npm - audrey - Versions diffs - 0.23.1 → 1.0.1 - Mend

audrey 0.23.1 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/CHANGELOG.md +101 -15
package/LICENSE +21 -21
package/README.md +232 -6
package/SECURITY.md +2 -1
package/benchmarks/adapter-kit.mjs +20 -0
package/benchmarks/adapter-self-test.mjs +166 -0
package/benchmarks/adapters/example-allow.mjs +28 -0
package/benchmarks/adapters/mem0-platform.mjs +267 -0
package/benchmarks/adapters/registry.json +51 -0
package/benchmarks/adapters/zep-cloud.mjs +280 -0
package/benchmarks/baselines.js +169 -0
package/benchmarks/build-leaderboard.mjs +170 -0
package/benchmarks/cases.js +537 -0
package/benchmarks/create-conformance-card.mjs +139 -0
package/benchmarks/create-submission-bundle.mjs +176 -0
package/benchmarks/dry-run-external-adapters.mjs +165 -0
package/benchmarks/guardbench.js +1125 -0
package/benchmarks/output/adapter-self-test/guardbench-adapter-self-test.json +50 -0
package/benchmarks/output/external/guardbench-external-dry-run.json +69 -0
package/benchmarks/output/external/guardbench-external-evidence.json +56 -0
package/benchmarks/output/guardbench-conformance-card.json +63 -0
package/benchmarks/output/guardbench-manifest.json +414 -0
package/benchmarks/output/guardbench-raw.json +1271 -0
package/benchmarks/output/guardbench-summary.json +2107 -0
package/benchmarks/output/leaderboard/guardbench-leaderboard.json +93 -0
package/benchmarks/output/leaderboard/guardbench-leaderboard.md +7 -0
package/benchmarks/output/submission-bundle/guardbench-conformance-card.json +63 -0
package/benchmarks/output/submission-bundle/guardbench-manifest.json +414 -0
package/benchmarks/output/submission-bundle/guardbench-raw.json +1271 -0
package/benchmarks/output/submission-bundle/guardbench-summary.json +2107 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-adapter-registry.schema.json +69 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-adapter-self-test.schema.json +156 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-conformance-card.schema.json +184 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-external-dry-run.schema.json +74 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-external-evidence.schema.json +108 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-external-run.schema.json +160 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-leaderboard.schema.json +179 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-manifest.schema.json +213 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-publication-verification.schema.json +47 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-raw.schema.json +184 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-submission-manifest.schema.json +151 -0
package/benchmarks/output/submission-bundle/schemas/guardbench-summary.schema.json +249 -0
package/benchmarks/output/submission-bundle/submission-manifest.json +131 -0
package/benchmarks/output/submission-bundle/validation-report.json +31 -0
package/benchmarks/output/summary.json +2354 -0
package/benchmarks/perf-snapshot.js +304 -0
package/benchmarks/perf.bench.js +161 -0
package/benchmarks/public-paths.mjs +78 -0
package/benchmarks/reference-results.js +70 -0
package/benchmarks/report.js +259 -0
package/benchmarks/run-external-guardbench.mjs +281 -0
package/benchmarks/run.js +682 -0
package/benchmarks/schemas/guardbench-adapter-registry.schema.json +69 -0
package/benchmarks/schemas/guardbench-adapter-self-test.schema.json +156 -0
package/benchmarks/schemas/guardbench-conformance-card.schema.json +184 -0
package/benchmarks/schemas/guardbench-external-dry-run.schema.json +74 -0
package/benchmarks/schemas/guardbench-external-evidence.schema.json +108 -0
package/benchmarks/schemas/guardbench-external-run.schema.json +160 -0
package/benchmarks/schemas/guardbench-leaderboard.schema.json +179 -0
package/benchmarks/schemas/guardbench-manifest.schema.json +213 -0
package/benchmarks/schemas/guardbench-publication-verification.schema.json +47 -0
package/benchmarks/schemas/guardbench-raw.schema.json +184 -0
package/benchmarks/schemas/guardbench-submission-manifest.schema.json +151 -0
package/benchmarks/schemas/guardbench-summary.schema.json +249 -0
package/benchmarks/snapshots/perf-0.22.2.json +123 -0
package/benchmarks/snapshots/perf-0.23.0.json +123 -0
package/benchmarks/validate-adapter-module.mjs +104 -0
package/benchmarks/validate-adapter-registry.mjs +134 -0
package/benchmarks/validate-adapter-self-test.mjs +96 -0
package/benchmarks/validate-guardbench-artifacts.mjs +343 -0
package/benchmarks/verify-external-evidence.mjs +296 -0
package/benchmarks/verify-publication-artifacts.mjs +286 -0
package/benchmarks/verify-submission-bundle.mjs +167 -0
package/dist/mcp-server/config.d.ts +1 -1
package/dist/mcp-server/config.d.ts.map +1 -1
package/dist/mcp-server/config.js +1 -1
package/dist/mcp-server/config.js.map +1 -1
package/dist/mcp-server/index.d.ts +65 -3
package/dist/mcp-server/index.d.ts.map +1 -1
package/dist/mcp-server/index.js +675 -157
package/dist/mcp-server/index.js.map +1 -1
package/dist/src/action-key.d.ts +9 -0
package/dist/src/action-key.d.ts.map +1 -0
package/dist/src/action-key.js +49 -0
package/dist/src/action-key.js.map +1 -0
package/dist/src/adaptive.js +5 -5
