@kontourai/flow-agents 2.1.0 → 2.1.1

package/.github/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -99,7 +99,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -160,7 +160,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -292,7 +292,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

package/.github/workflows/docs-pages.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Configure Pages
         uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0

package/.github/workflows/kit-gates-demo.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -103,7 +103,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

package/.github/workflows/publish-npm.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
 
@@ -58,7 +58,7 @@ jobs:
       id-token: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
 

package/.github/workflows/runtime-compat.yml

@@ -37,7 +37,7 @@ jobs:
             version: pi --version
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -67,7 +67,7 @@ jobs:
     timeout-minutes: 20
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

package/.github/workflows/trust-reconcile.yml

@@ -62,7 +62,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [2.1.1](https://github.com/kontourai/flow-agents/compare/v2.1.0...v2.1.1) (2026-06-29)
+
+
+### Refactoring
+
+* **flow-agents:** one shared module for command-log chain helpers (ops[#20](https://github.com/kontourai/flow-agents/issues/20)) ([#249](https://github.com/kontourai/flow-agents/issues/249)) ([67af85f](https://github.com/kontourai/flow-agents/commit/67af85f5010dace3f33b36b86245e0c7aad95f77))
+
 ## [2.1.0](https://github.com/kontourai/flow-agents/compare/v2.0.1...v2.1.0) (2026-06-29)
 
 

package/evals/integration/test_gate_lockdown.sh

@@ -790,6 +790,15 @@ echo "=== AC3.1 — Surface unavailable fail-closed ==="
 echo ""
 echo "--- AC3.1a: Isolated (no @kontourai/surface) with high-impact claim → BLOCKS ---"
 
+# The gate imports the shared scripts/lib/command-log-chain.js helpers. A real
+# install rsyncs the whole tree, so the lib always sits beside the hooks. Mirror that:
+# the isolated gates live at "$TMP/surface-iso*/stop-goal-fit.js", so "../lib" resolves
+# to "$TMP/lib" for both. This keeps the test exercising surface-unavailable fail-closed
+# (not a spurious module-not-found crash).
+ISO_LIBDIR="$TMP/lib"
+mkdir -p "$ISO_LIBDIR"
+cp "$ROOT/scripts/lib/command-log-chain.js" "$ISO_LIBDIR/"
+
 # Create isolated node context that can't find @kontourai/surface
 ISO_DIR="$TMP/surface-iso"
 mkdir -p "$ISO_DIR/repo/.flow-agents/surftest"
@@ -1014,13 +1023,19 @@ else
 fi
 
 echo ""
-echo "--- AC3.3c: Both files use the SAME genesis constant value ---"
-genesis_ec=$(grep "const CHAIN_GENESIS = " "$ROOT/scripts/hooks/evidence-capture.js" | sed "s/.*= '//;s/'.*//")
-genesis_sg=$(grep "const CHAIN_GENESIS_VERIFY = " "$ROOT/scripts/hooks/stop-goal-fit.js" | sed "s/.*= '//;s/'.*//")
-if [ "$genesis_ec" = "$genesis_sg" ] && [ -n "$genesis_ec" ]; then
-  _pass "AC3.3: Both files use the same genesis constant ($genesis_ec)"
+echo "--- AC3.3c: genesis is single-sourced and imported by writer + verifier (cannot diverge) ---"
+# Stronger than the old "two literals match" check: the genesis literal now lives in
+# exactly ONE module, and both the writer and verifier import it — so divergence is
+# structurally impossible rather than merely currently-equal.
+genesis_lib=$(grep "const CHAIN_GENESIS = " "$ROOT/scripts/lib/command-log-chain.js" | sed "s/.*= '//;s/'.*//")
+if [ -n "$genesis_lib" ] \
+   && grep -q "require.*command-log-chain" "$ROOT/scripts/hooks/evidence-capture.js" \
+   && grep -q "require.*command-log-chain" "$ROOT/scripts/hooks/stop-goal-fit.js" \
+   && ! grep -qE "const CHAIN_GENESIS = '" "$ROOT/scripts/hooks/evidence-capture.js" \
+   && ! grep -qE "const CHAIN_GENESIS_VERIFY = '" "$ROOT/scripts/hooks/stop-goal-fit.js"; then
+  _pass "AC3.3: genesis single-sourced in scripts/lib/command-log-chain.js ($genesis_lib); writer + verifier import it, no divergent literal"
 else
-  _fail "AC3.3: Genesis constant mismatch: evidence-capture=$genesis_ec stop-goal-fit=$genesis_sg"
+  _fail "AC3.3: genesis not single-sourced (lib='$genesis_lib') or a divergent literal remains in a consumer"
 fi
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kontourai/flow-agents",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Flow Agents — a Kontour product that applies Flow and Veritas discipline as a portable process layer inside the agent tools you already use: Claude Code, Codex, Kiro, opencode, pi, and GitHub Actions — with framework adapters (AWS Strands preview) on the same policy-engine contract.",
   "keywords": [
     "agents",

