npm - @mc-and-his-agents/loom-installer - Versions diffs - 0.1.21 → 0.1.22 - Mend

@mc-and-his-agents/loom-installer 0.1.21 → 0.1.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/payload/skills/loom-merge-ready/.loom-runtime/shared/scripts/runtime_state.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
     status = "pass" if not errors else "block"
     summary = (

package/payload/skills/loom-pre-review/.loom-runtime/shared/scripts/loom_check.py CHANGED Viewed

@@ -3711,6 +3711,27 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "block":
             failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when the bootstrap manifest drifts"))
+        hash_drift_bootstrap = tmp_root / "hash-drift-bootstrapped-target"
+        shutil.copytree(example_target, hash_drift_bootstrap)
+        manifest_path = hash_drift_bootstrap / ".loom" / "bootstrap" / "manifest.json"
+        manifest = load_json_file(manifest_path)
+        if isinstance(manifest, dict):
+            artifacts = manifest.get("artifacts")
+            if isinstance(artifacts, list):
+                for artifact in artifacts:
+                    if isinstance(artifact, dict) and artifact.get("path") == ".loom/bin/runtime_state.py":
+                        artifact["sha256"] = "0" * 64
+            manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
+        payload, error = load_command_json(
+            root,
+            ["python3", ".loom/bin/loom_init.py", "runtime-state", "--target", "."],
+            cwd=hash_drift_bootstrap,
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`bootstrapped runtime-state` provenance hash drift failed unexpectedly: {error}"))
+        elif payload.get("result") != "block":
+            failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when runtime provenance hashes drift"))
     if shutil.which("git") is not None:
         with tempfile.TemporaryDirectory(prefix="loom-check-installed-pre-merge-") as tmp:
             tmp_root = Path(tmp)

