altimate-receipts 0.5.2 → 0.6.0

package/dist/cli.js

@@ -13,13 +13,13 @@ import {
   renderShareMarkdown,
   sliceByBranch,
   toDsseEnvelope
-} from "./chunk-GOLRNSZT.js";
+} from "./chunk-ASPLZPMQ.js";
 import {
   computeTrends,
   deriveTargets,
   renderTrends,
   upsertTrendsSection
-} from "./chunk-EKMFU3ES.js";
+} from "./chunk-543NGQTN.js";
 import {
   agentIds,
   anyDetected,
@@ -43,10 +43,10 @@ import {
   selectSummary,
   upsertGuardrailsSection,
   verifyBundle
-} from "./chunk-EYM5WETZ.js";
+} from "./chunk-DBQWQVZZ.js";
 
 // src/cli.ts
-import { spawnSync as spawnSync4 } from "child_process";
+import { spawnSync as spawnSync5 } from "child_process";
 import {
   existsSync as existsSync4,
   mkdirSync as mkdirSync3,
@@ -57,7 +57,7 @@ import {
   writeFileSync as writeFileSync3
 } from "fs";
 import { homedir } from "os";
-import { join as join6, relative } from "path";
+import { join as join7, relative } from "path";
 import { pathToFileURL } from "url";
 
 // src/hook/installGitHook.ts
@@ -174,9 +174,64 @@ function wirePrepareScript(pkgPath) {
 }
 
 // src/hook/prePush.ts
+import { spawnSync as spawnSync3 } from "child_process";
+import { existsSync as existsSync3 } from "fs";
+import { join as join3 } from "path";
+
+// src/report/store.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync2 } from "fs";
-import { join as join2 } from "path";
+var IDENT = ["-c", "user.name=receipts", "-c", "user.email=receipts@altimate.ai"];
+var RECEIPT_REF_PREFIX = "refs/receipts/";
+var receiptRef = (slug) => `${RECEIPT_REF_PREFIX}${slug}`;
+function git2(args, opts = {}) {
+  const r = spawnSync2("git", args, {
+    encoding: "utf8",
+    cwd: opts.cwd,
+    input: opts.input,
+    env: opts.env ? { ...process.env, ...opts.env } : process.env
+  });
+  return { out: (r.stdout ?? "").trim(), ok: r.status === 0, err: (r.stderr ?? "").trim() };
+}
+function writeReceiptRef(slug, branch, json, endedAtMs, cwd) {
+  const blob = git2(["hash-object", "-w", "--stdin"], { cwd, input: json });
+  if (!blob.ok) {
+    return { ok: false, reason: "hash-object failed (not a git repository?)" };
+  }
+  const tree = git2(["mktree"], { cwd, input: `100644 blob ${blob.out}	receipt.json
+` });
+  if (!tree.ok) {
+    return { ok: false, reason: "mktree failed" };
+  }
+  const when = `@${Math.max(1, Math.floor((endedAtMs ?? 0) / 1e3))} +0000`;
+  const commit = git2([...IDENT, "commit-tree", tree.out, "-m", `receipt: ${branch}`], {
+    cwd,
+    env: { GIT_AUTHOR_DATE: when, GIT_COMMITTER_DATE: when }
+  });
+  if (!commit.ok) {
+    return { ok: false, reason: `commit-tree failed: ${commit.err}` };
+  }
+  const ref = receiptRef(slug);
+  const upd = git2(["update-ref", ref, commit.out], { cwd });
+  if (!upd.ok) {
+    return { ok: false, reason: `update-ref ${ref} failed` };
+  }
+  return { ok: true, ref, commit: commit.out };
+}
+function readReceiptRef(slug, cwd) {
+  const r = git2(["cat-file", "blob", `${receiptRef(slug)}:receipt.json`], { cwd });
+  return r.ok ? r.out : null;
+}
+function listReceiptRefs(cwd) {
+  const r = git2(["for-each-ref", RECEIPT_REF_PREFIX, "--format=%(refname)"], { cwd });
+  if (!r.ok || !r.out) {
+    return [];
+  }
+  return r.out.split("\n").filter(Boolean).map((ref) => ({ ref, slug: ref.slice(RECEIPT_REF_PREFIX.length) }));
+}
+function pushReceiptRef(slug, remote = "origin", cwd) {
+  const ref = receiptRef(slug);
+  return git2(["push", remote, `+${ref}:${ref}`], { cwd }).ok;
+}
 
 // src/trace/gitCommand.ts
 var WRAPPERS = /* @__PURE__ */ new Set(["command", "exec", "nohup", "time", "env"]);
@@ -209,11 +264,63 @@ function gitInvocations(command) {
   return out;
 }
 
+// src/hook/settingsMerge.ts
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
