@sanity/ailf 7.2.3 → 7.3.0

package/config/airbyte/ai_literacy_framework.connector.yaml

@@ -104,6 +104,11 @@ definitions:
                 "host_platform": provenance.host.platform,
                 "host_arch": provenance.host.arch,
                 "host_ci": provenance.host.ci,
+                "validity_status": validity.status,
+                "validity_method": validity.method,
+                "validity_ruleset_version": validity.rulesetVersion,
+                "validity_assessed_at": validity.assessedAt,
+                "validity_reasons": validity.reasons,
                 _createdAt
               }
         record_selector:
@@ -724,6 +729,39 @@ schemas:
           - string
           - "null"
         description: CI provider when running under one (e.g., github-actions).
+      # ----------------------------------------------------------------
+      # D0059 — report validity (data-health axis, orthogonal to intent)
+      # ----------------------------------------------------------------
+      validity_status:
+        type:
+          - string
+          - "null"
+        description:
+          "Data-health verdict (D0059): ok | degraded | incomplete | suspect.
+          NULL for reports predating the validity stamp (treated as trusted)."
+      validity_method:
+        type:
+          - string
+          - "null"
+        description: '"auto" | "manual" — how the validity verdict was reached.'
+      validity_ruleset_version:
+        type:
+          - string
+          - "null"
+        description: Detector ruleset version, so re-assessments are comparable.
+      validity_assessed_at:
+        type:
+          - string
+          - "null"
+        description:
+          ISO 8601 UTC timestamp when the validity verdict was produced.
+      validity_reasons:
+        type:
+          - array
+          - "null"
+        items:
+          type: string
+        description: Which detector rules fired — the audit trail behind status.
       _createdAt:
         type:
           - string

package/config/bigquery/README.md

@@ -22,13 +22,13 @@ BigQuery views (this directory)
 
 ## Files
 
-| File                             | Purpose                                                                                                             |
-| -------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
-| `views/area_scores.sql`          | Flattens nested `model_scores` array into one row per area per model per report                                     |
-| `views/reports.sql`              | Clean passthrough view with correct types and column ordering                                                       |
-| `views/official_runs.sql`        | Canonical trend series (D0037): `classification='official' AND trigger_type='scheduled' AND owner_team='core-docs'` |
-| `views/official_area_scores.sql` | `area_scores` joined to `official_runs` — inherits the official-run predicate for area-level dashboards             |
-| `views/team_runs_template.sql`   | Recipe/template for instantiating per-team filtered views                                                           |
+| File                             | Purpose                                                                                                                                                      |
+| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `views/area_scores.sql`          | Flattens nested `model_scores` array into one row per area per model per report                                                                              |
+| `views/reports.sql`              | Clean passthrough view with correct types and column ordering; also materializes `validity_*` columns and the `include_in_default_trends` trust gate (D0059) |
+| `views/official_runs.sql`        | Canonical trend series (D0037): `classification='official' AND trigger_type='scheduled' AND owner_team='core-docs'`                                          |
+| `views/official_area_scores.sql` | `area_scores` joined to `official_runs` — inherits the official-run predicate for area-level dashboards                                                      |
+| `views/team_runs_template.sql`   | Recipe/template for instantiating per-team filtered views                                                                                                    |
 
 ## Setup
 
@@ -88,6 +88,38 @@ bq --project_id=data-platform-302218 --location=EU query --use_legacy_sql=false
 > run `bq query` from this repo regularly, consider setting the default with
 > `gcloud config set project data-platform-302218`.
 
+## Querying default (trustworthy) reports
+
+`ailf.reports` exposes every synced report, including development runs and
+structurally incomplete ones. BI dashboards and ad-hoc analysis should gate on
+the **`include_in_default_trends`** boolean, which materializes the single
+trustworthiness predicate (D0059) shared with the dashboard and Studio — so all
+three surfaces show the same default population:
+
+```sql
+SELECT *
+FROM   `data-platform-302218.ailf.reports`
+WHERE  include_in_default_trends = TRUE;
+```
+
+`include_in_default_trends` is the SQL form of the `includeInDefaultTrends`
+predicate (`INCLUDE_IN_DEFAULT_TRENDS_SQL` in `@sanity/ailf-shared`):
+
+```text
+(validity_status IS NULL OR validity_status = 'ok')
+  AND (classification IS NULL OR classification NOT IN ('test', 'experimental'))
+```
+
+To audit the _excluded_ (untrusted) reports — the inverse population, useful for
+the Tier-2 review pass — flip the predicate to `= FALSE`. The `validity_status`
+/ `validity_reasons` columns explain why each was excluded.
+
+> The `official_runs` view (above) is a **stricter** canonical-series gate
+> (`classification='official' AND trigger_type='scheduled' AND owner_team='core-docs'`);
+> `include_in_default_trends` is the **broader** "trustworthy enough to show by
+> default" gate. Use `official_runs` for the tracked trend line,
+> `include_in_default_trends` for general default views.
+
 ## Naming conventions
 
 - **`ailf_raw.*`** — raw Airbyte-loaded tables (nested JSON, Airbyte metadata

package/config/bigquery/views/reports.sql

@@ -64,6 +64,12 @@ SELECT
   host_platform,
   host_arch,
   host_ci,
+  validity_status,
+  validity_method,
+  validity_ruleset_version,
+  TIMESTAMP(validity_assessed_at)                 AS validity_assessed_at,
+  validity_reasons,
+  (validity_status IS NULL OR validity_status = 'ok') AND (classification IS NULL OR classification NOT IN ('test', 'experimental')) AS include_in_default_trends,
   TIMESTAMP(_createdAt)                           AS synced_at
 FROM
   `data-platform-302218.ailf_raw.reports`;

package/dist/_vendor/ailf-core/schemas/report.d.ts

@@ -139,6 +139,21 @@ export declare const ReportProvenanceSchema: z.ZodObject<{
     runId: z.ZodString;
     targetDocuments: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.core.$strict>;
+export declare const ReportValiditySchema: z.ZodObject<{
+    status: z.ZodEnum<{
+        ok: "ok";
+        degraded: "degraded";
+        incomplete: "incomplete";
+        suspect: "suspect";
+    }>;
+    reasons: z.ZodArray<z.ZodString>;
+    method: z.ZodEnum<{
+        auto: "auto";
+        manual: "manual";
+    }>;
+    rulesetVersion: z.ZodString;
+    assessedAt: z.ZodISODateTime;
+}, z.core.$strict>;
 export declare const ReportSchema: z.ZodObject<{
     id: z.ZodString;
     completedAt: z.ZodISODateTime;
@@ -269,6 +284,21 @@ export declare const ReportSchema: z.ZodObject<{
         }>>;
         detail: z.ZodString;
     }, z.core.$strict>>;
+    validity: z.ZodOptional<z.ZodObject<{
+        status: z.ZodEnum<{
+            ok: "ok";
+            degraded: "degraded";
+            incomplete: "incomplete";
+            suspect: "suspect";
+        }>;
+        reasons: z.ZodArray<z.ZodString>;
+        method: z.ZodEnum<{
+            auto: "auto";
+            manual: "manual";
+        }>;
+        rulesetVersion: z.ZodString;
+        assessedAt: z.ZodISODateTime;
+    }, z.core.$strict>>;
 }, z.core.$loose>;
 export type ReportSchemaInput = z.input<typeof ReportSchema>;
 export type ReportSchemaOutput = z.infer<typeof ReportSchema>;

