@openclawbrain/cli 0.4.13 → 0.4.15

package/dist/src/local-session-passive-learning.js

@@ -44,6 +44,32 @@ function sanitizeToken(value) {
 function slugifyIdentity(value) {
     return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
 }
+function sortSessionRecordsDeterministically(records) {
+    return [...records].sort((left, right) => {
+        const leftTimestamp = Date.parse(left.timestamp);
+        const rightTimestamp = Date.parse(right.timestamp);
+        if (leftTimestamp !== rightTimestamp) {
+            return leftTimestamp - rightTimestamp;
+        }
+        const leftId = typeof left.id === "string" ? left.id : "";
+        const rightId = typeof right.id === "string" ? right.id : "";
+        const leftParentId = typeof left.parentId === "string" ? left.parentId : "";
+        const rightParentId = typeof right.parentId === "string" ? right.parentId : "";
+        if (rightParentId === leftId && leftParentId !== rightId) {
+            return -1;
+        }
+        if (leftParentId === rightId && rightParentId !== leftId) {
+            return 1;
+        }
+        if (leftId !== rightId) {
+            return leftId.localeCompare(rightId);
+        }
+        if (leftParentId !== rightParentId) {
+            return leftParentId.localeCompare(rightParentId);
+        }
+        return left.type.localeCompare(right.type);
+    });
+}
 function deriveChannel(sessionKey, entry) {
     const deliveryChannel = normalizeString(entry.deliveryContext?.channel);
     if (deliveryChannel !== null) {
@@ -256,7 +282,7 @@ export function buildPassiveLearningSessionExportFromOpenClawSessionStore(input)
     let droppedRuntimeNoiseCount = 0;
     let nextSequence = sequenceStart;
     let latestAssistantInteractionId = null;
-    for (const record of input.records) {
+    for (const record of sortSessionRecordsDeterministically(input.records)) {
         if (record.type !== "message") {
             continue;
         }
@@ -451,4 +477,4 @@ export function buildPassiveLearningStoreExportFromOpenClawSessionIndex(input) {
         warnings: sessions.flatMap((session) => session.warnings)
     };
 }
-//# sourceMappingURL=local-session-passive-learning.js.map
+//# sourceMappingURL=local-session-passive-learning.js.map

package/dist/src/materialization-embedder.js

@@ -0,0 +1,11 @@
+import { reindexCandidatePackBuildResultWithEmbedder } from "./local-learner.js";
+
+export async function reindexMaterializationCandidateWithEmbedder(materialization, embedder) {
+    if (materialization === null || embedder === null) {
+        return materialization;
+    }
+    return {
+        ...materialization,
+        candidate: await reindexCandidatePackBuildResultWithEmbedder(materialization.candidate, embedder)
+    };
+}

package/dist/src/openclaw-hook-truth.d.ts

@@ -2,6 +2,8 @@ import { type OpenClawBrainInstallLayout } from "./openclaw-plugin-install.js";
 export type OpenClawBrainHookInstallState = "installed" | "not_installed" | "blocked_by_allowlist" | "unverified";
 export type OpenClawBrainHookLoadability = "loadable" | "blocked" | "not_installed" | "unverified";
 export type OpenClawBrainHookLoadProof = "status_probe_ready" | "not_ready";
+export type OpenClawBrainHookGuardSeverity = "none" | "degraded" | "blocking";
+export type OpenClawBrainHookGuardActionability = "none" | "pin_openclaw_home" | "repair_install";
 export type OpenClawBrainPluginAllowlistState = "unrestricted" | "allowed" | "blocked" | "invalid" | "unverified";
 export interface OpenClawBrainHookInspection {
     scope: "exact_openclaw_home" | "activation_root_only";
@@ -24,6 +26,10 @@ export interface OpenClawBrainHookInspection {
 }
 export interface OpenClawBrainHookLoadSummary extends OpenClawBrainHookInspection {
     loadProof: OpenClawBrainHookLoadProof;
+    guardSeverity: OpenClawBrainHookGuardSeverity;
+    guardActionability: OpenClawBrainHookGuardActionability;
+    guardSummary: string;
+    guardAction: string;
 }
 export declare function inspectOpenClawBrainPluginAllowlist(openclawHome: string): {
     state: Exclude<OpenClawBrainPluginAllowlistState, "unverified">;

