npm - @neurcode/action - Versions diffs - 0.2.1 → 0.2.2 - Mend

@neurcode/action 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +9 -3
package/action.yml +36 -4
package/dist/index.js +618 -9
package/dist/index.js.map +1 -1
package/dist/runtime-compat.js +125 -0
package/dist/runtime-compat.js.map +1 -0
package/dist/verify-mode.js +15 -0
package/dist/verify-mode.js.map +1 -1
package/package.json +9 -8
package/src/index.ts +400 -9
package/src/runtime-compat.ts +201 -0
package/src/verify-mode.ts +32 -0
package/tests/reliability-contract.test.ts +136 -0
package/LICENSE +0 -201

package/dist/index.js CHANGED Viewed

@@ -35282,7 +35282,13 @@ function wrappy (fn, cb) {
 "use strict";
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.CLI_JSON_CONTRACT_VERSION = void 0;
+exports.RUNTIME_COMPATIBILITY_CONTRACT_VERSION = exports.RUNTIME_COMPATIBILITY_CONTRACT_ID = exports.CLI_JSON_CONTRACT_VERSION = void 0;
+exports.compareSemver = compareSemver;
+exports.isSemverAtLeast = isSemverAtLeast;
+exports.getMinimumCompatiblePeerVersion = getMinimumCompatiblePeerVersion;
+exports.getRuntimeMinimumPeerVersionMatrix = getRuntimeMinimumPeerVersionMatrix;
+exports.buildRuntimeCompatibilityDescriptor = buildRuntimeCompatibilityDescriptor;
+exports.evaluateRuntimePeerCompatibility = evaluateRuntimePeerCompatibility;
 exports.parseCliPlanJsonPayload = parseCliPlanJsonPayload;
 exports.parseCliApplyJsonPayload = parseCliApplyJsonPayload;
 exports.parseCliVerifyJsonPayload = parseCliVerifyJsonPayload;
@@ -35291,7 +35297,24 @@ exports.parseCliShipJsonPayload = parseCliShipJsonPayload;
 exports.parseCliShipRunsJsonPayload = parseCliShipRunsJsonPayload;
 exports.parseCliShipResumeJsonPayload = parseCliShipResumeJsonPayload;
 exports.parseCliShipAttestationVerifyJsonPayload = parseCliShipAttestationVerifyJsonPayload;
+exports.parseCliCompatJsonPayload = parseCliCompatJsonPayload;
 exports.CLI_JSON_CONTRACT_VERSION = '2026-04-04';
+exports.RUNTIME_COMPATIBILITY_CONTRACT_ID = 'neurcode-runtime-compatibility';
+exports.RUNTIME_COMPATIBILITY_CONTRACT_VERSION = '2026-04-04';
+const RUNTIME_MINIMUM_PEER_VERSIONS = {
+    cli: {
+        action: '0.2.1',
+        api: '0.2.0',
+    },
+    action: {
+        cli: '0.9.35',
+        api: '0.2.0',
+    },
+    api: {
+        cli: '0.9.35',
+        action: '0.2.1',
+    },
+};
 function asRecord(value, label) {
     if (!value || typeof value !== 'object' || Array.isArray(value)) {
         throw new Error(`${label}: expected object`);
@@ -35347,6 +35370,125 @@ function asContractVersion(record) {
     }
     return value;
 }
+function asRuntimeComponent(record, key, label) {
+    const value = asString(record, key, label);
+    if (value === 'cli' || value === 'action' || value === 'api') {
+        return value;
+    }
+    throw new Error(`${label}: expected ${key}:("cli"|"action"|"api")`);
+}
+function parseRuntimeMinimumPeerVersions(value, label) {
+    if (value === undefined || value === null)
+        return {};
+    const record = asRecord(value, `${label}.minimumPeerVersions`);
+    const next = {};
+    for (const component of ['cli', 'action', 'api']) {
+        const componentValue = record[component];
+        if (componentValue === undefined)
+            continue;
+        if (typeof componentValue !== 'string' || !componentValue.trim()) {
+            throw new Error(`${label}.minimumPeerVersions: expected ${component}:string`);
+        }
+        next[component] = componentValue.trim();
+    }
+    return next;
+}
+function parseRuntimeCompatibilityDescriptor(value, label) {
+    const record = asRecord(value, `${label}.compatibility`);
+    return {
+        contractId: asString(record, 'contractId', `${label}.compatibility`),
+        runtimeContractVersion: asString(record, 'runtimeContractVersion', `${label}.compatibility`),
+        cliJsonContractVersion: asString(record, 'cliJsonContractVersion', `${label}.compatibility`),
+        component: asRuntimeComponent(record, 'component', `${label}.compatibility`),
+        componentVersion: asString(record, 'componentVersion', `${label}.compatibility`),
+        minimumPeerVersions: parseRuntimeMinimumPeerVersions(record.minimumPeerVersions, `${label}.compatibility`),
+    };
+}
+function parseSemver(value) {
+    const normalized = value.trim().replace(/^v/i, '').split('+')[0].split('-')[0];
