@hongmaple0820/scale-engine 0.19.0 → 0.21.0

package/docs/CONTEXT_BUDGET.md

@@ -0,0 +1,87 @@
+# Context Budget And Progressive Governance
+
+Status: implemented baseline
+Since: v0.20 development branch
+
+This feature keeps SCALE from becoming its own context pollution source. It separates always-loaded rules from on-demand documents, runtime evidence, historical archives, and generated artifacts.
+
+## Commands
+
+Report token cost by context category:
+
+```bash
+scale context budget --json
+```
+
+Write the report to `.scale/context-budget.json`:
+
+```bash
+scale context budget --write
+```
+
+Check thresholds:
+
+```bash
+scale context doctor --max-always 2500 --max-task 8000
+```
+
+Build a lazy-loaded task context pack:
+
+```bash
+scale context pack \
+  --task "Review frontend route with browser evidence" \
+  --level L \
+  --files src/routes/upload.tsx \
+  --budget 4000 \
+  --json
+```
+
+Evaluate progressive governance mode:
+
+```bash
+scale governance mode \
+  --task "Change auth permissions and database migration" \
+  --files src/auth/user.ts,migrations/001.sql \
+  --requested-mode minimal \
+  --json
+```
+
+Report governance benefit and overhead:
+
+```bash
+scale governance roi \
+  --task-id TASK-123 \
+  --task "Review frontend route with browser evidence" \
+  --files src/routes/upload.tsx \
+  --json
+```
+
+## Categories
+
+| Category | Meaning | Loading Policy |
+| --- | --- | --- |
+| `always` | Tiny entrypoint rules and source-of-truth governance config | Keep under strict token budget |
+| `on-demand` | Domain docs and governance guides | Load only when task trigger matches |
+| `evidence` | Runtime evidence and task artifacts | Summarize and reference by path |
+| `archive` | Historical plans and old roadmap context | Do not load unless explicitly requested |
+| `generated` | HTML reports, screenshots, graph outputs, generated artifacts | Keep manifest-only by default |
+
+## Progressive Governance
+
+SCALE now has a baseline risk classifier. It keeps low-risk documentation work in `minimal` mode and escalates risky tasks to `standard`, `expanded`, or `critical`.
+
+Examples:
+
+| Signal | Mode |
+| --- | --- |
+| README typo | `minimal` |
+| normal implementation task | `standard` |
+| UI, browser, E2E, public interface, or cross-module work | `expanded` |
+| auth, permission, secret, database, migration, production config, release, or destructive operation | `critical` |
+
+This is not a replacement for verification. It only decides which governance behavior should activate.
+
+## Governance ROI
+
+`scale governance roi` reports both benefit and overhead. Early ROI is estimated from context budget and risk signals. Later versions should replace estimates with measured eval data such as file reads saved, tool calls saved, fix iterations reduced, and human corrections avoided.
+

package/docs/GOVERNANCE_DASHBOARD.md

@@ -0,0 +1,69 @@
+# Governance Dashboard
+
+Status: implemented baseline
+Since: v0.25 development branch
+
+Governance Dashboard turns existing SCALE evidence into a single reviewable HTML page. It does not replace Markdown, JSON, runtime evidence, eval records, or memory. It is a human-facing view over those sources.
+
+## Command
+
+```bash
+scale artifact dashboard
+scale artifact dashboard --task-id <task-id>
+scale artifact dashboard --dir /path/to/project
+scale artifact dashboard --output docs/worklog/tasks/<task-id>/artifacts/governance-dashboard.html
+scale artifact dashboard --json
+```
+
+Default output:
+
+```text
+.scale/reports/governance-dashboard.html
+.scale/reports/governance-dashboard-manifest.json
+```
+
+The default lifecycle is `generated-report` and the default Git policy is `ignore`. Promote or commit only dashboards that are intentionally used as reviewed task evidence or release evidence.
+
+When `--dir` is used and `SCALE_DIR` is not set, the default `.scale` directory is resolved inside the target project directory, not inside the shell's current working directory. This matters for scaffold and multi-repo validation runs.
+
+## Inputs
+
+The dashboard reads existing local evidence:
+
+| Area | Source |
+| --- | --- |
+| Runtime evidence | `.scale/evidence/runtime/` |
+| Workflow eval | `.scale/evals/runs/` and `.scale/evals/failures/` |
+| Memory Brain | `.scale/memory/brain.sqlite` |
+| Resource Governance | workspace files plus `.scale/resource-policy.json` and `.scale/assets.json` |
+| HTML artifacts | task artifact manifests and rendered HTML files |
+
+## Status Model
+
+- Runtime evidence failures are blocking.
+- Memory contradictions are blocking.
+- Resource Governance failures are blocking.
+- Open eval failure replays are warnings, because they may be intentional baseline failures or pending improvement work.
+- Missing task HTML artifacts are informational.
+
+This keeps the dashboard useful as a review surface without turning every observation into a hard gate.
+
+## Recommended Use
+
+For M/L/CRITICAL work:
+
+```bash
+scale verify <task-id>
+scale eval run --suite workflow-baseline
+scale memory dream --json
+scale artifact dashboard --task-id <task-id>
+```
+
+For release review:
+
+```bash
+scale artifact dashboard
+scale artifact open --artifact-dir .scale/reports --type governance-dashboard --print-only
+```
+
+The dashboard should be attached to a release or PR only when it is deliberately selected as a review artifact. Routine generated dashboards should stay local.

