@meetless/mla 0.1.4

package/dist/lib/rules/inert-rule-families.js

@@ -0,0 +1,51 @@
+"use strict";
+// The generalized-R4 inert-family registry. The live PreToolUse enforce dispatch (enforce-notes-version.ts)
+// loads EVERY live rule in scope and must decide what each one means for the attempt. Today it knows two
+// answers: a rule it can face (the PROHIBIT forbidden-root family) or "I do not understand this", which
+// fails the WHOLE attempt open. That binary is too coarse: it cannot tell a genuinely unknown rule apart
+// from a rule it understands well enough to prove imposes NO effect on a tool attempt.
+//
+// This module owns that third answer. A rule is INERT-NON-ENFORCING when its maximum authority on a tool
+// attempt is RECORD_ONLY: it observes and records, it never injects, steers, asks, or denies. Per P0.13
+// (INV-CONFLICT-NEVER-SILENTLY-DENIES, NT:20260615 consolidated proposal), a conflict is two LIVE rules
+// imposing INCOMPATIBLE effects. A rule that imposes no effect at all cannot be incompatible with a
+// PROHIBIT's deny, so it is provably non-conflicting and the dispatch is safe to SKIP it rather than fail
+// the attempt open. That skip is exactly what lets a CE0 consult-evidence RECORD_ONLY rule coexist in the
+// same scope as the live notes-location DENY pilot without disarming it.
+//
+// SAFETY CONTRACT (why this is recognition, not a wildcard):
+//   * POSITIVE: each inert family is named by its EXACT schema tag. An unrecognized schema returns false,
+//     so the dispatch's fail-open boundary for the genuinely-unknown is preserved unchanged. The dangerous
+//     inversion ("anything we do not understand is inert") is precisely what this must never become.
+//   * NARROW: recognizing the schema is necessary but NOT sufficient. Within a recognized family the
+//     predicate re-derives that THIS version's response ceiling is RECORD_ONLY. The same ce0-rule-v1 schema
+//     can carry an AUTO_CORRECT ceiling (a CE2 concern that steers/injects and demands a new immutable rule
+//     version); that version is NOT inert and must NOT be skipped. The ceiling proof, not the schema tag,
+//     is the load-bearing safety property.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isInertNonEnforcingRule = isInertNonEnforcingRule;
+/** The closed registry of provably non-enforcing rule families. One entry today: the CE0 consult-evidence
+ *  forcing function at its RECORD_ONLY ceiling. New families are added here deliberately, each with its own
+ *  ceiling proof; membership is never inferred. */
+const INERT_RULE_FAMILIES = [
+    {
+        schemaVersion: "ce0-rule-v1",
+        // Inert iff the ceiling is RECORD_ONLY. An AUTO_CORRECT version of the same schema can steer/inject and
+        // is therefore enforcing, not inert.
+        isInertVersion: (payload) => payload.responseCeiling === "RECORD_ONLY",
+    },
+];
+/**
+ * True iff `payload` is a LIVE rule the enforce dispatch can prove imposes NO effect on a tool attempt and
+ * may therefore SKIP (treat as inert) instead of failing the attempt open. Returns false for anything
+ * unrecognized, so an unknown rule still trips the dispatch's fail-open boundary. See the safety contract
+ * above: recognition is positive (exact schema) AND narrow (per-version ceiling proof).
+ */
+function isInertNonEnforcingRule(payload) {
+    if (typeof payload !== "object" || payload === null) {
+        return false;
+    }
+    const obj = payload;
+    const family = INERT_RULE_FAMILIES.find((f) => f.schemaVersion === obj.schemaVersion);
+    return family ? family.isInertVersion(obj) : false;
+}

package/dist/lib/rules/input-authority-resolver.js

@@ -0,0 +1,241 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.INPUT_AUTHORITY_CONFIG_DOMAIN = exports.HOOK_CONFIG_LAYERS = void 0;
+exports.resolveInputAuthority = resolveInputAuthority;
+const crypto_1 = require("crypto");
+const path = __importStar(require("path"));
+const canonical_json_1 = require("./canonical-json");
+const wire_1 = require("../wire");
+// The effective-hook-config resolver (R1 foundation), the mechanical proof behind
+// INV-R1-SINGLE-INPUT-AUTHORITY (P0.19) made continuous by INV-R1-INPUT-AUTHORITY-IS-CONTINUOUS
+// (P0.58) in notes/20260615-rules-as-node-and-action-interception-consolidated-proposal.md (§2.4).
