@meetless/mla 0.1.4

package/dist/commands/rules.js

@@ -0,0 +1,728 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RULES_PUBLISH_USAGE = exports.RULES_USAGE = void 0;
+exports.runRulesList = runRulesList;
+exports.runRulesActivity = runRulesActivity;
+exports.runRulesAttest = runRulesAttest;
+exports.runRulesRevoke = runRulesRevoke;
+exports.runRulesPublish = runRulesPublish;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_1 = require("../lib/config");
+const http_1 = require("../lib/http");
+const attest_notes_location_1 = require("../lib/rules/attest-notes-location");
+const attest_code_rule_version_1 = require("../lib/rules/attest-code-rule-version");
+const attest_rule_version_1 = require("../lib/rules/attest-rule-version");
+const ce0_store_1 = require("../lib/rules/ce0-store");
+const code_rule_registry_1 = require("../lib/rules/code-rule-registry");
+const interception_store_1 = require("../lib/rules/interception-store");
+const local_rule_version_repo_1 = require("../lib/rules/local-rule-version-repo");
+const rule_version_hash_1 = require("../lib/rules/rule-version-hash");
+const rule_activity_1 = require("../lib/rules/rule-activity");
+const runtime_scope_1 = require("../lib/rules/runtime-scope");
+const ulid_1 = require("../lib/rules/ulid");
+const evidence_1 = require("./evidence");
+// `mla rules list`: the read-only window onto what R0 has durably observed in the ACTIVE runtime
+// scope (proposal §10.2 R0 readiness). The runtime hooks only RECORD; this command never mutates a
+// row, never calls the backend, and never crosses into another scope. It lists one entry per distinct
+// observed rule: the observed-rule-v1 hash, the scanned directive text, the latest verdict and when
+// it was last seen, how many times it has been observed, and whether a local attested version derives
+// from that observed hash. It is a thin IO shell over listObservedRulesInScope; the runtime-scope
+// resolver and the store path are injectable so the workflow is testable end to end.
+const USAGE = "usage: mla rules <list|activity|attest|revoke|publish> [...]";
+exports.RULES_USAGE = USAGE;
+const PUBLISH_USAGE = "usage: mla rules publish [--json]";
+exports.RULES_PUBLISH_USAGE = PUBLISH_USAGE;
+const ATTEST_USAGE = "usage: mla rules attest --from-observed <observedRuleHash> " +
+    "[--new-rule <ruleId> | --rule <ruleId>] [--agent-on-user-request --yes] [--no-publish]";
+const CODE_RULE_ATTEST_USAGE = "usage: mla rules attest --from-code-rule <name> [--agent-on-user-request --yes] [--no-publish] " +
+    "(the rule id is pinned by the registry; --from-observed / --new-rule / --rule are not allowed here)";
+const REVOKE_USAGE = "usage: mla rules revoke [--rule <ruleId>] [--yes] [--no-publish]";
+/** `mla rules list [--json]`: list the observed rules R0 has recorded in the active runtime scope. */
+async function runRulesList(argv, deps = {}) {
+    const out = deps.out ?? ((line) => console.log(line));
+    const json = argv.includes("--json");
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    try {
+        const rules = (0, interception_store_1.listObservedRulesInScope)(store, runtimeScopeId);
+        out(json ? JSON.stringify({ runtimeScopeId, rules }) : formatRulesText(runtimeScopeId, rules));
+        return 0;
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+}
+/** Render the listing as a compact, stable text block (one record per observed rule). */
+function formatRulesText(runtimeScopeId, rules) {
+    const lines = [`runtime scope: ${runtimeScopeId}`];
+    if (rules.length === 0) {
+        lines.push("no observed rules recorded in this scope");
+        return lines.join("\n");
+    }
+    lines.push(`${rules.length} observed rule(s)`, "");
+    for (const r of rules) {
+        lines.push(r.observedRuleHash);
+        lines.push(`  text:    ${r.ruleText}`);
+        lines.push(`  latest:  ${r.latestResult} at ${r.latestObservedAt} (${r.observationCount} observation(s))`);
+        lines.push(`  version: ${r.hasLocalVersion ? "attested" : "none"}`);
+        lines.push("");
+    }
+    return lines.join("\n").trimEnd();
+}
+// ---------------------------------------------------------------------------
+// mla rules activity: the R2-LOCAL accountability projection (proposal §2.6 / §3.7 "still local")
+// ---------------------------------------------------------------------------
+/**
+ * `mla rules activity [--json]`: the §2.6 "observed N, violated M" measurement per LIVE rule in the
+ * active scope. This is the SHIPPABLE half of R2: the terminal-outcome half (project a COMMITTED
+ * violation, ie "the action the deny named actually happened") is BLOCKED BY DESIGN because the supported
+ * PreToolUse payload carries no tool_use_id and heuristic post correlation is forbidden (§9.10, §2.6).
