agentskeptic 4.2.0 → 6.0.0

package/schemas/openapi-commercial-v1.yaml

@@ -1,7 +1,7 @@
 openapi: "3.0.3"
 info:
   title: AgentSkeptic commercial license API
-  version: "4.2.0"
+  version: "6.0.0"
   contact:
     url: https://agentskeptic.com
   x-agentskeptic-distribution:
@@ -12,7 +12,7 @@ info:
     url: https://agentskeptic.com/contract/v1.json
     version: "1.0.1"
     manifestSha256: "c5f23ec43576716c4b9a13e752cd2962a78bb4b4da1f9e521f911e15dfd80268"
-  description: "Read-only checks at verify time—not color.\n\nMachine-readable contract for license preflight used by the published npm CLI.\nBase URL is your deployed app origin (same as NEXT_PUBLIC_APP_URL).\n\nEvery path in this document returns an `x-request-id` response header on all status codes (echo a valid client `x-request-id` when supplied; otherwise server-generated). Non-2xx JSON bodies follow RFC 7807-style Problem Details (`type`, `title`, `status`, `detail`, optional `code`, `instance`) unless noted; `POST /api/v1/usage/reserve` denials additionally include legacy `allowed`, `code`, `message`, and optional `upgrade_url` for backward compatibility.\n"
+  description: "Read-only checks at verify time—not color.\n\nMachine-readable contract for license preflight used by the published npm CLI.\nBase URL is your deployed app origin (same as NEXT_PUBLIC_APP_URL).\n\nEvery path in this document returns an `x-request-id` response header on all status codes (echo a valid client `x-request-id` when supplied; otherwise server-generated). Non-2xx JSON bodies follow RFC 7807-style Problem Details (`type`, `title`, `status`, `detail`, optional `code`, `instance`) unless noted; `POST /api/v1/usage/reserve` denials additionally include legacy `allowed`, `code`, `message`, and optional `upgrade_url` for backward compatibility.\n\n**Breaking (agentskeptic 5.x):** Hosted enforcement ingestion uses `schema_version` 3 with `outcome_certificate` (Outcome Certificate v3 inner JSON, including `failureSpine`). Legacy `schema_version` 2 payloads with `outcome_certificate_v1` are rejected. `POST /api/v1/funnel/verify-outcome` requires `schema_version` 3 and `evidence_gap_primary`. `POST /api/public/verification-reports` accepts envelope `schemaVersion` 3 only. **HTTP 4xx/5xx** responses are **not** `failure-spine-v1` and are **not** Outcome Certificate-shaped; operational CLI errors use `cli-error-envelope` on stderr only.\n"
 externalDocs:
   description: "First-run integration guide"
   url: https://agentskeptic.com/integrate
@@ -125,7 +125,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
       responses:
         "200":
           description: Lifecycle transition completed
@@ -162,7 +162,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
       responses:
         "200":
           description: Check completed (match, open drift, rerun pass/fail, etc.)
@@ -187,7 +187,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementAcceptEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementAcceptEvidenceRequestV3"
       responses:
         "200":
           description: Baseline updated; rerun POST /check required before returning to trusted-only posture
@@ -315,7 +315,7 @@ paths:
       summary: Licensed verify-outcome beacon (idempotent per API key + run_id)
       description: >
         POST after a successful `POST /api/v1/usage/reserve` for the same `run_id`. Success is HTTP 204 with an empty body.
-        Requires Bearer API key. Body schemaVersion must be 2.
+        Requires Bearer API key. Body `schema_version` must be 3 (`VerifyOutcomeRequestV3`). `evidence_gap_primary` duplicates `certificate.evidenceCompleteness.blockerCategory` at CLI emission time.
       security:
         - bearerAuth: []
       requestBody:
@@ -323,7 +323,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/VerifyOutcomeRequestV2"
+              $ref: "#/components/schemas/VerifyOutcomeRequestV3"
       responses:
         "204":
           description: Beacon accepted (or duplicate ignored)
@@ -556,27 +556,28 @@ components:
       scheme: bearer
       bearerFormat: API key
   schemas:
-    EnforcementEvidenceRequestV2:
+    EnforcementEvidenceRequestV3:
       type: object
-      required: [schema_version, run_id, workflow_id, outcome_certificate_v1, material_truth_sha256, certificate_sha256]
+      required: [schema_version, run_id, workflow_id, outcome_certificate, material_truth_sha256, certificate_sha256]
       properties:
         schema_version:
           type: integer
-          const: 2
+          const: 3