+//
+// Claude Code runs every matching PreToolUse hook in PARALLEL and an `updatedInput` REPLACES the whole
+// tool input, so there is no safe composition contract when two hooks both rewrite input. R1 may only
+// emit a deny while it can mechanically prove the NARROW v1 condition: MLA is the SOLE effective
+// PreToolUse hook that matches Write or Edit across the entire config hierarchy. This module is the
+// PURE core of that proof. It is given the five already-loaded settings layers (user, project, local,
+// plugin, managed) and:
+//   - enumerates every effective PreToolUse command hook,
+//   - identifies which ones match the governed tools (Write / Edit),
+//   - classifies each as MLA-owned or foreign (reusing the installer's own ownership predicate so the
+//     resolver can never drift from what `mla init` writes),
+//   - returns MLA_SOLE_AUTHORITY, or a typed unavailable reason,
+//   - and emits a deterministic, order-independent canonical snapshot + hash for the
+//     `inputAuthorityConfigHash` audit field on tool_attempt.
+//
+// It touches no network and no filesystem (the IO shell that reads the settings files and calls this
+// lives in the runtime / `mla doctor`, which both reuse this resolver). It emits NO deny: it only
+// reports whether a deny would be admissible. Every ambiguity fails CLOSED to UNAVAILABLE, never to a
+// silent OBSERVE downgrade (P0.15).
+exports.HOOK_CONFIG_LAYERS = ["user", "project", "local", "plugin", "managed"];
+/** Domain tag for the snapshot hash; the single 0x00 separator (P0.53) prevents cross-domain collision. */
+exports.INPUT_AUTHORITY_CONFIG_DOMAIN = "effective-hook-config-v1";
+/** The script `mla init` registers as the managed PreToolUse hook; the MLA-ownership probe. */
+const MLA_PRE_TOOL_USE_SCRIPT = "pre-tool-use.sh";
+/** The tools the R1 pilot governs. Only a PreToolUse hook matching one of these can threaten deny. */
+const GOVERNED_TOOLS = ["Write", "Edit"];
+function isUnreadable(layer) {
+    return layer.unreadable === true;
+}
+/**
+ * Interpret a Claude Code matcher against the governed tools. `""` is the catch-all (matches every
+ * tool). A non-empty matcher is a regex matched partially (Claude Code semantics). Returns null when
+ * the matcher is not a valid regex, so the caller can fail closed.
+ */
+function interpretMatcher(matcher) {
+    if (matcher === "")
+        return { write: true, edit: true };
+    let re;
+    try {
+        re = new RegExp(matcher);
+    }
+    catch {
+        return null;
+    }
+    return { write: re.test("Write"), edit: re.test("Edit") };
+}
+/** Defensively pull every PreToolUse command hook out of one readable layer's settings. */
+function extractPreToolUse(layerName, settings, problems) {
+    const out = [];
+    if (!settings || typeof settings !== "object")
+        return out;
+    const hooks = settings.hooks;
+    if (!hooks || typeof hooks !== "object")
+        return out;
+    const pre = hooks.PreToolUse;
+    if (pre === undefined)
+        return out;
+    if (!Array.isArray(pre)) {
+        problems.push(`${layerName}: PreToolUse is not an array`);
+        return out;
+    }
+    for (const entry of pre) {
+        if (!entry || typeof entry !== "object") {
+            problems.push(`${layerName}: a PreToolUse entry is not an object`);
+            continue;
+        }
+        const rawMatcher = entry.matcher;
+        const matcher = rawMatcher === undefined ? "" : rawMatcher;
+        if (typeof matcher !== "string") {
+            problems.push(`${layerName}: a PreToolUse matcher is not a string`);
+            continue;
+        }
+        const inner = entry.hooks;
+        if (inner === undefined)
+            continue;
+        if (!Array.isArray(inner)) {
+            problems.push(`${layerName}: a PreToolUse entry's hooks is not an array`);
+            continue;
+        }
+        for (const h of inner) {
+            if (!h || typeof h !== "object") {
+                problems.push(`${layerName}: a hook is not an object`);
+                continue;
+            }
+            // Only command hooks run a script that can return updatedInput; ignore any other type.
