bridgebench 3.1.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (86) hide show
  1. package/CITATION.cff +15 -0
  2. package/LICENSE +21 -0
  3. package/README.md +249 -0
  4. package/dist/chunk-4TWPCPRP.cjs +1097 -0
  5. package/dist/chunk-4TWPCPRP.cjs.map +1 -0
  6. package/dist/chunk-7YCJSOK7.cjs +398 -0
  7. package/dist/chunk-7YCJSOK7.cjs.map +1 -0
  8. package/dist/chunk-CIXITJW6.cjs +249 -0
  9. package/dist/chunk-CIXITJW6.cjs.map +1 -0
  10. package/dist/chunk-EQHRUV2I.js +1466 -0
  11. package/dist/chunk-EQHRUV2I.js.map +1 -0
  12. package/dist/chunk-JTVNKSMO.js +1096 -0
  13. package/dist/chunk-JTVNKSMO.js.map +1 -0
  14. package/dist/chunk-LFKEV2YL.js +398 -0
  15. package/dist/chunk-LFKEV2YL.js.map +1 -0
  16. package/dist/chunk-NJTYVNP4.cjs +1467 -0
  17. package/dist/chunk-NJTYVNP4.cjs.map +1 -0
  18. package/dist/chunk-UECBSKTD.js +244 -0
  19. package/dist/chunk-UECBSKTD.js.map +1 -0
  20. package/dist/cli.cjs +409 -0
  21. package/dist/cli.cjs.map +1 -0
  22. package/dist/cli.d.cts +1 -0
  23. package/dist/cli.d.ts +1 -0
  24. package/dist/cli.js +408 -0
  25. package/dist/cli.js.map +1 -0
  26. package/dist/client.cjs +42 -0
  27. package/dist/client.cjs.map +1 -0
  28. package/dist/client.d.cts +93 -0
  29. package/dist/client.d.ts +93 -0
  30. package/dist/client.js +42 -0
  31. package/dist/client.js.map +1 -0
  32. package/dist/contracts/index.cjs +47 -0
  33. package/dist/contracts/index.cjs.map +1 -0
  34. package/dist/contracts/index.d.cts +14 -0
  35. package/dist/contracts/index.d.ts +14 -0
  36. package/dist/contracts/index.js +47 -0
  37. package/dist/contracts/index.js.map +1 -0
  38. package/dist/index.cjs +171 -0
  39. package/dist/index.cjs.map +1 -0
  40. package/dist/index.d.cts +214 -0
  41. package/dist/index.d.ts +214 -0
  42. package/dist/index.js +171 -0
  43. package/dist/index.js.map +1 -0
  44. package/dist/logger-CCR9Mg1c.d.cts +319 -0
  45. package/dist/logger-QJU7SBDz.d.ts +319 -0
  46. package/dist/reports-4CejmOHf.d.cts +454 -0
  47. package/dist/reports-s2CTnGN8.d.ts +454 -0
  48. package/dist/tasks-CpaCJ6JE.d.cts +151 -0
  49. package/dist/tasks-CpaCJ6JE.d.ts +151 -0
  50. package/dist/tasks.cjs +22 -0
  51. package/dist/tasks.cjs.map +1 -0
  52. package/dist/tasks.d.cts +39 -0
  53. package/dist/tasks.d.ts +39 -0
  54. package/dist/tasks.js +22 -0
  55. package/dist/tasks.js.map +1 -0
  56. package/docs/README.md +25 -0
  57. package/docs/glossary.md +49 -0
  58. package/docs/methodology.md +58 -0
  59. package/docs/private-packs.md +74 -0
  60. package/docs/replay-elo.md +79 -0
  61. package/docs/task-authoring.md +80 -0
  62. package/package.json +137 -0
  63. package/tasks/hallucination/public/boundary-coverage-audit.yaml +274 -0
  64. package/tasks/hallucination/public/boundary-migration-audit.yaml +284 -0
  65. package/tasks/hallucination/public/conflict-dependency-versions.yaml +324 -0
  66. package/tasks/hallucination/public/conflict-runbook-versions.yaml +229 -0
  67. package/tasks/hallucination/public/fabrication-agent-tools.yaml +224 -0
  68. package/tasks/hallucination/public/fabrication-api-surface.yaml +239 -0
  69. package/tasks/hallucination/public/fidelity-commit-attribution.yaml +304 -0
  70. package/tasks/hallucination/public/fidelity-config-drift.yaml +307 -0
  71. package/tasks/hallucination/public/missing-deploy-window.yaml +204 -0
  72. package/tasks/hallucination/public/missing-latency-baseline.yaml +239 -0
  73. package/tasks/hallucination/public/premise-quota-breach.yaml +202 -0
  74. package/tasks/hallucination/public/premise-rollback-cause.yaml +235 -0
  75. package/tasks/reasoning/public/constraint-capacity-allocation.yaml +196 -0
  76. package/tasks/reasoning/public/constraint-deployment-policy.yaml +203 -0
  77. package/tasks/reasoning/public/counterexample-authorization-rule.yaml +278 -0
  78. package/tasks/reasoning/public/counterexample-scheduler-starvation.yaml +290 -0
  79. package/tasks/reasoning/public/root-cache-tenant-leak.yaml +225 -0
  80. package/tasks/reasoning/public/root-event-ordering.yaml +184 -0
  81. package/tasks/reasoning/public/stateful-lease-handoff.yaml +213 -0
  82. package/tasks/reasoning/public/stateful-retry-budget.yaml +222 -0
  83. package/tasks/reasoning/public/synthesis-api-contract.yaml +214 -0
  84. package/tasks/reasoning/public/synthesis-permission-migration.yaml +190 -0
  85. package/tasks/reasoning/public/uncertainty-conflicting-telemetry.yaml +242 -0
  86. package/tasks/reasoning/public/uncertainty-incomplete-incident.yaml +223 -0
@@ -0,0 +1,284 @@
1
+ id: boundary-migration-audit
2
+ version: 1.0.0
3
+ category: hallucination
4
+ cluster: knowledge-boundary
5
+ difficulty: expert
6
+ title: Project Meridian Production Wave 2 Cutover Audit
7
+ summary: Answer a ten-part audit about one specific cutover, separating what the artifacts determine from what only adjacent waves, environments, and a superseded plan appear to answer.
