@neurcode-ai/cli 0.9.65 → 0.9.66

package/dist/governance/canonical-invariants.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Canonical Finding Invariants (Phase 1 + Phase 3)
+ *
+ * Two responsibilities:
+ *
+ * 1. Architectural invariant enforcement (Phase 1):
+ *    - Assert that policyViolations never contain structural:* rows
+ *    - If violated, emit a deterministic console warning (never throw)
+ *    - This guards against regressions where future code re-introduces the merge
+ *
+ * 2. Replay determinism (Phase 3):
+ *    - computeCanonicalFindingChecksum(): deterministic SHA-256 over finding set
+ *    - sortFindingsDeterministically(): canonical sort order for stable checksums
+ *
+ * Both functions are pure and dependency-free (only Node 'crypto').
+ */
+import type { GovernanceFinding } from '@neurcode-ai/contracts';
+import type { RuleViolation } from '@neurcode-ai/policy-engine';
+/**
+ * Assert that the policyViolations array contains no structural:* prefixed rows.
+ *
+ * Structural violations MUST flow only through `payload.structuralViolations`
+ * into the canonical pipeline. Structural rows in policyViolations cause
+ * cross-source duplicate GovernanceFinding objects.
+ *
+ * This guard emits a console.warn if violated — it NEVER throws. The intention
+ * is observability and regression detection, not hard failure. The pipeline's
+ * stripStructuralPolicyRows() provides the actual cleanup.
+ *
+ * @param violations  The policyViolations array before it reaches the pipeline
+ * @param context     Caller label for the warning message (e.g. 'verify:policy-only')
+ * @returns           Count of structural rows found (0 = invariant holds)
+ */
+export declare function assertNoStructuralPolicyRows(violations: RuleViolation[], context: string): number;
+/**
+ * Sort findings into a canonical deterministic order.
+ *
+ * Sort key (descending priority):
+ *   1. determinismClassification rank (descending — structural first)
+ *   2. severity rank (descending — BLOCKING first)
+ *   3. filePath (ascending — lexicographic)
+ *   4. line number (ascending)
+ *   5. id (ascending — stable tiebreaker)
+ *
+ * This order is stable across multiple runs on the same input, enabling
+ * reliable replay checksum comparison.
+ *
+ * NEVER mutates the input array — returns a new sorted array.
+ */
+export declare function sortFindingsDeterministically(findings: GovernanceFinding[]): GovernanceFinding[];
+/**
+ * Compute a deterministic SHA-256 checksum over the canonical finding set.
+ *
+ * Checksum input is built from sorted findings:
+ *   for each finding (in canonical sort order):
+ *     id + '\x1e' + severity + '\x1e' + determinismClassification +
+ *     '\x1e' + filePath + '\x1e' + line
+ *   joined with '\x00'
+ *
+ * This checksum:
+ *   - Changes if any finding is added, removed, or has severity/determinism changed
+ *   - Changes if canonical ordering changes (sort key must be stable)
+ *   - Is stable across process restarts on the same input
+ *   - Is used to detect replay drift (same commit + diff + rules → same checksum)
+ *
+ * @param findings  Raw findings from the canonical pipeline (NOT pre-sorted)
+ * @returns         hex SHA-256 string (64 chars)
+ */
+export declare function computeCanonicalFindingChecksum(findings: GovernanceFinding[]): string;
+/**
+ * Compare two sets of findings for replay equivalence.
+ *
+ * Returns a structured comparison result:
+ *   - 'exact': checksums match — identical governance output
+ *   - 'drift-detected': checksums differ — replay divergence
+ *
+ * @param baseline  Findings from the baseline (e.g. cached) run
+ * @param replay    Findings from the current run
+ */
+export declare function compareForReplayEquivalence(baseline: GovernanceFinding[], replay: GovernanceFinding[]): {
+    status: 'exact' | 'drift-detected';
+    baselineChecksum: string;
+    replayChecksum: string;
+    baselineCount: number;
+    replayCount: number;
+    driftDetails?: string;
+};
+//# sourceMappingURL=canonical-invariants.d.ts.map

package/dist/governance/canonical-invariants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-invariants.d.ts","sourceRoot":"","sources":["../../src/governance/canonical-invariants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAIhE;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,4BAA4B,CAC1C,UAAU,EAAE,aAAa,EAAE,EAC3B,OAAO,EAAE,MAAM,GACd,MAAM,CAYR;AA4BD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,iBAAiB,EAAE,CAyBhG;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,+BAA+B,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,MAAM,CAgBrF;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,iBAAiB,EAAE,EAC7B,MAAM,EAAE,iBAAiB,EAAE,GAC1B;IACD,MAAM,EAAE,OAAO,GAAG,gBAAgB,CAAC;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CA2CA"}

package/dist/governance/canonical-invariants.js

@@ -0,0 +1,197 @@
+"use strict";
+/**
+ * Canonical Finding Invariants (Phase 1 + Phase 3)
+ *
+ * Two responsibilities:
+ *
+ * 1. Architectural invariant enforcement (Phase 1):
+ *    - Assert that policyViolations never contain structural:* rows
+ *    - If violated, emit a deterministic console warning (never throw)
+ *    - This guards against regressions where future code re-introduces the merge
+ *
+ * 2. Replay determinism (Phase 3):
+ *    - computeCanonicalFindingChecksum(): deterministic SHA-256 over finding set
+ *    - sortFindingsDeterministically(): canonical sort order for stable checksums
+ *
+ * Both functions are pure and dependency-free (only Node 'crypto').
