@neuroverseos/governance 0.4.3 → 0.5.1

package/dist/cli/neuroverse.cjs

@@ -2002,10 +2002,10 @@ __export(world_loader_exports, {
 });
 async function loadWorldFromDirectory(dirPath) {
   const { readFile: readFile3 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const { readdirSync: readdirSync5 } = await import("fs");
+  const { join: join13 } = await import("path");
+  const { readdirSync: readdirSync6 } = await import("fs");
   async function readJson(filename) {
-    const filePath = join9(dirPath, filename);
+    const filePath = join13(dirPath, filename);
     try {
       const content = await readFile3(filePath, "utf-8");
       return JSON.parse(content);
@@ -2035,11 +2035,11 @@ async function loadWorldFromDirectory(dirPath) {
   const metadataJson = await readJson("metadata.json");
   const rules = [];
   try {
-    const rulesDir = join9(dirPath, "rules");
-    const ruleFiles = readdirSync5(rulesDir).filter((f) => f.endsWith(".json")).sort();
+    const rulesDir = join13(dirPath, "rules");
+    const ruleFiles = readdirSync6(rulesDir).filter((f) => f.endsWith(".json")).sort();
     for (const file of ruleFiles) {
       try {
-        const content = await readFile3(join9(rulesDir, file), "utf-8");
+        const content = await readFile3(join13(rulesDir, file), "utf-8");
         rules.push(JSON.parse(content));
       } catch (err) {
         process.stderr.write(
@@ -2093,8 +2093,8 @@ async function loadWorld(worldPath) {
 }
 async function loadBundledWorld(name = DEFAULT_BUNDLED_WORLD) {
   const { readFile: readFile3 } = await import("fs/promises");
-  const { join: join9, dirname: dirname3 } = await import("path");
-  const { existsSync: existsSync6 } = await import("fs");
+  const { join: join13, dirname: dirname3 } = await import("path");
+  const { existsSync: existsSync9 } = await import("fs");
   const { fileURLToPath: fileURLToPath3 } = await import("url");
   const { parseWorldMarkdown: parseWorldMarkdown2 } = await Promise.resolve().then(() => (init_bootstrap_parser(), bootstrap_parser_exports));
   const { emitWorldDefinition: emitWorldDefinition2 } = await Promise.resolve().then(() => (init_bootstrap_emitter(), bootstrap_emitter_exports));
@@ -2102,16 +2102,16 @@ async function loadBundledWorld(name = DEFAULT_BUNDLED_WORLD) {
   let packageRoot;
   try {
     const thisFile = typeof __dirname !== "undefined" ? __dirname : dirname3(fileURLToPath3(import_meta.url));
-    packageRoot = join9(thisFile, "..", "..");
+    packageRoot = join13(thisFile, "..", "..");
   } catch {
     packageRoot = process.cwd();
   }
   const candidates = [
-    join9(packageRoot, "dist", "worlds", filename),
-    join9(packageRoot, "src", "worlds", filename)
+    join13(packageRoot, "dist", "worlds", filename),
+    join13(packageRoot, "src", "worlds", filename)
   ];
   for (const candidate of candidates) {
-    if (existsSync6(candidate)) {
+    if (existsSync9(candidate)) {
       const markdown = await readFile3(candidate, "utf-8");
       const parsed = parseWorldMarkdown2(markdown);
       if (!parsed.world) {
@@ -2141,8 +2141,8 @@ function slugify(text) {
 }
 async function addGuard(worldDir, input) {
   const { readFile: readFile3, writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const guardsPath = join9(worldDir, "guards.json");
+  const { join: join13 } = await import("path");
+  const guardsPath = join13(worldDir, "guards.json");
   let config;
   try {
     const raw = await readFile3(guardsPath, "utf-8");
@@ -2182,13 +2182,13 @@ async function addGuard(worldDir, input) {
 }
 async function addRule(worldDir, input) {
   const { readFile: readFile3, writeFile: writeFile5, mkdir: mkdir2 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const { readdirSync: readdirSync5 } = await import("fs");
-  const rulesDir = join9(worldDir, "rules");
+  const { join: join13 } = await import("path");
+  const { readdirSync: readdirSync6 } = await import("fs");
+  const rulesDir = join13(worldDir, "rules");
   await mkdir2(rulesDir, { recursive: true });
   let nextNum = 1;
   try {
-    const existing = readdirSync5(rulesDir).filter((f) => f.match(/^rule-\d+\.json$/)).sort();
+    const existing = readdirSync6(rulesDir).filter((f) => f.match(/^rule-\d+\.json$/)).sort();
     if (existing.length > 0) {
       const lastFile = existing[existing.length - 1];
       const match = lastFile.match(/rule-(\d+)\.json/);
@@ -2214,7 +2214,7 @@ async function addRule(worldDir, input) {
       effect_text: input.effects ? input.effects.map((e) => `${e.target} ${e.operation} ${e.value}`).join(", ") : "No direct effects"
     }
   };
-  const rulePath = join9(rulesDir, `rule-${ruleNum}.json`);
+  const rulePath = join13(rulesDir, `rule-${ruleNum}.json`);
   await writeFile5(rulePath, JSON.stringify(rule, null, 2) + "\n");
   const { loadWorldFromDirectory: loadWorldFromDirectory3 } = await Promise.resolve().then(() => (init_world_loader(), world_loader_exports));
   const world = await loadWorldFromDirectory3(worldDir);
@@ -2230,8 +2230,8 @@ async function addRule(worldDir, input) {
 }
 async function addInvariant(worldDir, input) {
   const { readFile: readFile3, writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const invariantsPath = join9(worldDir, "invariants.json");
+  const { join: join13 } = await import("path");
+  const invariantsPath = join13(worldDir, "invariants.json");
   let config;
   try {
     const raw = await readFile3(invariantsPath, "utf-8");
@@ -2849,27 +2849,27 @@ ${candidates.map((c) => `  - ${c}`).join("\n")}`
 }
 async function collectMarkdownSources(inputPath) {
   const { stat, readFile: rf, readdir } = await import("fs/promises");
-  const { join: pathJoin, extname: extname2, basename: basename2 } = await import("path");
+  const { join: pathJoin, extname: extname2, basename: basename3 } = await import("path");
   const stats = await stat(inputPath);
   if (stats.isFile()) {
     const content = await rf(inputPath, "utf-8");
-    return [{ filename: basename2(inputPath), content }];
+    return [{ filename: basename3(inputPath), content }];
   }
   if (stats.isDirectory()) {
     const sources = [];
-    await collectDir(inputPath, sources, rf, pathJoin, extname2, basename2);
+    await collectDir(inputPath, sources, rf, pathJoin, extname2, basename3);
     sources.sort((a, b) => a.filename.localeCompare(b.filename));
     return sources;
   }
   throw new Error(`Input path is neither a file nor a directory: ${inputPath}`);
 }
-async function collectDir(dir, sources, rf, pathJoin, extname2, basename2) {
+async function collectDir(dir, sources, rf, pathJoin, extname2, basename3) {
   const { readdir } = await import("fs/promises");
   const entries = await readdir(dir, { withFileTypes: true });
   for (const entry of entries) {
     const fullPath = pathJoin(dir, entry.name);
     if (entry.isDirectory()) {
-      await collectDir(fullPath, sources, rf, pathJoin, extname2, basename2);
+      await collectDir(fullPath, sources, rf, pathJoin, extname2, basename3);
     } else if (entry.isFile() && extname2(entry.name).toLowerCase() === ".md") {
       const content = await rf(fullPath, "utf-8");
       sources.push({ filename: entry.name, content });
@@ -3528,21 +3528,21 @@ function parseArgs2(argv) {
 }
 async function writeWorldFiles(outputDir, world) {
   const { writeFile: writeFile5, mkdir: mkdir2 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   await mkdir2(outputDir, { recursive: true });
-  await writeFile5(join9(outputDir, "world.json"), JSON.stringify(world.world, null, 2));
-  await writeFile5(join9(outputDir, "invariants.json"), JSON.stringify({ invariants: world.invariants }, null, 2));
-  await writeFile5(join9(outputDir, "assumptions.json"), JSON.stringify(world.assumptions, null, 2));
-  await writeFile5(join9(outputDir, "state-schema.json"), JSON.stringify(world.stateSchema, null, 2));
-  await writeFile5(join9(outputDir, "gates.json"), JSON.stringify(world.gates, null, 2));
-  await writeFile5(join9(outputDir, "outcomes.json"), JSON.stringify(world.outcomes, null, 2));
-  await writeFile5(join9(outputDir, "metadata.json"), JSON.stringify(world.metadata, null, 2));
-  const rulesDir = join9(outputDir, "rules");
+  await writeFile5(join13(outputDir, "world.json"), JSON.stringify(world.world, null, 2));
+  await writeFile5(join13(outputDir, "invariants.json"), JSON.stringify({ invariants: world.invariants }, null, 2));
+  await writeFile5(join13(outputDir, "assumptions.json"), JSON.stringify(world.assumptions, null, 2));
+  await writeFile5(join13(outputDir, "state-schema.json"), JSON.stringify(world.stateSchema, null, 2));
+  await writeFile5(join13(outputDir, "gates.json"), JSON.stringify(world.gates, null, 2));
+  await writeFile5(join13(outputDir, "outcomes.json"), JSON.stringify(world.outcomes, null, 2));
+  await writeFile5(join13(outputDir, "metadata.json"), JSON.stringify(world.metadata, null, 2));
+  const rulesDir = join13(outputDir, "rules");
   await mkdir2(rulesDir, { recursive: true });
   const sortedRules = [...world.rules].sort((a, b) => a.order - b.order);
   for (let i = 0; i < sortedRules.length; i++) {
