@mc-and-his-agents/loom-installer 0.1.21 → 0.1.23

package/payload/skills/loom-pre-review/.loom-runtime/shared/scripts/loom_init.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import argparse
+import hashlib
 import json
 import os
 import re
@@ -27,6 +28,17 @@ TOOL_VERSION = "1.3.0"
 CONTRACT_VERSION = "1.3.0"
 WORK_ITEM_ID = "INIT-0001"
 
+RUNTIME_ARTIFACT_SOURCES = {
+    ".loom/bin/loom_init.py": RUNTIME_SOURCE,
+    ".loom/bin/fact_chain_support.py": FACT_CHAIN_RUNTIME_SOURCE,
+    ".loom/bin/governance_surface.py": GOVERNANCE_RUNTIME_SOURCE,
+    ".loom/bin/loom_flow.py": FLOW_RUNTIME_SOURCE,
+    ".loom/bin/loom_status.py": STATUS_RUNTIME_SOURCE,
+    ".loom/bin/runtime_paths.py": "skills/shared/scripts/runtime_paths.py",
+    ".loom/bin/runtime_state.py": "skills/shared/scripts/runtime_state.py",
+    ".loom/bin/loom_check.py": CHECK_RUNTIME_SOURCE,
+}
+
 ROOT_BOUNDARY_FILES = (
     "AGENTS.md",
     "WORKFLOW.md",
@@ -816,46 +828,14 @@ def initial_artifacts(target_root: Path, install_pr_template: bool, adoption_pat
             "kind": "capability-map",
             "source": "generated",
         },
-        {
-            "path": ".loom/bin/loom_init.py",
-            "kind": "loom-tool",
-            "source": RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/fact_chain_support.py",
-            "kind": "loom-tool-support",
-            "source": FACT_CHAIN_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/governance_surface.py",
-            "kind": "loom-tool-support",
-            "source": GOVERNANCE_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_flow.py",
-            "kind": "loom-tool",
-            "source": FLOW_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_status.py",
-            "kind": "loom-tool",
-            "source": STATUS_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/runtime_paths.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_paths.py",
-        },
-        {
-            "path": ".loom/bin/runtime_state.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_state.py",
-        },
-        {
-            "path": ".loom/bin/loom_check.py",
-            "kind": "loom-tool",
-            "source": CHECK_RUNTIME_SOURCE,
-        },
+        runtime_artifact(".loom/bin/loom_init.py", "loom-tool", RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/fact_chain_support.py", "loom-tool-support", FACT_CHAIN_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/governance_surface.py", "loom-tool-support", GOVERNANCE_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_flow.py", "loom-tool", FLOW_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_status.py", "loom-tool", STATUS_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/runtime_paths.py", "loom-tool-support", "skills/shared/scripts/runtime_paths.py"),
+        runtime_artifact(".loom/bin/runtime_state.py", "loom-tool-support", "skills/shared/scripts/runtime_state.py"),
+        runtime_artifact(".loom/bin/loom_check.py", "loom-tool", CHECK_RUNTIME_SOURCE),
     ]
     if uses_attach_only_path(adoption_path):
         artifacts.extend(
@@ -1362,6 +1342,34 @@ def copy_file(source: Path, target: Path, force: bool) -> bool:
     return write_text(target, content, force=force)
 