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertNoStructuralPolicyRows = assertNoStructuralPolicyRows;
+exports.sortFindingsDeterministically = sortFindingsDeterministically;
+exports.computeCanonicalFindingChecksum = computeCanonicalFindingChecksum;
+exports.compareForReplayEquivalence = compareForReplayEquivalence;
+const crypto_1 = require("crypto");
+// ── Phase 1: Architectural invariant guard ────────────────────────────────────
+/**
+ * Assert that the policyViolations array contains no structural:* prefixed rows.
+ *
+ * Structural violations MUST flow only through `payload.structuralViolations`
+ * into the canonical pipeline. Structural rows in policyViolations cause
+ * cross-source duplicate GovernanceFinding objects.
+ *
+ * This guard emits a console.warn if violated — it NEVER throws. The intention
+ * is observability and regression detection, not hard failure. The pipeline's
+ * stripStructuralPolicyRows() provides the actual cleanup.
+ *
+ * @param violations  The policyViolations array before it reaches the pipeline
+ * @param context     Caller label for the warning message (e.g. 'verify:policy-only')
+ * @returns           Count of structural rows found (0 = invariant holds)
+ */
+function assertNoStructuralPolicyRows(violations, context) {
+    const leaked = violations.filter(v => String(v.rule ?? '').startsWith('structural:'));
+    if (leaked.length > 0) {
+        console.warn(`[neurcode/canonical-invariant] VIOLATION in ${context}: ` +
+            `${leaked.length} structural:* row(s) found in policyViolations. ` +
+            `These should flow exclusively through payload.structuralViolations. ` +
+            `Rows: ${leaked.map(v => v.rule).join(', ')}. ` +
+            `The canonical pipeline will strip them, but this represents a source-level duplication bug.`);
+    }
+    return leaked.length;
+}
+// ── Phase 3: Replay determinism ───────────────────────────────────────────────
+/**
+ * Determinism rank for sorting (higher = more deterministic = sorted first).
+ * Identical to rankDeterminism in canonical-pipeline.ts — kept separate to
+ * avoid circular import.
+ */
+function rankDeterminism(d) {
+    switch (d) {
+        case 'deterministic-structural': return 4;
+        case 'deterministic-semantic': return 3;
+        case 'heuristic-advisory': return 2;
+        case 'llm-assisted-planning': return 1;
+        default: return 0;
+    }
+}
+function rankSeverity(s) {
+    switch (s) {
+        case 'BLOCKING': return 3;
+        case 'ADVISORY': return 2;
+        case 'INFO': return 1;
+        default: return 0;
+    }
+}
+/**
+ * Sort findings into a canonical deterministic order.
+ *
+ * Sort key (descending priority):
+ *   1. determinismClassification rank (descending — structural first)
+ *   2. severity rank (descending — BLOCKING first)
+ *   3. filePath (ascending — lexicographic)
+ *   4. line number (ascending)
+ *   5. id (ascending — stable tiebreaker)
+ *
+ * This order is stable across multiple runs on the same input, enabling
+ * reliable replay checksum comparison.
+ *
+ * NEVER mutates the input array — returns a new sorted array.
