agentskeptic 0.1.1

package/dist/verifyRunBundleSignature.js

@@ -0,0 +1,139 @@
+import { createPublicKey, verify } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import { BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY, BUNDLE_SIGNATURE_CRYPTO_INVALID, BUNDLE_SIGNATURE_MANIFEST_INVALID, BUNDLE_SIGNATURE_MANIFEST_UNSUPPORTED_VERSION, BUNDLE_SIGNATURE_MISSING_ARTIFACT, BUNDLE_SIGNATURE_PUBLIC_KEY_MISMATCH, BUNDLE_SIGNATURE_SIDECAR_INVALID, BUNDLE_SIGNATURE_SIGNED_HASH_MISMATCH, BUNDLE_SIGNATURE_UNSIGNED_MANIFEST, } from "./bundleSignatureCodes.js";
+import { sha256Hex } from "./agentRunRecord.js";
+import { loadSchemaValidator } from "./schemaLoad.js";
+import { AGENT_RUN_FILENAME, EVENTS_FILENAME, WORKFLOW_RESULT_FILENAME, WORKFLOW_RESULT_SIG_FILENAME, } from "./debugCorpus.js";
+import { normalizeSpkiPemForSidecar } from "./workflowResultSignature.js";
+const validateV2 = loadSchemaValidator("agent-run-record-v2");
+const validateSidecar = loadSchemaValidator("workflow-result-signature");
+function fail(code, message) {
+    return { ok: false, code, message };
+}
+/**
+ * Normative verify order (1–9): manifest parse + dispatch; events hash; wr hash; sig hash; sidecar parse+schema;
+ * signedContentSha256Hex vs manifest; PEM equality; crypto.verify.
+ */
+export function verifyRunBundleSignature(runDir, ed25519PublicKeyPemPath) {
+    const resolved = path.resolve(runDir);
+    const agentRunPath = path.join(resolved, AGENT_RUN_FILENAME);
+    if (!existsSync(agentRunPath)) {
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, `Missing ${AGENT_RUN_FILENAME}`);
+    }
+    let agentRunParsed;
+    try {
+        agentRunParsed = JSON.parse(readFileSync(agentRunPath, "utf8"));
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_MANIFEST_INVALID, msg);
+    }
+    const sv = agentRunParsed.schemaVersion;
+    if (sv !== 1 && sv !== 2) {
+        return fail(BUNDLE_SIGNATURE_MANIFEST_UNSUPPORTED_VERSION, `schemaVersion must be 1 or 2, got ${String(sv)}`);
+    }
+    if (sv === 1) {
+        return fail(BUNDLE_SIGNATURE_UNSIGNED_MANIFEST, "Bundle manifest is unsigned (schemaVersion 1)");
+    }
+    if (!validateV2(agentRunParsed)) {
+        return fail(BUNDLE_SIGNATURE_MANIFEST_INVALID, `${AGENT_RUN_FILENAME} failed agent-run-record-v2 schema validation.`);
+    }
+    const record = agentRunParsed;
+    const evSpec = record.artifacts.events;
+    const wrSpec = record.artifacts.workflowResult;
+    const sigSpec = record.artifacts.workflowResultSignature;
+    const evPath = path.join(resolved, evSpec.relativePath);
+    const wrPath = path.join(resolved, wrSpec.relativePath);
+    const sigPath = path.join(resolved, sigSpec.relativePath);
+    if (!existsSync(evPath)) {
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, `Missing ${EVENTS_FILENAME}`);
+    }
+    let evBuf;
+    try {
+        evBuf = readFileSync(evPath);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, msg);
+    }
+    if (evBuf.length !== evSpec.byteLength || sha256Hex(evBuf) !== evSpec.sha256) {
+        return fail(BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY, `${EVENTS_FILENAME} does not match manifest`);
+    }
+    if (!existsSync(wrPath)) {
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, `Missing ${WORKFLOW_RESULT_FILENAME}`);
+    }
+    let wrBuf;
+    try {
+        wrBuf = readFileSync(wrPath);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, msg);
+    }
+    if (wrBuf.length !== wrSpec.byteLength || sha256Hex(wrBuf) !== wrSpec.sha256) {
+        return fail(BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY, `${WORKFLOW_RESULT_FILENAME} does not match manifest`);
+    }
+    if (!existsSync(sigPath)) {
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, `Missing ${WORKFLOW_RESULT_SIG_FILENAME}`);
+    }
+    let sigFileBuf;
+    try {
+        sigFileBuf = readFileSync(sigPath);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, msg);
+    }
+    if (sigFileBuf.length !== sigSpec.byteLength || sha256Hex(sigFileBuf) !== sigSpec.sha256) {
+        return fail(BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY, `${WORKFLOW_RESULT_SIG_FILENAME} does not match manifest`);
+    }
+    let sidecar;
+    try {
+        sidecar = JSON.parse(sigFileBuf.toString("utf8"));
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_SIDECAR_INVALID, msg);
+    }
+    if (!validateSidecar(sidecar)) {
+        return fail(BUNDLE_SIGNATURE_SIDECAR_INVALID, "workflow-result.sig.json failed schema validation");
+    }
+    const sc = sidecar;
+    if (sc.signedContentSha256Hex !== wrSpec.sha256) {
+        return fail(BUNDLE_SIGNATURE_SIGNED_HASH_MISMATCH, "signedContentSha256Hex does not match manifest");
+    }
+    let trustedPem;
+    try {
+        trustedPem = readFileSync(path.resolve(ed25519PublicKeyPemPath), "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return fail(BUNDLE_SIGNATURE_MISSING_ARTIFACT, `Cannot read public key: ${msg}`);
+    }
+    const sidecarPem = sidecar.signingPublicKeySpkiPem;
+    if (typeof sidecarPem !== "string") {
+        return fail(BUNDLE_SIGNATURE_SIDECAR_INVALID, "Missing signingPublicKeySpkiPem");
+    }
+    if (normalizeSpkiPemForSidecar(sidecarPem) !== normalizeSpkiPemForSidecar(trustedPem)) {
+        return fail(BUNDLE_SIGNATURE_PUBLIC_KEY_MISMATCH, "Public key file does not match sidecar PEM");
+    }
+    const publicKey = createPublicKey({ key: trustedPem, format: "pem", type: "spki" });
+    const sigB64 = sidecar.signatureBase64;
+    if (typeof sigB64 !== "string") {
+        return fail(BUNDLE_SIGNATURE_SIDECAR_INVALID, "Missing signatureBase64");
+    }
+    let sigBytes;
+    try {
+        sigBytes = Buffer.from(sigB64, "base64");
+    }
+    catch {
+        return fail(BUNDLE_SIGNATURE_SIDECAR_INVALID, "Invalid signatureBase64");
+    }
+    const ok = verify(null, wrBuf, publicKey, sigBytes);
+    if (!ok) {
+        return fail(BUNDLE_SIGNATURE_CRYPTO_INVALID, "Ed25519 verify failed");
+    }
+    return { ok: true };
+}
+//# sourceMappingURL=verifyRunBundleSignature.js.map