package/dist/src/affect.js +8 -8
package/dist/src/audrey.d.ts +13 -0
package/dist/src/audrey.d.ts.map +1 -1
package/dist/src/audrey.js +68 -3
package/dist/src/audrey.js.map +1 -1
package/dist/src/capsule.js +4 -4
package/dist/src/causal.js +3 -3
package/dist/src/consolidate.js +48 -48
package/dist/src/controller.d.ts +78 -6
package/dist/src/controller.d.ts.map +1 -1
package/dist/src/controller.js +273 -53
package/dist/src/controller.js.map +1 -1
package/dist/src/db.js +172 -172
package/dist/src/decay.js +8 -8
package/dist/src/embedding.d.ts +2 -1
package/dist/src/embedding.d.ts.map +1 -1
package/dist/src/embedding.js +39 -29
package/dist/src/embedding.js.map +1 -1
package/dist/src/encode.js +6 -6
package/dist/src/feedback.d.ts +6 -0
package/dist/src/feedback.d.ts.map +1 -1
package/dist/src/feedback.js +6 -0
package/dist/src/feedback.js.map +1 -1
package/dist/src/forget.js +12 -12
package/dist/src/hybrid-recall.js +9 -9
package/dist/src/impact.js +6 -6
package/dist/src/import.d.ts +3 -3
package/dist/src/import.js +41 -41
package/dist/src/index.d.ts +5 -4
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +3 -3
package/dist/src/index.js.map +1 -1
package/dist/src/interference.js +14 -14
package/dist/src/introspect.js +18 -18
package/dist/src/preflight.d.ts.map +1 -1
package/dist/src/preflight.js +41 -0
package/dist/src/preflight.js.map +1 -1
package/dist/src/promote.js +7 -7
package/dist/src/prompts.js +118 -118
package/dist/src/recall.js +30 -30
package/dist/src/reflexes.d.ts +1 -0
package/dist/src/reflexes.d.ts.map +1 -1
package/dist/src/reflexes.js +3 -0
package/dist/src/reflexes.js.map +1 -1
package/dist/src/rollback.js +4 -4
package/dist/src/routes.d.ts.map +1 -1
package/dist/src/routes.js +71 -2
package/dist/src/routes.js.map +1 -1
package/dist/src/validate.js +25 -25
package/docs/AUDREY_PAPER_OUTLINE.md +175 -0
package/docs/MEMORY_BENCHMARKING.md +59 -0
package/docs/PRODUCTION_BACKLOG.md +304 -0
package/docs/paper/00-master.md +48 -0
package/docs/paper/01-introduction.md +27 -0
package/docs/paper/02-related-work.md +47 -0
package/docs/paper/03-problem-definition.md +108 -0
package/docs/paper/04-design.md +164 -0
package/docs/paper/05-guardbench-spec.md +412 -0
package/docs/paper/06-implementation.md +113 -0
package/docs/paper/07-evaluation.md +168 -0
package/docs/paper/08-discussion-limitations.md +61 -0
package/docs/paper/09-conclusion.md +11 -0
package/docs/paper/SUBMISSION_README.md +162 -0
package/docs/paper/appendix-a-demo-transcript.md +114 -0
package/docs/paper/arxiv-compile-report.schema.json +116 -0
package/docs/paper/arxiv-source.schema.json +61 -0
package/docs/paper/audrey-paper-v1.md +1106 -0
package/docs/paper/browser-launch-plan.json +209 -0
package/docs/paper/browser-launch-plan.schema.json +100 -0
package/docs/paper/browser-launch-results.json +86 -0
package/docs/paper/browser-launch-results.schema.json +66 -0
package/docs/paper/claim-register.json +138 -0
package/docs/paper/claim-register.schema.json +81 -0
package/docs/paper/evidence-ledger.md +103 -0
package/docs/paper/output/arxiv/README-arxiv.txt +8 -0
package/docs/paper/output/arxiv/arxiv-manifest.json +41 -0
package/docs/paper/output/arxiv/main.tex +949 -0
package/docs/paper/output/arxiv/references.bib +222 -0
package/docs/paper/output/arxiv-compile-report.json +24 -0
package/docs/paper/output/submission-bundle/LICENSE +21 -0
package/docs/paper/output/submission-bundle/README.md +555 -0
package/docs/paper/output/submission-bundle/benchmarks/output/adapter-self-test/guardbench-adapter-self-test.json +50 -0
package/docs/paper/output/submission-bundle/benchmarks/output/external/guardbench-external-dry-run.json +69 -0
package/docs/paper/output/submission-bundle/benchmarks/output/external/guardbench-external-evidence.json +56 -0
package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-conformance-card.json +63 -0
package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-manifest.json +414 -0
package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-raw.json +1271 -0
package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-summary.json +2107 -0
package/docs/paper/output/submission-bundle/benchmarks/output/leaderboard/guardbench-leaderboard.json +93 -0
package/docs/paper/output/submission-bundle/benchmarks/output/leaderboard/guardbench-leaderboard.md +7 -0
package/docs/paper/output/submission-bundle/benchmarks/output/submission-bundle/submission-manifest.json +131 -0
package/docs/paper/output/submission-bundle/benchmarks/output/submission-bundle/validation-report.json +31 -0
package/docs/paper/output/submission-bundle/benchmarks/output/summary.json +2354 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-adapter-registry.schema.json +69 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-adapter-self-test.schema.json +156 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-conformance-card.schema.json +184 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-external-dry-run.schema.json +74 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-external-evidence.schema.json +108 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-external-run.schema.json +160 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-leaderboard.schema.json +179 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-manifest.schema.json +213 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-publication-verification.schema.json +47 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-raw.schema.json +184 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-submission-manifest.schema.json +151 -0