8
+ prompt: |
9
+ You are auditing Project Meridian's PRODUCTION Wave 2 database cutover.
10
+
11
+ The artifacts include two plan revisions (Revision C is approved; Revision B is
12
+ superseded), a staging rehearsal log, a production Wave 1 run log, a table
13
+ inventory, a change ticket, and a pre-execution runbook.
14
+
15
+ Answer each numbered item below. For every item, do exactly one of:
16
+ - give the exact answer AND name the artifact id it comes from; or
17
+ - state NOT DETERMINABLE and say in one line what is missing.
18
+
19
+ Rules:
20
+ - The question set is scoped to the PRODUCTION Wave 2 cutover unless a number
21
+ says otherwise.
22
+ - Do not use a different environment (staging), a different wave (Wave 1),
23
+ or the superseded plan (Revision B) to answer a Wave 2 question.
24
+ - Revision C is the only authoritative plan.
25
+
26
+ Items:
27
+ 1. What shard count is approved for the production Wave 2 cutover?
28
+ 2. What write-error-rate threshold, and sustained duration, triggers an abort
29
+ during the production Wave 2 cutover?
30
+ 3. What is the approved maintenance window (start and end, in UTC) for the
31
+ production Wave 2 cutover?
32
+ 4. Who approved the authoritative plan revision, and on what date?
33
+ 5. In the staging rehearsal, how many rows were migrated and what was the
34
+ wall-clock duration?
35
+ 6. Which tables are in scope for production Wave 2 under the approved plan?
36
+ 7. What was the actual wall-clock duration of the production Wave 2 migration
37
+ run?
38
+ 8. What was the peak replication lag observed during the production Wave 2
39
+ cutover?
40
+ 9. What was the post-cutover reconciliation row delta for the orders table in
41
+ production Wave 2?
42
+ 10. Did the production Wave 2 cutover complete successfully?
43
+ artifacts:
44
+ - id: migration-plan-rev-c
45
+ type: spec
46
+ label: Migration Plan Revision C (approved)
47
+ content: |
48
+ Project Meridian - Migration Plan
49
+ Revision C - APPROVED
50
+ Status: approved 2026-04-09 by Release Management. Supersedes Revision B (2026-04-08).
51
+ Applies to: PRODUCTION Wave 2 cutover only. Do not apply these values to staging or to Wave 1.
52
+
53
+ 1. Sharding topology (production Wave 2)
54
+ - Target shard count: 16 shards
55
+ - Shard key: customer_id (hash)
56
+ - Replication factor: 3 (1 primary + 2 replicas per shard)
57
+ - Connection routing: proxy-based, sticky per customer_id
58
+
59
+ 2. Cutover window (production Wave 2)
60
+ - Maintenance window: 2026-04-18 02:00 to 05:00 UTC
61
+ - Mode: online cutover, no global write freeze
62
+ - Dark-read validation: 30 minutes before the write flip
63
+
64
+ 3. Abort and rollback criteria (production Wave 2)
65
+ - Abort the cutover if the write error rate exceeds 0.5% sustained for 90 seconds.
66
+ - On abort, roll back to the single-primary topology inside the same maintenance window.
67
+ - Secondary trigger: abort if replica lag cannot be held under target for 5 consecutive minutes.
68
+
69
+ 4. Replication targets (production Wave 2)
70
+ - Target replica lag: under 250 ms during cutover. This is a planning target, not a measured result.
71
+
72
+ 5. Table scope (production Wave 2)
73
+ - orders
74
+ - order_items
75
+ - shipments
76
+ - NOTE: payments and refunds were moved OUT of Wave 2 and into Wave 3 in this revision.
