create-claude-cabinet 0.27.4 → 0.29.0

package/README.md

@@ -90,6 +90,16 @@ few sessions, or before a release) to get a full review from every
 relevant member. You don't need to audit every session. The cabinet
 waits until called.
 
+Each member is also a registered **agent type** — invoke any member
+directly with `@cabinet-security`, `@cabinet-architecture`, etc.
+
+When the Workflow tool is available, `/audit` runs a **deliberative
+workflow**: Stage-1 members investigate, then Stage-2 critics
+(anti-confirmation, QA, architecture) annotate findings — challenging
+assumptions, adding context, or confirming. Findings arrive to triage
+with the debate already attached. Optional `--rebuttal` mode lets
+challenged members respond before triage.
+
 Members are organized into **committees** — groups by concern, so you
 can convene just the experts you need. Security review? Convene the
 security committee. Performance concerns? Just the speed committee.
@@ -114,6 +124,19 @@ Local SQLite database for actions, projects, and status tracking. Claude
 reads and writes it directly — no external service needed. Skip this if
 you already use GitHub Issues, Linear, or something else.
 
+### Memory (included in lean)
+
+Claude Code has built-in file memory, but no guardrails around it.
+The memory module adds structure:
+
+- **`/cc-remember`** — write a new memory with automatic indexing.
+  Every memory gets its own file and an entry in `MEMORY.md` so
+  `/orient` can find it next session.
+- **`/memory`** — browse and search what Claude remembers.
+- **Validation** — `validate-memory.mjs` checks that the index stays
+  within Claude Code's session-start budget and that every file is
+  indexed. A PostToolUse hook flags unindexed writes in real time.
+
 ### Compliance Stack (full install)
 
 Scoped instructions in `.claude/rules/` that load by file path. An
@@ -222,6 +245,8 @@ source code.
 │                    #   (incl. pib-db-access.md, pib-db-triggers.md)
 ├── briefing/        # project briefing templates
 ├── hooks/           # git guardrails, telemetry
+├── agents/          # generated agent-type wrappers (enables @cabinet-*)
+├── workflows/       # deliberative-audit.js (two-stage audit workflow)
 ├── rules/           # enforcement pipeline
 ├── memory/          # pattern templates
 └── settings.json    # hook configuration

package/lib/cli.js

@@ -8,6 +8,7 @@ const { mergeSettings, healUserSettings } = require('./settings-merge');
 const { create: createMetadata, read: readMetadata } = require('./metadata');
 const { setupDb } = require('./db-setup');
 const { setupVerifyRuntime } = require('./verify-setup');
+const { setupSiteAuditRuntime } = require('./site-audit-setup');
 const { reset } = require('./reset');
 
 const VERSION = require('../package.json').version;
@@ -343,6 +344,97 @@ function generateSkillIndex(projectDir) {
   return entries.length;
 }
 
