: lineNo
+      };
+    }
+    if (record.prev_hash !== expected) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: i === 0 ? "genesis_mismatch" : "broken_link",
+        line: lineNo
+      };
+    }
+    if (record.session_id !== sessionId) {
+      return {
+        status: "tampered",
+        eventCount: lines.length,
+        reason: "session_id_mismatch",
+        line: lineNo
+      };
+    }
+    expected = lineHash(line);
+  }
+  if (tailFragment !== null || !terminated) {
+    return {
+      status: "tampered",
+      eventCount: lines.length,
+      reason: "torn_tail",
+      line: lines.length + 1
+    };
+  }
+  if (anchor.kind === "absent") {
+    return { status: "incomplete", eventCount: lines.length, reason: "yaml_missing" };
+  }
+  if (anchor.kind === "unreadable") {
+    return { status: "tampered", eventCount: lines.length, reason: "yaml_unreadable" };
+  }
+  if (anchor.integrity === void 0) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_missing" };
+  }
+  if (anchor.integrity.event_count !== lines.length || anchor.integrity.head_hash !== expected) {
+    return { status: "tampered", eventCount: lines.length, reason: "anchor_mismatch" };
+  }
+  return { status: "verified", eventCount: lines.length };
+}
+function splitLinesBytes(buf) {
+  const out = [];
+  let start = 0;
+  for (let i = 0; i < buf.length; i++) {
+    if (buf[i] === 10) {
+      out.push(buf.subarray(start, i));
+      start = i + 1;
+    }
+  }
+  if (start < buf.length) out.push(buf.subarray(start));
+  return out;
 }
 // src/git/snapshot.ts
@@ -1617,12 +1810,12 @@ function parseDiffNameStatus(raw) {
 }
 // src/handoff/handoff-renderer.ts
-import { join as join10 } from "path";
+import { join as join11 } from "path";
 // src/storage/tasks.ts
-import { createHash } from "crypto";
-import { mkdir as mkdir2, readdir as readdir3, readFile as readFile5, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
-import { join as join9 } from "path";
+import { createHash as createHash2 } from "crypto";
+import { mkdir as mkdir3, readdir as readdir3, readFile as readFile6, rename as rename2, stat as stat2, unlink as unlink3 } from "fs/promises";
+import { join as join10 } from "path";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
 import { z as z8 } from "zod";
@@ -1666,7 +1859,7 @@ var TaskSchema = z6.object({
 // src/storage/ad-hoc-session.ts
 import { mkdir, rm } from "fs/promises";
 import { homedir } from "os";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 // src/lib/path-sanitizer.ts
 import { posix as path } from "path";
@@ -1746,13 +1939,13 @@ async function createAdHocSessionWithEvent(input) {
       taskId: input.taskId ?? null
     })
   );
-  const sessionDir = join6(input.paths.sessions, sessionId);
+  const sessionDir = join7(input.paths.sessions, sessionId);
   try {
     await mkdir(sessionDir, { recursive: true });
   } catch (error) {
     throw new Error("Failed to create session directory", { cause: error });
   }
-  const sessionYamlPath = join6(sessionDir, "session.yaml");
+  const sessionYamlPath = join7(sessionDir, "session.yaml");
   try {
     await linkYamlFile(sessionYamlPath, initialSession);
   } catch (error) {
@@ -1875,7 +2068,7 @@ async function appendEventToExistingSession(input) {
   }
   const eventId = prefixedUlid("evt");
   const event = assertTargetEventIdentity(input.eventBuilder(eventId), input.sessionId, eventId);
-  const sessionDir = join6(input.paths.sessions, input.sessionId);
+  const sessionDir = join7(input.paths.sessions, input.sessionId);
   await appendEvent(sessionDir, event);
   return { eventId, sessionStatus: status };
 }
@@ -1890,8 +2083,8 @@ function assertTargetEventIdentity(event, expectedSessionId, expectedEventId) {
 }
 // src/storage/lockfile.ts
-import { readFile as readFile3, unlink as unlink2 } from "fs/promises";
-import { join as join7 } from "path";
