altimate-receipts 0.3.0

package/dist/cli.js

@@ -0,0 +1,1523 @@
+#!/usr/bin/env node
+import {
+  CHECK_CATALOG,
+  applyDiffScope,
+  canonicalize,
+  changedFiles,
+  checkForId,
+  compareToTranscript,
+  copyToClipboard,
+  inDiff,
+  rederiveFromTranscript,
+  renderShareMarkdown,
+  sliceByBranch,
+  toDsseEnvelope
+} from "./chunk-SUAQDKUV.js";
+import {
+  computeTrends,
+  deriveTargets,
+  renderTrends,
+  upsertTrendsSection
+} from "./chunk-RQLUZ6FQ.js";
+import {
+  agentIds,
+  anyDetected,
+  buildReceipt,
+  collectGuardrails,
+  deriveFindings,
+  deriveSpans,
+  formatCostAlways,
+  formatTokens,
+  getVersion,
+  inRepo,
+  listSessions,
+  loadSession,
+  redact,
+  redactReceipt,
+  renderCard,
+  renderGuardrailsBlock,
+  renderList,
+  rootsHint,
+  selectForBranch,
+  selectSummary,
+  upsertGuardrailsSection,
+  verifyBundle
+} from "./chunk-UHI6BGLE.js";
+
+// src/cli.ts
+import { spawnSync } from "child_process";
+import { existsSync, mkdirSync, readFileSync as readFileSync4, writeFileSync } from "fs";
+import { join as join4, relative } from "path";
+import { pathToFileURL } from "url";
+
+// src/receipt/assert.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+var OPS = /* @__PURE__ */ new Set([
+  "eq",
+  "ne",
+  "lt",
+  "lte",
+  "gt",
+  "gte",
+  "matches",
+  "in",
+  "empty",
+  "exists"
+]);
+function resolvePath(predicate, path) {
+  if (path === "findings" || path.startsWith("findings.")) {
+    const rest = path === "findings" ? "" : path.slice("findings.".length);
+    if (rest === "") {
+      return predicate.findings.length;
+    }
+    if (rest.startsWith("severity.")) {
+      const level = rest.slice("severity.".length);
+      return predicate.findings.filter((f) => f.severity === level).length;
+    }
+    return predicate.findings.filter((f) => f.id === rest || f.id.startsWith(`${rest}-`)).length;
+  }
+  let cur = predicate;
+  for (const key of path.split(".")) {
+    if (cur == null || typeof cur !== "object") {
+      return void 0;
+    }
+    cur = cur[key];
+  }
+  return cur;
+}
+var isNum = (v) => typeof v === "number" && Number.isFinite(v);
+var isEmpty = (v) => v == null || v === "" || v === 0 || Array.isArray(v) && v.length === 0 || typeof v === "object" && Object.keys(v).length === 0;
+function applyOp(op, actual, value) {
+  const needNum = () => isNum(actual) && isNum(value) ? null : { error: `op '${op}' needs a numeric field and value (got ${JSON.stringify(actual)})` };
+  switch (op) {
+    case "exists":
+      return { pass: actual !== void 0 && actual !== null };
+    case "empty":
+      return { pass: isEmpty(actual) };
+    case "eq":
+      return { pass: actual === value };
+    case "ne":
+      return { pass: actual !== value };
+    case "lt":
+      return needNum() ?? { pass: actual < value };
+    case "lte":
+      return needNum() ?? { pass: actual <= value };
+    case "gt":
+      return needNum() ?? { pass: actual > value };
+    case "gte":
+      return needNum() ?? { pass: actual >= value };
+    case "matches": {
+      if (typeof actual !== "string" || typeof value !== "string") {
+        return { error: `op 'matches' needs a string field and a string pattern` };
+      }
+      try {
+        return { pass: new RegExp(value).test(actual) };
+      } catch (e) {
+        return { error: `invalid regex '${value}': ${e.message}` };
+      }
+    }
+    case "in":
+      return Array.isArray(value) ? { pass: value.includes(actual) } : { error: `op 'in' needs an array value` };
+    default:
+      return { error: `unknown op '${op}'` };
+  }
+}
+function validateAssertion(raw) {
+  if (!raw || typeof raw !== "object") {
+    return { error: "assertion must be an object" };
+  }
+  const r = raw;
+  if (typeof r.path !== "string" || !r.path) {
+    return { error: "assertion.path must be a non-empty string" };
+  }
+  if (typeof r.op !== "string" || !OPS.has(r.op)) {
+    return { error: `assertion.op '${String(r.op)}' is not one of ${[...OPS].join("|")}` };
+  }
+  if (r.severity !== void 0 && r.severity !== "error" && r.severity !== "warn") {
+    return { error: "assertion.severity must be 'error' or 'warn'" };
+  }
+  return {
+    assertion: {
+      path: r.path,
+      op: r.op,
+      value: r.value,
+      severity: r.severity ?? "error"
+    }
+  };
+}
+function loadAsserts(repoRoot) {
+  const path = join(repoRoot, ".receipts", "asserts.json");
+  let text;
+  try {
+    text = readFileSync(path, "utf8");
+  } catch {
+    return [];
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch (e) {
+    throw new Error(`.receipts/asserts.json is not valid JSON: ${e.message}`);
+  }
+  const list = Array.isArray(parsed) ? parsed : parsed && typeof parsed === "object" && Array.isArray(parsed.asserts) ? parsed.asserts : null;
+  if (!list) {
+    throw new Error(".receipts/asserts.json must be an array or { asserts: [...] }");
+  }
+  const out = [];
+  for (const raw of list) {
+    const v = validateAssertion(raw);
+    if ("error" in v) {
+      throw new Error(`invalid assertion: ${v.error} (${JSON.stringify(raw)})`);
+    }
+    out.push(v.assertion);
+  }
+  return out;
+}
+function evaluateAsserts(receipt, asserts) {
+  return asserts.map((assertion) => {
+    const actual = resolvePath(receipt.predicate, assertion.path);
+    if (actual === void 0 && assertion.op !== "exists" && assertion.op !== "empty" && assertion.op !== "ne") {
+      return { assertion, pass: false, actual, error: `path '${assertion.path}' not found` };
+    }
+    const res = applyOp(assertion.op, actual, assertion.value);
+    return "error" in res ? { assertion, pass: false, actual, error: res.error } : { assertion, pass: res.pass, actual };
+  });
+}
+function assertExitCode(results) {
+  return results.some((r) => (!r.pass || r.error) && (r.assertion.severity ?? "error") === "error") ? 1 : 0;
+}
+function renderAssertResults(results) {
+  if (results.length === 0) {
+    return "receipts assert: no assertions (.receipts/asserts.json absent) \u2014 nothing to check.";
+  }
+  const lines = results.map((r) => {
+    const { path, op, value, severity } = r.assertion;
+    const expr = `${path} ${op}${value === void 0 ? "" : ` ${JSON.stringify(value)}`}`;
+    if (r.error) {
+      return `  \u26A0\uFE0F  ERROR  ${expr} \u2014 ${r.error}`;
+    }
+    const tag = r.pass ? "  \u2705 PASS " : severity === "warn" ? "  \u{1F7E1} WARN " : "  \u274C FAIL ";
+    return `${tag} ${expr}  (actual: ${JSON.stringify(r.actual)})`;
+  });