+ * The measurement that licenses promoting a rule out of DRY_RUN needs no correlation: it is a pure
+ * projection of the records MLA already owns at evaluation time (tool_attempt + rule_evaluation_record),
+ * so this command reads them with one local query and never calls the backend or crosses scope. A thin IO
+ * shell over summarizeRuleActivity; the runtime-scope resolver and the store path are injectable.
+ */
+async function runRulesActivity(argv, deps = {}) {
+    const out = deps.out ?? ((line) => console.log(line));
+    const json = argv.includes("--json");
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    try {
+        const rules = (0, rule_activity_1.summarizeRuleActivity)(store, runtimeScopeId);
+        out(json ? JSON.stringify({ runtimeScopeId, rules }) : formatActivityText(runtimeScopeId, rules));
+        return 0;
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+}
+/** Render the per-rule measurement as a compact, stable text block (one record per LIVE rule). */
+function formatActivityText(runtimeScopeId, rules) {
+    const lines = [`runtime scope: ${runtimeScopeId}`];
+    if (rules.length === 0) {
+        lines.push("no LIVE rules attested in this scope");
+        return lines.join("\n");
+    }
+    lines.push(`${rules.length} LIVE rule(s)`, "");
+    for (const r of rules) {
+        lines.push(`${r.ruleId} (${r.versionId})`);
+        lines.push(`  observed ${r.observed}, compliant ${r.compliant}, ` +
+            `violation ${r.violation}, denied ${r.deniedEmitted}, ` +
+            `enforcement-unavailable ${r.enforcementUnavailable}`);
+        lines.push("");
+    }
+    return lines.join("\n").trimEnd();
+}
+/** Read the audited operator from the authenticated session; only a user-token is a human attestor. */
+function defaultResolveOperator() {
+    const cfg = (0, config_1.readConfig)();
+    if (cfg.auth.mode !== "user-token")
+        return null;
+    return { attestedBy: cfg.auth.user.id, displayName: cfg.auth.user.displayName || cfg.auth.user.id };
+}
+/** Synchronously read one line of confirmation from stdin (the interactive default). */
+function defaultConfirm(prompt) {
+    process.stderr.write(`${prompt} [y/N] `);
+    const buf = Buffer.alloc(256);
+    try {
+        const n = fs.readSync(0, buf, 0, buf.length, null);
+        const answer = buf.toString("utf8", 0, n).trim().toLowerCase();
+        return answer === "y" || answer === "yes";
+    }
+    catch {
+        return false;
+    }
+}
+/** Render the normalized payload P IN FULL so the human confirms the matcher + ceiling, not the prose
+ * line alone (proposal lines 2102-2107). */
+function formatAttestPayload(payload, canonicalPayloadHash, ruleId) {
+    const a = payload.applicability;
+    const matcher = a.mode === "action"
+        ? `${a.tools.join(", ")} on ${a.matcher.field}${a.matcher.glob ? ` matching ${a.matcher.glob}` : ""}`
+        : "(ambient)";
+    return [
+        `rule:        ${ruleId}`,
+        `scope:       ${payload.runtimeScopeId}`,
+        `hash:        ${canonicalPayloadHash}`,
+        `text:        ${payload.text}`,
+        `applies to:  ${matcher}`,
+        `effect:      ${payload.effect}`,
+        `strength:    ${payload.strength}`,
+        `delivery:    ${payload.deliveryChannels.join(", ")}`,
+        `ceiling:     ${payload.enforcementCeiling}`,
+        `on failure:  ${payload.infrastructureFailurePolicy}`,
+        `evaluator:   ${payload.compliance.evaluatorContractVersion} / ` +
+            `${payload.compliance.matcherSchemaVersion} / ${payload.compliance.pathCanonicalizerVersion}`,
+        `forbids:     ${payload.compliance.config.forbiddenRootRelativePath}`,
+    ].join("\n");
+}
+function parseAttestIdentity(argv) {
+    const newRuleIdx = argv.indexOf("--new-rule");
+    const ruleIdx = argv.indexOf("--rule");
+    const newRuleGiven = newRuleIdx >= 0;
+    const ruleGiven = ruleIdx >= 0;
+    if (newRuleGiven && ruleGiven)
+        return { kind: "usage-error" };
+    if (!newRuleGiven && !ruleGiven)
+        return { kind: "default" };
+    if (newRuleGiven) {
+        const id = argv[newRuleIdx + 1];
+        if (!id || id.startsWith("--"))
+            return { kind: "usage-error" };
+        return { kind: "explicit", identity: { mode: "NEW_RULE", ruleId: id } };
+    }
+    const id = argv[ruleIdx + 1];
