@meetless/mla 0.1.4

package/dist/lib/rules/requirement-subject.js

@@ -0,0 +1,240 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONSULTATION_SOURCES = exports.SUBJECT_TERM_OVERLAP_THRESHOLD_VERSION = exports.SUBJECT_TERM_OVERLAP_THRESHOLD = exports.SUBJECT_MATCH_VERSION = exports.SUBJECT_STOPWORDS = exports.SUBJECT_STOPWORD_SET_VERSION = exports.SUBJECT_FINGERPRINT_SCHEMA_VERSION = exports.REQUIREMENT_SUBJECT_EXTRACTOR_VERSION = void 0;
+exports.normalizeSubjectTerms = normalizeSubjectTerms;
+exports.buildRequirementSubjectPayload = buildRequirementSubjectPayload;
+exports.requirementSubjectFingerprint = requirementSubjectFingerprint;
+exports.extractRequirementSubject = extractRequirementSubject;
+exports.buildRequiredSubjectFromPrompt = buildRequiredSubjectFromPrompt;
+exports.buildConsultationSubjectFromQuery = buildConsultationSubjectFromQuery;
+exports.matchConsultationSubject = matchConsultationSubject;
+exports.consultationContributesProof = consultationContributesProof;
+exports.selectEligibleConsultations = selectEligibleConsultations;
+exports.recomputeSubjectSatisfaction = recomputeSubjectSatisfaction;
+exports.isObligationSatisfied = isObligationSatisfied;
+const canonical_json_1 = require("./canonical-json");
+exports.REQUIREMENT_SUBJECT_EXTRACTOR_VERSION = "prompt-terms-v1";
+exports.SUBJECT_FINGERPRINT_SCHEMA_VERSION = "requirement-subject-v1";
+exports.SUBJECT_STOPWORD_SET_VERSION = "seed-v1";
+/** Minimum length for a kept term; drops single-character noise left by punctuation /
+ * contraction splits ("don't" -> "don","t" -> "don"). */
+const MIN_TERM_LENGTH = 2;
+const sortedFrozen = (words) => Object.freeze(Array.from(new Set(words)).sort());
+/** The versioned seed stopword set: English function words plus the question and
+ * governance scaffolding that wraps a governed subject ("what did we decide about X",
+ * "why did we choose Y", "who owns Z", "are we still doing W"). Content nouns that ARE
+ * the subject (policy, canonical, architecture, decision, model, ...) are deliberately
+ * absent. Frozen so identity is byte-stable; the corpus pins the exact behavior. */
+exports.SUBJECT_STOPWORDS = sortedFrozen([
+    "a", "about", "an", "and", "any", "are", "as", "at",
+    "be", "been", "being", "between", "but", "by",
+    "can", "choose", "chose", "chosen", "could",
+    "decide", "decided", "did", "do", "does", "doing",
+    "for", "from",
+    "had", "has", "have", "how",
+    "i", "in", "into", "is", "it", "its",
+    "my", "nor", "of", "on", "or", "our", "over",
+    "own", "owned", "owns",
+    "approve", "approved", "approves",
+    "should", "so", "still",
+    "that", "the", "their", "them", "then", "there", "these", "this", "those", "to",
+    "under", "us",
+    "was", "we", "were", "what", "when", "where", "which", "who", "why", "will", "with", "would",
+    "you", "your",
+]);
+const STOPWORD_SET = new Set(exports.SUBJECT_STOPWORDS);
+/**
+ * Lift the deterministic subject terms from a prompt: lowercase, split on any
+ * non-alphanumeric run, drop stopwords and sub-`MIN_TERM_LENGTH` tokens, then return the
+ * sorted, deduped set. Order-independent and idempotent.
+ */
+function normalizeSubjectTerms(text) {
+    const tokens = text.toLowerCase().split(/[^a-z0-9]+/);
+    const kept = new Set();
+    for (const tok of tokens) {
+        if (tok.length < MIN_TERM_LENGTH)
+            continue;
+        if (STOPWORD_SET.has(tok))
+            continue;
+        kept.add(tok);
+    }
+    return Array.from(kept).sort();
+}
+const sortedUniq = (xs) => Array.from(new Set(xs)).sort();
+/**
+ * Build the closed canonical fingerprint payload. Every id / term set is sorted +
+ * deduped so the digest is a pure function of SET content (identity), and the schema
+ * version is pinned so a version bump rotates every digest.