package/dist/verifyRunBundleSignature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyRunBundleSignature.js","sourceRoot":"","sources":["../src/verifyRunBundleSignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,mCAAmC,EACnC,+BAA+B,EAC/B,iCAAiC,EACjC,6CAA6C,EAC7C,iCAAiC,EACjC,oCAAoC,EACpC,gCAAgC,EAChC,qCAAqC,EACrC,kCAAkC,GAEnC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAM1E,MAAM,UAAU,GAAG,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;AAC9D,MAAM,eAAe,GAAG,mBAAmB,CAAC,2BAA2B,CAAC,CAAC;AAEzE,SAAS,IAAI,CAAC,IAAyB,EAAE,OAAe;IACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,MAAc,EACd,uBAA+B;IAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;IAE7D,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,iCAAiC,EAAE,WAAW,kBAAkB,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,IAAI,cAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAY,CAAC;IAC7E,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,EAAE,GAAI,cAA8C,CAAC,aAAa,CAAC;IACzE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CACT,6CAA6C,EAC7C,qCAAqC,MAAM,CAAC,EAAE,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;QACb,OAAO,IAAI,CAAC,kCAAkC,EAAE,+CAA+C,CAAC,CAAC;IACnG,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CACT,iCAAiC,EACjC,GAAG,kBAAkB,gDAAgD,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,cAAkC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;IACvC,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC;IAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,uBAAuB,CAAC;IAEzD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAE1D,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC,iCAAiC,EAAE,WAAW,eAAe,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,IAAI,KAAa,CAAC;IAClB,IAAI,CAAC;QACH,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,UAAU,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAC7E,OAAO,IAAI,CAAC,mCAAmC,EAAE,GAAG,eAAe,0BAA0B,CAAC,CAAC;IACjG,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC,iCAAiC,EAAE,WAAW,wBAAwB,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,KAAa,CAAC;IAClB,IAAI,CAAC;QACH,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,UAAU,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAC7E,OAAO,IAAI,CACT,mCAAmC,EACnC,GAAG,wBAAwB,0BAA0B,CACtD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,iCAAiC,EAAE,WAAW,4BAA4B,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,OAAO,CAAC,UAAU,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACzF,OAAO,IAAI,CACT,mCAAmC,EACnC,GAAG,4BAA4B,0BAA0B,CAC1D,CAAC;IACJ,CAAC;IAED,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAY,CAAC;IAC/D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,gCAAgC,EAAE,mDAAmD,CAAC,CAAC;IACrG,CAAC;IAED,MAAM,EAAE,GAAG,OAA8C,CAAC;IAC1D,IAAI,EAAE,CAAC,sBAAsB,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC,qCAAqC,EAAE,gDAAgD,CAAC,CAAC;IACvG,CAAC;IAED,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,iCAAiC,EAAE,2BAA2B,GAAG,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,UAAU,GAAI,OAAgD,CAAC,uBAAuB,CAAC;IAC7F,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,gCAAgC,EAAE,iCAAiC,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,0BAA0B,CAAC,UAAU,CAAC,KAAK,0BAA0B,CAAC,UAAU,CAAC,EAAE,CAAC;QACtF,OAAO,IAAI,CAAC,oCAAoC,EAAE,4CAA4C,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACpF,MAAM,MAAM,GAAI,OAAwC,CAAC,eAAe,CAAC;IACzE,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,gCAAgC,EAAE,yBAAyB,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,gCAAgC,EAAE,yBAAyB,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,IAAI,CAAC,+BAA+B,EAAE,uBAAuB,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC"}

package/dist/verifyRunBundleSignature.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=verifyRunBundleSignature.test.d.ts.map

