agentic-proofkit 0.1.91

package/docs/spec-proof-bundle-admission-design.md

@@ -0,0 +1,105 @@
+# Spec Proof Bundle Admission Design
+
+Status: accepted; implemented as a generic report primitive.
+
+Owner: `proofkit`.
+
+## Purpose
+
+A spec-first proof system needs more than independent validators. Requirement
+records, proof bindings, witness plans, producer admission, and receipts can all
+be individually valid while still failing to form one closed proof route.
+
+Formal goal:
+
+```text
+caller-owned requirement bindings
+  + caller-owned witness scheduler plan
+  + optional caller-owned producer admission report
+  + optional caller-owned receipt admission report
+  -> proofkit spec-proof-bundle admission report
+```
+
+## Authority Boundary
+
+Proofkit owns:
+
+- child report state checks for requirement bindings, witness plans, producer
+  admission, and receipt admission;
+- binding-command to witness-plan command linkage;
+- binding environment to witness-plan environment linkage;
+- merge-required receipt presence and status checks;
+- receipt witness-selector linkage to requirement or scenario ids;
+- merge-satisfying receipt to producer-admission row fact linkage;
+- deterministic report output and boundary non-claims.
+
+The consuming repository owns:
+
+- requirement meaning;
+- concrete proof binding content;
+- command and environment policy;
+- native witness execution;
+- producer authentication;
+- receipt freshness;
+- CI, merge, release, rollout, and production policy.
+
+Formal rule:
+
+```text
+Proofkit can validate that caller-provided proof records link together.
+Proofkit cannot prove that the linked native witnesses are fresh, authentic, or
+semantically sufficient.
+```
+
+## Model
+
+The bundle input contains:
+
+- one `requirementBindings` payload;
+- one `witnessPlan` payload;
+- optional `receiptProducerAdmission` report;
+- optional `receiptAdmission` report;
+- sorted `mergeRequiredReceiptIds`;
+- caller-owned non-claims.
+
+The report fails closed when:
+
+- any attached child report fails;
+- a binding command lacks a witness-plan command;
+- a witness-plan command is not referenced by requirement bindings;
+- a binding environment is absent from the witness-plan command;
+- a merge-required receipt is missing, not passed, or not merge-satisfying;
+- a merge-satisfying receipt lacks producer admission or its producer, kind,
+  environment, status, or merge-obligation facts drift from the producer row;
+- a receipt selector is outside the requirement graph.
+
+## Rejected Alternatives
+
+| Alternative | Rejection reason |
+|---|---|
+| Publish only independent validators and let every consumer write bundle glue. | That repeats the same fragile composition logic in every repository. |
+| Make proofkit execute witness commands before admitting the bundle. | That would turn proofkit into an orchestrator and native proof owner. |
+| Authenticate CI producers in the bundle primitive. | Trust roots and producer authentication are repository/organization policy, not generic linkage validation. |
+| Compute proof freshness in the bundle primitive. | Freshness depends on caller-owned current facts, invalidation rules, and merge policy. |
+
+## Proof Obligations
+
+- unit tests for accepted bundle linkage;
+- negative tests for missing witness-plan commands, missing producer admission,
+  unknown receipt selectors, and failed child reports;
+- CLI test for `spec-proof-bundle-admission`;
+- package artifact test proving the primitive ships in the package.
+
+## Non-Claims
+
+Spec proof bundle admission does not claim:
+
+- native witness execution;
+- producer authentication;
+- proof freshness;
+- requirement semantic adequacy;
+- command result correctness;
+- merge approval;
+- release approval;
+- rollout approval;
+- production readiness.

