agentskeptic 0.2.1 → 1.0.1

package/dist/cli.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 import { randomUUID } from "node:crypto";
-import { readFileSync, statSync } from "fs";
+import { readFileSync, statSync, writeSync } from "fs";
 import path from "path";
 import { CLI_OPERATIONAL_CODES, cliErrorEnvelope, formatOperationalMessage, } from "./failureCatalog.js";
-import { buildRunComparisonReport, formatRunComparisonReport, } from "./runComparison.js";
+import { buildRegressionArtifactFromCompareManifest, stringifyRegressionArtifact } from "./regressionArtifact.js";
 import { buildExecutionTraceView, formatExecutionTraceText } from "./executionTrace.js";
 import { loadEventsForWorkflow } from "./loadEvents.js";
-import { argValue, argValues, parseQuickCliArgs } from "./cliArgv.js";
+import { argValue, parseQuickCliArgs } from "./cliArgv.js";
 import { runEnforce } from "./enforceCli.js";
 import { formatRegistryValidationHumanReport, validateToolsRegistry, } from "./registryValidation.js";
 import { loadSchemaValidator } from "./schemaLoad.js";
@@ -17,23 +17,21 @@ import { normalizeToEmittedWorkflowResult } from "./workflowResultNormalize.js";
 import { debugServerEntryUrl, loadCorpusBundle, logCorpusLoadErrors, startDebugServerOnPort, } from "./debugServer.js";
 import { assertPlanPathInsideRepo, buildPlanTransitionEventsNdjson, buildPlanTransitionWorkflowResult, resolveCommitSha, sha256HexOfFile, } from "./planTransition.js";
 import { PLAN_TRANSITION_WORKFLOW_ID } from "./planTransitionConstants.js";
-import { COMPARE_INPUT_RUN_LEVEL_INCONSISTENT_MESSAGE } from "./runLevelDriftMessages.js";
-import { isV9RunLevelCodesInconsistent } from "./workflowRunLevelConsistency.js";
-import { formatWorkflowTruthReport } from "./workflowTruthReport.js";
-import { workflowEngineResultFromEmitted } from "./workflowResultNormalize.js";
+import { buildOutcomeCertificateFromWorkflowResult } from "./outcomeCertificate.js";
 import { atomicWriteUtf8File } from "./quickVerify/atomicWrite.js";
 import { buildQuickContractEventsNdjson } from "./quickVerify/buildQuickContractEventsNdjson.js";
 import { stableStringify } from "./quickVerify/canonicalJson.js";
-import { formatQuickVerifyHumanReport } from "./quickVerify/formatQuickVerifyHumanReport.js";
+import { buildOutcomeCertificateFromQuickReport } from "./outcomeCertificate.js";
 import { runQuickVerifyToValidatedReport } from "./quickVerify/runQuickVerify.js";
 import { checkAssuranceReportStale } from "./assurance/checkStale.js";
+import { buildAssuranceRunOutput, buildAssuranceStaleOutput, validateAndSerializeAssuranceOutput, } from "./assurance/buildAssuranceOutput.js";
 import { runAssuranceFromManifest } from "./assurance/runAssurance.js";
+import { newActivationHttpCorrelationId } from "./commercial/activationCorrelation.js";
 import { runLicensePreflightIfNeeded } from "./commercial/licensePreflight.js";
 import { postVerifyOutcomeBeacon } from "./commercial/postVerifyOutcomeBeacon.js";
 import { quickVerifyVerdictToTerminalStatus } from "./commercial/quickVerifyFunnelTerminalStatus.js";
 import { classifyQuickVerifyWorkload } from "./commercial/verifyWorkloadClassify.js";
 import { LICENSE_PREFLIGHT_ENABLED } from "./generated/commercialBuildFlags.js";
-import { orchestrateVerifyBatchLockRun, orchestrateVerifyQuickLockRun } from "./cli/lockOrchestration.js";
 import { formatDistributionFooter } from "./distributionFooter.js";
 import { postPublicVerificationReport } from "./shareReport/postPublicVerificationReport.js";
 import { runBootstrapSubcommand } from "./bootstrap/runBootstrapSubcommand.js";
@@ -43,17 +41,18 @@ import { maybeEmitOssClaimTicketUrlToStderr } from "./telemetry/maybeEmitOssClai
 import { classifyWorkflowLineage } from "./funnel/workflowLineageClassify.js";
 import { postProductActivationEvent } from "./telemetry/postProductActivationEvent.js";
 import { runFunnelAnonCliAndExit } from "./cli/runFunnelAnonSet.js";
+import { fetchCurrentUsage } from "./commercial/getCurrentUsage.js";
 function usageQuick() {
     return `Usage:
   agentskeptic quick --input <path> (--postgres-url <url> | --db <sqlitePath>) --export-registry <path>
-    [--emit-events <path>] [--workflow-id <id>] [--share-report-origin <https://host>]
+    [--emit-events <path>] [--workflow-id <id>] [--share-report-origin <https://host>] [--no-human-report]
 
