hadara 0.1.0-rc.0

package/dist/services/operational-debt.js

@@ -0,0 +1,767 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OPERATIONAL_DEBT_RECORDS = void 0;
+exports.createOperationalDebtReport = createOperationalDebtReport;
+exports.createOperationalDebtShowReport = createOperationalDebtShowReport;
+exports.createReleaseGateReport = createReleaseGateReport;
+exports.createOperationalDebtAggregate = createOperationalDebtAggregate;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const schema_1 = require("../core/schema");
+const task_capsule_1 = require("../task/task-capsule");
+exports.OPERATIONAL_DEBT_RECORDS = [
+    {
+        id: 'OD-0001',
+        title: 'Task Capsule Markdown consistency can drift after context compaction',
+        source: 'known_issue.log#1',
+        category: 'validation',
+        status: 'mitigated',
+        severity: 'medium',
+        targetCapability: 'Task Capsule format validation'
+    },
+    {
+        id: 'OD-0002',
+        title: 'New sessions may miss Docker-based validation environment details',
+        source: 'known_issue.log#2',
+        category: 'environment',
+        status: 'mitigated',
+        severity: 'medium',
+        targetCapability: 'Validation environment handoff'
+    },
+    {
+        id: 'OD-0003',
+        title: 'Agents can overfit to the last capsule and miss broader roadmap state',
+        source: 'known_issue.log#3',
+        category: 'continuity',
+        status: 'mitigated',
+        severity: 'high',
+        targetCapability: 'Required-reading protocol and roadmap-aware handoff guidance'
+    },
+    {
+        id: 'OD-0004',
+        title: 'Long-running capsule work can concentrate too many features in one file',
+        source: 'known_issue.log#4',
+        category: 'complexity',
+        status: 'tracked',
+        severity: 'medium',
+        targetCapability: 'LOC and complexity risk indicators'
+    },
+    {
+        id: 'OD-0005',
+        title: 'LOC calculation utility is needed for complexity management',
+        source: 'known_issue.log#5',
+        category: 'complexity',
+        status: 'candidate',
+        severity: 'low',
+        targetCapability: 'Changed LOC utility'
+    },
+    {
+        id: 'OD-0006',
+        title: 'Capsule size should scale with task complexity',
+        source: 'known_issue.log#6',
+        category: 'scope-control',
+        status: 'tracked',
+        severity: 'medium',
+        targetCapability: 'Capsule size indicator'
+    },
+    {
+        id: 'OD-0007',
+        title: 'Task change size should be visible in dashboard or TUI surfaces',
+        source: 'known_issue.log#7',
+        category: 'visibility',
+        status: 'candidate',
+        severity: 'low',
+        targetCapability: 'Changed-size dashboard signal'
+    },
+    {
+        id: 'OD-0008',
+        title: 'ACCEPTANCE.md checkboxes can be marked before implementation evidence exists',
+        source: 'known_issue.log#8',
+        category: 'validation',
+        status: 'mitigated',
+        severity: 'high',
+        targetCapability: 'Premature acceptance guard and done-level harness validation'
+    }
+];
+function createOperationalDebtReport(projectRoot) {
+    const tasks = (0, task_capsule_1.listTaskCapsules)(projectRoot);
+    return {
+        schemaVersion: 'hadara.operational_debt.v1',
+        command: 'operational-debt.report',
+        ok: true,
+        records: exports.OPERATIONAL_DEBT_RECORDS,
+        aggregate: createOperationalDebtAggregate(exports.OPERATIONAL_DEBT_RECORDS),
+        capsuleSizeIndicators: tasks.map((task) => measureCapsuleSize(projectRoot, task)),
+        issues: tasks.flatMap((task) => detectPrematureAcceptance(projectRoot, task))
+    };
+}
+function createOperationalDebtShowReport(projectRoot, id) {
+    const record = createOperationalDebtReport(projectRoot).records.find((candidate) => candidate.id === id) ?? null;
+    return {
+        schemaVersion: 'hadara.operational_debt.show.v1',
+        command: 'operational-debt.show',
+        ok: record !== null,
+        id,
+        record,
+        issues: record
+            ? []
+            : [
+                {
+                    severity: 'error',
+                    code: 'OPERATIONAL_DEBT_NOT_FOUND',
+                    message: `Operational debt record not found: ${id}`
+                }
+            ]
+    };
+}
+function createReleaseGateReport(projectRoot, mode = 'advisory') {
+    const debt = createOperationalDebtReport(projectRoot);
+    const highOpen = debt.records.filter((record) => isOpenDebt(record) && record.severity === 'high');
+    const blocking = mode === 'strict' && highOpen.length > 0;
+    const readiness = createReleaseReadinessChecks(projectRoot, mode);
+    const debtIssues = highOpen.length > 0
+        ? [
+            {
+                severity: blocking ? 'error' : 'warning',
+                code: 'OPEN_HIGH_OPERATIONAL_DEBT',
+                message: `${highOpen.length} open high-severity operational debt record(s) remain.`
+            }
+        ]
+        : [];
+    const issues = [...readiness.issues, ...debtIssues];
+    return {
+        schemaVersion: 'hadara.releaseGate.v1',
+        command: 'release.gate',
+        mode,
+        ok: !blocking && readiness.checks.every((check) => check.status !== 'error'),
+        checks: [
+            ...readiness.checks,
+            {
+                code: 'OPEN_HIGH_OPERATIONAL_DEBT',
+                name: 'No high severity operational debt',
+                status: highOpen.length > 0 ? (blocking ? 'error' : 'warning') : 'passed',
+                summary: highOpen.length > 0 ? `${highOpen.map((record) => record.id).join(', ')} remain open.` : 'No open high-severity operational debt records.'