package/docs/specs/proofkit-consumer-infra-retirement/overview.md

@@ -0,0 +1,44 @@
+# Proofkit Consumer Infrastructure Retirement Spec
+
+This spec owns Proofkit's reusable primitives for retiring duplicated
+consumer-side proof infrastructure. It covers migration planning, installed
+package runtime dependency admission, workspace registry admission,
+repo-profile admission, and adoption workflow routing.
+It also covers structured parity evidence admission for repositories that need
+machine-checkable preconditions before local proof-owner retirement review.
+
+It is intentionally infrastructure-only. Consumers own old proof surfaces, new
+Proofkit inputs, parity evidence, native witness execution, command policy,
+receipt freshness, file deletion, CI admission, merge approval, release
+approval, rollout approval, and production decisions.
+
+## Requirements
+
+- `REQ-PROOFKIT-RETIRE-001`: migration plans keep old and new proof owners
+  explicit and block retirement unless caller-provided parity evidence and
+  post-retirement validation commands exist.
+- `REQ-PROOFKIT-RETIRE-002`: package runtime dependency admission validates
+  caller-provided installed package identity and location facts without reading
+  package manager state or resolving packages.
+- `REQ-PROOFKIT-RETIRE-003`: workspace registry admission validates
+  caller-provided script, dependency, and lockfile facts against caller policy
+  without owning repository command policy or lockfile freshness.
+- `REQ-PROOFKIT-RETIRE-004`: repo-profile structural and command admission
+  validates caller-owned profile, path, command, and environment facts without
+  scanning repositories or approving native proof coverage.
+- `REQ-PROOFKIT-RETIRE-005`: adoption workflow plans route legacy migration,
+  gradual adoption, and release-channel scenarios to existing Proofkit
+  primitives through bounded structured command refs.
+- `REQ-PROOFKIT-RETIRE-006`: migration parity admission validates
+  caller-provided parity evidence shape, source/target closure, typed
+  equivalence dimensions, and matched digest equality without owning evidence
+  authenticity, freshness, semantic correctness, or retirement approval.
+
+## Non-Claims
+
+- This spec does not authorize deletion of consumer files or local proof owners.
+- This spec does not execute commands, authenticate parity evidence, compute
+  proof freshness, or approve merge.
+- This spec does not make Proofkit a repository scanner, command-policy owner,
+  CI authority, release authority, rollout authority, or production-readiness
+  authority for consumers.

package/docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json

@@ -0,0 +1,175 @@
+{
+  "schemaVersion": 1,
+  "sourceId": "proofkit.consumer-infra-retirement.requirements",
+  "specPackagePath": "docs/specs/proofkit-consumer-infra-retirement",
+  "overviewPath": "docs/specs/proofkit-consumer-infra-retirement/overview.md",
+  "requirementsPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+  "requirements": [
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-001",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Migration plans keep old and new proof owners explicit and block retirement unless caller-provided parity evidence and post-retirement validation commands exist.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-001"
+      ],
+      "nonClaims": [
+        "This requirement does not claim file deletion, parity authenticity, native witness execution, proof freshness, merge approval, release approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-002",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Package runtime dependency admission validates caller-provided installed package identity and location facts without reading package manager state or resolving packages.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-002"
+      ],
+      "nonClaims": [
+        "This requirement does not claim package resolution, manifest reads, lockfile reads, registry authentication, package-manager authority, native execution, proof freshness, merge approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-003",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Workspace registry admission validates caller-provided script, dependency, and lockfile facts against caller policy without owning repository command policy or lockfile freshness.",
+      "claimLevel": "blocking",
+      "riskClass": "medium",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-003"
+      ],
+      "nonClaims": [
+        "This requirement does not claim script execution, lockfile generation, lockfile freshness, registry authentication, package-manager behavior, CI scheduling, merge approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-004",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Repo-profile structural and command admission validates caller-owned profile, path, command, and environment facts without scanning repositories or approving native proof coverage.",
+      "claimLevel": "blocking",
+      "riskClass": "medium",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-004"
+      ],
+      "nonClaims": [
+        "This requirement does not claim repository scanning, tracked-file freshness, command execution, native proof coverage, CI readiness, merge approval, release approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-005",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Adoption workflow plans route legacy migration, gradual adoption, and release-channel scenarios to existing Proofkit primitives through bounded structured command refs.",
+      "claimLevel": "blocking",
+      "riskClass": "medium",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-005"
+      ],
+      "nonClaims": [
+        "This requirement does not claim scenario appropriateness, repository scanning, command execution, receipt authentication, proof freshness, merge approval, release approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-006",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "invariant": "Migration parity admission validates caller-provided parity evidence shape, source/target closure, typed equivalence dimensions, and matched digest equality without owning evidence authenticity, freshness, semantic correctness, or retirement approval.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RETIRE-006"
+      ],
+      "nonClaims": [
+        "This requirement does not claim parity authenticity, digest computation, native witness execution, proof freshness, semantic correctness, proof coverage adequacy, old-owner deletion approval, merge approval, release approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.consumer-infra-retirement",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    }
+  ],
+  "nonClaims": [
+    "Consumers still own old proof surfaces, new Proofkit inputs, parity evidence, native witness execution, command policy, receipts, CI admission, merge approval, release approval, rollout approval, and production decisions.",
+    "Proofkit consumer infrastructure retirement requirements describe reusable planning and admission primitives only."
+  ]
+}

