@openthink/stamp 1.10.0 → 2.0.1

package/dist/hooks/pre-receive.cjs

@@ -9,6 +9,10 @@ var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -25,6 +29,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
   mod
 ));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // node_modules/yaml/dist/nodes/identity.js
 var require_identity = __commonJS({
@@ -7329,8 +7334,24 @@ var require_dist = __commonJS({
 });
 
 // src/hooks/pre-receive.ts
-var import_node_child_process = require("child_process");
-var import_yaml4 = __toESM(require_dist(), 1);
+var pre_receive_exports = {};
+__export(pre_receive_exports, {
+  parsePathRules: () => parsePathRules,
+  verifyV4ApprovalSignatures: () => verifyV4ApprovalSignatures,
+  verifyV4Approvals: () => verifyV4Approvals,
+  verifyV4Checks: () => verifyV4Checks,
+  verifyV4DiffHash: () => verifyV4DiffHash,
+  verifyV4MergeStructure: () => verifyV4MergeStructure,
+  verifyV4OuterSignature: () => verifyV4OuterSignature,
+  verifyV4SignerTrust: () => verifyV4SignerTrust,
+  verifyV4StampPathsGuard: () => verifyV4StampPathsGuard,
+  verifyV4TargetBranch: () => verifyV4TargetBranch,
+  verifyV4TrustAnchorSignatures: () => verifyV4TrustAnchorSignatures
+});
+module.exports = __toCommonJS(pre_receive_exports);
+var import_node_child_process3 = require("child_process");
+var import_node_url = require("url");
+var import_yaml5 = __toESM(require_dist(), 1);
 
 // src/lib/attestation.ts
 var MIN_ACCEPTED_PAYLOAD_VERSION = 3;
@@ -7358,6 +7379,26 @@ function parseCommitAttestation(commitMessage) {
   return { payload, payloadBytes, signatureBase64: b64Sig };
 }
 
+// src/lib/attestationV4.ts
+var MIN_ACCEPTED_V4_SCHEMA_VERSION = 4;
+var MAX_V4_ENVELOPE_BYTES = 64 * 1024;
+function sortKeysDeep(value) {
+  if (value === null || typeof value !== "object") return value;
+  if (Array.isArray(value)) return value.map(sortKeysDeep);
+  const obj = value;
+  const out = {};
+  for (const key of Object.keys(obj).sort()) {
+    out[key] = sortKeysDeep(obj[key]);
+  }
+  return out;
+}
+function canonicalSerializeApproval(a) {
+  return Buffer.from(JSON.stringify(sortKeysDeep(a)), "utf8");
+}
+function canonicalSerializePayload(p) {
+  return Buffer.from(JSON.stringify(sortKeysDeep(p)), "utf8");
+}
+
 // src/lib/keys.ts
 var import_node_crypto = require("crypto");
 var import_node_fs2 = require("fs");
@@ -7488,7 +7529,622 @@ function verifyBytes(publicKeyPem, data, signatureBase64) {
   return (0, import_node_crypto3.verify)(null, data, key, sig);
 }
 
+// src/lib/trustedKeysManifest.ts
+var import_node_crypto4 = require("crypto");
+var import_yaml4 = __toESM(require_dist(), 1);
+var KNOWN_CAPABILITIES = ["admin", "operator", "server"];
+var MAX_MANIFEST_BYTES = 256 * 1024;
+var MAX_MANIFEST_ENTRIES = 1e4;
+var FINGERPRINT_PATTERN = /^sha256:[0-9a-f]{64}$/;
+var NAME_PATTERN = /^[A-Za-z0-9_.-]+$/;
+function parseManifest(yamlText) {
+  if (typeof yamlText !== "string") return null;
+  if (Buffer.byteLength(yamlText, "utf8") > MAX_MANIFEST_BYTES) return null;
+  let parsed;
+  try {
+    parsed = (0, import_yaml4.parse)(yamlText);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return null;
+  }
+  const top = parsed;
+  const rawKeys = top.keys;
+  if (!rawKeys || typeof rawKeys !== "object" || Array.isArray(rawKeys)) {
+    return null;
+  }
+  const names = Object.keys(rawKeys);
+  if (names.length === 0) return null;
+  if (names.length > MAX_MANIFEST_ENTRIES) return null;
+  const fingerprintsSeen = /* @__PURE__ */ new Set();
+  const entries = [];
+  for (const name of names) {
+    if (!NAME_PATTERN.test(name)) return null;
+    const def = rawKeys[name];
+    if (!def || typeof def !== "object" || Array.isArray(def)) return null;
+    const d = def;
+    if (typeof d.fingerprint !== "string") return null;
+    if (!FINGERPRINT_PATTERN.test(d.fingerprint)) return null;
+    if (fingerprintsSeen.has(d.fingerprint)) return null;
+    fingerprintsSeen.add(d.fingerprint);
+    if (!Array.isArray(d.capabilities)) return null;
+    if (d.capabilities.length === 0) return null;
+    const capSet = /* @__PURE__ */ new Set();
+    for (const cap of d.capabilities) {
+      if (typeof cap !== "string") return null;
+      if (!isKnownCapability(cap)) return null;
+      capSet.add(cap);
+    }
+    const capabilities = [...capSet].sort();
+    let role_source;
+    if (d.role_source !== void 0) {
+      if (typeof d.role_source !== "string" || d.role_source.length === 0) {
+        return null;
+      }
+      role_source = d.role_source;
+    }
+    entries.push({
+      name,
+      fingerprint: d.fingerprint,
+      capabilities,
+      ...role_source !== void 0 ? { role_source } : {}
+    });
+  }
+  entries.sort((a, b) => a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
+  return { entries };
+}
+function isKnownCapability(s) {
+  return KNOWN_CAPABILITIES.includes(s);
+}
+function serializeManifestCanonical(manifest) {
+  const sortedEntries = [...manifest.entries].sort(
+    (a, b) => a.name < b.name ? -1 : a.name > b.name ? 1 : 0
+  );
+  const keys = {};
+  for (const e of sortedEntries) {
+    const entry = {
+      capabilities: [...e.capabilities].sort(),
+      fingerprint: e.fingerprint
+    };
+    if (e.role_source !== void 0) {
+      entry.role_source = e.role_source;
+    }
+    keys[e.name] = entry;
+  }
+  const canonical = { keys };
+  return Buffer.from(JSON.stringify(canonical), "utf8");
+}
+function snapshotSha256(manifest) {
+  const bytes = serializeManifestCanonical(manifest);
+  const hex = (0, import_node_crypto4.createHash)("sha256").update(bytes).digest("hex");
+  return `sha256:${hex}`;
+}
+function resolveCapability(manifest, fingerprint) {
+  for (const entry of manifest.entries) {
+    if (entry.fingerprint === fingerprint) {