+/**
+ * Generate .claude/agents/cabinet-*.md wrapper definitions from installed
+ * cabinet SKILL.md files. Each wrapper is frontmatter-only and uses the
+ * `skills:` field to preload the skill body into the agent's context — the
+ * skill stays the single source of truth, so no prose is duplicated.
+ *
+ * The wrappers give each cabinet member a registered subagent identity:
+ * the transcript shows `subagent_type: cabinet-security` (trustworthy, not
+ * spoofable) instead of `general-purpose`, and `@cabinet-security` resolves
+ * as an agent type. This runs unconditionally — the identity layer benefits
+ * plan/execute/orient cabinet consultations, not just audits.
+ *
+ * Tool grants: cabinet `tools:` frontmatter is human-readable documentation
+ * (e.g., "fetch_docs (all projects -- ...)"), NOT a machine-parseable
+ * allowlist. So we grant a safe read-only base and ADD web tools only when
+ * the skill signals it needs them — never strip a capability the skill assumes.
+ *
+ * Reconciles the directory: wrappers whose cabinet skill no longer exists are
+ * deleted, so removing a member upstream doesn't leave a zombie wrapper.
+ */
+function generateAgentWrappers(projectDir) {
+  const skillsDir = path.join(projectDir, '.claude', 'skills');
+  if (!fs.existsSync(skillsDir)) return 0;
+
+  const agentsDir = path.join(projectDir, '.claude', 'agents');
+
+  // Discover cabinet members from installed skills.
+  const wanted = new Map(); // name -> wrapper content
+  const dirs = fs.readdirSync(skillsDir, { withFileTypes: true });
+  for (const dir of dirs) {
+    if (!dir.isDirectory() || !dir.name.startsWith('cabinet-')) continue;
+    const skillFile = path.join(skillsDir, dir.name, 'SKILL.md');
+    if (!fs.existsSync(skillFile)) continue;
+
+    const content = fs.readFileSync(skillFile, 'utf8');
+    const fm = parseFrontmatter(content);
+    if (!fm || !fm.name) continue;
+
+    const description = (fm.description || '').replace(/\s+/g, ' ').trim();
+    // YAML-safe single-line double-quoted scalar.
+    const descYaml = '"' + description.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
+
+    // Base read-only investigation tools every cabinet member gets.
+    const tools = ['Read', 'Grep', 'Glob', 'Bash'];
+    // Cabinet tools: frontmatter is descriptive text, not an allowlist —
+    // scan it for real web-tool signals and add them.
+    const toolSignal = (typeof fm.tools === 'string' ? fm.tools : '').toLowerCase();
+    if (/websearch/.test(toolSignal)) tools.push('WebSearch');
+    if (/webfetch|fetch_docs/.test(toolSignal)) tools.push('WebFetch');
+
+    // model: none of the cabinet skills declare one today; default to sonnet,
+    // but honor an explicit declaration if a member ever sets one.
+    const model = (typeof fm.model === 'string' && fm.model.trim()) || 'sonnet';
+
+    const wrapper =
+      `---\n` +
+      `name: ${fm.name}\n` +
+      `description: ${descYaml}\n` +
+      `tools: ${[...new Set(tools)].join(', ')}\n` +
+      `model: ${model}\n` +
+      `skills: [${fm.name}]\n` +
+      `---\n`;
+
+    wanted.set(fm.name, wrapper);
+  }
+
+  if (wanted.size === 0) {
+    // No cabinet members installed — reconcile away any stale wrappers below,
+    // but only if the agents dir exists.
+    if (!fs.existsSync(agentsDir)) return 0;
+  }
+
+  fs.mkdirSync(agentsDir, { recursive: true });
+
+  // Write current wrappers.
+  for (const [name, wrapper] of wanted) {
+    fs.writeFileSync(path.join(agentsDir, `${name}.md`), wrapper);
+  }
+
+  // Reconcile: remove cabinet-*.md wrappers with no matching skill (zombies).
+  for (const file of fs.readdirSync(agentsDir)) {
+    if (!file.startsWith('cabinet-') || !file.endsWith('.md')) continue;
+    const name = file.slice(0, -3);
+    if (!wanted.has(name)) {
+      fs.unlinkSync(path.join(agentsDir, file));
+    }
+  }
+
+  return wanted.size;
+}
+
 // MODULES is the manifest: every template path here is copied into a
 // consumer's project on install. A skill/hook/script that exists under
 // templates/ but is NOT listed in any module never ships — that is the
@@ -454,6 +546,7 @@ const MODULES = {
       'scripts/triage-server.mjs', 'scripts/triage-ui.html',
       'scripts/finding-schema.json', 'scripts/resolve-committees.cjs',
       'scripts/review-server.mjs', 'scripts/review-ui.html',
+      'workflows/deliberative-audit.js', 'cabinet/critique-contract.md',
     ],
   },
   'lifecycle': {
@@ -487,6 +580,18 @@ const MODULES = {
     ],
     postInstall: 'verify-setup',
   },
+  'site-audit': {
+    name: 'Site Audit (deployed-site quality)',
+    description: '15-check audit for deployed websites: performance, accessibility (3 engines), security, SEO, DNS, privacy, sustainability. Standalone HTML report + comparison mode.',
+    mandatory: false,
+    default: false,
+    lean: false,
+    templates: [
+      'skills/cc-site-audit',
+      'site-audit-runtime',
+    ],
+    postInstall: 'site-audit-setup',
+  },
 };
 
