@intentsolutions/audit-harness 1.1.8 → 1.2.1

package/CHANGELOG.md

@@ -4,6 +4,56 @@ All notable changes are recorded here. Format follows [Keep a Changelog](https:/
 
 ## [Unreleased]
 
+_Nothing yet._
+
+### Riding a future v2.1 routine release (descoped from 1.2.0)
+
+- **OTel event-name polish (iah-E07b/c).** The `agent.rollout.gate.evaluated` and `gate.decision.emitted` event names are already locked + tested on main (PRs #78, #81 per NORMATIVE `intent-eval-lab/000-docs/067-AT-SPEC`). Any further attribute-schema polish on those events is deferred to a routine v2.1 release rather than headlined here — it is additive telemetry refinement, not a 1.2.0 capability boundary.
+
+## [1.2.1] - 2026-06-16
+
+A patch release: release-pipeline supply-chain hardening (polyglot signing) plus
+dev-dependency bumps. No CLI surface, runtime behavior, or API boundary changes —
+the published artifacts are byte-identical in behavior to 1.2.0; only the release
+machinery and dev tooling moved.
+
+### Changed — polyglot release signing wired into the publish pipeline (#90)
+
+- **crates.io build-provenance attestation.** The `publish-crates` leg now emits a
+  GitHub build-provenance attestation for the published crate artifact, extending the
+  signed-supply-chain guarantee to the Rust distribution.
+- **sigstore-python wheel + sdist signing.** The `publish-pypi` leg now signs the built
+  wheel and sdist with `sigstore-python` (keyless Fulcio OIDC + Rekor), so the PyPI
+  distribution carries verifiable provenance alongside the existing npm sigstore path.
+- **crates.io publish is now active.** With `CARGO_REGISTRY_TOKEN` provisioned as a
+  repository secret, the `publish-crates` leg goes live on this tag — closing the
+  polyglot publish loop (npm + PyPI + crates.io all publish + sign from one tag).
+
+### Changed — dev-dependency bumps
+
+- Bump `eslint` from 9.39.4 to 10.5.0 (#71).
+- Bump `jeremylongshore/intent-rollout-gate` GitHub Action pin (#86).
+- Bump `crate-ci/typos` from 1.29.4 to 1.47.2 (#87).
+
+## [1.2.0] - 2026-06-15
+
+A minor release: the read-only "comprehensive audit, on any repo" brain (`classify` → `conform` → `audit` → `scan` → `currency`), the kernel-emitting evidence path (`emit-evidence` Evidence Bundle, E04), the provider credential gate (`cred-gate`, E08), shared vendorable lint configs (#85), and a golden-master fitness function — all additive, with the zero-runtime-dependency guarantee preserved.
+
+### Release narrative (what shipped since 1.1.8)
+
+- **`emit-evidence` Evidence Bundle emitter (E04).** The CI-only signed-evidence path emits the harness's own deterministic self-gate as a kernel `gate-result/v1` row inside an `EvidenceBundle`, cosign-signs the canonical bytes (Fulcio OIDC + Rekor), and publishes a `report-manifest.json` the dashboard re-verifies at ingest. Detail under "CI-only signed evidence emit" below.
+- **Provider credential gate (`cred-gate`, E08).** A new gate that asserts provider credentials PASS/FAIL with full redaction + spillover coverage (`scripts/cred-gate.sh`, fixtures via PR #80).
+- **Shared, vendorable lint configs (#85).** `.audit-harness-configs/` (markdownlint / yamllint / ruff / shellcheck) is the canonical config set the IEP repos vendor + extend; `install.sh` now vendors both `scripts/` and `configs/`.
+- **Dogfood AAR (iah-E10d).** First-downstream-adopter run captured at `000-docs/013-AA-AACR-rollout-gate-dogfood-iah-E10-2026-06-15.md`.
+
+### Apache-2.0 §4(d) NOTICE obligation — satisfied
+
+`NOTICE` is present at the repo root, listed in `package.json#files` (ships in the npm tarball), included in the Python sdist + Rust crate distributions, AND vendored into `.audit-harness/` by `install.sh` (see "`install.sh` vendors NOTICE" below). The §4(d) attribution-travels-with-distribution obligation holds across npm, PyPI, crates.io, and the vendored-install path.
+
+### Why minor, not patch
+
+Multiple new CLI verbs (`classify`, `conform`, `audit`, `scan`, `currency`, `cred-gate`) and new authored feature surfaces (shared lint configs, golden-master suite, the CI-only evidence emit). Per SemVer this is a minor bump. No CLI command was renamed or removed; the change is purely additive and the published tarball stays zero-runtime-dependency.
+
 ### Added — golden-master suite for gherkin-lint + crap-score stdout shapes (iah-golden-master)
 
 A fitness function that pins the raw stdout of the two scorers whose output is a downstream contract.

