@neurcode-ai/cli 0.10.1 → 0.12.0

package/dist/governance/pipeline/computation-trace.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Governance computation trace surface.
+ *
+ * Produces a compact, human-readable summary of HOW a verify run computed
+ * its governance verdict. The trace is derived entirely from the pipeline
+ * ledger — no re-computation, no re-inspection. Pure observability.
+ *
+ * Audience:
+ *   - dashboards rendering an explainability column
+ *   - audit / replay reviewers who want a one-screen narrative
+ *   - operators triaging degraded or failed governance runs
+ *
+ * Constraints:
+ *   - Deterministic given the same ledger.
+ *   - No PII or excerpts — only stage IDs, statuses, fingerprints.
+ *   - Bounded length: at most one line per stage plus a header.
+ */
+import type { GovernanceStageId, GovernanceStageResult, GovernanceStageStatus } from '@neurcode-ai/contracts';
+export interface GovernanceComputationTrace {
+    /** One-line summary suitable for a dashboard header. */
+    headline: string;
+    /** Detail rows; one per stage, in canonical execution order. */
+    rows: GovernanceComputationTraceRow[];
+    /** Stage IDs of stages that did not reach 'succeeded'. */
+    notableStages: GovernanceStageId[];
+}
+export interface GovernanceComputationTraceRow {
+    stageId: GovernanceStageId;
+    status: GovernanceStageStatus;
+    determinism: string;
+    durationMs: number;
+    outputFingerprintShort: string | null;
+    dependsOn: GovernanceStageId[];
+    failureCategory?: string;
+}
+/**
+ * Build a deterministic computation trace from a pipeline ledger.
+ *
+ * The trace renders the same way for the same ledger across runs and
+ * machines. Wall-clock durations are reported but never used in headlines
+ * (they would non-determinize the trace).
+ */
+export declare function buildComputationTrace(ledger: readonly GovernanceStageResult[]): GovernanceComputationTrace;
+/**
+ * Render a computation trace as a deterministic multi-line text block.
+ *
+ * Output format is stable across runs given the same ledger (durations are
+ * truncated to integer milliseconds; nothing else is wall-clock-dependent).
+ * Suitable for embedding in --explain output or in CI logs.
+ */
+export declare function renderComputationTrace(trace: GovernanceComputationTrace): string;
+//# sourceMappingURL=computation-trace.d.ts.map

package/dist/governance/pipeline/computation-trace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"computation-trace.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/computation-trace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,qBAAqB,EACrB,qBAAqB,EACtB,MAAM,wBAAwB,CAAC;AAEhC,MAAM,WAAW,0BAA0B;IACzC,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,IAAI,EAAE,6BAA6B,EAAE,CAAC;IACtC,0DAA0D;IAC1D,aAAa,EAAE,iBAAiB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,MAAM,EAAE,qBAAqB,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,sBAAsB,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,SAAS,EAAE,iBAAiB,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,SAAS,qBAAqB,EAAE,GACvC,0BAA0B,CAgC5B;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,0BAA0B,GAChC,MAAM,CAaR"}

package/dist/governance/pipeline/computation-trace.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * Governance computation trace surface.
+ *
+ * Produces a compact, human-readable summary of HOW a verify run computed
+ * its governance verdict. The trace is derived entirely from the pipeline
+ * ledger — no re-computation, no re-inspection. Pure observability.
+ *
+ * Audience:
+ *   - dashboards rendering an explainability column
+ *   - audit / replay reviewers who want a one-screen narrative
+ *   - operators triaging degraded or failed governance runs
+ *
+ * Constraints:
+ *   - Deterministic given the same ledger.
+ *   - No PII or excerpts — only stage IDs, statuses, fingerprints.
+ *   - Bounded length: at most one line per stage plus a header.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildComputationTrace = buildComputationTrace;
+exports.renderComputationTrace = renderComputationTrace;
+/**
+ * Build a deterministic computation trace from a pipeline ledger.
+ *
+ * The trace renders the same way for the same ledger across runs and
+ * machines. Wall-clock durations are reported but never used in headlines
+ * (they would non-determinize the trace).