+    const match = normalized.match(/^(\d+)\.(\d+)\.(\d+)$/);
+    if (!match)
+        return null;
+    const major = Number(match[1]);
+    const minor = Number(match[2]);
+    const patch = Number(match[3]);
+    if (!Number.isFinite(major) || !Number.isFinite(minor) || !Number.isFinite(patch)) {
+        return null;
+    }
+    return [major, minor, patch];
+}
+function compareSemver(left, right) {
+    const l = parseSemver(left);
+    const r = parseSemver(right);
+    if (!l || !r)
+        return null;
+    for (let idx = 0; idx < 3; idx += 1) {
+        if (l[idx] > r[idx])
+            return 1;
+        if (l[idx] < r[idx])
+            return -1;
+    }
+    return 0;
+}
+function isSemverAtLeast(actual, minimum) {
+    const compare = compareSemver(actual, minimum);
+    if (compare === null)
+        return null;
+    return compare >= 0;
+}
+function getMinimumCompatiblePeerVersion(component, peer) {
+    return RUNTIME_MINIMUM_PEER_VERSIONS[component][peer];
+}
+function getRuntimeMinimumPeerVersionMatrix() {
+    return {
+        cli: { ...RUNTIME_MINIMUM_PEER_VERSIONS.cli },
+        action: { ...RUNTIME_MINIMUM_PEER_VERSIONS.action },
+        api: { ...RUNTIME_MINIMUM_PEER_VERSIONS.api },
+    };
+}
+function buildRuntimeCompatibilityDescriptor(component, componentVersion) {
+    return {
+        contractId: exports.RUNTIME_COMPATIBILITY_CONTRACT_ID,
+        runtimeContractVersion: exports.RUNTIME_COMPATIBILITY_CONTRACT_VERSION,
+        cliJsonContractVersion: exports.CLI_JSON_CONTRACT_VERSION,
+        component,
+        componentVersion,
+        minimumPeerVersions: { ...RUNTIME_MINIMUM_PEER_VERSIONS[component] },
+    };
+}
+function evaluateRuntimePeerCompatibility(versions) {
+    const issues = [];
+    for (const component of ['cli', 'action', 'api']) {
+        for (const peer of ['cli', 'action', 'api']) {
+            if (peer === component)
+                continue;
+            const required = getMinimumCompatiblePeerVersion(component, peer);
+            if (!required)
+                continue;
+            const actual = versions[peer];
+            const compatible = isSemverAtLeast(actual, required);
+            if (compatible === null) {
+                issues.push({
+                    component,
+                    peer,
+                    required,
+                    actual,
+                    code: 'UNPARSABLE_VERSION',
+                });
+            }
+            else if (!compatible) {
+                issues.push({
+                    component,
+                    peer,
+                    required,
+                    actual,
+                    code: 'VERSION_BELOW_MINIMUM',
+                });
+            }
+        }
+    }
+    return issues;
+}
 function parseCliPlanJsonPayload(value, label = 'plan') {
     const record = asRecord(value, label);
     return {
@@ -35446,6 +35588,22 @@ function parseCliShipAttestationVerifyJsonPayload(value, label = 'ship-attestati
         digest: asOptionalRecord(record, 'digest', label),
     };
 }
+function parseCliCompatJsonPayload(value, label = 'compat') {
+    const record = asRecord(value, label);
+    const component = asString(record, 'component', label);
+    if (component !== 'cli') {
+        throw new Error(`${label}: expected component:"cli"`);
+    }
+    return {
+        ...record,
+        contractVersion: asContractVersion(record),
+        success: asBoolean(record, 'success', label),
+        timestamp: asString(record, 'timestamp', label),
+        component: 'cli',
+        componentVersion: asString(record, 'componentVersion', label),
+        compatibility: parseRuntimeCompatibilityDescriptor(record.compatibility, label),
+    };
+}
 //# sourceMappingURL=index.js.map
 /***/ }),
@@ -35494,8 +35652,11 @@ const exec = __importStar(__nccwpck_require__(7167));
 const github = __importStar(__nccwpck_require__(5251));
 const contracts_1 = __nccwpck_require__(7239);
 const fs_1 = __nccwpck_require__(9896);
+const http = __importStar(__nccwpck_require__(8611));
+const https = __importStar(__nccwpck_require__(5692));
 const path_1 = __nccwpck_require__(6928);
 const verify_mode_1 = __nccwpck_require__(4288);
+const runtime_compat_1 = __nccwpck_require__(5654);
 const ANSI_PATTERN = /\u001b\[[0-9;]*m/g;
 const NON_FAST_FORWARD_PATTERNS = [