+  const failed = results.filter(
+    (r) => !r.pass && (r.assertion.severity ?? "error") === "error"
+  ).length;
+  const warned = results.filter((r) => !r.pass && r.assertion.severity === "warn").length;
+  const passed = results.filter((r) => r.pass).length;
+  lines.push(
+    `  ${passed} passed \xB7 ${failed} failed${warned ? ` \xB7 ${warned} warned` : ""} of ${results.length}`
+  );
+  return lines.join("\n");
+}
+
+// src/report/badge.ts
+var SEV_ORDER = ["critical", "high", "medium", "low"];
+function worstSeverity(findings) {
+  return SEV_ORDER.find((s) => findings.some((f) => f.severity === s));
+}
+function badgeEndpoint(predicate) {
+  const findings = predicate.findings ?? [];
+  const n = findings.length;
+  const worst = worstSeverity(findings);
+  const color = n === 0 ? "brightgreen" : worst === "critical" || worst === "high" ? "red" : worst === "medium" ? "orange" : "yellow";
+  const message = n === 0 ? "no findings" : `${n} finding${n === 1 ? "" : "s"}`;
+  return { schemaVersion: 1, label: "receipts", message, color };
+}
+
+// src/report/diff.ts
+function findingKey(f) {
+  return `${f.title}\0${f.filePath ?? ""}`;
+}
+function scopeLabel(r) {
+  const s = r.predicate.scope;
+  if (!s || s.kind === "session") return "whole session";
+  if (s.kind === "branch") return `branch ${s.branch ?? "?"}`;
+  return `diff (${(s.files ?? []).length} files${s.base ? ` vs ${s.base}` : ""})`;
+}
+function diffReceipts(a, b) {
+  const ea = a.predicate.evidence;
+  const eb = b.predicate.evidence;
+  const count = (key, label, va, vb) => ({
+    key,
+    label,
+    a: va,
+    b: vb,
+    delta: vb - va
+  });
+  const counts = [
+    count("filesChanged", "files changed", ea.filesChanged, eb.filesChanged),
+    count("edits", "edits", ea.edits, eb.edits),
+    count("commands", "commands", ea.commands, eb.commands),
+    count("reads", "reads", ea.reads, eb.reads),
+    count("destructiveOps", "destructive ops", ea.destructiveOps, eb.destructiveOps),
+    count("tokens", "tokens", ea.tokens.total, eb.tokens.total)
+  ];
+  const aKeys = new Set(a.predicate.findings.map(findingKey));
+  const bKeys = new Set(b.predicate.findings.map(findingKey));
+  const findingsAdded = b.predicate.findings.filter((f) => !aKeys.has(findingKey(f)));
+  const findingsRemoved = a.predicate.findings.filter((f) => !bKeys.has(findingKey(f)));
+  const findingsCommon = a.predicate.findings.filter((f) => bKeys.has(findingKey(f))).length;
+  return {
+    grade: { a: a.predicate.grade, b: b.predicate.grade },
+    counts,
+    cost: { a: ea.costUsd, b: eb.costUsd, delta: eb.costUsd - ea.costUsd },
+    testsObserved: { a: ea.testsRan, b: eb.testsRan },
+    findingsAdded,
+    findingsRemoved,
+    findingsCommon,
+    scope: { a: scopeLabel(a), b: scopeLabel(b) }
+  };
+}
+var SEV_ICON = { critical: "\u26D4", high: "\u26A0\uFE0F", medium: "\u{1F50D}", low: "\xB7" };
+function signed(n) {
+  if (n === 0) return "\xB10";
+  return n > 0 ? `+${n}` : `${n}`;
+}
+function findingLines(fs) {
+  return fs.map((f) => {
+    const loc = f.filePath ? ` (\`${f.filePath}\`)` : "";
+    return `  ${SEV_ICON[f.severity] ?? "\xB7"} ${f.title}${loc}`;
+  });
+}
+function renderDiff(d) {
+  const out = [];
+  out.push("Receipt diff \u2014 A (baseline) \u2192 B (new)");
+  out.push("");
+  out.push(`Grade: ${d.grade.a} \u2192 ${d.grade.b}`);
+  out.push(`Scope: A ${d.scope.a} \xB7 B ${d.scope.b}`);
+  out.push("");
+  out.push("Evidence:");
+  for (const c of d.counts) {
+    out.push(`  ${c.label}: ${c.a} \u2192 ${c.b} (${signed(c.delta)})`);
+  }
+  const cd = d.cost;
+  const costDelta = cd.delta === 0 ? "\xB10" : (cd.delta > 0 ? "+" : "-") + formatCostAlways(Math.abs(cd.delta));
+  out.push(`  cost: ${formatCostAlways(cd.a)} \u2192 ${formatCostAlways(cd.b)} (${costDelta})`);
+  out.push(
+    `  tokens (total): ${formatTokens(d.counts.find((c) => c.key === "tokens")?.a ?? 0)} \u2192 ${formatTokens(d.counts.find((c) => c.key === "tokens")?.b ?? 0)}`
+  );
+  const to = d.testsObserved;
+  const toStr = (v) => v ? "observed" : "not observed";
+  out.push(`  test command: ${toStr(to.a)} \u2192 ${toStr(to.b)}${to.a !== to.b ? " (changed)" : ""}`);
+  out.push("");
+  out.push(
+    `Findings: ${d.findingsAdded.length} only in B \xB7 ${d.findingsRemoved.length} only in A \xB7 ${d.findingsCommon} in both`
+  );
+  if (d.findingsAdded.length) {
+    out.push("");
+    out.push("Only in B (new):");
+    out.push(...findingLines(d.findingsAdded));
+  }
+  if (d.findingsRemoved.length) {
+    out.push("");
+    out.push("Only in A (absent from B):");
+    out.push(...findingLines(d.findingsRemoved));
+  }
+  out.push("");
+  out.push("Deterministic \xB7 0 model calls \xB7 evidence, not judgement.");
+  return `${out.join("\n")}
+`;
+}
+
+// src/report/eval.ts
+function firedCategories(findings) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    const c = checkForId(f.id);
+    if (c) {
+      keys.add(c.key);
+    }
+  }
+  return keys;
+}
+function summarizeFieldScan(rows) {
+  const label = new Map(CHECK_CATALOG.map((c) => [c.key, c.label]));
+  const cat = /* @__PURE__ */ new Map();
+  let flagged = 0;
+  for (const r of rows) {
+    if (r.categories.length) {
+      flagged++;
+    }
+    for (const key of new Set(r.categories)) {
+      cat.set(key, (cat.get(key) ?? 0) + 1);
+    }
+  }
+  const byCategory = [...cat.entries()].map(([key, sessions]) => ({ key, label: label.get(key) ?? key, sessions })).sort((a, b) => b.sessions - a.sessions || a.label.localeCompare(b.label));
+  return { scanned: rows.length, flagged, byCategory, rows: [...rows] };
+}
+function renderFieldScan(s) {
+  if (s.scanned === 0) {
+    return "No local agent sessions found to scan.\n";
+  }
+  const out = [];
+  out.push(`Receipts field scan \u2014 ${s.scanned} real local session${s.scanned === 1 ? "" : "s"}`);
+  out.push("");
+  const rate = Math.round(100 * s.flagged / s.scanned);
+  out.push(`Flagged: ${s.flagged}/${s.scanned} sessions (${rate}%) carried \u22651 merge-surface flag`);
+  out.push("");
+  if (s.byCategory.length === 0) {
+    out.push("No merge-surface category fired on any scanned session.");
+  } else {
+    out.push("By category (sessions flagged):");
+    for (const c of s.byCategory) {
+      out.push(`  ${c.label.padEnd(26)} ${c.sessions}`);
+    }
+  }
+  out.push(
+    "",
+    "A flag may be a true finding or a false positive \u2014 this is a flag rate you interpret,",
+    "not a verdict. Deterministic \xB7 0 model calls \xB7 reads only local sessions."