+var HOOK_COMMAND = "npx -y altimate-receipts@latest hook pre-push";
+function settingsStore(root) {
+  try {
+    const s = JSON.parse(readFileSync2(join2(root, ".claude", "settings.json"), "utf8"));
+    const v = s?.env?.RECEIPTS_STORE;
+    return typeof v === "string" && v ? v : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function mergeHookIntoSettings(path, command = HOOK_COMMAND) {
+  let settings = {};
+  if (existsSync2(path)) {
+    let parsed;
+    try {
+      parsed = JSON.parse(readFileSync2(path, "utf8"));
+    } catch {
+      return { ok: false, reason: `${path} is not valid JSON \u2014 leaving it untouched` };
+    }
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return { ok: false, reason: `${path} is not a JSON object \u2014 leaving it untouched` };
+    }
+    settings = parsed;
+  }
+  if (settings.hooks === void 0) {
+    settings.hooks = {};
+  }
+  const hooks = settings.hooks;
+  if (typeof hooks !== "object" || hooks === null || Array.isArray(hooks)) {
+    return { ok: false, reason: `${path} has a non-object "hooks" key \u2014 leaving it untouched` };
+  }
+  if (hooks.PreToolUse === void 0) {
+    hooks.PreToolUse = [];
+  }
+  const pre = hooks.PreToolUse;
+  if (!Array.isArray(pre)) {
+    return { ok: false, reason: `${path} has a non-array hooks.PreToolUse \u2014 leaving it untouched` };
+  }
+  const present = pre.some((e) => e?.hooks?.some((h) => h?.command === command));
+  if (present) {
+    return { ok: true, changed: false };
+  }
+  pre.push({ matcher: "Bash", hooks: [{ type: "command", command }] });
+  mkdirSync2(dirname(path), { recursive: true });
+  writeFileSync2(path, `${JSON.stringify(settings, null, 2)}
+`);
+  return { ok: true, changed: true };
+}
+
 // src/hook/prePush.ts
 var REPUSH_EXIT = 42;
 var ATTACH_SUBJECT = (branch) => `chore(receipts): attach agent receipt for ${branch}`;
-function git2(args, cwd) {
-  const r = spawnSync2("git", args, { encoding: "utf8", cwd });
+function git3(args, cwd) {
+  const r = spawnSync3("git", args, { encoding: "utf8", cwd });
   return r.status === 0 ? r.stdout.trim() : "";
 }
 var TAG_REFSPEC = /^(refs\/tags\/|v\d+(\.\d+)*$)/;
@@ -236,22 +343,33 @@ function isGitPush(command) {
 function gitStdinPushesBranch(stdin) {
   return stdin.split("\n").some((line) => line.trim().startsWith("refs/heads/"));
 }
-var hasMarker = (root) => existsSync2(join2(root, ".github", "workflows", "receipts.yml")) || existsSync2(join2(root, ".receipts"));
+var hasMarker = (root) => existsSync3(join3(root, ".github", "workflows", "receipts.yml")) || existsSync3(join3(root, ".receipts"));
 function repoOptedIn(repoRoot) {
   if (hasMarker(repoRoot)) {
     return true;
   }
-  const common = git2(["rev-parse", "--git-common-dir"], repoRoot);
+  const primary = primaryCheckout(repoRoot);
+  return primary ? hasMarker(primary) : false;
+}
+function primaryCheckout(repoRoot) {
+  const common = git3(["rev-parse", "--git-common-dir"], repoRoot);
   if (common.endsWith("/.git")) {
     const primary = common.slice(0, -"/.git".length);
     if (primary && primary !== repoRoot) {
-      return hasMarker(primary);
+      return primary;
     }
   }
-  return false;
+  return null;
 }
 function headIsAttachCommit(branch, cwd) {
-  return git2(["log", "-1", "--format=%s"], cwd) === ATTACH_SUBJECT(branch);
+  return git3(["log", "-1", "--format=%s"], cwd) === ATTACH_SUBJECT(branch);
+}
+function isDefaultBranch(branch, cwd) {
+  const head = git3(["symbolic-ref", "--short", "refs/remotes/origin/HEAD"], cwd);
+  if (head) {
+    return head === `origin/${branch}`;
+  }
+  return branch === "main" || branch === "master";
 }
 async function readStdin(stream = process.stdin) {
   let data = "";
