@intentsolutions/jrig-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,4234 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// ../core/dist/index.js
+import { z } from "zod";
+import { z as z2 } from "zod";
+import { z as z3 } from "zod";
+import { z as z4 } from "zod";
+import { z as z5 } from "zod";
+import {
+  SkillFrontmatterSchema,
+  skillFrontmatterIssues,
+  SKILL_FRONTMATTER_BASE_REQUIRED,
+  SKILL_FRONTMATTER_OVERLAY_REQUIRED,
+  SKILL_FRONTMATTER_REQUIRED_FIELDS,
+  SKILL_NAME_PATTERN,
+  SKILL_NAME_MAX,
+  SKILL_COMPATIBILITY_MAX,
+  SKILL_DESCRIPTION_MAX
+} from "@intentsolutions/core/validators/v1/authoring";
+import {
+  SkillFrontmatterSchema as KernelSkillFrontmatterSchemaInternal,
+  attach,
+  universalFoldsIssues
+} from "@intentsolutions/core/validators/v1/authoring";
+import { upstreamBaseIssues } from "@intentsolutions/core/validators/v1/authoring/skill-frontmatter";
+import { parse as parseYaml } from "yaml";
+import matter from "gray-matter";
+import matter2 from "gray-matter";
+import { existsSync, readFileSync, statSync } from "fs";
+import { join, resolve } from "path";
+import { z as z6 } from "zod";
+import {
+  EvidenceStatementSchema,
+  EvidenceBundlePayloadSchema,
+  IN_TOTO_STATEMENT_V1_TYPE
+} from "@intentsolutions/core/validators/v1/evidence-statement";
+import {
+  GateResultV1Schema,
+  GateDecisionSchema,
+  AdvisorySeveritySchema,
+  ReplayFidelityLevelSchema,
+  SubjectSideSchema,
+  GATE_RESULT_V1_URI
+} from "@intentsolutions/core/validators/v1/gate-result-v1";
+import { InTotoSubjectSchema } from "@intentsolutions/core/validators/v1/evidence-bundle";
+import {
+  EvidenceStatementSchema as KernelEvidenceStatementSchemaInternal,
+  EvidenceBundlePayloadSchema as EvidenceBundlePayloadSchema2,
+  IN_TOTO_STATEMENT_V1_TYPE as IN_TOTO_STATEMENT_V1_TYPE2
+} from "@intentsolutions/core/validators/v1/evidence-statement";
+import {
+  GateResultV1Schema as GateResultV1Schema2,
+  GateDecisionSchema as GateDecisionSchema2,
+  AdvisorySeveritySchema as AdvisorySeveritySchema2,
+  GATE_RESULT_V1_URI as GATE_RESULT_V1_URI2
+} from "@intentsolutions/core/validators/v1/gate-result-v1";
+import { InTotoSubjectSchema as InTotoSubjectSchema2 } from "@intentsolutions/core/validators/v1/evidence-bundle";
+import { trace } from "@opentelemetry/api";
+import {
+  BasicTracerProvider,
+  InMemorySpanExporter,
+  SimpleSpanProcessor
+} from "@opentelemetry/sdk-trace-base";
+import { z as z7 } from "zod";
+import { z as z8 } from "zod";
+import { trace as trace2, SpanStatusCode } from "@opentelemetry/api";
+import { randomBytes } from "crypto";
+var CriterionMethod = z.enum(["deterministic", "judge"]);
+var CriterionSchema = z.object({
+  id: z.string().min(1).describe("Unique identifier within the spec"),
+  description: z.string().min(1).describe("Human-readable description of what is being checked"),
+  method: CriterionMethod,
+  blocker: z.boolean().default(false).describe("If true, failure blocks release"),
+  regression_critical: z.boolean().default(false).describe("If true, regression on this criterion blocks release"),
+  baseline_sensitive: z.boolean().default(false).describe("If true, compare against naked model performance"),
+  pack_sensitive: z.boolean().default(false).describe("If true, evaluate in context of sibling skills"),
+  judge_prompt: z.string().optional().describe("Prompt template for judge-based criteria"),
+  deterministic_check: z.string().optional().describe("Check identifier for deterministic criteria (e.g. 'file_exists', 'regex_match')"),
+  deterministic_check_params: z.record(z.string(), z.unknown()).optional().describe(
+    "Parameters forwarded to the deterministic check (e.g. { value: 'needle' } for 'contains', { pattern: '\\\\d+' } for 'regex_match')"
+  )
+});
+var TestCaseTier = z2.enum(["core", "edge", "regression", "adversarial"]);
+var TriggerExpectation = z2.enum(["should_trigger", "should_not_trigger"]);
+var TestCaseSchema = z2.object({
+  id: z2.string().min(1).describe("Unique identifier within the spec"),
+  description: z2.string().min(1).describe("What this test case checks"),
+  tier: TestCaseTier,
+  prompt: z2.string().min(1).describe("The user prompt to send"),
+  trigger_expectation: TriggerExpectation.optional().describe(
+    "Whether the skill should or should not trigger"
+  ),
+  expected_artifacts: z2.array(z2.string()).optional().describe("Expected output files or artifacts"),
+  expected_output_contains: z2.array(z2.string()).optional().describe("Strings that must appear in the output"),
+  context_hints: z2.record(z2.string(), z2.unknown()).optional().describe("Additional context for the test runner"),
+  criteria_ids: z2.array(z2.string()).optional().describe("Which criteria this test case evaluates (defaults to all)")
+});
+var ModelTarget = z3.string().min(1).describe(
+  "Model id: a Claude alias (haiku|sonnet|opus) or any concrete provider model id (e.g. deepseek-chat, kimi-k2-0711-preview, deepseek/deepseek-chat, claude-sonnet-4-5)."
+);
+var SiblingSkillSchema = z3.object({
+  name: z3.string().min(1).describe("Sibling skill name (kebab-case)"),
+  description: z3.string().min(1).describe("What the sibling does"),
+  trigger_patterns: z3.array(z3.string()).optional().describe("Prompts that should trigger the sibling instead")
+});
+var EvalSpecSchema = z3.object({
+  spec_version: z3.literal("1.0").describe("Schema version for forward compatibility"),
+  skill_name: z3.string().min(1).regex(/^[a-z][a-z0-9-]*[a-z0-9]$/, "Must be kebab-case").describe("Name of the skill being evaluated"),
+  description: z3.string().min(1).describe("What this eval spec covers"),
+  criteria: z3.array(CriterionSchema).min(1).describe("Binary criteria to evaluate"),
+  test_cases: z3.array(TestCaseSchema).min(1).describe("Test cases to run"),
+  models: z3.array(ModelTarget).default(["sonnet"]).describe("Models to test independently"),
+  siblings: z3.array(SiblingSkillSchema).optional().describe("Sibling skills for pack-sensitive evaluation"),
+  tags: z3.array(z3.string()).optional().describe("Categorization tags")
+});
+var EvalContractSchema = z4.object({
+  contract_version: z4.literal("1.0").describe("Schema version for forward compatibility"),
+  skill_name: z4.string().min(1).regex(/^[a-z][a-z0-9-]*[a-z0-9]$/, "Must be kebab-case").describe("Name of the skill this contract governs"),
+  purpose: z4.string().min(1).describe("What the skill is for \u2014 one clear sentence"),
+  trigger_boundary: z4.object({
+    should_trigger: z4.array(z4.string()).min(1).describe("Prompt patterns that should activate the skill"),
+    should_not_trigger: z4.array(z4.string()).min(1).describe("Prompt patterns that should NOT activate the skill")
+  }),
+  success_criteria: z4.array(z4.string()).min(1).describe("What counts as successful execution \u2014 observable outcomes"),
+  blockers: z4.array(z4.string()).min(1).describe("Sacred failures that block release regardless of average score"),
+  safety_boundaries: z4.array(z4.string()).optional().describe("What the skill must never do (prompt leakage, overreach, etc.)"),
+  baseline_expectation: z4.string().optional().describe("What the naked model does without this skill \u2014 for obsolete review"),
+  evidence_rules: z4.object({
+    require_artifacts: z4.boolean().default(false).describe("Whether the skill must produce artifacts"),
+    require_output_validation: z4.boolean().default(true).describe("Whether output must be validated against expectations")
+  }).optional()
+});
+var SkillModel = z5.enum(["inherit", "sonnet", "haiku", "opus"]);
+var SkillEffort = z5.enum(["low", "medium", "high", "max"]);
+var DESCRIPTION_ANTI_PATTERNS = [
+  /\b(I can|I will|I'm|I help)\b/i,
+  /\b(You can|You should|You will)\b/i
+];
+function thirdPersonDescriptionIssues(artifact) {
+  const description = artifact["description"];
+  if (typeof description !== "string") {
+    return [];
+  }
+  if (DESCRIPTION_ANTI_PATTERNS.some((p) => p.test(description))) {
+    return [
+      {
+        message: "Description must use third person \u2014 avoid 'I can', 'You should', etc.",
+        path: ["description"]
+      }
+    ];
+  }
+  return [];
+}
+function withEvalDomainChecks(schema) {
+  return schema.superRefine((artifact, ctx) => {
+    for (const issue of thirdPersonDescriptionIssues(artifact)) {
+      ctx.addIssue({ code: "custom", message: issue.message, path: [...issue.path] });
+    }
+  });
+}
+function kernelBaseCompositionIssues(artifact) {
+  return [...upstreamBaseIssues(artifact), ...universalFoldsIssues(artifact)];
+}
+var SkillFrontmatterSchema2 = withEvalDomainChecks(
+  attach(kernelBaseCompositionIssues)
+).pipe(z5.custom());
+var SkillFrontmatterEnterpriseSchema = withEvalDomainChecks(
+  KernelSkillFrontmatterSchemaInternal
+).pipe(z5.custom());
+function parseAndValidateYaml(yamlString, schema) {
+  let raw;
+  try {
+    raw = parseYaml(yamlString);
+  } catch (err) {
+    return {
+      success: false,
+      errors: [
+        {
+          path: "",
+          message: `Invalid YAML: ${err instanceof Error ? err.message : String(err)}`
+        }
+      ]
+    };
+  }
+  if (raw === null || raw === void 0) {
+    return {
+      success: false,
+      errors: [{ path: "", message: "YAML document is empty" }]
+    };
+  }
+  const result = schema.safeParse(raw);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.issues.map((issue) => ({
+    path: issue.path.join("."),
+    message: issue.message
+  }));
+  return { success: false, errors };
+}
+function parseSkillMd(content) {
+  let parsed;
+  try {
+    parsed = matter(content);
+  } catch (err) {
+    return {
+      success: false,
+      errors: [
+        {
+          path: "",
+          message: `Failed to parse SKILL.md frontmatter: ${err instanceof Error ? err.message : String(err)}`
+        }
+      ]
+    };
+  }
+  if (!parsed.data || Object.keys(parsed.data).length === 0) {
+    return {
+      success: false,
+      errors: [
+        {
+          path: "",
+          message: "SKILL.md has no frontmatter. Expected YAML frontmatter between --- delimiters."
+        }
+      ]
+    };
+  }
+  const result = SkillFrontmatterSchema2.safeParse(parsed.data);
+  if (!result.success) {
+    const errors = result.error.issues.map((issue) => ({
+      path: `frontmatter.${issue.path.join(".")}`,
+      message: issue.message
+    }));
+    return { success: false, errors };
+  }
+  return {
+    success: true,
+    data: {
+      frontmatter: result.data,
+      body: parsed.content.trim()
+    }
+  };
+}
+function parseSkillMdEnterprise(content) {
+  let parsed;
+  try {
+    parsed = matter(content);
+  } catch (err) {
+    return {
+      success: false,
+      errors: [
+        {
+          path: "",
+          message: `Failed to parse SKILL.md frontmatter: ${err instanceof Error ? err.message : String(err)}`
+        }
+      ]
+    };
+  }
+  if (!parsed.data || Object.keys(parsed.data).length === 0) {
+    return {
+      success: false,
+      errors: [
+        {
+          path: "",
+          message: "SKILL.md has no frontmatter. Expected YAML frontmatter between --- delimiters."
+        }
+      ]
+    };
+  }
+  const result = SkillFrontmatterEnterpriseSchema.safeParse(parsed.data);
+  if (!result.success) {
+    const errors = result.error.issues.map((issue) => ({
+      path: `frontmatter.${issue.path.join(".")}`,
+      message: issue.message
+    }));
+    return { success: false, errors };
+  }
+  return {
+    success: true,
+    data: {
+      frontmatter: result.data,
+      body: parsed.content.trim()
+    }
+  };
+}
+var COMMAND_HEADING_REGEXES = {
+  build: /\bbuild\b/i,
+  test: /\btest(s|ing)?\b/i,
+  lint: /\blint(ing|er)?\b/i,
+  setup: /\b(setup|install|bootstrap|getting started)\b/i,
+  style: /\b(code\s*style|conventions?)\b/i,
+  format: /\b(format|formatter|formatting|prettier)\b/i
+};
+var TOOL_HEADING_RE = /\btools?\b|\bcapabilit(y|ies)\b/i;
+var CAPABILITY_HEADING_RE = /\bcapabilit(y|ies)\b|\bbehaviors?\b|\babilit(y|ies)\b/i;
+var CONSTRAINT_HEADING_RE = /\bconstraints?\b|\bdon'?ts?\b|\bmust\s*not\b|\bguardrails?\b/i;
+function parseAgentsMd(content) {
+  matter2.clearCache?.();
+  let parsed;
+  try {
+    parsed = matter2(content);
+  } catch (err) {
+    const errors = [
+      {
+        path: "",
+        message: `Failed to parse AGENTS.md frontmatter: ${err instanceof Error ? err.message : String(err)}`
+      }
+    ];
+    return { success: false, errors };
+  }
+  const frontmatter = parsed.data ?? {};
+  const body = parsed.content;
+  const title = extractTitle(body);
+  const sections = extractSections(body);
+  const commands = {};
+  for (const kind of Object.keys(COMMAND_HEADING_REGEXES)) {
+    const cmds = extractCommandsForKind(sections, kind);
+    if (cmds.length > 0) commands[kind] = cmds;
+  }
+  const tools = extractBulletsForHeading(sections, TOOL_HEADING_RE);
+  const capabilities = extractBulletsForHeading(sections, CAPABILITY_HEADING_RE);
+  const constraints = extractBulletsForHeading(sections, CONSTRAINT_HEADING_RE);
+  return {
+    success: true,
+    data: { frontmatter, title, sections, commands, tools, capabilities, constraints, body }
+  };
+}
+function extractTitle(body) {
+  const m = body.match(/^#\s+(.+?)\s*$/m);
+  return m ? m[1].trim() : "";
+}
+function extractSections(body) {
+  const lines = body.split(/\r?\n/);
+  const sections = [];
+  let current = null;
+  let inFence = false;
+  let fenceMarker = "";
+  const flush = (endLineExclusive) => {
+    if (current === null) return;
+    const content = lines.slice(current.startLine + 1, endLineExclusive).join("\n").trim();
+    sections.push({ heading: current.heading, level: current.level, content });
+  };
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const fenceMatch = line.match(/^```+(\S*)\s*$/);
+    if (fenceMatch) {
+      const marker = fenceMatch[0].match(/^`+/)[0];
+      if (!inFence) {
+        inFence = true;
+        fenceMarker = marker;
+      } else if (marker.length >= fenceMarker.length) {
+        inFence = false;
+        fenceMarker = "";
+      }
+      continue;
+    }
+    if (inFence) continue;
+    const h2 = line.match(/^##\s+(.+?)\s*$/);
+    const h3 = line.match(/^###\s+(.+?)\s*$/);
+    if (h2) {
+      flush(i);
+      current = { heading: h2[1].trim(), level: 2, startLine: i };
+    } else if (h3) {
+      flush(i);
+      current = { heading: h3[1].trim(), level: 3, startLine: i };
+    }
+  }
+  flush(lines.length);
+  return sections;
+}
+function extractCommandsForKind(sections, kind) {
+  const re = COMMAND_HEADING_REGEXES[kind];
+  const matches = sections.filter((s) => re.test(s.heading));
+  const cmds = [];
+  for (const sec of matches) {
+    cmds.push(...extractShellCommandsFromBlock(sec.content));
+  }
+  return cmds;
+}
+var SHELL_INFO_STRINGS = /* @__PURE__ */ new Set(["", "bash", "sh", "shell", "zsh", "console"]);
+function extractShellCommandsFromBlock(md) {
+  const lines = md.split(/\r?\n/);
+  const cmds = [];
+  let inShellBlock = false;
+  let currentMarker = "";
+  for (const line of lines) {
+    const fenceMatch = line.match(/^```+(\S*)\s*$/);
+    if (fenceMatch) {
+      const marker = fenceMatch[0].match(/^`+/)[0];
+      if (!inShellBlock) {
+        const info = (fenceMatch[1] ?? "").toLowerCase();
+        if (SHELL_INFO_STRINGS.has(info)) {
+          inShellBlock = true;
+          currentMarker = marker;
+        }
+      } else if (marker.length >= currentMarker.length) {
+        inShellBlock = false;
+        currentMarker = "";
+      }
+      continue;
+    }
+    if (!inShellBlock) continue;
+    const stripped = line.replace(/^[\s]*[$>]\s+/, "").trim();
+    if (!stripped) continue;
+    if (stripped.startsWith("#")) continue;
+    cmds.push(stripped);
+  }
+  return cmds;
+}
+function extractBulletsForHeading(sections, headingRe) {
+  const matches = sections.filter((s) => headingRe.test(s.heading));
+  const out = [];
+  for (const sec of matches) {
+    for (const line of sec.content.split(/\r?\n/)) {
+      const m = line.match(/^[-*+]\s+(.+?)\s*$/);
+      if (m) out.push(m[1].trim());
+    }
+  }
+  return out;
+}
+function summarize(results) {
+  return {
+    total: results.length,
+    passed: results.filter((r) => r.severity === "pass").length,
+    warnings: results.filter((r) => r.severity === "warning").length,
+    errors: results.filter((r) => r.severity === "error").length
+  };
+}
+var FILE_REF_PATTERN = /\$\{CLAUDE_SKILL_DIR\}\/([\w./-]+)/g;
+var PATH_LIKE_PATTERN = /(?:^|\s)(\.\/[\w./-]+)/gm;
+var MIN_DESCRIPTION_LENGTH = 20;
+var MIN_DESCRIPTION_WORDS = 4;
+var MAX_BODY_LINES = 500;
+var MIN_BODY_LINES = 3;
+var XML_TAG_PATTERN = /[<>]/;
+var TIME_SENSITIVE_PATTERNS = [
+  /\b(20\d{2}[-/]\d{2}[-/]\d{2})\b/,
+  // dates like 2025-01-01
+  /\b(v\d+\.\d+\.\d+)\b/i,
+  // version numbers like v1.2.3 (outside code blocks)
+  /\b(as of|since|after|before) (January|February|March|April|May|June|July|August|September|October|November|December)\b/i
+];
+function checkPackage(packageDir) {
+  const results = [];
+  const absDir = resolve(packageDir);
+  const skillPath = join(absDir, "SKILL.md");
+  if (!existsSync(skillPath)) {
+    results.push({
+      id: "pkg:skill-md-exists",
+      description: "SKILL.md file exists in package",
+      severity: "error",
+      message: "SKILL.md not found",
+      details: `Expected at: ${skillPath}`
+    });
+    return buildReport(null, results);
+  }
+  results.push({
+    id: "pkg:skill-md-exists",
+    description: "SKILL.md file exists in package",
+    severity: "pass",
+    message: "SKILL.md found"
+  });
+  const content = readFileSync(skillPath, "utf-8");
+  const parseResult = parseSkillMd(content);
+  if (!parseResult.success) {
+    results.push({
+      id: "pkg:skill-md-parses",
+      description: "SKILL.md frontmatter parses successfully",
+      severity: "error",
+      message: "SKILL.md failed to parse",
+      details: parseResult.errors.map((e) => `${e.path}: ${e.message}`).join("; ")
+    });
+    return buildReport(null, results);
+  }
+  const { frontmatter, body } = parseResult.data;
+  results.push({
+    id: "pkg:skill-md-parses",
+    description: "SKILL.md frontmatter parses successfully",
+    severity: "pass",
+    message: "SKILL.md parsed successfully"
+  });
+  results.push(...checkRequiredFields(frontmatter));
+  results.push(...checkDescriptionQuality(frontmatter.description));
+  results.push(...checkBodySize(body));
+  results.push(...checkReferencedFiles(body, absDir));
+  results.push(...checkXmlTags(frontmatter));
+  results.push(...checkTimeSensitiveInfo(body));
+  return buildReport(frontmatter.name, results);
+}
+function checkRequiredFields(fm) {
+  const results = [];
