agent-cli-runtime 0.1.0-alpha.1 → 0.1.0-alpha.3

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## 0.1.0-alpha.3 — corrective pre-alpha release
+
+- P7-5 alpha.3 corrective release:
+  - records that `0.1.0-alpha.2` was published but its immutable npm tarball kept stale pre-publish package docs;
+  - recommends `0.1.0-alpha.3` as the corrective pre-alpha release for package consumers;
+  - adds a packaged-docs verification gate that packs and unpacks the local tarball before publish;
+  - extends published verification so registry tarball docs are downloaded, unpacked, and checked instead of trusting later repository docs;
+  - keeps npm registry metadata and GitHub Releases authoritative for available versions and dist-tags;
+  - keeps `.release-evidence/`, run ids, artifact ids, digests, tarball shasums, integrity values, local temporary paths, raw logs, raw CLI output, prompts, and token-looking values out of packaged docs.
+
+## 0.1.0-alpha.2 — published pre-alpha release
+
+- P7-4 alpha.2 real publish and post-publish evidence:
+  - publishes `0.1.0-alpha.2` to npm with the `alpha` dist-tag;
+  - creates GitHub pre-release `v0.1.0-alpha.2`;
+  - verifies registry version, dist-tags, installed-package CLI smoke, and GitHub Release metadata;
+  - the published `0.1.0-alpha.2` npm tarball contains stale pre-publish package docs, so package consumers should use `0.1.0-alpha.3`;
+  - records post-publish evidence outside the npm package under `.release-evidence/`;
+  - keeps current-run ids, artifact ids, digests, tarball shasums, pack shasums, local temporary paths, raw logs, raw CLI output, prompts, and token-looking values out of packaged docs.
+- P7-3 alpha.2 publish dry-run evidence:
+  - records fresh main release-candidate evidence for the exact alpha.2 publish target;
+  - records downloaded artifact verification with `npm run release:verify -- --dir <normalized-downloaded-artifact-dir>`;
+  - records local `npm publish --dry-run --ignore-scripts --tag alpha` evidence while keeping real npm publish and GitHub Release creation human-gated;
+  - keeps current-run ids, artifact ids, digests, tarball shasums, pack shasums, local temporary paths, raw logs, raw CLI output, prompts, and token-looking values out of packaged docs.
+- P7-1 alpha.2 package metadata preparation:
+  - bumps package metadata to `0.1.0-alpha.2` while keeping the real npm registry state at the already published `0.1.0-alpha.1`;
+  - documents the human-controlled alpha.2 path: fresh release-candidate workflow, downloaded artifact verification with `npm run release:verify`, local `npm publish --dry-run --ignore-scripts --tag alpha`, then a separate explicit publish decision;
+  - keeps current-run ids, artifact ids, digests, tarball shasums, pack shasums, local temporary paths, raw logs, raw CLI output, prompts, and token-looking values out of packaged docs.
+- P6 release-candidate gate consolidation:
+  - preserves the offline real compatibility evidence verifier as a release gate through `compat:real:evidence:verify`;
+  - keeps downloaded release-candidate artifacts at the five-artifact set: tarball, pack metadata, package file list, gate evidence, and release verification;
+  - records `daemon:verify`, `runtime:safety`, and `compat:real:evidence:verify` in gate evidence without launching authenticated real Codex/Claude/OpenCode runs;
+  - keeps `.release-evidence/` and `.reference/` outside the npm package boundary.
+
 ## 0.1.0-alpha.0 — pre-alpha developer preview (release-candidate hardening)
 
 - P3-10 pre-documentation alpha release-candidate evidence and human-gated publish packet:

package/README.md

@@ -23,13 +23,17 @@ Modern local coding agents already know how to plan, edit files, run tools, ask
 This repository is in **pre-alpha / developer preview**.
 
 Release boundary:
-- This is a P3-7 API / CLI schema freeze track, not a stable-contract or npm publication record.
-- P3-11 keeps current-head release-candidate evidence outside the npm package under `.release-evidence/`; packaged docs only describe the stable workflow and human-gated alpha publish boundary.
+- `agent-cli-runtime@0.1.0-alpha.1` is published on npm and has GitHub pre-release `v0.1.0-alpha.1`.
+- `agent-cli-runtime@0.1.0-alpha.2` is published on npm and has GitHub pre-release `v0.1.0-alpha.2`, but its immutable npm tarball contains stale pre-publish package docs.
+- `agent-cli-runtime@0.1.0-alpha.3` is the corrective pre-alpha release for package consumers.
+- `agent-cli-runtime@0.1.0-alpha.0` is deprecated because its immutable package docs shipped stale pre-publish state.
+- npm registry metadata and GitHub Releases are the source of truth for available versions and dist-tags.
+- Release-candidate and post-alpha evidence keeps current-head release and downloaded artifact details outside the npm package under `.release-evidence/` or GitHub Release assets.
 - `createAgentRuntime` is the only runtime value export.
 - No background daemon, no API server, no WAL, no database, and no remote runtime mode are included in this pre-alpha track.
 - The package is intended as a local-first execution kernel for embedding in a daemon or product shell, not as a hosted control plane.
 
-The API and CLI schema contract is [docs/api-schema-contract.md](./docs/api-schema-contract.md), the daemon-ready embedding contract is [docs/daemon-ready-contract.md](./docs/daemon-ready-contract.md), the SSOT is [docs/ssot.md](./docs/ssot.md), the release-candidate evidence entrypoint is [docs/release-report.md](./docs/release-report.md), and the future alpha publish runbook is [docs/release-publish-runbook.md](./docs/release-publish-runbook.md). The current implementation is a contract-hardening library-first Node.js/TypeScript implementation with memory-only default run and goal scheduling, optional durable local replay storage with crash/recovery health reporting, fault-injected consistency coverage, package-root API contract tests, tarball TypeScript consumer smoke, installed-package daemon embedding verification, compatibility profiles for the built-in CLIs, hardened planner/task-graph validation, versioned event/diagnostics/conformance/real-smoke/store/release-artifact contracts, redacted diagnostics, parser fixtures, local/remote release artifact verification, remote CI/artifact audit checks, alpha publish readiness docs, and thin local smoke/query CLI commands.
+The API and CLI schema contract is [docs/api-schema-contract.md](./docs/api-schema-contract.md), the daemon-ready embedding contract is [docs/daemon-ready-contract.md](./docs/daemon-ready-contract.md), the SSOT is [docs/ssot.md](./docs/ssot.md), the post-alpha evidence entrypoint is [docs/release-report.md](./docs/release-report.md), and the publish/runbook boundary is [docs/release-publish-runbook.md](./docs/release-publish-runbook.md). The current implementation is a contract-hardening library-first Node.js/TypeScript implementation with memory-only default run and goal scheduling, optional durable local replay storage with crash/recovery health reporting, fault-injected consistency coverage, package-root API contract tests, tarball TypeScript consumer smoke, installed-package daemon embedding verification, compatibility profiles for the built-in CLIs, hardened planner/task-graph validation, versioned event/diagnostics/conformance/real-smoke/store/release-artifact contracts, redacted diagnostics, parser fixtures, local/remote release artifact verification, post-alpha registry/GitHub Release evidence normalization, published npm install smoke, remote CI/artifact audit checks, alpha publish readiness docs, and thin local smoke/query CLI commands.
 