     'non-fast-forward',
@@ -35543,6 +35704,17 @@ function parseBoolean(input, fallback) {
         return false;
     return fallback;
 }
+function parseBooleanOrUndefined(input) {
+    if (input === undefined || input === null || input.trim() === '') {
+        return undefined;
+    }
+    const normalized = input.trim().toLowerCase();
+    if (['1', 'true', 'yes', 'on'].includes(normalized))
+        return true;
+    if (['0', 'false', 'no', 'off'].includes(normalized))
+        return false;
+    return undefined;
+}
 function parsePositiveInt(input, fallback, min, max) {
     const parsed = Number(input);
     if (!Number.isFinite(parsed))
@@ -35664,6 +35836,56 @@ function readJsonFile(path) {
         return null;
     }
 }
+function assertStrictDeterministicArtifacts(input) {
+    if (!input.strictMode)
+        return;
+    const errors = [];
+    if (!input.supportsCompiledPolicy) {
+        errors.push('Current CLI does not support --compiled-policy, but strict mode requires a compiled policy artifact.');
+    }
+    if (!input.supportsChangeContract) {
+        errors.push('Current CLI does not support --change-contract, but strict mode requires a change contract artifact.');
+    }
+    const compiledPath = input.compiledPolicyPath?.trim();
+    if (!compiledPath) {
+        errors.push('Missing compiled policy artifact path in strict mode (compiled_policy_path).');
+    }
+    else {
+        const absoluteCompiledPath = (0, path_1.resolve)(input.cwd, compiledPath);
+        const compiled = readJsonFile(absoluteCompiledPath);
+        if (!compiled) {
+            errors.push(`Compiled policy artifact not found or invalid JSON: ${compiledPath}`);
+        }
+        else {
+            const hasFingerprint = typeof compiled.fingerprint === 'string' && compiled.fingerprint.trim().length > 0;
+            const hasRules = Array.isArray(compiled.rules) || Array.isArray(compiled.statements);
+            if (!hasFingerprint && !hasRules) {
+                errors.push(`Compiled policy artifact appears invalid (missing fingerprint/rules): ${compiledPath}`);
+            }
+        }
+    }
+    const contractPath = input.changeContractPath?.trim();
+    if (!contractPath) {
+        errors.push('Missing change contract artifact path in strict mode (change_contract_path).');
+    }
+    else {
+        const absoluteContractPath = (0, path_1.resolve)(input.cwd, contractPath);
+        const contract = readJsonFile(absoluteContractPath);
+        if (!contract) {
+            errors.push(`Change contract artifact not found or invalid JSON: ${contractPath}`);
+        }
+        else {
+            const hasContractId = typeof contract.contractId === 'string' && contract.contractId.trim().length > 0;
+            const hasPlanId = typeof contract.planId === 'string' && contract.planId.trim().length > 0;
+            if (!hasContractId || !hasPlanId) {
+                errors.push(`Change contract artifact appears invalid (missing contractId/planId): ${contractPath}`);
+            }
+        }
+    }
+    if (errors.length > 0) {
+        throw new Error(`Strict enterprise mode requires deterministic compiled-policy + change-contract artifacts:\n- ${errors.join('\n- ')}`);
+    }
+}
 function detectProjectOrgId(cwd) {
     const statePath = (0, path_1.join)(cwd, '.neurcode', 'config.json');
     const state = readJsonFile(statePath);
@@ -35732,6 +35954,154 @@ function extractLastJsonObject(output) {
     }
     return null;
 }
+function resolveActionPackageVersion() {
+    const fromEnv = process.env.NEURCODE_ACTION_VERSION || process.env.npm_package_version;
+    if (fromEnv && fromEnv.trim()) {
+        return fromEnv.trim();
+    }
+    const candidates = [
+        (0, path_1.resolve)(__dirname, '../package.json'),
+        (0, path_1.resolve)(process.cwd(), 'package.json'),
+    ];
+    for (const candidate of candidates) {
+        try {
+            if (!(0, fs_1.existsSync)(candidate))
+                continue;
+            const parsed = JSON.parse((0, fs_1.readFileSync)(candidate, 'utf-8'));
+            const version = parsed?.version;
+            if (typeof version === 'string' && version.trim()) {
+                return version.trim();
+            }
+        }
+        catch {
+            // Ignore and continue to next candidate.
