coding-agent-skills 0.2.8

Files changed (357)
  1. package/AGENTS.md +44 -0
  2. package/CHANGELOG.md +205 -0
  3. package/CONTRIBUTING.md +54 -0
  4. package/LICENSE +21 -0
  5. package/README.md +85 -0
  6. package/ROADMAP.md +87 -0
  7. package/RUNBOOK.md +47 -0
  8. package/bin/coding-agent-skills +75 -0
  9. package/contracts/evidence-pack/README.md +22 -0
  10. package/contracts/evidence-pack/evidence-pack.example.json +60 -0
  11. package/contracts/evidence-pack/evidence-pack.example.md +49 -0
  12. package/contracts/evidence-pack/evidence-pack.schema.json +156 -0
  13. package/docs/adapters/README.md +82 -0
  14. package/docs/adapters/discovery.md +50 -0
  15. package/docs/adapters/external-adapters.md +42 -0
  16. package/docs/adapters/project-installation.md +135 -0
  17. package/docs/adapters/real-project-adoption.md +193 -0
  18. package/docs/adapters/upgrade-evidence.md +67 -0
  19. package/docs/adapters/upgrades.md +83 -0
  20. package/docs/architecture/README.md +23 -0
  21. package/docs/authoring/README.md +54 -0
  22. package/docs/evidence-bundles/README.md +94 -0
  23. package/docs/privacy/README.md +26 -0
  24. package/docs/release/README.md +42 -0
  25. package/docs/release/npm-package.md +85 -0
  26. package/docs/safety/README.md +94 -0
  27. package/docs/testing/README.md +100 -0
  28. package/docs/usage/README.md +89 -0
  29. package/docs/versioning/README.md +30 -0
  30. package/docs/versioning/adapter-compatibility.md +54 -0
  31. package/examples/README.md +12 -0
  32. package/examples/adapters/README.md +9 -0
  33. package/examples/adapters/documentation-precedence.json +62 -0
  34. package/examples/adapters/narrow-repo-map.json +64 -0
  35. package/examples/adapters/runtime-status-hints.json +76 -0
  36. package/examples/command-policies/README.md +3 -0
  37. package/examples/command-policies/build-verify.json +57 -0
  38. package/examples/command-policies/git-preflight.json +44 -0
  39. package/examples/command-policies/llm-drift-control.json +45 -0
  40. package/examples/command-policies/repo-map.json +59 -0
  41. package/examples/command-policies/runtime-truth.json +59 -0
  42. package/examples/evidence-packs/README.md +3 -0
  43. package/examples/evidence-packs/build-verify.json +68 -0
  44. package/examples/evidence-packs/git-preflight.json +55 -0
  45. package/examples/evidence-packs/llm-drift-control.json +55 -0
  46. package/examples/evidence-packs/repo-map.json +55 -0
  47. package/examples/evidence-packs/runtime-truth.json +55 -0
  48. package/examples/manifests/README.md +3 -0
  49. package/examples/manifests/build-verify.json +14 -0
  50. package/examples/manifests/git-preflight.json +14 -0
  51. package/examples/manifests/llm-drift-control.json +14 -0
  52. package/examples/manifests/repo-map.json +14 -0
  53. package/examples/manifests/runtime-truth.json +14 -0
  54. package/examples/upgrade-evidence/README.md +14 -0
  55. package/examples/upgrade-evidence/chain-fail.evidence.json +155 -0
  56. package/examples/upgrade-evidence/chain-fail.evidence.md +14 -0
  57. package/examples/upgrade-evidence/chain-pass.evidence.json +156 -0
  58. package/examples/upgrade-evidence/stale-pin.evidence.json +117 -0
  59. package/examples/upgrade-evidence/unsafe-upgrade.evidence.json +128 -0
  60. package/examples/upgrade-evidence/valid-upgrade.evidence.json +105 -0
  61. package/examples/upgrade-evidence/valid-upgrade.evidence.md +13 -0
  62. package/examples/workflows/README.md +3 -0
  63. package/examples/workflows/build-verify.md +20 -0
  64. package/examples/workflows/git-preflight.md +18 -0
  65. package/examples/workflows/llm-drift-control.md +16 -0
  66. package/examples/workflows/repo-map.md +20 -0
  67. package/examples/workflows/runtime-truth.md +17 -0
  68. package/package.json +58 -0
  69. package/runs/skill-runs.md +162 -0
  70. package/schemas/adapter-upgrade-evidence.schema.json +443 -0
  71. package/schemas/archive-index.schema.json +174 -0
  72. package/schemas/archive-report.schema.json +322 -0
  73. package/schemas/command-policy.schema.json +125 -0
  74. package/schemas/evidence-bundle.schema.json +394 -0
  75. package/schemas/project-adapter-installation.schema.json +127 -0
  76. package/schemas/project-adapter.schema.json +328 -0
  77. package/schemas/skill-manifest.schema.json +40 -0
  78. package/scripts/check-adapter-upgrade-chain.mjs +32 -0
  79. package/scripts/check-adapter-upgrade.mjs +31 -0
  80. package/scripts/lib/adapter-discovery.mjs +441 -0
  81. package/scripts/lib/adapter-repo-map.mjs +358 -0
  82. package/scripts/lib/adapter-upgrade-chain.mjs +261 -0
  83. package/scripts/lib/adapter-upgrade.mjs +434 -0
  84. package/scripts/lib/evidence-bundle.mjs +831 -0
  85. package/scripts/lib/pack-rules.mjs +704 -0
  86. package/scripts/lib/project-adapter-installation.mjs +327 -0
  87. package/scripts/lib/safe-evidence-output.mjs +92 -0
  88. package/scripts/lib/schema-validator.mjs +146 -0
  89. package/scripts/lib/semver.mjs +54 -0
  90. package/scripts/lib/upgrade-evidence.mjs +276 -0
  91. package/scripts/render-adapter-repo-map.mjs +8 -0
  92. package/scripts/render-evidence-archive-report.mjs +18 -0
  93. package/scripts/run-next +220 -0
  94. package/scripts/test-pack.mjs +2232 -0
  95. package/scripts/validate-adapters.mjs +10 -0
  96. package/scripts/validate-maintainer-loop.mjs +146 -0
  97. package/scripts/validate-pack.mjs +950 -0
  98. package/scripts/validate-project-adapters.mjs +8 -0
  99. package/scripts/verify-evidence-bundle.mjs +18 -0
  100. package/skills/build-verify/SKILL.md +62 -0
  101. package/skills/build-verify/adapter-interface.md +7 -0
  102. package/skills/build-verify/agents/openai.yaml +4 -0
  103. package/skills/build-verify/checklist.md +12 -0
  104. package/skills/build-verify/evidence-template.md +11 -0
  105. package/skills/build-verify/examples.md +16 -0
  106. package/skills/build-verify/failure-modes.md +14 -0
  107. package/skills/git-preflight/SKILL.md +65 -0
  108. package/skills/git-preflight/adapter-interface.md +7 -0
  109. package/skills/git-preflight/agents/openai.yaml +4 -0
  110. package/skills/git-preflight/checklist.md +11 -0
  111. package/skills/git-preflight/evidence-template.md +10 -0
  112. package/skills/git-preflight/examples.md +18 -0
  113. package/skills/git-preflight/failure-modes.md +13 -0
  114. package/skills/llm-drift-control/SKILL.md +67 -0
  115. package/skills/llm-drift-control/adapter-interface.md +7 -0
  116. package/skills/llm-drift-control/agents/openai.yaml +4 -0
  117. package/skills/llm-drift-control/checklist.md +11 -0
  118. package/skills/llm-drift-control/evidence-template.md +13 -0
  119. package/skills/llm-drift-control/examples.md +15 -0
  120. package/skills/llm-drift-control/failure-modes.md +13 -0
  121. package/skills/repo-map/SKILL.md +71 -0
  122. package/skills/repo-map/adapter-interface.md +18 -0
  123. package/skills/repo-map/agents/openai.yaml +4 -0
  124. package/skills/repo-map/checklist.md +15 -0
  125. package/skills/repo-map/evidence-template.md +29 -0
  126. package/skills/repo-map/examples.md +19 -0
  127. package/skills/repo-map/failure-modes.md +16 -0
  128. package/skills/runtime-truth/SKILL.md +62 -0
  129. package/skills/runtime-truth/adapter-interface.md +7 -0
  130. package/skills/runtime-truth/agents/openai.yaml +4 -0
  131. package/skills/runtime-truth/checklist.md +11 -0
  132. package/skills/runtime-truth/evidence-template.md +12 -0
  133. package/skills/runtime-truth/examples.md +20 -0
  134. package/skills/runtime-truth/failure-modes.md +13 -0
  135. package/tests/README.md +44 -0
  136. package/tests/adapters/README.md +15 -0
  137. package/tests/completion/README.md +15 -0
  138. package/tests/evidence/README.md +15 -0
  139. package/tests/fixtures/README.md +23 -0
  140. package/tests/fixtures/adapters/allow-deploy.json +60 -0
  141. package/tests/fixtures/adapters/allow-git-push.json +60 -0
  142. package/tests/fixtures/adapters/expand-scope.json +53 -0
  143. package/tests/fixtures/adapters/expose-secrets.json +53 -0
  144. package/tests/fixtures/adapters/incompatible-version.json +53 -0
  145. package/tests/fixtures/adapters/override-audit-only.json +53 -0
  146. package/tests/fixtures/adapters/redefine-completion.json +53 -0
  147. package/tests/fixtures/adapters/remove-required-evidence.json +53 -0
  148. package/tests/fixtures/adapters/suppress-failures.json +53 -0
  149. package/tests/fixtures/adapters/valid-narrowing.json +53 -0
  150. package/tests/fixtures/adapters/valid-repo-map.json +53 -0
  151. package/tests/fixtures/adapters/weakening-repo-map.json +42 -0
  152. package/tests/fixtures/completion/cases.json +143 -0
  153. package/tests/fixtures/completion/false-complete.json +51 -0
  154. package/tests/fixtures/evidence-bundles/advisory-review-soon/archive/evidence-archive-index.json +52 -0
  155. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/repo-map.evidence.json +68 -0
  156. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/valid-upgrade.evidence.json +105 -0
  157. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence-bundle.json +109 -0
  158. package/tests/fixtures/evidence-bundles/invalid-archive/archive/evidence-archive-index.json +52 -0
  159. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/repo-map.evidence.json +68 -0
  160. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/valid-upgrade.evidence.json +105 -0
  161. package/tests/fixtures/evidence-bundles/invalid-archive/evidence-bundle.json +109 -0
  162. package/tests/fixtures/evidence-bundles/invalid-archive-index/archive/evidence-archive-index.json +52 -0
  163. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/repo-map.evidence.json +68 -0
  164. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/valid-upgrade.evidence.json +105 -0
  165. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence-bundle.json +109 -0
  166. package/tests/fixtures/evidence-bundles/invalid-hash/archive/evidence-archive-index.json +52 -0
  167. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/repo-map.evidence.json +68 -0
  168. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/valid-upgrade.evidence.json +105 -0
  169. package/tests/fixtures/evidence-bundles/invalid-hash/evidence-bundle.json +109 -0
  170. package/tests/fixtures/evidence-bundles/invalid-missing-entry/archive/evidence-archive-index.json +52 -0
  171. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/repo-map.evidence.json +68 -0
  172. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/valid-upgrade.evidence.json +105 -0
  173. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence-bundle.json +109 -0
  174. package/tests/fixtures/evidence-bundles/invalid-path/archive/evidence-archive-index.json +52 -0
  175. package/tests/fixtures/evidence-bundles/invalid-path/evidence/repo-map.evidence.json +68 -0
  176. package/tests/fixtures/evidence-bundles/invalid-path/evidence/valid-upgrade.evidence.json +105 -0
  177. package/tests/fixtures/evidence-bundles/invalid-path/evidence-bundle.json +109 -0
  178. package/tests/fixtures/evidence-bundles/invalid-provenance/archive/evidence-archive-index.json +52 -0
  179. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/repo-map.evidence.json +68 -0
  180. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/valid-upgrade.evidence.json +105 -0
  181. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence-bundle.json +109 -0
  182. package/tests/fixtures/evidence-bundles/invalid-regression/archive/evidence-archive-index.json +52 -0
  183. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/repo-map.evidence.json +68 -0
  184. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/valid-upgrade.evidence.json +105 -0
  185. package/tests/fixtures/evidence-bundles/invalid-regression/evidence-bundle.json +113 -0
  186. package/tests/fixtures/evidence-bundles/invalid-retention/archive/evidence-archive-index.json +52 -0
  187. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/repo-map.evidence.json +68 -0
  188. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/valid-upgrade.evidence.json +105 -0
  189. package/tests/fixtures/evidence-bundles/invalid-retention/evidence-bundle.json +109 -0
  190. package/tests/fixtures/evidence-bundles/invalid-signature-plan/archive/evidence-archive-index.json +52 -0
  191. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/repo-map.evidence.json +68 -0
  192. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/valid-upgrade.evidence.json +105 -0
  193. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence-bundle.json +109 -0
  194. package/tests/fixtures/evidence-bundles/valid-bundle/archive/evidence-archive-index.json +52 -0
  195. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/repo-map.evidence.json +68 -0
  196. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/valid-upgrade.evidence.json +105 -0
  197. package/tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json +109 -0
  198. package/tests/fixtures/external-adapters/empty/README.md +3 -0
  199. package/tests/fixtures/external-adapters/invalid-completion-override/.coding-agent/adapters/completion/adapter.json +53 -0
  200. package/tests/fixtures/external-adapters/invalid-deploy/.coding-agent/adapters/deploy/adapter.json +60 -0
  201. package/tests/fixtures/external-adapters/invalid-evidence-suppression/.coding-agent/adapters/evidence/adapter.json +53 -0
  202. package/tests/fixtures/external-adapters/invalid-failure-suppression/.coding-agent/adapters/failures/adapter.json +53 -0
  203. package/tests/fixtures/external-adapters/invalid-git-push/.coding-agent/adapters/publish/adapter.json +60 -0
  204. package/tests/fixtures/external-adapters/invalid-malformed/.coding-agent/adapters/malformed/adapter.json +1 -0
  205. package/tests/fixtures/external-adapters/invalid-malformed/malformed-adapter.txt +1 -0
  206. package/tests/fixtures/external-adapters/invalid-mode-escalation/.coding-agent/adapters/mode/adapter.json +53 -0
  207. package/tests/fixtures/external-adapters/invalid-path-traversal/.coding-agent/adapters/path/adapter.json +53 -0
  208. package/tests/fixtures/external-adapters/invalid-restriction-removal/.coding-agent/adapters/restrictions/adapter.json +52 -0
  209. package/tests/fixtures/external-adapters/invalid-scope-expansion/.coding-agent/adapters/scope/adapter.json +53 -0
  210. package/tests/fixtures/external-adapters/invalid-secret-exposure/.coding-agent/adapters/secrets/adapter.json +53 -0
  211. package/tests/fixtures/external-adapters/invalid-skill-id/.coding-agent/adapters/skill/adapter.json +53 -0
  212. package/tests/fixtures/external-adapters/invalid-skill-version/.coding-agent/adapters/skill-version/adapter.json +53 -0
  213. package/tests/fixtures/external-adapters/invalid-unknown-manifest/.coding-agent/adapters/unknown/manifest.json +1 -0
  214. package/tests/fixtures/external-adapters/invalid-version/.coding-agent/adapters/version/adapter.json +53 -0
  215. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/invalid/adapter.json +60 -0
  216. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/valid/adapter.json +53 -0
  217. package/tests/fixtures/external-adapters/valid-basic/.coding-agent/adapters/basic/adapter.json +53 -0
  218. package/tests/fixtures/external-adapters/valid-doc-precedence/coding-agent/adapters/docs/adapter.json +53 -0
  219. package/tests/fixtures/external-adapters/valid-runtime-status/adapters/coding-agent/runtime/adapter.json +65 -0
  220. package/tests/fixtures/mutation/cases.json +87 -0
  221. package/tests/fixtures/mutation/snapshot-target/README.md +3 -0
  222. package/tests/fixtures/mutation/snapshot-target/state.json +4 -0
  223. package/tests/fixtures/policy/commands.json +164 -0
  224. package/tests/fixtures/policy/properties.json +126 -0
  225. package/tests/fixtures/privacy/cases.json +47 -0
  226. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.agents/adapters/basic/adapter.json +53 -0
  227. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.coding-agent/skills.json +23 -0
  228. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/adapters/basic/adapter.json +53 -0
  229. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/skills.json +23 -0
  230. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  231. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/skills.json +23 -0
  232. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/adapters/basic/adapter.json +53 -0
  233. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/skills.json +23 -0
  234. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/adapters/basic/adapter.json +53 -0
  235. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/skills.json +23 -0
  236. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/adapters/basic/adapter.json +53 -0
  237. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/skills.json +23 -0
  238. package/tests/fixtures/project-adapter-installation/invalid-missing-declaration/.coding-agent/adapters/basic/adapter.json +53 -0
  239. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/adapters/basic/adapter.json +53 -0
  240. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/skills.json +23 -0
  241. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/adapters/basic/adapter.json +53 -0
  242. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/skills.json +23 -0
  243. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/adapters/basic/adapter.json +53 -0
  244. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/skills.json +23 -0
  245. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/adapters/basic/adapter.json +53 -0
  246. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/skills.json +23 -0
  247. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  248. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/skills.json +23 -0
  249. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/adapters/basic/adapter.json +53 -0
  250. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/skills.json +23 -0
  251. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/adapters/basic/adapter.json +53 -0
  252. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/skills.json +23 -0
  253. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/adapters/basic/adapter.json +52 -0
  254. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/skills.json +23 -0
  255. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent/adapters/docs/adapter.json +53 -0
  256. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent.skills.json +23 -0
  257. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/adapters/basic/adapter.json +53 -0
  258. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/skills.json +23 -0
  259. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/.coding-agent/skills.json +28 -0
  260. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/repo/adapter.json +53 -0
  261. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/runtime/adapter.json +58 -0
  262. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  263. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/skills.json +27 -0
  264. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  265. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/skills.json +27 -0
  266. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  267. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/skills.json +27 -0
  268. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  269. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/skills.json +27 -0
  270. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  271. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/skills.json +27 -0
  272. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  273. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/skills.json +27 -0
  274. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  275. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/skills.json +27 -0
  276. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  277. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/skills.json +27 -0
  278. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  279. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/skills.json +27 -0
  280. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  281. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/skills.json +27 -0
  282. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  283. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/skills.json +27 -0
  284. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  285. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/skills.json +27 -0
  286. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/adapters/fixture-chain-adapter/adapter.json +69 -0
  287. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/skills.json +27 -0
  288. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  289. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/skills.json +27 -0
  290. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  291. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/skills.json +27 -0
  292. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  293. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/skills.json +27 -0
  294. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  295. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/skills.json +27 -0
  296. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  297. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/skills.json +27 -0
  298. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  299. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/skills.json +27 -0
  300. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  301. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/skills.json +27 -0
  302. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  303. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/skills.json +27 -0
  304. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  305. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/skills.json +27 -0
  306. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +71 -0
  307. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/skills.json +27 -0
  308. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  309. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/skills.json +27 -0
  310. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  311. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/skills.json +27 -0
  312. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  313. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/skills.json +27 -0
  314. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  315. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/skills.json +27 -0
  316. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  317. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/skills.json +27 -0
  318. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  319. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/skills.json +27 -0
  320. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  321. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/skills.json +27 -0
  322. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  323. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/skills.json +27 -0
  324. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  325. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/skills.json +27 -0
  326. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  327. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/skills.json +27 -0
  328. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  329. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/skills.json +27 -0
  330. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  331. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/skills.json +27 -0
  332. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  333. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/skills.json +27 -0
  334. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  335. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/skills.json +27 -0
  336. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  337. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/skills.json +27 -0
  338. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  339. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/skills.json +27 -0
  340. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  341. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/skills.json +27 -0
  342. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  343. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/skills.json +27 -0
  344. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  345. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/skills.json +27 -0
  346. package/tests/fixtures/sample-repo/.env.example +1 -0
  347. package/tests/fixtures/sample-repo/README.md +4 -0
  348. package/tests/fixtures/sample-repo/docs/architecture.md +3 -0
  349. package/tests/fixtures/sample-repo/package.json +11 -0
  350. package/tests/fixtures/sample-repo/src/index.js +3 -0
  351. package/tests/fixtures/sample-repo/test/index.test.js +8 -0
  352. package/tests/fixtures/triggers/cases.json +101 -0
  353. package/tests/policy/README.md +16 -0
  354. package/tests/privacy/README.md +14 -0
  355. package/tests/safety/README.md +17 -0
  356. package/tests/trigger/README.md +11 -0
  357. package/work-ledger.md +159 -0
@@ -0,0 +1,831 @@
1
+ import { createHash } from "node:crypto";
2
+ import fs from "node:fs";
3
+ import path from "node:path";
4
+ import { fileURLToPath } from "node:url";
5
+
6
+ import {
7
+ completionIssues,
8
+ detectSensitiveValues,
9
+ PILOT_VERSION,
10
+ PREVIOUS_PILOT_VERSION,
11
+ } from "./pack-rules.mjs";
12
+ import { validateValue } from "./schema-validator.mjs";
13
+
14
+ const DEFAULT_CORE_ROOT = path.resolve(
15
+ path.dirname(fileURLToPath(import.meta.url)),
16
+ "..",
17
+ "..",
18
+ );
19
+ const STATUS_RANK = new Map([
20
+ ["complete", 3],
21
+ ["pass", 3],
22
+ ["partial", 2],
23
+ ["warn", 2],
24
+ ["blocked", 1],
25
+ ["failed", 0],
26
+ ["fail", 0],
27
+ ]);
28
+ const MIN_SYNTHETIC_RETENTION_DAYS = 30;
29
+ const MIN_MAINTAINER_RETENTION_DAYS = 90;
30
+ const MAX_RETENTION_DAYS = 3650;
31
+ const MIN_ARCHIVE_REPORT_BYTES = 512;
32
+ const MAX_ARCHIVE_REPORT_BYTES = 250000;
33
+ const MIN_RETENTION_ADVISORY_THRESHOLD_DAYS = 1;
34
+ const MAX_RETENTION_ADVISORY_THRESHOLD_DAYS = 365;
35
+ const SIGNATURE_REQUIRED_ARTIFACTS = [
36
+ "canonical-bundle-json",
37
+ "detached-signature",
38
+ "public-verification-identity",
39
+ ];
40
+
41
+ function readText(file) {
42
+ return fs.readFileSync(file, "utf8");
43
+ }
44
+
45
+ function readJson(file) {
46
+ return JSON.parse(readText(file));
47
+ }
48
+
49
+ function sha256(text) {
50
+ return createHash("sha256").update(text).digest("hex");
51
+ }
52
+
53
+ function canonical(value) {
54
+ if (Array.isArray(value)) return value.map(canonical);
55
+ if (value && typeof value === "object") {
56
+ return Object.fromEntries(
57
+ Object.entries(value)
58
+ .sort(([left], [right]) => left.localeCompare(right))
59
+ .map(([key, entry]) => [key, canonical(entry)]),
60
+ );
61
+ }
62
+ return value;
63
+ }
64
+
65
+ function reportHash(report) {
66
+ return sha256(JSON.stringify(canonical(report)));
67
+ }
68
+
69
+ function inside(root, candidate) {
70
+ const relative = path.relative(root, candidate);
71
+ return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
72
+ }
73
+
74
+ function safeRelativePath(bundleRoot, relativePath, options = {}) {
75
+ const extension = options.extension ?? ".json";
76
+ const missingCode = options.missingCode ?? "missing-path";
77
+ const traversalCode = options.traversalCode ?? "path-traversal";
78
+ const secretCode = options.secretCode ?? "secret-path";
79
+ const missingFileCode = options.missingFileCode ?? "path-missing";
80
+ const symlinkCode = options.symlinkCode ?? "path-symlink-escape";
81
+ const notFileCode = options.notFileCode ?? "path-not-file";
82
+ const requireExists = options.requireExists ?? true;
83
+
84
+ if (!relativePath || typeof relativePath !== "string") {
85
+ return { ok: false, code: missingCode };
86
+ }
87
+ if (path.isAbsolute(relativePath) || relativePath.split(/[\\/]+/).includes("..")) {
88
+ return { ok: false, code: traversalCode };
89
+ }
90
+ if (relativePath.split(/[\\/]+/).some((part) => /^\.env(?:\.|$)/.test(part))) {
91
+ return { ok: false, code: secretCode };
92
+ }
93
+ if (extension && !relativePath.endsWith(extension)) {
94
+ return { ok: false, code: notFileCode };
95
+ }
96
+ const resolved = path.resolve(bundleRoot, relativePath);
97
+ if (!inside(bundleRoot, resolved)) return { ok: false, code: traversalCode };
98
+ if (!fs.existsSync(resolved)) {
99
+ return requireExists ? { ok: false, code: missingFileCode } : { ok: true, path: resolved };
100
+ }
101
+ const stat = fs.lstatSync(resolved);
102
+ if (stat.isSymbolicLink()) return { ok: false, code: symlinkCode };
103
+ if (!stat.isFile()) return { ok: false, code: notFileCode };
104
+ return { ok: true, path: resolved };
105
+ }
106
+
107
+ function safeEntryPath(bundleRoot, relativePath) {
108
+ return safeRelativePath(bundleRoot, relativePath, {
109
+ extension: ".json",
110
+ missingCode: "missing-entry-path",
111
+ traversalCode: "entry-path-traversal",
112
+ secretCode: "entry-secret-path",
113
+ missingFileCode: "entry-missing",
114
+ symlinkCode: "entry-symlink-escape",
115
+ notFileCode: "entry-not-file",
116
+ });
117
+ }
118
+
119
+ function safeArchivePath(bundleRoot, relativePath) {
120
+ return safeRelativePath(bundleRoot, relativePath, {
121
+ extension: ".json",
122
+ requireExists: false,
123
+ missingCode: "missing-archive-path",
124
+ traversalCode: "archive-path-traversal",
125
+ secretCode: "archive-secret-path",
126
+ symlinkCode: "archive-symlink-escape",
127
+ notFileCode: "archive-not-file",
128
+ });
129
+ }
130
+
131
+ function safeArchiveIndexPath(bundleRoot, relativePath) {
132
+ return safeRelativePath(bundleRoot, relativePath, {
133
+ extension: ".json",
134
+ missingCode: "missing-archive-index-path",
135
+ traversalCode: "archive-index-path-traversal",
136
+ secretCode: "archive-index-secret-path",
137
+ missingFileCode: "archive-index-missing",
138
+ symlinkCode: "archive-index-symlink-escape",
139
+ notFileCode: "archive-index-not-file",
140
+ });
141
+ }
142
+
143
+ function dateValue(value) {
144
+ const parsed = Date.parse(value ?? "");
145
+ return Number.isNaN(parsed) ? null : parsed;
146
+ }
147
+
148
+ function daysBetween(start, end) {
149
+ return (end - start) / (24 * 60 * 60 * 1000);
150
+ }
151
+
152
+ function retentionExpiryAdvisory(bundle) {
153
+ const retention = bundle.retention ?? {};
154
+ const advisory = retention.expiryAdvisory ?? {};
155
+ const generatedAt = dateValue(bundle.generatedAt);
156
+ const retainUntil = dateValue(retention.retainUntil);
157
+ const threshold = Number.isInteger(advisory.reviewThresholdDays)
158
+ ? advisory.reviewThresholdDays
159
+ : 0;
160
+
161
+ if (generatedAt === null || retainUntil === null || threshold <= 0) {
162
+ return {
163
+ status: "unknown",
164
+ daysUntilExpiry: 0,
165
+ reviewThresholdDays: threshold,
166
+ advisoryOnly: true,
167
+ deleteAutomatically: false,
168
+ recommendedAction: "manual-review-only",
169
+ };
170
+ }
171
+
172
+ const daysUntilExpiry = Math.floor(daysBetween(generatedAt, retainUntil));
173
+ const reviewAt = retainUntil - threshold * 24 * 60 * 60 * 1000;
174
+ let status = "retained";
175
+ if (retainUntil <= generatedAt) {
176
+ status = "expired-review-required";
177
+ } else if (generatedAt >= reviewAt) {
178
+ status = "review-soon";
179
+ }
180
+
181
+ return {
182
+ status,
183
+ daysUntilExpiry,
184
+ reviewThresholdDays: threshold,
185
+ advisoryOnly: true,
186
+ deleteAutomatically: false,
187
+ recommendedAction: "manual-review-only",
188
+ };
189
+ }
190
+
191
+ function retentionIssues(bundle) {
192
+ const issues = [];
193
+ const retention = bundle.retention ?? {};
194
+ const minimumDays = retention.minimumDays;
195
+ const minAllowed =
196
+ retention.classification === "maintainer-release-evidence"
197
+ ? MIN_MAINTAINER_RETENTION_DAYS
198
+ : MIN_SYNTHETIC_RETENTION_DAYS;
199
+
200
+ if (!Number.isInteger(minimumDays)) {
201
+ issues.push("retention-minimum-days-invalid");
202
+ } else {
203
+ if (minimumDays < minAllowed) issues.push("retention-window-too-short");
204
+ if (minimumDays > MAX_RETENTION_DAYS) issues.push("retention-window-too-long");
205
+ }
206
+
207
+ const generatedAt = dateValue(bundle.generatedAt);
208
+ const retainUntil = dateValue(retention.retainUntil);
209
+ if (generatedAt === null || retainUntil === null) {
210
+ issues.push("retention-date-invalid");
211
+ } else if (retainUntil <= generatedAt) {
212
+ issues.push("retention-expired");
213
+ } else if (Number.isInteger(minimumDays) && daysBetween(generatedAt, retainUntil) < minimumDays) {
214
+ issues.push("retention-retain-until-too-soon");
215
+ }
216
+
217
+ if (retention.redaction !== "secret-values-prohibited") {
218
+ issues.push("retention-redaction-weakened");
219
+ }
220
+ const advisory = retention.expiryAdvisory ?? {};
221
+ if (advisory.mode !== "retention-expiry-review") {
222
+ issues.push("retention-advisory-mode-invalid");
223
+ }
224
+ if (!Number.isInteger(advisory.reviewThresholdDays)) {
225
+ issues.push("retention-advisory-threshold-invalid");
226
+ } else {
227
+ if (advisory.reviewThresholdDays < MIN_RETENTION_ADVISORY_THRESHOLD_DAYS) {
228
+ issues.push("retention-advisory-threshold-too-small");
229
+ }
230
+ if (advisory.reviewThresholdDays > MAX_RETENTION_ADVISORY_THRESHOLD_DAYS) {
231
+ issues.push("retention-advisory-threshold-too-large");
232
+ }
233
+ }
234
+ if (advisory.action !== "manual-review-only") {
235
+ issues.push("retention-advisory-action-invalid");
236
+ }
237
+ if (advisory.advisoryOnly !== true) {
238
+ issues.push("retention-advisory-not-advisory");
239
+ }
240
+ if (advisory.deleteAutomatically !== false) {
241
+ issues.push("retention-advisory-delete-enabled");
242
+ }
243
+ return issues.sort();
244
+ }
245
+
246
+ function provenanceIssues(bundle) {
247
+ const issues = [];
248
+ const provenance = bundle.provenance ?? {};
249
+ const signature = provenance.signature ?? {};
250
+ if (provenance.sourceTag !== `v${bundle.core?.currentVersion}`) {
251
+ issues.push("provenance-tag-mismatch");
252
+ }
253
+ if (detectSensitiveValues(JSON.stringify(provenance)).length) {
254
+ issues.push("provenance-secret-like-content");
255
+ }
256
+ if (signature.mode !== "detached-signature-design") {
257
+ issues.push("provenance-signature-mode-invalid");
258
+ }
259
+ if (signature.canonicalization !== "canonical-json-v1") {
260
+ issues.push("provenance-canonicalization-invalid");
261
+ }
262
+ if (signature.digestAlgorithm !== "sha256") {
263
+ issues.push("provenance-digest-invalid");
264
+ }
265
+ if (signature.status === "unsigned-fixture" && provenance.source !== "synthetic-fixture") {
266
+ issues.push("provenance-unsigned-nonfixture");
267
+ }
268
+ if (signature.status === "detached-signature-present") {
269
+ if (!signature.signaturePath || !signature.signatureSha256) {
270
+ issues.push("provenance-detached-signature-missing");
271
+ }
272
+ } else if (signature.signaturePath || signature.signatureSha256) {
273
+ issues.push("provenance-unexpected-signature-artifact");
274
+ }
275
+ if (signature.status === "verification-deferred") {
276
+ issues.push("provenance-signature-verification-deferred");
277
+ }
278
+ const plan = signature.verificationPlan ?? {};
279
+ if (plan.mode !== "detached-signature-verification-plan") {
280
+ issues.push("provenance-verification-plan-mode-invalid");
281
+ }
282
+ if (plan.validatesSignatureNow !== false) {
283
+ issues.push("provenance-verification-plan-runs-signature-check");
284
+ }
285
+ if (plan.failClosedWithoutValidSignature !== true) {
286
+ issues.push("provenance-verification-plan-not-fail-closed");
287
+ }
288
+ const artifacts = Array.isArray(plan.requiredArtifacts) ? plan.requiredArtifacts : [];
289
+ for (const artifact of SIGNATURE_REQUIRED_ARTIFACTS) {
290
+ if (!artifacts.includes(artifact)) {
291
+ issues.push(`provenance-verification-plan-missing:${artifact}`);
292
+ }
293
+ }
294
+ if (signature.status === "unsigned-fixture") {
295
+ if (plan.status !== "fixture-unsigned-not-required") {
296
+ issues.push("provenance-verification-plan-status-invalid");
297
+ }
298
+ } else if (signature.status === "detached-signature-present") {
299
+ if (plan.status !== "ready-artifacts-required") {
300
+ issues.push("provenance-verification-plan-status-invalid");
301
+ }
302
+ } else if (signature.status === "verification-deferred" && plan.status !== "planned-not-run") {
303
+ issues.push("provenance-verification-plan-status-invalid");
304
+ }
305
+ return issues.sort();
306
+ }
307
+
308
+ function archiveIndexIssues(bundle, bundleRoot, schema) {
309
+ const issues = [];
310
+ const archive = bundle.archive ?? {};
311
+ const index = archive.index ?? {};
312
+ const safePath = safeArchiveIndexPath(bundleRoot, index.path);
313
+ if (!safePath.ok) {
314
+ issues.push(safePath.code);
315
+ return { issues: issues.sort(), summary: null };
316
+ }
317
+
318
+ let parsedIndex;
319
+ const rawIndex = readText(safePath.path);
320
+ if (detectSensitiveValues(rawIndex).length) issues.push("archive-index-secret-like-content");
321
+ try {
322
+ parsedIndex = JSON.parse(rawIndex);
323
+ } catch {
324
+ issues.push("archive-index-json-invalid");
325
+ return { issues: issues.sort(), summary: null };
326
+ }
327
+
328
+ issues.push(...validateValue(schema, parsedIndex).map((issue) => `archive-index-schema:${issue}`));
329
+ const entryIds = (bundle.entries ?? []).map((entry) => entry.id).sort();
330
+ const indexEntryIds = (parsedIndex.entries ?? []).map((entry) => entry.id).sort();
331
+ if (parsedIndex.bundleId !== bundle.bundleId) issues.push("archive-index-bundle-mismatch");
332
+ if (parsedIndex.generatedAt !== bundle.generatedAt) issues.push("archive-index-generated-at-mismatch");
333
+ if (parsedIndex.core?.currentVersion !== bundle.core?.currentVersion) {
334
+ issues.push("archive-index-current-version-mismatch");
335
+ }
336
+ if (parsedIndex.core?.previousVersion !== bundle.core?.previousVersion) {
337
+ issues.push("archive-index-previous-version-mismatch");
338
+ }
339
+ if (parsedIndex.retention?.retainUntil !== bundle.retention?.retainUntil) {
340
+ issues.push("archive-index-retention-mismatch");
341
+ }
342
+ if (parsedIndex.retention?.advisory?.status !== retentionExpiryAdvisory(bundle).status) {
343
+ issues.push("archive-index-advisory-mismatch");
344
+ }
345
+ if (parsedIndex.provenance?.sourceTag !== bundle.provenance?.sourceTag) {
346
+ issues.push("archive-index-provenance-mismatch");
347
+ }
348
+ if (JSON.stringify(indexEntryIds) !== JSON.stringify(entryIds)) {
349
+ issues.push("archive-index-entry-mismatch");
350
+ }
351
+ for (const entry of bundle.entries ?? []) {
352
+ const indexed = (parsedIndex.entries ?? []).find((candidate) => candidate.id === entry.id);
353
+ if (!indexed) continue;
354
+ if (indexed.kind !== entry.kind || indexed.sha256 !== entry.sha256) {
355
+ issues.push(`archive-index-entry-metadata-mismatch:${entry.id}`);
356
+ }
357
+ }
358
+ if (parsedIndex.changedState?.changed !== false) {
359
+ issues.push("archive-index-changed-state-detected");
360
+ }
361
+
362
+ return {
363
+ issues: issues.sort(),
364
+ summary: {
365
+ path: index.path,
366
+ format: index.format ?? null,
367
+ entryCount: indexEntryIds.length,
368
+ entryIds: indexEntryIds,
369
+ },
370
+ };
371
+ }
372
+
373
+ function archiveIssues(bundle, bundleRoot, schemas) {
374
+ const issues = [];
375
+ const archive = bundle.archive ?? {};
376
+ const safePath = safeArchivePath(bundleRoot, archive.reportPath);
377
+ if (!safePath.ok) issues.push(safePath.code);
378
+ if (archive.includeRawEvidence !== false) issues.push("archive-raw-evidence-enabled");
379
+ if (archive.includeSecretValues !== false) issues.push("archive-secret-values-enabled");
380
+ if (archive.writePolicy !== "no-write-without-approval") {
381
+ issues.push("archive-write-policy-weakened");
382
+ }
383
+ if (archive.retentionLinked !== true) issues.push("archive-retention-unlinked");
384
+ const index = archive.index ?? {};
385
+ if (index.format !== "sanitized-json-index") issues.push("archive-index-format-invalid");
386
+ if (index.includeRawEvidence !== false) issues.push("archive-index-raw-evidence-enabled");
387
+ if (index.includeSecretValues !== false) issues.push("archive-index-secret-values-enabled");
388
+ if (index.writePolicy !== "no-write-without-approval") {
389
+ issues.push("archive-index-write-policy-weakened");
390
+ }
391
+ if (index.retentionLinked !== true) issues.push("archive-index-retention-unlinked");
392
+ if (!Number.isInteger(archive.maxReportBytes)) {
393
+ issues.push("archive-max-bytes-invalid");
394
+ } else {
395
+ if (archive.maxReportBytes < MIN_ARCHIVE_REPORT_BYTES) {
396
+ issues.push("archive-max-bytes-too-small");
397
+ }
398
+ if (archive.maxReportBytes > MAX_ARCHIVE_REPORT_BYTES) {
399
+ issues.push("archive-max-bytes-too-large");
400
+ }
401
+ }
402
+ const indexResult = archiveIndexIssues(bundle, bundleRoot, schemas.archiveIndex);
403
+ issues.push(...indexResult.issues);
404
+ return { issues: issues.sort(), indexSummary: indexResult.summary };
405
+ }
406
+
407
+ function statusOfEvidence(kind, evidence) {
408
+ if (kind === "evidence-pack") return evidence.status;
409
+ if (kind === "adapter-upgrade-evidence") return evidence.finalStatus;
410
+ return undefined;
411
+ }
412
+
413
+ function schemaForKind(kind, schemas) {
414
+ if (kind === "evidence-pack") return schemas.evidencePack;
415
+ if (kind === "adapter-upgrade-evidence") return schemas.adapterUpgradeEvidence;
416
+ return null;
417
+ }
418
+
419
+ function entryIssues(entry, evidence, schemas, bundle) {
420
+ const issues = [];
421
+ const schema = schemaForKind(entry.kind, schemas);
422
+ if (!schema) {
423
+ issues.push("unsupported-entry-kind");
424
+ return issues;
425
+ }
426
+ issues.push(...validateValue(schema, evidence).map((issue) => `schema:${issue}`));
427
+ if (entry.kind === "evidence-pack") {
428
+ issues.push(...completionIssues(evidence).map((issue) => `completion:${issue}`));
429
+ }
430
+ if (entry.kind === "adapter-upgrade-evidence") {
431
+ if (evidence.validator?.version !== bundle.core?.currentVersion) {
432
+ issues.push("upgrade-evidence-validator-version-mismatch");
433
+ }
434
+ if (evidence.coreVersions?.after !== bundle.core?.currentVersion) {
435
+ issues.push("upgrade-evidence-target-version-mismatch");
436
+ }
437
+ }
438
+ const actualStatus = statusOfEvidence(entry.kind, evidence);
439
+ if (actualStatus !== entry.expectedStatus) issues.push("status-mismatch");
440
+ if (evidence.changedState?.changed === true) issues.push("changed-state-detected");
441
+ return issues;
442
+ }
443
+
444
+ function regressionIssues(bundle, verifiedEntries) {
445
+ const issues = [];
446
+ if (bundle.regression.baselineVersion !== PREVIOUS_PILOT_VERSION) {
447
+ issues.push("baseline-version-mismatch");
448
+ }
449
+ if (bundle.regression.targetVersion !== PILOT_VERSION) {
450
+ issues.push("target-version-mismatch");
451
+ }
452
+ const byId = new Map(verifiedEntries.map((entry) => [entry.id, entry]));
453
+ for (const baseline of bundle.regression.baselineEntries) {
454
+ const current = byId.get(baseline.id);
455
+ if (!current) {
456
+ issues.push(`missing-baseline-entry:${baseline.id}`);
457
+ continue;
458
+ }
459
+ if ((STATUS_RANK.get(current.status) ?? -1) < (STATUS_RANK.get(baseline.status) ?? -1)) {
460
+ issues.push(`status-regression:${baseline.id}`);
461
+ }
462
+ }
463
+ return issues.sort();
464
+ }
465
+
466
+ export function verifyEvidenceBundle(bundleFile, options = {}) {
467
+ const coreRoot = path.resolve(options.coreRoot ?? DEFAULT_CORE_ROOT);
468
+ const bundlePath = path.resolve(bundleFile ?? "");
469
+ if (!bundleFile) {
470
+ return { ok: false, status: "failed", codes: ["missing-bundle-file"] };
471
+ }
472
+ if (!fs.existsSync(bundlePath)) {
473
+ return { ok: false, status: "failed", codes: ["bundle-not-found"] };
474
+ }
475
+ if (fs.lstatSync(bundlePath).isSymbolicLink()) {
476
+ return { ok: false, status: "failed", codes: ["bundle-symlink-escape"] };
477
+ }
478
+
479
+ const bundleRoot = path.dirname(bundlePath);
480
+ const schemas = {
481
+ evidenceBundle: readJson(path.join(coreRoot, "schemas/evidence-bundle.schema.json")),
482
+ evidencePack: readJson(
483
+ path.join(coreRoot, "contracts/evidence-pack/evidence-pack.schema.json"),
484
+ ),
485
+ adapterUpgradeEvidence: readJson(
486
+ path.join(coreRoot, "schemas/adapter-upgrade-evidence.schema.json"),
487
+ ),
488
+ archiveIndex: readJson(path.join(coreRoot, "schemas/archive-index.schema.json")),
489
+ };
490
+ const codes = new Set();
491
+ const failures = [];
492
+ let bundle;
493
+
494
+ try {
495
+ const rawBundle = readText(bundlePath);
496
+ if (detectSensitiveValues(rawBundle).length) codes.add("secret-like-content");
497
+ bundle = JSON.parse(rawBundle);
498
+ } catch {
499
+ return { ok: false, status: "failed", codes: ["bundle-json-invalid"] };
500
+ }
501
+
502
+ for (const issue of validateValue(schemas.evidenceBundle, bundle)) {
503
+ failures.push(`bundle:${issue}`);
504
+ codes.add("bundle-schema-invalid");
505
+ }
506
+ if (bundle.core?.currentVersion !== PILOT_VERSION) codes.add("current-version-mismatch");
507
+ if (bundle.core?.previousVersion !== PREVIOUS_PILOT_VERSION) {
508
+ codes.add("previous-version-mismatch");
509
+ }
510
+ if (bundle.changedState?.changed !== false) codes.add("changed-state-detected");
511
+ const retentionCodes = retentionIssues(bundle);
512
+ const provenanceCodes = provenanceIssues(bundle);
513
+ const retentionAdvisory = retentionExpiryAdvisory(bundle);
514
+ const archiveResult = archiveIssues(bundle, bundleRoot, schemas);
515
+ const archiveCodes = archiveResult.issues;
516
+ const archiveIndexCodes = archiveCodes.filter((code) => code.startsWith("archive-index"));
517
+ for (const code of [...retentionCodes, ...provenanceCodes, ...archiveCodes]) {
518
+ codes.add(code);
519
+ }
520
+
521
+ const verifiedEntries = [];
522
+ const seenIds = new Set();
523
+ for (const entry of bundle.entries ?? []) {
524
+ if (seenIds.has(entry.id)) codes.add("duplicate-entry-id");
525
+ seenIds.add(entry.id);
526
+
527
+ const safePath = safeEntryPath(bundleRoot, entry.path);
528
+ if (!safePath.ok) {
529
+ codes.add(safePath.code);
530
+ verifiedEntries.push({
531
+ id: entry.id,
532
+ kind: entry.kind,
533
+ status: "fail",
534
+ hash: null,
535
+ codes: [safePath.code],
536
+ });
537
+ continue;
538
+ }
539
+
540
+ const rawEntry = readText(safePath.path);
541
+ const actualHash = sha256(rawEntry);
542
+ const entryCodes = [];
543
+ if (actualHash !== entry.sha256) entryCodes.push("hash-mismatch");
544
+ if (detectSensitiveValues(rawEntry).length) entryCodes.push("secret-like-content");
545
+ let evidence;
546
+ try {
547
+ evidence = JSON.parse(rawEntry);
548
+ } catch {
549
+ entryCodes.push("entry-json-invalid");
550
+ evidence = {};
551
+ }
552
+ entryCodes.push(...entryIssues(entry, evidence, schemas, bundle));
553
+ for (const code of entryCodes) codes.add(code.split(":")[0]);
554
+ verifiedEntries.push({
555
+ id: entry.id,
556
+ kind: entry.kind,
557
+ status: statusOfEvidence(entry.kind, evidence) ?? "fail",
558
+ hash: actualHash,
559
+ codes: [...new Set(entryCodes)].sort(),
560
+ });
561
+ }
562
+
563
+ const regressionCodes = regressionIssues(bundle, verifiedEntries);
564
+ for (const code of regressionCodes) codes.add(code.split(":")[0]);
565
+
566
+ const stableReport = {
567
+ bundleId: bundle.bundleId ?? null,
568
+ core: {
569
+ currentVersion: bundle.core?.currentVersion ?? null,
570
+ previousVersion: bundle.core?.previousVersion ?? null,
571
+ },
572
+ retention: {
573
+ classification: bundle.retention?.classification ?? null,
574
+ minimumDays: bundle.retention?.minimumDays ?? null,
575
+ retainUntil: bundle.retention?.retainUntil ?? null,
576
+ disposition: bundle.retention?.disposition ?? null,
577
+ storage: bundle.retention?.storage ?? null,
578
+ expiryAdvisory: retentionAdvisory,
579
+ codes: retentionCodes,
580
+ },
581
+ provenance: {
582
+ source: bundle.provenance?.source ?? null,
583
+ producer: bundle.provenance?.producer ?? null,
584
+ sourceCommit: bundle.provenance?.sourceCommit ?? null,
585
+ sourceTag: bundle.provenance?.sourceTag ?? null,
586
+ signature: {
587
+ mode: bundle.provenance?.signature?.mode ?? null,
588
+ status: bundle.provenance?.signature?.status ?? null,
589
+ identityRef: bundle.provenance?.signature?.identityRef ?? null,
590
+ canonicalization: bundle.provenance?.signature?.canonicalization ?? null,
591
+ digestAlgorithm: bundle.provenance?.signature?.digestAlgorithm ?? null,
592
+ verificationPlan: bundle.provenance?.signature?.verificationPlan ?? null,
593
+ },
594
+ codes: provenanceCodes,
595
+ },
596
+ archive: {
597
+ format: bundle.archive?.format ?? null,
598
+ reportPath: bundle.archive?.reportPath ?? null,
599
+ writePolicy: bundle.archive?.writePolicy ?? null,
600
+ maxReportBytes: bundle.archive?.maxReportBytes ?? null,
601
+ index: {
602
+ status: archiveResult.indexSummary && archiveIndexCodes.length === 0 ? "present" : "failed",
603
+ path: archiveResult.indexSummary?.path ?? bundle.archive?.index?.path ?? null,
604
+ format: archiveResult.indexSummary?.format ?? bundle.archive?.index?.format ?? null,
605
+ entryCount: archiveResult.indexSummary?.entryCount ?? 0,
606
+ entryIds: archiveResult.indexSummary?.entryIds ?? [],
607
+ codes: archiveIndexCodes,
608
+ },
609
+ codes: archiveCodes,
610
+ },
611
+ entries: verifiedEntries,
612
+ regression: {
613
+ baselineVersion: bundle.regression?.baselineVersion ?? null,
614
+ targetVersion: bundle.regression?.targetVersion ?? null,
615
+ codes: regressionCodes,
616
+ },
617
+ };
618
+ const firstHash = reportHash(stableReport);
619
+ const secondHash = reportHash(stableReport);
620
+ if (firstHash !== secondHash) codes.add("replay-nondeterministic");
621
+
622
+ const report = {
623
+ ok: codes.size === 0,
624
+ status: codes.size === 0 ? "complete" : "failed",
625
+ bundleId: bundle.bundleId ?? null,
626
+ core: stableReport.core,
627
+ entryCount: verifiedEntries.length,
628
+ verifiedEntries,
629
+ replay: {
630
+ deterministic: firstHash === secondHash,
631
+ reportHash: firstHash,
632
+ },
633
+ regression: {
634
+ baselineVersion: bundle.regression?.baselineVersion ?? null,
635
+ targetVersion: bundle.regression?.targetVersion ?? null,
636
+ codes: regressionCodes,
637
+ },
638
+ retention: stableReport.retention,
639
+ provenance: stableReport.provenance,
640
+ archive: stableReport.archive,
641
+ codes: [...codes].sort(),
642
+ failures,
643
+ changedState: {
644
+ changed: false,
645
+ summary: "Evidence bundle verification did not modify project, runtime, service, database, or remote state.",
646
+ },
647
+ };
648
+ return report;
649
+ }
650
+
651
+ export function buildEvidenceArchiveReport(bundleFile, options = {}) {
652
+ const coreRoot = path.resolve(options.coreRoot ?? DEFAULT_CORE_ROOT);
653
+ const verification = verifyEvidenceBundle(bundleFile, options);
654
+ const schemas = {
655
+ archiveReport: readJson(path.join(coreRoot, "schemas/archive-report.schema.json")),
656
+ };
657
+ const report = {
658
+ reportVersion: "1.1.0",
659
+ bundleId: verification.bundleId ?? "unknown-bundle",
660
+ core: verification.core ?? {
661
+ currentVersion: null,
662
+ previousVersion: null,
663
+ },
664
+ verification: {
665
+ status: verification.status,
666
+ entryCount: verification.entryCount ?? 0,
667
+ entryIds: (verification.verifiedEntries ?? []).map((entry) => entry.id).sort(),
668
+ codes: verification.codes ?? [],
669
+ replayHash: verification.replay?.reportHash ?? "0".repeat(64),
670
+ regression: verification.regression ?? {
671
+ baselineVersion: null,
672
+ targetVersion: null,
673
+ codes: [],
674
+ },
675
+ },
676
+ retention: {
677
+ classification: verification.retention?.classification ?? "synthetic-test-evidence",
678
+ minimumDays: verification.retention?.minimumDays ?? 0,
679
+ retainUntil: verification.retention?.retainUntil ?? "1970-01-01T00:00:00Z",
680
+ disposition: verification.retention?.disposition ?? "retain-then-review",
681
+ storage: verification.retention?.storage ?? "repository-fixture",
682
+ expiryAdvisory: verification.retention?.expiryAdvisory ?? {
683
+ status: "unknown",
684
+ daysUntilExpiry: 0,
685
+ reviewThresholdDays: 0,
686
+ advisoryOnly: true,
687
+ deleteAutomatically: false,
688
+ recommendedAction: "manual-review-only",
689
+ },
690
+ },
691
+ provenance: {
692
+ source: verification.provenance?.source ?? "synthetic-fixture",
693
+ producer: verification.provenance?.producer ?? "unknown-producer",
694
+ sourceCommit: verification.provenance?.sourceCommit ?? "0".repeat(40),
695
+ sourceTag: verification.provenance?.sourceTag ?? "v0.0.0",
696
+ signature: verification.provenance?.signature ?? {
697
+ mode: "detached-signature-design",
698
+ status: "unsigned-fixture",
699
+ identityRef: "unknown-identity",
700
+ canonicalization: "canonical-json-v1",
701
+ digestAlgorithm: "sha256",
702
+ verificationPlan: {
703
+ mode: "detached-signature-verification-plan",
704
+ status: "fixture-unsigned-not-required",
705
+ requiredArtifacts: SIGNATURE_REQUIRED_ARTIFACTS,
706
+ validatesSignatureNow: false,
707
+ failClosedWithoutValidSignature: true,
708
+ },
709
+ },
710
+ },
711
+ archive: {
712
+ format: verification.archive?.format ?? "sanitized-json-summary",
713
+ reportPath: verification.archive?.reportPath ?? "archive/evidence-archive-report.json",
714
+ writePolicy: verification.archive?.writePolicy ?? "no-write-without-approval",
715
+ maxReportBytes: verification.archive?.maxReportBytes ?? MAX_ARCHIVE_REPORT_BYTES,
716
+ index: verification.archive?.index ?? {
717
+ status: "missing",
718
+ path: "archive/evidence-archive-index.json",
719
+ format: "sanitized-json-index",
720
+ entryCount: 0,
721
+ entryIds: [],
722
+ codes: ["archive-index-missing"],
723
+ },
724
+ },
725
+ changedState: {
726
+ changed: false,
727
+ summary:
728
+ "Evidence archive report rendering did not write files or mutate project, runtime, service, database, or remote state.",
729
+ },
730
+ recommendedNextAction:
731
+ "Store the sanitized report only after explicit approval and keep raw evidence out of archive summaries.",
732
+ };
733
+ const reportText = JSON.stringify(canonical(report), null, 2);
734
+ const schemaErrors = validateValue(schemas.archiveReport, report);
735
+ const codes = new Set(verification.codes ?? []);
736
+ if (schemaErrors.length) codes.add("archive-report-schema-invalid");
737
+ if (detectSensitiveValues(reportText).length) codes.add("archive-report-secret-like-content");
738
+ if (Buffer.byteLength(reportText, "utf8") > report.archive.maxReportBytes) {
739
+ codes.add("archive-report-too-large");
740
+ }
741
+ const firstHash = reportHash(report);
742
+ const secondHash = reportHash(report);
743
+ if (firstHash !== secondHash) codes.add("archive-report-nondeterministic");
744
+
745
+ return {
746
+ ok: verification.ok && codes.size === 0,
747
+ status: verification.ok && codes.size === 0 ? "complete" : "failed",
748
+ report,
749
+ reportHash: firstHash,
750
+ deterministic: firstHash === secondHash,
751
+ codes: [...codes].sort(),
752
+ schemaErrors,
753
+ changedState: report.changedState,
754
+ };
755
+ }
756
+
757
+ export function formatEvidenceBundleSummary(result) {
758
+ if (result.ok) {
759
+ return [
760
+ `evidence bundle verified: ${result.entryCount} entries, deterministic replay accepted`,
761
+ `regression baseline ${result.regression.baselineVersion} -> ${result.regression.targetVersion}`,
762
+ ];
763
+ }
764
+ return [
765
+ `evidence bundle failed: ${result.entryCount ?? 0} entries checked`,
766
+ `rejection codes: ${(result.codes ?? []).join(",")}`,
767
+ ];
768
+ }
769
+
770
+ export function evidenceBundleCliResult(bundleFile, options = {}) {
771
+ if (!bundleFile) {
772
+ return {
773
+ exitCode: 2,
774
+ stream: "stderr",
775
+ lines: ["usage: node scripts/verify-evidence-bundle.mjs <bundle-file> [--json]"],
776
+ };
777
+ }
778
+ const result = verifyEvidenceBundle(bundleFile, options);
779
+ if (options.json) {
780
+ return {
781
+ exitCode: result.ok ? 0 : 1,
782
+ stream: "stdout",
783
+ lines: [JSON.stringify(result, null, 2)],
784
+ result,
785
+ };
786
+ }
787
+ return {
788
+ exitCode: result.ok ? 0 : 1,
789
+ stream: result.ok ? "stdout" : "stderr",
790
+ lines: formatEvidenceBundleSummary(result),
791
+ result,
792
+ };
793
+ }
794
+
795
+ export function formatEvidenceArchiveSummary(result) {
796
+ if (result.ok) {
797
+ return [
798
+ `evidence archive report rendered: ${result.report.verification.entryCount} entries, sanitized summary accepted`,
799
+ `archive report hash ${result.reportHash}`,
800
+ ];
801
+ }
802
+ return [
803
+ "evidence archive report failed safely",
804
+ `rejection codes: ${(result.codes ?? []).join(",")}`,
805
+ ];
806
+ }
807
+
808
+ export function evidenceArchiveCliResult(bundleFile, options = {}) {
809
+ if (!bundleFile) {
810
+ return {
811
+ exitCode: 2,
812
+ stream: "stderr",
813
+ lines: ["usage: node scripts/render-evidence-archive-report.mjs <bundle-file> [--json]"],
814
+ };
815
+ }
816
+ const result = buildEvidenceArchiveReport(bundleFile, options);
817
+ if (options.json) {
818
+ return {
819
+ exitCode: result.ok ? 0 : 1,
820
+ stream: "stdout",
821
+ lines: [JSON.stringify(result.report, null, 2)],
822
+ result,
823
+ };
824
+ }
825
+ return {
826
+ exitCode: result.ok ? 0 : 1,
827
+ stream: result.ok ? "stdout" : "stderr",
828
+ lines: formatEvidenceArchiveSummary(result),
829
+ result,
830
+ };
831
+ }
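Review bot: The symlink guard in `safeRelativePath` covers only the final path component: `inside(bundleRoot, resolved)` is a lexical comparison and `fs.lstatSync(resolved)` still follows symlinked parent directories, so a path whose parent directory is a link leaving the bundle (constructed example: `sub/evidence.json` with `sub` linked elsewhere) passes and is then read by `readText(safePath.path)` in `verifyEvidenceBundle`. After the `lstatSync` checks I would resolve both sides and re-test containment, `const real = fs.realpathSync(resolved);` then `if (!inside(fs.realpathSync(bundleRoot), real)) return { ok: false, code: symlinkCode };`, and return `real` as `path`. The `requireExists: false` branch used by `safeArchivePath` also returns `ok: true` for a dangling symlink, because `fs.existsSync` follows the link before `lstatSync` is reached; calling `lstatSync` first and treating ENOENT as "missing" would close that. The `bundle-symlink-escape` check on `bundlePath` has the same final-component limitation. A gap between check and read remains either way, so if this verifier is meant to run on untrusted bundles, opening the file once and validating the opened handle would be the stronger form.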