+            }
+        ],
+        issues
+    };
+}
+function createReleaseReadinessChecks(projectRoot, mode) {
+    const packageJson = readJsonObject(node_path_1.default.join(projectRoot, 'package.json'));
+    const ciWorkflow = readOptionalText(node_path_1.default.join(projectRoot, '.github', 'workflows', 'ci.yml'));
+    const v1Schemas = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'V1_0_IMPLEMENTATION_SCHEMAS.md'));
+    const developmentSlices = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'DEVELOPMENT_SLICES.md'));
+    const projectState = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'PROJECT_STATE.md'));
+    const testStrategy = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'TEST_STRATEGY.md'));
+    const releaseReadiness = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'RELEASE_READINESS.md'));
+    const validationHistory = readOptionalText(node_path_1.default.join(projectRoot, 'docs', 'VALIDATION_HISTORY.md'));
+    const licenseText = readOptionalText(node_path_1.default.join(projectRoot, 'LICENSE'));
+    const evidence = readReleaseEvidenceRecords(projectRoot);
+    const checks = [
+        checkPackageBin(packageJson, mode),
+        checkPackageScripts(packageJson, mode),
+        checkNodePolicy(packageJson, ciWorkflow, mode),
+        checkCiWorkflow(ciWorkflow, mode),
+        checkCleanCheckoutPolicy(v1Schemas, developmentSlices, testStrategy, mode),
+        checkPackageSmokeArtifactBoundary(testStrategy, mode),
+        checkPackageSmokeCommandSurface(testStrategy, mode),
+        checkPackageMetadataReadiness(packageJson, licenseText, testStrategy, releaseReadiness, validationHistory, mode),
+        checkReleaseWorkflowTargetDecision(releaseReadiness, mode),
+        checkInstallerSurfaceAndSchema(releaseReadiness, mode),
+        checkInstallMatrixSmokePlan(releaseReadiness, mode),
+        checkPackageSmokeEvidence(evidence, mode),
+        checkCleanCheckoutSmokeEvidence(evidence, mode),
+        checkReleaseArtifactEvidence(evidence, mode),
+        checkInstallMatrixSmokeEvidence(),
+        checkGeneratedArtifactPolicy(projectState, developmentSlices, mode),
+        checkRemoteCiObservation(testStrategy, validationHistory, mode)
+    ];
+    const issues = checks
+        .filter((check) => check.status !== 'passed')
+        .map((check) => ({
+        severity: check.status === 'error' ? 'error' : 'warning',
+        code: releaseReadinessIssueCode(check.code),
+        message: `${check.name}: ${check.summary}`
+    }));
+    return { checks, issues };
+}
+function releaseReadinessIssueCode(checkCode) {
+    if (checkCode === 'REMOTE_CI_OBSERVATION')
+        return 'REMOTE_CI_OBSERVATION_UNRECORDED';
+    if (checkCode === 'PACKAGE_SMOKE_ARTIFACT_BOUNDARY')
+        return 'PACKAGE_SMOKE_ARTIFACT_BOUNDARY_UNCLEAR';
+    if (checkCode === 'PACKAGE_SMOKE_COMMAND_SURFACE')
+        return 'PACKAGE_SMOKE_COMMAND_SURFACE_UNCLEAR';
+    if (checkCode === 'PACKAGE_METADATA_RELEASE_READINESS')
+        return 'PACKAGE_METADATA_RELEASE_READINESS_UNCLEAR';
+    if (checkCode === 'CI_RELEASE_WORKFLOW_TARGET_DECISION')
+        return 'CI_RELEASE_WORKFLOW_TARGET_DECISION_UNCLEAR';
+    if (checkCode === 'INSTALLER_SCRIPT_SURFACE_SCHEMA')
+        return 'INSTALLER_SCRIPT_SURFACE_SCHEMA_UNCLEAR';
+    if (checkCode === 'INSTALL_MATRIX_SMOKE_PLAN')
+        return 'INSTALL_MATRIX_SMOKE_PLAN_UNCLEAR';
+    if (checkCode === 'PACKAGE_SMOKE_EVIDENCE')
+        return 'PACKAGE_SMOKE_EVIDENCE_MISSING';
+    if (checkCode === 'CLEAN_CHECKOUT_SMOKE_EVIDENCE')
+        return 'CLEAN_CHECKOUT_SMOKE_EVIDENCE_MISSING';
+    if (checkCode === 'RELEASE_ARTIFACT_EVIDENCE')
+        return 'RELEASE_ARTIFACT_EVIDENCE_MISSING';
+    if (checkCode === 'INSTALL_MATRIX_SMOKE_EVIDENCE')
+        return 'INSTALL_MATRIX_SMOKE_EVIDENCE_MISSING';
+    return checkCode;
+}
+function checkPackageBin(packageJson, mode) {
+    const bin = isRecord(packageJson?.bin) ? packageJson.bin : {};
+    const ok = bin.hadara === './dist/cli/main.js';
+    return {
+        code: 'PACKAGE_BIN_MISSING',
+        name: 'Package bin entry',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok ? 'package.json exposes hadara at ./dist/cli/main.js.' : 'package.json must expose bin.hadara as ./dist/cli/main.js.'