 ## Why
 
@@ -280,14 +284,18 @@ void goalRequest;
 void runtime.shutdown();
 ```
 
-The daemon embedding gate installs the packed tarball into a temporary consumer, then executes fake-CLI detect/conformance, run, goal, replay, diagnostics, store inspection, shutdown, and reopen checks. The runtime safety gate uses the same installed-package boundary for repeated run/goal execution, slow event consumption, cancel/timeout churn, repeated shutdown, lease close, and reopen checks:
+The daemon embedding gate installs the packed tarball into a temporary consumer, then executes fake-CLI detect/conformance, run, goal, replay, diagnostics, store inspection, shutdown, and reopen checks. The runtime safety gate uses the same installed-package boundary for repeated run/goal execution, slow event consumption, cancel/timeout churn, repeated shutdown, lease close, and reopen checks. The published daemon consumer gate installs `agent-cli-runtime@0.1.0-alpha.1` from the npm registry into a temporary daemon-style consumer and exercises the published package lifecycle with fake Codex/Claude/OpenCode binaries. The published adapter gate installs the published package from the npm registry and verifies built-in Codex, Claude, and OpenCode adapter detection, argv shape, stdin prompt transport, parser behavior, redaction, and failure isolation with fake CLIs. The published verification gate aggregates those post-publish checks plus registry metadata into a redacted artifact:
 
 ```bash
 npm run daemon:verify
 npm run runtime:safety
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
 ```
 
-The broader release gate installs the packed tarball into a temporary TypeScript project, runs `tsc --noEmit`, and then executes fake-CLI library run/goal/replay/diagnostics smoke. See `npm run daemon:verify`, `npm run runtime:safety`, `npm run dogfood`, and [docs/release-checklist.md](./docs/release-checklist.md).
+The broader release gate installs the packed tarball into a temporary TypeScript project, runs `tsc --noEmit`, and then executes fake-CLI library run/goal/replay/diagnostics smoke. See `npm run daemon:verify`, `npm run runtime:safety`, `npm run published:daemon:verify`, `npm run published:adapters:verify`, `npm run published:verify`, `npm run dogfood`, and [docs/release-checklist.md](./docs/release-checklist.md).
 
 Required local agent CLIs are optional by scenario:
 
@@ -334,6 +342,11 @@ Use one of the quick verification command sets before release:
 npm run ci
 npm run daemon:verify
 npm run runtime:safety
+npm run compat:real:evidence:verify
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
 npm run dogfood
 npm run prepublish:check
 node ./dist/cli/main.js conformance --mode fixtures --json
@@ -344,9 +357,32 @@ node ./dist/cli/main.js smoke --mode real --agent codex --json
 
 `conformance --mode real` and `smoke --mode real` without `--allow-real-run` perform real local detection/profile certification only. They do not launch an authenticated agent run. A real run requires `--allow-real-run`; without `--cwd`, the runtime uses an isolated temporary cwd and requests read-only behavior. Treat `--allow-real-run` as an explicit local-account/network boundary.
 
-CI uses a Node.js 20/22/24 matrix for typecheck, lint, tests, build, production dependency audit, package boundary checks, and `npm pack --dry-run`. A separate single-Node release-gates job runs `npm run daemon:verify`, `npm run runtime:safety`, and `npm run dogfood` so the full matrix does not launch redundant installed-package gates. The dogfood, CI, and prepublish paths share the same safety boundary: fixtures, fake CLIs, and real local detection/profile certification are allowed by default; authenticated real agent runs are not launched unless `--allow-real-run` is explicit.
+`npm run compat:real:evidence` creates a repo-only redacted compatibility summary under `.release-evidence/` and is an explicit evidence refresh action, not a default release gate. By default it runs only safe real preflight. Authenticated smoke evidence requires explicit pairs such as `--allow-real-run --agent codex --expect-text "agent-runtime codex smoke ok"`; skipped states like `real_run_skipped`, `auth_missing`, and `needs_verification` remain evidence states and are not converted into success. `npm run compat:real:evidence:verify` is the offline P6-3 drift gate for that file. It does not launch real CLI runs; it rejects unsafe content, missing dirty-state evidence, skipped/auth-missing states claimed as success, incomplete authenticated success evidence, missing `needsVerification` audit items, and invalid package-boundary claims. `prepublish:check` and `release:candidate` run this verifier against existing repo-only evidence without refreshing real CLI evidence.
 
-For local release-candidate confidence, run `npm run prepublish:check`. It combines typecheck, lint, tests, build, daemon embedding verification, runtime safety verification, dogfood, production audit, package boundary checks, and a pack dry-run. The GitHub Actions `Release Candidate` workflow is manually triggered with `workflow_dispatch`, runs `npm ci`, `npm run ci`, `npm run dogfood`, and `npm run release:candidate -- --out-dir release-candidate`; the generated artifact set includes `agent-cli-runtime-tarball`, `agent-cli-runtime-pack-metadata`, `agent-cli-runtime-package-files`, `agent-cli-runtime-gate-evidence`, and `agent-cli-runtime-release-verification`. Version `0.1.0-alpha.0` was published to npm and has a GitHub pre-release at `v0.1.0-alpha.0`; that immutable tarball contains stale pre-publish status text, so `0.1.0-alpha.1` is the corrective alpha candidate. Because release docs are included in the npm package, volatile current-run evidence must stay outside packaged docs under `.release-evidence/` or GitHub Release assets. A real alpha publish requires a fresh release-candidate workflow for the exact commit being published, downloaded artifacts passing `npm run release:verify -- --dir <normalized-artifact-dir>`, and explicit maintainer authorization for `npm publish --tag alpha`.
+CI uses a Node.js 20/22/24 matrix for typecheck, lint, tests, build, production dependency audit, package boundary checks, and `npm pack --dry-run`. A separate single-Node release-gates job runs `npm run daemon:verify`, `npm run runtime:safety`, and `npm run dogfood` so the full matrix does not launch redundant installed-package gates. CI intentionally does not run the repo-only compatibility evidence verifier; `prepublish:check` and `release:candidate` are the release/evidence paths that have access to `.release-evidence/`. The dogfood, CI, and prepublish paths share the same safety boundary: fixtures, fake CLIs, and real local detection/profile certification are allowed by default; authenticated real agent runs are not launched unless `--allow-real-run` is explicit.
+
+For local release-candidate confidence, run `npm run prepublish:check`. It combines typecheck, lint, tests, build, daemon embedding verification, runtime safety verification, offline real compatibility evidence verification, dogfood, production audit, package boundary checks, and a pack dry-run. The GitHub Actions `Release Candidate` workflow is manually triggered with `workflow_dispatch`, runs `npm ci`, `npm run ci`, `npm run dogfood`, and `npm run release:candidate -- --out-dir release-candidate`; the generated artifact set includes `agent-cli-runtime-tarball`, `agent-cli-runtime-pack-metadata`, `agent-cli-runtime-package-files`, `agent-cli-runtime-gate-evidence`, and `agent-cli-runtime-release-verification`.
+
+Version `0.1.0-alpha.1` is published to npm and has GitHub pre-release `v0.1.0-alpha.1`. Version `0.1.0-alpha.2` is published to npm with the `alpha` dist-tag and has GitHub pre-release `v0.1.0-alpha.2`, but its immutable tarball contains stale pre-publish package docs. Version `0.1.0-alpha.3` is the corrective pre-alpha release for package consumers. Version `0.1.0-alpha.0` is deprecated because its immutable tarball contains stale pre-publish status text. npm registry metadata and GitHub Releases are the source of truth for available versions and dist-tags. Because release docs are included in the npm package, volatile current-run evidence must stay outside packaged docs under `.release-evidence/` or GitHub Release assets.
+
+Post-alpha verification:
+
+```bash
+npm run release:post-alpha:verify
+npm run smoke:published
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
+```
+
+`release:post-alpha:verify` compares the npm registry tarball with the `v0.1.0-alpha.1` GitHub Release tarball. Raw gzip SHA1/SHA256 values may differ because the registry tarball and Release asset are separate packaging artifacts; the package content boundary is npm registry `shasum`/`integrity`, matching unpacked package file list and content, and `npm run release:verify -- --dir <downloaded-github-release-assets-dir>`.
+
+`published:daemon:verify` installs the already published npm package from the registry, not the local checkout or local `dist/`, and emits `schemaVersion: "agent-runtime.publishedDaemonConsumer.v1"` with `packageSource: "npm-registry"`. It uses fake CLIs only and covers detect, run, goal, cancel, timeout, replay, read-only inspection while a writer is active, second-writer refusal, shutdown/reopen, and stale owner recovery without launching authenticated real agent runs.
+
+`published:adapters:verify` also installs from the npm registry and emits `schemaVersion: "agent-runtime.publishedAdapters.v1"` with `packageSource: "npm-registry"`. It uses fake Codex/Claude/OpenCode binaries to verify the published package's built-in adapter invocation shape, stdin prompt transport, parser noise tolerance, redaction, and per-adapter failure isolation. This is fake-CLI adapter contract evidence, not authenticated real CLI compatibility success evidence.
+
+`published:verify` emits `schemaVersion: "agent-cli-runtime.publishedVerification.v1"` and writes `published-verification/published-verification.json` by default. It aggregates `smoke:published`, `published:daemon:verify`, `published:adapters:verify`, `release:post-alpha:verify`, and npm registry metadata without storing raw stdout/stderr or requiring publish credentials. The manual GitHub Actions `Published Package Verification` workflow runs the same post-publish verification on Node.js 22 and uploads `agent-cli-runtime-published-verification`.
 
 To create a local release-candidate artifact set without publishing, run:
 
@@ -355,9 +391,9 @@ npm run release:candidate -- --out-dir release-candidate
 npm run release:verify -- --dir release-candidate
 ```
 