@@ -278,7 +396,7 @@ async function runHookPrePush(dialect, stdin, generate) {
       if (payload.tool_name !== "Bash" || !payload.tool_input?.command) {
         return { exit: 0 };
       }
-      if (payload.cwd && existsSync2(payload.cwd)) {
+      if (payload.cwd && existsSync3(payload.cwd)) {
         process.chdir(payload.cwd);
       }
       if (!isGitPush(payload.tool_input.command)) {
@@ -287,15 +405,20 @@ async function runHookPrePush(dialect, stdin, generate) {
     } else if (!gitStdinPushesBranch(stdin)) {
       return { exit: 0 };
     }
-    const repoRoot = git2(["rev-parse", "--show-toplevel"]);
+    const repoRoot = git3(["rev-parse", "--show-toplevel"]);
     if (!repoRoot || !repoOptedIn(repoRoot)) {
       return { exit: 0 };
     }
-    const branch = git2(["rev-parse", "--abbrev-ref", "HEAD"]);
-    if (!branch || branch === "HEAD") {
+    const branch = git3(["rev-parse", "--abbrev-ref", "HEAD"]);
+    if (!branch || branch === "HEAD" || isDefaultBranch(branch)) {
       return { exit: 0 };
     }
-    if (dialect === "git" && headIsAttachCommit(branch)) {
+    const store = (process.env.RECEIPTS_STORE || settingsStore(repoRoot) || settingsStore(primaryCheckout(repoRoot) ?? "") || "commit").toLowerCase();
+    if (store === "none") {
+      return { exit: 0 };
+    }
+    process.env.RECEIPTS_STORE = store;
+    if (store !== "ref" && dialect === "git" && headIsAttachCommit(branch)) {
       return { exit: 0 };
     }
     const write = process.stderr.write.bind(process.stderr);
@@ -309,11 +432,22 @@ async function runHookPrePush(dialect, stdin, generate) {
     if (generated !== 0) {
       return { exit: 0 };
     }
-    if (!git2(["status", "--porcelain", ".receipts/"])) {
+    if (store === "ref") {
+      const slug = branch.replace(/[/\\]/g, "-");
+      if (readReceiptRef(slug) == null) {
+        return { exit: 0 };
+      }
+      const pushed = pushReceiptRef(slug);
+      return {
+        exit: 0,
+        message: pushed ? `receipts: receipt at refs/receipts/${slug} \u2014 travels alongside this push.` : `receipts: wrote refs/receipts/${slug}; pushing it failed \u2014 push the ref manually.`
+      };
+    }
+    if (!git3(["status", "--porcelain", ".receipts/"])) {
       return { exit: 0 };
     }
-    spawnSync2("git", ["add", ".receipts/"], { encoding: "utf8" });
-    const commit = spawnSync2(
+    spawnSync3("git", ["add", ".receipts/"], { encoding: "utf8" });
+    const commit = spawnSync3(
       "git",
       ["commit", "--no-verify", "-m", ATTACH_SUBJECT(branch), "--", ".receipts/"],
       { encoding: "utf8" }
@@ -336,52 +470,9 @@ async function runHookPrePush(dialect, stdin, generate) {
   }
 }
 
-// src/hook/settingsMerge.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
-import { dirname } from "path";
-var HOOK_COMMAND = "npx -y altimate-receipts@latest hook pre-push";
-function mergeHookIntoSettings(path, command = HOOK_COMMAND) {
-  let settings = {};
-  if (existsSync3(path)) {
-    let parsed;
-    try {
-      parsed = JSON.parse(readFileSync2(path, "utf8"));
-    } catch {
-      return { ok: false, reason: `${path} is not valid JSON \u2014 leaving it untouched` };
-    }
-    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-      return { ok: false, reason: `${path} is not a JSON object \u2014 leaving it untouched` };
-    }
-    settings = parsed;
-  }
-  if (settings.hooks === void 0) {
-    settings.hooks = {};
-  }
-  const hooks = settings.hooks;
-  if (typeof hooks !== "object" || hooks === null || Array.isArray(hooks)) {
-    return { ok: false, reason: `${path} has a non-object "hooks" key \u2014 leaving it untouched` };
-  }
-  if (hooks.PreToolUse === void 0) {
-    hooks.PreToolUse = [];
-  }
