@forwardimpact/libeval 0.1.63 → 0.1.64

package/src/commands/trace.js

@@ -1,6 +1,6 @@
 import { join, dirname } from "node:path";
 import { isoTimestamp } from "@forwardimpact/libutil";
-import { createTraceCollector } from "@forwardimpact/libeval";
+import { createTraceCollector, sumTraceCost } from "@forwardimpact/libeval";
 import { createTraceQuery } from "../trace-query.js";
 import { createTraceGitHub } from "../trace-github.js";
 import { stripSignatures } from "../signature-filter.js";
@@ -26,11 +26,33 @@ export async function runRunsCommand(ctx) {
     runtime,
   });
   const lookback = ctx.options.lookback ?? "7d";
-  const runs = await gh.listRuns({ pattern: ctx.args.pattern, lookback });
+  const runs = await gh.listRuns({
+    pattern: ctx.args.pattern,
+    lookback,
+    participant: ctx.options.participant,
+  });
   writeJSON(runtime, runs, ctx.options);
   return { ok: true };
 }
 
+/**
+ * Resolve a participant's lane trace for a known run id in one keyed lookup.
+ * @param {import("@forwardimpact/libcli").InvocationContext} ctx
+ */
+export async function runFindCommand(ctx) {
+  const { runtime, config } = ctx.deps;
+  const gh = await createTraceGitHub({
+    token: config.ghToken(),
+    repo: ctx.options.repo,
+    runtime,
+  });
+  const result = await gh.findByKey(ctx.args["run-id"], ctx.args.participant, {
+    dir: ctx.options.dir,
+  });
+  writeJSON(runtime, result, ctx.options);
+  return { ok: true };
+}
+
 /**
  * Download a trace artifact and auto-convert to structured JSON.
  * @param {import("@forwardimpact/libcli").InvocationContext} ctx
@@ -193,6 +215,51 @@ export async function runStatsCommand(ctx) {
   return { ok: true };
 }
 
+/**
+ * Total run cost across every participant (agent, supervisor, judge, and any
+ * named profile), summed from each `result` event in the trace and attributed
+ * per source. The combined trace from a supervised, facilitated, or discuss
+ * session already interleaves all participants, so one file yields the whole
+ * run's spend. Default output is `{totalCostUsd, bySource}` JSON; `--markdown`
+ * emits a GitHub-flavored block to redirect into `$GITHUB_STEP_SUMMARY`.
+ *
+ * @param {import("@forwardimpact/libcli").InvocationContext} ctx
+ */
+export async function runCostCommand(ctx) {
+  const { runtime } = ctx.deps;
+  const cost = computeTraceCost(
+    runtime.fsSync.readFileSync(ctx.args.file, "utf8"),
+  );
+  if (ctx.options.markdown) {
+    runtime.proc.stdout.write(renderCostMarkdown(cost));
+  } else {
+    writeJSON(runtime, cost, ctx.options);
+  }
+  return { ok: true };
+}
+
+/**
+ * Render a cost summary as a GitHub-flavored markdown block for a CI step
+ * summary: a headline total plus a per-participant table (descending).
+ * @param {{totalCostUsd: number, bySource: Record<string, number>}} cost
+ * @returns {string}
+ */
+function renderCostMarkdown(cost) {
+  const lines = [
+    `### 💰 Run cost: $${cost.totalCostUsd.toFixed(4)}`,
+    "",
+    "Summed across every participant (agent, supervisor, judge, named profiles).",
+  ];
+  const sources = Object.entries(cost.bySource).sort((a, b) => b[1] - a[1]);
+  if (sources.length > 0) {
+    lines.push("", "| Participant | Cost (USD) |", "| --- | --- |");
+    for (const [source, usd] of sources) {
+      lines.push(`| ${source} | ${usd.toFixed(4)} |`);
+    }
+  }
+  return lines.join("\n") + "\n";
+}
+
 /** @param {import("@forwardimpact/libcli").InvocationContext} ctx */
 export async function runInitCommand(ctx) {
   const { runtime } = ctx.deps;
@@ -309,6 +376,25 @@ function parseBuckets(content) {
 
