@riddledc/riddle-proof 0.8.32 → 0.8.34

package/dist/advanced/index.d.cts

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-4LJ5z0D-.cjs';
 export { l as engineHarness } from '../engine-harness-LBfqbFSe.cjs';
 export { p as proofRunCore } from '../proof-run-core-B1GeqkR8.cjs';
-export { p as proofRunEngine } from '../proof-run-engine-DeHxtGnW.cjs';
+export { p as proofRunEngine } from '../proof-run-engine-4dM37pEx.cjs';
 import '../types.cjs';

package/dist/advanced/index.d.ts

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-BdQpOkZD.js';
 export { l as engineHarness } from '../engine-harness-CMACHP6A.js';
 export { p as proofRunCore } from '../proof-run-core-B1GeqkR8.js';
-export { p as proofRunEngine } from '../proof-run-engine-DYfmd8d7.js';
+export { p as proofRunEngine } from '../proof-run-engine-BqaeqAze.js';
 import '../types.js';

package/dist/advanced/proof-run-engine.d.cts

@@ -1,2 +1,2 @@
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-DeHxtGnW.cjs';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-4dM37pEx.cjs';
 import '../proof-run-core-B1GeqkR8.cjs';

package/dist/advanced/proof-run-engine.d.ts

@@ -1,2 +1,2 @@
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-DYfmd8d7.js';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-BqaeqAze.js';
 import '../proof-run-core-B1GeqkR8.js';

package/dist/{proof-run-engine-DeHxtGnW.d.cts → proof-run-engine-4dM37pEx.d.cts}

@@ -292,7 +292,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     blocking?: boolean;
     details?: Record<string, unknown>;
     ok: boolean;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
     state_path: string;
     stage: any;
     summary: string;
@@ -382,7 +382,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     continueWithStage?: WorkflowStage | null;
     blocking?: boolean;
     details?: Record<string, unknown>;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
     state_path: string;
     stage: any;
     checkpoint: string;
@@ -659,7 +659,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     error?: undefined;
 } | {
     ok: boolean;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup";
     state_path: string;
     stage: any;
     summary: string;

package/dist/{proof-run-engine-DYfmd8d7.d.ts → proof-run-engine-BqaeqAze.d.ts}

@@ -292,7 +292,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     blocking?: boolean;
     details?: Record<string, unknown>;
     ok: boolean;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
     state_path: string;
     stage: any;
     summary: string;
@@ -382,7 +382,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     continueWithStage?: WorkflowStage | null;
     blocking?: boolean;
     details?: Record<string, unknown>;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
     state_path: string;
     stage: any;
     checkpoint: string;
@@ -659,7 +659,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     error?: undefined;
 } | {
     ok: boolean;
-    action: "recon" | "author" | "ship" | "implement" | "verify" | "setup";
+    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup";
     state_path: string;
     stage: any;
     summary: string;

package/dist/proof-run-engine.d.cts

@@ -1,2 +1,2 @@
 import './proof-run-core-B1GeqkR8.cjs';
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-DeHxtGnW.cjs';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-4dM37pEx.cjs';

package/dist/proof-run-engine.d.ts

@@ -1,2 +1,2 @@
 import './proof-run-core-B1GeqkR8.js';
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-DYfmd8d7.js';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-BqaeqAze.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@riddledc/riddle-proof",
-  "version": "0.8.32",
+  "version": "0.8.34",
   "description": "Reusable Riddle Proof contracts and helpers for evidence-backed agent changes.",
   "license": "MIT",
   "author": "RiddleDC",

