@codeledger/cli 0.2.1 → 0.5.1

package/dist/session-paths.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-paths.d.ts","sourceRoot":"","sources":["../src/session-paths.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAK3E;AAED,2DAA2D;AAC3D,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAElF;AAED,6DAA6D;AAC7D,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEnF;AAED,qEAAqE;AACrE,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEhF;AAED,6CAA6C;AAC7C,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEpF;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAExF;AAED,yEAAyE;AACzE,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,+BAA+B;AAC/B,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,0BAA0B;AAC1B,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEhD"}
+{"version":3,"file":"session-paths.d.ts","sourceRoot":"","sources":["../src/session-paths.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAK3E;AAED,2DAA2D;AAC3D,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAElF;AAED,6DAA6D;AAC7D,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEnF;AAED,qEAAqE;AACrE,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEhF;AAED,6CAA6C;AAC7C,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEpF;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAExF;AAED,qFAAqF;AACrF,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEvF;AAED,yEAAyE;AACzE,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,+BAA+B;AAC/B,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,0BAA0B;AAC1B,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,8DAA8D;AAC9D,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAEnF;AAED,sEAAsE;AACtE,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAExF;AAED,sEAAsE;AACtE,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,IAAI,GAAG,MAAM,CAE1F"}

package/dist/session-paths.js

@@ -29,6 +29,10 @@ export function sessionProgressPath(cwd, sessionId) {
 export function sessionHookRemindedPath(cwd, sessionId) {
     return join(sessionDir(cwd, sessionId), '.hook-reminded');
 }
+/** Path to the per-task activation history (JSONL, one record per activate call). */
+export function sessionTaskHistoryPath(cwd, sessionId) {
+    return join(sessionDir(cwd, sessionId), '.task-history.jsonl');
+}
 /** Legacy fallback bundle path (always .codeledger/active-bundle.md). */
 export function legacyBundlePath(cwd) {
     return join(cwd, '.codeledger', 'active-bundle.md');
@@ -41,4 +45,16 @@ export function sessionsRootDir(cwd) {
 export function registryPath(cwd) {
     return join(cwd, '.codeledger', 'sessions', 'registry.json');
 }
+/** Path to the read log (JSONL, one record per file read). */
+export function sessionReadLogPath(cwd, sessionId) {
+    return join(sessionDir(cwd, sessionId), '.read-log.jsonl');
+}
+/** Path to the review config (written when --mode review is used). */
+export function sessionReviewConfigPath(cwd, sessionId) {
+    return join(sessionDir(cwd, sessionId), '.review-config.json');
+}
+/** Path to the coverage report checkpoint (written by gatekeeper). */
+export function sessionCoverageReportPath(cwd, sessionId) {
+    return join(sessionDir(cwd, sessionId), '.coverage-report.json');
+}
 //# sourceMappingURL=session-paths.js.map

package/dist/session-paths.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-paths.js","sourceRoot":"","sources":["../src/session-paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,SAA2B;IACjE,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;AAClC,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,SAA2B;IACxE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,kBAAkB,CAAC,CAAC;AAC9D,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,kBAAkB,CAAC,GAAW,EAAE,SAA2B;IACzE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;AAC3D,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,SAA2B;IACtE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,oBAAoB,CAAC,CAAC;AAChE,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,SAA2B;IAC1E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,qBAAqB,CAAC,CAAC;AACjE,CAAC;AAED,wCAAwC;AACxC,MAAM,UAAU,uBAAuB,CAAC,GAAW,EAAE,SAA2B;IAC9E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,gBAAgB,CAAC,CAAC;AAC5D,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;AACtD,CAAC;AAED,+BAA+B;AAC/B,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED,0BAA0B;AAC1B,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;AAC/D,CAAC"}
+{"version":3,"file":"session-paths.js","sourceRoot":"","sources":["../src/session-paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,SAA2B;IACjE,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;AAClC,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,SAA2B;IACxE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,kBAAkB,CAAC,CAAC;AAC9D,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,kBAAkB,CAAC,GAAW,EAAE,SAA2B;IACzE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;AAC3D,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,SAA2B;IACtE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,oBAAoB,CAAC,CAAC;AAChE,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,SAA2B;IAC1E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,qBAAqB,CAAC,CAAC;AACjE,CAAC;AAED,wCAAwC;AACxC,MAAM,UAAU,uBAAuB,CAAC,GAAW,EAAE,SAA2B;IAC9E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,gBAAgB,CAAC,CAAC;AAC5D,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,sBAAsB,CAAC,GAAW,EAAE,SAA2B;IAC7E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,qBAAqB,CAAC,CAAC;AACjE,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;AACtD,CAAC;AAED,+BAA+B;AAC/B,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED,0BAA0B;AAC1B,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,OAAO,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;AAC/D,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,kBAAkB,CAAC,GAAW,EAAE,SAA2B;IACzE,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,iBAAiB,CAAC,CAAC;AAC7D,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,uBAAuB,CAAC,GAAW,EAAE,SAA2B;IAC9E,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,qBAAqB,CAAC,CAAC;AACjE,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,yBAAyB,CAAC,GAAW,EAAE,SAA2B;IAChF,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,uBAAuB,CAAC,CAAC;AACnE,CAAC"}