+    if (!id || id.startsWith("--"))
+        return { kind: "usage-error" };
+    return { kind: "explicit", identity: { mode: "SUCCESSOR", ruleId: id } };
+}
+/**
+ * `mla rules attest --from-observed <observedRuleHash>`: mint the LIVE notes-location version from an
+ * R0 observed snapshot (proposal worked attest flow lines 2037-2069). It resolves the EXACT observed
+ * snapshot in the active scope (A.3), runs the §2.4 admission gate + conversion (the pure core),
+ * resolves the accountable operator from the authenticated session, short-circuits an idempotent
+ * re-attest, displays the full normalized payload, selects the attestation method from the terminal /
+ * agent flags, and mints (superseding any prior LIVE version) in the A.4 repo's single transaction. It
+ * mints the attested DENY ceiling regardless of the runtime deny-admission gates (§10.2): attestation
+ * and effective enforcement are separate (lines 2117-2124). A miss at any step mints nothing.
+ */
+async function runRulesAttest(argv, deps = {}) {
+    const out = deps.out ?? ((line) => console.log(line));
+    const err = deps.err ?? ((line) => console.error(line));
+    // `--from-code-rule <name>` is a distinct attest source from `--from-observed <hash>`: it mints a LIVE
+    // version of a PRODUCT-SHIPPED code rule (e.g. CE0 consult-evidence) rather than an R0 observed snapshot.
+    // It is dispatched FIRST and owns the whole invocation; the two sources never combine.
+    if (argv.includes("--from-code-rule")) {
+        return attestCodeRule(argv, deps, out, err);
+    }
+    const flagIdx = argv.indexOf("--from-observed");
+    const observedRuleHash = flagIdx >= 0 ? argv[flagIdx + 1] : undefined;
+    if (!observedRuleHash || observedRuleHash.startsWith("--")) {
+        err(ATTEST_USAGE);
+        return 2;
+    }
+    const agentOnUserRequest = argv.includes("--agent-on-user-request");
+    const yes = argv.includes("--yes");
+    const noPublish = argv.includes("--no-publish");
+    const identityChoice = parseAttestIdentity(argv);
+    if (identityChoice.kind === "usage-error") {
+        err(ATTEST_USAGE);
+        return 2;
+    }
+    const ruleId = identityChoice.kind === "explicit" ? identityChoice.identity.ruleId : attest_notes_location_1.NOTES_LOCATION_RULE_ID;
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    let stateChanged = false;
+    try {
+        const resolution = (0, interception_store_1.resolveObservedSnapshotInScope)(store, runtimeScopeId, observedRuleHash);
+        if (resolution.kind === "NOT_FOUND") {
+            err(`no observed rule with hash ${observedRuleHash} in runtime scope ${runtimeScopeId}: ` +
+                `not found, nothing to attest`);
+            return 1;
+        }
+        if (resolution.kind === "COLLISION") {
+            err(`observed hash ${observedRuleHash} is a collision in scope ${runtimeScopeId}: ` +
+                `${resolution.distinctSnapshotCount} distinct snapshots share it; refusing to attest`);
+            return 1;
+        }
+        const conversion = identityChoice.kind === "explicit"
+            ? (0, attest_notes_location_1.convertForbiddenRootSnapshot)(resolution.observedRuleSnapshot, runtimeScopeId)
+            : (0, attest_notes_location_1.convertNotesLocationSnapshot)(resolution.observedRuleSnapshot, runtimeScopeId);
+        if (!conversion.admitted) {
+            err(`snapshot is not a supported forbidden-root rule (${conversion.reason}): ${conversion.detail}`);
+            return 1;
+        }
+        const payload = conversion.payload;
+        const resolveOperator = deps.resolveOperator ?? defaultResolveOperator;
+        const operator = resolveOperator();
+        if (!operator) {
+            err("refusing to attest: not logged in as a human operator (run `mla login`); " +
+                "attestation requires an authenticated MLA operator");
+            return 1;
+        }
+        const canonicalPayloadHash = (0, rule_version_hash_1.ruleVersionHash)(payload);
+        // The idempotent re-attest short-circuit is valid ONLY when this attest could legitimately match an
+        // existing LIVE version (the notes default or an explicit SUCCESSOR). A NEW_RULE must never no-op on a
+        // hash match: an id that is already taken is a COLLISION the mint rejects (P0.55), never a silent reuse.