+  );
+  return `${out.join("\n")}
+`;
+}
+
+// src/report/log.ts
+import { readFileSync as readFileSync2, readdirSync } from "fs";
+import { join as join2 } from "path";
+var SEV_ICON2 = { critical: "\u26D4", high: "\u26A0\uFE0F", medium: "\u{1F50D}", low: "\xB7" };
+var SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
+var NON_RECEIPT = /(?:^|\/)(?:asserts(?:\.example)?|sample)\.json$/i;
+function scopeLabel2(scope) {
+  if (!scope || scope.kind === "session") return "session";
+  if (scope.kind === "branch") return `branch ${scope.branch ?? "?"}`;
+  return `diff ${(scope.files ?? []).length}f`;
+}
+function isoDate(ms) {
+  if (!ms || !Number.isFinite(ms)) return "\u2014".padEnd(10);
+  return new Date(ms).toISOString().slice(0, 10);
+}
+function loadReceiptHistory(dir) {
+  let files;
+  try {
+    files = readdirSync(dir).filter((f) => f.endsWith(".json") && !NON_RECEIPT.test(f));
+  } catch {
+    return [];
+  }
+  const entries = [];
+  for (const f of files) {
+    let input;
+    try {
+      input = JSON.parse(readFileSync2(join2(dir, f), "utf8"));
+    } catch {
+      continue;
+    }
+    const res = verifyBundle(input);
+    if (!res.ok || !res.receipt) continue;
+    const p = res.receipt.predicate;
+    const fs = p.findings ?? [];
+    let topSeverity;
+    for (const x of fs) {
+      if (!topSeverity || SEV_RANK[x.severity] < SEV_RANK[topSeverity]) topSeverity = x.severity;
+    }
+    entries.push({
+      name: f.replace(/\.json$/i, ""),
+      grade: p.grade,
+      costUsd: p.evidence.diffCostUsd ?? p.evidence.costUsd,
+      findings: fs.length,
+      topSeverity,
+      scope: scopeLabel2(p.scope),
+      endedAt: p.session?.endedAt
+    });
+  }
+  entries.sort((a, b) => (b.endedAt ?? 0) - (a.endedAt ?? 0) || a.name.localeCompare(b.name));
+  return entries;
+}
+function renderLog(entries, total = entries.length) {
+  if (!entries.length) return "No committed receipts found in .receipts/.\n";
+  const rows = entries.map((e) => {
+    const findings = e.findings === 0 ? "0" : `${e.findings} ${e.topSeverity ? SEV_ICON2[e.topSeverity] : ""}`.trim();
+    return {
+      date: isoDate(e.endedAt),
+      grade: e.grade,
+      cost: formatCostAlways(e.costUsd),
+      findings,
+      scope: e.scope,
+      name: e.name
+    };
+  });
+  const w = (key, head2) => Math.max(head2.length, ...rows.map((r) => r[key].length));
+  const wDate = w("date", "DATE");
+  const wGrade = Math.max(5, ...rows.map((r) => r.grade.length));
+  const wCost = w("cost", "COST");
+  const wFind = w("findings", "FINDINGS");
+  const wScope = w("scope", "SCOPE");
+  const head = `${"DATE".padEnd(wDate)}  ${"GRADE".padEnd(wGrade)}  ${"COST".padEnd(wCost)}  ${"FINDINGS".padEnd(wFind)}  ${"SCOPE".padEnd(wScope)}  RECEIPT`;
+  const lines = rows.map(
+    (r) => `${r.date.padEnd(wDate)}  ${r.grade.padEnd(wGrade)}  ${r.cost.padEnd(wCost)}  ${r.findings.padEnd(wFind)}  ${r.scope.padEnd(wScope)}  ${r.name}`
+  );
+  const header = `Receipt history \u2014 .receipts/ (${total} receipt${total === 1 ? "" : "s"}${entries.length < total ? `, showing ${entries.length}` : ""})`;
+  return `${header}
+
+${head}
+${lines.join("\n")}
+
+<cost = this change's cost (diff-scoped where available) \xB7 grade is each receipt's own recorded grade \xB7 evidence, not judgement>
+`;
+}
+
+// src/report/sarif.ts
+var INFO_URI = "https://github.com/AltimateAI/altimate-receipts";
+function levelOf(severity) {
+  if (severity === "critical" || severity === "high") return "error";
+  if (severity === "medium") return "warning";
+  return "note";
+}
+function ruleIdOf(id) {
+  const check = checkForId(id);
+  if (check) return check.key;
+  return id.replace(/-(?:tool|gen|span|s)-?\d.*$/i, "") || id;
+}
+function repoRelative(filePath, scopeFiles) {
+  const base = filePath.split("/").pop() ?? filePath;
+  for (const sf of scopeFiles) {
+    if (sf === filePath || sf.endsWith(`/${filePath}`) || filePath.endsWith(`/${sf}`)) return sf;
+    if ((sf.split("/").pop() ?? sf) === base) return sf;
+  }
+  return base;
+}
+function toSarif(receipt) {
+  const p = receipt.predicate;
+  const scopeFiles = p.scope?.files ?? [];
+  const findings = p.findings ?? [];
+  const ruleOrder = [];
+  const rules = /* @__PURE__ */ new Map();
+  const sevRank = { error: 0, warning: 1, note: 2 };
+  const results = findings.map((f) => {
+    const ruleId = ruleIdOf(f.id);
+    const level = levelOf(f.severity);
+    const existing = rules.get(ruleId);
+    if (!existing) {
+      ruleOrder.push(ruleId);
+      rules.set(ruleId, {
+        id: ruleId,
+        name: checkForId(f.id)?.label ?? ruleId,
+        shortDescription: { text: checkForId(f.id)?.label ?? ruleId },
+        defaultConfiguration: { level },
+        helpUri: INFO_URI
+      });
+    } else if (sevRank[level] < sevRank[existing.defaultConfiguration.level]) {
+      existing.defaultConfiguration.level = level;
+    }
+    const uri = f.filePath ? repoRelative(f.filePath, scopeFiles) : void 0;
+    const result = {
+      ruleId,
+      ruleIndex: ruleOrder.indexOf(ruleId),
+      level,
+      message: { text: f.detail ? `${f.title} \u2014 ${f.detail}` : f.title },
+      // Stable across commits: rule + path, never the volatile span id.