+      return [...entry.capabilities];
+    }
+  }
+  return null;
+}
+
+// src/lib/v4Trust.ts
+var import_node_child_process2 = require("child_process");
+var import_node_crypto6 = require("crypto");
+
+// src/lib/sshReviewClient.ts
+var import_node_crypto5 = require("crypto");
+var import_node_child_process = require("child_process");
+function buildPubkeyMap(pubFilenames, readAtBase) {
+  const out = /* @__PURE__ */ new Map();
+  for (const name of pubFilenames) {
+    if (!name.endsWith(".pub")) continue;
+    let pem;
+    try {
+      pem = readAtBase(`.stamp/trusted-keys/${name}`);
+    } catch {
+      continue;
+    }
+    let fp;
+    try {
+      fp = fingerprintFromPem(pem);
+    } catch {
+      continue;
+    }
+    out.set(fp, pem);
+  }
+  return out;
+}
+
+// src/lib/v4Trust.ts
+var COMMIT_PHASES_V4 = [
+  { name: "verifyV4MergeStructure", fn: verifyV4MergeStructure },
+  { name: "verifyV4TargetBranch", fn: verifyV4TargetBranch },
+  { name: "verifyV4SignerTrust", fn: verifyV4SignerTrust },
+  { name: "verifyV4OuterSignature", fn: verifyV4OuterSignature },
+  { name: "verifyV4Approvals", fn: verifyV4Approvals },
+  { name: "verifyV4DiffHash", fn: verifyV4DiffHash },
+  { name: "verifyV4ApprovalSignatures", fn: verifyV4ApprovalSignatures },
+  { name: "verifyV4Checks", fn: verifyV4Checks },
+  // Runs before verifyV4StampPathsGuard for UX (clearer error message
+  // on forged sigs); the guard is correct out-of-order too.
+  { name: "verifyV4TrustAnchorSignatures", fn: verifyV4TrustAnchorSignatures },
+  // Independently re-verifies trust-anchor signatures — see the
+  // ORDERING note above. Phase ordering is not security-load-bearing.
+  { name: "verifyV4StampPathsGuard", fn: verifyV4StampPathsGuard }
+];
+var PR_MODE_PHASES_V4 = COMMIT_PHASES_V4.filter((p) => p.name !== "verifyV4MergeStructure");
+function verifyV4MergeStructure(input) {
+  const { sha, branch, payload } = input;
+  const parents = run(["rev-list", "--parents", "-n", "1", sha]).trim().split(/\s+/).slice(1);
+  if (parents.length !== 2) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)} is not a merge commit (has ${parents.length} parent(s)). Every commit to '${branch}' must be a --no-ff merge.`
+    };
+  }
+  const [parent0, parent1] = parents;
+  if (parent1 !== payload.head_sha) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 second parent (${parent1.slice(0, 8)}) != payload.head_sha (${payload.head_sha.slice(0, 8)})`
+    };
+  }
+  const mergeBase = run(["merge-base", parent0, parent1]).trim();
+  if (mergeBase !== payload.base_sha) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 merge-base(${parent0.slice(0, 8)}, ${parent1.slice(0, 8)}) = ${mergeBase.slice(0, 8)} != payload.base_sha (${payload.base_sha.slice(0, 8)})`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4TargetBranch(input) {
+  const { sha, branch, payload } = input;
+  if (payload.target_branch !== branch) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 payload.target_branch ("${payload.target_branch}") does not match the branch being pushed ("${branch}")`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4SignerTrust(input) {
+  const { sha, payload, manifest, pubkeyByFingerprint } = input;
+  const caps = resolveCapability(manifest, payload.signer_key_id);
+  if (caps === null) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 signer key ${payload.signer_key_id} is not listed in .stamp/trusted-keys/manifest.yml at base ${payload.base_sha.slice(0, 8)}`
+    };
+  }
+  if (!caps.includes("admin") && !caps.includes("operator")) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 signer key ${payload.signer_key_id} has capabilities [${caps.join(", ")}] in the manifest at base ${payload.base_sha.slice(0, 8)} \u2014 needs 'admin' or 'operator' to sign a v4 envelope. Update the manifest entry and re-merge.`
+    };
+  }
+  if (!pubkeyByFingerprint.has(payload.signer_key_id)) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 signer key ${payload.signer_key_id} is in the manifest but no matching .pub file exists in .stamp/trusted-keys/ at base ${payload.base_sha.slice(0, 8)}. Commit the public key alongside the manifest entry and re-merge.`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4OuterSignature(input) {
+  const { sha, payload, payloadBytes, signatureBase64, pubkeyByFingerprint } = input;
+  const pem = pubkeyByFingerprint.get(payload.signer_key_id);
+  let sigValid = false;
+  try {
+    sigValid = verifyBytes(pem, payloadBytes, signatureBase64);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 outer signature verification threw \u2014 ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  if (!sigValid) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 outer Ed25519 signature does not verify against the operator's trusted key ${payload.signer_key_id}`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4Approvals(input) {
+  const { sha, payload, rule } = input;
+  const approvedReviewers = new Set(
+    payload.approvals.filter((a) => a.approval.verdict === "approved").map((a) => a.approval.reviewer)
+  );
+  const missing = rule.required.filter((r) => !approvedReviewers.has(r));
+  if (missing.length > 0) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 missing required approvals \u2014 ${missing.join(", ")}`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4DiffHash(input) {
+  const { sha, payload } = input;
+  let diffText;
+  try {
+    diffText = run(["diff", `${payload.base_sha}...${payload.head_sha}`]);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 unable to compute base...head diff \u2014 ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  const actualDiffSha256 = (0, import_node_crypto6.createHash)("sha256").update(Buffer.from(diffText, "utf8")).digest("hex");
