@besales/ops-framework 0.1.0

package/bin/validate-check-artifacts.mjs

@@ -0,0 +1,418 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import {
+  ALLOWED_CLAIM_CATEGORIES,
+  ALLOWED_FAILURE_REASONS,
+  ALLOWED_REF_TYPES,
+  ALLOWED_RESOLUTION_DECISIONS,
+  ALLOWED_RISK_PROFILES,
+  ALLOWED_RISK_TRIGGERS,
+  ALLOWED_SEVERITIES,
+  ALLOWED_VERDICTS,
+  RISK_CONFIG,
+  buildCheckContext,
+  computeTaskContextInputs,
+  readJsonFile,
+  resolveTaskDir,
+} from './lib/check-context-utils.mjs';
+
+const INVALID_JSON = Symbol('invalid-json');
+
+function main() {
+  const taskArg = process.argv[2];
+  if (!taskArg) {
+    fail('Usage: node ops/agent-pipeline/bin/validate-check-artifacts.mjs <TASK-id-or-task-path> [--skip-resolution]');
+  }
+  const skipResolution = process.argv.includes('--skip-resolution');
+
+  const errors = [];
+  const warnings = [];
+
+  try {
+    const taskDir = resolveTaskDir(taskArg);
+    const taskId = path.basename(taskDir);
+    const inputs = computeTaskContextInputs(taskDir);
+    const expectedContext = buildCheckContext({
+      taskId,
+      inputs,
+      createdAt: null,
+    });
+
+    validateCheckContext({
+      taskDir,
+      expectedContext,
+      errors,
+    });
+
+    const result = readOptionalJson(path.join(taskDir, 'check.result.json'), errors);
+    if (result === null) {
+      warnings.push('Check incomplete: check.result.json is missing.');
+    } else if (result !== INVALID_JSON) {
+      validateCheckResult({
+        result,
+        expectedContext,
+        qualityGates: inputs.qualityGates,
+        errors,
+      });
+
+      if (result.verdict === 'return_to_plan' && !skipResolution) {
+        validateCheckResolution({
+          taskDir,
+          result,
+          errors,
+        });
+      }
+    }
+
+    printResult({ taskId, errors, warnings });
+  } catch (error) {
+    errors.push(error.message);
+    printResult({ taskId: 'unknown', errors, warnings });
+  }
+}
+
+function validateCheckContext({ taskDir, expectedContext, errors }) {
+  const contextPath = path.join(taskDir, 'check-context.json');
+  if (!fs.existsSync(contextPath)) {
+    errors.push('Missing check-context.json. Run agent:build-check-context first.');
+    return;
+  }
+
+  let context;
+  try {
+    context = readJsonFile(contextPath);
+  } catch (error) {
+    errors.push(`Invalid check-context.json: ${error.message}`);
+    return;
+  }
+
+  requireString(context, 'taskId', errors);
+  expectEqual(context.taskId, expectedContext.taskId, 'check-context.taskId', errors);
+  expectEqual(context.stage, 'Check', 'check-context.stage', errors);
+  expectEqual(context.planSha, expectedContext.planSha, 'check-context.planSha', errors);
+  expectEqual(context.planFingerprintVersion, expectedContext.planFingerprintVersion, 'check-context.planFingerprintVersion', errors);
+  expectEqual(context.memorySha, expectedContext.memorySha, 'check-context.memorySha', errors);
+  expectArrayEqual(context.riskTriggers, expectedContext.riskTriggers, 'check-context.riskTriggers', errors);
+  expectEqual(context.riskProfile, expectedContext.riskProfile, 'check-context.riskProfile', errors);
+  expectEqual(context.memoryDeliveryMode, 'inline', 'check-context.memoryDeliveryMode', errors);
+  expectEqual(context.contextBudgetTokens, RISK_CONFIG[expectedContext.riskProfile].contextBudgetTokens, 'check-context.contextBudgetTokens', errors);
+  expectEqual(context.maxRepoReads, RISK_CONFIG[expectedContext.riskProfile].maxRepoReads, 'check-context.maxRepoReads', errors);
+  expectEqual(context.evidenceFile, 'check-evidence.md', 'check-context.evidenceFile', errors);
+  expectEqual(context.checkerContextPackFile, expectedContext.checkerContextPackFile, 'check-context.checkerContextPackFile', errors);
+  expectEqual(context.checkerContextPackSha, expectedContext.checkerContextPackSha, 'check-context.checkerContextPackSha', errors);
+  expectArrayEqual(context.referencedFiles, expectedContext.referencedFiles, 'check-context.referencedFiles', errors);
+
+  validateRiskProfile(context.riskProfile, errors, 'check-context.riskProfile');
+  validateRiskTriggers(context.riskTriggers, errors, 'check-context.riskTriggers');
