@openthink/stamp 2.0.1 → 2.1.0

package/dist/index.js

@@ -52,15 +52,15 @@ import {
   userKeysDir,
   userServerConfigPath,
   verifyBytes
-} from "./chunk-4PFD2DSY.js";
+} from "./chunk-MJULVH4B.js";
 
 // src/index.ts
 import { Command } from "commander";
 
 // src/commands/bootstrap.ts
 import { execFileSync as execFileSync4 } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync6, readdirSync, statSync, writeFileSync as writeFileSync5 } from "fs";
-import { dirname as dirname3, join as join3 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync7, readdirSync, statSync, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname4, join as join4 } from "path";
 
 // src/lib/agentsMd.ts
 import { existsSync, readFileSync, writeFileSync } from "fs";
@@ -541,8 +541,12 @@ function validateConfig(input) {
       throw new Error(`config.reviewers.${name} must be an object`);
     }
     const d = def;
-    if (typeof d.prompt !== "string") {
-      throw new Error(`config.reviewers.${name}.prompt must be a string`);
+    let prompt2;
+    if (d.prompt !== void 0) {
+      if (typeof d.prompt !== "string") {
+        throw new Error(`config.reviewers.${name}.prompt must be a string`);
+      }
+      prompt2 = d.prompt;
     }
     const tools = parseTools(d.tools, name);
     const mcp_servers = parseMcpServers(d.mcp_servers, name);
@@ -564,7 +568,7 @@ function validateConfig(input) {
       `config.reviewers.${name}.timeout_ms`
     );
     reviewers2[name] = {
-      prompt: d.prompt,
+      ...prompt2 !== void 0 ? { prompt: prompt2 } : {},
       ...tools ? { tools } : {},
       ...mcp_servers ? { mcp_servers } : {},
       ...enforce_reads_on_dotstamp !== void 0 ? { enforce_reads_on_dotstamp } : {},
@@ -1412,8 +1416,8 @@ import { createHash as createHash3, createPublicKey, verify } from "crypto";
 import { spawn } from "child_process";
 
 // src/lib/attestationV4.ts
-var CURRENT_V4_SCHEMA_VERSION = 4;
-var MIN_ACCEPTED_V4_SCHEMA_VERSION = 4;
+var CURRENT_V4_SCHEMA_VERSION = 5;
+var MIN_ACCEPTED_V4_SCHEMA_VERSION = 5;
 var MAX_V4_ENVELOPE_BYTES = 64 * 1024;
 function sortKeysDeep(value) {
   if (value === null || typeof value !== "object") return value;
@@ -1547,7 +1551,6 @@ function parseResponseJson(raw) {
     "diff_sha256",
     "base_sha",
     "head_sha",
-    "trusted_keys_snapshot_sha256",
     "issued_at",
     "server_key_id"
   ]) {
@@ -1945,6 +1948,7 @@ function buildTrustAnchorPayload(input) {
     head_sha: input.headSha,
     target_branch: input.targetBranch,
     diff_sha256: input.diffSha256,
+    manifest_snapshot_sha256: input.manifestSnapshotSha256,
     approvals: input.approvals,
     checks: input.checks,
     trust_anchor_signatures: [],
@@ -2027,6 +2031,11 @@ var COMMIT_PHASES_V4 = [
   { name: "verifyV4TargetBranch", fn: verifyV4TargetBranch },
   { name: "verifyV4SignerTrust", fn: verifyV4SignerTrust },
   { name: "verifyV4OuterSignature", fn: verifyV4OuterSignature },
+  // AGT-370: envelope-level manifest snapshot binding (lifted from
+  // the per-approval slot in v4). Runs once before the per-approval
+  // loop in verifyV4ApprovalSignatures — a single check replaces the
+  // N-checks per envelope the v4 verifier did.
+  { name: "verifyV4ManifestSnapshot", fn: verifyV4ManifestSnapshot },
   { name: "verifyV4Approvals", fn: verifyV4Approvals },
   { name: "verifyV4DiffHash", fn: verifyV4DiffHash },
   { name: "verifyV4ApprovalSignatures", fn: verifyV4ApprovalSignatures },
@@ -2159,10 +2168,19 @@ function verifyV4DiffHash(input) {
   }
   return { ok: true };
 }
+function verifyV4ManifestSnapshot(input) {
+  const { sha, payload, manifest } = input;
+  const computed = snapshotSha256(manifest);
+  if (payload.manifest_snapshot_sha256 !== computed) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 manifest_snapshot_sha256 (${payload.manifest_snapshot_sha256.slice(0, 16)}\u2026) does not match the manifest at base ${payload.base_sha.slice(0, 8)} (${computed.slice(0, 16)}\u2026). The envelope was signed against a different snapshot of the trust set than the one committed at the merge base. Re-run \`stamp merge\` (or \`stamp attest\`) so the outer signature binds to the current manifest.`
+    };
+  }
+  return { ok: true };
+}
 function verifyV4ApprovalSignatures(input) {
   const { sha, payload, manifest, pubkeyByFingerprint } = input;
-  const manifestSnapshot = snapshotSha256(manifest);
-  const reviewerDefs = readReviewerDefsAtRef(payload.base_sha);
   for (const entry of payload.approvals) {
     const a = entry.approval;
     const reviewerLabel = `"${a.reviewer}"`;
@@ -2184,12 +2202,6 @@ function verifyV4ApprovalSignatures(input) {
         reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server_attestation.server_key_id (${entry.server_attestation.server_key_id}) does not match inner approval.server_key_id (${a.server_key_id}). The inner signed payload is authoritative; one of the two was tampered with after signing.`
       };
     }
-    if (a.trusted_keys_snapshot_sha256 !== manifestSnapshot) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: trusted_keys_snapshot_sha256 (${a.trusted_keys_snapshot_sha256.slice(0, 16)}\u2026) does not match the manifest at base ${payload.base_sha.slice(0, 8)} (${manifestSnapshot.slice(0, 16)}\u2026). The server signed against a different snapshot of the trust set than the one committed at the merge base.`
-      };
-    }
     const caps = resolveCapability(manifest, a.server_key_id);
     if (caps === null) {
       return {
@@ -2229,29 +2241,6 @@ function verifyV4ApprovalSignatures(input) {
         reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server signature does not verify against ${a.server_key_id} over canonical approval bytes`
       };
     }
-    const def = reviewerDefs[a.reviewer];
-    if (!def) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: reviewer is not defined in .stamp/config.yml at base ${payload.base_sha.slice(0, 8)}`
-      };
-    }
-    let promptText;
-    try {
-      promptText = run(["show", `${payload.base_sha}:${def.prompt}`]);
-    } catch {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt "${def.prompt}" is unreadable at base ${payload.base_sha.slice(0, 8)}`
-      };
-    }
-    const recomputedPromptSha = hashPromptBytes(Buffer.from(promptText, "utf8"));
-    if (recomputedPromptSha !== a.prompt_sha256) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt_sha256 mismatch \u2014 server signed ${a.prompt_sha256.slice(0, 12)}\u2026 but prompt file at base hashes to ${recomputedPromptSha.slice(0, 12)}\u2026. The reviewer prompt the server reviewed differs from the one in the merge-base tree.`
-      };
-    }
   }
   return { ok: true };
 }
@@ -2417,22 +2406,6 @@ function readPubkeyMapAt(ref) {
   }
   return buildPubkeyMap(names, (relPath) => run(["show", `${ref}:${relPath}`]));
 }
-function readReviewerDefsAtRef(ref) {
-  let yaml;
-  try {
-    yaml = run(["show", `${ref}:.stamp/config.yml`]);
-  } catch {
-    return {};
-  }
-  const defs = readReviewersFromYaml(yaml);
-  const out = {};
-  for (const [name, def] of Object.entries(defs)) {
-    if (def && typeof def.prompt === "string") {
-      out[name] = { prompt: def.prompt };
-    }
-  }
-  return out;
-}
 function readChangedFilesAtRef(baseSha, headSha) {
   let out;
   try {
@@ -2820,6 +2793,12 @@ function verifyReviewerHashesAtMergeBase(input) {
         reason: `${prefix} reviewer "${approval.reviewer}" not defined in .stamp/config.yml at merge-base`
       };
     }
+    if (def.prompt === void 0) {
+      return {
+        ok: false,
+        reason: `${prefix} reviewer "${approval.reviewer}" has no \`prompt:\` in .stamp/config.yml at merge-base; v3 attestation references prompt_sha256 but the producer flow for server-bundled prompts is v4 (server-attested). The attestation envelope and the config shape are inconsistent.`
+      };
+    }
     let promptBytes;
     try {
       promptBytes = run2(["show", `${baseSha}:${def.prompt}`]);
@@ -3166,9 +3145,38 @@ function readLineSync() {
   return out;
 }
 