 /** Recursively collect all relative file paths under a directory. */
@@ -1115,21 +1220,26 @@ async function run() {
 
   // --- Run module postInstall hooks ---
   // Modules with a `postInstall` field dispatch to a matching setup
-  // function after templates are copied. Currently only 'verify-setup'
-  // (the cabinet-verify tarball builder) is wired.
+  // function. Table-driven: add new runtime installers here.
+  const POST_INSTALL_HANDLERS = {
+    'verify-setup': setupVerifyRuntime,
+    'site-audit-setup': setupSiteAuditRuntime,
+  };
   for (const moduleKey of selectedModules) {
     const mod = MODULES[moduleKey];
     if (!mod.postInstall) continue;
-    if (mod.postInstall === 'verify-setup') {
-      try {
-        console.log('');
-        const verifyResult = setupVerifyRuntime({ dryRun: !!flags.dryRun });
-        for (const r of verifyResult.results || []) console.log(`  📋 ${r}`);
-      } catch (err) {
-        console.log(`  ⚠ cabinet-verify runtime setup failed: ${err.message}`);
-        console.log('    /verify install.sh will fail until the runtime is installed.');
-        console.log('    Re-run the installer to retry.');
-      }
+    const handler = POST_INSTALL_HANDLERS[mod.postInstall];
+    if (!handler) {
+      console.log(`  ⚠ Unknown postInstall handler: ${mod.postInstall}`);
+      continue;
+    }
+    try {
+      console.log('');
+      const result = handler({ dryRun: !!flags.dryRun });
+      for (const r of result.results || []) console.log(`  📋 ${r}`);
+    } catch (err) {
+      console.log(`  ⚠ ${mod.postInstall} failed: ${err.message}`);
+      console.log('    Re-run the installer to retry.');
     }
   }
 
@@ -1290,6 +1400,17 @@ async function run() {
     }
   }
 
+  // --- Generate cabinet agent-type wrappers ---
+  // Unconditional (not audit-gated): the registered subagent identity benefits
+  // plan/execute/orient cabinet consultations, not just /audit. No-op when no
+  // cabinet members are installed.
+  if (!flags.dryRun) {
+    const wrapperCount = generateAgentWrappers(projectDir);
+    if (wrapperCount > 0) {
+      console.log(`  🪪 Generated ${wrapperCount} cabinet agent wrappers in .claude/agents/`);
+    }
+  }
+
   // --- Write metadata ---
   if (!flags.dryRun) {
     createMetadata(projectDir, {
@@ -1353,4 +1474,4 @@ async function run() {
   console.log('');
 }
 
-module.exports = { run, MODULES };
+module.exports = { run, MODULES, generateAgentWrappers };

