@lcv-ideas-software/cross-review 4.2.3 → 4.2.5

package/CHANGELOG.md

@@ -7,6 +7,63 @@ standard `v00.00.00`; npm package versions remain SemVer.
 
 ## [Unreleased]
 
+## [v04.02.05] — 2026-06-05
+
+**Patch — session audit hardening.** This release closes follow-ups from the
+2026-06-05 GitHub/tooling and on-disk session audit: terminal events are now
+durably recorded at the store boundary, cost reporting separates peer calls from
+lead-generation artifacts, and evidence/checklist diagnostics make
+`not_resurfaced` and relator provenance risks harder to misread.
+
+### Added
+
+- `SessionStore.finalize`, `markCancelled`, and idle sweeps now persist
+  terminal events (`session.finalized` / `session.cancelled`) alongside
+  `meta.json` outcome changes.
+- `session_doctor` now reports real-vs-stub session counts, aggregate cost
+  breakdown (`total_cost_usd`, `peer_call_cost_usd`, `generation_cost_usd`),
+  sessions missing terminal events, and sessions carrying
+  `not_resurfaced` evidence checklist items.
+- `session_report` now shows total cost as peer-call cost plus generation cost
+  and includes an Evidence Checklist section explaining that
+  `not_resurfaced` is inference-only, not proof of satisfaction.
+
+### Changed
+
+- Truthfulness preflight failure reasons now include `source_marker_found` and
+  `runtime_facts_available` in addition to attachment/structured-evidence
+  visibility.
+- The relator evidence-provenance detector now treats net-new session UUIDs and
+  GitHub URLs as provenance-bound operational references, preventing final text
+  from introducing unverified session/repository evidence.
+
+## [v04.02.04] — 2026-06-05
+
+**Patch — truthfulness preflight auditability.** This release tightens the
+guardrails added after the v4.2.x session audit so unsupported runtime/history
+claims fail with clearer classes and can be retested after evidence is attached.
+
+### Added
+
+- Added `session_truthfulness_preflight_check`, a read-only MCP tool that
+  re-runs the local truthfulness preflight for an existing session without
+  calling providers.
+- Added `issue_classes` to truthfulness preflight results and abort events for
+  `runtime_contradiction`, `unsupported_current_state_claim`,
+  `unsupported_historical_claim`, and `fabrication_pattern`.
+- Added durable `failed_attempts` metadata for `run_until_unanimous` preflight
+  aborts that happen before a peer-review round is appended.
+
+### Changed
+
+- Re-runs truthfulness preflight on lead-generated initial drafts and revisions
+  before dispatching reviewer peer calls, blocking unsupported generated
+  runtime claims before they propagate through the panel.
+- Parser diagnostics now distinguish empty verified `evidence_sources` from
+  non-empty but generic evidence sources, and recognize attached-evidence
+  labels, `evidence/` paths, log lines, line labels, and command/test-output
+  citations as concrete evidence markers.
+
 ## [v04.02.03] — 2026-06-03
 
 **Patch — Gemini replacement pin and rate-card refresh.** This release follows

package/README.md

@@ -24,7 +24,7 @@ npm install -g @lcv-ideas-software/cross-review
 npm install -g @lcv-ideas-software/cross-review --registry=https://npm.pkg.github.com
 ```
 
-**Status.** Stable. Current release: **v04.02.03** (npm package `4.2.3`). See [CHANGELOG.md](./CHANGELOG.md) for the full release history.
+**Status.** Stable. Current release: **v04.02.05** (npm package `4.2.5`). See [CHANGELOG.md](./CHANGELOG.md) for the full release history.