package/docs/MEMORY_BRAIN.md

@@ -0,0 +1,104 @@
+# Memory Brain
+
+Memory Brain is SCALE's project-scoped long-term memory layer. It is separate from Memory Fabric:
+
+- Memory Fabric builds a compact context pack for the current task.
+- Memory Brain stores reviewed project knowledge with evidence, confidence, scope, and contradiction checks.
+
+The first version is local-first and uses SQLite:
+
+```text
+.scale/memory/brain.sqlite
+.scale/memory/brain-manifest.json
+```
+
+## Commands
+
+```bash
+scale memory ingest --from evidence --task-id <task-id>
+scale memory ingest --from candidate --candidate-id <candidate-id>
+scale memory ingest --from failure --failure-id <failure-replay-id>
+scale memory query "OAuth callback state design"
+scale memory contradictions
+scale memory dream
+scale memory promote <memory-node-id-or-candidate-id>
+scale memory export --output .scale/memory/export.jsonl
+scale memory import .scale/memory/export.jsonl
+```
+
+## Node Contract
+
+```ts
+interface MemoryNode {
+  id: string
+  type: 'fact' | 'decision' | 'incident' | 'relation' | 'contradiction'
+  title: string
+  summary: string
+  entities: string[]
+  source: 'runtime-evidence' | 'task-artifact' | 'docs' | 'git' | 'manual'
+  evidencePaths: string[]
+  confidence: number
+  scope: 'project' | 'workspace' | 'global-candidate'
+  status: 'candidate' | 'active' | 'stale' | 'rejected'
+  createdAt: string
+  updatedAt: string
+  lastVerifiedAt?: string
+}
+```
+
+## Evidence Rule
+
+Active memory must have at least one evidence path. SCALE blocks promotion when this is not true.
+
+Runtime evidence and learning candidates are ingested as `candidate` records first. `scale memory promote` is the explicit boundary where reviewed memory becomes active.
+
+Failure replay records can also be ingested as `incident` candidates:
+
+```bash
+scale eval run --suite workflow-baseline
+scale eval failures --since 30d
+scale memory ingest --from failure --failure-id <failure-replay-id>
+scale memory promote <memory-node-id>
+```
+
+This connects Eval Harness failures to long-term memory without automatically rewriting project standards. A failure becomes active memory only after promotion and only if the replay artifact is present as evidence.
+
+## Scope Rule
+
+Project memory stays project-scoped by default. `global-candidate` is allowed for export and review, but it cannot be activated inside a project brain. This prevents one project's temporary truth from becoming a global rule.
+
+## Contradiction Rule
+
+`scale memory contradictions` reports conflicts instead of resolving them automatically. Examples:
+
+- one memory says a provider is enabled, another says it is disabled
+- one memory says a route exists, another says it is missing
+- one memory says an operation is allowed, another says it is blocked
+
+The command exits non-zero when active contradictions exist.
+
+## Dream Maintenance
+
+`scale memory dream` is a maintenance pass. It reports:
+
+- promotion candidates
+- stale active memories
+- duplicate groups
+- contradictions
+- suggested docs to update
+- active memories missing evidence
+
+It does not auto-promote standards, rewrite docs, or delete memories.
+
+## Resource Lifecycle
+
+Memory Brain files under `.scale/memory/` are local runtime state by default. Commit only curated exports, documented decisions, or task artifacts that were intentionally reviewed.
+
+Recommended flow:
+
+```text
+runtime evidence -> memory settle -> memory ingest -> memory promote -> docs/standards update when stable
+eval failure replay -> memory ingest --from failure -> memory promote -> workflow rule update when stable
+```
+
+This keeps memory useful without turning every session observation into permanent project truth.