     const ruleNum = String(i + 1).padStart(3, "0");
-    await writeFile5(join9(rulesDir, `rule-${ruleNum}.json`), JSON.stringify(sortedRules[i], null, 2));
+    await writeFile5(join13(rulesDir, `rule-${ruleNum}.json`), JSON.stringify(sortedRules[i], null, 2));
   }
 }
 function write(msg) {
@@ -3557,12 +3557,12 @@ function printInsight(finding2) {
 async function main2(argv = process.argv.slice(2)) {
   try {
     const args = parseArgs2(argv);
-    const { basename: basename2 } = await import("path");
+    const { basename: basename3 } = await import("path");
     write(`
 NeuroVerse World Builder
 `);
     write(`
-Analyzing: ${basename2(args.inputPath)}
+Analyzing: ${basename3(args.inputPath)}
 `);
     const derivedPath = args.outputDir ? `${args.outputDir}/source.nv-world.md` : ".neuroverse/build-output.nv-world.md";
     const { mkdir: mkdir2 } = await import("fs/promises");
@@ -3673,9 +3673,9 @@ World source written to: ${derivedPath}
     try {
       const emitResult = emitWorldDefinition(parseResult.world);
       await writeWorldFiles(outputDir, emitResult.world);
-      const { join: join9 } = await import("path");
+      const { join: join13 } = await import("path");
       const { copyFile } = await import("fs/promises");
-      const sourceDest = join9(outputDir, "source.nv-world.md");
+      const sourceDest = join13(outputDir, "source.nv-world.md");
       if (derivedPath !== sourceDest) {
         await copyFile(derivedPath, sourceDest);
       }
@@ -5009,8 +5009,8 @@ async function main6(argv = process.argv.slice(2)) {
   try {
     const args = parseArgs6(argv);
     const { writeFile: writeFile5 } = await import("fs/promises");
-    const { existsSync: existsSync6 } = await import("fs");
-    if (existsSync6(args.outputPath)) {
+    const { existsSync: existsSync9 } = await import("fs");
+    if (existsSync9(args.outputPath)) {
       process.stderr.write(`File already exists: ${args.outputPath}
 `);
       process.stderr.write("Use a different --output path or remove the existing file.\n");
@@ -5868,22 +5868,22 @@ function parseArgs9(argv) {
 }
 async function writeWorldFiles2(outputDir, world) {
   const { writeFile: writeFile5, mkdir: mkdir2 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   await mkdir2(outputDir, { recursive: true });
-  await writeFile5(join9(outputDir, "world.json"), JSON.stringify(world.world, null, 2));
-  await writeFile5(join9(outputDir, "invariants.json"), JSON.stringify({ invariants: world.invariants }, null, 2));
-  await writeFile5(join9(outputDir, "assumptions.json"), JSON.stringify(world.assumptions, null, 2));
-  await writeFile5(join9(outputDir, "state-schema.json"), JSON.stringify(world.stateSchema, null, 2));
-  const rulesDir = join9(outputDir, "rules");
+  await writeFile5(join13(outputDir, "world.json"), JSON.stringify(world.world, null, 2));
+  await writeFile5(join13(outputDir, "invariants.json"), JSON.stringify({ invariants: world.invariants }, null, 2));
+  await writeFile5(join13(outputDir, "assumptions.json"), JSON.stringify(world.assumptions, null, 2));
+  await writeFile5(join13(outputDir, "state-schema.json"), JSON.stringify(world.stateSchema, null, 2));
+  const rulesDir = join13(outputDir, "rules");
   await mkdir2(rulesDir, { recursive: true });
   const sortedRules = [...world.rules].sort((a, b) => a.order - b.order);
   for (let i = 0; i < sortedRules.length; i++) {
     const ruleNum = String(i + 1).padStart(3, "0");
-    await writeFile5(join9(rulesDir, `rule-${ruleNum}.json`), JSON.stringify(sortedRules[i], null, 2));
+    await writeFile5(join13(rulesDir, `rule-${ruleNum}.json`), JSON.stringify(sortedRules[i], null, 2));
   }
-  await writeFile5(join9(outputDir, "gates.json"), JSON.stringify(world.gates, null, 2));
-  await writeFile5(join9(outputDir, "outcomes.json"), JSON.stringify(world.outcomes, null, 2));
-  await writeFile5(join9(outputDir, "metadata.json"), JSON.stringify(world.metadata, null, 2));
+  await writeFile5(join13(outputDir, "gates.json"), JSON.stringify(world.gates, null, 2));
+  await writeFile5(join13(outputDir, "outcomes.json"), JSON.stringify(world.outcomes, null, 2));
+  await writeFile5(join13(outputDir, "metadata.json"), JSON.stringify(world.metadata, null, 2));
 }
 async function main9(argv = process.argv.slice(2)) {
   const startTime = performance.now();
@@ -7364,6 +7364,162 @@ var init_guard_contract = __esm({
   }
 });
 
+// src/engine/audit-logger.ts
+function verdictToAuditEvent(event, verdict) {
+  const auditEvent = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    worldId: verdict.evidence.worldId,
+    worldName: verdict.evidence.worldName,
+    worldVersion: verdict.evidence.worldVersion,
+    intent: event.intent,
+    tool: event.tool,
+    scope: event.scope,
+    actor: event.roleId,
+    direction: event.direction,
+    decision: verdict.status,
+    reason: verdict.reason,
+    ruleId: verdict.ruleId,
+    warning: verdict.warning,
+    guardsMatched: verdict.evidence.guardsMatched,
+    rulesMatched: verdict.evidence.rulesMatched,
+    invariantsSatisfied: verdict.evidence.invariantsSatisfied,
+    invariantsTotal: verdict.evidence.invariantsTotal,
+    enforcementLevel: verdict.evidence.enforcementLevel,
+    durationMs: verdict.trace?.durationMs,
+    args: event.args
+  };
+  if (verdict.consequence) {
+    auditEvent.consequence = verdict.consequence;
+  }
+  if (verdict.reward) {
+    auditEvent.reward = verdict.reward;
+  }
+  if (verdict.intentRecord) {
+    auditEvent.originalIntent = verdict.intentRecord.originalIntent;
+    auditEvent.finalAction = verdict.intentRecord.finalAction;
+  }
+  return auditEvent;
+}
+async function readAuditLog(logPath, filter) {
+  const { readFile: readFile3 } = await import("fs/promises");
+  let content;
+  try {
+    content = await readFile3(logPath, "utf-8");
+  } catch {
+    return [];
+  }
+  const events = [];
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    try {
+      const event = JSON.parse(trimmed);
+      if (!filter || filter(event)) {
+        events.push(event);
+      }
+    } catch {
+    }
+  }
+  return events;
+}
+function summarizeAuditEvents(events) {
+  const allowed = events.filter((e) => e.decision === "ALLOW").length;
+  const blocked = events.filter((e) => e.decision === "BLOCK").length;
+  const paused = events.filter((e) => e.decision === "PAUSE").length;
+  const modified = events.filter((e) => e.decision === "MODIFY").length;
+  const penalized = events.filter((e) => e.decision === "PENALIZE").length;
+  const rewarded = events.filter((e) => e.decision === "REWARD").length;
+  const neutral = events.filter((e) => e.decision === "NEUTRAL").length;
+  const actorSet = /* @__PURE__ */ new Set();
+  for (const e of events) {
+    if (e.actor) actorSet.add(e.actor);
+  }
+  const intentMap = /* @__PURE__ */ new Map();
+  for (const e of events) {
+    const entry = intentMap.get(e.intent) ?? { count: 0, blocked: 0, paused: 0, penalized: 0, rewarded: 0 };
+    entry.count++;
+    if (e.decision === "BLOCK") entry.blocked++;
+    if (e.decision === "PAUSE") entry.paused++;
+    if (e.decision === "PENALIZE") entry.penalized++;
+    if (e.decision === "REWARD") entry.rewarded++;
+    intentMap.set(e.intent, entry);
+  }
+  const topIntents = [...intentMap.entries()].map(([intent, data]) => ({ intent, ...data })).sort((a, b) => b.count - a.count);
+  const ruleMap = /* @__PURE__ */ new Map();
+  for (const e of events) {
+    if (e.ruleId) {
+      ruleMap.set(e.ruleId, (ruleMap.get(e.ruleId) ?? 0) + 1);
+    }
+    for (const g of e.guardsMatched) {
+      ruleMap.set(g, (ruleMap.get(g) ?? 0) + 1);
+    }
+  }
+  const topRules = [...ruleMap.entries()].map(([ruleId, count]) => ({ ruleId, count })).sort((a, b) => b.count - a.count);
+  const redirected = blocked + paused + modified + penalized;
+  const total = events.length;
+  return {
+    totalActions: total,
+    allowed,
+    blocked,
+    paused,
+    modified,
+    penalized,
+    rewarded,
+    neutral,
+    actors: [...actorSet],
+    topIntents,
+    topRules,
+    firstEvent: events[0]?.timestamp ?? "",
+    lastEvent: events[events.length - 1]?.timestamp ?? "",
+    behavioralEconomy: {
+      totalPenalties: penalized,
+      totalRewards: rewarded,
+      netPressure: rewarded - penalized,
+      redirectionRate: total > 0 ? redirected / total : 0
+    }
+  };
+}
+var FileAuditLogger;
+var init_audit_logger = __esm({
+  "src/engine/audit-logger.ts"() {
+    "use strict";
+    init_guard_engine();
+    FileAuditLogger = class {
+      logPath;
+      buffer = [];
+      flushTimer = null;
+      flushIntervalMs;
+      constructor(logPath, options) {
+        this.logPath = logPath;
+        this.flushIntervalMs = options?.flushIntervalMs ?? 1e3;
+      }
+      log(event) {
+        this.buffer.push(JSON.stringify(event));
+        if (!this.flushTimer) {
+          this.flushTimer = setTimeout(() => {
+            void this.flush();
+          }, this.flushIntervalMs);
+        }
+      }
+      async flush() {
+        if (this.buffer.length === 0) return;
+        if (this.flushTimer) {
+          clearTimeout(this.flushTimer);