package/bin/audit-harness.js

@@ -17,6 +17,7 @@ const COMMANDS = {
   'init':          { script: 'harness-hash.sh',  args: ['--init'] },
   'list':          { script: 'harness-hash.sh',  args: ['--list'] },
   'escape-scan':   { script: 'escape-scan.sh',   args: [] },
+  'cred-gate':     { script: 'cred-gate.sh',     args: [] },
   'arch':          { script: 'arch-check.sh',    args: [] },
   'bias':          { script: 'bias-count.sh',    args: [] },
   'gherkin-lint':  { script: 'gherkin-lint.sh',  args: [] },
@@ -35,7 +36,7 @@ const COMMANDS = {
 // classify is intentionally NOT here: it emits a meaningful kill-switched profile
 // itself (every gate enforcement=disabled). verify/init/list always run.
 const KILLABLE_GATES = new Set([
-  'escape-scan', 'arch', 'bias', 'gherkin-lint', 'crap', 'emit-evidence',
+  'escape-scan', 'cred-gate', 'arch', 'bias', 'gherkin-lint', 'crap', 'emit-evidence',
 ]);
 
 function usage() {
@@ -50,6 +51,15 @@ Commands:
   list                     List currently pinned files
   escape-scan <source>     Scan a diff for escape attempts
                            source: --staged | --range A..B | - (stdin) | path.patch
+  cred-gate [args...]      Provider credential PASS/FAIL gate (iah-E08, CISO
+                           binding DR-010 S1Q5). Reads a candidate artifact (the
+                           JSON about to be signed/emitted) on stdin or --input and
+                           FAILs (exit 1) if a declared secret value leaks verbatim,
+                           a known provider-key shape is embedded, or the artifact
+                           serializes the process environment (env-var spillover).
+                           Offline + read-only. --secret-env NAME (repeatable)
+                           declares a secret by env-var name; --json emits a
+                           gate-result/v1 envelope. See docs/cred-gate.md.
   arch                     Run architecture-rule checks (Wall 7)
   bias                     Count test-bias patterns (tautology, smoke-only, etc.)
   gherkin-lint             Advisory Gherkin quality check

