@sanity/ailf 7.2.3 → 7.3.1

package/dist/_vendor/ailf-shared/generated/help-content.js

@@ -78,11 +78,12 @@ export const HELP_TOPICS = [
     },
     {
         "id": "reading-score-trends",
-        "title": "Reading Score Trends",
-        "body": "## What the timeline shows\n\nThe Score Timeline view plots your AI Literacy Score over time. Each point is an\nevaluation run — a snapshot of how well your docs support AI agents at that\nmoment.\n\n## What to look for\n\n**Upward trends** after doc changes confirm that your improvements are working.\nIf you rewrote a GROQ guide and the GROQ area score climbs in the next run,\nthat's direct evidence of impact.\n\n**Sudden drops** usually mean something changed: a doc was deleted, an API\nchanged without a doc update, or a new task was added that exposes a gap.\n\n**Flat lines** mean stability — neither improving nor regressing. This is fine\nfor mature areas but concerning for areas you're actively working on.\n\n## Meaningful change vs. noise\n\nSmall fluctuations (±2–3 points) between runs are normal — they come from LLM\nnon-determinism and grader variance. Focus on changes of **5+ points** sustained\nacross multiple runs. The comparison view applies a noise threshold to help\ndistinguish real changes from statistical noise.\n\n## Filtering the timeline\n\nUse the filters to focus on specific evaluation modes (baseline vs. full),\nspecific doc sources (production vs. branch), or specific feature areas.\nComparing the same area across modes reveals whether a problem is in the docs\nthemselves (baseline score) or in how agents find them (agentic score).",
+        "title": "Reading the Analytics View",
+        "body": "## What this view answers\n\nThe Analytics view is built around one question: **did your doc changes move the\nscore, and why?** Rather than open on a chart and leave you to find the story,\nit leads with the answer — a plain-language verdict and the areas that moved\nmost — then lets you drill down into the evidence.\n\n## The control bar\n\nThe top row picks what you're looking at:\n\n- **Metric** — which number to track (composite score, doc lift, retrieval gap,\n  and so on).\n- **Break down by** — how to split it (feature area, team, model, source).\n- **Bucket** — how to group runs over time (per run, per day).\n- **Range** — how far back to look (for example, the last 30 days).\n\nThe second row holds the active **filter chips** — use _Add filter_ to scope to\na team, source, or mode — and a scope hint (reports in scope vs. total). Every\nknob and filter is saved in the URL, so a shared link reproduces exactly what\nyou see. Use **Copy link** to grab it.\n\n## Overall — the read\n\nThe **verdict strip** is the headline. In plain language it says whether docs\nare pulling ahead or slipping, and shows the headline metric with its change (Δ)\nsince the start of the range, a model → agent → docs decomposition bar, and a\ncoverage cell (how many reports and high-confidence groups are in scope).\n\n## Movers\n\nThe **movers board** leads with the top **Improved** and **Regressed** areas as\ncards — not the average. Each card shows the area, its value and Δ, a\ndecomposition bar, the release that most likely caused the move, and a\nconfidence read. A low-confidence **watch** callout flags big swings backed by\ntoo few runs: watch them, don't celebrate them yet.\n\nClick a mover card to reveal and decompose that series in the evidence chart.\n\n## The evidence\n\nThe **focus chart** has two modes:\n\n- **Compare** plots the selected series over time. It defaults to a focused set\n  (the movers plus the highest-volume areas) with a _show all_ expansion, and\n  draws release markers inline.\n- **Decompose** shows the ceiling / floor / actual band for a single series,\n  with causal story cards anchored to each release marker (for example, _\"Docs\n  +3 ~5 −1 → doc-lift +8 measured around this release\"_).\n\nDecompose is offered for the composite metric broken down by feature area — the\ncase where the model → agent → docs story is meaningful.\n\n## The breakdown table\n\nOne row per area (or per whatever you broke down by), each with an inline\ndecomposition bar, a sparkline, confidence, Δ, \"docs add,\" and a report count.\nSort any column, and click a row to cross-highlight it in the chart. Export the\ntable to CSV.\n\n## Meaningful change vs. noise\n\nSmall movements between runs are normal — they come from model non-determinism\nand grader variance. This view leans on **confidence** (how many runs back a\nnumber) and the **movers ranking** rather than a single ±point threshold: trust\na sustained move in a high-confidence area over a large swing in a\nlow-confidence one. The low-confidence watch exists precisely to stop you\nover-reading thin data.\n\n## Measured, not invented\n\nThe causal story is computed from real data, never fabricated. Release markers\ncome from the doc-change counts already recorded in each report, and the\n\"measured around this release\" doc-lift effect is derived from the real ceiling\n− floor series around the marker. Per-area prose (\"the editor API changed\") is\nintentionally not shown — the data carries change counts, not hand-written\nexplanations.",
         "source": "docs/help/reading-score-trends.md",
         "related": [
             "scoring-model",
+            "doc-lift",
             "comparing-runs"
         ]
     },