package/dist/signing/canonicalize.d.ts

@@ -0,0 +1,17 @@
+/**
+ * JCS-compatible canonical JSON serialization (RFC 8785).
+ *
+ * Rules:
+ * - Objects: keys sorted lexicographically by Unicode code point
+ * - Arrays: preserve element order
+ * - Numbers: shortest JSON numeric form (no trailing zeros, no leading +, no NaN/Infinity)
+ * - Strings: standard JSON string escaping
+ * - No whitespace between tokens
+ * - Output is UTF-8
+ *
+ * This is a standalone, pure function. It will be reimplemented by the
+ * ingestion worker (potentially in a different language). The algorithm
+ * must be documented and deterministic.
+ */
+export declare function canonicalize(value: unknown): string;
+//# sourceMappingURL=canonicalize.d.ts.map

package/dist/signing/canonicalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonicalize.d.ts","sourceRoot":"","sources":["../../src/signing/canonicalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAqCnD"}

package/dist/signing/canonicalize.js

@@ -0,0 +1,50 @@
+/**
+ * JCS-compatible canonical JSON serialization (RFC 8785).
+ *
+ * Rules:
+ * - Objects: keys sorted lexicographically by Unicode code point
+ * - Arrays: preserve element order
+ * - Numbers: shortest JSON numeric form (no trailing zeros, no leading +, no NaN/Infinity)
+ * - Strings: standard JSON string escaping
+ * - No whitespace between tokens
+ * - Output is UTF-8
+ *
+ * This is a standalone, pure function. It will be reimplemented by the
+ * ingestion worker (potentially in a different language). The algorithm
+ * must be documented and deterministic.
+ */
+export function canonicalize(value) {
+    if (value === null)
+        return 'null';
+    if (value === undefined)
+        return 'null';
+    switch (typeof value) {
+        case 'boolean':
+            return value ? 'true' : 'false';
+        case 'number': {
+            if (!Number.isFinite(value)) {
+                throw new Error(`Cannot canonicalize non-finite number: ${value}`);
+            }
+            // JSON.stringify produces shortest form for finite numbers
+            return JSON.stringify(value);
+        }
+        case 'string':
+            return JSON.stringify(value);
+        case 'object': {
+            if (Array.isArray(value)) {
+                const items = value.map((item) => canonicalize(item));
+                return '[' + items.join(',') + ']';
+            }
+            // Object: sort keys lexicographically by Unicode code point
+            const obj = value;
+            const keys = Object.keys(obj).sort();
+            const pairs = keys.map((key) => {
+                return JSON.stringify(key) + ':' + canonicalize(obj[key]);
+            });
+            return '{' + pairs.join(',') + '}';
+        }
+        default:
+            throw new Error(`Cannot canonicalize type: ${typeof value}`);
+    }
+}
+//# sourceMappingURL=canonicalize.js.map

package/dist/signing/canonicalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonicalize.js","sourceRoot":"","sources":["../../src/signing/canonicalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IAEvC,QAAQ,OAAO,KAAK,EAAE,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAElC,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;YACrE,CAAC;YACD,2DAA2D;YAC3D,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,KAAK,QAAQ;YACX,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE/B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBACtD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;YACrC,CAAC;YAED,4DAA4D;YAC5D,MAAM,GAAG,GAAG,KAAgC,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC,CAAC,CAAC;YACH,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QACrC,CAAC;QAED;YACE,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC;AACH,CAAC"}

package/dist/signing/hmac.d.ts

@@ -0,0 +1,8 @@
+import type { ManifestSigner } from './signer.js';
+/**
+ * HMAC-SHA256 signer using a shared secret from env var.
+ *
+ * Signature value is base64-encoded.
+ */
+export declare function createHmacSigner(secret: string): ManifestSigner;
+//# sourceMappingURL=hmac.d.ts.map

package/dist/signing/hmac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../../src/signing/hmac.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAQ/D"}

package/dist/signing/hmac.js

@@ -0,0 +1,16 @@
+import { createHmac } from 'node:crypto';
+/**
+ * HMAC-SHA256 signer using a shared secret from env var.
+ *
+ * Signature value is base64-encoded.
+ */
+export function createHmacSigner(secret) {
+    return {
+        alg: 'HS256',
+        keyId: 'env:CODELEDGER_SIGNING_SECRET',
+        async sign(data) {
+            return createHmac('sha256', secret).update(data).digest('base64');
+        },
+    };
+}
+//# sourceMappingURL=hmac.js.map

package/dist/signing/hmac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../../src/signing/hmac.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,OAAO;QACL,GAAG,EAAE,OAAO;QACZ,KAAK,EAAE,+BAA+B;QACtC,KAAK,CAAC,IAAI,CAAC,IAAY;YACrB,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpE,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/signing/signer.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Abstract signer interface for manifest signing.
+ *
+ * Mustang v1 uses HMAC-SHA256 with a shared secret. The interface is
+ * abstract to support future KMS-backed signers without changing the
+ * signing pipeline.
+ */
+export interface ManifestSigner {
+    /** Sign the given data and return a base64-encoded signature. */
+    sign(data: Buffer): Promise<string>;
+    /** Algorithm identifier (e.g., "HS256" for HMAC-SHA256). */
+    alg: string;
+    /** Key identifier for provenance (e.g., "env:CODELEDGER_SIGNING_SECRET"). */
+    keyId: string;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/signing/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/signing/signer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC7B,iEAAiE;IACjE,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpC,4DAA4D;IAC5D,GAAG,EAAE,MAAM,CAAC;IACZ,6EAA6E;IAC7E,KAAK,EAAE,MAAM,CAAC;CACf"}

package/dist/signing/signer.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signer.js.map

package/dist/signing/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/signing/signer.ts"],"names":[],"mappings":""}