package/dist/_vendor/ailf-core/schemas/report.js

@@ -25,7 +25,7 @@
  */
 import { z } from "zod";
 import { LITERACY_VARIANTS } from "../../ailf-shared/index.js";
-import { DEGRADED_ENRICHMENT_FIELDS } from "../types/index.js";
+import { DEGRADED_ENRICHMENT_FIELDS, REPORT_VALIDITY_STATUSES, } from "../types/index.js";
 // ---------------------------------------------------------------------------
 // RunContext building blocks (mirrors packages/shared/src/run-context.ts)
 // ---------------------------------------------------------------------------
@@ -217,6 +217,21 @@ export const ReportProvenanceSchema = z
 // (ScoreSummary, FeatureScore, the W0051 slim types) are out of Scope A.
 // ---------------------------------------------------------------------------
 const RecordPassthroughSchema = z.record(z.string(), z.unknown());
+// ---------------------------------------------------------------------------
+// ReportValidity — top-level data-health axis (D0059), orthogonal to
+// `provenance.classification`. `satisfies z.ZodType<ReportValidity>` (D0045):
+// the domain type is authored independently in ../types/report-validity.ts,
+// so schema/type drift is a build error. Strict — unknown keys signal drift.
+// ---------------------------------------------------------------------------
+export const ReportValiditySchema = z
+    .object({
+    status: z.enum(REPORT_VALIDITY_STATUSES),
+    reasons: z.array(z.string()),
+    method: z.enum(["auto", "manual"]),
+    rulesetVersion: z.string().min(1),
+    assessedAt: z.iso.datetime({ offset: true }),
+})
+    .strict();
 export const ReportSchema = z
     .object({
     id: z.string().min(1),
@@ -236,7 +251,8 @@ export const ReportSchema = z
     title: z.string().nullable().optional(),
     // Degraded marker (mirrors `ReportDegradation`): present only when a full
     // eval scored tests but enrichment did not complete. Strict — unknown
-    // keys here signal real drift.
+    // keys here signal real drift. Superseded by `validity` (D0059); retained
+    // for back-compat reads until the backfill migrates it.
     degraded: z
         .object({
         reason: z.literal("enrichment-missing"),
@@ -247,5 +263,8 @@ export const ReportSchema = z
     })
         .strict()
         .optional(),
+    // Data-health axis (D0059). Additive + nullable: pre-stamp reads have no
+    // `validity` and are treated as trustworthy until backfilled.
+    validity: ReportValiditySchema.optional(),
 })
     .passthrough();

package/dist/_vendor/ailf-core/services/index.d.ts

@@ -13,6 +13,7 @@ export { aggregateAreas, aggregateDimensions, computeEnsembleScore, computeTaskS
 export { extractModelName, extractProvider, mergeConfig, modelMatchesMode, resolveModelVariants, } from "./config-helpers.js";
 export { buildSlimReportSummary } from "./slim-report-summary.js";
 export { reportToMarkdown, type RenderableReport, } from "./report-to-markdown.js";
+export { assessReportValidity, REPORT_VALIDITY_RULESET_VERSION, type AssessReportValidityOptions, type ReportValidityAssessment, type ReportValidityInput, type ReportValidityReviewFlag, type ReportValidityReviewReason, } from "./report-validity-detector.js";
 export { createDiagnosisRunner, diagnosisVersion, type CardGenerator, type CardRegistry, type DiagnosisRunner, type DiagnosisRunnerDeps, type DiagnosisRunnerRunArgs, type GeneratorContext, } from "./diagnosis-runner.js";
 export { cardRegistry, type CardDefinition } from "./diagnosis/registry.js";
 export { createLLMClient, type LLMClientAdapters, type LLMClientFactoryConfig, type LLMClientKeys, } from "./llm-client-factory.js";

package/dist/_vendor/ailf-core/services/index.js

@@ -14,6 +14,10 @@ export { extractModelName, extractProvider, mergeConfig, modelMatchesMode, resol
 export { buildSlimReportSummary } from "./slim-report-summary.js";
 export { reportToMarkdown, } from "./report-to-markdown.js";
 // ---------------------------------------------------------------------------
+// Report-validity detector (D0059) — pure, versioned trustworthiness engine
+// ---------------------------------------------------------------------------
+export { assessReportValidity, REPORT_VALIDITY_RULESET_VERSION, } from "./report-validity-detector.js";
+// ---------------------------------------------------------------------------
 // Actionability ladder Phase 1 + Phase 5 — diagnosis runner + card registry
 // ---------------------------------------------------------------------------
 export { createDiagnosisRunner, diagnosisVersion, } from "./diagnosis-runner.js";

package/dist/_vendor/ailf-core/services/report-validity-detector.d.ts

@@ -0,0 +1,116 @@
+/**
+ * @sanity/ailf-core — Report-validity detector (D0059)
+ *
+ * The detection brain for the report trustworthiness model. A pure, versioned,
+ * I/O-free rules engine that computes both trustworthiness axes for a report —
+ * intent (`classification`, D0037) and data health (`validity`) — with a
+ * confidence tier so it never mislabels ambiguous data.
+ *
+ * Reused unchanged by the eval write path (`W-stamp-validity-write-path`,
+ * stamps every new report) and the one-shot backfill
+ * (`W-backfill-report-validity`, labels the historical store).
+ *
+ * **Confidence tiers (D0059 §2):**
+ *
+ *   - **Tier 1 — auto.** High-confidence, unambiguous rules. Intent:
+ *     `scheduled + github-actions → official`; `testing-ground` team /
+ *     `env-override` source / generated-id executor → `test`/`experimental`;
+ *     de-drift `ad-hoc → adhoc`. Validity: `degraded → "degraded"`.
+ *   - **Tier 2 — review list.** Anything resting on shape-sensitive content
+ *     signals (empty `testResults`, `testCount` mismatch) is *emitted to a
+ *     review list rather than guessed* — 34%/66% of the historical store hits
+ *     these and is dominated by report-shape evolution (GCS-externalized
+ *     per-test data, per-model granularity), NOT defects. The engine never
+ *     auto-flags them invalid; a human confirms in batch and the verdict is
+ *     written `method:"manual"`.
+ *
+ * A `method:"manual"` verdict is authoritative — re-running the detector never
+ * overwrites it.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { type RunClassification, type RunExecutor, type RunOwner, type RunTrigger } from "../../ailf-shared/index.d.ts";
+import type { ReportDegradation, ReportValidity } from "../types/index.js";
+/**
+ * Detector ruleset version. Bump on any rule or threshold recalibration so a
+ * later re-assessment is a comparable, auditable re-run (D0059 §2). Stamped
+ * onto every `validity` verdict the engine produces.
+ */
+export declare const REPORT_VALIDITY_RULESET_VERSION = "1.0.0";
+/**
+ * The minimal report projection the detector reads.
+ *
+ * Authored as a raw-tolerant *consumer view* (not `Pick<Report, …>`) on
+ * purpose: the engine runs at the raw-document boundary during the backfill,
+ * where legacy drift like `ad-hoc` still exists and `provenance.classification`
+ * is therefore typed `string`, not `RunClassification`. A fully-typed `Report`
+ * is structurally assignable to this shape, so the write path can pass one
+ * directly. Only the seven fields the rules actually consult appear here.
+ */
+export interface ReportValidityInput {
+    provenance: {
+        /** Raw classification — may carry legacy drift (`ad-hoc`); normalized here. */
+        classification?: string;
+        trigger: RunTrigger;
+        executor: RunExecutor;
+        owner: RunOwner;
+        source: {
+            name: string;
+        };
+    };
+    summary: {
+        /** Per-feature scores; only `testCount` is read (summed across features). */
+        scores?: ReadonlyArray<{
+            testCount?: number;
+        }>;
+        /** Per-test×model results; only the length is read. */
+        testResults?: ReadonlyArray<unknown>;
+        /** Low-scoring grader judgments; only the length is read. */
+        lowScoringJudgments?: ReadonlyArray<unknown>;
+    };
+    /** Legacy degradation marker (D0059 subsumes it into `validity.status`). */
+    degraded?: ReportDegradation;
+    /** Existing verdict — a `method:"manual"` value is preserved on re-run. */
+    validity?: ReportValidity;
+}
+/**
+ * Why a report was routed to Tier-2 human review instead of being
+ * auto-decided. Each corresponds to a shape-sensitive signal the engine
+ * deliberately refuses to interpret automatically (D0059 §caveat).
+ */
+export type ReportValidityReviewReason = "empty-test-results" | "test-count-mismatch";
+/** A single Tier-2 review-list entry. */
+export interface ReportValidityReviewFlag {
+    reason: ReportValidityReviewReason;
+    /** Human-readable explanation for the batch-review UI / backfill report. */
+    detail: string;
+}
+/**
+ * The detector's verdict for one report.
+ *
+ * `classification` is **optional**: present only when the engine has a
+ * positive opinion (a Tier-1 intent rule fired, or de-drift changed the
+ * value). It is `undefined` when the existing classification is already
+ * canonical and no rule applies — so callers patch idempotently and a re-run
+ * never clobbers an already-correct or human-corrected value.
+ */
+export interface ReportValidityAssessment {
+    classification?: RunClassification;
+    validity: ReportValidity;
+    reviewFlags: ReportValidityReviewFlag[];
+}
+export interface AssessReportValidityOptions {
+    /**
+     * ISO 8601 UTC timestamp stamped onto the verdict's `assessedAt`. Injected
+     * by the caller so the engine stays pure and deterministic (no clock read).
+     */
+    assessedAt: string;
+}
+/**
+ * Assess a report's trustworthiness — its intent (`classification`) and data
+ * health (`validity`) — plus any Tier-2 signals that need human review.
+ *
+ * Pure and deterministic: same input + `assessedAt` → identical output.
+ */
+export declare function assessReportValidity(report: ReportValidityInput, options: AssessReportValidityOptions): ReportValidityAssessment;