+            if (h.type !== "command")
+                continue;
+            const command = h.command;
+            if (typeof command !== "string" || command.length === 0) {
+                problems.push(`${layerName}: a command hook has no string command`);
+                continue;
+            }
+            out.push({ layer: layerName, matcher, command });
+        }
+    }
+    return out;
+}
+/** Stable ordering over (command, matcher, layer) so the snapshot is independent of input order. */
+function compareEntries(a, b) {
+    return (cmp(a.command, b.command) || cmp(a.matcher, b.matcher) || cmp(a.layer, b.layer));
+}
+function cmp(a, b) {
+    return a < b ? -1 : a > b ? 1 : 0;
+}
+function classify(command, mlaHooksDir) {
+    const cmd = path.join(mlaHooksDir, MLA_PRE_TOOL_USE_SCRIPT);
+    return (0, wire_1.isManagedHookCommand)(command, MLA_PRE_TOOL_USE_SCRIPT, cmd) ? "MLA" : "FOREIGN";
+}
+/** Build the canonical snapshot object that is serialized and hashed. */
+function buildSnapshot(rawEntries, unreadableLayers) {
+    const preToolUse = [...rawEntries]
+        .sort(compareEntries)
+        .map((e) => ({ layer: e.layer, matcher: e.matcher, command: e.command }));
+    return {
+        schemaVersion: exports.INPUT_AUTHORITY_CONFIG_DOMAIN,
+        preToolUse,
+        unreadableLayers: [...unreadableLayers].sort(),
+    };
+}
+/** SHA-256(domainTag || 0x00 || JCS(snapshot)), lowercase hex. Mirrors observed-rule-hash.ts. */
+function hashSnapshot(jcs) {
+    const h = (0, crypto_1.createHash)("sha256");
+    h.update(exports.INPUT_AUTHORITY_CONFIG_DOMAIN, "utf8");
+    h.update(Buffer.from([0x00]));
+    h.update(jcs, "utf8");
+    return h.digest("hex");
+}
+// ---------------------------------------------------------------------------
+// resolver
+// ---------------------------------------------------------------------------
+/**
+ * Resolve whether MLA is the sole effective Write/Edit input authority across the given config
+ * layers. Pure: no IO, no network, no deny. The result always carries the deterministic snapshot +
+ * hash (computed over whatever was readable) for the audit field; the `kind` decides admissibility.
+ */
+function resolveInputAuthority(layers, opts) {
+    const unreadableLayers = [];
+    const problems = [];
+    const rawEntries = [];
+    for (const layer of layers) {
+        if (isUnreadable(layer)) {
+            unreadableLayers.push(layer.name);
+            continue;
+        }
+        rawEntries.push(...extractPreToolUse(layer.name, layer.settings, problems));
+    }
+    // Any matcher that does not compile is uninterpretable; fail closed rather than guess its scope.
+    for (const e of rawEntries) {
+        if (interpretMatcher(e.matcher) === null) {
+            problems.push(`${e.layer}: matcher ${JSON.stringify(e.matcher)} is not a valid regex`);
+        }
+    }
+    // The interpreted set of hooks matching a governed tool (skips uninterpretable matchers defensively).
+    const matchedCommands = [];
+    for (const e of rawEntries) {
+        const m = interpretMatcher(e.matcher);
+        if (!m)
+            continue;
+        if (!m.write && !m.edit)
+            continue;
+        matchedCommands.push({
+            layer: e.layer,
+            matcher: e.matcher,
+            command: e.command,
+            matchesWrite: m.write,
+            matchesEdit: m.edit,
+            mutatorClass: classify(e.command, opts.mlaHooksDir),
+        });
+    }
+    matchedCommands.sort((a, b) => cmp(a.command, b.command) || cmp(a.matcher, b.matcher) || cmp(a.layer, b.layer));
+    const snapshot = (0, canonical_json_1.canonicalize)(buildSnapshot(rawEntries, unreadableLayers));
+    const configHash = hashSnapshot(snapshot);
+    const unavailable = (reason, detail) => ({
+        kind: "UNAVAILABLE",
+        reason,
+        detail,
+        configHash,
+        snapshot,
+        matchedCommands,
+    });
+    // Severity order: an incomplete or uninterpretable picture beats any conclusion drawn from it.
