npm - @riddledc/riddle-proof - Versions diffs - 0.8.52 → 0.8.54 - Mend

@riddledc/riddle-proof 0.8.52 → 0.8.54

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/adapters/openclaw.js +4 -4
package/dist/advanced/engine-harness.cjs +117 -12
package/dist/advanced/engine-harness.js +4 -4
package/dist/advanced/index.cjs +117 -12
package/dist/advanced/index.d.cts +1 -1
package/dist/advanced/index.d.ts +1 -1
package/dist/advanced/index.js +5 -5
package/dist/advanced/proof-run-engine.d.cts +1 -1
package/dist/advanced/proof-run-engine.d.ts +1 -1
package/dist/advanced/runner.js +4 -4
package/dist/checkpoint.cjs +41 -11
package/dist/checkpoint.d.cts +2 -1
package/dist/checkpoint.d.ts +2 -1
package/dist/checkpoint.js +3 -1
package/dist/{chunk-AXWJJ2LC.js → chunk-BLM5EIBA.js} +40 -11
package/dist/{chunk-FWHJN3QG.js → chunk-ECLGGGAI.js} +3 -2
package/dist/{chunk-WURLFN72.js → chunk-IV4DVWPR.js} +82 -4
package/dist/{chunk-RBAU2M4S.js → chunk-JJ4IWRMJ.js} +1 -1
package/dist/{chunk-OYWZGDTS.js → chunk-LNWJAHAQ.js} +1 -1
package/dist/{chunk-2CZORYB7.js → chunk-S5DX7Z6X.js} +1 -1
package/dist/{chunk-M3IE3VNC.js → chunk-WDIKPIMB.js} +1 -1
package/dist/cli/index.js +5 -5
package/dist/cli.cjs +119 -12
package/dist/cli.js +5 -5
package/dist/engine-harness.cjs +117 -12
package/dist/engine-harness.js +4 -4
package/dist/index.cjs +120 -12
package/dist/index.d.cts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +7 -5
package/dist/openclaw.js +4 -4
package/dist/{proof-run-engine-DpChFR5H.d.cts → proof-run-engine-Baiv6l3A.d.cts} +3 -3
package/dist/{proof-run-engine-BqRoA3Do.d.ts → proof-run-engine-MiKZt9oY.d.ts} +3 -3
package/dist/proof-run-engine.d.cts +1 -1
package/dist/proof-run-engine.d.ts +1 -1
package/dist/run-card.js +2 -2
package/dist/runner.js +4 -4
package/dist/spec/checkpoint.cjs +41 -11
package/dist/spec/checkpoint.d.cts +1 -1
package/dist/spec/checkpoint.d.ts +1 -1
package/dist/spec/checkpoint.js +3 -1
package/dist/spec/index.cjs +41 -11
package/dist/spec/index.d.cts +1 -1
package/dist/spec/index.d.ts +1 -1
package/dist/spec/index.js +5 -3
package/dist/spec/run-card.js +2 -2
package/dist/spec/state.js +3 -3
package/dist/state.js +3 -3
package/dist/types.d.cts +5 -0
package/dist/types.d.ts +5 -0
package/package.json +1 -1

package/dist/adapters/openclaw.js CHANGED Viewed

@@ -3,10 +3,10 @@ import {
   parseOpenClawAssertions,
   parseOpenClawJsonObjectOrArray,
   toRiddleProofRunParams
-} from "../chunk-OYWZGDTS.js";
-import "../chunk-M3IE3VNC.js";
-import "../chunk-RBAU2M4S.js";
-import "../chunk-AXWJJ2LC.js";
+} from "../chunk-LNWJAHAQ.js";
+import "../chunk-WDIKPIMB.js";
+import "../chunk-JJ4IWRMJ.js";
+import "../chunk-BLM5EIBA.js";
 import "../chunk-VY4Y5U57.js";
 import "../chunk-MLKGABMK.js";
 export {