+ */
+function sortFindingsDeterministically(findings) {
+    return [...findings].sort((a, b) => {
+        // 1. Determinism rank descending
+        const dA = rankDeterminism(a.determinismClassification);
+        const dB = rankDeterminism(b.determinismClassification);
+        if (dA !== dB)
+            return dB - dA;
+        // 2. Severity descending
+        const sA = rankSeverity(a.severity);
+        const sB = rankSeverity(b.severity);
+        if (sA !== sB)
+            return sB - sA;
+        // 3. File path ascending
+        const fA = a.evidence?.filePath ?? '';
+        const fB = b.evidence?.filePath ?? '';
+        if (fA !== fB)
+            return fA < fB ? -1 : 1;
+        // 4. Line number ascending
+        const lA = a.evidence?.line ?? 0;
+        const lB = b.evidence?.line ?? 0;
+        if (lA !== lB)
+            return lA - lB;
+        // 5. ID ascending (stable tiebreaker)
+        return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
+    });
+}
+/**
+ * Compute a deterministic SHA-256 checksum over the canonical finding set.
+ *
+ * Checksum input is built from sorted findings:
+ *   for each finding (in canonical sort order):
+ *     id + '\x1e' + severity + '\x1e' + determinismClassification +
+ *     '\x1e' + filePath + '\x1e' + line
+ *   joined with '\x00'
+ *
+ * This checksum:
+ *   - Changes if any finding is added, removed, or has severity/determinism changed
+ *   - Changes if canonical ordering changes (sort key must be stable)
+ *   - Is stable across process restarts on the same input
+ *   - Is used to detect replay drift (same commit + diff + rules → same checksum)
+ *
+ * @param findings  Raw findings from the canonical pipeline (NOT pre-sorted)
+ * @returns         hex SHA-256 string (64 chars)
+ */
+function computeCanonicalFindingChecksum(findings) {
+    const sorted = sortFindingsDeterministically(findings);
+    const input = sorted
+        .map(f => [
+        f.id,
+        f.severity,
+        f.determinismClassification,
+        f.evidence?.filePath ?? '',
+        String(f.evidence?.line ?? 0),
+    ].join('\x1e'))
+        .join('\x00');
+    return (0, crypto_1.createHash)('sha256').update(input, 'utf-8').digest('hex');
+}
+/**
+ * Compare two sets of findings for replay equivalence.
+ *
+ * Returns a structured comparison result:
+ *   - 'exact': checksums match — identical governance output
+ *   - 'drift-detected': checksums differ — replay divergence
+ *
+ * @param baseline  Findings from the baseline (e.g. cached) run
+ * @param replay    Findings from the current run
+ */
+function compareForReplayEquivalence(baseline, replay) {
+    const baselineChecksum = computeCanonicalFindingChecksum(baseline);
+    const replayChecksum = computeCanonicalFindingChecksum(replay);
+    if (baselineChecksum === replayChecksum) {
+        return {
+            status: 'exact',
+            baselineChecksum,
+            replayChecksum,
+            baselineCount: baseline.length,
+            replayCount: replay.length,
+        };
+    }
+    // Drift detected — build detailed explanation
+    const baselineIds = new Set(baseline.map(f => f.id));
+    const replayIds = new Set(replay.map(f => f.id));
+    const added = replay.filter(f => !baselineIds.has(f.id)).map(f => f.id);
+    const removed = baseline.filter(f => !replayIds.has(f.id)).map(f => f.id);
+    // Findings present in both but with changed severity or determinism
+    const changed = [];
+    for (const bf of baseline) {
+        const rf = replay.find(f => f.id === bf.id);
+        if (rf && (rf.severity !== bf.severity || rf.determinismClassification !== bf.determinismClassification)) {
+            changed.push(`${bf.id}(sev:${bf.severity}→${rf.severity},det:${bf.determinismClassification}→${rf.determinismClassification})`);
+        }
+    }
+    const parts = [];
+    if (added.length > 0)
+        parts.push(`added=${added.length}[${added.slice(0, 3).join(',')}${added.length > 3 ? '...' : ''}]`);
+    if (removed.length > 0)
+        parts.push(`removed=${removed.length}[${removed.slice(0, 3).join(',')}${removed.length > 3 ? '...' : ''}]`);
+    if (changed.length > 0)
+        parts.push(`changed=${changed.length}[${changed.slice(0, 3).join(',')}${changed.length > 3 ? '...' : ''}]`);
+    return {
+        status: 'drift-detected',
+        baselineChecksum,
+        replayChecksum,
+        baselineCount: baseline.length,
+        replayCount: replay.length,
+        driftDetails: parts.join('; ') || 'checksum mismatch (unknown cause)',
+    };
+}
+//# sourceMappingURL=canonical-invariants.js.map