package/dist/verifyRunBundleSignature.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyRunBundleSignature.test.d.ts","sourceRoot":"","sources":["../src/verifyRunBundleSignature.test.ts"],"names":[],"mappings":""}

package/dist/verifyRunBundleSignature.test.js

@@ -0,0 +1,169 @@
+import { generateKeyPairSync } from "node:crypto";
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { afterEach, describe, expect, it } from "vitest";
+import { buildAgentRunRecordForBundle } from "./agentRunRecord.js";
+import { BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY, BUNDLE_SIGNATURE_CRYPTO_INVALID, BUNDLE_SIGNATURE_PUBLIC_KEY_MISMATCH, BUNDLE_SIGNATURE_SIGNED_HASH_MISMATCH, BUNDLE_SIGNATURE_UNSIGNED_MANIFEST, } from "./bundleSignatureCodes.js";
+import { AGENT_RUN_FILENAME, EVENTS_FILENAME, WORKFLOW_RESULT_FILENAME, WORKFLOW_RESULT_SIG_FILENAME, } from "./debugCorpus.js";
+import { buildWorkflowResultSigSidecarBytes, normalizeSpkiPemForSidecar } from "./workflowResultSignature.js";
+import { verifyRunBundleSignature } from "./verifyRunBundleSignature.js";
+const root = join(fileURLToPath(import.meta.url), "..", "..");
+const runOk = join(root, "examples", "debug-corpus", "run_ok");
+function writeV2BundleDir(dir, opts) {
+    mkdirSync(dir, { recursive: true });
+    let sidecar = buildWorkflowResultSigSidecarBytes(opts.wrBytes, opts.privatePem);
+    if (opts.mutateSidecar) {
+        const p = JSON.parse(sidecar.toString("utf8").trim());
+        opts.mutateSidecar(p);
+        sidecar = Buffer.from(`${JSON.stringify(p)}\n`, "utf8");
+    }
+    const record = buildAgentRunRecordForBundle({
+        runId: "t",
+        workflowId: JSON.parse(opts.wrBytes.toString("utf8")).workflowId,
+        producer: { name: "n", version: "1" },
+        verifiedAt: "2026-04-07T12:00:00.000Z",
+        workflowResultBytes: opts.wrBytes,
+        eventsBytes: opts.evBytes,
+        workflowResultSignatureBytes: sidecar,
+    });
+    const manifestBuf = Buffer.from(`${JSON.stringify(record, null, 2)}\n`, "utf8");
+    writeFileSync(join(dir, EVENTS_FILENAME), opts.evBytes);
+    writeFileSync(join(dir, WORKFLOW_RESULT_FILENAME), opts.wrBytes);
+    writeFileSync(join(dir, WORKFLOW_RESULT_SIG_FILENAME), sidecar);
+    writeFileSync(join(dir, AGENT_RUN_FILENAME), manifestBuf);
+}
+describe("verifyRunBundleSignature", () => {
+    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+    const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
+    const publicPem = publicKey.export({ type: "spki", format: "pem" });
+    const wrBytes = readFileSync(join(runOk, "workflow-result.json"));
+    const evBytes = readFileSync(join(runOk, "events.ndjson"));
+    const dirs = [];
+    afterEach(() => {
+        for (const d of dirs) {
+            try {
+                rmSync(d, { recursive: true, force: true });
+            }
+            catch {
+                /* ignore */
+            }
+        }
+        dirs.length = 0;
+    });
+    it("returns ok true for valid v2 bundle", () => {
+        const dir = join(tmpdir(), `etl-sig-ok-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, { wrBytes, evBytes, privatePem, publicPem });
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r).toEqual({ ok: true });
+    });
+    it("tampered workflow-result → ARTIFACT_INTEGRITY", () => {
+        const dir = join(tmpdir(), `etl-sig-t1-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, { wrBytes, evBytes, privatePem, publicPem });
+        const wrPath = join(dir, WORKFLOW_RESULT_FILENAME);
+        const b = readFileSync(wrPath);
+        const t = Buffer.from(b);
+        t[t.length - 2] ^= 1;
+        writeFileSync(wrPath, t);
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY);
+    });
+    it("tampered sidecar bytes → ARTIFACT_INTEGRITY", () => {
+        const dir = join(tmpdir(), `etl-sig-t2-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, { wrBytes, evBytes, privatePem, publicPem });
+        const sigPath = join(dir, WORKFLOW_RESULT_SIG_FILENAME);
+        const b = readFileSync(sigPath);
+        const t = Buffer.from(b);
+        t[5] ^= 1;
+        writeFileSync(sigPath, t);
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_ARTIFACT_INTEGRITY);
+    });
+    it("wrong public key file vs sidecar → PUBLIC_KEY_MISMATCH", () => {
+        const dir = join(tmpdir(), `etl-sig-pk-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, { wrBytes, evBytes, privatePem, publicPem });
+        const other = generateKeyPairSync("ed25519").publicKey.export({ type: "spki", format: "pem" });
+        const pubPath = join(dir, "wrong.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(other), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_PUBLIC_KEY_MISMATCH);
+    });
+    it("corrupted signatureBase64 → CRYPTO_INVALID", () => {
+        const dir = join(tmpdir(), `etl-sig-crypto-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, {
+            wrBytes,
+            evBytes,
+            privatePem,
+            publicPem,
+            mutateSidecar: (p) => {
+                p.signatureBase64 = Buffer.alloc(64, 7).toString("base64");
+            },
+        });
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_CRYPTO_INVALID);
+    });
+    it("v1 manifest → UNSIGNED_MANIFEST", () => {
+        const dir = join(tmpdir(), `etl-sig-v1-${Date.now()}`);
+        dirs.push(dir);
+        mkdirSync(dir, { recursive: true });
+        const rec = buildAgentRunRecordForBundle({
+            runId: "x",
+            workflowId: "w",
+            producer: { name: "n", version: "v" },
+            verifiedAt: "2026-04-07T12:00:00.000Z",
+            workflowResultBytes: wrBytes,
+            eventsBytes: evBytes,
+        });
+        writeFileSync(join(dir, EVENTS_FILENAME), evBytes);
+        writeFileSync(join(dir, WORKFLOW_RESULT_FILENAME), wrBytes);
+        writeFileSync(join(dir, AGENT_RUN_FILENAME), `${JSON.stringify(rec, null, 2)}\n`, "utf8");
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_UNSIGNED_MANIFEST);
+    });
+    it("wrong signedContentSha256Hex → SIGNED_HASH_MISMATCH", () => {
+        const dir = join(tmpdir(), `etl-sig-hash-${Date.now()}`);
+        dirs.push(dir);
+        writeV2BundleDir(dir, {
+            wrBytes,
+            evBytes,
+            privatePem,
+            publicPem,
+            mutateSidecar: (p) => {
+                p.signedContentSha256Hex = "a".repeat(64);
+            },
+        });
+        const pubPath = join(dir, "pub.pem");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        const r = verifyRunBundleSignature(dir, pubPath);
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.code).toBe(BUNDLE_SIGNATURE_SIGNED_HASH_MISMATCH);
+    });
+});
+//# sourceMappingURL=verifyRunBundleSignature.test.js.map