+ */
+function buildRequirementSubjectPayload(fields) {
+    return {
+        schemaVersion: exports.SUBJECT_FINGERPRINT_SCHEMA_VERSION,
+        normalizedTerms: sortedUniq(fields.normalizedTerms),
+        entityIds: sortedUniq(fields.entityIds),
+        decisionIds: sortedUniq(fields.decisionIds),
+        conceptIds: sortedUniq(fields.conceptIds),
+    };
+}
+/** Identity fingerprint over the structured fields (sha256 hex). Identity only. */
+function requirementSubjectFingerprint(fields) {
+    return (0, canonical_json_1.sha256Hex)((0, canonical_json_1.canonicalize)(buildRequirementSubjectPayload(fields)));
+}
+/**
+ * Extract a structured RequirementSubject from a raw prompt. The term set is lifted
+ * deterministically here; entity / decision / concept ids are accepted from an upstream
+ * resolver (none wired in v1, so they default empty) rather than fabricated. `subjectId`
+ * is derived from the identity fingerprint, so the same structured content always yields
+ * the same handle.
+ */
+function extractRequirementSubject(prompt, resolved = {}) {
+    const fields = {
+        normalizedTerms: normalizeSubjectTerms(prompt),
+        entityIds: sortedUniq(resolved.entityIds ?? []),
+        decisionIds: sortedUniq(resolved.decisionIds ?? []),
+        conceptIds: sortedUniq(resolved.conceptIds ?? []),
+    };
+    const fingerprint = requirementSubjectFingerprint(fields);
+    return { subjectId: `subj:${fingerprint}`, ...fields, fingerprint };
+}
+/**
+ * The obligation's required subject, lifted from the user prompt. A thin, named call
+ * site over the single `extractRequirementSubject` normalizer: both the obligation side
+ * and the consultation side share ONE normalizer, never a second extractor. It takes no
+ * resolved-ids argument by construction, because the proactive-enrich path surfaces no
+ * resolved ids at prompt-submit time; a required subject is strictly terms-only and
+ * cannot carry fabricated ids.
+ */
+function buildRequiredSubjectFromPrompt(prompt) {
+    return extractRequirementSubject(prompt, {});
+}
+exports.SUBJECT_MATCH_VERSION = "deterministic-intersection-v1";
+/** Fraction of the REQUIRED subject's terms that a consultation must contain for a
+ * term-based FULL match. Directional: it measures whether the consultation COVERS the
+ * required subject, not mutual similarity. */
+exports.SUBJECT_TERM_OVERLAP_THRESHOLD = 0.5;
+exports.SUBJECT_TERM_OVERLAP_THRESHOLD_VERSION = "required-containment-half-v1";
+/**
+ * A consultation's query subject, lifted from the retrieval query the agent issued. The
+ * SAME normalizer as `buildRequiredSubjectFromPrompt`, so identical text yields a
+ * byte-identical subject (the two sides can never silently diverge). Resolved ids are
+ * admitted ONLY when the call already surfaced them (e.g. a kb_doc_detail citation id);
+ * they default empty, never invented here.
+ */
+function buildConsultationSubjectFromQuery(query, resolved = {}) {
+    return extractRequirementSubject(query, resolved);
+}
+function intersects(a, b) {
+    if (a.length === 0 || b.length === 0)
+        return false;
+    const set = new Set(a);
+    return b.some((x) => set.has(x));
+}
+/** Fraction of `required`'s terms present in `consultation` (directional containment).