+  if (actualDiffSha256 !== payload.diff_sha256) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 diff_sha256 mismatch \u2014 payload claims ${payload.diff_sha256.slice(0, 12)}\u2026 but base...head hashes to ${actualDiffSha256.slice(0, 12)}\u2026. The operator signed against a different diff than what the commit actually merges.`
+    };
+  }
+  for (const entry of payload.approvals) {
+    if (entry.approval.diff_sha256 !== actualDiffSha256) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval for "${entry.approval.reviewer}" was server-signed against diff_sha256 ${entry.approval.diff_sha256.slice(0, 12)}\u2026 but base...head hashes to ${actualDiffSha256.slice(0, 12)}\u2026. The server's verdict is for a different diff.`
+      };
+    }
+  }
+  return { ok: true };
+}
+function verifyV4ApprovalSignatures(input) {
+  const { sha, payload, manifest, pubkeyByFingerprint } = input;
+  const manifestSnapshot = snapshotSha256(manifest);
+  const reviewerDefs = readReviewerDefsAtRef(payload.base_sha);
+  for (const entry of payload.approvals) {
+    const a = entry.approval;
+    const reviewerLabel = `"${a.reviewer}"`;
+    if (a.base_sha !== payload.base_sha) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel} was signed against base_sha ${a.base_sha.slice(0, 8)} but envelope's base_sha is ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    if (a.head_sha !== payload.head_sha) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel} was signed against head_sha ${a.head_sha.slice(0, 8)} but envelope's head_sha is ${payload.head_sha.slice(0, 8)}`
+      };
+    }
+    if (entry.server_attestation.server_key_id !== a.server_key_id) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server_attestation.server_key_id (${entry.server_attestation.server_key_id}) does not match inner approval.server_key_id (${a.server_key_id}). The inner signed payload is authoritative; one of the two was tampered with after signing.`
+      };
+    }
+    if (a.trusted_keys_snapshot_sha256 !== manifestSnapshot) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: trusted_keys_snapshot_sha256 (${a.trusted_keys_snapshot_sha256.slice(0, 16)}\u2026) does not match the manifest at base ${payload.base_sha.slice(0, 8)} (${manifestSnapshot.slice(0, 16)}\u2026). The server signed against a different snapshot of the trust set than the one committed at the merge base.`
+      };
+    }
+    const caps = resolveCapability(manifest, a.server_key_id);
+    if (caps === null) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel} was signed by ${a.server_key_id}, but that key is not in .stamp/trusted-keys/manifest.yml at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    if (!caps.includes("server")) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel} was signed by ${a.server_key_id}, but that key's capabilities [${caps.join(", ")}] don't include 'server' at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    const serverPem = pubkeyByFingerprint.get(a.server_key_id);
+    if (!serverPem) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: no .pub file in .stamp/trusted-keys/ at base ${payload.base_sha.slice(0, 8)} matches fingerprint ${a.server_key_id}`
+      };
+    }
+    let sigOk = false;
+    try {
+      sigOk = verifyBytes(
+        serverPem,
+        canonicalSerializeApproval(a),
+        entry.server_attestation.signature
+      );
+    } catch (err) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server signature verification threw \u2014 ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+    if (!sigOk) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server signature does not verify against ${a.server_key_id} over canonical approval bytes`
+      };
+    }
+    const def = reviewerDefs[a.reviewer];
+    if (!def) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: reviewer is not defined in .stamp/config.yml at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    let promptText;
+    try {
+      promptText = run(["show", `${payload.base_sha}:${def.prompt}`]);
+    } catch {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt "${def.prompt}" is unreadable at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    const recomputedPromptSha = hashPromptBytes(Buffer.from(promptText, "utf8"));
+    if (recomputedPromptSha !== a.prompt_sha256) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt_sha256 mismatch \u2014 server signed ${a.prompt_sha256.slice(0, 12)}\u2026 but prompt file at base hashes to ${recomputedPromptSha.slice(0, 12)}\u2026. The reviewer prompt the server reviewed differs from the one in the merge-base tree.`
+      };
+    }
+  }
+  return { ok: true };
+}
+function verifyV4Checks(input) {
+  const { sha, payload, rule } = input;
+  const requiredChecks = rule.required_checks ?? [];
+  const attestedByName = new Map(payload.checks.map((c) => [c.name, c]));
+  const missingChecks = [];
+  const failingChecks = [];
+  for (const req of requiredChecks) {
+    const attested = attestedByName.get(req.name);
+    if (!attested) {
+      missingChecks.push(req.name);
+      continue;
+    }
+    if (attested.exit_code !== 0) {
+      failingChecks.push(`${req.name} (exit ${attested.exit_code})`);
+    }
+  }
+  if (missingChecks.length > 0) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 attestation is missing required check(s) \u2014 ${missingChecks.join(", ")}`
+    };
+  }
+  if (failingChecks.length > 0) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 attestation records failing check(s) \u2014 ${failingChecks.join(", ")}`
+    };
+  }
+  return { ok: true };
+}
+function verifyV4TrustAnchorSignatures(input) {
+  const { sha, payload, manifest, pubkeyByFingerprint } = input;