package/dist/templates/claude-md.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claude-md.d.ts","sourceRoot":"","sources":["../../src/templates/claude-md.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,wBAAgB,eAAe,IAAI,MAAM,CAiGxC"}
+{"version":3,"file":"claude-md.d.ts","sourceRoot":"","sources":["../../src/templates/claude-md.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,wBAAgB,eAAe,IAAI,MAAM,CAwGxC"}

package/dist/templates/claude-md.js

@@ -40,12 +40,19 @@ export function claudeMdSection() {
         '',
         '| Command | What It Does |',
         '|---------|-------------|',
-        '| `npx codeledger activate --task "..."` | Scan repo (if stale), generate context bundle, write `.codeledger/active-bundle.md` |',
+        '| `npx codeledger init [--force]` | Initialize CodeLedger in a repo (creates `.codeledger/`, config, hooks) |',
         '| `npx codeledger scan` | Rebuild the repo index (dependency graph, churn, test map) |',
+        '| `npx codeledger activate --task "..."` | Scan repo (if stale), generate context bundle, write `.codeledger/active-bundle.md` |',
         '| `npx codeledger bundle --task "..."` | Generate a context bundle (JSON only, no active-bundle write) |',
+        '| `npx codeledger refine --learned "..."` | Re-score bundle mid-session with new context, keywords, or file exclusions |',
         '| `npx codeledger session-progress` | Write a ground-truth session progress snapshot |',
         '| `npx codeledger session-summary` | Show session-end value recap (recall, precision, token savings) |',
-        '| `npx codeledger init` | Initialize CodeLedger in a repo (creates `.codeledger/`, config, hooks) |',
+        '| `npx codeledger doctor` | Integration health check (config, hooks, index, ledger) |',
+        '| `npx codeledger setup-ci [--mode ...]` | Generate GitHub Actions workflow + policy for CI integration |',
+        '| `npx codeledger manifest --task "..."` | Generate deterministic context manifest (evidence payload) |',
+        '| `npx codeledger verify --task "..."` | CI enforcement: evaluate policy, emit artifacts, return exit code |',
+        '| `npx codeledger intent init\\|show\\|set\\|ack` | Intent governance (deterministic drift detection) |',
+        '| `npx codeledger checkpoint create\\|restore\\|list` | Save/restore incremental session checkpoints |',
         '',
         '**Trigger phrases:** If the user asks for a "session summary", "session recap", "codeledger summary", "how did the bundle do", or anything similar — run `npx codeledger session-summary` in your shell. Do not construct the output yourself.',
         '',

package/dist/templates/claude-md.js.map

@@ -1 +1 @@
-{"version":3,"file":"claude-md.js","sourceRoot":"","sources":["../../src/templates/claude-md.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,UAAU,eAAe;IAC7B,OAAO;QACL,2BAA2B;QAC3B,EAAE;QACF,wHAAwH;QACxH,kGAAkG;QAClG,EAAE;QACF,sCAAsC;QACtC,EAAE;QACF,oGAAoG;QACpG,oCAAoC;QACpC,EAAE;QACF,6CAA6C;QAC7C,4DAA4D;QAC5D,mDAAmD;QACnD,iEAAiE;QACjE,4DAA4D;QAC5D,6DAA6D;QAC7D,EAAE;QACF,0EAA0E;QAC1E,EAAE;QACF,4CAA4C;QAC5C,EAAE;QACF,yEAAyE;QACzE,iEAAiE;QACjE,EAAE;QACF,2CAA2C;QAC3C,+CAA+C;QAC/C,uEAAuE;QACvE,EAAE;QACF,wBAAwB;QACxB,EAAE;QACF,4BAA4B;QAC5B,2BAA2B;QAC3B,kIAAkI;QAClI,wFAAwF;QACxF,0GAA0G;QAC1G,wFAAwF;QACxF,wGAAwG;QACxG,qGAAqG;QACrG,EAAE;QACF,gPAAgP;QAChP,EAAE;QACF,iDAAiD;QACjD,EAAE;QACF,oEAAoE;QACpE,0GAA0G;QAC1G,EAAE;QACF,iDAAiD;QACjD,gDAAgD;QAChD,6EAA6E;QAC7E,2EAA2E;QAC3E,wFAAwF;QACxF,+DAA+D;QAC/D,EAAE;QACF,uBAAuB;QACvB,EAAE;QACF,4DAA4D;QAC5D,EAAE;QACF,8EAA8E;QAC9E,yEAAyE;QACzE,kFAAkF;QAClF,mDAAmD;QACnD,EAAE;QACF,gJAAgJ;QAChJ,EAAE;QACF,8BAA8B;QAC9B,EAAE;QACF,6IAA6I;QAC7I,iJAAiJ;QACjJ,EAAE;QACF,uCAAuC;QACvC,EAAE;QACF,SAAS;QACT,yDAAyD;QACzD,KAAK;QACL,EAAE;QACF,6BAA6B;QAC7B,EAAE;QACF,6FAA6F;QAC7F,+EAA+E;QAC/E,0FAA0F;QAC1F,2EAA2E;QAC3E,EAAE;QACF,uDAAuD;QACvD,EAAE;QACF,wBAAwB;QACxB,EAAE;QACF,gDAAgD;QAChD,EAAE;QACF,SAAS;QACT,0BAA0B;QAC1B,KAAK;QACL,EAAE;QACF,8FAA8F;QAC9F,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}
+{"version":3,"file":"claude-md.js","sourceRoot":"","sources":["../../src/templates/claude-md.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,UAAU,eAAe;IAC7B,OAAO;QACL,2BAA2B;QAC3B,EAAE;QACF,wHAAwH;QACxH,kGAAkG;QAClG,EAAE;QACF,sCAAsC;QACtC,EAAE;QACF,oGAAoG;QACpG,oCAAoC;QACpC,EAAE;QACF,6CAA6C;QAC7C,4DAA4D;QAC5D,mDAAmD;QACnD,iEAAiE;QACjE,4DAA4D;QAC5D,6DAA6D;QAC7D,EAAE;QACF,0EAA0E;QAC1E,EAAE;QACF,4CAA4C;QAC5C,EAAE;QACF,yEAAyE;QACzE,iEAAiE;QACjE,EAAE;QACF,2CAA2C;QAC3C,+CAA+C;QAC/C,uEAAuE;QACvE,EAAE;QACF,wBAAwB;QACxB,EAAE;QACF,4BAA4B;QAC5B,2BAA2B;QAC3B,+GAA+G;QAC/G,wFAAwF;QACxF,kIAAkI;QAClI,0GAA0G;QAC1G,0HAA0H;QAC1H,wFAAwF;QACxF,wGAAwG;QACxG,uFAAuF;QACvF,2GAA2G;QAC3G,yGAAyG;QACzG,8GAA8G;QAC9G,yGAAyG;QACzG,wGAAwG;QACxG,EAAE;QACF,gPAAgP;QAChP,EAAE;QACF,iDAAiD;QACjD,EAAE;QACF,oEAAoE;QACpE,0GAA0G;QAC1G,EAAE;QACF,iDAAiD;QACjD,gDAAgD;QAChD,6EAA6E;QAC7E,2EAA2E;QAC3E,wFAAwF;QACxF,+DAA+D;QAC/D,EAAE;QACF,uBAAuB;QACvB,EAAE;QACF,4DAA4D;QAC5D,EAAE;QACF,8EAA8E;QAC9E,yEAAyE;QACzE,kFAAkF;QAClF,mDAAmD;QACnD,EAAE;QACF,gJAAgJ;QAChJ,EAAE;QACF,8BAA8B;QAC9B,EAAE;QACF,6IAA6I;QAC7I,iJAAiJ;QACjJ,EAAE;QACF,uCAAuC;QACvC,EAAE;QACF,SAAS;QACT,yDAAyD;QACzD,KAAK;QACL,EAAE;QACF,6BAA6B;QAC7B,EAAE;QACF,6FAA6F;QAC7F,+EAA+E;QAC/E,0FAA0F;QAC1F,2EAA2E;QAC3E,EAAE;QACF,uDAAuD;QACvD,EAAE;QACF,wBAAwB;QACxB,EAAE;QACF,gDAAgD;QAChD,EAAE;QACF,SAAS;QACT,0BAA0B;QAC1B,KAAK;QACL,EAAE;QACF,8FAA8F;QAC9F,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/dist/templates/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/templates/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAG1D,wBAAgB,aAAa,IAAI,gBAAgB,CAgFhD"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/templates/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAG1D,wBAAgB,aAAa,IAAI,gBAAgB,CAsHhD"}