package/lib/site-audit-setup.js

@@ -0,0 +1,84 @@
+/**
+ * site-audit-setup.js — install the @claude-cabinet/site-audit runtime
+ * to ~/.claude-cabinet/site-audit/<version>/.
+ *
+ * Mirrors verify-setup.js: npm-pack the source, install to a versioned
+ * dir, write a current/VERSION pointer. Idempotent.
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CC_HOME = path.join(os.homedir(), '.claude-cabinet');
+const SITE_AUDIT_BASE = path.join(CC_HOME, 'site-audit');
+
+function setupSiteAuditRuntime(opts = {}) {
+  const dryRun = !!opts.dryRun;
+  const runtimeSourceDir =
+    opts.runtimeSourceDir || path.resolve(__dirname, '..', 'templates', 'site-audit-runtime');
+
+  const packageJsonPath = path.join(runtimeSourceDir, 'package.json');
+  if (!fs.existsSync(packageJsonPath)) {
+    throw new Error(`site-audit-setup: ${packageJsonPath} not found.`);
+  }
+  const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+  const version = pkg.version;
+  if (typeof version !== 'string' || version.length === 0) {
+    throw new Error(`site-audit-setup: ${packageJsonPath} has no version field`);
+  }
+
+  const installDir = path.join(SITE_AUDIT_BASE, version, 'dist');
+  const tarballName = `claude-cabinet-site-audit-${version}.tgz`;
+  const tarballPath = path.join(installDir, tarballName);
+  const versionPointer = path.join(SITE_AUDIT_BASE, 'current', 'VERSION');
+  const results = [];
+
+  if (dryRun) {
+    results.push(`Would install @claude-cabinet/site-audit@${version}`);
+    results.push(`  source:  ${runtimeSourceDir}`);
+    results.push(`  target:  ${tarballPath}`);
+    results.push(`  pointer: ${versionPointer}`);
+    return { installPath: installDir, version, status: 'dry-run', results };
+  }
+
+  if (fs.existsSync(tarballPath) && fs.statSync(tarballPath).size > 1024) {
+    results.push(`@claude-cabinet/site-audit@${version} already installed (${tarballPath})`);
+    writeVersionPointer(versionPointer, version);
+    return { installPath: installDir, version, status: 'skipped', results };
+  }
+
+  if (fs.existsSync(tarballPath)) fs.unlinkSync(tarballPath);
+
+  fs.mkdirSync(installDir, { recursive: true });
+  const packStdout = execSync(`npm pack --silent --pack-destination "${installDir}"`, {
+    cwd: runtimeSourceDir,
+    encoding: 'utf8',
+  }).trim();
+
+  const lastLine = packStdout.split('\n').filter(Boolean).pop() || '';
+  const producedName = path.basename(lastLine);
+  if (producedName && producedName !== tarballName) {
+    const producedPath = path.join(installDir, producedName);
+    if (fs.existsSync(producedPath)) {
+      fs.renameSync(producedPath, tarballPath);
+    }
+  }
+
+  if (!fs.existsSync(tarballPath)) {
+    throw new Error(`site-audit-setup: tarball not found after npm pack: ${tarballPath}`);
+  }
+
+  writeVersionPointer(versionPointer, version);
+  results.push(`Installed @claude-cabinet/site-audit@${version}`);
+  results.push(`  ${tarballPath}`);
+  return { installPath: installDir, version, status: 'installed', results };
+}
+
+function writeVersionPointer(pointerPath, version) {
+  fs.mkdirSync(path.dirname(pointerPath), { recursive: true });
+  fs.writeFileSync(pointerPath, version + '\n', 'utf8');
+}
+
+module.exports = { setupSiteAuditRuntime };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-cabinet",
-  "version": "0.27.4",
+  "version": "0.29.0",
   "description": "Claude Cabinet — opinionated process scaffolding for Claude Code projects",
   "bin": {
     "create-claude-cabinet": "bin/create-claude-cabinet.js"

package/templates/cabinet/critique-contract.md

@@ -0,0 +1,63 @@
+# Critique Contract — Stage-2 Audit Output
+
+This contract defines how **Stage-2 critics** annotate Stage-1 findings
+during a deliberative audit. Stage-1 members produce findings (see
+`output-contract.md`). Stage-2 members review those findings through
+their domain lens and produce annotations.
+
+## Input
+
+You receive a JSON array of findings from Stage-1 members. Each finding
+has the fields defined in `output-contract.md`: id, cabinet-member,
+severity, title, description, evidence, etc.
+
+## Your Task
+
+Review each finding through your domain lens. For findings that touch
+your expertise, produce an annotation. For findings outside your domain,
+stay silent — silence means "no objection from my perspective."
+
+Default to no annotation. Only speak when you have something to add:
+a factual correction, a challenge to an assumption, supporting evidence,
+or additional context that changes how the finding should be interpreted.
+
+## Annotation Types
+
+| Type | When to use | Example |
+|------|------------|---------|
+| `challenge` | You disagree with the finding's conclusion or severity | "This input is already escaped by the ORM — the vulnerability described doesn't exist in the current implementation" |
+| `support` | You have independent evidence confirming the finding | "The audit log also replicates to analytics DB — blast radius is wider than stated" |
+| `context` | Additional information that changes interpretation | "This coupling is intentional — it's the auth boundary described in the architecture doc" |
+| `correction` | A factual error in the finding | "The file path referenced was renamed in commit abc123 — the actual location is..." |
+
+## Output Format
+
+Return a JSON object matching this schema:
+
+```json
+{
+  "annotations": [
+    {
+      "findingId": "security-0001",
+      "type": "challenge",
+      "text": "Your annotation here",
+      "severitySuggestion": "info"
+    }
+  ]
+}
+```
+
+Fields:
+- **findingId** (required): the `id` of the Stage-1 finding you're annotating
+- **type** (required): one of `challenge`, `support`, `context`, `correction`
+- **text** (required): your annotation — be specific and cite evidence
+- **severitySuggestion** (optional): if you think the severity should change,
+  suggest the new level. Omit if the current severity is appropriate.
+
+## Scope Rules
+
+- Annotate only findings that intersect your domain expertise.
+- You may annotate findings from any Stage-1 member, not just your own domain.
+- Do not produce new findings — that's Stage 1's job.
+- Do not repeat or rephrase a finding. Add to it or challenge it.
+- If two findings contradict each other, annotate both to surface the tension.

