@substrate-ai/sdlc 0.20.3 → 0.20.5

package/dist/verification/probes/executor.js

@@ -0,0 +1,109 @@
+/**
+ * Host-sandbox probe executor — Epic 55 / Phase 2.
+ *
+ * Runs one runtime probe directly on the operator machine via a detached
+ * shell process, with stream-separated capture and a hard timeout that
+ * terminates the entire process group. Same safety posture as BuildCheck —
+ * specifically the detached-process-group + SIGKILL-on-timeout pattern —
+ * so probe execution cannot orphan long-running descendants.
+ *
+ * Twin-sandbox execution is **deferred to Phase 3** (Digital Twin
+ * integration). RuntimeProbeCheck handles the `sandbox: twin` case itself
+ * without routing through this module.
+ */
+import { spawn } from 'node:child_process';
+import { DEFAULT_PROBE_TIMEOUT_MS, PROBE_TAIL_BYTES, } from './types.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Return the last N bytes of a UTF-8 string (sliced by length for simplicity). */
+function tail(text, bytes = PROBE_TAIL_BYTES) {
+    return text.length <= bytes ? text : text.slice(text.length - bytes);
+}
+/**
+ * Execute one probe on the host and return a structured ProbeResult.
+ *
+ * Behavior notes:
+ *   - The shell used is `/bin/sh -c '<probe.command>'` inside a detached
+ *     process group (so the entire tree is killed on timeout).
+ *   - stdout and stderr are captured independently; each is returned
+ *     tailed to PROBE_TAIL_BYTES (≤ 4 KiB) so published tarballs of the
+ *     run manifest stay small.
+ *   - Timeout defaults to `probe.timeout_ms ?? DEFAULT_PROBE_TIMEOUT_MS`
+ *     (60 s). When the timeout fires, the process group is SIGKILL'd and
+ *     the returned result has `outcome: 'timeout'`, `exitCode` undefined.
+ *   - Never throws. Spawn errors (e.g. exec format error) are returned as
+ *     `outcome: 'fail'` with exitCode -1 and the error message captured on
+ *     stderrTail, so the caller can emit a deterministic finding.
+ */
+export function executeProbeOnHost(probe, options = {}) {
+    const timeoutMs = probe.timeout_ms ?? DEFAULT_PROBE_TIMEOUT_MS;
+    const cwd = options.cwd ?? process.cwd();
+    const env = options.env ?? process.env;
+    const start = Date.now();
+    return new Promise((resolve) => {
+        let stdout = '';
+        let stderr = '';
+        let settled = false;
+        const child = spawn(probe.command, [], {
+            cwd,
+            env,
+            detached: true,
+            shell: true,
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        const finalize = (result) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(result);
+        };
+        child.on('error', (err) => {
+            // spawn error (ENOENT, EACCES, EMFILE, etc.) — never reach 'close'.
+            finalize({
+                outcome: 'fail',
+                command: probe.command,
+                exitCode: -1,
+                stdoutTail: tail(stdout),
+                stderrTail: tail(stderr + (stderr.length > 0 && !stderr.endsWith('\n') ? '\n' : '') + `spawn error: ${err.message}\n`),
+                durationMs: Date.now() - start,
+            });
+        });
+        child.stdout?.on('data', (chunk) => {
+            stdout += chunk.toString();
+        });
+        child.stderr?.on('data', (chunk) => {
+            stderr += chunk.toString();
+        });
+        const timeoutHandle = setTimeout(() => {
+            try {
+                if (child.pid !== undefined) {
+                    process.kill(-child.pid, 'SIGKILL');
+                }
+            }
+            catch {
+                // Process already exited between timeout fire and kill call.
+            }
+            finalize({
+                outcome: 'timeout',
+                command: probe.command,
+                stdoutTail: tail(stdout),
+                stderrTail: tail(stderr),
+                durationMs: Date.now() - start,
+            });
+        }, timeoutMs);
+        child.on('close', (code) => {
+            clearTimeout(timeoutHandle);
+            const duration = Date.now() - start;
+            finalize({
+                outcome: code === 0 ? 'pass' : 'fail',
+                command: probe.command,
+                ...(code !== null ? { exitCode: code } : {}),
+                stdoutTail: tail(stdout),
+                stderrTail: tail(stderr),
+                durationMs: duration,
+            });
+        });
+    });
+}
+//# sourceMappingURL=executor.js.map