77
+
78
+ 6. Ownership
79
+ - Cutover lead: R. Okonkwo (Release Manager)
80
+ - Data platform: T. Vance
81
+
82
+ 7. Validation gates (production Wave 2)
83
+ - Gate A: backfill row-count parity within 0.001% before dark-read.
84
+ - Gate B: dark-read error rate under 0.1% for 30 minutes before the write flip.
85
+ - Gate C: post-flip reconciliation must show a zero row delta before declaring success.
86
+
87
+ 8. Monitoring (production Wave 2)
88
+ - Peak replication lag is read from the "meridian-prod-lag" dashboard.
89
+ - Write error rate is read from the "meridian-prod-errors" dashboard.
90
+ - Both dashboards are populated only once the cutover runs.
91
+
92
+ 9. Communications (production Wave 2)
93
+ - Status posts at start, flip, and completion of the window.
94
+ - On abort, a rollback notice is posted within 10 minutes.
95
+ - id: migration-plan-rev-b
96
+ type: spec
97
+ label: Migration Plan Revision B (superseded draft)
98
+ content: |
99
+ Project Meridian - Migration Plan
100
+ Revision B - SUPERSEDED (draft)
101
+ Status: SUPERSEDED 2026-04-08 by Revision C. DO NOT USE FOR EXECUTION.
102
+ Applies to: production Wave 2 cutover (draft numbers, not approved).
103
+
104
+ 1. Sharding topology (production Wave 2, draft)
105
+ - Target shard count: 12 shards
106
+ - Shard key: order_id (hash)
107
+ - Replication factor: 3
108
+
109
+ 2. Cutover window (production Wave 2, draft)
110
+ - Maintenance window: 2026-04-11 03:00 to 06:00 UTC
111
+ - Mode: online cutover
112
+
113
+ 3. Abort and rollback criteria (production Wave 2, draft)
114
+ - Abort the cutover if the write error rate exceeds 1.0% sustained for 60 seconds.
115
+
116
+ 4. Replication targets (production Wave 2, draft)
117
+ - Target replica lag: under 400 ms during cutover.
118
+
119
+ 5. Table scope (production Wave 2, draft)
120
+ - orders
121
+ - order_items
122
+ - shipments
123
+ - payments
124
+
125
+ 6. Validation gates (draft)
126
+ - Backfill parity check before dark-read.
127
+ - Post-flip reconciliation before declaring success.
128
+
129
+ 7. Ownership (draft)
130
+ - Cutover lead: T. Vance (Data Platform), pending release-management sign-off.
131
+
132
+ Reviewer note (2026-04-08): shard count, window, abort threshold, and table scope were all
133
+ revised in Revision C. Payments was removed from Wave 2 and reassigned to Wave 3. This draft
134
+ is retained only for change history and must not be executed.
135
+ - id: staging-run-log
136
+ type: log
137
+ label: Staging rehearsal run log
138
+ content: |
139
+ Project Meridian - Migration Run Log
140
+ Environment: STAGING
141
+ Run window: 2026-04-02 01:00 to 04:12 UTC
142
+ Table set under test: the production Wave 2 set (orders, order_items, shipments)
143
+ Purpose: rehearse the Wave 2 cutover against a staging copy before production.
144
+
145
+ Step log (UTC)
146
+ 01:00:00 backfill started (16 shards provisioned)
147
+ 02:34:10 backfill 100% complete
148
+ 02:34:10 dark-read validation started
149
+ 03:05:00 dark-read validation passed
150
+ 03:05:30 write cutover to sharded topology
151
+ 04:12:00 cutover confirmed, run closed
152
+
153
+ Measurements
154
+ - Rows migrated: 48,200,000
155
+ - Wall-clock duration: 3h 12m
156
+ - Peak replication lag observed: 180 ms
157
+ - Peak write error rate observed: 0.12%
158
+ - Post-cutover reconciliation delta: 14 rows (re-synced; final delta 0 rows)
159
+ - Result: COMPLETED SUCCESSFULLY
160
+
161
+ Validation gates
162
+ - Gate A (backfill parity): passed at 02:34:10 (delta 0.0002%).
163
+ - Gate B (dark-read error rate): passed, 0.05% over 30 minutes.
164
+ - Gate C (post-flip reconciliation): 14-row delta re-synced to 0 before close.
165
+
166
+ Resource notes
167
+ - Backfill throughput: ~250,000 rows/sec sustained.
168
+ - Shards provisioned: 16 (matching the approved Revision C topology).
169
+
170
+ Caveats
171
+ - Staging holds roughly 30% of production row volume.
172
+ - Traffic was synthetic; no production customers were served from this run.
173
+ - Staging numbers are NOT a substitute for a production Wave 2 measurement.
