@veewo/gitnexus 1.4.11-rc.2 → 1.5.0-rc.2

package/dist/mcp/local/runtime-claim-rule-registry.js

@@ -0,0 +1,308 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { loadCompiledRuleBundle } from '../../rule-lab/compiled-bundles.js';
+export class RuleRegistryLoadError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.name = 'RuleRegistryLoadError';
+        this.code = code;
+        this.details = details;
+    }
+}
+function decodeYamlScalar(raw) {
+    const trimmed = String(raw || '').trim();
+    if (trimmed.length < 2)
+        return trimmed;
+    const first = trimmed[0];
+    const last = trimmed[trimmed.length - 1];
+    if (first === '"' && last === '"') {
+        return trimmed
+            .slice(1, -1)
+            .replace(/\\"/g, '"')
+            .replace(/\\\\/g, '\\');
+    }
+    if (first === '\'' && last === '\'') {
+        return trimmed
+            .slice(1, -1)
+            .replace(/''/g, '\'');
+    }
+    return trimmed;
+}
+function readScalar(raw, key) {
+    const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const match = raw.match(new RegExp(`^${escaped}:\\s*(.+)$`, 'm'));
+    if (!match)
+        return undefined;
+    return decodeYamlScalar(match[1]);
+}
+function readList(raw, key) {
+    const lines = raw.split(/\r?\n/);
+    const start = lines.findIndex((line) => new RegExp(`^${key}:\\s*$`).test(line.trim()));
+    if (start < 0)
+        return [];
+    const out = [];
+    for (let i = start + 1; i < lines.length; i++) {
+        const line = lines[i];
+        if (!/^\s+-\s+/.test(line))
+            break;
+        out.push(decodeYamlScalar(line.replace(/^\s+-\s+/, '')));
+    }
+    return out;
+}
+function readSectionLines(raw, key) {
+    const lines = raw.split(/\r?\n/);
+    const sectionHeader = new RegExp(`^(\\s*)${key}:\\s*$`);
+    const start = lines.findIndex((line) => sectionHeader.test(line));
+    if (start < 0)
+        return [];
+    const startMatch = lines[start].match(sectionHeader);
+    const sectionIndent = startMatch ? startMatch[1].length : 0;
+    const out = [];
+    for (let i = start + 1; i < lines.length; i++) {
+        const line = lines[i];
+        if (!line.trim()) {
+            out.push(line);
+            continue;
+        }
+        const indent = (line.match(/^(\s*)/)?.[1] || '').length;
+        if (indent <= sectionIndent)
+            break;
+        out.push(line);
+    }
+    return out;
+}
+function readNestedList(raw, section, key) {
+    const sectionLines = readSectionLines(raw, section);
+    if (sectionLines.length === 0)
+        return [];
+    const nestedKey = new RegExp(`^(\\s*)${key}:\\s*$`);
+    const start = sectionLines.findIndex((line) => nestedKey.test(line.trimStart()));
+    if (start < 0)
+        return [];
+    const normalized = sectionLines.map((line) => line.replace(/^\s{2}/, ''));
+    const startMatch = normalized[start].match(nestedKey);
+    const baseIndent = startMatch ? startMatch[1].length : 0;
+    const out = [];
+    for (let i = start + 1; i < normalized.length; i++) {
+        const line = normalized[i];
+        if (!line.trim())
+            continue;
+        const indent = (line.match(/^(\s*)/)?.[1] || '').length;
+        if (indent <= baseIndent)
+            break;
+        if (!/^\s*-\s+/.test(line))
+            break;
+        out.push(decodeYamlScalar(line.replace(/^\s*-\s+/, '')));
+    }
+    return out;
+}
+function readNestedScalar(raw, section, key) {
+    const sectionLines = readSectionLines(raw, section).map((line) => line.replace(/^\s{2}/, ''));
+    const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const match = sectionLines
+        .map((line) => line.trimStart())
+        .join('\n')
+        .match(new RegExp(`^${escaped}:\\s*(.+)$`, 'm'));
+    if (!match)
+        return undefined;
+    return decodeYamlScalar(match[1]);
+}
+function majorVersion(version) {
+    const n = Number(String(version || '').trim().split('.')[0]);
+    return Number.isFinite(n) ? n : 0;
+}
+function assertDslShape(raw, filePath, version) {
+    if (majorVersion(version) < 2)
+        return;
+    const required = ['match', 'topology', 'closure', 'claims'];
+    const missing = required.filter((key) => !new RegExp(`^${key}:\\s*$`, 'm').test(raw));
+    if (missing.length > 0) {