+        }
+    }
+    return '0.0.0';
+}
+function normalizeApiBaseUrl(value) {
+    return value.trim().replace(/\/+$/, '');
+}
+function requestJson(url, timeoutMs) {
+    return new Promise((resolvePromise, rejectPromise) => {
+        let target;
+        try {
+            target = new URL(url);
+        }
+        catch (error) {
+            rejectPromise(new Error(`Invalid API URL: ${url} (${error instanceof Error ? error.message : String(error)})`));
+            return;
+        }
+        const transport = target.protocol === 'http:' ? http : https;
+        const request = transport.request({
+            protocol: target.protocol,
+            hostname: target.hostname,
+            port: target.port || undefined,
+            path: `${target.pathname}${target.search}`,
+            method: 'GET',
+            headers: {
+                Accept: 'application/json',
+                'User-Agent': 'neurcode-action/runtime-compat',
+            },
+        }, (response) => {
+            let body = '';
+            response.setEncoding('utf8');
+            response.on('data', (chunk) => {
+                body += chunk;
+            });
+            response.on('end', () => {
+                let payload = null;
+                try {
+                    payload = body ? JSON.parse(body) : null;
+                }
+                catch {
+                    payload = null;
+                }
+                resolvePromise({
+                    statusCode: response.statusCode || 0,
+                    body,
+                    payload,
+                    url,
+                });
+            });
+        });
+        request.on('error', (error) => {
+            rejectPromise(new Error(`Request failed for ${url}: ${error.message}`));
+        });
+        request.setTimeout(timeoutMs, () => {
+            request.destroy(new Error(`Request timed out after ${timeoutMs}ms`));
+        });
+        request.end();
+    });
+}
+async function resolveApiHealthPayload(apiBaseUrl, timeoutMs) {
+    const baseUrl = normalizeApiBaseUrl(apiBaseUrl);
+    const candidates = [`${baseUrl}/api/v1/health`, `${baseUrl}/health`];
+    const failures = [];
+    for (const url of candidates) {
+        try {
+            const response = await requestJson(url, timeoutMs);
+            const payload = response.payload;
+            const statusValue = payload && typeof payload === 'object' && !Array.isArray(payload)
+                ? payload.status
+                : null;
+            if (response.statusCode >= 200 && response.statusCode < 300 && statusValue === 'ok') {
+                return payload;
+            }
+            failures.push(`${url} returned ${response.statusCode}`);
+        }
+        catch (error) {
+            failures.push(error instanceof Error ? error.message : String(error));
+        }
+    }
+    throw new Error(`API compatibility probe failed (${failures.join(' | ')}).`);
+}
+async function runCompatibilityHandshake(input) {
+    const actionVersion = resolveActionPackageVersion();
+    const compatCommand = withCliCommandTimeout(input.cli, ['compat', '--json'], input.timeoutMinutes);
+    const compatResult = await runCommand(compatCommand.cmd, compatCommand.args, { cwd: input.cwd });
+    if (compatResult.exitCode !== 0) {
+        throw new Error(`Compatibility handshake failed: unable to run "neurcode compat --json". ` +
+            `Output: ${stripAnsi(compatResult.output).trim() || 'no output'}`);
+    }
+    const cliCompatPayload = extractLastJsonObject(compatResult.output);
+    if (!cliCompatPayload) {
+        throw new Error('Compatibility handshake failed: CLI compat output did not contain JSON.');
+    }
+    const cliCompatibility = (0, runtime_compat_1.parseCliCompatibilityPayload)(cliCompatPayload);
+    let apiCompatibility = null;
+    let apiVersion;
+    if (input.apiUrl) {
+        const apiHealthPayload = await resolveApiHealthPayload(input.apiUrl, 10000);
+        apiCompatibility = (0, runtime_compat_1.parseApiHealthCompatibilityPayload)(apiHealthPayload);
+        if (!apiCompatibility && input.requireApiCompatibility) {
+            throw new Error('Compatibility handshake failed: API health payload does not include compatibility metadata.');
+        }
+        if (apiCompatibility?.componentVersion) {
+            apiVersion = apiCompatibility.componentVersion;
+        }
+        else if (apiHealthPayload
+            && typeof apiHealthPayload === 'object'
+            && !Array.isArray(apiHealthPayload)
+            && typeof apiHealthPayload.version === 'string') {
+            apiVersion = apiHealthPayload.version;
+        }
+    }
+    const errors = (0, runtime_compat_1.validateActionHandshake)({
+        actionVersion,
+        cliCompatibility,
+        apiCompatibility,
+        requireApiCompatibility: input.requireApiCompatibility && Boolean(input.apiUrl),
+    });
+    if (errors.length > 0) {