package/payload/skills/loom-pre-review/.loom-runtime/shared/scripts/loom_init.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import argparse
+import hashlib
 import json
 import os
 import re
@@ -27,6 +28,17 @@ TOOL_VERSION = "1.3.0"
 CONTRACT_VERSION = "1.3.0"
 WORK_ITEM_ID = "INIT-0001"
+RUNTIME_ARTIFACT_SOURCES = {
+    ".loom/bin/loom_init.py": RUNTIME_SOURCE,
+    ".loom/bin/fact_chain_support.py": FACT_CHAIN_RUNTIME_SOURCE,
+    ".loom/bin/governance_surface.py": GOVERNANCE_RUNTIME_SOURCE,
+    ".loom/bin/loom_flow.py": FLOW_RUNTIME_SOURCE,
+    ".loom/bin/loom_status.py": STATUS_RUNTIME_SOURCE,
+    ".loom/bin/runtime_paths.py": "skills/shared/scripts/runtime_paths.py",
+    ".loom/bin/runtime_state.py": "skills/shared/scripts/runtime_state.py",
+    ".loom/bin/loom_check.py": CHECK_RUNTIME_SOURCE,
+}
 ROOT_BOUNDARY_FILES = (
     "AGENTS.md",
     "WORKFLOW.md",
@@ -816,46 +828,14 @@ def initial_artifacts(target_root: Path, install_pr_template: bool, adoption_pat
             "kind": "capability-map",
             "source": "generated",
         },
-        {
-            "path": ".loom/bin/loom_init.py",
-            "kind": "loom-tool",
-            "source": RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/fact_chain_support.py",
-            "kind": "loom-tool-support",
-            "source": FACT_CHAIN_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/governance_surface.py",
-            "kind": "loom-tool-support",
-            "source": GOVERNANCE_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_flow.py",
-            "kind": "loom-tool",
-            "source": FLOW_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_status.py",
-            "kind": "loom-tool",
-            "source": STATUS_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/runtime_paths.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_paths.py",
-        },
-        {
-            "path": ".loom/bin/runtime_state.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_state.py",
-        },
-        {
-            "path": ".loom/bin/loom_check.py",
-            "kind": "loom-tool",
-            "source": CHECK_RUNTIME_SOURCE,
-        },
+        runtime_artifact(".loom/bin/loom_init.py", "loom-tool", RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/fact_chain_support.py", "loom-tool-support", FACT_CHAIN_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/governance_surface.py", "loom-tool-support", GOVERNANCE_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_flow.py", "loom-tool", FLOW_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_status.py", "loom-tool", STATUS_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/runtime_paths.py", "loom-tool-support", "skills/shared/scripts/runtime_paths.py"),
+        runtime_artifact(".loom/bin/runtime_state.py", "loom-tool-support", "skills/shared/scripts/runtime_state.py"),
+        runtime_artifact(".loom/bin/loom_check.py", "loom-tool", CHECK_RUNTIME_SOURCE),
     ]
     if uses_attach_only_path(adoption_path):
         artifacts.extend(
@@ -1362,6 +1342,34 @@ def copy_file(source: Path, target: Path, force: bool) -> bool:
     return write_text(target, content, force=force)
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+def runtime_artifact(path: str, kind: str, source: str) -> dict[str, str]:
+    runtime_sources = {
+        ".loom/bin/loom_init.py": Path(__file__),
+        ".loom/bin/fact_chain_support.py": Path(__file__).with_name("fact_chain_support.py"),
+        ".loom/bin/governance_surface.py": Path(__file__).with_name("governance_surface.py"),
+        ".loom/bin/loom_flow.py": Path(__file__).with_name("loom_flow.py"),
+        ".loom/bin/loom_status.py": Path(__file__).with_name("loom_status.py"),
+        ".loom/bin/runtime_paths.py": Path(__file__).with_name("runtime_paths.py"),
+        ".loom/bin/runtime_state.py": Path(__file__).with_name("runtime_state.py"),
+        ".loom/bin/loom_check.py": Path(__file__).with_name("loom_check.py"),
+    }
+    source_path = runtime_sources[path]
+    return {
+        "path": path,
+        "kind": kind,
+        "source": source,
+        "sha256": sha256_file(source_path),
+    }
 def manifest_payload(result: dict[str, object]) -> dict[str, object]:
     return {
         "schema_version": "loom-bootstrap-manifest/v1",

package/payload/skills/loom-pre-review/.loom-runtime/shared/scripts/runtime_state.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
     status = "pass" if not errors else "block"
     summary = (

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/loom_check.py CHANGED Viewed

@@ -3711,6 +3711,27 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "block":
             failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when the bootstrap manifest drifts"))
+        hash_drift_bootstrap = tmp_root / "hash-drift-bootstrapped-target"
+        shutil.copytree(example_target, hash_drift_bootstrap)
+        manifest_path = hash_drift_bootstrap / ".loom" / "bootstrap" / "manifest.json"
+        manifest = load_json_file(manifest_path)
+        if isinstance(manifest, dict):
+            artifacts = manifest.get("artifacts")
+            if isinstance(artifacts, list):
+                for artifact in artifacts:
+                    if isinstance(artifact, dict) and artifact.get("path") == ".loom/bin/runtime_state.py":
+                        artifact["sha256"] = "0" * 64
+            manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
+        payload, error = load_command_json(
+            root,
+            ["python3", ".loom/bin/loom_init.py", "runtime-state", "--target", "."],
+            cwd=hash_drift_bootstrap,
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`bootstrapped runtime-state` provenance hash drift failed unexpectedly: {error}"))
+        elif payload.get("result") != "block":
+            failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when runtime provenance hashes drift"))
     if shutil.which("git") is not None:
         with tempfile.TemporaryDirectory(prefix="loom-check-installed-pre-merge-") as tmp:
             tmp_root = Path(tmp)