 
 > **Project renamed 2026-05-15.** This project was previously published as
 > [`@lcv-ideas-software/cross-review-v2`](https://www.npmjs.com/package/@lcv-ideas-software/cross-review-v2)
@@ -38,6 +38,8 @@ The version history at a glance:
 
 | Release              | Scope                                                                                                                                                                                                              |
 | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **`v04.02.05`**      | Patch — harden session auditability with terminal events, cost split reporting, `not_resurfaced` visibility, and relator provenance checks for session IDs/GitHub URLs.                                            |
+| **`v04.02.04`**      | Patch — harden truthfulness preflight auditability, add a read-only preflight retest tool, and reduce false parser warnings for attached/log evidence.                                                             |
 | **`v04.02.03`**      | Patch — promote the Gemini canonical default to `gemini-3.1-pro-preview` and refresh the active local Gemini rate card.                                                                                            |
 | **`v04.02.02`**      | Patch — provider-doc refresh, Perplexity probe repair, current model pins, and rate-card guidance.                                                                                                                 |
 | **`v04.02.01`**      | Patch — publish the workspace hard-gate cleanup as a package release.                                                                                                                                              |
@@ -210,6 +212,7 @@ these environment variables before running real sessions (example):
 - `session_doctor`
 - `session_report`
 - `session_check_convergence`
+- `session_truthfulness_preflight_check`
 - `session_attach_evidence`
 - `session_evidence_checklist_update`
 - `session_evidence_judge_pass`
@@ -221,6 +224,12 @@ these environment variables before running real sessions (example):
 - `session_sweep`
 - `session_finalize`
 
+`session_doctor` separates real and stub sessions, flags terminal outcomes that
+lack terminal events, and reports peer-call cost separately from generation
+artifact cost. `session_report` uses the same split and calls out
+`not_resurfaced` evidence checklist items as inference-only, not proof that the
+requested evidence was satisfied.
+
 ## Repository conventions
 
 - **License**: [Apache-2.0](./LICENSE). See [NOTICE](./NOTICE) and [THIRDPARTY](./THIRDPARTY.md).

package/dist/scripts/smoke.js

@@ -1096,6 +1096,158 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
     assert.equal(entry?.chronic_blockers?.[0], "ask-codex-1", "chronic_blockers must contain the codex round_count=4 item id");
     console.log("[smoke] evidence_checklist_drilldown_test: PASS");
 }
+// v4.2.5 — terminal events, cost split and not_resurfaced audit visibility.
+// The 2026-06-05 disk audit found sessions whose meta.json had a terminal
+// outcome without a matching terminal event, cost reports that blurred peer
+// calls with lead-generation artifacts, and converged sessions with
+// not_resurfaced checklist items that were too easy to misread as satisfied.
+{
+    const { SessionStore } = await import("../src/core/session-store.js");
+    const { sessionReportMarkdown } = await import("../src/core/reports.js");
+    const auditStore = new SessionStore({
+        ...config,
+        data_dir: smokeTmpDir("terminal-cost-evidence-audit"),
+    });
+    const finalizedSession = await auditStore.init("terminal event fixture", "operator", []);
+    await auditStore.finalize(finalizedSession.session_id, "aborted", "smoke_terminal_abort");
+    const finalizedEvents = auditStore.readEvents(finalizedSession.session_id);
+    assert.ok(finalizedEvents.some((event) => event.type === "session.finalized" &&
+        event.data?.outcome === "aborted" &&
+        event.data?.reason === "smoke_terminal_abort"), "v4.2.5 / terminal_events: finalize() must persist a session.finalized event");
+    const cancelledSession = await auditStore.init("cancelled terminal event fixture", "operator", []);
+    await auditStore.markCancelled(cancelledSession.session_id, "session_cancelled");
+    const cancelledEvents = auditStore.readEvents(cancelledSession.session_id);
+    assert.ok(cancelledEvents.some((event) => event.type === "session.cancelled" && event.data?.reason === "session_cancelled"), "v4.2.5 / terminal_events: markCancelled() must persist a session.cancelled event");
+    const sweptSession = await auditStore.init("idle sweep terminal event fixture", "operator", []);
+    const sweptMeta = auditStore.read(sweptSession.session_id);
+    sweptMeta.updated_at = new Date(Date.now() - 25 * 60 * 60 * 1000).toISOString();
