@riddledc/riddle-proof 0.8.53 → 0.8.54

package/dist/advanced/engine-harness.cjs

@@ -5057,6 +5057,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5087,6 +5113,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5107,7 +5142,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -5558,6 +5593,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6116,6 +6159,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/advanced/engine-harness.js

@@ -2,7 +2,7 @@ import {
   createDisabledRiddleProofAgentAdapter,
   readRiddleProofRunStatus,
   runRiddleProofEngineHarness
-} from "../chunk-ZLBOGPUL.js";
+} from "../chunk-IV4DVWPR.js";
 import "../chunk-WDIKPIMB.js";
 import "../chunk-JJ4IWRMJ.js";
 import "../chunk-EKZXU6MU.js";

package/dist/advanced/index.cjs

@@ -5596,6 +5596,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5626,6 +5652,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5646,7 +5681,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -6097,6 +6132,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6655,6 +6698,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/advanced/index.d.cts

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-4LJ5z0D-.cjs';
 export { l as engineHarness } from '../engine-harness-LBfqbFSe.cjs';
 export { p as proofRunCore } from '../proof-run-core-7Dqm7RKM.cjs';
-export { p as proofRunEngine } from '../proof-run-engine-DpChFR5H.cjs';
+export { p as proofRunEngine } from '../proof-run-engine-Baiv6l3A.cjs';
 import '../types.cjs';

package/dist/advanced/index.d.ts

@@ -1,5 +1,5 @@
 export { b as runner } from '../runner-BdQpOkZD.js';
 export { l as engineHarness } from '../engine-harness-CMACHP6A.js';
 export { p as proofRunCore } from '../proof-run-core-7Dqm7RKM.js';
-export { p as proofRunEngine } from '../proof-run-engine-BqRoA3Do.js';
+export { p as proofRunEngine } from '../proof-run-engine-MiKZt9oY.js';
 import '../types.js';

package/dist/advanced/index.js

@@ -6,7 +6,7 @@ import {
 } from "../chunk-S5DX7Z6X.js";
 import {
   engine_harness_exports
-} from "../chunk-ZLBOGPUL.js";
+} from "../chunk-IV4DVWPR.js";
 import "../chunk-WDIKPIMB.js";
 import "../chunk-JJ4IWRMJ.js";
 import {

package/dist/advanced/proof-run-engine.d.cts

@@ -1,2 +1,2 @@
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-DpChFR5H.cjs';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-Baiv6l3A.cjs';
 import '../proof-run-core-7Dqm7RKM.cjs';

package/dist/advanced/proof-run-engine.d.ts

@@ -1,2 +1,2 @@
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-BqRoA3Do.js';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from '../proof-run-engine-MiKZt9oY.js';
 import '../proof-run-core-7Dqm7RKM.js';

package/dist/{chunk-2ALMXMFZ.js → chunk-ECLGGGAI.js}

@@ -28,7 +28,7 @@ import {
   createDisabledRiddleProofAgentAdapter,
   readRiddleProofRunStatus,
   runRiddleProofEngineHarness
-} from "./chunk-ZLBOGPUL.js";
+} from "./chunk-IV4DVWPR.js";
 import {
   createCheckpointResponseTemplate
 } from "./chunk-BLM5EIBA.js";

package/dist/{chunk-ZLBOGPUL.js → chunk-IV4DVWPR.js}

@@ -361,6 +361,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -391,6 +417,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -411,7 +446,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -862,6 +897,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -1420,6 +1463,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/cli/index.js

@@ -1,8 +1,8 @@
-import "../chunk-2ALMXMFZ.js";
+import "../chunk-ECLGGGAI.js";
 import "../chunk-DI2XNGEZ.js";
 import "../chunk-6KYXX4OE.js";
 import "../chunk-EX7TO4I5.js";
-import "../chunk-ZLBOGPUL.js";
+import "../chunk-IV4DVWPR.js";
 import "../chunk-WDIKPIMB.js";
 import "../chunk-JJ4IWRMJ.js";
 import "../chunk-EKZXU6MU.js";

package/dist/cli.cjs

@@ -5143,6 +5143,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5173,6 +5199,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5193,7 +5228,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -5644,6 +5679,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6202,6 +6245,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/cli.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
-import "./chunk-2ALMXMFZ.js";
+import "./chunk-ECLGGGAI.js";
 import "./chunk-DI2XNGEZ.js";
 import "./chunk-6KYXX4OE.js";
 import "./chunk-EX7TO4I5.js";
-import "./chunk-ZLBOGPUL.js";
+import "./chunk-IV4DVWPR.js";
 import "./chunk-WDIKPIMB.js";
 import "./chunk-JJ4IWRMJ.js";
 import "./chunk-EKZXU6MU.js";

package/dist/engine-harness.cjs

@@ -5055,6 +5055,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5085,6 +5111,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5105,7 +5140,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -5556,6 +5591,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6114,6 +6157,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/engine-harness.js