+  if (!fm.name || fm.name.trim().length === 0) {
+    results.push({
+      id: "pkg:name-present",
+      description: "Skill name is present",
+      severity: "error",
+      message: "Skill name is missing or empty"
+    });
+  } else {
+    results.push({
+      id: "pkg:name-present",
+      description: "Skill name is present",
+      severity: "pass",
+      message: `Skill name: ${fm.name}`
+    });
+  }
+  if (!fm.description || fm.description.trim().length === 0) {
+    results.push({
+      id: "pkg:description-present",
+      description: "Skill description is present",
+      severity: "error",
+      message: "Skill description is missing or empty"
+    });
+  } else {
+    results.push({
+      id: "pkg:description-present",
+      description: "Skill description is present",
+      severity: "pass",
+      message: "Skill description present"
+    });
+  }
+  return results;
+}
+function checkDescriptionQuality(description) {
+  const results = [];
+  if (description.length < MIN_DESCRIPTION_LENGTH) {
+    results.push({
+      id: "heuristic:description-length",
+      description: "Description meets minimum length",
+      severity: "warning",
+      message: `Description is very short (${description.length} chars, min recommended: ${MIN_DESCRIPTION_LENGTH})`
+    });
+  } else {
+    results.push({
+      id: "heuristic:description-length",
+      description: "Description meets minimum length",
+      severity: "pass",
+      message: "Description length is adequate"
+    });
+  }
+  const wordCount = description.split(/\s+/).filter(Boolean).length;
+  if (wordCount < MIN_DESCRIPTION_WORDS) {
+    results.push({
+      id: "heuristic:description-words",
+      description: "Description has enough words",
+      severity: "warning",
+      message: `Description has only ${wordCount} words (min recommended: ${MIN_DESCRIPTION_WORDS})`
+    });
+  } else {
+    results.push({
+      id: "heuristic:description-words",
+      description: "Description has enough words",
+      severity: "pass",
+      message: "Description word count is adequate"
+    });
+  }
+  const vaguePatterns = [
+    /^(does|handles|manages|processes|works with)\b/i,
+    /^(a|an|the) (tool|helper|utility)\b/i,
+    /\b(stuff|things|etc\.?)\b/i
+  ];
+  const isVague = vaguePatterns.some((p) => p.test(description));
+  if (isVague) {
+    results.push({
+      id: "heuristic:description-specificity",
+      description: "Description is specific enough",
+      severity: "warning",
+      message: "Description appears vague or generic",
+      details: "Consider adding what the skill does, when it triggers, and what it produces"
+    });
+  } else {
+    results.push({
+      id: "heuristic:description-specificity",
+      description: "Description is specific enough",
+      severity: "pass",
+      message: "Description appears specific"
+    });
+  }
+  return results;
+}
+function checkBodySize(body) {
+  const results = [];
+  const lineCount = body.split("\n").length;
+  if (lineCount > MAX_BODY_LINES) {
+    results.push({
+      id: "heuristic:body-oversized",
+      description: "Body is not excessively large",
+      severity: "warning",
+      message: `Body is ${lineCount} lines (max recommended: ${MAX_BODY_LINES})`,
+      details: "Very large skill bodies may indicate scope creep or embedded data that should be externalized"
+    });
+  } else {
+    results.push({
+      id: "heuristic:body-oversized",
+      description: "Body is not excessively large",
+      severity: "pass",
+      message: `Body size is reasonable (${lineCount} lines)`
+    });
+  }
+  if (lineCount < MIN_BODY_LINES) {
+    results.push({
+      id: "heuristic:body-underspecified",
+      description: "Body has sufficient content",
+      severity: "warning",
+      message: `Body is very thin (${lineCount} lines, min recommended: ${MIN_BODY_LINES})`,
+      details: "Skills with minimal instructions may not provide enough guidance for the model"
+    });
+  } else {
+    results.push({
+      id: "heuristic:body-underspecified",
+      description: "Body has sufficient content",
+      severity: "pass",
+      message: "Body has sufficient content"
+    });
+  }
+  return results;
+}
+function checkReferencedFiles(body, packageDir) {
+  const results = [];
+  const refs = /* @__PURE__ */ new Set();
+  for (const match of body.matchAll(FILE_REF_PATTERN)) {
+    refs.add(match[1]);
+  }
+  for (const match of body.matchAll(PATH_LIKE_PATTERN)) {
+    refs.add(match[1]);
+  }
+  if (refs.size === 0) {
+    return results;
+  }
+  for (const ref of refs) {
+    const absPath = resolve(packageDir, ref);
+    if (existsSync(absPath)) {
+      try {
+        const stat = statSync(absPath);
+        results.push({
+          id: `ref:${ref}`,
+          description: `Referenced file exists: ${ref}`,
+          severity: "pass",
+          message: `Referenced ${stat.isDirectory() ? "directory" : "file"} exists: ${ref}`
+        });
+      } catch {
+        results.push({
+          id: `ref:${ref}`,
+          description: `Referenced file exists: ${ref}`,
+          severity: "pass",
+          message: `Referenced path exists: ${ref}`
+        });
+      }
+    } else {
+      results.push({
+        id: `ref:${ref}`,
+        description: `Referenced file exists: ${ref}`,
+        severity: "error",
+        message: `Referenced file not found: ${ref}`,
+        details: `Expected at: ${absPath}`
+      });
+    }
+  }
+  return results;
+}
+function checkXmlTags(fm) {
+  const results = [];
+  if (fm.name && XML_TAG_PATTERN.test(fm.name)) {
+    results.push({
+      id: "anthropic:name-no-xml",
+      description: "Name does not contain XML tags",
+      severity: "error",
+      message: "Name contains XML tags (< or >) \u2014 prohibited by Anthropic spec"
+    });
+  } else {
+    results.push({
+      id: "anthropic:name-no-xml",
+      description: "Name does not contain XML tags",
+      severity: "pass",
+      message: "Name is free of XML tags"
+    });
+  }
+  if (fm.description && XML_TAG_PATTERN.test(fm.description)) {
+    results.push({
+      id: "anthropic:description-no-xml",
+      description: "Description does not contain XML tags",
+      severity: "error",
+      message: "Description contains XML tags (< or >) \u2014 prohibited by Anthropic spec"
+    });
+  } else {
+    results.push({
+      id: "anthropic:description-no-xml",
+      description: "Description does not contain XML tags",
+      severity: "pass",
+      message: "Description is free of XML tags"
+    });
+  }
+  return results;
+}
+function checkTimeSensitiveInfo(body) {
+  const stripped = body.replace(/```[\s\S]*?```/g, "").replace(/`[^`]+`/g, "");
+  const hasTimeSensitive = TIME_SENSITIVE_PATTERNS.some((p) => p.test(stripped));
+  if (hasTimeSensitive) {
+    return [
+      {
+        id: "anthropic:no-time-sensitive",
+        description: "No time-sensitive information in body",
+        severity: "warning",
+        message: "Body may contain time-sensitive information (dates, versions) that could go stale",
+        details: 'Consider using an "old patterns" section or the compatibility field instead'
+      }
+    ];
+  }
+  return [
+    {
+      id: "anthropic:no-time-sensitive",
+      description: "No time-sensitive information in body",
+      severity: "pass",
+      message: "No time-sensitive information detected"
+    }
+  ];
+}
+function buildReport(skillName, results) {
+  return {
+    skill_name: skillName,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    results,
+    summary: summarize(results)
+  };
+}
+var registry = /* @__PURE__ */ new Map();
+function registerCheck(name, fn) {
+  registry.set(name, fn);
+}
+function runCheck(checkName, input, params) {
+  const fn = registry.get(checkName);
+  if (!fn) {
+    return {
+      id: `deterministic:${checkName}`,
+      description: `Deterministic check: ${checkName}`,
+      severity: "error",
+      message: `Unknown deterministic check: "${checkName}"`,
+      details: `Available checks: ${[...registry.keys()].join(", ")}`
+    };
+  }
+  let passed;
+  try {
+    passed = fn(input, params);
+  } catch (err) {
+    return {
+      id: `deterministic:${checkName}`,
+      description: `Deterministic check: ${checkName}`,
+      severity: "error",
+      message: `Check "${checkName}" errored: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  return {
+    id: `deterministic:${checkName}`,
+    description: `Deterministic check: ${checkName}`,
+    severity: passed ? "pass" : "error",
+    message: passed ? `Check "${checkName}" passed` : `Check "${checkName}" failed`
+  };
+}
+function requireParam(params, key, checkName) {
+  const value = params?.[key];
+  if (value === void 0 || value === null) {
+    throw new Error(`check "${checkName}" requires params.${key}; refusing to evaluate without it`);
+  }
+  return value;
+}
+registerCheck("contains", (input, params) => {
+  const needle = String(requireParam(params, "value", "contains"));
+  return input.includes(needle);
+});
+registerCheck("not_contains", (input, params) => {
+  const needle = String(requireParam(params, "value", "not_contains"));
+  return !input.includes(needle);
+});
+registerCheck("regex_match", (input, params) => {
+  const pattern = String(requireParam(params, "pattern", "regex_match"));
+  const flags = String(params?.["flags"] ?? "");
+  try {
+    return new RegExp(pattern, flags).test(input);
+  } catch {
+    return false;
+  }
+});
+registerCheck("min_length", (input, params) => {
+  const min = Number(requireParam(params, "min", "min_length"));
+  return input.length >= min;
+});
+registerCheck("max_length", (input, params) => {
+  const max = Number(requireParam(params, "max", "max_length"));
+  return input.length <= max;
+});
+registerCheck("not_empty", (input) => {
+  return input.trim().length > 0;
+});
+function buildRoster(targetFrontmatter, siblings) {
+  const target = {
+    name: targetFrontmatter.name,
+    description: targetFrontmatter.description,
+    isTarget: true
+  };
+  const siblingEntries = (siblings ?? []).map((s) => ({
+    name: s.name,
+    description: s.description,
+    isTarget: false
+  }));
+  return {
+    target,
+    siblings: siblingEntries,
+    all: [target, ...siblingEntries]
+  };
+}
+async function runTriggerTests(testCases, roster, provider) {
+  const results = [];
+  const triggerCases = testCases.filter((tc) => tc.trigger_expectation);
+  for (const tc of triggerCases) {
+    try {
+      const { selected, reasoning } = await provider.selectSkill(
+        tc.prompt,
+        roster.all.map((e) => ({ name: e.name, description: e.description }))
+      );
+      const outcome = classifyOutcome(selected, tc.trigger_expectation, roster.target.name);
+      results.push({
+        test_case_id: tc.id,
+        prompt: tc.prompt,
+        expected: tc.trigger_expectation,
+        outcome,
+        selected_skill: selected,
+        reasoning
+      });
+    } catch (err) {
+      results.push({
+        test_case_id: tc.id,
+        prompt: tc.prompt,
+        expected: tc.trigger_expectation,
+        outcome: "error",
+        selected_skill: null,
+        reasoning: err instanceof Error ? err.message : String(err)
+      });
+    }
+  }
+  return results;
+}
+function classifyOutcome(selectedSkill, expected, targetName) {
+  const targetSelected = selectedSkill === targetName;
+  const noneSelected = selectedSkill === null;
+  const siblingSelected = !noneSelected && !targetSelected;
+  if (expected === "should_trigger") {
+    if (targetSelected) return "correct_trigger";
+    if (siblingSelected) return "sibling_confusion";
+    return "false_negative";
+  }
+  if (noneSelected) return "correct_no_trigger";
+  if (targetSelected) return "false_positive";
+  return "correct_no_trigger";
+}
+function computeMetrics(results) {
+  let tp = 0, tn = 0, fp = 0, fn = 0, confusions = 0, errors = 0;
+  for (const r of results) {
+    switch (r.outcome) {
+      case "correct_trigger":
+        tp++;
+        break;
+      case "correct_no_trigger":
+        tn++;
+        break;
+      case "false_positive":
+        fp++;
+        break;
+      case "false_negative":
+        fn++;
+        break;
+      case "sibling_confusion":
+        confusions++;
+        break;
+      case "error":
+        errors++;
+        break;
+    }
+  }
+  const precision = tp + fp > 0 ? tp / (tp + fp) : 1;
+  const recall = tp + fn > 0 ? tp / (tp + fn) : 1;
+  const fpr = fp + tn > 0 ? fp / (fp + tn) : 0;
+  const fnr = fn + tp > 0 ? fn / (fn + tp) : 0;
+  return {
+    total_cases: results.length,
+    true_positives: tp,
+    true_negatives: tn,
+    false_positives: fp,
+    false_negatives: fn,
+    sibling_confusions: confusions,
+    errors,
+    precision,
+    recall,
+    false_positive_rate: fpr,
+    false_negative_rate: fnr
+  };
+}
+async function runFunctionalTests(testCases, skill, provider, options) {
+  const outcomes = [];
+  const functionalCases = testCases.filter(
+    (tc) => tc.tier !== "adversarial" || tc.expected_output_contains || tc.expected_artifacts
+  );
+  for (const tc of functionalCases) {
+    const context = {
+      skill_body: skill.body,
+      base_path: options?.base_path,
+      file_contents: options?.file_contents,
+      context_hints: tc.context_hints
+    };
+    try {
+      const result = await provider.execute(tc.prompt, context, {
+        timeout_ms: options?.timeout_ms,
+        model: options?.model
+      });
+      outcomes.push({
+        test_case_id: tc.id,
+        prompt: tc.prompt,
+        output: {
+          text: result.text,
+          artifacts: result.artifacts,
+          tool_calls: result.tool_calls,
+          error: result.error
+        },
+        meta: result.meta,
+        status: result.meta.timed_out ? "timed_out" : "completed"
+      });
+    } catch (err) {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      outcomes.push({
+        test_case_id: tc.id,
+        prompt: tc.prompt,
+        output: {
+          text: "",
+          artifacts: [],
+          tool_calls: 0,
+          error: err instanceof Error ? err.message : String(err)
+        },
+        meta: {
+          started_at: now,
+          completed_at: now,
+          duration_ms: 0,
+          timed_out: false
+        },
+        status: "failed"
+      });
+    }
+  }
+  return outcomes;
+}
+async function judgeCriteria(criteria, outcome, judgeProvider, options) {
+  const results = [];
+  for (const criterion of criteria) {
+    if (criterion.method === "deterministic") {
+      results.push(judgeDeterministic(criterion, outcome));
+    } else {
+      results.push(await judgeWithLLM(criterion, outcome, judgeProvider, options?.model));
+    }
+  }
+  return results;
+}
+function judgeDeterministic(criterion, outcome) {
+  if (!criterion.deterministic_check) {
+    return {
+      criterion_id: criterion.id,
+      verdict: "no",
+      confidence: 1,
+      reasoning: "Deterministic criterion has no check defined",
+      method: "deterministic"
+    };
+  }
+  const checkResult = runCheck(
+    criterion.deterministic_check,
+    outcome.output.text,
+    criterion.deterministic_check_params
+  );
+  return {
+    criterion_id: criterion.id,
+    verdict: checkResult.severity === "pass" ? "yes" : "no",
+    confidence: 1,
+    reasoning: checkResult.message,
+    method: "deterministic"
+  };
+}
+async function judgeWithLLM(criterion, outcome, provider, model) {
+  try {
+    const { verdict, confidence, reasoning } = await provider.judge(
+      criterion.description,
+      outcome.prompt,
+      outcome.output.text,
+      criterion.judge_prompt
+    );
+    return {
+      criterion_id: criterion.id,
+      verdict,
+      confidence,
+      reasoning,
+      method: "judge",
+      judge_model: model
+    };
+  } catch (err) {
+    return {
+      criterion_id: criterion.id,
+      verdict: "unsure",
+      confidence: 0,
+      reasoning: `Judge error: ${err instanceof Error ? err.message : String(err)}`,
+      method: "judge",
+      judge_model: model
+    };
+  }
+}
+function computeScoreCard(results, criteria, regressions = []) {
+  const criteriaMap = new Map(criteria.map((c) => [c.id, c]));
+  let passed = 0, failed = 0, unsure = 0, blockerFailures = 0;
+  for (const r of results) {
+    if (r.verdict === "yes") passed++;
+    else if (r.verdict === "no") {
+      failed++;
+      const criterion = criteriaMap.get(r.criterion_id);
+      if (criterion?.blocker) blockerFailures++;
+    } else {
+      unsure++;
+    }
+  }
+  const sacredRegressions = regressions.filter((r) => r.is_sacred).length;
+  return {
+    total_criteria: results.length,
+    passed,
+    failed,
+    unsure,
+    blocker_failures: blockerFailures,
+    sacred_regressions: sacredRegressions,
+    pass_rate: results.length > 0 ? passed / results.length : 0
+  };
+}
+function decideRollout(score, isObsolete = false) {
+  if (score.blocker_failures > 0) return "block";
+  if (score.sacred_regressions > 0) return "block";
+  if (isObsolete) return "obsolete_review";
+  if (score.failed > 0 || score.unsure > 0) return "warn";
+  return "ship";
+}
+function buildLaunchReport(skillName, score, regressions, baseline, isObsolete, opts = {}) {
+  const decision = decideRollout(score, isObsolete);
+  const blockers = [];
+  const warnings = [];
+  if (score.blocker_failures > 0) {
+    blockers.push(`${score.blocker_failures} blocker criteria failed`);
+  }
+  if (score.sacred_regressions > 0) {
+    blockers.push(`${score.sacred_regressions} sacred regressions detected`);
+  }
+  if (isObsolete) {
+    warnings.push("Skill may be obsolete \u2014 baseline matches skill on most criteria");
+  }
+  if (score.unsure > 0) {
+    warnings.push(`${score.unsure} criteria could not be judged (unsure)`);
+  }
+  if (score.failed > 0 && score.blocker_failures === 0) {
+    warnings.push(`${score.failed} non-blocker criteria failed`);
+  }
+  const reasoning = decision === "ship" ? `All ${score.total_criteria} criteria passed. Ready to ship.` : decision === "block" ? `Release blocked: ${blockers.join("; ")}` : decision === "obsolete_review" ? "Skill flagged for obsolete review \u2014 baseline model matches skill performance." : `${score.passed}/${score.total_criteria} criteria passed with warnings.`;
+  return {
+    skill_name: skillName,
+    // DR-103 D5 B5.1: injected clock for replayability; falls back to wall clock
+    // only for legacy callers that have not yet adopted injection.
+    timestamp: opts.now ?? (/* @__PURE__ */ new Date()).toISOString(),
+    decision,
+    score,
+    regressions,
+    baseline,
+    blockers,
+    warnings,
+    reasoning,
+    // DR-103 D4 B4.2: additive advisory field; present only when opted in.