-`release:candidate` writes `npm-pack.json`, `package-files.txt`, `gate-evidence.json`, the tarball, and `release-verification.json` to the output directory. `release:verify` can also validate the same files after downloading GitHub Actions artifacts, including proof that `daemon:verify` and `runtime:safety` were recorded for the candidate.
+`release:candidate` writes `npm-pack.json`, `package-files.txt`, `gate-evidence.json`, the tarball, and `release-verification.json` to the output directory. `release:verify` can also validate the same files after downloading GitHub Actions artifacts, including proof that `daemon:verify`, `runtime:safety`, and the offline real compatibility evidence verifier were recorded for the candidate.
 
-The release evidence summary is [docs/release-report.md](./docs/release-report.md). The alpha publish decision runbook is [docs/release-publish-runbook.md](./docs/release-publish-runbook.md). `npm publish --dry-run --ignore-scripts --tag alpha` is documented there as a local manual dry-run check; it must not publish and is not required as a remote CI gate.
+The release evidence summary is [docs/release-report.md](./docs/release-report.md). The alpha publish decision runbook is [docs/release-publish-runbook.md](./docs/release-publish-runbook.md). `npm publish --dry-run --ignore-scripts --tag alpha` is documented there as a local manual dry-run check; it must not publish and is not required as a remote CI gate. Published package verification is a separate manual post-publish workflow, not a publish workflow.
 
 Runnable examples are in [examples/library-run.js](./examples/library-run.js), [examples/library-goal.js](./examples/library-goal.js), and [examples/cli-dogfood.md](./examples/cli-dogfood.md). The JavaScript examples create local fake CLIs and do not require real provider secrets.
 

package/README.zh-CN.md

@@ -23,13 +23,17 @@ Agent CLI Runtime 是一个 adapter layer。它适合你在不想重新造一个
 本仓库目前处于 **pre-alpha / developer preview**。
 
 发布边界说明：
-- 这是 P3-7 API / CLI schema freeze 阶段，不承诺稳定 API，也不是 npm 发布记录。
-- P3-11 将 current-head release-candidate 证据保存在 npm 包外的 `.release-evidence/`；包内文档只描述稳定流程和人工门禁 alpha publish 边界。
+- `agent-cli-runtime@0.1.0-alpha.1` 已发布到 npm，并创建了 GitHub pre-release `v0.1.0-alpha.1`。
+- `agent-cli-runtime@0.1.0-alpha.2` 已发布到 npm，并创建了 GitHub pre-release `v0.1.0-alpha.2`，但其不可变 npm tarball 内含过期的发布前 package docs。
+- `agent-cli-runtime@0.1.0-alpha.3` 是面向 package consumer 的 corrective pre-alpha release。
+- `agent-cli-runtime@0.1.0-alpha.0` 已 deprecate，原因是不可变 package docs 内含过期的发布前状态。
+- 可用版本和 dist-tags 以 npm registry metadata 与 GitHub Releases 为准。
+- release-candidate 与 post-alpha evidence 将 current-head release 和下载 artifact 细节保存在 npm 包外的 `.release-evidence/` 或 GitHub Release assets 中。
 - `createAgentRuntime` 是当前公开的主要 value 入口，其他 adapter/parser/store 内部实现不对外承诺。
 - 这版不包含后台 daemon、API server、WAL、database 或 remote runtime 模式承诺。
 - 运行时定位是可嵌入 daemon/product shell 的 local-first execution kernel，不替代托管平台服务。
 
-API 与 CLI schema 契约在 [docs/api-schema-contract.md](./docs/api-schema-contract.md)，daemon-ready 嵌入契约在 [docs/daemon-ready-contract.md](./docs/daemon-ready-contract.md)，SSOT 在 [docs/ssot.md](./docs/ssot.md)，release-candidate 证据入口在 [docs/release-report.md](./docs/release-report.md)，未来 alpha 发布 runbook 在 [docs/release-publish-runbook.md](./docs/release-publish-runbook.md)。当前实现是 contract-hardening 的 library-first Node.js/TypeScript 版本，默认 memory-only run / goal 调度，可选 durable local replay storage 及 crash/recovery health reporting，并补充 fault-injected consistency coverage、package-root API contract tests、tarball TypeScript consumer smoke 和 installed-package daemon embedding verification；包含内置 CLI compatibility profiles、强化后的 planner/task-graph validation、版本化 event/diagnostics/conformance/real-smoke/store/release-artifact 契约、parser fixtures、本地/远端 release artifact verification、remote CI/artifact audit checks、alpha publish readiness docs，以及本地 smoke/query 薄 CLI。
+API 与 CLI schema 契约在 [docs/api-schema-contract.md](./docs/api-schema-contract.md)，daemon-ready 嵌入契约在 [docs/daemon-ready-contract.md](./docs/daemon-ready-contract.md)，SSOT 在 [docs/ssot.md](./docs/ssot.md)，post-alpha evidence 入口在 [docs/release-report.md](./docs/release-report.md)，publish/runbook 边界在 [docs/release-publish-runbook.md](./docs/release-publish-runbook.md)。当前实现是 contract-hardening 的 library-first Node.js/TypeScript 版本，默认 memory-only run / goal 调度，可选 durable local replay storage 及 crash/recovery health reporting，并补充 fault-injected consistency coverage、package-root API contract tests、tarball TypeScript consumer smoke 和 installed-package daemon embedding verification；包含内置 CLI compatibility profiles、强化后的 planner/task-graph validation、版本化 event/diagnostics/conformance/real-smoke/store/release-artifact 契约、parser fixtures、本地/远端 release artifact verification、post-alpha registry/GitHub Release evidence normalization、published npm install smoke、remote CI/artifact audit checks、alpha publish readiness docs，以及本地 smoke/query 薄 CLI。
 