+  expectObjectArrayEqual(context.memoryFiles, expectedContext.memoryFiles, 'check-context.memoryFiles', errors);
+  expectObjectArrayEqual(context.taskArtifacts, expectedContext.taskArtifacts, 'check-context.taskArtifacts', errors);
+  validateSha(context.planSha, errors, 'check-context.planSha');
+  validateSha(context.memorySha, errors, 'check-context.memorySha');
+  validateSha(context.checkerContextPackSha, errors, 'check-context.checkerContextPackSha');
+  if (context.checkerContextPackFile && !fs.existsSync(path.join(taskDir, context.checkerContextPackFile))) {
+    errors.push(`Missing ${context.checkerContextPackFile}. Run agent:build-check-context first.`);
+  }
+}
+
+function validateCheckResult({ result, expectedContext, qualityGates, errors }) {
+  requireString(result, 'checkerProvider', errors, 'check.result');
+  requireString(result, 'checkerModel', errors, 'check.result');
+  requireString(result, 'createdAt', errors, 'check.result');
+  expectEqual(result.stage, 'Check', 'check.result.stage', errors);
+  expectEqual(result.taskId, expectedContext.taskId, 'check.result.taskId', errors);
+  expectEqual(result.planSha, expectedContext.planSha, 'check.result.planSha', errors);
+  expectEqual(result.memorySha, expectedContext.memorySha, 'check.result.memorySha', errors);
+  expectEqual(result.riskProfile, expectedContext.riskProfile, 'check.result.riskProfile', errors);
+  validateSha(result.planSha, errors, 'check.result.planSha');
+  validateSha(result.memorySha, errors, 'check.result.memorySha');
+
+  if (!ALLOWED_VERDICTS.includes(result.verdict)) {
+    errors.push(`check.result.verdict is not allowed: ${formatValue(result.verdict)}`);
+  }
+
+  if (result.verdict === 'checker_failed') {
+    if (!ALLOWED_FAILURE_REASONS.includes(result.failureReason)) {
+      errors.push(`check.result.failureReason is required and must be allowed when verdict=checker_failed: ${formatValue(result.failureReason)}`);
+    }
+  } else if (result.verdict === 'context_insufficient') {
+    if (result.failureReason !== null && result.failureReason !== 'context_insufficient') {
+      errors.push('check.result.failureReason must be null or context_insufficient when verdict=context_insufficient.');
+    }
+  } else if (result.failureReason !== null) {
+    errors.push('check.result.failureReason must be null unless verdict=checker_failed.');
+  }
+
+  if (!Array.isArray(result.findings)) {
+    errors.push('check.result.findings must be an array.');
+    return;
+  }
+
+  const seenIds = new Set();
+  result.findings.forEach((finding, index) => {
+    validateFinding(finding, index, seenIds, errors);
+  });
+
+  const blockingFindings = result.findings.filter((finding) => finding.severity === 'blocking').length;
+  const nonBlockingFindings = result.findings.filter((finding) => finding.severity === 'non_blocking').length;
+  const humanQuestions = result.findings.filter((finding) => finding.severity === 'question').length;
+  expectEqual(result.blockingFindings, blockingFindings, 'check.result.blockingFindings', errors);
+  expectEqual(result.nonBlockingFindings, nonBlockingFindings, 'check.result.nonBlockingFindings', errors);
+  expectEqual(result.humanQuestions, humanQuestions, 'check.result.humanQuestions', errors);
+
+  const expectedReady = result.verdict === 'ready_for_human_gate';
+  expectEqual(result.readyForHumanGate, expectedReady, 'check.result.readyForHumanGate', errors);
+
+  if (result.verdict === 'ready_for_human_gate' && blockingFindings > 0) {
+    errors.push('check.result.verdict cannot be ready_for_human_gate while blocking findings are present.');
+  }
+  if (result.verdict === 'ready_for_human_gate' && qualityGates?.missingSignals?.length > 0) {
+    for (const signal of qualityGates.missingSignals) {
+      errors.push(`check.result.verdict cannot be ready_for_human_gate while deterministic quality gate is missing: ${signal}`);
+    }
+  }
+  if (result.verdict === 'return_to_plan' && blockingFindings === 0) {
+    errors.push('check.result.verdict return_to_plan requires at least one blocking finding.');
+  }
+}
+
+function validateFinding(finding, index, seenIds, errors) {
+  const prefix = `check.result.findings[${index}]`;