package/dist/templates/config.js

@@ -10,31 +10,66 @@ export function defaultConfig() {
             worktree_root: '.codeledger/worktrees',
         },
         repo: {
-            include: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/*.mjs', '**/*.cjs'],
+            include: ['**/*'],
             exclude: [
+                // Version control
+                '.git/**',
+                // Package managers / vendored deps
                 'node_modules/**',
+                'vendor/**',
+                '.venv/**',
+                'venv/**',
+                // Build output
                 'dist/**',
                 'build/**',
-                '.git/**',
+                'out/**',
+                'target/**',
+                'bin/**',
+                // Caches
                 '.codeledger/**',
                 'coverage/**',
+                '__pycache__/**',
+                '.tox/**',
+                '.mypy_cache/**',
+                '.pytest_cache/**',
+                // Generated / minified
                 '*.min.js',
                 '*.bundle.js',
+                '*.pyc',
+                '*.pyo',
+                // IDE
+                '.idea/**',
+                '.vscode/**',
+                // Lock files (large, not useful for context)
+                'package-lock.json',
+                'yarn.lock',
+                'pnpm-lock.yaml',
+                'Pipfile.lock',
+                'poetry.lock',
+                'go.sum',
+                'Cargo.lock',
             ],
             test_patterns: [
+                // JS/TS
                 '**/*.test.*',
                 '**/*.spec.*',
                 '**/__tests__/**',
                 '**/test/**',
+                // Python
+                '**/test_*.py',
+                '**/*_test.py',
+                '**/tests/**/*.py',
+                // Go
+                '**/*_test.go',
+                // Java/Kotlin
+                '**/src/test/**',
+                // Rust
+                '**/tests/**/*.rs',
+                // Ruby
+                '**/spec/**/*_spec.rb',
+                '**/test/**/*_test.rb',
             ],
-            language_extensions: {
-                '.ts': 'typescript',
-                '.tsx': 'typescript-react',
-                '.js': 'javascript',
-                '.jsx': 'javascript-react',
-                '.mjs': 'javascript',
-                '.cjs': 'javascript',
-            },
+            language_extensions: {},
         },
         selector: {
             weights: {
@@ -78,6 +113,9 @@ export function defaultConfig() {
             badge: true,
             share_pack: false,
         },
+        suggestions: {
+            prefill_task: false,
+        },
     };
 }
 //# sourceMappingURL=config.js.map