+ * Zero when `required` has no terms (nothing to cover). */
+function requiredTermContainment(required, consultation) {
+    if (required.length === 0)
+        return 0;
+    const set = new Set(consultation);
+    const hit = required.reduce((n, t) => (set.has(t) ? n + 1 : n), 0);
+    return hit / required.length;
+}
+/**
+ * The CE0 deterministic coverage ladder (§1.6). candidateMatch is true iff a non-empty id
+ * intersection on entityIds / decisionIds / conceptIds, OR a required-term containment at
+ * or above the versioned threshold. Anything uncertain (including a disjoint pair or a
+ * degenerate required subject) fails toward silence: result UNKNOWN, candidateMatch false,
+ * which neither satisfies nor violates. This grader never asserts PARTIAL or NONE; the
+ * crude term test is not entitled to claim non-coverage, so a non-match is UNKNOWN, not NONE.
+ *
+ * Source-independent by design: a PROACTIVE_PUSH does NOT blanket match. A push is graded
+ * by this same per-subject test; it contributes a proof to a required subject only when its
+ * query subjects cover that subject, exactly as `recomputeSubjectSatisfaction` attributes proofs.
+ */
+function matchConsultationSubject(required, consultation) {
+    const idIntersect = intersects(required.entityIds, consultation.entityIds) ||
+        intersects(required.decisionIds, consultation.decisionIds) ||
+        intersects(required.conceptIds, consultation.conceptIds);
+    const termMatch = requiredTermContainment(required.normalizedTerms, consultation.normalizedTerms) >=
+        exports.SUBJECT_TERM_OVERLAP_THRESHOLD;
+    const candidateMatch = idIntersect || termMatch;
+    return {
+        subjectId: required.subjectId,
+        result: candidateMatch ? "FULL" : "UNKNOWN",
+        candidateMatch,
+    };
+}
+/** How a governed-memory consultation was initiated. The tuple is the SINGLE source of both
+ * the closed value set and the stable sort order the offline projector resolves a finalized
+ * obligation's `satisfiedBySources` into. CE0 emits only PROACTIVE_PUSH and AGENT_PULL; today
+ * only AGENT_PULL is written (the PostToolUse capture seam). STOP_RECOVERY_PULL is a held seam:
+ * it lives in the enum so its ordering is fixed up front, but CE0 (RECORD_ONLY) never writes
+ * it. */
+exports.CONSULTATION_SOURCES = ["PROACTIVE_PUSH", "AGENT_PULL", "STOP_RECOVERY_PULL"];
+/**
+ * A consultation contributes proofs iff it COMPLETED and its evidence reached the parent
+ * answering context. Result (RESULTS_RETURNED vs NO_MATCH) does NOT gate: asking governed
+ * memory about a subject and completing, even with zero hits, is a consultation of that
+ * subject. FAILED, UNKNOWN, and undelivered consultations never contribute (we cannot
+ * attest they consulted).
+ */
+function consultationContributesProof(c) {
+    return c.execution === "COMPLETE" && c.deliveredToAnsweringContext === true;
+}
+/**
+ * The eligible consultation set for an obligation: contributing consultations (above)
+ * recorded on or before the claimed deadline. Pass `deadlineOrderingToken = null` while the
+ * obligation has no deadline yet (the first Stop has not claimed it), so every contributing
+ * consultation is on time. Once the deadline is claimed at orderingToken D, a consultation at
+ * orderingToken > D is late: it stays factual telemetry but can never produce an on-time proof.
+ */
+function selectEligibleConsultations(consultations, deadlineOrderingToken) {
+    return consultations.filter((c) => consultationContributesProof(c) &&
+        (deadlineOrderingToken === null || c.orderingToken <= deadlineOrderingToken));
+}
+/**
+ * Accumulate one SubjectSatisfactionProof per COVERED required subject across all ELIGIBLE
+ * consultations: a required subject is covered iff some eligible consultation's query
+ * subjects match it (via `matchConsultationSubject`), and the proof records the consultation
+ * that covered it. Two consultations can jointly satisfy two subjects; one consultation can
+ * satisfy several. This is NOT a coverage table: there is no per-subject grade, only the
+ * presence or absence of a proof.
+ *
+ * Deterministic and idempotent: consultations are considered in ascending (orderingToken,
+ * then consultationId), so the EARLIEST eligible consultation wins a subject's proof
+ * regardless of input order, and a duplicated consultation yields the identical proof. Proofs
+ * are emitted in `requiredSubjects` order, at most one per subjectId (a subject listed twice
+ * still yields one proof). Uncovered required subjects yield no proof.