+        throw new Error(`Compatibility handshake failed:\n- ${errors.join('\n- ')}`);
+    }
+    return {
+        actionVersion,
+        cliVersion: cliCompatibility.componentVersion,
+        apiVersion,
+    };
+}
 function parseVerifyResult(output) {
     const parsed = extractLastJsonObject(output);
     if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
@@ -36140,6 +36510,24 @@ async function ensureCliInstalled(input) {
 function withCliCommandTimeout(cli, args, timeoutMinutes) {
     return withCommandTimeout(cli.cmd, [...cli.argsPrefix, ...args], timeoutMinutes);
 }
+async function resolveVerifyCapabilities(cli, cwd) {
+    const helpCommand = withCliCommandTimeout(cli, ['verify', '--help'], 2);
+    const helpResult = await runCommand(helpCommand.cmd, helpCommand.args, { cwd });
+    if (helpResult.exitCode !== 0) {
+        core.warning('Unable to detect verify flag capabilities; defaulting to full verify flag set.');
+        return {
+            supportsCompiledPolicy: true,
+            supportsChangeContract: true,
+            supportsEnforceChangeContract: true,
+        };
+    }
+    const helpText = stripAnsi(helpResult.output).toLowerCase();
+    return {
+        supportsCompiledPolicy: helpText.includes('--compiled-policy'),
+        supportsChangeContract: helpText.includes('--change-contract'),
+        supportsEnforceChangeContract: helpText.includes('--enforce-change-contract'),
+    };
+}
 async function resolveCliInvocation(cwd) {
     const direct = await runCommand('neurcode', ['--version'], { cwd });
     if (direct.exitCode === 0) {
@@ -36353,10 +36741,15 @@ async function run() {
         const cliInstallSource = parseCliInstallSource(core.getInput('neurcode_cli_source'));
         const cliWorkspacePath = core.getInput('neurcode_cli_workspace_path') || 'packages/cli';
         const verifyTimeoutMinutes = parsePositiveInt(core.getInput('verify_timeout_minutes'), 8, 1, 120);
+        const enforceCompatibilityHandshake = parseBoolean(core.getInput('enforce_compatibility_handshake'), true);
+        const requireApiCompatibilityHandshake = parseBoolean(core.getInput('require_api_compatibility_handshake'), true);
+        const compatibilityProbeTimeoutMinutes = parsePositiveInt(core.getInput('compatibility_probe_timeout_minutes'), 2, 1, 15);
+        const configuredApiUrl = (process.env.NEURCODE_API_URL || '').trim();
         const verifyPolicyOnly = parseBoolean(core.getInput('verify_policy_only'), false);
+        const enterpriseMode = parseBoolean(core.getInput('enterprise_mode'), true);
         const compiledPolicyPath = (core.getInput('compiled_policy_path') || 'neurcode.policy.compiled.json').trim();
         const changeContractPath = (core.getInput('change_contract_path') || '.neurcode/change-contract.json').trim();
-        const enforceChangeContract = parseBoolean(core.getInput('enforce_change_contract'), false);
+        const enforceChangeContractOverride = parseBooleanOrUndefined(core.getInput('enforce_change_contract'));
         const changedFilesOnly = parseBoolean(core.getInput('changed_files_only'), false);
         const autoRemediate = parseBoolean(core.getInput('auto_remediate'), false);
         const remediationGoalInput = core.getInput('remediation_goal') || '';
@@ -36370,7 +36763,15 @@ async function run() {
         const shipNetworkRetryDelaySeconds = parsePositiveInt(core.getInput('ship_network_retry_delay_seconds'), 5, 0, 30);
         const remediationCommit = parseBoolean(core.getInput('remediation_commit'), false);
         const remediationPush = parseBoolean(core.getInput('remediation_push'), false);
-        const enforceStrictVerification = parseBoolean(core.getInput('enforce_strict_verification'), false);
+        const enforceStrictVerificationOverride = parseBooleanOrUndefined(core.getInput('enforce_strict_verification'));
+        const enterpriseEnforcement = (0, verify_mode_1.resolveEnterpriseEnforcement)({
+            enterpriseMode,
+            verifyPolicyOnly,
+            enforceChangeContract: enforceChangeContractOverride,
+            enforceStrictVerification: enforceStrictVerificationOverride,
+        });
+        let enforceChangeContract = enterpriseEnforcement.enforceChangeContract;
+        const enforceStrictVerification = enterpriseEnforcement.enforceStrictVerification;
         const verifyAfterRemediation = parseBoolean(core.getInput('verify_after_remediation'), true);
         const verifyAfterRemediationTimeoutMinutes = parsePositiveInt(core.getInput('verify_after_remediation_timeout_minutes'), verifyTimeoutMinutes, 1, 120);
         const requireRemediationPushSuccess = parseBoolean(core.getInput('require_remediation_push_success'), false);
@@ -36398,6 +36799,52 @@ async function run() {
             source: cliInstallSource,
             workspacePath: cliWorkspacePath,
         });
+        if (enforceCompatibilityHandshake) {
+            const handshake = await runCompatibilityHandshake({
