@neurcode-ai/cli 0.10.0 → 0.12.0

package/.telemetry-bundle/dist/__tests__/harvest-verify.test.d.ts

@@ -0,0 +1 @@
+export {};

package/.telemetry-bundle/dist/__tests__/harvest-verify.test.js

@@ -0,0 +1,86 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Run: npx tsx packages/telemetry/src/__tests__/harvest-verify.test.ts
+ */
+const node_test_1 = require("node:test");
+const strict_1 = __importDefault(require("node:assert/strict"));
+const harvest_verify_1 = require("../harvest-verify");
+const trust_scoring_1 = require("../trust-scoring");
+const leaderboards_1 = require("../precision/leaderboards");
+const contracts_1 = require("../contracts");
+(0, node_test_1.describe)('harvestGovernanceVerifyCompleted', () => {
+    (0, node_test_1.test)('aggregates counts without leaking excerpts', () => {
+        const canonical = {
+            verdict: 'FAIL',
+            ciMode: true,
+            policyOnly: false,
+            governanceVerification: {
+                schemaVersion: 'v1',
+                generatedAt: '2026-01-01T00:00:00.000Z',
+                compressedDuplicateCount: 2,
+                replayIntegrity: { status: 'exact', missingArtifacts: [], provenanceMismatches: [], graphMismatches: [], semanticTruncationMismatches: [], notes: [] },
+                findings: [
+                    {
+                        id: 'a',
+                        severity: 'BLOCKING',
+                        determinismClassification: 'deterministic-structural',
+                        suppressionMetadata: { suppressed: true, directive: 'suppress' },
+                        structuralMetadata: { ruleId: 'SR001' },
+                    },
+                    {
+                        id: 'b',
+                        severity: 'ADVISORY',
+                        determinismClassification: 'heuristic-advisory',
+                        structuralMetadata: { ruleId: 'SR002' },
+                    },
+                ],
+            },
+        };
+        const out = (0, harvest_verify_1.harvestGovernanceVerifyCompleted)(canonical);
+        strict_1.default.ok(out);
+        strict_1.default.equal(out.payload.governanceFindingCount, 2);
+        strict_1.default.equal(out.payload.suppressedFindingCount, 1);
+        strict_1.default.equal(out.payload.structuralRuleTriggerHistogram.SR001, 1);
+        strict_1.default.equal(out.payload.structuralRuleSuppressionHistogram.SR001, 1);
+        strict_1.default.equal(out.payload.replayIntegrityStatus, 'exact');
+        strict_1.default.ok(out.findingSetDigest.length === 64);
+    });
+});
+(0, node_test_1.describe)('trust and leaderboards', () => {
+    (0, node_test_1.test)('bounded scores', () => {
+        const canonical = (0, harvest_verify_1.harvestGovernanceVerifyCompleted)({
+            verdict: 'PASS',
+            governanceVerification: {
+                findings: [
+                    {
+                        id: 'x',
+                        severity: 'BLOCKING',
+                        determinismClassification: 'deterministic-structural',
+                        suppressionMetadata: { suppressed: false },
+                        structuralMetadata: { ruleId: 'SR010' },
+                    },
+                ],
+                compressedDuplicateCount: 0,
+                replayIntegrity: { status: 'bounded-degradation', missingArtifacts: ['a'], provenanceMismatches: [], graphMismatches: [], semanticTruncationMismatches: [], notes: [] },
+            },
+        });
+        strict_1.default.ok(canonical);
+        const t = (0, trust_scoring_1.trustFromVerifyPayload)(canonical.payload);
+        strict_1.default.ok(t.governanceUsefulnessScore >= 0 && t.governanceUsefulnessScore <= 1);
+        strict_1.default.equal(t.replayTrustScore, 0.65);
+        const ev = {
+            schemaVersion: contracts_1.GOVERNANCE_TELEMETRY_SCHEMA_VERSION,
+            emittedAt: '2026-01-01T00:00:00.000Z',
+            eventType: 'governance.verify.completed',
+            findingSetDigest: 'x'.repeat(64),
+            payload: canonical.payload,
+        };
+        const rollup = (0, leaderboards_1.rollupRulePrecisionFromEvents)([ev]);
+        const noisy = (0, leaderboards_1.noisyRuleLeaderboard)(rollup);
+        strict_1.default.ok(Array.isArray(noisy));
+    });
+});