package/dist/governance/canonical-invariants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-invariants.js","sourceRoot":"","sources":["../../src/governance/canonical-invariants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;AAuBH,oEAeC;AA2CD,sEAyBC;AAoBD,0EAgBC;AAYD,kEAqDC;AA7MD,mCAAoC;AAIpC,iFAAiF;AAEjF;;;;;;;;;;;;;;GAcG;AACH,SAAgB,4BAA4B,CAC1C,UAA2B,EAC3B,OAAe;IAEf,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACtF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CACV,+CAA+C,OAAO,IAAI;YAC1D,GAAG,MAAM,CAAC,MAAM,kDAAkD;YAClE,sEAAsE;YACtE,SAAS,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;YAC/C,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED,iFAAiF;AAEjF;;;;GAIG;AACH,SAAS,eAAe,CAAC,CAAS;IAChC,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,0BAA0B,CAAC,CAAE,OAAO,CAAC,CAAC;QAC3C,KAAK,wBAAwB,CAAC,CAAI,OAAO,CAAC,CAAC;QAC3C,KAAK,oBAAoB,CAAC,CAAQ,OAAO,CAAC,CAAC;QAC3C,KAAK,uBAAuB,CAAC,CAAK,OAAO,CAAC,CAAC;QAC3C,OAAO,CAAC,CAA0B,OAAO,CAAC,CAAC;IAC7C,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,UAAU,CAAC,CAAE,OAAO,CAAC,CAAC;QAC3B,KAAK,UAAU,CAAC,CAAE,OAAO,CAAC,CAAC;QAC3B,KAAK,MAAM,CAAC,CAAM,OAAO,CAAC,CAAC;QAC3B,OAAO,CAAC,CAAU,OAAO,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,6BAA6B,CAAC,QAA6B;IACzE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjC,iCAAiC;QACjC,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,yBAAyB;QACzB,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,yBAAyB;QACzB,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC;QACtC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEvC,2BAA2B;QAC3B,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;QACjC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,sCAAsC;QACtC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,+BAA+B,CAAC,QAA6B;IAC3E,MAAM,MAAM,GAAG,6BAA6B,CAAC,QAAQ,CAAC,CAAC;IAEvD,MAAM,KAAK,GAAG,MAAM;SACjB,GAAG,CAAC,CAAC,CAAC,EAAE,CACP;QACE,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,QAAQ;QACV,CAAC,CAAC,yBAAyB;QAC3B,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE;QAC1B,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;KAC9B,CAAC,IAAI,CAAC,MAAM,CAAC,CACf;SACA,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CACzC,QAA6B,EAC7B,MAA2B;IAS3B,MAAM,gBAAgB,GAAG,+BAA+B,CAAC,QAAQ,CAAC,CAAC;IACnE,MAAM,cAAc,GAAK,+BAA+B,CAAC,MAAM,CAAC,CAAC;IAEjE,IAAI,gBAAgB,KAAK,cAAc,EAAE,CAAC;QACxC,OAAO;YACL,MAAM,EAAE,OAAO;YACf,gBAAgB;YAChB,cAAc;YACd,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,WAAW,EAAE,MAAM,CAAC,MAAM;SAC3B,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAK,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEnD,MAAM,KAAK,GAAK,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1E,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAE1E,oEAAoE;IACpE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAC5C,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,QAAQ,KAAK,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,yBAAyB,KAAK,EAAE,CAAC,yBAAyB,CAAC,EAAE,CAAC;YACzG,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,QAAQ,QAAQ,EAAE,CAAC,yBAAyB,IAAI,EAAE,CAAC,yBAAyB,GAAG,CAAC,CAAC;QAClI,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAI,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5H,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpI,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAEpI,OAAO;QACL,MAAM,EAAE,gBAAgB;QACxB,gBAAgB;QAChB,cAAc;QACd,aAAa,EAAE,QAAQ,CAAC,MAAM;QAC9B,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,mCAAmC;KACtE,CAAC;AACJ,CAAC"}

package/dist/governance/canonical-ordering.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Canonical Deterministic Ordering (Phase 1 — Canonical Deterministic Ordering)
+ *
+ * Single source of truth for finding sort order across:
+ *   - replayChecksum generation
+ *   - provenance serialization
+ *   - governance envelope emission
+ *   - telemetry harvesting
+ *
+ * INVARIANT:
+ *   Any two invocations on the same logical finding set MUST produce
+ *   the same ordered array, regardless of:
+ *   - filesystem traversal order
+ *   - async execution timing
+ *   - insertion order
+ *   - Map iteration order
+ *   - Object.keys() order
+ *
+ * Canonical sort key (evaluated in priority order):
+ *   1. severity          (BLOCKING > ADVISORY > INFO > unknown)
+ *   2. determinismClassification (deterministic-structural > deterministic-semantic
+ *                                 > heuristic-advisory > llm-assisted-planning > unknown)
+ *   3. ruleId            (ascending lexicographic)
+ *   4. filePath          (ascending lexicographic, normalized to forward slashes)
+ *   5. line              (ascending numeric, missing = 0)
+ *   6. column            (ascending numeric, missing = 0)
+ *   7. findingId         (ascending lexicographic — stable tiebreaker, always unique)
+ *
+ * These rules ensure a total order: no two distinct findings can be equal on
+ * all 7 keys simultaneously (findingId is always unique by construction).