+// src/lib/version.ts
+import { readFileSync as readFileSync4 } from "fs";
+import { dirname, join as join3 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+function readPackageVersion() {
+  const here = dirname(fileURLToPath2(import.meta.url));
+  for (let dir = here, i = 0; i < 6; i++) {
+    try {
+      const raw = readFileSync4(join3(dir, "package.json"), "utf8");
+      const pkg = JSON.parse(raw);
+      if (pkg.name === "@openthink/stamp" && pkg.version) return pkg.version;
+    } catch {
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  throw new Error("could not locate @openthink/stamp package.json to read version");
+}
+
 // src/lib/deprecationNotice.ts
-function maybePrintDeprecationNotice() {
+function maybePrintDeprecationNotice(versionOverride) {
   if (process.env.STAMP_SUPPRESS_DEPRECATION === "1") return;
+  let major = null;
+  try {
+    const version = versionOverride ?? readPackageVersion();
+    const m = /^(\d+)\./.exec(version);
+    if (m) major = Number.parseInt(m[1], 10);
+  } catch {
+    return;
+  }
+  if (major === null || major >= 2) return;
   process.stderr.write(
     "warning: stamp 1.x is in maintenance \u2014 the server-attested 2.x line is active. See docs/migration-1.x-to-2.x.md. Suppress: STAMP_SUPPRESS_DEPRECATION=1.\n"
   );
@@ -3374,6 +3382,11 @@ function buildV3Trailers(input) {
         `reviewer "${a.reviewer}" approved the diff but is not defined in .stamp/config.yml at base ${input.baseSha.slice(0, 8)}. This shouldn't happen \u2014 runReview reads from the same base. File a bug at https://github.com/OpenThinkAi/stamp-cli/issues. Merge rolled back.`
       );
     }
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${a.reviewer}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${a.reviewer}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode. Merge rolled back.`
+      );
+    }
     const promptText = showAtRef(input.baseSha, def.prompt, input.repoRoot);
     const source = readReviewerSource(a.reviewer, input.repoRoot);
     return {
@@ -3460,7 +3473,6 @@ function buildV4Trailers(input) {
         "diff_sha256",
         "base_sha",
         "head_sha",
-        "trusted_keys_snapshot_sha256",
         "issued_at",
         "server_key_id"
       ]) {
@@ -3540,12 +3552,14 @@ function buildV4Trailers(input) {
     exit_code: c.exit_code,
     output_sha: c.output_sha
   }));
+  const manifestSnapshot = snapshotSha256(manifest);
   const trustAnchorSigs = collectTrustAnchorSignatures({
     repoRoot: input.repoRoot,
     baseSha: input.baseSha,
     headSha: input.headSha,
     targetBranch: input.targetBranch,
     diffSha256,
+    manifestSnapshotSha256: manifestSnapshot,
     approvals: entries,
     checks: v4Checks,
     operatorFingerprint: input.operatorFingerprint,
@@ -3558,6 +3572,7 @@ function buildV4Trailers(input) {
     head_sha: input.headSha,
     target_branch: input.targetBranch,
     diff_sha256: diffSha256,
+    manifest_snapshot_sha256: manifestSnapshot,
     approvals: entries,
     checks: v4Checks,
     trust_anchor_signatures: trustAnchorSigs,
@@ -3609,6 +3624,7 @@ function collectTrustAnchorSignatures(input) {
     headSha: input.headSha,
     targetBranch: input.targetBranch,
     diffSha256: input.diffSha256,
+    manifestSnapshotSha256: input.manifestSnapshotSha256,
     approvals: input.approvals,
     checks: input.checks,
     signerKeyId: input.operatorFingerprint
@@ -3763,12 +3779,12 @@ ${close}`;
 import {
   existsSync as existsSync3,
   mkdirSync,
-  readFileSync as readFileSync4,
+  readFileSync as readFileSync5,
   renameSync,
   unlinkSync,
   writeFileSync as writeFileSync2
 } from "fs";
-import { dirname } from "path";
+import { dirname as dirname2 } from "path";
 import { parse as parseYaml6, stringify as stringifyYaml } from "yaml";
 var DEFAULT_REVIEWER_MODELS = {
   security: "claude-sonnet-4-6",
@@ -3788,7 +3804,7 @@ function loadUserConfig() {
   if (!existsSync3(path2)) return null;
   let raw;
   try {
-    raw = readFileSync4(path2, "utf8");
+    raw = readFileSync5(path2, "utf8");
   } catch (err) {
     throw new Error(
       `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
@@ -3848,7 +3864,7 @@ function stringifyUserConfig(cfg) {
 }
 function writeUserConfig(cfg) {
   const path2 = userConfigPath();
-  const dir = dirname(path2);
+  const dir = dirname2(path2);
   if (!existsSync3(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
   const tmp = `${path2}.tmp.${process.pid}`;
   writeFileSync2(tmp, stringifyUserConfig(cfg), { mode: 384 });
@@ -4659,7 +4675,7 @@ function stripLastLineVerdict(text) {
 
 // src/lib/llmNotice.ts
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, writeFileSync as writeFileSync4 } from "fs";
-import { dirname as dirname2 } from "path";
+import { dirname as dirname3 } from "path";
 function maybePrintLlmNotice(repoRoot) {
   if (process.env.STAMP_SUPPRESS_LLM_NOTICE === "1") return;
   const marker = stampLlmNoticeMarkerPath(repoRoot);
@@ -4672,7 +4688,7 @@ function maybePrintLlmNotice(repoRoot) {
 `
   );
   try {
-    mkdirSync3(dirname2(marker), { recursive: true });
+    mkdirSync3(dirname3(marker), { recursive: true });
     writeFileSync4(marker, `${(/* @__PURE__ */ new Date()).toISOString()}
 `);
   } catch {
@@ -4702,6 +4718,11 @@ function buildReviewPlan(opts) {
   const reviewers2 = [];
   for (const name of reviewerNames) {
     const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${name}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${name}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode.`
+      );
+    }
     let prompt2;
     try {
       prompt2 = showAtRef(resolved.base_sha, def.prompt, opts.repoRoot);
@@ -4912,7 +4933,7 @@ import { spawnSync as spawnSync4 } from "child_process";
 import { createInterface } from "readline";
 