package/dist/advanced/engine-harness.cjs CHANGED Viewed

@@ -3682,12 +3682,13 @@ function statePathsForRunState(state, engineStatePath2) {
 function responseSchemaForAuthorPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "payload", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "payload", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3715,12 +3716,13 @@ function responseSchemaForAuthorPacket() {
 function responseSchemaForProofAssessmentPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3756,12 +3758,13 @@ function responseSchemaForProofAssessmentPacket() {
 function responseSchemaForReconPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3789,12 +3792,13 @@ function responseSchemaForReconPacket() {
 function responseSchemaForImplementationPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3822,12 +3826,13 @@ function responseSchemaForImplementationPacket() {
 function responseSchemaForAdvancePacket(stage) {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3853,6 +3858,20 @@ function resumeTokenFor(input) {
   const hash = import_node_crypto.default.createHash("sha256").update(JSON.stringify(input)).digest("hex").slice(0, 24);
   return `rpchk_${hash}`;
 }
+function packetIdentityPayload(packet) {
+  const { packet_id: _packetId, ...identityPayload } = packet;
+  return identityPayload;
+}
+function checkpointPacketIdentity(packet) {
+  const hash = import_node_crypto.default.createHash("sha256").update(stableJson(packetIdentityPayload(packet))).digest("hex").slice(0, 24);
+  return `rppkt_${hash}`;
+}
+function withPacketIdentity(packet) {
+  return {
+    ...packet,
+    packet_id: checkpointPacketIdentity(packet)
+  };
+}
 function artifactsFromState(state) {
   const artifacts = [];
   for (const role of ["before", "prod", "after"]) {
@@ -3925,7 +3944,7 @@ function buildStageCheckpointPacket(input) {
   const checkpointContract = recordValue(input.engineResult.checkpointContract);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.stage_summary) || `${stage} checkpoint needs a supervising decision.`;
   const kind = packetKindForStage(stage, checkpoint);
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -3974,7 +3993,7 @@ function buildStageCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function buildAuthorCheckpointPacket(input) {
   const checkpoint = nonEmptyString(input.engineResult.checkpoint) || "author_supervisor_judgment";
@@ -3987,7 +4006,7 @@ function buildAuthorCheckpointPacket(input) {
   const reconResults = recordValue(fullState.recon_results);
   const checkpointContract = recordValue(input.engineResult.checkpointContract);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.author_summary) || "Author checkpoint needs a supervising proof packet.";
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -4036,7 +4055,7 @@ function buildAuthorCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function visualDeltaFromState(fullState) {
   const bundle = recordValue(fullState.evidence_bundle);
@@ -4107,7 +4126,7 @@ function buildProofAssessmentCheckpointPacket(input) {
   const evidenceIssueCode2 = visualDeltaIssueCode(visualDelta, visualDeltaRequired);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.verify_summary) || "Verify captured evidence and needs a supervising proof assessment.";
   const recoveryHint = evidenceIssueCode2 ? "Required visual_delta evidence is incomplete. Keep this same run in verify/evidence recovery with decision=revise_capture and continue_with_stage=verify unless the evidence proves an implementation or recon problem." : "Assess whether the current artifacts prove the requested change, then choose the next stage.";
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -4167,7 +4186,7 @@ function buildProofAssessmentCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function buildCheckpointPacketForEngineResult(input) {
   const checkpoint = nonEmptyString(input.engineResult.checkpoint) || "";
@@ -4196,6 +4215,7 @@ function normalizeCheckpointResponse(value) {
     version: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION,
     run_id: runId,
     checkpoint,
+    packet_id: nonEmptyString(record.packet_id),
     resume_token: nonEmptyString(record.resume_token),
     decision,
     summary,
@@ -4227,6 +4247,9 @@ function checkpointSummaryFromState(state, engineStatePath2) {
   const latestResponseEntry = [...responses].reverse().find((entry) => entry.response);
   const latestPacket = state.checkpoint_packet || latestPacketEntry?.packet;
   const latestResponse = latestResponseEntry?.response;
+  const latestPacketId = latestPacket?.packet_id || null;
+  const latestResponsePacketId = latestResponse?.packet_id || null;
+  const packetIdMatches = !latestResponse ? null : latestPacketId && latestResponsePacketId ? latestPacketId === latestResponsePacketId : latestPacketId || latestResponsePacketId ? false : null;
   const latestResumeToken = latestPacket?.resume_token || null;
   const latestResponseToken = latestResponse?.resume_token || null;
   const tokenMatches = !latestResponse ? null : latestResumeToken && latestResponseToken ? latestResumeToken === latestResponseToken : latestResumeToken || latestResponseToken ? false : null;
@@ -4241,6 +4264,9 @@ function checkpointSummaryFromState(state, engineStatePath2) {
     latest_decision: latestResponse?.decision || null,
     latest_packet_summary: latestPacket?.summary || null,
     latest_response_summary: latestResponse?.summary || null,
+    latest_packet_id: latestPacketId,
+    latest_response_packet_id: latestResponsePacketId,
+    packet_id_matches: packetIdMatches,
     latest_resume_token: latestResumeToken,
     latest_response_token: latestResponseToken,
     token_matches: tokenMatches,
@@ -4257,6 +4283,7 @@ function checkpointResponseIdentity(response) {
   const logicalResponse = compactRecord({
     run_id: response.run_id,
     checkpoint: response.checkpoint,
+    packet_id: response.packet_id,
     resume_token: response.resume_token,
     decision: response.decision,
     summary: response.summary,
@@ -5030,6 +5057,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5060,6 +5113,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5080,7 +5142,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -5407,6 +5469,22 @@ function checkpointResponseContinuation(state, value) {
       }
     };
   }
+  if (packet.packet_id && response.packet_id !== packet.packet_id) {
+    return {
+      blocker: {
+        code: "checkpoint_response_packet_id_mismatch",
+        checkpoint: packet.checkpoint,
+        message: "Checkpoint response packet_id does not match the pending checkpoint packet.",
+        details: {
+          stage: packet.stage,
+          expected_packet_id: packet.packet_id,
+          actual_packet_id: response.packet_id || null,
+          expected_resume_token: packet.resume_token || null,
+          actual_resume_token: response.resume_token || null
+        }
+      }
+    };
+  }
   if (!packet.allowed_decisions.includes(response.decision)) {
     return {
       blocker: {
@@ -5515,6 +5593,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6073,6 +6159,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/advanced/engine-harness.js CHANGED Viewed