+      partialFingerprints: { receiptsId: `${ruleId}::${uri ?? "session"}` }
+    };
+    if (uri) {
+      result.locations = [
+        {
+          physicalLocation: {
+            artifactLocation: { uri },
+            ...f.line ? { region: { startLine: f.line } } : {}
+          }
+        }
+      ];
+    }
+    return result;
+  });
+  const ruleList = ruleOrder.map((id) => rules.get(id));
+  return {
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "Receipts",
+            informationUri: INFO_URI,
+            version: p.generator?.version,
+            rules: ruleList
+          }
+        },
+        results
+      }
+    ]
+  };
+}
+
+// src/report/stats.ts
+import { readFileSync as readFileSync3, readdirSync as readdirSync2 } from "fs";
+import { join as join3 } from "path";
+var NON_RECEIPT2 = /(?:^|\/)(?:asserts(?:\.example)?|sample)\.json$/i;
+function computeStats(dir) {
+  let files;
+  try {
+    files = readdirSync2(dir).filter((f) => f.endsWith(".json") && !NON_RECEIPT2.test(f));
+  } catch {
+    files = [];
+  }
+  const grades = { A: 0, B: 0, C: 0, F: 0 };
+  const cat = /* @__PURE__ */ new Map();
+  let receipts = 0;
+  let skipped = 0;
+  let flagged = 0;
+  let totalFindings = 0;
+  for (const f of files) {
+    let input;
+    try {
+      input = JSON.parse(readFileSync3(join3(dir, f), "utf8"));
+    } catch {
+      skipped++;
+      continue;
+    }
+    const res = verifyBundle(input);
+    if (!res.ok || !res.receipt) {
+      skipped++;
+      continue;
+    }
+    receipts++;
+    const p = res.receipt.predicate;
+    grades[p.grade] = (grades[p.grade] ?? 0) + 1;
+    const findings = p.findings ?? [];
+    if (findings.length) flagged++;
+    totalFindings += findings.length;
+    const seen = /* @__PURE__ */ new Set();
+    for (const finding of findings) {
+      const c = checkForId(finding.id);
+      if (!c) continue;
+      const row = cat.get(c.key) ?? { icon: c.icon, label: c.label, findings: 0, receipts: 0 };
+      row.findings++;
+      if (!seen.has(c.key)) {
+        row.receipts++;
+        seen.add(c.key);
+      }
+      cat.set(c.key, row);
+    }
+  }
+  const byCategory = [...cat.entries()].map(([key, v]) => ({ key, ...v })).sort((a, b) => b.findings - a.findings || a.label.localeCompare(b.label));
+  return { receipts, skipped, flagged, grades, byCategory, totalFindings };
+}
+function renderStats(s) {
+  if (s.receipts === 0) return "No committed receipts found in .receipts/.\n";
+  const out = [];
+  out.push(
+    `Receipts scoreboard \u2014 ${s.receipts} receipt${s.receipts === 1 ? "" : "s"} in .receipts/`
+  );
+  out.push("");
+  const pct = (n) => `${Math.round(100 * n / s.receipts)}%`;
+  out.push(
+    `Grades: \u{1F7E2} A ${s.grades.A} \xB7 \u{1F7E1} B ${s.grades.B} \xB7 \u{1F7E0} C ${s.grades.C} \xB7 \u{1F534} F ${s.grades.F}`
+  );
+  out.push(`Flagged: ${s.flagged}/${s.receipts} receipts (${pct(s.flagged)}) carried \u22651 finding`);
+  out.push("");
+  if (s.byCategory.length === 0) {
+    out.push("Problems caught: none \u2014 every committed receipt was clean.");
+  } else {
+    out.push(
+      `Problems caught (${s.totalFindings} findings across ${s.byCategory.length} categories):`
+    );
+    for (const c of s.byCategory) {
+      out.push(
+        `  ${c.icon} ${c.label.padEnd(26)} ${c.findings} finding${c.findings === 1 ? "" : "s"} in ${c.receipts} receipt${c.receipts === 1 ? "" : "s"}`
+      );
+    }
+  }
+  if (s.skipped) {
+    out.push("", `<${s.skipped} non-receipt/invalid file${s.skipped === 1 ? "" : "s"} skipped>`);
+  }
+  out.push("", "Deterministic \xB7 0 model calls \xB7 counts of recorded receipts, not a verdict.");
+  return `${out.join("\n")}
+`;
+}
+
+// src/share/handoff.ts
+var OPEN_IDS = /* @__PURE__ */ new Set(["unverified-change", "claimed-commit-none", "fake-green"]);
+function buildHandoff(receipt, findings) {
+  const all = [...findings.main, ...findings.minor];
+  const ev = receipt.predicate.evidence;
+  return {
+    subject: receipt.subject[0]?.digest.sha256 ?? "",
+    grade: receipt.predicate.grade,
+    done: {
+      filesChanged: ev.filesChanged,
+      edits: ev.edits,
+      commands: ev.commands,
+      reads: ev.reads,
+      testsRan: ev.testsRan
+    },
+    open: all.filter((f) => OPEN_IDS.has(f.id)).map((f) => redact(f.title)),
+    risk: all.filter((f) => f.severity === "high" || f.severity === "critical").map((f) => ({ severity: f.severity, title: redact(f.title) })),
+    next: all.map((f) => f.fixPrompt).filter((p) => !!p).map(redact),
+    prevent: all.map((f) => f.guardrailRule).filter((g) => !!g).map(redact),
+    verify: `receipts rederive <transcript>   # reproduces subject ${(receipt.subject[0]?.digest.sha256 ?? "").slice(0, 12)}\u2026`
+  };
+}
+function renderHandoffMarkdown(h) {
+  const lines = [];
+  lines.push(`# Handoff \u2014 Grade ${h.grade}`, "");
+  lines.push(
+    "## \u2705 Done",
+    `${h.done.filesChanged} files changed \xB7 ${h.done.edits} edits \xB7 ${h.done.commands} commands \xB7 ${h.done.reads} reads \xB7 tests ran: ${h.done.testsRan ? "yes" : "no"}`,
+    ""
+  );
+  if (h.open.length) {
+    lines.push("## \u{1F6A7} Open", ...h.open.map((o) => `- ${o}`), "");
+  }
+  if (h.risk.length) {
+    lines.push(
+      "## \u{1F6E1}\uFE0F Risk",
+      ...h.risk.map((r) => `- **${r.severity.toUpperCase()}** ${r.title}`),
+      ""
+    );
+  }
+  if (h.next.length) {
+    lines.push("## \u23ED\uFE0F Next", ...h.next.map((n) => `- ${n}`), "");
+  }
+  if (h.prevent.length) {
+    lines.push("## \u{1F9F7} Prevent", ...h.prevent.map((p) => `- ${p}`), "");
+  }
+  lines.push("## \u{1F50E} Verify", `\`${h.verify}\``, "");
+  return `${lines.join("\n").trimEnd()}
+`;
+}
+
+// src/cli.ts
+var HELP = `
+\u{1F9FE}  receipts \u2014 proof, not vibes
+
+  A deterministic, cross-agent Report Card of what your coding agent actually did.
+  Reads the agent's own transcript locally. No account, no upload, no model calls.