         run_id:
           type: string
         workflow_id:
           type: string
-        outcome_certificate_v1:
+        outcome_certificate:
           type: object
           additionalProperties: true
+          description: Outcome Certificate v2 JSON (schemaVersion 2) including evidenceCompleteness
         material_truth_sha256:
           type: string
         certificate_sha256:
           type: string
     EnforcementFsmEnvelopeV2:
       type: object
-      description: Hosted enforcement lifecycle + verification attempt payload (schema_version 2).
+      description: Hosted enforcement lifecycle response envelope for POST /check | /baselines | /accept (schema_version 2 on responses; distinct from evidence ingestion schema_version 3).
       required: [schema_version, code]
       properties:
         schema_version:
@@ -587,9 +588,9 @@ components:
         quota_enforced_via_reserve:
           type: boolean
       additionalProperties: true
-    EnforcementAcceptEvidenceRequestV2:
+    EnforcementAcceptEvidenceRequestV3:
       allOf:
-        - $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+        - $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
         - type: object
           required: [expected_projection_hash, lifecycle_state_version]
           properties:
@@ -715,13 +716,14 @@ components:
           type: string
         code:
           type: string
-    VerifyOutcomeRequestV2:
+    VerifyOutcomeRequestV3:
       type: object
       required:
         - schema_version
         - run_id
         - workflow_id
         - trust_decision
+        - evidence_gap_primary
         - reason_codes
         - terminal_status
         - workload_class
@@ -729,7 +731,7 @@ components:
       properties:
         schema_version:
           type: integer
-          const: 2
+          const: 3
         run_id:
           type: string
           maxLength: 256
@@ -739,6 +741,24 @@ components:
         trust_decision:
           type: string
           enum: [safe, unsafe, unknown]
+        evidence_gap_primary:
+          type: string
+          enum:
+            - "none"
+            - "preview_lane"
+            - "ingest_empty"
+            - "ingest_unstructured"
+            - "registry_unknown_tool"
+            - "registry_resolution"
+            - "database_access"
+            - "timing_or_window"
+            - "witness_unavailable"
+            - "state_mismatch"
+            - "verification_incomplete"
+            - "event_sequence"
+            - "control_flow_context"
+            - "unclassified"
+          description: Mirrors Outcome Certificate evidenceCompleteness.blockerCategory at CLI emission time
         reason_codes:
           type: array
           maxItems: 8
@@ -752,7 +772,12 @@ components:
           enum: [bundled_examples, non_bundled]
         subcommand:
           type: string
-          enum: [batch_verify, quick_verify, verify_integrator_owned]
+          enum: [batch_verify, quick_verify, verify_integrator_owned, activate]
+        activation:
+          description: Present only when subcommand is activate (mirrors ActivationManifest-derived wire)
+          type: object
+          nullable: true
+          additionalProperties: true
     TrustDecisionRecordRequestV1:
       type: object
       additionalProperties: false
@@ -792,8 +817,8 @@ components:
           $ref: "#/components/schemas/TrustCertificateSnapshotRequestV1"
         human_blocker_lines:
           type: array
-          minItems: 6
-          maxItems: 6
+          minItems: 1
+          maxItems: 48
           items:
             type: string
     TrustCertificateSnapshotRequestV1:
@@ -907,8 +932,8 @@ components:
       additionalProperties: false
     PublicVerificationReportCreate:
       description: >
-        POST accepts schemaVersion 2 only: { "schemaVersion": 2, "certificate": <OutcomeCertificateV1> } per
-        schemas/public-verification-report-v2.schema.json. Legacy v1 envelopes are rejected with HTTP 400.
+        POST accepts schemaVersion 3 only: { "schemaVersion": 3, "certificate": <OutcomeCertificateV2> } per
+        schemas/public-verification-report-v3.schema.json. Legacy envelope POST bodies return HTTP 400.
       type: object
       additionalProperties: true
     PublicVerificationReportCreated:
@@ -921,7 +946,7 @@ components:
       properties:
         schemaVersion:
           type: integer
-          const: 2
+          const: 3
         id:
           type: string
           format: uuid