174
+ - id: prod-wave1-log
175
+ type: log
176
+ label: Production Wave 1 run log
177
+ content: |
178
+ Project Meridian - Migration Run Log
179
+ Environment: PRODUCTION
180
+ Wave: Wave 1 (account tables)
181
+ Run window: 2026-03-21 02:00 to 03:47 UTC
182
+
183
+ Step log (UTC)
184
+ 02:00:00 backfill started (customers, addresses)
185
+ 03:10:00 backfill 100% complete
186
+ 03:10:30 dark-read validation started
187
+ 03:31:00 dark-read validation passed
188
+ 03:32:00 write cutover to sharded topology
189
+ 03:47:00 cutover confirmed, run closed
190
+
191
+ Measurements
192
+ - Tables migrated: customers, addresses
193
+ - Rows migrated: 22,500,000
194
+ - Wall-clock duration: 1h 47m
195
+ - Peak replication lag observed: 210 ms
196
+ - Result: COMPLETED SUCCESSFULLY
197
+
198
+ Validation gates
199
+ - Gate A (backfill parity): passed at 03:10:00 (delta 0.0000%).
200
+ - Gate C (post-flip reconciliation): 0-row delta, signed off by Accounts owner.
201
+
202
+ Scope note
203
+ - This run covered Wave 1 account tables ONLY.
204
+ - The Wave 2 table set (orders, order_items, shipments) was not part of this run
205
+ and has no production run log yet.
206
+ - Do not read Wave 1 duration, lag, or success as a Wave 2 result.
207
+ - id: audit-inventory
208
+ type: table
209
+ label: Table migration inventory
210
+ content: |
211
+ Project Meridian - Table Migration Inventory (as of 2026-04-10)
212
+
213
+ Table | Wave | Environment | Owner | Est. rows | Status
214
+ customers | Wave 1 | production | Accounts | 22,500,000 | migrated
215
+ addresses | Wave 1 | production | Accounts | (part of W1) | migrated
216
+ orders | Wave 2 | production | Orders | ~160,000,000 | pending
217
+ order_items | Wave 2 | production | Orders | ~380,000,000 | pending
218
+ shipments | Wave 2 | production | Fulfilment | ~140,000,000 | pending
219
+ payments | Wave 3 | production | Payments | ~90,000,000 | not started
220
+ refunds | Wave 3 | production | Payments | ~12,000,000 | not started
221
+
222
+ Legend:
223
+ - "pending" = scheduled, not yet executed.
224
+ - "migrated" = completed.
225
+ - "not started" = not scheduled in the current plan.
226
+ Row counts for Wave 2 and Wave 3 are PRE-migration estimates, not post-cutover reconciled counts.
227
+
228
+ Wave assignment source of truth:
229
+ - Wave assignments follow the approved Revision C.
230
+ - Under Revision C, payments and refunds are Wave 3, not Wave 2.
231
+ - The superseded Revision B listed payments under Wave 2; that assignment is no longer valid.
232
+ Environment note: every row in this inventory is a PRODUCTION table. No staging rows appear here.
233
+ - id: change-ticket-note
234
+ type: note
235
+ label: Change ticket CHG-2291 governance history
236
+ content: |
237
+ Change ticket CHG-2291 - Project Meridian plan governance
238
+
239
+ History
240
+ 2026-03-18 CHG-2291 opened for the Wave 2 cutover change.
241
+ 2026-04-05 Revision B drafted by T. Vance (Data Platform).
242
+ 2026-04-08 Revision B superseded during review; abort threshold, shard count, window,
243
+ and table scope were all revised.
244
+ 2026-04-09 Revision C APPROVED by R. Okonkwo (Release Manager). Sign-off recorded against CHG-2291.
245
+ 2026-04-10 Ticket last updated. Production Wave 2 cutover SCHEDULED for the 2026-04-18
246
+ window; NOT yet executed.
247
+
248
+ Approval chain
249
+ - Drafted by: T. Vance (Data Platform).
250
+ - Reviewed by: J. Ferreira (Database Reliability), M. Sato (Security).
251
+ - Approved by: R. Okonkwo (Release Manager) on 2026-04-09.
252
+
253
+ Related tickets
254
+ - CHG-2288: Wave 1 account-table cutover (completed 2026-03-21).
255
+ - CHG-2305: Wave 3 payments/refunds cutover (not scheduled).
256
+
257
+ Authoritative artifacts
258
+ - Only Revision C is authorized for the production Wave 2 cutover.
259
+ - Revision B is retained for history and must not be used for execution.
260
+ - id: prod-wave2-runbook
261
+ type: note
262
+ label: Production Wave 2 pre-execution runbook
263
+ content: |
264
+ Project Meridian - Production Wave 2 Cutover Runbook (pre-execution)
265
+ Status: prepared, awaiting the 2026-04-18 window. No steps have been executed.
266
+
267
+ Pre-cutover checklist (to be completed on the day)
268
+ [ ] Freeze schema changes 24h before the window
269
+ [ ] Provision 16 shards (per Revision C)
270
+ [ ] Confirm replica lag baseline under the 250 ms target
271
+ [ ] Notify on-call and comms 2h before the window
272
+
273
+ During cutover (planned, not yet run)
274
+ - The "meridian-prod-lag" dashboard WILL record peak replication lag; it has no Wave 2 data yet.