+
+Usage
+  receipts [selector]           Print the Agent Report Card for a session
+  receipts --list               List recent sessions (then: receipts <n>)
+  receipts --json [selector]    Emit the Receipt object (in-toto Statement)
+  receipts --share [selector]   Print a redacted, paste-ready Markdown summary
+  receipts --handoff [selector]  Print a verifiable handoff brief (done/open/risk/next/verify)
+  receipts guardrails [sel]     Paste-ready prevention rules (AGENTS.md / CLAUDE.md)
+                                from the findings (--last N to aggregate sessions)
+  receipts trends               Cross-session digest: grades, recurring findings,
+                                and evidence over your last N sessions (default 10)
+  receipts pr                   Write this PR's redacted Receipt to .receipts/
+                                (diff-scoped: only this change's findings)
+  receipts envelope <receipt>   Wrap a Receipt as an unsigned DSSE envelope
+  receipts verify <bundle>      Verify a Receipt (+ --transcript to prove fidelity)
+  receipts diff [<a> <b>]       What changed between two Receipts (no args: last two; --json)
+  receipts log [dir]            List the committed receipts in .receipts/ (--last N)
+  receipts stats [dir]          Dogfooding scoreboard: how often it ran + what it caught
+  receipts eval                 Flag-rate of the detectors over your real local sessions (--last N, --json)
+  receipts badge [receipt]      shields.io endpoint JSON for a README/PR badge (--out f)
+  receipts sarif [receipt]      SARIF 2.1.0 for GitHub code-scanning (inline + Security tab; --out f)
+  receipts init                 Scaffold the PR-check workflow into this repo (1-command adopt)
+  receipts rederive <file>      Reproduce the canonical Receipt from a transcript
+  receipts assert [selector]    Check the receipt against committed .receipts/asserts.json (CI gate)
+  receipts mcp                  Start the MCP server (stdio) for IDEs/agents
+
+  selector: a list number (e.g. 3), a session id, or part of the title.
+  With no selector, the most recent session is used.
+
+Options
+  --list                        List recent sessions and exit
+  --agent <name>                Limit to one agent: claude-code | codex | cursor | openclaw
+  --json                        Emit the Receipt as JSON (no card)
+  --compact                     With --json, emit canonical (sorted, minified) JSON
+  --share                       Emit a redacted Markdown summary for sharing
+  --redact                      With --json, redact secrets from the Receipt
+  --out <path>                  With --json, write to a file instead of stdout
+  --base <ref>                  With pr, the diff base to scope against (default: main)
+  --branch <name>               With pr, fall back to a branch slice (default: current)
+  --whole-session               With pr, use the whole session (no scoping)
+  --last <n>                    With guardrails / trends, span the last n sessions
+  --copy                        Also copy --share / --json output to the clipboard
+  --no-color                    Disable ANSI color (also honors NO_COLOR)
+  -v, --version                 Print the version and exit
+  -h, --help                    Print this help and exit
+
+Signing is done in CI by the "Verified-by: Receipts" GitHub Action (Sigstore
+keyless via GitHub Artifact Attestations). See docs/verified-by.md.
+
+Receipts reports what an agent DID \u2014 not whether it was correct. Your tests are
+the oracle for success. Evidence, not judgement.
+
+Note: a Receipt can contain titles, file paths, and command snippets from the
+transcript (possibly secrets). Plain --json is local only; use --share or
+--json --redact to mask secrets before the output leaves your machine.
+
+Docs: https://github.com/AltimateAI/altimate-receipts
+`;
+var COMMANDS = /* @__PURE__ */ new Set([
+  "envelope",
+  "verify",
+  "pr",
+  "mcp",
+  "rederive",
+  "guardrails",
+  "trends",
+  "diff",
+  "log",
+  "stats",
+  "eval",
+  "badge",
+  "sarif",
+  "init",
+  "assert"
+]);
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const parsed = {
+    help: false,
+    version: false,
+    list: false,
+    json: false,
+    compact: false,
+    share: false,
+    handoff: false,
+    redact: false,
+    copy: false,
+    wholeSession: false,
+    color: !process.env.NO_COLOR && process.stdout.isTTY === true
+  };
+  const positionals = [];
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "-h" || a === "--help") {
+      parsed.help = true;
+    } else if (a === "-v" || a === "--version") {
+      parsed.version = true;
+    } else if (a === "--list") {
+      parsed.list = true;
+    } else if (a === "--json") {
+      parsed.json = true;
+    } else if (a === "--compact") {
+      parsed.compact = true;
+    } else if (a === "--share") {
+      parsed.share = true;
+    } else if (a === "--handoff") {
+      parsed.handoff = true;
+    } else if (a === "--redact") {
+      parsed.redact = true;
+    } else if (a === "--copy") {
+      parsed.copy = true;
+    } else if (a === "--out") {
+      parsed.out = args[++i];
+    } else if (a === "--branch") {
+      parsed.branchScope = args[++i];
+    } else if (a === "--base") {
+      parsed.base = args[++i];
+    } else if (a === "--transcript") {
+      parsed.transcript = args[++i];
+    } else if (a === "--last") {
+      const n = Number(args[++i]);
+      if (Number.isFinite(n) && n > 0) {
+        parsed.last = Math.floor(n);
+      }
+    } else if (a === "--whole-session") {
+      parsed.wholeSession = true;
+    } else if (a === "--agent") {
+      const next = args[i + 1];
+      if (next && agentIds().includes(next)) {
+        parsed.agent = next;
+        i++;
+      }
+    } else if (a === "--no-color") {
+      parsed.color = false;
+    } else if (a === "--color") {
+      parsed.color = true;
+    } else if (!a.startsWith("-")) {
+      positionals.push(a);
+    }
+  }
+  if (positionals[0] && COMMANDS.has(positionals[0])) {
+    parsed.command = positionals[0];
+    parsed.file = positionals[1];
+    parsed.second = positionals[2];
+  } else {
+    parsed.selector = positionals[0];
+  }
+  return parsed;
+}
+async function run(argv) {
+  const args = parseArgs(argv);
+  if (args.version) {
+    process.stdout.write(`${getVersion()}
+`);
+    return 0;
+  }
+  if (args.help) {
+    process.stdout.write(`${HELP}
+`);
+    return 0;
+  }
+  if (args.command === "envelope") {
+    return runEnvelope(args.file);
+  }
+  if (args.command === "verify") {
+    return runVerify(args.file, { transcript: args.transcript, branch: args.branchScope });
+  }
+  if (args.command === "diff") {
+    return runDiff(args.file, args.second, { json: args.json, out: args.out });
+  }
+  if (args.command === "log") {
+    return runLog(args.file, { json: args.json, last: args.last, out: args.out });
+  }
+  if (args.command === "stats") {
+    return runStats(args.file, { json: args.json, out: args.out });
+  }
+  if (args.command === "eval") {
+    return runEval({ json: args.json, limit: args.last, agent: args.agent });
+  }
+  if (args.command === "badge") {
+    return runBadge(args.file, { out: args.out });
+  }
+  if (args.command === "sarif") {
+    return runSarif(args.file, { out: args.out });
+  }
+  if (args.command === "init") {
+    return runInit();
+  }
+  if (args.command === "rederive") {
+    return runRederive(args.file, {
+      branch: args.branchScope,
+      redact: args.redact,
+      compact: args.compact
+    });
+  }
+  if (args.command === "guardrails") {
+    return runGuardrails({
+      selector: args.file,
+      agent: args.agent,
+      last: args.last,
+      out: args.out,
+      copy: args.copy,
+      json: args.json
+    });
+  }
+  if (args.command === "trends") {
+    return runTrends({
+      selector: args.file,
+      agent: args.agent,
+      last: args.last,
+      out: args.out,
+      copy: args.copy,
+      json: args.json,
+      color: args.color
+    });
+  }
+  if (args.command === "pr") {
+    return runPr({
+      out: args.out,
+      branch: args.branchScope,
+      base: args.base,
+      wholeSession: args.wholeSession
+    });
+  }
+  if (args.command === "assert") {
+    return runAssert({ selector: args.file, agent: args.agent, json: args.json });
+  }
+  if (args.command === "mcp") {
+    const { startStdio } = await import("./mcp/server.js");
+    await startStdio();
+    await new Promise((resolve) => {
+      process.stdin.once("close", resolve);
+      process.stdin.once("end", resolve);
+    });
+    return 0;
+  }
+  if (!await anyDetected()) {
+    process.stderr.write(
+      `No agent transcripts found under ${rootsHint()}.