 
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def runtime_artifact(path: str, kind: str, source: str) -> dict[str, str]:
+    runtime_sources = {
+        ".loom/bin/loom_init.py": Path(__file__),
+        ".loom/bin/fact_chain_support.py": Path(__file__).with_name("fact_chain_support.py"),
+        ".loom/bin/governance_surface.py": Path(__file__).with_name("governance_surface.py"),
+        ".loom/bin/loom_flow.py": Path(__file__).with_name("loom_flow.py"),
+        ".loom/bin/loom_status.py": Path(__file__).with_name("loom_status.py"),
+        ".loom/bin/runtime_paths.py": Path(__file__).with_name("runtime_paths.py"),
+        ".loom/bin/runtime_state.py": Path(__file__).with_name("runtime_state.py"),
+        ".loom/bin/loom_check.py": Path(__file__).with_name("loom_check.py"),
+    }
+    source_path = runtime_sources[path]
+    return {
+        "path": path,
+        "kind": kind,
+        "source": source,
+        "sha256": sha256_file(source_path),
+    }
+
+
 def manifest_payload(result: dict[str, object]) -> dict[str, object]:
     return {
         "schema_version": "loom-bootstrap-manifest/v1",
@@ -1619,24 +1627,23 @@ def verify_target(target_root: Path, output_path: Path) -> list[str]:
                 ):
                     if field not in runtime_evidence_report:
                         errors.append(f"fact-chain: runtime_evidence is missing `{field}`")
-            matching_work_item = None
-            for work_item in validated_work_items:
-                if work_item.get("id") == current_item_id:
-                    matching_work_item = work_item
-                    break
-            if matching_work_item is None:
-                errors.append(f"init-result is missing the current work item `{current_item_id}`")
-            else:
+            bootstrap_work_item = next(
+                (work_item for work_item in validated_work_items if work_item.get("id") == WORK_ITEM_ID),
+                None,
+            )
+            if bootstrap_work_item is None:
+                errors.append(f"init-result is missing the bootstrap work item `{WORK_ITEM_ID}`")
+            elif current_item_id == WORK_ITEM_ID:
                 expected_init_fields = {
                     "recovery_entry": fact_chain_report["fact_chain"]["entry_points"]["recovery_entry"],
                     "validation_entry": fact_chain_report["facts"]["validation_entry"]["value"],
                     "workspace_entry": fact_chain_report["facts"]["workspace_entry"]["value"],
                 }
                 for field, expected_value in expected_init_fields.items():
-                    actual_value = matching_work_item.get(field)
+                    actual_value = bootstrap_work_item.get(field)
                     if actual_value != expected_value:
                         errors.append(
-                            f"init-result work item `{current_item_id}` has inconsistent `{field}`: "
+                            f"init-result bootstrap work item `{WORK_ITEM_ID}` has inconsistent `{field}`: "
                             f"expected `{expected_value}`, got `{actual_value}`"
                         )
 

package/payload/skills/loom-pre-review/.loom-runtime/shared/scripts/runtime_state.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
 
 
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
 
     status = "pass" if not errors else "block"
     summary = (

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/governance_surface.py

@@ -893,18 +893,60 @@ def first_match(directory: Path, suffix: str, root: Path) -> str:
     return ""
 
 
+def existing_locator(root: Path, relative: str | None) -> str:
+    if not relative:
+        return ""
+    return relative if (root / relative).exists() else ""
+
+
+def active_or_first(root: Path, relative: str | None, directory: Path, suffix: str) -> str:
+    return existing_locator(root, relative) or (first_match(directory, suffix, root) if directory.exists() else "")
+
+
+def current_review_locator(root: Path, review_dir: Path, item_id: str) -> str:
+    review_path = review_dir / f"{item_id}.json"
+    if review_path.exists():
+        return relative_locator(review_path, root)
+    return first_match(review_dir, ".json", root) if review_dir.exists() else ""
+
+
+def active_entry_points(root: Path) -> dict[str, str]:
+    init_result = root / ".loom/bootstrap/init-result.json"
+    try:
+        payload = json.loads(init_result.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return {}
+    if not isinstance(payload, dict):
+        return {}
+    fact_chain = payload.get("fact_chain")
+    if not isinstance(fact_chain, dict):
+        return {}
+    entry_points = fact_chain.get("entry_points")
+    if not isinstance(entry_points, dict):
+        return {}
+    active: dict[str, str] = {}
+    for key in ("current_item_id", "work_item", "recovery_entry", "status_surface"):
+        value = entry_points.get(key)
+        if isinstance(value, str) and value.strip():
+            active[key] = value.strip()
+    return active
+
+
 def detect_carrier_summary(root: Path, *, repository_mode: str, planning_mode: bool) -> dict[str, dict[str, str]]:
+    active = active_entry_points(root)
+    active_item_id = active.get("current_item_id") or "INIT-0001"
     item_dir = root / ".loom/work-items"
     recovery_dir = root / ".loom/progress"
     review_dir = root / ".loom/reviews"
-    status_path = root / ".loom/status/current.md"
-    spec_path = root / ".loom/specs/INIT-0001/spec.md"
-    plan_path = root / ".loom/specs/INIT-0001/plan.md"
+    status_locator = active.get("status_surface") or ".loom/status/current.md"
+    status_path = root / status_locator
+    spec_path = root / f".loom/specs/{active_item_id}/spec.md"
+    plan_path = root / f".loom/specs/{active_item_id}/plan.md"
 
