@martinloop/mcp 0.2.7 → 0.3.1

package/dist/vendor/core/index.js

@@ -13,7 +13,7 @@ export { runContextIntegrityPrecheck } from "./context-integrity.js";
 // ─── Prompt packet compiler ──────────────────────────────────────────────────
 export { compilePromptPacket } from "./compiler.js";
 // ─── Persistence (RunStore, LedgerEvent, FileRunStore) ──────────────────────
-export { createFileRunStore, makeLedgerEvent, readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile, resolveRunsRoot } from "./persistence/index.js";
+export { createFileRunStore, makeLedgerEvent, readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile, resolveRunsRoot, resolveReceiptIntegrityPath, verifyReceiptIntegrityFromFiles, writeReceiptIntegrityMaterial } from "./persistence/index.js";
 export { compileAndPersistContext } from "./persistence/index.js";
 /**
  * Admission gate — must pass before any attempt is executed.
@@ -101,6 +101,7 @@ export async function runMartin(input) {
         projectId: input.projectId,
         task: input.task,
         budget: input.budget,
+        ...(input.receiptScope ? { receiptScope: input.receiptScope } : {}),
         ...(input.teamId ? { teamId: input.teamId } : {}),
         ...(input.metadata ? { metadata: input.metadata } : {})
     }, { now: now(), idFactory });
@@ -270,8 +271,20 @@ export async function runMartin(input) {
         // GATHER → ADMIT: run admission control before executing
         currentPhase = "ADMIT";
         // T05: Context Integrity Pre-gate — blocks authority inversion / injection before reasoning
-        const contextPrecheck = await runContextIntegrityPrecheck(loop.loopId, loop.attempts.length + 1, runDir(resolveRunsRoot(), loop.loopId), {
+        //
+        // Untrusted "tool output" re-entering the loop is verifier command output from prior
+        // attempts (e.g. test runners echoing attacker-controlled strings). Pull that text from
+        // already-persisted verification.completed events so the gate scans what actually
+        // re-enters subsequent prompts, matching the documented "tool output / test output" scope.
+        const priorVerifierOutput = loop.events
+            .filter((event) => event.type === "verification.completed")
+            .flatMap((event) => event.payload.steps ?? [])
+            .map((step) => step.detail)
+            .filter((detail) => Boolean(detail))
+            .join("\n---\n");
+        const contextPrecheck = await runContextIntegrityPrecheck(loop.loopId, loop.attempts.length + 1, runDir(resolveActiveRunsRoot(input.store), loop.loopId), {
             userPrompt: distilled.focus,
+            toolOutput: priorVerifierOutput || undefined,
             history: loop.attempts.map(a => a.summary).join("\n")
         });
         if (contextPrecheck.verdict === "context_poisoning_block") {
@@ -411,13 +424,18 @@ export async function runMartin(input) {
             },
             previousAttempts: loop.attempts
         };
-        const rollbackBoundary = await captureRollbackBoundary({
-            repoRoot: request.context.repoRoot,
-            capturedAt: attemptStartedAt
-        });
+        const tracksWorkspaceMutations = request.context.repoRoot !== undefined &&
+            executingAdapter.metadata.capabilities?.workspaceMutations !== false;
+        const rollbackBoundary = tracksWorkspaceMutations
+            ? await captureRollbackBoundary({
+                repoRoot: request.context.repoRoot,
+                capturedAt: attemptStartedAt
+            })
+            : undefined;
         const result = await executingAdapter.execute(request);
         const attemptCompletedAt = now();
         const compiledContext = compilePromptPacket(request);
+        const verification = normalizeVerificationOutcome(result);
         // PATCH → VERIFY
         currentPhase = "VERIFY";
         let failure = result.status === "failed"
@@ -444,7 +462,16 @@ export async function runMartin(input) {
                 actualUsd: roundUsd(loop.cost.actualUsd + getUsageUsd(result.usage)),
                 avoidedUsd: loop.cost.avoidedUsd,
                 tokensIn: loop.cost.tokensIn + result.usage.tokensIn,
-                tokensOut: loop.cost.tokensOut + result.usage.tokensOut
+                tokensOut: loop.cost.tokensOut + result.usage.tokensOut,
+                ...(result.usage.estimatedUsd !== undefined
+                    ? {
+                        estimatedUsd: roundUsd((loop.cost.estimatedUsd ?? loop.cost.actualUsd) + result.usage.estimatedUsd)