package/docs/specs/proofkit-package-boundary/overview.md

@@ -0,0 +1,32 @@
+# Proofkit Package Boundary Spec
+
+This spec owns the first self-hosted Proofkit package-boundary requirements.
+It is intentionally narrow: it covers package CLI/report boundary, module import
+denial, and package artifact behavior only.
+
+## Requirements
+
+- `REQ-PROOFKIT-PACKAGE-001`: the package artifact set exposes the supported
+  CLI through one root package with embedded platform binaries while denying
+  root imports, source imports, generated JavaScript imports, and deep internal
+  package paths as public contract.
+- `REQ-PROOFKIT-PACKAGE-002`: the CLI builds deterministic reports and plans
+  from caller-owned JSON without executing native witnesses, scanning implicit
+  repository state, or deciding proof freshness.
+- `REQ-PROOFKIT-PACKAGE-003`: the root package remains installable and
+  executable by an outside consumer on the current native platform without
+  claiming registry publication.
+- `REQ-PROOFKIT-PACKAGE-004`: CI package-gate receipts used as merge evidence
+  are admitted through a declared producer policy and proof-receipt shape
+  validator instead of current-build output alone.
+
+## Non-Claims
+
+- This spec does not claim consumer repository adoption.
+- This spec does not claim registry publication.
+- This spec does not claim runtime execution for non-native embedded platform
+  binaries unless CI supplies that native OS and CPU tuple.
+- This spec does not claim proof freshness, merge approval, rollout approval,
+  or production readiness.
+- This spec does not make current-build Proofkit output sufficient to admit the
+  same current build.