   Input must contain structured tool activity (tool names and parameters extractable as JSON). Verification uses read-only SQL against the database you pass.
 
   Use - for stdin. Writes registry JSON array atomically, then optional events file, then stdout (see docs/quick-verify-normative.md).
   With --share-report-origin, human stderr is deferred until after a successful POST (same contract as batch verify; see docs/shareable-verification-reports.md).
 
-  Optional CI lock: exactly one of --output-lock <path> or --expect-lock <path> (same OSS/commercial split as batch; see docs/ci-enforcement.md).
+  CI enforcement over time is provided by "agentskeptic enforce" (stateful, paid). Lock flags are no longer supported on quick.
 
 Exit codes:
   0  verdict pass
@@ -71,8 +70,8 @@ function usageVerify() {
   agentskeptic bootstrap --input <path> (--db <sqlitePath> | --postgres-url <url>) --out <path>
     (BootstrapPackInput v1 JSON → contract pack + in-process verify; see docs/bootstrap-pack-normative.md)
 
-  agentskeptic crossing --bootstrap-input <path> --pack-out <path> (--db <sqlitePath> | --postgres-url <url>) [--no-truth-report]
-  agentskeptic crossing --workflow-id <id> --events <path> --registry <path> (--db <sqlitePath> | --postgres-url <url>) [--no-truth-report]
+  agentskeptic crossing --bootstrap-input <path> --pack-out <path> (--db <sqlitePath> | --postgres-url <url>) [--no-human-report]
+  agentskeptic crossing --workflow-id <id> --events <path> --registry <path> (--db <sqlitePath> | --postgres-url <url>) [--no-human-report]
     (canonical integrator crossing: bootstrap-led or pack-led; see docs/crossing-normative.md)
 
   agentskeptic verify-integrator-owned --workflow-id <id> --events <path> --registry <path> (--db <sqlitePath> | --postgres-url <url>)
@@ -81,8 +80,9 @@ function usageVerify() {
   agentskeptic --workflow-id <id> --events <path> --registry <path> --db <sqlitePath>
   agentskeptic --workflow-id <id> --events <path> --registry <path> --postgres-url <url>
 
-  Optional CI lock: append exactly one of --output-lock <path> or --expect-lock <path>
-  (OSS: --output-lock only; commercial: both; see docs/ci-enforcement.md and docs/commercial-enforce-gate-normative.md).
+  Stateful CI enforcement uses:
+  agentskeptic enforce --workflow-id <id> --events <path> --registry <path> (--db <sqlitePath> | --postgres-url <url>)
+  with optional --create-baseline or --accept-drift.
 
 Optional consistency (default strong):
   --consistency strong|eventual
@@ -95,18 +95,18 @@ With strong, do not pass --verification-window-ms or --poll-interval-ms.
 Provide exactly one of --db or --postgres-url.
 