 // src/lib/serverConfig.ts
-import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
 import { parse as parseYaml7 } from "yaml";
 var DEFAULT_USER = "git";
 var DEFAULT_REPO_ROOT = "/srv/git";
@@ -4942,7 +4963,7 @@ function loadServerConfig() {
   if (!existsSync5(path2)) return null;
   let raw;
   try {
-    raw = readFileSync5(path2, "utf8");
+    raw = readFileSync6(path2, "utf8");
   } catch (err) {
     throw new Error(
       `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
@@ -5311,19 +5332,6 @@ async function runReview(opts) {
       `no reviewers to run at base ${resolved.base_sha.slice(0, 8)} (config there has ${Object.keys(config2.reviewers).length} configured). If this branch ADDS a new reviewer, the new reviewer cannot review its own introduction \u2014 that's a deliberate security boundary. Land the reviewer in a separate PR first, then it can review subsequent diffs.`
     );
   }
-  const promptBytesByReviewer = /* @__PURE__ */ new Map();
-  for (const name of reviewerNames) {
-    const def = config2.reviewers[name];
-    let bytes;
-    try {
-      bytes = showAtRef(resolved.base_sha, def.prompt, repoRoot);
-    } catch (err) {
-      throw new Error(
-        `failed to read prompt for reviewer "${name}" from base ${resolved.base_sha.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}. (The reviewer is configured at the base but its prompt file is missing there.)`
-      );
-    }
-    promptBytesByReviewer.set(name, bytes);
-  }
   const targetBranch = opts.into ?? inferTargetBranch(opts.diff);
   const branchRule = targetBranch ? findBranchRule(config2.branches, targetBranch) : void 0;
   if (branchRule?.review_server) {
@@ -5331,7 +5339,7 @@ async function runReview(opts) {
       opts,
       config: config2,
       reviewerNames,
-      promptBytesByReviewer,
+      promptBytesByReviewer: /* @__PURE__ */ new Map(),
       resolved,
       repoRoot,
       reviewServerUrl: branchRule.review_server,
@@ -5339,6 +5347,24 @@ async function runReview(opts) {
     });
     return;
   }
+  const promptBytesByReviewer = /* @__PURE__ */ new Map();
+  for (const name of reviewerNames) {
+    const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${name}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${name}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode.`
+      );
+    }
+    let bytes;
+    try {
+      bytes = showAtRef(resolved.base_sha, def.prompt, repoRoot);
+    } catch (err) {
+      throw new Error(
+        `failed to read prompt for reviewer "${name}" from base ${resolved.base_sha.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}. (The reviewer is configured at the base but its prompt file is missing there.)`
+      );
+    }
+    promptBytesByReviewer.set(name, bytes);
+  }
   maybePrintLlmNotice(repoRoot);
   const userCfg = loadOrCreateUserConfig();
   if (userCfg.created) {
@@ -5867,6 +5893,7 @@ function buildPlan(current, targetBranch, targetRule, opts) {
     }
     newReviewersConfig = seed.config.reviewers;
     for (const [name, def] of Object.entries(seed.config.reviewers)) {
+      if (def.prompt === void 0) continue;
       const promptBody = seed.reviewerFiles.get(def.prompt);
       if (promptBody === void 0) {
         throw new Error(
@@ -5921,27 +5948,27 @@ function readSeedDir(seedDir) {
   if (!existsSync7(seedDir) || !statSync(seedDir).isDirectory()) {
     throw new Error(`--from path is not a directory: ${seedDir}`);
   }
-  const configPath = join3(seedDir, "config.yml");
+  const configPath = join4(seedDir, "config.yml");
   if (!existsSync7(configPath)) {
     throw new Error(`--from dir missing config.yml: ${configPath}`);
   }
-  const reviewersDir = join3(seedDir, "reviewers");
+  const reviewersDir = join4(seedDir, "reviewers");
   if (!existsSync7(reviewersDir) || !statSync(reviewersDir).isDirectory()) {
     throw new Error(`--from dir missing reviewers/ subdirectory: ${reviewersDir}`);
   }
-  const yaml = readFileSync6(configPath, "utf8");
+  const yaml = readFileSync7(configPath, "utf8");
   const config2 = parseConfigFromYaml(yaml);
   const reviewerFiles = /* @__PURE__ */ new Map();
   for (const entry of readdirSync(reviewersDir)) {
-    const full = join3(reviewersDir, entry);
+    const full = join4(reviewersDir, entry);
     if (statSync(full).isFile()) {
-      reviewerFiles.set(`.stamp/reviewers/${entry}`, readFileSync6(full, "utf8"));
+      reviewerFiles.set(`.stamp/reviewers/${entry}`, readFileSync7(full, "utf8"));
     }
   }
   let mirrorYml;
-  const mirrorPath = join3(seedDir, "mirror.yml");
+  const mirrorPath = join4(seedDir, "mirror.yml");
   if (existsSync7(mirrorPath)) {
-    mirrorYml = readFileSync6(mirrorPath, "utf8");
+    mirrorYml = readFileSync7(mirrorPath, "utf8");
   }
   return { config: config2, reviewerFiles, mirrorYml };
 }
@@ -5949,12 +5976,12 @@ function writeBootstrapFiles(repoRoot, plan) {
   ensureDir(stampConfigDir(repoRoot));
   ensureDir(stampReviewersDir(repoRoot));
   for (const { path: path2, content } of plan.reviewerFiles.values()) {
-    const full = join3(repoRoot, path2);
-    ensureDir(dirname3(full));
+    const full = join4(repoRoot, path2);
+    ensureDir(dirname4(full));
     writeFileSync5(full, content);
   }
   if (plan.mirrorYml !== void 0) {
-    writeFileSync5(join3(repoRoot, ".stamp/mirror.yml"), plan.mirrorYml);
+    writeFileSync5(join4(repoRoot, ".stamp/mirror.yml"), plan.mirrorYml);
   }
   writeFileSync5(stampConfigFile(repoRoot), stringifyConfig(plan.newConfig));
 }
@@ -5997,8 +6024,8 @@ function branchExists(name, cwd) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync9, readFileSync as readFileSync8, writeFileSync as writeFileSync7 } from "fs";
-import { dirname as dirname4, join as join5 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
+import { dirname as dirname5, join as join6 } from "path";
 
 // src/lib/ghRuleset.ts
 import { spawnSync as spawnSync5 } from "child_process";
@@ -6334,14 +6361,14 @@ function computeDesiredBypassActors(current, deployKeyId, flags) {
 }
 
 // src/lib/oteamConfig.ts
-import { existsSync as existsSync8, readFileSync as readFileSync7, renameSync as renameSync2, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync8, renameSync as renameSync2, writeFileSync as writeFileSync6 } from "fs";
 import { homedir } from "os";
-import { join as join4 } from "path";
-var OTEAM_CONFIG_PATH = join4(homedir(), ".open-team", "config.json");
+import { join as join5 } from "path";
+var OTEAM_CONFIG_PATH = join5(homedir(), ".open-team", "config.json");
 function readOteamConfig(configPath = OTEAM_CONFIG_PATH) {
   if (!existsSync8(configPath)) return null;
   try {
-    const parsed = JSON.parse(readFileSync7(configPath, "utf8"));
+    const parsed = JSON.parse(readFileSync8(configPath, "utf8"));
     if (Array.isArray(parsed)) {
       throw new Error("config must be a JSON object, not an array");
     }
@@ -6356,7 +6383,7 @@ function patchStampHost(host, configPath = OTEAM_CONFIG_PATH) {
   let config2 = {};
   if (existsSync8(configPath)) {
     try {
-      const parsed = JSON.parse(readFileSync7(configPath, "utf8"));
+      const parsed = JSON.parse(readFileSync8(configPath, "utf8"));
       if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
         config2 = parsed;
       }
@@ -6382,6 +6409,7 @@ function patchStampHost(host, configPath = OTEAM_CONFIG_PATH) {
 }
 