package/docs/paper/output/submission-bundle/benchmarks/schemas/guardbench-summary.schema.json +249 -0
package/docs/paper/output/submission-bundle/docs/AUDREY_PAPER_OUTLINE.md +175 -0
package/docs/paper/output/submission-bundle/docs/paper/00-master.md +48 -0
package/docs/paper/output/submission-bundle/docs/paper/01-introduction.md +27 -0
package/docs/paper/output/submission-bundle/docs/paper/02-related-work.md +47 -0
package/docs/paper/output/submission-bundle/docs/paper/03-problem-definition.md +108 -0
package/docs/paper/output/submission-bundle/docs/paper/04-design.md +164 -0
package/docs/paper/output/submission-bundle/docs/paper/05-guardbench-spec.md +412 -0
package/docs/paper/output/submission-bundle/docs/paper/06-implementation.md +113 -0
package/docs/paper/output/submission-bundle/docs/paper/07-evaluation.md +168 -0
package/docs/paper/output/submission-bundle/docs/paper/08-discussion-limitations.md +61 -0
package/docs/paper/output/submission-bundle/docs/paper/09-conclusion.md +11 -0
package/docs/paper/output/submission-bundle/docs/paper/SUBMISSION_README.md +162 -0
package/docs/paper/output/submission-bundle/docs/paper/appendix-a-demo-transcript.md +114 -0
package/docs/paper/output/submission-bundle/docs/paper/arxiv-compile-report.schema.json +116 -0
package/docs/paper/output/submission-bundle/docs/paper/arxiv-source.schema.json +61 -0
package/docs/paper/output/submission-bundle/docs/paper/audrey-paper-v1.md +1106 -0
package/docs/paper/output/submission-bundle/docs/paper/browser-launch-plan.json +209 -0
package/docs/paper/output/submission-bundle/docs/paper/browser-launch-plan.schema.json +100 -0
package/docs/paper/output/submission-bundle/docs/paper/browser-launch-results.json +86 -0
package/docs/paper/output/submission-bundle/docs/paper/browser-launch-results.schema.json +66 -0
package/docs/paper/output/submission-bundle/docs/paper/claim-register.json +138 -0
package/docs/paper/output/submission-bundle/docs/paper/claim-register.schema.json +81 -0
package/docs/paper/output/submission-bundle/docs/paper/evidence-ledger.md +103 -0
package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/README-arxiv.txt +8 -0
package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/arxiv-manifest.json +41 -0
package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/main.tex +949 -0
package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/references.bib +222 -0
package/docs/paper/output/submission-bundle/docs/paper/output/arxiv-compile-report.json +24 -0
package/docs/paper/output/submission-bundle/docs/paper/paper-submission-bundle.schema.json +70 -0
package/docs/paper/output/submission-bundle/docs/paper/publication-pack.json +81 -0
package/docs/paper/output/submission-bundle/docs/paper/publication-pack.schema.json +60 -0
package/docs/paper/output/submission-bundle/docs/paper/references.bib +222 -0
package/docs/paper/output/submission-bundle/package.json +212 -0
package/docs/paper/output/submission-bundle/paper-submission-manifest.json +379 -0
package/docs/paper/paper-submission-bundle.schema.json +70 -0
package/docs/paper/publication-pack.json +81 -0
package/docs/paper/publication-pack.schema.json +60 -0
package/docs/paper/references.bib +222 -0
package/package.json +87 -4
package/scripts/audit-release-completion.mjs +362 -0
package/scripts/create-arxiv-source.mjs +362 -0
package/scripts/create-paper-submission-bundle.mjs +210 -0
package/scripts/finalize-release.mjs +526 -0
package/scripts/prepare-release-cut.mjs +269 -0
package/scripts/publish-release-bundle.mjs +209 -0
package/scripts/publish-release-github-api.mjs +429 -0
package/scripts/run-vitest.mjs +34 -0
package/scripts/smoke-cli.js +92 -0
package/scripts/sync-paper-artifacts.mjs +109 -0
package/scripts/verify-arxiv-compile.mjs +440 -0
package/scripts/verify-arxiv-source.mjs +194 -0
package/scripts/verify-browser-launch-plan.mjs +237 -0
package/scripts/verify-browser-launch-results.mjs +285 -0
package/scripts/verify-paper-artifacts.mjs +338 -0
package/scripts/verify-paper-claims.mjs +226 -0
package/scripts/verify-paper-submission-bundle.mjs +207 -0
package/scripts/verify-publication-pack.mjs +196 -0
package/scripts/verify-python-package.py +201 -0
package/scripts/verify-release-readiness.mjs +785 -0

package/benchmarks/validate-guardbench-artifacts.mjs ADDED Viewed

@@ -0,0 +1,343 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
+import { basename, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { publicPath } from './public-paths.mjs';
+const DEFAULT_DIR = 'benchmarks/output';
+const DEFAULT_SEEDED_SECRET = 'sk-guardbench-secret-0000000000000000000000000000';
+const SCHEMA_FILES = {
+  manifest: 'guardbench-manifest.schema.json',
+  summary: 'guardbench-summary.schema.json',
+  raw: 'guardbench-raw.schema.json',
+  externalRun: 'guardbench-external-run.schema.json',
+  conformanceCard: 'guardbench-conformance-card.schema.json',
+};
+const ARTIFACT_FILES = {
