job-forge 2.14.46 → 2.14.47

package/.cursor/rules/main.mdc

@@ -30,7 +30,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [H6] Application outcomes flow through `batch/tracker-additions/*.tsv`, not `data/pipeline.md`. After any multi-apply run, the orchestrator MUST run `npx job-forge merge` then `npx job-forge verify` before ending the session.
   why: `pipeline.md` is the URL inbox (`[ ]` pending → `[x]` processed); `data/applications/YYYY-MM-DD.md` is the outcome log; the TSV pathway is the only safe bridge because `merge` handles column order and duplicate detection
 
-- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, and lineage records returned by `npx job-forge lineage:explain ...`.
+- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, lineage records returned by `npx job-forge lineage:explain ...`, and verified `.jobforge-receipts/*.agent.zip` paths checked with `npx job-forge receipts:verify ...`.
   why: 2026-04-18 scan subagent returned 30 fabricated Greenhouse IDs in prose (plausible-looking, non-existent); orchestrator dispatched 30 downstream subagents that all 404'd. Subagents can hallucinate IDs, scores, and confirmation text — round-trip through a file or don't trust the value
 
 - [H8] Never paste proxy values from `config/profile.yml` into `task` prompts, status text, or summaries. If a proxy is configured, tell the subagent exactly: "Proxy is configured; read `config/profile.yml` and pass its top-level `proxy:` object plus `headless: true`, `browserMode: \"stock\"`, `blockDetection: true`, and `blockedSitePolicy: \"manual-handoff\"` to every `geometra_connect` call and every Geometra auto-connect call that passes `pageUrl` or `url`." Do not transcribe `server`, `username`, `password`, or `bypass`, even if you just read them from disk.
@@ -62,7 +62,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D7] For standalone `batch` runs, prefer `batch/batch-runner.sh` instead of hand-rolling the loop. It delegates to `@agent-pattern-labs/iso-orchestrator`, persists workflow records in `.jobforge-runs/`, caps bundle fan-out, and mutexes state/report-number writes. Use `JOBFORGE_LEGACY_BATCH_RUNNER=1` only as a fallback.
   why: the old Bash loop encoded resumability and parallelism manually; the iso-orchestrator path makes the durable control state inspectable and prevents report-number collisions under parallel bundles
 
-- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
+- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, receipts, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
   why: the helper ecosystem is now broad enough that repeating every command in the shared prefix wastes cache budget; the reference keeps operational details on demand while `npm run lint:helpers` enforces integration drift in code
 
 ## Procedure
@@ -76,7 +76,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4, D8].
 9. Merge contract-validated TSV outcomes [H6, D8].
-10. Verify tracker and run postflight check before ending [H6, D8].
+10. Verify tracker and run postflight check before ending [H6, D8]. For irreversible or trust-sensitive boundaries only (application submitted, blocked-site manual handoff, release, repro, inter-agent handoff), create and verify a receipt from the relevant artifacts with `npx job-forge receipts:create ...` and `npx job-forge receipts:verify ...` [D8].
 
 ## Routing
 

package/AGENTS.md

@@ -25,7 +25,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [H6] Application outcomes flow through `batch/tracker-additions/*.tsv`, not `data/pipeline.md`. After any multi-apply run, the orchestrator MUST run `npx job-forge merge` then `npx job-forge verify` before ending the session.
   why: `pipeline.md` is the URL inbox (`[ ]` pending → `[x]` processed); `data/applications/YYYY-MM-DD.md` is the outcome log; the TSV pathway is the only safe bridge because `merge` handles column order and duplicate detection
 
-- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, and lineage records returned by `npx job-forge lineage:explain ...`.
+- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, lineage records returned by `npx job-forge lineage:explain ...`, and verified `.jobforge-receipts/*.agent.zip` paths checked with `npx job-forge receipts:verify ...`.
   why: 2026-04-18 scan subagent returned 30 fabricated Greenhouse IDs in prose (plausible-looking, non-existent); orchestrator dispatched 30 downstream subagents that all 404'd. Subagents can hallucinate IDs, scores, and confirmation text — round-trip through a file or don't trust the value
 