+import { mkdir as mkdir2, readFile as readFile4, unlink as unlink2 } from "fs/promises";
+import { dirname as dirname2, join as join8 } from "path";
 var STALE_LOCK_MAX_AGE_MS = 60 * 60 * 1e3;
 async function acquireLock(paths, scope, resourceId) {
   const lockPath = lockfilePath(paths, scope, resourceId);
@@ -1903,6 +2096,19 @@ async function acquireLock(paths, scope, resourceId) {
   try {
     await atomicCreate(lockPath, serialised);
   } catch (error) {
+    if (findErrorCode(error, "ENOENT")) {
+      try {
+        await mkdir2(dirname2(lockPath), { recursive: true });
+        await atomicCreate(lockPath, serialised);
+        return {
+          release: async () => {
+            await unlink2(lockPath).catch(() => void 0);
+          }
+        };
+      } catch (retryError) {
+        throw new Error("Failed to acquire lock", { cause: retryError });
+      }
+    }
     if (!findErrorCode(error, "EEXIST")) {
       throw error;
     }
@@ -1926,7 +2132,7 @@ async function acquireLock(paths, scope, resourceId) {
 async function isStaleLock(lockPath) {
   let body;
   try {
-    const raw = await readFile3(lockPath, "utf8");
+    const raw = await readFile4(lockPath, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed !== "object" || parsed === null) return true;
     const candidate = parsed;
@@ -1952,12 +2158,12 @@ async function isStaleLock(lockPath) {
 function lockfilePath(paths, scope, resourceId) {
   const sep = resourceId.indexOf("_");
   const ulid2 = sep >= 0 ? resourceId.slice(sep + 1) : resourceId;
-  return join7(paths.locks, `${scope}_${ulid2}.lock`);
+  return join8(paths.locks, `${scope}_${ulid2}.lock`);
 }
 // src/storage/task-index.ts
-import { readFile as readFile4 } from "fs/promises";
-import { join as join8 } from "path";
+import { readFile as readFile5 } from "fs/promises";
+import { join as join9 } from "path";
 // src/schemas/task-index.schema.ts
 import { z as z7 } from "zod";
@@ -1976,13 +2182,13 @@ var TASK_INDEX_SCHEMA_VERSION = "0.1.0";
 // src/storage/task-index.ts
 function taskIndexPath(paths) {
-  return join8(paths.tasks, "index.json");
+  return join9(paths.tasks, "index.json");
 }
 async function readTaskIndex(paths) {
   const filePath = taskIndexPath(paths);
   let raw;
   try {
-    raw = await readFile4(filePath, "utf8");
+    raw = await readFile5(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task index not found", { cause: error });
@@ -2090,10 +2296,10 @@ function splitFrontMatter(raw) {
   return { yamlText, body };
 }
 async function readTaskFile(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(filePath, "utf8");
+    raw = await readFile6(filePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2123,7 +2329,7 @@ async function readTaskFile(paths, taskId) {
 }
 async function writeTaskFile(paths, taskId, doc, options) {
   const validated = TaskSchema.parse(doc.task);
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   const yamlText = stringifyYaml(validated);
   const trimmedBody = doc.body.length === 0 ? "" : `
 ${doc.body.endsWith("\n") ? doc.body : `${doc.body}
@@ -2208,7 +2414,7 @@ async function safeUpdateTaskIndex(paths, op) {
 }
 var ARCHIVE_DIR_NAME = "archive";
 function archiveTasksDir(paths) {
-  return join9(paths.tasks, ARCHIVE_DIR_NAME);
+  return join10(paths.tasks, ARCHIVE_DIR_NAME);
 }
 async function enumerateArchivedTaskIds(paths) {
   let entries;
@@ -2238,10 +2444,10 @@ async function readTaskFileWithArchiveFallback(paths, taskId) {
       throw error;
     }
   }
-  const archiveFilePath = join9(archiveTasksDir(paths), `${taskId}.md`);
+  const archiveFilePath = join10(archiveTasksDir(paths), `${taskId}.md`);
   let raw;
   try {
-    raw = await readFile5(archiveFilePath, "utf8");
+    raw = await readFile6(archiveFilePath, "utf8");
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2532,7 +2738,7 @@ async function createTaskAttachLocked(input) {
