agentxchain 2.64.0 → 2.65.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentxchain",
-  "version": "2.64.0",
+  "version": "2.65.0",
   "description": "CLI for AgentXchain — governed multi-agent software delivery",
   "type": "module",
   "bin": {

package/src/commands/accept-turn.js

@@ -166,6 +166,9 @@ export async function acceptTurnCommand(opts = {}) {
   if (accepted?.cost?.usd != null) {
     console.log(`  ${chalk.dim('Cost:')}     $${formatUsd(accepted.cost.usd)}`);
   }
+  if (accepted?.verification_replay) {
+    console.log(`  ${chalk.dim('Replay:')}   ${accepted.verification_replay.overall} (${accepted.verification_replay.matched_commands}/${accepted.verification_replay.replayed_commands})`);
+  }
   if (result.budget_warning) {
     console.log(`  ${chalk.yellow('Budget warning:')} ${result.budget_warning}`);
   }

package/src/commands/step.js

@@ -1023,6 +1023,9 @@ function printAcceptSummary(result) {
   if (accepted?.cost?.usd != null) {
     console.log(`  ${chalk.dim('Cost:')}     $${(accepted.cost.usd || 0).toFixed(2)}`);
   }
+  if (accepted?.verification_replay) {
+    console.log(`  ${chalk.dim('Replay:')}   ${accepted.verification_replay.overall} (${accepted.verification_replay.matched_commands}/${accepted.verification_replay.replayed_commands})`);
+  }
   console.log('');
 
   if (result.state?.status === 'completed') {

package/src/commands/verify.js

@@ -1,5 +1,4 @@
 import chalk from 'chalk';
-import { spawnSync } from 'node:child_process';
 import { loadProjectContext, loadProjectState } from '../lib/config.js';
 import { getActiveTurns } from '../lib/governed-state.js';
 import { normalizeVerification } from '../lib/repo-observer.js';
@@ -8,6 +7,10 @@ import { getTurnStagingResultPath } from '../lib/turn-paths.js';
 import { resolve } from 'node:path';
 import { loadExportArtifact, verifyExportArtifact } from '../lib/export-verifier.js';
 import { verifyProtocolConformance } from '../lib/protocol-conformance.js';
+import {
+  DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS,
+  replayVerificationMachineEvidence,
+} from '../lib/verification-replay.js';
 
 export async function verifyProtocolCommand(opts, command) {
   const requestedTier = Number.parseInt(String(opts.tier || '1'), 10);
@@ -113,7 +116,7 @@ export async function verifyTurnCommand(turnId, opts = {}) {
     process.exit(2);
   }
 
-  const timeoutMs = Number.parseInt(String(opts.timeout || '30000'), 10);
+  const timeoutMs = Number.parseInt(String(opts.timeout || String(DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS)), 10);
   if (!Number.isInteger(timeoutMs) || timeoutMs <= 0) {
     console.log(chalk.red('verify turn requires a positive integer --timeout in milliseconds.'));
     process.exit(2);
@@ -142,10 +145,6 @@ export async function verifyTurnCommand(turnId, opts = {}) {
   const runtimeType = config.runtimes?.[selectedTurn.runtime_id]?.type || 'manual';
   const declaredStatus = turnResult.verification?.status || 'skipped';
   const normalizedStatus = normalizeVerification(turnResult.verification, runtimeType).status;
-  const machineEvidence = Array.isArray(turnResult.verification?.machine_evidence)
-    ? turnResult.verification.machine_evidence
-    : [];
-
   const payload = {
     turn_id: selectedTurnId,
     role: selectedTurn.assigned_role,
@@ -159,23 +158,13 @@ export async function verifyTurnCommand(turnId, opts = {}) {
       warnings: validation.warnings || [],
     },
     timeout_ms: timeoutMs,
-    overall: 'not_reproducible',
-    replayed_commands: 0,
-    matched_commands: 0,
-    commands: [],
+    ...replayVerificationMachineEvidence({
+      root,
+      verification: turnResult.verification,
+      timeoutMs,
+    }),
   };
 