package/docs/cred-gate.md

@@ -0,0 +1,131 @@
+# `cred-gate` — provider credential PASS/FAIL gate (iah-E08)
+
+CISO non-negotiable per DR-010 S1Q5. Before any provider abstraction is allowed
+to flow data into an Evidence Bundle / OTel signal / gate-result envelope, the
+`cred-gate` gate proves — deterministically and offline — that:
+
+1. **Credential redaction** — no provider secret VALUE appears verbatim in the
+   candidate artifact (the JSON the runner is about to sign, the OTel line it is
+   about to emit, any log it captures). A leaked API key in a signed,
+   Rekor-anchored in-toto Statement is irreversible.
+2. **No env-var spillover** — the candidate artifact does not blindly serialize
+   the process environment. A provider key need not be named to leak: a wholesale
+   `env` dump spills every secret at once.
+
+## Usage
+
+```bash
+# Candidate on stdin (the artifact about to be emitted/signed):
+producer | audit-harness cred-gate
+
+# Candidate from a file:
+audit-harness cred-gate --input candidate.json
+
+# Declare secrets by env-var NAME (the VALUE is read from the environment and
+# never appears on the command line / in `ps`):
+audit-harness cred-gate --secret-env ANTHROPIC_API_KEY --secret-env OPENAI_API_KEY < cand.json
+
+# Emit a gate-result/v1 envelope, pipe-ready for emit-evidence:
+audit-harness cred-gate --json < candidate.json | audit-harness emit-evidence
+```
+
+## Exit codes
+
+| Code | Meaning |
+| ---- | ------- |
+| `0`  | **PASS** — no secret value present, no provider-key shape, no env-var spillover |
+| `1`  | **FAIL** — a secret value leaked OR a provider-key shape matched OR env-var spillover detected |
+| `2`  | usage / input error (no candidate, unreadable `--input`) |
+
+## What it detects
+
+### Detected provider-key shapes (value-agnostic catalog)
+
+These match the on-the-wire SHAPE of a known provider key, so a raw key is caught
+even when it was not declared via `--secret-env`. Patterns are intentionally
+specific to keep the false-positive rate low.
+
+| Name | Shape (regex fragment) |
+| ---- | ---------------------- |
+| `anthropic-key` | `sk-ant-…` |
+| `openai-key` | `sk-…` / `sk-proj-…` (excludes `sk-ant-`) |
+| `groq-key` | `gsk_…` |
+| `nvidia-key` | `nvapi-…` |
+| `aws-access-key-id` | `AKIA…` |
+| `google-api-key` | `AIza…` |
+| `github-token` | `ghp_` / `gho_` / `ghs_` / `ghr_` / `ghu_…` |
+| `slack-token` | `xoxb-` / `xoxa-` / `xoxp-` / `xoxr-` / `xoxs-…` |
+| `private-key-block` | `-----BEGIN … PRIVATE KEY-----` |
+
+### Env-var spillover heuristics
+
+| Name | What it catches |
+| ---- | --------------- |
+| `process-env-spread` | `...process.env` (JS object spread of the whole environment) |
+| `os-environ-dump` | `dict(os.environ)` / a bare `os.environ` serialized into JSON |
+| `env-block-key` | an `"env"` / `"environ"` / `"environment"` object key whose value is a `{…}` block |
+| `printenv-capture` | a `printenv` / `/usr/bin/env` invocation captured into the artifact |
+
+A spillover match is a hard **FAIL**: an environment dump inside a to-be-signed
+artifact is exactly the irreversible leak this gate exists to stop.
+
+## False-positive posture
+
+- **Declared secrets shorter than 8 chars are ignored** — a 1-char "secret"
+  would false-positive on virtually any artifact and is not a real credential.
+- **The word "environment" in prose is NOT a spillover** — only the structural
+  `"env"/"environment": { … }` block shape, the `...process.env` spread, the
+  `os.environ` dump, or a `printenv` capture flag. (See the `tests/cred-gate`
+  FP-guard assertion.)
+- The shape catalog is conservative by design; promotion from advisory to
+  blocking elsewhere in the harness follows `docs/gate-promotion.md`.
+
+## No re-leak guarantee
+
+When a declared secret leaks, the FAIL finding **never echoes the secret value
+back**. It reports only the value's length and a non-reversible SHA-256
+fingerprint prefix, so the finding is actionable without re-leaking. The
+`tests/cred-gate` suite asserts this explicitly.
+
+## Remediation when the gate FAILs
+
+| Finding kind | Fix |
+| ------------ | --- |
+| `secret-value-leak` | Remove the literal secret from the artifact. Pass an opaque reference (key NAME, a hash, or a vault path) instead of the value. |
+| `secret-shape-match` | A raw provider key is embedded. Strip it; if it is a real credential, treat it as compromised and rotate. |
+| `env-spillover` | Stop serializing the whole environment. Allowlist the specific non-secret fields you actually need (`os.getenv("X")` per key), never `dict(os.environ)` / `{...process.env}`. |
+
+## Safety + scope
+
+- **Offline + read-only**: never contacts a provider, never reads a real key
+  from disk, never writes.
+- **Secret values via env-var NAME only**: `--secret-env NAME` reads `$NAME`
+  through indirect expansion; the value never appears on `argv` (so it is not
+  visible to `ps`), and the candidate + secret blob are passed to the python
+  analyzer through the environment, not the command line.
+- **Kill-switch aware**: `cred-gate` is in `KILLABLE_GATES`, so
+  `AUDIT_HARNESS_DISABLE=1` no-ops it (exit 0, banner) like the other gates.
+- **Timeout aware**: `AUDIT_HARNESS_TIMEOUT=N` supervises it like every gate.
+
+## CI (iah-E08c)
+
+The `cred-gate` CI lane in `.github/workflows/ci.yml` runs
+`tests/cred-gate/run-cred-gate-tests.sh`, which proves the credential-redaction
+fixtures (E08a), the env-var spillover fixtures (E08b), the `--json` envelope
+round-trip, and — because the same suite also exercises `emit-evidence.sh` — the
+`gate.decision.emitted` OTel event (iah-E07b), which fires per the NORMATIVE
+runtime event taxonomy (intent-eval-lab `067-AT-SPEC` § 2.2) with the
+`gate.decision` enum `{pass, fail, advisory, error}` and the kernel-pinned
+attribute spelling. Both the redaction group AND the spillover group must pass
+for the lane to be green (iah-E08c "both must pass").
+
+The fixture suite covers the **full catalog**: every provider-key shape in
+`SHAPE_PATTERNS` (anthropic, openai, groq, nvidia, AWS, Google, GitHub, Slack,
+private-key block) has a FAILing fixture built from a **synthetic, non-real**
+value, and every `SPILLOVER_PATTERNS` heuristic (`process-env-spread`,
+`os-environ-dump`, `env-block-key`, `printenv-capture`) has its own fixture — so
+a regression in any single regex cannot ship silently green. Two PASS guards
+(a non-matching value, and benign "environment" prose) pin the false-positive
+posture. All fixtures are inline in the runner: synthetic secret values are
+injected into the local environment for the duration of one assertion and never
+touch `argv` (passed by env-var NAME via `--secret-env`).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentsolutions/audit-harness",
-  "version": "1.1.8",
+  "version": "1.2.1",
   "description": "Deterministic test-enforcement harness — escape-scan, hash-pinning, CRAP, architecture checks, bias detection, Gherkin lint. Companion to the audit-tests and implement-tests Claude Code skills.",
   "license": "Apache-2.0",
   "author": "Jeremy Longshore <jeremy@intentsolutions.io>",
@@ -46,7 +46,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.4",
-    "eslint": "^9.39.4",
+    "eslint": "^10.5.0",
     "lefthook": "^1.13.6"
   },
   "publishConfig": {