 - [H8] Never paste proxy values from `config/profile.yml` into `task` prompts, status text, or summaries. If a proxy is configured, tell the subagent exactly: "Proxy is configured; read `config/profile.yml` and pass its top-level `proxy:` object plus `headless: true`, `browserMode: \"stock\"`, `blockDetection: true`, and `blockedSitePolicy: \"manual-handoff\"` to every `geometra_connect` call and every Geometra auto-connect call that passes `pageUrl` or `url`." Do not transcribe `server`, `username`, `password`, or `bypass`, even if you just read them from disk.
@@ -57,7 +57,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D7] For standalone `batch` runs, prefer `batch/batch-runner.sh` instead of hand-rolling the loop. It delegates to `@agent-pattern-labs/iso-orchestrator`, persists workflow records in `.jobforge-runs/`, caps bundle fan-out, and mutexes state/report-number writes. Use `JOBFORGE_LEGACY_BATCH_RUNNER=1` only as a fallback.
   why: the old Bash loop encoded resumability and parallelism manually; the iso-orchestrator path makes the durable control state inspectable and prevents report-number collisions under parallel bundles
 
-- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
+- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, receipts, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
   why: the helper ecosystem is now broad enough that repeating every command in the shared prefix wastes cache budget; the reference keeps operational details on demand while `npm run lint:helpers` enforces integration drift in code
 
 ## Procedure
@@ -71,7 +71,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4, D8].
 9. Merge contract-validated TSV outcomes [H6, D8].
-10. Verify tracker and run postflight check before ending [H6, D8].
+10. Verify tracker and run postflight check before ending [H6, D8]. For irreversible or trust-sensitive boundaries only (application submitted, blocked-site manual handoff, release, repro, inter-agent handoff), create and verify a receipt from the relevant artifacts with `npx job-forge receipts:create ...` and `npx job-forge receipts:verify ...` [D8].
 
 ## Routing
 

package/CLAUDE.md

@@ -25,7 +25,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [H6] Application outcomes flow through `batch/tracker-additions/*.tsv`, not `data/pipeline.md`. After any multi-apply run, the orchestrator MUST run `npx job-forge merge` then `npx job-forge verify` before ending the session.
   why: `pipeline.md` is the URL inbox (`[ ]` pending → `[x]` processed); `data/applications/YYYY-MM-DD.md` is the outcome log; the TSV pathway is the only safe bridge because `merge` handles column order and duplicate detection
 
-- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, and lineage records returned by `npx job-forge lineage:explain ...`.
+- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, lineage records returned by `npx job-forge lineage:explain ...`, and verified `.jobforge-receipts/*.agent.zip` paths checked with `npx job-forge receipts:verify ...`.
   why: 2026-04-18 scan subagent returned 30 fabricated Greenhouse IDs in prose (plausible-looking, non-existent); orchestrator dispatched 30 downstream subagents that all 404'd. Subagents can hallucinate IDs, scores, and confirmation text — round-trip through a file or don't trust the value
 
 - [H8] Never paste proxy values from `config/profile.yml` into `task` prompts, status text, or summaries. If a proxy is configured, tell the subagent exactly: "Proxy is configured; read `config/profile.yml` and pass its top-level `proxy:` object plus `headless: true`, `browserMode: \"stock\"`, `blockDetection: true`, and `blockedSitePolicy: \"manual-handoff\"` to every `geometra_connect` call and every Geometra auto-connect call that passes `pageUrl` or `url`." Do not transcribe `server`, `username`, `password`, or `bypass`, even if you just read them from disk.
@@ -57,7 +57,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D7] For standalone `batch` runs, prefer `batch/batch-runner.sh` instead of hand-rolling the loop. It delegates to `@agent-pattern-labs/iso-orchestrator`, persists workflow records in `.jobforge-runs/`, caps bundle fan-out, and mutexes state/report-number writes. Use `JOBFORGE_LEGACY_BATCH_RUNNER=1` only as a fallback.
   why: the old Bash loop encoded resumability and parallelism manually; the iso-orchestrator path makes the durable control state inspectable and prevents report-number collisions under parallel bundles
 
-- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
+- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, receipts, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
   why: the helper ecosystem is now broad enough that repeating every command in the shared prefix wastes cache budget; the reference keeps operational details on demand while `npm run lint:helpers` enforces integration drift in code
 
 ## Procedure
@@ -71,7 +71,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4, D8].
 9. Merge contract-validated TSV outcomes [H6, D8].
-10. Verify tracker and run postflight check before ending [H6, D8].
+10. Verify tracker and run postflight check before ending [H6, D8]. For irreversible or trust-sensitive boundaries only (application submitted, blocked-site manual handoff, release, repro, inter-agent handoff), create and verify a receipt from the relevant artifacts with `npx job-forge receipts:create ...` and `npx job-forge receipts:verify ...` [D8].
 
 ## Routing
 

package/README.md

@@ -65,7 +65,7 @@ JobForge is built for selective, high-fit applications. It is not intended for s
 - Scans configured company portals and job boards.
 - Tracks applications, follow-ups, rejections, offers, reports, and PDFs.
 - Supports batch evaluation and application work through bounded subagents.
-- Uses local helper CLIs for dedupe, scoring, lineage, preflight, postflight, and tracker integrity.
+- Uses local helper CLIs for dedupe, scoring, lineage, preflight, postflight, receipts, and tracker integrity.
 
 ## Common Commands
 
@@ -78,6 +78,7 @@ Run these from your personal project root after `npm install`.
 | Merge batch tracker additions | `npx job-forge merge` |
 | Generate a CV PDF from the current project | `npx job-forge pdf` |
 | Show token usage | `npx job-forge tokens --days 1` |
+| Create a verifiable evidence receipt | `npx job-forge receipts:create --artifact <file>` |
 | Rebuild harness symlinks | `npx job-forge sync` |
 | Upgrade the harness | `npm run update-harness` |
 

package/bin/create-job-forge.mjs

@@ -198,6 +198,12 @@ const consumerPkg = {
     'redact:verify': 'job-forge redact:verify',
     'redact:apply': 'job-forge redact:apply',
     'redact:explain': 'job-forge redact:explain',
+    'receipts:create': 'job-forge receipts:create',
+    'receipts:capture': 'job-forge receipts:capture',
+    'receipts:verify': 'job-forge receipts:verify',
+    'receipts:inspect': 'job-forge receipts:inspect',
+    'receipts:redact': 'job-forge receipts:redact',
+    'receipts:path': 'job-forge receipts:path',
     'migrate:plan': 'job-forge migrate:plan',
     'migrate:apply': 'job-forge migrate:apply',
     'migrate:check': 'job-forge migrate:check',
@@ -317,6 +323,7 @@ Before doing any work, remember where things live in *this* project:
 | Dispatch preflight policy | \`templates/preflight.json\` | Safe apply rounds/gates; use \`job-forge preflight:*\` |
 | Dispatch postflight policy | \`templates/postflight.json\` | Safe apply settlement; use \`job-forge postflight:*\` |
 | Consumer migrations | \`templates/migrations.json\` | Safe script/gitignore upgrades; use \`job-forge migrate:*\` |
+| Evidence receipts | \`.jobforge-receipts/\` | Portable verifiable work receipts; use \`job-forge receipts:*\` |
 | Scanner config | \`portals.yml\` (project root) | Company configs |
 | Profile / identity | \`config/profile.yml\` | Candidate name, email, target roles |
 | CV | \`cv.md\` (project root) | Markdown, source of truth |
@@ -417,6 +424,7 @@ data/timeline-events.jsonl
 .jobforge-mcp/
 .jobforge-runs/
 .jobforge-redacted/
+.jobforge-receipts/
 reports/
 !reports/.gitkeep
 batch/batch-state.tsv

package/bin/job-forge.mjs

@@ -36,6 +36,7 @@
  *   prioritize:*   Rank local next-action queues via iso-prioritize
  *   lineage:*      Record artifact lineage and stale outputs via iso-lineage
  *   redact:*       Sanitize local exports via iso-redact
+ *   receipts:*     Create/verify/redact portable JobForge evidence receipts
  *   migrate:*      Apply deterministic consumer-project migrations via iso-migrate
  *   sync           Re-run the harness symlink sync (bin/sync.mjs)
  *   help, --help   Show this message
@@ -230,6 +231,15 @@ const redactAliases = {
   'redact:path': 'path',
 };
 