package/dist/verifyRunBundleSignature.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyRunBundleSignature.test.js","sourceRoot":"","sources":["../src/verifyRunBundleSignature.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,EAAE,4BAA4B,EAAa,MAAM,qBAAqB,CAAC;AAC9E,OAAO,EACL,mCAAmC,EACnC,+BAA+B,EAC/B,oCAAoC,EACpC,qCAAqC,EACrC,kCAAkC,GACnC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,kCAAkC,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAC9G,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAGzE,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;AAE/D,SAAS,gBAAgB,CACvB,GAAW,EACX,IAMC;IAED,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,IAAI,OAAO,GAAG,kCAAkC,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAChF,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAA4B,CAAC;QACjF,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACtB,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,MAAM,GAAG,4BAA4B,CAAC;QAC1C,KAAK,EAAE,GAAG;QACV,UAAU,EAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAoB,CAAC,UAAU;QACpF,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE;QACrC,UAAU,EAAE,0BAA0B;QACtC,mBAAmB,EAAE,IAAI,CAAC,OAAO;QACjC,WAAW,EAAE,IAAI,CAAC,OAAO;QACzB,4BAA4B,EAAE,OAAO;KACtC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAChF,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACxD,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACjE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,4BAA4B,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,WAAW,CAAC,CAAC;AAC5D,CAAC;AAED,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACjF,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAE9E,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;IAE3D,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,SAAS,CAAC,GAAG,EAAE;QACb,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACV,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;QACnE,MAAM,KAAK,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;QACzG,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACvC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;QAClE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE;YACpB,OAAO;YACP,OAAO;YACP,UAAU;YACV,SAAS;YACT,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE;gBACnB,CAAC,CAAC,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC7D,CAAC;SACF,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,4BAA4B,CAAC;YACvC,KAAK,EAAE,GAAG;YACV,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE;YACrC,UAAU,EAAE,0BAA0B;YACtC,mBAAmB,EAAE,OAAO;YAC5B,WAAW,EAAE,OAAO;SACrB,CAAC,CAAC;QACH,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC;QACnD,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1F,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,gBAAgB,CAAC,GAAG,EAAE;YACpB,OAAO;YACP,OAAO;YACP,UAAU;YACV,SAAS;YACT,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE;gBACnB,CAAC,CAAC,sBAAsB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC5C,CAAC;SACF,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACrC,aAAa,CAAC,OAAO,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,wBAAwB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/wireReasonCodes.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Sole definition of emitted step / resolver `reason.code` and registry validation resolution codes.
+ * Pair with wireReasonEmittersGuard.test.ts (six emitter files only).