package/scripts/check-wrapper-sync.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# check-wrapper-sync.sh — assert the bundled wrapper-script mirrors are byte-identical
+# to their canonical source under scripts/.
+#
+# WHY THIS EXISTS
+# ---------------
+# The Node package (bin/audit-harness.js) dispatches to the CANONICAL scripts under
+# scripts/. The Python wrapper (intent-audit-harness on PyPI) and the Rust wrapper
+# (intent-audit-harness on crates.io) cannot reach those canonical files at install
+# time, so each BUNDLES a copy:
+#
+#   * python/src/intent_audit_harness/scripts/<name>   (packaged into the wheel)
+#   * rust/scripts/<name>                              (include_bytes!'d into the binary)
+#
+# Those copies are hand-maintained. On 2026-05-24 they were found ~1 month stale:
+# the bundled crap-score.py was missing v1.1.1's --json evidence envelope, the
+# `which_or_none("go")` PATH guard (silent crash on Go-less hosts), and the
+# rglob->os.walk directory pruning. A user running
+# `pip install intent-audit-harness && audit-harness crap` got the OLD gate.
+# (Tracking bead: iah-python-wrapper-scripts-sync / bd_000-projects-65k4.)
+#
+# This gate makes that class of drift IMPOSSIBLE to merge silently: every bundled
+# mirror MUST be a byte-for-byte copy of its canonical source. There is no
+# wrapper-only delta — both wrappers invoke the script verbatim via bash/python3.
+#
+# RESYNC (when this gate REDs)
+# ----------------------------
+#   bash scripts/check-wrapper-sync.sh --fix     # copy canonical -> both mirrors
+# then review + commit the result.
+#
+# Exit codes:
+#   0  all mirrors in sync (or --fix completed)
+#   1  drift detected (and not in --fix mode)
+set -euo pipefail
+
+# Resolve repo root from this script's own location so the gate works regardless
+# of the caller's CWD (CI runs it from the repo root; a dev may run it elsewhere).
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+CANONICAL_DIR="${REPO_ROOT}/scripts"
+
+# The set of scripts the Python + Rust wrappers DISPATCH. Keep this in lock-step
+# with:
+#   * python/src/intent_audit_harness/cli.py     (COMMANDS dict)
+#   * rust/src/main.rs                           (SCRIPTS array)
+# If a wrapper starts dispatching a new canonical script, add it here AND to both
+# wrapper sources, and copy it into both mirror dirs.
+MIRRORED_SCRIPTS=(
+  "harness-hash.sh"
+  "escape-scan.sh"
+  "arch-check.sh"
+  "bias-count.sh"
+  "gherkin-lint.sh"
+  "crap-score.py"
+)
+
+# Each mirror directory that bundles a copy of the canonical scripts.
+MIRROR_DIRS=(
+  "python/src/intent_audit_harness/scripts"
+  "rust/scripts"
+)
+
+FIX=0
+if [[ "${1:-}" == "--fix" ]]; then
+  FIX=1
+fi
+
+drift_found=0
+missing_canonical=0
+
+for name in "${MIRRORED_SCRIPTS[@]}"; do
+  canonical="${CANONICAL_DIR}/${name}"
+  if [[ ! -f "${canonical}" ]]; then
+    echo "ERROR: canonical source missing: scripts/${name}" >&2
+    missing_canonical=1
+    continue
+  fi
+  for mdir in "${MIRROR_DIRS[@]}"; do
+    mirror="${REPO_ROOT}/${mdir}/${name}"
+    if [[ ! -f "${mirror}" ]]; then
+      echo "DRIFT: missing mirror ${mdir}/${name} (expected a copy of scripts/${name})" >&2
+      drift_found=1
+      if [[ "${FIX}" -eq 1 ]]; then
+        cp -f "${canonical}" "${mirror}"
+        echo "  fixed: created ${mdir}/${name}"
+      fi
+      continue
+    fi
+    if ! diff -q "${canonical}" "${mirror}" >/dev/null 2>&1; then
+      echo "DRIFT: ${mdir}/${name} differs from canonical scripts/${name}" >&2
+      drift_found=1
+      if [[ "${FIX}" -eq 1 ]]; then
+        cp -f "${canonical}" "${mirror}"
+        echo "  fixed: resynced ${mdir}/${name}"
+      fi
+    fi
+  done
+done
+
+if [[ "${missing_canonical}" -eq 1 ]]; then
+  echo "FAIL: one or more canonical scripts are missing — cannot verify mirror sync." >&2
+  exit 1
+fi
+
+if [[ "${FIX}" -eq 1 ]]; then
+  echo "check-wrapper-sync: --fix complete. Review + commit the resynced mirrors."
+  exit 0
+fi
+
+if [[ "${drift_found}" -eq 1 ]]; then
+  echo "" >&2
+  echo "FAIL: bundled wrapper mirrors are out of sync with canonical scripts/." >&2
+  echo "      The Python (PyPI) and Rust (crates.io) packages would ship STALE gates." >&2
+  echo "      Resync with:  bash scripts/check-wrapper-sync.sh --fix" >&2
+  echo "      then review + commit the result." >&2
+  exit 1
+fi
+
+echo "check-wrapper-sync: OK — all ${#MIRRORED_SCRIPTS[@]} bundled mirrors match canonical in ${#MIRROR_DIRS[@]} wrapper dirs."
+exit 0