 ## 为什么需要它
 
@@ -278,14 +282,18 @@ void goalRequest;
 void runtime.shutdown();
 ```
 
-Daemon embedding gate 会把 packed tarball 安装到临时 consumer，再用 fake CLI 跑 detect/conformance、run、goal、replay、diagnostics、store inspection、shutdown 和 reopen。Runtime safety gate 使用同样的 installed-package 边界，覆盖 repeated run/goal、慢 event consumer、cancel/timeout churn、repeated shutdown、lease close 和 reopen：
+Daemon embedding gate 会把 packed tarball 安装到临时 consumer，再用 fake CLI 跑 detect/conformance、run、goal、replay、diagnostics、store inspection、shutdown 和 reopen。Runtime safety gate 使用同样的 installed-package 边界，覆盖 repeated run/goal、慢 event consumer、cancel/timeout churn、repeated shutdown、lease close 和 reopen。Published daemon consumer gate 会从 npm registry 安装 `agent-cli-runtime@0.1.0-alpha.1` 到临时 daemon-style consumer，并用 fake Codex/Claude/OpenCode binaries 验证已发布包的嵌入生命周期。Published adapter gate 会从 npm registry 安装已发布包，并用 fake CLI 验证内置 Codex、Claude、OpenCode adapter detection、argv shape、stdin prompt transport、parser behavior、redaction 和 failure isolation。Published verification gate 会把这些 post-publish checks 和 registry metadata 聚合为 redacted artifact：
 
 ```bash
 npm run daemon:verify
 npm run runtime:safety
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
 ```
 
-更完整的 release gate 会把 packed tarball 安装到临时 TypeScript 项目，执行 `tsc --noEmit`，再用 fake CLI 跑 library run / goal / replay / diagnostics smoke。见 `npm run daemon:verify`、`npm run runtime:safety`、`npm run dogfood` 和 [docs/release-checklist.md](./docs/release-checklist.md)。
+更完整的 release gate 会把 packed tarball 安装到临时 TypeScript 项目，执行 `tsc --noEmit`，再用 fake CLI 跑 library run / goal / replay / diagnostics smoke。见 `npm run daemon:verify`、`npm run runtime:safety`、`npm run published:daemon:verify`、`npm run published:adapters:verify`、`npm run published:verify`、`npm run dogfood` 和 [docs/release-checklist.md](./docs/release-checklist.md)。
 
 本机 agent CLI 按场景安装即可：
 
@@ -332,6 +340,11 @@ export HTTP_PROXY=http://127.0.0.1:7897
 npm run ci
 npm run daemon:verify
 npm run runtime:safety
+npm run compat:real:evidence:verify
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
 npm run dogfood
 npm run prepublish:check
 node ./dist/cli/main.js conformance --mode fixtures --json
@@ -342,9 +355,32 @@ node ./dist/cli/main.js smoke --mode real --agent codex --json
 
 `conformance --mode real` 和 `smoke --mode real` 不带 `--allow-real-run` 时只做真实本地 detection/profile certification，不启动 authenticated real agent run。只有显式传入 `--allow-real-run` 才会执行真实 run；未传 `--cwd` 时 runtime 使用隔离临时目录，并请求 read-only 行为。请把 `--allow-real-run` 当成本机账号/网络 run 的明确安全边界。
 
-CI 使用 Node.js 20/22/24 matrix 跑 typecheck、lint、tests、build、production dependency audit、package boundary check 和 `npm pack --dry-run`。`npm run daemon:verify`、`npm run runtime:safety` 和 `npm run dogfood` 放在单 Node 版本 release-gates job 中执行，避免 matrix 重复跑 installed-package gates。dogfood、CI 和 prepublish 的默认边界一致：允许 fixtures、fake CLIs、真实本地 detection/profile certification；不带 `--allow-real-run` 时不启动 authenticated real agent run。
+`npm run compat:real:evidence` 会在 `.release-evidence/` 下生成 repo-only 的 redacted compatibility summary，它是显式 evidence refresh 动作，不是默认发布门禁。默认只跑 safe real preflight；authenticated smoke evidence 必须显式传入成对参数，例如 `--allow-real-run --agent codex --expect-text "agent-runtime codex smoke ok"`。`real_run_skipped`、`auth_missing`、`needs_verification` 等 skipped/blocked 状态会保留为 evidence state，不会写成 success。`npm run compat:real:evidence:verify` 是 P6-3 的离线 drift gate，只复验 evidence 文件，不启动真实 CLI run；它会拒绝泄露内容、缺失 dirty-state evidence、把 skipped/auth-missing 伪装成 success、authenticated success 证据不完整、缺少 `needsVerification` audit 项，以及 package boundary 声明无效。`prepublish:check` 和 `release:candidate` 会针对既有 repo-only evidence 运行该 verifier，但不会刷新真实 CLI evidence。
 
-本地 release-candidate 置信门禁使用 `npm run prepublish:check`。它会组合 typecheck、lint、tests、build、daemon embedding verification、runtime safety verification、dogfood、production audit、package boundary check 和 pack dry-run。GitHub Actions 的 `Release Candidate` workflow 通过 `workflow_dispatch` 手动触发，执行 `npm ci`、`npm run ci`、`npm run dogfood` 和 `npm run release:candidate -- --out-dir release-candidate`；生成并上传 `agent-cli-runtime-tarball`、`agent-cli-runtime-pack-metadata`、`agent-cli-runtime-package-files`、`agent-cli-runtime-gate-evidence` 和 `agent-cli-runtime-release-verification`。`0.1.0-alpha.0` 已发布到 npm，并有 `v0.1.0-alpha.0` GitHub pre-release；该不可变 tarball 内含过期的发布前状态说明，所以 `0.1.0-alpha.1` 是修复该文档状态的 alpha candidate。由于 release docs 会进入 npm package，current-run 的易漂移证据必须留在包外的 `.release-evidence/` 或 GitHub Release assets 中。真实 alpha publish 需要先为待发布 commit 触发 fresh release-candidate workflow，下载 artifacts 并通过 `npm run release:verify -- --dir <normalized-artifact-dir>`，再由 maintainer 明确授权执行 `npm publish --tag alpha`。
+CI 使用 Node.js 20/22/24 matrix 跑 typecheck、lint、tests、build、production dependency audit、package boundary check 和 `npm pack --dry-run`。`npm run daemon:verify`、`npm run runtime:safety` 和 `npm run dogfood` 放在单 Node 版本 release-gates job 中执行，避免 matrix 重复跑 installed-package gates。CI 刻意不运行 repo-only compatibility evidence verifier；`prepublish:check` 和 `release:candidate` 是能读取 `.release-evidence/` 的 release/evidence 路径。dogfood、CI 和 prepublish 的默认边界一致：允许 fixtures、fake CLIs、真实本地 detection/profile certification；不带 `--allow-real-run` 时不启动 authenticated real agent run。
+
+本地 release-candidate 置信门禁使用 `npm run prepublish:check`。它会组合 typecheck、lint、tests、build、daemon embedding verification、runtime safety verification、offline real compatibility evidence verification、dogfood、production audit、package boundary check 和 pack dry-run。GitHub Actions 的 `Release Candidate` workflow 通过 `workflow_dispatch` 手动触发，执行 `npm ci`、`npm run ci`、`npm run dogfood` 和 `npm run release:candidate -- --out-dir release-candidate`；生成并上传 `agent-cli-runtime-tarball`、`agent-cli-runtime-pack-metadata`、`agent-cli-runtime-package-files`、`agent-cli-runtime-gate-evidence` 和 `agent-cli-runtime-release-verification`。
+
+`0.1.0-alpha.1` 已发布到 npm，并有 GitHub pre-release `v0.1.0-alpha.1`。`0.1.0-alpha.2` 已发布到 npm，使用 `alpha` dist-tag，并创建了 GitHub pre-release `v0.1.0-alpha.2`，但其不可变 tarball 内含过期的发布前 package docs。`0.1.0-alpha.3` 是面向 package consumer 的 corrective pre-alpha release。`0.1.0-alpha.0` 已 deprecate，原因是该不可变 tarball 内含过期的发布前状态说明。可用版本和 dist-tags 以 npm registry metadata 与 GitHub Releases 为准。由于 release docs 会进入 npm package，current-run 的易漂移证据必须留在包外的 `.release-evidence/` 或 GitHub Release assets 中。
+
+post-alpha 验证：
+
+```bash
+npm run release:post-alpha:verify
+npm run smoke:published
+npm run published:daemon:verify
+npm run published:adapters:verify
+npm run published:verify -- --out-dir published-verification
+npm run published:verify:evidence -- --dir published-verification
+```
+
+`release:post-alpha:verify` 会比较 npm registry tarball 与 `v0.1.0-alpha.1` GitHub Release tarball。两者 raw gzip SHA1/SHA256 可以不同，因为 registry tarball 和 Release asset 是不同 packaging artifact；package 内容边界以 npm registry `shasum`/`integrity`、解包后的 package 文件列表和内容一致性，以及 `npm run release:verify -- --dir <downloaded-github-release-assets-dir>` 为准。
+
+`published:daemon:verify` 安装的是已经发布到 npm registry 的包，不依赖本地 checkout 或本地 `dist/`，输出 `schemaVersion: "agent-runtime.publishedDaemonConsumer.v1"` 且 `packageSource: "npm-registry"`。它只使用 fake CLI，覆盖 detect、run、goal、cancel、timeout、replay、writer active 时的 read-only inspection、second-writer refusal、shutdown/reopen 和 stale owner recovery，不启动 authenticated real agent run。
+
+`published:adapters:verify` 同样从 npm registry 安装，输出 `schemaVersion: "agent-runtime.publishedAdapters.v1"` 且 `packageSource: "npm-registry"`。它用 fake Codex/Claude/OpenCode binaries 验证已发布包的内置 adapter invocation shape、stdin prompt transport、parser noise tolerance、redaction 和 per-adapter failure isolation。这是 fake-CLI adapter contract evidence，不是 authenticated real CLI compatibility success evidence。
+
+`published:verify` 输出 `schemaVersion: "agent-cli-runtime.publishedVerification.v1"`，默认写入 `published-verification/published-verification.json`。它聚合 `smoke:published`、`published:daemon:verify`、`published:adapters:verify`、`release:post-alpha:verify` 和 npm registry metadata，不保存 raw stdout/stderr，也不需要发布凭证。GitHub Actions 的手动 `Published Package Verification` workflow 会在 Node.js 22 上执行同一套 post-publish verification，并上传 `agent-cli-runtime-published-verification`。
 
 如需在本地生成可审查的 release-candidate artifact set：
 
@@ -353,9 +389,9 @@ npm run release:candidate -- --out-dir release-candidate
 npm run release:verify -- --dir release-candidate
 ```
 