+        const isNewRule = identityChoice.kind === "explicit" && identityChoice.identity.mode === "NEW_RULE";
+        const current = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, runtimeScopeId, ruleId);
+        if (!isNewRule && current && current.canonicalPayloadHash === canonicalPayloadHash) {
+            out(`already attested: LIVE version ${current.versionId} already carries ` +
+                `${canonicalPayloadHash}; no-op`);
+            return 0;
+        }
+        out("note: enforcementCeiling is DENY. The live PreToolUse deny is armed: when this version is LIVE and " +
+            "the deny-admission gates pass (check `mla doctor`), a VIOLATION is denied on the wire; otherwise it " +
+            "degrades to observe-only. Attestation mints the DENY-ceiling authority; effective enforcement is " +
+            "the separate runtime decision (§10.2).");
+        out(formatAttestPayload(payload, canonicalPayloadHash, ruleId));
+        let attestationMethod;
+        if (agentOnUserRequest && yes) {
+            attestationMethod = "AGENT_ON_USER_REQUEST";
+        }
+        else if (deps.isInteractive ? deps.isInteractive() : Boolean(process.stdin.isTTY && process.stdout.isTTY)) {
+            const confirm = deps.confirm ?? defaultConfirm;
+            const ok = await confirm(`Attest this notes-location DENY rule for scope ${runtimeScopeId}?`);
+            if (!ok) {
+                err("attestation not confirmed; nothing minted");
+                return 1;
+            }
+            attestationMethod = "HUMAN_DIRECT";
+        }
+        else {
+            err("refusing to attest non-interactively without confirmation; pass " +
+                "--agent-on-user-request --yes to attest on the operator's explicit instruction");
+            return 1;
+        }
+        const newVersionId = deps.newVersionId ?? (() => `ver:${(0, ulid_1.ulid)()}`);
+        const now = deps.now ?? (() => new Date().toISOString());
+        let outcome;
+        try {
+            const mintBase = {
+                payload,
+                observedRuleHash,
+                attestedBy: operator.attestedBy,
+                attestationMethod,
+                versionId: newVersionId(),
+                attestedAt: now(),
+            };
+            outcome =
+                identityChoice.kind === "explicit"
+                    ? (0, attest_rule_version_1.mintAttestedRuleVersion)(store, { ...mintBase, identity: identityChoice.identity })
+                    : (0, attest_notes_location_1.mintAttestedNotesLocationVersion)(store, mintBase);
+        }
+        catch (e) {
+            // P0.55 identity faults are operator errors, not crashes: a NEW_RULE collision or a SUCCESSOR with
+            // no prior LIVE version mints nothing and exits 1 with the writer's exact, actionable message.
+            if (e instanceof attest_rule_version_1.RuleIdentityCollisionError || e instanceof local_rule_version_repo_1.NoLiveVersionToSupersedeError) {
+                err(e.message);
+                return 1;
+            }
+            throw e;
+        }
+        if (outcome.outcome === "SUPERSEDED") {
+            out(`SUPERSEDED ${outcome.supersededVersionId} -> MINTED version ${outcome.version.versionId} ` +
+                `(${outcome.version.canonicalPayloadHash}) LIVE in scope ${runtimeScopeId}`);
+            stateChanged = true;
+        }
+        else if (outcome.outcome === "MINTED") {
+            out(`MINTED version ${outcome.version.versionId} ` +
+                `(${outcome.version.canonicalPayloadHash}) LIVE in scope ${runtimeScopeId}`);
+            stateChanged = true;
+        }
+        else {
+            out(`already attested: ${outcome.version.versionId}; no-op`);
+        }
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+    // A successful mint changed local truth: best-effort project it to control so the console Rules surface
+    // stays in sync without a manual `mla rules publish`. The sync NEVER fails the attest (it already
+    // committed locally); a missing workspace / logged-out CLI / unreachable backend is reported, not fatal.