+        throw new Error(`Rule yaml missing required DSL sections (${missing.join(', ')}): ${filePath}`);
+    }
+}
+export function parseRuleYaml(raw, filePath) {
+    const id = readScalar(raw, 'id');
+    const version = readScalar(raw, 'version');
+    if (!id || !version) {
+        throw new Error(`Rule yaml missing required id/version: ${filePath}`);
+    }
+    assertDslShape(raw, filePath, version);
+    const triggerTokens = readNestedList(raw, 'match', 'trigger_tokens');
+    const closureRequiredHops = readNestedList(raw, 'closure', 'required_hops');
+    const claimGuarantees = readNestedList(raw, 'claims', 'guarantees');
+    const claimNonGuarantees = readNestedList(raw, 'claims', 'non_guarantees');
+    const claimNextAction = readNestedScalar(raw, 'claims', 'next_action');
+    const legacyTriggerFamily = readScalar(raw, 'trigger_family');
+    const legacyRequiredHops = readList(raw, 'required_hops');
+    const legacyGuarantees = readList(raw, 'guarantees');
+    const legacyNonGuarantees = readList(raw, 'non_guarantees');
+    const legacyNextAction = readScalar(raw, 'next_action');
+    // Parse resource_bindings
+    const rbLines = readSectionLines(raw, 'resource_bindings');
+    let resource_bindings;
+    if (rbLines.length > 0) {
+        resource_bindings = [];
+        const joined = rbLines.map((l) => l.replace(/^\s{2}/, '')).join('\n');
+        const entries = joined.split(/(?=^\s*- kind:)/m).filter((s) => s.trim());
+        for (const entry of entries) {
+            const kindMatch = entry.match(/- kind:\s*(.+)/);
+            if (!kindMatch)
+                continue;
+            const binding = { kind: decodeYamlScalar(kindMatch[1]) };
+            const scalar = (k) => {
+                const m = entry.match(new RegExp(`^\\s+${k}:\\s*(.+)$`, 'm'));
+                return m ? decodeYamlScalar(m[1]) : undefined;
+            };
+            const list = (k) => {
+                const lines = entry.split('\n');
+                const idx = lines.findIndex((l) => new RegExp(`^\\s+${k}:\\s*$`).test(l));
+                if (idx < 0)
+                    return undefined;
+                const out = [];
+                for (let i = idx + 1; i < lines.length; i++) {
+                    if (!/^\s+-\s+/.test(lines[i]))
+                        break;
+                    out.push(decodeYamlScalar(lines[i].replace(/^\s+-\s+/, '')));
+                }
+                return out.length > 0 ? out : undefined;
+            };
+            binding.ref_field_pattern = scalar('ref_field_pattern');
+            binding.target_entry_points = list('target_entry_points');
+            binding.host_class_pattern = scalar('host_class_pattern');
+            binding.field_name = scalar('field_name');
+            binding.loader_methods = list('loader_methods');
+            resource_bindings.push(binding);
+        }
+        if (resource_bindings.length === 0)
+            resource_bindings = undefined;
+    }
+    // Parse lifecycle_overrides
+    const loEntryPoints = readNestedList(raw, 'lifecycle_overrides', 'additional_entry_points');
+    const loScope = readNestedScalar(raw, 'lifecycle_overrides', 'scope');
+    const lifecycle_overrides = loEntryPoints.length > 0 || loScope
+        ? {
+            ...(loEntryPoints.length > 0 ? { additional_entry_points: loEntryPoints } : {}),
+            ...(loScope ? { scope: loScope } : {}),
+        }
+        : undefined;
+    return {
+        id,
+        version,
+        trigger_family: legacyTriggerFamily || triggerTokens[0] || 'unknown',
+        resource_types: readList(raw, 'resource_types'),
+        host_base_type: readList(raw, 'host_base_type'),
+        match: {
+            trigger_tokens: triggerTokens,
+            symbol_kind: readNestedList(raw, 'match', 'symbol_kind'),
+            module_scope: readNestedList(raw, 'match', 'module_scope'),
+            resource_types: readNestedList(raw, 'match', 'resource_types'),
+            host_base_type: readNestedList(raw, 'match', 'host_base_type'),
+        },
+        required_hops: closureRequiredHops.length > 0 ? closureRequiredHops : legacyRequiredHops,
+        guarantees: claimGuarantees.length > 0 ? claimGuarantees : legacyGuarantees,
+        non_guarantees: claimNonGuarantees.length > 0 ? claimNonGuarantees : legacyNonGuarantees,
+        next_action: claimNextAction || legacyNextAction,