package/docs/README.md

@@ -1,6 +1,6 @@
 # SCALE Engine 文档地图
 
-这个目录同时包含用户指南、参考文档、历史规划和推广材料。为了避免新用户迷路，请按下面的分层阅读。
+这个目录同时包含用户指南、治理能力说明、架构参考、历史规划和推广素材。新用户应优先阅读入门入口和当前治理能力文档，历史规划仅作为背景材料。
 
 ## 新用户入口
 
@@ -20,10 +20,17 @@
 | [TOOL_ORCHESTRATION.md](TOOL_ORCHESTRATION.md) | skills、MCP、CLI、浏览器、桌面自动化的编排策略 |
 | [RUNTIME_EVIDENCE.md](RUNTIME_EVIDENCE.md) | 会话 ledger、运行时证据和最终交付检查 |
 | [MEMORY_FABRIC.md](MEMORY_FABRIC.md) | Runtime evidence、session events、knowledge recall 和 graph status 的预算化上下文包 |
+| [MEMORY_BRAIN.md](MEMORY_BRAIN.md) | 证据驱动的长期记忆、矛盾检测、dream 整理和 failure replay 沉淀 |
+| [CONTEXT_BUDGET.md](CONTEXT_BUDGET.md) | Context Budget、Progressive Governance、Lazy Loading 和 Governance ROI |
+| [CODE_INTELLIGENCE.md](CODE_INTELLIGENCE.md) | CodeGraph、Graphify 和显式 fallback 的代码智能与探索 ROI |
+| [WORKFLOW_EVAL.md](WORKFLOW_EVAL.md) | Workflow Eval、pass@k 指标、Failure Replay 和改进候选 |
+| [SKILL_RADAR.md](SKILL_RADAR.md) | Skill Radar、能力置信度、证据要求和供应链安全检查 |
+| [UPGRADE_MANAGEMENT.md](UPGRADE_MANAGEMENT.md) | SCALE CLI、governance pack、skills、MCP 和 CLI 工具的安全升级流程 |
+| [GOVERNANCE_DASHBOARD.md](GOVERNANCE_DASHBOARD.md) | Runtime、eval、memory、resource、HTML artifact 的统一治理面板 |
 | [RELEASE_READINESS.md](RELEASE_READINESS.md) | 发版前质量门槛、官方 demo 和真实项目落地验收 |
 | [SKILL-REPOSITORY.md](SKILL-REPOSITORY.md) | 受治理 skill repository 和安装安全策略 |
 | [VIBE-TEMPLATES.md](VIBE-TEMPLATES.md) | 可复制的 Vibe Coding 提示词模板 |
-| [LEADERSHIP-PRESETS.md](LEADERSHIP-PRESETS.md) | CEO/CTO/PM/Architect 等内置领导者角色预设 |
+| [LEADERSHIP-PRESETS.md](LEADERSHIP-PRESETS.md) | CEO、CTO、PM、Architect 等内置领导者角色预设 |
 
 ## 架构与参考
 
@@ -47,6 +54,7 @@
 | [WEEK1-2-REPORT.md](WEEK1-2-REPORT.md) | 阶段报告 |
 | [TASK_GUARD_SUMMARY.md](TASK_GUARD_SUMMARY.md) | Task Guard 总结 |
 | [TASK_GUARD_WORKFLOW_DEMO.md](TASK_GUARD_WORKFLOW_DEMO.md) | 早期 workflow demo |
+| [plans/2026-05-19-agent-engineering-os-upgrade-plan.md](plans/2026-05-19-agent-engineering-os-upgrade-plan.md) | Agent Engineering OS 升级审核稿：Context Budget、CodeGraph、Memory Brain、Skill Radar、HTML Artifact 和 Eval Harness |
 | [plans/](plans/) | 规划方案和技术方案归档 |
 | [superpowers/](superpowers/) | 外部方法论对照和计划归档 |
 