+    if (stateChanged) {
+        await autoPublishAfterMutation(runtimeScopeId, noPublish, deps, out, err);
+    }
+    return 0;
+}
+/** Render the code-rule's frozen payload IN FULL so the human confirms what identity they are arming. It
+ *  is RECORD_ONLY by construction (a CE0 forcing function, not a forbidden-root deny), so there is no
+ *  matcher/effect/ceiling to negotiate: arming changes NO runtime behavior, it only gives the rule's
+ *  obligations a durable, attested version identity to bind to. */
+function formatCodeRuleAttest(codeRule, runtimeScopeId) {
+    return [
+        `rule:        ${codeRule.ruleId}`,
+        `scope:       ${runtimeScopeId}`,
+        `hash:        ${codeRule.canonicalPayloadHash}`,
+        `ceiling:     RECORD_ONLY (no deny; arming changes no runtime behavior)`,
+        `payload:     ${codeRule.serializedPayload}`,
+    ].join("\n");
+}
+/**
+ * `mla rules attest --from-code-rule <name>`: mint the LIVE LocalRuleVersion of a product-shipped code
+ * rule (the GAP 3 slice-2 arm that gives the CE0 consult-evidence obligation a durable attested identity to
+ * bind to). The logical id is PINNED by the registry (P0.55 is satisfied because no logical-identity choice
+ * is being MADE here -- the registry already pinned it), so `--new-rule` / `--rule` and the `--from-observed`
+ * source are all rejected as usage errors. NEW_RULE vs SUCCESSOR is auto-derived from store state (a LIVE
+ * version present -> SUCCESSOR, else NEW_RULE); a re-attest whose frozen hash matches the LIVE version is an
+ * idempotent no-op. The rule is RECORD_ONLY, so arming it is provably inert under the R4 three-class
+ * partition (INV-CONFLICT / P0.13): it cannot silently disarm an out-of-family PROHIBIT deny. It reuses the
+ * operator resolution, confirmation, and attestation-method selection of the observed arm; a miss at any
+ * step mints nothing.
+ */
+async function attestCodeRule(argv, deps, out, err) {
+    const flagIdx = argv.indexOf("--from-code-rule");
+    const name = flagIdx >= 0 ? argv[flagIdx + 1] : undefined;
+    if (!name || name.startsWith("--")) {
+        err(CODE_RULE_ATTEST_USAGE);
+        return 2;
+    }
+    // A code rule's logical id is pinned by the registry; an operator may not choose it, nor mix in the
+    // observed source. These are usage errors (exit 2), distinct from a clean miss that mints nothing.
+    if (argv.includes("--from-observed") || argv.includes("--new-rule") || argv.includes("--rule")) {
+        err(CODE_RULE_ATTEST_USAGE);
+        return 2;
+    }
+    const agentOnUserRequest = argv.includes("--agent-on-user-request");
+    const yes = argv.includes("--yes");
+    const noPublish = argv.includes("--no-publish");
+    const codeRule = (0, code_rule_registry_1.getCodeRule)(name);
+    if (!codeRule) {
+        err(`no code rule named '${name}' ships in this build; nothing to attest`);
+        return 1;
+    }
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    let stateChanged = false;
+    try {
+        const resolveOperator = deps.resolveOperator ?? defaultResolveOperator;
+        const operator = resolveOperator();
+        if (!operator) {
+            err("refusing to attest: not logged in as a human operator (run `mla login`); " +
+                "attestation requires an authenticated MLA operator");
+            return 1;
+        }
+        // The idempotent short-circuit before we display anything or prompt: a re-attest of the same frozen
+        // bytes is a clean no-op (the writer would also catch it, but short-circuiting keeps the UX quiet).
+        const current = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, runtimeScopeId, codeRule.ruleId);
+        if (current && current.canonicalPayloadHash === codeRule.canonicalPayloadHash) {
+            out(`already attested: LIVE version ${current.versionId} already carries ` +
+                `${codeRule.canonicalPayloadHash}; no-op`);
+            return 0;
+        }
+        out("note: this rule is RECORD_ONLY. Arming it changes NO runtime behavior; it only gives the rule's " +
+            "obligations a durable, attested version identity to bind to (the CE0 measurement is identical " +
+            "armed or unarmed).");
+        out(formatCodeRuleAttest(codeRule, runtimeScopeId));
+        let attestationMethod;
+        if (agentOnUserRequest && yes) {
+            attestationMethod = "AGENT_ON_USER_REQUEST";
+        }
+        else if (deps.isInteractive ? deps.isInteractive() : Boolean(process.stdin.isTTY && process.stdout.isTTY)) {
+            const confirm = deps.confirm ?? defaultConfirm;
+            const ok = await confirm(`Attest this RECORD_ONLY code rule ${codeRule.ruleId} for scope ${runtimeScopeId}?`);
+            if (!ok) {
+                err("attestation not confirmed; nothing minted");
+                return 1;
+            }
+            attestationMethod = "HUMAN_DIRECT";
+        }
+        else {
+            err("refusing to attest non-interactively without confirmation; pass " +
+                "--agent-on-user-request --yes to attest on the operator's explicit instruction");
+            return 1;
+        }
+        // NEW_RULE on a fresh id, SUCCESSOR once a LIVE version exists (a seed bump rotated the frozen hash).