+    ...opts.adoptionVerdict !== void 0 ? { adoptionVerdict: opts.adoptionVerdict } : {}
+  };
+}
+function clusterFailures(results, criteria) {
+  const criteriaMap = new Map(criteria.map((c) => [c.id, c]));
+  const failures = results.filter((r) => r.verdict === "no");
+  if (failures.length === 0) return [];
+  const groups = /* @__PURE__ */ new Map();
+  for (const f of failures) {
+    const criterion = criteriaMap.get(f.criterion_id);
+    const key = criterion?.method ?? "unknown";
+    const group = groups.get(key) ?? [];
+    group.push(f);
+    groups.set(key, group);
+  }
+  const clusters = [];
+  for (const [method, group] of groups) {
+    const hasBlocker = group.some((f) => {
+      const c = criteriaMap.get(f.criterion_id);
+      return c?.blocker ?? false;
+    });
+    clusters.push({
+      pattern: `${method} failures`,
+      criterion_ids: group.map((f) => f.criterion_id),
+      count: group.length,
+      severity: hasBlocker ? "critical" : group.length > 2 ? "high" : "medium"
+    });
+  }
+  return clusters.sort((a, b) => {
+    const severityOrder = { critical: 0, high: 1, medium: 2 };
+    const diff = severityOrder[a.severity] - severityOrder[b.severity];
+    return diff !== 0 ? diff : b.count - a.count;
+  });
+}
+function selectWeakest(results, criteria) {
+  const criteriaMap = new Map(criteria.map((c) => [c.id, c]));
+  const failures = results.filter((r) => r.verdict === "no");
+  if (failures.length === 0) return null;
+  const blockerFailure = failures.find((f) => criteriaMap.get(f.criterion_id)?.blocker);
+  if (blockerFailure) return blockerFailure.criterion_id;
+  const regressionFailure = failures.find(
+    (f) => criteriaMap.get(f.criterion_id)?.regression_critical
+  );
+  if (regressionFailure) return regressionFailure.criterion_id;
+  return failures[0].criterion_id;
+}
+function needsReevaluation(lastRunTimestamp, maxAgeDays = 30) {
+  const lastRun = new Date(lastRunTimestamp);
+  const now = /* @__PURE__ */ new Date();
+  const ageMs = now.getTime() - lastRun.getTime();
+  const ageDays = ageMs / (1e3 * 60 * 60 * 24);
+  return ageDays > maxAgeDays;
+}
+var PREDICATE_URI = GATE_RESULT_V1_URI2;
+var STATEMENT_TYPE = IN_TOTO_STATEMENT_V1_TYPE2;
+var GateResultEnum = GateDecisionSchema2;
+var AdvisorySeverityEnum = AdvisorySeveritySchema2;
+var PipelineSideEnum = z6.enum(["client", "server", "ci", "sandbox", "local"]);
+var EvidenceStatementSchema2 = KernelEvidenceStatementSchemaInternal.superRefine(
+  (stmt, ctx) => {
+    const subject0 = stmt.subject[0];
+    if (subject0 === void 0) return;
+    if (subject0.name !== stmt.predicate.gate_id) {
+      ctx.addIssue({
+        code: "custom",
+        path: ["subject", 0, "name"],
+        message: "j-rig secondary check I1: subject[0].name must equal predicate.gate_id"
+      });
+    }
+    const SHA256_PREFIX_LEN = "sha256:".length;
+    if (subject0.digest.sha256 !== stmt.predicate.input_hash.slice(SHA256_PREFIX_LEN)) {
+      ctx.addIssue({
+        code: "custom",
+        path: ["subject", 0, "digest", "sha256"],
+        message: "j-rig secondary check I2: subject[0].digest.sha256 must equal predicate.input_hash without sha256: prefix"
+      });
+    }
+  }
+);
+var LegacyBundleContainerSchema = z6.object({
+  bundle_format: z6.literal("json-array"),
+  rows: z6.array(EvidenceStatementSchema2)
+}).strict();
+function composeStatement(input) {
+  if (!input.inputHash.startsWith("sha256:")) {
+    throw new Error(
+      `composeStatement: inputHash must be sha256:-prefixed (got: ${input.inputHash})`
+    );
+  }
+  const digestHex = input.inputHash.slice("sha256:".length);
+  const evaluatedAt = input.evaluatedAt ?? (/* @__PURE__ */ new Date()).toISOString();
+  const predicate = {
+    gate_id: input.gateId,
+    gate_name: input.gateName,
+    gate_version: input.gateVersion,
+    gate_decision: input.gateDecision,
+    gate_reasons: input.gateReasons,
+    coverage: {
+      dimensions_evaluated: input.coverage.dimensionsEvaluated,
+      dimensions_skipped: input.coverage.dimensionsSkipped
+    },
+    policy_ref: input.policyRef,
+    policy_hash: input.policyHash,
+    input_hash: input.inputHash,
+    evaluated_at: evaluatedAt,
+    runner: input.runner,
+    commit_sha: input.commitSha
+  };
+  if (input.metadata !== void 0) predicate.metadata = input.metadata;
+  if (input.failureMode !== void 0) predicate.failure_mode = input.failureMode;
+  if (input.advisorySeverity !== void 0) predicate.advisory_severity = input.advisorySeverity;
+  const candidate = {
+    _type: STATEMENT_TYPE,
+    subject: [
+      {
+        name: input.gateId,
+        digest: { sha256: digestHex }
+      }
+    ],
+    predicateType: PREDICATE_URI,
+    predicate
+  };
+  const parsed = EvidenceStatementSchema2.safeParse(candidate);
+  if (!parsed.success) {
+    throw new Error(
+      `composeStatement: validation failed: ${parsed.error.issues.map((i) => `${i.path.join(".") || "<root>"}: ${i.message}`).join("; ")}`
+    );
+  }
+  return parsed.data;
+}
+function serializeStatement(stmt) {
+  const check = EvidenceStatementSchema2.safeParse(stmt);
+  if (!check.success) {
+    throw new Error(
+      `serializeStatement: validation failed: ${check.error.issues.map((i) => i.message).join("; ")}`
+    );
+  }
+  return JSON.stringify(stmt);
+}
+var ProviderError = class _ProviderError extends Error {
+  category;
+  providerName;
+  retryable;
+  originalError;
+  constructor(args) {
+    super(args.message);
+    this.name = "ProviderError";
+    this.category = args.category;
+    this.providerName = args.providerName;
+    this.retryable = args.retryable ?? defaultRetryableFor(args.category);
+    this.originalError = args.originalError;
+    Object.setPrototypeOf(this, _ProviderError.prototype);
+  }
+};
+function defaultRetryableFor(c) {
+  switch (c) {
+    case "rate_limit":
+    case "network_timeout":
+      return true;
+    case "authentication":
+    case "model_not_found":
+    case "content_policy_refusal":
+    case "schema_violation":
+    case "unknown":
+      return false;
+  }
+}
+var RESPONSE_ZOD = z7.object({
+  verdict: z7.enum(["yes", "no", "unsure"]),
+  reasoning: z7.string()
+}).strict();
+var SAMPLE_TOOL_ARGS_ZOD = z8.object({
+  title: z8.string(),
+  start_time: z8.string().datetime({ message: "start_time must be RFC 3339 date-time" }),
+  duration_minutes: z8.number().int().min(1).max(480)
+}).strict();
+var OtelEvents = {
+  // EXECUTION events (067 § 1.1, category `runtime.*`).
+  /** A worker leases an EvalRun and transitions it to `running`. */
+  RUNTIME_RUN_STARTED: "runtime.run.started",
+  /** The EvalRun reaches a terminal state. */
+  RUNTIME_RUN_FINISHED: "runtime.run.finished",
+  /** One matcher/criterion is scored within a SessionTrace. */
+  RUNTIME_CRITERION_EVALUATED: "runtime.criterion.evaluated",
+  // JUDGE events (067 § 1.2, category `judge.*`).
+  /** An LLM judge is dialed for a matching event. */
+  JUDGE_INVOKED: "judge.invoked",
+  /** A JudgeDecision is finalized for a matching event. */
+  JUDGE_VERDICT: "judge.verdict",
+  // GOVERNANCE events (067 § 2.2, category `gate.*`).
+  /**
+   * A RolloutGate decision row is emitted under `gate-result/v1`. The NORMATIVE
+   * end-of-evaluation event a ship-gate dashboard alerts on. Identical spelling
+   * to the audit-harness iah-E07 emitter.
+   */
+  GATE_DECISION_EMITTED: "gate.decision.emitted"
+};
+var OtelAttrs = {
+  // Shared correlation metadata — every event MUST carry eval.run_id (067 § 4.2;
+  // kernel YAML `shared_attributes`). An event without it is malformed, not
+  // "partial" (067 § 5).
+  EVAL_RUN_ID: "eval.run_id",
+  EVAL_SESSION_TRACE_ID: "eval.session_trace_id",
+  TRACE_ID: "trace.id",
+  // runtime.run.started payload (067 § 1.1).
+  RUNTIME_RUN_SPEC_CONTENT_HASH: "runtime.run.spec_content_hash",
+  RUNTIME_RUN_SKILL_SNAPSHOT_SHA: "runtime.run.skill_snapshot_sha",
+  // runtime.run.finished payload (067 § 1.1).
+  RUNTIME_RUN_TERMINAL_STATE: "runtime.run.terminal_state",
+  RUNTIME_RUN_DURATION_MS: "runtime.run.duration_ms",
+  // runtime.criterion.evaluated payload (067 § 1.1).
+  RUNTIME_CRITERION_MATCHER_CLASS: "runtime.criterion.matcher_class",
+  RUNTIME_CRITERION_OUTCOME: "runtime.criterion.outcome",
+  // judge.invoked payload (067 § 1.2).
+  JUDGE_ID: "judge.id",
+  JUDGE_MODEL_ID: "judge.model_id",
+  JUDGE_MODEL_VERSION: "judge.model_version",
+  // judge.verdict payload (067 § 1.2).
+  JUDGE_VERDICT: "judge.verdict",
+  JUDGE_VERDICT_SOURCE: "judge.verdict_source",
+  JUDGE_SEED: "judge.seed",
+  // gate.decision.emitted payload (067 § 2.2). Identical to iah-E07 spelling.
+  GATE_NAME: "gate.name",
+  GATE_DECISION: "gate.decision",
+  GATE_POLICY_REF: "gate.policy_ref"
+};
+var RuntimeTerminalState = {
+  JUDGED: "judged",
+  ARCHIVED_SUCCESS: "archived_success",
+  ARCHIVED_FAILED: "archived_failed"
+};
+var CriterionOutcome = {
+  PASS: "pass",
+  FAIL: "fail",
+  SKIP: "skip"
+};
+var JudgeVerdictSource = {
+  LLM_WITH_SEED: "llm_with_seed",
+  LLM_NO_SEED: "llm_no_seed",
+  DETERMINISTIC: "deterministic"
+};
+var GateDecision = {
+  PASS: "pass",
+  FAIL: "fail",
+  ADVISORY: "advisory",
+  ERROR: "error"
+};
+var TRACER_NAME = "@j-rig/core";
+var TRACER_VERSION = "2.1.0";
+function stderrEmissionActive() {
+  return process.env.J_RIG_OTEL === "1" || (process.env.OTEL_EXPORTER_OTLP_ENDPOINT?.length ?? 0) > 0;
+}
+function toAttributes(payload) {
+  const attrs = {};
+  for (const [k, v] of Object.entries(payload)) {
+    if (v === null || v === void 0) continue;
+    attrs[k] = v;
+  }
+  return attrs;
+}
+function emitOtelEvent(name, payload, span) {
+  try {
+    const runId = payload[OtelAttrs.EVAL_RUN_ID];
+    if (typeof runId !== "string" || runId.length === 0) {
+      if (stderrEmissionActive()) {
+        process.stderr.write(
+          `[OTEL-DROP] event '${name}' missing required eval.run_id; dropped (067 \xA7 4.2)
+`
+        );
+      }
+      return;
+    }
+    const attrs = toAttributes(payload);
+    const targetSpan = span ?? trace2.getActiveSpan();
+    if (targetSpan) {
+      targetSpan.addEvent(name, attrs);
+    } else {
+      const tracer = trace2.getTracer(TRACER_NAME, TRACER_VERSION);
+      const s = tracer.startSpan(name);
+      s.addEvent(name, attrs);
+      s.end();
+    }
+    if (stderrEmissionActive()) {
+      const line = JSON.stringify({ name, attributes: attrs });
+      process.stderr.write(`[OTEL] ${line}
+`);
+    }
+  } catch {
+  }
+}
+function correlationAttrs(c) {
+  return {
+    [OtelAttrs.EVAL_RUN_ID]: c.evalRunId,
+    [OtelAttrs.EVAL_SESSION_TRACE_ID]: c.sessionTraceId,
+    [OtelAttrs.TRACE_ID]: c.traceId
+  };
+}
+function emitRuntimeRunStarted(c, payload) {
+  emitOtelEvent(OtelEvents.RUNTIME_RUN_STARTED, {
+    ...correlationAttrs(c),
+    [OtelAttrs.RUNTIME_RUN_SPEC_CONTENT_HASH]: payload.specContentHash,
+    [OtelAttrs.RUNTIME_RUN_SKILL_SNAPSHOT_SHA]: payload.skillSnapshotSha
+  });
+}
+function emitRuntimeRunFinished(c, payload) {
+  emitOtelEvent(OtelEvents.RUNTIME_RUN_FINISHED, {
+    ...correlationAttrs(c),
+    [OtelAttrs.RUNTIME_RUN_TERMINAL_STATE]: payload.terminalState,
+    [OtelAttrs.RUNTIME_RUN_DURATION_MS]: payload.durationMs
+  });
+}
+function emitRuntimeCriterionEvaluated(c, payload) {
+  emitOtelEvent(OtelEvents.RUNTIME_CRITERION_EVALUATED, {
+    ...correlationAttrs(c),
+    [OtelAttrs.RUNTIME_CRITERION_MATCHER_CLASS]: payload.matcherClass,
+    [OtelAttrs.RUNTIME_CRITERION_OUTCOME]: payload.outcome
+  });
+}
+function emitJudgeInvoked(c, payload) {
+  emitOtelEvent(OtelEvents.JUDGE_INVOKED, {
+    ...correlationAttrs(c),
+    [OtelAttrs.JUDGE_ID]: payload.judgeId,
+    [OtelAttrs.JUDGE_MODEL_ID]: payload.modelId,
+    [OtelAttrs.JUDGE_MODEL_VERSION]: payload.modelVersion
+  });
+}
+function emitJudgeVerdict(c, payload) {
+  emitOtelEvent(OtelEvents.JUDGE_VERDICT, {
+    ...correlationAttrs(c),
+    [OtelAttrs.JUDGE_VERDICT]: payload.verdict,
+    [OtelAttrs.JUDGE_VERDICT_SOURCE]: payload.verdictSource,
+    [OtelAttrs.JUDGE_SEED]: payload.seed
+  });
+}
+function emitGateDecisionEmitted(c, payload) {
+  emitOtelEvent(OtelEvents.GATE_DECISION_EMITTED, {
+    ...correlationAttrs(c),
+    [OtelAttrs.GATE_NAME]: payload.gateName,
+    [OtelAttrs.GATE_DECISION]: payload.decision,
+    [OtelAttrs.GATE_POLICY_REF]: payload.policyRef
+  });
+}
+function uuidv7(nowMs = Date.now()) {
+  const bytes = randomBytes(16);
+  const ts = Math.max(0, Math.floor(nowMs));
+  bytes[0] = ts / 2 ** 40 & 255;
+  bytes[1] = ts / 2 ** 32 & 255;
+  bytes[2] = ts / 2 ** 24 & 255;
+  bytes[3] = ts / 2 ** 16 & 255;
+  bytes[4] = ts / 2 ** 8 & 255;
+  bytes[5] = ts & 255;
+  bytes[6] = bytes[6] & 15 | 112;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = bytes.toString("hex");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+}
+
+// src/lib/output.ts
+import chalk from "chalk";
+function icon(severity) {
+  switch (severity) {
+    case "pass":
+      return chalk.green("\u2713");
+    case "error":
+      return chalk.red("\u2717");
+    case "warning":
+      return chalk.yellow("!");
+    case "info":
+      return chalk.blue("\xB7");
+    default: {
+      const _exhaustive = severity;
+      return _exhaustive;
+    }
+  }
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+function formatDecision(decision) {
+  switch (decision) {
+    case "ship":
+      return chalk.green.bold("SHIP");
+    case "block":
+      return chalk.red.bold("BLOCK");
+    case "warn":
+      return chalk.yellow.bold("WARN");
+    case "obsolete_review":
+      return chalk.magenta.bold("OBSOLETE_REVIEW");
+    default: {
+      const _exhaustive = decision;
+      return _exhaustive;
+    }
+  }
+}
+function formatScore(passed, total) {
+  const pct = total > 0 ? (passed / total * 100).toFixed(0) : "0";
+  const color = passed === total ? chalk.green : passed / total >= 0.5 ? chalk.yellow : chalk.red;
+  return color(`${passed}/${total} (${pct}%)`);
+}
+function header(text2) {
+  return chalk.bold.underline(text2);
+}
+function printReport(report) {
+  const { summary } = report;
+  const name = report.skill_name ?? "unknown";
+  console.log(header(`Package Check: ${name}`));
+  console.log(
+    `  ${summary.passed} passed, ${summary.warnings} warnings, ${summary.errors} errors
+`
+  );
+  for (const r of report.results) {
+    if (r.severity === "pass") continue;
+    console.log(`  ${icon(r.severity)} ${chalk.dim(r.id)}: ${r.message}`);
+    if (r.details) console.log(`    ${chalk.dim(r.details)}`);
+  }
+  if (summary.errors === 0) {
+    console.log(chalk.green("\n  All checks passed."));
+  } else {
+    console.log(chalk.red(`
+  ${summary.errors} error(s) must be fixed.`));
+  }
+}
+
+// src/commands/check.ts
+function registerCheckCommand(program) {
+  program.command("check").description("Run package integrity checks on a skill directory").argument("<skill-dir>", "Path to skill directory containing SKILL.md").option("--json", "Output as JSON").action(async (skillDir, opts) => {
+    try {
+      const report = checkPackage(skillDir);
+      if (opts.json) {
+        console.log(JSON.stringify(report, null, 2));
+      } else {
+        printReport(report);
+      }
+      process.exit(report.summary.errors > 0 ? 1 : 0);
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/validate.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+import chalk2 from "chalk";
+function registerValidateCommand(program) {
+  program.command("validate").description("Validate an eval spec or eval contract YAML file").argument("<file>", "Path to YAML file").option("--contract", "Validate as eval contract instead of eval spec").option("--json", "Output as JSON").action(async (file, opts) => {
+    try {
+      const content = readFileSync2(resolve2(file), "utf-8");
+      const isContract = opts.contract === true || content.includes("contract_version:");
+      const label = isContract ? "eval contract" : "eval spec";
+      const result = isContract ? parseAndValidateYaml(content, EvalContractSchema) : parseAndValidateYaml(content, EvalSpecSchema);
+      if (opts.json) {
+        console.log(
+          JSON.stringify(
+            {
+              valid: result.success,
+              type: label,
+              errors: result.success ? [] : result.errors
+            },
+            null,
+            2
+          )
+        );
+        process.exit(result.success ? 0 : 1);
+        return;
+      }
+      if (result.success) {
+        const data = result.data;
+        const name = data.skill_name || "unknown";
+        console.log(chalk2.green(`\u2713 Valid ${label}: ${name}`));
+        if (!isContract) {
+          const spec = data;
+          const criteria = spec.criteria?.length ?? 0;
+          const cases = spec.test_cases?.length ?? 0;
+          const models = (spec.models ?? ["sonnet"]).join(", ");
+          console.log(`  ${criteria} criteria, ${cases} test cases, models: ${models}`);
+        }
+        process.exit(0);
+      } else {
+        console.error(chalk2.red(`\u2717 Invalid ${label}:`));
+        for (const e of result.errors) {
+          console.error(`  ${e.path}: ${e.message}`);
+        }
+        process.exit(1);
+      }
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/eval.ts
+import chalk3 from "chalk";
+import { resolve as resolve4 } from "path";
+import { createHash as createHash2 } from "crypto";
+
+// ../db/dist/index.js
+import Database from "better-sqlite3";
+import { drizzle } from "drizzle-orm/better-sqlite3";
+import { sqliteTable, text, integer, real } from "drizzle-orm/sqlite-core";
+import { eq, desc } from "drizzle-orm";
+import { createHash } from "crypto";
+import { eq as eq2 } from "drizzle-orm";
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var schema_exports = {};
+__export(schema_exports, {
+  artifacts: () => artifacts,
+  criterionResults: () => criterionResults,
+  runSummaries: () => runSummaries,
+  runs: () => runs,
+  skillHumanReviews: () => skillHumanReviews,
+  skillUsageEvents: () => skillUsageEvents,
+  skillVersions: () => skillVersions
+});
+var skillVersions = sqliteTable("skill_versions", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  skill_name: text("skill_name").notNull(),
+  version: text("version").notNull(),
+  skill_md_hash: text("skill_md_hash").notNull(),
+  created_at: text("created_at").notNull().default("(datetime('now'))")
+});
+var runs = sqliteTable("runs", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  skill_version_id: integer("skill_version_id").notNull(),
+  status: text("status").notNull().$type().default("pending"),
+  run_type: text("run_type").notNull().default("deterministic"),
+  model: text("model"),
+  started_at: text("started_at"),
+  completed_at: text("completed_at"),
+  duration_ms: integer("duration_ms"),
+  created_at: text("created_at").notNull().default("(datetime('now'))"),
+  error_message: text("error_message")
+});
+var criterionResults = sqliteTable("criterion_results", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  run_id: integer("run_id").notNull(),
+  criterion_id: text("criterion_id").notNull(),
+  passed: integer("passed", { mode: "boolean" }).notNull(),
+  severity: text("severity").notNull(),
+  message: text("message").notNull(),
+  details: text("details"),
+  method: text("method")
+});
+var runSummaries = sqliteTable("run_summaries", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  run_id: integer("run_id").notNull().unique(),
+  total: integer("total").notNull(),
+  passed: integer("passed").notNull(),
+  warnings: integer("warnings").notNull(),
+  errors: integer("errors").notNull(),
+  score: real("score")
+});
+var artifacts = sqliteTable("artifacts", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  run_id: integer("run_id").notNull(),
+  artifact_type: text("artifact_type").notNull(),
+  filename: text("filename").notNull(),
+  relative_path: text("relative_path").notNull(),
+  size_bytes: integer("size_bytes"),
+  created_at: text("created_at").notNull().default("(datetime('now'))")
+});
+var skillUsageEvents = sqliteTable("skill_usage_events", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  skill_id: text("skill_id").notNull(),
+  session_id: text("session_id").notNull(),
+  source: text("source").notNull().$type(),
+  cass_score: real("cass_score").notNull(),
+  cass_passed: integer("cass_passed", { mode: "boolean" }).notNull(),
+  tenant_id: text("tenant_id"),
+  recorded_at: text("recorded_at").notNull()
+});
+var skillHumanReviews = sqliteTable("skill_human_reviews", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  skill_id: text("skill_id").notNull(),
+  thumbs_up: integer("thumbs_up", { mode: "boolean" }).notNull(),
+  rationale: text("rationale"),
+  reviewer: text("reviewer").notNull(),
+  governance_class: text("governance_class").notNull().$type(),
+  tenant_id: text("tenant_id"),
+  recorded_at: text("recorded_at").notNull()
+});
+var CREATE_TABLES = `
+  CREATE TABLE IF NOT EXISTS skill_versions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    skill_name TEXT NOT NULL,
+    version TEXT NOT NULL,
+    skill_md_hash TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS runs (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    skill_version_id INTEGER NOT NULL,
+    status TEXT NOT NULL DEFAULT 'pending',
+    run_type TEXT NOT NULL DEFAULT 'deterministic',
+    model TEXT,
+    started_at TEXT,
+    completed_at TEXT,
+    duration_ms INTEGER,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    error_message TEXT,
+    FOREIGN KEY (skill_version_id) REFERENCES skill_versions(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS criterion_results (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    run_id INTEGER NOT NULL,
+    criterion_id TEXT NOT NULL,
+    passed INTEGER NOT NULL,
+    severity TEXT NOT NULL,
+    message TEXT NOT NULL,
+    details TEXT,
+    method TEXT,
+    FOREIGN KEY (run_id) REFERENCES runs(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS run_summaries (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    run_id INTEGER NOT NULL UNIQUE,
+    total INTEGER NOT NULL,
+    passed INTEGER NOT NULL,
+    warnings INTEGER NOT NULL,
+    errors INTEGER NOT NULL,
+    score REAL,
+    FOREIGN KEY (run_id) REFERENCES runs(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS artifacts (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    run_id INTEGER NOT NULL,
+    artifact_type TEXT NOT NULL,
+    filename TEXT NOT NULL,
+    relative_path TEXT NOT NULL,
+    size_bytes INTEGER,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    FOREIGN KEY (run_id) REFERENCES runs(id)
+  );
+
+  -- Skill usage events \u2014 intake fact table for the j-rig ingest-skill verb
+  -- (ISEDC DR-103 D1/D2/D5). The tenant_id column lands in this FIRST CREATE
+  -- TABLE per DR-103 D2 B2.1 (database.ts is CREATE-IF-NOT-EXISTS only \u2014 no ALTER
+  -- path \u2014 so a future column add cannot retrofit cleanly; the multi-tenancy slot
+  -- is reserved now). NULL tenant_id = the single-tenant/global bucket, never
+  -- pooled cross-tenant (D2 B2.2). cass_passed = 0 rows are persisted-but-excluded.