package/dist/_vendor/ailf-shared/index.d.ts

@@ -31,6 +31,7 @@ export { GRADE_BOUNDARIES, scoreGrade, type ScoreGrade, } from "./score-grades.j
 export { NOISE_THRESHOLD } from "./noise-threshold.js";
 export { CANONICAL_EVAL_MODES, isLiteracyVariant, LEGACY_EVAL_MODE_ALIASES, LITERACY_VARIANTS, RAW_EVAL_MODES, type EvalMode, type LiteracyVariant, type RawEvalMode, } from "./eval-modes.js";
 export { isKnownOwnerTeam, KNOWN_OWNER_TEAMS, normalizeOwnerTeam, resolveTeamRef, type SlugLike, } from "./owner-teams.js";
-export { isRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, type RunClassification, type RunExecutor, type RunExecutorSurface, type RunExecutorSystem, type RunExecutorUser, type RunHost, type RunLineage, type RunOwner, type RunTool, } from "./run-classification.js";
+export { canonicalizeExecutorIdentity, isKnownExecutorIdentity, isRunClassification, looksLikeGeneratedExecutorId, normalizeRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, type RunClassification, type RunExecutor, type RunExecutorSurface, type RunExecutorSystem, type RunExecutorUser, type RunHost, type RunLineage, type RunOwner, type RunTool, } from "./run-classification.js";
 export { type RunTrigger } from "./run-trigger.js";
 export { type RunContext } from "./run-context.js";
+export { includeInDefaultTrends, INCLUDE_IN_DEFAULT_TRENDS_GROQ, INCLUDE_IN_DEFAULT_TRENDS_SQL, type TrustGateReport, } from "./trustworthiness.js";

package/dist/_vendor/ailf-shared/index.js

@@ -30,4 +30,5 @@ export { GRADE_BOUNDARIES, scoreGrade, } from "./score-grades.js";
 export { NOISE_THRESHOLD } from "./noise-threshold.js";
 export { CANONICAL_EVAL_MODES, isLiteracyVariant, LEGACY_EVAL_MODE_ALIASES, LITERACY_VARIANTS, RAW_EVAL_MODES, } from "./eval-modes.js";
 export { isKnownOwnerTeam, KNOWN_OWNER_TEAMS, normalizeOwnerTeam, resolveTeamRef, } from "./owner-teams.js";
-export { isRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, } from "./run-classification.js";
+export { canonicalizeExecutorIdentity, isKnownExecutorIdentity, isRunClassification, looksLikeGeneratedExecutorId, normalizeRunClassification, RUN_CLASSIFICATIONS, RUN_EXECUTOR_SURFACES, } from "./run-classification.js";
+export { includeInDefaultTrends, INCLUDE_IN_DEFAULT_TRENDS_GROQ, INCLUDE_IN_DEFAULT_TRENDS_SQL, } from "./trustworthiness.js";

