@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/scripts/check-test-coverage.js

@@ -89,10 +89,49 @@ function git(args, cwd) {
 // findings masked. Codex P1 flag on PR #2 of v0.12.8.
 function resolveBaseRef(opts, cwd) {
   if (opts.staged) return null; // staged mode uses --cached / HEAD throughout
+  // F14 — fall back gracefully when origin/main is unreachable. The
+  // original implementation tried `merge-base HEAD <opts.base>` and, on
+  // failure, returned opts.base verbatim — which then failed every
+  // subsequent git invocation, surfacing as a runner-level error. In CI
+  // (full clones) the original ref usually resolves; on a developer
+  // laptop without `origin/main` configured (fresh clone, detached
+  // worktree, alternative remote name) the gate would fail entirely.
+  //
+  // Order of preference:
+  //   1. merge-base against the requested base
+  //   2. requested base verbatim, if `git rev-parse --verify` resolves it
+  //   3. local `main` HEAD if it exists
+  //   4. HEAD~1 as a last resort (single-commit diff)
+  const tryResolve = (ref) => {
+    try {
+      git(["merge-base", "HEAD", ref], cwd).trim();
+      return ref;
+    } catch { /* not resolvable */ }
+    try {
+      git(["rev-parse", "--verify", ref], cwd).trim();
+      return ref;
+    } catch { return null; }
+  };
   try {
     const mb = git(["merge-base", "HEAD", opts.base], cwd).trim();
     if (mb) return mb;
-  } catch { /* base may not exist locally; fall back to ref literal */ }
+  } catch { /* fall through */ }
+  const direct = tryResolve(opts.base);
+  if (direct) return direct;
+  const local = tryResolve("main");
+  if (local) {
+    process.stderr.write(
+      `[check-test-coverage] WARN: ${opts.base} unreachable; falling back to local main\n`
+    );
+    return local;
+  }
+  const parent = tryResolve("HEAD~1");
+  if (parent) {
+    process.stderr.write(
+      `[check-test-coverage] WARN: ${opts.base} unreachable and no local main; falling back to HEAD~1\n`
+    );
+    return parent;
+  }
   return opts.base;
 }
 
@@ -165,6 +204,23 @@ function categorize(file) {
   if (norm.startsWith("scripts/") && norm.endsWith(".js")) return "lib";
   if (norm.startsWith("data/playbooks/") && norm.endsWith(".json")) return "playbook";
   if (norm === "data/cve-catalog.json") return "cve-catalog";
+  // F11 — files matching catalog/schema/SBOM shapes are surfaced for manual
+  // review rather than silent allowlist. These changes (manifest.json,
+  // schemas/*, data/*.json, sbom.cdx.json, manifest-snapshot.*) can carry
+  // semantic surface but the analyzer has no syntactic surface extractor
+  // for them — humans should look.
+  if (norm === "manifest.json") return "manual-review";
+  if (norm === "manifest-snapshot.json") return "manual-review";
+  if (norm === "manifest-snapshot.sha256") return "manual-review";
+  if (norm === "sbom.cdx.json") return "manual-review";
+  if (norm.startsWith("lib/schemas/")) return "manual-review";
+  // v0.12.14: data/_indexes/ is auto-regenerated from data/ + manifest by
+  // `npm run build-indexes`; the source-of-truth diff is in the data/
+  // files themselves. Allowlist the derived index files so they don't
+  // perpetually surface as manual-review on every release commit.
+  if (norm.startsWith("data/_indexes/")) return "allowlist-derived";
+  if (norm.startsWith("data/") && norm.endsWith(".json")) return "manual-review";
+  if (norm === "package.json") return "manual-review";
   return "other";
 }
 