+    };
+}
+function checkPackageScripts(packageJson, mode) {
+    const scripts = isRecord(packageJson?.scripts) ? packageJson.scripts : {};
+    const required = ['build', 'test', 'test:contract', 'test:harness', 'check'];
+    const missing = required.filter((script) => typeof scripts[script] !== 'string' || scripts[script].trim() === '');
+    return {
+        code: 'VALIDATION_SCRIPT_MISSING',
+        name: 'Package validation scripts',
+        status: missing.length === 0 ? 'passed' : readinessFailureStatus(mode),
+        summary: missing.length === 0 ? `${required.join(', ')} scripts are defined.` : `Missing package scripts: ${missing.join(', ')}.`
+    };
+}
+function checkNodePolicy(packageJson, ciWorkflow, mode) {
+    const devDependencies = isRecord(packageJson?.devDependencies) ? packageJson.devDependencies : {};
+    const nodeTypes = String(devDependencies['@types/node'] ?? '');
+    const ciUsesNode22 = ciWorkflow !== null && /node-version:\s*22\b/.test(ciWorkflow);
+    const ok = nodeTypes.startsWith('^22') && ciUsesNode22;
+    return {
+        code: 'NODE_POLICY_UNCLEAR',
+        name: 'Node version policy',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok ? 'Development typings and CI target Node 22.' : 'Node 22 must be reflected in dev dependencies and CI.'
+    };
+}
+function checkCiWorkflow(ciWorkflow, mode) {
+    const missing = [
+        ['actions/setup-node@v4', ciWorkflow?.includes('actions/setup-node@v4')],
+        ['npm ci', ciWorkflow?.includes('npm ci')],
+        ['npm run check', ciWorkflow?.includes('npm run check')]
+    ]
+        .filter(([, present]) => !present)
+        .map(([name]) => name);
+    return {
+        code: 'CI_CLEAN_INSTALL_UNCLEAR',
+        name: 'CI clean install check',
+        status: missing.length === 0 ? 'passed' : readinessFailureStatus(mode),
+        summary: missing.length === 0 ? 'CI installs dependencies cleanly and runs npm run check.' : `CI workflow is missing: ${missing.join(', ')}.`
+    };
+}
+function checkCleanCheckoutPolicy(v1Schemas, developmentSlices, testStrategy, mode) {
+    const ok = includesAll(v1Schemas, ['npm ci', 'npm run check', 'doctor --json', 'ops status --json']) &&
+        includesAny(developmentSlices, ['clean checkout smoke', 'clean-checkout smoke']) &&
+        includesAll(testStrategy, [
+            'Clean Checkout Package Smoke Plan',
+            'npm ci',
+            'npm run build',
+            'node dist/cli/main.js doctor --json',
+            'node dist/cli/main.js ops status --json',
+            'node dist/cli/main.js release gate --mode strict --json',
+            'no packaging or release execution'
+        ]);
+    return {
+        code: 'CLEAN_CHECKOUT_SMOKE_UNCLEAR',
+        name: 'Clean checkout smoke policy',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Release planning documents the clean-checkout package smoke sequence.'
+            : 'Release planning must document clean-checkout package smoke expectations.'
+    };
+}
+function checkPackageSmokeArtifactBoundary(testStrategy, mode) {
+    const ok = includesAll(testStrategy, [
+        'Executable Package Smoke Artifact Boundary',
+        'Allowed workspace',
+        '/tmp/hadara-package-smoke/<run-id>',
+        'Package artifact paths',
+        'tasks/<task-id>/artifacts/package-smoke/',
+        'Redaction and audit handling',
+        'Evidence/report shape',
+        'hadara.packageSmoke.v1',
+        'performs no package-smoke execution'
+    ]);
+    return {
+        code: 'PACKAGE_SMOKE_ARTIFACT_BOUNDARY',
+        name: 'Package smoke artifact boundary',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Executable package-smoke artifact and evidence boundaries are documented before implementation.'
