hadara 0.1.0-rc.0

package/dist/services/release-dry-run.js

@@ -0,0 +1,253 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createReleaseDryRunReport = createReleaseDryRunReport;
+exports.readCurrentGitCommit = readCurrentGitCommit;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const schema_1 = require("../core/schema");
+const operational_debt_1 = require("./operational-debt");
+const release_evidence_1 = require("./release-evidence");
+function createReleaseDryRunReport(projectRoot) {
+    const packageMetadata = readPackageMetadata(projectRoot);
+    const gitCommit = readCurrentGitCommit(projectRoot);
+    const releaseGate = (0, operational_debt_1.createReleaseGateReport)(projectRoot, 'strict');
+    const evidenceRecords = (0, release_evidence_1.readReleaseEvidenceRecords)(projectRoot);
+    const evidence = evidenceRequirements().map((requirement) => validateEvidenceRequirement(evidenceRecords, requirement));
+    const checks = [
+        {
+            code: 'STRICT_RELEASE_GATE',
+            name: 'Strict release gate',
+            status: releaseGate.ok ? 'passed' : 'error',
+            summary: releaseGate.ok ? 'Strict read-only release gate passes before release dry-run planning.' : 'Strict read-only release gate must pass before release dry-run planning.'
+        },
+        ...evidence.map((item) => ({
+            code: item.code,
+            name: evidenceName(item.code),
+            status: evidenceCheckPassed(item, packageMetadata.version, gitCommit) ? 'passed' : 'error',
+            summary: evidenceSummary(item, packageMetadata.version, gitCommit)
+        })),
+        {
+            code: 'RELEASE_TARGETS',
+            name: 'Release target plan',
+            status: 'passed',
+            summary: 'Dry-run plans npm package first, GitHub Release second, and keeps Docker image publishing deferred.'
+        }
+    ];
+    const issues = checks
+        .filter((check) => check.status !== 'passed')
+        .map((check) => ({
+        severity: check.status === 'error' ? 'error' : 'warning',
+        code: `${check.code}_NOT_READY`,
+        message: `${check.name}: ${check.summary}`
+    }));
+    const report = {
+        schemaVersion: 'hadara.releaseDryRun.v1',
+        command: 'release.dryRun',
+        mode: 'dry-run',
+        ok: checks.every((check) => check.status !== 'error'),
+        current: {
+            packageName: packageMetadata.name,
+            packageVersion: packageMetadata.version,
+            ...(gitCommit ? { gitCommit } : {})
+        },
+        releaseTargets: {
+            primary: 'npm-package',
+            secondary: 'github-release',
+            dockerImage: 'deferred'
+        },
+        checks,
+        evidence,
+        plannedSteps: [
+            {
+                id: 'npm-publish',
+                target: 'npm-package',
+                willExecute: false,
+                requiresApproval: true,
+                summary: 'Would publish the package only in a later approval-gated release command with NPM_TOKEN presence checks.'
+            },
+            {
+                id: 'github-release',
+                target: 'github-release',
+                willExecute: false,
+                requiresApproval: true,
+                summary: 'Would create a GitHub Release with tarball, checksum, and manifest only in a later approval-gated release command.'
+            },
+            {
+                id: 'docker-image',
+                target: 'docker-image',
+                willExecute: false,
+                requiresApproval: true,
+                summary: 'Docker image publishing remains deferred unless the product/server runtime surface changes.'