 // --- Shared helpers ---
 
+/**
+ * Compute total + per-source cost from raw file content. A structured JSON
+ * trace (from `fit-trace download`) carries its total in `summary.totalCostUsd`
+ * but no per-source split; raw NDJSON is summed via `sumTraceCost`.
+ * @param {string} content - Raw file content (structured JSON or NDJSON).
+ * @returns {{totalCostUsd: number, bySource: Record<string, number>}}
+ */
+function computeTraceCost(content) {
+  try {
+    const parsed = JSON.parse(content);
+    if (parsed && typeof parsed.summary?.totalCostUsd === "number") {
+      return { totalCostUsd: parsed.summary.totalCostUsd, bySource: {} };
+    }
+  } catch {
+    // Not a single JSON object — treat as NDJSON below.
+  }
+  return sumTraceCost(content.split("\n"));
+}
+
 /**
  * Load a trace file. Supports structured JSON and raw NDJSON.
  * @param {import("@forwardimpact/libutil/runtime").Runtime} runtime

package/src/cost.js

@@ -0,0 +1,79 @@
+/**
+ * Cost aggregation over Claude Code NDJSON traces — the single source of
+ * truth for "how much did this run cost, across every participant?".
+ *
+ * The SDK reports the cumulative session cost on each `result` event as
+ * `total_cost_usd`. Supervised, facilitated, and discuss sessions interleave
+ * one runner's events with another's in a single combined trace, wrapping
+ * each in a `{source, seq, event}` envelope; a plain `run` trace carries bare
+ * events with no envelope. A judge runs as its own session in a separate
+ * trace. In every case the rule is the same: sum the `total_cost_usd` of each
+ * `result` event, and keep a per-source breakdown so callers can attribute
+ * spend to the agent, supervisor, judge, or any named participant.
+ *
+ * This mirrors `TraceCollector.handleResult`, which accumulates the same
+ * figure for its summary footer — kept as a standalone pure helper so the
+ * benchmark runner, the callback command, and `fit-trace cost` share one
+ * implementation rather than each re-deriving it (and drifting).
+ */
+
+/** Bucket key for bare (un-enveloped) `run`-mode events: a lone agent session. */
+export const UNSOURCED = "agent";
+
+/**
+ * Sum `total_cost_usd` across every `result` event in an NDJSON trace.
+ *
+ * @param {Iterable<string>} lines - NDJSON lines (e.g. `content.split("\n")`).
+ *   Blank and malformed lines are skipped.
+ * @returns {{totalCostUsd: number, bySource: Record<string, number>}}
+ *   `totalCostUsd` is the sum across all participants; `bySource` maps each
+ *   envelope `source` (or {@link UNSOURCED} for bare events) to its subtotal.
+ */
+export function sumTraceCost(lines) {
+  let totalCostUsd = 0;
+  /** @type {Record<string, number>} */
+  const bySource = {};
+
+  for (const line of lines) {
+    const parsed = parseCostLine(line);
+    if (!parsed) continue;
+    const { source, cost } = parsed;
+    totalCostUsd += cost;
+    bySource[source] = (bySource[source] ?? 0) + cost;
+  }
+
+  return { totalCostUsd, bySource };
+}
+
+/**
+ * Parse a single NDJSON line and return its `result`-event cost contribution,
+ * or null when the line is blank, malformed, not a result event, or carries
+ * no numeric `total_cost_usd`.
+ *
+ * @param {string} line
+ * @returns {{source: string, cost: number} | null}
+ */
+function parseCostLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed) return null;
+
+  let event;
+  try {
+    event = JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+
+  // Unwrap the combined-trace envelope {source, seq, event}; bare events
+  // (plain `run` traces) have a `type` and no `source`.
+  let source = UNSOURCED;
+  if (event.event && !event.type && typeof event.source === "string") {
+    source = event.source;
+    event = event.event;
+  }
+
+  if (event.type !== "result") return null;
+  if (typeof event.total_cost_usd !== "number") return null;
+
+  return { source, cost: event.total_cost_usd };
+}

package/src/index.js

@@ -1,11 +1,13 @@
 export { TraceCollector, createTraceCollector } from "./trace-collector.js";
 export { TraceQuery, createTraceQuery } from "./trace-query.js";
+export { sumTraceCost, UNSOURCED } from "./cost.js";
 export { stripSignatures } from "./signature-filter.js";
 export {
   TraceGitHub,
   createTraceGitHub,
   detectRepoSlug,
   parseGitRemote,
+  participantInNames,
   pickTraceArtifact,
 } from "./trace-github.js";
 export { AgentRunner, createAgentRunner } from "./agent-runner.js";