package/dist/_vendor/ailf-shared/run-classification.d.ts

@@ -19,6 +19,59 @@
 export type RunClassification = "official" | "adhoc" | "experimental" | "test" | "external";
 export declare const RUN_CLASSIFICATIONS: readonly RunClassification[];
 export declare function isRunClassification(value: unknown): value is RunClassification;
+/**
+ * Normalize a free-form classification value to a canonical
+ * {@link RunClassification}.
+ *
+ * - Trims and lowercases.
+ * - Maps the legacy `ad-hoc` spelling onto canonical `adhoc`.
+ * - Defaults empty / unknown input to `adhoc` — D0037's documented
+ *   default bucket, biased away from the canonical `official` series.
+ *
+ * Pure and deterministic — reused by the detector (`W-report-validity-detector`)
+ * and the backfill (`W-backfill-report-validity`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export declare function normalizeRunClassification(value: string | undefined | null): RunClassification;
+/**
+ * Collapse a free-form executor name onto its canonical identity slug.
+ *
+ * - Trims and lowercases.
+ * - Maps known spellings (above) to one identity.
+ * - Passes unknown names through (trimmed + lowercased).
+ * - Returns `undefined` for empty / nullish input.
+ *
+ * Pure and deterministic — used by the validity detector
+ * (`W-report-validity-detector`) to recognize a known human before the
+ * generated-id heuristic runs, and by the backfill to de-drift
+ * `provenance.executor.name`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export declare function canonicalizeExecutorIdentity(name: string | undefined | null): string | undefined;
+/** Whether an executor name collapses to a recognized human identity. */
+export declare function isKnownExecutorIdentity(name: string | undefined | null): boolean;
+/**
+ * Heuristic: does an executor name look like a *generated* handle/id rather
+ * than a human name? (D0059 §Context flagged ids like `gDVzuuHam`,
+ * `gL78msEDh` in the report store.)
+ *
+ * Deterministic and deliberately conservative — it judges *shape* only:
+ * a single token (no whitespace) of length 7–12, alphanumeric, mixing
+ * upper- and lower-case, and either containing a digit or showing ≥4
+ * upper/lower transitions. The transition floor is calibrated against the
+ * observed sample so two-word PascalCase names ("JohnSmith" — 3
+ * transitions) are NOT flagged; the generated ids (≥4 transitions or a
+ * digit) are. Known identities are excluded by the caller
+ * ({@link isKnownExecutorIdentity}) before this runs, so collapsed
+ * spellings like `GabeStah` never reach it as a positive.
+ *
+ * False positives are tolerable: the detector only uses this to propose an
+ * `experimental` classification, which is reversible (label-and-exclude,
+ * never delete) and surfaced for human review during the backfill.
+ */
+export declare function looksLikeGeneratedExecutorId(name: string | undefined | null): boolean;
 /**
  * Attribution — which team and (optionally) individual the run *belongs to*.
  *

package/dist/_vendor/ailf-shared/run-classification.js

@@ -21,6 +21,117 @@ export function isRunClassification(value) {
     return (typeof value === "string" &&
         RUN_CLASSIFICATIONS.includes(value));
 }
+/**
+ * Lowercase legacy spelling → canonical classification. The `RunClassification`
+ * type has long been canonical `adhoc`, but historical report data carries the
+ * hyphenated `ad-hoc` spelling (D0059 §Context). Only observed drift belongs
+ * here.
+ */
+const RUN_CLASSIFICATION_ALIASES = {
+    "ad-hoc": "adhoc",
+};
+/**
+ * Normalize a free-form classification value to a canonical
+ * {@link RunClassification}.
+ *
+ * - Trims and lowercases.
+ * - Maps the legacy `ad-hoc` spelling onto canonical `adhoc`.
+ * - Defaults empty / unknown input to `adhoc` — D0037's documented