-`release:candidate` 会在输出目录写入 `npm-pack.json`、`package-files.txt`、`gate-evidence.json`、tarball 和 `release-verification.json`。`release:verify` 也可用于下载 GitHub Actions artifacts 后复核同一组文件，并确认候选包记录了 `daemon:verify` 和 `runtime:safety` 证据。
+`release:candidate` 会在输出目录写入 `npm-pack.json`、`package-files.txt`、`gate-evidence.json`、tarball 和 `release-verification.json`。`release:verify` 也可用于下载 GitHub Actions artifacts 后复核同一组文件，并确认候选包记录了 `daemon:verify`、`runtime:safety` 和 offline real compatibility evidence verifier 证据。
 
-Release evidence summary 见 [docs/release-report.md](./docs/release-report.md)，alpha publish decision runbook 见 [docs/release-publish-runbook.md](./docs/release-publish-runbook.md)。`npm publish --dry-run --ignore-scripts --tag alpha` 只作为本地手动 dry-run check 记录在这些文档中；它不得真的 publish，也不作为远端 CI 必选 gate。
+Release evidence summary 见 [docs/release-report.md](./docs/release-report.md)，alpha publish decision runbook 见 [docs/release-publish-runbook.md](./docs/release-publish-runbook.md)。`npm publish --dry-run --ignore-scripts --tag alpha` 只作为本地手动 dry-run check 记录在这些文档中；它不得真的 publish，也不作为远端 CI 必选 gate。Published package verification 是单独的手动 post-publish workflow，不是 publish workflow。
 
 可运行示例见 [examples/library-run.js](./examples/library-run.js)、[examples/library-goal.js](./examples/library-goal.js) 和 [examples/cli-dogfood.md](./examples/cli-dogfood.md)。两个 JavaScript 示例会创建本地 fake CLI，不需要真实 provider secret。
 

package/dist/core/schema-contract.d.ts

@@ -22,6 +22,16 @@ export declare const CLI_SCHEMA_INVENTORY: readonly [{
     readonly requiredTopLevelFields: readonly ["schemaVersion", "ok", "mode", "agents"];
     readonly classificationFields: readonly ["agents[].runClassification", "agents[].skippedReason", "agents[].failureReason"];
     readonly redactionRules: readonly ["observedTextTail is bounded and redacted", "diagnostics are redacted", "no prompt text", "no token values", "no Bearer values", "no auth environment assignment values", "no private absolute cwd paths"];
+}, {
+    readonly schemaVersion: "agent-runtime.publishedAdapters.v1";
+    readonly requiredTopLevelFields: readonly ["schemaVersion", "ok", "packageName", "version", "packageSource", "checks", "agents", "diagnostics", "noAuthenticatedRealRun"];
+    readonly classificationFields: readonly ["ok", "checks.failureIsolation", "agents[].terminalStatus"];
+    readonly redactionRules: readonly ["no temp paths", "no raw stdout/stderr", "no full prompt", "no prompt text", "no token values", "no Bearer values", "no auth environment assignment values", "no private absolute cwd paths"];
+}, {
+    readonly schemaVersion: "agent-cli-runtime.publishedVerification.v1";
+    readonly requiredTopLevelFields: readonly ["schemaVersion", "ok", "packageName", "version", "gitSha", "checkedAt", "packageSource", "gates", "registry", "diagnostics", "noAuthenticatedRealRun", "noNpmPublish", "noNpmToken"];
+    readonly classificationFields: readonly ["ok", "gates[].ok", "gates[].schemaVersion", "registry.ok", "diagnostics[].code"];
+    readonly redactionRules: readonly ["no raw stdout/stderr", "no temp paths", "no full prompt", "no npm token references", "no prompt text", "no token values", "no Bearer values", "no auth environment assignment values", "no private absolute cwd paths"];
 }, {
     readonly schemaVersion: "agent-runtime.realSmoke.v1";
     readonly requiredTopLevelFields: readonly ["schemaVersion", "type", "ok", "mode", "adapter", "version", "auth", "modelsSource", "runClassification", "expectedTextRequired", "expectedTextMatched", "observedTextDeltaCount", "observedTextTail", "cwdMutationChecked", "cwdMutated", "diagnosticsCount", "diagnostics", "skippedReason", "failureReason"];