+        // The registry pins the id, so this is auto-derived, never an operator choice. A re-arm after a revoke
+        // (history present, nothing LIVE) surfaces the writer's RuleIdentityCollisionError honestly.
+        const mode = current ? "SUCCESSOR" : "NEW_RULE";
+        const newVersionId = deps.newVersionId ?? (() => `ver:${(0, ulid_1.ulid)()}`);
+        const now = deps.now ?? (() => new Date().toISOString());
+        let outcome;
+        try {
+            outcome = (0, attest_code_rule_version_1.mintAttestedCodeRuleVersion)(store, {
+                mode,
+                codeRule,
+                runtimeScopeId,
+                attestedBy: operator.attestedBy,
+                attestationMethod,
+                versionId: newVersionId(),
+                attestedAt: now(),
+            });
+        }
+        catch (e) {
+            if (e instanceof attest_rule_version_1.RuleIdentityCollisionError || e instanceof local_rule_version_repo_1.NoLiveVersionToSupersedeError) {
+                err(e.message);
+                return 1;
+            }
+            throw e;
+        }
+        if (outcome.outcome === "SUPERSEDED") {
+            out(`SUPERSEDED ${outcome.supersededVersionId} -> MINTED version ${outcome.version.versionId} ` +
+                `(${outcome.version.canonicalPayloadHash}) LIVE in scope ${runtimeScopeId}`);
+            stateChanged = true;
+        }
+        else if (outcome.outcome === "MINTED") {
+            out(`MINTED version ${outcome.version.versionId} ` +
+                `(${outcome.version.canonicalPayloadHash}) LIVE in scope ${runtimeScopeId}`);
+            stateChanged = true;
+        }
+        else {
+            out(`already attested: ${outcome.version.versionId}; no-op`);
+        }
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+    // A successful arm changed local truth: best-effort project it to control (see runRulesAttest). Sync is
+    // never fatal to the attest, which already committed; `--no-publish` opts out for local-only operators.
+    if (stateChanged) {
+        await autoPublishAfterMutation(runtimeScopeId, noPublish, deps, out, err);
+    }
+    return 0;
+}
+/**
+ * `mla rules revoke [--rule <ruleId>] [--yes]`: the kill switch (the answer to "what's the harm" of
+ * wiring the deny live). It flips the current LIVE version of a (scope, rule) to REVOKED in the A.4
+ * repo's single transaction. After this the (scope, rule) has NO LIVE version, so the enforce seam
+ * finds NO_LIVE_VERSION and fails open: enforcement stops cleanly without deleting any history. The
+ * rule defaults to the notes-location pilot; --rule names another logical rule in this scope (the
+ * revoke path is rule-agnostic, it needs only a ruleId, never a payload). Disarming governance must be
+ * deliberate, so it confirms exactly like attest: an explicit --yes, or an interactive prompt. Pulling
+ * an already-pulled switch (nothing LIVE) is an idempotent success, never an error. Best-effort names
+ * the operator who pulled it; it never blocks the disarm on being logged in.