package/scripts/cred-gate.sh

@@ -0,0 +1,238 @@
+#!/usr/bin/env bash
+# cred-gate.sh — Provider credential PASS/FAIL gate (iah-E08).
+#
+# CISO non-negotiable per DR-010 S1Q5: before any provider abstraction is allowed
+# to flow data into an Evidence Bundle / OTel signal / gate-result envelope, two
+# things MUST hold and are gated here, deterministically and offline:
+#
+#   1. CREDENTIAL REDACTION — no provider secret VALUE appears verbatim in the
+#      candidate artifact (the JSON the runner is about to sign, the OTel line it
+#      is about to emit, any log it captures). A leaked API key in a signed,
+#      Rekor-anchored Statement is irreversible.
+#
+#   2. ENV-VAR SPILLOVER — the candidate artifact does not blindly serialize the
+#      process environment (e.g. an `env` dump, a `process.env` spread, or a
+#      "context": {<all env>} block). A provider key need not be named to leak:
+#      a wholesale env dump spills every secret at once.
+#
+# This gate is READ-ONLY and OFFLINE. It never contacts a provider, never reads
+# a real key from disk, and never writes. It inspects the candidate artifact you
+# hand it (stdin or --input) against the secret values present in the environment
+# (referenced by NAME via --secret-env, so the values never appear on the command
+# line) plus a built-in catalog of provider-key SHAPES.
+#
+# It emits a gate-result/v1 envelope on stdout (--json) suitable for piping to
+# emit-evidence, OR a human-readable PASS/FAIL summary (default).
+#
+# Usage:
+#   bash cred-gate.sh --input candidate.json
+#   <producer> | bash cred-gate.sh                      # candidate on stdin
+#   bash cred-gate.sh --secret-env ANTHROPIC_API_KEY --secret-env OPENAI_API_KEY < cand.json
+#   bash cred-gate.sh --json < candidate.json | bash emit-evidence.sh
+#
+# Flags:
+#   --input PATH       Read the candidate artifact from PATH instead of stdin.
+#   --secret-env NAME  Treat $NAME's VALUE as a secret that must NOT appear in the
+#                      candidate. Repeatable. The value is read from the
+#                      environment by name — it is never passed on argv.
+#   --json             Emit a gate-result/v1 envelope (JSON) instead of text.
+#   --gate-id ID       Override the gate_id in the envelope (default: provider-cred-gate).
+#   --help, -h         Print help.
+#
+# Exit codes:
+#   0 — PASS (no secret value present; no env-var spillover detected)
+#   1 — FAIL (a secret value leaked OR an env-var spillover pattern matched)
+#   2 — usage / input error (no candidate, unreadable --input)
+#
+# Failure-mode docs (iah-E08d): see docs/cred-gate.md for the catalog of detected
+# shapes, the spillover heuristics, the false-positive posture, and remediation.
+
+set -euo pipefail
+
+# Bash version floor: align with the rest of the harness (jcgw).
+[ "${BASH_VERSINFO:-0}" -ge 4 ] || { echo 'audit-harness requires bash >= 4' >&2; exit 2; }
+
+INPUT="-"
+EMIT_JSON=0
+GATE_ID="provider-cred-gate"
+SECRET_ENVS=()
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --input)       INPUT="$2"; shift 2 ;;
+    --secret-env)  SECRET_ENVS+=("$2"); shift 2 ;;
+    --json)        EMIT_JSON=1; shift ;;
+    --gate-id)     GATE_ID="$2"; shift 2 ;;
+    --help|-h)     sed -n '2,46p' "$0"; exit 0 ;;
+    *) echo "cred-gate: unknown flag $1" >&2; exit 2 ;;
+  esac
+done
+
+# --- Read the candidate artifact ---
+if [[ "$INPUT" == "-" ]]; then
+  CANDIDATE=$(cat)
+else
+  if [[ ! -r "$INPUT" ]]; then
+    echo "cred-gate: cannot read $INPUT" >&2
+    exit 2
+  fi
+  CANDIDATE=$(cat "$INPUT")
+fi
+
+if [[ -z "$CANDIDATE" ]]; then
+  echo "cred-gate: empty candidate artifact" >&2
+  exit 2
+fi
+
+# Resolve the gate input hash (sha256 of the candidate bytes) so the emitted
+# envelope's input_hash is coherent with what was actually inspected.
+INPUT_HASH="sha256:$(printf '%s' "$CANDIDATE" | sha256sum | cut -d' ' -f1)"
+# The policy is this script's own bytes — a content address of the gate logic.
+POLICY_HASH="sha256:$(sha256sum "$0" | cut -d' ' -f1)"
+
+# --- Collect the secret VALUES to redaction-check (by env-var name) ---
+# Built as a NUL-delimited blob so values with newlines/spaces stay intact and
+# never touch argv.
+SECRET_VALUES_BLOB=""
+for name in "${SECRET_ENVS[@]:-}"; do
+  [[ -z "$name" ]] && continue
+  # Indirect expansion: read $name's value without it ever appearing on argv.
+  val="${!name:-}"
+  # Skip empty / trivially short values: a 1-char "secret" would false-positive
+  # on virtually any artifact and is not a real credential.
+  [[ ${#val} -lt 8 ]] && continue
+  SECRET_VALUES_BLOB+="$val"$'\0'
+done
+
+# --- Deterministic analysis in python (offline; values via env, not argv) ---
+# We pass the candidate + the secret blob + the catalog knobs through the
+# environment so no secret value is ever visible in `ps`.
+RESULT=$(
+  CANDIDATE="$CANDIDATE" \
+  SECRET_VALUES_BLOB="$SECRET_VALUES_BLOB" \
+  GATE_ID="$GATE_ID" \
+  python3 - <<'PY'
+import json
+import os
+import re
+import sys