 Optional output:
-  --no-truth-report   For verdict exits 0–2, do not print the human truth report to stderr (stderr empty). stdout WorkflowResult JSON is unchanged. Exit 3 stderr is unchanged (single-line JSON envelope).
-  --share-report-origin <https://host>   After successful verification, POST a shareable report to that origin (https only, origin with no path), then print human report + footer to stderr and WorkflowResult JSON to stdout. On POST failure: exit 3, stdout empty, stderr single-line JSON envelope (code SHARE_REPORT_FAILED). See docs/shareable-verification-reports.md.
+  --no-human-report   For verdict exits 0–2, do not print certificate.humanReport or distribution footer to stderr (stderr empty). stdout Outcome Certificate JSON is unchanged. Exit 3 stderr is unchanged (single-line JSON envelope).
+  --share-report-origin <https://host>   After successful verification, POST a shareable report (v2 envelope) to that origin (https only, origin with no path), then print human report + footer to stderr and Outcome Certificate JSON to stdout. On POST failure: exit 3, stdout empty, stderr single-line JSON envelope (code SHARE_REPORT_FAILED). See docs/shareable-verification-reports.md.
 
 Exit codes:
   0  workflow status complete
   1  workflow status inconsistent
   2  workflow status incomplete
   3  operational failure (see stderr JSON)
-  4  CI lock mismatch with --expect-lock (stdout: WorkflowResult line; stderr: envelope after human report if any)
+  4  reserved for stateful enforce drift mismatch
 
-  agentskeptic compare --prior <path> [--prior <path> ...] --current <path>
-  Compare saved WorkflowResult JSON files (local only; see docs).
+  agentskeptic compare --manifest <compare-run-manifest.json>
+  Compare runs from a manifest (workflow results + events paths; see docs/regression-artifact-normative.md).
 
   agentskeptic validate-registry --registry <path>
   agentskeptic validate-registry --registry <path> --events <path> --workflow-id <id>
@@ -116,9 +116,9 @@ Exit codes:
   agentskeptic execution-trace --workflow-id <id> --events <path> [--workflow-result <path>] [--format json|text]
   Emit ExecutionTraceView JSON or text (see docs/agentskeptic.md).
 
-  agentskeptic enforce batch (--expect-lock <path> | --output-lock <path>) <same flags as batch verify>
-  agentskeptic enforce quick (--expect-lock <path> | --output-lock <path>) <same flags as quick>
-  CI enforcement with pinned ci-lock-v1 (see docs/ci-enforcement.md).
+  agentskeptic enforce --workflow-id <id> --events <path> --registry <path> (--db <sqlitePath> | --postgres-url <url>)
+    [--create-baseline | --accept-drift]
+  CI enforcement over time (stateful baseline/drift workflow).
 
   agentskeptic assurance run --manifest <path> [--write-report <path>]
   agentskeptic assurance stale --report <path> --max-age-hours <n>
@@ -139,12 +139,24 @@ Advanced / optional (persisted runs, signing, local UI, plan/git checks):
 
   --help, -h  print this message and exit 0`;
 }
+function usageCurrentCommand() {
+    return `Usage:
+  agentskeptic usage [--json]
+
+Shows current commercial quota usage from GET /api/v1/usage/current.
+
+Exit codes:
+  0  success
+  3  operational failure (stderr: JSON envelope)
+
+  --help, -h  print this message and exit 0`;
+}
 function usageVerifyIntegratorOwned() {
     return `Usage:
   agentskeptic verify-integrator-owned --workflow-id <id> --events <path> --registry <path> --db <sqlitePath>
   agentskeptic verify-integrator-owned --workflow-id <id> --events <path> --registry <path> --postgres-url <url>
 
-  Same flags and verification semantics as contract batch verify, except paths classified as bundled_examples are rejected (exit 2; stderr: INTEGRATOR_OWNED_GATE). CI lock flags (--output-lock / --expect-lock) are not supported here—use standard batch verify for lock flows.
+  Same flags and verification semantics as contract batch verify, except paths classified as bundled_examples are rejected (exit 2; stderr: INTEGRATOR_OWNED_GATE).
 
   See docs/agentskeptic.md (Integrator-owned gate).
 
@@ -294,13 +306,13 @@ function runExecutionTraceSubcommand(args) {
 }
 function usageCompare() {
     return `Usage:
-  agentskeptic compare --prior <workflowResult.json> [--prior <path> ...] --current <workflowResult.json>
+  agentskeptic compare --manifest <compare-run-manifest.json>
 
-Compares the current run (last file) against the immediate prior run (last --prior).
-Recurrence uses all runs in order: each --prior in order, then --current.
+  Manifest schema: schemas/compare-run-manifest-v1.schema.json.
+  Success: stdout is UTF-8 RegressionArtifactV1 JSON (sorted keys); stderr is artifact.humanText only.
 