+        family: readScalar(raw, 'family') || 'verification_rules',
+        resource_bindings,
+        lifecycle_overrides,
+        file_path: filePath,
+    };
+}
+export async function loadRuleRegistry(repoPath, rulesRoot) {
+    const normalizedRepoPath = path.resolve(repoPath);
+    const root = rulesRoot
+        ? path.resolve(rulesRoot)
+        : path.join(normalizedRepoPath, '.gitnexus', 'rules');
+    const compiledVerificationBundle = await loadCompiledRuleBundle(normalizedRepoPath, 'verification_rules', root);
+    if (compiledVerificationBundle && compiledVerificationBundle.rules.length > 0) {
+        return {
+            repoPath: normalizedRepoPath,
+            rulesRoot: root,
+            catalogPath: path.join(root, 'compiled', 'verification_rules.v2.json'),
+            activeRules: compiledVerificationBundle.rules.map((rule) => ({
+                id: rule.id,
+                version: rule.version,
+                trigger_family: rule.trigger_family,
+                resource_types: rule.resource_types,
+                host_base_type: rule.host_base_type,
+                match: rule.match,
+                required_hops: rule.required_hops,
+                guarantees: rule.guarantees,
+                non_guarantees: rule.non_guarantees,
+                next_action: rule.next_action,
+                file_path: rule.file_path,
+                topology: rule.topology,
+                closure: rule.closure,
+                claims: rule.claims,
+            })),
+        };
+    }
+    const catalogPath = path.join(root, 'catalog.json');
+    let catalogRaw;
+    try {
+        catalogRaw = await fs.readFile(catalogPath, 'utf-8');
+    }
+    catch (error) {
+        if (error?.code === 'ENOENT') {
+            throw new RuleRegistryLoadError('rule_catalog_missing', `Runtime claim rule catalog not found: ${catalogPath}`, { repoPath: normalizedRepoPath, rulesRoot: root, catalogPath });
+        }
+        throw error;
+    }
+    let catalog;
+    try {
+        catalog = JSON.parse(catalogRaw);
+    }
+    catch {
+        throw new RuleRegistryLoadError('rule_catalog_invalid', `Runtime claim rule catalog is invalid JSON: ${catalogPath}`, { repoPath: normalizedRepoPath, rulesRoot: root, catalogPath });
+    }
+    const catalogRules = Array.isArray(catalog.rules) ? catalog.rules : [];
+    const activeRules = [];
+    for (const entry of catalogRules) {
+        if (entry.enabled === false)
+            continue;
+        const relativeRulePath = String(entry.file || path.join('approved', `${entry.id}.yaml`));
+        const rulePath = path.join(root, relativeRulePath);
+        let raw;
+        try {
+            raw = await fs.readFile(rulePath, 'utf-8');
+        }
+        catch (error) {
+            if (error?.code === 'ENOENT') {
+                throw new RuleRegistryLoadError('rule_file_missing', `Runtime claim rule file not found: ${rulePath}`, { repoPath: normalizedRepoPath, rulesRoot: root, catalogPath, rulePath, ruleId: entry.id });
+            }
+            throw error;
+        }
+        const parsed = parseRuleYaml(raw, rulePath);
+        if (parsed.id !== entry.id) {
+            throw new Error(`Rule id mismatch between catalog and yaml: ${entry.id} vs ${parsed.id}`);
+        }
+        activeRules.push({
+            ...parsed,
+            version: entry.version || parsed.version,
+            family: entry.family || parsed.family || 'verification_rules',
+        });
+    }
+    return {
+        repoPath: normalizedRepoPath,
+        rulesRoot: root,
+        catalogPath,
+        activeRules,
+    };
+}
+export async function loadAnalyzeRules(repoPath, rulesRoot) {
+    const normalizedRepoPath = path.resolve(repoPath);
+    const root = rulesRoot
+        ? path.resolve(rulesRoot)
+        : path.join(normalizedRepoPath, '.gitnexus', 'rules');
+    const analyzeBundle = await loadCompiledRuleBundle(normalizedRepoPath, 'analyze_rules', root);
+    if (analyzeBundle && analyzeBundle.rules.length > 0) {
+        return analyzeBundle.rules.map((rule) => ({
+            ...rule,
+            family: 'analyze_rules',
+        }));
+    }
+    const registry = await loadRuleRegistry(repoPath, rulesRoot);
+    return registry.activeRules.filter((r) => r.family === 'analyze_rules');
+}