+ *   default bucket, biased away from the canonical `official` series.
+ *
+ * Pure and deterministic — reused by the detector (`W-report-validity-detector`)
+ * and the backfill (`W-backfill-report-validity`).
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export function normalizeRunClassification(value) {
+    if (!value)
+        return "adhoc";
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return "adhoc";
+    const canonical = RUN_CLASSIFICATION_ALIASES[trimmed] ?? trimmed;
+    return isRunClassification(canonical) ? canonical : "adhoc";
+}
+/**
+ * Lowercased executor-name spelling → canonical identity slug. One human
+ * appears under several spellings in the historical report store
+ * (D0059 §Context: `Gabe Wyatt` / `GabeStah` / `gabewyatt`); collapsing
+ * them lets attribution and `classification` queries treat them as one
+ * person. Only observed drift belongs here — unknown names pass through.
+ */
+const EXECUTOR_IDENTITY_ALIASES = {
+    "gabe wyatt": "gabe-wyatt",
+    gabestah: "gabe-wyatt",
+    gabewyatt: "gabe-wyatt",
+};
+/**
+ * Collapse a free-form executor name onto its canonical identity slug.
+ *
+ * - Trims and lowercases.
+ * - Maps known spellings (above) to one identity.
+ * - Passes unknown names through (trimmed + lowercased).
+ * - Returns `undefined` for empty / nullish input.
+ *
+ * Pure and deterministic — used by the validity detector
+ * (`W-report-validity-detector`) to recognize a known human before the
+ * generated-id heuristic runs, and by the backfill to de-drift
+ * `provenance.executor.name`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ */
+export function canonicalizeExecutorIdentity(name) {
+    if (!name)
+        return undefined;
+    const trimmed = name.trim().toLowerCase();
+    if (!trimmed)
+        return undefined;
+    return EXECUTOR_IDENTITY_ALIASES[trimmed] ?? trimmed;
+}
+/** Whether an executor name collapses to a recognized human identity. */
+export function isKnownExecutorIdentity(name) {
+    if (!name)
+        return false;
+    return name.trim().toLowerCase() in EXECUTOR_IDENTITY_ALIASES;
+}
+/**
+ * Heuristic: does an executor name look like a *generated* handle/id rather
+ * than a human name? (D0059 §Context flagged ids like `gDVzuuHam`,
+ * `gL78msEDh` in the report store.)
+ *
+ * Deterministic and deliberately conservative — it judges *shape* only:
+ * a single token (no whitespace) of length 7–12, alphanumeric, mixing
+ * upper- and lower-case, and either containing a digit or showing ≥4
+ * upper/lower transitions. The transition floor is calibrated against the
+ * observed sample so two-word PascalCase names ("JohnSmith" — 3
+ * transitions) are NOT flagged; the generated ids (≥4 transitions or a
+ * digit) are. Known identities are excluded by the caller
+ * ({@link isKnownExecutorIdentity}) before this runs, so collapsed
+ * spellings like `GabeStah` never reach it as a positive.
+ *
+ * False positives are tolerable: the detector only uses this to propose an
+ * `experimental` classification, which is reversible (label-and-exclude,
+ * never delete) and surfaced for human review during the backfill.
+ */
+export function looksLikeGeneratedExecutorId(name) {
+    if (!name)
+        return false;
+    const token = name.trim();
+    if (token.length < 7 || token.length > 12)
+        return false;
+    if (!/^[A-Za-z0-9]+$/.test(token))
+        return false;
+    if (!/[A-Z]/.test(token) || !/[a-z]/.test(token))
+        return false;
+    if (/[0-9]/.test(token))
+        return true;
+    let transitions = 0;
+    for (let i = 1; i < token.length; i++) {
+        if (/[A-Z]/.test(token[i - 1]) !== /[A-Z]/.test(token[i]))
+            transitions++;
+    }
+    return transitions >= 4;
+}
 export const RUN_EXECUTOR_SURFACES = [
     "cli",
     "studio",