package/dist/verification/probes/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../../src/verification/probes/executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAC1C,OAAO,EACL,wBAAwB,EACxB,gBAAgB,GAGjB,MAAM,YAAY,CAAA;AAEnB,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,mFAAmF;AACnF,SAAS,IAAI,CAAC,IAAY,EAAE,KAAK,GAAG,gBAAgB;IAClD,OAAO,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,CAAA;AACtE,CAAC;AAcD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAmB,EACnB,UAA8B,EAAE;IAEhC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,wBAAwB,CAAA;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;IACxC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAA;IACtC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAExB,OAAO,IAAI,OAAO,CAAc,CAAC,OAAO,EAAE,EAAE;QAC1C,IAAI,MAAM,GAAG,EAAE,CAAA;QACf,IAAI,MAAM,GAAG,EAAE,CAAA;QACf,IAAI,OAAO,GAAG,KAAK,CAAA;QAEnB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE;YACrC,GAAG;YACH,GAAG;YACH,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,CAAC,MAAmB,EAAE,EAAE;YACvC,IAAI,OAAO;gBAAE,OAAM;YACnB,OAAO,GAAG,IAAI,CAAA;YACd,OAAO,CAAC,MAAM,CAAC,CAAA;QACjB,CAAC,CAAA;QAED,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,oEAAoE;YACpE,QAAQ,CAAC;gBACP,OAAO,EAAE,MAAM;gBACf,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,QAAQ,EAAE,CAAC,CAAC;gBACZ,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;gBACxB,UAAU,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,gBAAgB,GAAG,CAAC,OAAO,IAAI,CAAC;gBACtH,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAA;QAC5B,CAAC,CAAC,CAAA;QACF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAA;QAC5B,CAAC,CAAC,CAAA;QAEF,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACpC,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;oBAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACrC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,QAAQ,CAAC;gBACP,OAAO,EAAE,SAAS;gBAClB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;gBACxB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;gBACxB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC,CAAA;QACJ,CAAC,EAAE,SAAS,CAAC,CAAA;QAEb,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,aAAa,CAAC,CAAA;YAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAA;YACnC,QAAQ,CAAC;gBACP,OAAO,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBACrC,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;gBACxB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;gBACxB,UAAU,EAAE,QAAQ;aACrB,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/verification/probes/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Runtime probe public surface — Epic 55 / Phase 2.
+ *
+ * Re-exports the parser, executor, and supporting types. The actual
+ * VerificationCheck implementation lives in ../checks/runtime-probe-check.ts
+ * to keep the existing `checks/` directory as the canonical location for
+ * all VerificationCheck subclasses.
+ */
+export { DEFAULT_PROBE_TIMEOUT_MS, PROBE_TAIL_BYTES, RuntimeProbeListSchema, RuntimeProbeSandboxSchema, RuntimeProbeSchema, } from './types.js';
+export type { ProbeResult, RuntimeProbe, RuntimeProbeParseResult, RuntimeProbeSandbox, } from './types.js';
+export { parseRuntimeProbes } from './parser.js';
+export { executeProbeOnHost } from './executor.js';
+export type { HostExecuteOptions } from './executor.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/verification/probes/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/verification/probes/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,sBAAsB,EACtB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,YAAY,CAAA;AACnB,YAAY,EACV,WAAW,EACX,YAAY,EACZ,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAEhD,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA;AAClD,YAAY,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA"}

package/dist/verification/probes/index.js

@@ -0,0 +1,12 @@
+/**
+ * Runtime probe public surface — Epic 55 / Phase 2.
+ *
+ * Re-exports the parser, executor, and supporting types. The actual
+ * VerificationCheck implementation lives in ../checks/runtime-probe-check.ts
+ * to keep the existing `checks/` directory as the canonical location for
+ * all VerificationCheck subclasses.
+ */
+export { DEFAULT_PROBE_TIMEOUT_MS, PROBE_TAIL_BYTES, RuntimeProbeListSchema, RuntimeProbeSandboxSchema, RuntimeProbeSchema, } from './types.js';
+export { parseRuntimeProbes } from './parser.js';
+export { executeProbeOnHost } from './executor.js';
+//# sourceMappingURL=index.js.map