+ */
+function buildComputationTrace(ledger) {
+    const rows = ledger.map((entry) => ({
+        stageId: entry.stageId,
+        status: entry.status,
+        determinism: entry.replay.determinism,
+        durationMs: entry.metrics.durationMs,
+        outputFingerprintShort: entry.replay.outputFingerprint
+            ? entry.replay.outputFingerprint.slice(0, 12)
+            : null,
+        dependsOn: [...entry.replay.dependsOn],
+        failureCategory: entry.failure?.category,
+    }));
+    const notableStages = ledger
+        .filter((e) => e.status !== 'succeeded')
+        .map((e) => e.stageId);
+    const succeededCount = ledger.filter((e) => e.status === 'succeeded').length;
+    const totalCount = ledger.length;
+    let headline;
+    if (totalCount === 0) {
+        headline = 'governance pipeline: no stages executed';
+    }
+    else if (notableStages.length === 0) {
+        headline = `governance pipeline: ${totalCount} stage(s) succeeded`;
+    }
+    else {
+        headline =
+            `governance pipeline: ${succeededCount}/${totalCount} succeeded; ` +
+                `${notableStages.length} stage(s) did not succeed`;
+    }
+    return { headline, rows, notableStages };
+}
+/**
+ * Render a computation trace as a deterministic multi-line text block.
+ *
+ * Output format is stable across runs given the same ledger (durations are
+ * truncated to integer milliseconds; nothing else is wall-clock-dependent).
+ * Suitable for embedding in --explain output or in CI logs.
+ */
+function renderComputationTrace(trace) {
+    const lines = [];
+    lines.push(trace.headline);
+    for (const row of trace.rows) {
+        const fp = row.outputFingerprintShort ?? '-';
+        const deps = row.dependsOn.length > 0 ? ` ← [${row.dependsOn.join(', ')}]` : '';
+        const failure = row.failureCategory ? ` (failure: ${row.failureCategory})` : '';
+        lines.push(`  • ${row.stageId.padEnd(28)} ${row.status.padEnd(10)} ` +
+            `${row.determinism.padEnd(28)} fp=${fp}${deps}${failure}`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=computation-trace.js.map

package/dist/governance/pipeline/computation-trace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"computation-trace.js","sourceRoot":"","sources":["../../../src/governance/pipeline/computation-trace.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;AAkCH,sDAkCC;AASD,wDAeC;AAjED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,MAAwC;IAExC,MAAM,IAAI,GAAoC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnE,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU;QACpC,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,iBAAiB;YACpD,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAC7C,CAAC,CAAC,IAAI;QACR,SAAS,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC;QACtC,eAAe,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ;KACzC,CAAC,CAAC,CAAC;IAEJ,MAAM,aAAa,GAAwB,MAAM;SAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;SACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAEzB,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM,CAAC;IAC7E,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;IAEjC,IAAI,QAAgB,CAAC;IACrB,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;QACrB,QAAQ,GAAG,yCAAyC,CAAC;IACvD,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,QAAQ,GAAG,wBAAwB,UAAU,qBAAqB,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,QAAQ;YACN,wBAAwB,cAAc,IAAI,UAAU,cAAc;gBAClE,GAAG,aAAa,CAAC,MAAM,2BAA2B,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,KAAiC;IAEjC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,GAAG,CAAC,sBAAsB,IAAI,GAAG,CAAC;QAC7C,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,cAAc,GAAG,CAAC,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,KAAK,CAAC,IAAI,CACR,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG;YACzD,GAAG,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,OAAO,EAAE,CAC1D,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/governance/pipeline/envelope-assembly.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Shared canonical-payload assembly.
+ *
+ * Both `verifyCommand` and `executePolicyOnlyMode` build a "canonical payload"
+ * — the dict that becomes the verify JSON output (and, via
+ * `synthesizeGovernance`, the canonical governance envelope).
+ *
+ * The two orchestrators previously inlined this assembly with mostly-identical
+ * fields and small mode-specific differences. This module extracts the
+ * shared core into a single helper that takes a typed input describing the
+ * mode-specific extras.
+ *
+ * Replay invariant:
+ *   The resulting payload, after `synthesizeGovernance`, MUST produce the same
+ *   `replayChecksum` it did under the prior inline implementation, for any
+ *   given input. The fields that contribute to the checksum (canonical sorted
+ *   findings) flow through `payload.structuralViolations` and the various
+ *   issue arrays — exactly as before.