 // src/commands/init.ts
+var DEFAULT_ACTION_SOURCE = "OpenThinkAi/stamp-cli";
 function runInit(opts = {}) {
   maybePrintDeprecationNotice();
   const repoRoot = findRepoRoot();
@@ -6412,26 +6440,26 @@ For local-only / advisory use against this GitHub repo: re-run with \`stamp init
   if (!alreadyHasConfig) {
     if (opts.minimal) {
       writeFileSync7(configFile, stringifyConfig(MINIMAL_CONFIG));
-      writeFileSync7(join5(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
+      writeFileSync7(join6(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
     } else {
       writeFileSync7(configFile, stringifyConfig(DEFAULT_CONFIG));
       writeFileSync7(
-        join5(reviewersDir, "security.md"),
+        join6(reviewersDir, "security.md"),
         DEFAULT_SECURITY_PROMPT
       );
       writeFileSync7(
-        join5(reviewersDir, "standards.md"),
+        join6(reviewersDir, "standards.md"),
         DEFAULT_STANDARDS_PROMPT
       );
       writeFileSync7(
-        join5(reviewersDir, "product.md"),
+        join6(reviewersDir, "product.md"),
         DEFAULT_PRODUCT_PROMPT
       );
     }
   }
   const { keypair, created: keyCreated } = ensureUserKeypair();
   const userCfg = loadOrCreateUserConfig();
-  const pubKeyPath = join5(
+  const pubKeyPath = join6(
     trustedKeysDir,
     publicKeyFingerprintFilename(keypair.fingerprint)
   );
@@ -6445,7 +6473,8 @@ For local-only / advisory use against this GitHub repo: re-run with \`stamp init
   const prCheckResult = maybeWriteVerifyWorkflow(
     repoRoot,
     opts.prCheck,
-    effectiveMode
+    effectiveMode,
+    opts.actionSource ?? DEFAULT_ACTION_SOURCE
   );
   const prModeResult = opts.prMode ? maybeWritePrModeMirrorWorkflow(repoRoot, { force: opts.prModeForce }) : { action: "skipped", path: PR_MODE_WORKFLOW_PATH, substitution: null };
   const agentsMdAction = opts.agentsMd === false ? "skipped" : ensureAgentsMd(repoRoot, effectiveMode);
@@ -6597,8 +6626,8 @@ function runBootstrapCommit(repoRoot, scaffoldOrSync) {
     return { kind: "skipped-already-tracked" };
   }
   const toAdd = [".stamp"];
-  if (existsSync9(join5(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
-  if (existsSync9(join5(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
+  if (existsSync9(join6(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
+  if (existsSync9(join6(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
   runGit(["add", ...toAdd], repoRoot);
   let hasStagedChanges = false;
   try {
@@ -6803,27 +6832,27 @@ function resolveMode(userMode, remoteClass) {
   }
 }
 var VERIFY_ACTION_REF = "v1.6.1";
-function maybeWriteVerifyWorkflow(repoRoot, prCheckOpt, effectiveMode) {
+function maybeWriteVerifyWorkflow(repoRoot, prCheckOpt, effectiveMode, actionSource = DEFAULT_ACTION_SOURCE) {
   const path2 = ".github/workflows/stamp-verify.yml";
-  const fullPath = join5(repoRoot, path2);
+  const fullPath = join6(repoRoot, path2);
   const defaultForMode = effectiveMode !== "server-gated";
   const shouldWrite = prCheckOpt ?? defaultForMode;
   if (!shouldWrite) return { action: "skipped", path: path2 };
   if (existsSync9(fullPath)) {
     return { action: "exists", path: path2 };
   }
-  ensureDir(dirname4(fullPath));
-  writeFileSync7(fullPath, renderVerifyWorkflow());
+  ensureDir(dirname5(fullPath));
+  writeFileSync7(fullPath, renderVerifyWorkflow(actionSource));
   return { action: "wrote", path: path2 };
 }
 var PR_MODE_WORKFLOW_PATH = ".github/workflows/stamp-mirror.yml";
 function maybeWritePrModeMirrorWorkflow(repoRoot, opts = {}) {
-  const fullPath = join5(repoRoot, PR_MODE_WORKFLOW_PATH);
+  const fullPath = join6(repoRoot, PR_MODE_WORKFLOW_PATH);
   const substitution = derivePrModeSubstitution(repoRoot);
   if (existsSync9(fullPath) && !opts.force) {
     return { action: "exists", path: PR_MODE_WORKFLOW_PATH, substitution };
   }
-  ensureDir(dirname4(fullPath));
+  ensureDir(dirname5(fullPath));
   writeFileSync7(fullPath, renderMirrorWorkflow(substitution));
   return { action: "wrote", path: PR_MODE_WORKFLOW_PATH, substitution };
 }
@@ -6831,9 +6860,9 @@ function derivePrModeSubstitution(repoRoot) {
   let host = null;
   let port = null;
   try {
-    const configFile = join5(repoRoot, ".stamp", "config.yml");
+    const configFile = join6(repoRoot, ".stamp", "config.yml");
     if (existsSync9(configFile)) {
-      const cfg = parseConfigFromYaml(readFileSync8(configFile, "utf8"));
+      const cfg = parseConfigFromYaml(readFileSync9(configFile, "utf8"));
       for (const rule of Object.values(cfg.branches)) {
         if (rule.review_server) {
           try {
@@ -7073,7 +7102,7 @@ function printPrModeWalkthrough(result) {
   );
   console.log();
 }
-function renderVerifyWorkflow() {
+function renderVerifyWorkflow(actionSource = DEFAULT_ACTION_SOURCE) {
   return [
     "name: stamp verify",
     "",
@@ -7106,18 +7135,18 @@ function renderVerifyWorkflow() {
     "          # would force per-step refetches.",
     "          fetch-depth: 0",
     "      - name: stamp/verify-attestation",
-    `        uses: OpenThinkAi/stamp-cli/.github/actions/verify-attestation@${VERIFY_ACTION_REF}`,
+    `        uses: ${actionSource}/.github/actions/verify-attestation@${VERIFY_ACTION_REF}`,
     ""
   ].join("\n");
 }
 
 // src/commands/migrateServerAttested.ts
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
-import { dirname as dirname5, join as join7, relative } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync11, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname6, join as join8, relative } from "path";
 