package/dist/_vendor/ailf-shared/trustworthiness.d.ts

@@ -0,0 +1,97 @@
+/**
+ * trustworthiness.ts — The single trust gate for reports (D0059).
+ *
+ * `includeInDefaultTrends` is the one definition of "show this report by
+ * default." Every surface (dashboard analytics, Studio presets, the BigQuery
+ * `reports.sql` view) references this predicate so the gate cannot drift
+ * between consumers.
+ *
+ * Two orthogonal axes decide inclusion:
+ *
+ *  - **Validity (data health, D0059)** — the *primary* gate. A report is
+ *    included only when its `validity.status` is `ok` OR validity is absent
+ *    (pre-stamp reads are trusted until backfilled — the rollout is additive
+ *    and nullable). Any non-`ok` status (`degraded` / `incomplete` /
+ *    `suspect`) excludes the report regardless of intent.
+ *  - **Intent (run classification, D0037)** — a *secondary* exclusion. The
+ *    explicit `test` and `experimental` classifications are dropped;
+ *    `adhoc` / `official` / `external` (and a missing classification) are kept.
+ *    `adhoc` is intentionally included — it holds real production one-offs;
+ *    the validity gate, not the intent gate, removes the bad ones inside it.
+ *
+ * We model a slim subset of the core `Report` shape (the two read axes) rather
+ * than importing `Report` / `ReportValidity` from `@sanity/ailf-core`: this
+ * package is the dependency-graph leaf and imports nothing from core. A full
+ * core `Report` is structurally assignable to {@link TrustGateReport}.
+ *
+ * The predicate is total — it never throws — and is kept trivially
+ * translatable to the two query-language forms it is materialized as on the
+ * other surfaces (`W-studio-bigquery-validity`): the GROQ filter behind the
+ * Studio "Trustworthy" preset ({@link INCLUDE_IN_DEFAULT_TRENDS_GROQ}) and the
+ * SQL boolean in the BigQuery `reports.sql` view
+ * ({@link INCLUDE_IN_DEFAULT_TRENDS_SQL}). Those constants live here, beside the
+ * function, so the one gate cannot drift between consumers; a cross-check test
+ * asserts all three forms agree across the full truth table.
+ *
+ * Note the SQL form is NULL-safe on *both* axes: a bare
+ * `classification NOT IN ('test','experimental')` would evaluate to `NULL`
+ * (not `TRUE`) for an unclassified row under SQL three-valued logic, silently
+ * excluding pre-taxonomy reports the TS predicate keeps — hence the explicit
+ * `classification IS NULL OR …`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md — §Decision/3
+ */
+import type { RunClassification } from "./run-classification.js";
+/**
+ * Slim subset of a core `Report` — only the two axes the trust gate reads.
+ *
+ * `validity.status` is typed as a bare `string` (not core's
+ * `ReportValidityStatus`) so this leaf package imports nothing from
+ * `@sanity/ailf-core`; the predicate only distinguishes `"ok"` from
+ * everything else. `validity` absent/`null` ⇒ pre-stamp read ⇒ trusted.
+ */
+export interface TrustGateReport {
+    /** Data-health axis (D0059), top-level on the report. */
+    validity?: {
+        status: string;
+    } | null;
+    /** Run-intent axis (D0037), under provenance. */
+    provenance?: {
+        classification?: RunClassification | null;
+    } | null;
+}
+/**
+ * Whether a report should appear in default trend views.
+ *
+ * Validity is the primary gate; intent is a secondary exclusion. See the
+ * module header for the full rationale and the equivalent SQL.
+ *
+ * @returns `true` when the report is trustworthy enough to show by default.
+ */
+export declare function includeInDefaultTrends(report: TrustGateReport): boolean;
+/**
+ * GROQ form of {@link includeInDefaultTrends}, as a boolean expression over an
+ * `ailf.report` document. Drop it into a Studio structure filter with the
+ * document-type guard, e.g.
+ * `` `_type == "ailf.report" && ${INCLUDE_IN_DEFAULT_TRENDS_GROQ}` ``.
+ *
+ * GROQ's `in` returns `false` (not `null`) for an absent left operand, so an
+ * unclassified report passes the intent clause without an explicit
+ * `defined(...)` guard — matching the TS predicate's "missing ⇒ kept" rule.
+ * `defined(validity.status)` makes the absent-validity case trusted.
+ */
+export declare const INCLUDE_IN_DEFAULT_TRENDS_GROQ = "(!defined(validity.status) || validity.status == \"ok\") && !(provenance.classification in [\"test\", \"experimental\"])";
+/**
+ * SQL form of {@link includeInDefaultTrends}, as a boolean expression over the
+ * flattened `ailf.reports` BigQuery row (columns `validity_status`,
+ * `classification`). Materialized verbatim as the `include_in_default_trends`
+ * column in `packages/eval/config/bigquery/views/reports.sql`; an eval test
+ * asserts the view embeds this exact string.
+ *
+ * Both axes are NULL-safe so the column matches the TS predicate row-for-row:
+ * `classification NOT IN (...)` alone is `NULL` for an unclassified row under
+ * SQL three-valued logic, which a `WHERE`/boolean context treats as `FALSE` —
+ * silently dropping pre-taxonomy reports the TS predicate keeps.
+ */
+export declare const INCLUDE_IN_DEFAULT_TRENDS_SQL = "(validity_status IS NULL OR validity_status = 'ok') AND (classification IS NULL OR classification NOT IN ('test', 'experimental'))";