+    if (unreadableLayers.length > 0) {
+        return unavailable("CONFIG_LAYER_UNREADABLE", `config layers unreadable: ${[...unreadableLayers].sort().join(", ")}`);
+    }
+    if (problems.length > 0) {
+        return unavailable("HOOK_ENTRY_UNINTERPRETABLE", problems.join("; "));
+    }
+    const foreign = matchedCommands.filter((c) => c.mutatorClass === "FOREIGN");
+    if (foreign.length > 0) {
+        return unavailable("FOREIGN_MUTATOR_PRESENT", `foreign Write/Edit PreToolUse mutators present: ${foreign.map((c) => c.command).join(", ")}`);
+    }
+    const mla = matchedCommands.filter((c) => c.mutatorClass === "MLA");
+    if (mla.length === 0) {
+        return unavailable("MLA_HOOK_ABSENT", `no MLA PreToolUse hook matches ${GOVERNED_TOOLS.join(" or ")}`);
+    }
+    return { kind: "MLA_SOLE_AUTHORITY", configHash, snapshot, matchedCommands };
+}

package/dist/lib/rules/interception-schema.js

@@ -0,0 +1,170 @@
+"use strict";
+// The final local interception schema (R0), applied into the one canonical CE0
+// evidence database by the existing opener. There is no second database and no
+// second migration framework: this DDL is the second db.exec() of openCe0Store's
+// single bootstrap, alongside the CE0 forcing-function schema in ce0-store.ts.
+//
+// Source of truth: notes/20260615-rules-as-node-and-action-interception-consolidated
+// -proposal.md §10.1 step 1. The schema is the FINAL state from a fresh database:
+// all three tables exist from the first open (no R0-to-R1 schema delta), every
+// invariant the proposal claims is a real SQLite mechanism (partial unique index,
+// composite runtime-scope-safe foreign key, CHECK, or trigger), and SQLite is the
+// sole local authority (decision 4: the hook never reads a bundle file off disk).
+//
+//   local_rule_version      The attested rule version (R1). The table is created up
+//                           front so the evaluation record's version arm resolves at
+//                           creation time, but R0 never writes a row here.
+//   tool_attempt            One locally-minted ULID per intercepted tool call. PreToolUse
+//                           carries no tool_use_id, so the attempt id is the local key.
+//   rule_evaluation_record  One verdict per applicable rule per attempt. The observed
+//                           arm (R0) carries the frozen observed-rule snapshot + hash;
+//                           the version arm (R1) references local_rule_version.
+//
+// Comments are SQL block comments deliberately: this string is exec'd verbatim, and a
+// leading double-hyphen line comment is a forbidden token in this codebase.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.INTERCEPTION_SCHEMA = exports.CE0_INTERCEPTION_SCHEMA_VERSION = void 0;
+// The schema version stamped into the database's user_version pragma. There is no R0-to-R1
+// delta (the schema is created in its final state), so this is 1 from the first open. mla doctor
+// reads user_version back and fails if it does not match this constant, which is how a stale or
+// foreign database is caught before the deny pilot ever evaluates a rule (slice 9, §10.1 step 1(d)).
+exports.CE0_INTERCEPTION_SCHEMA_VERSION = 1;
+exports.INTERCEPTION_SCHEMA = `
+CREATE TABLE IF NOT EXISTS local_rule_version (
+  version_id                 TEXT NOT NULL PRIMARY KEY,  /* ULID */
+  rule_id                    TEXT NOT NULL,              /* logical identity, minted at first attestation */
+  runtime_scope_id           TEXT NOT NULL,
+  rule_payload               TEXT NOT NULL,              /* immutable canonical rule-version-v1 JSON; SOLE authority (decision 6) */
+  canonical_payload_hash     TEXT NOT NULL,              /* rule-version-v1 digest, SHA-256 lowercase-hex */