package/schemas/outcome-certificate-v2.schema.json

@@ -0,0 +1,93 @@
+{
+  "$id": "https://agentskeptic.com/schemas/outcome-certificate-v2.schema.json",
+  "title": "OutcomeCertificateV2",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "workflowId",
+    "runKind",
+    "stateRelation",
+    "highStakesReliance",
+    "relianceRationale",
+    "intentSummary",
+    "explanation",
+    "steps",
+    "humanReport",
+    "evidenceCompleteness"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 2 },
+    "workflowId": { "type": "string", "minLength": 1, "maxLength": 512 },
+    "runKind": {
+      "type": "string",
+      "enum": ["contract_sql", "contract_sql_langgraph_checkpoint_trust", "quick_preview"]
+    },
+    "stateRelation": {
+      "type": "string",
+      "enum": ["matches_expectations", "does_not_match", "not_established"]
+    },
+    "highStakesReliance": { "type": "string", "enum": ["permitted", "prohibited"] },
+    "relianceRationale": { "type": "string", "minLength": 1, "maxLength": 8192 },
+    "intentSummary": { "type": "string", "minLength": 1, "maxLength": 8192 },
+    "explanation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["headline", "details"],
+      "properties": {
+        "headline": { "type": "string", "minLength": 1, "maxLength": 2048 },
+        "details": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": ["code", "message"],
+            "properties": {
+              "code": { "type": "string", "minLength": 1, "maxLength": 256 },
+              "message": { "type": "string", "minLength": 1, "maxLength": 4096 }
+            }
+          }
+        }
+      }
+    },
+    "steps": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["seq", "declaredAction", "expectedOutcome", "observedOutcome"],
+        "properties": {
+          "seq": { "type": "integer", "minimum": 0 },
+          "toolId": { "type": "string", "maxLength": 512 },
+          "declaredAction": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "expectedOutcome": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "observedOutcome": { "type": "string", "minLength": 1, "maxLength": 8192 }
+        }
+      }
+    },
+    "humanReport": { "type": "string", "minLength": 1, "maxLength": 1048576 },
+    "checkpointVerdicts": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["checkpointKey", "verdict", "seqs", "productionMeaning"],
+        "properties": {
+          "checkpointKey": { "type": "string", "minLength": 1, "maxLength": 2048 },
+          "verdict": {
+            "type": "string",
+            "enum": ["verified", "inconsistent", "incomplete"]
+          },
+          "seqs": {
+            "type": "array",
+            "items": { "type": "integer", "minimum": 0 }
+          },
+          "productionMeaning": { "type": "string", "minLength": 1, "maxLength": 8192 }
+        }
+      }
+    },
+    "evidenceCompleteness": {
+      "$ref": "https://agentskeptic.com/schemas/evidence-completeness-v1.schema.json"
+    }
+  }
+}

package/schemas/outcome-certificate-v3.schema.json

@@ -0,0 +1,97 @@
+{
+  "$id": "https://agentskeptic.com/schemas/outcome-certificate-v3.schema.json",
+  "title": "OutcomeCertificateV3",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "workflowId",
+    "runKind",
+    "stateRelation",
+    "highStakesReliance",
+    "relianceRationale",
+    "intentSummary",
+    "explanation",
+    "steps",
+    "humanReport",
+    "evidenceCompleteness",
+    "failureSpine"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 3 },
+    "workflowId": { "type": "string", "minLength": 1, "maxLength": 512 },
+    "runKind": {
+      "type": "string",
+      "enum": ["contract_sql", "contract_sql_langgraph_checkpoint_trust", "quick_preview"]
+    },
+    "stateRelation": {
+      "type": "string",
+      "enum": ["matches_expectations", "does_not_match", "not_established"]
+    },
+    "highStakesReliance": { "type": "string", "enum": ["permitted", "prohibited"] },
+    "relianceRationale": { "type": "string", "minLength": 1, "maxLength": 8192 },
+    "intentSummary": { "type": "string", "minLength": 1, "maxLength": 8192 },
+    "explanation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["headline", "details"],
+      "properties": {
+        "headline": { "type": "string", "minLength": 1, "maxLength": 2048 },
+        "details": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": ["code", "message"],
+            "properties": {
+              "code": { "type": "string", "minLength": 1, "maxLength": 256 },
+              "message": { "type": "string", "minLength": 1, "maxLength": 4096 }
+            }
+          }
+        }
+      }
+    },
+    "steps": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["seq", "declaredAction", "expectedOutcome", "observedOutcome"],
+        "properties": {
+          "seq": { "type": "integer", "minimum": 0 },
+          "toolId": { "type": "string", "maxLength": 512 },
+          "declaredAction": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "expectedOutcome": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "observedOutcome": { "type": "string", "minLength": 1, "maxLength": 8192 }
+        }
+      }
+    },
+    "humanReport": { "type": "string", "minLength": 1, "maxLength": 1048576 },
+    "checkpointVerdicts": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["checkpointKey", "verdict", "seqs", "productionMeaning"],
+        "properties": {
+          "checkpointKey": { "type": "string", "minLength": 1, "maxLength": 2048 },
+          "verdict": {
+            "type": "string",
+            "enum": ["verified", "inconsistent", "incomplete"]
+          },
+          "seqs": {
+            "type": "array",
+            "items": { "type": "integer", "minimum": 0 }
+          },
+          "productionMeaning": { "type": "string", "minLength": 1, "maxLength": 8192 }
+        }
+      }
+    },
+    "evidenceCompleteness": {
+      "$ref": "https://agentskeptic.com/schemas/evidence-completeness-v1.schema.json"
+    },
+    "failureSpine": {
+      "$ref": "https://agentskeptic.com/schemas/failure-spine-v1.schema.json"
+    }
+  }
+}