+  if (payload.trust_anchor_signatures.length === 0) return { ok: true };
+  const payloadForAdmins = {
+    ...payload,
+    trust_anchor_signatures: []
+  };
+  const adminSigningBytes = canonicalSerializePayload(payloadForAdmins);
+  const seen = /* @__PURE__ */ new Set();
+  for (const ts of payload.trust_anchor_signatures) {
+    if (seen.has(ts.signer_key_id)) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust_anchor_signatures contains a duplicate entry for ${ts.signer_key_id}`
+      };
+    }
+    seen.add(ts.signer_key_id);
+    const caps = resolveCapability(manifest, ts.signer_key_id);
+    if (caps === null) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust_anchor_signatures includes ${ts.signer_key_id}, which is not in the manifest at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    if (!caps.includes("admin")) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust_anchor_signatures includes ${ts.signer_key_id} with capabilities [${caps.join(", ")}] \u2014 needs 'admin' to counter-sign at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    const pem = pubkeyByFingerprint.get(ts.signer_key_id);
+    if (!pem) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust_anchor_signatures includes ${ts.signer_key_id} but no matching .pub file is committed at base ${payload.base_sha.slice(0, 8)}`
+      };
+    }
+    let ok = false;
+    try {
+      ok = verifyBytes(pem, adminSigningBytes, ts.signature);
+    } catch (err) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust-anchor signature by ${ts.signer_key_id} threw on verify \u2014 ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+    if (!ok) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 trust-anchor signature by ${ts.signer_key_id} does not verify`
+      };
+    }
+  }
+  return { ok: true };
+}
+function verifyV4StampPathsGuard(input) {
+  const { sha, payload, manifest, pubkeyByFingerprint, pathRules, changedFiles } = input;
+  if (pathRules.length === 0) return { ok: true };
+  const payloadForAdmins = {
+    ...payload,
+    trust_anchor_signatures: []
+  };
+  const adminSigningBytes = canonicalSerializePayload(payloadForAdmins);
+  const validSigners = /* @__PURE__ */ new Set();
+  for (const ts of payload.trust_anchor_signatures) {
+    if (validSigners.has(ts.signer_key_id)) continue;
+    const pem = pubkeyByFingerprint.get(ts.signer_key_id);
+    if (!pem) continue;
+    let ok = false;
+    try {
+      ok = verifyBytes(pem, adminSigningBytes, ts.signature);
+    } catch {
+      ok = false;
+    }
+    if (ok) validSigners.add(ts.signer_key_id);
+  }
+  for (const rule of pathRules) {
+    const matched = changedFiles.filter((f) => pathMatchesAny(f, [rule.pattern]));
+    if (matched.length === 0) continue;
+    let qualifying = 0;
+    for (const keyId of validSigners) {
+      const caps = resolveCapability(manifest, keyId);
+      if (caps !== null && caps.includes(rule.require_capability)) {
+        qualifying++;
+      }
+    }
+    if (qualifying < rule.minimum_signatures) {
+      const sample = matched.slice(0, 3).join(", ");
+      const moreSuffix = matched.length > 3 ? `, +${matched.length - 3} more` : "";
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 path_rules gate for pattern "${rule.pattern}" requires ${rule.minimum_signatures} signature(s) from keys with capability '${rule.require_capability}' (diff touches ${matched.length} matched path(s): ${sample}${moreSuffix}), but only ${qualifying} qualifying trust_anchor_signature(s) are present at base ${payload.base_sha.slice(0, 8)}. Re-run the merge after collecting the required admin counter-signatures.`
+      };
+    }
+    if (!rule.bypass_review_cycle && payload.approvals.length === 0) {
+      return {
+        ok: false,
+        reason: `commit ${sha.slice(0, 8)}: v4 path_rules gate for pattern "${rule.pattern}" has bypass_review_cycle=false (admin signatures + reviewer cycle required), but the envelope carries no approvals \u2014 the reviewer cycle did not run for this merge.`
+      };
+    }
+  }
+  return { ok: true };
+}
+function run(args) {
+  try {
+    return (0, import_node_child_process2.execFileSync)("git", args, {
+      encoding: "utf8",
+      maxBuffer: 16 * 1024 * 1024,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (err) {
+    throw new Error(
+      `git ${args.join(" ")} failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function readPubkeyMapAt(ref) {
+  let lsOut;
+  try {
+    lsOut = run(["ls-tree", "--name-only", ref, ".stamp/trusted-keys/"]);
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+  const names = [];
+  for (const line of lsOut.split("\n")) {
+    if (!line) continue;
+    const prefix = ".stamp/trusted-keys/";
+    const basename = line.startsWith(prefix) ? line.slice(prefix.length) : line;
+    if (basename.endsWith(".pub")) names.push(basename);
+  }
+  return buildPubkeyMap(names, (relPath) => run(["show", `${ref}:${relPath}`]));
+}
+function readReviewerDefsAtRef(ref) {
+  let yaml;
+  try {
+    yaml = run(["show", `${ref}:.stamp/config.yml`]);
+  } catch {
+    return {};
+  }
+  const defs = readReviewersFromYaml(yaml);
+  const out = {};
+  for (const [name, def] of Object.entries(defs)) {
+    if (def && typeof def.prompt === "string") {
+      out[name] = { prompt: def.prompt };
+    }
+  }
+  return out;
+}
+function readChangedFilesAtRef(baseSha, headSha) {
+  let out;
+  try {
+    out = run(["diff", "-z", "--name-only", `${baseSha}...${headSha}`]);
+  } catch {
+    return null;
+  }
+  return out.split("\0").filter((l) => l.length > 0);
+}
+function pathGlobToRegex(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  const DOUBLE = "\0DOUBLESTAR\0";
+  const translated = escaped.replace(/\*\*/g, DOUBLE).replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]").split(DOUBLE).join(".*");