+ *
+ * What this module does NOT do:
+ *   - It does not emit JSON.
+ *   - It does not call `synthesizeGovernance` (caller does that).
+ *   - It does not finalize evidence (caller does that).
+ *   - It does not record telemetry (caller does that).
+ *   - It is not a generic builder pattern; it is a typed extraction of a
+ *     duplicated literal-object construction.
+ */
+import type { StructuralViolation } from '../../structural-rules/types';
+import type { PolicyOnlySource } from './shared-types';
+/**
+ * Minimal "governance payload" surface — the parts of the canonical payload
+ * that are produced by the governance evaluator and threaded into both modes.
+ * Caller passes in an opaque object; we spread it.
+ */
+export type GovernancePayloadFragment = Record<string, unknown>;
+/**
+ * Policy-pack fragment — present when an installed pack contributed rules.
+ */
+export interface PolicyPackFragment {
+    id: string;
+    name: string;
+    version: string;
+    ruleCount: number;
+}
+export interface PolicyLockSummaryFragment {
+    enforced: boolean;
+    matched: boolean;
+    path: string;
+    mismatches: ReadonlyArray<unknown>;
+}
+export interface PolicyOnlyCanonicalPayloadInput {
+    grade: string;
+    score: number;
+    verdict: string;
+    message: string;
+    violations: ReadonlyArray<unknown>;
+    structuralViolations: ReadonlyArray<StructuralViolation>;
+    structuralRulesApplied: ReadonlyArray<string>;
+    structuralSuppressedCount: number;
+    source: PolicyOnlySource;
+    replayChecksum: string;
+    governancePayload: GovernancePayloadFragment;
+    policyLock: PolicyLockSummaryFragment;
+    policyExceptions: unknown;
+    policyGovernance: unknown;
+    policyPack?: PolicyPackFragment | null;
+}
+/**
+ * Assemble the policy-only canonical payload. Replaces the inline literal
+ * previously at `commands/verify.ts:2685–2724`.
+ *
+ * Field order is preserved byte-for-byte from the prior implementation so
+ * `JSON.stringify` output (and therefore stdout writes, evidence captures,
+ * and any string-equality fixtures) remains identical.
+ */
+export declare function buildPolicyOnlyCanonicalPayload(input: PolicyOnlyCanonicalPayloadInput): Record<string, unknown>;
+/**
+ * AI-debt summary fragment — pass-through; consumed by buildAiDebtReportViolations
+ * in the caller. The verify.ts payload includes this as an explicit `aiDebt` key.
+ */
+export type AiDebtSummaryFragment = unknown;
+/** Change-contract summary fragment — pass-through. */
+export type ChangeContractSummaryFragment = unknown;
+/** Compiled policy metadata fragment — pass-through. */
+export type CompiledPolicyMetadataFragment = Record<string, unknown> | null;
+/** Runtime guard summary fragment — pass-through. */
+export interface RuntimeGuardSummaryFragment {
+    required: boolean;
+    [key: string]: unknown;
+}
+/** Intent proof summary fragment — pass-through. */
+export type IntentProofSummaryFragment = unknown;
+/** Policy decision fragment — pass-through, only emitted when violations exist. */
+export type PolicyDecisionFragment = unknown;
+export interface VerifyCanonicalPayloadInput {
+    grade: string;
+    score: number;
+    verdict: string;
+    message: string;
+    violations: ReadonlyArray<unknown>;
+    scopeGuardPassed: boolean;
+    bloatCount: number;
+    bloatFiles: ReadonlyArray<string>;
+    plannedFilesModified: number;
+    totalPlannedFiles: number;
+    verificationSource: string;
+    structuralViolations: ReadonlyArray<StructuralViolation>;
+    structuralRulesApplied: ReadonlyArray<string>;
+    structuralSuppressedCount: number;
+    aiDebt: AiDebtSummaryFragment;
+    changeContract: ChangeContractSummaryFragment;
+    compiledPolicyMetadata: CompiledPolicyMetadataFragment;
+    governancePayload: GovernancePayloadFragment | undefined;
+    policyLock: PolicyLockSummaryFragment;
+    policyExceptions: unknown;
+    policyGovernance: unknown;
+    intentProof: IntentProofSummaryFragment;
+    runtimeGuard?: RuntimeGuardSummaryFragment | null;
+    policyDecision?: PolicyDecisionFragment;
+    policyPack?: PolicyPackFragment | null;
+}
+/**
+ * Assemble the main-flow (plan_enforced) canonical payload. Twin of
+ * `buildPolicyOnlyCanonicalPayload` for the verifyCommand main path.