package/dist/verification/probes/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/verification/probes/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,sBAAsB,EACtB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,YAAY,CAAA;AAQnB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAEhD,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA"}

package/dist/verification/probes/parser.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Runtime probe parser — Epic 55 / Phase 2.
+ *
+ * Locates the `## Runtime Probes` section in a story's markdown content and
+ * extracts any probe declarations contained in a `yaml` code fence inside
+ * it. Never throws: every failure mode is returned as a RuntimeProbeParseResult
+ * variant so the VerificationCheck can emit a structured finding rather than
+ * crash the verification pipeline.
+ */
+import { type RuntimeProbeParseResult } from './types.js';
+/**
+ * Parse the `## Runtime Probes` section of a story's markdown content.
+ *
+ * Outcomes:
+ *   - section missing                                  → { kind: 'absent' }
+ *   - section present, no yaml fence                   → { kind: 'invalid' }
+ *   - section present, yaml fence malformed            → { kind: 'invalid' }
+ *   - section present, yaml root is not a list         → { kind: 'invalid' }
+ *   - section present, entry fails RuntimeProbeSchema  → { kind: 'invalid' }
+ *   - section present, yaml valid, all entries valid   → { kind: 'parsed' }
+ *
+ * Duplicate names within a single story are surfaced as `invalid` so that
+ * finding messages can unambiguously reference a probe by name.
+ */
+export declare function parseRuntimeProbes(storyContent: string): RuntimeProbeParseResult;
+//# sourceMappingURL=parser.d.ts.map

package/dist/verification/probes/parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../../src/verification/probes/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAGL,KAAK,uBAAuB,EAC7B,MAAM,YAAY,CAAA;AAmEnB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,uBAAuB,CAsDhF"}