package/dist/templates/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/templates/config.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE;YACT,OAAO,EAAE,uBAAuB;YAChC,SAAS,EAAE,mBAAmB;YAC9B,aAAa,EAAE,uBAAuB;YACtC,WAAW,EAAE,qBAAqB;YAClC,aAAa,EAAE,uBAAuB;SACvC;QACD,IAAI,EAAE;YACJ,OAAO,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC;YAC/E,OAAO,EAAE;gBACP,iBAAiB;gBACjB,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,gBAAgB;gBAChB,aAAa;gBACb,UAAU;gBACV,aAAa;aACd;YACD,aAAa,EAAE;gBACb,aAAa;gBACb,aAAa;gBACb,iBAAiB;gBACjB,YAAY;aACb;YACD,mBAAmB,EAAE;gBACnB,KAAK,EAAE,YAAY;gBACnB,MAAM,EAAE,kBAAkB;gBAC1B,KAAK,EAAE,YAAY;gBACnB,MAAM,EAAE,kBAAkB;gBAC1B,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,YAAY;aACrB;SACF;QACD,QAAQ,EAAE;YACR,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,cAAc,EAAE,IAAI;gBACpB,YAAY,EAAE,IAAI;gBAClB,aAAa,EAAE,IAAI;gBACnB,UAAU,EAAE,IAAI;gBAChB,oBAAoB,EAAE,IAAI;gBAC1B,cAAc,EAAE,IAAI;aACrB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,IAAI;gBACZ,SAAS,EAAE,EAAE;aACd;YACD,qBAAqB,EAAE,IAAI;YAC3B,cAAc,EAAE,EAAE;YAClB,gBAAgB,EAAE,CAAC;YACnB,uBAAuB,EAAE,EAAE;YAC3B,2BAA2B,EAAE,GAAG;YAChC,oBAAoB,EAAE,EAAE;SACzB;QACD,SAAS,EAAE;YACT,YAAY,EAAE,gBAAgB;YAC9B,cAAc,EAAE,8BAA8B;SAC/C;QACD,OAAO,EAAE;YACP,eAAe,EAAE,CAAC;YAClB,mBAAmB,EAAE,IAAI;YACzB,kBAAkB,EAAE,GAAG;YACvB,wBAAwB,EAAE,SAAS;SACpC;QACD,SAAS,EAAE;YACT,gBAAgB,EAAE,KAAK;SACxB;QACD,SAAS,EAAE;YACT,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,IAAI;YACX,UAAU,EAAE,KAAK;SAClB;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/templates/config.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE;YACT,OAAO,EAAE,uBAAuB;YAChC,SAAS,EAAE,mBAAmB;YAC9B,aAAa,EAAE,uBAAuB;YACtC,WAAW,EAAE,qBAAqB;YAClC,aAAa,EAAE,uBAAuB;SACvC;QACD,IAAI,EAAE;YACJ,OAAO,EAAE,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE;gBACP,kBAAkB;gBAClB,SAAS;gBACT,mCAAmC;gBACnC,iBAAiB;gBACjB,WAAW;gBACX,UAAU;gBACV,SAAS;gBACT,eAAe;gBACf,SAAS;gBACT,UAAU;gBACV,QAAQ;gBACR,WAAW;gBACX,QAAQ;gBACR,SAAS;gBACT,gBAAgB;gBAChB,aAAa;gBACb,gBAAgB;gBAChB,SAAS;gBACT,gBAAgB;gBAChB,kBAAkB;gBAClB,uBAAuB;gBACvB,UAAU;gBACV,aAAa;gBACb,OAAO;gBACP,OAAO;gBACP,MAAM;gBACN,UAAU;gBACV,YAAY;gBACZ,6CAA6C;gBAC7C,mBAAmB;gBACnB,WAAW;gBACX,gBAAgB;gBAChB,cAAc;gBACd,aAAa;gBACb,QAAQ;gBACR,YAAY;aACb;YACD,aAAa,EAAE;gBACb,QAAQ;gBACR,aAAa;gBACb,aAAa;gBACb,iBAAiB;gBACjB,YAAY;gBACZ,SAAS;gBACT,cAAc;gBACd,cAAc;gBACd,kBAAkB;gBAClB,KAAK;gBACL,cAAc;gBACd,cAAc;gBACd,gBAAgB;gBAChB,OAAO;gBACP,kBAAkB;gBAClB,OAAO;gBACP,sBAAsB;gBACtB,sBAAsB;aACvB;YACD,mBAAmB,EAAE,EAAE;SACxB;QACD,QAAQ,EAAE;YACR,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,cAAc,EAAE,IAAI;gBACpB,YAAY,EAAE,IAAI;gBAClB,aAAa,EAAE,IAAI;gBACnB,UAAU,EAAE,IAAI;gBAChB,oBAAoB,EAAE,IAAI;gBAC1B,cAAc,EAAE,IAAI;aACrB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,IAAI;gBACZ,SAAS,EAAE,EAAE;aACd;YACD,qBAAqB,EAAE,IAAI;YAC3B,cAAc,EAAE,EAAE;YAClB,gBAAgB,EAAE,CAAC;YACnB,uBAAuB,EAAE,EAAE;YAC3B,2BAA2B,EAAE,GAAG;YAChC,oBAAoB,EAAE,EAAE;SACzB;QACD,SAAS,EAAE;YACT,YAAY,EAAE,gBAAgB;YAC9B,cAAc,EAAE,8BAA8B;SAC/C;QACD,OAAO,EAAE;YACP,eAAe,EAAE,CAAC;YAClB,mBAAmB,EAAE,IAAI;YACzB,kBAAkB,EAAE,GAAG;YACvB,wBAAwB,EAAE,SAAS;SACpC;QACD,SAAS,EAAE;YACT,gBAAgB,EAAE,KAAK;SACxB;QACD,SAAS,EAAE;YACT,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,IAAI;YACX,UAAU,EAAE,KAAK;SAClB;QACD,WAAW,EAAE;YACX,YAAY,EAAE,KAAK;SACpB;KACF,CAAC;AACJ,CAAC"}