+ */
+import type { GovernanceFinding } from '@neurcode-ai/contracts';
+/**
+ * Compute the canonical ordering key for a single finding.
+ *
+ * Returns a tuple whose elements, compared left-to-right, produce the
+ * canonical ordering defined above. Useful for inspection and testing.
+ *
+ * Format: [severityRank, determinismRank, ruleId, filePath, line, column, id]
+ */
+export declare function canonicalFindingOrderingKey(f: GovernanceFinding): readonly [
+    number,
+    number,
+    string,
+    string,
+    number,
+    number,
+    string
+];
+/**
+ * Sort findings into the canonical deterministic order.
+ *
+ * Properties:
+ *   - Pure function — NEVER mutates the input array
+ *   - Stable across process restarts for identical inputs
+ *   - Independent of insertion order, Map iteration, filesystem traversal
+ *   - Total order — no two distinct findings can compare as equal
+ *
+ * @param findings  Any array of GovernanceFinding (may be in any order)
+ * @returns         New sorted array (input is not mutated)
+ */
+export declare function sortCanonicalFindingsStable(findings: GovernanceFinding[]): GovernanceFinding[];
+/**
+ * Validate that a finding array is already in canonical order.
+ *
+ * Returns the index of the first out-of-order finding pair, or -1 if
+ * the array is already sorted. Used for invariant checking.
+ *
+ * Emits a console.warn if ordering drift is detected.
+ *
+ * @param findings  Array to validate (not mutated)
+ * @param context   Caller label for the warning (e.g. 'envelope-emit')
+ * @returns         Index of first violation, or -1 if canonical
+ */
+export declare function validateCanonicalOrder(findings: GovernanceFinding[], context: string): number;
+//# sourceMappingURL=canonical-ordering.d.ts.map

package/dist/governance/canonical-ordering.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-ordering.d.ts","sourceRoot":"","sources":["../../src/governance/canonical-ordering.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAsChE;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,CAAC,CAAC,EAAE,iBAAiB,GAAG,SAAS;IAC1E,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;CACvD,CAUA;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,iBAAiB,EAAE,CAmC9F;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,iBAAiB,EAAE,EAC7B,OAAO,EAAE,MAAM,GACd,MAAM,CA2CR"}

package/dist/governance/canonical-ordering.js

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * Canonical Deterministic Ordering (Phase 1 — Canonical Deterministic Ordering)
+ *
+ * Single source of truth for finding sort order across:
+ *   - replayChecksum generation
+ *   - provenance serialization
+ *   - governance envelope emission
+ *   - telemetry harvesting
+ *
+ * INVARIANT:
+ *   Any two invocations on the same logical finding set MUST produce
+ *   the same ordered array, regardless of:
+ *   - filesystem traversal order
+ *   - async execution timing
+ *   - insertion order
+ *   - Map iteration order
+ *   - Object.keys() order
+ *
+ * Canonical sort key (evaluated in priority order):
+ *   1. severity          (BLOCKING > ADVISORY > INFO > unknown)
+ *   2. determinismClassification (deterministic-structural > deterministic-semantic
+ *                                 > heuristic-advisory > llm-assisted-planning > unknown)
+ *   3. ruleId            (ascending lexicographic)
+ *   4. filePath          (ascending lexicographic, normalized to forward slashes)
+ *   5. line              (ascending numeric, missing = 0)
+ *   6. column            (ascending numeric, missing = 0)
+ *   7. findingId         (ascending lexicographic — stable tiebreaker, always unique)
+ *
+ * These rules ensure a total order: no two distinct findings can be equal on
+ * all 7 keys simultaneously (findingId is always unique by construction).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonicalFindingOrderingKey = canonicalFindingOrderingKey;
+exports.sortCanonicalFindingsStable = sortCanonicalFindingsStable;
+exports.validateCanonicalOrder = validateCanonicalOrder;
+// ── Rank tables ───────────────────────────────────────────────────────────────
+/**
+ * Severity rank — higher number = sorted first (BLOCKING first).
+ * Deterministic: closed set, no dynamic lookup.