package/dist/src/openclaw-hook-truth.js

@@ -74,6 +74,32 @@ function describeAdditionalInstallDetail(additionalInstalls) {
         .map((install) => `${shortenPath(install.extensionDir)} (${describeOpenClawBrainInstallLayout(install.installLayout)}, ${describeOpenClawBrainInstallIdentity(install)})`)
         .join(", ")}`;
 }
+function summarizeOpenClawBrainHookGuard(inspection) {
+    if (inspection.scope === "activation_root_only") {
+        return {
+            guardSeverity: "degraded",
+            guardActionability: "pin_openclaw_home",
+            guardSummary: "current-profile hook state is not self-proven from this status scope",
+            guardAction: "Rerun status with --openclaw-home <path> to prove the current profile hook."
+        };
+    }
+    if (inspection.installState === "installed" && inspection.loadability === "loadable") {
+        return {
+            guardSeverity: "none",
+            guardActionability: "none",
+            guardSummary: "profile hook is installed and loadable",
+            guardAction: "none"
+        };
+    }
+    return {
+        guardSeverity: "blocking",
+        guardActionability: "repair_install",
+        guardSummary: inspection.installState === "not_installed"
+            ? "profile hook is missing or incomplete"
+            : "profile hook is present but OpenClaw will not load it",
+        guardAction: "Run openclawbrain install --openclaw-home <path> to repair the installed hook."
+    };
+}
 export function inspectOpenClawBrainPluginAllowlist(openclawHome) {
     const { path: openclawJsonPath, config } = readOpenClawJsonConfig(openclawHome);
     const installedPlugin = findInstalledOpenClawBrainPlugin(openclawHome);
@@ -252,6 +278,7 @@ export function inspectOpenClawBrainHookStatus(openclawHome) {
 export function summarizeOpenClawBrainHookLoad(inspection, statusProbeReady) {
     return {
         ...inspection,
+        ...summarizeOpenClawBrainHookGuard(inspection),
         loadProof: inspection.loadability === "loadable" && statusProbeReady
             ? "status_probe_ready"
             : "not_ready"

package/dist/src/proof-command.js

@@ -19,6 +19,22 @@ function normalizeOptionalCliString(value) {
     return trimmed.length > 0 ? trimmed : null;
 }
 
+function normalizeReportedProofPath(filePath) {
+    const normalizedPath = normalizeOptionalCliString(filePath);
+    if (normalizedPath === null) {
+        return null;
+    }
+    if (normalizedPath === "~") {
+        return homedir();
+    }
+    if (normalizedPath.startsWith("~/")) {
+        return path.join(homedir(), normalizedPath.slice(2));
+    }
+    return path.isAbsolute(normalizedPath)
+        ? normalizedPath
+        : path.resolve(normalizedPath);
+}
+
 function canonicalizeExistingProofPath(filePath) {
     const resolvedPath = path.resolve(filePath);
     try {
@@ -191,6 +207,12 @@ function readJsonSnapshot(filePath) {
     }
 }
 