       ...sessionDoc,
       session: { ...sessionDoc.session, task_id: input.taskId }
     };
-    await overwriteYamlFile(join9(input.paths.sessions, input.sessionId, "session.yaml"), updated);
+    await overwriteYamlFile(join10(input.paths.sessions, input.sessionId, "session.yaml"), updated);
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -2791,17 +2997,17 @@ function buildUpdatedDoc(input) {
   return { task: next, body: input.currentDoc.body };
 }
 async function computeTaskMdSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
-  const [stats, raw] = await Promise.all([stat2(filePath), readFile5(filePath)]);
-  const hash = createHash("sha256").update(raw).digest("hex");
+  const filePath = join10(paths.tasks, `${taskId}.md`);
+  const [stats, raw] = await Promise.all([stat2(filePath), readFile6(filePath)]);
+  const hash = createHash2("sha256").update(raw).digest("hex");
   return { mtimeMs: stats.mtimeMs, hash };
 }
 async function readTaskFileWithSnapshot(paths, taskId) {
-  const filePath = join9(paths.tasks, `${taskId}.md`);
+  const filePath = join10(paths.tasks, `${taskId}.md`);
   let rawBuffer;
   let stats;
   try {
-    [rawBuffer, stats] = await Promise.all([readFile5(filePath), stat2(filePath)]);
+    [rawBuffer, stats] = await Promise.all([readFile6(filePath), stat2(filePath)]);
   } catch (error) {
     if (findErrorCode(error, "ENOENT")) {
       throw new Error("Task file not found", { cause: error });
@@ -2809,7 +3015,7 @@ async function readTaskFileWithSnapshot(paths, taskId) {
     throw new Error("Failed to read task file", { cause: error });
   }
   const raw = rawBuffer.toString("utf8");
-  const hash = createHash("sha256").update(rawBuffer).digest("hex");
+  const hash = createHash2("sha256").update(rawBuffer).digest("hex");
   let split;
   try {
     split = splitFrontMatter(raw);
@@ -3289,7 +3495,7 @@ async function deleteTaskLocked(input) {
   });
   const eventId = adHoc.targetEventIds[0];
   try {
-    await unlink3(join9(input.paths.tasks, `${input.taskId}.md`));
+    await unlink3(join10(input.paths.tasks, `${input.taskId}.md`));
   } catch (error) {
     throw new TaskWriteAfterEventError({
       taskId: input.taskId,
@@ -3359,10 +3565,10 @@ async function archiveTaskLocked(input) {
       { task: next, body: doc.body },
       { mode: "overwrite" }
     );
-    await mkdir2(archiveTasksDir(input.paths), { recursive: true });
+    await mkdir3(archiveTasksDir(input.paths), { recursive: true });
     await rename2(
-      join9(input.paths.tasks, `${input.taskId}.md`),
-      join9(archiveTasksDir(input.paths), `${input.taskId}.md`)
+      join10(input.paths.tasks, `${input.taskId}.md`),
+      join10(archiveTasksDir(input.paths), `${input.taskId}.md`)
     );
   } catch (error) {
     throw new TaskWriteAfterEventError({
@@ -3398,7 +3604,7 @@ async function renderHandoff(input) {
   const tasksCreated = [];
   const tasksStatusChanged = [];
   for (const entry of entries) {
-    const sessionDir = join10(input.paths.sessions, entry.sessionId);
+    const sessionDir = join11(input.paths.sessions, entry.sessionId);
     try {
       for await (const ev of replayEvents(sessionDir, {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
@@ -3952,7 +4158,12 @@ var SessionInnerImportSchema = z10.object({
   related_files: z10.array(z10.string()).default([]),
   events_log: z10.string().optional(),
   summary: z10.string().nullable().optional(),
-  metrics: SessionMetricsSchema.optional()
+  metrics: SessionMetricsSchema.optional(),
+  // Accepted so a payload assembled from an on-disk chained session.yaml
+  // round-trips, and DISCARDED by the importer (buildSessionRecord never
+  // copies it): the integrity anchor is computed at write time, never
+  // imported. Mirrors the accept-and-discard of `prev_hash` on events.