package/dist/mcp/local/runtime-claim-rule-registry.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/mcp/local/runtime-claim-rule-registry.test.js

@@ -0,0 +1,215 @@
+import assert from 'node:assert/strict';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { test } from 'vitest';
+import { RuleRegistryLoadError, loadRuleRegistry } from './runtime-claim-rule-registry.js';
+test('loads active runtime claim rules from project catalog', async () => {
+    const repoPath = path.resolve('.');
+    const registry = await loadRuleRegistry(repoPath);
+    assert.equal(registry.activeRules[0].id, 'unity.gungraph.reload.output-getvalue.v1');
+    assert.equal(registry.activeRules[0].version, '1.0.0');
+});
+test('throws rule_catalog_missing when target repo has no catalog (no ancestor fallback)', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const workspaceRoot = path.join(tempRoot, 'workspace');
+    const nestedCwd = path.join(workspaceRoot, 'packages', 'app');
+    const rulesRoot = path.join(workspaceRoot, '.gitnexus', 'rules');
+    const catalogPath = path.join(rulesRoot, 'catalog.json');
+    await fs.mkdir(path.join(rulesRoot, 'approved'), { recursive: true });
+    await fs.mkdir(nestedCwd, { recursive: true });
+    await fs.writeFile(catalogPath, JSON.stringify({
+        rules: [
+            {
+                id: 'demo.reload.rule.v1',
+                version: '1.2.3',
+                file: 'approved/demo.reload.rule.v1.yaml',
+            },
+        ],
+    }), 'utf-8');
+    await fs.writeFile(path.join(rulesRoot, 'approved', 'demo.reload.rule.v1.yaml'), ['id: demo.reload.rule.v1', 'version: 1.2.3', 'trigger_family: reload'].join('\n'), 'utf-8');
+    const originalCwd = process.cwd();
+    process.chdir(nestedCwd);
+    try {
+        await assert.rejects(() => loadRuleRegistry(path.join(tempRoot, 'does-not-exist')), (error) => {
+            assert.ok(error instanceof RuleRegistryLoadError);
+            assert.equal(error.code, 'rule_catalog_missing');
+            assert.match(String(error.message || ''), /catalog not found/i);
+            return true;
+        });
+    }
+    finally {
+        process.chdir(originalCwd);
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});
+test('throws rule_catalog_missing when rulesRoot exists but catalog.json is missing', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const repoPath = path.join(tempRoot, 'repo');
+    const rulesRoot = path.join(repoPath, '.gitnexus', 'rules');
+    await fs.mkdir(path.join(rulesRoot, 'approved'), { recursive: true });
+    try {
+        await assert.rejects(() => loadRuleRegistry(repoPath), (error) => {
+            assert.ok(error instanceof RuleRegistryLoadError);
+            assert.equal(error.code, 'rule_catalog_missing');
+            return true;
+        });
+    }
+    finally {
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});
+test('throws rule_file_missing when catalog entry points to missing yaml file', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const repoPath = path.join(tempRoot, 'repo');
+    const rulesRoot = path.join(repoPath, '.gitnexus', 'rules');
+    await fs.mkdir(path.join(rulesRoot, 'approved'), { recursive: true });
+    await fs.writeFile(path.join(rulesRoot, 'catalog.json'), JSON.stringify({
+        rules: [
+            {
+                id: 'demo.reload.rule.v1',
+                version: '1.0.0',
+                file: 'approved/demo.reload.rule.v1.yaml',
+            },
+        ],
+    }), 'utf-8');
+    try {
+        await assert.rejects(() => loadRuleRegistry(repoPath), (error) => {
+            assert.ok(error instanceof RuleRegistryLoadError);
+            assert.equal(error.code, 'rule_file_missing');
+            assert.match(String(error.message || ''), /rule file not found/i);
+            return true;
+        });
+    }
+    finally {
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});
+test('parses scalar/list values with spaces, quotes, and escapes without truncation', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const repoPath = path.join(tempRoot, 'repo');
+    const rulesRoot = path.join(repoPath, '.gitnexus', 'rules');
+    await fs.mkdir(path.join(rulesRoot, 'approved'), { recursive: true });
+    await fs.writeFile(path.join(rulesRoot, 'catalog.json'), JSON.stringify({
+        rules: [
+            {
+                id: 'demo.scalar-parser.v1',
+                version: '1.0.0',
+                file: 'approved/demo.scalar-parser.v1.yaml',
+            },
+        ],
+    }), 'utf-8');
+    await fs.writeFile(path.join(rulesRoot, 'approved', 'demo.scalar-parser.v1.yaml'), [
+        'id: demo.scalar-parser.v1',
+        'version: 1.0.0',
+        'trigger_family: reload',
+        'resource_types:',