+function describeStepWarning(step) {
+    return step.captureState === "partial"
+        ? `${step.stepId} ended as ${step.resultClass} with partial capture`
+        : `${step.stepId} ended as ${step.resultClass}`;
+}
+
 function extractStartupBreadcrumbs(logText, bundleStartedAtIso) {
     if (!logText) {
         return { all: [], afterBundleStart: [] };
@@ -230,6 +252,135 @@ function extractStatusSignals(statusText) {
         serveActivePack: /serve\s+state=serving_active_pack/.test(statusText),
         routeFnAvailable: /routeFn\s+available=yes/.test(statusText),
         proofPath: statusText.match(/proofPath=([^\s]+)/)?.[1] ?? null,
+        proofError: statusText.match(/proofError=([^\s]+)/)?.[1] ?? null,
+    };
+}
+function extractDetailedStatusLine(statusText, prefix) {
+    const normalizedPrefix = `${prefix} `;
+    return statusText.split(/\r?\n/).find((line) => line.startsWith(normalizedPrefix)) ?? null;
+}
+function extractKeyValuePairs(line) {
+    if (typeof line !== "string") {
+        return {};
+    }
+    const pairs = {};
+    for (const match of line.matchAll(/([A-Za-z][A-Za-z0-9]*)=([^\s]+)/g)) {
+        pairs[match[1]] = match[2];
+    }
+    return pairs;
+}
+function extractAttachedProfileCoverageEntries(line) {
+    if (typeof line !== "string") {
+        return [];
+    }
+    const normalized = line.replace(/^attachedSet\s+/, "");
+    const proofPathIndex = normalized.indexOf(" proofPath=");
+    const entriesText = (proofPathIndex === -1 ? normalized : normalized.slice(0, proofPathIndex)).trim();
+    if (entriesText.length === 0 || entriesText === "none") {
+        return [];
+    }
+    const entries = [];
+    let index = 0;
+    while (index < entriesText.length) {
+        while (index < entriesText.length && entriesText[index] === " ") {
+            index += 1;
+        }
+        if (index >= entriesText.length) {
+            break;
+        }
+        const bracketStart = entriesText.indexOf("[", index);
+        if (bracketStart === -1) {
+            break;
+        }
+        const bracketEnd = entriesText.indexOf("]", bracketStart + 1);
+        if (bracketEnd === -1) {
+            break;
+        }
+        const rawLabel = entriesText.slice(index, bracketStart).trim();
+        const fields = extractKeyValuePairs(entriesText.slice(bracketStart + 1, bracketEnd));
+        entries.push({
+            label: rawLabel.replace(/^\*/, "").trim(),
+            current: rawLabel.startsWith("*"),
+            hookFiles: fields.hook ?? "unknown",
+            configLoad: fields.config ?? "unknown",
+            runtimeLoad: fields.runtime ?? "unknown",
+            loadedAt: fields.loadedAt ?? null,
+            coverageState: fields.hook === "present" && fields.config === "allows_load" && fields.runtime === "proven"
+                ? "covered"
+                : "attention"
+        });
+        index = bracketEnd + 1;
+    }
+    return entries;
+}
+function buildCoverageSnapshot({ attachedSetLine, runtimeLoadProofSnapshot, openclawHome }) {
+    const parsedEntries = extractAttachedProfileCoverageEntries(attachedSetLine);
+    const proofProfiles = Array.isArray(runtimeLoadProofSnapshot?.value?.profiles)
+        ? runtimeLoadProofSnapshot.value.profiles
+        : [];
+    const profiles = parsedEntries.length > 0
+        ? parsedEntries
+        : proofProfiles.map((profile) => ({
+            label: `${profile?.profileId ?? "current_profile"}@${canonicalizeExistingProofPath(profile?.openclawHome ?? "")}`,
+            current: canonicalizeExistingProofPath(profile?.openclawHome ?? "") === canonicalizeExistingProofPath(openclawHome),
+            hookFiles: "unknown",
+            configLoad: "unknown",
+            runtimeLoad: "proven",
+            loadedAt: profile?.loadedAt ?? null,
+            coverageState: "covered"
+        }));
+    const runtimeProvenCount = profiles.filter((entry) => entry.runtimeLoad === "proven").length;
+    return {
+        contract: "openclaw_operator_profile_coverage_snapshot.v1",
+        generatedAt: new Date().toISOString(),
+        openclawHome: canonicalizeExistingProofPath(openclawHome),
+        attachedProfileCount: profiles.length,
+        runtimeProofProfileCount: proofProfiles.length,
+        hookReadyCount: profiles.filter((entry) => entry.hookFiles === "present").length,
+        configReadyCount: profiles.filter((entry) => entry.configLoad === "allows_load").length,
+        runtimeProvenCount,
+        coverageRate: profiles.length === 0 ? null : runtimeProvenCount / profiles.length,
+        profiles
+    };
+}
+function buildHardeningSnapshot({ attachTruthLine, serveLine, routeFnLine, verdict, statusSignals }) {
+    const attachTruth = extractKeyValuePairs(attachTruthLine);
+    const serve = extractKeyValuePairs(serveLine);
+    const routeFn = extractKeyValuePairs(routeFnLine);
+    return {
+        contract: "openclaw_operator_hardening_snapshot.v1",
+        generatedAt: new Date().toISOString(),
+        statusSignals: {
+            statusOk: statusSignals.statusOk,
+            loadProofReady: statusSignals.loadProofReady,
+            runtimeProven: statusSignals.runtimeProven,
+            serveActivePack: statusSignals.serveActivePack,
+            routeFnAvailable: statusSignals.routeFnAvailable,
+        },
+        attachTruth: {
+            current: attachTruth.current ?? null,
+            hook: attachTruth.hook ?? null,
+            config: attachTruth.config ?? null,
+            runtime: attachTruth.runtime ?? null,
+            watcher: attachTruth.watcher ?? null,
+        },
+        serve: {
+            state: serve.state ?? null,
+            failOpen: serve.failOpen ?? null,
+            hardFail: serve.hardFail ?? null,
+            usedRouteFn: serve.usedRouteFn ?? null,
+            awaitingFirstExport: serve.awaitingFirstExport ?? null,
+        },
+        routeFn: {
+            available: routeFn.available ?? null,
+            freshness: routeFn.freshness ?? null,
+        },
+        verdict: {
+            verdict: verdict.verdict,
+            severity: verdict.severity,
+            missingProofCount: Array.isArray(verdict.missingProofs) ? verdict.missingProofs.length : 0,
+            warningCount: Array.isArray(verdict.warnings) ? verdict.warnings.length : 0,
+        }
     };
 }
 