package/src/redaction.js

@@ -3,6 +3,14 @@
  * the trace artifact. Composes two layers: an env-var value allowlist and a
  * set of credential-shape regexes. Both run on every primitive string.
  *
+ * Coverage includes encoded credential forms, not only raw bytes: the env
+ * layer matches each allowlisted secret both raw and in its **standard
+ * base64** form at any byte offset within the encoded plaintext, and the
+ * pattern layer covers the git `extraheader` basic-auth wrapper. Boundary:
+ * **standard base64 only** — URL-safe base64, hex, and percent-encoding are
+ * not covered — and the **trace-write sink only**; content an agent authors
+ * into a wiki commit is never passed through this redactor.
+ *
  * Stateless after construction: `env` is captured once so in-process
  * `process.env` writes (e.g. agent-runner.js LIBEVAL_SKILL, commands/run.js
  * LIBEVAL_AGENT_PROFILE) cannot smuggle a value past the redactor.
@@ -52,15 +60,55 @@ const ENV_PLACEHOLDER = (name) => `[REDACTED:env:${name}]`;
 const PATTERN_PLACEHOLDER = (kind) => `[REDACTED:pattern:${kind}]`;
 
 /**
- * Build a frozen { name → value } snapshot of the requested env vars.
- * Empty strings are skipped — a leaked empty env var would otherwise
- * cause every empty string in the trace to be replaced.
+ * Minimum secret byte length for encoded-form matching. At 9 bytes the
+ * shortest offset core is exactly 8 chars; below 9 it drops under 8 — too
+ * short to be a sound needle against ordinary base64 trace content (margin of
+ * safety, false positives). Every DEFAULT_ENV_ALLOWLIST value (token, key,
+ * password) far exceeds it.
+ */
+const MIN_ENCODED_SECRET_BYTES = 9;
+
+// Leading base64 chars contaminated by the k filler bytes, per alignment.
+const ENCODED_LEAD_STRIP = [0, 2, 3];
+
+/**
+ * The three offset-invariant standard-base64 core substrings of `secret`, one
+ * per byte alignment (k = 0/1/2). base64 maps disjoint 3-byte groups to 4 chars
+ * independently, so the chars covering a secret's interior groups depend only
+ * on the secret's bytes — never on the bytes surrounding it. Only the partial
+ * groups at each edge are neighbour-dependent; stripping them leaves a core
+ * that appears in the base64 of any plaintext placing `secret` at that
+ * alignment. Padding lives only in the final partial group, which is stripped,
+ * so each core is padding-free and one needle matches padded and unpadded
+ * haystack content. Returns [] below MIN_ENCODED_SECRET_BYTES.
+ * @param {string} secret
+ * @returns {string[]}
+ */
+function encodedNeedles(secret) {
+  if (Buffer.byteLength(secret, "utf8") < MIN_ENCODED_SECRET_BYTES) return [];
+  const needles = [];
+  for (let k = 0; k < 3; k++) {
+    const enc = Buffer.from("\0".repeat(k) + secret, "utf8")
+      .toString("base64")
+      .replace(/=+$/, "");
+    needles.push(enc.slice(ENCODED_LEAD_STRIP[k], enc.length - 4));
+  }
+  return needles;
+}
+
+/**
+ * Build a frozen { name → { secret, needles } } snapshot of the requested env
+ * vars. Empty strings are skipped — a leaked empty env var would otherwise
+ * cause every empty string in the trace to be replaced. `needles` are the
+ * precomputed standard-base64 cores (empty for sub-floor secrets).
  */
 function snapshotEnv(env, allowlist) {
   const snap = {};
   for (const name of allowlist) {
     const v = env[name];
-    if (typeof v === "string" && v.length > 0) snap[name] = v;
+    if (typeof v === "string" && v.length > 0) {
+      snap[name] = { secret: v, needles: encodedNeedles(v) };
+    }
   }
   return Object.freeze(snap);
 }
@@ -81,7 +129,7 @@ function walk(value, redactString) {
 export class Redactor {
   /**
    * @param {object} deps
-   * @param {Readonly<Record<string, string>>} deps.envSnapshot - Frozen { name → secret } map captured at construction time.
+   * @param {Readonly<Record<string, {secret: string, needles: string[]}>>} deps.envSnapshot - Frozen { name → { secret, needles } } map captured at construction time; `needles` are the precomputed standard-base64 cores of `secret`.
    * @param {ReadonlyArray<{kind: string, regex: RegExp}>} deps.patterns - Credential-shape regexes; each match becomes `[REDACTED:pattern:KIND]`.
    * @param {boolean} deps.enabled - When false, `redactValue` returns its input by reference.
    */
@@ -109,10 +157,21 @@ export class Redactor {
    */
   #redactString(s) {
     let out = s;
-    for (const [name, secret] of Object.entries(this.envSnapshot)) {
+    for (const [name, { secret, needles }] of Object.entries(
+      this.envSnapshot,
+    )) {
       if (out.includes(secret)) {
         out = out.split(secret).join(ENV_PLACEHOLDER(name));
       }
+      // Standard-base64 form at any byte offset. Order among the three needles
+      // is irrelevant: once a region is replaced by the placeholder (which
+      // shares no base64 run with any needle) those bytes are gone, so a later
+      // needle cannot re-match them. The floor keeps every needle ≥ 8 chars.
+      for (const needle of needles) {
+        if (out.includes(needle)) {
+          out = out.split(needle).join(ENV_PLACEHOLDER(name));
+        }
+      }
     }
     for (const { kind, regex } of this.patterns) {
       out = out.replace(regex, PATTERN_PLACEHOLDER(kind));