+
+candidate = os.environ["CANDIDATE"]
+
+findings = []  # list of {"kind": ..., "detail": ...}
+
+# --- 1. Credential redaction: explicit secret VALUES must not appear verbatim ---
+blob = os.environ.get("SECRET_VALUES_BLOB", "")
+secret_values = [v for v in blob.split("\0") if v]
+for val in secret_values:
+    if val in candidate:
+        # NEVER echo the secret. Report only its length + a non-reversible
+        # fingerprint so the finding is actionable without re-leaking.
+        import hashlib
+
+        fp = hashlib.sha256(val.encode("utf-8")).hexdigest()[:12]
+        findings.append(
+            {
+                "kind": "secret-value-leak",
+                "detail": (
+                    "a declared secret value (len=%d, sha256:%s...) appears "
+                    "verbatim in the candidate artifact" % (len(val), fp)
+                ),
+            }
+        )
+
+# --- 2. Credential redaction: provider-key SHAPES (value-agnostic catalog) ---
+# Each pattern matches the literal on-the-wire shape of a known provider key.
+# A match means a raw key is embedded even if it was not declared via
+# --secret-env. Patterns are intentionally specific to keep the FP rate low.
+SHAPE_PATTERNS = [
+    ("anthropic-key", r"sk-ant-[A-Za-z0-9_-]{20,}"),
+    # OpenAI keys start sk- but NOT sk-ant- (that's anthropic, matched above).
+    # The negative lookahead keeps the two findings disjoint.
+    ("openai-key", r"sk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}"),
+    ("groq-key", r"gsk_[A-Za-z0-9]{20,}"),
+    ("nvidia-key", r"nvapi-[A-Za-z0-9_-]{20,}"),
+    ("aws-access-key-id", r"AKIA[0-9A-Z]{16}"),
+    ("google-api-key", r"AIza[0-9A-Za-z_-]{35}"),
+    ("github-token", r"gh[posru]_[A-Za-z0-9]{36,}"),
+    ("slack-token", r"xox[baprs]-[A-Za-z0-9-]{10,}"),
+    ("private-key-block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
+]
+for name, pattern in SHAPE_PATTERNS:
+    if re.search(pattern, candidate):
+        findings.append(
+            {
+                "kind": "secret-shape-match",
+                "detail": "candidate contains a value matching the %s key shape"
+                % name,
+            }
+        )
+
+# --- 3. Env-var spillover: wholesale environment serialization ---
+# A provider key need not be NAMED to leak — a blanket env dump spills every
+# secret at once. We flag the structural patterns that serialize the whole
+# environment into the artifact.
+SPILLOVER_PATTERNS = [
+    ("process-env-spread", r"\.\.\.\s*process\.env\b"),
+    ("os-environ-dump", r"\bdict\(\s*os\.environ\s*\)|\bos\.environ\b\s*[,}\]]"),
+    ("env-block-key", r'"(?:env|environ|environment)"\s*:\s*\{'),
+    ("printenv-capture", r"\b(?:printenv|/usr/bin/env)\b"),
+]
+# These are heuristics: matching one is an ADVISORY-grade structural smell, but
+# combined with an actual secret leak it is a hard FAIL. We treat any spillover
+# match as a finding so the gate FAILs — an env dump in a to-be-signed artifact
+# is exactly the irreversible leak this gate exists to stop.
+for name, pattern in SPILLOVER_PATTERNS:
+    if re.search(pattern, candidate):
+        findings.append(
+            {
+                "kind": "env-spillover",
+                "detail": "candidate serializes the process environment via "
+                "the %s pattern" % name,
+            }
+        )
+
+result = "FAIL" if findings else "PASS"
+print(json.dumps({"result": result, "findings": findings}))
+PY
+)
+
+# --- Parse the python result ---
+GATE_RESULT=$(printf '%s' "$RESULT" | python3 -c "import json,sys; print(json.load(sys.stdin)['result'])")
+FINDINGS_JSON=$(printf '%s' "$RESULT" | python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)['findings']))")
+FINDING_COUNT=$(printf '%s' "$RESULT" | python3 -c "import json,sys; print(len(json.load(sys.stdin)['findings']))")
+
+# --- Emit ---
+if [[ "$EMIT_JSON" -eq 1 ]]; then
+  GATE_ID="$GATE_ID" GATE_RESULT="$GATE_RESULT" INPUT_HASH="$INPUT_HASH" \
+  POLICY_HASH="$POLICY_HASH" FINDINGS_JSON="$FINDINGS_JSON" \
+  python3 - <<'PY'
+import json
+import os
+
+env = {
+    "gate_id": os.environ["GATE_ID"],
+    "result": os.environ["GATE_RESULT"],
+    "input_hash": os.environ["INPUT_HASH"],
+    "policy_hash": os.environ["POLICY_HASH"],
+    "metadata": {"findings": json.loads(os.environ["FINDINGS_JSON"])},
+}
+if env["result"] == "FAIL":
+    env["failure_mode"] = "provider_credential_leak"
+print(json.dumps(env, separators=(",", ":")))
+PY
+else
+  if [[ "$GATE_RESULT" == "PASS" ]]; then
+    echo "cred-gate: PASS — no provider secret value present, no env-var spillover detected"
+  else
+    echo "cred-gate: FAIL — $FINDING_COUNT credential finding(s):" >&2
+    printf '%s' "$FINDINGS_JSON" | python3 -c "
+import json, sys
+for f in json.load(sys.stdin):
+    sys.stderr.write('  ⛔ [%s] %s\n' % (f['kind'], f['detail']))
+"
+    echo "cred-gate: see docs/cred-gate.md for remediation (iah-E08d)." >&2
+  fi
+fi
+
+[[ "$GATE_RESULT" == "PASS" ]] && exit 0 || exit 1