 Exit codes:
-  0  comparison succeeded (stdout: RunComparisonReport JSON; stderr: human summary)
+  0  comparison succeeded
   3  operational failure (stderr: JSON envelope only; stdout empty)
 
   --help, -h  print this message and exit 0`;
@@ -315,8 +327,13 @@ function usageAssurance() {
 
   assurance run executes each manifest scenario by spawning this CLI (schemas/assurance-manifest-v1.schema.json).
   Path arguments in each scenario argv are resolved relative to the manifest file's directory unless absolute.
+  Successful stdout is a single JSON line: schemas/assurance-output-v1.schema.json (kind assurance_run) with
+  embedded runReport (schemas/assurance-run-report-v1.schema.json). Scenario spawn wall time is capped by
+  AGENTSKEPTIC_ASSURANCE_SCENARIO_TIMEOUT_MS (default 900000 ms); timed-out scenarios record exitCode 124.
 
   assurance stale exits 1 when the report issuedAt is older than max-age-hours (UTC wall clock).
+  Successful stdout is one JSON line (kind assurance_stale). issuedAt more than ~5 minutes in the future
+  is exit 3 (ASSURANCE_REPORT_ISSUED_AT_FUTURE_SKEW). Human stale stderr is not used.
 
 Exit codes (run):
   0  all scenarios exited 0
@@ -349,7 +366,15 @@ function runAssuranceSubcommand(args) {
             writeCliError(res.code, res.message);
             process.exit(3);
         }
-        const line = `${JSON.stringify(res.report)}\n`;
+        let line;
+        try {
+            line = validateAndSerializeAssuranceOutput(buildAssuranceRunOutput(res.report));
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(`assurance output: ${msg}`));
+            process.exit(3);
+        }
         try {
             process.stdout.write(line);
         }
@@ -387,11 +412,29 @@ function runAssuranceSubcommand(args) {
             writeCliError(st.code, st.message);
             process.exit(3);
         }
-        if (st.kind === "stale") {
-            process.stderr.write("AssuranceRunReport issuedAt is older than --max-age-hours.\n");
-            process.exit(1);
+        let staleLine;
+        try {
+            staleLine = validateAndSerializeAssuranceOutput(buildAssuranceStaleOutput({
+                fresh: st.kind === "fresh",
+                issuedAt: st.issuedAt,
+                ageMs: st.ageMs,
+                maxAgeHours: st.maxAgeHours,
+            }));
         }
-        process.exit(0);
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(`assurance output: ${msg}`));
+            process.exit(3);
+        }
+        try {
+            process.stdout.write(staleLine);
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(`stdout: ${msg}`));
+            process.exit(3);
+        }
+        process.exit(st.kind === "fresh" ? 0 : 1);
     }
     writeCliError(CLI_OPERATIONAL_CODES.ASSURANCE_USAGE, "Use agentskeptic assurance run or agentskeptic assurance stale.");
     process.exit(3);
@@ -401,18 +444,10 @@ async function runQuickSubcommand(args) {
         console.log(usageQuick());
         process.exit(0);
     }
-    const expectLockQ = argValue(args, "--expect-lock");
-    const outputLockQ = argValue(args, "--output-lock");
-    const hasExpectQ = expectLockQ !== undefined;
-    const hasOutputQ = outputLockQ !== undefined;
-    if (hasExpectQ && hasOutputQ) {
-        writeCliError(CLI_OPERATIONAL_CODES.ENFORCE_USAGE, "quick requires exactly one of --expect-lock <path> or --output-lock <path>.");
+    if (argValue(args, "--expect-lock") !== undefined || argValue(args, "--output-lock") !== undefined) {
+        writeCliError(CLI_OPERATIONAL_CODES.ENFORCE_USAGE, "Lock flags are removed. Use `agentskeptic verify` for stateless checks or `agentskeptic enforce` for stateful CI enforcement.");
         process.exit(3);
     }