package/dist/_vendor/ailf-shared/trustworthiness.js

@@ -0,0 +1,86 @@
+/**
+ * trustworthiness.ts — The single trust gate for reports (D0059).
+ *
+ * `includeInDefaultTrends` is the one definition of "show this report by
+ * default." Every surface (dashboard analytics, Studio presets, the BigQuery
+ * `reports.sql` view) references this predicate so the gate cannot drift
+ * between consumers.
+ *
+ * Two orthogonal axes decide inclusion:
+ *
+ *  - **Validity (data health, D0059)** — the *primary* gate. A report is
+ *    included only when its `validity.status` is `ok` OR validity is absent
+ *    (pre-stamp reads are trusted until backfilled — the rollout is additive
+ *    and nullable). Any non-`ok` status (`degraded` / `incomplete` /
+ *    `suspect`) excludes the report regardless of intent.
+ *  - **Intent (run classification, D0037)** — a *secondary* exclusion. The
+ *    explicit `test` and `experimental` classifications are dropped;
+ *    `adhoc` / `official` / `external` (and a missing classification) are kept.
+ *    `adhoc` is intentionally included — it holds real production one-offs;
+ *    the validity gate, not the intent gate, removes the bad ones inside it.
+ *
+ * We model a slim subset of the core `Report` shape (the two read axes) rather
+ * than importing `Report` / `ReportValidity` from `@sanity/ailf-core`: this
+ * package is the dependency-graph leaf and imports nothing from core. A full
+ * core `Report` is structurally assignable to {@link TrustGateReport}.
+ *
+ * The predicate is total — it never throws — and is kept trivially
+ * translatable to the two query-language forms it is materialized as on the
+ * other surfaces (`W-studio-bigquery-validity`): the GROQ filter behind the
+ * Studio "Trustworthy" preset ({@link INCLUDE_IN_DEFAULT_TRENDS_GROQ}) and the
+ * SQL boolean in the BigQuery `reports.sql` view
+ * ({@link INCLUDE_IN_DEFAULT_TRENDS_SQL}). Those constants live here, beside the
+ * function, so the one gate cannot drift between consumers; a cross-check test
+ * asserts all three forms agree across the full truth table.
+ *
+ * Note the SQL form is NULL-safe on *both* axes: a bare
+ * `classification NOT IN ('test','experimental')` would evaluate to `NULL`
+ * (not `TRUE`) for an unclassified row under SQL three-valued logic, silently
+ * excluding pre-taxonomy reports the TS predicate keeps — hence the explicit
+ * `classification IS NULL OR …`.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md — §Decision/3
+ */
+/**
+ * Whether a report should appear in default trend views.
+ *
+ * Validity is the primary gate; intent is a secondary exclusion. See the
+ * module header for the full rationale and the equivalent SQL.
+ *
+ * @returns `true` when the report is trustworthy enough to show by default.
+ */
+export function includeInDefaultTrends(report) {
+    const status = report.validity?.status;
+    // Primary gate: trustworthy when explicitly `ok` or not yet assessed.
+    const validityOk = status == null || status === "ok";
+    const classification = report.provenance?.classification;
+    // Secondary exclusion: drop explicit test/experimental intent only.
+    const intentIncluded = classification !== "test" && classification !== "experimental";
+    return validityOk && intentIncluded;
+}
+/**
+ * GROQ form of {@link includeInDefaultTrends}, as a boolean expression over an
+ * `ailf.report` document. Drop it into a Studio structure filter with the
+ * document-type guard, e.g.
+ * `` `_type == "ailf.report" && ${INCLUDE_IN_DEFAULT_TRENDS_GROQ}` ``.
+ *
+ * GROQ's `in` returns `false` (not `null`) for an absent left operand, so an
+ * unclassified report passes the intent clause without an explicit
+ * `defined(...)` guard — matching the TS predicate's "missing ⇒ kept" rule.
+ * `defined(validity.status)` makes the absent-validity case trusted.
+ */
+export const INCLUDE_IN_DEFAULT_TRENDS_GROQ = '(!defined(validity.status) || validity.status == "ok") && !(provenance.classification in ["test", "experimental"])';
+/**
+ * SQL form of {@link includeInDefaultTrends}, as a boolean expression over the
+ * flattened `ailf.reports` BigQuery row (columns `validity_status`,
+ * `classification`). Materialized verbatim as the `include_in_default_trends`
+ * column in `packages/eval/config/bigquery/views/reports.sql`; an eval test
+ * asserts the view embeds this exact string.
+ *
+ * Both axes are NULL-safe so the column matches the TS predicate row-for-row:
+ * `classification NOT IN (...)` alone is `NULL` for an unclassified row under
+ * SQL three-valued logic, which a `WHERE`/boolean context treats as `FALSE` —
+ * silently dropping pre-taxonomy reports the TS predicate keeps.
+ */
+export const INCLUDE_IN_DEFAULT_TRENDS_SQL = "(validity_status IS NULL OR validity_status = 'ok') AND (classification IS NULL OR classification NOT IN ('test', 'experimental'))";

package/dist/adapters/task-sources/repo-schemas.d.ts

@@ -1564,8 +1564,8 @@ export declare const RepoConfigSchema: z.ZodObject<{
     summary: z.ZodOptional<z.ZodObject<{
         onRun: z.ZodOptional<z.ZodEnum<{
             never: "never";
-            always: "always";
             auto: "auto";
+            always: "always";
         }>>;
     }, z.core.$strip>>;
     taskSource: z.ZodOptional<z.ZodObject<{