+ */
+function recomputeSubjectSatisfaction(requiredSubjects, eligibleConsultations) {
+    const ordered = [...eligibleConsultations].sort((a, b) => a.orderingToken !== b.orderingToken
+        ? a.orderingToken - b.orderingToken
+        : a.consultationId < b.consultationId
+            ? -1
+            : a.consultationId > b.consultationId
+                ? 1
+                : 0);
+    const proofs = [];
+    const proven = new Set();
+    for (const required of requiredSubjects) {
+        if (proven.has(required.subjectId))
+            continue;
+        const hit = ordered.find((c) => c.consultationSubjects.some((qs) => matchConsultationSubject(required, qs).candidateMatch));
+        if (hit) {
+            proofs.push({ subjectId: required.subjectId, consultationId: hit.consultationId });
+            proven.add(required.subjectId);
+        }
+    }
+    return proofs;
+}
+/**
+ * SATISFIED iff every required subject has a proof. An empty required set does NOT vacuously
+ * satisfy (fail toward silence): satisfaction requires demonstrated consultation of at least
+ * one subject. On-time-ness is already enforced by `selectEligibleConsultations`, so a proof
+ * set built from eligible consultations is on time by construction.
+ */
+function isObligationSatisfied(requiredSubjects, proofs) {
+    if (requiredSubjects.length === 0)
+        return false;
+    const proven = new Set(proofs.map((p) => p.subjectId));
+    return requiredSubjects.every((r) => proven.has(r.subjectId));
+}

package/dist/lib/rules/rule-activity.js

@@ -0,0 +1,67 @@
+"use strict";
+// R2-LOCAL accountability projection: the §2.6 "observed N, violated M" measurement.
+//
+// The terminal-outcome half of R2 (project a COMMITTED violation, ie "the action the deny named
+// actually happened") is BLOCKED BY DESIGN: the supported Claude Code PreToolUse payload carries no
+// tool_use_id (§9.10), and heuristic post correlation by timestamp / tool name / input hash / transcript
+// position is FORBIDDEN because parallel identical calls make it unsound (§2.6, lines 2209-2221). So this
+// module does NOT correlate anything. It projects ONLY the records MLA already owns at the moment it
+// evaluates a rule at PreToolUse: the tool_attempt and the per-rule rule_evaluation_record.
+//
+// That projection is exactly the measurement §2.6 (lines 2224-2231) says licenses promoting a rule out of
+// DRY_RUN: "you cannot justify promoting a rule from DRY_RUN to ask or deny until you can show 'this rule
+// was observed N times and violated M of them.' The violation log IS that measurement." It needs no
+// correlation and is not blocked. §3.7 ("Phase R2 (still local): accountability and instrumentation")
+// scopes it to first-class local violation events and a console summary, which is this.
+//
+// The measurement is keyed on each LIVE version. A version's track record starts when it goes live: when a
+// rule is superseded and re-attested, the new LIVE version's version_id is fresh, so its counts honestly
+// start at zero (the old version's history is not silently inherited). Pure core over a real ce0 store.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.summarizeRuleActivity = summarizeRuleActivity;
+/**
+ * Project the §2.6 observed/violated measurement for every LIVE rule version in `runtimeScopeId`.
+ *
+ * Each LIVE version is LEFT JOINed to its version-arm evaluations (so a brand-new LIVE rule with no
+ * activity still surfaces as an all-zero row, the floor the operator sees), and each evaluation to its
+ * attempt (to tell a violation that emitted a deny from one that was only observed). The join keys on
+ * rule_version_id, so observed-only arms (rule_version_id IS NULL, recorded for never-attested rules) and
+ * superseded versions never inflate a LIVE version's count. Scope-isolated and ordered by ruleId so the
+ * result is deterministic across runs.