 // src/lib/migrateServerAttested.ts
-import { readdirSync as readdirSync2, readFileSync as readFileSync9, statSync as statSync2 } from "fs";
-import { join as join6 } from "path";
+import { readdirSync as readdirSync2, readFileSync as readFileSync10, statSync as statSync2 } from "fs";
+import { join as join7 } from "path";
 function detectExistingKeys(repoRoot, onSkip) {
   const dir = stampTrustedKeysDir(repoRoot);
   let entries;
@@ -7131,7 +7160,7 @@ function detectExistingKeys(repoRoot, onSkip) {
   const out = [];
   for (const filename of entries.sort()) {
     if (!filename.endsWith(".pub")) continue;
-    const full = join6(dir, filename);
+    const full = join7(dir, filename);
     try {
       const st = statSync2(full);
       if (!st.isFile()) continue;
@@ -7140,7 +7169,7 @@ function detectExistingKeys(repoRoot, onSkip) {
     }
     let pem;
     try {
-      pem = readFileSync9(full, "utf8");
+      pem = readFileSync10(full, "utf8");
     } catch (err) {
       onSkip?.(filename, err instanceof Error ? err.message : String(err));
       continue;
@@ -7328,7 +7357,7 @@ function runMigrateToServerAttested(opts = {}) {
       console.error(`note: skipping .stamp/trusted-keys/${filename} \u2014 ${reason}`);
     })
   );
-  const manifestPath = join7(repoRoot, MANIFEST_RELATIVE_PATH);
+  const manifestPath = join8(repoRoot, MANIFEST_RELATIVE_PATH);
   const manifestExists = existsSync10(manifestPath);
   let adminFingerprints;
   if (manifestExists) {
@@ -7361,7 +7390,7 @@ function runMigrateToServerAttested(opts = {}) {
       `expected .stamp/config.yml at ${cfgPath} but found none. Run \`stamp init\` first.`
     );
   }
-  const cfgInput = readFileSync10(cfgPath, "utf8");
+  const cfgInput = readFileSync11(cfgPath, "utf8");
   const rewrite = rewriteConfigForMigration(cfgInput);
   if (dryRun) {
     printDryRun({
@@ -7385,10 +7414,10 @@ function runMigrateToServerAttested(opts = {}) {
     console.error(`warning: ${w}`);
   }
   let manifestAction;
-  if (manifestExists && readFileSync10(manifestPath, "utf8") === manifestText) {
+  if (manifestExists && readFileSync11(manifestPath, "utf8") === manifestText) {
     manifestAction = "unchanged";
   } else {
-    ensureDir(dirname5(manifestPath));
+    ensureDir(dirname6(manifestPath));
     writeFileSync8(manifestPath, manifestText);
     manifestAction = "wrote";
   }
@@ -7454,7 +7483,7 @@ function readExistingAdminFingerprints(manifestPath) {
   const out = /* @__PURE__ */ new Set();
   let text;
   try {
-    text = readFileSync10(manifestPath, "utf8");
+    text = readFileSync11(manifestPath, "utf8");
   } catch {
     return out;
   }
@@ -7529,9 +7558,9 @@ function indent(text, prefix) {
 import { spawnSync as spawnSync6 } from "child_process";
 import { request as httpRequest } from "http";
 import { request as httpsRequest } from "https";
-import { existsSync as existsSync11, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync11, readFileSync as readFileSync12 } from "fs";
 import { homedir as homedir2, hostname, userInfo } from "os";
-import { join as join8 } from "path";
+import { join as join9 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
 
 // src/lib/inviteUrl.ts
@@ -7698,10 +7727,10 @@ function runInvitesMint(opts) {
   }
 }
 function defaultSshPubkeyPath() {
-  return join8(homedir2(), ".ssh", "id_ed25519.pub");
+  return join9(homedir2(), ".ssh", "id_ed25519.pub");
 }
 function defaultStampPubkeyPath() {
-  return join8(homedir2(), ".stamp", "keys", "ed25519.pub");
+  return join9(homedir2(), ".stamp", "keys", "ed25519.pub");
 }
 function defaultShortName() {
   const u = userInfo().username || "user";
@@ -7714,13 +7743,13 @@ function loadSshPubkey(path2) {
       `SSH pubkey not found at ${path2}. Generate one with \`ssh-keygen -t ed25519\` or pass --ssh-pubkey <path>.`
     );
   }
-  const raw = readFileSync11(path2, "utf8");
+  const raw = readFileSync12(path2, "utf8");
   const parsed = parseSshPubkey(raw);
   return { path: path2, full: parsed.full, fingerprint: parsed.fingerprint };
 }
 function loadStampPubkey(path2) {
   if (!existsSync11(path2)) return null;
-  const pem = readFileSync11(path2, "utf8");
+  const pem = readFileSync12(path2, "utf8");
   try {
     const fp = fingerprintFromPem(pem);
     return { path: path2, pem, fingerprint: fp };
@@ -7865,15 +7894,15 @@ async function runInvitesAccept(opts) {
 
 // src/commands/provision.ts
 import { spawnSync as spawnSync8 } from "child_process";
-import { existsSync as existsSync13, mkdtempSync, readFileSync as readFileSync12, rmSync, writeFileSync as writeFileSync10 } from "fs";
+import { existsSync as existsSync13, mkdtempSync, readFileSync as readFileSync13, rmSync, writeFileSync as writeFileSync10 } from "fs";
 import { tmpdir } from "os";
-import { join as join9, resolve as resolvePath } from "path";
+import { join as join10, resolve as resolvePath } from "path";
 import { parse as parseYaml8 } from "yaml";
 
 // src/commands/server.ts
 import { spawnSync as spawnSync7 } from "child_process";
 import { existsSync as existsSync12, mkdirSync as mkdirSync4, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname6 } from "path";
+import { dirname as dirname7 } from "path";
 import { stringify as stringifyYaml2 } from "yaml";
 
 // src/lib/perRepoKey.ts
@@ -8032,7 +8061,7 @@ function writeConfig(opts) {
     repoRootPrefix: opts.repoRootPrefix
   });
   const path2 = userServerConfigPath();
-  const dir = dirname6(path2);
+  const dir = dirname7(path2);
   if (!existsSync12(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
   const tmp = `${path2}.tmp.${process.pid}`;
   writeFileSync9(tmp, yaml, { mode: 384 });
@@ -8345,9 +8374,9 @@ async function runMigrateExisting(opts, server2) {
     console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const stagingDir = mkdtempSync(join9(tmpdir(), "stamp-migrate-"));
-  const bareCloneDir = join9(stagingDir, `${opts.name}.git`);
-  const tarballPath = join9(stagingDir, `${opts.name}.tar.gz`);
+  const stagingDir = mkdtempSync(join10(tmpdir(), "stamp-migrate-"));
+  const bareCloneDir = join10(stagingDir, `${opts.name}.git`);
+  const tarballPath = join10(stagingDir, `${opts.name}.tar.gz`);
   try {
     console.log(`
 Building bare-clone tarball of existing repo`);
@@ -8383,9 +8412,9 @@ function ensureCwdIsGitRepo(cwd) {
   }
 }
 function ensureStampInitDone(cwd) {
-  if (!existsSync13(join9(cwd, ".stamp", "config.yml"))) {
+  if (!existsSync13(join10(cwd, ".stamp", "config.yml"))) {
     throw new Error(
-      `--migrate-existing expects this repo to already be stamp-init'd (${join9(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
+      `--migrate-existing expects this repo to already be stamp-init'd (${join10(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
     );
   }
 }
@@ -8510,7 +8539,7 @@ mirror.yml was added to .stamp/. Commit it through the normal stamp flow:`);
   }
 }
 function readMirrorYmlGithubRepo(repoRoot) {
-  const path2 = join9(repoRoot, ".stamp", "mirror.yml");
+  const path2 = join10(repoRoot, ".stamp", "mirror.yml");
   if (!existsSync13(path2)) {
     throw new Error(
       `${path2} not found \u2014 --migrate-bypass operates on an already-server-gated repo, but this cwd has no .stamp/mirror.yml. If the repo is not yet server-gated, provision it first with \`stamp provision --migrate-existing\`.`
@@ -8518,7 +8547,7 @@ function readMirrorYmlGithubRepo(repoRoot) {
   }
   let raw;
   try {
-    raw = readFileSync12(path2, "utf8");
+    raw = readFileSync13(path2, "utf8");
   } catch (err) {
     throw new Error(
       `could not read ${path2}: ${err instanceof Error ? err.message : String(err)}`
@@ -8758,10 +8787,10 @@ import {
 import {
   existsSync as existsSync14,
   readdirSync as readdirSync3,
-  readFileSync as readFileSync13,
+  readFileSync as readFileSync14,
   writeFileSync as writeFileSync11
 } from "fs";
-import { join as join10, resolve } from "path";
+import { join as join11, resolve } from "path";
 var USERS_EXIT = {
   OK: 0,
   CONFIG: 1,
@@ -8820,10 +8849,10 @@ function findExistingTrustedKey(repoRoot, fingerprint) {
   if (!existsSync14(dir)) return null;
   for (const f of readdirSync3(dir)) {
     if (!f.endsWith(".pub")) continue;
-    const fullPath = join10(dir, f);
+    const fullPath = join11(dir, f);
     let pem;
     try {
-      pem = readFileSync13(fullPath, "utf8");
+      pem = readFileSync14(fullPath, "utf8");
     } catch {
       continue;
     }
@@ -8875,7 +8904,7 @@ function runTrustGrant(opts) {
     );
   }
   const repoRoot = resolve(opts.repoPath ?? process.cwd());
-  if (!existsSync14(join10(repoRoot, ".git"))) {
+  if (!existsSync14(join11(repoRoot, ".git"))) {
     throw new UsageError(`${repoRoot} is not a git repository`);
   }
   if (!existsSync14(stampConfigDir(repoRoot))) {
@@ -8917,7 +8946,7 @@ function runTrustGrant(opts) {
   runGit2(["checkout", "-b", branch], repoRoot);
   const keysDir = stampTrustedKeysDir(repoRoot);
   ensureDir(keysDir, 493);
-  const keyFile = join10(keysDir, `${opts.shortName}.pub`);
+  const keyFile = join11(keysDir, `${opts.shortName}.pub`);
   writeFileSync11(keyFile, pem, { mode: 420 });
   runGit2(["add", keyFile], repoRoot);
   runGit2(
@@ -9115,8 +9144,8 @@ function runUsersRemove(opts) {
 }
 