+    fs.writeFileSync(auditStore.metaPath(sweptSession.session_id), JSON.stringify(sweptMeta));
+    const swept = await auditStore.sweepIdle(0, "aborted", "smoke_idle_sweep");
+    assert.equal(swept.some((session) => session.session_id === sweptSession.session_id), true, "v4.2.5 / terminal_events: sweepIdle() must finalize stale sessions");
+    const sweptEvents = auditStore.readEvents(sweptSession.session_id);
+    assert.ok(sweptEvents.some((event) => event.type === "session.finalized" &&
+        event.data?.outcome === "aborted" &&
+        event.data?.reason === "smoke_idle_sweep" &&
+        typeof event.data?.idle_ms === "number"), "v4.2.5 / terminal_events: sweepIdle() must persist a session.finalized event");
+    const reportSession = await auditStore.init("cost split report fixture", "operator", []);
+    const reportMeta = auditStore.read(reportSession.session_id);
+    const nowIso = new Date().toISOString();
+    reportMeta.rounds = [
+        {
+            round: 1,
+            started_at: nowIso,
+            completed_at: nowIso,
+            caller_status: "READY",
+            prompt_file: "agent-runs/round-1-prompt.md",
+            peers: [
+                {
+                    peer: "codex",
+                    provider: "openai",
+                    model: "gpt-5",
+                    status: "READY",
+                    structured: { status: "READY", summary: "ready", confidence: "verified" },
+                    text: '{"status":"READY","summary":"ready","confidence":"verified"}',
+                    raw: { fixture: true },
+                    decision_quality: "clean",
+                    parser_warnings: [],
+                    attempts: 1,
+                    latency_ms: 10,
+                    usage: { input_tokens: 10, output_tokens: 5, total_tokens: 15 },
+                    cost: {
+                        currency: "USD",
+                        estimated: false,
+                        source: "configured-rate",
+                        total_cost: 14.652426,
+                    },
+                },
+            ],
+            rejected: [],
+            convergence: {
+                converged: true,
+                reason: "unanimous",
+                ready_peers: ["codex"],
+                not_ready_peers: [],
+                needs_evidence_peers: [],
+                rejected_peers: [],
+                skipped_peers: [],
+                decision_quality: {
+                    codex: "clean",
+                    claude: "clean",
+                    gemini: "clean",
+                    deepseek: "clean",
+                    grok: "clean",
+                    perplexity: "clean",
+                },
+                blocking_details: [],
+            },
+        },
+    ];
+    reportMeta.generation_files = [
+        {
+            round: 0,
+            peer: "gemini",
+            label: "initial_draft",
+            path: "agent-runs/round-0-initial-draft.md",
+            ts: nowIso,
+            usage: { input_tokens: 6, output_tokens: 4, total_tokens: 10 },
+            cost: {
+                currency: "USD",
+                estimated: false,
+                source: "configured-rate",
+                total_cost: 1.876718,
+            },
+        },
+    ];
+    reportMeta.totals.cost = {
+        currency: "USD",
+        estimated: false,
+        source: "configured-rate",
+        total_cost: 16.529144,
+    };
+    fs.writeFileSync(auditStore.metaPath(reportSession.session_id), JSON.stringify(reportMeta));
+    const reportMarkdown = sessionReportMarkdown(auditStore.read(reportSession.session_id), []);
+    assert.ok(reportMarkdown.includes("- Peer call cost: $14.652426 USD"), "v4.2.5 / cost_split: session report must show peer-call cost separately");
+    assert.ok(reportMarkdown.includes("- Generation cost: $1.876718 USD"), "v4.2.5 / cost_split: session report must show lead-generation cost separately");
+    assert.ok(reportMarkdown.includes("$16.529144 USD = $14.652426 peer + $1.876718 generation"), "v4.2.5 / cost_split: session report must explicitly reconcile total = peer + generation");
+    const notResurfacedSession = await auditStore.init("not resurfaced visibility fixture", "operator", []);
+    const notResurfacedMeta = auditStore.read(notResurfacedSession.session_id);
+    notResurfacedMeta.evidence_checklist = [
+        {
+            id: "nr-1",
+            peer: "deepseek",
+            first_round: 1,
+            last_round: 1,
+            round_count: 1,
+            ask: "attach raw npm ci output",
+            first_seen_at: nowIso,
+            last_seen_at: nowIso,
+            status: "not_resurfaced",
+            addressed_at_round: 2,
+            address_method: "resurfacing",
+        },
+    ];
+    fs.writeFileSync(auditStore.metaPath(notResurfacedSession.session_id), JSON.stringify(notResurfacedMeta));
+    const legacyGapSession = await auditStore.init("legacy terminal event gap fixture", "operator", []);