+                    }
+                    : {}),
+                provenance: getUsageProvenance(result.usage),
+                ...(result.usage.providerSettlement
+                    ? { providerSettlement: result.usage.providerSettlement }
+                    : {})
             },
             updatedAt: attemptCompletedAt
         };
@@ -503,11 +530,14 @@ export async function runMartin(input) {
         }
         loop = appendLoopEvent(loop, {
             type: "verification.completed",
-            lifecycleState: result.verification.passed ? "completed" : "verifying",
+            lifecycleState: verification.passed ? "completed" : "verifying",
             payload: {
                 attemptId,
-                passed: result.verification.passed,
-                summary: result.verification.summary
+                attemptIndex: currentAttemptIndex,
+                passed: verification.passed,
+                summary: verification.summary,
+                ...(verification.steps?.length ? { steps: verification.steps } : {}),
+                ...(verification.warnings?.length ? { warnings: verification.warnings } : {})
             }
         }, { now: attemptCompletedAt, idFactory });
         const costState = evaluateCostGovernor({
@@ -521,7 +551,8 @@ export async function runMartin(input) {
             payload: {
                 actualUsd: loop.cost.actualUsd,
                 remainingBudgetUsd: costState.remainingBudgetUsd,
-                pressure: costState.pressure
+                pressure: costState.pressure,
+                provenance: getUsageProvenance(result.usage)
             }
         }, { now: now(), idFactory });
         if (input.store) {
@@ -534,6 +565,7 @@ export async function runMartin(input) {
             });
             await input.store.writeAttemptArtifacts(loop.loopId, currentAttemptIndex, {
                 compiledContext,
+                verification,
                 ...(rollbackBoundary ? { rollbackBoundary } : {})
             });
             await input.store.appendLedger(loop.loopId, makeLedgerEvent({
@@ -546,7 +578,13 @@ export async function runMartin(input) {
                 kind: "verification.completed",
                 runId: loop.loopId,
                 attemptIndex: currentAttemptIndex,
-                payload: { passed: result.verification.passed, summary: result.verification.summary }
+                payload: {
+                    attemptId,
+                    passed: verification.passed,
+                    summary: verification.summary,
+                    ...(verification.steps?.length ? { steps: verification.steps } : {}),
+                    ...(verification.warnings?.length ? { warnings: verification.warnings } : {})
+                }
             }));
             await input.store.appendLedger(loop.loopId, makeLedgerEvent({
                 kind: "budget.settled",
@@ -557,10 +595,13 @@ export async function runMartin(input) {
                     estimatedUsd: result.usage.estimatedUsd,
                     tokensIn: result.usage.tokensIn,
                     tokensOut: result.usage.tokensOut,
+                    cachedInputTokens: result.usage.cachedInputTokens,
+                    reasoningTokensOut: result.usage.reasoningTokensOut,
                     provenance: getUsageProvenance(result.usage),
                     transport: getAdapterTransport(executingAdapter),
                     providerId: executingAdapter.metadata.providerId,
                     model: executingAdapter.metadata.model,
+                    providerSettlement: result.usage.providerSettlement,
                     patchCost: settlement.patchCost,
                     verificationCost: settlement.verificationCost,
                     varianceUsd: settlement.varianceUsd,
@@ -568,16 +609,20 @@ export async function runMartin(input) {
                 }
             }));
         }
-        const changedFiles = resolveChangedFiles(result, request.context.repoRoot);
+        const changedFiles = tracksWorkspaceMutations
+            ? resolveChangedFiles(result, request.context.repoRoot)
+            : [];
         // Evidence is only reliable when the adapter explicitly reported files OR git actually
         // returned a non-empty list. A repoRoot alone is insufficient — git may fail (e.g. not
         // a git repo) and silently return [], which would falsely trigger no_code_change.