package/schemas/public-verification-report-v3.schema.json

@@ -0,0 +1,15 @@
+{
+  "$id": "https://agentskeptic.com/schemas/public-verification-report-v3.schema.json",
+  "title": "PublicVerificationReportEnvelopeV3",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["schemaVersion", "certificate"],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 3 },
+    "certificate": {
+      "$ref": "https://agentskeptic.com/schemas/outcome-certificate-v3.schema.json"
+    },
+    "cliVersion": { "type": "string", "maxLength": 128 },
+    "createdFrom": { "type": "string", "maxLength": 256 }
+  }
+}

package/schemas/quick-verify-report.schema.json

@@ -12,10 +12,11 @@
     "ingest",
     "units",
     "exportableRegistry",
-    "productTruth"
+    "productTruth",
+    "evidenceCompleteness"
   ],
   "properties": {
-    "schemaVersion": { "type": "integer", "const": 4 },
+    "schemaVersion": { "type": "integer", "const": 5 },
     "verdict": { "type": "string", "enum": ["pass", "fail", "uncertain"] },
     "summary": { "type": "string", "minLength": 1 },
     "verificationMode": { "type": "string", "const": "inferred" },
@@ -246,6 +247,9 @@
         "quickVerifyProvisional": { "type": "boolean", "const": true },
         "contractReplayPartialCoverage": { "type": "boolean" }
       }
+    },
+    "evidenceCompleteness": {
+      "$ref": "https://agentskeptic.com/schemas/evidence-completeness-v1.schema.json"
     }
   }
 }

package/schemas/regression-artifact-v1.schema.json

@@ -82,7 +82,7 @@
             "enum": ["contract_sql", "contract_sql_langgraph_checkpoint_trust"]
           },
           "certificateCanonicalDigest": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
-          "certificate": { "$ref": "https://agentskeptic.com/schemas/outcome-certificate-v1.schema.json" }
+          "certificate": { "$ref": "https://agentskeptic.com/schemas/outcome-certificate-v3.schema.json" }
         }
       }
     },

package/schemas/trust-decision-record-v1.schema.json

@@ -64,9 +64,9 @@
     },
     "human_blocker_lines": {
       "type": "array",
-      "minItems": 6,
-      "maxItems": 6,
-      "items": { "type": "string", "maxLength": 4096 }
+      "minItems": 1,
+      "maxItems": 48,
+      "items": { "type": "string", "maxLength": 8192 }
     }
   }
 }

package/scripts/discovery-payload.lib.cjs

@@ -27,6 +27,9 @@ const MAX_SUMMARY_UTF8_BYTES = 65536;
 const MAX_PR_BODY_UTF8_BYTES = 10240;
 const STDERR_TAIL_LINES = 20;
 
+/** Max UTF-8 bytes of stdout parsed for Outcome Certificate JSON (`failureSpine` extraction). */
+const MAX_STDOUT_PARSE_BYTES = 262144;
+
 const REPO_ROOT = join(__dirname, "..");
 const README_ADOPTION_START = "<!-- adoption-canonical:start -->";
 const README_ADOPTION_END = "<!-- adoption-canonical:end -->";
@@ -311,8 +314,109 @@ function formatStderrBlock(stderrText) {
 }
 