-  const pre = hooks.PreToolUse;
-  if (!Array.isArray(pre)) {
-    return { ok: false, reason: `${path} has a non-array hooks.PreToolUse \u2014 leaving it untouched` };
-  }
-  const present = pre.some((e) => e?.hooks?.some((h) => h?.command === command));
-  if (present) {
-    return { ok: true, changed: false };
-  }
-  pre.push({ matcher: "Bash", hooks: [{ type: "command", command }] });
-  mkdirSync2(dirname(path), { recursive: true });
-  writeFileSync2(path, `${JSON.stringify(settings, null, 2)}
-`);
-  return { ok: true, changed: true };
-}
-
 // src/receipt/assert.ts
 import { readFileSync as readFileSync3 } from "fs";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 var OPS = /* @__PURE__ */ new Set([
   "eq",
   "ne",
@@ -476,7 +567,7 @@ function validateAssertion(raw) {
   };
 }
 function loadAsserts(repoRoot) {
-  const path = join3(repoRoot, ".receipts", "asserts.json");
+  const path = join4(repoRoot, ".receipts", "asserts.json");
   let text;
   try {
     text = readFileSync3(path, "utf8");
@@ -704,7 +795,7 @@ function renderFieldScan(s) {
 
 // src/report/log.ts
 import { readFileSync as readFileSync4, readdirSync } from "fs";
-import { join as join4 } from "path";
+import { dirname as dirname2, join as join5 } from "path";
 var SEV_ICON2 = { critical: "\u26D4", high: "\u26A0\uFE0F", medium: "\u{1F50D}", low: "\xB7" };
 var SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
 var NON_RECEIPT = /(?:^|\/)(?:asserts(?:\.example)?|sample)\.json$/i;
@@ -722,13 +813,27 @@ function loadReceiptHistory(dir) {
   try {
     files = readdirSync(dir).filter((f) => f.endsWith(".json") && !NON_RECEIPT.test(f));
   } catch {
-    return [];
+    files = [];
+  }
+  const sources = files.map((f) => {
+    try {
+      return { name: f, raw: readFileSync4(join5(dir, f), "utf8") };
+    } catch {
+      return { name: f, raw: null };
+    }
+  });
+  const repo = dirname2(dir);
+  for (const { slug } of listReceiptRefs(repo)) {
+    sources.push({ name: `${slug}@ref`, raw: readReceiptRef(slug, repo) });
   }
   const entries = [];
-  for (const f of files) {
+  for (const { name: f, raw } of sources) {
+    if (raw == null) {
+      continue;
+    }
     let input;
     try {
-      input = JSON.parse(readFileSync4(join4(dir, f), "utf8"));
+      input = JSON.parse(raw);
     } catch {
       continue;
     }
@@ -892,7 +997,7 @@ function toSarif(receipt) {
 
 // src/report/stats.ts
 import { readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 var NON_RECEIPT2 = /(?:^|\/)(?:asserts(?:\.example)?|sample)\.json$/i;
 function computeStats(dir) {
   let files;
@@ -910,7 +1015,7 @@ function computeStats(dir) {
   for (const f of files) {
     let input;
     try {
-      input = JSON.parse(readFileSync5(join5(dir, f), "utf8"));
+      input = JSON.parse(readFileSync5(join6(dir, f), "utf8"));
     } catch {
       skipped++;
       continue;
@@ -1027,13 +1132,13 @@ function renderHandoffMarkdown(h) {
 }
 
 // src/trace/commitMatch.ts
-import { spawnSync as spawnSync3 } from "child_process";
+import { spawnSync as spawnSync4 } from "child_process";
 var SHA_CAP = 200;
 function branchShas(base, cwd) {
   if (!base) {
     return [];
   }
-  const r = spawnSync3("git", ["log", `--max-count=${SHA_CAP}`, "--format=%H", `${base}..HEAD`], {
+  const r = spawnSync4("git", ["log", `--max-count=${SHA_CAP}`, "--format=%H", `${base}..HEAD`], {
     encoding: "utf8",
     cwd
   });
@@ -1330,6 +1435,7 @@ async function run(argv) {
   }
   if (args.command === "rederive") {
     return runRederive(args.file, {
+      source: args.agent,
       branch: args.branchScope,
       redact: args.redact,
       compact: args.compact
@@ -1436,8 +1542,8 @@ Run a coding-agent session first, then try again.