@@ -2,7 +2,7 @@ import {
   createDisabledRiddleProofAgentAdapter,
   readRiddleProofRunStatus,
   runRiddleProofEngineHarness
-} from "./chunk-ZLBOGPUL.js";
+} from "./chunk-IV4DVWPR.js";
 import "./chunk-WDIKPIMB.js";
 import "./chunk-JJ4IWRMJ.js";
 import "./chunk-EKZXU6MU.js";

package/dist/index.cjs

@@ -5811,6 +5811,32 @@ function isReadyShipGate(result) {
 function proofAssessmentRequestsShip(payload) {
   return String(payload.decision || "").trim() === "ready_to_ship";
 }
+var TRUSTED_PROOF_ASSESSMENT_READY_SOURCES = /* @__PURE__ */ new Set([
+  "supervising_agent",
+  "supervisor",
+  "openclaw_auto_ship_mode_none"
+]);
+function proofAssessmentSourceTrustedForShip(payload) {
+  const source = nonEmptyString(payload.source)?.toLowerCase();
+  if (!source) return true;
+  return TRUSTED_PROOF_ASSESSMENT_READY_SOURCES.has(source);
+}
+function proofAssessmentSourceBlocker(input) {
+  if (!proofAssessmentRequestsShip(input.payload)) return null;
+  if (proofAssessmentSourceTrustedForShip(input.payload)) return null;
+  const source = nonEmptyString(input.payload.source) || "unknown";
+  return {
+    code: input.code || "proof_assessment_source_not_trusted",
+    checkpoint: input.checkpoint || null,
+    message: `Riddle Proof cannot mark ready_to_ship from untrusted proof assessment source: ${source}.`,
+    details: compactRecord({
+      stage: input.stage || null,
+      proofAssessment: input.payload,
+      checkpoint_response_source: input.response?.source || null,
+      response: input.response || null
+    })
+  };
+}
 function proofAssessmentHardBlockers(state, payload) {
   const blockers = proofAssessmentHardBlockersForState(state || {});
   if (Array.isArray(payload.hard_blockers)) {
@@ -5841,6 +5867,15 @@ function stageFromCheckpointResponse(response, packet) {
   const stage = response.continue_with_stage || nonEmptyString(payload.continue_with_stage) || nonEmptyString(payload.recommended_stage) || nonEmptyString(resume?.continue_with_stage) || (response.decision === "retry_stage" ? packet.stage : "");
   return stage ? stage : null;
 }
+function proofAssessmentSourceFromCheckpointResponse(response) {
+  const kind = nonEmptyString(response.source?.kind)?.toLowerCase();
+  if (!kind) return "supervising_agent";
+  if (kind === "human") return "supervisor";
+  if (kind === "codex" || kind === "openclaw-main" || kind === "claude-code") {
+    return "supervising_agent";
+  }
+  return `checkpoint_response:${kind}`;
+}
 function proofAssessmentPayloadFromCheckpointResponse(response) {
   if (![
     "ready_to_ship",
@@ -5861,7 +5896,7 @@ function proofAssessmentPayloadFromCheckpointResponse(response) {
     continue_with_stage: stage || void 0,
     escalation_target: nonEmptyString(payload.escalation_target) || "agent",
     reasons: Array.isArray(response.reasons) ? response.reasons : Array.isArray(payload.reasons) ? payload.reasons : [],
-    source: "supervising_agent",
+    source: proofAssessmentSourceFromCheckpointResponse(response),
     checkpoint_response_source: response.source || null,
     checkpoint_response_created_at: response.created_at
   }));
@@ -6312,6 +6347,14 @@ function checkpointResponseContinuation(state, value) {
   if (packet.kind === "assess_proof" || packet.kind === "recover_evidence" || packet.stage === "verify") {
     const assessment = proofAssessmentPayloadFromCheckpointResponse(response);
     if (assessment) {
+      const sourceBlocker = proofAssessmentSourceBlocker({
+        checkpoint: packet.checkpoint,
+        stage: packet.stage,
+        payload: assessment,
+        response,
+        code: "checkpoint_response_source_not_trusted"
+      });
+      if (sourceBlocker) return { blocker: sourceBlocker };
       appendCheckpointResponse(state, response);
       if (state.request.ship_mode !== "ship" && proofAssessmentRequestsShip(assessment)) {
         const result = {
@@ -6870,6 +6913,25 @@ async function routeCheckpoint(request, state, result, agent, input) {
         }
       };
     }
+    const sourceBlocker = proofAssessmentSourceBlocker({
+      checkpoint,
+      stage: "verify",
+      payload,
+      code: "proof_assessment_source_not_trusted"
+    });
+    if (sourceBlocker) {
+      recordEvent(state, {
+        kind: "agent.proof_assessment.source_blocked",
+        checkpoint,
+        stage: "verify",
+        summary: sourceBlocker.message,
+        details: compactRecord({
+          proof_assessment: payload,
+          agent_duration_ms: durationMs
+        })
+      });
+      return { blocker: sourceBlocker };
+    }
     const visualBlocker = proofAssessmentVisualBlocker({
       ...context.fullRiddleState || {},
       verification_mode: context.fullRiddleState?.verification_mode || request.verification_mode