@@ -271,15 +327,20 @@ function safeParse(s) { try { return s ? JSON.parse(s) : null; } catch { return
 
 function loadTestCorpus(cwd) {
   const root = path.join(cwd, "tests");
-  if (!fs.existsSync(root)) return "";
+  if (!fs.existsSync(root)) return { joined: "", files: [] };
   const acc = [];
+  const files = [];
   walk(root, p => {
     const norm = p.replace(/\\/g, "/");
     if (/\.(js|json)$/.test(norm)) {
-      try { acc.push(fs.readFileSync(p, "utf8")); } catch { /* ignore unreadable */ }
+      try {
+        const content = fs.readFileSync(p, "utf8");
+        acc.push(content);
+        files.push({ path: norm, content });
+      } catch { /* ignore unreadable */ }
     }
   });
-  return acc.join("\n\x00\n");
+  return { joined: acc.join("\n\x00\n"), files };
 }
 
 function walk(dir, fn) {
@@ -302,22 +363,76 @@ function coversCliFlag(corpus, flag) {
   return corpus.includes(flag);
 }
 
+// F10 — same-file context check. A test corpus is no longer treated as
+// one giant string for lib-export coverage: the identifier must appear
+// inside a real test block (`test(`, `it(`, `describe(`, or an `assert(`
+// argument) within the SAME file that issues the matching require().
+// Pre-fix: an `assert.equal(...)` mention in one test file plus a stray
+// `require('../lib/x')` in a completely different test file counted as
+// coverage. That's not coverage — it's textual coincidence.
+//
+// `corpus` may be either a string (legacy joined corpus, used by
+// CLI/playbook/CVE coverage probes) or the structured shape
+// `{ joined, files }` produced by loadTestCorpus().
 function coversLibExport(corpus, libRel, ident) {
   const baseName = path.basename(libRel).replace(/\.js$/, "");
   const baseFile = path.basename(libRel); // e.g. "check-sbom-currency.js"
   const identRe = new RegExp("\\b" + escapeRe(ident) + "\\b");
-  // Primary: a `require()` that mentions the module name AND a reference
-  // to the identifier anywhere in the test corpus. Catches the canonical
-  // `const { foo } = require('../lib/x')` test shape.
   const requireRe = new RegExp("require\\([^)]*" + escapeRe(baseName) + "[^)]*\\)");
-  if (requireRe.test(corpus) && identRe.test(corpus)) return true;
-  // v0.12.9: a test that spawns the script under test (e.g.
-  // `spawnSync(node, [".../scripts/check-sbom-currency.js", ...])`) is
-  // real coverage too. Accept that shape when the corpus references the
-  // full filename AND the identifier elsewhere. The `.js` suffix is what
-  // distinguishes a real spawn-path from an arbitrary mention of the
-  // module base name.
-  if (corpus.includes(baseFile) && identRe.test(corpus)) return true;
+  // Accept the structured shape (preferred). Walk files individually.
+  if (corpus && Array.isArray(corpus.files)) {
+    for (const f of corpus.files) {
+      const hasRequire = requireRe.test(f.content);
+      const mentionsSpawnPath = f.content.includes(baseFile);
+      if (!hasRequire && !mentionsSpawnPath) continue;
+      if (!identRe.test(f.content)) continue;
+      // F10 — require the identifier appears inside a test block in this
+      // file. Recognise `test(`, `it(`, `describe(`, or `assert(` (or any
+      // `assert.<member>(`) bracketed argument that mentions the ident.
+      if (mentionsIdentInTestContext(f.content, ident)) return true;
+    }
+    return false;
+  }
+  // Fallback: legacy joined-string corpus.
+  const joined = typeof corpus === "string" ? corpus : (corpus && corpus.joined) || "";
+  if (requireRe.test(joined) && identRe.test(joined)) return true;
+  if (joined.includes(baseFile) && identRe.test(joined)) return true;
+  return false;
+}
+
+// Returns true when `ident` appears as a token inside the body of any
+// `test( ... )`, `it( ... )`, `describe( ... )`, `assert( ... )` or
+// `assert.<member>( ... )` call in the file. We approximate "the body of
+// the call" by finding the opening paren after the keyword, then walking
+// matched parens until the call closes. This is a syntactic-enough check
+// for vanilla JavaScript tests; the goal is to refuse "ident only appears
+// in a top-level comment" while still accepting `assert.deepEqual(foo, ...)`.
+function mentionsIdentInTestContext(content, ident) {
+  const tokenRe = new RegExp("\\b" + escapeRe(ident) + "\\b");
+  // Quick reject: file does not mention the identifier at all.
+  if (!tokenRe.test(content)) return false;
+  const callRe = /\b(test|it|describe|assert(?:\.[A-Za-z_$][\w$]*)?)\s*\(/g;
+  let m;
+  while ((m = callRe.exec(content)) !== null) {
+    const start = m.index + m[0].length; // pointer to first char inside (
+    let depth = 1;
+    let i = start;
+    let inStr = null;
+    while (i < content.length && depth > 0) {
+      const c = content[i];
+      if (inStr) {
+        if (c === "\\") { i += 2; continue; }
+        if (c === inStr) inStr = null;
+      } else {
+        if (c === '"' || c === "'" || c === "`") inStr = c;
+        else if (c === "(") depth++;
+        else if (c === ")") depth--;
+      }
+      i++;
+    }
+    const body = content.slice(start, i - 1);
+    if (tokenRe.test(body)) return true;
+  }
   return false;
 }
 