package/runtime/lib/ship.py

@@ -320,7 +320,20 @@ def local_artifact_sources_fingerprint(local_sources):
 def public_proof_artifacts(state):
     published = state.get('proof_artifact_publication') or {}
     artifacts = published.get('artifacts') if isinstance(published, dict) else []
-    public = [artifact for artifact in artifacts or [] if isinstance(artifact, dict) and (artifact.get('raw_url') or artifact.get('html_url'))]
+    attachments = state.get('proof_image_attachments') or {}
+    attachment_artifacts = attachments.get('artifacts') if isinstance(attachments, dict) else []
+    public = [
+        {
+            **artifact,
+            'raw_url': artifact.get('attachment_url'),
+            'html_url': artifact.get('attachment_url'),
+            'embeddable': True,
+            'attachment': True,
+        }
+        for artifact in attachment_artifacts or []
+        if isinstance(artifact, dict) and artifact.get('attachment_url')
+    ]
+    public.extend([artifact for artifact in artifacts or [] if isinstance(artifact, dict) and (artifact.get('raw_url') or artifact.get('html_url'))])
     for artifact in collect_proof_artifact_sources(state):
         url = str(artifact.get('url') or '').strip()
         if is_http_url(url):
@@ -328,6 +341,7 @@ def public_proof_artifacts(state):
                 **artifact,
                 'raw_url': url,
                 'html_url': url,
+                'embeddable': True,
                 'published': False,
             })
     deduped = []
@@ -346,6 +360,8 @@ def first_public_artifact_url(state, role, kind=None):
             continue
         if kind and artifact.get('kind') != kind:
             continue
+        if artifact.get('kind') == 'image' and artifact.get('embeddable') is False:
+            continue
         return artifact.get('raw_url') or artifact.get('html_url') or artifact.get('url') or ''
     return ''
 
@@ -362,6 +378,92 @@ def resolve_github_repo_name(repo_dir):
     return ''
 
 
+def resolve_github_repo_private(repo_dir):
+    result = sp.run(['gh', 'repo', 'view', '--json', 'isPrivate', '--jq', '.isPrivate'],
+                    cwd=repo_dir, capture_output=True, text=True, timeout=30)
+    if result.returncode == 0:
+        text = result.stdout.strip().lower()
+        if text in ('true', 'false'):
+            return text == 'true'
+    return None
+
+
+def github_file_url(repo_name, ref, path_value, mode='blob'):
+    safe_path = urllib.parse.quote(str(path_value or '').lstrip('/'), safe='/._-')
+    return 'https://github.com/' + repo_name + '/' + mode + '/' + ref + '/' + safe_path
+
+
+def parse_github_image_markdown(line):
+    match = re.search(r'!\[[^\]]*\]\((https://github\.com/user-attachments/assets/[^)\s]+)\)', str(line or '').strip())
+    return match.group(1) if match else ''
+
+
+def upload_local_images_to_github_attachments(state, repo_dir):
+    if truthy(os.environ.get('RIDDLE_PROOF_DISABLE_GITHUB_IMAGE_ATTACHMENTS')):
+        state['proof_image_attachments'] = {'ok': False, 'skipped': True, 'reason': 'disabled'}
+        save_state(state)
+        return state['proof_image_attachments']
+
+    image_sources = [
+        artifact for artifact in local_proof_artifact_sources(state)
+        if artifact.get('kind') == 'image' and artifact.get('path')
+    ]
+    if not image_sources:
+        state['proof_image_attachments'] = {'ok': True, 'skipped': True, 'reason': 'no local image artifacts'}
+        save_state(state)
+        return state['proof_image_attachments']
+
+    repo_name = resolve_github_repo_name(repo_dir)
+    if not repo_name:
+        state['proof_image_attachments'] = {'ok': False, 'skipped': True, 'reason': 'repo name unavailable'}
+        save_state(state)
+        return state['proof_image_attachments']
+
+    timeout_seconds = int(os.environ.get('RIDDLE_PROOF_GH_IMAGE_TIMEOUT_SECONDS') or '15')
+    command = ['gh', 'image'] + [artifact.get('path') for artifact in image_sources] + ['--repo', repo_name]
+    try:
+        result = sp.run(command, cwd=repo_dir, capture_output=True, text=True, timeout=timeout_seconds)
+    except sp.TimeoutExpired:
+        state['proof_image_attachments'] = {'ok': False, 'skipped': True, 'reason': 'gh image timed out'}
+        save_state(state)
+        return state['proof_image_attachments']
+
+    if result.returncode != 0:
+        state['proof_image_attachments'] = {
+            'ok': False,
+            'skipped': True,
+            'reason': 'gh image failed',
+            'stderr': (result.stderr or result.stdout or '')[:500],
+        }
+        save_state(state)
+        return state['proof_image_attachments']
+
+    urls = [parse_github_image_markdown(line) for line in result.stdout.splitlines()]
+    urls = [url for url in urls if url]
+    if not urls:
+        state['proof_image_attachments'] = {'ok': False, 'skipped': True, 'reason': 'gh image returned no attachment URLs'}
+        save_state(state)
+        return state['proof_image_attachments']
+
+    artifacts = []
+    for index, artifact in enumerate(image_sources):
+        if index >= len(urls):
+            break
+        artifacts.append({
+            **artifact,
+            'attachment_url': urls[index],
+            'attachment': True,
+            'embeddable': True,
+        })
+    state['proof_image_attachments'] = {
+        'ok': True,
+        'repo': repo_name,
+        'artifacts': artifacts,
+    }
+    save_state(state)
+    return state['proof_image_attachments']
+
+
 def write_artifact_readme(path_value, state, artifacts):
     lines = [
         '# Riddle Proof Artifacts',
@@ -403,6 +505,7 @@ def publish_local_proof_artifacts_to_github(state, repo_dir, pr_num):
     repo_name = resolve_github_repo_name(repo_dir)
     if not repo_name:
         raise SystemExit('Could not resolve GitHub repository name for proof artifact publication.')
+    repo_private = resolve_github_repo_private(repo_dir)
 