package/templates/cabinet/output-contract.md

@@ -146,3 +146,22 @@ Return valid JSON matching `scripts/finding-schema.json`.
 
 Your response must be ONLY the JSON object — no markdown fences, no
 commentary outside the JSON.
+
+## Deliberation Fields (Two-Stage Audit)
+
+When the audit runs in two-stage deliberative mode, findings may acquire
+additional fields after initial creation:
+
+- `status` — Set during deliberation. Values: `upheld` (no challenges),
+  `challenged` (critic disagreed), `modified` (author accepted critique),
+  `withdrawn` (author conceded), `rebutted` (author defended).
+- `annotations[]` — Array of Stage-2 critic annotations. Each has
+  `cabinet-member`, `type` (challenge/support/context/correction),
+  `text`, and optional `severity-suggestion`.
+- `rebuttal` — The original author's response to challenges. Has
+  `response` (withdraw/modify/defend) and `comment`.
+
+**Stage-1 members:** Emit findings as normal using the schema above.
+These deliberation fields are added later by the workflow.
+
+**Stage-2 members:** Use `critique-contract.md` instead of this file.

package/templates/scripts/finding-schema.json

@@ -75,6 +75,55 @@
             "type": "array",
             "items": { "type": "string" },
             "description": "Categorization tags for filtering"
+          },
+          "status": {
+            "type": "string",
+            "enum": ["upheld", "challenged", "modified", "withdrawn", "rebutted"],
+            "description": "Set during Stage 2/3 deliberation. Absent for single-stage audits."
+          },
+          "annotations": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "required": ["cabinet-member", "type", "text"],
+              "properties": {
+                "cabinet-member": {
+                  "type": "string",
+                  "description": "Stage-2 critic who made this annotation"
+                },
+                "type": {
+                  "type": "string",
+                  "enum": ["challenge", "support", "context", "correction"],
+                  "description": "challenge = disagrees, support = confirms, context = adds info, correction = factual fix"
+                },
+                "text": {
+                  "type": "string",
+                  "description": "The annotation content"
+                },
+                "severity-suggestion": {
+                  "type": "string",
+                  "enum": ["critical", "warn", "info", "idea"],
+                  "description": "Critic's suggested severity change, if any"
+                }
+              }
+            },
+            "description": "Stage-2 critic annotations from deliberative audit. Absent for single-stage audits."
+          },
+          "rebuttal": {
+            "type": "object",
+            "properties": {
+              "response": {
+                "type": "string",
+                "enum": ["withdraw", "modify", "defend"],
+                "description": "Stage-1 member's response to challenges"
+              },
+              "comment": {
+                "type": "string",
+                "description": "Explanation of the response"
+              }
+            },
+            "required": ["response", "comment"],
+            "description": "Stage-1 member's response to Stage-2 challenges (opt-in rebuttal mode). Absent when no rebuttal requested or finding was not challenged."
           }
         }
       }

package/templates/scripts/merge-findings.js

@@ -90,23 +90,32 @@ for (const file of files) {
 const timestamp = new Date().toISOString();
 const runId = `run-${basename(runDir)}`;
 