+  CREATE TABLE IF NOT EXISTS skill_usage_events (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    skill_id TEXT NOT NULL,
+    session_id TEXT NOT NULL,
+    source TEXT NOT NULL,
+    cass_score REAL NOT NULL,
+    cass_passed INTEGER NOT NULL,
+    tenant_id TEXT,
+    recorded_at TEXT NOT NULL
+  );
+
+  -- Skill human reviews \u2014 intake fact table for the j-rig review verb.
+  -- governance_class is always 'curated-signal' (NOT a signed human-review/v1
+  -- predicate; DR-103 D3 B3.2 / doc 072 R6). tenant_id reserved here per D2 B2.1.
+  CREATE TABLE IF NOT EXISTS skill_human_reviews (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    skill_id TEXT NOT NULL,
+    thumbs_up INTEGER NOT NULL,
+    rationale TEXT,
+    reviewer TEXT NOT NULL,
+    governance_class TEXT NOT NULL,
+    tenant_id TEXT,
+    recorded_at TEXT NOT NULL
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_runs_skill_version ON runs(skill_version_id);
+  CREATE INDEX IF NOT EXISTS idx_runs_status ON runs(status);
+  CREATE INDEX IF NOT EXISTS idx_criterion_results_run ON criterion_results(run_id);
+  CREATE INDEX IF NOT EXISTS idx_artifacts_run ON artifacts(run_id);
+  CREATE INDEX IF NOT EXISTS idx_skill_usage_skill ON skill_usage_events(skill_id);
+  CREATE INDEX IF NOT EXISTS idx_skill_usage_skill_passed ON skill_usage_events(skill_id, cass_passed);
+  CREATE INDEX IF NOT EXISTS idx_skill_reviews_skill ON skill_human_reviews(skill_id);
+`;
+function createDatabase(dbPath) {
+  const sqlite = new Database(dbPath);
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
+  sqlite.exec(CREATE_TABLES);
+  const db = drizzle(sqlite, { schema: schema_exports });
+  return {
+    db,
+    sqlite,
+    close: () => sqlite.close()
+  };
+}
+var TRANSITIONS = {
+  pending: ["running", "canceled"],
+  running: ["completed", "failed", "timed_out", "canceled"],
+  completed: [],
+  failed: [],
+  timed_out: [],
+  canceled: []
+};
+function isValidTransition(from, to) {
+  return TRANSITIONS[from]?.includes(to) ?? false;
+}
+function getOrCreateSkillVersion({ db }, skillName, version, skillMdContent) {
+  const hash = createHash("sha256").update(skillMdContent).digest("hex").slice(0, 16);
+  const existing = db.select().from(skillVersions).where(eq(skillVersions.skill_md_hash, hash)).get();
+  if (existing) return existing.id;
+  const result = db.insert(skillVersions).values({ skill_name: skillName, version, skill_md_hash: hash }).returning({ id: skillVersions.id }).get();
+  return result.id;
+}
+function createRun({ db }, skillVersionId, runType = "deterministic", model) {
+  const result = db.insert(runs).values({
+    skill_version_id: skillVersionId,
+    run_type: runType,
+    model: model ?? null,
+    status: "pending"
+  }).returning({ id: runs.id }).get();
+  return result.id;
+}
+function transitionRun({ db }, runId, newStatus) {
+  const run = db.select().from(runs).where(eq(runs.id, runId)).get();
+  if (!run) throw new Error(`Run ${runId} not found`);
+  const currentStatus = run.status;
+  if (!isValidTransition(currentStatus, newStatus)) {
+    throw new Error(`Invalid transition: ${currentStatus} \u2192 ${newStatus}`);
+  }
+  const updates = { status: newStatus };
+  if (newStatus === "running") {
+    updates["started_at"] = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  if (["completed", "failed", "timed_out", "canceled"].includes(newStatus)) {
+    updates["completed_at"] = (/* @__PURE__ */ new Date()).toISOString();
+    if (run.started_at) {
+      updates["duration_ms"] = (/* @__PURE__ */ new Date()).getTime() - new Date(run.started_at).getTime();
+    }
+  }
+  db.update(runs).set(updates).where(eq(runs.id, runId)).run();
+}
+function storeCriterionResults({ db }, runId, results) {
+  for (const r of results) {
+    db.insert(criterionResults).values({
+      run_id: runId,
+      criterion_id: r.criterion_id,
+      passed: r.passed,
+      severity: r.severity,
+      message: r.message,
+      details: r.details ?? null,
+      method: r.method ?? null
+    }).run();
+  }
+}
+function storeRunSummary({ db }, runId, summary) {
+  const score = summary.total > 0 ? summary.passed / summary.total : 0;
+  db.insert(runSummaries).values({ run_id: runId, ...summary, score }).run();
+}
+function getRun({ db }, runId) {
+  const run = db.select().from(runs).where(eq(runs.id, runId)).get();
+  if (!run) return null;
+  const summary = db.select().from(runSummaries).where(eq(runSummaries.run_id, runId)).get();
+  return { ...run, summary: summary ?? null };
+}
+function getRecentRuns(database, options = {}) {
+  const { db } = database;
+  const limit = options.limit ?? 10;
+  if (options.skillName) {
+    return db.select().from(runs).innerJoin(skillVersions, eq(runs.skill_version_id, skillVersions.id)).where(eq(skillVersions.skill_name, options.skillName)).orderBy(desc(runs.id)).limit(limit).all();
+  }
+  return db.select().from(runs).innerJoin(skillVersions, eq(runs.skill_version_id, skillVersions.id)).orderBy(desc(runs.id)).limit(limit).all();
+}
+function getRunResults({ db }, runId) {
+  return db.select().from(criterionResults).where(eq(criterionResults.run_id, runId)).all();
+}
+function getRunArtifacts({ db }, runId) {
+  return db.select().from(artifacts).where(eq(artifacts.run_id, runId)).all();
+}
+var CASS_PASS_THRESHOLD = 0.3;
+var CASS_WEIGHTS = {
+  testsPassed: 0.25,
+  clearResolution: 0.25,
+  codeChanges: 0.15,
+  userConfirmed: 0.15,
+  backtracking: -0.1,
+  abandoned: -0.2
+};
+function scoreCass(inputs) {
+  let score = 0;
+  if (inputs.testsPassed) score += CASS_WEIGHTS.testsPassed;
+  if (inputs.clearResolution) score += CASS_WEIGHTS.clearResolution;
+  if (inputs.codeChanges) score += CASS_WEIGHTS.codeChanges;
+  if (inputs.userConfirmed) score += CASS_WEIGHTS.userConfirmed;
+  if (inputs.backtracking) score += CASS_WEIGHTS.backtracking;
+  if (inputs.abandoned) score += CASS_WEIGHTS.abandoned;
+  return { score, passed: score >= CASS_PASS_THRESHOLD };
+}
+function recordSkillUsage({ db }, input) {
+  const cass = scoreCass(input.cass);
+  const row = db.insert(skillUsageEvents).values({
+    skill_id: input.skillId,
+    session_id: input.sessionId,
+    source: input.source,
+    cass_score: cass.score,
+    cass_passed: cass.passed,
+    tenant_id: input.tenantId ?? null,
+    recorded_at: input.recordedAt
+  }).returning().get();
+  return toUsageRecord(row);
+}
+function recordSkillReview({ db }, input) {
+  const row = db.insert(skillHumanReviews).values({
+    skill_id: input.skillId,
+    thumbs_up: input.thumbsUp,
+    rationale: input.rationale ?? null,
+    reviewer: input.reviewer,
+    governance_class: "curated-signal",
+    tenant_id: input.tenantId ?? null,
+    recorded_at: input.recordedAt
+  }).returning().get();
+  return toReviewRecord(row);
+}
+function toUsageRecord(row) {
+  return {
+    id: row.id,
+    skillId: row.skill_id,
+    sessionId: row.session_id,
+    source: row.source,
+    cassScore: row.cass_score,
+    cassPassed: row.cass_passed,
+    tenantId: row.tenant_id ?? null,
+    recordedAt: row.recorded_at
+  };
+}
+function toReviewRecord(row) {
+  return {
+    id: row.id,
+    skillId: row.skill_id,
+    thumbsUp: row.thumbs_up,
+    rationale: row.rationale ?? null,
+    reviewer: row.reviewer,
+    governanceClass: "curated-signal",
+    tenantId: row.tenant_id ?? null,
+    recordedAt: row.recorded_at
+  };
+}
+
+// src/lib/db.ts
+var DEFAULT_DB_PATH = "j-rig.db";
+function openDb(path) {
+  return createDatabase(path ?? DEFAULT_DB_PATH);
+}
+
+// src/lib/loaders.ts
+import { readFileSync as readFileSync3, existsSync as existsSync2 } from "fs";
+import { join as join2, resolve as resolve3 } from "path";
+function loadEvalSpec(specPath, skillDir) {
+  let filePath;
+  if (specPath) {
+    filePath = resolve3(specPath);
+  } else if (skillDir) {
+    const candidates = ["eval-spec.yaml", "eval-spec.yml"];
+    const found = candidates.map((c) => join2(resolve3(skillDir), c)).find(existsSync2);
+    if (!found) {
+      throw new Error(
+        `No eval spec found. Tried: ${candidates.join(", ")} in ${skillDir}. Use --spec to provide a path.`
+      );
+    }
+    filePath = found;
+  } else {
+    throw new Error("Either specPath or skillDir must be provided");
+  }
+  const content = readFileSync3(filePath, "utf-8");
+  const result = parseAndValidateYaml(content, EvalSpecSchema);
+  if (!result.success) {
+    const msgs = result.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`Invalid eval spec:
+${msgs}`);
+  }
+  return result.data;
+}
+function loadSkillMd(skillDir, enterprise = false) {
+  const absDir = resolve3(skillDir);
+  const skillPath = join2(absDir, "SKILL.md");
+  if (!existsSync2(skillPath)) {
+    throw new Error(`SKILL.md not found at: ${skillPath}`);
+  }
+  const raw = readFileSync3(skillPath, "utf-8");
+  const parser = enterprise ? parseSkillMdEnterprise : parseSkillMd;
+  const result = parser(raw);
+  if (!result.success) {
+    const msgs = result.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`SKILL.md parse error:
+${msgs}`);
+  }
+  return { parsed: result.data, raw };
+}
+
+// src/providers/anthropic.ts
+var stubBannerEmitted = false;
+function emitStubBanner() {
+  if (stubBannerEmitted) return;
+  stubBannerEmitted = true;
+  process.stderr.write(
+    [
+      "",
+      "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557",
+      "\u2551  WARNING \u2014 j-rig STUB PROVIDER MODE                                        \u2551",
+      "\u2551                                                                            \u2551",
+      "\u2551  This run is using STUB providers. Output is NOT ground truth.             \u2551",
+      "\u2551  Stub Trigger:    always selects the first available skill                 \u2551",
+      "\u2551  Stub Execution:  returns a synthetic response with zero latency           \u2551",
+      "\u2551  Stub Judgment:   always returns 'yes' with confidence 0.7                 \u2551",
+      "\u2551                                                                            \u2551",
+      "\u2551  These outputs are placeholder values for pipeline plumbing only.          \u2551",
+      "\u2551  Do NOT treat any metric, decision, or rollout verdict from this run as    \u2551",
+      "\u2551  evidence of skill quality. CI gates that consume j-rig output MUST        \u2551",
+      "\u2551  refuse rows produced under stub mode.                                     \u2551",
+      "\u2551                                                                            \u2551",
+      "\u2551  To run against a real provider: implement the Anthropic SDK adapter       \u2551",
+      "\u2551  (see STUB-PROVIDERS.md). To acknowledge stub mode: set the env var        \u2551",
+      "\u2551  J_RIG_ALLOW_STUB=1 before invocation.                                     \u2551",
+      "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D",
+      ""
+    ].join("\n")
+  );
+}
+function assertStubAllowed() {
+  if (process.env.J_RIG_ALLOW_STUB === "1") return;
+  throw new Error(
+    [
+      "REFUSED: j-rig cannot run without a real provider implementation.",
+      "",
+      "The Anthropic SDK adapter is not yet wired (iaj-stub-provider, PB-7). To opt",
+      "into stub mode for pipeline-plumbing development, set:",
+      "",
+      "    J_RIG_ALLOW_STUB=1",
+      "",
+      "BEFORE running the CLI. Stub-mode results are NOT ground truth \u2014 see",
+      "STUB-PROVIDERS.md for the full discipline."