package/scripts/emit-evidence.sh

@@ -191,36 +191,138 @@ if [[ -z "$STATEMENT" ]]; then
   exit 1
 fi
 
-# --- OTel event (best-effort no-op if collector absent) ---
-# Fire agent.rollout.gate.evaluated per intent-eval-lab/000-docs/001-DR-RFC-...md.
-# We emit a single OTLP-shaped JSON line to stderr when AUDIT_HARNESS_OTEL=1
-# OR an OTEL_EXPORTER_OTLP_ENDPOINT is set. Real exporter wiring is consumer-side;
-# we emit a structured signal that any collector can scrape via stderr capture.
+# --- OTel events (best-effort no-op if collector absent) ---
+# The gate-decision event fires per the NORMATIVE runtime event taxonomy
+# intent-eval-lab/000-docs/067-AT-SPEC-runtime-event-taxonomy-2026-06-12.md § 2.2
+# (GOVERNANCE events, `gate.*`):
+#
+#   1. agent.rollout.gate.evaluated — observability signal fired at the
+#      start/observation of a gate evaluation. NON-NORMATIVE: 067-AT-SPEC closes
+#      the `gate.*` category and does NOT define a gate-evaluated event, so this
+#      carries the legacy raw gate identity + result for collectors that already
+#      scrape it. It is NOT a 067-pinned name and a future taxonomy extension may
+#      retire or rename it; nothing should pin to it. The normative signal is (2).
+#   2. gate.decision.emitted (iah-E07b) — fired at the END of the gate
+#      evaluation. This is the NORMATIVE name from 067-AT-SPEC § 2.2: "a
+#      RolloutGate decision row is emitted under gate-result/v1". Payload per
+#      § 2.2: gate.name (string), gate.decision (enum pass|fail|advisory|error),
+#      gate.policy_ref (string). This is the one a ship-gate dashboard alerts on.
+#
+# ATTRIBUTE-SPELLING AUTHORITY (do NOT redefine here): the canonical attribute
+# names are pinned by the kernel at
+# intent-eval-core/schemas/v1/otel-attributes.yaml — OTel-idiomatic dotted
+# lowercase (e.g. gate.decision). We spell every attribute to match that file.
+# 067-AT-SPEC § 2.2 is the EVENT-NAME authority for gate.decision.emitted and its
+# payload schema; the gate.decision enum {pass, fail, advisory, error} is the
+# closed gate-result/v1 verdict enum (Blueprint B § 7.4 / kernel gate-result
+# schema) — NOT the RolloutGateDecision ship/no_ship vocabulary.
+#
+# We emit OTLP-shaped JSON lines to stderr when AUDIT_HARNESS_OTEL=1 OR an
+# OTEL_EXPORTER_OTLP_ENDPOINT is set. Real exporter wiring is consumer-side; we
+# emit a structured signal any collector can scrape via stderr capture. The path
+# is fully best-effort: a collector being absent is the no-op default, and a
+# python failure (||) degrades to an empty line that is simply not printed —
+# the gate's own exit status is never affected by OTel emission (iah-E07c).
 if [[ "${AUDIT_HARNESS_OTEL:-0}" == "1" ]] || [[ -n "${OTEL_EXPORTER_OTLP_ENDPOINT:-}" ]]; then
   # Compose the JSON via python so every attribute value is JSON-escaped.
   # printf-interpolating gate_id/result/runner into a JSON format string
   # emitted structurally invalid JSON whenever a value carried a double quote
   # (e.g. AUDIT_HARNESS_SIDE='ci"injection' flowing into gate_id).
-  OTEL_LINE=$(GATE_JSON="$GATE_JSON" RUNNER="$RUNNER" COMMIT_SHA="$COMMIT_SHA" TIMESTAMP="$TIMESTAMP" \
+  OTEL_LINES=$(GATE_JSON="$GATE_JSON" RUNNER="$RUNNER" COMMIT_SHA="$COMMIT_SHA" TIMESTAMP="$TIMESTAMP" \
     python3 - <<'PY' 2>/dev/null || echo ""
 import json, os
 try:
     gate = json.loads(os.environ["GATE_JSON"])
 except (json.JSONDecodeError, ValueError):
     gate = {}
-print(json.dumps({
+
+runner = os.environ["RUNNER"]
+commit_sha = os.environ["COMMIT_SHA"]
+timestamp = os.environ["TIMESTAMP"]
+gate_id = str(gate.get("gate_id", ""))