   process.stdout.write(renderCard({ summary, derived, findings }, { color: args.color }));
   return 0;
 }
-function git3(args) {
-  const r = spawnSync4("git", args, { encoding: "utf8" });
+function git4(args) {
+  const r = spawnSync5("git", args, { encoding: "utf8" });
   return r.status === 0 ? r.stdout.trim() : "";
 }
 var PR_SELECT_SCAN = 150;
@@ -1448,7 +1554,7 @@ function branchBirthMs(base) {
   if (!base) {
     return null;
   }
-  const out = git3(["log", "--reverse", "--format=%at", `${base}..HEAD`]);
+  const out = git4(["log", "--reverse", "--format=%at", `${base}..HEAD`]);
   const first = Number(out.split("\n")[0]?.trim());
   return Number.isFinite(first) && first > 0 ? first * 1e3 : null;
 }
@@ -1493,8 +1599,8 @@ async function pickForDiff(all, branch, repoRoot, files, birthMs = null, shas =
   return best ?? primary;
 }
 async function runPr(opts) {
-  const branch = opts.branch || git3(["rev-parse", "--abbrev-ref", "HEAD"]);
-  const repoRoot = git3(["rev-parse", "--show-toplevel"]);
+  const branch = opts.branch || git4(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const repoRoot = git4(["rev-parse", "--show-toplevel"]);
   if (!branch || branch === "HEAD") {
     process.stderr.write("receipts pr: not on a git branch (use --branch <name>).\n");
     return 1;
@@ -1553,7 +1659,7 @@ Build the branch with a coding agent first, or run \`receipts --list\`.
   const receipt = redactReceipt(await buildReceipt(scopedSession, derived, findings, { scope }));
   const json = `${JSON.stringify(receipt, null, 2)}
 `;
-  const store = (opts.store || process.env.RECEIPTS_STORE || "commit").toLowerCase();
+  const store = (opts.store || process.env.RECEIPTS_STORE || (repoRoot ? settingsStore(repoRoot) ?? settingsStore(primaryCheckout(repoRoot) ?? "") : void 0) || "commit").toLowerCase();
   if (store === "none") {
     process.stdout.write(json);
     process.stderr.write(
@@ -1567,21 +1673,33 @@ Build the branch with a coding agent first, or run \`receipts --list\`.
       `receipts pr: store=${store} not yet implemented (SPEC-0064) \u2014 using \`commit\`.
 `
     );
-  } else if (store !== "commit") {
+  } else if (store !== "commit" && store !== "ref") {
     process.stderr.write(`receipts pr: unknown store=${store} \u2014 using \`commit\`.
 `);
   }
   const safe = branch.replace(/[/\\]/g, "-");
-  const dir = join6(repoRoot || ".", ".receipts");
-  const out = opts.out ?? join6(dir, `${safe}.json`);
+  if (store === "ref") {
+    const w = writeReceiptRef(safe, branch, json, summary.endedAt, repoRoot || void 0);
+    if (w.ok) {
+      process.stderr.write(
+        `receipts pr: wrote ${w.ref} (Grade ${receipt.predicate.grade}, ${scopeNote}) from "${summary.title ?? "untitled"}" \u2014 no tree files.
+`
+      );
+      return 0;
+    }
+    process.stderr.write(`receipts pr: store=ref failed (${w.reason}) \u2014 using \`commit\`.
+`);
+  }
+  const dir = join7(repoRoot || ".", ".receipts");
+  const out = opts.out ?? join7(dir, `${safe}.json`);
   mkdirSync3(dir, { recursive: true });
-  const attrs = join6(dir, ".gitattributes");
+  const attrs = join7(dir, ".gitattributes");
   if (!existsSync4(attrs)) {
     writeFileSync3(attrs, "* linguist-generated\n");
-    git3(["add", attrs]);
+    git4(["add", attrs]);
   }
   writeFileSync3(out, json);
-  git3(["add", out]);
+  git4(["add", out]);
   const rel = repoRoot ? relative(repoRoot, out) : out;
   process.stderr.write(
     `receipts pr: wrote ${rel} (Grade ${receipt.predicate.grade}, ${scopeNote}) from "${summary.title ?? "untitled"}".