@@ -54,15 +62,16 @@
 
 | 文档 | 说明 |
 | --- | --- |
-| [promote-article-v3.md](promote-article-v3.md) | 推广文章草稿 |
-| [promote-article-v3.html](promote-article-v3.html) | 推广文章 HTML 版本 |
+| [promote-article-v2.md](promote-article-v2.md) | 推广文章草稿 v2 |
+| [promote-article-v2.html](promote-article-v2.html) | 推广文章 HTML v2 |
+| [promote-article-v3.md](promote-article-v3.md) | 推广文章草稿 v3 |
+| [promote-article-v3.html](promote-article-v3.html) | 推广文章 HTML v3 |
 | [imgs/](imgs/) | 社群二维码和推广图片 |
 
 ## 维护规则
 
 - 面向新用户的文档优先放在 `docs/start/`。
 - 当前可执行能力放在根 README 和当前治理能力文档中。
-- 历史规划不要混入新手教程，避免用户把旧计划当当前事实。
-- 如果 CLI 行为变化，必须同步更新 README、`docs/start/quickstart.md` 和相关 reference 文档。
-- 如果新增 governance pack，必须同时更新 README、`docs/start/README.md` 和对应测试。
-
+- 历史规划不要混入新手教程，避免用户把旧计划当成当前事实。
+- 如果 CLI 行为变化，必须同步更新 `README.md`、`docs/start/quickstart.md` 和相关 reference 文档。
+- 如果新增 governance pack，必须同时更新 `README.md`、`docs/start/README.md` 和对应测试。

package/docs/SKILL_RADAR.md

@@ -0,0 +1,115 @@
+# Skill Radar
+
+Skill Radar is the active capability selection layer for SCALE. It does not auto-install or blindly run skills. It scores relevant skills, MCP servers, browser tools, desktop automation, and external CLIs against the current task, then returns:
+
+- why the capability matches
+- confidence score
+- safety level
+- required evidence
+- fallback path
+- supply-chain checks before installation or promotion
+
+The goal is to make agents actively use useful tools without turning the project into an unsafe prompt or tool bundle.
+
+## Commands
+
+```bash
+scale skill radar --task "Design upload UI and run browser E2E checks" --files src/pages/upload.tsx
+scale skill radar --task "Automate WPS desktop workflow with CUA" --json
+scale skill radar --task "Review release PR" --phase review --level L --output docs/worklog/tasks/release/skill-radar.md
+scale skill doctor --supply-chain
+scale skill doctor --supply-chain --json
+```
+
+## Safety Levels
+
+| Level | Meaning | Default action |
+| --- | --- | --- |
+| `trusted` | Official or low-risk capability with policy enabled | May be recommended when confidence is high |
+| `review-required` | Third-party or ecosystem capability | Require source, license, scripts, and revision review |
+| `restricted` | Browser, desktop, or external execution boundary | Require explicit evidence and side-effect boundaries |
+| `blocked` | Disabled by policy or failed safety review | Do not run; use fallback |
+
+## Confidence
+
+Skill Radar combines:
+
+- task keywords and workflow phase
+- changed file patterns
+- local skill installation
+- tool availability
+- trust level
+- policy status
+- frontend/package evidence
+- safety penalties
+
+The score is not a promise that the tool will work. It is a routing signal. Any recommendation still needs real evidence before the agent can claim success.
+
+## Default Domains
+
+| Domain | Typical triggers | Recommended capability types |
+| --- | --- | --- |
+| `ui` | UI, UX, frontend, component, visual, layout | design skills, visual review, screenshot evidence |
+| `browserAutomation` | browser, E2E, Playwright, Chrome, DevTools | web access, browser automation, DevTools evidence |
+| `desktopAutomation` | desktop, GUI, WPS, WeChat, CUA | disabled by default; manual operator fallback |
+| `externalCli` | Codex, Gemini, OpenCode, external agent CLI | disabled by default; dry-run and output evidence |
+| `review` | PR, merge, release, code review | reviewer skills, severity findings |
+| `docs` | docs, README, ADR, governance asset | doc impact and source-of-truth evidence |
+| `discovery` | skill, MCP, tool, capability discovery | find-skills plus safety review |
+
+## Evidence Contract
+
+Each recommendation carries required evidence. Examples:
+
+- UI work: `ui-spec`, `design-rationale`, `screenshot`, `visual-review`
+- Browser work: `browser-evidence`, `console-summary`, `network-summary`, `scenario-result`
+- Desktop work: `operator-boundary`, `desktop-screenshot`, `affected-app`
+- External CLI work: `cli-version-check`, `command`, `exit-code`, `output-summary`
+- Review work: `review-report`, `finding-list`, `severity`
+
+If evidence is missing, the final delivery should list the capability as unverified rather than claiming it was used successfully.
+
+## Supply-Chain Doctor
+
+`scale skill doctor --supply-chain` reviews known skill sources and install commands for:
+
+- HTTPS source requirement
+- `curl | bash`, `wget | sh`, `Invoke-Expression`, and `iex` blocking
+- destructive install patterns
+- npm/npx lifecycle script review
+- required source, license, and revision checks
+
+This is intentionally conservative. Third-party skills should start in review-required mode and be promoted only after inspection.
+
+## Policy Integration
+
+Skill Radar reads `.scale/tools.json` through the Tool Policy layer. Defaults:
+
+- UI and browser capabilities are enabled but evidence-required.
+- Desktop CUA is disabled by default.
+- External agent CLIs are disabled by default.
+- Browser tools require captured evidence and should stay in approved domains.
+
+Use Tool Policy to enable a restricted capability deliberately rather than relying on an agent's assumption.
+
+## Fallback Rule
+
+Every recommendation must include a fallback. This prevents tool theater:
+
+```text
+If the capability is missing, unsafe, low-confidence, or policy-blocked,
+the agent must use the fallback and record why the capability was not used.
+```
+
+## Artifact Lifecycle
+
+Skill Radar reports can be written into task artifacts:
+
+```bash
+scale skill radar \
+  --task "Refactor upload page and verify browser flow" \
+  --files src/pages/upload.tsx \
+  --output docs/worklog/tasks/2026-05-19-upload-refactor/skill-radar.md
+```
+
+Keep the report when it is evidence for an M/L/CRITICAL task. Do not commit transient local detection output unless it is part of the reviewed task artifact set.