+    ].join("\n")
+  );
+}
+var StubTriggerProvider = class {
+  constructor(model) {
+    this.model = model;
+    assertStubAllowed();
+    emitStubBanner();
+  }
+  async selectSkill(prompt, availableSkills) {
+    const first = availableSkills[0]?.name ?? null;
+    return {
+      selected: first,
+      reasoning: `[stub] Would call ${this.model} to select from [${availableSkills.map((s) => s.name).join(", ")}] for: "${prompt.slice(0, 50)}..."`
+    };
+  }
+};
+var StubExecutionProvider = class {
+  constructor(model) {
+    this.model = model;
+    assertStubAllowed();
+    emitStubBanner();
+  }
+  async execute(prompt, context, options) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const effectiveModel = options?.model ?? this.model;
+    return {
+      text: `[stub] Would call ${effectiveModel} with skill body (${context.skill_body.length} chars) and prompt: "${prompt.slice(0, 50)}..."`,
+      artifacts: [],
+      tool_calls: 0,
+      meta: {
+        started_at: now,
+        completed_at: now,
+        duration_ms: 0,
+        timed_out: false
+      }
+    };
+  }
+};
+var StubJudgeProvider = class {
+  constructor(model) {
+    this.model = model;
+    assertStubAllowed();
+    emitStubBanner();
+  }
+  async judge(criterion_description, prompt, output, judge_prompt) {
+    void prompt;
+    void output;
+    void judge_prompt;
+    return {
+      verdict: "yes",
+      confidence: 0.7,
+      reasoning: `[stub] Would call ${this.model} to judge: "${criterion_description.slice(0, 60)}...". Defaulting to yes.`
+    };
+  }
+};
+
+// src/providers/transport.ts
+function createFetchTransport() {
+  return async (req) => {
+    const res = await fetch(req.url, {
+      method: req.method,
+      headers: req.headers,
+      body: JSON.stringify(req.body),
+      signal: req.signal
+    });
+    let json = null;
+    try {
+      json = await res.json();
+    } catch {
+      json = null;
+    }
+    return { status: res.status, json };
+  };
+}
+
+// src/providers/anthropic-real.ts
+var ADAPTER_NAME = "anthropic";
+var ADAPTER_VERSION = "1.0.0";
+var DEFAULT_BASE_URL = "https://api.anthropic.com/v1/messages";
+var ANTHROPIC_VERSION = "2023-06-01";
+var DEFAULT_MAX_TOKENS = 1024;
+var MODEL_ALIASES = {
+  haiku: "claude-haiku-4-5",
+  sonnet: "claude-sonnet-4-5",
+  opus: "claude-opus-4-1"
+};
+function resolveAnthropicModel(model) {
+  if (model.startsWith("claude-")) return model;
+  const stripped = model.startsWith("anthropic/") ? model.slice("anthropic/".length) : model;
+  return MODEL_ALIASES[stripped] ?? stripped;
+}
+function mapFinishReason(raw) {
+  switch (raw) {
+    case "end_turn":
+    case "stop_sequence":
+      return "stop";
+    case "max_tokens":
+      return "length";
+    case "tool_use":
+      return "tool_use";
+    case "refusal":
+      return "refusal";
+    default:
+      return "stop";
+  }
+}
+function mapUsage(raw) {
+  const u = raw ?? {};
+  const usage = {
+    inputTokens: typeof u.input_tokens === "number" ? u.input_tokens : 0,
+    outputTokens: typeof u.output_tokens === "number" ? u.output_tokens : 0
+  };
+  if (typeof u.cache_read_input_tokens === "number") {
+    usage.cachedInputTokens = u.cache_read_input_tokens;
+  }
+  return usage;
+}
+function toAnthropicPayload(messages) {
+  const systemParts = [];
+  const out = [];
+  for (const m of messages) {
+    if (m.role === "system") {
+      systemParts.push(m.content);
+      continue;
+    }
+    if (m.role === "tool") {
+      out.push({
+        role: "user",
+        content: [
+          {
+            type: "tool_result",
+            tool_use_id: m.toolCallId ?? "",
+            content: m.content
+          }
+        ]
+      });
+      continue;
+    }
+    out.push({ role: m.role, content: m.content });
+  }
+  return {
+    system: systemParts.length > 0 ? systemParts.join("\n\n") : void 0,
+    messages: out
+  };
+}
+function errorForStatus(status, body) {
+  const message = body?.error?.message ?? `Anthropic API returned HTTP ${status}`;
+  if (status === 401 || status === 403) {
+    return new ProviderError({ category: "authentication", providerName: ADAPTER_NAME, message });
+  }
+  if (status === 404) {
+    return new ProviderError({ category: "model_not_found", providerName: ADAPTER_NAME, message });
+  }
+  if (status === 429) {
+    return new ProviderError({ category: "rate_limit", providerName: ADAPTER_NAME, message });
+  }
+  if (status === 408 || status === 504 || status === 529) {
+    return new ProviderError({ category: "network_timeout", providerName: ADAPTER_NAME, message });
+  }
+  return new ProviderError({ category: "unknown", providerName: ADAPTER_NAME, message });
+}
+function errorForThrow(err) {
+  if (err instanceof ProviderError) return err;
+  if (err instanceof Error && (err.name === "AbortError" || /abort|timeout/i.test(err.message))) {
+    return new ProviderError({
+      category: "network_timeout",
+      providerName: ADAPTER_NAME,
+      message: err.message,
+      originalError: err
+    });
+  }
+  return new ProviderError({
+    category: "unknown",
+    providerName: ADAPTER_NAME,
+    message: err instanceof Error ? err.message : String(err),
+    originalError: err
+  });
+}
+function extractText(json) {
+  const blocks = json?.content;
+  if (!Array.isArray(blocks)) return "";
+  return blocks.filter((b) => typeof b === "object" && b !== null).filter((b) => b.type === "text" && typeof b.text === "string").map((b) => b.text).join("");
+}
+var RealAnthropicProvider = class {
+  name = ADAPTER_NAME;
+  version = ADAPTER_VERSION;
+  #apiKey;
+  #baseUrl;
+  #transport;
+  constructor(opts) {
+    this.#apiKey = opts.apiKey;
+    this.#baseUrl = opts.baseUrl ?? DEFAULT_BASE_URL;
+    this.#transport = opts.transport ?? createFetchTransport();
+  }
+  #headers() {
+    return {
+      "content-type": "application/json",
+      "x-api-key": this.#apiKey,
+      "anthropic-version": ANTHROPIC_VERSION
+    };
+  }
+  async complete(req) {
+    this.#assertKey();
+    const { system, messages } = toAnthropicPayload(req.messages);
+    const body = {
+      model: resolveAnthropicModel(req.model),
+      max_tokens: req.maxTokens ?? DEFAULT_MAX_TOKENS,
+      messages,
+      ...system !== void 0 ? { system } : {},
+      ...req.temperature !== void 0 ? { temperature: req.temperature } : {},
+      ...req.stop !== void 0 ? { stop_sequences: req.stop } : {}
+    };
+    const res = await this.#send(body, req.signal);
+    if (res.status < 200 || res.status >= 300) {
+      throw errorForStatus(res.status, res.json);
+    }
+    const text2 = extractText(res.json);
+    const result = {
+      text: text2,
+      model: req.model,
+      usage: mapUsage(res.json.usage),
+      finishReason: mapFinishReason(res.json.stop_reason)
+    };
+    if (req.responseSchema !== void 0) {
+      result.structuredOutput = this.#parseStructured(text2);
+    }
+    return result;
+  }
+  async *completeStream(req) {
+    const completion = await this.complete(req);
+    if (completion.text.length > 0) {
+      yield { type: "text_delta", delta: completion.text };
+    }
+    yield { type: "finish", finishReason: completion.finishReason, usage: completion.usage };
+  }
+  async callTool(req) {
+    this.#assertKey();
+    const { system, messages } = toAnthropicPayload(req.messages);
+    const body = {
+      model: resolveAnthropicModel(req.model),
+      max_tokens: req.maxTokens ?? DEFAULT_MAX_TOKENS,
+      messages,
+      ...system !== void 0 ? { system } : {},
+      tools: req.tools.map((t) => ({
+        name: t.name,
+        description: t.description,
+        input_schema: t.inputSchema
+      }))
+    };
+    const res = await this.#send(body, req.signal);
+    if (res.status < 200 || res.status >= 300) {
+      throw errorForStatus(res.status, res.json);
+    }
+    const json = res.json ?? {};
+    const text2 = extractText(json);
+    const usage = mapUsage(json.usage);
+    const blocks = Array.isArray(json.content) ? json.content : [];
+    const toolUse = blocks.find(
+      (b) => typeof b === "object" && b !== null && b.type === "tool_use"
+    );
+    if (!toolUse) {
+      return {
+        toolName: null,
+        toolArguments: null,
+        toolCallId: null,
+        text: text2,
+        finishReason: mapFinishReason(json.stop_reason),
+        usage
+      };
+    }
+    return {
+      toolName: typeof toolUse.name === "string" ? toolUse.name : null,
+      toolArguments: typeof toolUse.input === "object" && toolUse.input !== null ? toolUse.input : null,
+      toolCallId: typeof toolUse.id === "string" ? toolUse.id : null,
+      text: text2,
+      finishReason: "tool_use",
+      usage
+    };
+  }
+  async batch(reqs) {
+    return Promise.all(
+      reqs.map(
+        (r) => this.complete(r).catch(
+          (err) => err instanceof ProviderError ? err : errorForThrow(err)
+        )
+      )
+    );
+  }
+  // --- internals ---------------------------------------------------------
+  #assertKey() {
+    if (this.#apiKey.length < 8) {
+      throw new ProviderError({
+        category: "authentication",
+        providerName: this.name,
+        message: "apiKey missing or too short"
+      });
+    }
+  }
+  async #send(body, signal) {
+    try {
+      return await this.#transport({
+        url: this.#baseUrl,
+        method: "POST",
+        headers: this.#headers(),
+        body,
+        signal
+      });
+    } catch (err) {
+      throw errorForThrow(err);
+    }
+  }
+  #parseStructured(text2) {
+    try {
+      return JSON.parse(text2);
+    } catch {
+      throw new ProviderError({
+        category: "schema_violation",
+        providerName: this.name,
+        message: "responseSchema requested but model output was not valid JSON"
+      });
+    }
+  }
+};
+var AnthropicTriggerProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async selectSkill(prompt, availableSkills) {
+    const roster = availableSkills.map((s) => `- ${s.name}: ${s.description}`).join("\n");
+    const system = 'You are a skill router. Given a user prompt and a roster of available skills, decide which single skill (if any) should handle the prompt. Respond ONLY with a JSON object {"selected": "<skill-name-or-null>", "reasoning": "<one sentence>"}. Use null for selected when no skill fits.';
+    const user = `Available skills:
+${roster}
+
+User prompt: "${prompt}"`;
+    const result = await this.#provider.complete({
+      model: this.#model,
+      messages: [
+        { role: "system", content: system },
+        { role: "user", content: user }
+      ],
+      maxTokens: 256,
+      temperature: 0
+    });
+    const parsed = parseJsonObject(result.text);
+    const rawSelected = parsed?.selected;
+    const selected = typeof rawSelected === "string" && rawSelected !== "null" && rawSelected.length > 0 ? rawSelected : null;
+    const reasoning = typeof parsed?.reasoning === "string" ? parsed.reasoning : result.text.slice(0, 200);
+    return { selected, reasoning };
+  }
+};
+var AnthropicExecutionProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async execute(prompt, context, options) {
+    const started = /* @__PURE__ */ new Date();
+    const model = options?.model ?? this.#model;
+    const controller = options?.timeout_ms ? new AbortController() : void 0;
+    const timer = controller ? setTimeout(() => controller.abort(), options.timeout_ms) : void 0;
+    try {
+      const result = await this.#provider.complete({
+        model,
+        messages: [
+          { role: "system", content: context.skill_body },
+          { role: "user", content: prompt }
+        ],
+        maxTokens: 1024,
+        ...controller ? { signal: controller.signal } : {}
+      });
+      const completed = /* @__PURE__ */ new Date();
+      const meta = {
+        started_at: started.toISOString(),
+        completed_at: completed.toISOString(),
+        duration_ms: completed.getTime() - started.getTime(),
+        timed_out: false
+      };
+      return { text: result.text, artifacts: [], tool_calls: 0, meta };
+    } finally {
+      if (timer) clearTimeout(timer);
+    }
+  }
+};
+var AnthropicJudgeProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async judge(criterion_description, prompt, output, judge_prompt) {
+    const system = 'You are a strict binary evaluator. Decide whether the OUTPUT satisfies the CRITERION for the given PROMPT. Respond ONLY with a JSON object {"verdict": "yes"|"no"|"unsure", "confidence": <0..1>, "reasoning": "<one sentence>"}.';
+    const question = judge_prompt ?? `Does the output satisfy: ${criterion_description}?`;
+    const user = `CRITERION: ${criterion_description}
+
+QUESTION: ${question}
+
+PROMPT: ${prompt}
+
+OUTPUT:
+${output}`;
+    const result = await this.#provider.complete({
+      model: this.#model,
+      messages: [
+        { role: "system", content: system },
+        { role: "user", content: user }
+      ],
+      maxTokens: 256,
+      temperature: 0
+    });
+    const parsed = parseJsonObject(result.text);
+    const rawVerdict = typeof parsed?.verdict === "string" ? parsed.verdict.toLowerCase() : "";
+    const verdict = rawVerdict === "yes" ? "yes" : rawVerdict === "no" ? "no" : "unsure";
+    const confidence = typeof parsed?.confidence === "number" ? Math.max(0, Math.min(1, parsed.confidence)) : 0.5;
+    const reasoning = typeof parsed?.reasoning === "string" ? parsed.reasoning : result.text.slice(0, 200);
+    return { verdict, confidence, reasoning };
+  }
+};
+function parseJsonObject(text2) {
+  const fenced = text2.match(/```(?:json)?\s*([\s\S]*?)```/);
+  const candidate = fenced ? fenced[1] : text2;
+  const start = candidate.indexOf("{");
+  const end = candidate.lastIndexOf("}");
+  if (start === -1 || end === -1 || end < start) return null;
+  try {
+    const parsed = JSON.parse(candidate.slice(start, end + 1));
+    return typeof parsed === "object" && parsed !== null ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/providers/openai-compatible.ts
+var ADAPTER_VERSION2 = "1.0.0";
+var PROVIDER_PRESETS = {
+  deepseek: {
+    id: "deepseek",
+    baseUrl: "https://api.deepseek.com",
+    // deepseek-v4-flash (V4 Lite) is the current fast coding/general model
+    // (1M context, 13B-active MoE); deepseek-reasoner is the reasoning model.
+    // The legacy "deepseek-chat" alias deprecates 2026-07-24 — it just maps to
+    // v4-flash non-thinking mode. Override via LLM_MODEL/--model to switch.
+    defaultModel: "deepseek-v4-flash",
+    keyEnv: "DEEPSEEK_API_KEY"
+  },
+  kimi: {
+    id: "kimi",
+    // Moonshot's international endpoint. platform.kimi.ai is the console;
+    // api.moonshot.ai/v1 is the OpenAI-compatible API surface.
+    baseUrl: "https://api.moonshot.ai/v1",
+    // Kimi K2.6 (latest, April 2026 — 1M ctx, coding/agentic). Model ids churn
+    // on the vendor side — override via LLM_MODEL/--model when needed.
+    defaultModel: "kimi-k2.6",
+    keyEnv: "MOONSHOT_API_KEY"
+  },
+  openrouter: {
+    id: "openrouter",
+    baseUrl: "https://openrouter.ai/api/v1",
+    // OpenRouter namespaces models as <org>/<model>. Pick Kimi or DeepSeek by
+    // overriding LLM_MODEL/--model.
+    defaultModel: "deepseek/deepseek-chat",
+    keyEnv: "OPENROUTER_API_KEY"
+  }
+};
+var PRESET_ALIASES = {
+  moonshot: "kimi"
+};
+function resolveOpenAICompatConfig(env = process.env, preferred) {
+  const llmBase = env.LLM_BASE_URL?.trim();
+  const llmModel = env.LLM_MODEL?.trim();
+  const llmKey = env.LLM_API_KEY?.trim();
+  const fromPreset = (presetId) => {
+    const id = PRESET_ALIASES[presetId] ?? presetId;
+    const preset = PROVIDER_PRESETS[id];
+    if (!preset) return null;
+    const key = (env[preset.keyEnv] ?? llmKey)?.trim();
+    if (!key || key.length < 8) return null;
+    return {
+      name: preset.id,
+      baseUrl: llmBase || preset.baseUrl,
+      apiKey: key,
+      defaultModel: llmModel || preset.defaultModel
+    };
+  };
+  if (preferred) {
+    const explicit = fromPreset(preferred);
+    if (explicit) return explicit;
+    return null;
+  }
+  if (llmKey && llmKey.length >= 8 && llmBase) {
+    return {
+      name: env.LLM_PROVIDER?.trim() || "openai-compatible",
+      baseUrl: llmBase,
+      apiKey: llmKey,
+      defaultModel: llmModel || ""
+    };
+  }
+  for (const presetId of ["deepseek", "kimi", "openrouter"]) {
+    const cfg = fromPreset(presetId);
+    if (cfg) return cfg;
+  }
+  return null;
+}
+function mapFinishReason2(raw) {
+  switch (raw) {
+    case "stop":
+      return "stop";
+    case "length":
+      return "length";
+    case "tool_calls":
+    case "function_call":
+      return "tool_use";
+    case "content_filter":
+      return "refusal";
+    default:
+      return "stop";
+  }
+}
+function mapUsage2(raw) {
+  const u = raw ?? {};
+  const usage = {
+    inputTokens: typeof u.prompt_tokens === "number" ? u.prompt_tokens : 0,
+    outputTokens: typeof u.completion_tokens === "number" ? u.completion_tokens : 0
+  };
+  const cached = u.prompt_tokens_details?.cached_tokens;
+  if (typeof cached === "number") {
+    usage.cachedInputTokens = cached;
+  }
+  return usage;
+}
+function toWireMessages(messages) {
+  return messages.map((m) => {
+    if (m.role === "tool") {
+      return {
+        role: "tool",
+        content: m.content,
+        tool_call_id: m.toolCallId ?? "",
+        ...m.toolName ? { name: m.toolName } : {}
+      };
+    }
+    return { role: m.role, content: m.content };
+  });
+}
+function errorForStatus2(name, status, body) {
+  const message = body?.error?.message ?? `${name} API returned HTTP ${status}`;
+  if (status === 401 || status === 403) {
+    return new ProviderError({ category: "authentication", providerName: name, message });
+  }
+  if (status === 404) {
+    return new ProviderError({ category: "model_not_found", providerName: name, message });
+  }
+  if (status === 429) {
+    return new ProviderError({ category: "rate_limit", providerName: name, message });
+  }
+  if (status === 408 || status === 504 || status === 529 || status === 503) {
+    return new ProviderError({ category: "network_timeout", providerName: name, message });
+  }
+  return new ProviderError({ category: "unknown", providerName: name, message });
+}
+function errorForThrow2(name, err) {
+  if (err instanceof ProviderError) return err;
+  if (err instanceof Error && (err.name === "AbortError" || /abort|timeout/i.test(err.message))) {
+    return new ProviderError({
+      category: "network_timeout",
+      providerName: name,
+      message: err.message,
+      originalError: err
+    });
+  }
+  return new ProviderError({
+    category: "unknown",
+    providerName: name,
+    message: err instanceof Error ? err.message : String(err),
+    originalError: err
+  });
+}
+var RealOpenAICompatProvider = class {
+  name;
+  version = ADAPTER_VERSION2;
+  #apiKey;
+  #baseUrl;
+  #transport;
+  constructor(opts) {
+    this.#apiKey = opts.apiKey;
+    this.#baseUrl = opts.baseUrl.replace(/\/+$/, "");
+    this.name = opts.name ?? "openai-compatible";
+    this.#transport = opts.transport ?? createFetchTransport();
+  }
+  #headers() {
+    return {
+      "content-type": "application/json",
+      authorization: `Bearer ${this.#apiKey}`
+    };
+  }
+  async complete(req) {
+    this.#assertKey();
+    const body = {
+      model: req.model,
+      messages: toWireMessages(req.messages),
+      ...req.maxTokens !== void 0 ? { max_tokens: req.maxTokens } : {},
+      ...req.temperature !== void 0 ? { temperature: req.temperature } : {},
+      ...req.stop !== void 0 ? { stop: req.stop } : {},
+      ...req.responseSchema !== void 0 ? {
+        response_format: {
+          type: "json_schema",
+          json_schema: { name: "response", schema: req.responseSchema, strict: true }
+        }
+      } : {}
+    };
+    const res = await this.#send(body, req.signal);
+    if (res.status < 200 || res.status >= 300) {
+      throw errorForStatus2(this.name, res.status, res.json);
+    }
+    const choice = this.#firstChoice(res.json);
+    const message = choice.message ?? {};
+    const text2 = typeof message.content === "string" ? message.content : "";
+    const result = {
+      text: text2,
+      model: req.model,
+      usage: mapUsage2(res.json.usage),
+      finishReason: mapFinishReason2(choice.finish_reason)
+    };
+    if (req.responseSchema !== void 0) {
+      result.structuredOutput = this.#parseStructured(text2);
+    }
+    return result;
+  }
+  async *completeStream(req) {
+    const completion = await this.complete(req);
+    if (completion.text.length > 0) {