package/dist/verification/probes/parser.js

@@ -0,0 +1,134 @@
+/**
+ * Runtime probe parser — Epic 55 / Phase 2.
+ *
+ * Locates the `## Runtime Probes` section in a story's markdown content and
+ * extracts any probe declarations contained in a `yaml` code fence inside
+ * it. Never throws: every failure mode is returned as a RuntimeProbeParseResult
+ * variant so the VerificationCheck can emit a structured finding rather than
+ * crash the verification pipeline.
+ */
+import { load as yamlLoad, YAMLException } from 'js-yaml';
+import { RuntimeProbeListSchema, } from './types.js';
+// ---------------------------------------------------------------------------
+// Section extraction
+// ---------------------------------------------------------------------------
+const SECTION_HEADING = /^##\s+Runtime\s+Probes\s*$/i;
+/**
+ * Return the raw text of the story's `## Runtime Probes` section (excluding
+ * the heading line itself), or `undefined` if the section is not present.
+ *
+ * The section ends at the next `##` heading or end-of-file. Sub-headings
+ * (`###`, `####`) remain part of the section body.
+ */
+function extractRuntimeProbesSection(storyContent) {
+    const lines = storyContent.split(/\r?\n/);
+    const start = lines.findIndex((line) => SECTION_HEADING.test(line.trim()));
+    if (start === -1)
+        return undefined;
+    let end = lines.length;
+    for (let i = start + 1; i < lines.length; i += 1) {
+        if (/^##\s+\S/.test(lines[i] ?? '')) {
+            end = i;
+            break;
+        }
+    }
+    return lines.slice(start + 1, end).join('\n');
+}
+/**
+ * Extract the body of the first ```yaml (or ```yml) fenced block in the
+ * given section text. Returns `undefined` if no yaml fence is present.
+ *
+ * The opening fence is recognized case-insensitively and may carry an
+ * arbitrary trailing info string (e.g. ```yaml title=...). The closing
+ * fence is any line whose first non-whitespace run is exactly three
+ * backticks.
+ */
+function extractYamlFence(section) {
+    const lines = section.split(/\r?\n/);
+    let inside = false;
+    let collected;
+    for (const line of lines) {
+        if (!inside) {
+            if (/^\s*```\s*(yaml|yml)\b/i.test(line)) {
+                inside = true;
+                collected = [];
+            }
+            continue;
+        }
+        // inside a yaml fence
+        if (/^\s*```\s*$/.test(line)) {
+            return (collected ?? []).join('\n');
+        }
+        collected?.push(line);
+    }
+    // Unterminated fence → treat as missing; the caller surfaces this as an
+    // `invalid` parse result with a clear message.
+    return undefined;
+}
+// ---------------------------------------------------------------------------
+// parseRuntimeProbes — public entry point
+// ---------------------------------------------------------------------------
+/**
+ * Parse the `## Runtime Probes` section of a story's markdown content.
+ *
+ * Outcomes:
+ *   - section missing                                  → { kind: 'absent' }
+ *   - section present, no yaml fence                   → { kind: 'invalid' }
+ *   - section present, yaml fence malformed            → { kind: 'invalid' }
+ *   - section present, yaml root is not a list         → { kind: 'invalid' }
+ *   - section present, entry fails RuntimeProbeSchema  → { kind: 'invalid' }
+ *   - section present, yaml valid, all entries valid   → { kind: 'parsed' }
+ *
+ * Duplicate names within a single story are surfaced as `invalid` so that
+ * finding messages can unambiguously reference a probe by name.
+ */
+export function parseRuntimeProbes(storyContent) {
+    const section = extractRuntimeProbesSection(storyContent);
+    if (section === undefined) {
+        return { kind: 'absent' };
+    }
+    const yamlBody = extractYamlFence(section);
+    if (yamlBody === undefined) {
+        return {
+            kind: 'invalid',