+  lifecycle_status           TEXT NOT NULL
+                               CHECK (lifecycle_status IN ('LIVE','SUPERSEDED','DEPRECATED','REVOKED')),
+  attestation_method         TEXT NOT NULL
+                               CHECK (attestation_method IN ('HUMAN_DIRECT','AGENT_ON_USER_REQUEST')),
+  attested_by                TEXT NOT NULL,
+  supersedes_version_id      TEXT REFERENCES local_rule_version(version_id),
+  derived_from_observed_hash TEXT,
+  attested_at                TEXT NOT NULL,
+  CHECK (supersedes_version_id IS NULL OR supersedes_version_id <> version_id)
+) STRICT;
+
+CREATE UNIQUE INDEX IF NOT EXISTS ux_one_live_version ON local_rule_version (runtime_scope_id, rule_id)
+  WHERE lifecycle_status = 'LIVE';
+CREATE UNIQUE INDEX IF NOT EXISTS ux_version_payload ON local_rule_version (runtime_scope_id, rule_id, canonical_payload_hash);
+CREATE UNIQUE INDEX IF NOT EXISTS ux_version_scope ON local_rule_version (version_id, runtime_scope_id);
+
+CREATE TABLE IF NOT EXISTS tool_attempt (
+  attempt_id                  TEXT NOT NULL PRIMARY KEY,   /* ULID minted locally */
+  runtime_scope_id            TEXT NOT NULL,
+  session_id                  TEXT NOT NULL,
+  tool_name                   TEXT NOT NULL,
+  evaluation_input_snapshot   TEXT NOT NULL,               /* canonical evaluation-input-v1 JSON (decision 4) */
+  evaluation_input_hash       TEXT NOT NULL,
+  aggregate_decision          TEXT NOT NULL DEFAULT 'NO_DECISION'
+                                CHECK (aggregate_decision IN ('NO_DECISION','DENY')),
+  deny_emission_status        TEXT NOT NULL DEFAULT 'NOT_APPLICABLE'
+                                CHECK (deny_emission_status IN ('NOT_APPLICABLE','DECISION_RECORDED','RESPONSE_EMITTED')),
+  input_authority_config_hash TEXT,
+  created_at                  TEXT NOT NULL,
+  CHECK ((aggregate_decision = 'NO_DECISION' AND deny_emission_status =  'NOT_APPLICABLE')
+      OR (aggregate_decision = 'DENY'        AND deny_emission_status IN ('DECISION_RECORDED','RESPONSE_EMITTED')))
+) STRICT;
+
+CREATE UNIQUE INDEX IF NOT EXISTS ux_attempt_scope ON tool_attempt (attempt_id, runtime_scope_id);
+
+CREATE TABLE IF NOT EXISTS rule_evaluation_record (
+  evaluation_id          TEXT    NOT NULL PRIMARY KEY,   /* ULID */
+  attempt_id             TEXT    NOT NULL,
+  runtime_scope_id       TEXT    NOT NULL,
+  result                 TEXT    NOT NULL
+                           CHECK (result IN ('COMPLIANT','VIOLATION','UNKNOWN')),
+  eligible_enforcement   TEXT    NOT NULL
+                           CHECK (eligible_enforcement IN ('OBSERVE','ASK','DENY')),
+  effective_enforcement  TEXT    NOT NULL                /* NONE when infra is unavailable (decision 5) */
+                           CHECK (effective_enforcement IN ('NONE','OBSERVE','ASK','DENY')),
+  verdict_reason_code    TEXT    NOT NULL,
+  gate_reason_code       TEXT,
+  evaluator_contract_version TEXT NOT NULL,
+  observed_rule_snapshot TEXT,                           /* canonical observed-rule-v1 JSON */
+  observed_rule_hash     TEXT,                           /* observed-rule-v1 digest */
+  rule_version_id        TEXT,
+  canonical_payload_hash TEXT,
+  created_at             TEXT    NOT NULL,
+  CHECK ((rule_version_id IS NULL) = (observed_rule_hash IS NOT NULL)),
+  CHECK ((observed_rule_hash IS NULL) = (observed_rule_snapshot IS NULL)),
+  CHECK ((rule_version_id IS NULL) = (canonical_payload_hash IS NULL)),
+  FOREIGN KEY (attempt_id, runtime_scope_id)
+    REFERENCES tool_attempt (attempt_id, runtime_scope_id) ON DELETE CASCADE,
+  FOREIGN KEY (rule_version_id, runtime_scope_id)
+    REFERENCES local_rule_version (version_id, runtime_scope_id)
+) STRICT;
+
+CREATE INDEX IF NOT EXISTS        ix_eval_attempt  ON rule_evaluation_record (attempt_id);