+ * Replaces the inline literal previously at `commands/verify.ts:5542–5585`.
+ *
+ * Field order MUST be preserved byte-for-byte from the prior inline
+ * implementation. Replay consumers (audit dashboards, action JSON parsers)
+ * may depend on JSON serialization order.
+ */
+export declare function buildVerifyCanonicalPayload(input: VerifyCanonicalPayloadInput): Record<string, unknown>;
+//# sourceMappingURL=envelope-assembly.d.ts.map

package/dist/governance/pipeline/envelope-assembly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-assembly.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/envelope-assembly.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAEvD;;;;GAIG;AACH,MAAM,MAAM,yBAAyB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,+BAA+B;IAE9C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAEhB,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IACnC,oBAAoB,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IACzD,sBAAsB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,yBAAyB,EAAE,MAAM,CAAC;IAElC,MAAM,EAAE,gBAAgB,CAAC;IAEzB,cAAc,EAAE,MAAM,CAAC;IAEvB,iBAAiB,EAAE,yBAAyB,CAAC;IAC7C,UAAU,EAAE,yBAAyB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED;;;;;;;GAOG;AACH,wBAAgB,+BAA+B,CAC7C,KAAK,EAAE,+BAA+B,GACrC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAyCzB;AAMD;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAE5C,uDAAuD;AACvD,MAAM,MAAM,6BAA6B,GAAG,OAAO,CAAC;AAEpD,wDAAwD;AACxD,MAAM,MAAM,8BAA8B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;AAE5E,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,oDAAoD;AACpD,MAAM,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAEjD,mFAAmF;AACnF,MAAM,MAAM,sBAAsB,GAAG,OAAO,CAAC;AAE7C,MAAM,WAAW,2BAA2B;IAE1C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAEhB,UAAU,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IAEnC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAElC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,iBAAiB,EAAE,MAAM,CAAC;IAE1B,kBAAkB,EAAE,MAAM,CAAC;IAE3B,oBAAoB,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IACzD,sBAAsB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,yBAAyB,EAAE,MAAM,CAAC;IAElC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,cAAc,EAAE,6BAA6B,CAAC;IAC9C,sBAAsB,EAAE,8BAA8B,CAAC;IACvD,iBAAiB,EAAE,yBAAyB,GAAG,SAAS,CAAC;IACzD,UAAU,EAAE,yBAAyB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,0BAA0B,CAAC;IACxC,YAAY,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;IAClD,cAAc,CAAC,EAAE,sBAAsB,CAAC;IACxC,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,2BAA2B,GACjC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgDzB"}

package/dist/governance/pipeline/envelope-assembly.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * Shared canonical-payload assembly.
+ *
+ * Both `verifyCommand` and `executePolicyOnlyMode` build a "canonical payload"
+ * — the dict that becomes the verify JSON output (and, via
+ * `synthesizeGovernance`, the canonical governance envelope).
+ *
+ * The two orchestrators previously inlined this assembly with mostly-identical
+ * fields and small mode-specific differences. This module extracts the
+ * shared core into a single helper that takes a typed input describing the
+ * mode-specific extras.
+ *
+ * Replay invariant:
+ *   The resulting payload, after `synthesizeGovernance`, MUST produce the same
+ *   `replayChecksum` it did under the prior inline implementation, for any
+ *   given input. The fields that contribute to the checksum (canonical sorted
+ *   findings) flow through `payload.structuralViolations` and the various
+ *   issue arrays — exactly as before.
+ *
+ * What this module does NOT do:
+ *   - It does not emit JSON.
+ *   - It does not call `synthesizeGovernance` (caller does that).
+ *   - It does not finalize evidence (caller does that).
+ *   - It does not record telemetry (caller does that).