+            }
+        ],
+        privacy: {
+            tokenValuesIncluded: false,
+            rawLogsIncluded: false,
+            privatePathsIncluded: false,
+            publishExecuted: false,
+            githubReleaseCreated: false,
+            dockerImageBuilt: false
+        },
+        issues
+    };
+    (0, schema_1.assertSchema)('hadara.releaseDryRun.v1', report);
+    return report;
+}
+function readCurrentGitCommit(projectRoot) {
+    const gitDir = node_path_1.default.join(projectRoot, '.git');
+    try {
+        const head = node_fs_1.default.readFileSync(node_path_1.default.join(gitDir, 'HEAD'), 'utf8').trim();
+        if (/^[a-f0-9]{40}$/.test(head))
+            return head;
+        const match = /^ref:\s*(.+)$/.exec(head);
+        if (!match)
+            return undefined;
+        const refPath = node_path_1.default.join(gitDir, match[1]);
+        const ref = node_fs_1.default.readFileSync(refPath, 'utf8').trim();
+        return /^[a-f0-9]{40}$/.test(ref) ? ref : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function validateEvidenceRequirement(records, requirement) {
+    const record = records.filter(requirement.predicate).sort((a, b) => b.time.localeCompare(a.time))[0];
+    if (!record) {
+        return {
+            code: requirement.code,
+            artifactExists: false
+        };
+    }
+    const artifact = (0, release_evidence_1.validateReleaseEvidenceArtifact)(record);
+    return {
+        code: requirement.code,
+        taskId: record.taskId,
+        time: record.time,
+        artifactExists: artifact.exists,
+        result: record.result,
+        ...(record.evidencePath ? { evidencePath: record.evidencePath } : {}),
+        ...(artifact.schemaValid === undefined ? {} : { artifactSchemaValid: artifact.schemaValid }),
+        ...(artifact.sourceOk === undefined ? {} : { sourceOk: artifact.sourceOk }),
+        ...(artifact.category ? { category: artifact.category } : {}),
+        ...(artifact.mode ? { mode: artifact.mode } : {}),
+        ...(artifact.packageVersion ? { packageVersion: artifact.packageVersion } : {}),
+        ...(artifact.gitCommit ? { gitCommit: artifact.gitCommit } : {}),
+        ...(artifact.manifestHash ? { manifestHash: artifact.manifestHash } : {})
+    };
+}
+function evidenceCheckPassed(item, packageVersion, gitCommit) {
+    if (item.result !== 'passed')
+        return false;
+    if (item.artifactExists !== true || item.artifactSchemaValid !== true || item.sourceOk !== true)
+        return false;
+    if (item.code === 'PACKAGE_SMOKE_EVIDENCE' && (item.category !== 'package-smoke' || item.mode !== 'local'))
+        return false;
+    if (item.code === 'CLEAN_CHECKOUT_SMOKE_EVIDENCE' && (item.category !== 'clean-checkout-smoke' || item.mode !== 'execute'))
+        return false;
+    if (item.code === 'RELEASE_ARTIFACT_EVIDENCE') {
+        if (item.category !== 'release-artifact' || item.mode !== 'execute')
+            return false;
+        if (item.packageVersion !== packageVersion)
+            return false;
+        if (!item.manifestHash)
+            return false;
+    }
+    if (gitCommit && item.gitCommit && item.gitCommit !== gitCommit)
+        return false;
+    return true;
+}
+function evidenceSummary(item, packageVersion, gitCommit) {
+    if (!item.taskId)
+        return 'No matching passed public evidence record was found.';
+    if (!item.artifactExists)
+        return `${item.taskId} at ${item.time} has no linked public evidence artifact.`;
+    if (item.artifactSchemaValid !== true)
+        return `${item.taskId} at ${item.time} has a linked artifact, but schema validation failed.`;
+    if (item.sourceOk !== true)
+        return `${item.taskId} at ${item.time} has a linked artifact, but source report ok is not true.`;
+    if (item.result !== 'passed')
+        return `${item.taskId} at ${item.time} is not a passed evidence record.`;
+    if (item.code === 'PACKAGE_SMOKE_EVIDENCE' && (item.category !== 'package-smoke' || item.mode !== 'local')) {
+        return `${item.taskId} at ${item.time} does not match expected package-smoke category/mode.`;
+    }
+    if (item.code === 'CLEAN_CHECKOUT_SMOKE_EVIDENCE' && (item.category !== 'clean-checkout-smoke' || item.mode !== 'execute')) {
+        return `${item.taskId} at ${item.time} does not match expected clean-checkout category/mode.`;
+    }
+    if (item.code === 'RELEASE_ARTIFACT_EVIDENCE') {
+        if (item.category !== 'release-artifact' || item.mode !== 'execute')