package/dist/_vendor/ailf-core/services/report-validity-detector.js

@@ -0,0 +1,128 @@
+/**
+ * @sanity/ailf-core — Report-validity detector (D0059)
+ *
+ * The detection brain for the report trustworthiness model. A pure, versioned,
+ * I/O-free rules engine that computes both trustworthiness axes for a report —
+ * intent (`classification`, D0037) and data health (`validity`) — with a
+ * confidence tier so it never mislabels ambiguous data.
+ *
+ * Reused unchanged by the eval write path (`W-stamp-validity-write-path`,
+ * stamps every new report) and the one-shot backfill
+ * (`W-backfill-report-validity`, labels the historical store).
+ *
+ * **Confidence tiers (D0059 §2):**
+ *
+ *   - **Tier 1 — auto.** High-confidence, unambiguous rules. Intent:
+ *     `scheduled + github-actions → official`; `testing-ground` team /
+ *     `env-override` source / generated-id executor → `test`/`experimental`;
+ *     de-drift `ad-hoc → adhoc`. Validity: `degraded → "degraded"`.
+ *   - **Tier 2 — review list.** Anything resting on shape-sensitive content
+ *     signals (empty `testResults`, `testCount` mismatch) is *emitted to a
+ *     review list rather than guessed* — 34%/66% of the historical store hits
+ *     these and is dominated by report-shape evolution (GCS-externalized
+ *     per-test data, per-model granularity), NOT defects. The engine never
+ *     auto-flags them invalid; a human confirms in batch and the verdict is
+ *     written `method:"manual"`.
+ *
+ * A `method:"manual"` verdict is authoritative — re-running the detector never
+ * overwrites it.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { isKnownExecutorIdentity, looksLikeGeneratedExecutorId, normalizeOwnerTeam, normalizeRunClassification, } from "../../ailf-shared/index.js";
+/**
+ * Detector ruleset version. Bump on any rule or threshold recalibration so a
+ * later re-assessment is a comparable, auditable re-run (D0059 §2). Stamped
+ * onto every `validity` verdict the engine produces.
+ */
+export const REPORT_VALIDITY_RULESET_VERSION = "1.0.0";
+/**
+ * Tier-1 intent detection. Returns a `RunClassification` only when the engine
+ * has a positive opinion; `undefined` means "leave the existing value".
+ */
+function detectIntent(provenance) {
+    const { classification, executor, owner, source, trigger } = provenance;
+    // Highest-confidence positive: a scheduled run executed by GitHub Actions is
+    // the canonical official series.
+    if (trigger.type === "scheduled" &&
+        executor.type === "system" &&
+        executor.name === "github-actions") {
+        return "official";
+    }
+    // Explicit non-canonical contexts.
+    if (normalizeOwnerTeam(owner.team) === "testing-ground")
+        return "test";
+    if (source.name === "env-override")
+        return "experimental";
+    if (executor.type === "user" &&
+        !isKnownExecutorIdentity(executor.name) &&
+        looksLikeGeneratedExecutorId(executor.name)) {
+        return "experimental";
+    }
+    // No rule fired — de-drift the existing value, returning it only when it
+    // actually changes.
+    const normalized = normalizeRunClassification(classification);
+    return normalized === classification ? undefined : normalized;
+}
+/**
+ * Tier-2 review flags. Surfaces shape-sensitive signals for human batch-review
+ * — it never decides validity itself. Skipped entirely for already-`degraded`
+ * reports, where missing/empty test data is already explained.
+ */
+function collectReviewFlags(summary) {
+    const flags = [];
+    const testResultCount = summary.testResults?.length ?? 0;
+    const summedTestCount = (summary.scores ?? []).reduce((total, score) => total + (score.testCount ?? 0), 0);
+    if (summedTestCount > 0 && testResultCount === 0) {
+        flags.push({
+            reason: "empty-test-results",
+            detail: `${summedTestCount} scored tests but testResults is empty — may be GCS-externalized (W0329) rather than a defect; needs human review.`,
+        });
+    }
+    else if (testResultCount > 0 &&
+        summedTestCount > 0 &&
+        testResultCount !== summedTestCount) {
+        flags.push({
+            reason: "test-count-mismatch",
+            detail: `testResults length (${testResultCount}) ≠ summed testCount (${summedTestCount}) — per-model/sampling granularity difference, not necessarily a defect.`,
+        });
+    }
+    return flags;
+}
+/**
+ * Assess a report's trustworthiness — its intent (`classification`) and data
+ * health (`validity`) — plus any Tier-2 signals that need human review.
+ *
+ * Pure and deterministic: same input + `assessedAt` → identical output.
+ */
+export function assessReportValidity(report, options) {
+    const classification = detectIntent(report.provenance);
+    // A human verdict is authoritative — never overwrite a manual data-health
+    // assessment on a re-run. Intent normalization is still surfaced: it is
+    // idempotent and orthogonal to the data-health review.
+    if (report.validity?.method === "manual") {
+        return { classification, validity: report.validity, reviewFlags: [] };
+    }
+    // Tier-1 validity: the only auto-assigned non-`ok` status is `degraded`
+    // (subsumes the legacy flag). `incomplete`/`suspect` rest on the shape
+    // caveat and require human review — they are written `method:"manual"`.
+    const reasons = [];
+    let status = "ok";
+    if (report.degraded) {
+        status = "degraded";
+        reasons.push(`degraded:${report.degraded.reason}`);
+    }
+    const validity = {
+        status,
+        reasons,
+        method: "auto",
+        rulesetVersion: REPORT_VALIDITY_RULESET_VERSION,
+        assessedAt: options.assessedAt,
+    };
+    return {
+        classification,
+        validity,
+        reviewFlags: status === "degraded" ? [] : collectReviewFlags(report.summary),
+    };
+}

package/dist/_vendor/ailf-core/types/index.d.ts

@@ -14,6 +14,7 @@ import type { ArtifactType } from "../artifact-registry.js";
 import type { SymbolPreflightReport } from "./symbol-preflight-report.js";
 import type { AssociationValues, RunId } from "./branded-ids.js";
 import type { GraderJudgment } from "./grader-judgment.js";
+import type { ReportValidity } from "./report-validity.js";
 export type { ActualScoreEntry, ComponentResult, TestResult, UrlMetadata, } from "./scoring-input.js";
 export type { DocumentRef, RunContext, RunTrigger } from "../../ailf-shared/index.d.ts";
 export type { StoredBaseline, StoredReport, StoredRun, StoredTaskResult, StoredTrace, SchemaVersioned, } from "./storage-schema.js";
@@ -43,6 +44,7 @@ export type { CriterionSubJudgment, DocCitation, DocCitationRole, GraderEmittedJ
 export type { LegacyGraderJudgment } from "./legacy-grader-judgment.js";
 export type { BaseChannel, ChannelScope, EmailChannel, EventType, KnownEventType, KnownMemberRole, MemberRole, NotificationChannel, NotificationChannelType, SlackChannel, Team, TeamId, TeamMember, TeamRef, TeamSlug, TeamStatus, WebhookChannel, } from "./team.js";
 export type { AilfUser, AilfUserPreferences, TeamReference } from "./user.js";
+export { isReportValidityStatus, REPORT_VALIDITY_STATUSES, type ReportValidity, type ReportValidityMethod, type ReportValidityStatus, } from "./report-validity.js";
 type DocumentRef = _DocumentRef;
 /** Aggregated retrieval metrics for a feature area */
 export interface AreaRetrievalMetrics {
@@ -1503,6 +1505,12 @@ export type DegradedEnrichmentField = (typeof DEGRADED_ENRICHMENT_FIELDS)[number
  * because `grader-judgments.json` was missing). Present so the dashboard and
  * Studio can show "enrichment failed" rather than a misleading empty
  * "no tests" state on a report that still has a score.
+ *
+ * @deprecated Superseded by {@link ReportValidity} (D0059). The data-health
+ * axis subsumes this flag: a degraded report is `validity.status:"degraded"`.
+ * Retained for back-compat reads; the backfill migrates `degraded:true →
+ * validity.status:"degraded"` (`W-backfill-report-validity`). Do not set it on
+ * new reports — stamp `validity` instead.
  */
 export interface ReportDegradation {
     /** Why the report is degraded. Single-variant union, widen as needed. */
@@ -1517,8 +1525,19 @@ export interface Report {
     /**
      * Set when the report is published in a degraded state — a full eval
      * scored tests but enrichment did not complete. Absent on healthy reports.
+     *
+     * @deprecated Superseded by {@link Report.validity} (D0059). New write paths
+     * stamp `validity` (with `status:"degraded"` in this case) instead.
      */
     degraded?: ReportDegradation;
+    /**
+     * Post-hoc data-health assessment (D0059) — orthogonal to
+     * `provenance.classification` (run intent). Top-level because it judges the
+     * report's *data*, not the run. Additive + nullable: absent on pre-stamp
+     * reports, which are treated as trustworthy until backfilled. Subsumes the
+     * legacy {@link Report.degraded} flag.
+     */
+    validity?: ReportValidity;
     /**
      * Snapshot of the run manifest's `artifacts` slice at publish time (D0032).
      * The source of truth lives in `gs://…/runs/{runId}/manifest.json`; this