+    const legacyGapMeta = auditStore.read(legacyGapSession.session_id);
+    legacyGapMeta.outcome = "aborted";
+    legacyGapMeta.outcome_reason = "legacy_without_terminal_event";
+    legacyGapMeta.updated_at = nowIso;
+    legacyGapMeta.convergence_health = {
+        state: "stale",
+        last_event_at: nowIso,
+        detail: "legacy_without_terminal_event",
+    };
+    fs.writeFileSync(auditStore.metaPath(legacyGapSession.session_id), JSON.stringify(legacyGapMeta));
+    const notResurfacedDoctor = await auditStore.sessionDoctor(20);
+    assert.equal(notResurfacedDoctor.totals.not_resurfaced_evidence_sessions, 1, "v4.2.5 / not_resurfaced: session_doctor totals must count not_resurfaced sessions separately");
+    assert.equal(notResurfacedDoctor.findings.not_resurfaced_evidence_sessions[0]?.session_id, notResurfacedSession.session_id, "v4.2.5 / not_resurfaced: session_doctor must enumerate not_resurfaced sessions");
+    assert.equal(notResurfacedDoctor.totals.terminal_event_missing_sessions, 1, "v4.2.5 / terminal_event_missing: session_doctor totals must count legacy terminal-event gaps");
+    assert.equal(notResurfacedDoctor.findings.terminal_event_missing_sessions[0]?.session_id, legacyGapSession.session_id, "v4.2.5 / terminal_event_missing: session_doctor must enumerate legacy terminal-event gaps");
+    assert.equal(notResurfacedDoctor.findings.terminal_event_missing_sessions[0]?.terminal_event_expected, "session.finalized", "v4.2.5 / terminal_event_missing: session_doctor must report the expected terminal event");
+    const notResurfacedReport = sessionReportMarkdown(auditStore.read(notResurfacedSession.session_id), []);
+    assert.ok(notResurfacedReport.includes("not_resurfaced means the ask was not repeated; it is not proof that evidence was satisfied."), "v4.2.5 / not_resurfaced: session report must state the not_resurfaced semantics");
+    console.log("[smoke] terminal_cost_evidence_audit_test: PASS");
+}
 // v2.22.0 (B.P3): session.budget_warning event emit + idempotency. The
 // orchestrator emits a one-shot warning when cumulative cost crosses
 // 75% of cost_ceiling_usd; the budget_warning_emitted flag persists
@@ -1374,6 +1526,19 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
         follow_ups: [],
     }));
     assert.ok(!grounded.parser_warnings.includes("verified_without_evidence_sources"), "v4.2.2 / truthfulness_guardrails: concrete evidence_sources must satisfy verified confidence");
+    const attachedEvidenceGrounded = parseStatusForTruth(JSON.stringify({
+        status: "READY",
+        summary: "The raw gate proves the fix.",
+        confidence: "verified",
+        evidence_sources: [
+            "Attachment: RAW clean-room CI-equivalent gate (Node 24.14.0): npm ci exit 0; npm test 22 passed.",
+            "evidence/2026-06-05T09-55-29-249Z-RAW-clean-room-CI-equivalent-gate.txt: Test Files 4 passed (4)",
+            "L7001 jsdom dependency undici ^7.25.0; L9544 resolved undici 6.24.0",
+        ],
+        caller_requests: [],
+        follow_ups: [],
+    }));
+    assert.ok(!attachedEvidenceGrounded.parser_warnings.includes("verified_without_evidence_sources"), "v4.2.4 / truthfulness_guardrails: attachment paths, raw gate logs, and line-number labels are evidence_sources, not empty-evidence warnings");
     assert.ok(/confidence.*verified[\s\S]+evidence_sources/i.test(statusInstruction()), "v4.2.2 / truthfulness_guardrails: statusInstruction must tie verified confidence to concrete evidence_sources");
     console.log("[smoke] verified_requires_evidence_sources_test: PASS");
 }
@@ -5251,6 +5416,16 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
         narrativeCorpus: "",
     });
     assert.equal(genericConfirmation.fabricated, false, "v4.2.2 / truthfulness_guardrails: generic 'confirmed' prose without a dispatch/authorization claim must not trip fabrication detection");
+    const fabricatedReviewReferences = detectFabricatedEvidence([
+        "R2 evidence confirms sessions 604dcecc-df8d-483c-b598-733b8cbb64b0 and 37929ed7-3b71-454c-8231-5e1657ad17af.",
+        "The external comparison used https://github.com/qhjqhj00/GossipCat and https://github.com/alibaba/mira.",
+    ].join("\n"), {
+        provenanceCorpus: "",
+        priorDraftCorpus: "The prior artifact did not contain session IDs or GitHub repository URLs.",
+        narrativeCorpus: "Audit cross-review improvements.",
+    });
+    assert.ok(fabricatedReviewReferences.fabricated === true &&
+        fabricatedReviewReferences.suspicious_assertion_count >= 2, `v4.2.5 / fabrication_lock: net-new session IDs and GitHub URLs in relator text must trip fabricated=true (got count=${fabricatedReviewReferences.suspicious_assertion_count}, fabricated=${fabricatedReviewReferences.fabricated})`);
     // Source-level: threshold constants pinned at the documented values.