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/loom_init.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import argparse
+import hashlib
 import json
 import os
 import re
@@ -27,6 +28,17 @@ TOOL_VERSION = "1.3.0"
 CONTRACT_VERSION = "1.3.0"
 WORK_ITEM_ID = "INIT-0001"
+RUNTIME_ARTIFACT_SOURCES = {
+    ".loom/bin/loom_init.py": RUNTIME_SOURCE,
+    ".loom/bin/fact_chain_support.py": FACT_CHAIN_RUNTIME_SOURCE,
+    ".loom/bin/governance_surface.py": GOVERNANCE_RUNTIME_SOURCE,
+    ".loom/bin/loom_flow.py": FLOW_RUNTIME_SOURCE,
+    ".loom/bin/loom_status.py": STATUS_RUNTIME_SOURCE,
+    ".loom/bin/runtime_paths.py": "skills/shared/scripts/runtime_paths.py",
+    ".loom/bin/runtime_state.py": "skills/shared/scripts/runtime_state.py",
+    ".loom/bin/loom_check.py": CHECK_RUNTIME_SOURCE,
+}
 ROOT_BOUNDARY_FILES = (
     "AGENTS.md",
     "WORKFLOW.md",
@@ -816,46 +828,14 @@ def initial_artifacts(target_root: Path, install_pr_template: bool, adoption_pat
             "kind": "capability-map",
             "source": "generated",
         },
-        {
-            "path": ".loom/bin/loom_init.py",
-            "kind": "loom-tool",
-            "source": RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/fact_chain_support.py",
-            "kind": "loom-tool-support",
-            "source": FACT_CHAIN_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/governance_surface.py",
-            "kind": "loom-tool-support",
-            "source": GOVERNANCE_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_flow.py",
-            "kind": "loom-tool",
-            "source": FLOW_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_status.py",
-            "kind": "loom-tool",
-            "source": STATUS_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/runtime_paths.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_paths.py",
-        },
-        {
-            "path": ".loom/bin/runtime_state.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_state.py",
-        },
-        {
-            "path": ".loom/bin/loom_check.py",
-            "kind": "loom-tool",
-            "source": CHECK_RUNTIME_SOURCE,
-        },
+        runtime_artifact(".loom/bin/loom_init.py", "loom-tool", RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/fact_chain_support.py", "loom-tool-support", FACT_CHAIN_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/governance_surface.py", "loom-tool-support", GOVERNANCE_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_flow.py", "loom-tool", FLOW_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_status.py", "loom-tool", STATUS_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/runtime_paths.py", "loom-tool-support", "skills/shared/scripts/runtime_paths.py"),
+        runtime_artifact(".loom/bin/runtime_state.py", "loom-tool-support", "skills/shared/scripts/runtime_state.py"),
+        runtime_artifact(".loom/bin/loom_check.py", "loom-tool", CHECK_RUNTIME_SOURCE),
     ]
     if uses_attach_only_path(adoption_path):
         artifacts.extend(
@@ -1362,6 +1342,34 @@ def copy_file(source: Path, target: Path, force: bool) -> bool:
     return write_text(target, content, force=force)
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+def runtime_artifact(path: str, kind: str, source: str) -> dict[str, str]:
+    runtime_sources = {
+        ".loom/bin/loom_init.py": Path(__file__),
+        ".loom/bin/fact_chain_support.py": Path(__file__).with_name("fact_chain_support.py"),
+        ".loom/bin/governance_surface.py": Path(__file__).with_name("governance_surface.py"),
+        ".loom/bin/loom_flow.py": Path(__file__).with_name("loom_flow.py"),
+        ".loom/bin/loom_status.py": Path(__file__).with_name("loom_status.py"),
+        ".loom/bin/runtime_paths.py": Path(__file__).with_name("runtime_paths.py"),
+        ".loom/bin/runtime_state.py": Path(__file__).with_name("runtime_state.py"),
+        ".loom/bin/loom_check.py": Path(__file__).with_name("loom_check.py"),
+    }
+    source_path = runtime_sources[path]
+    return {
+        "path": path,
+        "kind": kind,
+        "source": source,
+        "sha256": sha256_file(source_path),
+    }
 def manifest_payload(result: dict[str, object]) -> dict[str, object]:
     return {
         "schema_version": "loom-bootstrap-manifest/v1",