+            error: '## Runtime Probes section is present but contains no terminated ```yaml fenced block',
+        };
+    }
+    let parsed;
+    try {
+        parsed = yamlLoad(yamlBody) ?? [];
+    }
+    catch (err) {
+        const detail = err instanceof YAMLException ? err.message : String(err);
+        return { kind: 'invalid', error: `YAML parse error: ${detail}` };
+    }
+    if (!Array.isArray(parsed)) {
+        return {
+            kind: 'invalid',
+            error: `probe block root must be a YAML list; got ${typeof parsed}`,
+        };
+    }
+    const validation = RuntimeProbeListSchema.safeParse(parsed);
+    if (!validation.success) {
+        const first = validation.error.issues[0];
+        const path = first?.path.join('.') ?? '';
+        const message = first?.message ?? 'schema validation failed';
+        return {
+            kind: 'invalid',
+            error: `probe list is malformed at ${path || '<root>'}: ${message}`,
+        };
+    }
+    const probes = validation.data;
+    const seen = new Set();
+    for (const probe of probes) {
+        if (seen.has(probe.name)) {
+            return {
+                kind: 'invalid',
+                error: `duplicate probe name: ${probe.name}`,
+            };
+        }
+        seen.add(probe.name);
+    }
+    return { kind: 'parsed', probes };
+}
+//# sourceMappingURL=parser.js.map

package/dist/verification/probes/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../../../src/verification/probes/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,IAAI,IAAI,QAAQ,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACzD,OAAO,EACL,sBAAsB,GAGvB,MAAM,YAAY,CAAA;AAEnB,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,eAAe,GAAG,6BAA6B,CAAA;AAErD;;;;;;GAMG;AACH,SAAS,2BAA2B,CAAC,YAAoB;IACvD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IACzC,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;IAC1E,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAA;IAElC,IAAI,GAAG,GAAG,KAAK,CAAC,MAAM,CAAA;IACtB,KAAK,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YACpC,GAAG,GAAG,CAAC,CAAA;YACP,MAAK;QACP,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,KAAK,CAAA;IAClB,IAAI,SAA+B,CAAA;IACnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,MAAM,GAAG,IAAI,CAAA;gBACb,SAAS,GAAG,EAAE,CAAA;YAChB,CAAC;YACD,SAAQ;QACV,CAAC;QACD,sBAAsB;QACtB,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrC,CAAC;QACD,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;IACvB,CAAC;IACD,wEAAwE;IACxE,+CAA+C;IAC/C,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,OAAO,GAAG,2BAA2B,CAAC,YAAY,CAAC,CAAA;IACzD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IAC3B,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC1C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO;YACL,IAAI,EAAE,SAAS;YACf,KAAK,EACH,sFAAsF;SACzF,CAAA;IACH,CAAC;IAED,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IACnC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,GAAG,YAAY,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACvE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,MAAM,EAAE,EAAE,CAAA;IAClE,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,6CAA6C,OAAO,MAAM,EAAE;SACpE,CAAA;IACH,CAAC;IAED,MAAM,UAAU,GAAG,sBAAsB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IAC3D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,IAAI,GAAG,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QACxC,MAAM,OAAO,GAAG,KAAK,EAAE,OAAO,IAAI,0BAA0B,CAAA;QAC5D,OAAO;YACL,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,8BAA8B,IAAI,IAAI,QAAQ,KAAK,OAAO,EAAE;SACpE,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAmB,UAAU,CAAC,IAAI,CAAA;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAC9B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,OAAO;gBACL,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,yBAAyB,KAAK,CAAC,IAAI,EAAE;aAC7C,CAAA;QACH,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACtB,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;AACnC,CAAC"}