@@ -2,11 +2,11 @@ import {
   createDisabledRiddleProofAgentAdapter,
   readRiddleProofRunStatus,
   runRiddleProofEngineHarness
-} from "../chunk-WURLFN72.js";
-import "../chunk-M3IE3VNC.js";
-import "../chunk-RBAU2M4S.js";
+} from "../chunk-IV4DVWPR.js";
+import "../chunk-WDIKPIMB.js";
+import "../chunk-JJ4IWRMJ.js";
 import "../chunk-EKZXU6MU.js";
-import "../chunk-AXWJJ2LC.js";
+import "../chunk-BLM5EIBA.js";
 import "../chunk-VY4Y5U57.js";
 import "../chunk-MLKGABMK.js";
 export {

package/dist/advanced/index.cjs CHANGED Viewed

@@ -3716,12 +3716,13 @@ function statePathsForRunState(state, engineStatePath2) {
 function responseSchemaForAuthorPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "payload", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "payload", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3749,12 +3750,13 @@ function responseSchemaForAuthorPacket() {
 function responseSchemaForProofAssessmentPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3790,12 +3792,13 @@ function responseSchemaForProofAssessmentPacket() {
 function responseSchemaForReconPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3823,12 +3826,13 @@ function responseSchemaForReconPacket() {
 function responseSchemaForImplementationPacket() {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3856,12 +3860,13 @@ function responseSchemaForImplementationPacket() {
 function responseSchemaForAdvancePacket(stage) {
   return {
     type: "object",
-    required: ["version", "run_id", "checkpoint", "decision", "summary", "created_at"],
+    required: ["version", "run_id", "checkpoint", "packet_id", "decision", "summary", "created_at"],
     additionalProperties: false,
     properties: {
       version: { const: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION },
       run_id: { type: "string" },
       checkpoint: { type: "string" },
+      packet_id: { type: "string" },
       resume_token: { type: "string" },
       decision: {
         type: "string",
@@ -3887,6 +3892,20 @@ function resumeTokenFor(input) {
   const hash = import_node_crypto.default.createHash("sha256").update(JSON.stringify(input)).digest("hex").slice(0, 24);
   return `rpchk_${hash}`;
 }
+function packetIdentityPayload(packet) {
+  const { packet_id: _packetId, ...identityPayload } = packet;
+  return identityPayload;
+}
+function checkpointPacketIdentity(packet) {
+  const hash = import_node_crypto.default.createHash("sha256").update(stableJson(packetIdentityPayload(packet))).digest("hex").slice(0, 24);
+  return `rppkt_${hash}`;
+}
+function withPacketIdentity(packet) {
+  return {
+    ...packet,
+    packet_id: checkpointPacketIdentity(packet)
+  };
+}
 function artifactsFromState(state) {
   const artifacts = [];
   for (const role of ["before", "prod", "after"]) {
@@ -3959,7 +3978,7 @@ function buildStageCheckpointPacket(input) {
   const checkpointContract = recordValue(input.engineResult.checkpointContract);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.stage_summary) || `${stage} checkpoint needs a supervising decision.`;
   const kind = packetKindForStage(stage, checkpoint);
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -4008,7 +4027,7 @@ function buildStageCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function buildAuthorCheckpointPacket(input) {
   const checkpoint = nonEmptyString(input.engineResult.checkpoint) || "author_supervisor_judgment";
@@ -4021,7 +4040,7 @@ function buildAuthorCheckpointPacket(input) {
   const reconResults = recordValue(fullState.recon_results);
   const checkpointContract = recordValue(input.engineResult.checkpointContract);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.author_summary) || "Author checkpoint needs a supervising proof packet.";
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -4070,7 +4089,7 @@ function buildAuthorCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function visualDeltaFromState(fullState) {
   const bundle = recordValue(fullState.evidence_bundle);
@@ -4141,7 +4160,7 @@ function buildProofAssessmentCheckpointPacket(input) {
   const evidenceIssueCode2 = visualDeltaIssueCode(visualDelta, visualDeltaRequired);
   const summary = nonEmptyString(input.engineResult.summary) || nonEmptyString(fullState.verify_summary) || "Verify captured evidence and needs a supervising proof assessment.";