package/src/trace-collector.js

@@ -171,6 +171,7 @@ export class TraceCollector {
       index: this.turnIndex++,
       role: "assistant",
       source,
+      messageId: message.id ?? null,
       content,
       usage,
     });
@@ -235,7 +236,7 @@ export class TraceCollector {
       durationMs: prev.durationMs + (event.duration_ms ?? 0),
       numTurns: prev.numTurns + (event.num_turns ?? 0),
       tokenUsage: sumTokenUsage(prev.tokenUsage, normalizeUsage(event.usage)),
-      modelUsage: event.modelUsage ?? prev.modelUsage,
+      modelUsage: mergeModelUsage(prev.modelUsage, event.modelUsage),
     };
   }
 
@@ -245,7 +246,7 @@ export class TraceCollector {
    */
   toJSON() {
     return {
-      version: "1.1.0",
+      version: "1.2.0",
       metadata: this.metadata ?? {
         timestamp: this.now(),
         sessionId: null,
@@ -363,6 +364,61 @@ function sumTokenUsage(a, b) {
   };
 }
 
+/**
+ * Per-model fields that sum additively across result events — token counts,
+ * per-model cost, and request counters. Every other per-model field (e.g. a
+ * context-window size) is carried first-seen, never summed.
+ */
+const ADDITIVE_MODEL_FIELDS = [
+  "inputTokens",
+  "outputTokens",
+  "cacheReadInputTokens",
+  "cacheCreationInputTokens",
+  "costUSD",
+  "webSearchRequests",
+];
+
+/**
+ * Merge two per-model usage maps across result events. Additive fields
+ * (token counts, cost, request counters) sum; non-additive fields are carried
+ * from the first event that set them (prev wins). Either side may be null.
+ * @param {object|null} prevMU
+ * @param {object|null} nextMU
+ * @returns {object|null}
+ */
+function mergeModelUsage(prevMU, nextMU) {
+  if (!prevMU) return nextMU ?? null;
+  if (!nextMU) return prevMU;
+
+  const merged = {};
+  for (const model of new Set([
+    ...Object.keys(prevMU),
+    ...Object.keys(nextMU),
+  ])) {
+    merged[model] = mergeOneModel(prevMU[model] ?? {}, nextMU[model] ?? {});
+  }
+  return merged;
+}
+
+/**
+ * Merge one model's usage: additive fields sum, others carry first-seen (a).
+ * @param {object} a - First-seen (prev) per-model usage.
+ * @param {object} b - Next per-model usage.
+ * @returns {object}
+ */
+function mergeOneModel(a, b) {
+  const entry = { ...a, ...b };
+  for (const field of ADDITIVE_MODEL_FIELDS) {
+    if (field in a || field in b) {
+      entry[field] = (a[field] ?? 0) + (b[field] ?? 0);
+    }
+  }
+  for (const field of Object.keys(a)) {
+    if (!ADDITIVE_MODEL_FIELDS.includes(field)) entry[field] = a[field];
+  }
+  return entry;
+}
+
 /**
  * Format milliseconds into a human-readable duration.
  * @param {number} ms - Duration in milliseconds