+            return `${item.taskId} at ${item.time} does not match expected release-artifact category/mode.`;
+        if (item.packageVersion !== packageVersion)
+            return `${item.taskId} at ${item.time} package version ${item.packageVersion ?? 'unknown'} does not match current ${packageVersion}.`;
+        if (!item.manifestHash)
+            return `${item.taskId} at ${item.time} does not expose a release artifact manifest hash.`;
+    }
+    if (gitCommit && item.gitCommit && item.gitCommit !== gitCommit)
+        return `${item.taskId} at ${item.time} git commit ${item.gitCommit} does not match current ${gitCommit}.`;
+    return `${item.taskId} at ${item.time} has a current schema-valid public artifact.`;
+}
+function evidenceRequirements() {
+    return [
+        {
+            code: 'PACKAGE_SMOKE_EVIDENCE',
+            name: 'Package smoke evidence',
+            category: 'package-smoke',
+            mode: 'local',
+            predicate: (record) => record.result === 'passed' &&
+                record.visibility === 'public' &&
+                record.evidencePath !== undefined &&
+                (includesAll(record.summary, ['package smoke', '--execute']) || includesAny(record.evidencePath, ['artifacts/package-smoke'])) &&
+                includesAny(`${record.summary}\n${record.evidencePath}`, ['--attach-evidence', 'artifacts/package-smoke', 'hadara.packageSmoke.v1'])
+        },
+        {
+            code: 'CLEAN_CHECKOUT_SMOKE_EVIDENCE',
+            name: 'Clean checkout smoke evidence',
+            category: 'clean-checkout-smoke',
+            mode: 'execute',
+            predicate: (record) => record.result === 'passed' &&
+                record.visibility === 'public' &&
+                record.evidencePath !== undefined &&
+                (includesAll(record.summary, ['smoke clean-checkout', '--execute']) || includesAny(record.evidencePath, ['artifacts/clean-checkout-smoke'])) &&
+                includesAny(`${record.summary}\n${record.evidencePath}`, ['--attach-evidence', 'artifacts/clean-checkout-smoke', 'hadara.cleanCheckoutSmoke.v1'])
+        },
+        {
+            code: 'RELEASE_ARTIFACT_EVIDENCE',
+            name: 'Release artifact evidence',
+            category: 'release-artifact',
+            mode: 'execute',
+            predicate: (record) => record.result === 'passed' &&
+                record.visibility === 'public' &&
+                record.evidencePath !== undefined &&
+                includesAll(record.summary, ['release artifact', '--execute']) &&
+                includesAny(record.summary, ['artifacts/release-artifact', 'hadara.releaseArtifact.v1', 'generated tarball/checksum/manifest'])
+        }
+    ];
+}
+function evidenceName(code) {
+    return evidenceRequirements().find((requirement) => requirement.code === code)?.name ?? code;
+}
+function readPackageMetadata(projectRoot) {
+    try {
+        const parsed = JSON.parse(node_fs_1.default.readFileSync(node_path_1.default.join(projectRoot, 'package.json'), 'utf8'));
+        if (!isRecord(parsed))
+            return { name: 'unknown', version: 'unknown' };
+        return {
+            name: typeof parsed.name === 'string' ? parsed.name : 'unknown',
+            version: typeof parsed.version === 'string' ? parsed.version : 'unknown'
+        };
+    }
+    catch {
+        return { name: 'unknown', version: 'unknown' };
+    }
+}
+function includesAll(text, needles) {
+    return needles.every((needle) => text.includes(needle));
+}
+function includesAny(text, needles) {
+    return needles.some((needle) => text.includes(needle));
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}

package/dist/services/release-evidence.js

@@ -0,0 +1,138 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readReleaseEvidenceRecords = readReleaseEvidenceRecords;
+exports.validateReleaseEvidenceArtifact = validateReleaseEvidenceArtifact;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const schema_1 = require("../core/schema");
+function readReleaseEvidenceRecords(projectRoot) {
+    const tasksDir = node_path_1.default.join(projectRoot, 'tasks');
+    if (!node_fs_1.default.existsSync(tasksDir))
+        return [];
+    return node_fs_1.default
+        .readdirSync(tasksDir, { withFileTypes: true })
+        .filter((entry) => entry.isDirectory() && /^T-\d{4}-/.test(entry.name))
+        .flatMap((entry) => readTaskEvidenceRecords(node_path_1.default.join(tasksDir, entry.name)));
+}
+function validateReleaseEvidenceArtifact(record) {
+    if (!record.evidencePath)