     present_locators = {
-        "work_item": first_match(item_dir, ".md", root) if item_dir.exists() else "",
-        "recovery": first_match(recovery_dir, ".md", root) if recovery_dir.exists() else "",
-        "review": first_match(review_dir, ".json", root) if review_dir.exists() else "",
+        "work_item": active_or_first(root, active.get("work_item"), item_dir, ".md"),
+        "recovery": active_or_first(root, active.get("recovery_entry"), recovery_dir, ".md"),
+        "review": current_review_locator(root, review_dir, active_item_id),
         "status_surface": relative_locator(status_path, root) if status_path.exists() else "",
         "spec_path": relative_locator(spec_path, root) if spec_path.exists() else "",
         "plan_path": relative_locator(plan_path, root) if plan_path.exists() else "",
@@ -922,11 +964,11 @@ def detect_carrier_summary(root: Path, *, repository_mode: str, planning_mode: b
     return summary
 
 
-def detect_execution_entry(root: Path, loom_state: str, *, bootstrap_mode: bool) -> str:
+def detect_execution_entry(root: Path, loom_state: str, *, bootstrap_mode: bool, active_item_id: str = "INIT-0001") -> str:
     if bootstrap_mode:
-        return "python3 .loom/bin/loom_flow.py flow resume --target . --item INIT-0001"
+        return f"python3 .loom/bin/loom_flow.py flow resume --target . --item {active_item_id}"
     if loom_state == "active":
-        return f"{command_prefix(root, 'loom_flow.py')} flow resume --target . --item INIT-0001"
+        return f"{command_prefix(root, 'loom_flow.py')} flow resume --target . --item {active_item_id}"
     if loom_state == "partial":
         return f"{command_prefix(root, 'loom_init.py')} route --target <repo> --task \"请接手当前事项并恢复上下文后继续推进\""
     return "unknown"
@@ -942,16 +984,16 @@ def detect_validation_entry(loom_state: str, *, bootstrap_mode: bool) -> str:
     return "unknown"
 
 
-def detect_review_merge_surface(root: Path, loom_state: str, *, bootstrap_mode: bool) -> dict[str, str]:
+def detect_review_merge_surface(root: Path, loom_state: str, *, bootstrap_mode: bool, active_item_id: str = "INIT-0001") -> dict[str, str]:
     pr_template = ".github/PULL_REQUEST_TEMPLATE.md" if file_exists(root, ".github/PULL_REQUEST_TEMPLATE.md") else "unknown"
     validation_surface = ".loom/status/current.md" if file_exists(root, ".loom/status/current.md") else "unknown"
     if bootstrap_mode and validation_surface == "unknown":
         validation_surface = ".loom/status/current.md"
 
     if bootstrap_mode:
-        merge_surface = "python3 .loom/bin/loom_flow.py checkpoint merge --target . --item INIT-0001"
+        merge_surface = f"python3 .loom/bin/loom_flow.py checkpoint merge --target . --item {active_item_id}"
     elif loom_state == "active":
-        merge_surface = f"{command_prefix(root, 'loom_flow.py')} checkpoint merge --target . [--item <id>]"
+        merge_surface = f"{command_prefix(root, 'loom_flow.py')} checkpoint merge --target . --item {active_item_id}"
     else:
         merge_surface = "unknown"
     return {
@@ -1207,11 +1249,12 @@ def build_governance_surface(
     loom_state = detect_loom_state(root)
     repository_mode = detect_repository_mode(root, loom_state, scenario_override=scenario_override)
     planning_mode = bootstrap_mode and repository_mode == "new" and loom_state != "active"
+    active_item_id = active_entry_points(root).get("current_item_id", "INIT-0001")
     carrier_summary = detect_carrier_summary(root, repository_mode=repository_mode, planning_mode=planning_mode)
     github_control_plane, github_missing = detect_github_control_plane(root)
-    execution_entry = detect_execution_entry(root, loom_state, bootstrap_mode=bootstrap_mode)
+    execution_entry = detect_execution_entry(root, loom_state, bootstrap_mode=bootstrap_mode, active_item_id=active_item_id)
     validation_entry = detect_validation_entry(loom_state, bootstrap_mode=bootstrap_mode)
-    review_merge_surface = detect_review_merge_surface(root, loom_state, bootstrap_mode=bootstrap_mode)
+    review_merge_surface = detect_review_merge_surface(root, loom_state, bootstrap_mode=bootstrap_mode, active_item_id=active_item_id)
     repo_interface, repo_interface_missing = detect_repo_interface(root)
     repo_interop, repo_interop_missing = detect_repo_interop(root)
     host_binding = detect_host_binding_surface(