package/dist/_vendor/ailf-core/types/index.js

@@ -19,6 +19,7 @@ export { evalModeType } from "./eval-mode-config.js";
 export { DEFAULT_PREFLIGHT_CODE_CORRECTNESS_WEIGHT, } from "./preflight-scoring.js";
 export { CONVENTIONAL_DERIVATIONS, isConfidence } from "./confidence.js";
 export { err, fixtureId, generateJudgmentId, generateRunId, judgmentId, ok, providerId, resultId, runId, suiteId, taskId, traceId, } from "./branded-ids.js";
+export { isReportValidityStatus, REPORT_VALIDITY_STATUSES, } from "./report-validity.js";
 /** Set of canonical legacy modes — exported for report-formatter use. */
 export const LEGACY_FAILURE_MODES = [
     "api-error",

package/dist/_vendor/ailf-core/types/report-validity.d.ts

@@ -0,0 +1,60 @@
+/**
+ * @sanity/ailf-core — Report validity (data-health axis)
+ *
+ * `ReportValidity` is the post-hoc data-health assessment of a published
+ * report, orthogonal to `provenance.classification` (run intent, D0037).
+ * It is a top-level sibling of the legacy `ReportDegradation` flag, which it
+ * subsumes (`degraded:true → validity.status:"degraded"`).
+ *
+ * Authored independently of the Zod schema so the schema can assert
+ * `satisfies z.ZodType<ReportValidity>` and turn drift into a build error
+ * (D0045). Populated by the confidence-tiered detector
+ * (`W-report-validity-detector`) and the eval write path
+ * (`W-stamp-validity-write-path`); gated everywhere by the shared
+ * `includeInDefaultTrends` predicate (`W-trustworthiness-predicate`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+/**
+ * The validity-status vocabulary. Single `as const` tuple so the runtime Zod
+ * `z.enum(...)` and the `ReportValidityStatus` type derive from one source —
+ * the same drift-proofing the `DEGRADED_ENRICHMENT_FIELDS` tuple uses.
+ *
+ *  - `ok`         — trustworthy; included in default trends.
+ *  - `degraded`   — enrichment/grading failed (subsumes the legacy `degraded`
+ *                   flag).
+ *  - `incomplete` — expected grains genuinely missing, after the report-shape
+ *                   caveat is accounted for (see design doc).
+ *  - `suspect`    — passed structural checks but flagged for review (anomaly or
+ *                   ambiguous heuristic).
+ */
+export declare const REPORT_VALIDITY_STATUSES: readonly ["ok", "degraded", "incomplete", "suspect"];
+export type ReportValidityStatus = (typeof REPORT_VALIDITY_STATUSES)[number];
+/**
+ * How the validity verdict was reached. A `"manual"` verdict is authoritative
+ * — re-running the detector never overwrites it (the detector emits a re-run
+ * only over `"auto"` verdicts).
+ */
+export type ReportValidityMethod = "auto" | "manual";
+/**
+ * Post-hoc data-health assessment of a published report.
+ *
+ * Top-level on the `Report` (a judgment about the report's *data*), NOT under
+ * `provenance` (which records run *intent*). Additive and nullable: pre-stamp
+ * reads have no `validity` and are treated as trustworthy until backfilled.
+ */
+export interface ReportValidity {
+    /** Data-health verdict. */
+    status: ReportValidityStatus;
+    /** Which detector rules fired — the audit trail behind `status`. */
+    reasons: string[];
+    /** Whether an automated rule or a human produced this verdict. */
+    method: ReportValidityMethod;
+    /** Detector ruleset version, so re-assessments are comparable. */
+    rulesetVersion: string;
+    /** When the verdict was produced (ISO 8601 UTC). */
+    assessedAt: string;
+}
+/** Type guard for {@link ReportValidityStatus}. */
+export declare function isReportValidityStatus(value: unknown): value is ReportValidityStatus;

package/dist/_vendor/ailf-core/types/report-validity.js

@@ -0,0 +1,42 @@
+/**
+ * @sanity/ailf-core — Report validity (data-health axis)
+ *
+ * `ReportValidity` is the post-hoc data-health assessment of a published
+ * report, orthogonal to `provenance.classification` (run intent, D0037).
+ * It is a top-level sibling of the legacy `ReportDegradation` flag, which it
+ * subsumes (`degraded:true → validity.status:"degraded"`).
+ *
+ * Authored independently of the Zod schema so the schema can assert
+ * `satisfies z.ZodType<ReportValidity>` and turn drift into a build error
+ * (D0045). Populated by the confidence-tiered detector
+ * (`W-report-validity-detector`) and the eval write path
+ * (`W-stamp-validity-write-path`); gated everywhere by the shared
+ * `includeInDefaultTrends` predicate (`W-trustworthiness-predicate`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+/**
+ * The validity-status vocabulary. Single `as const` tuple so the runtime Zod
+ * `z.enum(...)` and the `ReportValidityStatus` type derive from one source —
+ * the same drift-proofing the `DEGRADED_ENRICHMENT_FIELDS` tuple uses.
+ *
+ *  - `ok`         — trustworthy; included in default trends.
+ *  - `degraded`   — enrichment/grading failed (subsumes the legacy `degraded`
+ *                   flag).
+ *  - `incomplete` — expected grains genuinely missing, after the report-shape
+ *                   caveat is accounted for (see design doc).
+ *  - `suspect`    — passed structural checks but flagged for review (anomaly or
+ *                   ambiguous heuristic).
+ */
+export const REPORT_VALIDITY_STATUSES = [
+    "ok",
+    "degraded",
+    "incomplete",
+    "suspect",
+];
+/** Type guard for {@link ReportValidityStatus}. */
+export function isReportValidityStatus(value) {
+    return (typeof value === "string" &&
+        REPORT_VALIDITY_STATUSES.includes(value));
+}