   const recoveryHint = evidenceIssueCode2 ? "Required visual_delta evidence is incomplete. Keep this same run in verify/evidence recovery with decision=revise_capture and continue_with_stage=verify unless the evidence proves an implementation or recon problem." : "Assess whether the current artifacts prove the requested change, then choose the next stage.";
-  return {
+  return withPacketIdentity({
     version: RIDDLE_PROOF_CHECKPOINT_PACKET_VERSION,
     run_id: runId,
     state_path: input.runState.state_path,
@@ -4201,7 +4220,7 @@ function buildProofAssessmentCheckpointPacket(input) {
       stage
     }),
     created_at: input.created_at || timestamp()
-  };
+  });
 }
 function buildCheckpointPacketForEngineResult(input) {
   const checkpoint = nonEmptyString(input.engineResult.checkpoint) || "";
@@ -4230,6 +4249,7 @@ function normalizeCheckpointResponse(value) {
     version: RIDDLE_PROOF_CHECKPOINT_RESPONSE_VERSION,
     run_id: runId,
     checkpoint,
+    packet_id: nonEmptyString(record.packet_id),
     resume_token: nonEmptyString(record.resume_token),
     decision,
     summary,
@@ -4261,6 +4281,9 @@ function checkpointSummaryFromState(state, engineStatePath2) {
   const latestResponseEntry = [...responses].reverse().find((entry) => entry.response);
   const latestPacket = state.checkpoint_packet || latestPacketEntry?.packet;
   const latestResponse = latestResponseEntry?.response;
+  const latestPacketId = latestPacket?.packet_id || null;
+  const latestResponsePacketId = latestResponse?.packet_id || null;
+  const packetIdMatches = !latestResponse ? null : latestPacketId && latestResponsePacketId ? latestPacketId === latestResponsePacketId : latestPacketId || latestResponsePacketId ? false : null;
   const latestResumeToken = latestPacket?.resume_token || null;
   const latestResponseToken = latestResponse?.resume_token || null;
   const tokenMatches = !latestResponse ? null : latestResumeToken && latestResponseToken ? latestResumeToken === latestResponseToken : latestResumeToken || latestResponseToken ? false : null;
@@ -4275,6 +4298,9 @@ function checkpointSummaryFromState(state, engineStatePath2) {
     latest_decision: latestResponse?.decision || null,
     latest_packet_summary: latestPacket?.summary || null,
     latest_response_summary: latestResponse?.summary || null,
+    latest_packet_id: latestPacketId,
+    latest_response_packet_id: latestResponsePacketId,
+    packet_id_matches: packetIdMatches,
     latest_resume_token: latestResumeToken,
     latest_response_token: latestResponseToken,
     token_matches: tokenMatches,
@@ -4291,6 +4317,7 @@ function checkpointResponseIdentity(response) {
   const logicalResponse = compactRecord({
     run_id: response.run_id,
     checkpoint: response.checkpoint,
+    packet_id: response.packet_id,
     resume_token: response.resume_token,
     decision: response.decision,
     summary: response.summary,
@@ -5569,6 +5596,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5599,6 +5652,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5619,7 +5681,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -5946,6 +6008,22 @@ function checkpointResponseContinuation(state, value) {
       }
     };
   }
+  if (packet.packet_id && response.packet_id !== packet.packet_id) {
+    return {
+      blocker: {
+        code: "checkpoint_response_packet_id_mismatch",
+        checkpoint: packet.checkpoint,
+        message: "Checkpoint response packet_id does not match the pending checkpoint packet.",
+        details: {
+          stage: packet.stage,
+          expected_packet_id: packet.packet_id,
+          actual_packet_id: response.packet_id || null,
+          expected_resume_token: packet.resume_token || null,
+          actual_resume_token: response.resume_token || null
+        }
+      }
+    };
+  }
   if (!packet.allowed_decisions.includes(response.decision)) {
     return {
       blocker: {
@@ -6054,6 +6132,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6612,6 +6698,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/advanced/index.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-4LJ5z0D-.cjs';
 export { l as engineHarness } from '../engine-harness-LBfqbFSe.cjs';
 export { p as proofRunCore } from '../proof-run-core-7Dqm7RKM.cjs';
-export { p as proofRunEngine } from '../proof-run-engine-DpChFR5H.cjs';
+export { p as proofRunEngine } from '../proof-run-engine-Baiv6l3A.cjs';
 import '../types.cjs';