+          this.flushTimer = null;
+        }
+        const lines = this.buffer.splice(0).join("\n") + "\n";
+        try {
+          const { appendFile, mkdir: mkdir2 } = await import("fs/promises");
+          const { dirname: dirname3 } = await import("path");
+          await mkdir2(dirname3(this.logPath), { recursive: true });
+          await appendFile(this.logPath, lines, "utf-8");
+        } catch {
+        }
+      }
+    };
+  }
+});
+
 // src/cli/guard.ts
 var guard_exports = {};
 __export(guard_exports, {
@@ -7374,6 +7530,7 @@ function parseArgs11(argv) {
   let trace = false;
   let level;
   let aiClassify = false;
+  let logPath;
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
     if (arg === "--world" && i + 1 < argv.length) {
@@ -7382,6 +7539,8 @@ function parseArgs11(argv) {
       trace = true;
     } else if (arg === "--ai-classify") {
       aiClassify = true;
+    } else if (arg === "--log" && i + 1 < argv.length) {
+      logPath = argv[++i];
     } else if (arg === "--level" && i + 1 < argv.length) {
       const val = argv[++i];
       if (val === "basic" || val === "standard" || val === "strict") {
@@ -7391,7 +7550,7 @@ function parseArgs11(argv) {
       }
     }
   }
-  return { worldPath, trace, level, aiClassify };
+  return { worldPath, trace, level, aiClassify, logPath };
 }
 async function main11(argv = process.argv.slice(2)) {
   try {
@@ -7451,6 +7610,11 @@ async function main11(argv = process.argv.slice(2)) {
       const options = { trace: args.trace, level: args.level };
       verdict = evaluateGuard(event, world, options);
     }
+    if (args.logPath) {
+      const logger = new FileAuditLogger(args.logPath, { flushIntervalMs: 0 });
+      logger.log(verdictToAuditEvent(event, verdict));
+      await logger.flush();
+    }
     process.stdout.write(JSON.stringify(verdict, null, 2) + "\n");
     const exitCode = GUARD_EXIT_CODES[verdict.status];
     process.exit(exitCode);
@@ -7479,6 +7643,7 @@ var init_guard = __esm({
     init_world_resolver();
     init_guard_contract();
     init_cli_utils();
+    init_audit_logger();
   }
 });
 
@@ -8077,13 +8242,13 @@ function handleHealthCheck() {
 }
 async function handleListPresets(policiesDir) {
   const { readdir, readFile: readFile3 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const dir = policiesDir ?? join9(process.cwd(), "policies");
+  const { join: join13 } = await import("path");
+  const dir = policiesDir ?? join13(process.cwd(), "policies");
   const presets = [];
   try {
     const files = await readdir(dir);
     for (const file of files.filter((f) => f.endsWith(".txt")).sort()) {
-      const content = await readFile3(join9(dir, file), "utf-8");
+      const content = await readFile3(join13(dir, file), "utf-8");
       const id = file.replace(".txt", "");
       const name = id.split("-").map((w) => w.charAt(0).toUpperCase() + w.slice(1)).join(" ");
       const firstLine = content.split("\n").find((l) => l.trim().length > 0) ?? "";
@@ -8155,7 +8320,7 @@ function govern(action, world, options) {
 }
 async function writeTempWorld(dir, policyLines) {
   const { writeFile: writeFile5, mkdir: mkdir2 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   await mkdir2(dir, { recursive: true });
   const worldJson = {
     world_id: "demo-live",
@@ -8197,9 +8362,9 @@ async function writeTempWorld(dir, policyLines) {
     authoring_method: "manual-authoring"
   };
   await Promise.all([
-    writeFile5(join9(dir, "world.json"), JSON.stringify(worldJson, null, 2)),
-    writeFile5(join9(dir, "kernel.json"), JSON.stringify(kernelJson, null, 2)),
-    writeFile5(join9(dir, "metadata.json"), JSON.stringify(metadataJson, null, 2))
+    writeFile5(join13(dir, "world.json"), JSON.stringify(worldJson, null, 2)),
+    writeFile5(join13(dir, "kernel.json"), JSON.stringify(kernelJson, null, 2)),
+    writeFile5(join13(dir, "metadata.json"), JSON.stringify(metadataJson, null, 2))
   ]);
 }
 var init_govern = __esm({
@@ -11310,9 +11475,9 @@ async function main15(argv) {
   }
   if (worldPath) {
     try {
-      const { existsSync: existsSync6 } = await import("fs");
-      const { join: join9 } = await import("path");
-      const hasWorld = existsSync6(join9(worldPath, "world.json"));
+      const { existsSync: existsSync9 } = await import("fs");
+      const { join: join13 } = await import("path");
+      const hasWorld = existsSync9(join13(worldPath, "world.json"));
       checks.push({
         label: "World file detected",
         status: hasWorld ? "pass" : "fail",
@@ -11327,12 +11492,12 @@ async function main15(argv) {
       });
     }
   } else {
-    const { existsSync: existsSync6 } = await import("fs");
-    const { join: join9 } = await import("path");
+    const { existsSync: existsSync9 } = await import("fs");
+    const { join: join13 } = await import("path");
     const candidates = ["./world", "./.neuroverse", "./worlds"];
     let found;
     for (const dir of candidates) {
-      if (existsSync6(join9(dir, "world.json"))) {
+      if (existsSync9(join13(dir, "world.json"))) {
         found = dir;
         break;
       }
@@ -12384,8 +12549,8 @@ async function deriveCommand(args) {
     return;
   }
   const plan = result.plan;
-  const { mkdirSync: mkdirSync3 } = await import("fs");
-  mkdirSync3(outputDir, { recursive: true });
+  const { mkdirSync: mkdirSync5 } = await import("fs");
+  mkdirSync5(outputDir, { recursive: true });
   const worldJson = {
     world_id: `plan_${plan.plan_id}`,
     name: `Derived: ${plan.objective}`,
@@ -12982,11 +13147,17 @@ async function runPipeMode(config) {
     process.stderr.write(`[neuroverse] Plan: ${state.plan.plan_id} (${state.plan.objective})
 `);
   }
+  const MAX_BUFFER_SIZE = 1e6;
   return new Promise((resolve5, reject) => {
     let buffer = "";
     process.stdin.setEncoding("utf-8");
     process.stdin.on("data", (chunk) => {
       buffer += chunk;
+      if (buffer.length > MAX_BUFFER_SIZE) {
+        process.stderr.write("[neuroverse] Warning: pipe buffer exceeded 1MB, resetting\n");
+        buffer = "";
+        return;
+      }
       const lines = buffer.split("\n");
       buffer = lines.pop() ?? "";
       for (const line of lines) {
@@ -13151,7 +13322,9 @@ var init_session = __esm({
     init_plan_engine();
     init_world_loader();
     init_decision_flow_engine();
-    SessionManager = class {
+    SessionManager = class _SessionManager {
+      /** Maximum unique agent IDs tracked before eviction. Prevents unbounded memory growth. */
+      static MAX_AGENTS = 1e4;
       config;
       state;
       engineOptions;
@@ -13215,6 +13388,16 @@ var init_session = __esm({
           if (verdict.status === "REWARD" && verdict.reward) {
             agentState = applyReward(agentState, verdict.reward, verdict.ruleId ?? "unknown");
           }
+          if (this.state.agentStates.size >= _SessionManager.MAX_AGENTS && !this.state.agentStates.has(event.roleId)) {
+            const oldest = this.state.agentStates.keys().next().value;
+            if (oldest !== void 0) {
+              this.state.agentStates.delete(oldest);
+            }
+            process.stderr.write(
+              `[neuroverse] Warning: agent state map at capacity (${_SessionManager.MAX_AGENTS}), evicted oldest entry
+`
+            );
+          }
           this.state.agentStates.set(event.roleId, agentState);
         }
         this.config.onVerdict?.(verdict, event);
@@ -13368,8 +13551,15 @@ async function main18(args) {
   const plan = planPath ? loadPlan(planPath) : autoDetectPlan();
   const level = parseArg2(args, "--level");
   const trace = hasFlag(args, "--trace");
+  const logPath = parseArg2(args, "--log");
   const isPipeMode = hasFlag(args, "--pipe") || !process.stdin.isTTY;
   const isInteractive = hasFlag(args, "--interactive");
+  let auditLogger;
+  if (logPath) {
+    auditLogger = new FileAuditLogger(logPath);
+    process.stderr.write(`[neuroverse] Audit logging to ${logPath}
+`);
+  }
   if (isInteractive) {
     const providerName = parseArg2(args, "--provider");
     if (!providerName) {
@@ -13393,6 +13583,9 @@ async function main18(args) {
         level,
         trace,
         onVerdict: (verdict, event) => {
+          if (auditLogger) {
+            auditLogger.log(verdictToAuditEvent(event, verdict));
+          }
           if (verdict.status !== "ALLOW") {
             process.stderr.write(
               `  [${verdict.status}] ${event.intent} \u2014 ${verdict.reason ?? verdict.ruleId ?? "governance rule"}
@@ -13419,8 +13612,12 @@ async function main18(args) {
       worldPath,
       plan,
       level,
-      trace
+      trace,
+      onVerdict: auditLogger ? (verdict, event) => {
+        auditLogger.log(verdictToAuditEvent(event, verdict));
+      } : void 0
     });
+    if (auditLogger) await auditLogger.flush();
   } else {
     process.stdout.write(RUN_USAGE + "\n");
     process.exit(0);
@@ -13433,6 +13630,7 @@ var init_run = __esm({
     import_fs5 = require("fs");
     import_path6 = require("path");
     init_world_resolver();
+    init_audit_logger();
     RUN_USAGE = `
 neuroverse run \u2014 Governed runtime for AI agents.