package/dist/_vendor/ailf-shared/generated/help-content.js

@@ -78,11 +78,12 @@ export const HELP_TOPICS = [
     },
     {
         "id": "reading-score-trends",
-        "title": "Reading Score Trends",
-        "body": "## What the timeline shows\n\nThe Score Timeline view plots your AI Literacy Score over time. Each point is an\nevaluation run — a snapshot of how well your docs support AI agents at that\nmoment.\n\n## What to look for\n\n**Upward trends** after doc changes confirm that your improvements are working.\nIf you rewrote a GROQ guide and the GROQ area score climbs in the next run,\nthat's direct evidence of impact.\n\n**Sudden drops** usually mean something changed: a doc was deleted, an API\nchanged without a doc update, or a new task was added that exposes a gap.\n\n**Flat lines** mean stability — neither improving nor regressing. This is fine\nfor mature areas but concerning for areas you're actively working on.\n\n## Meaningful change vs. noise\n\nSmall fluctuations (±2–3 points) between runs are normal — they come from LLM\nnon-determinism and grader variance. Focus on changes of **5+ points** sustained\nacross multiple runs. The comparison view applies a noise threshold to help\ndistinguish real changes from statistical noise.\n\n## Filtering the timeline\n\nUse the filters to focus on specific evaluation modes (baseline vs. full),\nspecific doc sources (production vs. branch), or specific feature areas.\nComparing the same area across modes reveals whether a problem is in the docs\nthemselves (baseline score) or in how agents find them (agentic score).",
+        "title": "Reading the Analytics View",
+        "body": "## What this view answers\n\nThe Analytics view is built around one question: **did your doc changes move the\nscore, and why?** Rather than open on a chart and leave you to find the story,\nit leads with the answer — a plain-language verdict and the areas that moved\nmost — then lets you drill down into the evidence.\n\n## The control bar\n\nThe top row picks what you're looking at:\n\n- **Metric** — which number to track (composite score, doc lift, retrieval gap,\n  and so on).\n- **Break down by** — how to split it (feature area, team, model, source).\n- **Bucket** — how to group runs over time (per run, per day).\n- **Range** — how far back to look (for example, the last 30 days).\n\nThe second row holds the active **filter chips** — use _Add filter_ to scope to\na team, source, or mode — and a scope hint (reports in scope vs. total). Every\nknob and filter is saved in the URL, so a shared link reproduces exactly what\nyou see. Use **Copy link** to grab it.\n\n## Overall — the read\n\nThe **verdict strip** is the headline. In plain language it says whether docs\nare pulling ahead or slipping, and shows the headline metric with its change (Δ)\nsince the start of the range, a model → agent → docs decomposition bar, and a\ncoverage cell (how many reports and high-confidence groups are in scope).\n\n## Movers\n\nThe **movers board** leads with the top **Improved** and **Regressed** areas as\ncards — not the average. Each card shows the area, its value and Δ, a\ndecomposition bar, the release that most likely caused the move, and a\nconfidence read. A low-confidence **watch** callout flags big swings backed by\ntoo few runs: watch them, don't celebrate them yet.\n\nClick a mover card to reveal and decompose that series in the evidence chart.\n\n## The evidence\n\nThe **focus chart** has two modes:\n\n- **Compare** plots the selected series over time. It defaults to a focused set\n  (the movers plus the highest-volume areas) with a _show all_ expansion, and\n  draws release markers inline.\n- **Decompose** shows the ceiling / floor / actual band for a single series,\n  with causal story cards anchored to each release marker (for example, _\"Docs\n  +3 ~5 −1 → doc-lift +8 measured around this release\"_).\n\nDecompose is offered for the composite metric broken down by feature area — the\ncase where the model → agent → docs story is meaningful.\n\n## The breakdown table\n\nOne row per area (or per whatever you broke down by), each with an inline\ndecomposition bar, a sparkline, confidence, Δ, \"docs add,\" and a report count.\nSort any column, and click a row to cross-highlight it in the chart. Export the\ntable to CSV.\n\n## Meaningful change vs. noise\n\nSmall movements between runs are normal — they come from model non-determinism\nand grader variance. This view leans on **confidence** (how many runs back a\nnumber) and the **movers ranking** rather than a single ±point threshold: trust\na sustained move in a high-confidence area over a large swing in a\nlow-confidence one. The low-confidence watch exists precisely to stop you\nover-reading thin data.\n\n## Measured, not invented\n\nThe causal story is computed from real data, never fabricated. Release markers\ncome from the doc-change counts already recorded in each report, and the\n\"measured around this release\" doc-lift effect is derived from the real ceiling\n− floor series around the marker. Per-area prose (\"the editor API changed\") is\nintentionally not shown — the data carries change counts, not hand-written\nexplanations.",
         "source": "docs/help/reading-score-trends.md",
         "related": [
             "scoring-model",
+            "doc-lift",
             "comparing-runs"
         ]
     },

package/dist/_vendor/ailf-shared/index.d.ts

@@ -31,6 +31,7 @@ export { GRADE_BOUNDARIES, scoreGrade, type ScoreGrade, } from "./score-grades.j
 export { NOISE_THRESHOLD } from "./noise-threshold.js";
 export { CANONICAL_EVAL_MODES, isLiteracyVariant, LEGACY_EVAL_MODE_ALIASES, LITERACY_VARIANTS, RAW_EVAL_MODES, type EvalMode, type LiteracyVariant, type RawEvalMode, } from "./eval-modes.js";
 export { isKnownOwnerTeam, KNOWN_OWNER_TEAMS, normalizeOwnerTeam, resolveTeamRef, type SlugLike, } from "./owner-teams.js";
-export { isRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, type RunClassification, type RunExecutor, type RunExecutorSurface, type RunExecutorSystem, type RunExecutorUser, type RunHost, type RunLineage, type RunOwner, type RunTool, } from "./run-classification.js";
+export { canonicalizeExecutorIdentity, isKnownExecutorIdentity, isRunClassification, looksLikeGeneratedExecutorId, normalizeRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, type RunClassification, type RunExecutor, type RunExecutorSurface, type RunExecutorSystem, type RunExecutorUser, type RunHost, type RunLineage, type RunOwner, type RunTool, } from "./run-classification.js";
 export { type RunTrigger } from "./run-trigger.js";
 export { type RunContext } from "./run-context.js";
+export { includeInDefaultTrends, INCLUDE_IN_DEFAULT_TRENDS_GROQ, INCLUDE_IN_DEFAULT_TRENDS_SQL, type TrustGateReport, } from "./trustworthiness.js";

package/dist/_vendor/ailf-shared/index.js

@@ -30,4 +30,5 @@ export { GRADE_BOUNDARIES, scoreGrade, } from "./score-grades.js";
 export { NOISE_THRESHOLD } from "./noise-threshold.js";
 export { CANONICAL_EVAL_MODES, isLiteracyVariant, LEGACY_EVAL_MODE_ALIASES, LITERACY_VARIANTS, RAW_EVAL_MODES, } from "./eval-modes.js";
 export { isKnownOwnerTeam, KNOWN_OWNER_TEAMS, normalizeOwnerTeam, resolveTeamRef, } from "./owner-teams.js";
-export { isRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, } from "./run-classification.js";
+export { canonicalizeExecutorIdentity, isKnownExecutorIdentity, isRunClassification, looksLikeGeneratedExecutorId, normalizeRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, } from "./run-classification.js";
+export { includeInDefaultTrends, INCLUDE_IN_DEFAULT_TRENDS_GROQ, INCLUDE_IN_DEFAULT_TRENDS_SQL, } from "./trustworthiness.js";

package/dist/_vendor/ailf-shared/run-classification.d.ts

@@ -19,6 +19,59 @@
 export type RunClassification = "official" | "adhoc" | "experimental" | "test" | "external";
 export declare const RUN_CLASSIFICATIONS: readonly RunClassification[];
 export declare function isRunClassification(value: unknown): value is RunClassification;
+/**
+ * Normalize a free-form classification value to a canonical
+ * {@link RunClassification}.
+ *
+ * - Trims and lowercases.
+ * - Maps the legacy `ad-hoc` spelling onto canonical `adhoc`.
+ * - Defaults empty / unknown input to `adhoc` — D0037's documented
+ *   default bucket, biased away from the canonical `official` series.
+ *
+ * Pure and deterministic — reused by the detector (`W-report-validity-detector`)
+ * and the backfill (`W-backfill-report-validity`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export declare function normalizeRunClassification(value: string | undefined | null): RunClassification;
+/**
+ * Collapse a free-form executor name onto its canonical identity slug.
+ *
+ * - Trims and lowercases.
+ * - Maps known spellings (above) to one identity.
+ * - Passes unknown names through (trimmed + lowercased).
+ * - Returns `undefined` for empty / nullish input.
+ *
+ * Pure and deterministic — used by the validity detector
+ * (`W-report-validity-detector`) to recognize a known human before the
+ * generated-id heuristic runs, and by the backfill to de-drift
+ * `provenance.executor.name`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export declare function canonicalizeExecutorIdentity(name: string | undefined | null): string | undefined;
+/** Whether an executor name collapses to a recognized human identity. */
+export declare function isKnownExecutorIdentity(name: string | undefined | null): boolean;
+/**
+ * Heuristic: does an executor name look like a *generated* handle/id rather
+ * than a human name? (D0059 §Context flagged ids like `gDVzuuHam`,
+ * `gL78msEDh` in the report store.)
+ *
+ * Deterministic and deliberately conservative — it judges *shape* only:
+ * a single token (no whitespace) of length 7–12, alphanumeric, mixing
+ * upper- and lower-case, and either containing a digit or showing ≥4
+ * upper/lower transitions. The transition floor is calibrated against the
+ * observed sample so two-word PascalCase names ("JohnSmith" — 3
+ * transitions) are NOT flagged; the generated ids (≥4 transitions or a
+ * digit) are. Known identities are excluded by the caller
+ * ({@link isKnownExecutorIdentity}) before this runs, so collapsed
+ * spellings like `GabeStah` never reach it as a positive.
+ *
+ * False positives are tolerable: the detector only uses this to propose an
+ * `experimental` classification, which is reversible (label-and-exclude,
+ * never delete) and surfaced for human review during the backfill.
+ */
+export declare function looksLikeGeneratedExecutorId(name: string | undefined | null): boolean;
 /**
  * Attribution — which team and (optionally) individual the run *belongs to*.
  *