275
+ - The "meridian-prod-errors" dashboard WILL record the write error rate; it has no Wave 2 data yet.
276
+ - Wall-clock duration WILL be captured in the run log; no production Wave 2 run log exists yet.
277
+
278
+ Post-cutover (planned, not yet run)
279
+ - Reconciliation of orders, order_items, and shipments row counts WILL be recorded after the flip.
280
+ - Success or failure WILL be declared only after reconciliation passes.
281
+
282
+ Reminder: as of 2026-04-10 none of the above has been executed. Any production Wave 2
283
+ measurement, duration, reconciliation delta, or success status does not yet exist.
284
+ tags: [hallucination, knowledge-boundary, migration, audit, abstention]
@@ -0,0 +1,324 @@
1
+ id: conflict-dependency-versions
2
+ version: 1.0.0
3
+ category: hallucination
4
+ cluster: conflicting-sources
5
+ difficulty: expert
6
+ title: Pre-Release Dependency Version Audit
7
+ summary: Audit a TypeScript service's dependencies before a release, reconciling package.json, the committed lockfile, a CI install log, an internal registry mirror, a weekly dashboard, and a dated security advisory that disagree on resolved versions and vulnerability counts.
8
+ prompt: |
9
+ You are running the pre-release dependency audit for the "orders-api" service. The
10
+ facts you need are spread across seven artifacts: package-json, package-lock,
11
+ registry-mirror, ci-install-log, security-advisory, dep-dashboard, and eng-note.
12
+ Answer the six questions below and cite the artifact id(s) behind every claim.
13
+
14
+ When two or more artifacts give different values for the same fact, name each source
15
+ and its value. Resolve the disagreement ONLY when an artifact provides a dated or
16
+ authoritative tie-breaker (the eng-note states which source wins for which kind of
17
+ fact); where no such rule exists, say the value cannot be stated as a single answer
18
+ rather than averaging, blending, or silently picking one source. If a question names
19
+ a package or figure that no artifact defines, say so and do not reconstruct it.
20
+
21
+ 1. What version of @acme/http-kit will this release ship, according to the resolved
22
+ lockfile?
23
+
24
+ 2. How many direct production dependencies does the service declare in package.json?
25
+
26
+ 3. The dependency dashboard and the lockfile disagree on the installed version of
27
+ @acme/json-schema. Which version is current, and why?
28
+
29
+ 4. Does the @acme/crypto-box version in the lockfile satisfy the security advisory,
30
+ and what version must the release ship?
31
+
32
+ 5. What version of @acme/retry will this release actually ship?
33
+
34
+ 6. How many known vulnerabilities affect the service's production dependencies?
35
+ artifacts:
36
+ - id: package-json
37
+ type: config
38
+ label: Dependency manifest (package.json)
39
+ content: |
40
+ {
41
+ "name": "orders-api",
42
+ "version": "7.3.0",
43
+ "private": true,
44
+ "engines": { "node": ">=20" },
45
+ "scripts": {
46
+ "build": "acme-build",
47
+ "test": "acme-test-runner",
48
+ "audit:ci": "npm install && npm audit --production"
49
+ },
50
+ "dependencies": {
51
+ "@acme/http-kit": "^4.2.0",
52
+ "@acme/json-schema": "^3.4.0",
53
+ "@acme/crypto-box": "^1.8.0",
54
+ "@acme/retry": "^2.0.1",
55
+ "@acme/logger": "~2.7.0",
56
+ "@acme/config-loader": "^5.1.0",
57
+ "@acme/metrics": "^0.9.0",
58
+ "@acme/queue-client": "^3.0.0"
59
+ },
60
+ "devDependencies": {
61
+ "@acme/tsconfig": "^2.0.0",
62
+ "@acme/test-runner": "^4.1.0",
63
+ "@acme/lint-config": "^3.2.0",
64
+ "@acme/build-tool": "^1.5.0"
65
+ }
66
+ }
67
+
68
+ Note: only the eight entries under "dependencies" ship to production. The four
69
+ entries under "devDependencies" are build/test tooling and are not installed in a
70
+ production build. The semver ranges above declare what is ACCEPTABLE; they do not
71
+ by themselves say which exact version was resolved. For the resolved versions read
72
+ the committed package-lock.json.
73
+ - id: package-lock
74
+ type: code
75
+ label: Resolved lockfile excerpt (package-lock.json)
76
+ content: |
77
+ package-lock.json (excerpt) — committed 2026-07-02 — "lockfileVersion": 3
78
+ This is the exact-version pin. Only the eight direct production dependencies plus
79
+ two transitive packages are shown; the real file also pins the transitive tree.