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/runtime_state.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
     status = "pass" if not errors else "block"
     summary = (

package/payload/skills/loom-retire/.loom-runtime/shared/scripts/loom_check.py CHANGED Viewed

@@ -3711,6 +3711,27 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "block":
             failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when the bootstrap manifest drifts"))
+        hash_drift_bootstrap = tmp_root / "hash-drift-bootstrapped-target"
+        shutil.copytree(example_target, hash_drift_bootstrap)
+        manifest_path = hash_drift_bootstrap / ".loom" / "bootstrap" / "manifest.json"
+        manifest = load_json_file(manifest_path)
+        if isinstance(manifest, dict):
+            artifacts = manifest.get("artifacts")
+            if isinstance(artifacts, list):
+                for artifact in artifacts:
+                    if isinstance(artifact, dict) and artifact.get("path") == ".loom/bin/runtime_state.py":
+                        artifact["sha256"] = "0" * 64
+            manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
+        payload, error = load_command_json(
+            root,
+            ["python3", ".loom/bin/loom_init.py", "runtime-state", "--target", "."],
+            cwd=hash_drift_bootstrap,
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`bootstrapped runtime-state` provenance hash drift failed unexpectedly: {error}"))
+        elif payload.get("result") != "block":
+            failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when runtime provenance hashes drift"))
     if shutil.which("git") is not None:
         with tempfile.TemporaryDirectory(prefix="loom-check-installed-pre-merge-") as tmp:
             tmp_root = Path(tmp)