package/dist/_vendor/ailf-shared/run-classification.js

@@ -21,6 +21,117 @@ export function isRunClassification(value) {
     return (typeof value === "string" &&
         RUN_CLASSIFICATIONS.includes(value));
 }
+/**
+ * Lowercase legacy spelling → canonical classification. The `RunClassification`
+ * type has long been canonical `adhoc`, but historical report data carries the
+ * hyphenated `ad-hoc` spelling (D0059 §Context). Only observed drift belongs
+ * here.
+ */
+const RUN_CLASSIFICATION_ALIASES = {
+    "ad-hoc": "adhoc",
+};
+/**
+ * Normalize a free-form classification value to a canonical
+ * {@link RunClassification}.
+ *
+ * - Trims and lowercases.
+ * - Maps the legacy `ad-hoc` spelling onto canonical `adhoc`.
+ * - Defaults empty / unknown input to `adhoc` — D0037's documented
+ *   default bucket, biased away from the canonical `official` series.
+ *
+ * Pure and deterministic — reused by the detector (`W-report-validity-detector`)
+ * and the backfill (`W-backfill-report-validity`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export function normalizeRunClassification(value) {
+    if (!value)
+        return "adhoc";
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return "adhoc";
+    const canonical = RUN_CLASSIFICATION_ALIASES[trimmed] ?? trimmed;
+    return isRunClassification(canonical) ? canonical : "adhoc";
+}
+/**
+ * Lowercased executor-name spelling → canonical identity slug. One human
+ * appears under several spellings in the historical report store
+ * (D0059 §Context: `Gabe Wyatt` / `GabeStah` / `gabewyatt`); collapsing
+ * them lets attribution and `classification` queries treat them as one
+ * person. Only observed drift belongs here — unknown names pass through.
+ */
+const EXECUTOR_IDENTITY_ALIASES = {
+    "gabe wyatt": "gabe-wyatt",
+    gabestah: "gabe-wyatt",
+    gabewyatt: "gabe-wyatt",
+};
+/**
+ * Collapse a free-form executor name onto its canonical identity slug.
+ *
+ * - Trims and lowercases.
+ * - Maps known spellings (above) to one identity.
+ * - Passes unknown names through (trimmed + lowercased).
+ * - Returns `undefined` for empty / nullish input.
+ *
+ * Pure and deterministic — used by the validity detector
+ * (`W-report-validity-detector`) to recognize a known human before the
+ * generated-id heuristic runs, and by the backfill to de-drift
+ * `provenance.executor.name`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export function canonicalizeExecutorIdentity(name) {
+    if (!name)
+        return undefined;
+    const trimmed = name.trim().toLowerCase();
+    if (!trimmed)
+        return undefined;
+    return EXECUTOR_IDENTITY_ALIASES[trimmed] ?? trimmed;
+}
+/** Whether an executor name collapses to a recognized human identity. */
+export function isKnownExecutorIdentity(name) {
+    if (!name)
+        return false;
+    return name.trim().toLowerCase() in EXECUTOR_IDENTITY_ALIASES;
+}
+/**
+ * Heuristic: does an executor name look like a *generated* handle/id rather
+ * than a human name? (D0059 §Context flagged ids like `gDVzuuHam`,
+ * `gL78msEDh` in the report store.)
+ *
+ * Deterministic and deliberately conservative — it judges *shape* only:
+ * a single token (no whitespace) of length 7–12, alphanumeric, mixing
+ * upper- and lower-case, and either containing a digit or showing ≥4
+ * upper/lower transitions. The transition floor is calibrated against the
+ * observed sample so two-word PascalCase names ("JohnSmith" — 3
+ * transitions) are NOT flagged; the generated ids (≥4 transitions or a
+ * digit) are. Known identities are excluded by the caller
+ * ({@link isKnownExecutorIdentity}) before this runs, so collapsed
+ * spellings like `GabeStah` never reach it as a positive.
+ *
+ * False positives are tolerable: the detector only uses this to propose an
+ * `experimental` classification, which is reversible (label-and-exclude,
+ * never delete) and surfaced for human review during the backfill.
+ */
+export function looksLikeGeneratedExecutorId(name) {
+    if (!name)
+        return false;
+    const token = name.trim();
+    if (token.length < 7 || token.length > 12)
+        return false;
+    if (!/^[A-Za-z0-9]+$/.test(token))
+        return false;
+    if (!/[A-Z]/.test(token) || !/[a-z]/.test(token))
+        return false;
+    if (/[0-9]/.test(token))
+        return true;
+    let transitions = 0;
+    for (let i = 1; i < token.length; i++) {
+        if (/[A-Z]/.test(token[i - 1]) !== /[A-Z]/.test(token[i]))
+            transitions++;
+    }
+    return transitions >= 4;
+}
 export const RUN_EXECUTOR_SURFACES = [
     "cli",
     "studio",