+  integrity: SessionIntegritySchema.optional()
 }).strict();
 var SessionImportPayloadSchema = z10.object({
   schema_version: z10.string(),
@@ -4034,7 +4245,7 @@ function serializeJsonSchema(schema) {
 }
 // src/stats/work-stats.ts
-import { join as join11 } from "path";
+import { join as join12 } from "path";
 function resolveTimeZone(timeZone) {
   if (timeZone !== void 0 && timeZone.length > 0) return timeZone;
   return Intl.DateTimeFormat().resolvedOptions().timeZone;
@@ -4065,7 +4276,7 @@ async function computeWorkStats(input) {
     const events = [];
     let eventsUnreadable = false;
     try {
-      for await (const ev of replayEvents(join11(input.paths.sessions, entry.sessionId), {
+      for await (const ev of replayEvents(join12(input.paths.sessions, entry.sessionId), {
         onWarning: (w) => input.onWarning?.(w, entry.sessionId)
       })) {
         events.push(ev);
@@ -4320,28 +4531,28 @@ function tzDate(ms, timeZone) {
 }
 // src/storage/basou-dir.ts
-import { lstat as lstat3, mkdir as mkdir3 } from "fs/promises";
-import { join as join12 } from "path";
+import { lstat as lstat3, mkdir as mkdir4 } from "fs/promises";
+import { join as join13 } from "path";
 function basouPaths(repositoryRoot) {
-  const root = join12(repositoryRoot, ".basou");
-  const approvalsBase = join12(root, "approvals");
+  const root = join13(repositoryRoot, ".basou");
+  const approvalsBase = join13(root, "approvals");
   return {
     root,
-    sessions: join12(root, "sessions"),
-    tasks: join12(root, "tasks"),
+    sessions: join13(root, "sessions"),
+    tasks: join13(root, "tasks"),
     approvals: {
-      pending: join12(approvalsBase, "pending"),
-      resolved: join12(approvalsBase, "resolved")
+      pending: join13(approvalsBase, "pending"),
+      resolved: join13(approvalsBase, "resolved")
     },
-    locks: join12(root, "locks"),
-    logs: join12(root, "logs"),
-    raw: join12(root, "raw"),
-    tmp: join12(root, "tmp"),
+    locks: join13(root, "locks"),
+    logs: join13(root, "logs"),
+    raw: join13(root, "raw"),
+    tmp: join13(root, "tmp"),
     files: {
-      manifest: join12(root, "manifest.yaml"),
-      status: join12(root, "status.json"),
-      handoff: join12(root, "handoff.md"),
-      decisions: join12(root, "decisions.md")
+      manifest: join13(root, "manifest.yaml"),
+      status: join13(root, "status.json"),
+      handoff: join13(root, "handoff.md"),
+      decisions: join13(root, "decisions.md")
     }
   };
 }
@@ -4382,7 +4593,7 @@ async function ensureBasouDirectory(repositoryRoot) {
 }
 async function mkdirLabeled(target, label) {
   try {
-    await mkdir3(target, { recursive: true });
+    await mkdir4(target, { recursive: true });
   } catch (error) {
     if (hasErrorCode3(error) && (error.code === "ENOTDIR" || error.code === "EEXIST")) {
       throw new Error(`${label} exists but is not a directory`, { cause: error });
@@ -4397,16 +4608,16 @@ function hasErrorCode3(error) {
 }
 // src/storage/gitignore.ts
-import { readFile as readFile6, writeFile as writeFile2 } from "fs/promises";
-import { join as join13 } from "path";
+import { readFile as readFile7, writeFile as writeFile2 } from "fs/promises";
+import { join as join14 } from "path";
 var MARKER = "# Basou - default ignore";
 var BASOU_GITIGNORE_BLOCK = "# Basou - default ignore\n.basou/logs/\n.basou/raw/\n.basou/tmp/\n.basou/locks/\n.basou/status.json\n.basou/sessions/*/events.jsonl\n.basou/sessions/*/artifacts/\n.basou/approvals/pending/\n.basou/approvals/resolved/\n\n# Basou - default commit\n# .basou/manifest.yaml\n# .basou/handoff.md\n# .basou/decisions.md\n# .basou/tasks/\n# .basou/sessions/*/session.yaml\n# .basou/sessions/*/transcript.md\n# .basou/sessions/*/changed-files.json\n";