package/scripts/ci/trust-reconcile.js

@@ -61,6 +61,10 @@ const { spawnSync } = require('child_process');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
+// One normative definition shared with scripts/hooks/stop-goal-fit.js — the local
+// copy here had drifted (it was missing the trailing `/bin/true` check), which is
+// exactly why this is now imported rather than duplicated.
+const { hasLaunderingOperator } = require('../lib/command-log-chain.js');
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -80,29 +84,9 @@ function isPassingValue(v) {
   return v === true || v === 1 || v === 'true' || v === 'pass';
 }
 
-/**
- * Returns true when a command string contains an exit-code-laundering operator.
- * These operators mask real exit codes so the real sub-command may have failed silently.
- *
- * Rules (applied to claimed verification commands only):
- *   - ANY || operator — verify commands must not contain ||. This catches:
- *     || exit 0, || echo ok, || /bin/true, || true, || :, etc.
- *   - ; or newline followed by true / : / exit 0 — trailing success injection
- *
- * NOTE: Logic must stay identical to scripts/hooks/stop-goal-fit.js hasLaunderingOperator.
- * Centralize into a shared module as a follow-up (coordinate-free duplication for now).
- */
-function hasLaunderingOperator(cmd) {
-  // Flag ANY || operator — masks the exit code of the left-hand command.
-  if (/\|\|/.test(cmd)) return true;
-  // Flag ; or newline followed by true / : / exit 0
-  if (/[;\n]\s*true\b/.test(cmd)) return true;
-  if (/[;\n]\s*:\s*(?:$|\s|;|\n)/.test(cmd)) return true;
-  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
-  // Flag pipe to true (pipeline absorbs exit code)
-  if (/\|\s*true\b/.test(cmd)) return true;
-  return false;
-}
+// hasLaunderingOperator is imported from ../lib/command-log-chain.js (above) so this
+// CI reconciler and the stop-goal-fit verifier apply the identical exit-code-mask
+// heuristic — see that module for the rules.
 
 /**
  * Run a single shell command under bash, capturing exit code.

package/scripts/hooks/evidence-capture.js

@@ -62,43 +62,16 @@ const COMMAND_TOOL_NAME = /(^|[^a-z])(bash|shell|sh|exec|run|command|terminal|cm
 
 // ─── Hash-chain integrity (tamper-EVIDENCE) ───────────────────────────────────
 //
-// Genesis prevHash: a fixed arbitrary sentinel used when the log is empty or
-// the last entry has no _chain field (legacy record). This is NOT the SHA256 of
-// any specific input string — it is a fixed constant chosen for the original
-// implementation. (A previous comment incorrectly claimed it was
-// sha256("flow-agents:command-log:genesis"); that is wrong.)
-//
-// Writer (this file, CHAIN_GENESIS) and verifier (stop-goal-fit.js,
-// CHAIN_GENESIS_VERIFY) MUST use the same value. Do not change one without
-// changing the other — existing chained logs depend on this constant.
-//
-// HONEST FRAMING: this makes alteration DETECTABLE, not impossible. An agent
-// that rewrites all hashes can still forge the chain. The real tamper-proof
-// boundary is the signed checkpoint (B1). We do not oversell this boundary.
-const CHAIN_GENESIS = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
-
-/**
- * Stable canonical JSON for the chain input: the record WITHOUT the `_chain`
- * field, keys sorted alphabetically. This ensures the hash is independent of
- * key insertion order and that `_chain` itself does not contribute to its own
- * hash (circular dependency).
- */
-function canonicalJsonForChain(record) {
-  // Strip _chain if present (should not be, but defensive).
-  const keys = Object.keys(record).filter(k => k !== '_chain').sort();
-  const obj = {};
-  for (const k of keys) obj[k] = record[k];
-  return JSON.stringify(obj);
-}
-
-/**
- * Compute the sha256 hex hash for this chain link.
- * hash = sha256(prevHash + canonicalJson(record))
- */
-function computeChainHash(prevHash, record) {
-  const input = prevHash + canonicalJsonForChain(record);
-  return crypto.createHash('sha256').update(input, 'utf8').digest('hex');
-}
+// CHAIN_GENESIS is a fixed arbitrary sentinel — NOT the SHA256 of any specific
+// input string (a previous comment incorrectly claimed sha256("…:genesis")). The
+// writer here and the verifier in stop-goal-fit.js MUST canonicalize and seed
+// identically, so the genesis constant and the canonicalJson/hash helpers live in
+// ONE shared module that both import — divergence is structurally impossible.
+const {
+  CHAIN_GENESIS,
+  canonicalJsonForChain,
+  computeChainHash,
+} = require('../lib/command-log-chain.js');
 