+            : 'Executable package-smoke workspace, artifact, redaction/audit, and evidence boundaries must be documented before implementation.'
+    };
+}
+function checkPackageSmokeCommandSurface(testStrategy, mode) {
+    const ok = includesAll(testStrategy, [
+        'Package Smoke Command Surface',
+        'hadara package smoke --dry-run --json',
+        'hadara package smoke --task <task-id> --json',
+        'hadara package smoke --workspace /tmp/hadara-package-smoke/<run-id> --json',
+        'hadara package smoke --from ./dist-release/hadara-0.1.0-rc.0.tgz --json',
+        'hadara package smoke --keep-temp --json',
+        'Do not use `hadara release smoke` as the primary command surface',
+        '`--timeout <seconds>`',
+        '`--attach-evidence`',
+        '`--private-logs`',
+        'Package smoke must not be callable from MCP by default',
+        'The release gate must not call `hadara package smoke`'
+    ]);
+    return {
+        code: 'PACKAGE_SMOKE_COMMAND_SURFACE',
+        name: 'Package smoke command surface',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? '`hadara package smoke` command naming, flags, approval, cleanup, failure, evidence, and MCP boundaries are documented.'
+            : 'Package-smoke command naming, flags, approval, cleanup, failure, evidence, and MCP boundaries must be documented before implementation.'
+    };
+}
+function checkPackageMetadataReadiness(packageJson, licenseText, testStrategy, releaseReadiness, validationHistory, mode) {
+    const bin = isRecord(packageJson?.bin) ? packageJson.bin : {};
+    const files = Array.isArray(packageJson?.files) ? packageJson.files.filter((entry) => typeof entry === 'string') : [];
+    const bootstrapMetadataOk = packageJson?.name === 'hadara' &&
+        packageJson?.version === '0.0.0-bootstrap' &&
+        packageJson?.private === true &&
+        bin.hadara === './dist/cli/main.js';
+    const releaseCandidateMetadataOk = packageJson?.name === 'hadara' &&
+        /^0\.1\.0-rc\.\d+$/.test(String(packageJson?.version ?? '')) &&
+        packageJson?.private === false &&
+        packageJson?.license === 'MIT' &&
+        bin.hadara === './dist/cli/main.js' &&
+        includesAll(files.join('\n'), ['dist/', 'README.md', 'LICENSE', 'package.json']) &&
+        licenseText !== null &&
+        includesAny(validationHistory, ['hadara.packageSmoke.v1', 'PACKAGE_SMOKE_EVIDENCE']);
+    const metadataMarkers = [
+        'Package Metadata Release Readiness',
+        'Package name decision: `hadara`',
+        'npm registry observation: `npm view hadara name version --registry=https://registry.npmjs.org` returned 404 on 2026-05-28',
+        'Current version is `0.1.0-rc.0`',
+        'Current package is `private: false`',
+        'Current binary remains `bin.hadara` at `./dist/cli/main.js`',
+        'Current `files` whitelist is `dist/`, `README.md`, `LICENSE`, and `package.json`',
+        'Bootstrap metadata mode: version `0.0.0-bootstrap`, `private: true`, no package publishability',
+        'Release-candidate metadata mode: version `0.1.0-rc.N`, `private: false`, `files` whitelist present, `LICENSE` present, package smoke evidence present',
+        'Scoped fallback decision: do not silently switch names',
+        'Version policy: first release-candidate target is `0.1.0-rc.0`; first stable target is `0.1.0`',
+        'T-0142 transitions `private` to false only after the package files whitelist, root README, license decision, and package-smoke evidence gates exist',
+        'Final `files` whitelist target: `dist/`, `README.md`, `LICENSE`, `package.json`, plus installer and portable files only after those files exist',
+        'Do not add `files` entries for missing installer or portable paths in T-0127',
+        'MIT license decision: adopt MIT; `LICENSE` exists and is included in the package whitelist',
+        'Publish target decision: npm package first, GitHub Release second, Docker image deferred',
+        'Installed CLI verification must use `hadara doctor --json`',
+        'T-0142 performs no publish, no GitHub Release creation, no Docker image build, and no registry mutation; it transitions metadata and regenerates reduced release evidence only',
+        'Before adding more T-0128+ release/install/package-smoke readiness markers, prefer moving the structured readiness source to `docs/RELEASE_READINESS.md` or `docs/release-readiness.json`'
+    ];
+    const docsOk = includesAll(testStrategy, metadataMarkers) || includesAll(releaseReadiness, metadataMarkers);
+    const ok = (bootstrapMetadataOk || releaseCandidateMetadataOk) && docsOk;
+    return {
+        code: 'PACKAGE_METADATA_RELEASE_READINESS',
+        name: 'Package metadata release readiness',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Package name, release-candidate version, private transition, files target, license path, publish target, and installed CLI verification decisions are documented without publishing.'