+ */
+function summarizeRuleActivity(store, runtimeScopeId) {
+    const rows = store.db
+        .prepare(`SELECT
+         v.rule_id    AS rule_id,
+         v.version_id AS version_id,
+         COUNT(e.evaluation_id) AS observed,
+         COALESCE(SUM(CASE WHEN e.result = 'COMPLIANT' THEN 1 ELSE 0 END), 0) AS compliant,
+         COALESCE(SUM(CASE WHEN e.result = 'VIOLATION' THEN 1 ELSE 0 END), 0) AS violation,
+         COALESCE(SUM(CASE WHEN e.effective_enforcement = 'DENY'
+                            AND a.deny_emission_status = 'RESPONSE_EMITTED'
+                       THEN 1 ELSE 0 END), 0) AS denied_emitted,
+         COALESCE(SUM(CASE WHEN e.result = 'VIOLATION'
+                            AND e.effective_enforcement = 'NONE'
+                       THEN 1 ELSE 0 END), 0) AS enforcement_unavailable
+       FROM local_rule_version v
+       LEFT JOIN rule_evaluation_record e
+              ON e.rule_version_id = v.version_id
+             AND e.runtime_scope_id = v.runtime_scope_id
+       LEFT JOIN tool_attempt a
+              ON a.attempt_id = e.attempt_id
+             AND a.runtime_scope_id = e.runtime_scope_id
+       WHERE v.runtime_scope_id = ?
+         AND v.lifecycle_status = 'LIVE'
+       GROUP BY v.rule_id, v.version_id
+       ORDER BY v.rule_id`)
+        .all(runtimeScopeId);
+    return rows.map((r) => ({
+        ruleId: r.rule_id,
+        versionId: r.version_id,
+        observed: r.observed,
+        compliant: r.compliant,
+        violation: r.violation,
+        deniedEmitted: r.denied_emitted,
+        enforcementUnavailable: r.enforcement_unavailable,
+    }));
+}

package/dist/lib/rules/rule-version-hash.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RuleVersionHashError = exports.RULE_VERSION_HASH_DOMAIN = void 0;
+exports.buildRuleVersionPayload = buildRuleVersionPayload;
+exports.serializeRuleVersion = serializeRuleVersion;
+exports.ruleVersionHash = ruleVersionHash;
+const crypto_1 = require("crypto");
+const canonical_json_1 = require("./canonical-json");
+/**
+ * The `rule-version-v1` canonical hash domain (proposal P0.36, sharpened by P0.53; RulePayloadV1
+ * at §3.6).
+ *
+ * It computes the content identity of an ATTESTED rule version. The digest is
+ *
+ *     SHA-256( domainTag || 0x00 || JCS(payload) )   (lowercase hex)
+ *
+ * over the IMMUTABLE `RulePayloadV1` ONLY. The version ENVELOPE (ruleId, versionId,
+ * lifecycleStatus, supersedesVersionId, derivedFromObservedRuleHash, attestedBy, attestedAt,
+ * attestationMethod) is deliberately OUTSIDE the hash: a hash cannot include itself, and issuance
+ * metadata is not enforcement-relevant (P0.16, P0.54). JCS is the repo's existing RFC 8785
+ * canonicalizer (canonical-json.ts); the domain tag + single 0x00 separator (P0.53) guarantee this
+ * digest can NEVER collide with an observed rule (`observed-rule-v1`), an action-input snapshot
+ * (`evaluation-input-v1`), or any other hashed artifact, even when two bodies are byte-identical.
+ * JCS escapes control characters, so the only raw 0x00 byte in the hash input is the separator.
+ *
+ * `runtimeScopeId` is INSIDE the hash (P0.51): the same rule bound to a different checkout scope is
+ * a different payload with a different digest, which is what makes the payload-scope == envelope-scope
+ * rule (§3.6) checkable. Because every field except `text`, `applicability`, and the carried
+ * `forbiddenRootRelativePath` is fixed by the notes-location pilot contract (§2.4), two operators
+ * attesting the same observed snapshot in the same runtime scope mint a byte-identical payload and the
+ * same digest.