@@ -1739,8 +1857,9 @@ function runDiff(fileA, fileB, opts = {}) {
       );
       return 1;
     }
-    pathA = join6(".receipts", `${hist[1].name}.json`);
-    pathB = join6(".receipts", `${hist[0].name}.json`);
+    const sourceOf = (name) => name.endsWith("@ref") ? name : join7(".receipts", `${name}.json`);
+    pathA = sourceOf(hist[1].name);
+    pathB = sourceOf(hist[0].name);
     process.stdout.write(`receipts diff: ${hist[1].name} \u2192 ${hist[0].name} (most recent two)
 
 `);
@@ -1754,7 +1873,8 @@ function runDiff(fileA, fileB, opts = {}) {
   const read = (f) => {
     let input;
     try {
-      input = JSON.parse(readFileSync6(f, "utf8"));
+      const raw = f.endsWith("@ref") ? readReceiptRef(f.slice(0, -"@ref".length)) : null;
+      input = JSON.parse(raw ?? readFileSync6(f, "utf8"));
     } catch (err) {
       process.stderr.write(`Could not read ${f}: ${err instanceof Error ? err.message : err}
 `);
@@ -1813,9 +1933,9 @@ function runStats(dir, opts = {}) {
   return 0;
 }
 function runBadge(file, opts = {}) {
-  const repoRoot = git3(["rev-parse", "--show-toplevel"]) || ".";
-  const branch = git3(["rev-parse", "--abbrev-ref", "HEAD"]);
-  const path = file ?? (branch && branch !== "HEAD" ? join6(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
+  const repoRoot = git4(["rev-parse", "--show-toplevel"]) || ".";
+  const branch = git4(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const path = file ?? (branch && branch !== "HEAD" ? join7(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
   if (!path || !existsSync4(path)) {
     process.stderr.write(
       `receipts badge: no receipt found${path ? ` at ${path}` : ""}. Run \`receipts pr\` first, or pass a receipt path.
@@ -1849,9 +1969,9 @@ function runBadge(file, opts = {}) {
   return 0;
 }
 function runSarif(file, opts = {}) {
-  const repoRoot = git3(["rev-parse", "--show-toplevel"]) || ".";
-  const branch = git3(["rev-parse", "--abbrev-ref", "HEAD"]);
-  const path = file ?? (branch && branch !== "HEAD" ? join6(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
+  const repoRoot = git4(["rev-parse", "--show-toplevel"]) || ".";
+  const branch = git4(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const path = file ?? (branch && branch !== "HEAD" ? join7(repoRoot, ".receipts", `${branch.replace(/[/\\]/g, "-")}.json`) : void 0);
   if (!path || !existsSync4(path)) {
     process.stderr.write(
       `receipts sarif: no receipt found${path ? ` at ${path}` : ""}. Run \`receipts pr\` first, or pass a receipt path.
@@ -1885,8 +2005,8 @@ function runSarif(file, opts = {}) {
   return 0;
 }
 function runPrune(dir, opts = {}) {
-  const repoRoot = git3(["rev-parse", "--show-toplevel"]) || ".";
-  const dpath = dir ?? join6(repoRoot, ".receipts");
+  const repoRoot = git4(["rev-parse", "--show-toplevel"]) || ".";
+  const dpath = dir ?? join7(repoRoot, ".receipts");
   let files;
   try {
     files = readdirSync3(dpath).filter((f) => f.endsWith(".json"));
@@ -1895,7 +2015,7 @@ function runPrune(dir, opts = {}) {
 `);
     return 0;
   }
-  const ls = git3(["ls-remote", "--heads", "origin"]);
+  const ls = git4(["ls-remote", "--heads", "origin"]);
   if (ls === null) {
     process.stderr.write(
       "receipts prune: could not list remote branches (offline / no 'origin'?) \u2014 aborting, nothing removed.\n"
@@ -1907,8 +2027,11 @@ function runPrune(dir, opts = {}) {
   );
   const { keep, remove } = planPrune(files, liveSlugs);
   if (remove.length === 0) {
-    process.stdout.write(`receipts prune: nothing to prune (${keep.length} receipt(s) kept).