 async function appendBasouGitignore(repositoryRoot) {
-  const gitignorePath = join13(repositoryRoot, ".gitignore");
+  const gitignorePath = join14(repositoryRoot, ".gitignore");
   let body;
   let existed;
   try {
-    body = await readFile6(gitignorePath, "utf8");
+    body = await readFile7(gitignorePath, "utf8");
     existed = true;
   } catch (error) {
     if (hasErrorCode4(error) && error.code === "ENOENT") {
@@ -4512,12 +4723,12 @@ function hasErrorCode5(error) {
 }
 // src/storage/markdown-store.ts
-import { readFile as readFile7 } from "fs/promises";
+import { readFile as readFile8 } from "fs/promises";
 var GENERATED_START = "<!-- BASOU:GENERATED:START -->";
 var GENERATED_END = "<!-- BASOU:GENERATED:END -->";
 async function readMarkdownFile(filePath) {
   try {
-    return await readFile7(filePath, "utf8");
+    return await readFile8(filePath, "utf8");
   } catch (error) {
     if (hasErrorCode6(error) && error.code === "ENOENT") return null;
     throw new Error("Failed to read markdown file", { cause: error });
@@ -4615,9 +4826,9 @@ function hasErrorCode6(error) {
 }
 // src/storage/session-import.ts
-import { mkdir as mkdir4, rm as rm2 } from "fs/promises";
+import { mkdir as mkdir5, readFile as readFile9, rm as rm2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 async function importSessionFromJson(paths, manifest, payload, options) {
   if (options.taskIdOverride !== void 0 && !TaskIdSchema.safeParse(options.taskIdOverride).success) {
     throw new Error(`Invalid task_id: ${options.taskIdOverride}`);
@@ -4642,21 +4853,22 @@ async function importSessionFromJson(paths, manifest, payload, options) {
       pathSanitizeReport
     };
   }
-  const sessionDir = join14(paths.sessions, newSessionId);
+  const sessionDir = join15(paths.sessions, newSessionId);
   try {
-    await mkdir4(sessionDir, { recursive: true });
+    await mkdir5(sessionDir, { recursive: true });
   } catch (error) {
     throw new Error("Failed to create session directory", { cause: error });
   }
+  let chainResult;
   try {
-    await writeEventsBulk(sessionDir, rewrittenEvents);
+    chainResult = await writeEventsBulk(sessionDir, rewrittenEvents, { chain: true });
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     throw error;
   }
   try {
-    const sessionYamlPath = join14(sessionDir, "session.yaml");
-    await linkYamlFile(sessionYamlPath, sessionRecord);
+    const sessionYamlPath = join15(sessionDir, "session.yaml");
+    await linkYamlFile(sessionYamlPath, withIntegrity(sessionRecord, chainResult));
   } catch (error) {
     await rm2(sessionDir, { recursive: true, force: true }).catch(() => void 0);
     if (findErrorCode(error, "EEXIST")) {
@@ -4713,6 +4925,16 @@ function assertChronologicalOrder(events) {
     }
   }
 }
+function withIntegrity(record, chainResult) {
+  if (chainResult === null) return record;
+  return {
+    ...record,
+    session: {
+      ...record.session,
+      integrity: { head_hash: chainResult.headHash, event_count: chainResult.count }
+    }
+  };
+}
 function buildSessionRecord(input, manifest, newSessionId, options) {
   const home = homedir2();
   const workingDirectoryRaw = input.working_directory;
@@ -4813,9 +5035,13 @@ function reuseDerivedIds(priorDerived, freshDerived, sessionId) {
 async function reimportPreservingId(paths, manifest, priorSessionId, freshPayload, options = {}) {
   const sessionId = priorSessionId;
   const importSource = freshPayload.session.source.kind;