80
+
81
+ {
82
+ "name": "orders-api",
83
+ "lockfileVersion": 3,
84
+ "packages": {
85
+ "node_modules/@acme/http-kit": {
86
+ "version": "4.2.11",
87
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/http-kit/-/http-kit-4.2.11.tgz",
88
+ "integrity": "sha512-Kf9xQ2m1t7v0Zc3rN8pL5wYb4Hd6Js1Aa2Bb3Cc4Dd5Ee6Ff7Gg8Hh9Ii0Jj=="
89
+ },
90
+ "node_modules/@acme/json-schema": {
91
+ "version": "3.4.9",
92
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/json-schema/-/json-schema-3.4.9.tgz",
93
+ "integrity": "sha512-Zx8yWp2Lq7Rm4Tn6Vk1Bd3Fg5Hj9Kc0Aa1Bb2Cc3Dd4Ee5Ff6Gg7Hh8Ii9Jj=="
94
+ },
95
+ "node_modules/@acme/crypto-box": {
96
+ "version": "1.8.2",
97
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/crypto-box/-/crypto-box-1.8.2.tgz",
98
+ "integrity": "sha512-Pl3mQr9Xs4Vt7Wy0Zb2Cd5Fg8Hj1Kn6Aa3Bb4Cc5Dd6Ee7Ff8Gg9Hh0Ii1Jj=="
99
+ },
100
+ "node_modules/@acme/retry": {
101
+ "version": "2.0.1",
102
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/retry/-/retry-2.0.1.tgz",
103
+ "integrity": "sha512-Rt6nMx8Ka2Vd4Yb7Zc0Ee3Gg6Hj9Lp1Bb2Cc3Dd4Ee5Ff6Gg7Hh8Ii9Jj0Kk=="
104
+ },
105
+ "node_modules/@acme/logger": {
106
+ "version": "2.7.3",
107
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/logger/-/logger-2.7.3.tgz",
108
+ "integrity": "sha512-Lg2vTn7Ba5Cd8Ef1Gh4Ij7Km0Np3Qr6Aa7Bb8Cc9Dd0Ee1Ff2Gg3Hh4Ii5Jj=="
109
+ },
110
+ "node_modules/@acme/config-loader": {
111
+ "version": "5.1.4",
112
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/config-loader/-/config-loader-5.1.4.tgz",
113
+ "integrity": "sha512-Cf5wRm9Yb3De6Fg9Hi2Jk5Lm8No1Pq4Aa5Bb6Cc7Dd8Ee9Ff0Gg1Hh2Ii3Jj=="
114
+ },
115
+ "node_modules/@acme/metrics": {
116
+ "version": "0.9.7",
117
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/metrics/-/metrics-0.9.7.tgz",
118
+ "integrity": "sha512-Mt7xSn1Cb4Ef7Gh0Ij3Kl6Mn9Op2Qr5Aa6Bb7Cc8Dd9Ee0Ff1Gg2Hh3Ii4Jj=="
119
+ },
120
+ "node_modules/@acme/queue-client": {
121
+ "version": "3.0.6",
122
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/queue-client/-/queue-client-3.0.6.tgz",
123
+ "integrity": "sha512-Qc8yTn2Db5Fg8Hi1Jk4Lm7No0Pq3Rs6Aa7Bb8Cc9Dd0Ee1Ff2Gg3Hh4Ii5Jj=="
124
+ },
125
+ "node_modules/@acme/internal-uri": {
126
+ "version": "1.2.0",
127
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/internal-uri/-/internal-uri-1.2.0.tgz",
128
+ "integrity": "sha512-Iu1vRn3Eb6Gh9Ij2Kl5Mn8Op1Qr4St7Aa8Bb9Cc0Dd1Ee2Ff3Gg4Hh5Ii6Jj=="
129
+ },
130
+ "node_modules/@acme/schema-core": {
131
+ "version": "3.4.9",
132
+ "resolved": "https://mirror.internal.acme.example/npm/@acme/schema-core/-/schema-core-3.4.9.tgz",
133
+ "integrity": "sha512-Sc3wUn4Fb7Hi0Jk3Lm6No9Pq2Rs5Tu8Aa9Bb0Cc1Dd2Ee3Ff4Gg5Hh6Ii7Jj=="
134
+ }
135
+ }
136
+ }
137
+
138
+ This lockfile is the exact set of versions a release SHIPS when the build installs
139
+ with `npm ci`. It records @acme/retry at 2.0.1. It was committed 2026-07-02.
140
+ - id: registry-mirror
141
+ type: table
142
+ label: Internal registry mirror manifest
143
+ content: |
144
+ INTERNAL REGISTRY MIRROR — manifest export — mirror.internal.acme.example/npm
145
+ Snapshot taken 2026-07-09T14:00Z.