+ */
+function rankSeverity(s) {
+    switch (s) {
+        case 'BLOCKING': return 3;
+        case 'ADVISORY': return 2;
+        case 'INFO': return 1;
+        default: return 0;
+    }
+}
+/**
+ * Determinism classification rank — higher = sorted first (structural first).
+ * Deterministic: closed set, no dynamic lookup.
+ */
+function rankDeterminism(d) {
+    switch (d) {
+        case 'deterministic-structural': return 4;
+        case 'deterministic-semantic': return 3;
+        case 'heuristic-advisory': return 2;
+        case 'llm-assisted-planning': return 1;
+        default: return 0;
+    }
+}
+/** Normalize a file path to use forward slashes for cross-platform stability. */
+function normalizePath(p) {
+    return p.replace(/\\/g, '/');
+}
+// ── Public API ────────────────────────────────────────────────────────────────
+/**
+ * Compute the canonical ordering key for a single finding.
+ *
+ * Returns a tuple whose elements, compared left-to-right, produce the
+ * canonical ordering defined above. Useful for inspection and testing.
+ *
+ * Format: [severityRank, determinismRank, ruleId, filePath, line, column, id]
+ */
+function canonicalFindingOrderingKey(f) {
+    return [
+        rankSeverity(f.severity),
+        rankDeterminism(f.determinismClassification),
+        f.structuralMetadata?.ruleId ?? '',
+        normalizePath(f.evidence?.filePath ?? ''),
+        f.evidence?.line ?? 0,
+        f.evidence?.column ?? 0,
+        f.id,
+    ];
+}
+/**
+ * Sort findings into the canonical deterministic order.
+ *
+ * Properties:
+ *   - Pure function — NEVER mutates the input array
+ *   - Stable across process restarts for identical inputs
+ *   - Independent of insertion order, Map iteration, filesystem traversal
+ *   - Total order — no two distinct findings can compare as equal
+ *
+ * @param findings  Any array of GovernanceFinding (may be in any order)
+ * @returns         New sorted array (input is not mutated)
+ */
+function sortCanonicalFindingsStable(findings) {
+    return [...findings].sort((a, b) => {
+        // 1. Severity descending (BLOCKING first)
+        const sA = rankSeverity(a.severity);
+        const sB = rankSeverity(b.severity);
+        if (sA !== sB)
+            return sB - sA;
+        // 2. Determinism classification descending (structural first)
+        const dA = rankDeterminism(a.determinismClassification);
+        const dB = rankDeterminism(b.determinismClassification);
+        if (dA !== dB)
+            return dB - dA;
+        // 3. Rule ID ascending
+        const rA = a.structuralMetadata?.ruleId ?? '';
+        const rB = b.structuralMetadata?.ruleId ?? '';
+        if (rA !== rB)
+            return rA < rB ? -1 : 1;
+        // 4. File path ascending (normalized)
+        const fA = normalizePath(a.evidence?.filePath ?? '');
+        const fB = normalizePath(b.evidence?.filePath ?? '');
+        if (fA !== fB)
+            return fA < fB ? -1 : 1;
+        // 5. Line number ascending (missing = 0)
+        const lA = a.evidence?.line ?? 0;
+        const lB = b.evidence?.line ?? 0;
+        if (lA !== lB)
+            return lA - lB;
+        // 6. Column number ascending (missing = 0)
+        const cA = a.evidence?.column ?? 0;
+        const cB = b.evidence?.column ?? 0;
+        if (cA !== cB)
+            return cA - cB;
+        // 7. Finding ID ascending — guaranteed unique tiebreaker
+        return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
+    });
+}
+/**
+ * Validate that a finding array is already in canonical order.
+ *
+ * Returns the index of the first out-of-order finding pair, or -1 if
+ * the array is already sorted. Used for invariant checking.
+ *
+ * Emits a console.warn if ordering drift is detected.