+  return new RegExp(`^${translated}$`);
+}
+function pathMatchesAny(filePath, patterns) {
+  for (const p of patterns) {
+    if (pathGlobToRegex(p).test(filePath)) return true;
+  }
+  return false;
+}
+function parsePathRules(raw) {
+  if (raw === void 0 || raw === null) return { rules: [], warnings: [] };
+  if (typeof raw !== "object" || Array.isArray(raw)) {
+    return {
+      rules: [],
+      warnings: [
+        `path_rules: top-level value must be a YAML map (e.g. \`".stamp/**": { ... }\`). Got ${Array.isArray(raw) ? "an array" : typeof raw}; entire path_rules section ignored.`
+      ]
+    };
+  }
+  const out = [];
+  const warnings = [];
+  for (const [pattern, rule] of Object.entries(raw)) {
+    if (typeof pattern !== "string" || pattern.length === 0) {
+      warnings.push(`path_rules: empty or non-string pattern key skipped.`);
+      continue;
+    }
+    if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+      warnings.push(
+        `path_rules["${pattern}"]: rule body must be a YAML map with require_capability/minimum_signatures/bypass_review_cycle fields. Rule ignored \u2014 the path is NOT gated.`
+      );
+      continue;
+    }
+    const r = rule;
+    if (typeof r.require_capability !== "string" || r.require_capability.length === 0) {
+      warnings.push(
+        `path_rules["${pattern}"]: require_capability must be a non-empty string (e.g. \`admin\`). Got ${typeof r.require_capability}; rule ignored \u2014 the path is NOT gated.`
+      );
+      continue;
+    }
+    if (typeof r.minimum_signatures !== "number" || !Number.isInteger(r.minimum_signatures) || r.minimum_signatures < 1) {
+      warnings.push(
+        `path_rules["${pattern}"]: minimum_signatures must be a positive integer (got ${JSON.stringify(r.minimum_signatures)}). Rule ignored \u2014 the path is NOT gated.`
+      );
+      continue;
+    }
+    if (typeof r.bypass_review_cycle !== "boolean") {
+      warnings.push(
+        `path_rules["${pattern}"]: bypass_review_cycle must be a YAML boolean (true or false; YAML's \`yes\`/\`no\`/\`on\`/\`off\` are NOT parsed as booleans here). Got ${JSON.stringify(r.bypass_review_cycle)}; rule ignored \u2014 the path is NOT gated.`
+      );
+      continue;
+    }
+    out.push({
+      pattern,
+      require_capability: r.require_capability,
+      minimum_signatures: r.minimum_signatures,
+      bypass_review_cycle: r.bypass_review_cycle
+    });
+  }
+  out.sort((a, b) => a.pattern < b.pattern ? -1 : a.pattern > b.pattern ? 1 : 0);
+  return { rules: out, warnings };
+}
+
 // src/hooks/pre-receive.ts
+var import_meta = {};
 var ZERO_SHA = "0000000000000000000000000000000000000000";
 function main() {
   const stdin = readAllStdin();
@@ -7550,7 +8206,7 @@ function verifyRef(oldSha, newSha, refname) {
 function verifyTagPush(newSha, refname) {
   let pointedCommit;
   try {
-    pointedCommit = run(["rev-parse", `${newSha}^{commit}`]).trim();
+    pointedCommit = run2(["rev-parse", `${newSha}^{commit}`]).trim();
   } catch (err) {
     reject(
       refname,
@@ -7559,7 +8215,7 @@ function verifyTagPush(newSha, refname) {
   }
   let headRef;
   try {
-    headRef = run(["symbolic-ref", "HEAD"]).trim();
+    headRef = run2(["symbolic-ref", "HEAD"]).trim();
   } catch {
     reject(
       refname,
@@ -7568,7 +8224,7 @@ function verifyTagPush(newSha, refname) {
   }
   let defaultBranchTip;
   try {
-    defaultBranchTip = run(["rev-parse", headRef]).trim();
+    defaultBranchTip = run2(["rev-parse", headRef]).trim();
   } catch {
     reject(
       refname,
@@ -7582,7 +8238,7 @@ function verifyTagPush(newSha, refname) {
       `no readable .stamp/config.yml at ${defaultBranchTip.slice(0, 8)}; tag pushes require a bootstrapped repo`
     );
   }
-  const branchListing = run([
+  const branchListing = run2([
     "for-each-ref",
     "--format=%(refname:short)",
     "refs/heads/"
@@ -7599,7 +8255,7 @@ function verifyTagPush(newSha, refname) {
     );
   }
   for (const b of protectedBranches) {
-    const tip = run(["rev-parse", `refs/heads/${b}`]).trim();
+    const tip = run2(["rev-parse", `refs/heads/${b}`]).trim();
     if (isAncestor(pointedCommit, tip)) {
       return;
     }
@@ -7609,8 +8265,18 @@ function verifyTagPush(newSha, refname) {
     `tag points at commit ${pointedCommit.slice(0, 8)} which is not reachable from any protected branch (${protectedBranches.join(", ")}). Tags can only point at commits that have already passed branch verification \u2014 merge to a protected branch first via the stamp flow, then create the tag from that commit.`
   );
 }
+var COMMIT_PHASES = [
+  { name: "verifyMergeStructure", fn: verifyMergeStructure },
+  { name: "verifyTargetBranch", fn: verifyTargetBranch },
+  { name: "verifySignerTrust", fn: verifySignerTrust },
+  { name: "verifyTrailerSignature", fn: verifyTrailerSignature },
+  { name: "verifyApprovals", fn: verifyApprovals },
+  { name: "verifyChecks", fn: verifyChecks },
+  { name: "verifySchemaVersion", fn: verifySchemaVersion },
+  { name: "verifyReviewerHashesAtMergeBase", fn: verifyReviewerHashesAtMergeBase }
+];
 function verifyCommit(sha, branch, rule, trustedKeys, refname) {
-  const commitMessage = run(["cat-file", "-p", sha]).split(/\n\n/s).slice(1).join("\n\n");
+  const commitMessage = run2(["cat-file", "-p", sha]).split(/\n\n/s).slice(1).join("\n\n");
   const parsed = parseCommitAttestation(commitMessage);
   if (!parsed) {
     reject(
@@ -7618,66 +8284,106 @@ function verifyCommit(sha, branch, rule, trustedKeys, refname) {
       `commit ${sha.slice(0, 8)} has no Stamp-Payload / Stamp-Verified trailers. Every commit to '${branch}' must be a stamped merge.`
     );
   }