package/dist/_vendor/ailf-shared/trustworthiness.d.ts

@@ -0,0 +1,97 @@
+/**
+ * trustworthiness.ts — The single trust gate for reports (D0059).
+ *
+ * `includeInDefaultTrends` is the one definition of "show this report by
+ * default." Every surface (dashboard analytics, Studio presets, the BigQuery
+ * `reports.sql` view) references this predicate so the gate cannot drift
+ * between consumers.
+ *
+ * Two orthogonal axes decide inclusion:
+ *
+ *  - **Validity (data health, D0059)** — the *primary* gate. A report is
+ *    included only when its `validity.status` is `ok` OR validity is absent
+ *    (pre-stamp reads are trusted until backfilled — the rollout is additive
+ *    and nullable). Any non-`ok` status (`degraded` / `incomplete` /
+ *    `suspect`) excludes the report regardless of intent.
+ *  - **Intent (run classification, D0037)** — a *secondary* exclusion. The
+ *    explicit `test` and `experimental` classifications are dropped;
+ *    `adhoc` / `official` / `external` (and a missing classification) are kept.
+ *    `adhoc` is intentionally included — it holds real production one-offs;
+ *    the validity gate, not the intent gate, removes the bad ones inside it.
+ *
+ * We model a slim subset of the core `Report` shape (the two read axes) rather
+ * than importing `Report` / `ReportValidity` from `@sanity/ailf-core`: this
+ * package is the dependency-graph leaf and imports nothing from core. A full
+ * core `Report` is structurally assignable to {@link TrustGateReport}.
+ *
+ * The predicate is total — it never throws — and is kept trivially
+ * translatable to the two query-language forms it is materialized as on the
+ * other surfaces (`W-studio-bigquery-validity`): the GROQ filter behind the
+ * Studio "Trustworthy" preset ({@link INCLUDE_IN_DEFAULT_TRENDS_GROQ}) and the
+ * SQL boolean in the BigQuery `reports.sql` view
+ * ({@link INCLUDE_IN_DEFAULT_TRENDS_SQL}). Those constants live here, beside the
+ * function, so the one gate cannot drift between consumers; a cross-check test
+ * asserts all three forms agree across the full truth table.
+ *
+ * Note the SQL form is NULL-safe on *both* axes: a bare
+ * `classification NOT IN ('test','experimental')` would evaluate to `NULL`
+ * (not `TRUE`) for an unclassified row under SQL three-valued logic, silently
+ * excluding pre-taxonomy reports the TS predicate keeps — hence the explicit
+ * `classification IS NULL OR …`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md — §Decision/3
+ */
+import type { RunClassification } from "./run-classification.js";
+/**
+ * Slim subset of a core `Report` — only the two axes the trust gate reads.
+ *
+ * `validity.status` is typed as a bare `string` (not core's
+ * `ReportValidityStatus`) so this leaf package imports nothing from
+ * `@sanity/ailf-core`; the predicate only distinguishes `"ok"` from
+ * everything else. `validity` absent/`null` ⇒ pre-stamp read ⇒ trusted.
+ */
+export interface TrustGateReport {
+    /** Data-health axis (D0059), top-level on the report. */
+    validity?: {
+        status: string;
+    } | null;
+    /** Run-intent axis (D0037), under provenance. */
+    provenance?: {
+        classification?: RunClassification | null;
+    } | null;
+}
+/**
+ * Whether a report should appear in default trend views.
+ *
+ * Validity is the primary gate; intent is a secondary exclusion. See the
+ * module header for the full rationale and the equivalent SQL.
+ *
+ * @returns `true` when the report is trustworthy enough to show by default.
+ */
+export declare function includeInDefaultTrends(report: TrustGateReport): boolean;
+/**
+ * GROQ form of {@link includeInDefaultTrends}, as a boolean expression over an
+ * `ailf.report` document. Drop it into a Studio structure filter with the
+ * document-type guard, e.g.
+ * `` `_type == "ailf.report" && ${INCLUDE_IN_DEFAULT_TRENDS_GROQ}` ``.
+ *
+ * GROQ's `in` returns `false` (not `null`) for an absent left operand, so an
+ * unclassified report passes the intent clause without an explicit
+ * `defined(...)` guard — matching the TS predicate's "missing ⇒ kept" rule.
+ * `defined(validity.status)` makes the absent-validity case trusted.
+ */
+export declare const INCLUDE_IN_DEFAULT_TRENDS_GROQ = "(!defined(validity.status) || validity.status == \"ok\") && !(provenance.classification in [\"test\", \"experimental\"])";
+/**
+ * SQL form of {@link includeInDefaultTrends}, as a boolean expression over the
+ * flattened `ailf.reports` BigQuery row (columns `validity_status`,
+ * `classification`). Materialized verbatim as the `include_in_default_trends`
+ * column in `packages/eval/config/bigquery/views/reports.sql`; an eval test
+ * asserts the view embeds this exact string.
+ *
+ * Both axes are NULL-safe so the column matches the TS predicate row-for-row:
+ * `classification NOT IN (...)` alone is `NULL` for an unclassified row under
+ * SQL three-valued logic, which a `WHERE`/boolean context treats as `FALSE` —
+ * silently dropping pre-taxonomy reports the TS predicate keeps.
+ */
+export declare const INCLUDE_IN_DEFAULT_TRENDS_SQL = "(validity_status IS NULL OR validity_status = 'ok') AND (classification IS NULL OR classification NOT IN ('test', 'experimental'))";

package/dist/_vendor/ailf-shared/trustworthiness.js

@@ -0,0 +1,86 @@
+/**
+ * trustworthiness.ts — The single trust gate for reports (D0059).
+ *
+ * `includeInDefaultTrends` is the one definition of "show this report by
+ * default." Every surface (dashboard analytics, Studio presets, the BigQuery
+ * `reports.sql` view) references this predicate so the gate cannot drift
+ * between consumers.
+ *
+ * Two orthogonal axes decide inclusion:
+ *
+ *  - **Validity (data health, D0059)** — the *primary* gate. A report is
+ *    included only when its `validity.status` is `ok` OR validity is absent
+ *    (pre-stamp reads are trusted until backfilled — the rollout is additive
+ *    and nullable). Any non-`ok` status (`degraded` / `incomplete` /
+ *    `suspect`) excludes the report regardless of intent.
+ *  - **Intent (run classification, D0037)** — a *secondary* exclusion. The
+ *    explicit `test` and `experimental` classifications are dropped;
+ *    `adhoc` / `official` / `external` (and a missing classification) are kept.
+ *    `adhoc` is intentionally included — it holds real production one-offs;
+ *    the validity gate, not the intent gate, removes the bad ones inside it.
+ *
+ * We model a slim subset of the core `Report` shape (the two read axes) rather
+ * than importing `Report` / `ReportValidity` from `@sanity/ailf-core`: this
+ * package is the dependency-graph leaf and imports nothing from core. A full
+ * core `Report` is structurally assignable to {@link TrustGateReport}.
+ *
+ * The predicate is total — it never throws — and is kept trivially
+ * translatable to the two query-language forms it is materialized as on the
+ * other surfaces (`W-studio-bigquery-validity`): the GROQ filter behind the
+ * Studio "Trustworthy" preset ({@link INCLUDE_IN_DEFAULT_TRENDS_GROQ}) and the
+ * SQL boolean in the BigQuery `reports.sql` view
+ * ({@link INCLUDE_IN_DEFAULT_TRENDS_SQL}). Those constants live here, beside the
+ * function, so the one gate cannot drift between consumers; a cross-check test
+ * asserts all three forms agree across the full truth table.
+ *
+ * Note the SQL form is NULL-safe on *both* axes: a bare
+ * `classification NOT IN ('test','experimental')` would evaluate to `NULL`
+ * (not `TRUE`) for an unclassified row under SQL three-valued logic, silently
+ * excluding pre-taxonomy reports the TS predicate keeps — hence the explicit
+ * `classification IS NULL OR …`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md — §Decision/3
+ */
+/**
+ * Whether a report should appear in default trend views.
+ *
+ * Validity is the primary gate; intent is a secondary exclusion. See the
+ * module header for the full rationale and the equivalent SQL.
+ *
+ * @returns `true` when the report is trustworthy enough to show by default.
+ */
+export function includeInDefaultTrends(report) {
+    const status = report.validity?.status;
+    // Primary gate: trustworthy when explicitly `ok` or not yet assessed.
+    const validityOk = status == null || status === "ok";
+    const classification = report.provenance?.classification;
+    // Secondary exclusion: drop explicit test/experimental intent only.
+    const intentIncluded = classification !== "test" && classification !== "experimental";
+    return validityOk && intentIncluded;
+}
+/**
+ * GROQ form of {@link includeInDefaultTrends}, as a boolean expression over an
+ * `ailf.report` document. Drop it into a Studio structure filter with the
+ * document-type guard, e.g.
+ * `` `_type == "ailf.report" && ${INCLUDE_IN_DEFAULT_TRENDS_GROQ}` ``.
+ *
+ * GROQ's `in` returns `false` (not `null`) for an absent left operand, so an
+ * unclassified report passes the intent clause without an explicit
+ * `defined(...)` guard — matching the TS predicate's "missing ⇒ kept" rule.
+ * `defined(validity.status)` makes the absent-validity case trusted.
+ */
+export const INCLUDE_IN_DEFAULT_TRENDS_GROQ = '(!defined(validity.status) || validity.status == "ok") && !(provenance.classification in ["test", "experimental"])';
+/**
+ * SQL form of {@link includeInDefaultTrends}, as a boolean expression over the
+ * flattened `ailf.reports` BigQuery row (columns `validity_status`,
+ * `classification`). Materialized verbatim as the `include_in_default_trends`
+ * column in `packages/eval/config/bigquery/views/reports.sql`; an eval test
+ * asserts the view embeds this exact string.
+ *
+ * Both axes are NULL-safe so the column matches the TS predicate row-for-row:
+ * `classification NOT IN (...)` alone is `NULL` for an unclassified row under
+ * SQL three-valued logic, which a `WHERE`/boolean context treats as `FALSE` —
+ * silently dropping pre-taxonomy reports the TS predicate keeps.
+ */
+export const INCLUDE_IN_DEFAULT_TRENDS_SQL = "(validity_status IS NULL OR validity_status = 'ok') AND (classification IS NULL OR classification NOT IN ('test', 'experimental'))";

package/dist/adapters/task-sources/repo-schemas.d.ts

@@ -1564,8 +1564,8 @@ export declare const RepoConfigSchema: z.ZodObject<{
     summary: z.ZodOptional<z.ZodObject<{
         onRun: z.ZodOptional<z.ZodEnum<{
             never: "never";
-            always: "always";
             auto: "auto";
+            always: "always";
         }>>;
     }, z.core.$strip>>;
     taskSource: z.ZodOptional<z.ZodObject<{