+ */
+async function runRulesRevoke(argv, deps = {}) {
+    const out = deps.out ?? ((line) => console.log(line));
+    const err = deps.err ?? ((line) => console.error(line));
+    const ruleFlagIdx = argv.indexOf("--rule");
+    const ruleId = ruleFlagIdx >= 0 ? argv[ruleFlagIdx + 1] : attest_notes_location_1.NOTES_LOCATION_RULE_ID;
+    if (!ruleId || ruleId.startsWith("--")) {
+        err(REVOKE_USAGE);
+        return 2;
+    }
+    const yes = argv.includes("--yes");
+    const noPublish = argv.includes("--no-publish");
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    let stateChanged = false;
+    try {
+        const current = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, runtimeScopeId, ruleId);
+        if (!current) {
+            out(`nothing LIVE to revoke for rule ${ruleId} in scope ${runtimeScopeId}; already disarmed`);
+            return 0;
+        }
+        out(`about to disarm rule ${ruleId} in scope ${runtimeScopeId}: ` +
+            `LIVE version ${current.versionId} (${current.canonicalPayloadHash})`);
+        if (!yes) {
+            const interactive = deps.isInteractive
+                ? deps.isInteractive()
+                : Boolean(process.stdin.isTTY && process.stdout.isTTY);
+            if (!interactive) {
+                err("refusing to disarm non-interactively without confirmation; pass --yes to revoke");
+                return 1;
+            }
+            const confirm = deps.confirm ?? defaultConfirm;
+            const ok = await confirm(`Revoke (disarm) rule ${ruleId} for scope ${runtimeScopeId}? It will then fail open.`);
+            if (!ok) {
+                err("revoke not confirmed; the rule stays LIVE");
+                return 1;
+            }
+        }
+        const revoked = (0, local_rule_version_repo_1.revokeLiveLocalRuleVersion)(store, runtimeScopeId, ruleId);
+        const resolveOperator = deps.resolveOperator ?? defaultResolveOperator;
+        const operator = resolveOperator();
+        const by = operator ? ` by ${operator.displayName ?? operator.attestedBy}` : "";
+        out(`REVOKED version ${revoked.versionId} (${revoked.canonicalPayloadHash})${by}; ` +
+            `enforcement disarmed for rule ${ruleId} in scope ${runtimeScopeId}; the rule now fails open`);
+        stateChanged = true;
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+    // A revoke drops the rule from the scope's LIVE set: best-effort re-project so control reconciles the
+    // now-absent rule to STALE and it leaves the console Active tab. Never fatal to the local disarm.
+    if (stateChanged) {
+        await autoPublishAfterMutation(runtimeScopeId, noPublish, deps, out, err);
+    }
+    return 0;
+}
+/** The console renders evidenceJson.statement verbatim as the rule headline; pull the human-readable rule
+ *  text out of the opaque payload, falling back to the logical id for code rules with no `.text` field. */
+function ruleHeadline(record) {
+    try {
+        const parsed = JSON.parse(record.rulePayload);
+        if (typeof parsed.text === "string" && parsed.text.trim())
+            return parsed.text.trim();
+    }
+    catch {
+        // opaque / non-JSON payload (should not happen for a stored version); fall through to the id.
+    }
+    return record.ruleId;
+}
+/** The default network seam: POST the batch to control with the session bearer the rest of the CLI uses. */
+function defaultPublish(cfg, body) {
+    return (0, http_1.post)(cfg, "/internal/v1/relationship-candidates/publish-rules", body, 15000);
+}
+/** Map one LIVE LocalRuleVersion to its control publish item (headline pulled from the opaque payload). */
+function buildPublishItem(r) {
+    return {
+        ruleId: r.ruleId,
+        versionId: r.versionId,
+        text: ruleHeadline(r),
+        payloadHash: r.canonicalPayloadHash,
+        lifecycleStatus: "LIVE",
+        attestedBy: r.attestedBy ?? null,
+        attestedAt: r.attestedAt ?? null,
+        attestationMethod: r.attestationMethod ?? null,
+    };
+}
+/**
+ * Project the LIVE attested rules in `runtimeScopeId` to control (the exact batch `mla rules publish`
+ * sends). It is the single projection path shared by the explicit publish command and the auto-publish
+ * hooks on attest/revoke. It NEVER throws: an unbound workspace / logged-out CLI is reported as `skipped`
+ * (loadConfig threw before any network call), an unreachable backend as `failed`; only a real POST that
+ * returns is `synced`. The store is opened read-only and always closed; an empty LIVE set still posts so a
+ * revoked-to-nothing scope reconciles away on the backend.
+ */
+async function publishLiveRulesForScope(runtimeScopeId, deps) {
+    let cfg;
+    try {
+        cfg = deps.loadConfig ? deps.loadConfig() : (0, config_1.loadWorkspaceConfig)();
+    }
+    catch (e) {
+        return { kind: "skipped", reason: e.message };
+    }
+    const dbPath = deps.storePath ?? (0, evidence_1.defaultCe0StorePath)();
+    fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+    const open = deps.openStore ?? ce0_store_1.openCe0Store;
+    const store = open(dbPath);
+    let live;
+    try {
+        live = (0, local_rule_version_repo_1.listLiveLocalRuleVersions)(store, runtimeScopeId);
+    }
+    finally {
+        (0, ce0_store_1.closeCe0Store)(store);
+    }
+    const rules = live.map(buildPublishItem);
+    const body = { workspaceId: cfg.workspaceId, runtimeScopeId, rules };
+    const publish = deps.publish ?? defaultPublish;
+    try {
+        const result = await publish(cfg, body);
+        return { kind: "synced", sent: rules.length, workspaceId: cfg.workspaceId, result };
+    }
+    catch (e) {
+        return { kind: "failed", reason: e.message };
+    }
+}
+/**
+ * After a state-changing attest/revoke, best-effort sync the scope's LIVE rules into control so the console
+ * Rules surface stays current without a manual `mla rules publish`. This is the auto-publish hook: the local
+ * mutation has ALREADY committed, so a sync miss is reported (skip/warn) but never changes the command's
+ * success. `--no-publish` opts out entirely (offline / local-only operators, or a CI run with no workspace).