 /**
- * Assemble PR body: header → optional verdict → stderr → footer → marker.
- * Truncates stderr block from the start only until UTF-8 length ≤ max.
+ * Parse workflow stdout for a single-line/single-object Outcome Certificate JSON and extract `failureSpine`.
+ * @param {string} stdoutText
+ * @returns {{ ok: true; spine: Record<string, unknown> } | { malformed: true } | { oversized: true }}
+ */
+function extractFailureSummaryFromStdout(stdoutText) {
+  const t = String(stdoutText ?? "").trim();
+  if (t.length === 0) return { malformed: true };
+  if (utf8ByteLength(t) > MAX_STDOUT_PARSE_BYTES) return { oversized: true };
+  let obj;
+  try {
+    obj = JSON.parse(t);
+  } catch {
+    return { malformed: true };
+  }
+  if (!obj || typeof obj !== "object") return { malformed: true };
+  const spine = obj.failureSpine;
+  if (!spine || typeof spine !== "object") return { malformed: true };
+  return { ok: true, spine };
+}
+
+/**
+ * @param {Record<string, unknown>} spine
+ */
+function renderFailureSummaryMarkdownFromSpine(spine) {
+  const af = /** @type {{ category: string; severity: string; recommendedAction: string; automationSafe: boolean }} */ (
+    spine.actionableFailure
+  );
+  const codes = Array.isArray(spine.primaryCodes) ? spine.primaryCodes.join(",") : "";
+  return [
+    "## Failure summary (agentskeptic)",
+    "",
+    `- trust_decision: ${spine.trustDecision}`,
+    `- summary: ${spine.summary}`,
+    `- actionable_failure: category=${af.category} severity=${af.severity} recommended_action=${af.recommendedAction} automation_safe=${af.automationSafe}`,
+    `- primary_codes: ${codes}`,
+    `- rerun_guidance: ${spine.rerunGuidance}`,
+    `- source: ${spine.source}`,
+    "",
+  ].join("\n");
+}
+
+/**
+ * @param {Record<string, unknown>} envelope — cli-error-envelope JSON
+ */
+function projectCliEnvelopeToCiMarkdown(envelope) {
+  const fd = /** @type {{ summary: string; actionableFailure: { category: string; severity: string; recommendedAction: string; automationSafe: boolean } }} */ (
+    envelope.failureDiagnosis
+  );
+  const af = fd.actionableFailure;
+  return [
+    "## Failure summary (agentskeptic)",
+    "",
+    "- trust_decision: unknown",
+    `- summary: ${fd.summary}`,
+    `- actionable_failure: category=${af.category} severity=${af.severity} recommended_action=${af.recommendedAction} automation_safe=${af.automationSafe}`,
+    "- primary_codes: _(operational)_",
+    `- rerun_guidance: ${String(envelope.message)}`,
+    "- source: operational",
+    "",
+  ].join("\n");
+}
+
+/**
+ * @param {string} line
+ */
+function tryParseCliErrorEnvelopeLine(line) {
+  const s = String(line).trim();
+  if (!s.startsWith("{")) return null;
+  try {
+    const o = JSON.parse(s);
+    if (
+      o &&
+      typeof o === "object" &&
+      o.schemaVersion === 2 &&
+      o.kind === "execution_truth_layer_error" &&
+      o.failureDiagnosis &&
+      typeof o.failureDiagnosis === "object" &&
+      o.failureDiagnosis.actionableFailure
+    ) {
+      return o;
+    }
+  } catch {
+    /* ignore */
+  }
+  return null;
+}
+
+/**
+ * @param {string} stderrText
+ * @returns {string[]}
+ */
+function extractOperationalFailureMarkdownFromStderr(stderrText) {
+  const out = [];
+  for (const line of String(stderrText).split(/\r?\n/)) {
+    const env = tryParseCliErrorEnvelopeLine(line);
+    if (env) out.push(projectCliEnvelopeToCiMarkdown(env));
+  }
+  return out;
+}
+
+/**
+ * Assemble PR body: header → optional stdout oversize note → failure summary (certificate spine and/or operational stderr) → stderr → footer → marker.
+ * Truncates stderr tail lines from the front until UTF-8 length ≤ max (failure summary retained).
  *
  * @param {Record<string, unknown>} payload
  * @param {{ stderrText: string; workflowStdoutText: string }} capture
@@ -329,12 +433,27 @@ ${String(payload.identityOneLiner)}
 