+ *   - It is not a generic builder pattern; it is a typed extraction of a
+ *     duplicated literal-object construction.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPolicyOnlyCanonicalPayload = buildPolicyOnlyCanonicalPayload;
+exports.buildVerifyCanonicalPayload = buildVerifyCanonicalPayload;
+/**
+ * Assemble the policy-only canonical payload. Replaces the inline literal
+ * previously at `commands/verify.ts:2685–2724`.
+ *
+ * Field order is preserved byte-for-byte from the prior implementation so
+ * `JSON.stringify` output (and therefore stdout writes, evidence captures,
+ * and any string-equality fixtures) remains identical.
+ */
+function buildPolicyOnlyCanonicalPayload(input) {
+    return {
+        grade: input.grade,
+        score: input.score,
+        verdict: input.verdict,
+        violations: input.violations,
+        message: input.message,
+        scopeGuardPassed: true, // N/A in policy-only mode
+        bloatCount: 0,
+        bloatFiles: [],
+        plannedFilesModified: 0,
+        totalPlannedFiles: 0,
+        adherenceScore: input.score,
+        structuralViolations: input.structuralViolations,
+        structuralRulesApplied: input.structuralRulesApplied,
+        structuralSuppressedCount: input.structuralSuppressedCount,
+        mode: 'policy_only',
+        policyOnly: true,
+        policyOnlySource: input.source,
+        replayChecksum: input.replayChecksum,
+        replayMode: 'local-structural',
+        ...input.governancePayload,
+        policyLock: {
+            enforced: input.policyLock.enforced,
+            matched: input.policyLock.matched,
+            path: input.policyLock.path,
+            mismatches: input.policyLock.mismatches,
+        },
+        policyExceptions: input.policyExceptions,
+        policyGovernance: input.policyGovernance,
+        ...(input.policyPack
+            ? {
+                policyPack: {
+                    id: input.policyPack.id,
+                    name: input.policyPack.name,
+                    version: input.policyPack.version,
+                    ruleCount: input.policyPack.ruleCount,
+                },
+            }
+            : {}),
+    };
+}
+/**
+ * Assemble the main-flow (plan_enforced) canonical payload. Twin of
+ * `buildPolicyOnlyCanonicalPayload` for the verifyCommand main path.
+ * Replaces the inline literal previously at `commands/verify.ts:5542–5585`.
+ *
+ * Field order MUST be preserved byte-for-byte from the prior inline
+ * implementation. Replay consumers (audit dashboards, action JSON parsers)
+ * may depend on JSON serialization order.
+ */
+function buildVerifyCanonicalPayload(input) {
+    const payload = {
+        grade: input.grade,
+        score: input.score,
+        verdict: input.verdict,
+        violations: input.violations,
+        message: input.message,
+        adherenceScore: input.score,
+        scopeGuardPassed: input.scopeGuardPassed,
+        bloatCount: input.bloatCount,
+        bloatFiles: input.bloatFiles,
+        plannedFilesModified: input.plannedFilesModified,
+        totalPlannedFiles: input.totalPlannedFiles,
+        verificationSource: input.verificationSource,
+        structuralViolations: input.structuralViolations,
+        structuralRulesApplied: input.structuralRulesApplied,
+        structuralSuppressedCount: input.structuralSuppressedCount,
+        mode: 'plan_enforced',
+        policyOnly: false,
+        aiDebt: input.aiDebt,
+        changeContract: input.changeContract,
+        ...(input.compiledPolicyMetadata ? { policyCompilation: input.compiledPolicyMetadata } : {}),
+        ...(input.governancePayload || {}),
+        policyLock: {
+            enforced: input.policyLock.enforced,
+            matched: input.policyLock.matched,
+            path: input.policyLock.path,
+            mismatches: input.policyLock.mismatches,
+        },
+        policyExceptions: input.policyExceptions,
+        policyGovernance: input.policyGovernance,
+        intentProof: input.intentProof,
+        ...(input.runtimeGuard && input.runtimeGuard.required
+            ? { runtimeGuard: input.runtimeGuard }
+            : {}),
+        ...(input.policyDecision !== undefined ? { policyDecision: input.policyDecision } : {}),
+        ...(input.policyPack
+            ? {
+                policyPack: {
+                    id: input.policyPack.id,
+                    name: input.policyPack.name,
+                    version: input.policyPack.version,
+                    ruleCount: input.policyPack.ruleCount,
+                },
+            }
+            : {}),
+    };
+    return payload;
+}
+//# sourceMappingURL=envelope-assembly.js.map