package/.telemetry-bundle/dist/contracts.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Governance telemetry contracts — deterministic, privacy-bounded, replay-friendly.
+ * No hidden network analytics; all persistence is explicit local files under .neurcode/telemetry.
+ */
+export declare const GOVERNANCE_TELEMETRY_SCHEMA_VERSION: "2026-05-11.telemetry.v1";
+/** High-level event kinds (extend additively). */
+export type GovernanceTelemetryEventType = 'governance.verify.completed' | 'finding.viewed' | 'finding.acknowledged' | 'finding.suppressed' | 'finding.waived' | 'finding.ignored' | 'finding.fixed' | 'merge.after_blocking' | 'replay.artifact.opened' | 'replay.artifact.ignored' | 'ci.bypass_attempt' | 'rule.trigger' | 'reviewer.interaction';
+export interface GovernanceTelemetryEnvelope {
+    schemaVersion: typeof GOVERNANCE_TELEMETRY_SCHEMA_VERSION;
+    /** ISO-8601; wall clock for ordering only — replays must not depend on exact instant. */
+    emittedAt: string;
+    eventType: GovernanceTelemetryEventType;
+    /** Optional correlation to provenance when caller has a run id (UUID). */
+    runId?: string | null;
+    /** Stable digest of finding ids for this batch (sha256 hex, 64 chars). */
+    findingSetDigest?: string;
+    payload: GovernanceTelemetryPayload;
+}
+export type GovernanceTelemetryPayload = GovernanceVerifyCompletedPayload | FindingLifecyclePayload | RuleTriggerPayload | ReplayArtifactPayload | CiBypassPayload | ReviewerInteractionPayload | Record<string, never>;
+/** Emitted once per verify exit path when canonical JSON is available. */
+export interface GovernanceVerifyCompletedPayload {
+    verdict: 'PASS' | 'FAIL' | 'WARN' | string;
+    governanceFindingCount: number;
+    blockingFindingCount: number;
+    advisoryFindingCount: number;
+    determinismHistogram: Record<string, number>;
+    suppressedFindingCount: number;
+    waivedFindingCount: number;
+    structuralRuleTriggerHistogram: Record<string, number>;
+    structuralRuleSuppressionHistogram: Record<string, number>;
+    compressedDuplicateCount: number;
+    replayIntegrityStatus?: 'exact' | 'bounded-degradation' | 'invalidated' | null;
+    ciMode: boolean;
+    policyOnly: boolean;
+    /** Counts only — never file paths or code excerpts. */
+    mergeAfterBlocking?: boolean;
+}
+export interface FindingLifecyclePayload {
+    findingId: string;
+    ruleId?: string;
+    action: 'viewed' | 'acknowledged' | 'suppressed' | 'waived' | 'ignored' | 'fixed';
+}
+export interface RuleTriggerPayload {
+    ruleId: string;
+    count: number;
+}
+export interface ReplayArtifactPayload {
+    artifactKind: 'evidence' | 'execution' | 'digest';
+    action: 'opened' | 'ignored';
+}
+export interface CiBypassPayload {
+    channel: 'env' | 'flag' | 'workflow' | 'unknown';
+    detail?: string;
+}
+export interface ReviewerInteractionPayload {
+    kind: 'summary_expand' | 'summary_collapse' | 'comment_reply' | 'other';
+    signal?: string;
+}