         const changedFileEvidenceAvailable = result.execution?.changedFiles !== undefined || changedFiles.length > 0;
+        const isVerifierOnlyAdapter = executingAdapter.adapterId === "direct:verifier:verify-only";
+        const patchTruthCountsEdits = !isVerifyOnly && !isVerifierOnlyAdapter && changedFileEvidenceAvailable;
         if (isVerifyOnly && changedFiles.length > 0) {
             const patchDecision = evaluatePatchDecision({
-                verificationPassed: result.verification.passed,
+                verificationPassed: verification.passed,
                 previousVerifierScore,
-                verifierScore: result.verification.passed ? 1 : 0,
+                verifierScore: verification.passed ? 1 : 0,
                 scopeViolationCount: changedFiles.length,
                 changedFileCount: changedFiles.length,
                 diffNovelty: 1,
@@ -842,12 +887,12 @@ export async function runMartin(input) {
         let patchDecision;
         if (result.status === "completed") {
             patchDecision = evaluatePatchDecision({
-                verificationPassed: result.verification.passed,
+                verificationPassed: verification.passed,
                 previousVerifierScore,
-                verifierScore: result.verification.passed ? 1 : 0,
+                verifierScore: verification.passed ? 1 : 0,
                 groundingViolationCount: groundingScanResult?.violations.length ?? 0,
-                changedFileCount: !isVerifyOnly && changedFileEvidenceAvailable ? changedFiles.length : undefined,
-                diffNovelty: !isVerifyOnly && changedFileEvidenceAvailable ? (changedFiles.length > 0 ? 1 : 0) : undefined,
+                changedFileCount: patchTruthCountsEdits ? changedFiles.length : undefined,
+                diffNovelty: patchTruthCountsEdits ? (changedFiles.length > 0 ? 1 : 0) : undefined,
                 diffStats: result.execution?.diffStats,
                 costUsd: getUsageUsd(result.usage),
                 summary: result.summary
@@ -897,10 +942,10 @@ export async function runMartin(input) {
             }
             else {
                 await input.store.appendLedger(loop.loopId, makeLedgerEvent({
-                    kind: result.verification.passed ? "attempt.kept" : "attempt.discarded",
+                    kind: verification.passed ? "attempt.kept" : "attempt.discarded",
                     runId: loop.loopId,
                     attemptIndex: currentAttemptIndex,
-                    payload: { reason: result.verification.summary }
+                    payload: { reason: verification.summary }
                 }));
             }
         }
@@ -1145,6 +1190,9 @@ function createBudgetSettlement(input) {
             usd: 0,
             provenance: "unavailable"
         },
+        ...(input.usage.providerSettlement
+            ? { providerSettlement: input.usage.providerSettlement }
+            : {}),
         totalActualUsd,
         preflightEstimateUsd: input.estimate.estimatedAttemptCostUsd,
         varianceUsd: roundUsd(totalActualUsd - input.estimate.estimatedAttemptCostUsd),
@@ -1185,6 +1233,50 @@ function getLastVerifierScore(loop) {
     }
     return 0;
 }
+function truncateVerificationDetail(text, maxLength) {
+    return text.length <= maxLength ? text : `${text.slice(0, maxLength - 1)}…`;
+}
+function normalizeVerificationOutcome(result) {
+    const warnings = [...(result.verification.warnings ?? [])];