@@ -238,69 +389,106 @@ function hasPackagedHookSource(pluginInspectText) {
 }
 
 function buildVerdict({ steps, gatewayStatus, pluginInspect, statusSignals, breadcrumbs, runtimeLoadProofSnapshot, openclawHome }) {
-    const failedStep = steps.find((step) => step.resultClass !== "success" && step.skipped !== true);
-    if (failedStep) {
-        return {
-            verdict: "command_failed",
-            severity: "blocking",
-            why: `${failedStep.stepId} exited as ${failedStep.resultClass}`,
-        };
-    }
+    const failedSteps = steps.filter((step) => step.resultClass !== "success" && step.skipped !== true);
+    const failedDetailedStatusStep = failedSteps.find((step) => step.stepId === "05-detailed-status");
     const gatewayHealthy = /Runtime:\s+running/m.test(gatewayStatus) && /RPC probe:\s+ok/m.test(gatewayStatus);
     const pluginLoaded = /Status:\s+loaded/m.test(pluginInspect);
     const packagedHookPath = hasPackagedHookSource(pluginInspect);
     const breadcrumbLoaded = breadcrumbs.afterBundleStart.some((entry) => entry.kind === "loaded");
     const runtimeProofMatched = Array.isArray(runtimeLoadProofSnapshot?.value?.profiles)
         && runtimeLoadProofSnapshot.value.profiles.some((profile) => canonicalizeExistingProofPath(profile?.openclawHome ?? "") === canonicalizeExistingProofPath(openclawHome));
-    const missingProofs = [];
-    if (!gatewayHealthy)
-        missingProofs.push("gateway_health");
-    if (!pluginLoaded)
-        missingProofs.push("plugin_loaded");
-    if (!packagedHookPath)
-        missingProofs.push("packaged_hook_path");
+    const runtimeTruthGaps = [];
     if (!statusSignals.statusOk)
-        missingProofs.push("status_ok");
+        runtimeTruthGaps.push("status_ok");
     if (!statusSignals.loadProofReady)
-        missingProofs.push("load_proof");
+        runtimeTruthGaps.push("load_proof");
     if (!statusSignals.runtimeProven)
-        missingProofs.push("runtime_proven");
+        runtimeTruthGaps.push("runtime_proven");
     if (!statusSignals.serveActivePack)
-        missingProofs.push("serve_active_pack");
+        runtimeTruthGaps.push("serve_active_pack");
     if (!statusSignals.routeFnAvailable)
-        missingProofs.push("route_fn");
-    if (!breadcrumbLoaded)
-        missingProofs.push("startup_breadcrumb");
-    if (!runtimeProofMatched)
-        missingProofs.push("runtime_load_proof_record");
-    if (missingProofs.length === 0) {
+        runtimeTruthGaps.push("route_fn");
+    const warningCodes = [];
+    const warnings = [];
+    if (!gatewayHealthy) {
+        warningCodes.push("gateway_health");
+        warnings.push("gateway status did not confirm runtime running and RPC probe ok");
+    }
+    if (!pluginLoaded) {
+        warningCodes.push("plugin_loaded");
+        warnings.push("plugin inspect did not report Status: loaded");
+    }
+    if (!packagedHookPath) {
+        warningCodes.push("packaged_hook_path");
+        warnings.push("plugin inspect did not confirm the packaged hook source");
+    }
+    if (!breadcrumbLoaded) {
+        warningCodes.push("startup_breadcrumb");
+        warnings.push("startup log did not contain a post-bundle [openclawbrain] BRAIN LOADED breadcrumb");
+    }
