bootproof 0.3.0 → 0.4.0

Files changed (70) hide show
  1. package/README.md +840 -152
  2. package/dist/agent-plan.d.ts +44 -0
  3. package/dist/agent-plan.js +826 -0
  4. package/dist/agent-run.d.ts +117 -0
  5. package/dist/agent-run.js +459 -0
  6. package/dist/ai-repair.d.ts +58 -0
  7. package/dist/ai-repair.js +380 -0
  8. package/dist/cli.js +730 -46
  9. package/dist/diagnosis.js +101 -16
  10. package/dist/diff.d.ts +29 -0
  11. package/dist/diff.js +569 -0
  12. package/dist/exec.d.ts +30 -2
  13. package/dist/exec.js +329 -51
  14. package/dist/external-health.d.ts +16 -0
  15. package/dist/external-health.js +214 -0
  16. package/dist/infer.js +238 -39
  17. package/dist/plan.js +2 -0
  18. package/dist/proof.d.ts +78 -2
  19. package/dist/proof.js +265 -12
  20. package/dist/receipt.d.ts +52 -0
  21. package/dist/receipt.js +356 -0
  22. package/dist/redact.d.ts +4 -0
  23. package/dist/redact.js +86 -2
  24. package/dist/registry.d.ts +82 -30
  25. package/dist/registry.js +355 -53
  26. package/dist/remote.js +3 -3
  27. package/dist/repair-playbooks.d.ts +24 -0
  28. package/dist/repair-playbooks.js +593 -0
  29. package/dist/repair-safety.d.ts +130 -0
  30. package/dist/repair-safety.js +766 -0
  31. package/dist/repair.d.ts +43 -11
  32. package/dist/repair.js +716 -7
  33. package/dist/run.d.ts +3 -0
  34. package/dist/run.js +218 -41
  35. package/dist/sbom.d.ts +22 -0
  36. package/dist/sbom.js +99 -0
  37. package/dist/taxonomy.d.ts +8 -3
  38. package/dist/taxonomy.js +404 -8
  39. package/dist/types.d.ts +40 -1
  40. package/docs/AGENT_IN_THE_LOOP.md +171 -0
  41. package/docs/AGENT_RUN_RECEIPTS.md +38 -0
  42. package/docs/CI_ACTION.md +67 -2
  43. package/docs/DETERMINISTIC_REPAIR_SAFETY_MODEL.md +705 -0
  44. package/docs/FAILURE_TAXONOMY.md +28 -1
  45. package/docs/HONESTY_CONTRACT.md +34 -12
  46. package/docs/LAUNCH_PLAYBOOK.md +232 -0
  47. package/docs/REAL_WORLD_FIXTURES.md +105 -0
  48. package/docs/REGISTRY.md +48 -28
  49. package/docs/REPAIR_RECEIPT.md +54 -8
  50. package/docs/agent-loop-gap-analysis.md +188 -0
  51. package/docs/examples/registry-seeds/advertised-port-mismatch.json +28 -0
  52. package/docs/examples/registry-seeds/airbyte-abctl-external-orchestrator.json +36 -0
  53. package/docs/examples/registry-seeds/go-ollama-service.json +36 -0
  54. package/docs/examples/registry-seeds/laravel-vite-sqlite.json +36 -0
  55. package/docs/examples/registry-seeds/monorepo-ambiguous-health.json +29 -0
  56. package/docs/examples/registry-seeds/php-composer.json +33 -0
  57. package/docs/examples/registry-seeds/rails-bundler.json +32 -0
  58. package/docs/examples/registry-seeds/sentry-devenv-direnv.json +41 -0
  59. package/docs/schemas/action-verdict-v1.schema.json +64 -0
  60. package/docs/schemas/agent-plan-v1.schema.json +148 -0
  61. package/docs/schemas/agent-run-receipts-v1.schema.json +192 -0
  62. package/docs/schemas/ai-repair-suggestion-v1.schema.json +70 -0
  63. package/docs/schemas/ci-context-v1.schema.json +63 -0
  64. package/docs/schemas/diff-result-v1.schema.json +66 -0
  65. package/docs/schemas/federated-receipt-v1.schema.json +51 -0
  66. package/docs/schemas/registry-entry-v1.schema.json +95 -0
  67. package/docs/schemas/registry-seed-example-v1.schema.json +102 -0
  68. package/docs/schemas/repair-action-v1.schema.json +136 -0
  69. package/docs/schemas/repair-receipt-v1.schema.json +221 -0
  70. package/package.json +10 -6
@@ -1,13 +1,20 @@
1
1
  # Repair Receipts
2
2
 
3
- `bootproof fix` treats the normal BootProof verdict as an oracle. A signature-valid failed attestation is reused only when it identifies the exact current clean Git commit. Otherwise BootProof reproduces the failed run in a temporary copy. It applies one deterministic registered remediation there and reruns full verification.
3
+ `bootproof fix` treats the normal BootProof verdict as the oracle. The deterministic MVP reads
4
+ the latest signature-valid classified failure and maps only exact known evidence to a repair
5
+ action. It never uses AI.
4
6
 
5
- No receipt is emitted unless both statements are signed evidence:
7
+ Receipts preserve the complete lifecycle:
6
8
 
7
- - before: the sandbox run failed with a classified failure
8
- - after: the remediated sandbox run observed successful HTTP health
9
+ - suggested
10
+ - approved or declined
11
+ - applied or failed
12
+ - progressed or unchanged
13
+ - verified or unverified
9
14
 
10
- `bootproof fix` does not edit the original repository. A human may review the patch written under `.bootproof/` and explicitly invoke `bootproof apply-repair`.
15
+ Declined and failed attempts are valuable evidence, so they also produce signed receipts.
16
+ Only observed healthy HTTP sets `verified: true`. Progress without verification requires a
17
+ different after failure class.
11
18
 
12
19
  ## Schema
13
20
 
@@ -15,6 +22,16 @@ No receipt is emitted unless both statements are signed evidence:
15
22
  bootproof/repair-receipt/v1
16
23
  ```
17
24
 
25
+ The strict machine schemas are:
26
+
27
+ - [`schemas/repair-action-v1.schema.json`](schemas/repair-action-v1.schema.json)
28
+ - [`schemas/repair-receipt-v1.schema.json`](schemas/repair-receipt-v1.schema.json)
29
+
30
+ The v1 receipt now includes additive safety-foundation fields: the deterministic proposed
31
+ action, mutation scope, risk level, approval requirement, apply result, progress and
32
+ verification booleans, and redaction record. Existing signed verification fields remain for
33
+ backward-compatible inspection and application.
34
+
18
35
  ```json
19
36
  {
20
37
  "schema": "bootproof/repair-receipt/v1",
@@ -83,6 +100,10 @@ bootproof/repair-receipt/v1
83
100
 
84
101
  The receipt uses the same Ed25519 canonical-body pattern as attestations: `signer` and `signature` are excluded from the signed body. Tampering with the repair, before result, or after result invalidates verification.
85
102
 
103
+ An intact signature establishes integrity, not authorship by itself. `bootproof verify` reports
104
+ whether the repair receipt signer is this machine, explicitly known, or unknown foreign, using
105
+ the same local trust store as attestation verification.
106
+
86
107
  `beforeAttestationSha256` and both verification hashes are SHA-256 hashes of the corresponding attestation JSON objects.
87
108
 
88
109
  `fileChanges` is a signed application manifest. It contains only allowlisted boot-plumbing files and binds the expected preimage and verified after-content to SHA-256 hashes. `preconditions` binds read-only source inputs, such as the repository Compose file from which a repaired copy was derived.
@@ -99,7 +120,8 @@ emits exactly one:
99
120
  bootproof/repair-result/v1
100
121
  ```
101
122
 
102
- Exit `0` means a signed repair receipt was produced after observed HTTP health. Every unknown, inapplicable, failed, or unverified remediation exits `1`.
123
+ Exit `0` means the rerun observed healthy HTTP. A declined, failed, progressed-but-unverified,
124
+ unknown, or inapplicable remediation exits `1`, even when a signed receipt was written.
103
125
 
104
126
  `bootproof fix . --dry-run` executes nothing, writes nothing, and produces no proof.
105
127
 
@@ -117,6 +139,17 @@ bootproof fix https://github.com/user/repo --provider local --unsafe-local
117
139
 
118
140
  Cloning is not execution consent. The existing local execution acknowledgement remains mandatory.
119
141
 
142
+ Human command repairs show:
143
+
144
+ ```text
145
+ This repair may modify your local machine or services.
146
+ Command: <exact command>
147
+ Risk: medium
148
+ Run this command? Type Y to approve:
149
+ ```
150
+
151
+ Only uppercase `Y` approves. JSON and CI modes never prompt and never execute a repair command.
152
+
120
153
  ## Explicit Application
121
154
 
122
155
  Repair generation and repair application are separate operations:
@@ -140,6 +173,18 @@ Application exits `0` only after all signed file changes are written and re-hash
140
173
 
141
174
  | Failure class | Deterministic remediation |
142
175
  |---|---|
176
+ | `missing_ruby_version` | Propose `rbenv install <requiredVersion>` as a medium-risk host mutation. |
177
+ | `missing_build_tool` with exact CMake evidence | Propose `brew install cmake` as a host mutation requiring approval. |
178
+ | `native_extension_compile_failed` for `idn-ruby` | Propose Homebrew native dependencies, then a separately approved static-prefix Bundler configuration action. |
179
+ | `missing_database_config` | Preview a patch copying the repository PostgreSQL/example config when the destination is absent and the content is safe to persist. |
180
+ | `missing_required_config` for `config/gitlab.yml` | Preview a patch copying `config/gitlab.yml.example` when the destination is absent. |
181
+ | `postgres_unavailable` | Start only a detected local Homebrew PostgreSQL package and show `pg_isready`; otherwise emit an instruction. |
182
+ | `postgres_role_missing` | Propose `createuser -s <role>` only for an exact shell-safe role from evidence. |
183
+ | `database_schema_missing` | Propose high-risk `bundle exec rails db:migrate`. |
184
+ | `unsupported_database_version` | Propose separate high-risk install and service-start actions for the exact PostgreSQL major without changing PATH. |
185
+ | `unsupported_database_config` | Preview removal of only exact `geo`/`embedding` top-level sections when the patch contains no secrets. |
186
+ | `redis_unavailable` | Propose `brew services start redis` when Homebrew is detectable; otherwise emit a generic instruction. |
187
+ | `missing_env_var` for only `RAILS_ENV` | Emit `RAILS_ENV=development bootproof up . --provider local --unsafe-local --install` as a non-executed instruction. |
143
188
  | `service_port_allocated` | Remap a BootProof-generated Compose host port, or create a complete BootProof-owned repaired Compose copy beside the repository file without editing it. |
144
189
  | `package_manager_version_mismatch` | Run the exact declared `corepack prepare <manager>@<version> --activate` command in the sandbox. |
145
190
  | `migrations_missing` | Select one exact migration framework from repository markers plus preserved evidence: Prisma, Django, Rails, Knex, or Drizzle. Ambiguous matches refuse instead of guessing. |
@@ -150,7 +195,7 @@ Local host execution still requires `--unsafe-local`, and `fix` never auto-appli
150
195
 
151
196
  ## Files
152
197
 
153
- Successful repair output is kept in the original repository's BootProof output directory:
198
+ Repair output is kept in the original repository's BootProof output directory:
154
199
 
155
200
  ```text
156
201
  .bootproof/attestation.json
@@ -161,7 +206,8 @@ Successful repair output is kept in the original repository's BootProof output d
161
206
 
162
207
  The patch is present only when the repair produced a repository or repaired-Compose file change. Plan-only and environment-only repairs may have no patch.
163
208
 
164
- The after attestation is retained so its signature and receipt hash can be inspected independently. Sandbox paths in that attestation describe where verification actually occurred.
209
+ The after attestation exists only when an approved command triggered a rerun. It is retained so
210
+ progress and verification can be inspected independently.
165
211
 
166
212
  ## Allowed Scope
167
213
 
@@ -0,0 +1,188 @@
1
+ # Agent-Loop Gap Analysis
2
+
3
+ Audit date: 2026-06-12
4
+
5
+ Target architecture:
6
+
7
+ > Diagnose -> Classify -> Plan -> Risk-Classify -> Approve -> Execute One Step
8
+ > -> Verify -> Receipt -> Repeat
9
+
10
+ This document tracks the current OSS agent-loop architecture. It does not
11
+ authorize autonomous execution.
12
+
13
+ ## Status Summary
14
+
15
+ | Capability | Status | Current repository state |
16
+ |---|---|---|
17
+ | Engineering constitution | Exists | `AGENTS.md` contains the complete agent-loop principles, approval boundary, one-step rule, verification rule, receipt rule, honest-stop rule, and OSS/Cloud boundary. |
18
+ | External health verification | Exists | `verify-url` and `up --external-health` record external-health attestations with explicit non-orchestration ownership and honest auth/unreachable classifications. |
19
+ | Agent planning | Planning-only foundation exists | `bootproof plan-agent` writes a strict local agent plan with evidence, risk-classified candidate actions, approvals, verification steps, and stop conditions. It executes no candidate action. |
20
+ | Shared action risk model | Exists | Deterministic repair and `plan-agent` use one strict action-risk classifier with canonical mutation scopes, approval prompts, blocked reasons, verification steps, a hard blocklist, and at-least-medium risk for unknown commands. |
21
+ | Airbyte runbook recognition | Exists | Planning identifies Airbyte from repository identity and structural evidence, emits the abctl-managed orchestration classifications, uses the shared high-risk Kubernetes model, marks credential access secret-sensitive, and plans external health verification without execution. |
22
+ | Local agent receipt chain | Exists for planning and verification | `plan-agent` creates a redacted run directory with hash-linked diagnosis, plan, and action receipts. Repository-scoped external health can append verification receipts, the derived final summary states ownership and stop status, and `explain-run` verifies the chain. Approved action execution remains intentionally unimplemented. |
23
+
24
+ ## Existing Capabilities
25
+
26
+ ### Constitution
27
+
28
+ `AGENTS.md` already states that BootProof may plan and risk-classify actions,
29
+ may execute only approved local actions, must execute one step at a time,
30
+ must verify after every action, must save local receipts, and must stop on
31
+ unknown or unsafe steps.
32
+
33
+ It also preserves these boundaries:
34
+
35
+ - `bootproof up` is deterministic, zero-AI, and evidence-based.
36
+ - Planning and action completion are not proof.
37
+ - External health must not imply that BootProof started the application.
38
+ - AI assistance is optional and must use the same safety model.
39
+ - Cloud/SaaS, telemetry, and automatic upload remain outside this OSS repo.
40
+
41
+ ### Deterministic Repair Loop
42
+
43
+ The current `bootproof fix` path implements a human-driven subset of the loop:
44
+
45
+ - reads a signature-valid failed attestation;
46
+ - classifies exact known evidence;
47
+ - selects one deterministic repair candidate;
48
+ - displays action type, mutation scope, risk, and exact command or patch;
49
+ - requires uppercase `Y` for command or patch testing;
50
+ - executes only the selected action;
51
+ - reruns BootProof in a sandbox;
52
+ - records declined, failed, progressed, or verified outcomes;
53
+ - writes a signed local repair receipt.
54
+
55
+ Later candidate actions may be displayed, but they are not silently chained or
56
+ executed in the same approval.
57
+
58
+ ### Health and Evidence Primitives
59
+
60
+ The health engine already:
61
+
62
+ - records requested URL, HTTP status, headers, redirect location, body excerpt,
63
+ timestamp, acceptance decision, and connection errors;
64
+ - accepts HTTP 2xx and expected application sign-in redirects;
65
+ - preserves failed observations;
66
+ - clears stale health evidence during later successful observations.
67
+
68
+ External verification now provides `bootproof verify-url <url>` and
69
+ `bootproof up . --external-health <url>`. Its attestations use
70
+ `verificationMode: external-health`, set `bootproofOrchestrated: false`, and
71
+ classify successful HTTP 2xx/3xx observations as `external_service_verified`.
72
+ HTTP 401/403 is `auth_required`; connection and non-success responses are
73
+ `external_health_unreachable`.
74
+
75
+ ### Safety and Receipt Primitives
76
+
77
+ `bootproof/repair-action/v1` currently provides:
78
+
79
+ - `actionType`;
80
+ - `mutationScope`;
81
+ - `riskLevel`;
82
+ - `requiresApproval`;
83
+ - structured commands, patches, and instructions;
84
+ - a hard safety validator for shell control, `sudo`, destructive commands,
85
+ protected environment files, blocked paths, and exfiltration patterns.
86
+
87
+ `bootproof/repair-receipt/v1` currently records:
88
+
89
+ - proposed action and risk fields;
90
+ - approval and application timestamps;
91
+ - apply result;
92
+ - before and after failure classes;
93
+ - progress and verification;
94
+ - redactions;
95
+ - signature-valid before/after attestation hashes when available.
96
+
97
+ ## Partial Capabilities
98
+
99
+ ### Run Planning
100
+
101
+ `bootproof plan` is planning-only and performs no execution or writes. Its
102
+ `RunPlan` steps contain an identifier, kind, optional command, description,
103
+ and required flag.
104
+
105
+ It is not an agent plan because it does not contain:
106
+
107
+ - candidate alternatives;
108
+ - per-action risk classification;
109
+ - mutation scope;
110
+ - approval requirement;
111
+ - blocked reason;
112
+ - verification step;
113
+ - secret-sensitivity metadata;
114
+ - a persisted `.bootproof/agent-plan.json`.
115
+
116
+ ### Shared Risk Model
117
+
118
+ The deterministic repair safety module is the shared action-risk contract used
119
+ by deterministic repair and `plan-agent`. It provides:
120
+
121
+ - canonical action type, mutation scope, risk, and approval fields;
122
+ - generated approval prompts, blocked reasons, and verification steps;
123
+ - deterministic high-risk classification for host installs, Kubernetes
124
+ mutations, database migrations, and credential generation;
125
+ - at-least-medium classification for unknown commands;
126
+ - one hard blocklist before any command can become executable.
127
+
128
+ Deterministic repair actions remain sourced from `deterministic_playbook`.
129
+ `plan-agent` consumes the same classifier but remains planning-only.
130
+
131
+ ### Receipt History
132
+
133
+ BootProof writes `.bootproof/attestation.json`,
134
+ `.bootproof/repair-receipt.json`, and, after a rerun,
135
+ `.bootproof/repair-after-attestation.json`. Repair receipts are signed and bind
136
+ before/after attestations with hashes.
137
+
138
+ Repair files remain attempt-scoped. Agent planning now additionally creates a
139
+ run-scoped local chain under `.bootproof/agent-runs/<run-id>/`, where immutable
140
+ diagnosis, plan, action, and verification receipts link by SHA-256 hash.
141
+ `final-summary.json` records the current derived status, and
142
+ `bootproof explain-run <run-id>` verifies and explains the chain.
143
+
144
+ ## Existing Agent Run Capability
145
+
146
+ - `.bootproof/agent-runs/<run-id>/`;
147
+ - redacted initial attestation and plan snapshots;
148
+ - per-action planning receipts;
149
+ - appendable verification receipts;
150
+ - previous-receipt SHA-256 links;
151
+ - a derived final summary;
152
+ - `bootproof explain-run <run-id>`.
153
+
154
+ Planning still executes nothing. No autonomous or approved action runner exists.
155
+
156
+ ## Recommended Next Prompt Order
157
+
158
+ 1. **Only after the receipt contracts are stable, add a human-driven
159
+ single-step runner.**
160
+ Execute exactly one approved local action, verify it, write the chained
161
+ receipts, and stop for a new explicit approval. Do not add autonomous
162
+ multi-step execution in this stage.
163
+
164
+ ## Files Inspected
165
+
166
+ - `AGENTS.md`
167
+ - `src/cli.ts`
168
+ - `src/types.ts`
169
+ - `src/infer.ts`
170
+ - `src/plan.ts`
171
+ - `src/run.ts`
172
+ - `src/exec.ts`
173
+ - `src/proof.ts`
174
+ - `src/taxonomy.ts`
175
+ - `src/diagnosis.ts`
176
+ - `src/repair-safety.ts`
177
+ - `src/repair-playbooks.ts`
178
+ - `src/repair.ts`
179
+ - `src/registry.ts`
180
+ - `docs/DETERMINISTIC_REPAIR_SAFETY_MODEL.md`
181
+ - `docs/FAILURE_TAXONOMY.md`
182
+ - `docs/HONESTY_CONTRACT.md`
183
+ - `docs/REPAIR_RECEIPT.md`
184
+ - `docs/REGISTRY.md`
185
+ - `docs/schemas/repair-action-v1.schema.json`
186
+ - `docs/schemas/repair-receipt-v1.schema.json`
187
+ - `tests/unit.test.mjs`
188
+ - `tests/e2e.test.mjs`
@@ -0,0 +1,28 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "advertised-port-mismatch",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "selected command starts a Vite asset server",
7
+ "inferred health URL uses port 8080",
8
+ "process output advertises https://localhost:5173/",
9
+ "no successful response on inferred health candidate"
10
+ ],
11
+ "expectedBootProof": {
12
+ "kind": "classification",
13
+ "values": [
14
+ "health_candidate_port_mismatch"
15
+ ]
16
+ },
17
+ "safeNextStep": "Confirm whether the advertised endpoint is an asset server or the primary application, correct the reviewed health target, and rerun verification.",
18
+ "repairDisposition": "refused",
19
+ "externallyOrchestrated": false,
20
+ "evidenceOutcome": "diagnostic_only",
21
+ "verificationBasis": "An advertised URL mismatch is precise failure evidence, not successful health evidence; BootProof must still observe the intended application endpoint.",
22
+ "redactionsApplied": [
23
+ "only localhost URL patterns included",
24
+ "no response body data included",
25
+ "no local username paths included"
26
+ ]
27
+ }
28
+
@@ -0,0 +1,36 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "airbyte-abctl-external-orchestrator",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "Airbyte Open Source README marker",
7
+ "settings.gradle root project airbyte",
8
+ "airbyte-cdk/",
9
+ "airbyte-integrations/",
10
+ "docker-images/",
11
+ "docs mention abctl",
12
+ "kind and Helm deployment markers"
13
+ ],
14
+ "expectedBootProof": {
15
+ "kind": "agent_plan",
16
+ "values": [
17
+ "airbyte_abctl_managed",
18
+ "large_orchestration_repo",
19
+ "external_orchestrator_required",
20
+ "kind_kubernetes_backed",
21
+ "helm_deployed",
22
+ "auth_required"
23
+ ]
24
+ },
25
+ "safeNextStep": "Review host tooling, explicitly approve the high-risk abctl local install step outside bootproof up, then use bootproof verify-url against http://localhost:8001/api/v1/health.",
26
+ "repairDisposition": "approval_required",
27
+ "externallyOrchestrated": true,
28
+ "evidenceOutcome": "verified_boot_possible",
29
+ "verificationBasis": "An observed successful external health response can verify the already-running service, but BootProof must not claim that it started Airbyte.",
30
+ "redactionsApplied": [
31
+ "no credentials output included",
32
+ "no Kubernetes secrets included",
33
+ "no copied vendor manifests included"
34
+ ]
35
+ }
36
+
@@ -0,0 +1,36 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "go-ollama-service",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "go.mod",
7
+ "main.go",
8
+ "cmd/",
9
+ "OLLAMA_HOST",
10
+ "serve command",
11
+ "port 11434",
12
+ "/api/tags"
13
+ ],
14
+ "expectedBootProof": {
15
+ "kind": "classification_and_inference",
16
+ "values": [
17
+ "go-backend",
18
+ "go run . serve",
19
+ "go_runtime_missing",
20
+ "go_build_failed",
21
+ "http://127.0.0.1:11434/",
22
+ "http://127.0.0.1:11434/api/tags"
23
+ ]
24
+ },
25
+ "safeNextStep": "Use the evidenced Go serve command only when the repository markers support it, then require an observed HTTP response on port 11434.",
26
+ "repairDisposition": "refused",
27
+ "externallyOrchestrated": false,
28
+ "evidenceOutcome": "verified_boot_possible",
29
+ "verificationBasis": "Observed HTTP 200 health from the root or /api/tags can verify the service; Go markers and a running process cannot.",
30
+ "redactionsApplied": [
31
+ "no model data included",
32
+ "no host environment values included",
33
+ "no local username paths included"
34
+ ]
35
+ }
36
+
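Review bot: `expectedBootProof.values` in this seed mixes four kinds of string in one array: a stack tag (`go-backend`), a command (`go run . serve`), failure classes (`go_runtime_missing`, `go_build_failed`) and two health URLs. A consumer cannot tell an expected failure class from an inferred command or URL without pattern-matching the strings. The laravel-vite-sqlite, rails-bundler and sentry-devenv-direnv seeds mix stack tags and failure classes the same way under `"kind": "classification_and_inference"`. Splitting the array into typed keys, for example `"stackTags"`, `"failureClasses"`, `"command"` and `"healthUrls"`, would let the seed schema constrain each one separately. The registry-seed-example schema is not visible in this part of the page, so it may already document the mixed array.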
@@ -0,0 +1,36 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "laravel-vite-sqlite",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "artisan",
7
+ "composer.json",
8
+ "package.json",
9
+ "vite.config.js",
10
+ ".env.example",
11
+ "Connection: sqlite",
12
+ "database/database.sqlite missing"
13
+ ],
14
+ "expectedBootProof": {
15
+ "kind": "classification_and_inference",
16
+ "values": [
17
+ "php-backend",
18
+ "laravel",
19
+ "node-frontend",
20
+ "vite",
21
+ "laravel_sqlite_database_missing",
22
+ "laravel_migrations_required"
23
+ ]
24
+ },
25
+ "safeNextStep": "Review creation of database/database.sqlite, separately approve php artisan migrate, then rerun the Laravel application and require observed HTTP health.",
26
+ "repairDisposition": "approval_required",
27
+ "externallyOrchestrated": false,
28
+ "evidenceOutcome": "verified_boot_possible",
29
+ "verificationBasis": "A later observed HTTP 2xx response or accepted redirect to /login can verify the Laravel application; file creation and migration completion alone cannot.",
30
+ "redactionsApplied": [
31
+ "no environment values included",
32
+ "no database contents included",
33
+ "no local username paths included"
34
+ ]
35
+ }
36
+
@@ -0,0 +1,29 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "monorepo-ambiguous-health",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "root package.json workspaces",
7
+ "parallel root dev command",
8
+ "apps/web/package.json",
9
+ "apps/docs/package.json",
10
+ "multiple plausible health ports"
11
+ ],
12
+ "expectedBootProof": {
13
+ "kind": "classification",
14
+ "values": [
15
+ "workspace_ambiguous"
16
+ ]
17
+ },
18
+ "safeNextStep": "Select one reviewed workspace explicitly and rerun BootProof against that application instead of guessing among parallel services.",
19
+ "repairDisposition": "refused",
20
+ "externallyOrchestrated": false,
21
+ "evidenceOutcome": "diagnostic_only",
22
+ "verificationBasis": "Ambiguous workspace markers justify refusal only; no workspace can be marked verified until its own health response is observed.",
23
+ "redactionsApplied": [
24
+ "workspace names are generic",
25
+ "no repository source included",
26
+ "no environment values included"
27
+ ]
28
+ }
29
+
@@ -0,0 +1,33 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "php-composer",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "composer.json",
7
+ "composer.lock",
8
+ "php command not found",
9
+ "composer command not found",
10
+ "lock file package PHP constraint mismatch",
11
+ "vendor/autoload.php missing"
12
+ ],
13
+ "expectedBootProof": {
14
+ "kind": "classification",
15
+ "values": [
16
+ "missing_php_runtime",
17
+ "missing_composer",
18
+ "unsupported_php_version_for_composer_lock",
19
+ "missing_php_vendor_autoload"
20
+ ]
21
+ },
22
+ "safeNextStep": "Select a PHP version compatible with composer.lock, install Composer through the documented local method, and run composer install without editing the lockfile as the first step.",
23
+ "repairDisposition": "refused",
24
+ "externallyOrchestrated": false,
25
+ "evidenceOutcome": "diagnostic_only",
26
+ "verificationBasis": "Runtime and dependency evidence can support only a failed diagnostic receipt until a separate application health check succeeds.",
27
+ "redactionsApplied": [
28
+ "no package registry credentials included",
29
+ "no private package names included",
30
+ "no local filesystem paths included"
31
+ ]
32
+ }
33
+
@@ -0,0 +1,32 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "rails-bundler",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "Gemfile",
7
+ "bin/rails",
8
+ "config/database.yml example marker",
9
+ "rbenv version is not installed",
10
+ "Gem::Ext::BuildError",
11
+ "Failed to build gem native extension"
12
+ ],
13
+ "expectedBootProof": {
14
+ "kind": "classification_and_inference",
15
+ "values": [
16
+ "ruby-backend",
17
+ "missing_ruby_version",
18
+ "native_extension_compile_failed"
19
+ ]
20
+ },
21
+ "safeNextStep": "Approve installation of the exact repository-required Ruby version or evidenced native build dependency, rerun dependency installation, then require observed Rails HTTP health.",
22
+ "repairDisposition": "approval_required",
23
+ "externallyOrchestrated": false,
24
+ "evidenceOutcome": "verified_boot_possible",
25
+ "verificationBasis": "An observed Rails HTTP response, including an accepted authentication redirect, may verify boot; successful Bundler installation is not proof.",
26
+ "redactionsApplied": [
27
+ "no Bundler credentials included",
28
+ "no database values included",
29
+ "no copied application configuration included"
30
+ ]
31
+ }
32
+
@@ -0,0 +1,41 @@
1
+ {
2
+ "schema": "bootproof/registry-seed-example/v1",
3
+ "name": "sentry-devenv-direnv",
4
+ "source": "synthetic_minimal_fixture",
5
+ "structuralMarkers": [
6
+ "pyproject.toml",
7
+ "Makefile",
8
+ "package.json",
9
+ "pnpm-lock.yaml",
10
+ "devservices/",
11
+ "scripts/do.sh mentions devenv",
12
+ "devenv sync",
13
+ "direnv allow"
14
+ ],
15
+ "expectedBootProof": {
16
+ "kind": "classification_and_inference",
17
+ "values": [
18
+ "python-backend",
19
+ "node-frontend",
20
+ "make-driven",
21
+ "devservices-backed",
22
+ "devenv-managed",
23
+ "large-hybrid-app",
24
+ "repo_requires_devenv",
25
+ "missing_devenv_tool",
26
+ "missing_direnv_tool",
27
+ "sentry_virtualenv_not_activated"
28
+ ]
29
+ },
30
+ "safeNextStep": "Install and configure the documented devenv and direnv tools, review and run devenv sync, activate with direnv allow, and rerun BootProof without automatic setup execution.",
31
+ "repairDisposition": "approval_required",
32
+ "externallyOrchestrated": false,
33
+ "evidenceOutcome": "diagnostic_only",
34
+ "verificationBasis": "Setup-path evidence supports conservative diagnosis only; verified boot requires a later observed application health response.",
35
+ "redactionsApplied": [
36
+ "no virtual environment contents included",
37
+ "no package registry credentials included",
38
+ "no copied vendor scripts included"
39
+ ]
40
+ }
41
+
@@ -0,0 +1,64 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://bootproof.dev/schemas/action-verdict-v1.schema.json",
4
+ "title": "BootProof GitHub Action Verdict v1",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema",
9
+ "verified",
10
+ "shouldFail",
11
+ "failureReason",
12
+ "failureClass",
13
+ "bootproofExitCode",
14
+ "driftDetected",
15
+ "commandsExecuted",
16
+ "cloudUploadPerformed",
17
+ "federatedReceiptCommitted",
18
+ "agentActionsExecuted"
19
+ ],
20
+ "properties": {
21
+ "schema": {
22
+ "const": "bootproof/action-verdict/v1"
23
+ },
24
+ "verified": {
25
+ "type": "boolean"
26
+ },
27
+ "shouldFail": {
28
+ "type": "boolean"
29
+ },
30
+ "failureReason": {
31
+ "type": "string"
32
+ },
33
+ "failureClass": {
34
+ "type": "string"
35
+ },
36
+ "bootproofExitCode": {
37
+ "type": [
38
+ "integer",
39
+ "null"
40
+ ]
41
+ },
42
+ "driftDetected": {
43
+ "type": "boolean"
44
+ },
45
+ "commandsExecuted": {
46
+ "type": "array",
47
+ "items": {
48
+ "type": "array",
49
+ "items": {
50
+ "type": "string"
51
+ }
52
+ }
53
+ },
54
+ "cloudUploadPerformed": {
55
+ "const": false
56
+ },
57
+ "federatedReceiptCommitted": {
58
+ "const": false
59
+ },
60
+ "agentActionsExecuted": {
61
+ "const": false
62
+ }
63
+ }
64
+ }
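Review bot: `commandsExecuted` accepts `[[]]` and `[[""]]`, because neither the inner array nor its string items has a lower bound, so a verdict can record an "executed command" with no argv at all. Adding `"minItems": 1` to the inner array and `"minLength": 1` to its items closes that gap. `failureReason` and `failureClass` are required but unconstrained strings, so a verified run presumably has to carry `""` as a sentinel; `"type": ["string", "null"]`, as `bootproofExitCode` already uses, would make "no failure" explicit. Since this array ends up in CI output, a `"description"` on `commandsExecuted` stating that argv entries are redacted before serialisation would document the expectation, although the schema cannot enforce it.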