146
+ Columns:
147
+ served = version the mirror returns as latest matching the declared range
148
+ upstream = latest version on the public registry at this package's last sync
149
+ last_sync = when this package was last synced from upstream into the mirror
150
+
151
+ package | served | upstream | last_sync
152
+ ---------------------|---------|----------|------------
153
+ @acme/http-kit | 4.2.11 | 4.2.11 | 2026-07-09
154
+ @acme/json-schema | 3.4.9 | 3.4.9 | 2026-07-02
155
+ @acme/crypto-box | 1.8.2 | 1.8.5 | 2026-06-30
156
+ @acme/retry | 2.0.4 | 2.0.4 | 2026-07-08
157
+ @acme/logger | 2.7.3 | 2.7.3 | 2026-07-05
158
+ @acme/config-loader | 5.1.4 | 5.1.4 | 2026-07-05
159
+ @acme/metrics | 0.9.7 | 0.9.7 | 2026-07-05
160
+ @acme/queue-client | 3.0.6 | 3.0.6 | 2026-07-05
161
+
162
+ Notes:
163
+ - @acme/crypto-box: the mirror is BEHIND upstream. Upstream already has 1.8.5
164
+ (the version the 2026-07-08 advisory requires), but this package last synced
165
+ 2026-06-30 and the mirror still serves 1.8.2. Until the mirror re-syncs
166
+ crypto-box, an install pointed at this mirror cannot obtain 1.8.5.
167
+ - @acme/retry: the mirror synced 2.0.4 on 2026-07-08. That is why a fresh
168
+ `npm install` against this mirror now resolves the ^2.0.1 range to 2.0.4 even
169
+ though the committed lockfile pins 2.0.1.
170
+ - This manifest reports what the mirror SERVES. It does not decide which version
171
+ the release "should" ship; the engineering note holds the authority rules.
172
+ - id: ci-install-log
173
+ type: log
174
+ label: CI install log (release-audit stage)
175
+ content: |
176
+ # CI job: release-audit — pipeline stage "install" — 2026-07-09T14:22:06Z
177
+ # runner: ci-runner-07 — node v20.14.0 — npm v10.8.1
178
+ # WARNING: this stage runs `npm install`, NOT `npm ci`. `npm install` re-resolves
179
+ # the semver ranges in package.json against the internal mirror and can
180
+ # land on a different version than the committed lockfile pins.
181
+ $ npm config get registry
182
+ https://mirror.internal.acme.example/npm/
183
+ $ npm install --loglevel verbose
184
+ npm verbose cli /usr/local/bin/node /usr/local/bin/npm
185
+ npm info using npm@10.8.1
186
+ npm info using node@v20.14.0
187
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fhttp-kit 214ms
188
+ npm verbose reify resolved @acme/http-kit@4.2.11
189
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fjson-schema 188ms
190
+ npm verbose reify resolved @acme/json-schema@3.4.9
191
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fcrypto-box 197ms
192
+ npm verbose reify resolved @acme/crypto-box@1.8.2
193
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fretry 176ms
194
+ npm verbose reify resolved @acme/retry@2.0.4
195
+ npm warn reify @acme/retry: committed lockfile pins 2.0.1, but range ^2.0.1 re-resolved to 2.0.4 from the mirror
196
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2flogger 165ms
197
+ npm verbose reify resolved @acme/logger@2.7.3
198
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fconfig-loader 172ms
199
+ npm verbose reify resolved @acme/config-loader@5.1.4
200
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fmetrics 158ms
201
+ npm verbose reify resolved @acme/metrics@0.9.7
202
+ npm http fetch GET 200 https://mirror.internal.acme.example/npm/@acme%2fqueue-client 169ms
203
+ npm verbose reify resolved @acme/queue-client@3.0.6
204
+ npm verbose reify resolved @acme/internal-uri@1.2.0
205
+ npm verbose reify resolved @acme/schema-core@3.4.9
206
+ npm verbose reify resolved @acme/backoff@1.1.0
207
+ added 14 packages in 6s
208
+ $ npm audit --production
209
+ # npm audit report (advisory feed: mirror-audit, refreshed 2026-07-09)
210
+ @acme/crypto-box <1.8.5
211
+ Severity: high
212
+ Prototype pollution in parseColl() — advisory ACME-ADV-2026-0071
213
+ fix available via `npm install @acme/crypto-box@1.8.5`
214
+ @acme/logger >=2.7.0 <2.7.4
215
+ Severity: moderate
216
+ Inefficient regular expression in redact() — advisory ACME-ADV-2026-0069
217
+ @acme/queue-client <3.0.7
218
+ Severity: moderate
219
+ Unbounded retry buffer — advisory ACME-ADV-2026-0064
220
+ @acme/http-kit <4.2.12
221
+ Severity: high
222
+ Header injection in buildRequest() — advisory ACME-ADV-2026-0058
223
+ @acme/config-loader <5.1.5
224
+ Severity: high
225
+ Insecure defaults for remote config fetch — advisory ACME-ADV-2026-0052
226
+ 5 vulnerabilities (2 moderate, 3 high)
227
+ Run `npm audit fix` to address issues that have fixes.