@@ -341,7 +456,8 @@ function analyze(opts) {
   // between calls produces false add/remove findings.
   const resolvedBase = resolveBaseRef(opts, cwd);
   const changed = listChangedFiles(opts, cwd, resolvedBase);
-  const corpus = loadTestCorpus(cwd);
+  const corpusObj = loadTestCorpus(cwd);
+  const corpus = corpusObj.joined;
 
   const findings = [];
   const allowlisted = [];
@@ -355,7 +471,12 @@ function analyze(opts) {
     }
     if (cat === "skill") { allowlisted.push({ file: ch.file, reason: "skill-signed" }); continue; }
     if (cat === "workflow") { manualReview.push({ file: ch.file, reason: "workflow" }); continue; }
-    if (cat === "other") { allowlisted.push({ file: ch.file, reason: "out-of-scope" }); continue; }
+    // F11 — data catalogs, schemas, manifests, SBOM go to manual review
+    // instead of being silently allowlisted. They show up in CI output.
+    if (cat === "manual-review") { manualReview.push({ file: ch.file, reason: "manual-review" }); continue; }
+    // v0.12.14: derived index files allowlist (auto-regenerated artifacts).
+    if (cat === "allowlist-derived") { allowlisted.push({ file: ch.file, reason: "derived-artifact" }); continue; }
+    if (cat === "other") { manualReview.push({ file: ch.file, reason: "unclassified" }); continue; }
     if (ch.status !== "D" && isWhitespaceOnly(opts, ch.file, cwd, resolvedBase)) {
       allowlisted.push({ file: ch.file, reason: "whitespace-only" });
       continue;
@@ -381,9 +502,11 @@ function analyze(opts) {
       const b = extractLibExports(before);
       const a = extractLibExports(after);
       const d = diffSets(b, a);
-      for (const id of d.added) if (!coversLibExport(corpus, ch.file, id))
+      // F10 — pass the structured corpus so coversLibExport can enforce
+      // same-file require()+identifier-in-test-context coverage.
+      for (const id of d.added) if (!coversLibExport(corpusObj, ch.file, id))
         findings.push({ file: ch.file, kind: "lib-export", surface: id, change: "added" });
-      for (const id of d.removed) if (coversLibExport(corpus, ch.file, id))
+      for (const id of d.removed) if (coversLibExport(corpusObj, ch.file, id))
         findings.push({ file: ch.file, kind: "lib-export", surface: id, change: "removed-but-test-remains" });
     } else if (cat === "playbook") {
       const b = extractPlaybookIds(before);

package/scripts/predeploy.js

@@ -19,6 +19,15 @@
  * Single-source-of-truth: the GATES list below mirrors the job sequence
  * in .github/workflows/ci.yml. Test coverage in tests/predeploy.test.js
  * asserts the two stay in sync.
+ *
+ * Audit G F5 — when the manifest-snapshot gate fails, the fix is NOT to
+ * run `npm run refresh-snapshot` blindly. The refresh script now refuses
+ * unless the operator passes `--commit-only` or sets
+ * EXCEPTD_SNAPSHOT_AUDIT_ACK=1. This is intentional: a failing snapshot
+ * gate means a breaking change was detected, and an accidental refresh
+ * would silently rewrite the baseline. Read the breaking-change list
+ * first, then run `node scripts/refresh-manifest-snapshot.js --commit-only`
+ * if the change is intentional.
  */
 