package/docs/WORKFLOW_EVAL.md

@@ -0,0 +1,151 @@
+# Workflow Eval Harness
+
+Status: implemented baseline
+Since: v0.22 development branch
+
+Workflow Eval Harness 用来证明工作流是否真的提升了 Agent 的工程交付质量，而不是只依赖主观感觉。它会运行轻量 eval suite，记录 pass@k、修复迭代、工具调用、token 估算、人类纠偏次数，并在失败时保留 Failure Replay。
+
+## Commands
+
+初始化默认基线套件：
+
+```bash
+scale eval init
+scale eval init --suite workflow-baseline --json
+```
+
+运行套件：
+
+```bash
+scale eval run --suite workflow-baseline
+scale eval run --suite workflow-baseline --json
+```
+
+对比两次运行：
+
+```bash
+scale eval compare --baseline <run-id> --candidate <run-id>
+scale eval compare --baseline <run-id> --candidate <run-id> --json
+```
+
+生成 Markdown 报告：
+
+```bash
+scale eval report --run <run-id>
+scale eval report --run <run-id> --output docs/worklog/eval-report.md
+```
+
+查看和提升失败重放：
+
+```bash
+scale eval failures --since 30d
+scale eval replay <failure-id>
+scale eval replay --task-id <task-id>
+scale eval promote-failure <failure-id>
+```
+
+## Failure Replay To Memory
+
+Failure Replay is local eval evidence first. When a failure pattern is useful for future work, ingest it into Memory Brain as an `incident` candidate:
+
+```bash
+scale memory ingest --from failure --failure-id <failure-id>
+scale memory query "missing verification evidence"
+scale memory promote <memory-node-id>
+```
+
+This does not auto-change standards or hooks. It only makes the failure queryable and evidence-backed so repeated mistakes can be promoted deliberately after review.
+
+## Storage
+
+```text
+.scale/evals/
+├── suites/
+├── runs/
+├── failures/
+└── improvements/
+```
+
+These files are local runtime evidence by default. Commit only curated summaries or intentional benchmark fixtures.
+
+## Suite Shape
+
+```json
+{
+  "version": "1.0",
+  "id": "workflow-baseline",
+  "name": "SCALE workflow baseline",
+  "cases": [
+    {
+      "id": "governance-command-smoke",
+      "type": "bugfix",
+      "title": "Command evidence smoke",
+      "task": "Verify that a local command can produce concrete eval evidence.",
+      "phase": "verify",
+      "successCriteria": ["command exits 0"],
+      "attempts": [
+        {
+          "id": "attempt-1",
+          "command": "node -e \"console.log('scale-eval-ok')\"",
+          "expectedExitCode": 0,
+          "outputContains": "scale-eval-ok"
+        }
+      ]
+    }
+  ]
+}
+```
+
+## Metrics
+
+| Metric | Meaning |
+| --- | --- |
+| `passAt1Rate` | 一次完整尝试就通过的比例 |
+| `passAt3Rate` | 三次以内通过的比例 |
+| `averageFixIterations` | 首次失败后的平均修复循环 |
+| `totalToolCalls` | eval attempts 数量，可近似衡量工具调用成本 |
+| `estimatedTokens` | task 与输出摘要的估算 token 成本 |
+| `humanCorrections` | 人类纠偏次数 |