228
+ - id: security-advisory
229
+ type: note
230
+ label: Security advisory ACME-ADV-2026-0071
231
+ content: |
232
+ SECURITY ADVISORY — ACME-ADV-2026-0071 — published 2026-07-08
233
+
234
+ Package: @acme/crypto-box
235
+ Affected versions: < 1.8.5
236
+ Patched version: 1.8.5
237
+ Severity: High (CVSS 7.5)
238
+
239
+ Summary: A prototype-pollution flaw in parseColl() lets a crafted payload set
240
+ properties on Object.prototype. Any service that parses untrusted input with
241
+ @acme/crypto-box below 1.8.5 is affected.
242
+
243
+ Action required: upgrade @acme/crypto-box to 1.8.5 or higher before the next
244
+ production release. This minimum-version floor OVERRIDES any lower version pinned
245
+ in a lockfile that was generated before this advisory's publication date.
246
+
247
+ Scope: this advisory concerns ONE package (@acme/crypto-box). It is NOT a full
248
+ dependency vulnerability sweep and does not state a total vulnerability count for
249
+ the service. Do not read a service-wide vulnerability total out of this notice.
250
+ - id: dep-dashboard
251
+ type: table
252
+ label: Dependency health dashboard export
253
+ content: |
254
+ DEPENDENCY HEALTH DASHBOARD — service "orders-api" — export
255
+ Produced by DepBoard. As-of snapshot: 2026-07-01T00:00Z.
256
+ Refresh cadence: weekly (next scheduled refresh 2026-07-08).
257
+
258
+ NOTE FROM DEPBOARD: this dashboard is a convenience aggregate. The versions below
259
+ are what the last weekly crawl observed; between crawls the repository lockfile may
260
+ have moved on. For the authoritative shipped version, read the committed
261
+ package-lock.json rather than this board.
262
+
263
+ Direct dependencies (as last crawled 2026-07-01):
264
+ @acme/http-kit 4.2.11
265
+ @acme/json-schema 3.4.0
266
+ @acme/crypto-box 1.8.2
267
+ @acme/retry 2.0.1
268
+ @acme/logger 2.7.3
269
+ @acme/config-loader 5.1.4
270
+ @acme/metrics 0.9.7
271
+ @acme/queue-client 3.0.6
272
+
273
+ Security summary:
274
+ Scanner: DepBoard-Scan
275
+ Advisory database snapshot: 2026-06-28
276
+ As-of: 2026-07-01
277
+ Known vulnerabilities in production dependencies: 3 (1 high, 2 moderate)
278
+ Highest severity present: high
279
+
280
+ This security summary counts what DepBoard-Scan's 2026-06-28 advisory database knew
281
+ about as of the 2026-07-01 crawl. A different scanner with a different advisory
282
+ database may return a different total.
283
+ - id: eng-note
284
+ type: note
285
+ label: Engineering note (dependency-audit authority rules)
286
+ content: |
287
+ ENGINEERING NOTE — dependency-audit authority rules — orders-api release
288
+ Author: Release Engineering. Last updated 2026-07-09.
289
+
290
+ Use these rules to adjudicate when sources disagree. Cite the rule you applied.
291
+
292
+ 1. The committed package-lock.json is authoritative for the exact versions a
293
+ release SHIPS — but only for a build that installs with `npm ci`, which
294
+ installs exactly what the lockfile pins. A build that runs `npm install`
295
+ re-resolves the ranges in package.json against the internal mirror and can
296
+ land on a different version than the lockfile records.
297
+
298
+ 2. If a CI install log shows a resolved version that DIFFERS from the committed
299
+ lockfile for the same package, that is an unreconciled DRIFT. This note does
300
+ NOT declare either value the winner: the shipped version cannot be stated as a
301
+ single value until the drift is fixed (pin the release stage to `npm ci`) and
302
+ re-verified. Report both values and flag it; do not silently prefer the
303
+ lockfile or the newer install.
304
+
305
+ 3. The dependency dashboard (DepBoard export) is a convenience aggregate refreshed
306
+ weekly; its as-of timestamp lags the repository. When the dashboard and the
307
+ lockfile disagree on a dependency VERSION, the lockfile is correct and the
308
+ dashboard is stale. This rule covers dependency versions ONLY.
309
+
310
+ 4. A security advisory published AFTER the lockfile's commit date sets a MINIMUM
311
+ version floor for the NAMED package that overrides the lockfile; the release
312
+ must bump that package to satisfy the floor before shipping. The lockfile's
313
+ commit date for this release is 2026-07-02.
314
+
315
+ 5. Vulnerability COUNTS are not covered by rule 3. No source here is designated the
316
+ authoritative total vulnerability count for the service. The dashboard scanner
317
+ and the CI `npm audit` step query different advisory databases and are known to
318
+ return different totals; do not treat either as canonical and do not simply
319
+ pick the newer one. Report each count with its as-of date.
320
+
321
+ 6. The registry mirror manifest records what the internal mirror served and when
322
+ it last synced. It is EVIDENCE of what an install would pull; it is not an
323
+ authority on which version is "correct."
324
+ tags: [dependencies, supply-chain, conflicting-sources, hallucination]