package/.telemetry-bundle/dist/contracts.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Governance telemetry contracts — deterministic, privacy-bounded, replay-friendly.
+ * No hidden network analytics; all persistence is explicit local files under .neurcode/telemetry.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GOVERNANCE_TELEMETRY_SCHEMA_VERSION = void 0;
+exports.GOVERNANCE_TELEMETRY_SCHEMA_VERSION = '2026-05-11.telemetry.v1';

package/.telemetry-bundle/dist/harvest-verify.d.ts

@@ -0,0 +1,9 @@
+import type { GovernanceVerifyCompletedPayload } from './contracts';
+/**
+ * Derive a privacy-safe, bounded payload from canonical verify JSON.
+ * Does not copy excerpts, titles, or file paths.
+ */
+export declare function harvestGovernanceVerifyCompleted(canonical: Record<string, unknown> | null): {
+    payload: GovernanceVerifyCompletedPayload;
+    findingSetDigest: string;
+} | null;

package/.telemetry-bundle/dist/harvest-verify.js

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.harvestGovernanceVerifyCompleted = harvestGovernanceVerifyCompleted;
+const crypto_1 = require("crypto");
+function isRecord(x) {
+    return typeof x === 'object' && x !== null && !Array.isArray(x);
+}
+function asString(x) {
+    return typeof x === 'string' ? x : undefined;
+}
+function asBoolean(x) {
+    return typeof x === 'boolean' ? x : undefined;
+}
+function asNumber(x) {
+    return typeof x === 'number' && Number.isFinite(x) ? x : undefined;
+}
+/**
+ * Derive a privacy-safe, bounded payload from canonical verify JSON.
+ * Does not copy excerpts, titles, or file paths.
+ */
+function harvestGovernanceVerifyCompleted(canonical) {
+    if (!canonical) {
+        return null;
+    }
+    const verdict = asString(canonical.verdict) ?? 'UNKNOWN';
+    const ciMode = asBoolean(canonical.ciMode) ?? false;
+    const policyOnly = asBoolean(canonical.policyOnly) ?? false;
+    const gv = canonical.governanceVerification;
+    if (!isRecord(gv)) {
+        const payload = {
+            verdict,
+            governanceFindingCount: 0,
+            blockingFindingCount: 0,
+            advisoryFindingCount: 0,
+            determinismHistogram: {},
+            suppressedFindingCount: 0,
+            waivedFindingCount: 0,
+            structuralRuleTriggerHistogram: {},
+            structuralRuleSuppressionHistogram: {},
+            compressedDuplicateCount: 0,
+            replayIntegrityStatus: null,
+            ciMode,
+            policyOnly,
+        };
+        const findingSetDigest = digestFindingIds([]);
+        return { payload, findingSetDigest };
+    }
+    const findingsRaw = gv.findings;
+    const findings = Array.isArray(findingsRaw) ? findingsRaw.filter(isRecord) : [];
+    const determinismHistogram = {};