package/src/trace-github.js

@@ -28,13 +28,28 @@ export class TraceGitHub {
   }
 
   /**
-   * List recent workflow runs, optionally filtered by name pattern.
+   * List recent workflow runs, optionally filtered by name pattern and by the
+   * participant whose trace lane a run carries.
+   *
+   * Without `participant`, behaviour is unchanged: the workflow-name pattern is
+   * the only filter. With `participant`, each name-matched run is resolved
+   * against its trace lane (see {@link runMatchesParticipant}) and annotated
+   * with a `match` field:
+   *   - `"confirmed"` — the participant's lane is present in the run's
+   *     artifacts (matrix artifact name, or a member filename in the shared
+   *     dispatch artifact).
+   *   - `"unconfirmed-pending-artifacts"` — the run's workflow mints trace
+   *     artifacts but none exist yet (still running, or completed-but-not-yet
+   *     uploaded); reported as a candidate, never silently dropped.
+   * Runs that have artifacts but no matching lane are omitted. Participant
+   * identity is read from artifact/file *names* only, never from trace content.
    *
    * @param {object} [opts]
    * @param {string} [opts.pattern] - Case-insensitive regex to match workflow name (default: "kata|agent" — covers `Kata: Shift`, `Kata: Dispatch`, and any `agent`-named workflow)
    * @param {number} [opts.limit=50] - Max runs to return from GitHub API
    * @param {string} [opts.lookback="7d"] - How far back to search (e.g. "7d", "24h", "2w")
-   * @returns {Promise<object[]>} Array of {workflow, runId, status, conclusion, createdAt, branch, url}
+   * @param {string} [opts.participant] - Participant name; when set, filter/annotate runs by trace lane
+   * @returns {Promise<object[]>} Array of {workflow, runId, status, conclusion, createdAt, branch, url[, match]}
    */
   async listRuns(opts = {}) {
     const { pattern = "kata|agent", limit = 50, lookback = "7d" } = opts;
@@ -52,7 +67,7 @@ export class TraceGitHub {
     const runs = data.workflow_runs ?? [];
 