+      yield { type: "text_delta", delta: completion.text };
+    }
+    yield { type: "finish", finishReason: completion.finishReason, usage: completion.usage };
+  }
+  async callTool(req) {
+    this.#assertKey();
+    const body = {
+      model: req.model,
+      messages: toWireMessages(req.messages),
+      tools: req.tools.map((t) => ({
+        type: "function",
+        function: { name: t.name, description: t.description, parameters: t.inputSchema }
+      })),
+      ...req.maxTokens !== void 0 ? { max_tokens: req.maxTokens } : {}
+    };
+    const res = await this.#send(body, req.signal);
+    if (res.status < 200 || res.status >= 300) {
+      throw errorForStatus2(this.name, res.status, res.json);
+    }
+    const choice = this.#firstChoice(res.json);
+    const message = choice.message ?? {};
+    const text2 = typeof message.content === "string" ? message.content : "";
+    const usage = mapUsage2(res.json.usage);
+    const toolCalls = Array.isArray(message.tool_calls) ? message.tool_calls : [];
+    const first = toolCalls[0];
+    if (!first) {
+      return {
+        toolName: null,
+        toolArguments: null,
+        toolCallId: null,
+        text: text2,
+        finishReason: mapFinishReason2(choice.finish_reason),
+        usage
+      };
+    }
+    const fn = first.function ?? {};
+    return {
+      toolName: typeof fn.name === "string" ? fn.name : null,
+      toolArguments: this.#parseToolArgs(fn.arguments),
+      toolCallId: typeof first.id === "string" ? first.id : null,
+      text: text2,
+      finishReason: "tool_use",
+      usage
+    };
+  }
+  async batch(reqs) {
+    return Promise.all(
+      reqs.map(
+        (r) => this.complete(r).catch(
+          (err) => err instanceof ProviderError ? err : errorForThrow2(this.name, err)
+        )
+      )
+    );
+  }
+  // --- internals ---------------------------------------------------------
+  #assertKey() {
+    if (this.#apiKey.length < 8) {
+      throw new ProviderError({
+        category: "authentication",
+        providerName: this.name,
+        message: "apiKey missing or too short"
+      });
+    }
+  }
+  async #send(body, signal) {
+    try {
+      return await this.#transport({
+        url: `${this.#baseUrl}/chat/completions`,
+        method: "POST",
+        headers: this.#headers(),
+        body,
+        signal
+      });
+    } catch (err) {
+      throw errorForThrow2(this.name, err);
+    }
+  }
+  #firstChoice(json) {
+    const choices = json?.choices;
+    if (!Array.isArray(choices) || choices.length === 0) {
+      throw new ProviderError({
+        category: "unknown",
+        providerName: this.name,
+        message: `${this.name} response contained no choices`
+      });
+    }
+    return choices[0];
+  }
+  #parseStructured(text2) {
+    try {
+      return JSON.parse(text2);
+    } catch {
+      throw new ProviderError({
+        category: "schema_violation",
+        providerName: this.name,
+        message: "responseSchema requested but model output was not valid JSON"
+      });
+    }
+  }
+  #parseToolArgs(raw) {
+    if (raw == null) return null;
+    if (typeof raw === "object") return raw;
+    if (typeof raw === "string") {
+      try {
+        const parsed = JSON.parse(raw);
+        return typeof parsed === "object" && parsed !== null ? parsed : {};
+      } catch {
+        return {};
+      }
+    }
+    return null;
+  }
+};
+function parseJsonObject2(text2) {
+  const fenced = text2.match(/```(?:json)?\s*([\s\S]*?)```/);
+  const candidate = fenced ? fenced[1] : text2;
+  const start = candidate.indexOf("{");
+  const end = candidate.lastIndexOf("}");
+  if (start === -1 || end === -1 || end < start) return null;
+  try {
+    const parsed = JSON.parse(candidate.slice(start, end + 1));
+    return typeof parsed === "object" && parsed !== null ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+var OpenAICompatTriggerProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async selectSkill(prompt, availableSkills) {
+    const roster = availableSkills.map((s) => `- ${s.name}: ${s.description}`).join("\n");
+    const system = 'You are a skill router. Given a user prompt and a roster of available skills, decide which single skill (if any) should handle the prompt. Respond ONLY with a JSON object {"selected": "<skill-name-or-null>", "reasoning": "<one sentence>"}. Use null for selected when no skill fits.';
+    const user = `Available skills:
+${roster}
+
+User prompt: "${prompt}"`;
+    const result = await this.#provider.complete({
+      model: this.#model,
+      messages: [
+        { role: "system", content: system },
+        { role: "user", content: user }
+      ],
+      maxTokens: 256,
+      temperature: 0
+    });
+    const parsed = parseJsonObject2(result.text);
+    const rawSelected = parsed?.selected;
+    const selected = typeof rawSelected === "string" && rawSelected !== "null" && rawSelected.length > 0 ? rawSelected : null;
+    const reasoning = typeof parsed?.reasoning === "string" ? parsed.reasoning : result.text.slice(0, 200);
+    return { selected, reasoning };
+  }
+};
+var OpenAICompatExecutionProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async execute(prompt, context, options) {
+    const started = /* @__PURE__ */ new Date();
+    const model = options?.model ?? this.#model;
+    const controller = options?.timeout_ms ? new AbortController() : void 0;
+    const timer = controller ? setTimeout(() => controller.abort(), options.timeout_ms) : void 0;
+    try {
+      const result = await this.#provider.complete({
+        model,
+        messages: [
+          { role: "system", content: context.skill_body },
+          { role: "user", content: prompt }
+        ],
+        maxTokens: 1024,
+        ...controller ? { signal: controller.signal } : {}
+      });
+      const completed = /* @__PURE__ */ new Date();
+      const meta = {
+        started_at: started.toISOString(),
+        completed_at: completed.toISOString(),
+        duration_ms: completed.getTime() - started.getTime(),
+        timed_out: false
+      };
+      return { text: result.text, artifacts: [], tool_calls: 0, meta };
+    } finally {
+      if (timer) clearTimeout(timer);
+    }
+  }
+};
+var OpenAICompatJudgeProvider = class {
+  #provider;
+  #model;
+  constructor(model, provider) {
+    this.#model = model;
+    this.#provider = provider;
+  }
+  async judge(criterion_description, prompt, output, judge_prompt) {
+    const system = 'You are a strict binary evaluator. Decide whether the OUTPUT satisfies the CRITERION for the given PROMPT. Respond ONLY with a JSON object {"verdict": "yes"|"no"|"unsure", "confidence": <0..1>, "reasoning": "<one sentence>"}.';
+    const question = judge_prompt ?? `Does the output satisfy: ${criterion_description}?`;
+    const user = `CRITERION: ${criterion_description}
+
+QUESTION: ${question}
+
+PROMPT: ${prompt}
+
+OUTPUT:
+${output}`;
+    const result = await this.#provider.complete({
+      model: this.#model,
+      messages: [
+        { role: "system", content: system },
+        { role: "user", content: user }
+      ],
+      maxTokens: 256,
+      temperature: 0
+    });
+    const parsed = parseJsonObject2(result.text);
+    const rawVerdict = typeof parsed?.verdict === "string" ? parsed.verdict.toLowerCase() : "";
+    const verdict = rawVerdict === "yes" ? "yes" : rawVerdict === "no" ? "no" : "unsure";
+    const confidence = typeof parsed?.confidence === "number" ? Math.max(0, Math.min(1, parsed.confidence)) : 0.5;
+    const reasoning = typeof parsed?.reasoning === "string" ? parsed.reasoning : result.text.slice(0, 200);
+    return { verdict, confidence, reasoning };
+  }
+};
+
+// src/commands/eval.ts
+function selectProviders(model, preferred) {
+  const want = preferred?.trim().toLowerCase();
+  if (want === "stub") {
+    return {
+      trigger: new StubTriggerProvider(model),
+      execution: new StubExecutionProvider(model),
+      judge: new StubJudgeProvider(model),
+      real: false,
+      providerName: "stub"
+    };
+  }
+  if (want !== "anthropic") {
+    const cfg = resolveOpenAICompatConfig(process.env, want);
+    if (cfg) {
+      const effectiveModel = cfg.defaultModel && cfg.defaultModel.length > 0 ? cfg.defaultModel : model;
+      const provider = new RealOpenAICompatProvider({
+        apiKey: cfg.apiKey,
+        baseUrl: cfg.baseUrl,
+        name: cfg.name
+      });
+      return {
+        trigger: new OpenAICompatTriggerProvider(effectiveModel, provider),
+        execution: new OpenAICompatExecutionProvider(effectiveModel, provider),
+        judge: new OpenAICompatJudgeProvider(effectiveModel, provider),
+        real: true,
+        providerName: cfg.name
+      };
+    }
+  }
+  const apiKey = process.env.ANTHROPIC_API_KEY;
+  if (apiKey && apiKey.length >= 8) {
+    const provider = new RealAnthropicProvider({ apiKey });
+    return {
+      trigger: new AnthropicTriggerProvider(model, provider),
+      execution: new AnthropicExecutionProvider(model, provider),
+      judge: new AnthropicJudgeProvider(model, provider),
+      real: true,
+      providerName: "anthropic"
+    };
+  }
+  return {
+    trigger: new StubTriggerProvider(model),
+    execution: new StubExecutionProvider(model),
+    judge: new StubJudgeProvider(model),
+    real: false,
+    providerName: "stub"
+  };
+}
+function hasAnyRealKey(preferred) {
+  const want = preferred?.trim().toLowerCase();
+  if (want === "stub") return false;
+  if (want !== "anthropic" && resolveOpenAICompatConfig(process.env, want)) return true;
+  if (want === "anthropic" || want === void 0 || want === "") {
+    return (process.env.ANTHROPIC_API_KEY?.length ?? 0) >= 8;
+  }
+  return false;
+}
+function registerEvalCommand(program) {
+  program.command("eval").description("Run full 7-layer binary evaluation on a skill").argument("<skill-dir>", "Path to skill directory containing SKILL.md").option("--spec <path>", "Path to eval spec YAML").option("--models <list>", "Comma-separated model list", "sonnet").option("--db <path>", "SQLite DB path", "j-rig.db").option("--json", "Output as JSON").option("--no-trigger", "Skip trigger tests").option("--no-functional", "Skip functional tests").option(
+    "--provider <name>",
+    "Force a provider: deepseek | kimi | moonshot | openrouter | anthropic | stub (default: auto-detect from env keys, preferring an OpenAI-compatible endpoint)"
+  ).action(async (skillDir, opts) => {
+    const startTime = Date.now();
+    try {
+      const hasRealKey = hasAnyRealKey(opts.provider);
+      if (!hasRealKey) assertStubAllowed();
+      const absDir = resolve4(skillDir);
+      const { parsed: skill, raw: skillContent } = loadSkillMd(absDir);
+      const spec = loadEvalSpec(opts.spec, absDir);
+      const models = opts.models.split(",").map((m) => m.trim());
+      const database = openDb(opts.db);
+      const skillName = skill.frontmatter.name;
+      const skillVersion = typeof skill.frontmatter.version === "string" ? skill.frontmatter.version : "0.0.0";
+      const skillSnapshotSha = "sha256:" + createHash2("sha256").update(skillContent).digest("hex");
+      const specContentHash = "sha256:" + createHash2("sha256").update(JSON.stringify(spec)).digest("hex");
+      if (!opts.json) {
+        console.log(header(`j-rig eval: ${skillName}`));
+        console.log(`  Models: ${models.join(", ")}
+`);
+      }
+      const pkgReport = checkPackage(absDir);
+      if (!opts.json) {
+        console.log(header("--- Package Integrity ---"));
+        const { summary } = pkgReport;
+        console.log(`  ${summary.passed}/${summary.passed + summary.errors} checks passed`);
+      }
+      if (pkgReport.summary.errors > 0) {
+        if (!opts.json) {
+          printReport(pkgReport);
+          console.error(chalk3.red("\nPackage integrity failed. Fix errors before evaluation."));
+        } else {
+          console.log(JSON.stringify({ error: "Package integrity failed", pkgReport }, null, 2));
+        }
+        process.exit(1);
+      }
+      if (!opts.json) console.log("");
+      const allResults = {};
+      for (const model of models) {
+        const modelStart = Date.now();
+        const svId = getOrCreateSkillVersion(database, skillName, skillVersion, skillContent);
+        const runId = createRun(database, svId, "full", model);
+        transitionRun(database, runId, "running");
+        const providers = selectProviders(model, opts.provider);
+        const correlation = { evalRunId: uuidv7() };
+        emitRuntimeRunStarted(correlation, {
+          specContentHash,
+          skillSnapshotSha
+        });
+        let runHadFailure = false;
+        if (!opts.json) {
+          console.log(header(`--- Model: ${model} ---`));
+          console.log(
+            `  Provider: ${providers.real ? `${providers.providerName} (REAL \u2014 ground truth)` : `${providers.providerName.toUpperCase()} (not ground truth)`}`
+          );
+        }
+        if (opts.trigger !== false) {
+          const roster = buildRoster(skill.frontmatter, spec.siblings);
+          const triggerResults = await runTriggerTests(
+            spec.test_cases,
+            roster,
+            providers.trigger
+          );
+          const metrics = computeMetrics(triggerResults);
+          if (!opts.json) {
+            console.log(
+              `  Trigger: precision=${metrics.precision.toFixed(2)} recall=${metrics.recall.toFixed(2)} (${metrics.total_cases} cases)`
+            );
+          }
+        }
+        if (opts.functional !== false) {
+          const outcomes = await runFunctionalTests(
+            spec.test_cases,
+            skill,
+            providers.execution,
+            { model }
+          );
+          if (!opts.json) {
+            console.log(
+              `  Functional: ${outcomes.length}/${spec.test_cases.length} test case(s) executed`
+            );
+          }
+          const allJudgments = [];
+          for (const outcome of outcomes) {
+            const judgments = await judgeCriteria(spec.criteria, outcome, providers.judge, {
+              model
+            });
+            for (const j of judgments) {
+              if (j.method === "judge") {
+                emitJudgeInvoked(correlation, {
+                  judgeId: `j-rig:judge:${j.criterion_id}`,
+                  modelId: j.judge_model ?? model,
+                  modelVersion: skillVersion
+                });
+                emitJudgeVerdict(correlation, {
+                  verdict: j.verdict,
+                  verdictSource: JudgeVerdictSource.LLM_NO_SEED,
+                  seed: null
+                });
+              }
+              const criterionOutcome = j.verdict === "yes" ? CriterionOutcome.PASS : j.verdict === "unsure" ? CriterionOutcome.SKIP : CriterionOutcome.FAIL;
+              if (criterionOutcome === CriterionOutcome.FAIL) runHadFailure = true;
+              emitRuntimeCriterionEvaluated(correlation, {
+                matcherClass: j.method,
+                outcome: criterionOutcome
+              });
+            }
+            allJudgments.push(...judgments);
+          }
+          const passed = allJudgments.filter((j) => j.verdict === "yes").length;
+          const total = allJudgments.length;
+          if (!opts.json) {
+            console.log(`  Judgment: ${formatScore(passed, total)}`);
+            for (const j of allJudgments) {
+              const verdictIcon = j.verdict === "yes" ? icon("pass") : j.verdict === "unsure" ? icon("warning") : icon("error");
+              console.log(`    ${verdictIcon} ${j.criterion_id}: ${j.reasoning.slice(0, 80)}`);
+            }
+          }
+          const dbResults = allJudgments.map((j) => ({
+            criterion_id: j.criterion_id,
+            passed: j.verdict === "yes",
+            severity: j.verdict === "yes" ? "pass" : j.verdict === "unsure" ? "warning" : "error",
+            message: j.reasoning,
+            method: j.method
+          }));
+          storeCriterionResults(database, runId, dbResults);
+          const errors = allJudgments.filter((j) => j.verdict === "no").length;
+          const warnings = allJudgments.filter((j) => j.verdict === "unsure").length;
+          storeRunSummary(database, runId, {
+            total,
+            passed,
+            warnings,
+            errors
+          });
+          const scoreCard = computeScoreCard(allJudgments, spec.criteria);
+          const decision = decideRollout(scoreCard);
+          const report = buildLaunchReport(
+            skillName,
+            scoreCard,
+            [],
+            // regressions: none in a standalone run
+            [],
+            // baseline: none without a baseline comparison run
+            false,
+            // isObsolete: not computed here
+            // DR-103 D5 B5.1: inject `now` so the launch-report artifact is
+            // replayable (the determinism the adoption signal's bandit-rejection
+            // rests on). One timestamp per model run.
+            { now: new Date(modelStart).toISOString() }
+          );
+          allResults[model] = {
+            provider: providers.providerName,
+            model,
+            ground_truth: providers.real,
+            pkgReport,
+            scoreCard,
+            decision,
+            report
+          };
+          const gateDecisionValue = report.decision === "ship" ? GateDecision.PASS : report.decision === "block" ? GateDecision.FAIL : GateDecision.ADVISORY;
+          if (gateDecisionValue === GateDecision.FAIL) runHadFailure = true;
+          emitGateDecisionEmitted(correlation, {
+            gateName: "j-rig-rollout-gate",
+            decision: gateDecisionValue,
+            policyRef: specContentHash
+          });
+          if (!opts.json) {
+            console.log(`  Decision: ${formatDecision(report.decision)}`);
+            if (report.blockers.length > 0) {
+              for (const b of report.blockers) {
+                console.log(`    ${icon("error")} ${b}`);
+              }
+            }
+            if (report.warnings.length > 0) {
+              for (const w of report.warnings) {
+                console.log(`    ${icon("warning")} ${w}`);
+              }
+            }
+            console.log("");
+          }
+          transitionRun(database, runId, "completed");
+        } else {
+          transitionRun(database, runId, "completed");
+        }
+        emitRuntimeRunFinished(correlation, {
+          terminalState: runHadFailure ? RuntimeTerminalState.ARCHIVED_FAILED : RuntimeTerminalState.JUDGED,
+          durationMs: Date.now() - modelStart
+        });
+      }
+      const duration = Date.now() - startTime;
+      if (opts.json) {
+        console.log(JSON.stringify(allResults, null, 2));
+      } else {
+        console.log(chalk3.dim(`Duration: ${formatDuration(duration)} | DB: ${opts.db}`));
+      }
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/report.ts
+import chalk4 from "chalk";
+function registerReportCommand(program) {
+  program.command("report").description("Show evaluation results from the database").option("--db <path>", "SQLite DB path", "j-rig.db").option("--skill <name>", "Filter by skill name").option("--run-id <id>", "Show detailed results for a specific run", parseInt).option("--limit <n>", "Max runs to show", parseInt, 10).option("--json", "Output as JSON").action(
+    async (opts) => {
+      try {
+        const database = openDb(opts.db);
+        if (opts.runId) {
+          const run = getRun(database, opts.runId);
+          if (!run) {
+            console.error(`Run #${opts.runId} not found`);
+            process.exit(1);
+          }
+          const results = getRunResults(database, opts.runId);
+          const arts = getRunArtifacts(database, opts.runId);
+          if (opts.json) {
+            console.log(JSON.stringify({ run, results, artifacts: arts }, null, 2));
+          } else {
+            const summary = run.summary;
+            console.log(header(`Run #${run.id}`));
+            console.log(
+              `  Status: ${run.status} | Model: ${run.model ?? "n/a"} | Type: ${run.run_type}`
+            );
+            if (run.duration_ms != null) {
+              console.log(`  Duration: ${formatDuration(run.duration_ms)}`);
+            }
+            if (summary) {
+              console.log(`  Score: ${formatScore(summary.passed, summary.total)}`);
+            }
+            console.log(`
+  ${header("Criterion Results:")}`);
+            for (const r of results) {
+              const sev = r.severity;
+              const ic = r.passed ? icon("pass") : icon("error");