+    let blockingFindingCount = 0;
+    let advisoryFindingCount = 0;
+    let suppressedFindingCount = 0;
+    let waivedFindingCount = 0;
+    const structuralRuleTriggerHistogram = {};
+    const structuralRuleSuppressionHistogram = {};
+    const findingIds = [];
+    for (const f of findings) {
+        const id = asString(f.id);
+        if (id) {
+            findingIds.push(id);
+        }
+        const sev = asString(f.severity);
+        if (sev === 'BLOCKING') {
+            blockingFindingCount += 1;
+        }
+        else if (sev === 'ADVISORY') {
+            advisoryFindingCount += 1;
+        }
+        const det = asString(f.determinismClassification) ?? 'unknown';
+        determinismHistogram[det] = (determinismHistogram[det] ?? 0) + 1;
+        const sup = f.suppressionMetadata;
+        let suppressed = false;
+        let waived = false;
+        if (isRecord(sup)) {
+            suppressed = sup.suppressed === true;
+            const directive = asString(sup.directive);
+            waived = directive === 'waive' || directive === 'waiver';
+        }
+        if (suppressed) {
+            suppressedFindingCount += 1;
+        }
+        if (waived) {
+            waivedFindingCount += 1;
+        }
+        const sm = f.structuralMetadata;
+        const ruleId = isRecord(sm) ? asString(sm.ruleId) : undefined;
+        if (ruleId) {
+            structuralRuleTriggerHistogram[ruleId] = (structuralRuleTriggerHistogram[ruleId] ?? 0) + 1;
+            if (suppressed) {
+                structuralRuleSuppressionHistogram[ruleId] =
+                    (structuralRuleSuppressionHistogram[ruleId] ?? 0) + 1;
+            }
+        }
+    }
+    const compressedDuplicateCount = asNumber(gv.compressedDuplicateCount) ?? 0;
+    let replayIntegrityStatus = null;
+    const ri = gv.replayIntegrity;
+    if (isRecord(ri)) {
+        const st = asString(ri.status);
+        if (st === 'exact' || st === 'bounded-degradation') {
+            replayIntegrityStatus = st;
+        }
+    }
+    const payload = {
+        verdict,
+        governanceFindingCount: findings.length,
+        blockingFindingCount,
+        advisoryFindingCount,
+        determinismHistogram,
+        suppressedFindingCount,
+        waivedFindingCount,
+        structuralRuleTriggerHistogram,
+        structuralRuleSuppressionHistogram,
+        compressedDuplicateCount,
+        replayIntegrityStatus,
+        ciMode,
+        policyOnly,
+    };
+    return {
+        payload,
+        findingSetDigest: digestFindingIds(findingIds),
+    };
+}
+function digestFindingIds(ids) {
+    const sorted = [...ids].sort();
+    return (0, crypto_1.createHash)('sha256').update(sorted.join('|'), 'utf8').digest('hex');
+}