 /**
  * Read the last entry from command-log.jsonl that has a `_chain` block.

package/scripts/hooks/stop-goal-fit.js

@@ -29,6 +29,16 @@ const path = require('path');
 const { spawnSync } = require('child_process');
 const crypto = require('crypto');
 
+// Hash-chain primitives + the exit-code-laundering heuristic come from ONE shared
+// module, so this verifier can never drift from the writer (evidence-capture.js).
+// CHAIN_GENESIS is re-aliased to CHAIN_GENESIS_VERIFY to preserve the long-standing
+// export name consumed by repair-command-log.js and the fork-classification eval.
+const {
+  CHAIN_GENESIS: CHAIN_GENESIS_VERIFY,
+  canonicalJsonForChain,
+  hasLaunderingOperator,
+} = require('../lib/command-log-chain.js');
+
 const MAX_STDIN = 1024 * 1024;
 const ACTIVE_STATUSES = new Set([
   'planning',
@@ -733,36 +743,10 @@ function claimAcknowledgesFailure(status, value) {
     || v === 'fail' || v === 'failed' || v === 'not_verified' || v === 'failing';
 }
 
-/**
- * Returns true when a command string contains an exit-code-neutralizing operator.
- * A claimed-pass check whose captured command uses one of these cannot be accepted as a
- * deterministic pass — the real sub-command may have failed silently.
- *
- * R6 extended logic (identical patterns used by scripts/ci/trust-reconcile.js — centralize
- * as a follow-up if drift becomes a maintenance concern):
- *   - ANY || operator is flagged. A legitimate verification command never needs || — its
- *     only purpose in a verification command is to mask the real exit code (e.g.
- *     `npm test || exit 0`, `npm test || echo ok`, `npm test || /bin/true`, `npm test || (exit 0)`).
- *   - | true  (single pipe into true — always exits 0)
- *   - Trailing ; or newline followed by: true  :  exit 0  /bin/true
- *
- * Fix D: applied in captureCrossReference's satisfied path and capturedFailReconciliation.
- */
-function hasLaunderingOperator(cmd) {
-  // ANY || in a claimed verification command is an exit-code mask.
-  // Legitimate verification commands never need || — its only purpose there is to
-  // suppress the real exit code (|| exit 0, || echo ok, || /bin/true, || (exit 0), etc.).
-  if (/\|\|/.test(cmd)) return true;
-  // | true  — single-pipe into true: `cmd | true` always exits 0 regardless of left-side exit code.
-  if (/\|\s*true\b/.test(cmd)) return true;
-  // Trailing ; or \n followed by exit-neutralizing commands (same threat, appended after the real cmd):
-  //   ; true    ; :    ; exit 0    ; /bin/true    (and \n variants)
-  if (/[;\n]\s*true\b/.test(cmd)) return true;
-  if (/[;\n]\s*:\s*(?:$|\s|;)/.test(cmd)) return true;
-  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
-  if (/[;\n]\s*\/bin\/true\b/.test(cmd)) return true;
-  return false;
-}
+// hasLaunderingOperator (the exit-code-mask heuristic) is imported from
+// ../lib/command-log-chain.js so this verifier and scripts/ci/trust-reconcile.js
+// share one normative definition. Applied in captureCrossReference's satisfied
+// path and capturedFailReconciliation.
 