+    const prunedRefs = pruneReceiptRefs(liveSlugs, opts.dryRun ?? false);
+    if (prunedRefs === 0) {
+      process.stdout.write(`receipts prune: nothing to prune (${keep.length} receipt(s) kept).
 `);
+    }
     return 0;
   }
   if (opts.dryRun) {
@@ -1920,11 +2043,13 @@ function runPrune(dir, opts = {}) {
       process.stdout.write(`  - ${f}
 `);
     }
+    pruneReceiptRefs(liveSlugs, true);
     return 0;
   }
+  pruneReceiptRefs(liveSlugs, false);
   for (const f of remove) {
-    const p = join6(dpath, f);
-    if (git3(["rm", "-f", "--", p]) === null) {
+    const p = join7(dpath, f);
+    if (git4(["rm", "-f", "--", p]) === null) {
       try {
         unlinkSync(p);
       } catch {
@@ -1937,6 +2062,24 @@ function runPrune(dir, opts = {}) {
   );
   return 0;
 }
+function pruneReceiptRefs(liveSlugs, dryRun) {
+  const refs = listReceiptRefs().filter(({ slug }) => !liveSlugs.has(slug));
+  if (refs.length === 0) {
+    return 0;
+  }
+  for (const { ref, slug } of refs) {
+    if (dryRun) {
+      process.stdout.write(`  - ${ref}
+`);
+      continue;
+    }
+    git4(["update-ref", "-d", ref]);
+    git4(["push", "origin", `:${ref}`]);
+    process.stdout.write(`receipts prune: removed ${ref} (branch ${slug} gone).
+`);
+  }
+  return refs.length;
+}
 async function runEval(opts = {}) {
   const limit = opts.limit && opts.limit > 0 ? opts.limit : 200;
   const summaries = (await listSessions(opts.agent)).slice(0, limit);
@@ -1973,7 +2116,7 @@ function runInit(opts = {}) {
     written.push(path);
     lines.push(`receipts init: wrote ${path} (tracking ${tag}, quiet + non-blocking).`);
   }
-  const settingsPath = join6(".claude", "settings.json");
+  const settingsPath = join7(".claude", "settings.json");
   const merged = mergeHookIntoSettings(settingsPath);
   if (!merged.ok) {
     lines.push(`receipts init: ${merged.reason}.`);
@@ -1983,14 +2126,14 @@ function runInit(opts = {}) {
   } else {
     lines.push(`receipts init: ${settingsPath} already has the receipts hook.`);
   }
-  const ignorePath = join6(".claude", ".gitignore");
+  const ignorePath = join7(".claude", ".gitignore");
   if (!existsSync4(ignorePath)) {
     writeFileSync3(ignorePath, "*\n!settings.json\n!.gitignore\n");
     written.push(ignorePath);
     lines.push(`receipts init: wrote ${ignorePath} (commit settings.json, ignore the rest).`);
   }
   if (opts.agents?.includes("codex") || existsSync4(".codex")) {
-    const codexPath = join6(".codex", "hooks.json");
+    const codexPath = join7(".codex", "hooks.json");
     const m = mergeHookIntoSettings(
       codexPath,
       "npx -y altimate-receipts@latest hook pre-push --agent codex"
@@ -2004,7 +2147,7 @@ function runInit(opts = {}) {
       lines.push(`receipts init: ${codexPath} already has the receipts hook.`);
     }
   }
-  const attrsPath = join6(".receipts", ".gitattributes");
+  const attrsPath = join7(".receipts", ".gitattributes");
   if (!existsSync4(attrsPath)) {
     mkdirSync3(".receipts", { recursive: true });
     writeFileSync3(attrsPath, "* linguist-generated\n");
@@ -2043,22 +2186,22 @@ function openAdoptionPr(written, lines) {
     lines.push("receipts init: nothing new to commit \u2014 the repo is already integrated.");
     return;
   }
-  if (!git3(["rev-parse", "--git-dir"])) {
+  if (!git4(["rev-parse", "--git-dir"])) {
     lines.push("receipts init: not a git repository \u2014 commit the files above manually.");
     return;
   }
-  if (git3(["rev-parse", "--verify", "--quiet", ADOPT_BRANCH]) !== "") {