-  if (machineEvidence.length === 0) {
-    payload.reason = 'No verification.machine_evidence commands were declared. commands/evidence_summary are not executable proof.';
-    emitTurnVerification(payload, opts.json);
-    process.exit(1);
-  }
-
-  payload.commands = machineEvidence.map((entry, index) => replayEvidenceCommand(root, entry, index, timeoutMs));
-  payload.replayed_commands = payload.commands.length;
-  payload.matched_commands = payload.commands.filter((entry) => entry.matched).length;
-  payload.overall = payload.commands.every((entry) => entry.matched) ? 'match' : 'mismatch';
-
   emitTurnVerification(payload, opts.json);
   process.exit(payload.overall === 'match' ? 0 : 1);
 }
@@ -310,31 +299,6 @@ function emitTurnValidationFailure(validation, jsonMode) {
   console.log('');
 }
 
-function replayEvidenceCommand(root, entry, index, timeoutMs) {
-  const result = spawnSync(entry.command, {
-    cwd: root,
-    encoding: 'utf8',
-    shell: true,
-    timeout: timeoutMs,
-    maxBuffer: 1024 * 1024,
-  });
-
-  const timedOut = result.error?.code === 'ETIMEDOUT';
-  const actualExitCode = Number.isInteger(result.status) ? result.status : null;
-  const errorMessage = result.error?.message || null;
-
-  return {
-    index,
-    command: entry.command,
-    declared_exit_code: entry.exit_code,
-    actual_exit_code: actualExitCode,
-    matched: actualExitCode === entry.exit_code,
-    timed_out: timedOut,
-    signal: result.signal || null,
-    error: errorMessage,
-  };
-}
-
 function emitTurnVerification(payload, jsonMode) {
   if (jsonMode) {
     console.log(JSON.stringify(payload, null, 2));

package/src/lib/governed-state.js

@@ -44,6 +44,10 @@ import { emitRunEvent } from './run-events.js';
 import { writeSessionCheckpoint } from './session-checkpoint.js';
 import { recordRunHistory } from './run-history.js';
 import { buildDefaultRunProvenance } from './run-provenance.js';
+import {
+  replayVerificationMachineEvidence,
+  summarizeVerificationReplay,
+} from './verification-replay.js';
 
 // ── Constants ────────────────────────────────────────────────────────────────
 
@@ -2367,6 +2371,9 @@ function _acceptGovernedTurnLocked(root, config, opts) {
   const normalizedVerification = normalizeVerification(turnResult.verification, runtimeType);
   const artifactType = turnResult.artifact?.type || 'review';
   const derivedRef = deriveAcceptedRef(observation, artifactType, state.accepted_integration_ref);
+  const verificationReplay = (config.policies || []).some((policy) => policy?.rule === 'require_reproducible_verification')
+    ? replayVerificationMachineEvidence({ root, verification: turnResult.verification })
+    : null;
 
   // Policy evaluation — declarative governance rules (spec: POLICY_ENGINE_SPEC.md)
   const policyResult = evaluatePolicies(config.policies || [], {
@@ -2375,6 +2382,7 @@ function _acceptGovernedTurnLocked(root, config, opts) {
     turnStatus: turnResult.status,
     turnCostUsd: readTurnCostUsd(turnResult),
     history: historyEntries,
+    verificationReplay,
   });
 
   if (policyResult.blocks.length > 0) {
@@ -2572,6 +2580,7 @@ function _acceptGovernedTurnLocked(root, config, opts) {
     artifacts_created: turnResult.artifacts_created || [],
     verification: turnResult.verification || {},
     normalized_verification: normalizedVerification,
+    ...(verificationReplay ? { verification_replay: summarizeVerificationReplay(verificationReplay) } : {}),
     artifact: turnResult.artifact || {},
     observed_artifact: observedArtifact,
     proposed_next_role: turnResult.proposed_next_role,
@@ -3176,6 +3185,7 @@ function _acceptGovernedTurnLocked(root, config, opts) {
     hookResults,
     ...(budgetWarning ? { budget_warning: budgetWarning } : {}),
     ...(policyResult.warnings.length > 0 ? { policy_warnings: policyResult.warnings } : {}),
+    ...(verificationReplay ? { verification_replay: summarizeVerificationReplay(verificationReplay) } : {}),
   };
 }
 