+ *
+ * Per-field NFC caveat (honest, P0.53). The vendored JCS primitive applies NFC to EVERY string,
+ * while the contract reserves NFC for prose. For the notes-location pilot every non-prose field (the
+ * tool names, the effect / strength / ceiling / policy tokens, the version tags, the relative
+ * forbidden root, the runtime scope) is ASCII and therefore NFC-stable, so universal NFC is
+ * byte-identical to the per-field rule and the golden vectors are contract-correct. A future payload
+ * carrying a non-prose field that can hold non-NFC Unicode (for instance a forbidden path with
+ * combining marks) must switch to a per-field-NFC encoder; that boundary is recorded in the ledger.
+ */
+exports.RULE_VERSION_HASH_DOMAIN = "rule-version-v1";
+/** Thrown when a payload carries a field outside the rule-version-v1 schema (fail-closed). */
+class RuleVersionHashError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "RuleVersionHashError";
+    }
+}
+exports.RuleVersionHashError = RuleVersionHashError;
+// The closed key sets for each object in the payload schema. Unknown fields are an error (P0.53),
+// so a forward-incompatible producer cannot silently mint a hash a consumer would compute
+// differently. `rationale` is the only optional top-level key; it is omitted, never null, when absent.
+const RULE_PAYLOAD_KEYS = new Set([
+    "text",
+    "rationale",
+    "applicability",
+    "compliance",
+    "effect",
+    "strength",
+    "deliveryChannels",
+    "enforcementCeiling",
+    "infrastructureFailurePolicy",
+    "runtimeScopeId",
+    "payloadSchemaVersion",
+    "canonicalSerializationVersion",
+]);
+const COMPLIANCE_KEYS = new Set([
+    "evaluatorContractVersion",
+    "matcherSchemaVersion",
+    "pathCanonicalizerVersion",
+    "config",
+]);
+const COMPLIANCE_CONFIG_KEYS = new Set(["forbiddenRootRelativePath"]);
+const APPLICABILITY_AMBIENT_KEYS = new Set(["mode"]);
+const APPLICABILITY_ACTION_KEYS = new Set(["mode", "tools", "matcher"]);
+const MATCHER_KEYS = new Set(["field", "glob"]);
+function rejectUnknownKeys(obj, allowed, context) {
+    for (const key of Object.keys(obj)) {
+        if (!allowed.has(key)) {
+            throw new RuleVersionHashError(`unknown field '${key}' in ${context} is outside the ${exports.RULE_VERSION_HASH_DOMAIN} schema`);
+        }
+    }
+}
+/** Sort + dedupe a SET-valued field by code unit (P0.53). The pilot's tool names and delivery
+ * channels are ASCII, so code unit and code point coincide and the order matches JCS key ordering. */
+function sortedDedupedSet(values) {
+    return Array.from(new Set(values)).sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+}
+function buildApplicabilityPayload(a) {
+    if (a.mode === "ambient") {
+        rejectUnknownKeys(a, APPLICABILITY_AMBIENT_KEYS, "applicability(ambient)");
+        return { mode: "ambient" };
+    }
+    rejectUnknownKeys(a, APPLICABILITY_ACTION_KEYS, "applicability(action)");
+    rejectUnknownKeys(a.matcher, MATCHER_KEYS, "applicability.matcher");
+    const matcher = { field: a.matcher.field };
+    if (a.matcher.glob !== undefined) {
+        matcher.glob = a.matcher.glob;
+    }
+    return {
+        mode: "action",
+        tools: sortedDedupedSet(a.tools),
+        matcher,
+    };
+}
+/**
+ * Build the closed canonical payload for a RulePayloadV1: the exact object that gets canonicalized
+ * and hashed. Rejects unknown fields at every level, applies set discipline to deliveryChannels and
+ * applicability.tools, and omits an absent rationale (and matcher glob). Field NFC (prose) is applied
+ * by the JCS encoder on the way out; see the per-field caveat in the file header.