-  const sessionDir = join14(paths.sessions, priorSessionId);
+  const sessionDir = join15(paths.sessions, priorSessionId);
   const lock = options.dryRun === true ? null : await acquireLock(paths, "session", priorSessionId);
   try {
+    const priorVerdict = await verifyEventsChain(paths, priorSessionId);
+    if (priorVerdict.status === "tampered") {
+      return { status: "skipped", reason: "prior_chain_broken" };
+    }
     let priorUnreadable = false;
     const priorEvents = await readAllEvents(sessionDir, {
       onWarning: () => {
@@ -4843,20 +5069,35 @@ async function reimportPreservingId(paths, manifest, priorSessionId, freshPayloa
     const { record } = buildSessionRecord(freshPayload.session, manifest, sessionId, {});
     const preservedInner = {
       ...record.session,
-      // A human may have linked this imported session to a task
-      // (`basou task link` updates session.yaml.task_id even for imported
-      // sessions); never drop that link on a re-derive.
+      // Defensive: keep any task_id already present on the prior yaml so a
+      // re-derive never drops a link, whatever wrote it.
       task_id: prior.session.task_id ?? null,
       // Re-derivation always yields a null summary; keep a prior non-null one.
       summary: prior.session.summary ?? record.session.summary ?? null
     };
     const updatedRecord = { schema_version: "0.1.0", session: preservedInner };
     if (options.dryRun !== true) {
-      await writeEventsBulk(sessionDir, mergedEvents);
+      const eventsPath = join15(sessionDir, "events.jsonl");
+      let priorEventsRaw = null;
+      try {
+        priorEventsRaw = await readFile9(eventsPath);
+      } catch (error) {
+        if (!findErrorCode(error, "ENOENT")) {
+          throw new Error("Failed to read events.jsonl", { cause: error });
+        }
+      }
+      const chainResult = await writeEventsBulk(sessionDir, mergedEvents, { chain: true });
       try {
-        await overwriteYamlFile(join14(sessionDir, "session.yaml"), updatedRecord);
+        await overwriteYamlFile(
+          join15(sessionDir, "session.yaml"),
+          withIntegrity(updatedRecord, chainResult)
+        );
       } catch (error) {
-        await writeEventsBulk(sessionDir, priorEvents).catch(() => void 0);
+        if (priorEventsRaw !== null) {
+          await atomicReplace(eventsPath, priorEventsRaw).catch(() => void 0);
+        } else {
+          await rm2(eventsPath, { force: true }).catch(() => void 0);
+        }
         throw error;
       }
     }
@@ -4871,6 +5112,100 @@ async function reimportPreservingId(paths, manifest, priorSessionId, freshPayloa
     await lock?.release();
   }
 }
+async function rechainSessionInPlace(paths, sessionId, options = {}) {
+  const sessionDir = join15(paths.sessions, sessionId);
+  let lock;
+  try {
+    lock = await acquireLock(paths, "session", sessionId);
+  } catch (error) {
+    if (error instanceof Error && error.message === "Lock is held by another process") {
+      throw error;
+    }
+    throw new Error("Failed to acquire lock", { cause: error });
+  }
+  try {
+    let record;
+    try {
+      record = await readSessionYaml(paths, sessionId);
+    } catch (error) {
+      if (error instanceof Error && error.message === "YAML file not found") {
+        return { status: "skipped", reason: "yaml_missing" };
+      }
+      return { status: "skipped", reason: "yaml_unreadable" };
+    }
+    if (record.session.status !== "imported") {
+      return { status: "skipped", reason: "not_imported" };
+    }
+    const verdict = await verifyEventsChain(paths, sessionId);