+  if (!finding || typeof finding !== 'object' || Array.isArray(finding)) {
+    errors.push(`${prefix} must be an object.`);
+    return;
+  }
+
+  const expectedId = `F-${String(index + 1).padStart(3, '0')}`;
+  if (!/^F-\d{3}$/.test(finding.id ?? '')) {
+    errors.push(`${prefix}.id must match F-001 format.`);
+  } else if (finding.id !== expectedId) {
+    errors.push(`${prefix}.id must be consecutive; expected ${expectedId}, got ${finding.id}.`);
+  } else if (seenIds.has(finding.id)) {
+    errors.push(`${prefix}.id duplicates ${finding.id}.`);
+  } else {
+    seenIds.add(finding.id);
+  }
+
+  if (!ALLOWED_SEVERITIES.includes(finding.severity)) {
+    errors.push(`${prefix}.severity is not allowed: ${formatValue(finding.severity)}`);
+  }
+  if (!ALLOWED_CLAIM_CATEGORIES.includes(finding.claimCategory)) {
+    errors.push(`${prefix}.claimCategory is not allowed: ${formatValue(finding.claimCategory)}`);
+  }
+  requireString(finding, 'claim', errors, prefix);
+  requireString(finding, 'expectedCorrection', errors, prefix);
+  validateRefs(finding.evidenceRefs, `${prefix}.evidenceRefs`, errors, {
+    allowEmpty: finding.severity === 'blocking' && finding.claimCategory === 'missing_evidence',
+  });
+  if (!Array.isArray(finding.affectedPlanSections) || finding.affectedPlanSections.some((value) => typeof value !== 'string' || !value.trim())) {
+    errors.push(`${prefix}.affectedPlanSections must be a non-empty string array.`);
+  }
+}
+
+function validateCheckResolution({ taskDir, result, errors }) {
+  const resolutionPath = path.join(taskDir, 'check-resolution.md');
+  if (!fs.existsSync(resolutionPath)) {
+    errors.push('check.result verdict is return_to_plan but check-resolution.md is missing.');
+    return;
+  }
+
+  const resolutionJson = extractStructuredResolution(fs.readFileSync(resolutionPath, 'utf8'));
+  if (!resolutionJson) {
+    errors.push('check-resolution.md must contain a fenced JSON block after "Structured Resolution".');
+    return;
+  }
+
+  let resolution;
+  try {
+    resolution = JSON.parse(resolutionJson);
+  } catch (error) {
+    errors.push(`Invalid Structured Resolution JSON: ${error.message}`);
+    return;
+  }
+
+  expectEqual(resolution.taskId, result.taskId, 'check-resolution.taskId', errors);
+  expectEqual(resolution.checkerPlanSha, result.planSha, 'check-resolution.checkerPlanSha', errors);
+  validateSha(resolution.checkerPlanSha, errors, 'check-resolution.checkerPlanSha');
+
+  if (!Array.isArray(resolution.responses)) {
+    errors.push('check-resolution Structured Resolution responses must be an array.');
+    return;
+  }
+
+  const blockingFindingIds = new Set(result.findings.filter((item) => item.severity === 'blocking').map((finding) => finding.id));
+  const responsesByFindingId = new Map();
+  resolution.responses.forEach((response, index) => {
+    validateResolutionResponse(response, index, responsesByFindingId, errors);
+    if (response?.findingId && !blockingFindingIds.has(response.findingId)) {
+      errors.push(`check-resolution response references non-blocking or unknown finding ${response.findingId}.`);
+    }
+  });
+
+  for (const findingId of blockingFindingIds) {
+    if (!responsesByFindingId.has(findingId)) {
+      errors.push(`Missing check-resolution response for blocking finding ${findingId}.`);
+    }
+  }
+}
+
+function validateResolutionResponse(response, index, responsesByFindingId, errors) {
+  const prefix = `check-resolution.responses[${index}]`;
+  if (!response || typeof response !== 'object' || Array.isArray(response)) {
+    errors.push(`${prefix} must be an object.`);
+    return;
+  }
+
+  if (!/^F-\d{3}$/.test(response.findingId ?? '')) {
+    errors.push(`${prefix}.findingId must match F-001 format.`);
+  } else if (responsesByFindingId.has(response.findingId)) {
+    errors.push(`${prefix}.findingId duplicates ${response.findingId}.`);
+  } else {
+    responsesByFindingId.set(response.findingId, response);
+  }
+
+  if (!ALLOWED_RESOLUTION_DECISIONS.includes(response.decision)) {
+    errors.push(`${prefix}.decision is not allowed: ${formatValue(response.decision)}`);
+  }
+
+  requireString(response, 'rationale', errors, prefix);