-    if (hasExpectQ !== hasOutputQ) {
-        await orchestrateVerifyQuickLockRun(args);
-        return;
-    }
     let pq;
     try {
         pq = parseQuickCliArgs(args);
@@ -424,13 +459,17 @@ async function runQuickSubcommand(args) {
         }
         throw e;
     }
-    const { inputPath, exportPath, emitEventsPath, workflowIdQuick, dbPath, postgresUrl, shareReportOrigin } = pq;
+    const { inputPath, exportPath, emitEventsPath, workflowIdQuick, dbPath, postgresUrl, shareReportOrigin, noHumanReport, } = pq;
     const activationRunId = process.env.AGENTSKEPTIC_RUN_ID?.trim() ||
         process.env.WORKFLOW_VERIFIER_RUN_ID?.trim() ||
         randomUUID();
+    const quickHttpCorrelationId = newActivationHttpCorrelationId();
     let quickPreflight;
     try {
-        quickPreflight = await runLicensePreflightIfNeeded("verify", { runId: activationRunId });
+        quickPreflight = await runLicensePreflightIfNeeded("verify", {
+            runId: activationRunId,
+            xRequestId: quickHttpCorrelationId,
+        });
     }
     catch (e) {
         if (e instanceof TruthLayerError) {
@@ -523,20 +562,22 @@ async function runQuickSubcommand(args) {
             process.exit(3);
         }
     }
-    const human = formatQuickVerifyHumanReport(report, {
+    const quickHumanOpts = {
         workflowId: workflowIdQuick,
         eventsPath: emitEventsPath !== undefined ? emitEventsPath : undefined,
         registryPath: exportPath,
         dbFlag: dbPath ?? undefined,
         postgresUrl: postgresUrl !== undefined,
+    };
+    const certificate = buildOutcomeCertificateFromQuickReport({
+        report,
+        workflowId: workflowIdQuick,
+        humanReportOptions: quickHumanOpts,
     });
     if (shareReportOrigin !== undefined) {
         const shareRes = await postPublicVerificationReport(shareReportOrigin, {
-            schemaVersion: 1,
-            kind: "quick",
-            workflowDisplayId: workflowIdQuick,
-            quickReport: report,
-            humanReportText: human,
+            schemaVersion: 2,
+            certificate,
         });
         if (!shareRes.ok) {
             writeCliError(CLI_OPERATIONAL_CODES.SHARE_REPORT_FAILED, formatOperationalMessage(`share_report_origin=${shareReportOrigin} http_status=${String(shareRes.status)} detail=${shareRes.bodySnippet}`));
@@ -544,27 +585,32 @@ async function runQuickSubcommand(args) {
         }
     }
     try {
-        process.stdout.write(stableStringify(report) + "\n");
+        writeSync(1, `${stableStringify(certificate)}\n`);
     }
     catch (e) {
         const msg = e instanceof Error ? e.message : String(e);
         writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(`stdout: ${msg}`));
         process.exit(3);
     }
-    console.error(human);
-    process.stderr.write(formatDistributionFooter());
+    if (!noHumanReport) {
+        console.error(certificate.humanReport);
+        process.stderr.write(formatDistributionFooter());
+    }
     await maybeEmitOssClaimTicketUrlToStderr({
         run_id: activationRunId,
         terminal_status: quickVerifyVerdictToTerminalStatus(report.verdict),
         workload_class: quickWorkloadClass,
         subcommand: "quick_verify",
         build_profile: quickBuildProfile,
+        xRequestId: quickHttpCorrelationId,
     });
     await postVerifyOutcomeBeacon({
         runId: quickPreflight.runId,
+        certificate,
         terminal_status: quickVerifyVerdictToTerminalStatus(report.verdict),
         workload_class: quickWorkloadClass,
         subcommand: "quick_verify",
+        xRequestId: quickHttpCorrelationId,
     });
     if (report.verdict === "pass")
         process.exit(0);
@@ -688,78 +734,27 @@ function runCompareSubcommand(args) {