package/dist/verify/evaluate.d.ts

@@ -0,0 +1,10 @@
+import type { ResolvedPolicyV1, ContextManifestV1, ViolationV1, CoverageAttestationV1 } from '@codeledger/types';
+/**
+ * Evaluate a manifest against a resolved policy. Returns violations sorted
+ * by code then path for deterministic output.
+ *
+ * This function does NOT make pass/fail decisions — it only detects violations.
+ * The calling code decides exit codes based on policy mode.
+ */
+export declare function evaluatePolicy(manifest: ContextManifestV1, policy: ResolvedPolicyV1, coverageAttestation?: CoverageAttestationV1): ViolationV1[];
+//# sourceMappingURL=evaluate.d.ts.map

package/dist/verify/evaluate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/verify/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,gBAAgB,EAChB,iBAAiB,EACjB,WAAW,EACX,qBAAqB,EACtB,MAAM,mBAAmB,CAAC;AAE3B;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,gBAAgB,EACxB,mBAAmB,CAAC,EAAE,qBAAqB,GAC1C,WAAW,EAAE,CAsGf"}

package/dist/verify/evaluate.js

@@ -0,0 +1,117 @@
+/**
+ * Evaluate a manifest against a resolved policy. Returns violations sorted
+ * by code then path for deterministic output.
+ *
+ * This function does NOT make pass/fail decisions — it only detects violations.
+ * The calling code decides exit codes based on policy mode.
+ */
+export function evaluatePolicy(manifest, policy, coverageAttestation) {
+    const violations = [];
+    // LOW_CONFIDENCE — overall_confidence < min_confidence
+    if (manifest.confidence.overall < policy.min_confidence) {
+        violations.push({
+            code: 'LOW_CONFIDENCE',
+            message: `Overall confidence ${manifest.confidence.overall.toFixed(2)} below minimum ${policy.min_confidence.toFixed(2)}`,
+            value: manifest.confidence.overall,
+            threshold: policy.min_confidence,
+        });
+    }
+    // HIGH_DRIFT — drift_score > max_drift
+    if (manifest.intent.drift_score > policy.max_drift) {
+        violations.push({
+            code: 'HIGH_DRIFT',
+            message: `Drift score ${manifest.intent.drift_score.toFixed(2)} exceeds maximum ${policy.max_drift.toFixed(2)}`,
+            value: manifest.intent.drift_score,
+            threshold: policy.max_drift,
+        });
+    }
+    // DENY_PATH_MATCH — selected file matches deny_paths pattern
+    for (const file of manifest.bundle.files) {
+        for (const pattern of policy.deny_paths) {
+            if (matchDenyPattern(file.path, pattern)) {
+                violations.push({
+                    code: 'DENY_PATH_MATCH',
+                    message: `Selected file ${file.path} matches deny pattern ${pattern}`,
+                    path: file.path,
+                    pattern,
+                });
+            }
+        }
+    }
+    // MISSING_TESTS — test_presence below threshold when require_tests is true
+    if (policy.require_tests) {
+        const testPresence = manifest.confidence.envelope.test_presence;
+        // require_tests uses a fixed threshold of 0.50
+        const threshold = 0.50;
+        if (testPresence < threshold) {
+            violations.push({
+                code: 'MISSING_TESTS',
+                message: `Test presence ${testPresence.toFixed(2)} below required threshold ${threshold.toFixed(2)}`,
+                value: testPresence,
+                threshold,
+            });
+        }
+    }
+    // BUNDLE_TOO_LARGE — file count or byte count exceeds policy limits
+    if (manifest.bundle.file_count > policy.bundle_max_files) {
+        violations.push({
+            code: 'BUNDLE_TOO_LARGE',
+            message: `Bundle file count ${manifest.bundle.file_count} exceeds limit ${policy.bundle_max_files}`,
+            dimension: 'file_count',
+            value: manifest.bundle.file_count,
+            threshold: policy.bundle_max_files,
+        });
+    }
+    if (manifest.bundle.total_bytes > policy.bundle_max_bytes) {
+        violations.push({
+            code: 'BUNDLE_TOO_LARGE',
+            message: `Bundle byte size ${manifest.bundle.total_bytes} exceeds limit ${policy.bundle_max_bytes}`,
+            dimension: 'byte_size',
+            value: manifest.bundle.total_bytes,
+            threshold: policy.bundle_max_bytes,
+        });
+    }
+    // INSUFFICIENT_COVERAGE — review coverage below policy minimum
+    if (coverageAttestation && policy.min_review_coverage !== undefined) {
+        if (coverageAttestation.file_coverage < policy.min_review_coverage) {
+            violations.push({
+                code: 'INSUFFICIENT_COVERAGE',
+                message: `Review file coverage ${coverageAttestation.file_coverage.toFixed(2)} below minimum ${policy.min_review_coverage.toFixed(2)}`,
+                value: coverageAttestation.file_coverage,
+                threshold: policy.min_review_coverage,
+            });
+        }
+    }
+    // POST_HOC_READS — reads that occurred after claims were written
+    if (coverageAttestation && policy.block_post_hoc_reads && coverageAttestation.post_hoc_read_count > 0) {
+        violations.push({
+            code: 'POST_HOC_READS',
+            message: `${coverageAttestation.post_hoc_read_count} file(s) were read after review claims were written`,
+            value: coverageAttestation.post_hoc_read_count,
+        });
+    }
+    // Sort by code, then by path (if present) for deterministic output
+    violations.sort((a, b) => {
+        const codeCmp = a.code.localeCompare(b.code);
+        if (codeCmp !== 0)
+            return codeCmp;
+        return (a.path ?? '').localeCompare(b.path ?? '');
+    });
+    return violations;
+}
+/**
+ * Match a file path against a deny pattern.
+ * Supports simple glob patterns with * wildcard.
+ */
+function matchDenyPattern(filePath, pattern) {
+    // Convert glob pattern to regex
+    const escaped = pattern
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*/g, '.*');
+    const regex = new RegExp(`^${escaped}$|/${escaped}$|^${escaped}/|/${escaped}/`);
+    // Also match against the basename
+    const basename = filePath.split('/').pop() ?? filePath;
+    const baseRegex = new RegExp(`^${escaped}$`);
+    return regex.test(filePath) || baseRegex.test(basename);
+}
+//# sourceMappingURL=evaluate.js.map