+            : 'Package metadata release-readiness decisions must be documented before publishability is accepted.'
+    };
+}
+function checkInstallerSurfaceAndSchema(releaseReadiness, mode) {
+    const ok = includesAll(releaseReadiness, [
+        'Installer Script Surface and Schema',
+        '`scripts/install.sh`',
+        '`scripts/install.ps1`',
+        '`portable/bin/hadara`',
+        '`portable/bin/hadara.cmd`',
+        '`portable/bin/hadara.ps1`',
+        'Installer scripts install or plan installation from a tarball or directory',
+        'Installer scripts must support dry-run planning before mutation',
+        'Installer scripts must emit `hadara.install.plan.v1` JSON for dry-run planning',
+        'Installer scripts must not use `sudo` by default',
+        'Installer scripts must not force `npm install -g`',
+        'Installer scripts must not mutate shell profiles or PATH by default',
+        'Portable launchers invoke an installed or portable HADARA bundle',
+        'Portable launchers do not install dependencies',
+        'Portable launchers do not mutate PATH',
+        'Portable launchers do not modify project files',
+        'Linux/POSIX/WSL prefix suggestion: `~/.local/share/hadara`',
+        'Linux/POSIX/WSL bin link suggestion: `~/.local/bin/hadara`',
+        'Windows prefix suggestion: `%LOCALAPPDATA%\\HADARA`',
+        'Windows cmd launcher suggestion: `%LOCALAPPDATA%\\HADARA\\bin\\hadara.cmd`',
+        'Windows PowerShell launcher suggestion: `%LOCALAPPDATA%\\HADARA\\bin\\hadara.ps1`',
+        'Default POSIX/WSL/Windows install paths are suggestions, not silent decisions',
+        'Windows USB portable root: user-selected removable drive, for example `L:\\HADARA`',
+        'WSL USB portable root for `--platform usb`: user-selected mounted removable drive, for example `/mnt/l/HADARA`',
+        'The drive letter or mount path must not be assumed',
+        'USB install roots must be explicitly provided',
+        '`--platform wsl` uses Linux-style default install suggestions',
+        'Installer plans must validate Node 22',
+        'WSL install plans must reject Windows `node.exe` shims',
+        'Schema id: `hadara.install.plan.v1`',
+        'Target paths must be public path references, not raw absolute path strings',
+        '`target.prefix.pathRedacted: true` is required for public install-plan output',
+        '`target.launcher.pathRedacted: true` is required for public install-plan output',
+        '`source.pathRedacted: true` is required when source path details appear in public install-plan output',
+        '`execution.executeEnabled` must state whether mutation is available to the current command implementation',
+        '`mode: execute` is schema-reserved only until an explicit later capsule implements mutation',
+        'T-0129 dry-run implementation must reject execute mode or return `INSTALL_EXECUTION_DISABLED`',
+        'The schema fixture documents a future execute mode but does not authorize installer execution',
+        'The release gate checks installer surface and schema markers only',
+        'The release gate must not execute `scripts/install.sh`',
+        'The release gate must not execute `scripts/install.ps1`'
+    ]);
+    return {
+        code: 'INSTALLER_SCRIPT_SURFACE_SCHEMA',
+        name: 'Installer script surface and schema',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Installer script paths, portable launchers, install locations, Node/WSL checks, and install plan schema are documented without install mutation.'
+            : 'Installer script paths, portable launchers, install locations, Node/WSL checks, and install plan schema must be documented before implementation.'
+    };
+}
+function checkReleaseWorkflowTargetDecision(releaseReadiness, mode) {
+    const ok = includesAll(releaseReadiness, [
+        'CI Release Workflow Target Decision',
+        'Primary release target: npm package',
+        'Secondary release target: GitHub Release with tarball, checksum, and manifest',
+        'Deferred release target: Docker image',
+        'npm publish token name: `NPM_TOKEN`',
+        'GitHub Release token name: `GITHUB_TOKEN` or `HADARA_GITHUB_RELEASE_TOKEN`',
+        'Token values must never be written to repository files, public evidence, release artifacts, logs, manifests, or context export',
+        'Publish/deploy remains explicit approval only',
+        'T-0139 performs no publish, no GitHub Release creation, no Docker image build, no registry mutation, no GitHub API call, and no token loading',
+        'Evidence freshness must compare evidence to the release candidate window',
+        'Evidence cross-check should follow this order: record exists, artifact exists, artifact schema valid, `sourceReport.ok` true when present, category/mode/result match the expected check',
+        'Release artifact evidence flow must be explicit: run `hadara release artifact --execute --json --output dist-release`'
+    ]);
+    return {
+        code: 'CI_RELEASE_WORKFLOW_TARGET_DECISION',
+        name: 'CI/release workflow target decision',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Release targets, token names, approval boundary, and T-0140 evidence hardening requirements are documented.'