package/dist/advanced/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-BdQpOkZD.js';
 export { l as engineHarness } from '../engine-harness-CMACHP6A.js';
 export { p as proofRunCore } from '../proof-run-core-7Dqm7RKM.js';
-export { p as proofRunEngine } from '../proof-run-engine-BqRoA3Do.js';
+export { p as proofRunEngine } from '../proof-run-engine-MiKZt9oY.js';
 import '../types.js';

package/dist/advanced/index.js CHANGED Viewed

@@ -3,16 +3,16 @@ import {
 } from "../chunk-VYJD6XYF.js";
 import {
   runner_exports
-} from "../chunk-2CZORYB7.js";
+} from "../chunk-S5DX7Z6X.js";
 import {
   engine_harness_exports
-} from "../chunk-WURLFN72.js";
-import "../chunk-M3IE3VNC.js";
-import "../chunk-RBAU2M4S.js";
+} from "../chunk-IV4DVWPR.js";
+import "../chunk-WDIKPIMB.js";
+import "../chunk-JJ4IWRMJ.js";
 import {
   proof_run_core_exports
 } from "../chunk-EKZXU6MU.js";
-import "../chunk-AXWJJ2LC.js";
+import "../chunk-BLM5EIBA.js";
 import "../chunk-VY4Y5U57.js";
 import "../chunk-MLKGABMK.js";
 export {