package/dist/verification/probes/types.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Runtime probe types — Epic 55 / Phase 2.
+ *
+ * A "runtime probe" is an author-declared executable command that the
+ * verification pipeline runs against a real or ephemeral target environment
+ * to answer the question "does the artifact this story produced actually
+ * work?". Runtime probes exist specifically to catch the class of bugs that
+ * static shape-gates (phantom-review, trivial-output, ac-evidence, build)
+ * cannot — runtime misconfiguration, wrong image paths, systemd semantics,
+ * credential issues, and so on.
+ *
+ * This file defines the data shape; parsing lives in ./parser.ts, execution
+ * lives in ./executor.ts, and the VerificationCheck implementation lives in
+ * ../checks/runtime-probe-check.ts.
+ */
+import { z } from 'zod';
+/**
+ * Execution sandbox for a runtime probe.
+ *
+ * - `host`: probe runs directly on the operator's machine. Explicit opt-in.
+ *   Cheapest; most dangerous. Authors choosing `host` acknowledge the probe
+ *   may touch host state (ports, systemd units, filesystem) and take
+ *   responsibility for cleanup.
+ * - `twin`: probe runs inside an ephemeral sandbox brokered by the Digital
+ *   Twin subsystem (Epic 47). Twin integration is **deferred to Phase 3** —
+ *   probes with `sandbox: twin` currently emit a `probe-deferred` warn
+ *   finding rather than executing. Authors can declare twin-scoped probes
+ *   today and they will execute transparently once Phase 3 lands.
+ */
+export declare const RuntimeProbeSandboxSchema: z.ZodEnum<{
+    host: "host";
+    twin: "twin";
+}>;
+export type RuntimeProbeSandbox = z.infer<typeof RuntimeProbeSandboxSchema>;
+/**
+ * Default per-probe timeout in milliseconds. Matches the existing
+ * BuildCheck ceiling (60 s) — deliberate, so probe timeouts are bounded
+ * by the same policy the pipeline already uses for long-running checks.
+ */
+export declare const DEFAULT_PROBE_TIMEOUT_MS = 60000;
+/** Hard upper bound on per-probe stdout/stderr retention (≤ 4 KiB — the
+ *  same convention as VerificationFinding.{stdoutTail,stderrTail}). */
+export declare const PROBE_TAIL_BYTES: number;
+/**
+ * Zod schema for one runtime probe declared in a story's
+ * `## Runtime Probes` section.
+ *
+ * Required fields (`name`, `sandbox`, `command`) force authors to make
+ * intent explicit — no silent defaults that could mask a miswritten probe.
+ * Optional fields cover operational knobs with sensible fallbacks.
+ */
+export declare const RuntimeProbeSchema: z.ZodObject<{
+    name: z.ZodString;
+    sandbox: z.ZodEnum<{
+        host: "host";
+        twin: "twin";
+    }>;
+    command: z.ZodString;
+    timeout_ms: z.ZodOptional<z.ZodNumber>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type RuntimeProbe = z.infer<typeof RuntimeProbeSchema>;
+/** Zod schema for the full list (wrapping the per-probe schema). */
+export declare const RuntimeProbeListSchema: z.ZodArray<z.ZodObject<{
+    name: z.ZodString;
+    sandbox: z.ZodEnum<{
+        host: "host";
+        twin: "twin";
+    }>;
+    command: z.ZodString;
+    timeout_ms: z.ZodOptional<z.ZodNumber>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>>;
+/**
+ * Result of parsing the `## Runtime Probes` section from story markdown.
+ *
+ * Parsing never throws — instead it returns one of three variants so the
+ * VerificationCheck can distinguish and emit appropriate findings:
+ *
+ * - `absent`:  section missing entirely. Treat as "no probes declared" →
+ *              check emits pass with skip note. Backward compat for every
+ *              story authored before Phase 2.
+ * - `parsed`:  section present, YAML valid, all entries match
+ *              RuntimeProbeSchema. `probes` is the parsed array (may be
+ *              empty if the YAML list was intentionally `[]`).
+ * - `invalid`: section present but YAML is malformed, the root value is
+ *              not a list, or at least one entry fails schema validation.
+ *              The check surfaces `invalid` as a fail finding with the
+ *              original parse error so authors see the exact problem.
+ */
+export type RuntimeProbeParseResult = {
+    kind: 'absent';
+} | {
+    kind: 'parsed';
+    probes: RuntimeProbe[];
+} | {
+    kind: 'invalid';
+    error: string;
+};
+/**
+ * Outcome of one probe execution.
+ *
+ * Mirrors the optional `{command, exitCode, stdoutTail, stderrTail,
+ * durationMs}` surface on VerificationFinding so the RuntimeProbeCheck can
+ * lift ProbeResult fields into a finding with minimal translation.
+ *
+ * `outcome` disambiguates the three terminal states the check cares about:
+ *
+ * - `pass`:    command exited 0 within its timeout.
+ * - `fail`:    command exited non-zero within its timeout.
+ * - `timeout`: probe exceeded its timeout and was killed. `exitCode` is
+ *              undefined (the process never reported one).
+ */
+export interface ProbeResult {
+    outcome: 'pass' | 'fail' | 'timeout';
+    command: string;
+    exitCode?: number;
+    stdoutTail: string;
+    stderrTail: string;
+    durationMs: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/verification/probes/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/verification/probes/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB;;;EAA2B,CAAA;AACjE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAM3E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,QAAS,CAAA;AAE9C;uEACuE;AACvE,eAAO,MAAM,gBAAgB,QAAW,CAAA;AAExC;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;iBAW7B,CAAA;AAEF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAE7D,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;kBAA8B,CAAA;AAMjE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,MAAM,uBAAuB,GAC/B;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,GAClB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,YAAY,EAAE,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAA;AAMtC;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;IACpC,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;CACnB"}