+  if (git4(["rev-parse", "--verify", "--quiet", ADOPT_BRANCH]) !== "") {
     lines.push(
       `receipts init: branch ${ADOPT_BRANCH} already exists \u2014 commit the files above to it manually.`
     );
     return;
   }
-  if (spawnSync4("git", ["checkout", "-b", ADOPT_BRANCH], { encoding: "utf8" }).status !== 0) {
+  if (spawnSync5("git", ["checkout", "-b", ADOPT_BRANCH], { encoding: "utf8" }).status !== 0) {
     lines.push(`receipts init: could not create branch ${ADOPT_BRANCH} \u2014 commit manually.`);
     return;
   }
-  spawnSync4("git", ["add", "--", ...written], { encoding: "utf8" });
-  const commit = spawnSync4(
+  spawnSync5("git", ["add", "--", ...written], { encoding: "utf8" });
+  const commit = spawnSync5(
     "git",
     ["commit", "-m", "chore: adopt receipts \u2014 zero-install agent-work verification"],
     { encoding: "utf8" }
@@ -2070,7 +2213,7 @@ function openAdoptionPr(written, lines) {
     return;
   }
   lines.push(`receipts init: committed ${written.length} file(s) on ${ADOPT_BRANCH}.`);
-  const push = spawnSync4("git", ["push", "-u", "origin", ADOPT_BRANCH], { encoding: "utf8" });
+  const push = spawnSync5("git", ["push", "-u", "origin", ADOPT_BRANCH], { encoding: "utf8" });
   if (push.status !== 0) {
     lines.push(
       "receipts init: push failed (no remote / auth?) \u2014 push the branch and open a PR manually."
@@ -2078,7 +2221,7 @@ function openAdoptionPr(written, lines) {
     return;
   }
   lines.push(`receipts init: pushed ${ADOPT_BRANCH}.`);
-  const gh = spawnSync4(
+  const gh = spawnSync5(
     "gh",
     [
       "pr",
@@ -2094,7 +2237,7 @@ function openAdoptionPr(written, lines) {
     lines.push(`receipts init: opened the PR \u2014 ${gh.stdout.trim().split("\n").pop()}`);
     return;
   }
-  const remote = git3(["remote", "get-url", "origin"]);
+  const remote = git4(["remote", "get-url", "origin"]);
   const slug = remote ? /github\.com[:/]([^/]+\/[^/.]+)/.exec(remote)?.[1] : void 0;
   lines.push(
     slug ? `receipts init: open the PR here \u2014 https://github.com/${slug}/pull/new/${ADOPT_BRANCH}` : "receipts init: branch pushed \u2014 open a PR from it in your forge."
@@ -2159,7 +2302,7 @@ function runInstallHook() {
   return 0;
 }
 function runSetupLocal() {
-  const path = join6(homedir(), ".claude", "settings.json");
+  const path = join7(homedir(), ".claude", "settings.json");
   const res = mergeHookIntoSettings(path);
   if (!res.ok) {
     process.stderr.write(`receipts setup-local: ${res.reason}.
@@ -2175,10 +2318,16 @@ function runSetupLocal() {
 }
 async function runRederive(file, opts = {}) {
   if (!file) {
-    process.stderr.write("Usage: receipts rederive <transcript.jsonl> [--branch b] [--redact]\n");
+    process.stderr.write(
+      "Usage: receipts rederive <transcript.jsonl> [--agent a] [--branch b] [--redact]\n"
+    );
     return 1;
   }
-  const receipt = await rederiveFromTranscript(file, { branch: opts.branch, redact: opts.redact });
+  const receipt = await rederiveFromTranscript(file, {
+    source: opts.source,
+    branch: opts.branch,
+    redact: opts.redact
+  });
   if (!receipt) {
     process.stderr.write(`receipts rederive: could not read a session from ${file}
 `);
@@ -2190,7 +2339,7 @@ async function runRederive(file, opts = {}) {
   return 0;
 }
 async function runAssert(opts) {
-  const repoRoot = git3(["rev-parse", "--show-toplevel"]) || ".";
+  const repoRoot = git4(["rev-parse", "--show-toplevel"]) || ".";
   let asserts;
   try {
     asserts = loadAsserts(repoRoot);