-const summary = {
-  findings: allFindings,
-  meta: {
-    runId,
-    timestamp,
-    trigger: 'manual',
-    members: Object.keys(memberCounts),
-    counts: {
-      total: allFindings.length,
-      findings: allFindings.length - positiveCount,
-      positive: positiveCount,
-      ...severityCounts,
-    },
-    byMember: memberCounts,
+const meta = {
+  runId,
+  timestamp,
+  trigger: 'manual',
+  members: Object.keys(memberCounts),
+  counts: {
+    total: allFindings.length,
+    findings: allFindings.length - positiveCount,
+    positive: positiveCount,
+    ...severityCounts,
   },
+  byMember: memberCounts,
 };
 
+if (allFindings.some(f => f.annotations && f.annotations.length > 0)) {
+  meta.deliberation = {
+    annotatedCount: allFindings.filter(f => f.annotations && f.annotations.length > 0).length,
+    challengedCount: allFindings.filter(f => f.status === 'challenged' || f.status === 'rebutted').length,
+    upheldCount: allFindings.filter(f => f.status === 'upheld').length,
+    withdrawnCount: allFindings.filter(f => f.status === 'withdrawn').length,
+    modifiedCount: allFindings.filter(f => f.status === 'modified').length,
+  };
+}
+
+const summary = { findings: allFindings, meta };
+
 const summaryPath = join(runDir, 'run-summary.json');
 writeFileSync(summaryPath, JSON.stringify(summary, null, 2));
 console.log(`\nMerged ${allFindings.length} findings → ${summaryPath}`);

package/templates/scripts/pib-db-lib.mjs

@@ -285,21 +285,44 @@ export function ingestFindings(db, { runDir }) {
     VALUES (?, ?, ?, ?, ?)
   `).run(runId, dateStr, timestamp, data.meta?.trigger || 'manual', data.findings?.length || 0);
 
-  const insert = db.prepare(`
-    INSERT OR REPLACE INTO audit_findings
-      (id, run_id, cabinet_member, severity, title, description, assumption,
-       evidence, question, file, line, suggested_fix, auto_fixable, type)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `);
+  // Try the full INSERT with deliberation columns first; fall back to the
+  // legacy shape for existing databases that haven't added them yet.
+  let insert;
+  let hasDeliberationCols = true;
+  try {
+    insert = db.prepare(`
+      INSERT OR REPLACE INTO audit_findings
+        (id, run_id, cabinet_member, severity, title, description, assumption,
+         evidence, question, file, line, suggested_fix, auto_fixable, type,
+         status, annotations, rebuttal)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+  } catch {
+    hasDeliberationCols = false;
+    insert = db.prepare(`
+      INSERT OR REPLACE INTO audit_findings
+        (id, run_id, cabinet_member, severity, title, description, assumption,
+         evidence, question, file, line, suggested_fix, auto_fixable, type)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+  }
 
   let count = 0;
   for (const f of (data.findings || [])) {
-    insert.run(
+    const base = [
       f.id, runId, f['cabinet-member'], f.severity, f.title,
       f.description || null, f.assumption || null, f.evidence || null,
       f.question || null, f.file || null, f.line || null,
       f.suggestedFix || null, f.autoFixable ? 1 : 0, f.type || 'finding'
-    );
+    ];
+    if (hasDeliberationCols) {
+      base.push(
+        f.status || null,
+        f.annotations ? JSON.stringify(f.annotations) : null,
+        f.rebuttal ? JSON.stringify(f.rebuttal) : null
+      );
+    }
+    insert.run(...base);
     count++;
   }
   return { count, runId, message: `Ingested ${count} findings from ${runDir} (run: ${runId})` };

package/templates/scripts/pib-db-schema.sql

@@ -66,7 +66,11 @@ CREATE TABLE IF NOT EXISTS audit_findings (
                         CHECK(triage_status IN ('open','approved','rejected','deferred','fixed','archived')),
   triage_notes        TEXT,
   triaged_at          TEXT,
-  fix_description     TEXT
+  fix_description     TEXT,
+  -- Deliberation fields (two-stage audit). Absent for single-stage audits.
+  status              TEXT CHECK(status IS NULL OR status IN ('upheld','challenged','modified','withdrawn','rebutted')),
+  annotations         TEXT,  -- JSON array of Stage-2 critic annotations
+  rebuttal            TEXT   -- JSON object: Stage-1 member's response to challenges
 );
 
 -- Append-only history of trigger-condition evaluations.