+CREATE UNIQUE INDEX IF NOT EXISTS ux_eval_observed ON rule_evaluation_record (attempt_id, observed_rule_hash)
+  WHERE observed_rule_hash IS NOT NULL;
+CREATE UNIQUE INDEX IF NOT EXISTS ux_eval_version  ON rule_evaluation_record (attempt_id, rule_version_id)
+  WHERE rule_version_id IS NOT NULL;
+
+CREATE TRIGGER IF NOT EXISTS trg_version_immutable
+BEFORE UPDATE ON local_rule_version
+FOR EACH ROW WHEN NOT (
+      NEW.version_id = OLD.version_id
+  AND NEW.rule_id = OLD.rule_id
+  AND NEW.runtime_scope_id = OLD.runtime_scope_id
+  AND NEW.rule_payload = OLD.rule_payload
+  AND NEW.canonical_payload_hash = OLD.canonical_payload_hash
+  AND NEW.attestation_method = OLD.attestation_method
+  AND NEW.attested_by = OLD.attested_by
+  AND NEW.supersedes_version_id IS OLD.supersedes_version_id
+  AND NEW.derived_from_observed_hash IS OLD.derived_from_observed_hash
+  AND NEW.attested_at = OLD.attested_at
+  AND OLD.lifecycle_status = 'LIVE'
+  AND NEW.lifecycle_status IN ('SUPERSEDED','DEPRECATED','REVOKED'))
+BEGIN
+  SELECT RAISE(ABORT, 'local_rule_version is immutable except a LIVE->SUPERSEDED/DEPRECATED/REVOKED lifecycle transition');
+END;
+
+CREATE TRIGGER IF NOT EXISTS trg_attempt_frozen
+BEFORE UPDATE ON tool_attempt
+FOR EACH ROW WHEN NOT (
+      OLD.aggregate_decision = 'DENY' AND NEW.aggregate_decision = 'DENY'
+  AND OLD.deny_emission_status = 'DECISION_RECORDED'
+  AND NEW.deny_emission_status = 'RESPONSE_EMITTED'
+  AND NEW.attempt_id = OLD.attempt_id
+  AND NEW.runtime_scope_id = OLD.runtime_scope_id
+  AND NEW.session_id = OLD.session_id
+  AND NEW.tool_name = OLD.tool_name
+  AND NEW.evaluation_input_snapshot = OLD.evaluation_input_snapshot
+  AND NEW.evaluation_input_hash = OLD.evaluation_input_hash
+  AND NEW.input_authority_config_hash IS OLD.input_authority_config_hash
+  AND NEW.created_at = OLD.created_at)
+BEGIN
+  SELECT RAISE(ABORT, 'tool_attempt is immutable except the deny emission advance DECISION_RECORDED->RESPONSE_EMITTED');
+END;
+
+CREATE TRIGGER IF NOT EXISTS trg_eval_no_update
+BEFORE UPDATE ON rule_evaluation_record
+BEGIN
+  SELECT RAISE(ABORT, 'rule_evaluation_record is append-only (no UPDATE)');
+END;
+
+/* The proposal §10.1 names a temp sentinel (temp.sqlite_master / CREATE TEMP TABLE        */
+/* _ce0_retention). That form is unimplementable in SQLite 3.49.2: a trigger may not        */
+/* reference the temp database (temp.sqlite_master is rejected at CREATE TRIGGER), and the   */
+/* unqualified sqlite_temp_master binds to the trigger's own database (main.sqlite_temp_     */
+/* master, which never exists) so it always raises. The sentinel is therefore a MAIN-schema  */
+/* table. Privacy and transaction-scoping are preserved by SQLite isolation: the retention   */
+/* pass runs ONE transaction that creates _ce0_retention, DELETEs the owning tool_attempt    */
+/* rows (the cascade reaches the evaluation rows while the sentinel is visible), then drops   */
+/* _ce0_retention. The table is never committed, so no other connection can ever observe it   */
+/* or piggyback on it; a direct DELETE on any other path finds no sentinel and aborts.        */
+CREATE TRIGGER IF NOT EXISTS trg_eval_no_direct_delete
+BEFORE DELETE ON rule_evaluation_record
+WHEN NOT EXISTS (SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = '_ce0_retention')
+BEGIN
+  SELECT RAISE(ABORT, 'rule_evaluation_record delete only via tool_attempt retention cascade (open the retention sentinel)');
+END;
+
+/* Stamp the schema version last, after every object exists, so a half-applied schema never reads */
+/* back as the current version. mla doctor compares this against CE0_INTERCEPTION_SCHEMA_VERSION.  */
+PRAGMA user_version = ${exports.CE0_INTERCEPTION_SCHEMA_VERSION};
+`;