+  manifest: 'guardbench-manifest.json',
+  summary: 'guardbench-summary.json',
+  raw: 'guardbench-raw.json',
+};
+const OPTIONAL_ARTIFACT_FILES = {
+  externalRun: 'external-run-metadata.json',
+  conformanceCard: 'guardbench-conformance-card.json',
+};
+function parseArgs(argv = process.argv.slice(2)) {
+  const args = {
+    dir: DEFAULT_DIR,
+    schemasDir: 'benchmarks/schemas',
+    seededSecrets: [DEFAULT_SEEDED_SECRET],
+    json: false,
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const token = argv[i];
+    if ((token === '--dir' || token === '--out-dir') && argv[i + 1]) args.dir = argv[++i];
+    else if (token === '--schemas-dir' && argv[i + 1]) args.schemasDir = argv[++i];
+    else if (token === '--seeded-secret' && argv[i + 1]) args.seededSecrets.push(argv[++i]);
+    else if (token === '--no-default-secret') args.seededSecrets = [];
+    else if (token === '--json') args.json = true;
+    else if (token === '--help') {
+      return { ...args, help: true };
+    }
+  }
+  return args;
+}
+function usage() {
+  return [
+    'Usage: node benchmarks/validate-guardbench-artifacts.mjs [--dir benchmarks/output] [--json]',
+    '',
+    'Validates guardbench-manifest.json, guardbench-summary.json, and',
+    'guardbench-raw.json against the published GuardBench JSON schemas.',
+    '',
+    'Options:',
+    '  --dir <path>             Directory containing GuardBench output artifacts.',
+    '  --schemas-dir <path>     Directory containing GuardBench schema files.',
+    '  --seeded-secret <value>  Additional seeded raw secret that must not appear.',
+    '  --no-default-secret      Do not check the built-in GuardBench redaction probe.',
+    '  --json                   Print a machine-readable validation report.',
+  ].join('\n');
+}
+function readText(path) {
+  if (!existsSync(path)) throw new Error(`Missing required file: ${path}`);
+  return readFileSync(path, 'utf-8');
+}
+function readJson(path) {
+  return JSON.parse(readText(path));
+}
+function sha256File(path) {
+  return createHash('sha256').update(readFileSync(path)).digest('hex');
+}
+export function computeGuardBenchArtifactHashes(dir, files = Object.values(ARTIFACT_FILES)) {
+  const resolvedDir = resolve(dir);
+  return Object.fromEntries(files.map(file => [file, sha256File(join(resolvedDir, file))]));
+}
+function typeOf(value) {
+  if (Array.isArray(value)) return 'array';
+  if (value === null) return 'null';
+  return typeof value;
+}
+export function validateSchema(value, schema, label, root = schema) {
+  const errors = [];
+  function validate(current, currentSchema, path) {
+    if (currentSchema.$ref) {
+      const refPath = currentSchema.$ref.replace(/^#\//, '').split('/');
+      const resolved = refPath.reduce((node, key) => node?.[key], root);
+      if (!resolved) {
+        errors.push(`${path}: unresolved schema ref ${currentSchema.$ref}`);
+        return;
+      }
+      validate(current, resolved, path);
+      return;
+    }
+    if (currentSchema.anyOf) {
+      const nested = currentSchema.anyOf.map(option => {
+        const before = errors.length;
+        validate(current, option, path);
+        return errors.splice(before);
+      });
+      if (!nested.some(group => group.length === 0)) {
+        errors.push(`${path}: did not match any allowed schema`);
+      }
+      return;
+    }
+    if (currentSchema.const !== undefined && current !== currentSchema.const) {
+      errors.push(`${path}: expected constant ${currentSchema.const}`);
+    }
+    if (currentSchema.enum && !currentSchema.enum.includes(current)) {
+      errors.push(`${path}: expected one of ${currentSchema.enum.join(', ')}`);
+    }
+    if (currentSchema.type === 'integer') {
+      if (typeof current !== 'number' || !Number.isInteger(current)) {
+        errors.push(`${path}: expected integer, got ${typeOf(current)}`);
+        return;
+      }
+    } else if (currentSchema.type) {
+      const actual = typeOf(current);
+      if (actual !== currentSchema.type) {
+        errors.push(`${path}: expected ${currentSchema.type}, got ${actual}`);
+        return;
+      }
+    }
+    if (currentSchema.minLength != null && String(current).length < currentSchema.minLength) {
+      errors.push(`${path}: shorter than minLength ${currentSchema.minLength}`);
+    }
+    if (currentSchema.pattern && typeof current === 'string' && !(new RegExp(currentSchema.pattern).test(current))) {
+      errors.push(`${path}: does not match ${currentSchema.pattern}`);
+    }
+    if (currentSchema.minimum != null && typeof current === 'number' && current < currentSchema.minimum) {
+      errors.push(`${path}: below minimum ${currentSchema.minimum}`);
+    }
+    if (currentSchema.maximum != null && typeof current === 'number' && current > currentSchema.maximum) {
+      errors.push(`${path}: above maximum ${currentSchema.maximum}`);
+    }
+    if (currentSchema.type === 'array') {
+      if (currentSchema.minItems != null && current.length < currentSchema.minItems) {
+        errors.push(`${path}: expected at least ${currentSchema.minItems} items`);
+      }
+      if (currentSchema.items) {
+        current.forEach((item, index) => validate(item, currentSchema.items, `${path}[${index}]`));
+      }
+    }