package/dist/core/schema-contract.js

@@ -59,6 +59,42 @@ export const CLI_SCHEMA_INVENTORY = [
         classificationFields: ["agents[].runClassification", "agents[].skippedReason", "agents[].failureReason"],
         redactionRules: ["observedTextTail is bounded and redacted", "diagnostics are redacted", ...commonRedactionRules],
     },
+    {
+        schemaVersion: "agent-runtime.publishedAdapters.v1",
+        requiredTopLevelFields: [
+            "schemaVersion",
+            "ok",
+            "packageName",
+            "version",
+            "packageSource",
+            "checks",
+            "agents",
+            "diagnostics",
+            "noAuthenticatedRealRun",
+        ],
+        classificationFields: ["ok", "checks.failureIsolation", "agents[].terminalStatus"],
+        redactionRules: ["no temp paths", "no raw stdout/stderr", "no full prompt", ...commonRedactionRules],
+    },
+    {
+        schemaVersion: "agent-cli-runtime.publishedVerification.v1",
+        requiredTopLevelFields: [
+            "schemaVersion",
+            "ok",
+            "packageName",
+            "version",
+            "gitSha",
+            "checkedAt",
+            "packageSource",
+            "gates",
+            "registry",
+            "diagnostics",
+            "noAuthenticatedRealRun",
+            "noNpmPublish",
+            "noNpmToken",
+        ],
+        classificationFields: ["ok", "gates[].ok", "gates[].schemaVersion", "registry.ok", "diagnostics[].code"],
+        redactionRules: ["no raw stdout/stderr", "no temp paths", "no full prompt", "no npm token references", ...commonRedactionRules],
+    },
     {
         schemaVersion: "agent-runtime.realSmoke.v1",
         requiredTopLevelFields: [