+    const contradiction = detectVerificationContradiction(result);
+    if (contradiction && !warnings.includes(contradiction)) {
+        warnings.push(contradiction);
+    }
+    return {
+        passed: result.verification.passed,
+        summary: result.verification.summary,
+        ...(result.verification.steps?.length ? { steps: result.verification.steps } : {}),
+        ...(warnings.length ? { warnings } : {})
+    };
+}
+function detectVerificationContradiction(result) {
+    if (!result.verification.passed) {
+        return undefined;
+    }
+    const sources = [result.summary, result.failure?.message]
+        .filter((value) => typeof value === "string" && value.trim().length > 0);
+    const contradictionPatterns = [
+        /createprocessasuserw failed:\s*\d+/iu,
+        /\bverifier not run\b/iu,
+        /\bfailed before verifier\b/iu,
+        /\bnever launched\b/iu,
+        /\bfailed to launch\b/iu,
+        /\bcould not launch\b/iu
+    ];
+    for (const source of sources) {
+        const match = contradictionPatterns.find((pattern) => pattern.test(source));
+        if (!match) {
+            continue;
+        }
+        const excerpt = truncateVerificationDetail(source.trim().replace(/\s+/gu, " "), 220);
+        return `Adapter output reported a tool-launch problem before MartinLoop ran its own verifier: ${excerpt}`;
+    }
+    return undefined;
+}
+function resolveActiveRunsRoot(store) {
+    const configuredRunsRoot = store?.runsRoot?.trim();
+    return configuredRunsRoot && configuredRunsRoot.length > 0 ? configuredRunsRoot : resolveRunsRoot();
+}
 function toPatchDecisionArtifact(decision) {
     return {
         decision: decision.decision,

package/dist/vendor/core/leash.js

@@ -1,20 +1,51 @@
 import { isAbsolute, relative, resolve } from "node:path";
 const BLOCKED_PATTERNS = [
-    /(^|\s)rm\s+-rf(\s|$)/u,
+    /(^|[\s;&|`(])rm\s+-rf(\s|$)/iu,
     /git\s+reset\s+--hard/iu,
     /git\s+clean\s+-fd/iu,
     /curl\b[^\n|]*\|\s*(sh|bash)/iu,
     /wget\b[^\n|]*\|\s*(sh|bash)/iu,
-    /(^|\s)sudo(\s|$)/u,
-    /(^|\s)mkfs(\.|\s|$)/u,
-    /(^|\s)dd\s+if=/u,
+    /(^|[\s;&|`(])sudo(\s|$)/iu,
+    /(^|[\s;&|`(])mkfs(\.|\s|$)/iu,
+    /(^|[\s;&|`(])dd\s+if=/iu,
     /(shutdown|reboot)(\s|$)/iu,
-    /:\(\)\s*\{\s*:\|:&\s*\}\s*;\s*:/u,
+    /:\(\)\s*\{\s*:\|:&\s*\}\s*;\s*:/iu,
     /chmod\s+-R\s+777\s+\//iu,
     /(kubectl|docker)\s+.*\b(delete|prune|rm)\b/iu,
     /ssh\s+/iu,
-    /scp\s+/iu
+    /scp\s+/iu,
+    // bash/sh -c "<destructive command>" wrappers — flags the wrapper shape directly,
+    // since a naive regex on the outer command misses the destructive inner command.
+    /\b(?:bash|sh|zsh)\s+-c\s+["'`]/iu,
+    // recursive directory deletion via `find ... -delete` / `find ... -exec rm`
+    /\bfind\s+\S+(?:\s+-[a-z-]+(?:\s+\S+)?)*\s+-delete\b/iu,
+    /\bfind\s+\S+(?:\s+-[a-z-]+(?:\s+\S+)?)*\s+-exec\s+rm\b/iu,
+    // scripting-language recursive deletion one-liners
+    /\bshutil\.rmtree\s*\(/iu,
+    /\bos\.(?:remove|rmdir|removedirs|unlink)\s*\(/iu,
+    /\.(?:rm|rmdir|unlink)(?:Sync)?\s*\(/iu,
+    /\brimraf\s*\(/iu
 ];
+/**
+ * Detects `rm` invocations that combine recursive + force flags regardless of
+ * flag ordering/grouping (`-rf`, `-fr`, `-r -f`, `--recursive --force`),
+ * absolute-path invocation (`/bin/rm`, `/usr/bin/rm`), case, or `${IFS}`-style
+ * shell obfuscation — all of which slip past the literal `rm\s+-rf` pattern.