 // src/commands/keys.ts
-import { existsSync as existsSync15, readdirSync as readdirSync4, readFileSync as readFileSync14, writeFileSync as writeFileSync12 } from "fs";
-import { basename, join as join11 } from "path";
+import { existsSync as existsSync15, readdirSync as readdirSync4, readFileSync as readFileSync15, writeFileSync as writeFileSync12 } from "fs";
+import { basename, join as join12 } from "path";
 function keysGenerate() {
   const existing = loadUserKeypair();
   if (existing) {
@@ -9160,7 +9189,7 @@ function keysList() {
     }
     for (const file of pubFiles.sort()) {
       try {
-        const pem = readFileSync14(join11(trustedDir, file), "utf8");
+        const pem = readFileSync15(join12(trustedDir, file), "utf8");
         const fp = fingerprintFromPem(pem);
         const marker = local && fp === local.fingerprint ? " (you)" : "";
         console.log(`  ${fp}${marker}  [${file}]`);
@@ -9187,7 +9216,7 @@ function keysTrust(pubFile) {
   if (!existsSync15(pubFile)) {
     throw new Error(`public key file not found: ${pubFile}`);
   }
-  const pem = readFileSync14(pubFile, "utf8");
+  const pem = readFileSync15(pubFile, "utf8");
   let fingerprint;
   try {
     fingerprint = fingerprintFromPem(pem);
@@ -9197,7 +9226,7 @@ function keysTrust(pubFile) {
     );
   }
   const filename = publicKeyFingerprintFilename(fingerprint);
-  const dest = join11(trustedDir, filename);
+  const dest = join12(trustedDir, filename);
   if (existsSync15(dest)) {
     console.log(`${fingerprint} is already trusted (${basename(dest)})`);
     return;
@@ -9456,11 +9485,13 @@ function signPending(repoRoot, rawSha, opts) {
     }
     predictedSigner = opts.signerKeyId;
   }
+  const manifestSnapshotSha256 = snapshotSha256(manifest);
   const signingBytes = trustAnchorSigningBytes({
     baseSha,
     headSha,
     targetBranch,
     diffSha256,
+    manifestSnapshotSha256,
     approvals,
     checks: [],
     // see trustAnchorPayload.ts "Operational caveat"
@@ -9657,14 +9688,14 @@ function gitDiffBetween(repoRoot, base, head) {
 
 // src/commands/adminRotate.ts
 import { execFileSync as execFileSync6 } from "child_process";
-import { copyFileSync, existsSync as existsSync16, readFileSync as readFileSync15, writeFileSync as writeFileSync13 } from "fs";
-import { join as join12, relative as relative2 } from "path";
+import { copyFileSync, existsSync as existsSync16, readFileSync as readFileSync16, writeFileSync as writeFileSync13 } from "fs";
+import { join as join13, relative as relative2 } from "path";
 var NAME_PATTERN2 = /^[A-Za-z0-9_.-]+$/;
 var FINGERPRINT_PATTERN2 = /^sha256:[0-9a-f]{64}$/;
 var KNOWN_CAPABILITIES2 = ["admin", "operator", "server"];
 function runAdminAddKey(opts) {
   const repoRoot = findRepoRoot();
-  const manifestPath = join12(repoRoot, MANIFEST_RELATIVE_PATH);
+  const manifestPath = join13(repoRoot, MANIFEST_RELATIVE_PATH);
   const trustedDir = stampTrustedKeysDir(repoRoot);
   if (!NAME_PATTERN2.test(opts.name)) {
     throw new Error(
@@ -9675,7 +9706,7 @@ function runAdminAddKey(opts) {
   if (!existsSync16(opts.pubkeyPath)) {
     throw new Error(`pubkey file not found: ${opts.pubkeyPath}`);
   }
-  const pem = readFileSync15(opts.pubkeyPath, "utf8");
+  const pem = readFileSync16(opts.pubkeyPath, "utf8");
   if (!pem.includes("-----BEGIN PUBLIC KEY-----")) {
     throw new Error(
       `${opts.pubkeyPath} does not look like a public key PEM (no "-----BEGIN PUBLIC KEY-----" header). Refusing to import \u2014 did you accidentally pass the private key path? Public keys live at ~/.stamp/keys/ed25519.pub (note the .pub suffix).`
@@ -9694,7 +9725,7 @@ function runAdminAddKey(opts) {
       `no manifest at ${MANIFEST_RELATIVE_PATH}. Run \`stamp init --migrate-to-server-attested\` to bootstrap one, then re-run \`stamp admin add-key\`.`
     );
   }
-  const existing = parseManifest(readFileSync15(manifestPath, "utf8"));
+  const existing = parseManifest(readFileSync16(manifestPath, "utf8"));
   if (!existing) {
     throw new Error(
       `${MANIFEST_RELATIVE_PATH} failed to parse. Fix the file (see \`stamp admin list-keys\` for the current state) before adding a new key.`
@@ -9729,7 +9760,7 @@ function runAdminAddKey(opts) {
   }
   writeFileSync13(manifestPath, yamlText);
   const pubDestFilename = publicKeyFingerprintFilename(fingerprint);
-  const pubDestPath = join12(trustedDir, pubDestFilename);
+  const pubDestPath = join13(trustedDir, pubDestFilename);
   if (!existsSync16(pubDestPath)) {
     copyFileSync(opts.pubkeyPath, pubDestPath);
   }
@@ -9754,7 +9785,7 @@ function runAdminAddKey(opts) {
 }
 function runAdminRevoke(opts) {
   const repoRoot = findRepoRoot();
-  const manifestPath = join12(repoRoot, MANIFEST_RELATIVE_PATH);
+  const manifestPath = join13(repoRoot, MANIFEST_RELATIVE_PATH);
   if (!FINGERPRINT_PATTERN2.test(opts.fingerprint)) {
     throw new Error(
       `fingerprint ${JSON.stringify(opts.fingerprint)} is not in the expected sha256:<64-hex> form. Run \`stamp admin list-keys\` to copy a fingerprint exactly.`
@@ -9765,7 +9796,7 @@ function runAdminRevoke(opts) {
       `no manifest at ${MANIFEST_RELATIVE_PATH} \u2014 nothing to revoke.`
     );
   }
-  const existing = parseManifest(readFileSync15(manifestPath, "utf8"));
+  const existing = parseManifest(readFileSync16(manifestPath, "utf8"));
   if (!existing) {
     throw new Error(
       `${MANIFEST_RELATIVE_PATH} failed to parse. Fix the file before revoking.`
@@ -9826,7 +9857,7 @@ function runAdminRevoke(opts) {
 }
 function runAdminListKeys(opts = {}) {
   const repoRoot = findRepoRoot();
-  const manifestPath = join12(repoRoot, MANIFEST_RELATIVE_PATH);
+  const manifestPath = join13(repoRoot, MANIFEST_RELATIVE_PATH);
   if (!existsSync16(manifestPath)) {
     if (opts.json) {
       process.stdout.write(JSON.stringify({ entries: [] }, null, 2) + "\n");
@@ -9838,7 +9869,7 @@ function runAdminListKeys(opts = {}) {
     );
     return;
   }
-  const manifest = parseManifest(readFileSync15(manifestPath, "utf8"));
+  const manifest = parseManifest(readFileSync16(manifestPath, "utf8"));
   if (!manifest) {
     throw new Error(
       `${MANIFEST_RELATIVE_PATH} failed to parse. Fix the file by hand (see \`git show HEAD:${MANIFEST_RELATIVE_PATH}\` for the last good version) before continuing.`
@@ -10184,6 +10215,7 @@ function parseEnvelope(bytes) {
     return null;
   }
   if (typeof p.diff_sha256 !== "string") return null;
+  if (typeof p.manifest_snapshot_sha256 !== "string") return null;
   if (!Array.isArray(p.trust_anchor_signatures)) return null;
   if (typeof p.target_branch_tip_sha !== "string") return null;
   return env;
@@ -10405,7 +10437,6 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
         "diff_sha256",
         "base_sha",
         "head_sha",
-        "trusted_keys_snapshot_sha256",
         "issued_at",
         "server_key_id"
       ]) {
@@ -10480,6 +10511,7 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
     db.close();
   }
   const trustAnchorSignatures = [];
+  const manifestSnapshot = snapshotSha256(manifest);
   const payload = {
     schema_version: PR_ATTESTATION_SCHEMA_VERSION,
     patch_id: input.patchId,
@@ -10488,6 +10520,7 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
     target_branch: input.targetBranch,
     target_branch_tip_sha: input.targetBranchTipSha,
     diff_sha256: diffSha256,
+    manifest_snapshot_sha256: manifestSnapshot,
     approvals: entries,
     checks: [],
     // Phase-1 deliberate omission — see file-level comment.
@@ -10548,6 +10581,11 @@ function buildV2Envelope(input) {
         `reviewer "${a.reviewer}" approved the diff but is not defined in .stamp/config.yml at base ${input.baseSha.slice(0, 8)}. This shouldn't happen \u2014 runReview reads from the same base. File a bug at https://github.com/OpenThinkAi/stamp-cli/issues.`
       );
     }
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${a.reviewer}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${a.reviewer}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested PR mode.`
+      );
+    }
     const promptText = showAtRef(input.baseSha, def.prompt, input.repoRoot);
     const source = readReviewerSource2(a.reviewer, input.repoRoot);
     return {
@@ -10613,7 +10651,7 @@ function readReviewerSource2(reviewerName, repoRoot) {
 