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/loom_check.py

@@ -3468,6 +3468,72 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "pass":
             failures.append(Failure("daily-execution-cli", "`work-item update` must pass on a clean temp copy"))
 
+        payload, error = load_command_json(
+            root,
+            [
+                "python3",
+                "tools/loom_init.py",
+                "verify",
+                "--target",
+                str(authoring_target),
+            ],
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`loom-init verify` active item rollover failed: {error}"))
+        elif payload.get("ok") is not True:
+            failures.append(Failure("daily-execution-cli", "`loom-init verify` must pass after active item rollover"))
+
+        payload, error = load_command_json(
+            root,
+            [
+                "python3",
+                "tools/loom_status.py",
+                "--target",
+                str(authoring_target),
+                "--item",
+                "NEXT-0001",
+            ],
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`loom-status` active item rollover failed: {error}"))
+        else:
+            current_item = payload.get("item", {}).get("id") if isinstance(payload.get("item"), dict) else None
+            if current_item != "NEXT-0001":
+                failures.append(Failure("daily-execution-cli", "`loom-status` must report the rolled-over active item"))
+            governance_surface = payload.get("governance_surface")
+            if isinstance(governance_surface, dict):
+                carrier_summary = governance_surface.get("carrier_summary")
+                if isinstance(carrier_summary, dict):
+                    work_item = carrier_summary.get("work_item")
+                    recovery = carrier_summary.get("recovery")
+                    if isinstance(work_item, dict) and work_item.get("locator") != ".loom/work-items/NEXT-0001.md":
+                        failures.append(Failure("daily-execution-cli", "`loom-status` carrier summary must point to the active Work Item"))
+                    if isinstance(recovery, dict) and recovery.get("locator") != ".loom/progress/NEXT-0001.md":
+                        failures.append(Failure("daily-execution-cli", "`loom-status` carrier summary must point to the active recovery entry"))
+                execution_entry = str(governance_surface.get("execution_entry", ""))
+                if "--item NEXT-0001" not in execution_entry:
+                    failures.append(Failure("daily-execution-cli", "`loom-status` execution entry must resume the active Work Item"))
+
+        payload, error = load_command_json(
+            root,
+            [
+                "python3",
+                "tools/loom_flow.py",
+                "flow",
+                "spec-review",
+                "--target",
+                str(authoring_target),
+                "--item",
+                "NEXT-0001",
+            ],
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`flow spec-review` active item rollover failed: {error}"))
+        elif payload.get("result") not in {"block", "fallback"}:
+            failures.append(Failure("daily-execution-cli", "`flow spec-review` must not pass when the active item has no spec suite"))
+        elif ".loom/specs/INIT-0001/spec.md" in json.dumps(payload, ensure_ascii=False):
+            failures.append(Failure("daily-execution-cli", "`flow spec-review` must not fall back to the bootstrap spec suite for a rolled-over active item"))
+
         findings_path = authoring_target / ".loom" / "review-findings.json"
         findings_path.parent.mkdir(parents=True, exist_ok=True)
         findings_path.write_text(
@@ -3711,6 +3777,27 @@ def check_daily_execution_cli(root: Path) -> list[Failure]:
         elif payload.get("result") != "block":
             failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when the bootstrap manifest drifts"))
 
+        hash_drift_bootstrap = tmp_root / "hash-drift-bootstrapped-target"
+        shutil.copytree(example_target, hash_drift_bootstrap)
+        manifest_path = hash_drift_bootstrap / ".loom" / "bootstrap" / "manifest.json"
+        manifest = load_json_file(manifest_path)
+        if isinstance(manifest, dict):
+            artifacts = manifest.get("artifacts")
+            if isinstance(artifacts, list):
+                for artifact in artifacts:
+                    if isinstance(artifact, dict) and artifact.get("path") == ".loom/bin/runtime_state.py":
+                        artifact["sha256"] = "0" * 64
+            manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
+        payload, error = load_command_json(
+            root,
+            ["python3", ".loom/bin/loom_init.py", "runtime-state", "--target", "."],
+            cwd=hash_drift_bootstrap,
+        )
+        if error:
+            failures.append(Failure("daily-execution-cli", f"`bootstrapped runtime-state` provenance hash drift failed unexpectedly: {error}"))
+        elif payload.get("result") != "block":
+            failures.append(Failure("daily-execution-cli", "`bootstrapped runtime-state` must block when runtime provenance hashes drift"))
+
     if shutil.which("git") is not None:
         with tempfile.TemporaryDirectory(prefix="loom-check-installed-pre-merge-") as tmp:
             tmp_root = Path(tmp)