+ */
+function commandContainsDestructiveRemoval(command) {
+    const normalized = command.replace(/\$\{?IFS\}?/giu, " ").toLowerCase();
+    const rmInvocation = /(?:^|[\s;&|`(])(?:\/(?:usr\/(?:local\/)?)?s?bin\/)?rm\s+([^\n;|`]+)/giu;
+    let match;
+    while ((match = rmInvocation.exec(normalized)) !== null) {
+        const args = match[1] ?? "";
+        const hasRecursive = /(?:^|\s)-[a-z]*r[a-z]*(?:\s|$)|--recursive\b/u.test(args);
+        const hasForce = /(?:^|\s)-[a-z]*f[a-z]*(?:\s|$)|--force\b/u.test(args);
+        if (hasRecursive && hasForce) {
+            return true;
+        }
+    }
+    return false;
+}
 const SECRET_PATTERNS = [
     {
         kind: "secret_value",
@@ -28,7 +59,52 @@ const SECRET_PATTERNS = [
     },
     {
         kind: "secret_value",
-        pattern: /\bghp_[A-Za-z0-9_]{8,}\b/gu,
+        pattern: /\bghp_[A-Za-z0-9_]{16,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:gho|ghu|ghs|ghr)_[A-Za-z0-9_]{16,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bAKIA[0-9A-Z]{16}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*[^\s"'`]+/giu,
+        replacement: "AWS_SECRET_ACCESS_KEY=[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/giu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bAIza[0-9A-Za-z_-]{30,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /-----BEGIN(?:\s+[A-Z0-9]+)*\s+PRIVATE KEY-----[\s\S]*?-----END(?:\s+[A-Z0-9]+)*\s+PRIVATE KEY-----/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*["']?[A-Za-z0-9_\-/+=]{12,}["']?/giu,
         replacement: "[REDACTED_SECRET]"
     }
 ];
@@ -55,7 +131,8 @@ export function evaluateVerificationLeash(task) {
         ...((task.verificationStack ?? []).map((step) => step.command))
     ].filter(Boolean);
     const profile = resolveExecutionProfile(task);
-    const blockedCommands = commands.filter((command) => BLOCKED_PATTERNS.some((pattern) => pattern.test(command)));
+    const blockedCommands = commands.filter((command) => BLOCKED_PATTERNS.some((pattern) => pattern.test(command)) ||
+        commandContainsDestructiveRemoval(command));
     const violations = blockedCommands.map((command) => ({
         kind: "command_blocked",
         command,

package/dist/vendor/core/persistence/index.d.ts

@@ -1,5 +1,7 @@
 export { makeLedgerEvent } from "./ledger.js";
 export type { LedgerEvent, LedgerEventDraft, LedgerEventKind } from "./ledger.js";
+export { resolveReceiptIntegrityPath, verifyReceiptIntegrityFromFiles, writeReceiptIntegrityMaterial } from "./integrity.js";
+export type { ReceiptIntegrityChainEntry, StoredReceiptIntegrityMaterial } from "./integrity.js";
 export { artifactDir, createFileRunStore, resolveRunsRoot, runDir } from "./store.js";
 export type { AttemptArtifacts, RunContract, RunStore } from "./store.js";
 export { readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile } from "./runs-reader.js";

package/dist/vendor/core/persistence/index.js

@@ -1,4 +1,5 @@
 export { makeLedgerEvent } from "./ledger.js";
+export { resolveReceiptIntegrityPath, verifyReceiptIntegrityFromFiles, writeReceiptIntegrityMaterial } from "./integrity.js";
 export { artifactDir, createFileRunStore, resolveRunsRoot, runDir } from "./store.js";
 export { readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile } from "./runs-reader.js";
 export { compileAndPersistContext } from "./compiler.js";

package/dist/vendor/core/persistence/integrity.d.ts

@@ -0,0 +1,38 @@
+import type { LoopRecord, ReceiptIntegritySummary, ReceiptScope } from "../../contracts/index.js";
+export interface ReceiptIntegrityChainEntry {