+ */
+/** Resolver / registry parameter resolution failures (`{ ok: false }` from resolveVerificationRequest). */
+export declare const REGISTRY_RESOLVER_CODE: {
+    readonly CONST_STRING_EMPTY: "CONST_STRING_EMPTY";
+    readonly STRING_SPEC_POINTER_MISSING: "STRING_SPEC_POINTER_MISSING";
+    readonly STRING_SPEC_TYPE: "STRING_SPEC_TYPE";
+    readonly STRING_SPEC_EMPTY: "STRING_SPEC_EMPTY";
+    readonly KEY_VALUE_POINTER_MISSING: "KEY_VALUE_POINTER_MISSING";
+    readonly KEY_VALUE_NOT_SCALAR: "KEY_VALUE_NOT_SCALAR";
+    readonly KEY_VALUE_SPEC_INVALID: "KEY_VALUE_SPEC_INVALID";
+    readonly TABLE_POINTER_INVALID: "TABLE_POINTER_INVALID";
+    readonly TABLE_SPEC_INVALID: "TABLE_SPEC_INVALID";
+    readonly INVALID_IDENTIFIER: "INVALID_IDENTIFIER";
+    readonly REQUIRED_FIELDS_POINTER_MISSING: "REQUIRED_FIELDS_POINTER_MISSING";
+    readonly REQUIRED_FIELDS_NOT_OBJECT: "REQUIRED_FIELDS_NOT_OBJECT";
+    readonly REQUIRED_FIELDS_VALUE_UNDEFINED: "REQUIRED_FIELDS_VALUE_UNDEFINED";
+    readonly REQUIRED_FIELDS_VALUE_NOT_SCALAR: "REQUIRED_FIELDS_VALUE_NOT_SCALAR";
+    readonly UNSUPPORTED_VERIFICATION_KIND: "UNSUPPORTED_VERIFICATION_KIND";
+    readonly DUPLICATE_EFFECT_ID: "DUPLICATE_EFFECT_ID";
+    readonly RELATIONAL_EXPECT_VALUE_INVALID: "RELATIONAL_EXPECT_VALUE_INVALID";
+    readonly RELATIONAL_SUM_COLUMN_REQUIRED: "RELATIONAL_SUM_COLUMN_REQUIRED";
+    readonly EQUALITY_DUPLICATE_COLUMN: "EQUALITY_DUPLICATE_COLUMN";
+    readonly FILTER_EQ_OVERLAPS_IDENTITY: "FILTER_EQ_OVERLAPS_IDENTITY";
+};
+/** SQL reconciliation / policy / pipeline step `reasons[].code` values (post-resolution verification axis). */
+export declare const SQL_VERIFICATION_OUTCOME_CODE: {
+    readonly ROW_ABSENT: "ROW_ABSENT";
+    readonly DUPLICATE_ROWS: "DUPLICATE_ROWS";
+    readonly ROW_SHAPE_MISMATCH: "ROW_SHAPE_MISMATCH";
+    readonly UNREADABLE_VALUE: "UNREADABLE_VALUE";
+    readonly VALUE_MISMATCH: "VALUE_MISMATCH";
+    readonly CONNECTOR_ERROR: "CONNECTOR_ERROR";
+    readonly MULTI_EFFECT_INCOMPLETE: "MULTI_EFFECT_INCOMPLETE";
+    readonly MULTI_EFFECT_ALL_FAILED: "MULTI_EFFECT_ALL_FAILED";
+    readonly MULTI_EFFECT_PARTIAL: "MULTI_EFFECT_PARTIAL";
+    readonly ROW_NOT_OBSERVED_WITHIN_WINDOW: "ROW_NOT_OBSERVED_WITHIN_WINDOW";
+    readonly MULTI_EFFECT_UNCERTAIN_WITHIN_WINDOW: "MULTI_EFFECT_UNCERTAIN_WITHIN_WINDOW";
+    readonly UNKNOWN_TOOL: "UNKNOWN_TOOL";
+    readonly RETRY_OBSERVATIONS_DIVERGE: "RETRY_OBSERVATIONS_DIVERGE";
+    readonly RELATED_ROWS_ABSENT: "RELATED_ROWS_ABSENT";
+    readonly RELATIONAL_EXPECTATION_MISMATCH: "RELATIONAL_EXPECTATION_MISMATCH";
+    readonly RELATIONAL_SCALAR_UNUSABLE: "RELATIONAL_SCALAR_UNUSABLE";
+    readonly ROW_PRESENT_WHEN_FORBIDDEN: "ROW_PRESENT_WHEN_FORBIDDEN";
+    readonly ORPHAN_ROW_DETECTED: "ORPHAN_ROW_DETECTED";
+    readonly FORBIDDEN_ROWS_STILL_PRESENT_WITHIN_WINDOW: "FORBIDDEN_ROWS_STILL_PRESENT_WITHIN_WINDOW";
+};
+export declare const UNKNOWN_TOOL: "UNKNOWN_TOOL";
+/** Fixed `code` strings on registry validation resolutionIssues / resolutionSkipped. */
+export declare const REGISTRY_VALIDATION_CODE: {
+    readonly NO_STEPS_FOR_WORKFLOW: "NO_STEPS_FOR_WORKFLOW";
+    readonly RETRY_OBSERVATIONS_DIVERGE: "RETRY_OBSERVATIONS_DIVERGE";
+    readonly UNKNOWN_TOOL: "UNKNOWN_TOOL";
+};
+//# sourceMappingURL=wireReasonCodes.d.ts.map