+        return { exists: false, issues: ['EVIDENCE_ARTIFACT_PATH_MISSING'] };
+    const taskRoot = node_path_1.default.resolve(record.taskDir);
+    const artifactPath = node_path_1.default.resolve(record.taskDir, record.evidencePath);
+    if (!artifactPath.startsWith(`${taskRoot}${node_path_1.default.sep}`))
+        return { exists: false, issues: ['EVIDENCE_ARTIFACT_OUTSIDE_TASK'] };
+    if (!node_fs_1.default.existsSync(artifactPath))
+        return { exists: false, issues: ['EVIDENCE_ARTIFACT_MISSING'] };
+    try {
+        const content = node_fs_1.default.readFileSync(artifactPath, 'utf8');
+        const parsed = JSON.parse(content);
+        if (!isRecord(parsed) || typeof parsed.schemaVersion !== 'string') {
+            return { exists: true, schemaValid: false, issues: ['EVIDENCE_ARTIFACT_SCHEMA_MISSING'] };
+        }
+        if (parsed.schemaVersion === 'hadara.smokeEvidenceSummary.v1') {
+            const sourceReport = isRecord(parsed.sourceReport) ? parsed.sourceReport : {};
+            return {
+                exists: true,
+                schemaVersion: parsed.schemaVersion,
+                schemaValid: (0, schema_1.validateSchema)('hadara.smokeEvidenceSummary.v1', parsed).ok,
+                sourceOk: sourceReport.ok === true,
+                category: typeof parsed.category === 'string' ? parsed.category : undefined,
+                mode: typeof sourceReport.mode === 'string' ? sourceReport.mode : undefined,
+                packageVersion: readOptionalString(parsed.packageVersion) ?? readOptionalString(sourceReport.packageVersion),
+                gitCommit: readOptionalString(parsed.gitCommit) ?? readOptionalString(sourceReport.gitCommit),
+                issues: []
+            };
+        }
+        if (parsed.schemaVersion === 'hadara.releaseArtifact.v1') {
+            const artifacts = Array.isArray(parsed.artifacts) ? parsed.artifacts : [];
+            const manifest = artifacts.find((artifact) => isRecord(artifact) && artifact.kind === 'manifest');
+            const evidence = isRecord(parsed.evidence) ? parsed.evidence : {};
+            return {
+                exists: true,
+                schemaVersion: parsed.schemaVersion,
+                schemaValid: (0, schema_1.validateSchema)('hadara.releaseArtifact.v1', parsed).ok,
+                sourceOk: parsed.ok === true,
+                category: 'release-artifact',
+                mode: typeof parsed.mode === 'string' ? parsed.mode : undefined,
+                packageVersion: isRecord(parsed.package) ? readOptionalString(parsed.package.version) : undefined,
+                gitCommit: readOptionalString(evidence.gitCommit) ?? readOptionalString(parsed.gitCommit),
+                manifestHash: readOptionalString(manifest?.hash),
+                issues: []
+            };
+        }
+        if (parsed.schemaVersion === 'hadara.releaseArtifact.manifest.v1') {
+            return {
+                exists: true,
+                schemaVersion: parsed.schemaVersion,
+                schemaValid: (0, schema_1.validateSchema)('hadara.releaseArtifact.manifest.v1', parsed).ok,
+                sourceOk: true,
+                category: 'release-artifact',
+                mode: 'execute',
+                packageVersion: isRecord(parsed.package) ? readOptionalString(parsed.package.version) : undefined,
+                manifestHash: `sha256:${sha256(content)}`,
+                issues: []
+            };
+        }
+        return {
+            exists: true,
+            schemaVersion: parsed.schemaVersion,
+            schemaValid: false,
+            issues: ['EVIDENCE_ARTIFACT_SCHEMA_UNSUPPORTED']
+        };
+    }
+    catch {
+        return { exists: true, schemaValid: false, issues: ['EVIDENCE_ARTIFACT_INVALID_JSON'] };
+    }
+}
+function readTaskEvidenceRecords(taskDir) {
+    const evidencePath = node_path_1.default.join(taskDir, 'evidence.jsonl');
+    if (!node_fs_1.default.existsSync(evidencePath))
+        return [];
+    return node_fs_1.default
+        .readFileSync(evidencePath, 'utf8')
+        .split(/\r?\n/)
+        .map((line) => {
+        if (line.trim() === '')
+            return null;
+        try {
+            const parsed = JSON.parse(line);
+            if (!isRecord(parsed))
+                return null;
+            if (parsed.schemaVersion !== 'hadara.evidence.v1')
+                return null;
+            if (typeof parsed.time !== 'string' || typeof parsed.summary !== 'string')
+                return null;