package/dist/verify/evaluate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluate.js","sourceRoot":"","sources":["../../src/verify/evaluate.ts"],"names":[],"mappings":"AAOA;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA2B,EAC3B,MAAwB,EACxB,mBAA2C;IAE3C,MAAM,UAAU,GAAkB,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;QACxD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,sBAAsB,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YACzH,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO;YAClC,SAAS,EAAE,MAAM,CAAC,cAAc;SACjC,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,IAAI,QAAQ,CAAC,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QACnD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,eAAe,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,oBAAoB,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YAC/G,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW;YAClC,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,6DAA6D;IAC7D,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACxC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBACzC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,iBAAiB;oBACvB,OAAO,EAAE,iBAAiB,IAAI,CAAC,IAAI,yBAAyB,OAAO,EAAE;oBACrE,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,YAAY,GAAG,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC;QAChE,+CAA+C;QAC/C,MAAM,SAAS,GAAG,IAAI,CAAC;QACvB,IAAI,YAAY,GAAG,SAAS,EAAE,CAAC;YAC7B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,iBAAiB,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,6BAA6B,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;gBACpG,KAAK,EAAE,YAAY;gBACnB,SAAS;aACV,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,IAAI,QAAQ,CAAC,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACzD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,qBAAqB,QAAQ,CAAC,MAAM,CAAC,UAAU,kBAAkB,MAAM,CAAC,gBAAgB,EAAE;YACnG,SAAS,EAAE,YAAY;YACvB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACjC,SAAS,EAAE,MAAM,CAAC,gBAAgB;SACnC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC1D,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,oBAAoB,QAAQ,CAAC,MAAM,CAAC,WAAW,kBAAkB,MAAM,CAAC,gBAAgB,EAAE;YACnG,SAAS,EAAE,WAAW;YACtB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW;YAClC,SAAS,EAAE,MAAM,CAAC,gBAAgB;SACnC,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,IAAI,mBAAmB,IAAI,MAAM,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;QACpE,IAAI,mBAAmB,CAAC,aAAa,GAAG,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACnE,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,uBAAuB;gBAC7B,OAAO,EAAE,wBAAwB,mBAAmB,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,MAAM,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;gBACtI,KAAK,EAAE,mBAAmB,CAAC,aAAa;gBACxC,SAAS,EAAE,MAAM,CAAC,mBAAmB;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iEAAiE;IACjE,IAAI,mBAAmB,IAAI,MAAM,CAAC,oBAAoB,IAAI,mBAAmB,CAAC,mBAAmB,GAAG,CAAC,EAAE,CAAC;QACtG,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,GAAG,mBAAmB,CAAC,mBAAmB,qDAAqD;YACxG,KAAK,EAAE,mBAAmB,CAAC,mBAAmB;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,mEAAmE;IACnE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,QAAgB,EAAE,OAAe;IACzD,gCAAgC;IAChC,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACxB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,OAAO,MAAM,OAAO,MAAM,OAAO,MAAM,OAAO,GAAG,CAAC,CAAC;IAEhF,kCAAkC;IAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;IACvD,MAAM,SAAS,GAAG,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;IAE7C,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC1D,CAAC"}

package/dist/verify/policy-snapshot.d.ts

@@ -0,0 +1,7 @@
+import type { ResolvedPolicyV1 } from '@codeledger/types';
+/**
+ * Build and write a policy snapshot — records the resolved policy used
+ * during a verify run, including its hash for audit trail.
+ */
+export declare function writePolicySnapshot(policy: ResolvedPolicyV1, outPath: string): void;
+//# sourceMappingURL=policy-snapshot.d.ts.map

package/dist/verify/policy-snapshot.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-snapshot.d.ts","sourceRoot":"","sources":["../../src/verify/policy-snapshot.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAqC,MAAM,mBAAmB,CAAC;AAG7F;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,GACd,IAAI,CA6BN"}

package/dist/verify/policy-snapshot.js

@@ -0,0 +1,36 @@
+import { createHash } from 'node:crypto';
+import { writeFileSync, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { canonicalize } from '../signing/canonicalize.js';
+/**
+ * Build and write a policy snapshot — records the resolved policy used
+ * during a verify run, including its hash for audit trail.
+ */
+export function writePolicySnapshot(policy, outPath) {
+    // Strip resolved_from to get the base policy for hashing
+    const basePolicyForHash = {
+        schema_version: policy.schema_version,
+        mode: policy.mode,
+        min_confidence: policy.min_confidence,
+        max_drift: policy.max_drift,
+        require_tests: policy.require_tests,
+        deny_paths: policy.deny_paths,
+        bundle_max_files: policy.bundle_max_files,
+        bundle_max_bytes: policy.bundle_max_bytes,
+        redact_actor_identity: policy.redact_actor_identity,
+        store_file_paths: policy.store_file_paths,
+    };
+    const hash = createHash('sha256')
+        .update(canonicalize(basePolicyForHash))
+        .digest('hex');
+    const snapshot = {
+        schema_version: 'mustang/policy-snapshot/v1',
+        policy: basePolicyForHash,
+        hash,
+        resolved_from: policy.resolved_from,
+        resolved_at: new Date().toISOString(),
+    };
+    mkdirSync(dirname(outPath), { recursive: true });
+    writeFileSync(outPath, JSON.stringify(snapshot, null, 2) + '\n');
+}
+//# sourceMappingURL=policy-snapshot.js.map