+    index: number;
+    eventId?: string;
+    type?: string;
+    kind?: string;
+    timestamp?: string;
+    prevHash: string;
+    entryHash: string;
+}
+export interface StoredReceiptIntegrityMaterial {
+    schemaVersion: "martin.receipt-integrity.v1";
+    runId: string;
+    keyId: string;
+    signedAt: string;
+    scope?: ReceiptScope;
+    loopRecordSha256: string;
+    ledgerSha256: string;
+    ledgerHeadHash: string;
+    entryCount: number;
+    chain: ReceiptIntegrityChainEntry[];
+    signatureHmacSha256: string;
+}
+export declare function writeReceiptIntegrityMaterial(input: {
+    runId: string;
+    runsRoot: string;
+    loopRecord: LoopRecord;
+    ledgerEntries: unknown[];
+    scope?: ReceiptScope;
+    signedAt?: string;
+}): Promise<StoredReceiptIntegrityMaterial | undefined>;
+export declare function verifyReceiptIntegrityFromFiles(input: {
+    runId: string;
+    runsRoot: string;
+    loopRecordPath: string;
+    ledgerPath: string;
+}): Promise<ReceiptIntegritySummary>;
+export declare function resolveReceiptIntegrityPath(runsRoot: string, runId: string): string;

package/dist/vendor/core/persistence/integrity.js

@@ -0,0 +1,248 @@
+import { createHash, createHmac, randomBytes } from "node:crypto";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+const RECEIPT_INTEGRITY_SCHEMA_VERSION = "martin.receipt-integrity.v1";
+const RECEIPT_INTEGRITY_KEY_DIR_MODE = 0o700;
+const RECEIPT_INTEGRITY_KEY_FILE_MODE = 0o600;
+export async function writeReceiptIntegrityMaterial(input) {
+    const signedAt = input.signedAt ?? new Date().toISOString();
+    const keyMaterial = await ensureReceiptIntegrityKey(input.runsRoot, input.runId);
+    if (!keyMaterial) {
+        return undefined;
+    }
+    const [key, keyId] = keyMaterial;
+    const chain = buildReceiptIntegrityChain(input.ledgerEntries);
+    const loopRecordRaw = serializeStoredJson(input.loopRecord);
+    const ledgerRaw = serializeStoredJsonl(input.ledgerEntries);
+    const materialBase = {
+        schemaVersion: RECEIPT_INTEGRITY_SCHEMA_VERSION,
+        runId: input.runId,
+        keyId,
+        signedAt,
+        ...(input.scope ? { scope: input.scope } : {}),
+        loopRecordSha256: sha256(loopRecordRaw),
+        ledgerSha256: sha256(ledgerRaw),
+        ledgerHeadHash: chain.at(-1)?.entryHash ?? "root",
+        entryCount: chain.length,
+        chain
+    };
+    const material = {
+        ...materialBase,
+        signatureHmacSha256: createReceiptIntegritySignature(key, materialBase)
+    };
+    await mkdir(join(input.runsRoot, input.runId), { recursive: true });
+    await writeFile(resolveReceiptIntegrityPath(input.runsRoot, input.runId), serializeStoredJson(material), "utf8");
+    return material;
+}
+export async function verifyReceiptIntegrityFromFiles(input) {
+    const integrityPath = resolveReceiptIntegrityPath(input.runsRoot, input.runId);
+    const [rawMaterial, rawLoopRecord, rawLedger, key] = await Promise.all([
+        readFile(integrityPath, "utf8").catch(() => null),
+        readFile(input.loopRecordPath, "utf8").catch(() => null),
+        readFile(input.ledgerPath, "utf8").catch(() => null),
+        readReceiptIntegrityKey(input.runsRoot, input.runId).catch(() => null)
+    ]);
+    if (!rawMaterial || !rawLoopRecord || rawLedger === null || !key) {
+        return {
+            state: "unsigned",
+            reason: "Receipt integrity material is missing for this run.",
+            warnings: ["Receipts are local-only and unsigned; trust claims are unavailable."]