package/.telemetry-bundle/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { GOVERNANCE_TELEMETRY_SCHEMA_VERSION } from './contracts';
+export type { GovernanceTelemetryEnvelope, GovernanceTelemetryEventType, GovernanceTelemetryPayload, GovernanceVerifyCompletedPayload, FindingLifecyclePayload, RuleTriggerPayload, ReplayArtifactPayload, CiBypassPayload, ReviewerInteractionPayload, } from './contracts';
+export { stableStringify } from './stable-json';
+export { harvestGovernanceVerifyCompleted } from './harvest-verify';
+export { appendGovernanceTelemetryEvent, appendVerifyCompletedFromCanonical, telemetryEventsPath, } from './store';
+export { readGovernanceTelemetryEvents } from './reader';
+export { rollupRulePrecisionFromEvents, noisyRuleLeaderboard, highTrustRuleLeaderboard, } from './precision/leaderboards';
+export type { RulePrecisionRollup, TelemetryRollup } from './precision/leaderboards';
+export { trustFromVerifyPayload, trustFromRollups } from './trust-scoring';
+export type { BoundedTrustScores } from './trust-scoring';

package/.telemetry-bundle/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.trustFromRollups = exports.trustFromVerifyPayload = exports.highTrustRuleLeaderboard = exports.noisyRuleLeaderboard = exports.rollupRulePrecisionFromEvents = exports.readGovernanceTelemetryEvents = exports.telemetryEventsPath = exports.appendVerifyCompletedFromCanonical = exports.appendGovernanceTelemetryEvent = exports.harvestGovernanceVerifyCompleted = exports.stableStringify = exports.GOVERNANCE_TELEMETRY_SCHEMA_VERSION = void 0;
+var contracts_1 = require("./contracts");
+Object.defineProperty(exports, "GOVERNANCE_TELEMETRY_SCHEMA_VERSION", { enumerable: true, get: function () { return contracts_1.GOVERNANCE_TELEMETRY_SCHEMA_VERSION; } });
+var stable_json_1 = require("./stable-json");
+Object.defineProperty(exports, "stableStringify", { enumerable: true, get: function () { return stable_json_1.stableStringify; } });
+var harvest_verify_1 = require("./harvest-verify");
+Object.defineProperty(exports, "harvestGovernanceVerifyCompleted", { enumerable: true, get: function () { return harvest_verify_1.harvestGovernanceVerifyCompleted; } });
+var store_1 = require("./store");
+Object.defineProperty(exports, "appendGovernanceTelemetryEvent", { enumerable: true, get: function () { return store_1.appendGovernanceTelemetryEvent; } });
+Object.defineProperty(exports, "appendVerifyCompletedFromCanonical", { enumerable: true, get: function () { return store_1.appendVerifyCompletedFromCanonical; } });
+Object.defineProperty(exports, "telemetryEventsPath", { enumerable: true, get: function () { return store_1.telemetryEventsPath; } });
+var reader_1 = require("./reader");
+Object.defineProperty(exports, "readGovernanceTelemetryEvents", { enumerable: true, get: function () { return reader_1.readGovernanceTelemetryEvents; } });
+var leaderboards_1 = require("./precision/leaderboards");
+Object.defineProperty(exports, "rollupRulePrecisionFromEvents", { enumerable: true, get: function () { return leaderboards_1.rollupRulePrecisionFromEvents; } });
+Object.defineProperty(exports, "noisyRuleLeaderboard", { enumerable: true, get: function () { return leaderboards_1.noisyRuleLeaderboard; } });
+Object.defineProperty(exports, "highTrustRuleLeaderboard", { enumerable: true, get: function () { return leaderboards_1.highTrustRuleLeaderboard; } });
+var trust_scoring_1 = require("./trust-scoring");
+Object.defineProperty(exports, "trustFromVerifyPayload", { enumerable: true, get: function () { return trust_scoring_1.trustFromVerifyPayload; } });
+Object.defineProperty(exports, "trustFromRollups", { enumerable: true, get: function () { return trust_scoring_1.trustFromRollups; } });

package/.telemetry-bundle/dist/precision/leaderboards.d.ts

@@ -0,0 +1,20 @@
+import type { GovernanceTelemetryEnvelope } from '../contracts';
+export interface RulePrecisionRollup {
+    ruleId: string;
+    triggerCount: number;
+    suppressionCount: number;
+    suppressionRate: number;
+}
+export interface TelemetryRollup {
+    verifyCompletedEvents: number;
+    ruleRollups: RulePrecisionRollup[];
+}
+/**
+ * Aggregate rule-level signals from governance.verify.completed events only.
+ * Deterministic: rules sorted by ruleId for stable output order.
+ */
+export declare function rollupRulePrecisionFromEvents(events: GovernanceTelemetryEnvelope[]): TelemetryRollup;
+/** Higher score = more noise (suppressions relative to triggers). */
+export declare function noisyRuleLeaderboard(rollup: TelemetryRollup, limit?: number): RulePrecisionRollup[];
+/** Higher score = fewer suppressions per trigger (reviewer trust proxy). */
+export declare function highTrustRuleLeaderboard(rollup: TelemetryRollup, limit?: number): RulePrecisionRollup[];