 const { execFileSync } = require("child_process");
@@ -62,28 +71,15 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-cve-catalog.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
-  {
-    name: "Validate offline CVE catalog state",
-    command: process.execPath,
-    args: [
-      path.join(ROOT, "orchestrator", "index.js"),
-      "validate-cves",
-      "--offline",
-      "--no-fail",
-    ],
-    ciJobName: "Data integrity (catalog + manifest snapshot)",
-  },
-  {
-    name: "Validate offline RFC catalog state",
-    command: process.execPath,
-    args: [
-      path.join(ROOT, "orchestrator", "index.js"),
-      "validate-rfcs",
-      "--offline",
-      "--no-fail",
-    ],
-    ciJobName: "Data integrity (catalog + manifest snapshot)",
-  },
+  // Audit G F13 — the "validate-cves --offline --no-fail" and
+  // "validate-rfcs --offline --no-fail" gates were enumeration-only sanity
+  // checks: `--no-fail` forced them to always exit 0, so they never blocked
+  // a release on a real catalog problem. The deep catalog validation is
+  // already performed by the gate above (`lib/validate-cve-catalog.js`),
+  // including cross-catalog reference resolution after this same audit.
+  // Keeping the no-op gates as predeploy steps inflated the gate count for
+  // no marginal value and risked false confidence ("X gates passed"). They
+  // are removed in v0.12.14; document the removal in CHANGELOG.
   {
     name: "Manifest snapshot gate (breaking-change detector)",
     command: process.execPath,
@@ -97,9 +93,13 @@ const GATES = [
     ciJobName: "Lint skill files",
   },
   {
-    // Informational only — surfaces the forward_watch horizon across all
-    // skills as a sanity signal. Emits the count but never fails the run;
-    // a parse problem is reported, not blocking.
+    // Informational — surfaces the forward_watch horizon across all skills.
+    // Audit G F12: an exit code of 0 means "ok", 1 means "items present
+    // (informational)", 2+ means a runtime error in the gate itself.
+    // The runner now distinguishes the two: 0/1 stay informational, 2+
+    // surface as a real failure. Pre-fix, any non-zero exit was rolled up
+    // as informational, which hid crashes (a 137 OOM looked the same as
+    // "found 12 items to review").
     name: "Forward-watch aggregator (informational)",
     command: process.execPath,
     args: [
@@ -108,6 +108,7 @@ const GATES = [
     ],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
     informational: true,
+    informationalMaxExitCode: 1,
   },
   {
     name: "Validate catalog _meta (tlp + source_confidence + freshness_policy)",
@@ -164,6 +165,19 @@ const GATES = [
     args: [path.join(ROOT, "scripts", "check-test-coverage.js")],
     ciJobName: "Diff coverage",
   },
+  {
+    // v0.12.12 — Validate every playbook in data/playbooks/ against the
+    // JSON schema + cross-playbook + cross-catalog references. Runs as
+    // informational (warnings, not failures) for v0.12.12 so the patch-
+    // class release can land without retroactively breaking schema-drift
+    // cases that operators have not yet reconciled. v0.13.0 will flip
+    // `informational: false`.
+    name: "Validate playbooks (schema + cross-refs, informational)",
+    command: process.execPath,
+    args: [path.join(ROOT, "lib", "validate-playbooks.js")],
+    ciJobName: "Validate playbooks",
+    informational: true,
+  },
 ];
 