package/dist/verify/policy-snapshot.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-snapshot.js","sourceRoot":"","sources":["../../src/verify/policy-snapshot.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAwB,EACxB,OAAe;IAEf,yDAAyD;IACzD,MAAM,iBAAiB,GAAoB;QACzC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,qBAAqB,EAAE,MAAM,CAAC,qBAAqB;QACnD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;KAC1C,CAAC;IAEF,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;SAC9B,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;SACvC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,MAAM,QAAQ,GAAqB;QACjC,cAAc,EAAE,4BAA4B;QAC5C,MAAM,EAAE,iBAAiB;QACzB,IAAI;QACJ,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACtC,CAAC;IAEF,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AACnE,CAAC"}

package/dist/verify/report.d.ts

@@ -0,0 +1,11 @@
+import type { ContextManifestV1, ResolvedPolicyV1, ViolationV1, VerifyReportV1 } from '@codeledger/types';
+/**
+ * Build a verify report from manifest, policy, and violations.
+ */
+export declare function buildVerifyReport(opts: {
+    manifest: ContextManifestV1;
+    policy: ResolvedPolicyV1;
+    violations: ViolationV1[];
+    codeledgerVersion: string;
+}): VerifyReportV1;
+//# sourceMappingURL=report.d.ts.map

package/dist/verify/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../src/verify/report.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,cAAc,EAEf,MAAM,mBAAmB,CAAC;AAI3B;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE;IACtC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GAAG,cAAc,CA+CjB"}

package/dist/verify/report.js

@@ -0,0 +1,64 @@
+import { createHash } from 'node:crypto';
+import { canonicalize } from '../signing/canonicalize.js';
+/**
+ * Build a verify report from manifest, policy, and violations.
+ */
+export function buildVerifyReport(opts) {
+    const { manifest, policy, violations, codeledgerVersion } = opts;
+    // Compute policy hash using Phase 2 canonicalization
+    const policyForHash = {
+        schema_version: policy.schema_version,
+        mode: policy.mode,
+        min_confidence: policy.min_confidence,
+        max_drift: policy.max_drift,
+        require_tests: policy.require_tests,
+        deny_paths: policy.deny_paths,
+        bundle_max_files: policy.bundle_max_files,
+        bundle_max_bytes: policy.bundle_max_bytes,
+        redact_actor_identity: policy.redact_actor_identity,
+        store_file_paths: policy.store_file_paths,
+    };
+    const policyHash = createHash('sha256')
+        .update(canonicalize(policyForHash))
+        .digest('hex');
+    // Determine decision based on mode
+    const passed = determineDecision(policy.mode, violations);
+    return {
+        schema_version: 'mustang/verify-report/v1',
+        codeledger_version: codeledgerVersion,
+        repo: {
+            name: manifest.repo.name,
+            commit_sha: manifest.repo.commit_sha,
+        },
+        policy: {
+            schema_version: 'mustang/policy/v1',
+            mode: policy.mode,
+            hash: policyHash,
+        },
+        metrics: {
+            overall_confidence: manifest.confidence.overall,
+            drift_score: manifest.intent.drift_score,
+            bundle_file_count: manifest.bundle.file_count,
+            bundle_total_bytes: manifest.bundle.total_bytes,
+        },
+        decision: {
+            passed,
+            mode: policy.mode,
+        },
+        violations,
+    };
+}
+/**
+ * Determine pass/fail based on mode and violations.
+ *
+ * - observe: always true (violations are informational only)
+ * - warn: always true (violations printed as warnings)
+ * - block: true only if no violations
+ */
+function determineDecision(mode, violations) {
+    if (mode === 'block') {
+        return violations.length === 0;
+    }
+    return true; // observe and warn always pass
+}
+//# sourceMappingURL=report.js.map

package/dist/verify/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../src/verify/report.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAKjC;IACC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC;IAEjE,qDAAqD;IACrD,MAAM,aAAa,GAA4B;QAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,qBAAqB,EAAE,MAAM,CAAC,qBAAqB;QACnD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;KAC1C,CAAC;IACF,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC;SACpC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;SACnC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,mCAAmC;IACnC,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAE1D,OAAO;QACL,cAAc,EAAE,0BAA0B;QAC1C,kBAAkB,EAAE,iBAAiB;QACrC,IAAI,EAAE;YACJ,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI;YACxB,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU;SACrC;QACD,MAAM,EAAE;YACN,cAAc,EAAE,mBAAmB;YACnC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,UAAU;SACjB;QACD,OAAO,EAAE;YACP,kBAAkB,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO;YAC/C,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW;YACxC,iBAAiB,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YAC7C,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW;SAChD;QACD,QAAQ,EAAE;YACR,MAAM;YACN,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB;QACD,UAAU;KACX,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,IAAgB,EAAE,UAAyB;IACpE,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,+BAA+B;AAC9C,CAAC"}