package/dist/verification/probes/types.js

@@ -0,0 +1,68 @@
+/**
+ * Runtime probe types — Epic 55 / Phase 2.
+ *
+ * A "runtime probe" is an author-declared executable command that the
+ * verification pipeline runs against a real or ephemeral target environment
+ * to answer the question "does the artifact this story produced actually
+ * work?". Runtime probes exist specifically to catch the class of bugs that
+ * static shape-gates (phantom-review, trivial-output, ac-evidence, build)
+ * cannot — runtime misconfiguration, wrong image paths, systemd semantics,
+ * credential issues, and so on.
+ *
+ * This file defines the data shape; parsing lives in ./parser.ts, execution
+ * lives in ./executor.ts, and the VerificationCheck implementation lives in
+ * ../checks/runtime-probe-check.ts.
+ */
+import { z } from 'zod';
+// ---------------------------------------------------------------------------
+// Sandbox — where the probe runs
+// ---------------------------------------------------------------------------
+/**
+ * Execution sandbox for a runtime probe.
+ *
+ * - `host`: probe runs directly on the operator's machine. Explicit opt-in.
+ *   Cheapest; most dangerous. Authors choosing `host` acknowledge the probe
+ *   may touch host state (ports, systemd units, filesystem) and take
+ *   responsibility for cleanup.
+ * - `twin`: probe runs inside an ephemeral sandbox brokered by the Digital
+ *   Twin subsystem (Epic 47). Twin integration is **deferred to Phase 3** —
+ *   probes with `sandbox: twin` currently emit a `probe-deferred` warn
+ *   finding rather than executing. Authors can declare twin-scoped probes
+ *   today and they will execute transparently once Phase 3 lands.
+ */
+export const RuntimeProbeSandboxSchema = z.enum(['host', 'twin']);
+// ---------------------------------------------------------------------------
+// RuntimeProbe — one author-declared probe
+// ---------------------------------------------------------------------------
+/**
+ * Default per-probe timeout in milliseconds. Matches the existing
+ * BuildCheck ceiling (60 s) — deliberate, so probe timeouts are bounded
+ * by the same policy the pipeline already uses for long-running checks.
+ */
+export const DEFAULT_PROBE_TIMEOUT_MS = 60_000;
+/** Hard upper bound on per-probe stdout/stderr retention (≤ 4 KiB — the
+ *  same convention as VerificationFinding.{stdoutTail,stderrTail}). */
+export const PROBE_TAIL_BYTES = 4 * 1024;
+/**
+ * Zod schema for one runtime probe declared in a story's
+ * `## Runtime Probes` section.
+ *
+ * Required fields (`name`, `sandbox`, `command`) force authors to make
+ * intent explicit — no silent defaults that could mask a miswritten probe.
+ * Optional fields cover operational knobs with sensible fallbacks.
+ */
+export const RuntimeProbeSchema = z.object({
+    /** Stable, unique-within-story identifier used in finding messages and logs. */
+    name: z.string().min(1, 'probe name is required'),
+    /** Where the probe runs. See RuntimeProbeSandboxSchema. */
+    sandbox: RuntimeProbeSandboxSchema,
+    /** Shell command line(s). Passed to a detached `sh -c` wrapper on host execution. */
+    command: z.string().min(1, 'probe command is required'),
+    /** Optional per-probe timeout in ms. Defaults to DEFAULT_PROBE_TIMEOUT_MS. */
+    timeout_ms: z.number().int().positive().optional(),
+    /** Optional human-readable description. Surfaced in finding messages. */
+    description: z.string().optional(),
+});
+/** Zod schema for the full list (wrapping the per-probe schema). */
+export const RuntimeProbeListSchema = z.array(RuntimeProbeSchema);
+//# sourceMappingURL=types.js.map

package/dist/verification/probes/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/verification/probes/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;AAGjE,8EAA8E;AAC9E,2CAA2C;AAC3C,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,MAAM,CAAA;AAE9C;uEACuE;AACvE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,GAAG,IAAI,CAAA;AAExC;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,gFAAgF;IAChF,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,wBAAwB,CAAC;IACjD,2DAA2D;IAC3D,OAAO,EAAE,yBAAyB;IAClC,qFAAqF;IACrF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,2BAA2B,CAAC;IACvD,8EAA8E;IAC9E,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClD,yEAAyE;IACzE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAA;AAIF,oEAAoE;AACpE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAA"}

package/dist/verification/types.d.ts

@@ -8,6 +8,8 @@
  * Package placement: packages/sdlc/src/verification/ — SDLC-specific fields
  * (storyKey, commitSha, priorStoryFiles) make these types inappropriate for @substrate-ai/core.
  */
+import type { VerificationFinding } from './findings.js';
+export type { VerificationFinding, VerificationFindingSeverity } from './findings.js';
 /**
  * Slim projection of code-review dispatch signals needed by PhantomReviewCheck.
  *
@@ -102,12 +104,19 @@ export interface VerificationContext {
 /**
  * Result returned by a single VerificationCheck.run() invocation.
  *
- * AC2: status is 'pass' | 'warn' | 'fail'.
+ * `details` is a human-readable rendering, preserved for any consumer that
+ * already reads it. `findings` (story 55-1) is the structured per-issue
+ * surface — downstream consumers (retry prompts, run manifest, post-run
+ * analysis) should prefer it. Checks that emit findings should derive
+ * `details` via `renderFindings(findings)` so the two stay in sync.
  */
 export interface VerificationResult {
     status: 'pass' | 'warn' | 'fail';
     details: string;
     duration_ms: number;
+    /** Structured per-issue payload. Optional for backward compatibility with
+     * checks and consumers that pre-date story 55-1. */
+    findings?: VerificationFinding[];
 }
 /**
  * Per-check result included in a VerificationSummary.