package/dist/wireReasonCodes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireReasonCodes.d.ts","sourceRoot":"","sources":["../src/wireReasonCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,2GAA2G;AAC3G,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;CAqBzB,CAAC;AAEX,+GAA+G;AAC/G,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;CAoBhC,CAAC;AAEX,eAAO,MAAM,YAAY,gBAA6C,CAAC;AAEvE,wFAAwF;AACxF,eAAO,MAAM,wBAAwB;;;;CAI3B,CAAC"}

package/dist/wireReasonCodes.js

@@ -0,0 +1,57 @@
+/**
+ * Sole definition of emitted step / resolver `reason.code` and registry validation resolution codes.
+ * Pair with wireReasonEmittersGuard.test.ts (six emitter files only).
+ */
+/** Resolver / registry parameter resolution failures (`{ ok: false }` from resolveVerificationRequest). */
+export const REGISTRY_RESOLVER_CODE = {
+    CONST_STRING_EMPTY: "CONST_STRING_EMPTY",
+    STRING_SPEC_POINTER_MISSING: "STRING_SPEC_POINTER_MISSING",
+    STRING_SPEC_TYPE: "STRING_SPEC_TYPE",
+    STRING_SPEC_EMPTY: "STRING_SPEC_EMPTY",
+    KEY_VALUE_POINTER_MISSING: "KEY_VALUE_POINTER_MISSING",
+    KEY_VALUE_NOT_SCALAR: "KEY_VALUE_NOT_SCALAR",
+    KEY_VALUE_SPEC_INVALID: "KEY_VALUE_SPEC_INVALID",
+    TABLE_POINTER_INVALID: "TABLE_POINTER_INVALID",
+    TABLE_SPEC_INVALID: "TABLE_SPEC_INVALID",
+    INVALID_IDENTIFIER: "INVALID_IDENTIFIER",
+    REQUIRED_FIELDS_POINTER_MISSING: "REQUIRED_FIELDS_POINTER_MISSING",
+    REQUIRED_FIELDS_NOT_OBJECT: "REQUIRED_FIELDS_NOT_OBJECT",
+    REQUIRED_FIELDS_VALUE_UNDEFINED: "REQUIRED_FIELDS_VALUE_UNDEFINED",
+    REQUIRED_FIELDS_VALUE_NOT_SCALAR: "REQUIRED_FIELDS_VALUE_NOT_SCALAR",
+    UNSUPPORTED_VERIFICATION_KIND: "UNSUPPORTED_VERIFICATION_KIND",
+    DUPLICATE_EFFECT_ID: "DUPLICATE_EFFECT_ID",
+    RELATIONAL_EXPECT_VALUE_INVALID: "RELATIONAL_EXPECT_VALUE_INVALID",
+    RELATIONAL_SUM_COLUMN_REQUIRED: "RELATIONAL_SUM_COLUMN_REQUIRED",
+    EQUALITY_DUPLICATE_COLUMN: "EQUALITY_DUPLICATE_COLUMN",
+    FILTER_EQ_OVERLAPS_IDENTITY: "FILTER_EQ_OVERLAPS_IDENTITY",
+};
+/** SQL reconciliation / policy / pipeline step `reasons[].code` values (post-resolution verification axis). */
+export const SQL_VERIFICATION_OUTCOME_CODE = {
+    ROW_ABSENT: "ROW_ABSENT",
+    DUPLICATE_ROWS: "DUPLICATE_ROWS",
+    ROW_SHAPE_MISMATCH: "ROW_SHAPE_MISMATCH",
+    UNREADABLE_VALUE: "UNREADABLE_VALUE",
+    VALUE_MISMATCH: "VALUE_MISMATCH",
+    CONNECTOR_ERROR: "CONNECTOR_ERROR",
+    MULTI_EFFECT_INCOMPLETE: "MULTI_EFFECT_INCOMPLETE",
+    MULTI_EFFECT_ALL_FAILED: "MULTI_EFFECT_ALL_FAILED",
+    MULTI_EFFECT_PARTIAL: "MULTI_EFFECT_PARTIAL",
+    ROW_NOT_OBSERVED_WITHIN_WINDOW: "ROW_NOT_OBSERVED_WITHIN_WINDOW",
+    MULTI_EFFECT_UNCERTAIN_WITHIN_WINDOW: "MULTI_EFFECT_UNCERTAIN_WITHIN_WINDOW",
+    UNKNOWN_TOOL: "UNKNOWN_TOOL",
+    RETRY_OBSERVATIONS_DIVERGE: "RETRY_OBSERVATIONS_DIVERGE",
+    RELATED_ROWS_ABSENT: "RELATED_ROWS_ABSENT",
+    RELATIONAL_EXPECTATION_MISMATCH: "RELATIONAL_EXPECTATION_MISMATCH",
+    RELATIONAL_SCALAR_UNUSABLE: "RELATIONAL_SCALAR_UNUSABLE",
+    ROW_PRESENT_WHEN_FORBIDDEN: "ROW_PRESENT_WHEN_FORBIDDEN",
+    ORPHAN_ROW_DETECTED: "ORPHAN_ROW_DETECTED",
+    FORBIDDEN_ROWS_STILL_PRESENT_WITHIN_WINDOW: "FORBIDDEN_ROWS_STILL_PRESENT_WITHIN_WINDOW",
+};
+export const UNKNOWN_TOOL = SQL_VERIFICATION_OUTCOME_CODE.UNKNOWN_TOOL;
+/** Fixed `code` strings on registry validation resolutionIssues / resolutionSkipped. */
+export const REGISTRY_VALIDATION_CODE = {
+    NO_STEPS_FOR_WORKFLOW: "NO_STEPS_FOR_WORKFLOW",
+    RETRY_OBSERVATIONS_DIVERGE: "RETRY_OBSERVATIONS_DIVERGE",
+    UNKNOWN_TOOL: "UNKNOWN_TOOL",
+};
+//# sourceMappingURL=wireReasonCodes.js.map