 function runGate(gate) {
@@ -174,26 +188,70 @@ function runGate(gate) {
         status: "skipped",
         reason:
           "keys/public.pem missing — run `npm run bootstrap` to generate keys + sign skills.",
+        durationMs: 0,
       };
     }
   }
-  try {
-    execFileSync(gate.command, gate.args, { stdio: "inherit", cwd: ROOT });
-    return { status: "passed" };
-  } catch (e) {
-    if (gate.informational) {
+  const t0 = Date.now();
+  // Audit G F21 — spawn the child with piped stdio + tee to the parent so we
+  // can count `WARN ` lines for the summary table. We still want the live
+  // output, so each chunk is forwarded as it arrives.
+  const { spawnSync } = require("child_process");
+  const r = spawnSync(gate.command, gate.args, {
+    cwd: ROOT,
+    encoding: "utf8",
+    maxBuffer: 64 * 1024 * 1024,
+  });
+  const durationMs = Date.now() - t0;
+  if (r.stdout) process.stdout.write(r.stdout);
+  if (r.stderr) process.stderr.write(r.stderr);
+  // Count WARN-labelled lines in the combined stream so the summary table
+  // can surface them. Lint / validate output uses "WARN  " at line start;
+  // count both the table form and an inline "[warn]" form.
+  const combined = (r.stdout || "") + (r.stderr || "");
+  const warnCount = (
+    combined.match(/^WARN\b/gm) || []
+  ).length + (
+    combined.match(/\[warn\]/g) || []
+  ).length;
+  if (r.status === 0) {
+    return { status: "passed", durationMs, warnCount };
+  }
+  // Audit G F12 — gates may declare informationalMaxExitCode to distinguish
+  // "soft signal" (exit codes 0..N) from "crash" (> N). Default behaviour
+  // for an informational gate without that field stays the same.
+  if (gate.informational) {
+    const ceil = typeof gate.informationalMaxExitCode === "number"
+      ? gate.informationalMaxExitCode
+      : Infinity;
+    if (r.status !== null && r.status > ceil) {
       return {
-        status: "informational",
-        exitCode: e.status ?? null,
-        message: e.message,
+        status: "failed",
+        exitCode: r.status,
+        message: `informational gate crashed (exit ${r.status} > informationalMaxExitCode=${ceil})`,
+        durationMs,
+        warnCount,
       };
     }
     return {
-      status: "failed",
-      exitCode: e.status ?? null,
-      message: e.message,
+      status: "informational",
+      exitCode: r.status ?? null,
+      durationMs,
+      warnCount,
     };
   }
+  return {
+    status: "failed",
+    exitCode: r.status ?? null,
+    message: r.error ? r.error.message : `exit ${r.status}`,
+    durationMs,
+    warnCount,
+  };
+}
+
+function fmtMs(ms) {
+  if (typeof ms !== "number" || !Number.isFinite(ms)) return "";
+  return `${ms} ms`;
 }
 
 function main() {
@@ -202,17 +260,19 @@ function main() {
     process.stdout.write(`\n=== ${gate.name} ===\n`);
     const outcome = runGate(gate);
     results.push({ gate, outcome });
+    const timing = fmtMs(outcome.durationMs);
+    const timingSuffix = timing ? ` (${timing})` : "";
     if (outcome.status === "skipped") {
       process.stdout.write(`  ⊘ skipped — ${outcome.reason}\n`);
     } else if (outcome.status === "passed") {
-      process.stdout.write(`  ✓ passed\n`);
+      process.stdout.write(`  ✓ passed${timingSuffix}\n`);
     } else if (outcome.status === "informational") {
       process.stdout.write(
-        `  ℹ informational (exit ${outcome.exitCode ?? "?"}) — not failing the run\n`
+        `  ℹ informational (exit ${outcome.exitCode ?? "?"})${timingSuffix} — not failing the run\n`
       );
     } else {
       process.stdout.write(
-        `  ✗ failed (exit ${outcome.exitCode ?? "?"}): ${outcome.message}\n`
+        `  ✗ failed (exit ${outcome.exitCode ?? "?"})${timingSuffix}: ${outcome.message}\n`
       );
     }
   }
@@ -232,8 +292,18 @@ function main() {
         : outcome.status === "informational"
         ? "ℹ"
         : "✗";
+    const timing = fmtMs(outcome.durationMs);
+    const timingSuffix = timing ? `  (${timing})` : "";
+    // F21 — surface WARN counts so a gate that "passed (3 warnings)" is
+    // distinguishable from one that passed cleanly. Pre-fix, warnings
+    // printed by individual gates (validate-cve-catalog, lint-skills,
+    // validate-playbooks) scrolled past invisible in the summary.
+    const warnSuffix =
+      outcome.warnCount && outcome.warnCount > 0
+        ? ` (${outcome.warnCount} warning${outcome.warnCount === 1 ? "" : "s"})`
+        : "";
     process.stdout.write(
-      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}\n`
+      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}${warnSuffix}${timingSuffix}\n`
     );
   }
 