package/dist/governance/pipeline/envelope-assembly.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-assembly.js","sourceRoot":"","sources":["../../../src/governance/pipeline/envelope-assembly.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;AA4DH,0EA2CC;AA0ED,kEAkDC;AA/KD;;;;;;;GAOG;AACH,SAAgB,+BAA+B,CAC7C,KAAsC;IAEtC,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,gBAAgB,EAAE,IAAI,EAAE,0BAA0B;QAClD,UAAU,EAAE,CAAC;QACb,UAAU,EAAE,EAAE;QACd,oBAAoB,EAAE,CAAC;QACvB,iBAAiB,EAAE,CAAC;QACpB,cAAc,EAAE,KAAK,CAAC,KAAK;QAC3B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,yBAAyB,EAAE,KAAK,CAAC,yBAAyB;QAC1D,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,IAAI;QAChB,gBAAgB,EAAE,KAAK,CAAC,MAAM;QAC9B,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,UAAU,EAAE,kBAAkB;QAC9B,GAAG,KAAK,CAAC,iBAAiB;QAC1B,UAAU,EAAE;YACV,QAAQ,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ;YACnC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;YACjC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU;SACxC;QACD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,GAAG,CAAC,KAAK,CAAC,UAAU;YAClB,CAAC,CAAC;gBACE,UAAU,EAAE;oBACV,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;oBACvB,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;oBAC3B,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;oBACjC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,SAAS;iBACtC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAiED;;;;;;;;GAQG;AACH,SAAgB,2BAA2B,CACzC,KAAkC;IAElC,MAAM,OAAO,GAA4B;QACvC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,cAAc,EAAE,KAAK,CAAC,KAAK;QAC3B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,yBAAyB,EAAE,KAAK,CAAC,yBAAyB;QAC1D,IAAI,EAAE,eAAe;QACrB,UAAU,EAAE,KAAK;QACjB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,GAAG,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,KAAK,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5F,GAAG,CAAC,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAClC,UAAU,EAAE;YACV,QAAQ,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ;YACnC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;YACjC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;YAC3B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU;SACxC;QACD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY,CAAC,QAAQ;YACnD,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE;YACtC,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvF,GAAG,CAAC,KAAK,CAAC,UAAU;YAClB,CAAC,CAAC;gBACE,UAAU,EAAE;oBACV,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;oBACvB,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;oBAC3B,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,OAAO;oBACjC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,SAAS;iBACtC;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;IACF,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/governance/pipeline/fingerprint.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Deterministic stage fingerprinting.
+ *
+ * A stage fingerprint is a SHA-256 over the stable identifiers of the stage's
+ * input or output. It MUST be:
+ *   - Independent of wall-clock time, run IDs, and process state
+ *   - Stable across operating systems and Node versions
+ *   - Computed only from canonical fields (no excerpts, no PII)
+ *
+ * Callers should provide a `signal` object containing the minimum stable
+ * descriptors. Anything not present in the signal is ignored by the fingerprint.
+ */
+/**
+ * Compute a deterministic SHA-256 fingerprint from a stage signal object.
+ *
+ * The signal is serialized via stable key ordering so logically identical inputs
+ * always produce the same hash, regardless of source object key insertion order.
+ *
+ * @param signal  An object containing stable, PII-free identifiers.
+ * @returns       64-char hex SHA-256 digest, or undefined when signal is empty.
+ */
+export declare function fingerprintStageSignal(signal: unknown): string | undefined;
+/**
+ * Deterministic JSON serialization with sorted object keys.
+ *
+ * Mirrors the contract of `@neurcode-ai/telemetry`'s `stableStringify` to avoid
+ * a cross-package dependency at this layer. Identical implementation invariants:
+ *   - Objects: keys sorted lexicographically
+ *   - Arrays: order preserved
+ *   - Numbers: NaN/Infinity become null (JSON-compatible)
+ *   - Functions / undefined values: omitted
+ */
+export declare function stableStringify(value: unknown): string;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/governance/pipeline/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAS1E;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEtD"}

package/dist/governance/pipeline/fingerprint.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * Deterministic stage fingerprinting.