+            if (typeof parsed.taskId !== 'string' || typeof parsed.kind !== 'string')
+                return null;
+            if (typeof parsed.result !== 'string' || typeof parsed.visibility !== 'string')
+                return null;
+            return {
+                taskId: parsed.taskId,
+                taskDir,
+                time: parsed.time,
+                kind: parsed.kind,
+                summary: parsed.summary,
+                result: parsed.result,
+                visibility: parsed.visibility,
+                ...(typeof parsed.evidencePath === 'string' ? { evidencePath: parsed.evidencePath } : {})
+            };
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((record) => record !== null);
+}
+function readOptionalString(value) {
+    return typeof value === 'string' && value.trim() !== '' ? value : undefined;
+}
+function sha256(content) {
+    return node_crypto_1.default.createHash('sha256').update(content, 'utf8').digest('hex');
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}

package/dist/services/release-publish.js

@@ -0,0 +1,163 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createReleasePublishReport = createReleasePublishReport;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const schema_1 = require("../core/schema");
+const audit_1 = require("../core/audit");
+const release_dry_run_1 = require("./release-dry-run");
+const CONFIRMATION_PHRASE = 'publish-deploy';
+function createReleasePublishReport(options) {
+    const mode = options.mode ?? 'dry-run';
+    const env = options.env ?? process.env;
+    const metadata = readPackageMetadata(options.projectRoot);
+    const metadataPublishable = !metadata.private && /^0\.1\.0-rc\.\d+$/.test(metadata.packageVersion);
+    const dryRun = (0, release_dry_run_1.createReleaseDryRunReport)(options.projectRoot);
+    const approval = {
+        required: true,
+        actorProvided: Boolean(options.approvalActor),
+        reasonProvided: Boolean(options.approvalReason),
+        confirmationProvided: options.confirm === CONFIRMATION_PHRASE
+    };
+    const checks = [
+        {
+            code: 'RELEASE_DRY_RUN',
+            name: 'Release dry-run readiness',
+            status: dryRun.ok ? 'passed' : 'error',
+            summary: dryRun.ok ? 'Release dry-run prerequisites passed.' : 'Release dry-run prerequisites must pass before publish/deploy.'
+        },
+        {
+            code: 'PACKAGE_PUBLISHABLE_METADATA',
+            name: 'Package publishable metadata',
+            status: metadataPublishable ? 'passed' : 'error',
+            summary: metadataPublishable ? 'Package metadata is in release-candidate mode.' : 'Package metadata must be 0.1.0-rc.N with private false before publish/deploy readiness can pass.'
+        },
+        {
+            code: 'APPROVAL_RECORD',
+            name: 'Approval record',
+            status: mode === 'dry-run' || (approval.actorProvided && approval.reasonProvided && approval.confirmationProvided) ? 'passed' : 'error',
+            summary: mode === 'dry-run'
+                ? 'Dry-run mode records approval requirements without requiring approval metadata.'
+                : 'Execute mode requires approval actor, reason, and confirmation phrase.'
+        },
+        {
+            code: 'NPM_TOKEN_PRESENCE',
+            name: 'NPM token presence',
+            status: env.NPM_TOKEN ? 'passed' : mode === 'dry-run' ? 'warning' : 'error',
+            summary: env.NPM_TOKEN ? 'NPM_TOKEN is present; token value is not read into the report.' : 'NPM_TOKEN is not present.'
+        },
+        {
+            code: 'GITHUB_RELEASE_TOKEN_PRESENCE',
+            name: 'GitHub Release token presence',
+            status: env.HADARA_GITHUB_RELEASE_TOKEN || env.GITHUB_TOKEN ? 'passed' : mode === 'dry-run' ? 'warning' : 'error',
+            summary: env.HADARA_GITHUB_RELEASE_TOKEN || env.GITHUB_TOKEN
+                ? 'A GitHub Release token name is present; token value is not read into the report.'
+                : 'No GitHub Release token is present.'
+        },
+        {
+            code: 'DOCKER_TARGET_DEFERRED',
+            name: 'Docker target deferred',
+            status: 'passed',
+            summary: 'Docker image publishing remains deferred.'
+        },
+        {
+            code: 'NO_MUTATION_EXECUTED',
+            name: 'No release mutation executed',
+            status: 'passed',
+            summary: 'This command reports gates and never publishes, creates GitHub Releases, or builds Docker images.'