+const receiptsAliases = {
+  'receipts:create': 'create',
+  'receipts:capture': 'capture',
+  'receipts:verify': 'verify',
+  'receipts:inspect': 'inspect',
+  'receipts:redact': 'redact',
+  'receipts:path': 'path',
+};
+
 const migrateAliases = {
   'migrate:plan': 'plan',
   'migrate:apply': 'apply',
@@ -332,6 +342,11 @@ Commands:
   redact:verify           Fail if local text still contains sensitive values
   redact:apply            Write a sanitized copy of local text
   redact:explain          Show the active redaction policy
+  receipts:create         Create a portable receipt from JobForge artifacts
+  receipts:capture        Capture a command's stdout/stderr into a receipt
+  receipts:verify         Verify a receipt manifest and artifact hashes
+  receipts:inspect        Summarize a receipt without unpacking it
+  receipts:redact         Redact a receipt with templates/redact.json
   migrate:plan            Preview deterministic consumer-project migrations
   migrate:apply           Apply deterministic consumer-project migrations
   migrate:check           Fail if migrations are pending
@@ -394,6 +409,8 @@ Pass --help after a command to see its own flags, e.g.:
   job-forge lineage:check --artifact reports/123-acme-2026-04-27.md
   job-forge redact:scan --input raw-session.jsonl
   job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl
+  job-forge receipts:create --company "Acme" --role "Staff Engineer" --artifact batch/tracker-additions/123-acme.tsv --include-ledger
+  job-forge receipts:verify .jobforge-receipts/receipt.agent.zip
   job-forge migrate:check
   job-forge migrate:apply
 
@@ -675,6 +692,21 @@ if (cmd === 'redact' || redactAliases[cmd]) {
   process.exit(result.status ?? 1);
 }
 
+if (cmd === 'receipts' || receiptsAliases[cmd]) {
+  const receiptsArgs = cmd === 'receipts'
+    ? (rest.length === 0 ? ['help'] : rest)
+    : [receiptsAliases[cmd], ...rest];
+
+  const scriptPath = join(PKG_ROOT, 'scripts/receipts.mjs');
+  const result = spawnSync(process.execPath, [scriptPath, ...receiptsArgs], {
+    stdio: 'inherit',
+    cwd: PROJECT_DIR,
+    env: process.env,
+  });
+
+  process.exit(result.status ?? 1);
+}
+
 if (cmd === 'migrate' || migrateAliases[cmd]) {
   const migrateArgs = cmd === 'migrate'
     ? (rest.length === 0 ? ['help'] : rest)