package/dist/wireReasonCodes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireReasonCodes.js","sourceRoot":"","sources":["../src/wireReasonCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,2GAA2G;AAC3G,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,kBAAkB,EAAE,oBAAoB;IACxC,2BAA2B,EAAE,6BAA6B;IAC1D,gBAAgB,EAAE,kBAAkB;IACpC,iBAAiB,EAAE,mBAAmB;IACtC,yBAAyB,EAAE,2BAA2B;IACtD,oBAAoB,EAAE,sBAAsB;IAC5C,sBAAsB,EAAE,wBAAwB;IAChD,qBAAqB,EAAE,uBAAuB;IAC9C,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,+BAA+B,EAAE,iCAAiC;IAClE,0BAA0B,EAAE,4BAA4B;IACxD,+BAA+B,EAAE,iCAAiC;IAClE,gCAAgC,EAAE,kCAAkC;IACpE,6BAA6B,EAAE,+BAA+B;IAC9D,mBAAmB,EAAE,qBAAqB;IAC1C,+BAA+B,EAAE,iCAAiC;IAClE,8BAA8B,EAAE,gCAAgC;IAChE,yBAAyB,EAAE,2BAA2B;IACtD,2BAA2B,EAAE,6BAA6B;CAClD,CAAC;AAEX,+GAA+G;AAC/G,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,UAAU,EAAE,YAAY;IACxB,cAAc,EAAE,gBAAgB;IAChC,kBAAkB,EAAE,oBAAoB;IACxC,gBAAgB,EAAE,kBAAkB;IACpC,cAAc,EAAE,gBAAgB;IAChC,eAAe,EAAE,iBAAiB;IAClC,uBAAuB,EAAE,yBAAyB;IAClD,uBAAuB,EAAE,yBAAyB;IAClD,oBAAoB,EAAE,sBAAsB;IAC5C,8BAA8B,EAAE,gCAAgC;IAChE,oCAAoC,EAAE,sCAAsC;IAC5E,YAAY,EAAE,cAAc;IAC5B,0BAA0B,EAAE,4BAA4B;IACxD,mBAAmB,EAAE,qBAAqB;IAC1C,+BAA+B,EAAE,iCAAiC;IAClE,0BAA0B,EAAE,4BAA4B;IACxD,0BAA0B,EAAE,4BAA4B;IACxD,mBAAmB,EAAE,qBAAqB;IAC1C,0CAA0C,EAAE,4CAA4C;CAChF,CAAC;AAEX,MAAM,CAAC,MAAM,YAAY,GAAG,6BAA6B,CAAC,YAAY,CAAC;AAEvE,wFAAwF;AACxF,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,qBAAqB,EAAE,uBAAuB;IAC9C,0BAA0B,EAAE,4BAA4B;IACxD,YAAY,EAAE,cAAc;CACpB,CAAC"}

package/dist/wireReasonEmittersGuard.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=wireReasonEmittersGuard.test.d.ts.map

package/dist/wireReasonEmittersGuard.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireReasonEmittersGuard.test.d.ts","sourceRoot":"","sources":["../src/wireReasonEmittersGuard.test.ts"],"names":[],"mappings":""}

package/dist/wireReasonEmittersGuard.test.js

@@ -0,0 +1,36 @@
+import { describe, expect, it } from "vitest";
+import { readFileSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+const root = path.join(path.dirname(fileURLToPath(import.meta.url)), "..");
+const EMITTER_FILES = [
+    "reconciler.ts",
+    "multiEffectRollup.ts",
+    "relationalInvariant.ts",
+    "verificationPolicy.ts",
+    "resolveExpectation.ts",
+    "pipeline.ts",
+    "registryValidation.ts",
+];
+const CODE_STRING_LITERAL = /\bcode\s*:\s*"([A-Z][A-Z0-9_]*)"/g;
+function stripWholeLineComments(src) {
+    return src
+        .split("\n")
+        .filter((line) => {
+        const t = line.trimStart();
+        return !t.startsWith("//");
+    })
+        .join("\n");
+}
+describe("wireReasonEmittersGuard", () => {
+    it("emitter files contain no code: \"UPPER_SNAKE\" property literals", () => {
+        for (const rel of EMITTER_FILES) {
+            const p = path.join(root, "src", rel);
+            const raw = readFileSync(p, "utf8");
+            const body = stripWholeLineComments(raw);
+            const matches = [...body.matchAll(CODE_STRING_LITERAL)];
+            expect(matches, rel).toEqual([]);
+        }
+    });
+});
+//# sourceMappingURL=wireReasonEmittersGuard.test.js.map

package/dist/wireReasonEmittersGuard.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireReasonEmittersGuard.test.js","sourceRoot":"","sources":["../src/wireReasonEmittersGuard.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;AAE3E,MAAM,aAAa,GAAG;IACpB,eAAe;IACf,sBAAsB;IACtB,wBAAwB;IACxB,uBAAuB;IACvB,uBAAuB;IACvB,aAAa;IACb,uBAAuB;CACxB,CAAC;AAEF,MAAM,mBAAmB,GAAG,mCAAmC,CAAC;AAEhE,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAO,GAAG;SACP,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACf,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC3B,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC;SACD,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;YACtC,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YACpC,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACnC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/withWorkflowVerification.persistBundle.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=withWorkflowVerification.persistBundle.test.d.ts.map