+ *
+ * A stage fingerprint is a SHA-256 over the stable identifiers of the stage's
+ * input or output. It MUST be:
+ *   - Independent of wall-clock time, run IDs, and process state
+ *   - Stable across operating systems and Node versions
+ *   - Computed only from canonical fields (no excerpts, no PII)
+ *
+ * Callers should provide a `signal` object containing the minimum stable
+ * descriptors. Anything not present in the signal is ignored by the fingerprint.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fingerprintStageSignal = fingerprintStageSignal;
+exports.stableStringify = stableStringify;
+const crypto_1 = require("crypto");
+/**
+ * Compute a deterministic SHA-256 fingerprint from a stage signal object.
+ *
+ * The signal is serialized via stable key ordering so logically identical inputs
+ * always produce the same hash, regardless of source object key insertion order.
+ *
+ * @param signal  An object containing stable, PII-free identifiers.
+ * @returns       64-char hex SHA-256 digest, or undefined when signal is empty.
+ */
+function fingerprintStageSignal(signal) {
+    if (signal === null || signal === undefined) {
+        return undefined;
+    }
+    const stable = stableStringify(signal);
+    if (!stable || stable === '{}' || stable === '[]') {
+        return undefined;
+    }
+    return (0, crypto_1.createHash)('sha256').update(stable, 'utf-8').digest('hex');
+}
+/**
+ * Deterministic JSON serialization with sorted object keys.
+ *
+ * Mirrors the contract of `@neurcode-ai/telemetry`'s `stableStringify` to avoid
+ * a cross-package dependency at this layer. Identical implementation invariants:
+ *   - Objects: keys sorted lexicographically
+ *   - Arrays: order preserved
+ *   - Numbers: NaN/Infinity become null (JSON-compatible)
+ *   - Functions / undefined values: omitted
+ */
+function stableStringify(value) {
+    return JSON.stringify(canonicalize(value));
+}
+function canonicalize(value) {
+    if (value === null || value === undefined) {
+        return null;
+    }
+    if (typeof value === 'number') {
+        return Number.isFinite(value) ? value : null;
+    }
+    if (typeof value === 'string' || typeof value === 'boolean') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(canonicalize);
+    }
+    if (typeof value === 'object') {
+        const obj = value;
+        const keys = Object.keys(obj).sort();
+        const out = {};
+        for (const k of keys) {
+            const v = obj[k];
+            if (v === undefined || typeof v === 'function')
+                continue;
+            out[k] = canonicalize(v);
+        }
+        return out;
+    }
+    // bigint, symbol, etc. — drop
+    return null;
+}
+//# sourceMappingURL=fingerprint.js.map

package/dist/governance/pipeline/fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/governance/pipeline/fingerprint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAaH,wDASC;AAYD,0CAEC;AAlCD,mCAAoC;AAEpC;;;;;;;;GAQG;AACH,SAAgB,sBAAsB,CAAC,MAAe;IACpD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;YACjB,IAAI,CAAC,KAAK,SAAS,IAAI,OAAO,CAAC,KAAK,UAAU;gBAAE,SAAS;YACzD,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,8BAA8B;IAC9B,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/governance/pipeline/helpers.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Pipeline execution helpers.
+ *
+ * Compresses the repetitive verify.ts wire-in pattern:
+ *
+ *   const stageResult = await runStage(stage, input, ctx);
+ *   const value = stageResult.output ?? fallback(...);
+ *
+ * into a single named helper, while preserving:
+ *   - the underlying determinism of the wrapped function
+ *   - the staged-pipeline ledger receipt
+ *   - the byte-for-byte fallback semantics on isolated stage failure
+ *
+ * These are explicitly NOT a generic workflow engine. They are minimal,
+ * typed helpers for the four governance-pipeline wire-in patterns we
+ * encountered in verify.ts.
+ *
+ *   - runStageOrFallback        — "stage failed, compute the same thing without staging"
+ *   - runStageWithDegradedFallback — "stage succeeded but output was null; fall back"
+ *   - stageReceiptOrCompute     — "you only want a value; the receipt is bookkeeping"
+ *   - getLastStageOutput        — "read the most recent ledger entry for a stage"
+ *
+ * Replay invariant: when the stage succeeds, the helper returns the stage's
+ * output; the fallback is only used when the stage failed or produced null.