 
@@ -14224,27 +14422,27 @@ function computeWorldDiff(a, b) {
 }
 async function worldSnapshot(worldPath) {
   const { readdir, readFile: readFile3, mkdir: mkdir2, writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const snapshotDir = join9(worldPath, ".snapshots", timestamp);
+  const snapshotDir = join13(worldPath, ".snapshots", timestamp);
   await mkdir2(snapshotDir, { recursive: true });
   const files = await readdir(worldPath);
   let copied = 0;
   for (const file of files) {
     if (file.endsWith(".json")) {
-      const content = await readFile3(join9(worldPath, file), "utf-8");
-      await writeFile5(join9(snapshotDir, file), content, "utf-8");
+      const content = await readFile3(join13(worldPath, file), "utf-8");
+      await writeFile5(join13(snapshotDir, file), content, "utf-8");
       copied++;
     }
   }
   try {
-    const rulesDir = join9(worldPath, "rules");
+    const rulesDir = join13(worldPath, "rules");
     const ruleFiles = await readdir(rulesDir);
-    await mkdir2(join9(snapshotDir, "rules"), { recursive: true });
+    await mkdir2(join13(snapshotDir, "rules"), { recursive: true });
     for (const file of ruleFiles) {
       if (file.endsWith(".json")) {
-        const content = await readFile3(join9(rulesDir, file), "utf-8");
-        await writeFile5(join9(snapshotDir, "rules", file), content, "utf-8");
+        const content = await readFile3(join13(rulesDir, file), "utf-8");
+        await writeFile5(join13(snapshotDir, "rules", file), content, "utf-8");
         copied++;
       }
     }
@@ -14257,8 +14455,8 @@ async function worldSnapshot(worldPath) {
 }
 async function worldRollback(worldPath) {
   const { readdir, readFile: readFile3, writeFile: writeFile5, mkdir: mkdir2 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
-  const snapshotsDir = join9(worldPath, ".snapshots");
+  const { join: join13 } = await import("path");
+  const snapshotsDir = join13(worldPath, ".snapshots");
   let snapshots;
   try {
     snapshots = (await readdir(snapshotsDir)).sort();
@@ -14273,34 +14471,34 @@ async function worldRollback(worldPath) {
     return;
   }
   const latest = snapshots[snapshots.length - 1];
-  const snapshotDir = join9(snapshotsDir, latest);
+  const snapshotDir = join13(snapshotsDir, latest);
   const backupTimestamp = "pre-rollback-" + (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const backupDir = join9(snapshotsDir, backupTimestamp);
+  const backupDir = join13(snapshotsDir, backupTimestamp);
   await mkdir2(backupDir, { recursive: true });
   const currentFiles = await readdir(worldPath);
   for (const file of currentFiles) {
     if (file.endsWith(".json")) {
-      const content = await readFile3(join9(worldPath, file), "utf-8");
-      await writeFile5(join9(backupDir, file), content, "utf-8");
+      const content = await readFile3(join13(worldPath, file), "utf-8");
+      await writeFile5(join13(backupDir, file), content, "utf-8");
     }
   }
   const snapshotFiles = await readdir(snapshotDir);
   let restored = 0;
   for (const file of snapshotFiles) {
     if (file.endsWith(".json")) {
-      const content = await readFile3(join9(snapshotDir, file), "utf-8");
-      await writeFile5(join9(worldPath, file), content, "utf-8");
+      const content = await readFile3(join13(snapshotDir, file), "utf-8");
+      await writeFile5(join13(worldPath, file), content, "utf-8");
       restored++;
     }
   }
   try {
-    const rulesDir = join9(snapshotDir, "rules");
+    const rulesDir = join13(snapshotDir, "rules");
     const ruleFiles = await readdir(rulesDir);
-    await mkdir2(join9(worldPath, "rules"), { recursive: true });
+    await mkdir2(join13(worldPath, "rules"), { recursive: true });
     for (const file of ruleFiles) {
       if (file.endsWith(".json")) {
-        const content = await readFile3(join9(rulesDir, file), "utf-8");
-        await writeFile5(join9(worldPath, "rules", file), content, "utf-8");
+        const content = await readFile3(join13(rulesDir, file), "utf-8");
+        await writeFile5(join13(worldPath, "rules", file), content, "utf-8");
         restored++;
       }
     }
@@ -14451,177 +14649,55 @@ Options:
   }
 });
 
-// src/engine/audit-logger.ts
-function verdictToAuditEvent(event, verdict) {
-  const auditEvent = {
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    worldId: verdict.evidence.worldId,
-    worldName: verdict.evidence.worldName,
-    worldVersion: verdict.evidence.worldVersion,
-    intent: event.intent,
-    tool: event.tool,
-    scope: event.scope,
-    actor: event.roleId,
-    direction: event.direction,
-    decision: verdict.status,
-    reason: verdict.reason,
-    ruleId: verdict.ruleId,
-    warning: verdict.warning,
-    guardsMatched: verdict.evidence.guardsMatched,
-    rulesMatched: verdict.evidence.rulesMatched,
-    invariantsSatisfied: verdict.evidence.invariantsSatisfied,
-    invariantsTotal: verdict.evidence.invariantsTotal,
-    enforcementLevel: verdict.evidence.enforcementLevel,
-    durationMs: verdict.trace?.durationMs,
-    args: event.args
-  };
-  if (verdict.consequence) {
-    auditEvent.consequence = verdict.consequence;
+// src/cli/trace.ts
+var trace_exports = {};
+__export(trace_exports, {
+  main: () => main20
+});
+function parseArgs16(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--summary") {
+      args.summary = true;
+    } else if (arg === "--json") {
+      args.json = true;
+    } else if (arg === "--help" || arg === "-h") {
+      args.help = true;
+    } else if (arg === "--log" && argv[i + 1]) {
+      args.log = argv[++i];
+    } else if (arg === "--filter" && argv[i + 1]) {
+      args.filter = argv[++i].toUpperCase();
+    } else if (arg === "--actor" && argv[i + 1]) {
+      args.actor = argv[++i];
+    } else if (arg === "--intent" && argv[i + 1]) {
+      args.intent = argv[++i];
+    } else if (arg === "--last" && argv[i + 1]) {
+      args.last = argv[++i];
+    }
   }
-  if (verdict.reward) {
-    auditEvent.reward = verdict.reward;
+  return args;
+}
+function formatEvent(event) {
+  const ts = event.timestamp.split("T")[1]?.replace("Z", "").slice(0, 8) ?? event.timestamp;
+  const icon = event.decision === "ALLOW" ? "  \u2713" : event.decision === "BLOCK" ? "  \u2717" : "  \u23F8";
+  const parts = [];
+  parts.push(`  [${ts}] ${event.actor ?? "unknown"}`);
+  parts.push(`    Action: ${event.intent}${event.tool ? ` (tool: ${event.tool})` : ""}`);
+  parts.push(`    Result:${icon} ${event.decision}`);
+  if (event.guardsMatched.length > 0) {
+    parts.push(`    Guards: ${event.guardsMatched.join(", ")}`);
   }
-  if (verdict.intentRecord) {
-    auditEvent.originalIntent = verdict.intentRecord.originalIntent;
-    auditEvent.finalAction = verdict.intentRecord.finalAction;
+  if (event.rulesMatched.length > 0) {
+    parts.push(`    Rules:  ${event.rulesMatched.join(", ")}`);
   }
-  return auditEvent;
-}