     run_id = safe_slug(state.get('run_id') or str(int(time.time())), 'run')
     pr_slug = safe_slug('pr-' + str(pr_num or 'unknown'), 'pr')
@@ -467,16 +570,18 @@ def publish_local_proof_artifacts_to_github(state, repo_dir, pr_num):
         for artifact in published:
             if artifact.get('published'):
                 published_path = artifact.get('published_path')
-                artifact['raw_url'] = 'https://raw.githubusercontent.com/' + repo_name + '/' + commit + '/' + published_path
-                artifact['html_url'] = 'https://github.com/' + repo_name + '/blob/' + commit + '/' + published_path
+                artifact['raw_url'] = github_file_url(repo_name, commit, published_path, 'raw')
+                artifact['html_url'] = github_file_url(repo_name, commit, published_path, 'blob')
+                artifact['embeddable'] = False if repo_private is True and artifact.get('kind') == 'image' else True
         publication = {
             'ok': True,
             'branch': artifact_branch,
             'commit': commit,
             'repo': repo_name,
-            'html_url': 'https://github.com/' + repo_name + '/tree/' + commit + '/' + artifact_dir_name,
-            'manifest_url': 'https://github.com/' + repo_name + '/blob/' + commit + '/' + artifact_dir_name + '/proof-artifacts.json',
-            'readme_url': 'https://github.com/' + repo_name + '/blob/' + commit + '/' + artifact_dir_name + '/README.md',
+            'repo_private': repo_private,
+            'html_url': github_file_url(repo_name, commit, artifact_dir_name, 'tree'),
+            'manifest_url': github_file_url(repo_name, commit, artifact_dir_name + '/proof-artifacts.json', 'blob'),
+            'readme_url': github_file_url(repo_name, commit, artifact_dir_name + '/README.md', 'blob'),
             'source_fingerprint': source_fingerprint,
             'artifacts': published,
         }
@@ -1075,6 +1180,12 @@ if publication.get('ok') and not publication.get('skipped'):
 elif publication.get('skipped'):
     print('Proof artifact publication skipped: ' + publication.get('reason', 'unknown'))
 