+    if (currentSchema.type === 'object') {
+      for (const required of currentSchema.required ?? []) {
+        if (!Object.hasOwn(current, required)) errors.push(`${path}: missing required property ${required}`);
+      }
+      if (currentSchema.additionalProperties === false) {
+        for (const key of Object.keys(current)) {
+          if (!Object.hasOwn(currentSchema.properties ?? {}, key)) {
+            errors.push(`${path}: unexpected property ${key}`);
+          }
+        }
+      }
+      for (const [key, propertySchema] of Object.entries(currentSchema.properties ?? {})) {
+        if (Object.hasOwn(current, key)) validate(current[key], propertySchema, `${path}.${key}`);
+      }
+    }
+  }
+  validate(value, schema, label);
+  return errors;
+}
+function stableJson(value) {
+  if (Array.isArray(value)) return `[${value.map(stableJson).join(',')}]`;
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value).sort().map(key => `${JSON.stringify(key)}:${stableJson(value[key])}`).join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+function assertSameJson(actual, expected, label, failures) {
+  if (stableJson(actual) !== stableJson(expected)) {
+    failures.push(`${label}: cross-artifact mismatch`);
+  }
+}
+export function validateGuardBenchArtifacts(options = {}) {
+  const dir = resolve(options.dir ?? DEFAULT_DIR);
+  const schemasDir = resolve(options.schemasDir ?? 'benchmarks/schemas');
+  const seededSecrets = options.seededSecrets ?? [DEFAULT_SEEDED_SECRET];
+  const failures = [];
+  const artifacts = {};
+  const schemas = {};
+  const artifactPaths = {};
+  const optionalArtifacts = {};
+  for (const [key, file] of Object.entries(ARTIFACT_FILES)) {
+    artifactPaths[key] = join(dir, file);
+    try {
+      artifacts[key] = readJson(artifactPaths[key]);
+    } catch (error) {
+      failures.push(error.message);
+    }
+  }
+  for (const [key, file] of Object.entries(SCHEMA_FILES)) {
+    try {
+      schemas[key] = readJson(join(schemasDir, file));
+    } catch (error) {
+      failures.push(error.message);
+    }
+  }
+  if (failures.length === 0) {
+    for (const key of Object.keys(ARTIFACT_FILES)) {
+      for (const error of validateSchema(artifacts[key], schemas[key], `guardbench-${key}`)) {
+        failures.push(`${basename(artifactPaths[key])}: ${error}`);
+      }
+    }
+    for (const [key, file] of Object.entries(OPTIONAL_ARTIFACT_FILES)) {
+      const path = join(dir, file);
+      if (!existsSync(path)) continue;
+      artifactPaths[key] = path;
+      try {
+        optionalArtifacts[key] = readJson(path);
+      } catch (error) {
+        failures.push(error.message);
+        continue;
+      }
+      for (const error of validateSchema(optionalArtifacts[key], schemas[key], `guardbench-${key}`)) {
+        failures.push(`${basename(path)}: ${error}`);
+      }
+    }
+    const externalRun = optionalArtifacts.externalRun;
+    if (externalRun?.artifactHashes) {
+      const currentHashes = computeGuardBenchArtifactHashes(dir);
+      for (const [file, expectedHash] of Object.entries(externalRun.artifactHashes)) {
+        if (!Object.hasOwn(currentHashes, file)) {
+          failures.push(`external-run-metadata.json: artifactHashes includes unknown file ${file}`);
+        } else if (currentHashes[file] !== expectedHash) {
+          failures.push(`external-run-metadata.json: artifactHashes.${file} does not match current artifact`);
+        }
+      }
+      for (const file of Object.values(ARTIFACT_FILES)) {
+        if (!Object.hasOwn(externalRun.artifactHashes, file)) {
+          failures.push(`external-run-metadata.json: artifactHashes missing ${file}`);
+        }
+      }
+    }
+    const conformanceCard = optionalArtifacts.conformanceCard;
+    if (conformanceCard) {
+      const currentHashes = computeGuardBenchArtifactHashes(dir);
+      for (const [file, expectedHash] of Object.entries(conformanceCard.integrity?.artifactHashes ?? {})) {
+        if (!Object.hasOwn(currentHashes, file)) {
+          failures.push(`guardbench-conformance-card.json: integrity.artifactHashes includes unknown file ${file}`);
+        } else if (currentHashes[file] !== expectedHash) {
+          failures.push(`guardbench-conformance-card.json: integrity.artifactHashes.${file} does not match current artifact`);
+        }
+      }
+      if (conformanceCard.manifestVersion !== artifacts.manifest.manifestVersion) {
+        failures.push('guardbench-conformance-card.json: manifestVersion does not match guardbench-manifest.json');
+      }
+      if (conformanceCard.suiteId !== artifacts.manifest.suiteId) {
+        failures.push('guardbench-conformance-card.json: suiteId does not match guardbench-manifest.json');
+      }
+      if (!artifacts.summary.systemSummaries?.some(row => row.system === conformanceCard.subject?.name)) {
+        failures.push('guardbench-conformance-card.json: subject.name is not present in guardbench-summary.json');
+      }
+    }
+    assertSameJson(artifacts.summary.manifest, artifacts.manifest, 'summary.manifest vs guardbench-manifest.json', failures);
+    assertSameJson(artifacts.summary.cases, artifacts.raw.cases, 'summary.cases vs raw.cases', failures);