+| `failureReplayCount` | 失败重放记录数量 |
+
+## Failure Replay
+
+失败不只记录最终失败状态，还会保存：
+
+- task and success criteria
+- phase
+- wrong turn
+- evidence
+- correction
+- prevention
+- replay command
+- redaction status
+
+Failure category 当前包括：
+
+- `wrong-exploration-path`
+- `hallucinated-project-fact`
+- `missing-codegraph-or-graph-fallback`
+- `over-broad-context-load`
+- `bad-skill-recommendation`
+- `missing-verification-evidence`
+- `failed-security-or-resource-gate`
+- `human-correction-after-agent-confidence`
+- `command-failure`
+- `unknown`
+
+`scale eval promote-failure` 会把失败重放提升为 improvement candidate，但不会自动修改项目规范。是否进入长期标准仍需要人工或后续 review 确认。
+
+## Governance Use
+
+- v0.22 的默认 suite 是轻量 smoke baseline，用来验证 eval 管线可运行。
+- 真实项目应逐步增加 bugfix、feature、security、frontend、release、resource 类型案例。
+- Failure Replay 应与 Resource Governance 配合：默认本地保留，只有总结、基准或明确要长期维护的案例才提交。
+- Workflow Eval 的数据可以进入后续 Governance ROI，用来判断某个治理模块是否真的减少 rework、tool calls、token 或人类纠偏。
+
+## Policy
+
+- 不允许用 eval 通过率替代真实项目验证。
+- 失败记录中的命令输出会做基础脱敏，但仍应避免把敏感原始日志写入 suite。
+- 低成本 smoke suite 可以频繁运行；重型项目 suite 应按需运行。
+- 没有 eval 证据时，不应宣称工作流能力已经提升。

package/docs/start/README.md

@@ -13,7 +13,10 @@
 3. 回到根目录 [README](../../README.md)
    理解 SCALE Engine 的核心能力和 governance pack 选择。
 
-4. 查看 [文档地图](../README.md)
+4. [升级管理](../UPGRADE_MANAGEMENT.md)
+   理解工作流更新、第三方 skills/MCP/CLI 更新时如何先检查、生成计划、避免覆盖本地改动。
+
+5. 查看 [文档地图](../README.md)
    区分哪些文档是用户指南、哪些是参考资料、哪些是历史规划和过程记录。
 
 ## 你应该先看到什么
@@ -39,4 +42,5 @@
 | Go 多服务后端 | `scale init --governance-pack go-service-matrix` |
 | 多仓库/MOE 工作区 | `scale init --governance-pack moe-workspace` |
 | 文档、报告、截图、脚本混乱 | `scale init --governance-pack resource-governance` |
+| 工作流或第三方能力要升级 | `scale upgrade check && scale upgrade plan --html` |
 

package/examples/demo-projects/agent-governance-demo/CONTEXT.md

@@ -0,0 +1,14 @@
+# CONTEXT.md
+
+Project: Agent Governance Demo
+
+| Term | Definition | Examples | Aliases | Source |
+|------|------------|----------|---------|--------|
+| OAuth state | One-time callback correlation value that binds authorization return traffic to a user session | `state-123` | callback state | `src/oauth-state.ts` |
+| Consumed state | A state record that has already been used and must not be accepted again | `consumedAt: 900` | replayed state | `tests/oauth-state.test.ts` |
+| Evidence | A command result or artifact that proves what was verified | `npm test`, eval report, dashboard | verification proof | SCALE workflow |
+
+## Rejected Meanings
+
+- Do not treat an expired state as recoverable without a new authorization flow.
+- Do not treat a dashboard or eval report as a substitute for the business test.