-async function readAuditLog(logPath, filter) {
-  const { readFile: readFile3 } = await import("fs/promises");
-  let content;
-  try {
-    content = await readFile3(logPath, "utf-8");
-  } catch {
-    return [];
+  if (event.reason) {
+    parts.push(`    Reason: ${event.reason}`);
   }
-  const events = [];
-  for (const line of content.split("\n")) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    try {
-      const event = JSON.parse(trimmed);
-      if (!filter || filter(event)) {
-        events.push(event);
-      }
-    } catch {
-    }
+  if (event.warning) {
+    parts.push(`    Warning: ${event.warning}`);
   }
-  return events;
-}
-function summarizeAuditEvents(events) {
-  const allowed = events.filter((e) => e.decision === "ALLOW").length;
-  const blocked = events.filter((e) => e.decision === "BLOCK").length;
-  const paused = events.filter((e) => e.decision === "PAUSE").length;
-  const modified = events.filter((e) => e.decision === "MODIFY").length;
-  const penalized = events.filter((e) => e.decision === "PENALIZE").length;
-  const rewarded = events.filter((e) => e.decision === "REWARD").length;
-  const neutral = events.filter((e) => e.decision === "NEUTRAL").length;
-  const actorSet = /* @__PURE__ */ new Set();
-  for (const e of events) {
-    if (e.actor) actorSet.add(e.actor);
-  }
-  const intentMap = /* @__PURE__ */ new Map();
-  for (const e of events) {
-    const entry = intentMap.get(e.intent) ?? { count: 0, blocked: 0, paused: 0, penalized: 0, rewarded: 0 };
-    entry.count++;
-    if (e.decision === "BLOCK") entry.blocked++;
-    if (e.decision === "PAUSE") entry.paused++;
-    if (e.decision === "PENALIZE") entry.penalized++;
-    if (e.decision === "REWARD") entry.rewarded++;
-    intentMap.set(e.intent, entry);
-  }
-  const topIntents = [...intentMap.entries()].map(([intent, data]) => ({ intent, ...data })).sort((a, b) => b.count - a.count);
-  const ruleMap = /* @__PURE__ */ new Map();
-  for (const e of events) {
-    if (e.ruleId) {
-      ruleMap.set(e.ruleId, (ruleMap.get(e.ruleId) ?? 0) + 1);
-    }
-    for (const g of e.guardsMatched) {
-      ruleMap.set(g, (ruleMap.get(g) ?? 0) + 1);
-    }
-  }
-  const topRules = [...ruleMap.entries()].map(([ruleId, count]) => ({ ruleId, count })).sort((a, b) => b.count - a.count);
-  const redirected = blocked + paused + modified + penalized;
-  const total = events.length;
-  return {
-    totalActions: total,
-    allowed,
-    blocked,
-    paused,
-    modified,
-    penalized,
-    rewarded,
-    neutral,
-    actors: [...actorSet],
-    topIntents,
-    topRules,
-    firstEvent: events[0]?.timestamp ?? "",
-    lastEvent: events[events.length - 1]?.timestamp ?? "",
-    behavioralEconomy: {
-      totalPenalties: penalized,
-      totalRewards: rewarded,
-      netPressure: rewarded - penalized,
-      redirectionRate: total > 0 ? redirected / total : 0
-    }
-  };
-}
-var init_audit_logger = __esm({
-  "src/engine/audit-logger.ts"() {
-    "use strict";
-    init_guard_engine();
-  }
-});
-
-// src/cli/trace.ts
-var trace_exports = {};
-__export(trace_exports, {
-  main: () => main20
-});
-function parseArgs16(argv) {
-  const args = {};
-  for (let i = 0; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg === "--summary") {
-      args.summary = true;
-    } else if (arg === "--json") {
-      args.json = true;
-    } else if (arg === "--help" || arg === "-h") {
-      args.help = true;
-    } else if (arg === "--log" && argv[i + 1]) {
-      args.log = argv[++i];
-    } else if (arg === "--filter" && argv[i + 1]) {
-      args.filter = argv[++i].toUpperCase();
-    } else if (arg === "--actor" && argv[i + 1]) {
-      args.actor = argv[++i];
-    } else if (arg === "--intent" && argv[i + 1]) {
-      args.intent = argv[++i];
-    } else if (arg === "--last" && argv[i + 1]) {
-      args.last = argv[++i];
-    }
-  }
-  return args;
-}
-function formatEvent(event) {
-  const ts = event.timestamp.split("T")[1]?.replace("Z", "").slice(0, 8) ?? event.timestamp;
-  const icon = event.decision === "ALLOW" ? "  \u2713" : event.decision === "BLOCK" ? "  \u2717" : "  \u23F8";
-  const parts = [];
-  parts.push(`  [${ts}] ${event.actor ?? "unknown"}`);
-  parts.push(`    Action: ${event.intent}${event.tool ? ` (tool: ${event.tool})` : ""}`);
-  parts.push(`    Result:${icon} ${event.decision}`);
-  if (event.guardsMatched.length > 0) {
-    parts.push(`    Guards: ${event.guardsMatched.join(", ")}`);
-  }
-  if (event.rulesMatched.length > 0) {
-    parts.push(`    Rules:  ${event.rulesMatched.join(", ")}`);
-  }
-  if (event.reason) {
-    parts.push(`    Reason: ${event.reason}`);
-  }
-  if (event.warning) {
-    parts.push(`    Warning: ${event.warning}`);
-  }
-  return parts.join("\n");
+  return parts.join("\n");
 }
 function formatSummary(events) {
   const summary2 = summarizeAuditEvents(events);
@@ -15596,12 +15672,590 @@ var init_equity_penalties = __esm({
   }
 });
 
+// src/cli/keygen.ts
+var keygen_exports = {};
+__export(keygen_exports, {
+  main: () => main26
+});
+function parseArgs20(argv) {
+  let output = (0, import_path8.join)((0, import_os2.homedir)(), ".neuroverse", "keys");
+  let name = "neuroverse";
+  let force = false;
+  let help = false;
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if ((arg === "--output" || arg === "-o") && argv[i + 1]) {
+      output = argv[++i];
+    } else if ((arg === "--name" || arg === "-n") && argv[i + 1]) {
+      name = argv[++i];
+    } else if (arg === "--force") {
+      force = true;
+    } else if (arg === "--help" || arg === "-h") {
+      help = true;
+    }
+  }
+  return { output, name, force, help };
+}
+async function main26(argv = process.argv.slice(2)) {
+  const args = parseArgs20(argv);
+  if (args.help) {
+    process.stdout.write(USAGE5 + "\n");
+    return;
+  }
+  const pubPath = (0, import_path8.join)(args.output, `${args.name}.pub`);
+  const keyPath = (0, import_path8.join)(args.output, `${args.name}.key`);
+  if (!args.force && ((0, import_fs7.existsSync)(pubPath) || (0, import_fs7.existsSync)(keyPath))) {
+    process.stderr.write(`Keys already exist at ${args.output}/${args.name}.*
+`);
+    process.stderr.write("Use --force to overwrite.\n");
+    process.exit(1);
+  }
+  const { publicKey, privateKey } = (0, import_crypto.generateKeyPairSync)("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  (0, import_fs7.mkdirSync)(args.output, { recursive: true });
+  (0, import_fs7.writeFileSync)(pubPath, publicKey, "utf-8");
+  (0, import_fs7.writeFileSync)(keyPath, privateKey, { encoding: "utf-8", mode: 384 });
+  process.stdout.write(`Keypair generated:
+`);
+  process.stdout.write(`  Public:  ${pubPath}
+`);
+  process.stdout.write(`  Private: ${keyPath}
+`);
+  process.stdout.write(`
+Share the .pub file with anyone who needs to verify your worlds.
+`);
+  process.stdout.write(`Keep the .key file secret.