+
+  if (response.decision === 'rejected') {
+    validateRefs(response.evidenceRefs, `${prefix}.evidenceRefs`, errors);
+  }
+  if (response.decision === 'accepted') {
+    validateRefs(response.artifactChangeRefs, `${prefix}.artifactChangeRefs`, errors);
+  }
+  if (response.decision === 'partially_accepted') {
+    validateRefs(response.artifactChangeRefs, `${prefix}.artifactChangeRefs`, errors);
+    validateRefs(response.evidenceRefs, `${prefix}.evidenceRefs`, errors);
+  }
+  if ((response.decision === 'needs_research' || response.decision === 'needs_human_decision') && !String(response.rationale ?? '').trim()) {
+    errors.push(`${prefix}.rationale is required for ${response.decision}.`);
+  }
+}
+
+function validateRefs(refs, label, errors, options = {}) {
+  const allowEmpty = options.allowEmpty === true;
+  if (!Array.isArray(refs)) {
+    errors.push(`${label} must be an array.`);
+    return;
+  }
+  if (!allowEmpty && refs.length === 0) {
+    errors.push(`${label} must not be empty.`);
+    return;
+  }
+
+  refs.forEach((ref, index) => {
+    const prefix = `${label}[${index}]`;
+    if (!ref || typeof ref !== 'object' || Array.isArray(ref)) {
+      errors.push(`${prefix} must be an object.`);
+      return;
+    }
+    if (!ALLOWED_REF_TYPES.includes(ref.type)) {
+      errors.push(`${prefix}.type is not allowed: ${formatValue(ref.type)}`);
+    }
+    requireString(ref, 'ref', errors, prefix);
+  });
+}
+
+function extractStructuredResolution(markdown) {
+  const markerIndex = markdown.indexOf('## Structured Resolution');
+  if (markerIndex === -1) {
+    return null;
+  }
+
+  const afterMarker = markdown.slice(markerIndex);
+  const match = /```json\s*([\s\S]*?)```/.exec(afterMarker);
+  return match?.[1] ?? null;
+}
+
+function readOptionalJson(filePath, errors) {
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    return readJsonFile(filePath);
+  } catch (error) {
+    errors.push(`Invalid ${path.basename(filePath)}: ${error.message}`);
+    return INVALID_JSON;
+  }
+}
+
+function validateRiskProfile(value, errors, label) {
+  if (!ALLOWED_RISK_PROFILES.includes(value)) {
+    errors.push(`${label} is not allowed: ${formatValue(value)}`);
+  }
+}
+
+function validateRiskTriggers(value, errors, label) {
+  if (!Array.isArray(value)) {
+    errors.push(`${label} must be an array.`);
+    return;
+  }
+  for (const trigger of value) {
+    if (!ALLOWED_RISK_TRIGGERS.includes(trigger)) {
+      errors.push(`${label} contains unknown trigger: ${formatValue(trigger)}`);
+    }
+  }
+}
+
+function requireString(object, key, errors, prefix = '') {
+  const label = prefix ? `${prefix}.${key}` : key;
+  if (typeof object?.[key] !== 'string' || !object[key].trim()) {
+    errors.push(`${label} must be a non-empty string.`);
+  }
+}
+
+function validateSha(value, errors, label) {
+  if (typeof value !== 'string' || !/^sha256:[a-f0-9]{64}$/.test(value)) {
+    errors.push(`${label} must match sha256:<64 lowercase hex chars>.`);
+  }
+}
+
+function expectEqual(actual, expected, label, errors) {
+  if (actual !== expected) {
+    errors.push(`${label} mismatch: expected ${formatValue(expected)}, got ${formatValue(actual)}.`);
+  }
+}
+
+function expectArrayEqual(actual, expected, label, errors) {
+  if (!Array.isArray(actual)) {
+    errors.push(`${label} must be an array.`);
+    return;
+  }
+
+  if (JSON.stringify(actual) !== JSON.stringify(expected)) {
+    errors.push(`${label} mismatch.`);
+  }
+}
+
+function expectObjectArrayEqual(actual, expected, label, errors) {
+  expectArrayEqual(actual, expected, label, errors);
+}
+
+function formatValue(value) {
+  return JSON.stringify(value);
+}
+
+function printResult({ taskId, errors, warnings }) {
+  for (const warning of warnings) {
+    console.warn(`Warning: ${warning}`);
+  }
+
+  if (errors.length > 0) {
+    console.error(`Check artifact validation failed for ${taskId}:`);
+    for (const error of errors) {
+      console.error(`- ${error}`);
+    }
+    process.exit(1);
+  }
+
+  console.log(`Check artifact validation ok for ${taskId}`);
+}
+
+function fail(message) {
+  console.error(`Error: ${message}`);
+  process.exit(1);
+}
+
+main();