 // ─── Hash-chain integrity verification (Increment B2, tamper-EVIDENCE) ────────
 //
@@ -786,20 +770,9 @@ function hasLaunderingOperator(cmd) {
 // The genesis prevHash is a fixed arbitrary sentinel — NOT the SHA256 of any
 // specific input string. The comment in evidence-capture.js previously (and
 // incorrectly) claimed it was sha256("flow-agents:command-log:genesis"); it is not.
-// Writer (evidence-capture.js CHAIN_GENESIS) and verifier (CHAIN_GENESIS_VERIFY here)
-// MUST use the same value. Do not change one without changing the other.
-const CHAIN_GENESIS_VERIFY = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
-
-/**
- * Canonical JSON for chain verification: record WITHOUT `_chain`, keys sorted.
- * Must be byte-identical to canonicalJsonForChain() in evidence-capture.js.
- */
-function canonicalJsonForVerify(record) {
-  const keys = Object.keys(record).filter(k => k !== '_chain').sort();
-  const obj = {};
-  for (const k of keys) obj[k] = record[k];
-  return JSON.stringify(obj);
-}
+// Both the genesis (CHAIN_GENESIS_VERIFY, imported above) and the canonical-JSON
+// helper (canonicalJsonForChain) come from ../lib/command-log-chain.js, the single
+// source the writer in evidence-capture.js imports too — so they cannot diverge.
 
 /**
  * Verify the hash chain of command-log.jsonl.
@@ -870,7 +843,7 @@ function verifyCommandLogChain(artifactDir) {
     // (a) Self-consistency. A content edit without rehashing fails here.
     if (typeof chain.prevHash !== 'string') return { status: 'broken', brokenAt: i, forkAt: null };
     const selfHash = crypto.createHash('sha256')
-      .update(chain.prevHash + canonicalJsonForVerify(entry), 'utf8')
+      .update(chain.prevHash + canonicalJsonForChain(entry), 'utf8')
       .digest('hex');
     if (chain.hash !== selfHash) return { status: 'broken', brokenAt: i, forkAt: null };
 

package/scripts/lib/command-log-chain.js

@@ -0,0 +1,73 @@
+'use strict';
+//
+// Single normative source for the command-log hash-chain primitives and the
+// exit-code-laundering heuristic.
+//
+// These were previously copy-pasted across the writer (hooks/evidence-capture.js),
+// the verifier (hooks/stop-goal-fit.js), the repair tool (repair-command-log.js),
+// and CI reconcile (ci/trust-reconcile.js) under "keep byte-identical" comments —
+// the most security-sensitive path in the bundle, since the chain's integrity
+// claim rests on writer and verifier canonicalizing identically. The copies had
+// ALREADY drifted (ci/trust-reconcile's hasLaunderingOperator was missing the
+// trailing `/bin/true` check), which is exactly the failure mode duplication
+// invites. Importing from one module makes that divergence structurally impossible.
+//
+const crypto = require('crypto');
+
+// The genesis prevHash is a FIXED ARBITRARY SENTINEL — NOT the SHA256 of any
+// specific input string. (An earlier comment incorrectly claimed it was
+// sha256("flow-agents:command-log:genesis"); that is wrong.) Writer and verifier
+// MUST share this exact value — existing chained logs depend on it.
+//
+// HONEST FRAMING: this makes alteration DETECTABLE, not impossible. An agent that
+// rewrites all hashes can still forge the chain. The real tamper-proof boundary is
+// the signed checkpoint (B1). We do not oversell this boundary.
+const CHAIN_GENESIS = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
+
+/**
+ * Stable canonical JSON for a chain link: the record WITHOUT its `_chain` field,
+ * keys sorted alphabetically. This makes the hash independent of key insertion
+ * order and keeps `_chain` from contributing to its own hash.
+ */
+function canonicalJsonForChain(record) {
+  const keys = Object.keys(record).filter((k) => k !== '_chain').sort();
+  const obj = {};
+  for (const k of keys) obj[k] = record[k];
+  return JSON.stringify(obj);
+}
+
+/** Chain link hash: sha256(prevHash + canonicalJsonForChain(record)), hex. */
+function computeChainHash(prevHash, record) {
+  return crypto
+    .createHash('sha256')
+    .update(prevHash + canonicalJsonForChain(record), 'utf8')
+    .digest('hex');
+}
+
+/**
+ * True when a claimed verification command contains an exit-code-laundering
+ * operator. Legitimate verification commands never need these — their only
+ * purpose is to suppress a real non-zero exit:
+ *   - ANY `||`             (e.g. `npm test || exit 0`, `|| echo ok`, `|| /bin/true`)
+ *   - `| true`             (pipe into true — the pipeline absorbs the exit code)
+ *   - trailing `; true` / `; :` / `; exit 0` / `; /bin/true` (and `\n` variants)
+ */
+function hasLaunderingOperator(cmd) {
+  // ANY || in a claimed verification command is an exit-code mask.
+  if (/\|\|/.test(cmd)) return true;
+  // | true — single-pipe into true always exits 0 regardless of the left side.
+  if (/\|\s*true\b/.test(cmd)) return true;
+  // Trailing ; or \n followed by an exit-neutralizing command:
+  if (/[;\n]\s*true\b/.test(cmd)) return true;
+  if (/[;\n]\s*:\s*(?:$|\s|;)/.test(cmd)) return true;
+  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
+  if (/[;\n]\s*\/bin\/true\b/.test(cmd)) return true;
+  return false;
+}
+
+module.exports = {
+  CHAIN_GENESIS,
+  canonicalJsonForChain,
+  computeChainHash,
+  hasLaunderingOperator,
+};