+image_attachments = upload_local_images_to_github_attachments(s, repo_dir)
+if image_attachments.get('ok') and not image_attachments.get('skipped'):
+    print('Proof images attached: ' + str(len(image_attachments.get('artifacts') or [])))
+elif image_attachments.get('skipped'):
+    print('Proof image attachment skipped: ' + image_attachments.get('reason', 'unknown'))
+
 # Post proof comment on PR
 body = '## Riddle Proof — Proof of Fix\n\n'
 body += '**Goal:** ' + s.get('change_request', '') + '\n\n'
@@ -1094,15 +1205,34 @@ if publication.get('ok') and not publication.get('skipped'):
 before_image = first_public_artifact_url(s, 'before', 'image')
 prod_image = first_public_artifact_url(s, 'prod', 'image')
 after_image = first_public_artifact_url(s, 'after', 'image')
+linked_image_artifacts = [
+    artifact for artifact in public_artifacts
+    if artifact.get('kind') == 'image'
+    and artifact.get('embeddable') is False
+    and (artifact.get('html_url') or artifact.get('raw_url'))
+]
 if before_image:
     body += '### Before\n![before](' + before_image + ')\n\n'
 if prod_image:
     body += '### Prod\n![prod](' + prod_image + ')\n\n'
 if after_image:
     body += '### After\n![after](' + after_image + ')\n\n'
+elif linked_image_artifacts:
+    body += '### After evidence\nA screenshot artifact was captured, but GitHub attachment upload was unavailable; linked image artifacts are listed below.\n\n'
 else:
     body += '### After evidence\nNo after screenshot was captured for this verification mode; structured evidence is summarized below.\n\n'
 
+if linked_image_artifacts:
+    body += '### Image artifacts\n'
+    for artifact in linked_image_artifacts[:12]:
+        label = artifact.get('name') or artifact.get('filename') or 'image'
+        url = artifact.get('html_url') or artifact.get('raw_url')
+        body += '- [' + str(label) + '](' + str(url) + ')'
+        if artifact.get('role'):
+            body += ' (' + str(artifact.get('role')) + ')'
+        body += '\n'
+    body += '\n'
+
 data_artifacts = [
     artifact for artifact in public_artifacts
     if artifact.get('kind') != 'image' and (artifact.get('html_url') or artifact.get('raw_url'))

package/runtime/tests/ship_artifact_publication.py

@@ -27,7 +27,15 @@ import sys
 
 args = sys.argv[1:]
 if args[:3] == ["repo", "view", "--json"]:
-    print("example/test-repo")
+    if "isPrivate" in args:
+        print("true")
+    else:
+        print("example/test-repo")
+    raise SystemExit(0)
+if args and args[0] == "image":
+    image_paths = [arg for arg in args[1:] if not arg.startswith("--") and arg != "example/test-repo"]
+    for index, image_path in enumerate(image_paths):
+        print(f"![{os.path.basename(image_path)}](https://github.com/user-attachments/assets/00000000-0000-4000-8000-{index:012d})")
     raise SystemExit(0)
 if args[:2] == ["pr", "list"]:
     print("")
@@ -163,13 +171,16 @@ def main():
         assert publication.get("ok") is True, "proof artifact publication should be recorded"
         assert publication.get("artifacts"), "published artifact list should be recorded"
         assert updated.get("ship_report", {}).get("after_artifact_url", "").startswith(
-            "https://raw.githubusercontent.com/example/test-repo/"
-        ), "ship report should expose a public after artifact URL"
+            "https://github.com/user-attachments/assets/"
+        ), "ship report should expose a GitHub-hosted attachment URL for the after artifact"
 
         comment = comment_body_path.read_text(encoding="utf-8")
         assert "file://" not in comment, "PR proof comment must not expose local file URLs"
-        assert "![after](https://raw.githubusercontent.com/example/test-repo/" in comment, (
-            "PR proof comment should embed the GitHub-hosted after screenshot"
+        assert "raw.githubusercontent.com" not in comment, (
+            "PR proof comment must not depend on unauthenticated raw GitHub URLs"
+        )
+        assert "![after](https://github.com/user-attachments/assets/" in comment, (
+            "PR proof comment should embed the GitHub user-attachments screenshot when available"
         )
         assert "[proof.json](https://github.com/example/test-repo/blob/" in comment, (
             "PR proof comment should link the structured proof JSON"