         console.log(usageCompare());
         process.exit(0);
     }
-    const priors = argValues(args, "--prior");
-    const currentPath = argValue(args, "--current");
-    if (priors.length < 1 || !currentPath) {
-        writeCliError(CLI_OPERATIONAL_CODES.COMPARE_USAGE, "compare requires at least one --prior and --current.");
+    const manifestPath = argValue(args, "--manifest");
+    if (!manifestPath) {
+        writeCliError(CLI_OPERATIONAL_CODES.COMPARE_USAGE, "compare requires --manifest <path>.");
         process.exit(3);
     }
-    const paths = [...priors, currentPath];
-    const validateCompareInput = loadSchemaValidator("workflow-result-compare-input");
-    const results = [];
-    const displayLabels = [];
-    for (const filePath of paths) {
-        displayLabels.push(path.basename(filePath));
-        let raw;
-        try {
-            raw = readFileSync(filePath, "utf8");
-        }
-        catch (e) {
-            const msg = e instanceof Error ? e.message : String(e);
-            writeCliError(CLI_OPERATIONAL_CODES.COMPARE_INPUT_READ_FAILED, formatOperationalMessage(msg));
-            process.exit(3);
-        }
-        let parsed;
-        try {
-            parsed = JSON.parse(raw);
-        }
-        catch (e) {
-            const msg = e instanceof Error ? e.message : String(e);
-            writeCliError(CLI_OPERATIONAL_CODES.COMPARE_INPUT_JSON_SYNTAX, formatOperationalMessage(msg));
-            process.exit(3);
-        }
-        if (isV9RunLevelCodesInconsistent(parsed)) {
-            writeCliError(CLI_OPERATIONAL_CODES.COMPARE_INPUT_RUN_LEVEL_INCONSISTENT, COMPARE_INPUT_RUN_LEVEL_INCONSISTENT_MESSAGE);
-            process.exit(3);
-        }
-        if (!validateCompareInput(parsed)) {
-            writeCliError(CLI_OPERATIONAL_CODES.COMPARE_INPUT_SCHEMA_INVALID, JSON.stringify(validateCompareInput.errors ?? []));
-            process.exit(3);
-        }
-        try {
-            results.push(normalizeToEmittedWorkflowResult(parsed));
-        }
-        catch (e) {
-            if (e instanceof TruthLayerError) {
-                writeCliError(e.code, e.message);
-                process.exit(3);
-            }
-            throw e;
-        }
-    }
-    const wf0 = results[0].workflowId;
-    for (const r of results) {
-        if (r.workflowId !== wf0) {
-            writeCliError(CLI_OPERATIONAL_CODES.COMPARE_WORKFLOW_ID_MISMATCH, "All WorkflowResult inputs must share the same workflowId.");
-            process.exit(3);
-        }
-    }
-    let report;
+    let artifact;
     try {
-        report = buildRunComparisonReport(results, displayLabels);
+        const built = buildRegressionArtifactFromCompareManifest(manifestPath);
+        artifact = built.artifact;
     }
     catch (e) {
+        if (e instanceof TruthLayerError) {
+            writeCliError(e.code, e.message);
+            process.exit(3);
+        }
         const msg = e instanceof Error ? e.message : String(e);
         writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(msg));
         process.exit(3);
     }
-    const validateReport = loadSchemaValidator("run-comparison-report");
-    if (!validateReport(report)) {
-        writeCliError(CLI_OPERATIONAL_CODES.COMPARE_RUN_COMPARISON_REPORT_INVALID, JSON.stringify(validateReport.errors ?? []));
-        process.exit(3);
-    }
-    process.stderr.write(`${formatRunComparisonReport(report)}\n`);
-    console.log(JSON.stringify(report));
+    process.stderr.write(artifact.humanText.endsWith("\n") ? artifact.humanText : `${artifact.humanText}\n`);
+    process.stdout.write(`${stringifyRegressionArtifact(artifact)}\n`);
     process.exit(0);
 }
 function usageDebug() {
@@ -829,7 +824,7 @@ function usagePlanTransition() {
 