package/config/default-agents.json

@@ -0,0 +1,100 @@
+{
+  "planner": {
+    "provider": "openai",
+    "model": "${PLANNER_MODEL}"
+  },
+  "checker": {
+    "provider": "codex-cli",
+    "model": "gpt-5.5",
+    "reasoningEffort": "medium",
+    "isolatedContext": true,
+    "readOnly": true
+  },
+  "verifier": {
+    "mode": "internal_supervisor",
+    "provider": "codex-cli",
+    "model": "gpt-5.5",
+    "reasoningEffort": "medium",
+    "isolatedContext": true,
+    "readOnly": true
+  },
+  "checkerProviders": {
+    "codex-cli": {
+      "command": "${CODEX_CLI_COMMAND}",
+      "model": "gpt-5.5",
+      "reasoningEffort": "medium",
+      "args": [
+        "exec",
+        "--sandbox",
+        "read-only",
+        "-c",
+        "model_reasoning_effort=\"$REASONING_EFFORT\"",
+        "--output-last-message",
+        "$OUTPUT_FILE",
+        "--model",
+        "$MODEL",
+        "-"
+      ],
+      "input": "stdin",
+      "output": "file"
+    },
+    "claude-cli": {
+      "command": "${CLAUDE_CLI_COMMAND}",
+      "model": "claude-opus-4-7",
+      "reasoningEffort": "medium",
+      "args": [
+        "-p",
+        "--no-session-persistence",
+        "--tools",
+        "",
+        "--model",
+        "$MODEL",
+        "--effort",
+        "$REASONING_EFFORT"
+      ],
+      "input": "stdin",
+      "output": "stdout"
+    },
+    "cloud-cli": {
+      "command": "${CLOUD_CLI_COMMAND}",
+      "model": "claude-opus-4-7",
+      "reasoningEffort": "medium",
+      "args": [
+        "-p",
+        "--no-session-persistence",
+        "--tools",
+        "",
+        "--model",
+        "$MODEL",
+        "--effort",
+        "$REASONING_EFFORT"
+      ],
+      "input": "stdin",
+      "output": "stdout"
+    },
+    "custom-cli": {
+      "command": "${CHECKER_CLI_COMMAND}",
+      "args": [],
+      "input": "stdin",
+      "output": "stdout"
+    }
+  },
+  "planCheckLoop": {
+    "maxIterations": {
+      "low": 2,
+      "medium": 3,
+      "high": 5
+    },
+    "defaultRiskProfile": "medium",
+    "contextBudgetTokens": {
+      "low": 6000,
+      "medium": 15000,
+      "high": 30000
+    },
+    "maxRepoReads": {
+      "low": 5,
+      "medium": 12,
+      "high": 25
+    }
+  }
+}