+            : 'Release workflow targets, token names, approval boundary, and evidence hardening requirements must be documented before release scripts.'
+    };
+}
+function checkInstallMatrixSmokePlan(releaseReadiness, mode) {
+    const ok = includesAll(releaseReadiness, [
+        'Install Matrix Smoke Plan',
+        'T-0130 defines install-matrix smoke planning only',
+        'Matrix row: Linux source checkout',
+        'Matrix row: Linux package install',
+        'Matrix row: WSL source checkout',
+        'Matrix row: Windows source checkout',
+        'Matrix row: Windows package install',
+        'Matrix row: USB portable on Windows',
+        'Matrix row: USB portable on WSL',
+        'Matrix row: installed CLI major-feature smoke',
+        'Docker/Linux validation does not replace real Windows validation',
+        'USB rows must require explicit user-selected USB roots',
+        'Package-install rows are blocked until package smoke and release artifacts exist',
+        'Matrix evidence must record platform, source kind, installer/package form, command form, and reduced public result',
+        'Raw logs and private paths must stay temporary or private/local',
+        'The release gate must not execute install matrix smoke'
+    ]);
+    return {
+        code: 'INSTALL_MATRIX_SMOKE_PLAN',
+        name: 'Install matrix smoke plan',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Install matrix rows, platform boundaries, evidence shape, and non-execution release-gate behavior are documented.'
+            : 'Install matrix smoke rows and evidence boundaries must be documented before execution.'
+    };
+}
+function checkPackageSmokeEvidence(evidence, mode) {
+    const match = findLatestEvidence(evidence, (record) => record.result === 'passed' &&
+        record.visibility === 'public' &&
+        (includesAll(record.summary, ['package smoke', '--execute']) ||
+            Boolean(record.evidencePath?.includes('artifacts/package-smoke/'))) &&
+        (includesAny(record.summary, ['--attach-evidence', 'artifacts/package-smoke', 'hadara.packageSmoke.v1']) ||
+            Boolean(record.evidencePath?.includes('artifacts/package-smoke/'))));
+    return createEvidenceCheck('PACKAGE_SMOKE_EVIDENCE', 'Package smoke evidence', match, mode, 'Latest package-smoke evidence is recorded', 'Record passed public package-smoke execution evidence before release readiness is frozen.');
+}
+function checkCleanCheckoutSmokeEvidence(evidence, mode) {
+    const match = findLatestEvidence(evidence, (record) => record.result === 'passed' &&
+        record.visibility === 'public' &&
+        (includesAll(record.summary, ['smoke clean-checkout', '--execute']) ||
+            Boolean(record.evidencePath?.includes('artifacts/clean-checkout-smoke/'))) &&
+        (includesAny(record.summary, ['--attach-evidence', 'artifacts/clean-checkout-smoke', 'hadara.cleanCheckoutSmoke.v1']) ||
+            Boolean(record.evidencePath?.includes('artifacts/clean-checkout-smoke/'))));
+    return createEvidenceCheck('CLEAN_CHECKOUT_SMOKE_EVIDENCE', 'Clean checkout smoke evidence', match, mode, 'Latest clean-checkout smoke evidence is recorded', 'Record passed public clean-checkout smoke evidence before release readiness is frozen.');
+}
+function checkReleaseArtifactEvidence(evidence, mode) {
+    const match = findLatestEvidence(evidence, (record) => record.result === 'passed' &&
+        record.visibility === 'public' &&
+        includesAll(record.summary, ['release artifact', '--execute']) &&
+        includesAny(record.summary, ['generated tarball/checksum/manifest', 'retained-output', 'hadara.releaseArtifact.v1']));
+    return createEvidenceCheck('RELEASE_ARTIFACT_EVIDENCE', 'Release artifact evidence', match, mode, 'Latest release artifact build evidence is recorded', 'Record passed public release artifact build evidence before release readiness is frozen.');
+}
+function checkInstallMatrixSmokeEvidence() {
+    return {
+        code: 'INSTALL_MATRIX_SMOKE_EVIDENCE',
+        name: 'Install matrix smoke evidence',
+        status: 'passed',
+        summary: 'Install-matrix evidence enforcement is deferred until an executable install-matrix smoke surface exists.'