package/src/lib/policy-evaluator.js

@@ -78,6 +78,32 @@ const RULE_EVALUATORS = {
     }
     return { triggered: false, message: '' };
   },
+
+  require_reproducible_verification: (_params, ctx) => {
+    const replay = ctx.verificationReplay;
+    if (!replay) {
+      return {
+        triggered: true,
+        message: 'verification replay context is missing at acceptance time',
+      };
+    }
+
+    if (replay.overall === 'match') {
+      return { triggered: false, message: '' };
+    }
+
+    if (replay.overall === 'not_reproducible') {
+      return {
+        triggered: true,
+        message: replay.reason || 'verification.machine_evidence did not provide executable proof',
+      };
+    }
+
+    return {
+      triggered: true,
+      message: `verification replay mismatch: ${replay.matched_commands || 0}/${replay.replayed_commands || 0} commands matched declared exit codes`,
+    };
+  },
 };
 
 export const VALID_POLICY_RULES = Object.keys(RULE_EVALUATORS);
@@ -185,6 +211,12 @@ function validatePolicyParams(rule, params, prefix) {
         }
       }
       break;
+
+    case 'require_reproducible_verification':
+      if (params != null && typeof params !== 'object') {
+        errors.push(`${prefix}: params must be an object when provided`);
+      }
+      break;
   }
 
   return errors;

package/src/lib/verification-replay.js

@@ -0,0 +1,68 @@
+import { spawnSync } from 'node:child_process';
+
+export const DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS = 30_000;
+
+export function replayVerificationMachineEvidence({ root, verification, timeoutMs = DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS }) {
+  const machineEvidence = Array.isArray(verification?.machine_evidence)
+    ? verification.machine_evidence
+    : [];
+
+  const payload = {
+    timeout_ms: timeoutMs,
+    overall: 'not_reproducible',
+    replayed_commands: 0,
+    matched_commands: 0,
+    commands: [],
+  };
+
+  if (machineEvidence.length === 0) {
+    payload.reason = 'No verification.machine_evidence commands were declared. commands/evidence_summary are not executable proof.';
+    return payload;
+  }
+
+  payload.commands = machineEvidence.map((entry, index) => replayEvidenceCommand(root, entry, index, timeoutMs));
+  payload.replayed_commands = payload.commands.length;
+  payload.matched_commands = payload.commands.filter((entry) => entry.matched).length;
+  payload.overall = payload.commands.every((entry) => entry.matched) ? 'match' : 'mismatch';
+
+  return payload;
+}
+
+export function replayEvidenceCommand(root, entry, index, timeoutMs = DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS) {
+  const result = spawnSync(entry.command, {
+    cwd: root,
+    encoding: 'utf8',
+    shell: true,
+    timeout: timeoutMs,
+    maxBuffer: 1024 * 1024,
+  });
+
+  const timedOut = result.error?.code === 'ETIMEDOUT';
+  const actualExitCode = Number.isInteger(result.status) ? result.status : null;
+  const errorMessage = result.error?.message || null;
+
+  return {
+    index,
+    command: entry.command,
+    declared_exit_code: entry.exit_code,
+    actual_exit_code: actualExitCode,
+    matched: actualExitCode === entry.exit_code,
+    timed_out: timedOut,
+    signal: result.signal || null,
+    error: errorMessage,
+  };
+}
+
+export function summarizeVerificationReplay(payload) {
+  if (!payload) {
+    return null;
+  }
+
+  return {
+    overall: payload.overall,
+    replayed_commands: payload.replayed_commands || 0,
+    matched_commands: payload.matched_commands || 0,
+    timeout_ms: payload.timeout_ms || DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS,
+    ...(payload.reason ? { reason: payload.reason } : {}),
+  };
+}