+    assertSameJson(artifacts.summary.provenance, artifacts.raw.provenance, 'summary.provenance vs raw.provenance', failures);
+    if (artifacts.summary.generatedAt !== artifacts.raw.generatedAt) {
+      failures.push('summary.generatedAt vs raw.generatedAt: cross-artifact mismatch');
+    }
+    if (artifacts.manifest.manifestVersion !== artifacts.raw.manifestVersion) {
+      failures.push('manifest.manifestVersion vs raw.manifestVersion: cross-artifact mismatch');
+    }
+    if (artifacts.summary.artifactRedactionSweep?.passed !== true) {
+      failures.push('guardbench-summary.json: artifactRedactionSweep did not pass');
+    }
+    if (artifacts.raw.artifactRedactionSweep?.passed !== true) {
+      failures.push('guardbench-raw.json: artifactRedactionSweep did not pass');
+    }
+    const artifactText = Object.values(artifacts).map(value => JSON.stringify(value)).join('\n');
+    for (const secret of seededSecrets) {
+      if (secret && artifactText.includes(secret)) {
+        failures.push(`raw seeded secret leaked into GuardBench artifacts: ${secret}`);
+      }
+    }
+    const manifestText = JSON.stringify(artifacts.manifest);
+    if (!manifestText.includes('seededSecretRefs')) {
+      failures.push('guardbench-manifest.json: missing seededSecretRefs');
+    }
+    if (manifestText.includes('"seededSecrets"')) {
+      failures.push('guardbench-manifest.json: contains seededSecrets');
+    }
+  }
+  return {
+    ok: failures.length === 0,
+    dir: publicPath(dir),
+    schemasDir: publicPath(schemasDir),
+    files: Object.values(ARTIFACT_FILES),
+    optionalFiles: Object.values(OPTIONAL_ARTIFACT_FILES).filter(file => existsSync(join(dir, file))),
+    failures,
+  };
+}
+async function main() {
+  const args = parseArgs();
+  if (args.help) {
+    console.log(usage());
+    return;
+  }
+  const report = validateGuardBenchArtifacts(args);
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else if (report.ok) {
+    console.log(`GuardBench artifact validation passed: ${report.dir}`);
+  } else {
+    console.error('GuardBench artifact validation failed:');
+    for (const failure of report.failures) console.error(`- ${failure}`);
+  }
+  if (!report.ok) process.exit(1);
+}
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  main().catch(error => {
+    console.error(error.stack ?? error.message);
+    process.exit(1);
+  });
+}

package/benchmarks/verify-external-evidence.mjs ADDED Viewed

@@ -0,0 +1,296 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { validateAdapterRegistry } from './validate-adapter-registry.mjs';
+import { validateGuardBenchArtifacts, validateSchema } from './validate-guardbench-artifacts.mjs';
+import { publicPath } from './public-paths.mjs';
+const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+const DEFAULT_REGISTRY = 'benchmarks/adapters/registry.json';
+const DEFAULT_REGISTRY_SCHEMA = 'benchmarks/schemas/guardbench-adapter-registry.schema.json';
+const DEFAULT_EXTERNAL_RUN_SCHEMA = 'benchmarks/schemas/guardbench-external-run.schema.json';
+const DEFAULT_EVIDENCE_SCHEMA = 'benchmarks/schemas/guardbench-external-evidence.schema.json';
+const DEFAULT_OUT_ROOT = 'benchmarks/output/external';
+const DEFAULT_REPORT = 'benchmarks/output/external/guardbench-external-evidence.json';
+const PENDING_METADATA_STATUSES = new Set(['blocked', 'dry-run-missing-env', 'dry-run-ready']);
+function fromRoot(path) {
+  return resolve(ROOT, path);
+}
+function readJson(path) {
+  return JSON.parse(readFileSync(path, 'utf-8'));
+}
+function writeJson(path, value) {
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, `${JSON.stringify(value, null, 2)}\n`, 'utf-8');
+}
+export function parseExternalEvidenceArgs(argv = process.argv.slice(2)) {
+  const args = {
+    registry: DEFAULT_REGISTRY,
+    registrySchema: DEFAULT_REGISTRY_SCHEMA,
+    externalRunSchema: DEFAULT_EXTERNAL_RUN_SCHEMA,
+    evidenceSchema: DEFAULT_EVIDENCE_SCHEMA,
+    outRoot: DEFAULT_OUT_ROOT,
+    report: DEFAULT_REPORT,
+    adapters: [],
+    allowPending: false,
+    json: false,
+    write: true,
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const token = argv[i];
+    if (token === '--registry' && argv[i + 1]) args.registry = argv[++i];
+    else if (token === '--registry-schema' && argv[i + 1]) args.registrySchema = argv[++i];
+    else if (token === '--external-run-schema' && argv[i + 1]) args.externalRunSchema = argv[++i];
+    else if (token === '--evidence-schema' && argv[i + 1]) args.evidenceSchema = argv[++i];
+    else if (token === '--out-root' && argv[i + 1]) args.outRoot = argv[++i];
+    else if (token === '--report' && argv[i + 1]) args.report = argv[++i];
+    else if (token === '--adapter' && argv[i + 1]) args.adapters.push(argv[++i]);
+    else if (token === '--allow-pending') args.allowPending = true;
+    else if (token === '--json') args.json = true;
+    else if (token === '--no-write') args.write = false;
+    else if (token === '--help' || token === '-h') args.help = true;
+    else throw new Error(`Unknown argument: ${token}`);
+  }
+  return args;
+}
+function usage() {
+  return `Usage: node benchmarks/verify-external-evidence.mjs [options]
+Options:
+  --registry <path>             GuardBench adapter registry. Default: ${DEFAULT_REGISTRY}.