+ *
+ * @param findings  Array to validate (not mutated)
+ * @param context   Caller label for the warning (e.g. 'envelope-emit')
+ * @returns         Index of first violation, or -1 if canonical
+ */
+function validateCanonicalOrder(findings, context) {
+    for (let i = 1; i < findings.length; i++) {
+        const prev = findings[i - 1];
+        const curr = findings[i];
+        const kPrev = canonicalFindingOrderingKey(prev);
+        const kCurr = canonicalFindingOrderingKey(curr);
+        // Compare tuple element by element
+        for (let k = 0; k < kPrev.length; k++) {
+            const pv = kPrev[k];
+            const cv = kCurr[k];
+            if (typeof pv === 'number' && typeof cv === 'number') {
+                if (pv > cv) {
+                    console.warn(`[neurcode/canonical-ordering] ORDERING DRIFT at index ${i} in ${context}. ` +
+                        `Finding "${prev.id}" (key[${k}]=${pv}) appears before "${curr.id}" (key[${k}]=${cv}) ` +
+                        `but canonical order requires ascending value at position ${k}. ` +
+                        `Run sortCanonicalFindingsStable() before serialization.`);
+                    return i;
+                }
+                if (pv < cv)
+                    break; // correct order for this pair
+            }
+            else if (typeof pv === 'string' && typeof cv === 'string') {
+                // Numeric keys are descending (rank), string keys are ascending
+                // Keys 0 and 1 are ranks (descending means higher rank first = larger number first)
+                if (k <= 1) {
+                    // These are rank values stored as numbers — already handled above
+                    break;
+                }
+                if (pv > cv) {
+                    console.warn(`[neurcode/canonical-ordering] ORDERING DRIFT at index ${i} in ${context}. ` +
+                        `Finding "${prev.id}" (key[${k}]="${pv}") appears before "${curr.id}" ` +
+                        `(key[${k}]="${cv}") but canonical order requires ascending string at position ${k}. ` +
+                        `Run sortCanonicalFindingsStable() before serialization.`);
+                    return i;
+                }
+                if (pv < cv)
+                    break; // correct order for this pair
+            }
+        }
+    }
+    return -1;
+}
+//# sourceMappingURL=canonical-ordering.js.map

package/dist/governance/canonical-ordering.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-ordering.js","sourceRoot":"","sources":["../../src/governance/canonical-ordering.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;AAgDH,kEAYC;AAcD,kEAmCC;AAcD,wDA8CC;AArKD,iFAAiF;AAEjF;;;GAGG;AACH,SAAS,YAAY,CAAC,CAAS;IAC7B,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,KAAK,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,KAAK,MAAM,CAAC,CAAK,OAAO,CAAC,CAAC;QAC1B,OAAO,CAAC,CAAS,OAAO,CAAC,CAAC;IAC5B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,CAAS;IAChC,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,0BAA0B,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1C,KAAK,wBAAwB,CAAC,CAAG,OAAO,CAAC,CAAC;QAC1C,KAAK,oBAAoB,CAAC,CAAO,OAAO,CAAC,CAAC;QAC1C,KAAK,uBAAuB,CAAC,CAAI,OAAO,CAAC,CAAC;QAC1C,OAAO,CAAC,CAAyB,OAAO,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,iFAAiF;AACjF,SAAS,aAAa,CAAC,CAAS;IAC9B,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,iFAAiF;AAEjF;;;;;;;GAOG;AACH,SAAgB,2BAA2B,CAAC,CAAoB;IAG9D,OAAO;QACL,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC;QACxB,eAAe,CAAC,CAAC,CAAC,yBAAyB,CAAC;QAC5C,CAAC,CAAC,kBAAkB,EAAE,MAAM,IAAI,EAAE;QAClC,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC;QACzC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC;QACrB,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC;QACvB,CAAC,CAAC,EAAE;KACI,CAAC;AACb,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,2BAA2B,CAAC,QAA6B;IACvE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjC,0CAA0C;QAC1C,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,8DAA8D;QAC9D,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,uBAAuB;QACvB,MAAM,EAAE,GAAG,CAAC,CAAC,kBAAkB,EAAE,MAAM,IAAI,EAAE,CAAC;QAC9C,MAAM,EAAE,GAAG,CAAC,CAAC,kBAAkB,EAAE,MAAM,IAAI,EAAE,CAAC;QAC9C,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEvC,sCAAsC;QACtC,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC;QACrD,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEvC,yCAAyC;QACzC,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;QACjC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,2CAA2C;QAC3C,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC;QACnC,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC;QACnC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QAE9B,yDAAyD;QACzD,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,sBAAsB,CACpC,QAA6B,EAC7B,OAAe;IAEf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,KAAK,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;QAEhD,mCAAmC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACpB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;gBACrD,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CACV,yDAAyD,CAAC,OAAO,OAAO,IAAI;wBAC5E,YAAY,IAAI,CAAC,EAAE,UAAU,CAAC,KAAK,EAAE,qBAAqB,IAAI,CAAC,EAAE,UAAU,CAAC,KAAK,EAAE,IAAI;wBACvF,4DAA4D,CAAC,IAAI;wBACjE,yDAAyD,CAC1D,CAAC;oBACF,OAAO,CAAC,CAAC;gBACX,CAAC;gBACD,IAAI,EAAE,GAAG,EAAE;oBAAE,MAAM,CAAC,8BAA8B;YACpD,CAAC;iBAAM,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC5D,gEAAgE;gBAChE,oFAAoF;gBACpF,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACX,kEAAkE;oBAClE,MAAM;gBACR,CAAC;gBACD,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CACV,yDAAyD,CAAC,OAAO,OAAO,IAAI;wBAC5E,YAAY,IAAI,CAAC,EAAE,UAAU,CAAC,MAAM,EAAE,sBAAsB,IAAI,CAAC,EAAE,IAAI;wBACvE,QAAQ,CAAC,MAAM,EAAE,gEAAgE,CAAC,IAAI;wBACtF,yDAAyD,CAC1D,CAAC;oBACF,OAAO,CAAC,CAAC;gBACX,CAAC;gBACD,IAAI,EAAE,GAAG,EAAE;oBAAE,MAAM,CAAC,8BAA8B;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC,CAAC;AACZ,CAAC"}

package/dist/governance/canonical-pipeline.d.ts

@@ -4,6 +4,13 @@ import type { IntentIssue } from '../intent-engine/matcher';
 import type { FlowIssue } from '../intent-engine/flow-validator';
 import type { RegressionIssue } from '../intent-engine/regression';
 import type { RuleViolation } from '@neurcode-ai/policy-engine';
+/**
+ * Strip structural:* prefixed violations from the policy-engine row list.