+    };
+}
+function createEvidenceCheck(code, name, match, mode, passedSummary, missingSummary) {
+    if (!match) {
+        return {
+            code,
+            name,
+            status: readinessFailureStatus(mode),
+            summary: missingSummary
+        };
+    }
+    const artifactNote = match.artifactSchemaValid === undefined ? '' : match.artifactSchemaValid ? '; linked summary artifact is schema-valid' : '; linked summary artifact was not schema-valid';
+    return {
+        code,
+        name,
+        status: match.artifactSchemaValid === false ? readinessFailureStatus(mode) : 'passed',
+        summary: `${passedSummary}: ${match.record.taskId} at ${match.record.time}${artifactNote}.`
+    };
+}
+function checkGeneratedArtifactPolicy(projectState, developmentSlices, mode) {
+    const ok = includesAll(projectState, ['contextPath: null', '.hadara/local/tui/', 'read-only local API routes']) && includesAll(developmentSlices, ['without writing generated context files']);
+    return {
+        code: 'GENERATED_ARTIFACT_POLICY_UNCLEAR',
+        name: 'Generated artifact policy',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Context export, dashboard APIs, and TUI cache boundaries are documented as non-committed/generated or read-only surfaces.'
+            : 'Generated context/dashboard/cache artifact boundaries must be documented before release.'
+    };
+}
+function checkRemoteCiObservation(testStrategy, validationHistory, mode) {
+    const ok = includesAll(testStrategy, ['Remote CI observation', 'local Docker validation remains the primary reproducible check']) &&
+        includesAll(validationHistory, ['GitHub Actions CI run', 'actions/runs/']);
+    return {
+        code: 'REMOTE_CI_OBSERVATION',
+        name: 'Remote CI observation evidence',
+        status: ok ? 'passed' : readinessFailureStatus(mode),
+        summary: ok
+            ? 'Remote GitHub Actions status is recorded separately from local release-gate checks.'
+            : 'Record a recent remote GitHub Actions observation and keep it distinct from local Docker validation.'
+    };
+}
+function readReleaseEvidenceRecords(projectRoot) {
+    return (0, task_capsule_1.listTaskCapsules)(projectRoot).flatMap((task) => readTaskEvidenceRecords(task.dir));
+}
+function readTaskEvidenceRecords(taskDir) {
+    const evidencePath = node_path_1.default.join(taskDir, 'evidence.jsonl');
+    if (!node_fs_1.default.existsSync(evidencePath))
+        return [];
+    return node_fs_1.default
+        .readFileSync(evidencePath, 'utf8')
+        .split(/\r?\n/)
+        .map((line) => {
+        if (line.trim() === '')
+            return null;
+        try {
+            const parsed = JSON.parse(line);
+            if (!isRecord(parsed))
+                return null;
+            if (parsed.schemaVersion !== 'hadara.evidence.v1')
+                return null;
+            if (typeof parsed.time !== 'string' || typeof parsed.summary !== 'string')
+                return null;
+            if (typeof parsed.taskId !== 'string' || typeof parsed.kind !== 'string')
+                return null;
+            if (typeof parsed.result !== 'string' || typeof parsed.visibility !== 'string')
+                return null;
+            return {
+                taskId: parsed.taskId,
+                taskDir,
+                time: parsed.time,
+                kind: parsed.kind,
+                summary: parsed.summary,
+                result: parsed.result,
+                visibility: parsed.visibility,
+                ...(typeof parsed.evidencePath === 'string' ? { evidencePath: parsed.evidencePath } : {})
+            };
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((record) => record !== null);
+}
+function findLatestEvidence(evidence, predicate) {
+    const matches = evidence.filter(predicate).sort((a, b) => b.time.localeCompare(a.time));
+    const record = matches[0];
+    if (!record)
+        return null;
+    return {
+        record,
+        ...validateLinkedEvidenceArtifact(record)
+    };
+}
+function validateLinkedEvidenceArtifact(record) {
+    if (!record.evidencePath)
+        return {};
+    const artifactPath = node_path_1.default.resolve(record.taskDir, record.evidencePath);
+    if (!artifactPath.startsWith(`${node_path_1.default.resolve(record.taskDir)}${node_path_1.default.sep}`) || !node_fs_1.default.existsSync(artifactPath))
+        return {};
+    try {
+        const parsed = JSON.parse(node_fs_1.default.readFileSync(artifactPath, 'utf8'));
+        if (!isRecord(parsed) || typeof parsed.schemaVersion !== 'string')
+            return { artifactSchemaValid: false };
+        if (parsed.schemaVersion !== 'hadara.smokeEvidenceSummary.v1')
+            return {};
+        return { artifactSchemaValid: (0, schema_1.validateSchema)('hadara.smokeEvidenceSummary.v1', parsed).ok };
+    }
+    catch {
+        return { artifactSchemaValid: false };
+    }
+}