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/loom_flow.py

@@ -1169,7 +1169,7 @@ def formal_spec_path(context: dict[str, Any]) -> str | None:
             return artifact
 
     fallback = context["target_root"] / ".loom/specs/INIT-0001/spec.md"
-    if fallback.exists():
+    if context["item_id"] == "INIT-0001" and fallback.exists():
         return ".loom/specs/INIT-0001/spec.md"
     return None
 
@@ -1182,12 +1182,15 @@ def spec_suite_paths(context: dict[str, Any]) -> dict[str, str]:
             "plan": f".loom/specs/{item_id}/plan.md",
             "implementation_contract": f".loom/specs/{item_id}/implementation-contract.md",
         },
-        {
-            "spec": ".loom/specs/INIT-0001/spec.md",
-            "plan": ".loom/specs/INIT-0001/plan.md",
-            "implementation_contract": ".loom/specs/INIT-0001/implementation-contract.md",
-        },
     ]
+    if item_id == "INIT-0001":
+        candidates.append(
+            {
+                "spec": ".loom/specs/INIT-0001/spec.md",
+                "plan": ".loom/specs/INIT-0001/plan.md",
+                "implementation_contract": ".loom/specs/INIT-0001/implementation-contract.md",
+            }
+        )
     for suite in candidates:
         if (context["target_root"] / suite["spec"]).exists():
             return suite

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/loom_init.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import argparse
+import hashlib
 import json
 import os
 import re
@@ -27,6 +28,17 @@ TOOL_VERSION = "1.3.0"
 CONTRACT_VERSION = "1.3.0"
 WORK_ITEM_ID = "INIT-0001"
 
+RUNTIME_ARTIFACT_SOURCES = {
+    ".loom/bin/loom_init.py": RUNTIME_SOURCE,
+    ".loom/bin/fact_chain_support.py": FACT_CHAIN_RUNTIME_SOURCE,
+    ".loom/bin/governance_surface.py": GOVERNANCE_RUNTIME_SOURCE,
+    ".loom/bin/loom_flow.py": FLOW_RUNTIME_SOURCE,
+    ".loom/bin/loom_status.py": STATUS_RUNTIME_SOURCE,
+    ".loom/bin/runtime_paths.py": "skills/shared/scripts/runtime_paths.py",
+    ".loom/bin/runtime_state.py": "skills/shared/scripts/runtime_state.py",
+    ".loom/bin/loom_check.py": CHECK_RUNTIME_SOURCE,
+}
+
 ROOT_BOUNDARY_FILES = (
     "AGENTS.md",
     "WORKFLOW.md",
@@ -816,46 +828,14 @@ def initial_artifacts(target_root: Path, install_pr_template: bool, adoption_pat
             "kind": "capability-map",
             "source": "generated",
         },
-        {
-            "path": ".loom/bin/loom_init.py",
-            "kind": "loom-tool",
-            "source": RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/fact_chain_support.py",
-            "kind": "loom-tool-support",
-            "source": FACT_CHAIN_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/governance_surface.py",
-            "kind": "loom-tool-support",
-            "source": GOVERNANCE_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_flow.py",
-            "kind": "loom-tool",
-            "source": FLOW_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/loom_status.py",
-            "kind": "loom-tool",
-            "source": STATUS_RUNTIME_SOURCE,
-        },
-        {
-            "path": ".loom/bin/runtime_paths.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_paths.py",
-        },
-        {
-            "path": ".loom/bin/runtime_state.py",
-            "kind": "loom-tool-support",
-            "source": "skills/shared/scripts/runtime_state.py",
-        },
-        {
-            "path": ".loom/bin/loom_check.py",
-            "kind": "loom-tool",
-            "source": CHECK_RUNTIME_SOURCE,
-        },
+        runtime_artifact(".loom/bin/loom_init.py", "loom-tool", RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/fact_chain_support.py", "loom-tool-support", FACT_CHAIN_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/governance_surface.py", "loom-tool-support", GOVERNANCE_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_flow.py", "loom-tool", FLOW_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/loom_status.py", "loom-tool", STATUS_RUNTIME_SOURCE),
+        runtime_artifact(".loom/bin/runtime_paths.py", "loom-tool-support", "skills/shared/scripts/runtime_paths.py"),
+        runtime_artifact(".loom/bin/runtime_state.py", "loom-tool-support", "skills/shared/scripts/runtime_state.py"),
+        runtime_artifact(".loom/bin/loom_check.py", "loom-tool", CHECK_RUNTIME_SOURCE),
     ]
     if uses_attach_only_path(adoption_path):
         artifacts.extend(
@@ -1362,6 +1342,34 @@ def copy_file(source: Path, target: Path, force: bool) -> bool:
     return write_text(target, content, force=force)
 