package/docs/specs/proofkit-package-boundary/requirements.v1.json

@@ -0,0 +1,121 @@
+{
+  "schemaVersion": 1,
+  "sourceId": "proofkit.package-boundary.requirements",
+  "specPackagePath": "docs/specs/proofkit-package-boundary",
+  "overviewPath": "docs/specs/proofkit-package-boundary/overview.md",
+  "requirementsPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+  "requirements": [
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-001",
+      "ownerId": "proofkit.package-boundary",
+      "invariant": "The package artifact set exposes the supported CLI through one root package with embedded platform binaries while denying root imports, source imports, generated JavaScript imports, and deep internal package paths as public contract.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-PACKAGE-001"
+      ],
+      "nonClaims": [
+        "This requirement does not claim consumer adoption, registry publication, rollout approval, or production readiness."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.package-boundary",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-002",
+      "ownerId": "proofkit.package-boundary",
+      "invariant": "The CLI builds deterministic reports and plans from caller-owned JSON without executing native witnesses, scanning implicit repository state, or deciding proof freshness.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-PACKAGE-002"
+      ],
+      "nonClaims": [
+        "This requirement does not claim native witness execution, producer authentication, proof freshness, or merge approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.package-boundary",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-003",
+      "ownerId": "proofkit.package-boundary",
+      "invariant": "The root package remains installable and executable by an outside consumer on the current native platform without claiming registry publication.",
+      "claimLevel": "blocking",
+      "riskClass": "medium",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-PACKAGE-003"
+      ],
+      "nonClaims": [
+        "This requirement does not claim registry publication, registry consumer installation, execution for non-native platform binaries, or rollout readiness."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.package-boundary",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-004",
+      "ownerId": "proofkit.package-boundary",
+      "invariant": "CI package-gate receipts used as merge evidence are admitted through a declared producer policy and proof-receipt shape validator instead of current-build output alone.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-PACKAGE-004"
+      ],
+      "nonClaims": [
+        "This requirement does not authenticate GitHub Actions, compute proof freshness, approve merge, approve release, or make local advisory receipts merge-satisfying evidence."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.package-boundary",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    }
+  ],
+  "nonClaims": [
+    "Proofkit requirement source admission validates record shape only; it does not own requirement meaning.",
+    "Proofkit self-hosting records do not replace native package tests, release evidence, or registry publication proof."
+  ]
+}

package/docs/specs/proofkit-receipt-authority/overview.md

@@ -0,0 +1,35 @@
+# Proofkit Receipt Authority Spec
+
+This spec owns Proofkit's reusable receipt authority primitives: proof receipt
+shape admission, receipt producer policy linkage, producer-policy self-proof
+guards, and spec-proof bundle linkage between requirements, witness plans,
+producer admission, and receipts.
+
+It is intentionally infrastructure-only. Consumers authenticate producers,
+define trust roots, execute native witnesses, compute freshness, match current
+obligations, and decide merge, release, rollout, and production policy.
+
+## Requirements
+
+- `REQ-PROOFKIT-RECEIPT-001`: proof receipt admission validates caller-provided
+  receipt shape, digests, timestamps, selectors, evidence refs, artifact refs,
+  status, and provenance fields without authenticating producers or computing
+  freshness.
+- `REQ-PROOFKIT-RECEIPT-002`: receipt producer admission validates
+  caller-owned producer policy and receipt metadata linkage without proving that
+  the producer actually created the receipt.
+- `REQ-PROOFKIT-RECEIPT-003`: producer-policy self-proof detects when
+  merge-obligation receipts depend on trust tuples newly admitted by the same
+  policy change without approving or rejecting the policy change itself.
+- `REQ-PROOFKIT-RECEIPT-004`: spec-proof bundle admission validates linkage
+  across requirement bindings, witness plans, producer admission, and receipt
+  admission without executing native witnesses or approving merge.
+
+## Non-Claims
+
+- This spec does not authenticate CI, local runners, or receipt producers.
+- This spec does not compute receipt freshness or current-obligation
+  satisfaction.
+- This spec does not execute commands or verify native command pass evidence.
+- This spec does not approve merge, release, registry publication, rollout, or
+  production readiness.