package/dist/commands/publish.js

@@ -27,6 +27,7 @@ import { addOutputDirOption } from "./shared/options.js";
 import { getCallerCwd, resolveOutputDir } from "./shared/resolve-output-dir.js";
 import { buildProvenance, } from "../pipeline/provenance.js";
 import { generateReportTitle } from "../pipeline/report-title.js";
+import { stampReportValidity } from "../pipeline/report-validity.js";
 import { buildSlimReportSummary } from "../_vendor/ailf-core/index.js";
 import { generateReportId, } from "../report-store.js";
 import { withRetry } from "../sinks/retry.js";
@@ -214,8 +215,14 @@ async function runPublishCommand(summaryPath, outputDir, opts) {
     // -----------------------------------------------------------------------
     // 5. Write to Sanity (system of record)
     // -----------------------------------------------------------------------
+    // Stamp the data-health validity axis + normalize classification (D0059)
+    // — the same server-computed forward guarantee the pipeline write path
+    // applies, so reports published via this command carry validity too.
+    const stampedReport = stampReportValidity(report, now);
     console.log("  Writing to Sanity Content Lake...");
-    const sanityResult = store ? await store.write(report) : null;
+    const sanityResult = store
+        ? await store.write(stampedReport)
+        : null;
     if (sanityResult) {
         console.log(`  ✅ Report written: ${sanityResult}`);
     }
@@ -237,7 +244,7 @@ async function runPublishCommand(summaryPath, outputDir, opts) {
         console.log();
         console.log(`  Delivering to ${sinks.length} sink(s)...`);
         const settled = await Promise.allSettled(sinks.map(async (sink) => {
-            const result = await withRetry(() => sink.publish(report));
+            const result = await withRetry(() => sink.publish(stampedReport));
             return { name: sink.name, result };
         }));
         for (const outcome of settled) {

package/dist/orchestration/steps/publish-report-step.js

@@ -16,6 +16,7 @@ import { assoc, buildSlimReportSummary, } from "../../_vendor/ailf-core/index.js
 import { checkScoreSummaryValid } from "../../pipeline/checks.js";
 import { buildProvenance, } from "../../pipeline/provenance.js";
 import { generateReportTitle } from "../../pipeline/report-title.js";
+import { stampReportValidity } from "../../pipeline/report-validity.js";
 import { generateReportId } from "../../report-store.js";
 import { withRetry } from "../../sinks/retry.js";
 export class PublishReportStep {
@@ -145,21 +146,28 @@ export class PublishReportStep {
                 testResults: slimSummary.testResults.map(slimTestResult),
             };
         }
+        // Stamp the data-health `validity` axis (D0059) and normalize
+        // `provenance.classification` on the report now that it is fully assembled
+        // (degradation + slim summary settled). The verdict is server-computed
+        // from the report's own data — never the caller envelope (D0037) — and
+        // assessed at the report's completion time. From here on, the stamped
+        // report is what reaches the snapshot artifact, the store, and the sinks.
+        const stampedReport = stampReportValidity(report, now);
         // Share reportId with downstream steps (CallbackStep + orchestrator job update)
         state.reportId = reportId;
         // W0050 — migrated from ctx.collector.capture to the unified writer.
         // reportSnapshot: full Report JSON for replay (run-scoped, bulk).
-        await ctx.artifactWriter.emit("reportSnapshot", assoc(ctx), report);
+        await ctx.artifactWriter.emit("reportSnapshot", assoc(ctx), stampedReport);
         // autoComparison: delta vs baseline (run-scoped, bulk, optional).
         if (comparison) {
             await ctx.artifactWriter.emit("autoComparison", assoc(ctx), comparison);
         }
         // Write to store (system of record — best-effort, P5)
         const sanityResult = ctx.reportStore
-            ? await ctx.reportStore.write(report)
+            ? await ctx.reportStore.write(stampedReport)
             : null;
         // Run sinks (fire-and-forget, P6)
-        const publishResult = await runSinks(report, ctx);
+        const publishResult = await runSinks(stampedReport, ctx);
         // sinkResults: per-sink outcome (run-scoped, per-entry keyed by sink name).
         for (const r of publishResult.sinkResults) {
             await ctx.artifactWriter.emit("sinkResults", assoc(ctx, { name: r.name }), {

package/dist/pipeline/calculate-scores.js

@@ -1479,9 +1479,15 @@ export async function calculateAndWriteScores(options) {
                 logger: log,
             });
             // Mutate-in-place so subsequent steps (validateGraderJudgmentsCalibration,
-            // persist) see the consensus-merged scores.
+            // persist) see the consensus-merged scores. Snapshot first: the runner's
+            // no-borderline fast path returns the SAME array reference it received,
+            // so `regraded` may alias `judgments`. Truncating `judgments` would then
+            // empty `regraded` before the spread reads it, silently wiping every
+            // judgment (extract N, persist 0) — the divergence the post-persist guard
+            // aborts on. Copying breaks the alias regardless of what the runner returns.
+            const merged = [...regraded];
             judgments.length = 0;
-            judgments.push(...regraded);
+            judgments.push(...merged);
             if (consistencyByJudgment.size > 0) {
                 log.info(`Borderline consensus merged ${consistencyByJudgment.size} judgment(s)`);
             }