     assert.ok(/FABRICATED_NET_NEW_HEX_THRESHOLD\s*=\s*3/.test(orchSrc), "v2.24.0 / fabrication_lock: net-new hex threshold pinned at 3");
     assert.ok(/FABRICATED_SUSPICIOUS_ASSERTION_THRESHOLD\s*=\s*2/.test(orchSrc), "v2.24.0 / fabrication_lock: suspicious assertion threshold pinned at 2");
@@ -5740,6 +5915,7 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
     });
     assert.equal(contradictedByRuntime.pass, false, "v4.2.2 / truthfulness_preflight: current-runtime version claim contradicting runtime facts must trip even when server_info text is present");
     assert.ok(contradictedByRuntime.contradictions.some((item) => item.includes("4.2.0")), "v4.2.2 / truthfulness_preflight: mismatch diagnostics must include the contradicted version token");
+    assert.ok(contradictedByRuntime.issue_classes?.includes("runtime_contradiction"), "v4.2.4 / truthfulness_preflight: runtime contradictions must surface issue_classes=runtime_contradiction");
     const backedByRuntime = truthfulnessPreflight({
         task: "Audit all sessions generated with the current cross-review version.",
         initialDraft: 'Live server_info: {"version":"4.2.1","release_date":"2026-05-21"}\nAudit report for cross-review v4.2.1 current production, released 2026-05-21.',
@@ -5754,6 +5930,7 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
         attachmentsPresent: false,
     });
     assert.equal(unsupportedCurrentState.pass, false, "v4.2.2 / truthfulness_preflight: current-runtime claim without runtime facts or source evidence must trip");
+    assert.ok(unsupportedCurrentState.issue_classes?.includes("unsupported_current_state_claim"), "v4.2.4 / truthfulness_preflight: unsupported current-state claims must have their own issue class");
     const historicalChangelog = truthfulnessPreflight({
         task: "Review this changelog text.",
         initialDraft: "v4.2.0 was released on 2026-05-17. v4.2.1 was released on 2026-05-21.",
@@ -5768,6 +5945,17 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
         attachmentsPresent: false,
     });
     assert.equal(fabricatedTiming.pass, false, "v4.2.2 / truthfulness_preflight: historical runtime timing narrative without snapshot evidence must trip");
+    assert.ok(fabricatedTiming.issue_classes?.includes("unsupported_historical_claim"), "v4.2.4 / truthfulness_preflight: historical timing claims without snapshot evidence must surface unsupported_historical_claim");
+    assert.ok(/attachments_present=false/.test(fabricatedTiming.reason) &&
+        /session_attach_evidence/.test(fabricatedTiming.reason), "v4.2.4 / truthfulness_preflight: failure reason must tell operators that no attachment was visible and how to fix it");
+    const fabricatedWorkflowClaim = truthfulnessPreflight({
+        task: "Summarize the release closure.",
+        initialDraft: "I triggered the workflow dispatch after operator authorization and confirmed the remote deployment succeeded.",
+        runtimeFacts,
+        attachmentsPresent: false,
+    });
+    assert.equal(fabricatedWorkflowClaim.pass, false, "v4.2.4 / truthfulness_preflight: fabricated workflow or authorization claims must trip before paid calls");
+    assert.ok(fabricatedWorkflowClaim.issue_classes?.includes("fabrication_pattern"), "v4.2.4 / truthfulness_preflight: fabricated workflow/authorization claims must surface issue_classes=fabrication_pattern");
     const withStructuredEvidence = truthfulnessPreflight({