+        '  - "asset ref"',
+        "  - 'prefab ref'",
+        'host_base_type:',
+        "  - 'ReloadBase'",
+        'required_hops:',
+        '  - resource',
+        'guarantees:',
+        "  - 'guarantee with spaces'",
+        'non_guarantees:',
+        '  - "double-quote \\"inside\\""',
+        "  - 'single-quote ''inside'''",
+        'next_action: node gitnexus/dist/cli/index.js query --runtime-chain-verify on-demand "Reload NEON.Game.Graph.Nodes.Reloads"',
+    ].join('\n'), 'utf-8');
+    try {
+        const registry = await loadRuleRegistry(repoPath);
+        const rule = registry.activeRules[0];
+        assert.equal(rule.id, 'demo.scalar-parser.v1');
+        assert.deepEqual(rule.resource_types, ['asset ref', 'prefab ref']);
+        assert.deepEqual(rule.guarantees, ['guarantee with spaces']);
+        assert.deepEqual(rule.non_guarantees, ['double-quote "inside"', "single-quote 'inside'"]);
+        assert.equal(rule.next_action, 'node gitnexus/dist/cli/index.js query --runtime-chain-verify on-demand "Reload NEON.Game.Graph.Nodes.Reloads"');
+    }
+    finally {
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});
+test('rejects rule yaml when topology/closure/claims are missing', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const repoPath = path.join(tempRoot, 'repo');
+    const rulesRoot = path.join(repoPath, '.gitnexus', 'rules');
+    await fs.mkdir(path.join(rulesRoot, 'approved'), { recursive: true });
+    await fs.writeFile(path.join(rulesRoot, 'catalog.json'), JSON.stringify({
+        rules: [
+            {
+                id: 'demo.reload.rule.v2',
+                version: '2.0.0',
+                file: 'approved/demo.reload.rule.v2.yaml',
+            },
+        ],
+    }), 'utf-8');
+    await fs.writeFile(path.join(rulesRoot, 'approved', 'demo.reload.rule.v2.yaml'), [
+        'id: demo.reload.rule.v2',
+        'version: 2.0.0',
+        'trigger_family: reload',
+        'resource_types:',
+        '  - asset',
+        'host_base_type:',
+        '  - ReloadBase',
+        'required_hops:',
+        '  - resource',
+        'guarantees:',
+        '  - reload_chain_closed',
+        'non_guarantees:',
+        '  - no_runtime_execution_guarantee',
+    ].join('\n'), 'utf-8');
+    try {
+        await assert.rejects(() => loadRuleRegistry(repoPath), /topology|closure|claims/i);
+    }
+    finally {
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});
+test('loads v2 verification bundle from explicit compiled path without catalog fallback', async () => {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'gitnexus-runtime-claim-rules-'));
+    const repoPath = path.join(tempRoot, 'repo');
+    const compiledRoot = path.join(repoPath, '.gitnexus', 'rules', 'compiled');
+    await fs.mkdir(compiledRoot, { recursive: true });
+    await fs.writeFile(path.join(compiledRoot, 'verification_rules.v2.json'), JSON.stringify({
+        bundle_version: '2.0.0',
+        family: 'verification_rules',
+        generated_at: new Date().toISOString(),
+        rules: [
+            {
+                id: 'demo.bundle.rule.v2',
+                version: '2.0.0',
+                trigger_family: 'reload',
+                resource_types: ['asset'],
+                host_base_type: ['ReloadBase'],
+                required_hops: ['resource', 'code_runtime'],
+                guarantees: ['reload_chain_closed'],
+                non_guarantees: ['no_runtime_execution'],
+                next_action: 'gitnexus query "reload"',
+                file_path: '.gitnexus/rules/compiled/verification_rules.v2.json',
+                match: { trigger_tokens: ['reload'] },
+                topology: [
+                    { hop: 'resource', from: { entity: 'resource' }, to: { entity: 'script' }, edge: { kind: 'binds_script' } },
+                ],
+                closure: {
+                    required_hops: ['resource', 'code_runtime'],
+                    failure_map: { missing_evidence: 'rule_matched_but_evidence_missing' },
+                },
+                claims: {
+                    guarantees: ['reload_chain_closed'],
+                    non_guarantees: ['no_runtime_execution'],
+                    next_action: 'gitnexus query "reload"',
+                },
+            },
+        ],
+    }, null, 2), 'utf-8');
+    try {
+        const registry = await loadRuleRegistry(repoPath);
+        assert.equal(registry.activeRules[0].id, 'demo.bundle.rule.v2');
+        assert.equal(registry.activeRules[0].version, '2.0.0');
+        assert.deepEqual(registry.activeRules[0].required_hops, ['resource', 'code_runtime']);
+    }
+    finally {
+        await fs.rm(tempRoot, { recursive: true, force: true });
+    }
+});