+                cli: cliInvocation,
+                cwd,
+                timeoutMinutes: compatibilityProbeTimeoutMinutes,
+                apiUrl: configuredApiUrl || undefined,
+                requireApiCompatibility: requireApiCompatibilityHandshake,
+            });
+            core.info(`Compatibility handshake passed (action=${handshake.actionVersion}, cli=${handshake.cliVersion}${handshake.apiVersion ? `, api=${handshake.apiVersion}` : ''}).`);
+            core.setOutput('compatibility_handshake', 'passed');
+            core.setOutput('compatibility_contract_version', contracts_1.RUNTIME_COMPATIBILITY_CONTRACT_VERSION);
+            core.setOutput('compatibility_action_version', handshake.actionVersion);
+            core.setOutput('compatibility_cli_version', handshake.cliVersion);
+            if (handshake.apiVersion) {
+                core.setOutput('compatibility_api_version', handshake.apiVersion);
+            }
+        }
+        else {
+            core.warning('Compatibility handshake is disabled via enforce_compatibility_handshake=false.');
+            core.setOutput('compatibility_handshake', 'skipped');
+        }
+        const verifyCapabilities = await resolveVerifyCapabilities(cliInvocation, cwd);
+        const effectiveCompiledPolicyPath = verifyCapabilities.supportsCompiledPolicy
+            ? (compiledPolicyPath || undefined)
+            : undefined;
+        const effectiveChangeContractPath = verifyCapabilities.supportsChangeContract
+            ? (changeContractPath || undefined)
+            : undefined;
+        if (!verifyCapabilities.supportsCompiledPolicy && compiledPolicyPath) {
+            core.warning('CLI does not support --compiled-policy; compiled policy artifact input will be ignored.');
+        }
+        if (!verifyCapabilities.supportsChangeContract && changeContractPath) {
+            core.warning('CLI does not support --change-contract; contract path input will be ignored.');
+        }
+        if (enforceChangeContract && !verifyCapabilities.supportsEnforceChangeContract) {
+            core.warning('CLI does not support --enforce-change-contract; contract hard-fail mode will be disabled.');
+            enforceChangeContract = false;
+        }
+        assertStrictDeterministicArtifacts({
+            cwd,
+            strictMode: enforceStrictVerification,
+            compiledPolicyPath: effectiveCompiledPolicyPath,
+            changeContractPath: effectiveChangeContractPath,
+            supportsCompiledPolicy: verifyCapabilities.supportsCompiledPolicy,
+            supportsChangeContract: verifyCapabilities.supportsChangeContract,
+        });
         const pr = github.context.payload.pull_request;
         const defaultBaseRef = pr ? `origin/${pr.base.ref}` : 'HEAD~1';
         const baseRef = baseRefInput.trim() || defaultBaseRef;
@@ -36405,6 +36852,9 @@ async function run() {
             ? `Running verify in PR context against ${baseRef}`
             : `Running verify in push context against ${baseRef}`);
         core.info(`Verification mode: ${verifyPolicyOnly ? 'policy-only' : 'plan-aware'}`);
+        core.info(`Enterprise mode: ${enterpriseMode ? 'enabled' : 'disabled'}`);
+        core.info(`Verify capabilities => compiled_policy=${verifyCapabilities.supportsCompiledPolicy}, change_contract=${verifyCapabilities.supportsChangeContract}, enforce_change_contract=${verifyCapabilities.supportsEnforceChangeContract}`);
+        core.info(`Enterprise enforcement => enforce_change_contract=${enforceChangeContract}, enforce_strict_verification=${enforceStrictVerification}`);
         let changedFiles = new Set();
         if (changedFilesOnly) {
             const changedFilesRun = await runCommand('git', ['diff', '--name-only', `${baseRef}...HEAD`], { cwd });
@@ -36417,6 +36867,7 @@ async function run() {
             }
         }
         let effectiveVerifyPolicyOnly = verifyPolicyOnly;
+        let effectiveEnforceChangeContract = enforceChangeContract;
         const hasExplicitPlanId = Boolean(planId && planId.trim());
         let policyOnlyFallbackUsed = false;
         let fallbackFailureHint = null;
@@ -36426,9 +36877,10 @@ async function run() {
             projectId: projectId || undefined,
             policyOnly: effectiveVerifyPolicyOnly,
             record,
-            compiledPolicyPath: compiledPolicyPath || undefined,
-            changeContractPath: changeContractPath || undefined,
-            enforceChangeContract,
+            compiledPolicyPath: effectiveCompiledPolicyPath,
+            changeContractPath: effectiveChangeContractPath,
+            enforceChangeContract: effectiveEnforceChangeContract,
+            strictArtifacts: enforceStrictVerification,
         });
         let verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
         let verifyRun = await runCommand(verifyCommand.cmd, verifyCommand.args, {
@@ -36451,15 +36903,22 @@ async function run() {