package/dist/verification/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/verification/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,6GAA6G;IAC7G,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,mFAAmF;IACnF,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,MAAM,CAAC,EAAE,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAA;IACtC,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;CACjC;AAMD;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,sDAAsD;IACtD,UAAU,EAAE,MAAM,CAAA;IAClB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAA;IACjB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;IACf,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,aAAa,CAAA;IAC5B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,eAAe,CAAA;IAChC;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAMD;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAwB,SAAQ,kBAAkB;IACjE,SAAS,EAAE,MAAM,CAAA;CAClB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,uBAAuB,EAAE,CAAA;IACjC,gDAAgD;IAChD,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;IAChC,WAAW,EAAE,MAAM,CAAA;CACpB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAA;IACZ,mFAAmF;IACnF,IAAI,EAAE,GAAG,GAAG,GAAG,CAAA;IACf;;;OAGG;IACH,GAAG,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAA;CAC/D"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/verification/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AAGxD,YAAY,EAAE,mBAAmB,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAA;AAMrF;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,6GAA6G;IAC7G,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,mFAAmF;IACnF,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,MAAM,CAAC,EAAE,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAA;IACtC,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;CACjC;AAMD;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,sDAAsD;IACtD,UAAU,EAAE,MAAM,CAAA;IAClB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAA;IACjB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;IACf,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,aAAa,CAAA;IAC5B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,eAAe,CAAA;IAChC;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAMD;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB;wDACoD;IACpD,QAAQ,CAAC,EAAE,mBAAmB,EAAE,CAAA;CACjC;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAwB,SAAQ,kBAAkB;IACjE,SAAS,EAAE,MAAM,CAAA;CAClB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,uBAAuB,EAAE,CAAA;IACjC,gDAAgD;IAChD,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;IAChC,WAAW,EAAE,MAAM,CAAA;CACpB;AAMD;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAA;IACZ,mFAAmF;IACnF,IAAI,EAAE,GAAG,GAAG,GAAG,CAAA;IACf;;;OAGG;IACH,GAAG,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAA;CAC/D"}

package/dist/verification/verification-pipeline.d.ts

@@ -52,11 +52,13 @@ export declare class VerificationPipeline {
 /**
  * Create a VerificationPipeline pre-loaded with the canonical check set.
  *
- * Canonical Tier A check order (architecture section 3.5):
+ * Canonical Tier A check order:
  *   1. PhantomReviewCheck — story 51-2  (runs first: unreviewed stories skipped)
  *   2. TrivialOutputCheck — story 51-3
  *   3. AcceptanceCriteriaEvidenceCheck
  *   4. BuildCheck         — story 51-4
+ *   5. RuntimeProbeCheck  — Epic 55 Phase 2: runtime behavior gate; runs last
+ *                           in Tier A because probes may depend on built artifacts
  *
  * @param bus    Typed event bus for verification events.
  * @param config Optional config (used to forward threshold to TrivialOutputCheck).

package/dist/verification/verification-pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verification-pipeline.d.ts","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,KAAK,EACV,iBAAiB,EACjB,mBAAmB,EAEnB,mBAAmB,EACpB,MAAM,YAAY,CAAA;AAGnB,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAA;AA2BhF;;;;;;GAMG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA0B;IAElD;;;OAGG;gBACS,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAAE,MAAM,GAAE,iBAAiB,EAAO;IAO5E;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAIxC;;;;;;;;;;OAUG;IACG,GAAG,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,GAAE,GAAG,GAAG,GAAS,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAuD7F;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAC9B,MAAM,CAAC,EAAE,wBAAwB,GAChC,oBAAoB,CAQtB"}
+{"version":3,"file":"verification-pipeline.d.ts","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,KAAK,EACV,iBAAiB,EACjB,mBAAmB,EAEnB,mBAAmB,EACpB,MAAM,YAAY,CAAA;AAGnB,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAA;AA4BhF;;;;;;GAMG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA0B;IAElD;;;OAGG;gBACS,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAAE,MAAM,GAAE,iBAAiB,EAAO;IAO5E;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAIxC;;;;;;;;;;OAUG;IACG,GAAG,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,GAAE,GAAG,GAAG,GAAS,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAqE7F;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAC9B,MAAM,CAAC,EAAE,wBAAwB,GAChC,oBAAoB,CAStB"}