package/dist/mcp/local/runtime-claim.d.ts

@@ -0,0 +1,38 @@
+import type { RuntimeChainEvidenceLevel } from './runtime-chain-evidence.js';
+import type { RuntimeChainGap, RuntimeChainHop, RuntimeChainStatus } from './runtime-chain-verify.js';
+import type { RuntimeClaimRule } from './runtime-claim-rule-registry.js';
+export type RuntimeClaimReason = 'rule_not_matched' | 'rule_matched_but_evidence_missing' | 'rule_matched_but_verification_failed' | 'gate_disabled';
+export interface RuntimeClaim {
+    rule_id: string;
+    rule_version: string;
+    scope: {
+        resource_types: string[];
+        host_base_type: string[];
+        trigger_family: string;
+    };
+    status: Exclude<RuntimeChainStatus, 'pending'>;
+    evidence_level: RuntimeChainEvidenceLevel;
+    guarantees: string[];
+    non_guarantees: string[];
+    hops: RuntimeChainHop[];
+    gaps: RuntimeChainGap[];
+    reason?: RuntimeClaimReason;
+    next_action?: string;
+}
+export declare function buildRuntimeClaimFromRule(input: {
+    rule: RuntimeClaimRule;
+    status: Exclude<RuntimeChainStatus, 'pending'>;
+    evidence_level: RuntimeChainEvidenceLevel;
+    hops: RuntimeChainHop[];
+    gaps: RuntimeChainGap[];
+    reason?: RuntimeClaimReason;
+    next_action?: string;
+}): RuntimeClaim;
+export declare function buildReloadRuntimeClaim(input: {
+    status: Exclude<RuntimeChainStatus, 'pending'>;
+    evidence_level: RuntimeChainEvidenceLevel;
+    hops: RuntimeChainHop[];
+    gaps: RuntimeChainGap[];
+    reason?: RuntimeClaimReason;
+    next_action?: string;
+}): RuntimeClaim;