-  const { payload, payloadBytes, signatureBase64 } = parsed;
-  const parents = run(["rev-list", "--parents", "-n", "1", sha]).trim().split(/\s+/).slice(1);
+  const rawSchemaVersion = parsed.payload.schema_version;
+  if (typeof rawSchemaVersion === "number" && rawSchemaVersion >= MIN_ACCEPTED_V4_SCHEMA_VERSION) {
+    verifyCommitV4(sha, branch, rule, parsed.payloadBytes, parsed.signatureBase64, refname);
+    return;
+  }
+  const input = {
+    sha,
+    branch,
+    rule,
+    trustedKeys,
+    payload: parsed.payload,
+    payloadBytes: parsed.payloadBytes,
+    signatureBase64: parsed.signatureBase64
+  };
+  for (const phase of COMMIT_PHASES) {
+    const result = phase.fn(input);
+    if (!result.ok) reject(refname, result.reason);
+  }
+}
+function verifyMergeStructure(input) {
+  const { sha, branch, payload } = input;
+  const parents = run2(["rev-list", "--parents", "-n", "1", sha]).trim().split(/\s+/).slice(1);
   if (parents.length !== 2) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)} is not a merge commit (has ${parents.length} parent(s)). Every commit to '${branch}' must be a --no-ff merge.`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)} is not a merge commit (has ${parents.length} parent(s)). Every commit to '${branch}' must be a --no-ff merge.`
+    };
   }
   const [parent0, parent1] = parents;
   if (parent1 !== payload.head_sha) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: second parent (${parent1.slice(0, 8)}) != payload.head_sha (${payload.head_sha.slice(0, 8)})`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: second parent (${parent1.slice(0, 8)}) != payload.head_sha (${payload.head_sha.slice(0, 8)})`
+    };
   }
-  const mergeBase = run(["merge-base", parent0, parent1]).trim();
+  const mergeBase = run2(["merge-base", parent0, parent1]).trim();
   if (mergeBase !== payload.base_sha) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: merge-base(${parent0.slice(0, 8)}, ${parent1.slice(0, 8)}) = ${mergeBase.slice(0, 8)} != payload.base_sha (${payload.base_sha.slice(0, 8)})`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: merge-base(${parent0.slice(0, 8)}, ${parent1.slice(0, 8)}) = ${mergeBase.slice(0, 8)} != payload.base_sha (${payload.base_sha.slice(0, 8)})`
+    };
   }
+  return { ok: true };
+}
+function verifyTargetBranch(input) {
+  const { sha, branch, payload } = input;
   if (payload.target_branch !== branch) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: payload.target_branch ("${payload.target_branch}") does not match the branch being pushed ("${branch}")`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: payload.target_branch ("${payload.target_branch}") does not match the branch being pushed ("${branch}")`
+    };
   }
-  const trustedPem = trustedKeys.get(payload.signer_key_id);
-  if (!trustedPem) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: signer key ${payload.signer_key_id} is not in .stamp/trusted-keys/`
-    );
+  return { ok: true };
+}
+function verifySignerTrust(input) {
+  const { sha, payload, trustedKeys } = input;
+  if (!trustedKeys.has(payload.signer_key_id)) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: signer key ${payload.signer_key_id} is not in .stamp/trusted-keys/`
+    };
   }
+  return { ok: true };
+}
+function verifyTrailerSignature(input) {
+  const { sha, payload, payloadBytes, signatureBase64, trustedKeys } = input;
+  const trustedPem = trustedKeys.get(payload.signer_key_id);
   let sigValid = false;
   try {
     sigValid = verifyBytes(trustedPem, payloadBytes, signatureBase64);
   } catch (err) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: signature verification threw \u2014 ${err instanceof Error ? err.message : String(err)}`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: signature verification threw \u2014 ${err instanceof Error ? err.message : String(err)}`
+    };
   }
   if (!sigValid) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: Ed25519 signature does not verify against the signer's trusted key`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: Ed25519 signature does not verify against the signer's trusted key`
+    };
   }
+  return { ok: true };
+}
+function verifyApprovals(input) {
+  const { sha, payload, rule } = input;
   const approvedReviewers = new Set(
     payload.approvals.filter((a) => a.verdict === "approved").map((a) => a.reviewer)
   );
   const missing = rule.required.filter((r) => !approvedReviewers.has(r));
   if (missing.length > 0) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: missing required approvals \u2014 ${missing.join(", ")}`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: missing required approvals \u2014 ${missing.join(", ")}`
+    };
   }
+  return { ok: true };
+}
+function verifyChecks(input) {
+  const { sha, payload, rule } = input;
   const requiredChecks = rule.required_checks ?? [];
   const attestedByName = new Map(
     (payload.checks ?? []).map((c) => [c.name, c])
@@ -7695,36 +8401,42 @@ function verifyCommit(sha, branch, rule, trustedKeys, refname) {
     }
   }
   if (missingChecks.length > 0) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: attestation is missing required check(s) \u2014 ${missingChecks.join(", ")}`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: attestation is missing required check(s) \u2014 ${missingChecks.join(", ")}`
+    };
   }
   if (failingChecks.length > 0) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: attestation records failing check(s) \u2014 ${failingChecks.join(", ")}`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: attestation records failing check(s) \u2014 ${failingChecks.join(", ")}`
+    };
   }
+  return { ok: true };
+}
+function verifySchemaVersion(input) {
+  const { sha, payload } = input;