package/.telemetry-bundle/dist/precision/leaderboards.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rollupRulePrecisionFromEvents = rollupRulePrecisionFromEvents;
+exports.noisyRuleLeaderboard = noisyRuleLeaderboard;
+exports.highTrustRuleLeaderboard = highTrustRuleLeaderboard;
+function isVerifyCompletedPayload(p) {
+    return (typeof p === 'object' &&
+        p !== null &&
+        'structuralRuleTriggerHistogram' in p &&
+        'structuralRuleSuppressionHistogram' in p);
+}
+/**
+ * Aggregate rule-level signals from governance.verify.completed events only.
+ * Deterministic: rules sorted by ruleId for stable output order.
+ */
+function rollupRulePrecisionFromEvents(events) {
+    const triggers = {};
+    const suppressions = {};
+    let verifyCompletedEvents = 0;
+    for (const ev of events) {
+        if (ev.eventType !== 'governance.verify.completed') {
+            continue;
+        }
+        if (!isVerifyCompletedPayload(ev.payload)) {
+            continue;
+        }
+        verifyCompletedEvents += 1;
+        const p = ev.payload;
+        for (const [ruleId, c] of Object.entries(p.structuralRuleTriggerHistogram)) {
+            triggers[ruleId] = (triggers[ruleId] ?? 0) + c;
+        }
+        for (const [ruleId, c] of Object.entries(p.structuralRuleSuppressionHistogram)) {
+            suppressions[ruleId] = (suppressions[ruleId] ?? 0) + c;
+        }
+    }
+    const ruleIds = new Set([...Object.keys(triggers), ...Object.keys(suppressions)]);
+    const ruleRollups = [...ruleIds]
+        .sort()
+        .map(ruleId => {
+        const triggerCount = triggers[ruleId] ?? 0;
+        const suppressionCount = suppressions[ruleId] ?? 0;
+        const suppressionRate = triggerCount > 0 ? suppressionCount / triggerCount : 0;
+        return { ruleId, triggerCount, suppressionCount, suppressionRate };
+    });
+    return { verifyCompletedEvents, ruleRollups };
+}
+/** Higher score = more noise (suppressions relative to triggers). */
+function noisyRuleLeaderboard(rollup, limit = 20) {
+    return [...rollup.ruleRollups]
+        .filter(r => r.triggerCount > 0)
+        .sort((a, b) => {
+        const dr = b.suppressionRate - a.suppressionRate;
+        if (dr !== 0) {
+            return dr;
+        }
+        return b.triggerCount - a.triggerCount;
+    })
+        .slice(0, limit);
+}
+/** Higher score = fewer suppressions per trigger (reviewer trust proxy). */
+function highTrustRuleLeaderboard(rollup, limit = 20) {
+    return [...rollup.ruleRollups]
+        .filter(r => r.triggerCount >= 3)
+        .sort((a, b) => {
+        const dr = a.suppressionRate - b.suppressionRate;
+        if (dr !== 0) {
+            return dr;
+        }
+        return b.triggerCount - a.triggerCount;
+    })
+        .slice(0, limit);
+}

package/.telemetry-bundle/dist/reader.d.ts

@@ -0,0 +1,5 @@
+import type { GovernanceTelemetryEnvelope } from './contracts';
+/**
+ * Load all telemetry envelopes from the local JSONL store (newest lines last).
+ */
+export declare function readGovernanceTelemetryEvents(repoRoot: string): GovernanceTelemetryEnvelope[];

package/.telemetry-bundle/dist/reader.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readGovernanceTelemetryEvents = readGovernanceTelemetryEvents;
+const fs_1 = require("fs");
+const contracts_1 = require("./contracts");
+const store_1 = require("./store");
+function isRecord(x) {
+    return typeof x === 'object' && x !== null && !Array.isArray(x);
+}
+/**
+ * Load all telemetry envelopes from the local JSONL store (newest lines last).
+ */
+function readGovernanceTelemetryEvents(repoRoot) {
+    const path = (0, store_1.telemetryEventsPath)(repoRoot);
+    if (!(0, fs_1.existsSync)(path)) {
+        return [];
+    }
+    let raw;
+    try {
+        raw = (0, fs_1.readFileSync)(path, 'utf8');
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const line of raw.split('\n')) {
+        const t = line.trim();
+        if (!t) {
+            continue;
+        }
+        try {
+            const parsed = JSON.parse(t);
+            if (!isRecord(parsed)) {
+                continue;
+            }
+            if (parsed.schemaVersion !== contracts_1.GOVERNANCE_TELEMETRY_SCHEMA_VERSION) {
+                continue;
+            }
+            out.push(parsed);
+        }
+        catch {
+            continue;
+        }
+    }
+    return out;
+}