+        };
+    }
+    let material;
+    try {
+        material = JSON.parse(rawMaterial);
+    }
+    catch {
+        return {
+            state: "tamper_detected",
+            reason: "Receipt integrity metadata is unreadable."
+        };
+    }
+    const actualLoopRecordSha256 = sha256(rawLoopRecord);
+    if (actualLoopRecordSha256 !== material.loopRecordSha256) {
+        return {
+            state: "tamper_detected",
+            keyId: material.keyId,
+            signedAt: material.signedAt,
+            loopRecordSha256: material.loopRecordSha256,
+            ledgerSha256: material.ledgerSha256,
+            ledgerHeadHash: material.ledgerHeadHash,
+            entryCount: material.entryCount,
+            reason: "loop_record_hash_mismatch"
+        };
+    }
+    const actualLedgerSha256 = sha256(rawLedger);
+    if (actualLedgerSha256 !== material.ledgerSha256) {
+        return {
+            state: "tamper_detected",
+            keyId: material.keyId,
+            signedAt: material.signedAt,
+            loopRecordSha256: material.loopRecordSha256,
+            ledgerSha256: material.ledgerSha256,
+            ledgerHeadHash: material.ledgerHeadHash,
+            entryCount: material.entryCount,
+            reason: "ledger_hash_mismatch"
+        };
+    }
+    let parsedLedgerEntries;
+    try {
+        parsedLedgerEntries = rawLedger
+            .split(/\r?\n/u)
+            .map((line) => line.trim())
+            .filter(Boolean)
+            .map((line) => JSON.parse(line));
+    }
+    catch {
+        return {
+            state: "tamper_detected",
+            keyId: material.keyId,
+            signedAt: material.signedAt,
+            loopRecordSha256: material.loopRecordSha256,
+            ledgerSha256: material.ledgerSha256,
+            ledgerHeadHash: material.ledgerHeadHash,
+            entryCount: material.entryCount,
+            reason: "ledger_entry_parse_error"
+        };
+    }
+    const actualChain = buildReceiptIntegrityChain(parsedLedgerEntries);
+    if (actualChain.length !== material.chain.length) {
+        return {
+            state: "tamper_detected",
+            keyId: material.keyId,
+            signedAt: material.signedAt,
+            loopRecordSha256: material.loopRecordSha256,
+            ledgerSha256: material.ledgerSha256,
+            ledgerHeadHash: material.ledgerHeadHash,
+            entryCount: material.entryCount,
+            reason: "ledger_entry_count_mismatch"
+        };
+    }
+    for (let index = 0; index < actualChain.length; index += 1) {
+        const expected = material.chain[index];
+        const actual = actualChain[index];
+        if (!expected ||
+            !actual ||
+            expected.entryHash !== actual.entryHash ||
+            expected.prevHash !== actual.prevHash) {
+            return {
+                state: "tamper_detected",
+                keyId: material.keyId,
+                signedAt: material.signedAt,
+                loopRecordSha256: material.loopRecordSha256,
+                ledgerSha256: material.ledgerSha256,
+                ledgerHeadHash: material.ledgerHeadHash,
+                entryCount: material.entryCount,
+                reason: `ledger_chain_mismatch:${index}`
+            };
+        }
+    }
+    const signatureBase = {
+        schemaVersion: material.schemaVersion,
+        runId: material.runId,
+        keyId: material.keyId,
+        signedAt: material.signedAt,
+        ...(material.scope ? { scope: material.scope } : {}),
+        loopRecordSha256: material.loopRecordSha256,
+        ledgerSha256: material.ledgerSha256,
+        ledgerHeadHash: material.ledgerHeadHash,