+    if (verdict.status === "verified") {
+      return { status: "skipped", reason: "already_chained" };
+    }
+    if (verdict.status === "empty") {
+      return { status: "skipped", reason: "empty" };
+    }
+    if (verdict.status !== "unchained") {
+      return { status: "skipped", reason: "tampered" };
+    }
+    const eventsPath = join15(sessionDir, "events.jsonl");
+    let priorRaw;
+    try {
+      priorRaw = await readFile9(eventsPath);
+    } catch (error) {
+      throw new Error("Failed to read events.jsonl", { cause: error });
+    }
+    if (priorRaw.length === 0 || priorRaw[priorRaw.length - 1] !== 10) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const text = priorRaw.toString("utf8");
+    if (!priorRaw.equals(Buffer.from(text, "utf8"))) {
+      return { status: "skipped", reason: "events_unreadable" };
+    }
+    const rawLines = text.slice(0, -1).split("\n");
+    for (const line of rawLines) {
+      if (line.trim().length === 0) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(line);
+      } catch {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (JSON.stringify(parsed) !== line) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (!EventSchema.safeParse(parsed).success) {
+        return { status: "skipped", reason: "events_unreadable" };
+      }
+      if (parsed.session_id !== sessionId) {
+        return { status: "skipped", reason: "session_id_mismatch" };
+      }
+    }
+    if (options.dryRun === true) {
+      return { status: "rechained", eventCount: rawLines.length };
+    }
+    const chainResult = chainRawJsonLines(rawLines, sessionId);
+    const body = `${chainResult.lines.join("\n")}
+`;
+    try {
+      await atomicReplace(eventsPath, body);
+    } catch (error) {
+      throw new Error("Failed to write events.jsonl", { cause: error });
+    }
+    try {
+      await overwriteYamlFile(
+        join15(sessionDir, "session.yaml"),
+        withIntegrity(record, { headHash: chainResult.headHash, count: chainResult.count })
+      );
+    } catch (error) {
+      await atomicReplace(eventsPath, priorRaw).catch(() => void 0);
+      throw error;
+    }
+    return { status: "rechained", eventCount: chainResult.count };
+  } finally {
+    await lock.release();
+  }
+}
 // src/index.ts
 var BASOU_CORE_VERSION = "0.1.0";
@@ -4900,6 +5235,7 @@ export {
   SessionIdSchema,
   SessionImportPayloadSchema,
   SessionInnerImportSchema,
+  SessionIntegritySchema,
   SessionMetricsSchema,
   SessionSchema,
   SessionSourceKindSchema,
@@ -4919,6 +5255,8 @@ export {
   basouPaths,
   buildJsonSchemas,
   buildStatusSnapshot,
+  chainEvents,
+  chainRawJsonLines,
   classifySuspect,
   claudeCodeAdapterMetadata,
   claudeTranscriptToImportPayload,
@@ -4935,12 +5273,14 @@ export {
   enumerateSessionDirs,
   enumerateTaskIds,
   findErrorCode,
+  genesisHash,
   getDiff,
   getSnapshot,
   importSessionFromJson,
   isImportDerivedSource,
   isLazyExpired,
   isValidPrefixedId,
+  lineHash,
   linkYamlFile,
   loadApproval,
   loadSessionEntries,
@@ -4957,6 +5297,7 @@ export {
   readTaskFile,
   readTaskFileWithArchiveFallback,
   readYamlFile,
+  rechainSessionInPlace,
   reconcileAllTasks,
   reconcileTask,
   refreshTaskLinkedSessions,
@@ -4972,12 +5313,14 @@ export {
   sanitizePath,
   sanitizeRelatedFiles,
   sanitizeWorkingDirectory,
+  serializeEventLine,
   serializeJsonSchema,
   sessionWorkStatsFromEvents,
   summarizeAdapterOutput,
   tryRemoteUrl,
   ulid,
   updateTaskStatusWithEvent,
+  verifyEventsChain,
   writeEventsBulk,
   writeManifest,
   writeMarkdownFile,