+    if (!runtimeProofMatched) {
+        warningCodes.push("runtime_load_proof_record");
+        warnings.push(runtimeLoadProofSnapshot.error !== null
+            ? `runtime-load-proof snapshot was unreadable: ${runtimeLoadProofSnapshot.error}`
+            : runtimeLoadProofSnapshot.exists
+                ? "runtime-load-proof snapshot did not include the current openclaw home"
+                : "runtime-load-proof snapshot was missing");
+    }
+    if (statusSignals.proofError !== null && statusSignals.proofError !== "none") {
+        warningCodes.push(`proof_error:${statusSignals.proofError}`);
+        warnings.push(`detailed status reported proofError=${statusSignals.proofError}`);
+    }
+    for (const step of failedSteps) {
+        warningCodes.push(`step:${step.stepId}:${step.resultClass}:${step.captureState}`);
+        warnings.push(describeStepWarning(step));
+    }
+    const uniqueWarningCodes = [...new Set(warningCodes)];
+    const uniqueWarnings = [...new Set(warnings)];
+    if (runtimeTruthGaps.length === 0 && uniqueWarningCodes.length === 0) {
         return {
             verdict: "success_and_proven",
             severity: "none",
             why: "install, restart, gateway health, plugin load, startup breadcrumb, runtime-load-proof record, and detailed status all aligned",
+            missingProofs: [],
+            warnings: [],
+        };
+    }
+    if (runtimeTruthGaps.length === 0) {
+        return {
+            verdict: "success_but_proof_incomplete",
+            severity: "degraded",
+            why: `status/runtime evidence stayed healthy, but proof warnings remained: ${uniqueWarningCodes.join(", ")}`,
+            missingProofs: uniqueWarningCodes,
+            warnings: uniqueWarnings,
+        };
+    }
+    const hasUsableStatusTruth = statusSignals.statusOk
+        || statusSignals.loadProofReady
+        || statusSignals.runtimeProven
+        || statusSignals.serveActivePack
+        || statusSignals.routeFnAvailable;
+    if (failedDetailedStatusStep && !hasUsableStatusTruth) {
+        return {
+            verdict: "command_failed",
+            severity: "blocking",
+            why: `${failedDetailedStatusStep.stepId} ended as ${failedDetailedStatusStep.resultClass} before runtime truth could be established`,
+            missingProofs: runtimeTruthGaps,
+            warnings: uniqueWarnings,
         };
     }
-    const blocking = missingProofs.some((item) => [
-        "gateway_health",
-        "plugin_loaded",
-        "packaged_hook_path",
-        "status_ok",
-        "load_proof",
-        "runtime_proven",
-        "serve_active_pack",
-        "route_fn",
-    ].includes(item));
     return {
-        verdict: blocking ? "degraded_or_failed_proof" : "success_but_proof_incomplete",
-        severity: blocking ? "blocking" : "degraded",
-        why: `missing or conflicting proofs: ${missingProofs.join(", ")}`,
-        missingProofs,
+        verdict: "degraded_or_failed_proof",
+        severity: "blocking",
+        why: `missing or conflicting runtime truths: ${runtimeTruthGaps.join(", ")}`,
+        missingProofs: [...new Set([...runtimeTruthGaps, ...uniqueWarningCodes])],
+        warnings: uniqueWarnings,
     };
 }
 