 Optional:
   --workflow-id <id>   (default ${PLAN_TRANSITION_WORKFLOW_ID})
-  --no-truth-report
+  --no-human-report
   --write-run-bundle <dir>
   --sign-ed25519-private-key <path>   (requires --write-run-bundle)
 
@@ -857,7 +852,7 @@ function runPlanTransitionSubcommand(args) {
         process.exit(3);
     }
     const workflowId = argValue(args, "--workflow-id") ?? PLAN_TRANSITION_WORKFLOW_ID;
-    const noTruthReport = args.includes("--no-truth-report");
+    const noHumanReport = args.includes("--no-human-report");
     const writeRunBundleDir = argValue(args, "--write-run-bundle");
     const signPrivateKeyPath = argValue(args, "--sign-ed25519-private-key");
     if (signPrivateKeyPath !== undefined && writeRunBundleDir === undefined) {
@@ -889,9 +884,9 @@ function runPlanTransitionSubcommand(args) {
         writeCliError(CLI_OPERATIONAL_CODES.WORKFLOW_RESULT_SCHEMA_INVALID, JSON.stringify(validateResult.errors ?? []));
         process.exit(3);
     }
-    if (!noTruthReport) {
-        const engine = workflowEngineResultFromEmitted(result);
-        process.stderr.write(`${formatWorkflowTruthReport(engine)}\n`);
+    if (!noHumanReport) {
+        const cert = buildOutcomeCertificateFromWorkflowResult(result, "contract_sql");
+        process.stderr.write(`${cert.humanReport}\n`);
     }
     if (writeRunBundleDir !== undefined) {
         try {
@@ -931,6 +926,34 @@ function runPlanTransitionSubcommand(args) {
 }
 async function main() {
     const args = process.argv.slice(2);
+    if (args[0] === "usage") {
+        const rest = args.slice(1);
+        if (rest.includes("--help") || rest.includes("-h")) {
+            console.log(usageCurrentCommand());
+            process.exit(0);
+        }
+        const asJson = rest.includes("--json");
+        try {
+            const payload = await fetchCurrentUsage();
+            if (asJson) {
+                console.log(JSON.stringify(payload));
+            }
+            else {
+                const included = payload.included_monthly === null ? "unlimited" : String(payload.included_monthly);
+                process.stdout.write(`Plan: ${payload.plan}\nMonth: ${payload.year_month}\nUsed: ${payload.used_total}\nIncluded: ${included}\nOverage: ${payload.overage_count}\nState: ${payload.quota_state}\nAllowed next: ${payload.allowed_next}\nEstimated overage USD: ${payload.estimated_overage_usd}\n`);
+            }
+            process.exit(0);
+        }
+        catch (e) {
+            if (e instanceof TruthLayerError) {
+                writeCliError(e.code, e.message);
+                process.exit(3);
+            }
+            const msg = e instanceof Error ? e.message : String(e);
+            writeCliError(CLI_OPERATIONAL_CODES.INTERNAL_ERROR, formatOperationalMessage(msg));
+            process.exit(3);
+        }
+    }
     if (args[0] === "funnel-anon") {
         await runFunnelAnonCliAndExit(args.slice(1));
         return;
@@ -990,22 +1013,10 @@ async function main() {
         }
         process.exit(0);
     }
-    const expectLockB = argValue(verifyCliArgs, "--expect-lock");
-    const outputLockB = argValue(verifyCliArgs, "--output-lock");
-    const hasExpectB = expectLockB !== undefined;
-    const hasOutputB = outputLockB !== undefined;
-    if (hasExpectB && hasOutputB) {
-        writeCliError(CLI_OPERATIONAL_CODES.ENFORCE_USAGE, "batch verify requires exactly one of --expect-lock <path> or --output-lock <path>.");
+    if (argValue(verifyCliArgs, "--expect-lock") !== undefined || argValue(verifyCliArgs, "--output-lock") !== undefined) {
+        writeCliError(CLI_OPERATIONAL_CODES.ENFORCE_USAGE, "Lock flags are removed. Use `agentskeptic enforce` for over-time CI enforcement.");
         process.exit(3);
     }
-    if (hasExpectB !== hasOutputB) {
-        if (leadIsIntegratorOwned) {
-            writeCliError(CLI_OPERATIONAL_CODES.CLI_USAGE, "verify-integrator-owned does not support --output-lock or --expect-lock; use standard contract verify for CI lock flows.");
-            process.exit(3);
-        }
-        await orchestrateVerifyBatchLockRun(verifyCliArgs);
-        return;
-    }
     await runBatchVerifyWithTelemetrySubcommand(verifyCliArgs, {
         telemetrySubcommand: leadIsIntegratorOwned ? "verify_integrator_owned" : "batch_verify",
         rejectBundled: leadIsIntegratorOwned,