+function readinessFailureStatus(mode) {
+    return mode === 'strict' ? 'error' : 'warning';
+}
+function readJsonObject(filePath) {
+    try {
+        const parsed = JSON.parse(node_fs_1.default.readFileSync(filePath, 'utf8'));
+        return isRecord(parsed) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+function readOptionalText(filePath) {
+    try {
+        return node_fs_1.default.readFileSync(filePath, 'utf8');
+    }
+    catch {
+        return null;
+    }
+}
+function includesAll(text, needles) {
+    return text !== null && needles.every((needle) => text.includes(needle));
+}
+function includesAny(text, needles) {
+    return text !== null && needles.some((needle) => text.includes(needle));
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function createOperationalDebtAggregate(records) {
+    const aggregate = {
+        total: records.length,
+        open: 0,
+        tracked: 0,
+        mitigated: 0,
+        candidate: 0,
+        highOpen: 0,
+        bySeverity: {
+            high: 0,
+            medium: 0,
+            low: 0
+        }
+    };
+    for (const record of records) {
+        aggregate[record.status] += 1;
+        aggregate.bySeverity[record.severity] += 1;
+        if (isOpenDebt(record))
+            aggregate.open += 1;
+        if (isOpenDebt(record) && record.severity === 'high')
+            aggregate.highOpen += 1;
+    }
+    return aggregate;
+}
+function isOpenDebt(record) {
+    return record.status !== 'mitigated';
+}
+function measureCapsuleSize(projectRoot, task) {
+    const files = node_fs_1.default
+        .readdirSync(task.dir, { withFileTypes: true })
+        .filter((entry) => entry.isFile())
+        .map((entry) => node_path_1.default.join(task.dir, entry.name));
+    const totals = files.reduce((acc, filePath) => {
+        const content = node_fs_1.default.readFileSync(filePath, 'utf8');
+        return {
+            bytes: acc.bytes + Buffer.byteLength(content, 'utf8'),
+            lines: acc.lines + countLines(content)
+        };
+    }, { bytes: 0, lines: 0 });
+    return {
+        taskId: task.id,
+        capsule: toPortablePath(node_path_1.default.relative(projectRoot, task.dir)),
+        fileCount: files.length,
+        lineCount: totals.lines,
+        byteCount: totals.bytes,
+        size: classifyCapsuleSize(totals.lines)
+    };
+}
+function detectPrematureAcceptance(projectRoot, task) {
+    const taskPath = node_path_1.default.join(task.dir, 'TASK.md');
+    const acceptancePath = node_path_1.default.join(task.dir, 'ACCEPTANCE.md');
+    const evidencePath = node_path_1.default.join(task.dir, 'evidence.jsonl');
+    if (!node_fs_1.default.existsSync(taskPath) || !node_fs_1.default.existsSync(acceptancePath))
+        return [];
+    const taskStatus = readTaskStatus(taskPath);
+    const acceptance = node_fs_1.default.readFileSync(acceptancePath, 'utf8');
+    const checkedCount = acceptance.match(/-\s+\[[xX]\]/g)?.length ?? 0;
+    const evidenceCount = countValidEvidenceRecords(evidencePath);
+    if (checkedCount > 0 && (taskStatus !== 'Done' || evidenceCount === 0)) {
+        return [
+            {
+                severity: 'warning',
+                code: 'PREMATURE_ACCEPTANCE_CHECKED',
+                message: `${task.id} has checked acceptance boxes before Done status or evidence records.`,
+                path: toPortablePath(node_path_1.default.relative(projectRoot, acceptancePath))
+            }
+        ];
+    }
+    return [];
+}
+function classifyCapsuleSize(lineCount) {
+    if (lineCount < 80)
+        return 'tiny';
+    if (lineCount > 700)
+        return 'large';
+    return 'standard';
+}
+function readTaskStatus(taskPath) {
+    const content = node_fs_1.default.readFileSync(taskPath, 'utf8');
+    const match = content.match(/^## Status\s*\n+([\s\S]*?)(?:\n## |\s*$)/m);
+    return match?.[1]?.trim().split(/\r?\n/)[0]?.trim() || 'Unknown';
+}
+function countValidEvidenceRecords(evidencePath) {
+    if (!node_fs_1.default.existsSync(evidencePath))
+        return 0;
+    return node_fs_1.default
+        .readFileSync(evidencePath, 'utf8')
+        .trim()
+        .split(/\r?\n/)
+        .filter(Boolean)
+        .filter((line) => {
+        try {
+            const record = JSON.parse(line);
+            return (record &&
+                typeof record === 'object' &&
+                record.schemaVersion === 'hadara.evidence.v1' &&
+                typeof record.time === 'string' &&
+                typeof record.taskId === 'string' &&
+                typeof record.summary === 'string' &&
+                typeof record.visibility === 'string');
+        }
+        catch {
+            return false;
+        }
+    }).length;
+}
+function countLines(content) {
+    if (!content)
+        return 0;
+    return content.split(/\r?\n/).length;
+}
+function toPortablePath(value) {
+    return value.split(node_path_1.default.sep).join('/');
+}