 // src/commands/prune.ts
 import { existsSync as existsSync18, readdirSync as readdirSync5, statSync as statSync3, unlinkSync as unlinkSync3 } from "fs";
-import { join as join13 } from "path";
+import { join as join14 } from "path";
 
 // src/lib/duration.ts
 function parseRetentionDuration(input) {
@@ -10642,8 +10680,8 @@ function runPrune(opts) {
   );
   const repoRoot = findRepoRoot();
   const dbPath = stampStateDbPath(repoRoot);
-  const parsesDir = join13(gitCommonDir(repoRoot), "stamp", "failed-parses");
-  const runsDir = join13(gitCommonDir(repoRoot), "stamp", "failed-runs");
+  const parsesDir = join14(gitCommonDir(repoRoot), "stamp", "failed-parses");
+  const runsDir = join14(gitCommonDir(repoRoot), "stamp", "failed-runs");
   const spoolCutoffMs = Date.now() - durationMs;
   if (!existsSync18(dbPath) && !existsSync18(parsesDir) && !existsSync18(runsDir)) {
     console.log(
@@ -10724,7 +10762,7 @@ function peekSpools(spoolDir, cutoffMs) {
   if (!existsSync18(spoolDir)) return [];
   const out = [];
   for (const entry of readdirSync5(spoolDir)) {
-    const filepath = join13(spoolDir, entry);
+    const filepath = join14(spoolDir, entry);
     let stat;
     try {
       stat = statSync3(filepath);
@@ -10879,27 +10917,27 @@ function loadOrEmpty() {
 import { spawnSync as spawnSync15 } from "child_process";
 import {
   existsSync as existsSync21,
-  readFileSync as readFileSync17,
+  readFileSync as readFileSync18,
   statSync as statSync4,
   unlinkSync as unlinkSync4,
   writeFileSync as writeFileSync15
 } from "fs";
-import { join as join15, relative as relative3, resolve as resolve2 } from "path";
+import { join as join16, relative as relative3, resolve as resolve2 } from "path";
 import { parse as parseYaml10, stringify as stringifyYaml3 } from "yaml";
 