+# The canonical gate-result/v1 verdict field is gate_decision (lowercase enum,
+# Blueprint B § 7.4); the legacy draft envelope used `result` (UPPERCASE). Read
+# the canonical field first, fall back to the legacy field.
+gate_decision_raw = str(gate.get("gate_decision", gate.get("result", "")))
+
+# gate.name / gate.policy_ref per 067-AT-SPEC § 2.2 payload schema. The canonical
+# envelope carries gate_name (kebab-case) + policy_ref; fall back to gate_id /
+# policy_hash for legacy draft envelopes that predate Blueprint B § 7.4.
+gate_name = str(gate.get("gate_name", gate_id))
+policy_ref = str(gate.get("policy_ref", gate.get("policy_hash", "")))
+
+# Map the inbound verdict to the closed gate.decision enum {pass, fail,
+# advisory, error} (gate-result/v1 / kernel gate-result schema). This is the
+# 067-AT-SPEC § 2.2 enum — NOT the RolloutGateDecision ship/no_ship vocabulary.
+# Canonical lowercase values pass straight through; legacy UPPERCASE results map
+# down; an unrecognized/missing verdict is `error` (the gate could not affirm a
+# decision — an error condition, not a clean `fail`).
+_DECISION_MAP = {
+    "pass": "pass",
+    "fail": "fail",
+    "advisory": "advisory",
+    "error": "error",
+}
+decision = _DECISION_MAP.get(gate_decision_raw.strip().lower(), "error")
+# An advisory_severity hint on a non-fail/non-error row signals an advisory row
+# even when the legacy `result` field only said PASS.
+if decision in ("pass",) and gate.get("advisory_severity"):
+    decision = "advisory"
+
+reasons = []
+if decision == "pass":
+    reasons.append(f"gate '{gate_id}' decision: pass")
+else:
+    reasons.append(
+        f"gate '{gate_id}' decision: {decision} "
+        f"(verdict={gate_decision_raw or 'NO_VERDICT'})"
+    )
+fm = gate.get("failure_mode")
+if fm:
+    reasons.append(f"failure_mode: {fm}")
+
+# Event 1: agent.rollout.gate.evaluated (NON-NORMATIVE observability signal;
+# unchanged shape — not a 067-AT-SPEC-pinned name, see header note).
+evaluated = {
     "name": "agent.rollout.gate.evaluated",
     "attributes": {
-        "gate.id": str(gate.get("gate_id", "")),
-        "gate.result": str(gate.get("result", "")),
-        "gate.runner": os.environ["RUNNER"],
-        "gate.commit_sha": os.environ["COMMIT_SHA"],
+        "gate.id": gate_id,
+        "gate.result": gate_decision_raw,
+        "gate.runner": runner,
+        "gate.commit_sha": commit_sha,
+    },
+    "timestamp": timestamp,
+}
+
+# Event 2: gate.decision.emitted (iah-E07b) — NORMATIVE per 067-AT-SPEC § 2.2.
+# Payload: gate.name (string) + gate.decision (enum pass|fail|advisory|error) +
+# gate.policy_ref (string). The reasons / runner / commit_sha are additive
+# diagnostic attributes carried for dashboards; they do not contradict the
+# § 2.2 required payload.
+decision_event = {
+    "name": "gate.decision.emitted",
+    "attributes": {
+        "gate.name": gate_name,
+        "gate.decision": decision,
+        "gate.policy_ref": policy_ref,
+        "gate.id": gate_id,
+        "gate.reasons": reasons,
+        "gate.runner": runner,
+        "gate.commit_sha": commit_sha,
     },
-    "timestamp": os.environ["TIMESTAMP"],
-}, separators=(",", ":")))
+    "timestamp": timestamp,
+}
+
+for ev in (evaluated, decision_event):
+    print(json.dumps(ev, separators=(",", ":")))
 PY
 )
-  [[ -n "$OTEL_LINE" ]] && printf '[OTEL] %s\n' "$OTEL_LINE" >&2
+  # Print each emitted OTLP line with the [OTEL] marker the collector scrapes.
+  if [[ -n "$OTEL_LINES" ]]; then
+    while IFS= read -r _otel_line; do
+      [[ -n "$_otel_line" ]] && printf '[OTEL] %s\n' "$_otel_line" >&2
+    done <<< "$OTEL_LINES"
+  fi
 fi
 
 # --- Sign + emit ---