package/dist/index.js

@@ -102,7 +102,7 @@ import {
   createDisabledRiddleProofAgentAdapter,
   readRiddleProofRunStatus,
   runRiddleProofEngineHarness
-} from "./chunk-ZLBOGPUL.js";
+} from "./chunk-IV4DVWPR.js";
 import {
   RIDDLE_PROOF_RUN_STATE_VERSION,
   appendRunEvent,

package/dist/{proof-run-engine-DpChFR5H.d.cts → proof-run-engine-Baiv6l3A.d.cts}

@@ -292,7 +292,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     blocking?: boolean;
     details?: Record<string, unknown>;
     ok: boolean;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship" | "run";
     state_path: string;
     stage: any;
     summary: string;
@@ -382,7 +382,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     continueWithStage?: WorkflowStage | null;
     blocking?: boolean;
     details?: Record<string, unknown>;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship" | "run";
     state_path: string;
     stage: any;
     checkpoint: string;
@@ -659,7 +659,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     error?: undefined;
 } | {
     ok: boolean;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship";
     state_path: string;
     stage: any;
     summary: string;

package/dist/{proof-run-engine-BqRoA3Do.d.ts → proof-run-engine-MiKZt9oY.d.ts}

@@ -292,7 +292,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     blocking?: boolean;
     details?: Record<string, unknown>;
     ok: boolean;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship" | "run";
     state_path: string;
     stage: any;
     summary: string;
@@ -382,7 +382,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     continueWithStage?: WorkflowStage | null;
     blocking?: boolean;
     details?: Record<string, unknown>;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup" | "run";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship" | "run";
     state_path: string;
     stage: any;
     checkpoint: string;
@@ -659,7 +659,7 @@ declare function executeWorkflow(params: WorkflowParams, pluginConfig: any, reso
     error?: undefined;
 } | {
     ok: boolean;
-    action: "author" | "recon" | "ship" | "implement" | "verify" | "setup";
+    action: "setup" | "recon" | "author" | "implement" | "verify" | "ship";
     state_path: string;
     stage: any;
     summary: string;

package/dist/proof-run-engine.d.cts

@@ -1,2 +1,2 @@
 import './proof-run-core-7Dqm7RKM.cjs';
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-DpChFR5H.cjs';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-Baiv6l3A.cjs';

package/dist/proof-run-engine.d.ts

@@ -1,2 +1,2 @@
 import './proof-run-core-7Dqm7RKM.js';
-export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-BqRoA3Do.js';
+export { R as RiddleProofEngine, c as createRiddleProofEngine, e as executeWorkflow } from './proof-run-engine-MiKZt9oY.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@riddledc/riddle-proof",
-  "version": "0.8.53",
+  "version": "0.8.54",
   "description": "Reusable Riddle Proof contracts and helpers for evidence-backed agent changes.",
   "license": "MIT",
   "author": "RiddleDC",