+        }
+    ];
+    const issues = checks
+        .filter((check) => check.status !== 'passed')
+        .map((check) => ({
+        severity: check.status === 'error' ? 'error' : 'warning',
+        code: `${check.code}_${check.status === 'error' ? 'BLOCKED' : 'WARNING'}`,
+        message: `${check.name}: ${check.summary}`
+    }));
+    const audit = writeReleasePublishAudit(options, mode, issues);
+    const report = {
+        schemaVersion: 'hadara.releasePublish.v1',
+        command: 'release.publish',
+        mode,
+        ok: mode === 'dry-run' ? checks.every((check) => check.status !== 'error') : false,
+        current: metadata,
+        approval,
+        releaseTargets: [
+            {
+                id: 'npm-publish',
+                target: 'npm-package',
+                status: dryRun.ok && metadataPublishable && env.NPM_TOKEN ? 'ready' : 'blocked',
+                tokenName: 'NPM_TOKEN',
+                tokenPresent: Boolean(env.NPM_TOKEN),
+                willExecute: false,
+                summary: 'npm publish remains blocked until all gates pass and a future mutation-capable release runner is explicitly approved.'
+            },
+            {
+                id: 'github-release',
+                target: 'github-release',
+                status: dryRun.ok && metadataPublishable && (env.HADARA_GITHUB_RELEASE_TOKEN || env.GITHUB_TOKEN) ? 'ready' : 'blocked',
+                tokenName: env.HADARA_GITHUB_RELEASE_TOKEN ? 'HADARA_GITHUB_RELEASE_TOKEN' : 'GITHUB_TOKEN',
+                tokenPresent: Boolean(env.HADARA_GITHUB_RELEASE_TOKEN || env.GITHUB_TOKEN),
+                willExecute: false,
+                summary: 'GitHub Release creation remains blocked until all gates pass and a future mutation-capable release runner is explicitly approved.'
+            },
+            {
+                id: 'docker-image',
+                target: 'docker-image',
+                status: 'deferred',
+                willExecute: false,
+                summary: 'Docker image publishing is deferred by the current release target decision.'
+            }
+        ],
+        checks,
+        privacy: {
+            tokenValuesIncluded: false,
+            rawLogsIncluded: false,
+            privatePathsIncluded: false,
+            publishExecuted: false,
+            githubReleaseCreated: false,
+            dockerImageBuilt: false
+        },
+        ...(audit ? { audit } : {}),
+        issues
+    };
+    (0, schema_1.assertSchema)('hadara.releasePublish.v1', report);
+    return report;
+}
+function readPackageMetadata(projectRoot) {
+    const parsed = JSON.parse(node_fs_1.default.readFileSync(node_path_1.default.join(projectRoot, 'package.json'), 'utf8'));
+    return {
+        packageName: typeof parsed.name === 'string' ? parsed.name : 'unknown',
+        packageVersion: typeof parsed.version === 'string' ? parsed.version : 'unknown',
+        private: parsed.private === true
+    };
+}
+function writeReleasePublishAudit(options, mode, issues) {
+    if (mode !== 'execute')
+        return undefined;
+    if (!options.auditDir) {
+        return {
+            attempted: true,
+            written: false
+        };
+    }
+    (0, audit_1.writeAuditEvent)(options.auditDir, {
+        actor: 'user',
+        event_type: 'release.publish.execute.requested',
+        risk: 'blocked',
+        summary: 'Release publish/deploy execute request was blocked before mutation.',
+        payload: {
+            approvalActorProvided: Boolean(options.approvalActor),
+            approvalReasonProvided: Boolean(options.approvalReason),
+            confirmationProvided: options.confirm === CONFIRMATION_PHRASE,
+            issueCodes: issues.map((issue) => issue.code)
+        }
+    });
+    return {
+        attempted: true,
+        written: true
+    };
+}

package/dist/services/smoke-evidence.js

@@ -0,0 +1,104 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachReducedSmokeEvidence = attachReducedSmokeEvidence;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const fs_1 = require("../core/fs");
+const evidence_1 = require("../evidence/evidence");
+const redaction_1 = require("../core/redaction");
+function attachReducedSmokeEvidence(input) {