package/payload/skills/loom-retire/.loom-runtime/shared/scripts/loom_init.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import argparse
+import hashlib
 import json
 import os
 import re
@@ -27,6 +28,17 @@ TOOL_VERSION = "1.3.0"
 CONTRACT_VERSION = "1.3.0"
 WORK_ITEM_ID = "INIT-0001"
+RUNTIME_ARTIFACT_SOURCES = {
+    ".loom/bin/loom_init.py": RUNTIME_SOURCE,
+    ".loom/bin/fact_chain_support.py": FACT_CHAIN_RUNTIME_SOURCE,
+    ".loom/bin/governance_surface.py": GOVERNANCE_RUNTIME_SOURCE,
+    ".loom/bin/loom_flow.py": FLOW_RUNTIME_SOURCE,
+    ".loom/bin/loom_status.py": STATUS_RUNTIME_SOURCE,
+    ".loom/bin/runtime_paths.py": "skills/shared/scripts/runtime_paths.py",
+    ".loom/bin/runtime_state.py": "skills/shared/scripts/runtime_state.py",
+    ".loom/bin/loom_check.py": CHECK_RUNTIME_SOURCE,
+}
 ROOT_BOUNDARY_FILES = (
     "AGENTS.md",
     "WORKFLOW.md",
@@ -816,46 +828,14 @@ def initial_artifacts(target_root: Path, install_pr_template: bool, adoption_pat
             "kind": "capability-map",
             "source": "generated",
         },
-        {
-            "path": ".loom/bin/loom_init.py",
-            "kind": "loom-tool",
-            "source": RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/fact_chain_support.py",
-            "kind": "loom-tool-support",
-            "source": FACT_CHAIN_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/governance_surface.py",
-            "kind": "loom-tool-support",
-            "source": GOVERNANCE_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_flow.py",
-            "kind": "loom-tool",
-            "source": FLOW_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_status.py",
-            "kind": "loom-tool",
-            "source": STATUS_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/runtime_paths.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_paths.py",
-        },
-        {
-            "path": ".loom/bin/runtime_state.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_state.py",
-        },
-        {
-            "path": ".loom/bin/loom_check.py",
-            "kind": "loom-tool",
-            "source": CHECK_RUNTIME_SOURCE,
-        },
+        runtime_artifact(".loom/bin/loom_init.py", "loom-tool", RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/fact_chain_support.py", "loom-tool-support", FACT_CHAIN_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/governance_surface.py", "loom-tool-support", GOVERNANCE_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_flow.py", "loom-tool", FLOW_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_status.py", "loom-tool", STATUS_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/runtime_paths.py", "loom-tool-support", "skills/shared/scripts/runtime_paths.py"),
+        runtime_artifact(".loom/bin/runtime_state.py", "loom-tool-support", "skills/shared/scripts/runtime_state.py"),
+        runtime_artifact(".loom/bin/loom_check.py", "loom-tool", CHECK_RUNTIME_SOURCE),
     ]
     if uses_attach_only_path(adoption_path):
         artifacts.extend(
@@ -1362,6 +1342,34 @@ def copy_file(source: Path, target: Path, force: bool) -> bool:
     return write_text(target, content, force=force)
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+def runtime_artifact(path: str, kind: str, source: str) -> dict[str, str]:
+    runtime_sources = {
+        ".loom/bin/loom_init.py": Path(__file__),
+        ".loom/bin/fact_chain_support.py": Path(__file__).with_name("fact_chain_support.py"),
+        ".loom/bin/governance_surface.py": Path(__file__).with_name("governance_surface.py"),
+        ".loom/bin/loom_flow.py": Path(__file__).with_name("loom_flow.py"),
+        ".loom/bin/loom_status.py": Path(__file__).with_name("loom_status.py"),
+        ".loom/bin/runtime_paths.py": Path(__file__).with_name("runtime_paths.py"),
+        ".loom/bin/runtime_state.py": Path(__file__).with_name("runtime_state.py"),
+        ".loom/bin/loom_check.py": Path(__file__).with_name("loom_check.py"),
+    }
+    source_path = runtime_sources[path]
+    return {
+        "path": path,
+        "kind": kind,
+        "source": source,
+        "sha256": sha256_file(source_path),
+    }
 def manifest_payload(result: dict[str, object]) -> dict[str, object]:
     return {
         "schema_version": "loom-bootstrap-manifest/v1",

package/payload/skills/loom-retire/.loom-runtime/shared/scripts/runtime_state.py CHANGED Viewed

@@ -4,6 +4,7 @@
 from __future__ import annotations
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
     status = "pass" if not errors else "block"
     summary = (

package/payload/skills/loom-review/.loom-runtime/shared/scripts/loom_check.py CHANGED Viewed

@@ -3711,6 +3711,27 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "block":
             failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when the bootstrap manifest drifts"))
+        hash_drift_bootstrap = tmp_root / "hash-drift-bootstrapped-target"
+        shutil.copytree(example_target, hash_drift_bootstrap)
+        manifest_path = hash_drift_bootstrap / ".loom" / "bootstrap" / "manifest.json"
+        manifest = load_json_file(manifest_path)
+        if isinstance(manifest, dict):
+            artifacts = manifest.get("artifacts")
+            if isinstance(artifacts, list):
+                for artifact in artifacts:
+                    if isinstance(artifact, dict) and artifact.get("path") == ".loom/bin/runtime_state.py":
+                        artifact["sha256"] = "0" * 64
+            manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
+        payload, error = load_command_json(
+            root,
+            ["python3", ".loom/bin/loom_init.py", "runtime-state", "--target", "."],
+            cwd=hash_drift_bootstrap,
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`bootstrapped runtime-state` provenance hash drift failed unexpectedly: {error}"))
+        elif payload.get("result") != "block":
+            failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when runtime provenance hashes drift"))
     if shutil.which("git") is not None:
         with tempfile.TemporaryDirectory(prefix="loom-check-installed-pre-merge-") as tmp:
             tmp_root = Path(tmp)