+`);
+}
+var import_crypto, import_fs7, import_path8, import_os2, USAGE5;
+var init_keygen = __esm({
+  "src/cli/keygen.ts"() {
+    "use strict";
+    import_crypto = require("crypto");
+    import_fs7 = require("fs");
+    import_path8 = require("path");
+    import_os2 = require("os");
+    USAGE5 = `
+neuroverse keygen \u2014 Generate Ed25519 signing keypair
+
+Usage:
+  neuroverse keygen [--output <dir>] [--name <name>]
+
+Options:
+  --output <dir>   Key directory (default: ~/.neuroverse/keys/)
+  --name <name>    Key name (default: neuroverse)
+  --force          Overwrite existing keys
+
+Examples:
+  neuroverse keygen
+  neuroverse keygen --name production --output ./keys/
+`.trim();
+  }
+});
+
+// src/cli/sign.ts
+var sign_exports = {};
+__export(sign_exports, {
+  buildManifest: () => buildManifest,
+  canonicalManifest: () => canonicalManifest,
+  main: () => main27
+});
+function parseArgs21(argv) {
+  let worldPath = "";
+  let keyPath = (0, import_path9.join)((0, import_os3.homedir)(), ".neuroverse", "keys", "neuroverse.key");
+  let help = false;
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--world" && argv[i + 1]) {
+      worldPath = argv[++i];
+    } else if (arg === "--key" && argv[i + 1]) {
+      keyPath = argv[++i];
+    } else if (arg === "--help" || arg === "-h") {
+      help = true;
+    }
+  }
+  return { worldPath, keyPath, help };
+}
+function collectFiles(dir, base) {
+  const root = base ?? dir;
+  const files = [];
+  for (const entry of (0, import_fs8.readdirSync)(dir)) {
+    if (entry === ".nv-signature.json") continue;
+    const full = (0, import_path9.join)(dir, entry);
+    const stat = (0, import_fs8.statSync)(full);
+    if (stat.isDirectory()) {
+      files.push(...collectFiles(full, root));
+    } else {
+      files.push((0, import_path9.relative)(root, full));
+    }
+  }
+  return files.sort();
+}
+function buildManifest(worldPath) {
+  const files = collectFiles(worldPath);
+  const manifest = {};
+  for (const file of files) {
+    const content = (0, import_fs8.readFileSync)((0, import_path9.join)(worldPath, file));
+    manifest[file] = (0, import_crypto2.createHash)("sha256").update(content).digest("hex");
+  }
+  return manifest;
+}
+function canonicalManifest(files) {
+  const sorted = Object.keys(files).sort();
+  return sorted.map((k) => `${k}:${files[k]}`).join("\n");
+}
+async function main27(argv = process.argv.slice(2)) {
+  const args = parseArgs21(argv);
+  if (args.help) {
+    process.stdout.write(USAGE6 + "\n");
+    return;
+  }
+  if (!args.worldPath) {
+    process.stderr.write("Error: --world <dir> is required.\n");
+    process.exit(1);
+  }
+  let privateKey;
+  try {
+    privateKey = (0, import_fs8.readFileSync)(args.keyPath, "utf-8");
+  } catch {
+    process.stderr.write(`Error: Cannot read private key at ${args.keyPath}
+`);
+    process.stderr.write('Run "neuroverse keygen" to generate a keypair.\n');
+    process.exit(1);
+    return;
+  }
+  const files = buildManifest(args.worldPath);
+  const canonical = canonicalManifest(files);
+  const manifestHash = (0, import_crypto2.createHash)("sha256").update(canonical).digest("hex");
+  const signature = (0, import_crypto2.sign)(null, Buffer.from(manifestHash), privateKey).toString("base64");
+  const artifact = {
+    signatureVersion: "1.0",
+    signedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    files,
+    manifestHash,
+    signature
+  };
+  const outPath = (0, import_path9.join)(args.worldPath, ".nv-signature.json");
+  (0, import_fs8.writeFileSync)(outPath, JSON.stringify(artifact, null, 2) + "\n", "utf-8");
+  process.stdout.write(`Signed ${Object.keys(files).length} files in ${args.worldPath}
+`);
+  process.stdout.write(`Signature: ${outPath}
+`);
+}
+var import_crypto2, import_fs8, import_path9, import_os3, USAGE6;
+var init_sign = __esm({
+  "src/cli/sign.ts"() {
+    "use strict";
+    import_crypto2 = require("crypto");
+    import_fs8 = require("fs");
+    import_path9 = require("path");
+    import_os3 = require("os");
+    USAGE6 = `
+neuroverse sign \u2014 Sign a world artifact
+
+Usage:
+  neuroverse sign --world <dir> [--key <path>]
+
+Options:
+  --world <dir>    World directory to sign (required)
+  --key <path>     Private key path (default: ~/.neuroverse/keys/neuroverse.key)
+
+Examples:
+  neuroverse sign --world ./world/
+  neuroverse sign --world ./world/ --key ./keys/production.key
+`.trim();
+  }
+});
+
+// src/cli/verify.ts
+var verify_exports = {};
+__export(verify_exports, {
+  main: () => main28
+});
+function parseArgs22(argv) {
+  let worldPath = "";
+  let keyPath = (0, import_path10.join)((0, import_os4.homedir)(), ".neuroverse", "keys", "neuroverse.pub");
+  let json = false;
+  let help = false;
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--world" && argv[i + 1]) {
+      worldPath = argv[++i];
+    } else if (arg === "--key" && argv[i + 1]) {
+      keyPath = argv[++i];
+    } else if (arg === "--json") {
+      json = true;
+    } else if (arg === "--help" || arg === "-h") {
+      help = true;
+    }
+  }
+  return { worldPath, keyPath, json, help };
+}
+async function main28(argv = process.argv.slice(2)) {
+  const args = parseArgs22(argv);
+  if (args.help) {
+    process.stdout.write(USAGE7 + "\n");
+    return;
+  }
+  if (!args.worldPath) {
+    process.stderr.write("Error: --world <dir> is required.\n");
+    process.exit(1);
+  }
+  const result = {
+    valid: false,
+    worldPath: args.worldPath,
+    fileCount: 0,
+    errors: []
+  };
+  const sigPath = (0, import_path10.join)(args.worldPath, ".nv-signature.json");
+  if (!(0, import_fs9.existsSync)(sigPath)) {
+    result.errors.push("No .nv-signature.json found \u2014 world is unsigned.");
+    outputResult(result, args.json);
+    process.exit(1);
+  }
+  let artifact;
+  try {
+    artifact = JSON.parse((0, import_fs9.readFileSync)(sigPath, "utf-8"));
+  } catch {
+    result.errors.push("Cannot parse .nv-signature.json \u2014 file is corrupt.");
+    outputResult(result, args.json);
+    process.exit(1);
+    return;
+  }
+  result.signedAt = artifact.signedAt;
+  result.fileCount = Object.keys(artifact.files).length;
+  let publicKey;
+  try {
+    publicKey = (0, import_fs9.readFileSync)(args.keyPath, "utf-8");
+  } catch {
+    result.errors.push(`Cannot read public key at ${args.keyPath}`);
+    outputResult(result, args.json);
+    process.exit(1);
+    return;
+  }
+  const currentFiles = buildManifest(args.worldPath);
+  for (const file of Object.keys(currentFiles)) {
+    if (!(file in artifact.files)) {
+      result.errors.push(`Added: ${file} (not in signature)`);
+    }
+  }
+  for (const [file, hash] of Object.entries(artifact.files)) {
+    if (!(file in currentFiles)) {
+      result.errors.push(`Missing: ${file} (was in signature)`);
+    } else if (currentFiles[file] !== hash) {
+      result.errors.push(`Changed: ${file} (hash mismatch)`);
+    }
+  }
+  if (result.errors.length > 0) {
+    outputResult(result, args.json);
+    process.exit(1);
+    return;
+  }
+  const canonical = canonicalManifest(artifact.files);
+  const manifestHash = (0, import_crypto3.createHash)("sha256").update(canonical).digest("hex");
+  if (manifestHash !== artifact.manifestHash) {
+    result.errors.push("Manifest hash mismatch \u2014 signature metadata is corrupt.");
+    outputResult(result, args.json);
+    process.exit(1);
+    return;
+  }
+  const isValid = (0, import_crypto3.verify)(null, Buffer.from(manifestHash), publicKey, Buffer.from(artifact.signature, "base64"));
+  if (!isValid) {
+    result.errors.push("Signature verification failed \u2014 wrong key or tampered manifest.");
+    outputResult(result, args.json);
+    process.exit(1);
+    return;
+  }
+  result.valid = true;
+  outputResult(result, args.json);
+}
+function outputResult(result, json) {
+  if (json) {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    return;
+  }
+  if (result.valid) {
+    process.stdout.write(`VALID \u2014 ${result.fileCount} files verified
+`);
+    process.stdout.write(`  Signed at: ${result.signedAt}
+`);
+    process.stdout.write(`  World: ${result.worldPath}
+`);
+  } else {
+    process.stdout.write(`INVALID \u2014 signature verification failed
+`);
+    for (const error of result.errors) {
+      process.stdout.write(`  ${error}
+`);
+    }
+  }
+}
+var import_crypto3, import_fs9, import_path10, import_os4, USAGE7;
+var init_verify = __esm({
+  "src/cli/verify.ts"() {
+    "use strict";
+    import_crypto3 = require("crypto");