+    const taskDir = findTaskDir(input.projectRoot, input.taskId);
+    if (!taskDir) {
+        throw new Error(`Task capsule not found: ${input.taskId}`);
+    }
+    const time = new Date().toISOString();
+    const summaryContent = createReducedSummary(input, time);
+    const content = JSON.stringify(summaryContent, null, 2);
+    const policy = (0, evidence_1.createPublicEvidenceArtifactPolicyReport)(content);
+    if (policy.blocking) {
+        throw new evidence_1.EvidenceArtifactPolicyError('PUBLIC_ARTIFACT_SECRET_DETECTED', 'Public smoke evidence summary contains secret-like content; collect raw logs privately or reduce the report first.', policy.redaction);
+    }
+    const artifactDir = node_path_1.default.join(taskDir, 'artifacts', input.category);
+    (0, fs_1.ensureDir)(artifactDir);
+    const targetPath = node_path_1.default.join(artifactDir, `${safeFilePart(time)}-summary.json`);
+    node_fs_1.default.writeFileSync(targetPath, content, 'utf8');
+    const evidencePath = toPortablePath(node_path_1.default.relative(taskDir, targetPath));
+    const summary = (0, redaction_1.redactSecrets)(input.summary.replace(/\|/g, '/'));
+    const evidence = {
+        schemaVersion: 'hadara.evidence.v1',
+        time,
+        taskId: input.taskId,
+        kind: input.kind,
+        summary,
+        result: input.result,
+        visibility: 'public',
+        evidencePath
+    };
+    appendEvidenceMarkdown(taskDir, evidence);
+    node_fs_1.default.appendFileSync(node_path_1.default.join(taskDir, 'evidence.jsonl'), `${JSON.stringify(evidence)}\n`, 'utf8');
+    return {
+        evidence,
+        artifact: {
+            kind: 'summary',
+            visibility: 'public',
+            evidencePath: toPortablePath(node_path_1.default.join('tasks', node_path_1.default.basename(taskDir), evidencePath)),
+            rawContentIncluded: false
+        }
+    };
+}
+function createReducedSummary(input, time) {
+    return {
+        schemaVersion: 'hadara.smokeEvidenceSummary.v1',
+        time,
+        taskId: input.taskId,
+        category: input.category,
+        sourceReport: {
+            schemaVersion: input.report.schemaVersion,
+            command: input.report.command,
+            mode: input.report.mode,
+            ok: input.report.ok
+        },
+        execution: input.report.execution,
+        steps: input.report.steps.map((step) => ({
+            id: step.id,
+            label: step.label,
+            status: step.status,
+            ...(step.exitCode === undefined ? {} : { exitCode: step.exitCode }),
+            ...(step.elapsedMs === undefined ? {} : { elapsedMs: step.elapsedMs }),
+            summary: step.summary
+        })),
+        privacy: input.report.privacy,
+        issues: input.report.issues.map((issue) => ({
+            severity: issue.severity,
+            code: issue.code,
+            message: issue.message,
+            ...(issue.stepId ? { stepId: issue.stepId } : {})
+        })),
+        rawLogsIncluded: false,
+        privatePathsIncluded: false,
+        rawPackageContentsIncluded: false
+    };
+}
+function appendEvidenceMarkdown(taskDir, evidence) {
+    const markdownPath = node_path_1.default.join(taskDir, 'EVIDENCE.md');
+    if (!node_fs_1.default.existsSync(markdownPath)) {
+        node_fs_1.default.writeFileSync(markdownPath, '# Evidence\n\n| Time | Kind | Summary | Result |\n|---|---|---|---|\n', 'utf8');
+    }
+    node_fs_1.default.appendFileSync(markdownPath, `| ${evidence.time} | ${evidence.kind} | ${evidence.summary} (${evidence.evidencePath}) | ${evidence.result} |\n`, 'utf8');
+}
+function findTaskDir(projectRoot, taskId) {
+    const tasksDir = node_path_1.default.join(projectRoot, 'tasks');
+    if (!node_fs_1.default.existsSync(tasksDir))
+        return null;
+    const entry = node_fs_1.default.readdirSync(tasksDir).find((name) => name.startsWith(`${taskId}-`));
+    return entry ? node_path_1.default.join(tasksDir, entry) : null;
+}
+function safeFilePart(value) {
+    return value.replace(/[^A-Za-z0-9._-]+/g, '-').replace(/^-+|-+$/g, '') || 'artifact';
+}
+function toPortablePath(value) {
+    return value.split(node_path_1.default.sep).join('/');
+}