   const version = payload.schema_version ?? 1;
   if (version < MIN_ACCEPTED_PAYLOAD_VERSION) {
-    reject(
-      refname,
-      `commit ${sha.slice(0, 8)}: attestation schema_version ${version} is no longer accepted (minimum supported is ${MIN_ACCEPTED_PAYLOAD_VERSION} \u2014 earlier versions are known-broken under the feature-branch self-review attack). Re-create the merge with a current stamp-cli build which produces v${MIN_ACCEPTED_PAYLOAD_VERSION} attestations bound to the merge-base tree.`
-    );
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: attestation schema_version ${version} is no longer accepted (minimum supported is ${MIN_ACCEPTED_PAYLOAD_VERSION} \u2014 earlier versions are known-broken under the feature-branch self-review attack). Re-create the merge with a current stamp-cli build which produces v${MIN_ACCEPTED_PAYLOAD_VERSION} attestations bound to the merge-base tree.`
+    };
   }
-  verifyReviewerHashesAtMergeBase(sha, payload.base_sha, payload, refname);
+  return { ok: true };
 }
-function verifyReviewerHashesAtMergeBase(sha, baseSha, payload, refname) {
+function verifyReviewerHashesAtMergeBase(input) {
+  const { sha, payload } = input;
+  const baseSha = payload.base_sha;
   const prefix = `commit ${sha.slice(0, 8)}: v3 attestation:`;
   let configYaml;
   try {
-    configYaml = run(["show", `${baseSha}:.stamp/config.yml`]);
+    configYaml = run2(["show", `${baseSha}:.stamp/config.yml`]);
   } catch {
-    reject(
-      refname,
-      `${prefix} .stamp/config.yml unreadable at merge-base ${baseSha.slice(0, 8)}`
-    );
+    return {
+      ok: false,
+      reason: `${prefix} .stamp/config.yml unreadable at merge-base ${baseSha.slice(0, 8)}`
+    };
   }
   const reviewers = readReviewersFromYaml(configYaml);
   for (const approval of payload.approvals) {
@@ -7733,42 +8445,111 @@ function verifyReviewerHashesAtMergeBase(sha, baseSha, payload, refname) {
     if (!approval.tools_sha256) missing.push("tools_sha256");
     if (!approval.mcp_sha256) missing.push("mcp_sha256");
     if (missing.length > 0) {
-      reject(
-        refname,
-        `${prefix} approval for "${approval.reviewer}" is missing ${missing.join(", ")}`
-      );
+      return {
+        ok: false,
+        reason: `${prefix} approval for "${approval.reviewer}" is missing ${missing.join(", ")}`
+      };
     }
     const def = reviewers[approval.reviewer];
     if (!def) {
-      reject(
-        refname,
-        `${prefix} reviewer "${approval.reviewer}" not defined in .stamp/config.yml at merge-base`
-      );
+      return {
+        ok: false,
+        reason: `${prefix} reviewer "${approval.reviewer}" not defined in .stamp/config.yml at merge-base`
+      };
     }
     let promptBytes;
     try {
-      promptBytes = run(["show", `${baseSha}:${def.prompt}`]);
+      promptBytes = run2(["show", `${baseSha}:${def.prompt}`]);
     } catch {
-      reject(
-        refname,
-        `${prefix} reviewer "${approval.reviewer}" prompt "${def.prompt}" unreadable at merge-base`
-      );
+      return {
+        ok: false,
+        reason: `${prefix} reviewer "${approval.reviewer}" prompt "${def.prompt}" unreadable at merge-base`
+      };
+    }
+    const fields = [
+      { field: "prompt", computed: hashPromptBytes(Buffer.from(promptBytes, "utf8")), expected: approval.prompt_sha256 },
+      { field: "tools", computed: hashTools(def.tools), expected: approval.tools_sha256 },
+      { field: "mcp_servers", computed: hashMcpServers(def.mcp_servers), expected: approval.mcp_sha256 }
+    ];
+    for (const f of fields) {
+      if (f.computed === f.expected) continue;
+      return {
+        ok: false,
+        reason: `${prefix} reviewer "${approval.reviewer}" ${f.field} hash mismatch (expected ${f.expected.slice(0, 16)}..., committed tree has ${f.computed.slice(0, 16)}...). The committed config differs from what the attestation claims; re-run stamp merge or revert the change.`
+      };
     }
-    checkHashOrReject(prefix, refname, approval.reviewer, "prompt", hashPromptBytes(Buffer.from(promptBytes, "utf8")), approval.prompt_sha256);
-    checkHashOrReject(prefix, refname, approval.reviewer, "tools", hashTools(def.tools), approval.tools_sha256);
-    checkHashOrReject(prefix, refname, approval.reviewer, "mcp_servers", hashMcpServers(def.mcp_servers), approval.mcp_sha256);
   }
+  return { ok: true };
 }
-function checkHashOrReject(prefix, refname, reviewer, field, computed, expected) {
-  if (computed === expected) return;
-  reject(
-    refname,
-    `${prefix} reviewer "${reviewer}" ${field} hash mismatch (expected ${expected.slice(0, 16)}..., committed tree has ${computed.slice(0, 16)}...). The committed config differs from what the attestation claims; re-run stamp merge or revert the change.`
-  );
+function verifyCommitV4(sha, branch, rule, payloadBytes, signatureBase64, refname) {
+  let payload;
+  try {
+    payload = JSON.parse(payloadBytes.toString("utf8"));
+  } catch (err) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: v4 payload is not valid JSON \u2014 ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!payload || typeof payload !== "object" || typeof payload.schema_version !== "number" || typeof payload.base_sha !== "string" || typeof payload.head_sha !== "string" || typeof payload.target_branch !== "string" || typeof payload.diff_sha256 !== "string" || typeof payload.signer_key_id !== "string" || !Array.isArray(payload.approvals) || !Array.isArray(payload.checks) || !Array.isArray(payload.trust_anchor_signatures)) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: v4 payload has invalid structure (missing or wrong-typed fields)`
+    );
+  }