-function buildSummary({ options, steps, verdict, gatewayStatusText, pluginInspectText, statusSignals, breadcrumbs, runtimeLoadProofSnapshot }) {
+function buildSummary({ options, steps, verdict, gatewayStatusText, pluginInspectText, statusSignals, breadcrumbs, runtimeLoadProofSnapshot, guardLine, attributionLine, learningPathLine, coverageSnapshot, hardeningSnapshot }) {
     const passed = [];
     const missing = [];
+    const warnings = Array.isArray(verdict.warnings) ? verdict.warnings : [];
     if (steps.find((step) => step.stepId === "01-install")?.resultClass === "success") {
         passed.push("install command succeeded");
     }
@@ -350,6 +538,36 @@ function buildSummary({ options, steps, verdict, gatewayStatusText, pluginInspec
         "## Missing / incomplete",
         ...(missing.length === 0 ? ["- none"] : missing.map((item) => `- ${item}`)),
         "",
+        "## Warnings",
+        ...(warnings.length === 0 ? ["- none"] : warnings.map((item) => `- ${item}`)),
+        "",
+        "## Runtime Guard",
+        ...(guardLine === null
+            ? ["- runtime guard line not reported by detailed status"]
+            : [`- ${guardLine}`]),
+        "",
+        "## Learning Attribution",
+        ...(attributionLine === null
+            ? ["- attribution line not reported by detailed status"]
+            : [`- ${attributionLine}`]),
+        ...(learningPathLine === null
+            ? []
+            : [`- ${learningPathLine}`]),
+        "",
+        "## Coverage snapshot",
+        `- attached profiles: ${coverageSnapshot.attachedProfileCount}`,
+        `- runtime-proven profiles: ${coverageSnapshot.runtimeProvenCount}/${coverageSnapshot.attachedProfileCount}`,
+        `- coverage rate: ${coverageSnapshot.coverageRate === null ? "none" : coverageSnapshot.coverageRate.toFixed(3)}`,
+        ...(coverageSnapshot.profiles.length === 0
+            ? ["- per-profile: none"]
+            : coverageSnapshot.profiles.map((entry) => `- ${entry.current ? "*" : ""}${entry.label} coverage=${entry.coverageState} hook=${entry.hookFiles} config=${entry.configLoad} runtime=${entry.runtimeLoad} loadedAt=${entry.loadedAt ?? "none"}`)),
+        "",
+        "## Hardening snapshot",
+        `- status signals: statusOk=${hardeningSnapshot.statusSignals.statusOk} loadProofReady=${hardeningSnapshot.statusSignals.loadProofReady} runtimeProven=${hardeningSnapshot.statusSignals.runtimeProven} serveActivePack=${hardeningSnapshot.statusSignals.serveActivePack} routeFnAvailable=${hardeningSnapshot.statusSignals.routeFnAvailable}`,
+        `- serve: state=${hardeningSnapshot.serve.state ?? "none"} failOpen=${hardeningSnapshot.serve.failOpen ?? "none"} hardFail=${hardeningSnapshot.serve.hardFail ?? "none"} usedRouteFn=${hardeningSnapshot.serve.usedRouteFn ?? "none"}`,
+        `- attachTruth: current=${hardeningSnapshot.attachTruth.current ?? "none"} hook=${hardeningSnapshot.attachTruth.hook ?? "none"} config=${hardeningSnapshot.attachTruth.config ?? "none"} runtime=${hardeningSnapshot.attachTruth.runtime ?? "none"}`,
+        `- proof verdict: ${hardeningSnapshot.verdict.verdict} severity=${hardeningSnapshot.verdict.severity} warnings=${hardeningSnapshot.verdict.warningCount}`,
+        "",
         "## Step ledger",
         ...steps.map((step) => `- ${step.stepId}: ${step.skipped ? "skipped" : `${step.resultClass} (${step.captureState})`} - ${step.summary}`),
     ];
@@ -570,15 +788,29 @@ export function captureOperatorProofBundle(options) {
     const statusCapture = addStep("05-detailed-status", "detailed status", cliInvocation.command, [...cliInvocation.args, "status", "--openclaw-home", options.openclawHome, "--detailed"]);
     const gatewayLogPath = extractGatewayLogPath(gatewayStatusCapture.stdout);
     const activationRoot = extractActivationRoot(statusCapture.stdout, options.activationRoot ?? null);
-    const runtimeLoadProofPath = path.join(activationRoot, "attachment-truth", "runtime-load-proofs.json");
+    const statusSignals = extractStatusSignals(statusCapture.stdout);
+    const attachTruthLine = extractDetailedStatusLine(statusCapture.stdout, "attachTruth");
+    const attachedSetLine = extractDetailedStatusLine(statusCapture.stdout, "attachedSet");
+    const serveLine = extractDetailedStatusLine(statusCapture.stdout, "serve");