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@besales/ops-framework",
+  "version": "0.1.0",
+  "type": "module",
+  "bin": {
+    "ops-agent": "bin/ops-agent.mjs"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "bin",
+    "config",
+    "playbooks",
+    "prompts",
+    "templates",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "test": "vitest run --config vitest.config.ts",
+    "lint": "node bin/self-lint.mjs",
+    "lint:fix": "node bin/self-lint.mjs --fix"
+  },
+  "devDependencies": {
+    "vitest": "^3.1.1"
+  }
+}

package/playbooks/checker-context.md

@@ -0,0 +1,9 @@
+# Checker Context Playbook
+
+Use this to keep independent checks cheap and accurate.
+
+- `checker-context-pack.md` is the compact decision packet for Checker.
+- It must name decision, active slice, risk triggers, required repo files, prior failures and exact questions.
+- Checker should read only the listed files first, then expand context only when a claim cannot be judged.
+- If the pack is stale, regenerate it before Check or transition.
+- `task-manifest.json` records mode, phase, gates and loop detector status for automation.

package/playbooks/complexity-performance.md

@@ -0,0 +1,13 @@
+# Complexity / Performance Playbook
+
+Use this for read models, materializers, workers, table/dashboard UI, replay/backfill and production hot paths.
+
+- Plan must include `## Complexity / Performance Budget`.
+- Name hot paths, expected data size or row count, complexity risks, mitigation and budget/stop rule.
+- O2/O3 hot-path work must also include `## Optimization Strategy`.
+- O0: none; O1: quick checklist; O2: focused optimizer review on touched hot paths; O3: measured review with timing/rows/EXPLAIN/benchmark.
+- Keep optimization bounded: one focused pass for O2, one focused pass plus one representative measurement for O3; defer nice-to-have ideas.
+- Prefer bounded queries, maps/sets, batching and indexed access over repeated scans or N+1 calls.
+- Execution must include `## Complexity / Performance Evidence`.
+- Execution must include `## Optimization Review Evidence` when O2/O3 strategy is present.
+- Acceptable evidence includes timing, row counts, EXPLAIN, no-N+1 review, hot-path code review or representative benchmark.

package/playbooks/production-rollout.md

@@ -0,0 +1,9 @@
+# Production Rollout Playbook
+
+Use this for migrations, env vars, cron/workers, billing/auth, external APIs, deploy/runtime behavior and production-readiness claims.
+
+- Plan must include `## Production Rollout Gate`.
+- Name impact/blast radius, environment or deploy variables, rollback/disable path and post-deploy evidence.
+- Do not hide production risk behind a generic smoke test.
+- Execution must include `## Production Rollout Evidence`.
+- Acceptable evidence includes deploy/env facts, logs, metrics, smoke results, monitor links or explicit rollback verification.

package/playbooks/source-sync-provider.md

@@ -0,0 +1,9 @@
+# Source Sync / Provider Playbook
+
+Use this for sync/import/provider pipelines, raw records, retries, pagination, rate limits, idempotency, replay/backfill and partial failure recovery.
+
+- Plan must include `## Source Sync / Provider Gate`.
+- Name scope/provider window, idempotency or duplicate handling, retry/failure boundaries and coverage/parity evidence.
+- Keep provider credentials, queue ownership and affected windows explicit.
+- Execution must include `## Source Sync / Provider Evidence`.
+- Acceptable evidence includes raw-record samples, counts/parity, replay/audit output, retry/idempotency checks and partial-failure recovery proof.

package/playbooks/ui-acceptance.md

@@ -0,0 +1,9 @@
+# UI Acceptance Playbook
+
+Use this when a task touches configured frontend/UI roots or any user-visible API contract.
+
+- Plan must include `## UI Acceptance Scenarios`.
+- Each scenario needs `UI-xxx`, user intent, setup/data, steps, expected visible result and must-catch regression.
+- Page-load-only smoke is not enough.
+- Execution must include `## UI Acceptance Evidence` with scenario id, pass/fail/blocked/human-owned result and observed screenshot/payload/rendered evidence.
+- If browser/auth/env is blocked, record API/payload/rendered fallback or mark the scenario human-owned.