         task: "Explain why the report said v4.2.0.",
         initialDraft: "When the workflow began, cross-review was running v4.2.0. It was bumped to v4.2.1 between R1 and R3.",
@@ -5782,9 +5970,36 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
     assert.ok(/truthfulness_preflight_enabled/.test(orchSrcTruth) &&
         /askPeers[\s\S]+truthfulnessPreflight/.test(orchSrcTruth) &&
         /runUntilUnanimous[\s\S]+truthfulnessPreflight/.test(orchSrcTruth), "v4.2.2 / truthfulness_preflight: both askPeers and runUntilUnanimous must gate on config.truthfulness_preflight_enabled");
+    assert.ok(/recordPreflightFailure/.test(orchSrcTruth), "v4.2.4 / truthfulness_preflight: preflight aborts without rounds must still persist failed_attempts metadata");
     assert.ok(/boolEnv\("CROSS_REVIEW_TRUTHFULNESS_PREFLIGHT", true\)/.test(configSrcTruth), "v4.2.2 / truthfulness_preflight: CROSS_REVIEW_TRUTHFULNESS_PREFLIGHT env var must default ON");
     console.log("[smoke] truthfulness_preflight_test: PASS");
 }
+// v4.2.4 — truthfulness_preflight_runtime_contract_test.
+// A failed preflight should be inspectable without scraping events, and
+// operators should be able to re-run the same read-only preflight after
+// attaching evidence instead of starting duplicate sessions.
+{
+    const orchSrcTruth = fs.readFileSync(new URL("../src/core/orchestrator.ts", import.meta.url), "utf8");
+    const storeSrcTruth = fs.readFileSync(new URL("../src/core/session-store.ts", import.meta.url), "utf8");
+    const serverSrcTruth = fs.readFileSync(new URL("../src/mcp/server.ts", import.meta.url), "utf8");
+    assert.ok(/recordPreflightFailure/.test(storeSrcTruth) &&
+        /failed_attempts/.test(storeSrcTruth) &&
+        /truthfulness_preflight/.test(storeSrcTruth), "v4.2.4 / truthfulness_preflight: SessionStore must persist preflight failed_attempts even when no round is appended");
+    const runUntilIndex = orchSrcTruth.indexOf("async runUntilUnanimous");
+    const truthfulnessIndex = orchSrcTruth.indexOf("const truthfulness = truthfulnessPreflight", runUntilIndex);
+    const evidenceIndex = orchSrcTruth.indexOf("const preflight = evidencePreflight", runUntilIndex);
+    const leadGenerationIndex = orchSrcTruth.indexOf("const generation = await adapters[leadPeer].generate", runUntilIndex);
+    assert.ok(runUntilIndex >= 0 &&
+        truthfulnessIndex > runUntilIndex &&
+        evidenceIndex > truthfulnessIndex &&
+        leadGenerationIndex > evidenceIndex, "v4.2.4 / truthfulness_preflight: runUntilUnanimous must run truthfulness/evidence preflight before paid lead generation");
+    assert.ok(/"session_truthfulness_preflight_check"/.test(serverSrcTruth) &&
+        /readEvidenceAttachments/.test(serverSrcTruth) &&
+        /truthfulnessPreflight/.test(serverSrcTruth), "v4.2.4 / truthfulness_preflight: MCP must expose a read-only session_truthfulness_preflight_check retest tool");
+    assert.ok(/"session_truthfulness_preflight_check"/.test(serverSrcTruth) &&
+        /TOOL_NAMES[\s\S]*session_truthfulness_preflight_check/.test(serverSrcTruth), "v4.2.4 / truthfulness_preflight: server_info tool list must include session_truthfulness_preflight_check");
+    console.log("[smoke] truthfulness_preflight_runtime_contract_test: PASS");
+}
 // v3.5.0 (CRV2-1 + CRV2-6) — budget + max_rounds traceability.
 //
 // setSessionTraceability persists requested-vs-effective max_rounds and