+              const sevIcon = sev === "warning" ? ` ${icon("warning")}` : "";
+              console.log(`    ${ic}${sevIcon} ${r.criterion_id}: ${r.message}`);
+            }
+            if (arts.length > 0) {
+              console.log(`
+  ${header("Artifacts:")}`);
+              for (const a of arts) {
+                console.log(`    ${a.filename} (${a.artifact_type})`);
+              }
+            }
+          }
+        } else {
+          const rows = getRecentRuns(database, {
+            limit: opts.limit,
+            skillName: opts.skill
+          });
+          if (opts.json) {
+            console.log(JSON.stringify(rows, null, 2));
+          } else {
+            console.log(header("Recent Runs:"));
+            console.log(
+              chalk4.dim("  ID   Skill                       Model    Status      Date")
+            );
+            for (const row of rows) {
+              const r = row.runs;
+              const sv = row.skill_versions;
+              console.log(
+                `  ${String(r.id).padEnd(5)} ${sv.skill_name.padEnd(28)} ${(r.model ?? "n/a").padEnd(9)} ${r.status.padEnd(12)} ${r.created_at?.slice(0, 10) ?? ""}`
+              );
+            }
+            if (rows.length === 0) {
+              console.log(chalk4.dim("  No runs found."));
+            }
+          }
+        }
+      } catch (err) {
+        console.error(`Error: ${err instanceof Error ? err.message : err}`);
+        process.exit(1);
+      }
+    }
+  );
+}
+
+// src/commands/optimize.ts
+import chalk5 from "chalk";
+function toJudgmentResult(row) {
+  return {
+    criterion_id: row.criterion_id,
+    verdict: row.passed ? "yes" : "no",
+    confidence: 1,
+    reasoning: row.message,
+    method: row.method === "judge" ? "judge" : "deterministic"
+  };
+}
+function toCriterion(row) {
+  return {
+    id: row.criterion_id,
+    description: row.criterion_id,
+    method: row.method === "judge" ? "judge" : "deterministic",
+    blocker: false,
+    regression_critical: false,
+    baseline_sensitive: false,
+    pack_sensitive: false
+  };
+}
+function registerOptimizeCommand(program) {
+  program.command("optimize").description("Analyze failures and suggest improvements for a skill").requiredOption("--skill <name>", "Skill name to optimize").option("--db <path>", "SQLite DB path", "j-rig.db").option("--run-id <id>", "Optimize from a specific run", parseInt).option("--json", "Output as JSON").action(async (opts) => {
+    try {
+      const database = openDb(opts.db);
+      let runId = opts.runId;
+      if (runId == null) {
+        const runs2 = getRecentRuns(database, { skillName: opts.skill, limit: 1 });
+        if (runs2.length === 0) {
+          console.error(`No runs found for skill: ${opts.skill}`);
+          process.exit(1);
+        }
+        runId = runs2[0].runs.id;
+      }
+      const dbResults = getRunResults(database, runId);
+      if (dbResults.length === 0) {
+        console.error(`No results found for run #${runId}`);
+        process.exit(1);
+      }
+      const judgmentResults = dbResults.map(toJudgmentResult);
+      const criteria = dbResults.map(toCriterion);
+      const clusters = clusterFailures(judgmentResults, criteria);
+      const weakest = selectWeakest(judgmentResults, criteria);
+      if (opts.json) {
+        console.log(JSON.stringify({ runId, clusters, weakest }, null, 2));
+      } else {
+        console.log(header(`Optimization Analysis: ${opts.skill} (Run #${runId})`));
+        if (clusters.length === 0) {
+          console.log(chalk5.green("\n  No failures to cluster. All criteria passed."));
+        } else {
+          console.log("\n  Failure Clusters:");
+          for (const c of clusters) {
+            const color = c.severity === "critical" ? chalk5.red : c.severity === "high" ? chalk5.yellow : chalk5.dim;
+            console.log(
+              `    ${color(`[${c.severity.toUpperCase()}]`)} ${c.pattern} (${c.criterion_ids.length} criteria)`
+            );
+            for (const id of c.criterion_ids) {
+              console.log(`      - ${id}`);
+            }
+          }
+        }
+        if (weakest != null) {
+          console.log(`
+  Weakest Criterion: ${chalk5.red.bold(weakest)}`);
+          console.log(chalk5.dim("  Focus improvement efforts here first."));
+        } else {
+          console.log(chalk5.dim("\n  No single weakest criterion identified."));
+        }
+      }
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/drift.ts
+import chalk6 from "chalk";
+function registerDriftCommand(program) {
+  program.command("drift").description("Check if a skill needs reevaluation").requiredOption("--skill <name>", "Skill name to check").option("--db <path>", "SQLite DB path", "j-rig.db").option("--max-age <days>", "Days before flagging stale", parseInt, 30).option("--json", "Output as JSON").action(async (opts) => {
+    try {
+      const database = openDb(opts.db);
+      const runs2 = getRecentRuns(database, { skillName: opts.skill, limit: 2 });
+      if (runs2.length === 0) {
+        if (opts.json) {
+          console.log(JSON.stringify({ skill: opts.skill, status: "no_data", stale: true }));
+        } else {
+          console.log(header(`Drift Check: ${opts.skill}`));
+          console.log(chalk6.yellow("\n  No evaluation history found."));
+          console.log(chalk6.dim("  Run: j-rig eval <skill-dir>"));
+        }
+        process.exit(0);
+        return;
+      }
+      const latest = runs2[0].runs;
+      const createdAt = latest.created_at ?? (/* @__PURE__ */ new Date()).toISOString();
+      const stale = needsReevaluation(createdAt, opts.maxAge);
+      const daysAgo = Math.floor((Date.now() - new Date(createdAt).getTime()) / 864e5);
+      if (opts.json) {
+        console.log(
+          JSON.stringify(
+            {
+              skill: opts.skill,
+              lastEval: createdAt,
+              daysAgo,
+              stale,
+              maxAge: opts.maxAge,
+              status: latest.status
+            },
+            null,
+            2
+          )
+        );
+      } else {
+        console.log(header(`Drift Check: ${opts.skill}`));
+        console.log(`
+  Last Eval: ${createdAt.slice(0, 10)} (${daysAgo} days ago)`);
+        console.log(
+          `  Status: ${stale ? chalk6.red("STALE") : chalk6.green("CURRENT")} (threshold: ${opts.maxAge} days)`
+        );
+        console.log(`  Last Run: #${latest.id} (${latest.status})`);
+        if (stale) {
+          console.log(chalk6.yellow("\n  Recommendation: Re-run evaluation with `j-rig eval`"));
+        }
+      }
+    } catch (err) {
+      console.error(`Error: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/emit-evidence.ts
+import { readFileSync as readFileSync4, writeFileSync, mkdirSync, existsSync as existsSync3, mkdtempSync, rmSync } from "fs";
+import { dirname, resolve as resolve5, join as join3 } from "path";
+import { tmpdir } from "os";
+import { execSync, spawnSync } from "child_process";
+import { createHash as createHash3 } from "crypto";
+var NOT_APPLICABLE_SENTINEL = "NOT_APPLICABLE";
+var DEFAULT_RUNNER_VERSION = "j-rig@0.0.0-dev";
+function registerEmitEvidenceCommand(program) {
+  program.command("emit-evidence").description(
+    "Wrap a gate-result envelope into a signed in-toto Statement v1 (https://evals.intentsolutions.io/gate-result/v1)"
+  ).option("--input <path>", "Read gate-result JSON from <path> instead of stdin").option("--output <path>", "Write Statement to <path> instead of stdout").option(
+    "--runner-version <ver>",
+    'Override runner identifier (default: "j-rig@<package version>")'
+  ).option("--commit-sha <sha>", "Override commit SHA (default: git rev-parse HEAD)").option("--gate-id <id>", "Direct mode: gate id (e.g. 'j-rig:server:MM-1')").option(
+    "--gate-decision <d>",
+    "Direct mode: pass|fail|advisory|error (or NOT_APPLICABLE for backward-compat; routes to coverage.dimensions_skipped)"
+  ).option(
+    "--gate-name <name>",
+    "Direct mode: gate name in lowercase kebab-case (e.g. 'coverage-check')"
+  ).option("--gate-version <ver>", "Direct mode: gate SemVer (e.g. '2.0.0')").option(
+    "--gate-reason <reason>",
+    "Direct mode: reason string (repeatable; at least one for non-pass decisions)",
+    (val, acc) => {
+      acc.push(val);
+      return acc;
+    },
+    []
+  ).option(
+    "--coverage-evaluated <dim>",
+    "Direct mode: dimension that was evaluated (repeatable)",
+    (val, acc) => {
+      acc.push(val);
+      return acc;
+    },
+    []
+  ).option(
+    "--coverage-skipped <dim>",
+    "Direct mode: dimension that was skipped / not applicable (repeatable)",
+    (val, acc) => {
+      acc.push(val);
+      return acc;
+    },
+    []
+  ).option("--policy-ref <ref>", "Direct mode: policy reference sha256:<hex>:<path>").option("--input-hash <h>", "Direct mode: sha256:<64-hex>").option("--policy-hash <h>", "Direct mode: sha256:<64-hex>").option("--failure-mode <m>", "Direct mode: failure_mode (when gate-decision=fail)").option("--advisory-severity <s>", "Direct mode: info|warn|error (when gate-decision=advisory)").option("--metadata <json>", "Direct mode: free-form metadata as a JSON object string").option(
+    "--sign",
+    "Sign the Statement via cosign (requires --key OR --keyless). Without this flag, emits unsigned Statement."
+  ).option("--key <ref>", "cosign key reference (file path, KMS URI, etc). Implies --sign.").option(
+    "--keyless",
+    "cosign keyless signing via Fulcio OIDC (requires terminal). Implies --sign."
+  ).option(
+    "--rekor-url [url]",
+    "Push the signed attestation to Rekor at <url> (defaults to https://rekor.sigstore.dev when flag is used without a value). Implies --sign."
+  ).option(
+    "--predicate-body-only",
+    "Plain (unsigned) mode: emit ONLY the predicate body instead of the full v1 Statement. The signing path ALWAYS sends the predicate body to cosign (which wraps it in its own Statement envelope) unless --full-statement is given."
+  ).option(
+    "--full-statement",
+    "Signing mode: pass the full pre-formed in-toto Statement to cosign's --predicate instead of the predicate body. cosign attest-blob will then NEST it inside its own Statement (double-wrapped); only for consumers that expect the nested form."
+  ).option("--cosign-bin <path>", "Path to cosign binary (default: cosign on PATH).", "cosign").option(
+    "--artifact <path>",
+    "Path to the artifact whose sha256 must equal predicate.input_hash. Required when --sign is requested so the DSSE envelope's subject digest is cryptographically bound to the gate's input. Without this, the link between attestation and artifact cannot be verified by standard tooling."
+  ).action(async (opts) => {
+    try {
+      const composed = await buildComposeInput(opts);
+      const statement = composeStatement(composed);
+      if (process.env.AUDIT_HARNESS_OTEL === "1" || process.env.OTEL_EXPORTER_OTLP_ENDPOINT) {
+        const evt = {
+          name: "agent.rollout.gate.evaluated",
+          attributes: {
+            "gate.id": composed.gateId,
+            "gate.decision": composed.gateDecision,
+            "gate.runner": composed.runner,
+            "gate.commit_sha": composed.commitSha
+          },
+          timestamp: statement.predicate.evaluated_at
+        };
+        process.stderr.write(`[OTEL] ${JSON.stringify(evt)}
+`);
+      }
+      const wantsSigning = opts.sign === true || opts.key !== void 0 || opts.keyless === true || opts.rekorUrl !== void 0;
+      if (!wantsSigning) {
+        const out = opts.predicateBodyOnly ? JSON.stringify(statement.predicate) : serializeStatement(statement);
+        writeOut(out, opts);
+        process.exit(0);
+      }
+      const exitCode = signAndEmit(statement, composed, opts);
+      process.exit(exitCode);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`j-rig emit-evidence: ${msg}
+`);
+      process.exit(1);
+    }
+  });
+}
+function writeOut(content, opts) {
+  if (opts.output) {
+    const outAbs = resolve5(opts.output);
+    if (!existsSync3(dirname(outAbs))) mkdirSync(dirname(outAbs), { recursive: true });
+    writeFileSync(outAbs, content + "\n");
+    process.stderr.write(`emit-evidence: wrote ${outAbs}
+`);
+  } else {
+    process.stdout.write(content + "\n");
+  }
+}
+function signAndEmit(statement, composed, opts) {
+  if (!opts.key && !opts.keyless) {
+    process.stderr.write("j-rig emit-evidence: --sign requires --key <ref> OR --keyless\n");
+    return 1;
+  }
+  if (opts.fullStatement && opts.predicateBodyOnly) {
+    process.stderr.write(
+      "j-rig emit-evidence: --full-statement and --predicate-body-only are mutually exclusive\n"
+    );
+    return 1;
+  }
+  if (!opts.artifact) {
+    process.stderr.write(
+      "j-rig emit-evidence: --sign requires --artifact <path> pointing at the file whose sha256 equals predicate.input_hash. Without --artifact the attestation's subject digest cannot match the predicate, breaking standard verification.\n"
+    );
+    return 1;
+  }
+  const artifactAbs = resolve5(opts.artifact);
+  if (!existsSync3(artifactAbs)) {
+    process.stderr.write(`j-rig emit-evidence: --artifact path does not exist: ${artifactAbs}
+`);
+    return 1;
+  }
+  const artifactBytes = readFileSync4(artifactAbs);
+  const actualHash = `sha256:${createHash3("sha256").update(artifactBytes).digest("hex")}`;
+  if (actualHash !== composed.inputHash) {
+    process.stderr.write(
+      `j-rig emit-evidence: --artifact sha256 mismatch:
+  computed: ${actualHash}
+  predicate.input_hash: ${composed.inputHash}
+The artifact passed to --sign must be the exact file whose hash the gate recorded.
+`
+    );
+    return 1;
+  }
+  const rekorUrlStr = opts.rekorUrl === true ? "https://rekor.sigstore.dev" : typeof opts.rekorUrl === "string" ? opts.rekorUrl : void 0;
+  const tmp = mkdtempSync(join3(tmpdir(), "j-rig-emit-evidence-"));
+  try {
+    const predicatePath = join3(tmp, "predicate.json");
+    const predicateContent = opts.fullStatement ? JSON.stringify(statement, null, 2) : JSON.stringify(statement.predicate, null, 2);
+    writeFileSync(predicatePath, predicateContent);
+    const sigPath = join3(tmp, "attestation.sig");
+    const args = [
+      "attest-blob",
+      "--predicate",
+      predicatePath,
+      "--type",
+      "https://evals.intentsolutions.io/gate-result/v1",
+      "--output-signature",
+      sigPath,
+      `--tlog-upload=${rekorUrlStr || opts.keyless ? "true" : "false"}`
+    ];
+    if (opts.key) args.push("--key", opts.key);
+    else if (opts.keyless) args.push("--yes");
+    if (rekorUrlStr) args.push("--rekor-url", rekorUrlStr);
+    args.push(artifactAbs);
+    const cosignBin = opts.cosignBin ?? "cosign";
+    const result = spawnSync(cosignBin, args, {
+      env: process.env,
+      stdio: ["inherit", "pipe", "pipe"]
+    });
+    if (result.error) {
+      process.stderr.write(
+        `j-rig emit-evidence: failed to spawn cosign (${cosignBin}): ${result.error.message}
+`
+      );
+      return 2;
+    }
+    if (result.status !== 0) {
+      process.stderr.write(
+        `j-rig emit-evidence: cosign signing failed (exit ${result.status}):
+${result.stderr.toString()}
+`
+      );
+      return 3;
+    }
+    const sig = readFileSync4(sigPath, "utf-8").trim();
+    writeOut(sig, opts);
+    process.stderr.write(
+      `emit-evidence: signed envelope emitted${rekorUrlStr ? ` (Rekor: ${rekorUrlStr})` : ""}
+`
+    );
+    return 0;
+  } finally {
+    rmSync(tmp, { recursive: true, force: true });
+  }
+}
+async function buildComposeInput(opts) {
+  const runner = opts.runnerVersion ?? DEFAULT_RUNNER_VERSION;
+  const commitSha = opts.commitSha ?? safeGitHead();
+  if (opts.gateId || opts.gateDecision || opts.gateName || opts.gateVersion || opts.policyRef || opts.inputHash || opts.policyHash) {
+    const missing2 = [];
+    if (!opts.gateId) missing2.push("--gate-id");
+    if (!opts.gateDecision) missing2.push("--gate-decision");
+    if (!opts.inputHash) missing2.push("--input-hash");
+    if (!opts.policyHash) missing2.push("--policy-hash");
+    if (!opts.gateName) missing2.push("--gate-name");
+    if (!opts.gateVersion) missing2.push("--gate-version");
+    if (!opts.policyRef) missing2.push("--policy-ref");
+    if (missing2.length) {
+      throw new Error(`direct mode requires: ${missing2.join(", ")}`);
+    }
+    return buildFromDirectFlags(opts, runner, commitSha);
+  }
+  const raw = await readInputJson(opts.input);
+  if (!raw) {
+    throw new Error(
+      "no input received \u2014 pipe a gate-result JSON envelope on stdin OR pass --input <path> OR use direct-mode flags"
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`input is not valid JSON: ${err.message}`);
+  }
+  const required = ["gate_id", "input_hash", "policy_hash"];
+  const missing = required.filter((k) => !(k in parsed));
+  if (!("gate_decision" in parsed) && !("result" in parsed)) {
+    missing.push("gate_decision");
+  }
+  if (!("gate_name" in parsed)) missing.push("gate_name");
+  if (!("gate_version" in parsed)) missing.push("gate_version");
+  if (!("gate_reasons" in parsed)) missing.push("gate_reasons");
+  if (!("policy_ref" in parsed)) missing.push("policy_ref");
+  if (missing.length) {
+    throw new Error(
+      `gate-result envelope missing required v2 field(s): ${missing.join(", ")}. A v1-shaped envelope (lacking gate_name/gate_version/gate_reasons/policy_ref) must be re-emitted via the gate that produced it with the --gate-name/--gate-version/--gate-reasons/--policy-ref flags set. Pipeline mode will not synthesize these fields because doing so produces fabricated provenance in the signed statement.`
+    );
+  }
+  const rawDecision = "gate_decision" in parsed ? String(parsed.gate_decision) : mapV1ResultToV2Decision(String(parsed.result ?? ""));
+  const { gateDecision, extraSkipped, extraReasons } = resolveDecision(rawDecision);
+  const coverageObj = parsed.coverage && typeof parsed.coverage === "object" ? parsed.coverage : void 0;
+  const coverageEvaluated = Array.isArray(coverageObj?.dimensions_evaluated) ? coverageObj.dimensions_evaluated : Array.isArray(parsed.coverage_evaluated) ? parsed.coverage_evaluated : [];
+  const coverageSkipped = [
+    ...extraSkipped,
+    ...Array.isArray(coverageObj?.dimensions_skipped) ? coverageObj.dimensions_skipped : Array.isArray(parsed.coverage_skipped) ? parsed.coverage_skipped : []
+  ];
+  const gateReasons = [
+    ...Array.isArray(parsed.gate_reasons) ? parsed.gate_reasons : [],
+    ...extraReasons
+  ];
+  return {
+    gateId: String(parsed.gate_id),
+    gateDecision,
+    gateName: String(parsed.gate_name),
+    gateVersion: String(parsed.gate_version),
+    gateReasons,
+    coverage: { dimensionsEvaluated: coverageEvaluated, dimensionsSkipped: coverageSkipped },
+    policyRef: String(parsed.policy_ref),
+    policyHash: String(parsed.policy_hash),
+    inputHash: String(parsed.input_hash),
+    runner,
+    commitSha,
+    metadata: parsed.metadata,
+    failureMode: parsed.failure_mode,
+    advisorySeverity: typeof parsed.advisory_severity === "string" ? parseSeverity(parsed.advisory_severity) : void 0
+  };
+}
+function buildFromDirectFlags(opts, runner, commitSha) {
+  const rawDecision = opts.gateDecision;
+  const { gateDecision, extraSkipped, extraReasons } = resolveDecision(rawDecision);
+  const coverageSkipped = [...extraSkipped, ...opts.coverageSkipped ?? []];
+  const gateReasons = [...opts.gateReason ?? [], ...extraReasons];
+  return {
+    gateId: opts.gateId,
+    gateDecision,
+    gateName: opts.gateName,
+    gateVersion: opts.gateVersion,
+    gateReasons,
+    coverage: {
+      dimensionsEvaluated: opts.coverageEvaluated ?? [],
+      dimensionsSkipped: coverageSkipped
+    },
+    policyRef: opts.policyRef,
+    policyHash: opts.policyHash,
+    inputHash: opts.inputHash,
+    runner,
+    commitSha,
+    metadata: opts.metadata ? parseMetadata(opts.metadata) : void 0,
+    failureMode: opts.failureMode,
+    advisorySeverity: opts.advisorySeverity ? parseSeverity(opts.advisorySeverity) : void 0
+  };
+}
+var NOT_APPLICABLE_SKIPPED_TOKEN = "__not_applicable__";
+function resolveDecision(raw) {
+  if (raw === NOT_APPLICABLE_SENTINEL || raw.toUpperCase() === NOT_APPLICABLE_SENTINEL) {
+    return {
+      gateDecision: "pass",
+      extraSkipped: [NOT_APPLICABLE_SKIPPED_TOKEN],
+      extraReasons: ["routed from NOT_APPLICABLE per DR-018 \xA7279 \u2014 non-verdict, not a pass"]
+    };
+  }
+  return { gateDecision: parseDecision(raw), extraSkipped: [], extraReasons: [] };
+}