+  if (payload.schema_version < MIN_ACCEPTED_V4_SCHEMA_VERSION) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: v4 attestation schema_version ${payload.schema_version} is below minimum ${MIN_ACCEPTED_V4_SCHEMA_VERSION}. Re-create the merge with a current stamp-cli build.`
+    );
+  }
+  let manifestYaml;
+  try {
+    manifestYaml = run2(["show", `${payload.base_sha}:.stamp/trusted-keys/manifest.yml`]);
+  } catch (err) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: .stamp/trusted-keys/manifest.yml is missing at base ${payload.base_sha.slice(0, 8)} \u2014 v4 attestations require the manifest in the merge-base tree. (${err instanceof Error ? err.message : String(err)})`
+    );
+  }
+  const manifest = parseManifest(manifestYaml);
+  if (!manifest) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: .stamp/trusted-keys/manifest.yml at base ${payload.base_sha.slice(0, 8)} failed to parse (bad YAML, duplicate fingerprint, unknown capability, etc.)`
+    );
+  }
+  const pubkeyByFingerprint = readPubkeyMapAt(payload.base_sha);
+  const configAtBase = readConfigAt(payload.base_sha);
+  const pathRules = configAtBase?.path_rules ?? [];
+  const changedFiles = readChangedFilesAtRef(payload.base_sha, payload.head_sha);
+  if (changedFiles === null) {
+    reject(
+      refname,
+      `commit ${sha.slice(0, 8)}: unable to enumerate changed files between base ${payload.base_sha.slice(0, 8)} and head ${payload.head_sha.slice(0, 8)} for path_rules evaluation. Run \`stamp review --diff <base>..<head>\` and re-attempt the merge.`
+    );
+    return;
+  }
+  const input = {
+    sha,
+    branch,
+    rule,
+    payload,
+    payloadBytes,
+    signatureBase64,
+    manifest,
+    pubkeyByFingerprint,
+    pathRules,
+    changedFiles
+  };
+  for (const phase of COMMIT_PHASES_V4) {
+    const result = phase.fn(input);
+    if (!result.ok) reject(refname, result.reason);
+  }
 }
-function run(args) {
+function run2(args) {
   try {
-    return (0, import_node_child_process.execFileSync)("git", args, {
+    return (0, import_node_child_process3.execFileSync)("git", args, {
       encoding: "utf8",
       maxBuffer: 16 * 1024 * 1024,
       stdio: ["ignore", "pipe", "pipe"]
@@ -7797,8 +8578,8 @@ function resolveBranchRule(branches, branchName) {
 }
 function readConfigAt(sha) {
   try {
-    const raw = run(["show", `${sha}:.stamp/config.yml`]);
-    const parsed = (0, import_yaml4.parse)(raw);
+    const raw = run2(["show", `${sha}:.stamp/config.yml`]);
+    const parsed = (0, import_yaml5.parse)(raw);
     if (!parsed || typeof parsed !== "object") return null;
     const obj = parsed;
     const branches = {};
@@ -7824,7 +8605,15 @@ function readConfigAt(sha) {
         };
       }
     }
-    return { branches };
+    const parsedPathRules = parsePathRules(obj.path_rules);
+    for (const warning of parsedPathRules.warnings) {
+      process.stderr.write(`stamp-verify: ${warning}
+`);
+    }
+    return {
+      branches,
+      ...parsedPathRules.rules.length > 0 ? { path_rules: parsedPathRules.rules } : {}
+    };
   } catch {
     return null;
   }
@@ -7833,14 +8622,14 @@ function readTrustedKeysAt(sha) {
   const map = /* @__PURE__ */ new Map();
   let lsOut;
   try {
-    lsOut = run(["ls-tree", "-r", "--name-only", sha, ".stamp/trusted-keys/"]);
+    lsOut = run2(["ls-tree", "-r", "--name-only", sha, ".stamp/trusted-keys/"]);
   } catch {
     return map;
   }
   const files = lsOut.split("\n").filter((f) => f.endsWith(".pub"));
   for (const path of files) {
     try {
-      const pem = run(["show", `${sha}:${path}`]);
+      const pem = run2(["show", `${sha}:${path}`]);
       const fp = fingerprintFromPem(pem);
       map.set(fp, pem);
     } catch {
@@ -7850,7 +8639,7 @@ function readTrustedKeysAt(sha) {
 }
 function readLiveRef(refname) {
   try {
-    return (0, import_node_child_process.execFileSync)("git", ["rev-parse", "--verify", refname], {
+    return (0, import_node_child_process3.execFileSync)("git", ["rev-parse", "--verify", refname], {
       encoding: "utf8",
       stdio: ["ignore", "pipe", "pipe"]
     }).trim();
@@ -7860,7 +8649,7 @@ function readLiveRef(refname) {
 }
 function isAncestor(ancestor, descendant) {
   try {
-    (0, import_node_child_process.execFileSync)(
+    (0, import_node_child_process3.execFileSync)(
       "git",
       ["merge-base", "--is-ancestor", ancestor, descendant],
       { stdio: "ignore" }
@@ -7871,7 +8660,7 @@ function isAncestor(ancestor, descendant) {
   }
 }
 function listNewCommits(oldSha, newSha) {
-  const out = run([
+  const out = run2([
     "rev-list",
     "--first-parent",
     `${oldSha}..${newSha}`
@@ -7896,14 +8685,41 @@ function reject(refname, reason) {
 `);
   process.exit(1);
 }
-try {
-  main();
-  process.exit(0);
-} catch (err) {
-  process.stderr.write(
-    `stamp-verify: internal error \u2014 ${err instanceof Error ? err.stack ?? err.message : String(err)}
+function isMainModule() {
+  const argv1 = typeof process !== "undefined" ? process.argv?.[1] : void 0;
+  if (!argv1) {
+    return false;
+  }
+  try {
+    return (0, import_node_url.fileURLToPath)(import_meta.url) === argv1;
+  } catch {
+    return true;
+  }
+}
+if (isMainModule()) {
+  try {
+    main();
+    process.exit(0);
+  } catch (err) {
+    process.stderr.write(
+      `stamp-verify: internal error \u2014 ${err instanceof Error ? err.stack ?? err.message : String(err)}
 `
-  );
-  process.exit(1);
+    );
+    process.exit(1);
+  }
 }
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parsePathRules,
+  verifyV4ApprovalSignatures,
+  verifyV4Approvals,
+  verifyV4Checks,
+  verifyV4DiffHash,
+  verifyV4MergeStructure,
+  verifyV4OuterSignature,
+  verifyV4SignerTrust,
+  verifyV4StampPathsGuard,
+  verifyV4TargetBranch,
+  verifyV4TrustAnchorSignatures
+});
 //# sourceMappingURL=pre-receive.cjs.map