+  --out-root <path>             External evidence root. Default: ${DEFAULT_OUT_ROOT}.
+  --report <path>               Output report path. Default: ${DEFAULT_REPORT}.
+  --adapter <id>                Limit verification to one adapter id. May repeat.
+  --allow-pending               Treat missing, blocked, or dry-run-only evidence as pending.
+  --json                        Print the machine-readable evidence report.
+  --no-write                    Do not write the evidence report.
+`;
+}
+function credentialLeaks(text, requiredEnv, env) {
+  const leaks = [];
+  for (const name of requiredEnv) {
+    const value = env[name];
+    if (typeof value === 'string' && value.length >= 8 && text.includes(value)) {
+      leaks.push(name);
+    }
+  }
+  return leaks;
+}
+function pendingRow(target, outDir, metadataPath, allowPending, reason, metadata = null, extraFailures = [], secretLeakCount = 0) {
+  return {
+    id: target.id,
+    name: target.name,
+    path: target.path,
+    credentialMode: target.credentialMode,
+    requiredEnv: target.requiredEnv,
+    outDir: publicPath(outDir),
+    metadataPath: publicPath(metadataPath),
+    status: 'pending',
+    evidenceKind: metadata?.dryRun ? 'dry-run' : reason === 'missing' ? 'missing' : 'blocked',
+    metadataStatus: metadata?.status ?? null,
+    dryRun: metadata?.dryRun ?? null,
+    missingEnv: metadata?.missingEnv ?? target.requiredEnv,
+    artifactValidationOk: null,
+    adapterConformanceOk: null,
+    secretLeakCount,
+    failures: allowPending ? extraFailures : [
+      ...extraFailures,
+      reason === 'missing'
+        ? `Missing external run metadata: ${metadataPath}`
+        : `External evidence is pending for ${target.id}: ${metadata?.status ?? reason}`,
+    ],
+  };
+}
+function verifyLiveMetadata(target, outDir, metadataPath, metadata, metadataText, schemas, env) {
+  const failures = [];
+  const schemaErrors = validateSchema(metadata, schemas.externalRun, 'guardbench-externalRun');
+  failures.push(...schemaErrors);
+  const artifactValidation = validateGuardBenchArtifacts({ dir: outDir });
+  if (!artifactValidation.ok) {
+    failures.push(...artifactValidation.failures.map(failure => `artifact validation: ${failure}`));
+  }
+  if (metadata.adapter !== target.id) failures.push(`metadata adapter ${metadata.adapter} does not match registry id ${target.id}`);
+  if (metadata.dryRun !== false) failures.push('metadata must come from a live run, not a dry run');
+  if (metadata.status !== 'passed') failures.push(`metadata status must be passed, got ${metadata.status}`);
+  if (metadata.exitCode !== 0) failures.push(`metadata exitCode must be 0, got ${metadata.exitCode}`);
+  if ((metadata.missingEnv ?? []).length !== 0) failures.push(`metadata still reports missing runtime env: ${(metadata.missingEnv ?? []).join(', ')}`);
+  for (const name of target.requiredEnv) {
+    if (!(metadata.requiredEnv ?? []).includes(name)) failures.push(`metadata requiredEnv missing ${name}`);
+  }
+  if (metadata.artifactValidation?.ok !== true) failures.push('metadata artifactValidation.ok must be true');
+  if (metadata.adapterConformance?.ok !== true) failures.push('metadata adapterConformance.ok must be true');
+  if (!metadata.artifactHashes) failures.push('metadata missing artifactHashes');
+  const leakedEnv = credentialLeaks(metadataText, target.requiredEnv, env);
+  failures.push(...leakedEnv.map(name => `metadata leaks runtime credential value for ${name}`));
+  return {
+    id: target.id,
+    name: target.name,
+    path: target.path,
+    credentialMode: target.credentialMode,
+    requiredEnv: target.requiredEnv,
+    outDir: publicPath(outDir),
+    metadataPath: publicPath(metadataPath),
+    status: failures.length === 0 ? 'verified' : 'failed',
+    evidenceKind: 'live',
+    metadataStatus: metadata.status ?? null,
+    dryRun: metadata.dryRun ?? null,
+    missingEnv: metadata.missingEnv ?? [],
+    artifactValidationOk: artifactValidation.ok,
+    adapterConformanceOk: metadata.adapterConformance?.ok ?? null,
+    secretLeakCount: leakedEnv.length,
+    failures,
+  };
+}
+function verifyTarget(target, options, schemas) {
+  const outDir = resolve(options.outRoot, target.id);
+  const metadataPath = join(outDir, 'external-run-metadata.json');
+  if (!existsSync(metadataPath)) {
+    return pendingRow(target, outDir, metadataPath, options.allowPending, 'missing');
+  }
+  let metadata = null;
+  let metadataText = '';
+  const parseFailures = [];
+  try {
+    metadataText = readFileSync(metadataPath, 'utf-8');
+    metadata = JSON.parse(metadataText);
+  } catch (error) {
+    parseFailures.push(error.message);
+  }
+  if (!metadata) {
+    return {
+      id: target.id,