+function mapV1ResultToV2Decision(v1) {
+  switch (v1.toUpperCase()) {
+    case "PASS":
+      return "pass";
+    case "FAIL":
+      return "fail";
+    case "ADVISORY":
+      return "advisory";
+    case "NOT_APPLICABLE":
+      return NOT_APPLICABLE_SENTINEL;
+    default:
+      return v1.toLowerCase();
+  }
+}
+function parseDecision(s) {
+  const check = GateResultEnum.safeParse(s);
+  if (!check.success) {
+    throw new Error(
+      `invalid gate_decision '${s}' (expected one of: ${GateResultEnum.options.join(", ")})`
+    );
+  }
+  return check.data;
+}
+function parseSeverity(s) {
+  const check = AdvisorySeverityEnum.safeParse(s);
+  if (!check.success) {
+    throw new Error(
+      `invalid advisory_severity '${s}' (expected one of: ${AdvisorySeverityEnum.options.join(", ")})`
+    );
+  }
+  return check.data;
+}
+function parseMetadata(s) {
+  try {
+    const obj = JSON.parse(s);
+    if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
+      throw new Error("metadata must be a JSON object");
+    }
+    return obj;
+  } catch (err) {
+    throw new Error(`--metadata is not a valid JSON object: ${err.message}`);
+  }
+}
+async function readInputJson(inputPath) {
+  if (inputPath) {
+    return readFileSync4(resolve5(inputPath), "utf-8");
+  }
+  if (process.stdin.isTTY) {
+    return "";
+  }
+  return new Promise((resolveP, rejectP) => {
+    const chunks = [];
+    process.stdin.on("data", (c) => chunks.push(Buffer.from(c)));
+    process.stdin.on("end", () => resolveP(Buffer.concat(chunks).toString("utf-8")));
+    process.stdin.on("error", rejectP);
+  });
+}
+function safeGitHead() {
+  try {
+    return execSync("git rev-parse HEAD", { stdio: ["ignore", "pipe", "ignore"] }).toString().trim();
+  } catch {
+    process.stderr.write(
+      "j-rig emit-evidence: warning: could not resolve git HEAD (not a git repository?); embedding sentinel commit_sha '0000000' \u2014 pass --commit-sha to record the real commit\n"
+    );
+    return "0000000";
+  }
+}
+
+// src/commands/parse-agents.ts
+import { readFileSync as readFileSync5 } from "fs";
+import { resolve as resolve6 } from "path";
+import chalk7 from "chalk";
+function registerParseAgentsCommand(program) {
+  program.command("parse-agents").description("Parse an AGENTS.md file into a typed structure").argument("[file]", "Path to AGENTS.md", "AGENTS.md").option("--json", "Output the full parsed structure as JSON").action((file, opts) => {
+    process.exit(runParseAgents(file, opts));
+  });
+}
+function runParseAgents(file, opts) {
+  let content;
+  try {
+    content = readFileSync5(resolve6(file), "utf-8");
+  } catch (err) {
+    console.error(`Error: ${err instanceof Error ? err.message : err}`);
+    return 1;
+  }
+  const result = parseAgentsMd(content);
+  if (opts.json) {
+    console.log(
+      JSON.stringify(
+        {
+          ok: result.success,
+          data: result.success ? result.data : null,
+          errors: result.success ? [] : result.errors
+        },
+        null,
+        2
+      )
+    );
+    return result.success ? 0 : 1;
+  }
+  if (!result.success) {
+    console.error(chalk7.red(`\u2717 Failed to parse ${file}:`));
+    for (const e of result.errors) {
+      console.error(`  ${e.path || "<root>"}: ${e.message}`);
+    }
+    return 1;
+  }
+  const d = result.data;
+  console.log(chalk7.green(`\u2713 Parsed ${file}`));
+  console.log(`  Title: ${d.title || chalk7.dim("(none)")}`);
+  console.log(`  Sections: ${d.sections.length}`);
+  const commandKinds = Object.keys(d.commands);
+  if (commandKinds.length > 0) {
+    console.log(`  Commands:`);
+    for (const kind of commandKinds) {
+      const cmds = d.commands[kind] ?? [];
+      console.log(`    ${kind}: ${cmds.length} command${cmds.length === 1 ? "" : "s"}`);
+    }
+  }
+  if (d.tools.length > 0) console.log(`  Tools: ${d.tools.length}`);
+  if (d.capabilities.length > 0) console.log(`  Capabilities: ${d.capabilities.length}`);
+  if (d.constraints.length > 0) console.log(`  Constraints: ${d.constraints.length}`);
+  return 0;
+}
+
+// src/commands/migrate.ts
+import { resolve as resolve7 } from "path";
+import chalk8 from "chalk";
+
+// ../migrate/dist/index.js
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync2, readdirSync, statSync as statSync2 } from "fs";
+import { join as join4 } from "path";
+var NOT_APPLICABLE_TOKEN = "__not_applicable__";
+var NOT_APPLICABLE_REASON = "routed from NOT_APPLICABLE per DR-018 \xA7279 \u2014 non-verdict, not a pass";
+var MIGRATED_NON_PASS_REASON = "migrated from v1 result field \u2014 original row predated gate_reasons requirement";
+var V1_DECISION_MAP = {
+  PASS: "pass",
+  FAIL: "fail",
+  ADVISORY: "advisory"
+};
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function migrateBundle(input) {
+  if (Array.isArray(input)) {
+    const rows = [];
+    const migrated = input.map((row, index) => {
+      const r = migrateStatement(row, index);
+      rows.push(r.report);
+      return r.value;
+    });
+    return { migrated, rows, changed: rows.some((r) => r.outcome === "migrated") };
+  }
+  if (isObject(input) && Array.isArray(input.rows)) {
+    const rows = [];
+    const migratedRows = input.rows.map((row, index) => {
+      const r = migrateStatement(row, index);
+      rows.push(r.report);
+      return r.value;
+    });
+    const migrated = { ...input, rows: migratedRows };
+    return { migrated, rows, changed: rows.some((r) => r.outcome === "migrated") };
+  }
+  const single = migrateStatement(input, 0);
+  return {
+    migrated: single.value,
+    rows: [single.report],
+    changed: single.report.outcome === "migrated"
+  };
+}
+function migrateStatement(input, index) {
+  if (!isObject(input) || !isObject(input.predicate)) {
+    return {
+      value: input,
+      report: { index, outcome: "not-a-statement", gateId: null, note: null }
+    };
+  }
+  const predicate = input.predicate;
+  const gateId = typeof predicate.gate_id === "string" ? predicate.gate_id : null;
+  if ("gate_decision" in predicate) {
+    return {
+      value: input,
+      report: { index, outcome: "already-v2", gateId, note: null }
+    };
+  }
+  if (!("result" in predicate)) {
+    return {
+      value: input,
+      report: {
+        index,
+        outcome: "error",
+        gateId,
+        note: "predicate has neither gate_decision (v2) nor result (v1) \u2014 cannot migrate"
+      }
+    };
+  }
+  const migrated = migratePredicate(predicate);
+  if (migrated.error !== null) {
+    return {
+      value: input,
+      report: { index, outcome: "error", gateId, note: migrated.error }
+    };
+  }
+  return {
+    value: { ...input, predicate: migrated.predicate },
+    report: { index, outcome: "migrated", gateId, note: migrated.note }
+  };
+}
+function migratePredicate(v1) {
+  const rawResult = v1.result;
+  if (typeof rawResult !== "string") {
+    return {
+      predicate: v1,
+      error: `v1 'result' must be a string (got ${typeof rawResult})`,
+      note: null
+    };
+  }
+  const gateReasons = Array.isArray(v1.gate_reasons) ? v1.gate_reasons.filter((r) => typeof r === "string") : [];
+  const dimsEvaluated = [];
+  const dimsSkipped = [];
+  let note = null;
+  let gateDecision;
+  if (rawResult === "NOT_APPLICABLE") {
+    gateDecision = "pass";
+    dimsSkipped.push(NOT_APPLICABLE_TOKEN);
+    gateReasons.push(NOT_APPLICABLE_REASON);
+    note = "routed NOT_APPLICABLE via coverage.dimensions_skipped";
+  } else {
+    const mapped = V1_DECISION_MAP[rawResult];
+    if (mapped === void 0) {
+      return {
+        predicate: v1,
+        error: `unknown v1 result value '${rawResult}' (expected PASS|FAIL|ADVISORY|NOT_APPLICABLE)`,
+        note: null
+      };
+    }
+    gateDecision = mapped;
+    if (gateDecision !== "pass" && gateReasons.length === 0) {
+      gateReasons.push(MIGRATED_NON_PASS_REASON);
+    }
+  }
+  const gateId = typeof v1.gate_id === "string" ? v1.gate_id : "";
+  const runner = typeof v1.runner === "string" ? v1.runner : "";
+  const v2 = {
+    gate_id: gateId,
+    gate_name: deriveGateName(gateId),
+    gate_version: deriveGateVersion(runner),
+    gate_decision: gateDecision,
+    gate_reasons: gateReasons,
+    coverage: {
+      dimensions_evaluated: dimsEvaluated,
+      dimensions_skipped: dimsSkipped
+    },
+    policy_ref: derivePolicyRef(v1.policy_hash),
+    policy_hash: v1.policy_hash,
+    input_hash: v1.input_hash,
+    // RENAME: timestamp → evaluated_at (value unchanged).
+    evaluated_at: v1.timestamp,
+    runner: v1.runner,
+    commit_sha: v1.commit_sha
+  };
+  if ("metadata" in v1) v2.metadata = v1.metadata;
+  if ("failure_mode" in v1) v2.failure_mode = v1.failure_mode;
+  if ("advisory_severity" in v1) v2.advisory_severity = v1.advisory_severity;
+  return { predicate: v2, error: null, note };
+}
+function deriveGateName(gateId) {
+  const parts = gateId.split(":");
+  const last = parts.length >= 3 ? parts[parts.length - 1] : "";
+  const kebab = last.replace(/([a-z0-9])([A-Z])/g, "$1-$2").toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  return kebab.length > 0 ? kebab : "migrated-gate";
+}
+function deriveGateVersion(runner) {
+  const m = runner.match(/@(\d+\.\d+\.\d+(?:-[A-Za-z0-9.-]+)?(?:\+[A-Za-z0-9.-]+)?)$/);
+  return m ? m[1] : "0.0.0";
+}
+function derivePolicyRef(policyHash) {
+  if (typeof policyHash === "string" && policyHash.startsWith("sha256:")) {
+    return `${policyHash}:unknown`;
+  }
+  return `sha256:${"0".repeat(64)}:unknown`;
+}
+var DEFAULT_INCLUDE = (p) => p.endsWith(".json");
+function runCodemod(dir, fs, options = {}) {
+  const include = options.include ?? DEFAULT_INCLUDE;
+  const doWrite = options.write === true;
+  const files = [];
+  for (const path of fs.walk(dir)) {
+    if (!include(path)) continue;
+    files.push(migrateFile(path, fs, doWrite));
+  }
+  return {
+    files,
+    changedCount: files.filter((f) => f.changed).length,
+    errorCount: files.filter((f) => f.parseError !== null).length
+  };
+}
+function migrateFile(path, fs, doWrite) {
+  const original = fs.read(path);
+  let parsed;
+  try {
+    parsed = JSON.parse(original);
+  } catch (err) {
+    return {
+      path,
+      changed: false,
+      parseError: err instanceof Error ? err.message : String(err),
+      rows: [],
+      diff: "",
+      written: false
+    };
+  }
+  const result = migrateBundle(parsed);
+  if (!result.changed) {
+    return { path, changed: false, parseError: null, rows: result.rows, diff: "", written: false };
+  }
+  const trailingNewline = original.endsWith("\n") ? "\n" : "";
+  const next = JSON.stringify(result.migrated, null, 2) + trailingNewline;
+  const diff = unifiedDiff(path, original, next);
+  let written = false;
+  if (doWrite) {
+    fs.write(path, next);
+    written = true;
+  }
+  return { path, changed: true, parseError: null, rows: result.rows, diff, written };
+}
+function unifiedDiff(path, before, after) {
+  const a = before.split("\n");
+  const b = after.split("\n");
+  const lines = [`--- a/${path}`, `+++ b/${path}`];
+  const max = Math.max(a.length, b.length);
+  for (let i = 0; i < max; i++) {
+    const la = a[i];
+    const lb = b[i];
+    if (la === lb) {
+      if (la !== void 0) lines.push(` ${la}`);
+      continue;
+    }
+    if (la !== void 0) lines.push(`-${la}`);
+    if (lb !== void 0) lines.push(`+${lb}`);
+  }
+  return lines.join("\n");
+}
+var nodeFs = {
+  walk(dir) {
+    const out = [];
+    walkInto(dir, out);
+    return out.sort();
+  },
+  read(path) {
+    return readFileSync6(path, "utf-8");
+  },
+  write(path, content) {
+    writeFileSync2(path, content);
+  }
+};
+function walkInto(dir, out) {
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (entry === "node_modules" || entry === ".git") continue;
+    const full = join4(dir, entry);
+    let isDir = false;
+    try {
+      isDir = statSync2(full).isDirectory();
+    } catch {
+      continue;
+    }
+    if (isDir) {
+      walkInto(full, out);
+    } else {
+      out.push(full);
+    }
+  }
+}
+
+// src/commands/migrate.ts
+function registerMigrateCommand(program) {
+  program.command("migrate").description("Rewrite v0.1.0-draft Evidence Bundle fixtures to the v2.0 gate-result/v1 shape").argument("<dir>", "Directory to scan for *.json Evidence Bundle fixtures").option("--write", "Apply the migration in place (default: dry run / diff only)").option("--json", "Output the per-file report as JSON").action((dir, opts) => {
+    process.exit(runMigrate(dir, opts));
+  });
+}
+function runMigrate(dir, opts) {
+  let result;
+  const target = resolve7(dir);
+  try {
+    result = runCodemod(target, nodeFs, { write: opts.write === true });
+  } catch (err) {
+    console.error(`Error: ${err instanceof Error ? err.message : err}`);
+    return 1;
+  }
+  if (opts.json) {
+    console.log(
+      JSON.stringify(
+        {
+          dir: target,
+          wrote: opts.write === true,
+          changedCount: result.changedCount,
+          errorCount: result.errorCount,
+          files: result.files.map((f) => ({
+            path: f.path,
+            changed: f.changed,
+            written: f.written,
+            parseError: f.parseError,
+            rows: f.rows
+          }))
+        },
+        null,
+        2
+      )
+    );
+    return result.errorCount > 0 ? 1 : 0;
+  }
+  if (result.files.length === 0) {
+    console.log(chalk8.yellow(`No JSON fixtures found under ${target}`));
+    return 0;
+  }
+  for (const f of result.files) {
+    if (f.parseError !== null) {
+      console.error(chalk8.red(`\u2717 ${f.path}: parse error \u2014 ${f.parseError}`));
+      continue;
+    }
+    if (!f.changed) continue;
+    console.log(
+      opts.write ? chalk8.green(`\u2713 migrated ${f.path}`) : chalk8.cyan(`~ would migrate ${f.path}`)
+    );
+    if (!opts.write) console.log(f.diff);
+  }
+  const verb = opts.write ? "migrated" : "would migrate";
+  console.log(
+    `
+${result.changedCount} file(s) ${verb}` + (result.errorCount > 0 ? chalk8.red(`, ${result.errorCount} parse error(s)`) : "") + (opts.write ? "" : chalk8.dim("  (dry run \u2014 pass --write to apply)"))
+  );
+  return result.errorCount > 0 ? 1 : 0;
+}
+
+// src/commands/skill-signals.ts
+import chalk9 from "chalk";
+function collectCass(opts) {
+  return {
+    testsPassed: opts.testsPassed === true,
+    clearResolution: opts.clearResolution === true,
+    codeChanges: opts.codeChanges === true,
+    userConfirmed: opts.userConfirmed === true,
+    backtracking: opts.backtracking === true,
+    abandoned: opts.abandoned === true
+  };
+}
+function registerSkillSignalCommands(program) {
+  program.command("ingest-skill").description(
+    "Record one CASS-gated skill usage event (verified-session-gated; never raw loads)"
+  ).argument("<skill-id>", "kebab-slug skill id the usage is for").requiredOption("--session-id <id>", "Opaque id of the CASS-gated session").option(
+    "--source <ci|plugin>",
+    "Provenance: ci (gate-anchored, trusted) | plugin (unverified)",
+    "plugin"
+  ).option("--tests-passed", "CASS signal: tests ran and passed (+0.25)").option("--clear-resolution", "CASS signal: session reached a clear resolution (+0.25)").option("--code-changes", "CASS signal: session produced code changes (+0.15)").option("--user-confirmed", "CASS signal: user confirmed the result was useful (+0.15)").option("--backtracking", "CASS signal: session involved backtracking (-0.10)").option("--abandoned", "CASS signal: session was abandoned (-0.20)").option("--tenant <id>", "Tenant bucket (omit for the single-tenant/global bucket)").option("--db <path>", "SQLite DB path", "j-rig.db").option("--json", "Output as JSON").action(
+    (skillId, opts) => {
+      try {
+        const source = (opts.source ?? "plugin").trim().toLowerCase();
+        if (source !== "ci" && source !== "plugin") {
+          console.error(`Error: --source must be 'ci' or 'plugin' (got '${opts.source}')`);
+          process.exit(1);
+        }
+        const cass = collectCass(opts);
+        const database = openDb(opts.db);
+        try {
+          const rec = recordSkillUsage(database, {
+            skillId,
+            sessionId: opts.sessionId,
+            source,
+            cass,
+            ...opts.tenant !== void 0 ? { tenantId: opts.tenant } : {},
+            // Timestamp at the I/O edge — the CLI is the wall-clock boundary; the
+            // persistence + rollup layers stay deterministic on injected values.
+            recordedAt: (/* @__PURE__ */ new Date()).toISOString()
+          });
+          if (opts.json) {
+            console.log(JSON.stringify(rec, null, 2));
+            return;
+          }
+          console.log(header(`j-rig ingest-skill: ${skillId}`));
+          console.log(
+            `  CASS: ${rec.cassScore.toFixed(2)} (threshold ${CASS_PASS_THRESHOLD}) \u2014 ` + (rec.cassPassed ? `${icon("pass")} PASS \u2014 counts toward verified adoption` : `${icon("warning")} FAIL \u2014 persisted but EXCLUDED from adoption (anti-gaming)`)
+          );
+          console.log(
+            `  source: ${rec.source}${rec.tenantId ? ` | tenant: ${rec.tenantId}` : ""}`
+          );
+          if (!rec.cassPassed) {
+            console.log(
+              chalk9.dim(
+                "  Note: a low-quality session is recorded but never counted. There is no force-count flag."
+              )
+            );
+          }
+        } finally {
+          database.close();
+        }
+      } catch (err) {
+        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+    }
+  );
+  program.command("review").description(
+    "Record a curated-signal human thumb + open-ended rationale (NOT a signed predicate)"
+  ).argument("<skill-id>", "kebab-slug skill id the review is for").requiredOption("--verdict <up|down>", "Coarse thumb: up | down").option("--rationale <text>", "Open-ended free-text rationale (non-comparable; never parsed)").option("--reviewer <id>", "Reviewer identity (email/handle)", "unknown").option("--tenant <id>", "Tenant bucket (omit for the single-tenant/global bucket)").option("--db <path>", "SQLite DB path", "j-rig.db").option("--json", "Output as JSON").action(
+    (skillId, opts) => {
+      try {
+        const v = opts.verdict.trim().toLowerCase();
+        if (v !== "up" && v !== "down") {
+          console.error(`Error: --verdict must be 'up' or 'down' (got '${opts.verdict}')`);
+          process.exit(1);
+        }
+        const database = openDb(opts.db);
+        try {
+          const rec = recordSkillReview(database, {
+            skillId,
+            thumbsUp: v === "up",
+            ...opts.rationale !== void 0 ? { rationale: opts.rationale } : {},
+            reviewer: opts.reviewer,
+            ...opts.tenant !== void 0 ? { tenantId: opts.tenant } : {},
+            recordedAt: (/* @__PURE__ */ new Date()).toISOString()
+          });
+          if (opts.json) {
+            console.log(JSON.stringify(rec, null, 2));
+            return;
+          }
+          console.log(header(`j-rig review: ${skillId}`));
+          console.log(
+            `  ${rec.thumbsUp ? icon("pass") : icon("error")} thumb ${rec.thumbsUp ? "up" : "down"} by ${rec.reviewer} (${rec.governanceClass})`
+          );
+          if (rec.rationale) console.log(`  rationale: ${rec.rationale}`);
+          console.log(
+            chalk9.dim(
+              "  Note: curated-signal \u2014 NOT a signed human-review/v1 predicate, never a trust root."
+            )
+          );
+        } finally {
+          database.close();
+        }
+      } catch (err) {
+        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+    }
+  );
+}
+
+// src/index.ts
+import { registerRefineCommand } from "@intentsolutions/refiner";
+function createProgram() {
+  const program = new Command();
+  program.name("j-rig").description("Seven-layer binary evaluation harness for Claude Skills").version("0.1.0");
+  registerCheckCommand(program);
+  registerValidateCommand(program);
+  registerEvalCommand(program);
+  registerReportCommand(program);
+  registerOptimizeCommand(program);
+  registerDriftCommand(program);
+  registerEmitEvidenceCommand(program);
+  registerParseAgentsCommand(program);
+  registerMigrateCommand(program);
+  registerSkillSignalCommands(program);
+  registerRefineCommand(program);
+  return program;
+}
+function main(argv) {
+  const program = createProgram();
+  program.parse(argv ?? process.argv);
+}
+var isDirectRun = process.argv[1]?.endsWith("index.js") || process.argv[1]?.endsWith("index.ts") || process.argv[1]?.endsWith("j-rig");
+if (isDirectRun) {
+  main();
+}
+export {
+  main
+};