package/.telemetry-bundle/dist/stable-json.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Deterministic JSON serialization: sorted object keys at every depth.
+ * Used so identical logical events stringify identically across Node versions.
+ */
+export declare function stableStringify(value: unknown): string;

package/.telemetry-bundle/dist/stable-json.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stableStringify = stableStringify;
+/**
+ * Deterministic JSON serialization: sorted object keys at every depth.
+ * Used so identical logical events stringify identically across Node versions.
+ */
+function stableStringify(value) {
+    return JSON.stringify(sortKeysDeep(value));
+}
+function sortKeysDeep(value) {
+    if (value === null || typeof value !== 'object') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(sortKeysDeep);
+    }
+    const obj = value;
+    const out = {};
+    for (const key of Object.keys(obj).sort()) {
+        out[key] = sortKeysDeep(obj[key]);
+    }
+    return out;
+}

package/.telemetry-bundle/dist/store.d.ts

@@ -0,0 +1,10 @@
+import type { GovernanceTelemetryEnvelope } from './contracts';
+export declare function telemetryEventsPath(repoRoot: string): string;
+/**
+ * Append one telemetry line. Never throws — calibration must not break verify.
+ */
+export declare function appendGovernanceTelemetryEvent(repoRoot: string, envelope: GovernanceTelemetryEnvelope): void;
+/**
+ * Record verify completion from canonical CLI verify JSON (already normalized).
+ */
+export declare function appendVerifyCompletedFromCanonical(repoRoot: string, canonical: Record<string, unknown> | null, runId?: string | null): void;

package/.telemetry-bundle/dist/store.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.telemetryEventsPath = telemetryEventsPath;
+exports.appendGovernanceTelemetryEvent = appendGovernanceTelemetryEvent;
+exports.appendVerifyCompletedFromCanonical = appendVerifyCompletedFromCanonical;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const contracts_1 = require("./contracts");
+const harvest_verify_1 = require("./harvest-verify");
+const stable_json_1 = require("./stable-json");
+const REL_DIR = (0, path_1.join)('.neurcode', 'telemetry');
+const EVENTS_FILE = 'governance-events.jsonl';
+function telemetryEventsPath(repoRoot) {
+    return (0, path_1.join)(repoRoot, REL_DIR, EVENTS_FILE);
+}
+/**
+ * Append one telemetry line. Never throws — calibration must not break verify.
+ */
+function appendGovernanceTelemetryEvent(repoRoot, envelope) {
+    try {
+        const dir = (0, path_1.join)(repoRoot, REL_DIR);
+        if (!(0, fs_1.existsSync)(dir)) {
+            (0, fs_1.mkdirSync)(dir, { recursive: true });
+        }
+        const line = (0, stable_json_1.stableStringify)({
+            ...envelope,
+            schemaVersion: contracts_1.GOVERNANCE_TELEMETRY_SCHEMA_VERSION,
+        });
+        (0, fs_1.appendFileSync)(telemetryEventsPath(repoRoot), `${line}\n`, 'utf8');
+    }
+    catch {
+        // intentional swallow
+    }
+}
+/**
+ * Record verify completion from canonical CLI verify JSON (already normalized).
+ */
+function appendVerifyCompletedFromCanonical(repoRoot, canonical, runId) {
+    const harvested = (0, harvest_verify_1.harvestGovernanceVerifyCompleted)(canonical);
+    if (!harvested) {
+        return;
+    }
+    const envelope = {
+        schemaVersion: contracts_1.GOVERNANCE_TELEMETRY_SCHEMA_VERSION,
+        emittedAt: new Date().toISOString(),
+        eventType: 'governance.verify.completed',
+        runId: runId ?? null,
+        findingSetDigest: harvested.findingSetDigest,
+        payload: harvested.payload,
+    };
+    appendGovernanceTelemetryEvent(repoRoot, envelope);
+}