package/dist/core/schema-contract.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema-contract.js","sourceRoot":"","sources":["../../src/core/schema-contract.ts"],"names":[],"mappings":"AASA,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,SAAS;IACT,QAAQ;IACR,SAAS;IACT,UAAU;IACV,aAAa;IACb,mBAAmB;IACnB,kBAAkB;IAClB,aAAa;IACb,cAAc;IACd,oBAAoB;CAC6B,CAAC;AAEpD,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,SAAS;IACT,kBAAkB;IAClB,cAAc;IACd,wBAAwB;IACxB,kBAAkB;IAClB,oBAAoB;IACpB,mBAAmB;IACnB,aAAa;IACb,SAAS;IACT,QAAQ;CACA,CAAC;AAIX,MAAM,oBAAoB,GAAG;IAC3B,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;IAClB,uCAAuC;IACvC,+BAA+B;CACvB,CAAC;AAEX,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC;QACE,aAAa,EAAE,wBAAwB;QACvC,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;QAC1F,oBAAoB,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAC5D,cAAc,EAAE,CAAC,+DAA+D,EAAE,GAAG,oBAAoB,CAAC;KAC3G;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE;YACtB,eAAe;YACf,YAAY;YACZ,SAAS;YACT,UAAU;YACV,QAAQ;YACR,aAAa;YACb,oBAAoB;YACpB,qBAAqB;YACrB,mBAAmB;YACnB,gBAAgB;SACjB;QACD,oBAAoB,EAAE,CAAC,kCAAkC,EAAE,oBAAoB,CAAC;QAChF,cAAc,EAAE,CAAC,2BAA2B,EAAE,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACrG;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC;QACjE,oBAAoB,EAAE,CAAC,4BAA4B,EAAE,wBAAwB,EAAE,wBAAwB,CAAC;QACxG,cAAc,EAAE,CAAC,0CAA0C,EAAE,0BAA0B,EAAE,GAAG,oBAAoB,CAAC;KAClH;IACD;QACE,aAAa,EAAE,4BAA4B;QAC3C,sBAAsB,EAAE;YACtB,eAAe;YACf,MAAM;YACN,IAAI;YACJ,MAAM;YACN,SAAS;YACT,SAAS;YACT,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,sBAAsB;YACtB,qBAAqB;YACrB,wBAAwB;YACxB,kBAAkB;YAClB,oBAAoB;YACpB,YAAY;YACZ,kBAAkB;YAClB,aAAa;YACb,eAAe;YACf,eAAe;SAChB;QACD,oBAAoB,EAAE,CAAC,mBAAmB,EAAE,eAAe,EAAE,eAAe,CAAC;QAC7E,cAAc,EAAE,CAAC,qBAAqB,EAAE,0CAA0C,EAAE,GAAG,oBAAoB,CAAC;KAC7G;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,WAAW;YACX,MAAM;YACN,QAAQ;YACR,kBAAkB;YAClB,kBAAkB;YAClB,cAAc;YACd,eAAe;YACf,mBAAmB;YACnB,UAAU;YACV,oBAAoB;YACpB,aAAa;SACd;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,aAAa,EAAE,oBAAoB,CAAC;QACjE,cAAc,EAAE,CAAC,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACxE;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,CAAC;QACzH,oBAAoB,EAAE,CAAC,IAAI,EAAE,eAAe,EAAE,kBAAkB,EAAE,oBAAoB,CAAC;QACvF,cAAc,EAAE,CAAC,+CAA+C,EAAE,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACzH;IACD;QACE,aAAa,EAAE,2BAA2B;QAC1C,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,OAAO,CAAC;QACxD,oBAAoB,EAAE,CAAC,YAAY,CAAC;QACpC,cAAc,EAAE,CAAC,qCAAqC,EAAE,GAAG,oBAAoB,CAAC;KACjF;IACD;QACE,aAAa,EAAE,0CAA0C;QACzD,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,cAAc;YACd,SAAS;YACT,aAAa;YACb,eAAe;YACf,cAAc;YACd,aAAa;YACb,SAAS;SACV;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,oBAAoB,CAAC;QAClD,cAAc,EAAE,CAAC,0BAA0B,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,yBAAyB,CAAC;KAC/H;IACD;QACE,aAAa,EAAE,0CAA0C;QACzD,sBAAsB,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,OAAO,EAAE,wBAAwB,EAAE,cAAc,EAAE,YAAY,CAAC;QACzH,oBAAoB,EAAE,CAAC,YAAY,EAAE,6BAA6B,EAAE,uBAAuB,CAAC;QAC5F,cAAc,EAAE,CAAC,kCAAkC,EAAE,yBAAyB,EAAE,uBAAuB,CAAC;KACzG;CAC8C,CAAC"}
+{"version":3,"file":"schema-contract.js","sourceRoot":"","sources":["../../src/core/schema-contract.ts"],"names":[],"mappings":"AASA,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,SAAS;IACT,QAAQ;IACR,SAAS;IACT,UAAU;IACV,aAAa;IACb,mBAAmB;IACnB,kBAAkB;IAClB,aAAa;IACb,cAAc;IACd,oBAAoB;CAC6B,CAAC;AAEpD,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,SAAS;IACT,kBAAkB;IAClB,cAAc;IACd,wBAAwB;IACxB,kBAAkB;IAClB,oBAAoB;IACpB,mBAAmB;IACnB,aAAa;IACb,SAAS;IACT,QAAQ;CACA,CAAC;AAIX,MAAM,oBAAoB,GAAG;IAC3B,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;IAClB,uCAAuC;IACvC,+BAA+B;CACvB,CAAC;AAEX,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC;QACE,aAAa,EAAE,wBAAwB;QACvC,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;QAC1F,oBAAoB,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAC5D,cAAc,EAAE,CAAC,+DAA+D,EAAE,GAAG,oBAAoB,CAAC;KAC3G;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE;YACtB,eAAe;YACf,YAAY;YACZ,SAAS;YACT,UAAU;YACV,QAAQ;YACR,aAAa;YACb,oBAAoB;YACpB,qBAAqB;YACrB,mBAAmB;YACnB,gBAAgB;SACjB;QACD,oBAAoB,EAAE,CAAC,kCAAkC,EAAE,oBAAoB,CAAC;QAChF,cAAc,EAAE,CAAC,2BAA2B,EAAE,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACrG;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC;QACjE,oBAAoB,EAAE,CAAC,4BAA4B,EAAE,wBAAwB,EAAE,wBAAwB,CAAC;QACxG,cAAc,EAAE,CAAC,0CAA0C,EAAE,0BAA0B,EAAE,GAAG,oBAAoB,CAAC;KAClH;IACD;QACE,aAAa,EAAE,oCAAoC;QACnD,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,aAAa;YACb,SAAS;YACT,eAAe;YACf,QAAQ;YACR,QAAQ;YACR,aAAa;YACb,wBAAwB;SACzB;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,yBAAyB,EAAE,yBAAyB,CAAC;QAClF,cAAc,EAAE,CAAC,eAAe,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,GAAG,oBAAoB,CAAC;KACrG;IACD;QACE,aAAa,EAAE,4CAA4C;QAC3D,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,aAAa;YACb,SAAS;YACT,QAAQ;YACR,WAAW;YACX,eAAe;YACf,OAAO;YACP,UAAU;YACV,aAAa;YACb,wBAAwB;YACxB,cAAc;YACd,YAAY;SACb;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,YAAY,EAAE,uBAAuB,EAAE,aAAa,EAAE,oBAAoB,CAAC;QACxG,cAAc,EAAE,CAAC,sBAAsB,EAAE,eAAe,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,GAAG,oBAAoB,CAAC;KAChI;IACD;QACE,aAAa,EAAE,4BAA4B;QAC3C,sBAAsB,EAAE;YACtB,eAAe;YACf,MAAM;YACN,IAAI;YACJ,MAAM;YACN,SAAS;YACT,SAAS;YACT,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,sBAAsB;YACtB,qBAAqB;YACrB,wBAAwB;YACxB,kBAAkB;YAClB,oBAAoB;YACpB,YAAY;YACZ,kBAAkB;YAClB,aAAa;YACb,eAAe;YACf,eAAe;SAChB;QACD,oBAAoB,EAAE,CAAC,mBAAmB,EAAE,eAAe,EAAE,eAAe,CAAC;QAC7E,cAAc,EAAE,CAAC,qBAAqB,EAAE,0CAA0C,EAAE,GAAG,oBAAoB,CAAC;KAC7G;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,WAAW;YACX,MAAM;YACN,QAAQ;YACR,kBAAkB;YAClB,kBAAkB;YAClB,cAAc;YACd,eAAe;YACf,mBAAmB;YACnB,UAAU;YACV,oBAAoB;YACpB,aAAa;SACd;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,aAAa,EAAE,oBAAoB,CAAC;QACjE,cAAc,EAAE,CAAC,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACxE;IACD;QACE,aAAa,EAAE,8BAA8B;QAC7C,sBAAsB,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,CAAC;QACzH,oBAAoB,EAAE,CAAC,IAAI,EAAE,eAAe,EAAE,kBAAkB,EAAE,oBAAoB,CAAC;QACvF,cAAc,EAAE,CAAC,+CAA+C,EAAE,4BAA4B,EAAE,GAAG,oBAAoB,CAAC;KACzH;IACD;QACE,aAAa,EAAE,2BAA2B;QAC1C,sBAAsB,EAAE,CAAC,eAAe,EAAE,IAAI,EAAE,OAAO,CAAC;QACxD,oBAAoB,EAAE,CAAC,YAAY,CAAC;QACpC,cAAc,EAAE,CAAC,qCAAqC,EAAE,GAAG,oBAAoB,CAAC;KACjF;IACD;QACE,aAAa,EAAE,0CAA0C;QACzD,sBAAsB,EAAE;YACtB,eAAe;YACf,IAAI;YACJ,cAAc;YACd,SAAS;YACT,aAAa;YACb,eAAe;YACf,cAAc;YACd,aAAa;YACb,SAAS;SACV;QACD,oBAAoB,EAAE,CAAC,IAAI,EAAE,oBAAoB,CAAC;QAClD,cAAc,EAAE,CAAC,0BAA0B,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,yBAAyB,CAAC;KAC/H;IACD;QACE,aAAa,EAAE,0CAA0C;QACzD,sBAAsB,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,OAAO,EAAE,wBAAwB,EAAE,cAAc,EAAE,YAAY,CAAC;QACzH,oBAAoB,EAAE,CAAC,YAAY,EAAE,6BAA6B,EAAE,uBAAuB,CAAC;QAC5F,cAAc,EAAE,CAAC,kCAAkC,EAAE,yBAAyB,EAAE,uBAAuB,CAAC;KACzG;CAC8C,CAAC"}