+    const routeFnLine = extractDetailedStatusLine(statusCapture.stdout, "routeFn");
+    const guardLine = extractDetailedStatusLine(statusCapture.stdout, "guard");
+    const attributionLine = extractDetailedStatusLine(statusCapture.stdout, "attribution");
+    const learningPathLine = extractDetailedStatusLine(statusCapture.stdout, "path");
+    const runtimeLoadProofPath = normalizeReportedProofPath(statusSignals.proofPath)
+        ?? path.join(activationRoot, "attachment-truth", "runtime-load-proofs.json");
     const runtimeLoadProofSnapshot = readJsonSnapshot(runtimeLoadProofPath);
     const gatewayLogText = readTextIfExists(gatewayLogPath);
     const breadcrumbs = extractStartupBreadcrumbs(gatewayLogText, bundleStartedAt);
-    const statusSignals = extractStatusSignals(statusCapture.stdout);
+    const coverageSnapshot = buildCoverageSnapshot({
+        attachedSetLine,
+        runtimeLoadProofSnapshot,
+        openclawHome: options.openclawHome,
+    });
     writeText(path.join(bundleDir, "extracted-startup-breadcrumbs.log"), breadcrumbs.all.length === 0
         ? "<no matching breadcrumbs found>\n"
         : `${breadcrumbs.all.map((entry) => entry.line).join("\n")}\n`);
     writeJson(path.join(bundleDir, "runtime-load-proof.json"), runtimeLoadProofSnapshot);
+    writeJson(path.join(bundleDir, "coverage-snapshot.json"), coverageSnapshot);
     const verdict = buildVerdict({
         steps,
         gatewayStatus: gatewayStatusCapture.stdout,
@@ -588,6 +820,13 @@ export function captureOperatorProofBundle(options) {
         runtimeLoadProofSnapshot,
         openclawHome: options.openclawHome,
     });
+    const hardeningSnapshot = buildHardeningSnapshot({
+        attachTruthLine,
+        serveLine,
+        routeFnLine,
+        verdict,
+        statusSignals,
+    });
     writeJson(path.join(bundleDir, "steps.json"), {
         bundleStartedAt,
         openclawHome: canonicalizeExistingProofPath(options.openclawHome),
@@ -600,6 +839,8 @@ export function captureOperatorProofBundle(options) {
         bundleStartedAt,
         verdict,
         statusSignals,
+        coverageSnapshot,
+        hardeningSnapshot,
         breadcrumbs: {
             allCount: breadcrumbs.all.length,
             postBundleCount: breadcrumbs.afterBundleStart.length,
@@ -607,7 +848,11 @@ export function captureOperatorProofBundle(options) {
         },
         runtimeLoadProofPath,
         runtimeLoadProofError: runtimeLoadProofSnapshot.error,
+        guardLine,
+        attributionLine,
+        learningPathLine,
     });
+    writeJson(path.join(bundleDir, "hardening-snapshot.json"), hardeningSnapshot);
     writeText(path.join(bundleDir, "summary.md"), buildSummary({
         options,
         steps,
@@ -617,6 +862,11 @@ export function captureOperatorProofBundle(options) {
         statusSignals,
         breadcrumbs,
         runtimeLoadProofSnapshot,
+        guardLine,
+        attributionLine,
+        learningPathLine,
+        coverageSnapshot,
+        hardeningSnapshot,
     }));
     return {
         ok: true,
@@ -627,14 +877,21 @@ export function captureOperatorProofBundle(options) {
         gatewayLogPath,
         runtimeLoadProofPath,
         runtimeLoadProofSnapshot,
+        coverageSnapshot,
+        hardeningSnapshot,
         verdict,
         statusSignals,
+        guardLine,
+        attributionLine,
+        learningPathLine,
         steps,
         summaryPath: path.join(bundleDir, "summary.md"),
         stepsPath: path.join(bundleDir, "steps.json"),
         verdictPath: path.join(bundleDir, "verdict.json"),
         breadcrumbPath: path.join(bundleDir, "extracted-startup-breadcrumbs.log"),
         runtimeLoadProofSnapshotPath: path.join(bundleDir, "runtime-load-proof.json"),
+        coverageSnapshotPath: path.join(bundleDir, "coverage-snapshot.json"),
+        hardeningSnapshotPath: path.join(bundleDir, "hardening-snapshot.json"),
     };
 }
 
@@ -649,6 +906,8 @@ export function formatOperatorProofResult(result) {
         `  Verdict: ${result.verdictPath}`,
         `  Breadcrumbs: ${result.breadcrumbPath}`,
         `  Runtime proof: ${result.runtimeLoadProofSnapshotPath}`,
+        `  Coverage snapshot: ${result.coverageSnapshotPath}`,
+        `  Hardening snapshot: ${result.hardeningSnapshotPath}`,
     ];
     return lines.join("\n");
 }