+ */
+function buildRuleVersionPayload(payload) {
+    rejectUnknownKeys(payload, RULE_PAYLOAD_KEYS, "rule payload");
+    rejectUnknownKeys(payload.compliance, COMPLIANCE_KEYS, "compliance");
+    rejectUnknownKeys(payload.compliance.config, COMPLIANCE_CONFIG_KEYS, "compliance.config");
+    const base = {
+        text: payload.text,
+        applicability: buildApplicabilityPayload(payload.applicability),
+        compliance: {
+            evaluatorContractVersion: payload.compliance.evaluatorContractVersion,
+            matcherSchemaVersion: payload.compliance.matcherSchemaVersion,
+            pathCanonicalizerVersion: payload.compliance.pathCanonicalizerVersion,
+            config: { forbiddenRootRelativePath: payload.compliance.config.forbiddenRootRelativePath },
+        },
+        effect: payload.effect,
+        strength: payload.strength,
+        deliveryChannels: sortedDedupedSet(payload.deliveryChannels),
+        enforcementCeiling: payload.enforcementCeiling,
+        infrastructureFailurePolicy: payload.infrastructureFailurePolicy,
+        runtimeScopeId: payload.runtimeScopeId,
+        payloadSchemaVersion: payload.payloadSchemaVersion,
+        canonicalSerializationVersion: payload.canonicalSerializationVersion,
+    };
+    // Absent optional: OMIT the key (never null). Present: include verbatim. Key ORDER is irrelevant
+    // (JCS sorts), so a conditional spread is the canonical builder, never a mutation.
+    return payload.rationale !== undefined ? { ...base, rationale: payload.rationale } : base;
+}
+/** The exact RFC 8785 canonical JSON string that is hashed (UTF-8). Exposed for golden vectors and
+ * debugging; the digest is over these bytes prefixed by the domain. */
+function serializeRuleVersion(payload) {
+    return (0, canonical_json_1.canonicalize)(buildRuleVersionPayload(payload));
+}
+/** The rule-version-v1 content hash: SHA-256(domainTag || 0x00 || JCS(payload)), lowercase hex. */
+function ruleVersionHash(payload) {
+    const jcs = serializeRuleVersion(payload);
+    const h = (0, crypto_1.createHash)("sha256");
+    h.update(exports.RULE_VERSION_HASH_DOMAIN, "utf8");
+    h.update(Buffer.from([0x00]));
+    h.update(jcs, "utf8");
+    return h.digest("hex");
+}

package/dist/lib/rules/runtime-scope.js

@@ -0,0 +1,55 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveActiveRuntimeScopeId = resolveActiveRuntimeScopeId;
+const fs = __importStar(require("fs"));
+const wire_1 = require("../wire");
+// The active runtime scope id (proposal §2.3 / §10.1, P0.51 / decision 7). Every local interception
+// row, the tool attempts, the evaluation records, and the attested versions, is keyed by
+// runtime_scope_id, NEVER by a bare workspaceId. The id is the realpath-resolved checkout root of the
+// activated runtime project: from the working directory, walk to the repo root and canonicalize. For
+// R0/R1 there is NO runtime-scope table (decision 2); the resolved path string IS the identity, so a
+// read or write derives it deterministically from the cwd rather than reading a row. resolveProjectRoot
+// performs the git-toplevel walk (falling back to the cwd outside a repo); realpath then canonicalizes
+// it so worktrees and symlinked paths resolve to one stable identity.
+function resolveActiveRuntimeScopeId(cwd) {
+    const root = (0, wire_1.resolveProjectRoot)(cwd);
+    try {
+        return fs.realpathSync(root);
+    }
+    catch {
+        return root;
+    }
+}

package/dist/lib/rules/stop-adapter.js

@@ -0,0 +1,116 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseStopInput = parseStopInput;
+exports.observeStop = observeStop;
+const ce0_store_1 = require("./ce0-store");
+const stop_response_snapshot_1 = require("./stop-response-snapshot");
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function describeError(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+/**
+ * Parse the raw Stop payload. Accepts either an already parsed object or the raw JSON string.
+ * A Stop has no required payload field beyond being an object, so the only null case is a shape
+ * that is not a plain object (or an unparseable string); the adapter maps that null to INFRA.
+ * The session coordinate and transcript_path are read but not required here, so their absence gets a
+ * distinct diagnostic / disposition at the adapter rather than collapsing into "malformed".