package/docs/api-schema-contract.md

@@ -42,12 +42,15 @@ Internal but packaged files under `dist/**` may exist in the npm tarball because
 | `agent-runtime.event.v1` | `schemaVersion`, `id`, `sequence`, `timestamp`, `scope`, `event` | `terminal.result`, `terminal.reason` | Runtime redaction before CLI emission; no prompts, tokens, Bearer values, auth env values, or private cwd paths. |
 | `agent-runtime.diagnostics.v1` | `schemaVersion`, `exportedAt`, `subject`, `manifest`, `events`, `diagnostics`, `storageDiagnostics`, `consistencyWarnings`, `supervisorSummary`, `adapterSummary` | `supervisorSummary.terminalReason`, `diagnostics[].code` | No raw event payload dump, raw corrupt JSONL line, prompt, token, Bearer value, auth env value, or private path. |
 | `agent-runtime.conformance.v1` | `schemaVersion`, `ok`, `mode`, `agents` | `agents[].runClassification`, `agents[].skippedReason`, `agents[].failureReason` | `observedTextTail` and diagnostics are bounded and redacted; no prompt, token, raw stdout/stderr, or private cwd. |
+| `agent-runtime.publishedAdapters.v1` | `schemaVersion`, `ok`, `packageName`, `version`, `packageSource`, `checks`, `agents`, `diagnostics`, `noAuthenticatedRealRun` | `ok`, `checks.failureIsolation`, `agents[].terminalStatus` | No temp paths, raw stdout/stderr, full prompt, token, Bearer value, auth env value, or private cwd. |
+| `agent-cli-runtime.publishedVerification.v1` | `schemaVersion`, `ok`, `packageName`, `version`, `gitSha`, `checkedAt`, `packageSource`, `gates`, `registry`, `diagnostics`, `noAuthenticatedRealRun`, `noNpmPublish`, `noNpmToken` | `ok`, `gates[].ok`, `gates[].schemaVersion`, `registry.ok`, `diagnostics[].code` | No raw stdout/stderr, temp paths, full prompt, npm token references, token, Bearer value, auth env value, or private cwd. |
+| `agent-cli-runtime.realCompatibilityEvidenceVerification.v1` | `schemaVersion`, `ok`, `evidenceSchemaVersion`, `file`, `checkedAt`, `diagnostics` | `ok`, `diagnostics[].code` | Diagnostics are redacted; no private paths, token-looking values, Bearer values, auth env assignments, raw stdout/stderr, full prompt text, or raw observed real CLI output. |
 | `agent-runtime.realSmoke.v1` | `schemaVersion`, `type`, `ok`, `mode`, `adapter`, `version`, `auth`, `modelsSource`, `runClassification`, `expectedTextRequired`, `expectedTextMatched`, `observedTextDeltaCount`, `observedTextTail`, `cwdMutationChecked`, `cwdMutated`, `diagnosticsCount`, `diagnostics`, `skippedReason`, `failureReason` | `runClassification`, `skippedReason`, `failureReason` | No final run record, prompt, token, raw stdout/stderr, or private cwd; `observedTextTail` is bounded and redacted. |
 | `agent-runtime.storeHealth.v1` | `schemaVersion`, `ok`, `checkedAt`, `lock`, `totals`, `corruptManifests`, `corruptEventLogs`, `partialTails`, `activeRecords`, `activeInterrupted`, `warnings`, `storageDiagnostics`, `diagnostics` | `ok`, `lock.status`, `diagnostics.byCode` | No raw corrupt JSONL line, token, Bearer value, auth env value, or private path. |
 | `agent-runtime.storeRepair.v1` | `schemaVersion`, `storageDir`, `checkedAt`, `dryRun`, `applied`, `ok`, `actions`, `diagnostics` | `ok`, `blockedReason`, `actions[].action`, `diagnostics.byCode` | Backup paths and diagnostics are redacted; no raw corrupt JSONL line, token, Bearer value, auth env value, or private path. |
 | `agent-runtime.cliError.v1` | `schemaVersion`, `ok`, `error` | `error.code` | `error.message` is short and redacted; no prompt, token, Bearer value, auth env value, or private path. |
-| `agent-cli-runtime.releaseVerification.v1` | `schemaVersion`, `ok`, `checkedFiles`, `tarball`, `diagnostics`, `artifactNames`, `gateEvidence`, `packageName`, `version` | `ok`, `diagnostics[].code` | Diagnostics are redacted; no private package paths, token-looking values, Bearer values, auth env assignments, npm token references, or disallowed package paths. |
-| `agent-cli-runtime.releaseGateEvidence.v1` | `schemaVersion`, `generatedAt`, `gates`, `noAuthenticatedRealRun`, `noNpmPublish`, `noNpmToken` | `gates[].ok`, `gates[].outputSchemaVersion`, `gates[].packageSource` | No authenticated real run output, npm token references, raw paths, prompts, or secrets. |
+| `agent-cli-runtime.releaseVerification.v1` | `schemaVersion`, `ok`, `checkedFiles`, `tarball`, `diagnostics`, `artifactNames`, `gateEvidence`, `packageName`, `version` | `ok`, `diagnostics[].code` | Diagnostics are redacted; no private package paths, token-looking values, Bearer values, auth env assignments, npm token references, repo-only real compatibility evidence scripts, or disallowed package paths. |
+| `agent-cli-runtime.releaseGateEvidence.v1` | `schemaVersion`, `generatedAt`, `gates`, `noAuthenticatedRealRun`, `noNpmPublish`, `noNpmToken` | `gates[].ok`, `gates[].outputSchemaVersion`, `gates[].packageSource`, `gates[].evidenceSchemaVersion`, `gates[].diagnostics.codes` | No authenticated real run output, npm token references, raw paths, prompts, secrets, raw evidence files, raw stdout/stderr, or diagnostic messages. |
 
 ## Failure Taxonomy
 
@@ -89,4 +92,12 @@ Classification rules:
 
 Default gates may run real local detection/profile certification, but they must not launch authenticated real agent runs. `--allow-real-run` is the explicit local account/network boundary and remains outside CI, dogfood, prepublish, and release-candidate gates.
 
-Release verification and gate evidence schemas must stay aligned with `scripts/verify-release-artifacts.mjs` and `scripts/create-release-candidate.mjs`. `gate-evidence.json` records the installed-tarball daemon-ready gates, while `release-verification.json` validates artifacts, package file parity, private-path/secret scans, and release gate evidence.
+Release verification and gate evidence schemas must stay aligned with `scripts/verify-release-artifacts.mjs` and `scripts/create-release-candidate.mjs`. `gate-evidence.json` records the installed-tarball daemon-ready gates and the offline repo-only real compatibility evidence verification gate, while `release-verification.json` validates artifacts, package file parity, private-path/secret scans, repo-only evidence boundaries, and release gate evidence.
+
+Published package verification uses `agent-cli-runtime.publishedVerification.v1` and stays repo-only. It aggregates `smoke:published`, `published:daemon:verify`, `published:adapters:verify`, `release:post-alpha:verify`, and npm registry metadata without storing raw stdout/stderr or adding any publish credential path.
+
+Repo-only real compatibility evidence uses `agent-cli-runtime.realCompatibilityEvidence.v1` and is generated by `npm run compat:real:evidence` under `.release-evidence/`. It is not a package runtime CLI schema, but it follows the same redaction boundary: no raw stdout/stderr, no full prompt text, no private absolute paths, no token values, no Bearer values, and no auth environment assignment values. It records `gitHeadSha`, `gitDirty`, `gitStatusBeforeWrite`, and `gitStatusAfterWrite` because the evidence may be generated from a dirty implementation tree before the P6-1 commit exists. The default command runs only safe real preflight; authenticated real smoke requires explicit `--allow-real-run --agent <id> --expect-text <text>` pairs.
+
+P6-2 verification uses `agent-cli-runtime.realCompatibilityEvidenceVerification.v1` and is run with `npm run compat:real:evidence:verify`. It is an offline repo-only evidence gate: it reads the existing evidence file, does not start authenticated real CLI runs, and fails with stable diagnostic codes such as `invalid_schema`, `unsafe_content`, `missing_dirty_state`, `skip_state_claimed_as_success`, `authenticated_success_incomplete`, `needs_verification_missing`, and `package_boundary_invalid`.
+
+P6-3 integrates that offline verifier into release gates without refreshing real CLI evidence. `npm run prepublish:check` runs `npm run compat:real:evidence:verify` after installed-package daemon/runtime safety gates and before dogfood. `npm run release:candidate` records a `real-compatibility-evidence` gate with `script: "compat:real:evidence:verify"`, `command: "npm run compat:real:evidence:verify"`, `outputSchemaVersion: "agent-cli-runtime.realCompatibilityEvidenceVerification.v1"`, `evidenceSchemaVersion: "agent-cli-runtime.realCompatibilityEvidence.v1"`, `ok`, and diagnostics summarized only as `{ count, codes }`. It must not embed `.release-evidence/p6-1-real-cli-compatibility.json`, raw verifier output, raw stdout/stderr, diagnostic messages, full prompts, private paths, tokens, Bearer values, or auth environment values.