package/.telemetry-bundle/dist/trust-scoring.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Bounded, explainable trust signals — no opaque ML.
+ * All outputs are in [0, 1] unless noted.
+ */
+import type { GovernanceVerifyCompletedPayload } from './contracts';
+import type { TelemetryRollup } from './precision/leaderboards';
+export interface BoundedTrustScores {
+    /** 1 − (suppressed findings / max(1, total findings)) from the last completed verify slice. */
+    findingTrustScore: number;
+    /** Mean of per-rule (1 − suppressionRate) over rules with ≥1 trigger, from rollups. */
+    ruleTrustScore: number;
+    /** 1 if replay exact, 0.65 if bounded degradation, 0.5 if unknown/missing. */
+    replayTrustScore: number;
+    /** Density of blocking findings vs advisory (blocking / max(1, total)). */
+    reviewerTrustDensity: number;
+    /** Harmonic-style blend of finding + rule trust (operational usefulness proxy). */
+    governanceUsefulnessScore: number;
+}
+export declare function trustFromVerifyPayload(p: GovernanceVerifyCompletedPayload): BoundedTrustScores;
+export declare function trustFromRollups(rollup: TelemetryRollup): Pick<BoundedTrustScores, 'ruleTrustScore'>;

package/.telemetry-bundle/dist/trust-scoring.js

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * Bounded, explainable trust signals — no opaque ML.
+ * All outputs are in [0, 1] unless noted.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.trustFromVerifyPayload = trustFromVerifyPayload;
+exports.trustFromRollups = trustFromRollups;
+function trustFromVerifyPayload(p) {
+    const n = Math.max(1, p.governanceFindingCount);
+    const findingTrustScore = clamp01(1 - p.suppressedFindingCount / n);
+    const ruleIds = Object.keys(p.structuralRuleTriggerHistogram);
+    let sum = 0;
+    let count = 0;
+    for (const ruleId of ruleIds) {
+        const t = p.structuralRuleTriggerHistogram[ruleId] ?? 0;
+        const s = p.structuralRuleSuppressionHistogram[ruleId] ?? 0;
+        if (t <= 0) {
+            continue;
+        }
+        sum += 1 - s / t;
+        count += 1;
+    }
+    const ruleTrustScore = count > 0 ? clamp01(sum / count) : 1;
+    let replayTrustScore = 0.5;
+    if (p.replayIntegrityStatus === 'exact') {
+        replayTrustScore = 1;
+    }
+    else if (p.replayIntegrityStatus === 'bounded-degradation') {
+        replayTrustScore = 0.65;
+    }
+    const reviewerTrustDensity = clamp01(p.blockingFindingCount / n);
+    const governanceUsefulnessScore = clamp01(0.45 * findingTrustScore + 0.35 * ruleTrustScore + 0.2 * replayTrustScore);
+    return {
+        findingTrustScore,
+        ruleTrustScore,
+        replayTrustScore,
+        reviewerTrustDensity,
+        governanceUsefulnessScore,
+    };
+}
+function trustFromRollups(rollup) {
+    const rows = rollup.ruleRollups.filter(r => r.triggerCount > 0);
+    if (rows.length === 0) {
+        return { ruleTrustScore: 1 };
+    }
+    const acc = rows.reduce((s, r) => s + (1 - r.suppressionRate), 0) / rows.length;
+    return { ruleTrustScore: clamp01(acc) };
+}
+function clamp01(x) {
+    if (x < 0) {
+        return 0;
+    }
+    if (x > 1) {
+        return 1;
+    }
+    return x;
+}

package/.telemetry-bundle/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "@neurcode-ai/telemetry",
+  "version": "0.1.0",
+  "description": "Deterministic, local governance telemetry for calibration and pilot intelligence",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "license": "MIT"
+}