             core.warning('Plan-aware verification failed due to missing plan context. Retrying with --policy-only fallback.');
             policyOnlyFallbackUsed = true;
             effectiveVerifyPolicyOnly = true;
+            effectiveEnforceChangeContract =
+                (typeof enforceChangeContractOverride === 'boolean' ? enforceChangeContractOverride : false)
+                    && verifyCapabilities.supportsEnforceChangeContract;
+            if (typeof enforceChangeContractOverride !== 'boolean' && enforceChangeContract) {
+                core.info('Policy-only fallback detected; auto-disabling change-contract hard-fail for fallback run.');
+            }
             verifyArgs = (0, verify_mode_1.buildVerifyArgs)({
                 baseRef,
                 projectId: projectId || undefined,
                 planId: undefined,
                 policyOnly: true,
                 record,
-                compiledPolicyPath: compiledPolicyPath || undefined,
-                changeContractPath: changeContractPath || undefined,
-                enforceChangeContract,
+                compiledPolicyPath: effectiveCompiledPolicyPath,
+                changeContractPath: effectiveChangeContractPath,
+                enforceChangeContract: effectiveEnforceChangeContract,
+                strictArtifacts: enforceStrictVerification,
             });
             verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
             verifyRun = await runCommand(verifyCommand.cmd, verifyCommand.args, {
@@ -36715,6 +37174,9 @@ async function run() {
                 : 'plan_aware';
         core.setOutput('verify_mode', verifyModeOutput);
         core.setOutput('policy_only_fallback_used', policyOnlyFallbackUsed ? 'true' : 'false');
+        core.setOutput('enterprise_mode_active', enterpriseMode ? 'true' : 'false');
+        core.setOutput('enterprise_enforced_change_contract', effectiveEnforceChangeContract ? 'true' : 'false');
+        core.setOutput('enterprise_enforced_strict_verification', enforceStrictVerification ? 'true' : 'false');
         if (remediation) {
             core.setOutput('remediation_status', remediation.status);
             core.setOutput('merge_confidence', remediation.mergeConfidence);
@@ -36762,6 +37224,138 @@ async function run() {
 run();
+/***/ }),
+/***/ 5654:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+"use strict";
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.parseCliCompatibilityPayload = parseCliCompatibilityPayload;
+exports.parseApiHealthCompatibilityPayload = parseApiHealthCompatibilityPayload;
+exports.validateActionHandshake = validateActionHandshake;
+const contracts_1 = __nccwpck_require__(7239);
+function asRecord(value, label) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error(`${label}: expected object`);
+    }
+    return value;
+}
+function asString(record, key, label) {
+    const value = record[key];
+    if (typeof value !== 'string' || !value.trim()) {
+        throw new Error(`${label}: expected ${key}:string`);
+    }
+    return value.trim();
+}
+function asRuntimeComponent(value, label) {
+    if (value === 'cli' || value === 'action' || value === 'api') {
+        return value;
+    }
+    throw new Error(`${label}: expected component "cli" | "action" | "api"`);
+}
+function parseMinimumPeerVersions(value, label) {
+    if (value === undefined || value === null)
+        return {};
+    const record = asRecord(value, `${label}.minimumPeerVersions`);
+    const next = {};
+    for (const component of ['cli', 'action', 'api']) {
+        const item = record[component];
+        if (item === undefined)
+            continue;
+        if (typeof item !== 'string' || !item.trim()) {
+            throw new Error(`${label}.minimumPeerVersions: expected ${component}:string`);
+        }
+        next[component] = item.trim();
+    }
+    return next;
+}
+function parseDescriptor(value, label) {
+    const record = asRecord(value, label);
+    return {
+        contractId: asString(record, 'contractId', label),
+        runtimeContractVersion: asString(record, 'runtimeContractVersion', label),
+        cliJsonContractVersion: asString(record, 'cliJsonContractVersion', label),
+        component: asRuntimeComponent(asString(record, 'component', label), label),
+        componentVersion: asString(record, 'componentVersion', label),
+        minimumPeerVersions: parseMinimumPeerVersions(record.minimumPeerVersions, label),
+    };
+}
+function parseCliCompatibilityPayload(value) {
+    const parsed = (0, contracts_1.parseCliCompatJsonPayload)(value, 'action-cli-compat');
+    if (parsed.success !== true) {
+        throw new Error('action-cli-compat: success=false');
+    }
+    const descriptor = parseDescriptor(parsed.compatibility, 'action-cli-compat.compatibility');
+    return {
+        source: 'cli',
+        ...descriptor,
+    };
+}