package/dist/commands/publish.js

@@ -27,6 +27,7 @@ import { addOutputDirOption } from "./shared/options.js";
 import { getCallerCwd, resolveOutputDir } from "./shared/resolve-output-dir.js";
 import { buildProvenance, } from "../pipeline/provenance.js";
 import { generateReportTitle } from "../pipeline/report-title.js";
+import { stampReportValidity } from "../pipeline/report-validity.js";
 import { buildSlimReportSummary } from "../_vendor/ailf-core/index.js";
 import { generateReportId, } from "../report-store.js";
 import { withRetry } from "../sinks/retry.js";
@@ -214,8 +215,14 @@ async function runPublishCommand(summaryPath, outputDir, opts) {
     // -----------------------------------------------------------------------
     // 5. Write to Sanity (system of record)
     // -----------------------------------------------------------------------
+    // Stamp the data-health validity axis + normalize classification (D0059)
+    // — the same server-computed forward guarantee the pipeline write path
+    // applies, so reports published via this command carry validity too.
+    const stampedReport = stampReportValidity(report, now);
     console.log("  Writing to Sanity Content Lake...");
-    const sanityResult = store ? await store.write(report) : null;
+    const sanityResult = store
+        ? await store.write(stampedReport)
+        : null;
     if (sanityResult) {
         console.log(`  ✅ Report written: ${sanityResult}`);
     }
@@ -237,7 +244,7 @@ async function runPublishCommand(summaryPath, outputDir, opts) {
         console.log();
         console.log(`  Delivering to ${sinks.length} sink(s)...`);
         const settled = await Promise.allSettled(sinks.map(async (sink) => {
-            const result = await withRetry(() => sink.publish(report));
+            const result = await withRetry(() => sink.publish(stampedReport));
             return { name: sink.name, result };
         }));
         for (const outcome of settled) {

package/dist/orchestration/steps/publish-report-step.js

@@ -16,6 +16,7 @@ import { assoc, buildSlimReportSummary, } from "../../_vendor/ailf-core/index.js
 import { checkScoreSummaryValid } from "../../pipeline/checks.js";
 import { buildProvenance, } from "../../pipeline/provenance.js";
 import { generateReportTitle } from "../../pipeline/report-title.js";
+import { stampReportValidity } from "../../pipeline/report-validity.js";
 import { generateReportId } from "../../report-store.js";
 import { withRetry } from "../../sinks/retry.js";
 export class PublishReportStep {
@@ -145,21 +146,28 @@ export class PublishReportStep {
                 testResults: slimSummary.testResults.map(slimTestResult),
             };
         }
+        // Stamp the data-health `validity` axis (D0059) and normalize
+        // `provenance.classification` on the report now that it is fully assembled
+        // (degradation + slim summary settled). The verdict is server-computed
+        // from the report's own data — never the caller envelope (D0037) — and
+        // assessed at the report's completion time. From here on, the stamped
+        // report is what reaches the snapshot artifact, the store, and the sinks.
+        const stampedReport = stampReportValidity(report, now);
         // Share reportId with downstream steps (CallbackStep + orchestrator job update)
         state.reportId = reportId;
         // W0050 — migrated from ctx.collector.capture to the unified writer.
         // reportSnapshot: full Report JSON for replay (run-scoped, bulk).
-        await ctx.artifactWriter.emit("reportSnapshot", assoc(ctx), report);
+        await ctx.artifactWriter.emit("reportSnapshot", assoc(ctx), stampedReport);
         // autoComparison: delta vs baseline (run-scoped, bulk, optional).
         if (comparison) {
             await ctx.artifactWriter.emit("autoComparison", assoc(ctx), comparison);
         }
         // Write to store (system of record — best-effort, P5)
         const sanityResult = ctx.reportStore
-            ? await ctx.reportStore.write(report)
+            ? await ctx.reportStore.write(stampedReport)
             : null;
         // Run sinks (fire-and-forget, P6)
-        const publishResult = await runSinks(report, ctx);
+        const publishResult = await runSinks(stampedReport, ctx);
         // sinkResults: per-sink outcome (run-scoped, per-entry keyed by sink name).
         for (const r of publishResult.sinkResults) {
             await ctx.artifactWriter.emit("sinkResults", assoc(ctx, { name: r.name }), {

package/dist/pipeline/report-validity.d.ts

@@ -0,0 +1,32 @@
+/**
+ * stampReportValidity — apply the report-trustworthiness detector at write time.
+ *
+ * The eval write path's forward guarantee (D0059): every newly written report
+ * carries a top-level `validity` data-health stamp so the trustworthiness gap
+ * cannot recur on new reports. Lives in `pipeline/` (not the orchestration
+ * step) so both report-write paths — `PublishReportStep` and the standalone
+ * `publish` command — import it without a command→orchestration-step coupling.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { type Report } from "../_vendor/ailf-core/index.d.ts";
+/**
+ * Stamp the data-health `validity` axis (D0059) onto a report and normalize
+ * its `provenance.classification` to the canonical spelling.
+ *
+ * Runs the pure detector (`assessReportValidity`) over the assembled report.
+ * `Report` structurally satisfies the detector's `ReportValidityInput`
+ * (`provenance` extends `RunContext`; `summary` is a `ReportSummary`), so no
+ * adapter is needed. The verdict is **server-computed from the report's own
+ * data** (D0037): `assessedAt` is injected by the caller (the report's
+ * completion time) and nothing is read from the caller envelope.
+ *
+ * `classification` is patched only when the detector returns one — it returns
+ * `undefined` when the existing value is already canonical and no Tier-1 rule
+ * fired, so the patch is idempotent and never clobbers a correct (or
+ * human-corrected) value. Tier-2 review flags are not persisted here; the
+ * one-shot backfill consumes them. Returns a new report; the input is not
+ * mutated.
+ */
+export declare function stampReportValidity(report: Report, assessedAt: string): Report;

package/dist/pipeline/report-validity.js

@@ -0,0 +1,43 @@
+/**
+ * stampReportValidity — apply the report-trustworthiness detector at write time.
+ *
+ * The eval write path's forward guarantee (D0059): every newly written report
+ * carries a top-level `validity` data-health stamp so the trustworthiness gap
+ * cannot recur on new reports. Lives in `pipeline/` (not the orchestration
+ * step) so both report-write paths — `PublishReportStep` and the standalone
+ * `publish` command — import it without a command→orchestration-step coupling.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { assessReportValidity } from "../_vendor/ailf-core/index.js";
+/**
+ * Stamp the data-health `validity` axis (D0059) onto a report and normalize
+ * its `provenance.classification` to the canonical spelling.
+ *
+ * Runs the pure detector (`assessReportValidity`) over the assembled report.
+ * `Report` structurally satisfies the detector's `ReportValidityInput`
+ * (`provenance` extends `RunContext`; `summary` is a `ReportSummary`), so no
+ * adapter is needed. The verdict is **server-computed from the report's own
+ * data** (D0037): `assessedAt` is injected by the caller (the report's
+ * completion time) and nothing is read from the caller envelope.
+ *
+ * `classification` is patched only when the detector returns one — it returns
+ * `undefined` when the existing value is already canonical and no Tier-1 rule
+ * fired, so the patch is idempotent and never clobbers a correct (or
+ * human-corrected) value. Tier-2 review flags are not persisted here; the
+ * one-shot backfill consumes them. Returns a new report; the input is not
+ * mutated.
+ */
+export function stampReportValidity(report, assessedAt) {
+    const { classification, validity } = assessReportValidity(report, {
+        assessedAt,
+    });
+    return {
+        ...report,
+        provenance: classification
+            ? { ...report.provenance, classification }
+            : report.provenance,
+        validity,
+    };
+}

package/dist/report-store.d.ts

@@ -225,6 +225,7 @@ export interface SanityReportDoc {
     };
     tag: null | string;
     title: null | string;
+    validity?: Report["validity"];
 }
 export declare function toSanityReportDoc(report: Report): SanityReportDoc;
 /**

package/dist/report-store.js

@@ -491,6 +491,7 @@ export function toSanityReportDoc(report) {
         },
         tag: report.tag ?? null,
         title: report.title ?? null,
+        ...(report.validity ? { validity: report.validity } : {}),
     };
 }
 /**
@@ -534,6 +535,7 @@ export function toReport(doc) {
         summary: doc.summary,
         tag: doc.tag,
         title: doc.title,
+        validity: doc.validity,
     };
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/ailf",
-  "version": "7.2.3",
+  "version": "7.3.0",
   "private": false,
   "publishConfig": {
     "access": "public"