+ * The fallback MUST be byte-equivalent to the stage's execute body — that
+ * way semantics are preserved regardless of which branch ran.
+ */
+import type { GovernanceStageId, GovernanceStageResult } from '@neurcode-ai/contracts';
+import type { GovernancePipelineContext, GovernancePipelineStage } from './types';
+/**
+ * Run a stage and unwrap its output. If the stage failed or returned null,
+ * invoke the supplied fallback synchronously and use that value instead.
+ *
+ * The ledger always receives a receipt regardless of outcome — the fallback
+ * does not produce its own receipt (that would double-count).
+ */
+export declare function runStageOrFallback<TIn, TOut>(stage: GovernancePipelineStage<TIn, TOut>, input: TIn, ctx: GovernancePipelineContext, fallback: () => TOut): Promise<TOut>;
+/**
+ * Same as `runStageOrFallback`, but the fallback may be async (e.g. when it
+ * has to re-read from disk or call out to a sibling helper).
+ */
+export declare function runStageOrAsyncFallback<TIn, TOut>(stage: GovernancePipelineStage<TIn, TOut>, input: TIn, ctx: GovernancePipelineContext, fallback: () => Promise<TOut>): Promise<TOut>;
+/**
+ * Run a stage and return both the unwrapped output AND the full receipt.
+ * Useful when the caller needs to consult the receipt (e.g. for failure
+ * surfacing) but doesn't want to write the unwrap boilerplate.
+ */
+export declare function runStageWithReceipt<TIn, TOut>(stage: GovernancePipelineStage<TIn, TOut>, input: TIn, ctx: GovernancePipelineContext, fallback: () => TOut): Promise<{
+    value: TOut;
+    result: GovernanceStageResult<TOut>;
+}>;
+/**
+ * If a stage has already run and produced output, return that. Otherwise run
+ * the supplied compute function (and DO NOT append a ledger entry — this is
+ * "look up or compute"). Used when verify.ts has already invoked a stage
+ * elsewhere and a later code path needs the same value without re-emitting.
+ */
+export declare function stageReceiptOrCompute<T>(ctx: GovernancePipelineContext, stageId: GovernanceStageId, compute: () => T): T;
+/**
+ * Convenience: did a given stage record any non-success status in the ledger?
+ *
+ * Returns true when the stage ran and its status is `degraded` or `failed`.
+ * Returns false when the stage succeeded OR has not yet run.
+ */
+export declare function stageDegradedOrFailed(ctx: GovernancePipelineContext, stageId: GovernanceStageId): boolean;
+/**
+ * Convenience: enumerate all stages in the ledger that are NOT 'succeeded'.
+ * Used by computation-trace explainability helpers.
+ */
+export declare function enumerateNonSuccessStages(ctx: GovernancePipelineContext): Array<{
+    stageId: GovernanceStageId;
+    status: 'skipped' | 'degraded' | 'failed';
+}>;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/governance/pipeline/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EACV,yBAAyB,EACzB,uBAAuB,EACxB,MAAM,SAAS,CAAC;AAGjB;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,IAAI,EAChD,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,EACzC,KAAK,EAAE,GAAG,EACV,GAAG,EAAE,yBAAyB,EAC9B,QAAQ,EAAE,MAAM,IAAI,GACnB,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,IAAI,EACrD,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,EACzC,KAAK,EAAE,GAAG,EACV,GAAG,EAAE,yBAAyB,EAC9B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAC5B,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,IAAI,EACjD,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,EACzC,KAAK,EAAE,GAAG,EACV,GAAG,EAAE,yBAAyB,EAC9B,QAAQ,EAAE,MAAM,IAAI,GACnB,OAAO,CAAC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAA;CAAE,CAAC,CAO/D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,yBAAyB,EAC9B,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,MAAM,CAAC,GACf,CAAC,CAMH;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,yBAAyB,EAC9B,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAIT;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,yBAAyB,GAC7B,KAAK,CAAC;IAAE,OAAO,EAAE,iBAAiB,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAA;CAAE,CAAC,CAQlF"}