+Run a coding-agent session first, then try again.
+`
+    );
+    return 1;
+  }
+  const sessions = await listSessions(args.agent);
+  if (args.list) {
+    process.stdout.write(renderList(sessions, { color: args.color }));
+    return 0;
+  }
+  const summary = selectSummary(sessions, args.selector);
+  if (!summary) {
+    process.stderr.write(
+      args.selector ? `No session matched "${args.selector}". Try \`receipts --list\`.
+` : "No sessions found.\n"
+    );
+    return 1;
+  }
+  const session = await loadSession(summary);
+  if (!session) {
+    process.stderr.write(`Could not read session: ${summary.id}
+`);
+    return 1;
+  }
+  const derived = deriveSpans(session);
+  const findings = deriveFindings(derived);
+  if (args.json) {
+    let receipt = await buildReceipt(session, derived, findings);
+    if (args.redact) {
+      receipt = redactReceipt(receipt);
+    }
+    const out = args.compact ? canonicalize(receipt) : JSON.stringify(receipt, null, 2);
+    if (args.out) {
+      writeFileSync(args.out, `${out}
+`);
+      process.stderr.write(`Receipt written to ${args.out}
+`);
+      return 0;
+    }
+    emit(out, args.copy, "Receipt");
+    return 0;
+  }
+  if (args.share) {
+    const md = renderShareMarkdown({ summary, session, derived, findings });
+    emit(md.trimEnd(), args.copy, "Shareable summary");
+    return 0;
+  }
+  if (args.handoff) {
+    const receipt = redactReceipt(await buildReceipt(session, derived, findings));
+    const md = renderHandoffMarkdown(buildHandoff(receipt, findings));
+    emit(md.trimEnd(), args.copy, "Handoff");
+    return 0;
+  }
+  process.stdout.write(renderCard({ summary, derived, findings }, { color: args.color }));
+  return 0;
+}
+function git(args) {
+  const r = spawnSync("git", args, { encoding: "utf8" });
+  return r.status === 0 ? r.stdout.trim() : "";
+}
+var PR_SELECT_SCAN = 150;
+function diffOverlap(derived, files) {
+  return derived.filesChanged.filter((f) => inDiff(f.path, files)).length;
+}
+async function pickForDiff(all, branch, repoRoot, files) {
+  const load = async (sum) => {
+    const session = await loadSession(sum);
+    if (!session) {
+      return null;
+    }
+    return { summary: sum, session, derived: deriveSpans(session) };
+  };
+  const primarySum = selectForBranch(all, branch, repoRoot);
+  const primary = primarySum ? await load(primarySum) : null;
+  if (primary && diffOverlap(primary.derived, files) > 0) {
+    return primary;
+  }
+  let best = null;
+  let bestScore = 0;
+  const recent = all.filter((s) => inRepo(s.projectPath, repoRoot)).slice(0, PR_SELECT_SCAN);
+  for (const sum of recent) {
+    const cand = await load(sum);
+    if (!cand) {
+      continue;
+    }
+    const score = diffOverlap(cand.derived, files);
+    if (score > bestScore) {
+      best = cand;
+      bestScore = score;
+    }
+  }
+  return best ?? primary;
+}
+async function runPr(opts) {
+  const branch = opts.branch || git(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const repoRoot = git(["rev-parse", "--show-toplevel"]);
+  if (!branch || branch === "HEAD") {
+    process.stderr.write("receipts pr: not on a git branch (use --branch <name>).\n");
+    return 1;
+  }
+  const diff = opts.wholeSession ? null : changedFiles(opts.base);
+  const all = await listSessions();
+  const picked = diff ? await pickForDiff(all, branch, repoRoot || void 0, diff.files) : await (async () => {
+    const sum = selectForBranch(all, branch, repoRoot || void 0);
+    return sum ? { summary: sum, session: await loadSession(sum), derived: null } : null;
+  })();
+  if (!picked || !picked.session) {
+    process.stderr.write(
+      `receipts pr: no agent session found for branch "${branch}" in this repo.
+Build the branch with a coding agent first, or run \`receipts --list\`.
+`
+    );
+    return 1;
+  }
+  const { summary, session } = picked;
+  let scopedSession = session;
+  let derived = picked.derived ?? deriveSpans(session);
+  let findings = deriveFindings(derived);
+  let scope = { kind: "session" };
+  let scopeNote = "whole session";
+  if (diff) {
+    const sd = applyDiffScope(derived, findings, diff.files);
+    derived = sd.derived;
+    findings = sd.findings;
+    scope = { kind: "diff", base: diff.base, files: diff.files };
+    scopeNote = `diff vs ${diff.base} (${diff.files.length} file${diff.files.length === 1 ? "" : "s"})`;
+  } else if (!opts.wholeSession) {
+    const slice = sliceByBranch(session, branch);
+    if (slice) {
+      scopedSession = slice;
+      derived = deriveSpans(slice);
+      findings = deriveFindings(derived);
+      scope = { kind: "branch", branch };
+      scopeNote = `branch ${branch} (no git diff)`;
+    } else {
+      scopeNote = "whole session (no diff / branch tags)";
+    }
+  }
+  const receipt = redactReceipt(await buildReceipt(scopedSession, derived, findings, { scope }));
+  const safe = branch.replace(/[/\\]/g, "-");
+  const dir = join4(repoRoot || ".", ".receipts");
+  const out = opts.out ?? join4(dir, `${safe}.json`);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(out, `${JSON.stringify(receipt, null, 2)}
+`);
+  git(["add", out]);
+  const rel = repoRoot ? relative(repoRoot, out) : out;
+  process.stderr.write(
+    `receipts pr: wrote ${rel} (Grade ${receipt.predicate.grade}, ${scopeNote}) from "${summary.title ?? "untitled"}".
+`
+  );
+  return 0;
+}
+async function runGuardrails(opts) {
+  if (!await anyDetected()) {
+    process.stderr.write(`No agent transcripts found under ${rootsHint()}.
+`);
+    return 1;
+  }
+  const derivations = await deriveTargets({
+    agent: opts.agent,
+    last: opts.last,
+    selector: opts.selector
+  });
+  if (derivations.length === 0) {
+    process.stderr.write("guardrails: no matching session.\n");
+    return 1;
+  }
+  const findingSets = derivations.map((d) => d.findings);
+  const rules = collectGuardrails(findingSets);
+  const block = renderGuardrailsBlock(rules, opts.json ? "json" : "md");
+  if (opts.out) {
+    const existing = existsSync(opts.out) ? readFileSync4(opts.out, "utf8") : "";
+    writeFileSync(opts.out, upsertGuardrailsSection(existing, block));
+    process.stderr.write(
+      `guardrails: wrote ${rules.length} rule(s) to ${opts.out} (from ${findingSets.length} session${findingSets.length === 1 ? "" : "s"}).
+`
+    );
+    return 0;
+  }
+  emit(block, opts.copy ?? false, "Guardrails");
+  if (opts.last) {
+    process.stderr.write(`(from the last ${findingSets.length} sessions)
+`);
+  }
+  return 0;
+}
+async function runTrends(opts) {
+  if (!await anyDetected()) {
+    process.stderr.write(`No agent transcripts found under ${rootsHint()}.