package/dist/withWorkflowVerification.persistBundle.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"withWorkflowVerification.persistBundle.test.d.ts","sourceRoot":"","sources":["../src/withWorkflowVerification.persistBundle.test.ts"],"names":[],"mappings":""}

package/dist/withWorkflowVerification.persistBundle.test.js

@@ -0,0 +1,104 @@
+import { generateKeyPairSync } from "node:crypto";
+import { readFileSync, writeFileSync, mkdtempSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { fileURLToPath } from "node:url";
+import { DatabaseSync } from "node:sqlite";
+import { describe, expect, it, beforeAll, afterAll } from "vitest";
+import { normalizeSpkiPemForSidecar } from "./workflowResultSignature.js";
+import { loadCorpusRun, resolveCorpusRootReal } from "./debugCorpus.js";
+import { withWorkflowVerification } from "./pipeline.js";
+import { verifyRunBundleSignature } from "./verifyRunBundleSignature.js";
+const root = join(fileURLToPath(import.meta.url), "..", "..");
+describe("withWorkflowVerification persistBundle", () => {
+    let workDir;
+    let dbPath;
+    beforeAll(() => {
+        workDir = mkdtempSync(join(tmpdir(), "etl-wfv-persist-"));
+        dbPath = join(workDir, "demo.db");
+        const sql = readFileSync(join(root, "examples", "seed.sql"), "utf8");
+        const db = new DatabaseSync(dbPath);
+        db.exec(sql);
+        db.close();
+    });
+    afterAll(() => {
+        rmSync(workDir, { recursive: true, force: true });
+    });
+    it("writes a bundle that loadCorpusRun loads as ok with one verified step", async () => {
+        const eventsPath = join(root, "examples", "events.ndjson");
+        const registryPath = join(root, "examples", "tools.json");
+        const wfId = "wf_complete";
+        const lines = readFileSync(eventsPath, "utf8").split(/\r?\n/).filter((l) => l.trim().length > 0);
+        const events = lines.map((l) => JSON.parse(l)).filter((e) => e.workflowId === wfId);
+        const bundleParent = mkdtempSync(join(tmpdir(), "etl-persist-out-"));
+        const runId = "hook_run";
+        const outDir = join(bundleParent, runId);
+        try {
+            const result = await withWorkflowVerification({
+                workflowId: wfId,
+                registryPath,
+                dbPath,
+                truthReport: () => { },
+                persistBundle: { outDir },
+            }, (observeStep) => {
+                for (const ev of events) {
+                    observeStep(ev);
+                }
+            });
+            expect(result.steps.length).toBe(1);
+            expect(result.steps[0].status).toBe("verified");
+            const loaded = loadCorpusRun(resolveCorpusRootReal(bundleParent), runId);
+            expect(loaded.loadStatus).toBe("ok");
+            const written = readFileSync(join(outDir, "events.ndjson"), "utf8").trim().split(/\r?\n/);
+            expect(written.length).toBe(1);
+            expect(JSON.parse(written[0])).toEqual(events[0]);
+        }
+        finally {
+            rmSync(bundleParent, { recursive: true, force: true });
+        }
+    });
+    it("persistBundle with ed25519PrivateKeyPemPath writes v2 bundle verifiable by verifyRunBundleSignature", async () => {
+        const eventsPath = join(root, "examples", "events.ndjson");
+        const registryPath = join(root, "examples", "tools.json");
+        const wfId = "wf_complete";
+        const lines = readFileSync(eventsPath, "utf8").split(/\r?\n/).filter((l) => l.trim().length > 0);
+        const events = lines.map((l) => JSON.parse(l)).filter((e) => e.workflowId === wfId);
+        const bundleParent = mkdtempSync(join(tmpdir(), "etl-persist-sign-"));
+        const runId = "hook_signed";
+        const outDir = join(bundleParent, runId);
+        const { privateKey, publicKey } = generateKeyPairSync("ed25519");
+        const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
+        const publicPem = publicKey.export({ type: "spki", format: "pem" });
+        const keyPath = join(bundleParent, "private.pem");
+        const pubPath = join(bundleParent, "public.pem");
+        writeFileSync(keyPath, privatePem, "utf8");
+        writeFileSync(pubPath, normalizeSpkiPemForSidecar(publicPem), "utf8");
+        try {
+            await withWorkflowVerification({
+                workflowId: wfId,
+                registryPath,
+                dbPath,
+                truthReport: () => { },
+                persistBundle: { outDir, ed25519PrivateKeyPemPath: keyPath },
+            }, (observeStep) => {
+                for (const ev of events) {
+                    observeStep(ev);
+                }
+            });
+            const loaded = loadCorpusRun(resolveCorpusRootReal(bundleParent), runId);
+            expect(loaded.loadStatus).toBe("ok");
+            if (loaded.loadStatus !== "ok")
+                return;
+            expect(loaded.agentRunRecord.schemaVersion).toBe(2);
+            if (loaded.agentRunRecord.schemaVersion !== 2)
+                return;
+            expect(loaded.agentRunRecord.artifacts.workflowResultSignature.relativePath).toBe("workflow-result.sig.json");
+            const vr = verifyRunBundleSignature(outDir, pubPath);
+            expect(vr).toEqual({ ok: true });
+        }
+        finally {
+            rmSync(bundleParent, { recursive: true, force: true });
+        }
+    });
+});
+//# sourceMappingURL=withWorkflowVerification.persistBundle.test.js.map