package/docs/specs/proofkit-receipt-authority/requirements.v1.json

@@ -0,0 +1,121 @@
+{
+  "schemaVersion": 1,
+  "sourceId": "proofkit.receipt-authority.requirements",
+  "specPackagePath": "docs/specs/proofkit-receipt-authority",
+  "overviewPath": "docs/specs/proofkit-receipt-authority/overview.md",
+  "requirementsPath": "docs/specs/proofkit-receipt-authority/requirements.v1.json",
+  "requirements": [
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-001",
+      "ownerId": "proofkit.receipt-authority",
+      "invariant": "Proof receipt admission validates caller-provided receipt shape, digests, timestamps, selectors, evidence refs, artifact refs, status, and provenance fields without authenticating producers or computing freshness.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RECEIPT-001"
+      ],
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, native command execution, command result correctness, current-obligation matching, or merge approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.receipt-authority",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-002",
+      "ownerId": "proofkit.receipt-authority",
+      "invariant": "Receipt producer admission validates caller-owned producer policy and receipt metadata linkage without proving that the producer actually created the receipt.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RECEIPT-002"
+      ],
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, command execution, command result correctness, CI log authority, or merge approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.receipt-authority",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-003",
+      "ownerId": "proofkit.receipt-authority",
+      "invariant": "Producer-policy self-proof detects when merge-obligation receipts depend on trust tuples newly admitted by the same policy change without approving or rejecting the policy change itself.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RECEIPT-003"
+      ],
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, policy digest provenance, policy-diff discovery, migration exception approval, or merge approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.receipt-authority",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-004",
+      "ownerId": "proofkit.receipt-authority",
+      "invariant": "Spec-proof bundle admission validates linkage across requirement bindings, witness plans, producer admission, and receipt admission without executing native witnesses or approving merge.",
+      "claimLevel": "blocking",
+      "riskClass": "high",
+      "proofBindingRefs": [
+        "proofkit/requirement-bindings.json"
+      ],
+      "nonClaimRefs": [
+        "NC-PROOFKIT-RECEIPT-004"
+      ],
+      "nonClaims": [
+        "This requirement does not claim native witness execution, producer authentication, proof freshness, command result correctness, merge approval, release approval, or rollout approval."
+      ],
+      "lifecycle": {
+        "state": "active",
+        "replacementRequirementIds": [],
+        "evidenceRefs": []
+      },
+      "deferral": null,
+      "updatePolicy": {
+        "reviewOwnerId": "proofkit.receipt-authority",
+        "requiresImpactDeclaration": true,
+        "requiresProofBindingReview": true
+      }
+    }
+  ],
+  "nonClaims": [
+    "Consumers still own producer trust roots, native witness execution, receipt freshness, current-obligation matching, CI admission, merge policy, and rollout decisions.",
+    "Proofkit receipt authority requirements describe reusable receipt shape and linkage primitives only."
+  ]
+}

package/docs/specs/proofkit-spec-proof-core/overview.md

@@ -0,0 +1,36 @@
+# Proofkit Spec-Proof Core Spec
+
+This spec owns Proofkit's reusable spec-to-proof primitives: requirement source
+admission, requirement proof bindings, witness planning, selective proof
+planning, selective evidence admission, rendered proof views, and bounded agent
+envelopes.
+
+It is intentionally infrastructure-only. Consumers provide requirement
+sentences, proof bindings, changed-path facts, command policy, native witnesses,
+execution receipts, and merge policy.
+
+## Requirements
+
+- `REQ-PROOFKIT-SPEC-001`: requirement source admission validates structured
+  `REQ-*` records and source-package shape without owning requirement meaning
+  or scanning overview prose as authority.
+- `REQ-PROOFKIT-SPEC-002`: requirement proof binding reports validate
+  caller-owned requirement-to-witness mappings and emit deterministic lookup
+  projections without executing witnesses or deciding proof freshness.
+- `REQ-PROOFKIT-SPEC-003`: witness planning accepts caller-owned structured
+  command metadata, scheduler constraints, and environment classes without
+  executing commands or selecting repository policy.
+- `REQ-PROOFKIT-SPEC-004`: selective planning and selective evidence reports
+  keep changed-path facts, planned commands, receipts, and obligation
+  candidates explicit and fail closed for unknown or unmatched proof inputs.
+- `REQ-PROOFKIT-SPEC-005`: rendered proof views and agent envelopes remain
+  bounded, derived presentations over structured source and never become
+  canonical proof or requirement authority.
+
+## Non-Claims
+
+- This spec does not claim consumer repository adoption.
+- This spec does not claim native witness execution.
+- This spec does not authenticate receipt producers or compute proof freshness.
+- This spec does not approve merge, release, registry publication, rollout, or
+  production readiness.