 // src/lib/reviewerLock.ts
-import { existsSync as existsSync20, readFileSync as readFileSync16, writeFileSync as writeFileSync14 } from "fs";
-import { join as join14 } from "path";
+import { existsSync as existsSync20, readFileSync as readFileSync17, writeFileSync as writeFileSync14 } from "fs";
+import { join as join15 } from "path";
 var LOCK_FILE_VERSION = 1;
 var LOCK_DRIFT_EXIT = 3;
 function lockFilePath(repoRoot, reviewerName) {
-  return join14(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
+  return join15(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
 }
 function readLockFile(repoRoot, reviewerName) {
   const path2 = lockFilePath(repoRoot, reviewerName);
   if (!existsSync20(path2)) return null;
   try {
-    const raw = readFileSync16(path2, "utf8");
+    const raw = readFileSync17(path2, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version !== "number" || typeof parsed.source !== "string" || typeof parsed.ref !== "string" || typeof parsed.reviewer !== "string" || typeof parsed.prompt_sha256 !== "string" || typeof parsed.tools_sha256 !== "string" || typeof parsed.mcp_sha256 !== "string") {
       throw new Error(`malformed lock file at ${path2}`);
@@ -10920,13 +10958,18 @@ function checkReviewerDrift(repoRoot, reviewerName, def) {
   if (!lock) {
     return unpinnedResult();
   }
-  const promptPath = join14(repoRoot, def.prompt);
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${reviewerName}" has a lock file but no \`prompt:\` configured (server-bundled in Shape 4). Lock files pin local prompt bytes and don't apply in server-attested mode. Delete .stamp/reviewers/${reviewerName}.lock.json to un-pin, or set \`reviewers.${reviewerName}.prompt\` in .stamp/config.yml if you intend to author the prompt locally.`
+    );
+  }
+  const promptPath = join15(repoRoot, def.prompt);
   if (!existsSync20(promptPath)) {
     throw new Error(
       `reviewer "${reviewerName}" has a lock file but its prompt "${def.prompt}" does not exist on disk. Re-run 'stamp reviewers fetch ${reviewerName} --from ${lock.source}@${lock.ref}' to restore it, or delete the lock file to un-pin the reviewer.`
     );
   }
-  const promptBytes = readFileSync16(promptPath);
+  const promptBytes = readFileSync17(promptPath);
   const observedPrompt = hashPromptBytes(promptBytes);
   const observedTools = hashTools(def.tools);
   const observedMcp = hashMcpServers(def.mcp_servers);
@@ -11005,6 +11048,10 @@ function reviewersList() {
   const maxNameLen = Math.max(...names.map((n) => n.length));
   for (const name of names) {
     const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      console.log(`  ${name.padEnd(maxNameLen)}   (server-bundled \u2014 no local prompt)`);
+      continue;
+    }
     const abs = resolve2(repoRoot, def.prompt);
     let annotation = "";
     if (!existsSync21(abs)) {
@@ -11031,6 +11078,11 @@ function reviewersEdit(name) {
       `reviewer "${name}" is not configured. Run \`stamp reviewers list\` to see available reviewers.`
     );
   }
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${name}" has no \`prompt:\` configured (server-bundled in Shape 4). There is no local prompt file to edit. To author the prompt locally, set \`reviewers.${name}.prompt\` to a path under .stamp/reviewers/ in .stamp/config.yml.`
+    );
+  }
   const target = resolve2(repoRoot, def.prompt);
   launchEditor(target);
 }
@@ -11095,6 +11147,10 @@ function reviewersRemove(name, opts = {}) {
   delete config2.reviewers[name];
   writeFileSync15(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" removed from .stamp/config.yml`);
+  if (def.prompt === void 0) {
+    console.log(`(no local prompt file \u2014 reviewer was server-bundled)`);
+    return;
+  }
   if (opts.deleteFile) {
     const promptAbs = resolve2(repoRoot, def.prompt);
     if (existsSync21(promptAbs)) {
@@ -11128,8 +11184,13 @@ async function reviewersTest(name, diff) {
   console.log(`  prompt sourced from working tree (test/iteration use case)`);
   console.log();
   const def = config2.reviewers[name];
-  const promptPath = join15(repoRoot, def.prompt);
-  const systemPrompt = readFileSync17(promptPath, "utf8");
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${name}" has no \`prompt:\` configured (server-bundled in Shape 4). \`stamp reviewers test\` is a local prompt-iteration helper and needs a local prompt file to invoke. Set \`reviewers.${name}.prompt\` in .stamp/config.yml to a path under .stamp/reviewers/ to use this command.`
+    );
+  }
+  const promptPath = join16(repoRoot, def.prompt);
+  const systemPrompt = readFileSync18(promptPath, "utf8");
   const result = await invokeReviewer({
     reviewer: name,
     config: config2,
@@ -11172,7 +11233,9 @@ function reviewersShow(name, opts) {
   const bar = "\u2500".repeat(72);
   console.log(bar);
   console.log(`reviewer: ${name}`);
-  console.log(`prompt:   ${config2.reviewers[name].prompt}`);
+  console.log(
+    `prompt:   ${config2.reviewers[name].prompt ?? "(server-bundled \u2014 no local prompt)"}`
+  );
   console.log(bar);
   if (stats.total === 0) {
     console.log("  no verdicts recorded yet");
@@ -11267,7 +11330,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpServers = validateMcpServersFromSource(parsed.mcp_servers, source, ref);
     }
   }
-  const promptPath = join15(reviewersDir, `${reviewerName}.md`);
+  const promptPath = join16(reviewersDir, `${reviewerName}.md`);
   const promptBytes = Buffer.from(promptText, "utf8");
   const promptSha = hashPromptBytes(promptBytes);
   const toolsSha = hashTools(tools);
@@ -11605,28 +11668,6 @@ function printGate(result, base_sha, head_sha) {
 
 // src/commands/update.ts
 import { spawnSync as spawnSync16 } from "child_process";
-
-// src/lib/version.ts
-import { readFileSync as readFileSync18 } from "fs";
-import { dirname as dirname7, join as join16 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-function readPackageVersion() {
-  const here = dirname7(fileURLToPath2(import.meta.url));
-  for (let dir = here, i = 0; i < 6; i++) {
-    try {
-      const raw = readFileSync18(join16(dir, "package.json"), "utf8");
-      const pkg = JSON.parse(raw);
-      if (pkg.name === "@openthink/stamp" && pkg.version) return pkg.version;
-    } catch {
-    }
-    const parent = dirname7(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  throw new Error("could not locate @openthink/stamp package.json to read version");
-}
-
-// src/commands/update.ts
 var PKG_NAME = "@openthink/stamp";
 function compareSemver(a, b) {
   const parse2 = (v) => (v.split("-")[0] ?? "0.0.0").split(".").map((n) => parseInt(n, 10) || 0);
@@ -11840,6 +11881,12 @@ function verifyReviewerHashes(sha, payload, repoRoot, config2) {
         `v2 attestation: reviewer "${approval.reviewer}" is in payload but not defined in config.reviewers at the merge commit`
       );
     }
+    if (def.prompt === void 0) {
+      fail(
+        sha,
+        `v2 attestation: reviewer "${approval.reviewer}" has no \`prompt:\` in .stamp/config.yml at the merge commit. v2 attestations cite prompt_sha256 over the on-tree prompt file, but the producer flow for server-bundled prompts is v4 (server-attested) \u2014 the envelope and config shape are inconsistent.`
+      );
+    }
     const promptBytes = tryGitShow(`${sha}:${def.prompt}`, repoRoot);
     if (promptBytes === null) {
       fail(
@@ -11972,6 +12019,7 @@ function verifyV3Envelope(envelope, opts, resolved, patch_id, repoRoot) {
     head_sha: envelope.payload.head_sha,
     target_branch: envelope.payload.target_branch,
     diff_sha256: envelope.payload.diff_sha256,
+    manifest_snapshot_sha256: envelope.payload.manifest_snapshot_sha256,
     approvals: envelope.payload.approvals,
     checks: envelope.payload.checks,
     trust_anchor_signatures: envelope.payload.trust_anchor_signatures,
@@ -12228,6 +12276,9 @@ program.command("init").description(
 ).option(
   "--pr-mode-force",
   "with --pr-mode, overwrite an existing .github/workflows/stamp-mirror.yml (useful when re-running after configuring review_server so the host/port placeholders fill in)"
+).option(
+  "--action-source <org/repo>",
+  "GitHub repo that hosts the stamp/verify-attestation action used by .github/workflows/stamp-verify.yml. Default 'OpenThinkAi/stamp-cli'. Override when consuming a fork (e.g. 'Anglepoint-Inc/anglepoint-stamp-server') so the workflow tracks your fork's updates instead of the upstream."
 ).action(
   (opts) => {
     try {
@@ -12235,6 +12286,11 @@ program.command("init").description(
         runMigrateToServerAttested({ dryRun: opts.dryRun === true });
         return;
       }
+      if (opts.dryRun === true) {
+        throw new Error(
+          "--dry-run is supported only with --migrate-to-server-attested. Re-run with --migrate-to-server-attested to preview the migration scaffold, or drop --dry-run to run the requested init operation."
+        );
+      }
       let mode;
       if (opts.mode === void 0) {
         mode = void 0;
@@ -12245,6 +12301,13 @@ program.command("init").description(
           `--mode must be 'server-gated' or 'local-only' (got "${opts.mode}")`
         );
       }
+      if (opts.actionSource !== void 0) {
+        if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(opts.actionSource)) {
+          throw new Error(
+            `--action-source must be of the form 'org/repo' (got "${opts.actionSource}")`
+          );
+        }
+      }
       runInit({
         minimal: opts.minimal,
         agentsMd: opts.agentsMd,
@@ -12260,7 +12323,8 @@ program.command("init").description(
         // default fires when the operator hasn't opted out.
         prCheck: opts.prCheck === false ? false : void 0,
         prMode: opts.prMode === true,
-        prModeForce: opts.prModeForce === true
+        prModeForce: opts.prModeForce === true,
+        actionSource: opts.actionSource
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -12593,7 +12657,7 @@ program.command("prune").description(
 });
 program.command("ui").description("launch the interactive terminal UI").action(async () => {
   try {
-    const { runUi } = await import("./ui-P5DRAT3P.js");
+    const { runUi } = await import("./ui-67BDQPER.js");
     runUi();
   } catch (err) {
     handleCliError(err);