+ */
+async function autoPublishAfterMutation(runtimeScopeId, noPublish, deps, out, err) {
+    if (noPublish) {
+        out("note: --no-publish set; skipped the console sync. The change is attested locally; run " +
+            "`mla rules publish` to surface it on the console Rules page.");
+        return;
+    }
+    const outcome = await publishLiveRulesForScope(runtimeScopeId, deps);
+    if (outcome.kind === "synced") {
+        out(`synced to console: workspace ${outcome.workspaceId} now reflects ${outcome.result.published} ` +
+            `published, ${outcome.result.retired} retired (from ${outcome.sent} LIVE rule(s) in this scope).`);
+    }
+    else if (outcome.kind === "skipped") {
+        out(`note: skipped console sync (${outcome.reason}). The change is attested locally; run ` +
+            "`mla rules publish` once a workspace is bound to surface it.");
+    }
+    else {
+        err(`warning: console sync failed (${outcome.reason}). The change IS attested locally; run ` +
+            "`mla rules publish` to retry the sync.");
+    }
+}
+/** Render the publish outcome as a compact, stable text block. */
+function formatPublishText(runtimeScopeId, workspaceId, sent, result) {
+    const lines = [
+        `runtime scope: ${runtimeScopeId}`,
+        `workspace:     ${workspaceId}`,
+        `sent ${sent} LIVE rule(s); published ${result.published}, retired ${result.retired}`,
+    ];
+    if (result.items.length > 0) {
+        lines.push("");
+        for (const it of result.items) {
+            lines.push(`  ${it.action.padEnd(9)} ${it.ruleId}  (${it.candidateId})`);
+        }
+    }
+    return lines.join("\n");
+}
+/**
+ * `mla rules publish [--json]`: project the LIVE attested rule versions in the ACTIVE runtime scope into
+ * control so they surface on the console Rules page. It is the bridge half of the local-first rules engine:
+ * `attest` / `revoke` only ever mutate the local CE0 store, and this command is the one place that pushes
+ * that local truth to the backend. It reads EVERY LIVE LocalRuleVersion in the scope, maps each to a publish
+ * item (the human-readable headline pulled from the opaque payload), and POSTs the whole set to control,
+ * which upserts each as an ACCEPTED workspace-scoped rule-kind candidate (idempotent by workspace + ruleId)
+ * and reconciles-by-omission: any rule it published from THIS scope before that is no longer LIVE is driven
+ * to STALE so a revoked rule disappears from the Active tab. An empty LIVE set is NOT a no-op: it still posts
+ * (with the scope) so the last-revoked rule reconciles away. Read-only on the local store; one network call.
+ */
+async function runRulesPublish(argv, deps = {}) {
+    const out = deps.out ?? ((line) => console.log(line));
+    const err = deps.err ?? ((line) => console.error(line));
+    const json = argv.includes("--json");
+    const resolveScope = deps.resolveRuntimeScopeId ?? runtime_scope_1.resolveActiveRuntimeScopeId;
+    const runtimeScopeId = resolveScope(deps.cwd);
+    // The explicit command shares the ONE projection path with the auto-publish hooks, but maps the outcome
+    // to its own hard exit codes: an unbound workspace is a usage error (2), a failed POST is a failure (1).
+    const outcome = await publishLiveRulesForScope(runtimeScopeId, deps);
+    if (outcome.kind === "skipped") {
+        err(outcome.reason);
+        return 2;
+    }
+    if (outcome.kind === "failed") {
+        err(`failed to publish rules to control: ${outcome.reason}`);
+        return 1;
+    }
+    if (json) {
+        out(JSON.stringify({ runtimeScopeId, workspaceId: outcome.workspaceId, ...outcome.result }));
+    }
+    else {
+        out(formatPublishText(runtimeScopeId, outcome.workspaceId, outcome.sent, outcome.result));
+    }
+    return 0;
+}