+    import_fs9 = require("fs");
+    import_path10 = require("path");
+    import_os4 = require("os");
+    init_sign();
+    USAGE7 = `
+neuroverse verify \u2014 Verify a signed world artifact
+
+Usage:
+  neuroverse verify --world <dir> [--key <path>]
+
+Options:
+  --world <dir>    World directory to verify (required)
+  --key <path>     Public key path (default: ~/.neuroverse/keys/neuroverse.pub)
+  --json           Output result as JSON
+
+Exit codes:
+  0  Valid \u2014 world matches signature
+  1  Invalid \u2014 signature mismatch, tampered files, or missing signature
+
+Examples:
+  neuroverse verify --world ./world/
+  neuroverse verify --world ./world/ --key ./keys/production.pub
+`.trim();
+  }
+});
+
+// src/cli/migrate.ts
+var migrate_exports = {};
+__export(migrate_exports, {
+  LATEST_VERSION: () => LATEST_VERSION,
+  main: () => main29
+});
+function detectVersion(worldPath) {
+  const metaPath = (0, import_path11.join)(worldPath, "metadata.json");
+  if ((0, import_fs10.existsSync)(metaPath)) {
+    try {
+      const meta = JSON.parse((0, import_fs10.readFileSync)(metaPath, "utf-8"));
+      if (meta.schema_version) return meta.schema_version;
+    } catch {
+    }
+  }
+  return "1.0.0";
+}
+function compareVersions(a, b) {
+  const pa = a.split(".").map(Number);
+  const pb = b.split(".").map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] ?? 0) < (pb[i] ?? 0)) return -1;
+    if ((pa[i] ?? 0) > (pb[i] ?? 0)) return 1;
+  }
+  return 0;
+}
+function findMigrationPath(from, to) {
+  const path = [];
+  let current = from;
+  while (compareVersions(current, to) < 0) {
+    const next = MIGRATIONS.find((m) => m.from === current);
+    if (!next) break;
+    path.push(next);
+    current = next.to;
+  }
+  return path;
+}
+function parseArgs23(argv) {
+  let worldPath = "";
+  let dryRun = false;
+  let backup = false;
+  let target = LATEST_VERSION;
+  let json = false;
+  let help = false;
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--world" && argv[i + 1]) {
+      worldPath = argv[++i];
+    } else if (arg === "--dry-run") {
+      dryRun = true;
+    } else if (arg === "--backup") {
+      backup = true;
+    } else if (arg === "--target" && argv[i + 1]) {
+      target = argv[++i];
+    } else if (arg === "--json") {
+      json = true;
+    } else if (arg === "--help" || arg === "-h") {
+      help = true;
+    }
+  }
+  return { worldPath, dryRun, backup, target, json, help };
+}
+async function main29(argv = process.argv.slice(2)) {
+  const args = parseArgs23(argv);
+  if (args.help) {
+    process.stdout.write(USAGE8 + "\n");
+    return;
+  }
+  if (!args.worldPath) {
+    process.stderr.write("Error: --world <dir> is required.\n");
+    process.exit(1);
+  }
+  const currentVersion = detectVersion(args.worldPath);
+  const targetVersion = args.target;
+  if (compareVersions(currentVersion, targetVersion) >= 0) {
+    const plan2 = {
+      currentVersion,
+      targetVersion,
+      migrations: [],
+      changes: []
+    };
+    if (args.json) {
+      process.stdout.write(JSON.stringify(plan2, null, 2) + "\n");
+    } else {
+      process.stdout.write(`World is already at version ${currentVersion} (target: ${targetVersion})
+`);
+      process.stdout.write("No migrations needed.\n");
+    }
+    return;
+  }
+  const migrationPath = findMigrationPath(currentVersion, targetVersion);
+  if (migrationPath.length === 0) {
+    process.stderr.write(`No migration path from ${currentVersion} to ${targetVersion}
+`);
+    process.exit(1);
+    return;
+  }
+  if (args.dryRun) {
+    const plan2 = {
+      currentVersion,
+      targetVersion,
+      migrations: migrationPath.map((m) => ({ from: m.from, to: m.to, description: m.description })),
+      changes: []
+    };
+    if (args.json) {
+      process.stdout.write(JSON.stringify(plan2, null, 2) + "\n");
+    } else {
+      process.stdout.write(`Migration plan: ${currentVersion} \u2192 ${targetVersion}
+`);
+      process.stdout.write(`Steps: ${migrationPath.length}
+
+`);
+      for (const m of migrationPath) {
+        process.stdout.write(`  ${m.from} \u2192 ${m.to}: ${m.description}
+`);
+      }
+      process.stdout.write("\nRun without --dry-run to apply.\n");
+    }
+    return;
+  }
+  if (args.backup) {
+    const backupPath = args.worldPath + ".backup";
+    (0, import_fs10.cpSync)(args.worldPath, backupPath, { recursive: true });
+    process.stdout.write(`Backup created: ${backupPath}
+`);
+  }
+  const allChanges = [];
+  for (const migration of migrationPath) {
+    process.stdout.write(`Applying: ${migration.from} \u2192 ${migration.to} (${migration.description})
+`);
+    const changes = migration.apply(args.worldPath);
+    allChanges.push(...changes);
+    for (const change of changes) {
+      process.stdout.write(`  ${change.action}: ${change.file} \u2014 ${change.description}
+`);
+    }
+  }
+  const plan = {
+    currentVersion,
+    targetVersion,
+    migrations: migrationPath.map((m) => ({ from: m.from, to: m.to, description: m.description })),
+    changes: allChanges
+  };
+  if (args.json) {
+    process.stdout.write(JSON.stringify(plan, null, 2) + "\n");
+  }
+  process.stdout.write(`
+Migration complete: ${currentVersion} \u2192 ${targetVersion} (${allChanges.length} changes)
+`);
+}
+var import_fs10, import_path11, USAGE8, MIGRATIONS, LATEST_VERSION;
+var init_migrate = __esm({
+  "src/cli/migrate.ts"() {
+    "use strict";
+    import_fs10 = require("fs");
+    import_path11 = require("path");
+    USAGE8 = `
+neuroverse migrate \u2014 World schema version migration
+
+Usage:
+  neuroverse migrate --world <dir> [options]
+
+Options:
+  --world <dir>       World directory to migrate (required)
+  --dry-run           Show what would change without modifying files
+  --backup            Copy original world to <dir>.backup before migrating
+  --target <version>  Target schema version (default: latest)
+  --json              Output migration plan as JSON
+
+Examples:
+  neuroverse migrate --world ./world/ --dry-run
+  neuroverse migrate --world ./world/ --backup
+  neuroverse migrate --world ./world/ --target 1.1.0
+`.trim();
+    MIGRATIONS = [
+      {
+        from: "1.0.0",
+        to: "1.1.0",
+        description: "Add enforcement_level to world.json, normalize metadata fields",
+        apply: (worldPath) => {
+          const changes = [];
+          const worldJsonPath = (0, import_path11.join)(worldPath, "world.json");
+          if ((0, import_fs10.existsSync)(worldJsonPath)) {
+            const world = JSON.parse((0, import_fs10.readFileSync)(worldJsonPath, "utf-8"));
+            if (!world.enforcement_level) {
+              world.enforcement_level = "standard";
+              (0, import_fs10.writeFileSync)(worldJsonPath, JSON.stringify(world, null, 2) + "\n", "utf-8");
+              changes.push({
+                file: "world.json",
+                action: "modified",
+                description: 'Added enforcement_level: "standard"'
+              });
+            }
+          }
+          const metaPath = (0, import_path11.join)(worldPath, "metadata.json");
+          if ((0, import_fs10.existsSync)(metaPath)) {
+            const meta = JSON.parse((0, import_fs10.readFileSync)(metaPath, "utf-8"));
+            let modified = false;
+            if (meta.configurator_version && !meta.authoring_method) {
+              meta.authoring_method = meta.configurator_version;
+              delete meta.configurator_version;
+              modified = true;
+            }
+            if (!meta.schema_version) {
+              meta.schema_version = "1.1.0";
+              modified = true;
+            } else {
+              meta.schema_version = "1.1.0";
+              modified = true;
+            }
+            if (modified) {
+              (0, import_fs10.writeFileSync)(metaPath, JSON.stringify(meta, null, 2) + "\n", "utf-8");
+              changes.push({
+                file: "metadata.json",
+                action: "modified",
+                description: "Normalized metadata fields, updated schema_version to 1.1.0"
+              });
+            }
+          }
+          return changes;
+        }
+      }
+    ];
+    LATEST_VERSION = MIGRATIONS.length > 0 ? MIGRATIONS[MIGRATIONS.length - 1].to : "1.0.0";
+  }
+});
+
 // src/cli/configure-ai.ts
 var configure_ai_exports = {};
 __export(configure_ai_exports, {
-  main: () => main26
+  main: () => main30
 });
-function parseArgs20(argv) {
+function parseArgs24(argv) {
   let provider;
   let model;