+function parseApiHealthCompatibilityPayload(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return null;
+    }
+    const record = value;
+    if (!record.compatibility) {
+        return null;
+    }
+    const descriptor = parseDescriptor(record.compatibility, 'action-api-compat.compatibility');
+    return {
+        source: 'api',
+        ...descriptor,
+    };
+}
+function validateVersionMinimum(label, actual, required, errors) {
+    if (!required)
+        return;
+    const isCompatible = (0, contracts_1.isSemverAtLeast)(actual, required);
+    if (isCompatible === null) {
+        errors.push(`${label}: unable to compare versions (actual=${actual}, required=${required}).`);
+        return;
+    }
+    if (!isCompatible) {
+        errors.push(`${label}: actual=${actual} is below required=${required}.`);
+    }
+}
+function validateContractEnvelope(descriptor, expectedComponent, errors) {
+    if (descriptor.component !== expectedComponent) {
+        errors.push(`${descriptor.source} compatibility payload expected component=${expectedComponent} but received ${descriptor.component}.`);
+    }
+    if (descriptor.contractId !== contracts_1.RUNTIME_COMPATIBILITY_CONTRACT_ID) {
+        errors.push(`${descriptor.source} compatibility payload has unexpected contractId=${descriptor.contractId} (expected ${contracts_1.RUNTIME_COMPATIBILITY_CONTRACT_ID}).`);
+    }
+    if (descriptor.runtimeContractVersion !== contracts_1.RUNTIME_COMPATIBILITY_CONTRACT_VERSION) {
+        errors.push(`${descriptor.source} compatibility payload has runtimeContractVersion=${descriptor.runtimeContractVersion} (expected ${contracts_1.RUNTIME_COMPATIBILITY_CONTRACT_VERSION}).`);
+    }
+    if (descriptor.cliJsonContractVersion !== contracts_1.CLI_JSON_CONTRACT_VERSION) {
+        errors.push(`${descriptor.source} compatibility payload has cliJsonContractVersion=${descriptor.cliJsonContractVersion} (expected ${contracts_1.CLI_JSON_CONTRACT_VERSION}).`);
+    }
+}
+function validateActionHandshake(input) {
+    const errors = [];
+    const { actionVersion, cliCompatibility } = input;
+    const apiCompatibility = input.apiCompatibility || null;
+    const requireApiCompatibility = input.requireApiCompatibility === true;
+    validateContractEnvelope(cliCompatibility, 'cli', errors);
+    validateVersionMinimum('CLI version required by action', cliCompatibility.componentVersion, (0, contracts_1.getMinimumCompatiblePeerVersion)('action', 'cli'), errors);
+    validateVersionMinimum('Action version required by CLI payload', actionVersion, cliCompatibility.minimumPeerVersions.action, errors);
+    if (!apiCompatibility) {
+        if (requireApiCompatibility) {
+            errors.push('API compatibility payload missing while API compatibility handshake is required.');
+        }
+        return errors;
+    }
+    validateContractEnvelope(apiCompatibility, 'api', errors);
+    validateVersionMinimum('API version required by action', apiCompatibility.componentVersion, (0, contracts_1.getMinimumCompatiblePeerVersion)('action', 'api'), errors);
+    validateVersionMinimum('Action version required by API payload', actionVersion, apiCompatibility.minimumPeerVersions.action, errors);
+    validateVersionMinimum('CLI version required by API payload', cliCompatibility.componentVersion, apiCompatibility.minimumPeerVersions.cli, errors);
+    validateVersionMinimum('API version required by CLI payload', apiCompatibility.componentVersion, cliCompatibility.minimumPeerVersions.api, errors);
+    return errors;
+}
 /***/ }),
 /***/ 4288:
@@ -36772,6 +37366,7 @@ run();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.isMissingPlanVerificationFailure = isMissingPlanVerificationFailure;
 exports.buildVerifyArgs = buildVerifyArgs;
+exports.resolveEnterpriseEnforcement = resolveEnterpriseEnforcement;
 exports.getVerifyFallbackDecision = getVerifyFallbackDecision;
 const ANSI_PATTERN = /\u001b\[[0-9;]*m/g;
 const MISSING_PLAN_VERIFY_PATTERNS = [
@@ -36807,10 +37402,24 @@ function buildVerifyArgs(input) {
         args.push('--change-contract', input.changeContractPath);
     if (input.enforceChangeContract)
         args.push('--enforce-change-contract');
+    if (input.strictArtifacts)
+        args.push('--strict-artifacts');
     if (input.record)
         args.push('--record');
     return args;
 }
+function resolveEnterpriseEnforcement(input) {
+    const enforceChangeContract = typeof input.enforceChangeContract === 'boolean'
+        ? input.enforceChangeContract
+        : (input.enterpriseMode && !input.verifyPolicyOnly);
+    const enforceStrictVerification = typeof input.enforceStrictVerification === 'boolean'
+        ? input.enforceStrictVerification
+        : input.enterpriseMode;
+    return {
+        enforceChangeContract,
+        enforceStrictVerification,
+    };
+}
 function getVerifyFallbackDecision(input) {
     if (input.verifyExitCode === 0) {
         return { shouldRetryPolicyOnly: false, reason: 'verify_succeeded' };