+        entryCount: material.entryCount,
+        chain: material.chain
+    };
+    const expectedSignature = createReceiptIntegritySignature(key, signatureBase);
+    if (expectedSignature !== material.signatureHmacSha256) {
+        return {
+            state: "tamper_detected",
+            keyId: material.keyId,
+            signedAt: material.signedAt,
+            loopRecordSha256: material.loopRecordSha256,
+            ledgerSha256: material.ledgerSha256,
+            ledgerHeadHash: material.ledgerHeadHash,
+            entryCount: material.entryCount,
+            reason: "signature_mismatch"
+        };
+    }
+    return {
+        state: "verified",
+        keyId: material.keyId,
+        signedAt: material.signedAt,
+        loopRecordSha256: material.loopRecordSha256,
+        ledgerSha256: material.ledgerSha256,
+        ledgerHeadHash: material.ledgerHeadHash,
+        entryCount: material.entryCount
+    };
+}
+export function resolveReceiptIntegrityPath(runsRoot, runId) {
+    return join(runsRoot, runId, "receipt-integrity.json");
+}
+function buildReceiptIntegrityChain(entries) {
+    let previousHash = "root";
+    return entries.map((entry, index) => {
+        const normalizedEntry = JSON.stringify(entry);
+        const entryHash = sha256(`${previousHash}\n${normalizedEntry}`);
+        const candidate = entry;
+        const chainEntry = {
+            index,
+            prevHash: previousHash,
+            entryHash
+        };
+        if (typeof candidate.eventId === "string") {
+            chainEntry.eventId = candidate.eventId;
+        }
+        if (typeof candidate.type === "string") {
+            chainEntry.type = candidate.type;
+        }
+        if (typeof candidate.kind === "string") {
+            chainEntry.kind = candidate.kind;
+        }
+        if (typeof candidate.timestamp === "string") {
+            chainEntry.timestamp = candidate.timestamp;
+        }
+        previousHash = entryHash;
+        return chainEntry;
+    });
+}
+function createReceiptIntegritySignature(key, material) {
+    return createHmac("sha256", key).update(JSON.stringify(material)).digest("hex");
+}
+async function ensureReceiptIntegrityKey(runsRoot, runId) {
+    const keyPath = resolveReceiptIntegrityKeyPath(runsRoot, runId);
+    const existing = await readFile(keyPath, "utf8").catch(() => null);
+    if (existing) {
+        const trimmed = existing.trim();
+        return [trimmed, sha256(trimmed).slice(0, 16)];
+    }
+    const generated = randomBytes(32).toString("hex");
+    try {
+        await mkdir(dirname(keyPath), { recursive: true, mode: RECEIPT_INTEGRITY_KEY_DIR_MODE });
+        await writeFile(keyPath, `${generated}\n`, {
+            encoding: "utf8",
+            mode: RECEIPT_INTEGRITY_KEY_FILE_MODE
+        });
+    }
+    catch {
+        return undefined;
+    }
+    return [generated, sha256(generated).slice(0, 16)];
+}
+async function readReceiptIntegrityKey(runsRoot, runId) {
+    const raw = await readFile(resolveReceiptIntegrityKeyPath(runsRoot, runId), "utf8");
+    return raw.trim();
+}
+function resolveReceiptIntegrityKeyPath(runsRoot, runId) {
+    const rootHash = sha256(runsRoot).slice(0, 16);
+    return join(homedir(), ".martin", "receipt-integrity", rootHash, `${runId}.key`);
+}
+function serializeStoredJson(value) {
+    return `${JSON.stringify(value, null, 2)}\n`;
+}
+function serializeStoredJsonl(entries) {
+    if (entries.length === 0) {
+        return "";
+    }
+    return `${entries.map((entry) => JSON.stringify(entry)).join("\n")}\n`;
+}
+function sha256(value) {
+    return createHash("sha256").update(value).digest("hex");
+}