+`);
+    return 1;
+  }
+  const requested = opts.last && opts.last > 0 ? opts.last : opts.selector ? 1 : 10;
+  const derivations = await deriveTargets(
+    opts.last && opts.last > 0 ? { agent: opts.agent, last: opts.last } : opts.selector ? { agent: opts.agent, selector: opts.selector } : { agent: opts.agent, last: 10 }
+  );
+  if (derivations.length === 0) {
+    process.stderr.write("trends: no matching sessions.\n");
+    return 1;
+  }
+  const inputs = derivations.slice().reverse().map((d) => ({ derived: d.derived, findings: d.findings }));
+  const trends = computeTrends(inputs, requested);
+  if (opts.out) {
+    const block = renderTrends(trends, "md");
+    const existing = existsSync(opts.out) ? readFileSync4(opts.out, "utf8") : "";
+    writeFileSync(opts.out, upsertTrendsSection(existing, block));
+    process.stderr.write(
+      `trends: wrote section to ${opts.out} (from ${trends.window.used} sessions).
+`
+    );
+    return 0;
+  }
+  if (opts.json) {
+    emit(renderTrends(trends, "json"), opts.copy ?? false, "Trends");
+    return 0;
+  }
+  process.stdout.write(renderTrends(trends, "card", { color: opts.color }));
+  if (opts.copy) {
+    const ok = copyToClipboard(renderTrends(trends, "card", { color: false }));
+    process.stderr.write(
+      ok ? "Trends copied to clipboard.\n" : "Clipboard unavailable \u2014 copy the output above.\n"
+    );
+  }
+  return 0;
+}
+function runEnvelope(file) {
+  if (!file) {
+    process.stderr.write("Usage: receipts envelope <receipt.json>\n");
+    return 1;
+  }
+  try {
+    const receipt = JSON.parse(readFileSync4(file, "utf8"));
+    process.stdout.write(`${JSON.stringify(toDsseEnvelope(receipt), null, 2)}
+`);
+    return 0;
+  } catch (err) {
+    process.stderr.write(`Could not read ${file}: ${err instanceof Error ? err.message : err}
+`);
+    return 1;
+  }
+}
+async function runVerify(file, opts = {}) {
+  if (!file) {
+    process.stderr.write("Usage: receipts verify <bundle.json> [--transcript <t> [--branch b]]\n");
+    return 1;
+  }
+  let input;
+  try {
+    input = JSON.parse(readFileSync4(file, "utf8"));
+  } catch (err) {
+    process.stderr.write(`Could not read ${file}: ${err instanceof Error ? err.message : err}
+`);
+    return 1;
+  }
+  const result = verifyBundle(input);
+  if (!result.ok) {
+    process.stderr.write("\u2717 Invalid Receipt:\n");
+    for (const e of result.errors) {
+      process.stderr.write(`  - ${e}
+`);
+    }
+    return 1;
+  }
+  const sig = result.signed ? `signed${result.rekorLogIndex !== void 0 ? ` \xB7 Rekor #${result.rekorLogIndex}` : ""}` : "unsigned";
+  process.stdout.write(`\u2713 Valid Receipt \u2014 Grade ${result.grade} \xB7 ${sig}
+`);
+  if (result.signer) {
+    process.stdout.write(`  signer: ${result.signer}
+`);
+  }
+  if (opts.transcript && result.receipt) {
+    const cmp = await compareToTranscript(result.receipt, opts.transcript, { branch: opts.branch });
+    if (!cmp.rederived) {
+      process.stderr.write("  \u2717 could not re-derive from the supplied transcript\n");
+      return 1;
+    }
+    if (!cmp.matches) {
+      process.stderr.write(
+        "  \u2717 re-derivation MISMATCH \u2014 the Receipt does not match its transcript (possibly hand-edited)\n"
+      );
+      return 1;
+    }
+    process.stdout.write("  \u2713 re-derived \u2014 faithful to the transcript (L1)\n");
+    return 0;
+  }
+  process.stdout.write(
+    "  Note: structural check only. Pass --transcript to prove fidelity (L1); `gh attestation verify` for full Sigstore/Rekor.\n"
+  );
+  return 0;
+}
+function runDiff(fileA, fileB, opts = {}) {
+  let pathA = fileA;
+  let pathB = fileB;
+  if (!pathA && !pathB) {
+    const hist = loadReceiptHistory(".receipts");
+    if (hist.length < 2) {
+      process.stderr.write(
+        `receipts diff: need two receipts. Found ${hist.length} in .receipts/ \u2014 pass two explicitly: receipts diff <a.json> <b.json>.
+`
+      );
+      return 1;
+    }
+    pathA = join4(".receipts", `${hist[1].name}.json`);
+    pathB = join4(".receipts", `${hist[0].name}.json`);
+    process.stdout.write(`receipts diff: ${hist[1].name} \u2192 ${hist[0].name} (most recent two)
+
+`);
+  }
+  if (!pathA || !pathB) {
+    process.stderr.write(
+      "Usage: receipts diff [<receiptA.json> <receiptB.json>] [--json] [--out <f>]\n  with no args, diffs the two most recent receipts in .receipts/\n"
+    );
+    return 1;
+  }
+  const read = (f) => {
+    let input;
+    try {
+      input = JSON.parse(readFileSync4(f, "utf8"));
+    } catch (err) {
+      process.stderr.write(`Could not read ${f}: ${err instanceof Error ? err.message : err}
+`);
+      return null;
+    }
+    const res = verifyBundle(input);
+    if (!res.ok || !res.receipt) {
+      process.stderr.write(`\u2717 ${f} is not a valid Receipt:
+`);
+      for (const e of res.errors) process.stderr.write(`  - ${e}
+`);
+      return null;
+    }
+    return res.receipt;
+  };
+  const a = read(pathA);
+  const b = read(pathB);
+  if (!a || !b) return 1;
+  const delta = diffReceipts(a, b);
+  const output = opts.json ? `${JSON.stringify(delta, null, 2)}
+` : renderDiff(delta);
+  if (opts.out) {
+    writeFileSync(opts.out, output);
+    process.stdout.write(`receipts diff: wrote ${opts.out}
+`);
+  } else {
+    process.stdout.write(output);
+  }
+  return 0;
+}
+function runLog(dir, opts = {}) {
+  const all = loadReceiptHistory(dir ?? ".receipts");
+  const shown = opts.last ? all.slice(0, opts.last) : all;
+  const output = opts.json ? `${JSON.stringify(shown, null, 2)}
+` : renderLog(shown, all.length);
+  if (opts.out) {
+    writeFileSync(opts.out, output);
+    process.stdout.write(`receipts log: wrote ${opts.out}
+`);
+  } else {
+    process.stdout.write(output);
+  }
+  return 0;
+}
+function runStats(dir, opts = {}) {
+  const stats = computeStats(dir ?? ".receipts");
+  const output = opts.json ? `${JSON.stringify(stats, null, 2)}
+` : renderStats(stats);
+  if (opts.out) {
+    writeFileSync(opts.out, output);
+    process.stdout.write(`receipts stats: wrote ${opts.out}
+`);
+  } else {
+    process.stdout.write(output);
+  }
+  return 0;
+}
+function runBadge(file, opts = {}) {
+  const repoRoot = git(["rev-parse", "--show-toplevel"]) || ".";
+  const branch = git(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const path = file ?? (branch && branch !== "HEAD" ? join4(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
+  if (!path || !existsSync(path)) {
+    process.stderr.write(
+      `receipts badge: no receipt found${path ? ` at ${path}` : ""}. Run \`receipts pr\` first, or pass a receipt path.