package/scripts/refresh-manifest-snapshot.js

@@ -11,10 +11,22 @@
  * blindly — read the breaking-change list first. A breaking change is
  * a surface narrowing every downstream consumer needs to know about.
  *
+ * Audit G F5 — commitOnly mode. Pass `--commit-only` (or set the env
+ * EXCEPTD_SNAPSHOT_AUDIT_ACK=1) to acknowledge that the operator
+ * deliberately wants to overwrite the committed snapshot. When neither
+ * flag nor env is set AND the snapshot would actually change, the
+ * script refuses and emits a structured diff hint. This stops an
+ * accidental `npm run refresh-snapshot` (run as muscle-memory while
+ * triaging a failing gate) from masking a real breaking change.
+ *
  * Usage:
- *   node scripts/refresh-manifest-snapshot.js
- *   git add manifest-snapshot.json
- *   git commit -m "refresh manifest snapshot: <what changed>"
+ *   node scripts/refresh-manifest-snapshot.js              # dry-shows the diff
+ *   EXCEPTD_SNAPSHOT_AUDIT_ACK=1 \
+ *     node scripts/refresh-manifest-snapshot.js            # writes the new snapshot
+ *   node scripts/refresh-manifest-snapshot.js --commit-only   # same thing, on argv
+ *
+ * The flag is documented in scripts/predeploy.js so contributors see it
+ * the moment the snapshot gate fails.
  */
 
 const fs = require("fs");
@@ -50,8 +62,47 @@ function captureSurface(manifest) {
 
 const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, "utf8"));
 const snapshot = captureSurface(manifest);
+const newJson = JSON.stringify(snapshot, null, 2) + "\n";
+
+// F5 — refuse to overwrite an existing snapshot unless the operator
+// has explicitly acknowledged the rewrite (env or --commit-only flag).
+const argv = process.argv.slice(2);
+const commitOnly =
+  argv.includes("--commit-only") ||
+  process.env.EXCEPTD_SNAPSHOT_AUDIT_ACK === "1";
 
-fs.writeFileSync(SNAPSHOT_PATH, JSON.stringify(snapshot, null, 2) + "\n", "utf8");
+if (fs.existsSync(SNAPSHOT_PATH) && !commitOnly) {
+  const current = fs.readFileSync(SNAPSHOT_PATH, "utf8");
+  // Normalise the _generated_at timestamp for comparison — that field
+  // changes every run and shouldn't trigger the guard.
+  const stripGenerated = (s) => s.replace(
+    /"_generated_at":\s*"[^"]+",?\s*\n?/, ""
+  );
+  if (stripGenerated(current) === stripGenerated(newJson)) {
+    console.log("[refresh-manifest-snapshot] snapshot unchanged — nothing to do.");
+    process.exit(0);
+  }
+  process.stderr.write(
+    "[refresh-manifest-snapshot] REFUSING to overwrite manifest-snapshot.json — " +
+    "the captured surface differs from the committed snapshot.\n" +
+    "  Re-run with `--commit-only` (or EXCEPTD_SNAPSHOT_AUDIT_ACK=1) to confirm " +
+    "the rewrite is intentional. The check-manifest-snapshot.js gate exists to " +
+    "force a deliberate decision about removed skills / triggers / refs before " +
+    "the baseline is rewritten.\n"
+  );
+  process.exit(1);
+}
+
+fs.writeFileSync(SNAPSHOT_PATH, newJson, "utf8");
 
 console.log(`[refresh-manifest-snapshot] wrote ${snapshot.skill_count} skills to manifest-snapshot.json`);
 console.log("[refresh-manifest-snapshot] commit this file alongside the surface change.");
+
+// Audit G F23 — write a tracked SHA-256 of the snapshot so the
+// check-manifest-snapshot.js gate can verify integrity (no hand edits
+// after refresh).
+const crypto = require("crypto");
+const snapshotSha = crypto.createHash("sha256").update(newJson).digest("hex");
+const snapshotShaPath = path.join(ROOT, "manifest-snapshot.sha256");
+fs.writeFileSync(snapshotShaPath, snapshotSha + "  manifest-snapshot.json\n", "utf8");
+console.log(`[refresh-manifest-snapshot] wrote integrity hash to manifest-snapshot.sha256`);