   let apiKey;
@@ -15626,9 +16280,9 @@ function parseArgs20(argv) {
   }
   return { provider, model, apiKey, endpoint, show, test };
 }
-async function main26(argv = process.argv.slice(2)) {
+async function main30(argv = process.argv.slice(2)) {
   try {
-    const args = parseArgs20(argv);
+    const args = parseArgs24(argv);
     if (args.show) {
       const config2 = await loadConfig();
       if (!config2) {
@@ -15829,7 +16483,7 @@ var init_prompt_utils = __esm({
 // src/cli/configure-world.ts
 var configure_world_exports = {};
 __export(configure_world_exports, {
-  main: () => main27
+  main: () => main31
 });
 function metricToStateVariable(metric) {
   const id = metric.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_|_$/g, "");
@@ -16247,15 +16901,15 @@ function generateWorld(state) {
   return { worldJson, stateSchema, guardsJson, rules, gatesJson, invariants, outcomes, metadata };
 }
 async function writeWorld(outputDir, world) {
-  const { mkdirSync: mkdirSync3, existsSync: existsSync6 } = await import("fs");
+  const { mkdirSync: mkdirSync5, existsSync: existsSync9 } = await import("fs");
   const { writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   const files = [];
-  if (!existsSync6(outputDir)) mkdirSync3(outputDir, { recursive: true });
-  const rulesDir = join9(outputDir, "rules");
-  if (!existsSync6(rulesDir)) mkdirSync3(rulesDir, { recursive: true });
+  if (!existsSync9(outputDir)) mkdirSync5(outputDir, { recursive: true });
+  const rulesDir = join13(outputDir, "rules");
+  if (!existsSync9(rulesDir)) mkdirSync5(rulesDir, { recursive: true });
   const writeJson = async (name, data) => {
-    const path = join9(outputDir, name);
+    const path = join13(outputDir, name);
     await writeFile5(path, JSON.stringify(data, null, 2) + "\n", "utf-8");
     files.push(path);
   };
@@ -16267,13 +16921,13 @@ async function writeWorld(outputDir, world) {
   await writeJson("outcomes.json", world.outcomes);
   await writeJson("metadata.json", world.metadata);
   for (const rule of world.rules) {
-    const rulePath = join9(rulesDir, `${rule.id}.json`);
+    const rulePath = join13(rulesDir, `${rule.id}.json`);
     await writeFile5(rulePath, JSON.stringify(rule, null, 2) + "\n", "utf-8");
     files.push(rulePath);
   }
   return files;
 }
-function parseArgs21(argv) {
+function parseArgs25(argv) {
   let outputDir = "./world/";
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
@@ -16283,9 +16937,9 @@ function parseArgs21(argv) {
   }
   return { outputDir };
 }
-async function main27(argv = process.argv.slice(2)) {
+async function main31(argv = process.argv.slice(2)) {
   try {
-    const args = parseArgs21(argv);
+    const args = parseArgs25(argv);
     const context = await phaseContext();
     const guardState = await phaseGuard(context.domain);
     const systemState = await phaseSystem(context.domain);
@@ -16354,7 +17008,7 @@ async function main27(argv = process.argv.slice(2)) {
 }
 async function phaseRefine(outputDir, world) {
   const { writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   heading("Refinement: Thresholds & Collapse");
   const primaryMetric = world.gatesJson.viability_classification[0]?.field || "system_health";
   info(`
@@ -16371,7 +17025,7 @@ async function phaseRefine(outputDir, world) {
       if (!isNaN(parsed)) gate.value = parsed;
     }
     await writeFile5(
-      join9(outputDir, "gates.json"),
+      join13(outputDir, "gates.json"),
       JSON.stringify(world.gatesJson, null, 2) + "\n",
       "utf-8"
     );
@@ -16393,7 +17047,7 @@ async function phaseRefine(outputDir, world) {
           result: "MODEL_COLLAPSES"
         };
         await writeFile5(
-          join9(outputDir, "rules", `${rule.id}.json`),
+          join13(outputDir, "rules", `${rule.id}.json`),
           JSON.stringify(rule, null, 2) + "\n",
           "utf-8"
         );
@@ -17127,7 +17781,7 @@ var init_lens = __esm({
 // src/cli/lens.ts
 var lens_exports = {};
 __export(lens_exports, {
-  main: () => main28
+  main: () => main32
 });
 async function cmdList(argv) {
   let worldPath = "";
@@ -17387,9 +18041,9 @@ async function cmdAdd(argv) {
     id = name.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_|_$/g, "");
   }
   const { readFile: readFile3, writeFile: writeFile5 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { join: join13 } = await import("path");
   const possiblePaths = [
-    join9(worldPath, "world.nv-world.md"),
+    join13(worldPath, "world.nv-world.md"),
     worldPath
   ];
   let mdPath = "";
@@ -17410,7 +18064,7 @@ async function cmdAdd(argv) {
       const files = await readdir(worldPath);
       const mdFile = files.find((f) => f.endsWith(".nv-world.md"));
       if (mdFile) {
-        mdPath = join9(worldPath, mdFile);
+        mdPath = join13(worldPath, mdFile);
         mdContent = await readFile3(mdPath, "utf-8");
       }
     } catch {
@@ -17460,7 +18114,7 @@ async function cmdAdd(argv) {
 
 `);
 }
-async function main28(argv = process.argv.slice(2)) {
+async function main32(argv = process.argv.slice(2)) {
   const subcommand = argv[0];
   const subArgs = argv.slice(1);
   try {
@@ -17538,7 +18192,7 @@ Examples:
 });
 
 // src/cli/neuroverse.ts
-var USAGE5 = `
+var USAGE9 = `
 neuroverse \u2014 Turn ideas into worlds.
 
 Commands:
@@ -17566,6 +18220,10 @@ Commands:
   decision-flow  Intent \u2192 Rule \u2192 Outcome visualization (behavioral governance)
   equity-penalties  Fortune 500 equity PENALIZE/REWARD simulation
   world          World management (status, diff, snapshot, rollback)
+  keygen         Generate Ed25519 signing keypair
+  sign           Sign a world artifact (cryptographic manifest)
+  verify         Verify a signed world artifact
+  migrate        Migrate world schema between versions
   derive         AI-assisted synthesis of .nv-world.md from markdown
   bootstrap      Compile .nv-world.md \u2192 world JSON files
   configure-ai   Configure AI provider credentials
@@ -17603,6 +18261,10 @@ Usage:
   neuroverse equity-penalties --world <dir> [--agents N] [--rounds N] [--json]
   neuroverse configure-ai --provider <name> --model <name> --api-key <key>
   neuroverse configure-world [--output <dir>]
+  neuroverse keygen [--output <dir>] [--name <name>]
+  neuroverse sign --world <dir> [--key <path>]
+  neuroverse verify --world <dir> [--key <path>]
+  neuroverse migrate --world <dir> [--dry-run] [--backup]
   neuroverse lens list [--world <dir>] [--json]
   neuroverse lens preview <id> [--world <dir>]
   neuroverse lens compile <id,...> [--world <dir>] [--role <role>] [--json]
@@ -17631,7 +18293,7 @@ Examples:
   neuroverse doctor
   neuroverse playground --world ./world/
 `.trim();
-async function main29() {
+async function main33() {
   const args = process.argv.slice(2);
   const command = args[0];
   const subArgs = args.slice(1);
@@ -17744,6 +18406,22 @@ async function main29() {
       const { main: equityPenaltiesMain } = await Promise.resolve().then(() => (init_equity_penalties(), equity_penalties_exports));
       return equityPenaltiesMain(subArgs);
     }
+    case "keygen": {
+      const { main: keygenMain } = await Promise.resolve().then(() => (init_keygen(), keygen_exports));
+      return keygenMain(subArgs);
+    }
+    case "sign": {
+      const { main: signMain } = await Promise.resolve().then(() => (init_sign(), sign_exports));
+      return signMain(subArgs);
+    }
+    case "verify": {
+      const { main: verifyMain } = await Promise.resolve().then(() => (init_verify(), verify_exports));
+      return verifyMain(subArgs);
+    }
+    case "migrate": {
+      const { main: migrateMain } = await Promise.resolve().then(() => (init_migrate(), migrate_exports));
+      return migrateMain(subArgs);
+    }
     case "configure-ai": {
       const { main: configureAiMain } = await Promise.resolve().then(() => (init_configure_ai(), configure_ai_exports));
       return configureAiMain(subArgs);
@@ -17760,7 +18438,7 @@ async function main29() {
     case "-h":
     case "help":
     case void 0: {
-      process.stdout.write(USAGE5 + "\n");
+      process.stdout.write(USAGE9 + "\n");
       process.exit(0);
       break;
     }
@@ -17768,12 +18446,12 @@ async function main29() {
       process.stderr.write(`Unknown command: "${command}"
 
 `);
-      process.stdout.write(USAGE5 + "\n");
+      process.stdout.write(USAGE9 + "\n");
       process.exit(1);
     }
   }
 }
-main29().catch((e) => {
+main33().catch((e) => {
   process.stderr.write(`Fatal: ${e}
 `);
   process.exit(3);