 
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def runtime_artifact(path: str, kind: str, source: str) -> dict[str, str]:
+    runtime_sources = {
+        ".loom/bin/loom_init.py": Path(__file__),
+        ".loom/bin/fact_chain_support.py": Path(__file__).with_name("fact_chain_support.py"),
+        ".loom/bin/governance_surface.py": Path(__file__).with_name("governance_surface.py"),
+        ".loom/bin/loom_flow.py": Path(__file__).with_name("loom_flow.py"),
+        ".loom/bin/loom_status.py": Path(__file__).with_name("loom_status.py"),
+        ".loom/bin/runtime_paths.py": Path(__file__).with_name("runtime_paths.py"),
+        ".loom/bin/runtime_state.py": Path(__file__).with_name("runtime_state.py"),
+        ".loom/bin/loom_check.py": Path(__file__).with_name("loom_check.py"),
+    }
+    source_path = runtime_sources[path]
+    return {
+        "path": path,
+        "kind": kind,
+        "source": source,
+        "sha256": sha256_file(source_path),
+    }
+
+
 def manifest_payload(result: dict[str, object]) -> dict[str, object]:
     return {
         "schema_version": "loom-bootstrap-manifest/v1",
@@ -1619,24 +1627,23 @@ def verify_target(target_root: Path, output_path: Path) -> list[str]:
                 ):
                     if field not in runtime_evidence_report:
                         errors.append(f"fact-chain: runtime_evidence is missing `{field}`")
-            matching_work_item = None
-            for work_item in validated_work_items:
-                if work_item.get("id") == current_item_id:
-                    matching_work_item = work_item
-                    break
-            if matching_work_item is None:
-                errors.append(f"init-result is missing the current work item `{current_item_id}`")
-            else:
+            bootstrap_work_item = next(
+                (work_item for work_item in validated_work_items if work_item.get("id") == WORK_ITEM_ID),
+                None,
+            )
+            if bootstrap_work_item is None:
+                errors.append(f"init-result is missing the bootstrap work item `{WORK_ITEM_ID}`")
+            elif current_item_id == WORK_ITEM_ID:
                 expected_init_fields = {
                     "recovery_entry": fact_chain_report["fact_chain"]["entry_points"]["recovery_entry"],
                     "validation_entry": fact_chain_report["facts"]["validation_entry"]["value"],
                     "workspace_entry": fact_chain_report["facts"]["workspace_entry"]["value"],
                 }
                 for field, expected_value in expected_init_fields.items():
-                    actual_value = matching_work_item.get(field)
+                    actual_value = bootstrap_work_item.get(field)
                     if actual_value != expected_value:
                         errors.append(
-                            f"init-result work item `{current_item_id}` has inconsistent `{field}`: "
+                            f"init-result bootstrap work item `{WORK_ITEM_ID}` has inconsistent `{field}`: "
                             f"expected `{expected_value}`, got `{actual_value}`"
                         )
 

package/payload/skills/loom-resume/.loom-runtime/shared/scripts/runtime_state.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import json
+import hashlib
 import os
 from pathlib import Path
 from typing import Any
@@ -85,6 +86,14 @@ def detect_carrier(caller_file: str) -> str | None:
     return None
 
 
+def sha256_file(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
 def _default_scene_for_carrier(carrier: str) -> str:
     if carrier == "repo-local-wrapper":
         return "repo-local-demo"
@@ -284,6 +293,14 @@ def _validate_bootstrapped_runtime(caller_file: str) -> tuple[dict[str, Any], li
         runtime_file = runtime_root / Path(relative).name
         if not runtime_file.exists():
             errors.append(f"bootstrapped runtime file is missing: `{relative}`")
+            continue
+        expected_hash = artifact.get("sha256")
+        if not isinstance(expected_hash, str) or not expected_hash.strip():
+            errors.append(f"bootstrap runtime artifact `{relative}` must declare sha256 provenance")
+            continue
+        actual_hash = sha256_file(runtime_file)
+        if actual_hash != expected_hash:
+            errors.append(f"bootstrap runtime artifact `{relative}` sha256 drifted")
 
     status = "pass" if not errors else "block"
     summary = (