package/dist/mcp/local/runtime-claim.js

@@ -0,0 +1,54 @@
+function resolveNonGuarantees(rule) {
+    if (rule && Array.isArray(rule.non_guarantees) && rule.non_guarantees.length > 0) {
+        return [...rule.non_guarantees];
+    }
+    return [
+        'no_runtime_execution',
+        'no_dynamic_data_flow_proof',
+        'no_state_transition_proof',
+    ];
+}
+export function buildRuntimeClaimFromRule(input) {
+    const guarantees = input.status === 'verified_full'
+        ? [...(input.rule.guarantees || [])]
+        : [];
+    return {
+        rule_id: input.rule.id,
+        rule_version: input.rule.version,
+        scope: {
+            resource_types: [...(input.rule.resource_types || [])],
+            host_base_type: [...(input.rule.host_base_type || [])],
+            trigger_family: input.rule.trigger_family || 'unknown',
+        },
+        status: input.status,
+        evidence_level: input.evidence_level,
+        guarantees,
+        non_guarantees: resolveNonGuarantees(input.rule),
+        hops: input.hops,
+        gaps: input.gaps,
+        ...(input.reason ? { reason: input.reason } : {}),
+        ...(input.next_action ? { next_action: input.next_action } : {}),
+    };
+}
+export function buildReloadRuntimeClaim(input) {
+    return buildRuntimeClaimFromRule({
+        rule: {
+            id: 'unity.gungraph.reload.output-getvalue.v1',
+            version: '1.0.0',
+            trigger_family: 'reload',
+            resource_types: ['asset', 'prefab', 'meta'],
+            host_base_type: ['ReloadBase'],
+            required_hops: ['resource', 'guid_map', 'code_loader', 'code_runtime'],
+            guarantees: ['resource_to_runtime_chain_closed'],
+            non_guarantees: ['no_runtime_execution', 'no_dynamic_data_flow_proof', 'no_state_transition_proof'],
+            next_action: input.next_action,
+            file_path: '.gitnexus/rules/approved/unity.gungraph.reload.output-getvalue.v1.yaml',
+        },
+        status: input.status,
+        evidence_level: input.evidence_level,
+        hops: input.hops,
+        gaps: input.gaps,
+        reason: input.reason,
+        next_action: input.next_action,
+    });
+}

package/dist/mcp/local/runtime-claim.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/mcp/local/runtime-claim.test.js

@@ -0,0 +1,27 @@
+import assert from 'node:assert/strict';
+import { test } from 'vitest';
+import { buildRuntimeClaimFromRule } from './runtime-claim.js';
+test('runtime_claim contract includes rule-driven metadata and guarantees', () => {
+    const claim = buildRuntimeClaimFromRule({
+        rule: {
+            id: 'demo.reload.v1',
+            version: '1.2.3',
+            trigger_family: 'reload',
+            resource_types: ['asset'],
+            host_base_type: ['ReloadBase'],
+            required_hops: ['resource'],
+            guarantees: ['demo_chain_closed'],
+            non_guarantees: ['demo_non_guarantee'],
+            next_action: 'node demo',
+            file_path: '.gitnexus/rules/approved/demo.reload.v1.yaml',
+        },
+        status: 'verified_full',
+        evidence_level: 'verified_chain',
+        hops: [{ hop_type: 'resource', anchor: 'Assets/A.prefab:1', confidence: 'high', note: 'resource anchor' }],
+        gaps: [],
+    });
+    assert.equal(claim.rule_id, 'demo.reload.v1');
+    assert.equal(claim.rule_version, '1.2.3');
+    assert.deepEqual(claim.guarantees, ['demo_chain_closed']);
+    assert.deepEqual(claim.non_guarantees, ['demo_non_guarantee']);
+});

package/dist/mcp/local/unity-enrichment.d.ts

@@ -10,6 +10,7 @@ export interface UnityHydrationMeta {
     isComplete: boolean;
     completenessReason: string[];
     needsParityRetry: boolean;
+    reason?: string;
     retryHint?: string;
 }
 export interface UnityContextPayload extends Pick<ResolveOutput, 'resourceBindings' | 'serializedFields' | 'unityDiagnostics'> {

package/dist/mcp/local/unity-enrichment.js

@@ -5,7 +5,7 @@ export async function loadUnityContext(_repoId, symbolId, execute) {
     MATCH (symbol {id: '${escapedSymbolId}'})-[r:CodeRelation]->(target)
     WHERE r.type IN ['UNITY_COMPONENT_INSTANCE', 'UNITY_SERIALIZED_TYPE_IN', 'UNITY_RESOURCE_SUMMARY']
     RETURN target.filePath AS resourcePath,
-      CASE WHEN r.type = 'UNITY_RESOURCE_SUMMARY' THEN '' ELSE target.description END AS payload,
+      CASE WHEN r.type = 'UNITY_RESOURCE_SUMMARY' THEN '' ELSE COALESCE(target.description, r.reason, '') END AS payload,
       r.type AS relationType,
       r.reason AS relationReason
     ORDER BY target.filePath, target.id