+ */
+function parseStopInput(raw) {
+    let obj = raw;
+    if (typeof raw === "string") {
+        try {
+            obj = JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    if (!isPlainObject(obj))
+        return null;
+    const session = obj.session_id;
+    const transcript = obj.transcript_path;
+    return {
+        session_id: typeof session === "string" ? session : undefined,
+        transcript_path: typeof transcript === "string" ? transcript : undefined,
+    };
+}
+/** Map a Stage A deadline-claim result onto the adapter's Stage A outcome. */
+function stageAOutcome(result, identity) {
+    switch (result.status) {
+        case "NO_OBLIGATION":
+            return { kind: "NOT_APPLICABLE" };
+        case "CLAIMED":
+            return {
+                kind: "CLAIMED",
+                obligationId: result.claim.obligationId,
+                localTurnSequence: identity.localTurnSequence,
+                deadlineClaimedAt: result.claim.deadlineClaimedAt,
+                deadlineClaimedVersion: result.claim.deadlineClaimedVersion,
+                stateVersion: result.claim.stateVersion,
+            };
+        case "ALREADY_CLAIMED":
+            return {
+                kind: "ALREADY_CLAIMED",
+                obligationId: result.claim.obligationId,
+                localTurnSequence: identity.localTurnSequence,
+                deadlineClaimedAt: result.claim.deadlineClaimedAt,
+            };
+    }
+}
+/**
+ * Stage B: best-effort, outside the Stage A transaction. Read the transcript snapshot and, when it
+ * succeeds, record the response pair idempotently onto the turn's assessment. readStopResponseSnapshot
+ * never throws; a transcript failure resolves to UNLABELABLE with a stable reason and the snapshot
+ * fields stay null. A Stage B store-write fault is the same DB-fault class Stage A already surfaces as
+ * INFRA, so it is left to propagate to the adapter's outer catch rather than masked here.
+ */
+function recordStageB(store, identity, transcriptPath) {
+    const snap = (0, stop_response_snapshot_1.readStopResponseSnapshot)(transcriptPath);
+    if (!snap.ok)
+        return { kind: "UNLABELABLE", reason: snap.reason };
+    const written = (0, ce0_store_1.recordStopResponseSnapshot)(store, identity, {
+        responseHash: snap.responseHash,
+        responseSourceRef: snap.responseSourceRef,
+    });
+    return { kind: written.status };
+}
+/**
+ * Observe one Stop. Resolves the turn's LocalTurnIdentity, runs Stage A (freeze the obligation's
+ * eligibility boundary and stamp the observation) and Stage B (best-effort response snapshot), and
+ * returns an empty (injection-free) hook response.
+ */
+function observeStop(rawInput, config) {
+    const NO_INJECTION = {};
+    const now = config.now ?? Date.now;
+    const parsed = parseStopInput(rawInput);
+    if (!parsed) {
+        return { response: NO_INJECTION, outcome: { kind: "INFRA", diagnostic: "malformed hook input" } };
+    }
+    if (!parsed.session_id) {
+        return {
+            response: NO_INJECTION,
+            outcome: { kind: "INFRA", diagnostic: "missing session_id coordinate" },
+        };
+    }
+    try {
+        const identity = (0, ce0_store_1.resolveLatestTurnIdentity)(config.store, {
+            workspaceId: config.workspaceId,
+            sessionId: parsed.session_id,
+        });
+        if (!identity) {
+            return { response: NO_INJECTION, outcome: { kind: "NOT_APPLICABLE" } };
+        }
+        const claim = (0, ce0_store_1.claimFirstStop)(config.store, identity, config.ruleVersionId, now);
+        const outcome = stageAOutcome(claim, identity);
+        const snapshot = recordStageB(config.store, identity, parsed.transcript_path);
+        return { response: NO_INJECTION, outcome, snapshot };
+    }
+    catch (err) {
+        return {
+            response: NO_INJECTION,
+            outcome: { kind: "INFRA", diagnostic: `persistence failure: ${describeError(err)}` },
+        };
+    }
+}