     const re = new RegExp(pattern, "i");
-    return runs
+    const matched = runs
       .filter((r) => re.test(r.name))
       .map((r) => ({
         workflow: r.name,
@@ -63,6 +78,133 @@ export class TraceGitHub {
         branch: r.head_branch,
         url: r.html_url,
       }));
+
+    if (!opts.participant) return matched;
+
+    const out = [];
+    for (const run of matched) {
+      const verdict = await this.runMatchesParticipant(
+        run.runId,
+        opts.participant,
+      );
+      if (verdict === "omit") continue;
+      out.push({ ...run, match: verdict });
+    }
+    return out;
+  }
+
+  /**
+   * Decide whether a run carries a participant's trace lane.
+   *
+   * Matrix hosts name the participant in an artifact name
+   * (`trace--<participant>`); dispatch hosts name it in a member filename
+   * (`trace--<case>--<participant>.<role>.ndjson`) inside one shared `trace--*`
+   * artifact. The GitHub artifacts API exposes only artifact-level metadata, so
+   * a matrix lane confirms from the inventory alone, while a dispatch lane
+   * requires downloading the shared artifact and listing its extracted member
+   * filenames — names only, never trace content.
+   *
+   * A run whose trace artifacts are absent (still running, or
+   * completed-but-not-yet-uploaded) is a candidate, not a drop.
+   *
+   * @param {number|string} runId
+   * @param {string} participant
+   * @returns {Promise<"confirmed"|"unconfirmed-pending-artifacts"|"omit">}
+   */
+  async runMatchesParticipant(runId, participant) {
+    const url = `${API}/repos/${this.owner}/${this.repo}/actions/runs/${runId}/artifacts`;
+    const data = await this.#get(url);
+    const artifacts = data.artifacts ?? [];
+    const traceArtifacts = artifacts.filter((a) =>
+      a.name.startsWith("trace--"),
+    );
+
+    // No trace artifacts yet: a candidate the matcher must report, not drop —
+    // the lane may upload when the host completes.
+    if (traceArtifacts.length === 0) return "unconfirmed-pending-artifacts";
+
+    // Matrix host: the participant is an artifact name. No download.
+    if (
+      participantInNames(
+        traceArtifacts.map((a) => a.name),
+        participant,
+      )
+    ) {
+      return "confirmed";
+    }
+
+    // Dispatch host: one shared artifact whose members name the participant.
+    // Download and list member filenames (names only).
+    for (const artifact of traceArtifacts) {
+      const { files } = await this.downloadTrace(runId, {
+        name: artifact.name,
+      });
+      if (participantInNames(files, participant)) return "confirmed";
+    }
+    return "omit";
+  }
+
+  /**
+   * Resolve a participant's lane trace path for a known run in one keyed
+   * lookup — no run enumeration, no trace-content inspection.
+   *
+   * Matrix host: the artifact name carries the participant (no download).
+   * Dispatch host: download the shared `trace--*` artifact and return the
+   * extracted member file whose name carries the participant.
+   *
+   * @param {number|string} runId
+   * @param {string} participant
+   * @param {object} [opts]
+   * @param {string} [opts.dir] - Output directory for a downloaded dispatch artifact
+   * @returns {Promise<{runId: (number|string), participant: string, host: "matrix"|"dispatch", artifact: string, path: string}>}
+   * @throws {Error} when the run has no trace artifacts, or none carries the participant's lane.
+   */
+  async findByKey(runId, participant, opts = {}) {
+    const url = `${API}/repos/${this.owner}/${this.repo}/actions/runs/${runId}/artifacts`;
+    const data = await this.#get(url);
+    const artifacts = data.artifacts ?? [];
+    const traceArtifacts = artifacts.filter((a) =>
+      a.name.startsWith("trace--"),
+    );
+    if (traceArtifacts.length === 0) {
+      throw new Error(`No trace artifacts for run ${runId}`);
+    }
+
+    // Matrix host: the artifact name carries the participant. No download.
+    const matrix = traceArtifacts.find((a) =>
+      participantInNames([a.name], participant),
+    );
+    if (matrix) {
+      return {
+        runId,
+        participant,
+        host: "matrix",
+        artifact: matrix.name,
+        path: matrix.name,
+      };
+    }
+
+    // Dispatch host: download the shared artifact and match a member filename.
+    for (const artifact of traceArtifacts) {
+      const { dir, files } = await this.downloadTrace(runId, {
+        name: artifact.name,
+        dir: opts.dir,
+      });
+      const member = files.find((f) => participantInNames([f], participant));
+      if (member) {
+        return {
+          runId,
+          participant,
+          host: "dispatch",
+          artifact: artifact.name,
+          path: path.join(dir, member),
+        };
+      }
+    }
+
+    throw new Error(
+      `No trace lane for participant "${participant}" in run ${runId}`,
+    );
   }
 
   /**
@@ -151,6 +293,36 @@ export class TraceGitHub {
   }
 }
 
+/**
+ * Test whether a participant's trace lane is present in a list of names.
+ *
+ * Matches the two trace-naming shapes by *name* only (never by content):
+ *   - matrix artifact name: `trace--<participant>`
+ *   - dispatch member filename: `trace--<case>--<participant>.<role>.ndjson`
+ *
+ * The participant segment is delimited by `--` and ends at the next `--`, `.`,
+ * or end-of-string, so a substring like `release` does not match
+ * `release-engineer` and vice versa.
+ *
+ * @param {string[]} names - Artifact names or extracted member filenames.
+ * @param {string} participant - Participant name to look for.
+ * @returns {boolean}
+ */
+export function participantInNames(names, participant) {
+  return names.some((name) => {
+    if (!name.startsWith("trace--")) return false;
+    const rest = name.slice("trace--".length);
+    // Matrix: `<participant>` is the whole remainder (artifact name).
+    if (rest === participant) return true;
+    // Dispatch: `<case>--<participant>.<role>.ndjson`.
+    const sep = rest.indexOf("--");
+    if (sep === -1) return false;
+    const afterCase = rest.slice(sep + 2);
+    const participantSegment = afterCase.split(".")[0];
+    return participantSegment === participant;
+  });
+}
+
 /**
  * Pick the trace artifact to download from a workflow run's artifact list.
  *