package/scripts/repair-command-log.js

@@ -26,17 +26,10 @@ const path = require('path');
 const crypto = require('crypto');
 
 const gate = require(path.join(__dirname, 'hooks', 'stop-goal-fit.js'));
-const GENESIS = gate.CHAIN_GENESIS_VERIFY;
-
-function canon(rec) {
-  const keys = Object.keys(rec).filter((k) => k !== '_chain').sort();
-  const obj = {};
-  for (const k of keys) obj[k] = rec[k];
-  return JSON.stringify(obj);
-}
-function hashLink(prev, rec) {
-  return crypto.createHash('sha256').update(prev + canon(rec), 'utf8').digest('hex');
-}
+// Genesis + canonicalization/hash come from the single shared module, so a repaired
+// chain is re-linked byte-identically to how the writer/verifier compute it.
+const { CHAIN_GENESIS, canonicalJsonForChain, computeChainHash } = require('./lib/command-log-chain.js');
+const GENESIS = CHAIN_GENESIS;
 
 function main() {
   const dir = process.argv[2];
@@ -77,8 +70,8 @@ function main() {
   records.sort((a, b) => {
     const ta = String(a.capturedAt || ''), tb = String(b.capturedAt || '');
     if (ta !== tb) return ta < tb ? -1 : 1;
-    const ha = crypto.createHash('sha256').update(canon(a)).digest('hex');
-    const hb = crypto.createHash('sha256').update(canon(b)).digest('hex');
+    const ha = crypto.createHash('sha256').update(canonicalJsonForChain(a)).digest('hex');
+    const hb = crypto.createHash('sha256').update(canonicalJsonForChain(b)).digest('hex');
     return ha < hb ? -1 : ha > hb ? 1 : 0;
   });
 
@@ -87,7 +80,7 @@ function main() {
   let prev = GENESIS;
   let seq = 0;
   for (const rec of records) {
-    const h = hashLink(prev, rec);
+    const h = computeChainHash(prev, rec);
     out.push(JSON.stringify({ ...rec, _chain: { seq, prevHash: prev, hash: h } }));
     prev = h; seq += 1;
   }
@@ -100,7 +93,7 @@ function main() {
     source: 'chain-repair',
     repair: { reason, entries: records.length, forkAt: verdict.forkAt },
   };
-  const mh = hashLink(prev, marker);
+  const mh = computeChainHash(prev, marker);
   out.push(JSON.stringify({ ...marker, _chain: { seq, prevHash: prev, hash: mh } }));
 
   fs.copyFileSync(file, file + '.prebackup-repair');