+      name: target.name,
+    path: target.path,
+    credentialMode: target.credentialMode,
+    requiredEnv: target.requiredEnv,
+    outDir: publicPath(outDir),
+    metadataPath: publicPath(metadataPath),
+      status: 'failed',
+      evidenceKind: 'missing',
+      metadataStatus: null,
+      dryRun: null,
+      missingEnv: target.requiredEnv,
+      artifactValidationOk: null,
+      adapterConformanceOk: null,
+      secretLeakCount: 0,
+      failures: parseFailures,
+    };
+  }
+  const metadataSchemaFailures = validateSchema(metadata, schemas.externalRun, 'guardbench-externalRun');
+  const leakedEnv = credentialLeaks(metadataText, target.requiredEnv, options.env);
+  const metadataFailures = [
+    ...metadataSchemaFailures,
+    ...leakedEnv.map(name => `metadata leaks runtime credential value for ${name}`),
+  ];
+  if (metadata.dryRun === true || PENDING_METADATA_STATUSES.has(metadata.status)) {
+    return pendingRow(target, outDir, metadataPath, options.allowPending, metadata.status ?? 'pending', metadata, metadataFailures, leakedEnv.length);
+  }
+  return verifyLiveMetadata(target, outDir, metadataPath, metadata, metadataText, schemas, options.env);
+}
+function externalTargetsFromRegistry(registry, adapterIds) {
+  const selected = new Set(adapterIds ?? []);
+  return (registry.adapters ?? [])
+    .filter(adapter => adapter.credentialMode === 'runtime-env')
+    .filter(adapter => selected.size === 0 || selected.has(adapter.id));
+}
+export function validateExternalEvidenceReport(report, options = {}) {
+  const schema = readJson(fromRoot(options.schema ?? DEFAULT_EVIDENCE_SCHEMA));
+  return validateSchema(report, schema, 'guardbench-external-evidence');
+}
+export async function verifyExternalGuardBenchEvidence(options = {}) {
+  const registryPath = fromRoot(options.registry ?? DEFAULT_REGISTRY);
+  const registrySchemaPath = fromRoot(options.registrySchema ?? DEFAULT_REGISTRY_SCHEMA);
+  const outRoot = fromRoot(options.outRoot ?? DEFAULT_OUT_ROOT);
+  const allowPending = options.allowPending === true;
+  const registry = options.targets ? null : readJson(registryPath);
+  const registryValidation = options.targets
+    ? { ok: true, failures: [] }
+    : await validateAdapterRegistry({ registry: registryPath, schema: registrySchemaPath });
+  const targets = options.targets ?? externalTargetsFromRegistry(registry, options.adapters);
+  const schemas = {
+    externalRun: readJson(fromRoot(options.externalRunSchema ?? DEFAULT_EXTERNAL_RUN_SCHEMA)),
+  };
+  const rows = targets.map(target => verifyTarget(target, {
+    outRoot,
+    allowPending,
+    env: options.env ?? process.env,
+  }, schemas));
+  const unknownAdapters = (options.adapters ?? []).filter(id => !targets.some(target => target.id === id));
+  const failures = [
+    ...registryValidation.failures.map(failure => `registry: ${failure}`),
+    ...unknownAdapters.map(id => `Unknown runtime-env adapter id: ${id}`),
+    ...rows.flatMap(row => row.failures.map(failure => `${row.id}: ${failure}`)),
+  ];
+  const report = {
+    schemaVersion: '1.0.0',
+    suite: 'GuardBench external evidence verification',
+    generatedAt: new Date().toISOString(),
+    ok: failures.length === 0,
+    allowPending,
+    registry: options.targets ? 'inline-targets' : publicPath(registryPath),
+    outRoot: publicPath(outRoot),
+    adapters: rows,
+    failures,
+  };
+  const schemaFailures = validateExternalEvidenceReport(report, { schema: options.evidenceSchema ?? DEFAULT_EVIDENCE_SCHEMA });
+  if (schemaFailures.length > 0) {
+    throw new Error(`GuardBench external evidence schema validation failed: ${schemaFailures.join('; ')}`);
+  }
+  if (options.write !== false) {
+    writeJson(fromRoot(options.report ?? DEFAULT_REPORT), report);
+  }
+  return report;
+}
+async function main() {
+  const args = parseExternalEvidenceArgs();
+  if (args.help) {
+    console.log(usage());
+    return;
+  }
+  const report = await verifyExternalGuardBenchEvidence(args);
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else if (report.ok) {
+    const verified = report.adapters.filter(adapter => adapter.status === 'verified').length;
+    const pending = report.adapters.filter(adapter => adapter.status === 'pending').length;
+    console.log(`GuardBench external evidence verification passed: ${verified} verified, ${pending} pending`);
+  } else {
+    console.error('GuardBench external evidence verification failed:');
+    for (const failure of report.failures) console.error(`- ${failure}`);
+  }
+  if (!report.ok) process.exit(1);
+}
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  main().catch(error => {
+    console.error(error.stack ?? error.message);
+    process.exit(1);
+  });
+}