+ * These are already represented in structuralViolations — keeping them in
+ * policyViolations causes cross-source duplicate GovernanceFinding objects.
+ * Called by attachCanonicalGovernance before building the envelope.
+ */
+export declare function stripStructuralPolicyRows(violations: RuleViolation[]): RuleViolation[];
 export declare function findingFromStructural(v: StructuralViolation): GovernanceFinding;
 export declare function findingFromPolicyEngine(v: RuleViolation): GovernanceFinding;
 export declare function findingFromIntentIssue(i: IntentIssue): GovernanceFinding;

package/dist/governance/canonical-pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canonical-pipeline.d.ts","sourceRoot":"","sources":["../../src/governance/canonical-pipeline.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAEV,iBAAiB,EACjB,yBAAyB,EAEzB,8BAA8B,EAC/B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAoChE,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,mBAAmB,GAAG,iBAAiB,CAkC/E;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,aAAa,GAAG,iBAAiB,CAyB3E;AAED,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,WAAW,GAAG,iBAAiB,CAgBxE;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,SAAS,GAAG,iBAAiB,CAepE;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,eAAe,GAAG,iBAAiB,CAc3E;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAcjF;AAED,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,CAcpG;AAmGD,wBAAgB,mCAAmC,CACjD,KAAK,EAAE;IACL,oBAAoB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC7C,gBAAgB,CAAC,EAAE,aAAa,EAAE,CAAC;IACnC,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC;IACzB,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;IAChC,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvD,kBAAkB,CAAC,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/D,UAAU,CAAC,EAAE,iBAAiB,CAAC,oBAAoB,CAAC,CAAC;CACtD,GACA,8BAA8B,CAwChC;AAuDD;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA+BnG;AAED,wBAAgB,iCAAiC,CAAC,KAAK,EAAE;IACvD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChD,GAAG,yBAAyB,CA8D5B"}
+{"version":3,"file":"canonical-pipeline.d.ts","sourceRoot":"","sources":["../../src/governance/canonical-pipeline.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAEV,iBAAiB,EACjB,yBAAyB,EAEzB,8BAA8B,EAE/B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAehE;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,aAAa,EAAE,GAAG,aAAa,EAAE,CAEtF;AAgCD,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,mBAAmB,GAAG,iBAAiB,CAkC/E;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,aAAa,GAAG,iBAAiB,CAyB3E;AAED,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,WAAW,GAAG,iBAAiB,CAgBxE;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,SAAS,GAAG,iBAAiB,CAepE;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,eAAe,GAAG,iBAAiB,CAc3E;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAcjF;AAED,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,CAcpG;AA+ID,wBAAgB,mCAAmC,CACjD,KAAK,EAAE;IACL,oBAAoB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC7C,gBAAgB,CAAC,EAAE,aAAa,EAAE,CAAC;IACnC,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC;IACzB,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;IAChC,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvD,kBAAkB,CAAC,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/D,UAAU,CAAC,EAAE,iBAAiB,CAAC,oBAAoB,CAAC,CAAC;CACtD,GACA,8BAA8B,CA0EhC;AAuDD;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAiCnG;AAED,wBAAgB,iCAAiC,CAAC,KAAK,EAAE;IACvD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChD,GAAG,yBAAyB,CAuK5B"}