 `;
 
-  const verdictTrim = String(workflowStdoutText).trim();
-  const oneLine =
-    verdictTrim.length > 0 ? verdictTrim.split("\n")[0].slice(0, 500) : "";
-  const verdictSection = oneLine
-    ? ["## Verification stdout (first line)", "", "```", oneLine, "```", ""].join("\n")
-    : "";
+  const ext = extractFailureSummaryFromStdout(workflowStdoutText);
+  const operationalBlocks = extractOperationalFailureMarkdownFromStderr(stderrText);
+
+  let oversizedNote = "";
+  if (ext.oversized) {
+    oversizedNote = `_(stdout exceeded 262144 UTF-8 bytes; failure summary skipped)_\n\n`;
+  }
+
+  const failureParts = [];
+  if ("ok" in ext && ext.ok) failureParts.push(renderFailureSummaryMarkdownFromSpine(ext.spine));
+  failureParts.push(...operationalBlocks);
+
+  const failureSummaryBlock = failureParts.length > 0 ? failureParts.join("\n") : "";
+
+  let unparsedStdoutBlock = "";
+  if (ext.malformed) {
+    const rawOut = String(workflowStdoutText).trim();
+    if (rawOut.length > 0) {
+      unparsedStdoutBlock = `## Verification stdout (unparsed)\n\n\`\`\`text\n${rawOut}\n\`\`\`\n\n`;
+    }
+  }
 
   let stderrBlock = formatStderrBlock(stderrText);
 
@@ -350,12 +469,16 @@ ${String(payload.identityOneLiner)}
     "",
   ].join("\n");
 
-  function assemble(verdict, sb) {
-    const raw = header + verdict + sb + footer;
+  function assemble(middle) {
+    const raw = header + middle + footer;
     return normalizeDiscoveryText(raw);
   }
 
-  let body = assemble(verdictSection, stderrBlock);
+  function middleFrom(stderrBlk) {
+    return oversizedNote + failureSummaryBlock + unparsedStdoutBlock + stderrBlk;
+  }
+
+  let body = assemble(middleFrom(stderrBlock));
   if (utf8ByteLength(body) <= MAX_PR_BODY_UTF8_BYTES) {
     return body;
   }
@@ -367,19 +490,14 @@ ${String(payload.identityOneLiner)}
     stderrBlock = inner
       ? `## CLI stderr (last ${STDERR_TAIL_LINES} lines)\n\n\`\`\`text\n${inner}\n\`\`\`\n`
       : "## CLI stderr (last 20 lines)\n\n_(no stderr)_\n";
-    body = assemble(verdictSection, stderrBlock);
+    body = assemble(middleFrom(stderrBlock));
     if (utf8ByteLength(body) <= MAX_PR_BODY_UTF8_BYTES) return body;
   }
 
   stderrBlock = "## CLI stderr (last 20 lines)\n\n_(no stderr)_\n";
-  body = assemble(verdictSection, stderrBlock);
+  body = assemble(middleFrom(stderrBlock));
   if (utf8ByteLength(body) <= MAX_PR_BODY_UTF8_BYTES) return body;
 
-  if (verdictSection) {
-    body = assemble("", stderrBlock);
-    if (utf8ByteLength(body) <= MAX_PR_BODY_UTF8_BYTES) return body;
-  }
-
   throw new Error(
     `discovery-payload: PR body still exceeds ${MAX_PR_BODY_UTF8_BYTES} bytes after truncation`,
   );
@@ -408,6 +526,7 @@ module.exports = {
   PR_MARKER_LINE_LEGACY,
   MAX_SUMMARY_UTF8_BYTES,
   MAX_PR_BODY_UTF8_BYTES,
+  MAX_STDOUT_PARSE_BYTES,
   STDERR_TAIL_LINES,
   buildDiscoveryPayload,
   normalizeDiscoveryText,
@@ -417,6 +536,9 @@ module.exports = {
   renderLlmsTextFromPayload,
   renderCiSummaryMarkdownFromPayload,
   renderCiPrBodyFromPayload,
+  extractFailureSummaryFromStdout,
+  renderFailureSummaryMarkdownFromSpine,
+  projectCliEnvelopeToCiMarkdown,
   parseGithubRepoFromUrl,
   selectPrCommentUpsert,
 };

package/dist/decisionBlocker.contract.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=decisionBlocker.contract.test.d.ts.map