package/dist/pipeline/report-validity.d.ts

@@ -0,0 +1,32 @@
+/**
+ * stampReportValidity — apply the report-trustworthiness detector at write time.
+ *
+ * The eval write path's forward guarantee (D0059): every newly written report
+ * carries a top-level `validity` data-health stamp so the trustworthiness gap
+ * cannot recur on new reports. Lives in `pipeline/` (not the orchestration
+ * step) so both report-write paths — `PublishReportStep` and the standalone
+ * `publish` command — import it without a command→orchestration-step coupling.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { type Report } from "../_vendor/ailf-core/index.d.ts";
+/**
+ * Stamp the data-health `validity` axis (D0059) onto a report and normalize
+ * its `provenance.classification` to the canonical spelling.
+ *
+ * Runs the pure detector (`assessReportValidity`) over the assembled report.
+ * `Report` structurally satisfies the detector's `ReportValidityInput`
+ * (`provenance` extends `RunContext`; `summary` is a `ReportSummary`), so no
+ * adapter is needed. The verdict is **server-computed from the report's own
+ * data** (D0037): `assessedAt` is injected by the caller (the report's
+ * completion time) and nothing is read from the caller envelope.
+ *
+ * `classification` is patched only when the detector returns one — it returns
+ * `undefined` when the existing value is already canonical and no Tier-1 rule
+ * fired, so the patch is idempotent and never clobbers a correct (or
+ * human-corrected) value. Tier-2 review flags are not persisted here; the
+ * one-shot backfill consumes them. Returns a new report; the input is not
+ * mutated.
+ */
+export declare function stampReportValidity(report: Report, assessedAt: string): Report;

package/dist/pipeline/report-validity.js

@@ -0,0 +1,43 @@
+/**
+ * stampReportValidity — apply the report-trustworthiness detector at write time.
+ *
+ * The eval write path's forward guarantee (D0059): every newly written report
+ * carries a top-level `validity` data-health stamp so the trustworthiness gap
+ * cannot recur on new reports. Lives in `pipeline/` (not the orchestration
+ * step) so both report-write paths — `PublishReportStep` and the standalone
+ * `publish` command — import it without a command→orchestration-step coupling.
+ *
+ * @see docs/decisions/D0059-report-validity-axis-and-trustworthiness-gate.md
+ * @see docs/design-docs/report-trustworthiness-model.md
+ */
+import { assessReportValidity } from "../_vendor/ailf-core/index.js";
+/**
+ * Stamp the data-health `validity` axis (D0059) onto a report and normalize
+ * its `provenance.classification` to the canonical spelling.
+ *
+ * Runs the pure detector (`assessReportValidity`) over the assembled report.
+ * `Report` structurally satisfies the detector's `ReportValidityInput`
+ * (`provenance` extends `RunContext`; `summary` is a `ReportSummary`), so no
+ * adapter is needed. The verdict is **server-computed from the report's own
+ * data** (D0037): `assessedAt` is injected by the caller (the report's
+ * completion time) and nothing is read from the caller envelope.
+ *
+ * `classification` is patched only when the detector returns one — it returns
+ * `undefined` when the existing value is already canonical and no Tier-1 rule
+ * fired, so the patch is idempotent and never clobbers a correct (or
+ * human-corrected) value. Tier-2 review flags are not persisted here; the
+ * one-shot backfill consumes them. Returns a new report; the input is not
+ * mutated.
+ */
+export function stampReportValidity(report, assessedAt) {
+    const { classification, validity } = assessReportValidity(report, {
+        assessedAt,
+    });
+    return {
+        ...report,
+        provenance: classification
+            ? { ...report.provenance, classification }
+            : report.provenance,
+        validity,
+    };
+}

package/dist/report-store.d.ts

@@ -225,6 +225,7 @@ export interface SanityReportDoc {
     };
     tag: null | string;
     title: null | string;
+    validity?: Report["validity"];
 }
 export declare function toSanityReportDoc(report: Report): SanityReportDoc;
 /**

package/dist/report-store.js

@@ -491,6 +491,7 @@ export function toSanityReportDoc(report) {
         },
         tag: report.tag ?? null,
         title: report.title ?? null,
+        ...(report.validity ? { validity: report.validity } : {}),
     };
 }
 /**
@@ -534,6 +535,7 @@ export function toReport(doc) {
         summary: doc.summary,
         tag: doc.tag,
         title: doc.title,
+        validity: doc.validity,
     };
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/ailf",
-  "version": "7.2.3",
+  "version": "7.3.1",
   "private": false,
   "publishConfig": {
     "access": "public"