+`
+    );
+    return 1;
+  }
+  let input;
+  try {
+    input = JSON.parse(readFileSync4(path, "utf8"));
+  } catch {
+    process.stderr.write(`receipts badge: could not parse ${path}
+`);
+    return 1;
+  }
+  const res = verifyBundle(input);
+  if (!res.ok || !res.receipt) {
+    process.stderr.write(`receipts badge: ${path} is not a valid Receipt.
+`);
+    return 1;
+  }
+  const output = `${JSON.stringify(badgeEndpoint(res.receipt.predicate), null, 2)}
+`;
+  if (opts.out) {
+    writeFileSync(opts.out, output);
+    process.stdout.write(`receipts badge: wrote ${opts.out}
+`);
+  } else {
+    process.stdout.write(output);
+  }
+  return 0;
+}
+function runSarif(file, opts = {}) {
+  const repoRoot = git(["rev-parse", "--show-toplevel"]) || ".";
+  const branch = git(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const path = file ?? (branch && branch !== "HEAD" ? join4(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
+  if (!path || !existsSync(path)) {
+    process.stderr.write(
+      `receipts sarif: no receipt found${path ? ` at ${path}` : ""}. Run \`receipts pr\` first, or pass a receipt path.
+`
+    );
+    return 1;
+  }
+  let input;
+  try {
+    input = JSON.parse(readFileSync4(path, "utf8"));
+  } catch {
+    process.stderr.write(`receipts sarif: could not parse ${path}
+`);
+    return 1;
+  }
+  const res = verifyBundle(input);
+  if (!res.ok || !res.receipt) {
+    process.stderr.write(`receipts sarif: ${path} is not a valid Receipt.
+`);
+    return 1;
+  }
+  const output = `${JSON.stringify(toSarif(res.receipt), null, 2)}
+`;
+  if (opts.out) {
+    writeFileSync(opts.out, output);
+    process.stdout.write(`receipts sarif: wrote ${opts.out}
+`);
+  } else {
+    process.stdout.write(output);
+  }
+  return 0;
+}
+async function runEval(opts = {}) {
+  const limit = opts.limit && opts.limit > 0 ? opts.limit : 200;
+  const summaries = (await listSessions(opts.agent)).slice(0, limit);
+  const rows = [];
+  for (const summary of summaries) {
+    const session = await loadSession(summary);
+    if (!session) {
+      continue;
+    }
+    const { main, minor } = deriveFindings(deriveSpans(session));
+    rows.push({
+      title: summary.title ?? summary.id,
+      categories: [...firedCategories([...main, ...minor])]
+    });
+  }
+  const scan = summarizeFieldScan(rows);
+  process.stdout.write(opts.json ? `${JSON.stringify(scan, null, 2)}
+` : renderFieldScan(scan));
+  return 0;
+}
+function runInit() {
+  const v = getVersion();
+  const tag = /^\d+\.\d+\.\d+$/.test(v) ? `v${v}` : "v0.2.2";
+  const dir = ".github/workflows";
+  const path = `${dir}/receipts.yml`;
+  if (existsSync(path)) {
+    process.stdout.write(`receipts init: ${path} already exists \u2014 leaving it untouched.
+`);
+    return 0;
+  }
+  const content = `name: Verified by Receipts
+
+# Deterministic "what did the coding agent actually do?" check on PRs. Quiet + non-blocking
+# pilot: acts only when a branch commits an agent Receipt (.receipts/<branch>.json);
+# otherwise silent. Adds a new "Receipts" check only \u2014 touches no existing workflow.
+# Docs: https://github.com/AltimateAI/altimate-receipts/blob/main/docs/onboarding-internal.md
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  id-token: write # Sigstore keyless signing of the receipt
+  attestations: write # record the attestation
+  pull-requests: write # post the Receipts comment
+  checks: write # post the Receipts check
+
+jobs:
+  receipts:
+    uses: AltimateAI/altimate-receipts/.github/workflows/receipts.reusable.yml@${tag}
+    with:
+      require-receipt: false # never fail a PR that has no receipt (soft pilot)
+      notify-when-missing: false # stay silent unless a receipt is present
+      # block-on: ""          # informational check; never blocks a merge
+`;
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(path, content);
+  process.stdout.write(
+    [
+      `receipts init: wrote ${path} (pinned to ${tag}, quiet + non-blocking).`,
+      "  Commit it, open a PR, and the Receipts check runs on every PR.",
+      "  Generate receipts locally with the pre-push hook \u2014 see docs/onboarding-internal.md.",
+      ""
+    ].join("\n")
+  );
+  return 0;
+}
+async function runRederive(file, opts = {}) {
+  if (!file) {
+    process.stderr.write("Usage: receipts rederive <transcript.jsonl> [--branch b] [--redact]\n");
+    return 1;
+  }
+  const receipt = await rederiveFromTranscript(file, { branch: opts.branch, redact: opts.redact });
+  if (!receipt) {
+    process.stderr.write(`receipts rederive: could not read a session from ${file}
+`);
+    return 1;
+  }
+  const out = opts.compact ? canonicalize(receipt) : JSON.stringify(receipt, null, 2);
+  process.stdout.write(`${out}
+`);
+  return 0;
+}
+async function runAssert(opts) {
+  const repoRoot = git(["rev-parse", "--show-toplevel"]) || ".";
+  let asserts;
+  try {
+    asserts = loadAsserts(repoRoot);
+  } catch (e) {
+    process.stderr.write(`receipts assert: ${e.message}
+`);
+    return 2;
+  }
+  if (asserts.length === 0) {
+    process.stdout.write(`${renderAssertResults([])}
+`);
+    return 0;
+  }
+  const summary = selectSummary(await listSessions(opts.agent), opts.selector);
+  if (!summary) {
+    process.stderr.write(
+      opts.selector ? `No session matched "${opts.selector}". Try \`receipts --list\`.
+` : "No sessions found.\n"
+    );
+    return 1;
+  }
+  const session = await loadSession(summary);
+  if (!session) {
+    process.stderr.write(`Could not read session: ${summary.id}
+`);
+    return 1;
+  }
+  const derived = deriveSpans(session);
+  const receipt = await buildReceipt(session, derived, deriveFindings(derived));
+  const results = evaluateAsserts(receipt, asserts);
+  if (opts.json) {
+    process.stdout.write(`${JSON.stringify(results, null, 2)}
+`);
+  } else {
+    process.stdout.write(`${renderAssertResults(results)}
+`);
+  }
+  return assertExitCode(results);
+}
+function emit(text, copy, label) {
+  process.stdout.write(`${text}
+`);
+  if (copy) {
+    const ok = copyToClipboard(text);
+    process.stderr.write(
+      ok ? `
+${label} copied to clipboard.
+` : "\nClipboard unavailable \u2014 copy the output above.\n"
+    );
+  }
+}
+var entry = process.argv[1];
+var isMain = entry !== void 0 && import.meta.url === pathToFileURL(entry).href;
+if (isMain) {
+  run(process.argv).then((code) => process.exit(code)).catch((err) => {
+    process.stderr.write(`receipts: ${err instanceof Error ? err.message : String(err)}
+`);
+    process.exit(1);
+  });
+}
+export {
+  diffOverlap,
+  parseArgs,
+  run
+};
+//# sourceMappingURL=cli.js.map