package/docs/ARCHITECTURE.md

@@ -169,6 +169,7 @@ data/pipeline.md        →  Pending URLs and `local:jds/...` inbox (see modes/p
 .jobforge-timeline.json  →  Deterministic follow-up action plan built from templates/timeline.json
 .jobforge-prioritize.json → Deterministic next-action priority queue built from templates/prioritize.json
 .jobforge-lineage.json   →  Artifact lineage graph for stale report/PDF checks
+.jobforge-receipts/      →  Portable evidence receipts for side-effect, handoff, release, blocked-site, and repro boundaries
 jds/*.md                 →  Saved job descriptions referenced from the pipeline (`local:jds/{file}`)
 templates/states.yml     →  Canonical status values
 templates/canon.json      →  Canonical URL/company/role identity keys
@@ -197,6 +198,7 @@ Create `data/pipeline.md` when you start using the URL inbox (`/job-forge pipeli
 - Timeline: `.jobforge-timeline.json` (created on demand by `job-forge timeline:*`; gitignored local next-action state)
 - Prioritize: `.jobforge-prioritize.json` and `.jobforge-prioritize-items.json` (created on demand by `job-forge prioritize:*`; gitignored local ranking state)
 - Lineage: `.jobforge-lineage.json` (created by `job-forge lineage:record`; gitignored local stale-output state)
+- Receipts: `.jobforge-receipts/*.agent.zip` (created by `job-forge receipts:create` / `receipts:capture`; gitignored local evidence bundles)
 - Canon: `templates/canon.json` (identity rules inspected with `job-forge canon:*`)
 - Score: `templates/score.json` (weighted rubric and gates inspected with `job-forge score:*`)
 - Timeline policy: `templates/timeline.json` (follow-up windows inspected with `job-forge timeline:*`)
@@ -266,6 +268,7 @@ Scripts maintain data consistency. In a consumer project they're invoked via the
 | `scripts/preflight.mjs` | `npx job-forge preflight:plan` / `preflight:check` / `preflight:explain` | Deterministic `@agent-pattern-labs/iso-preflight` dispatch planning for file-backed candidate facts and gates |
 | `scripts/postflight.mjs` | `npx job-forge postflight:status` / `postflight:check` / `postflight:explain` | Deterministic `@agent-pattern-labs/iso-postflight` settlement for dispatch outcomes, required tracker TSV artifacts, and merge/verify post-steps |
 | `scripts/redact.mjs` | `npx job-forge redact:scan` / `redact:apply` / `redact:verify` | Deterministic `@agent-pattern-labs/iso-redact` safe-export scanning and sanitization for traces, prompts, reports, and fixtures |
+| `scripts/receipts.mjs` | `npx job-forge receipts:create` / `receipts:verify` / `receipts:redact` | Portable JobForge evidence receipts for side-effect, release, blocked-site, repro, and inter-agent handoff boundaries |
 | `scripts/migrate.mjs` | `npx job-forge migrate:plan` / `migrate:apply` / `migrate:check` | Deterministic `@agent-pattern-labs/iso-migrate` consumer-project upgrades for scripts and generated-artifact ignores |
 | `scripts/check-helper-integration.mjs` | `npm run lint:helpers` | Integration lint that keeps helper packages, scripts, scaffolder defaults, migrations, generated ignores, docs, and `modes/reference-local-helpers.md` aligned |
 | `tracker-lib.mjs` | _(library)_ | Shared helpers for reading/writing day-based tracker files — imported by merge/dedup/verify/normalize |

package/docs/CUSTOMIZATION.md

@@ -190,6 +190,10 @@ Application settlement policy lives in `templates/postflight.json` and is checke
 
 Safe-export redaction rules live in `templates/redact.json` and are enforced locally by `@agent-pattern-labs/iso-redact`. Use `job-forge redact:scan --input <file>` before sharing traces, prompts, reports, or fixtures outside the project, `job-forge redact:apply --input <file> --output .jobforge-redacted/<file>` to write a sanitized copy, and `job-forge redact:verify --input <file>` to fail if secrets or configured PII remain. Findings never print matched values. This is not an MCP and does not add prompt or tool-schema tokens.
 
+## JobForge evidence receipts
+
+Evidence receipts live under `.jobforge-receipts/` and are created locally by `job-forge receipts:*`. Use them at side-effect boundaries such as application submission, blocked-site manual handoff, release, repro, or inter-agent handoff. `receipts:create` can attach tracker TSVs, reports, portal snapshots/form schemas, Geometra replay files, filtered ledger events, proof payloads, and verdicts; `receipts:verify` checks manifest hashes; `receipts:redact` applies `templates/redact.json` before sharing. Routine reads and ordinary local edits do not need receipts.
+
 ## JobForge consumer migrations
 
 Consumer-project migrations live in `templates/migrations.json` and are applied locally by `@agent-pattern-labs/iso-migrate`. `job-forge sync` applies safe migrations automatically after refreshing symlinks; use `JOB_FORGE_SKIP_MIGRATIONS=1` to opt out. Use `job-forge migrate:plan`, `job-forge migrate:apply`, and `job-forge migrate:check` to inspect or enforce script/gitignore drift explicitly. This is not an MCP and does not add prompt or tool-schema tokens.

package/docs/README.md

@@ -31,7 +31,7 @@ The harness exposes a single CLI (`job-forge`) installed as a `bin` entry. In a
 
 | What you need | Where to read |
 |---------------|---------------|
-| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `capabilities`, `context`, `cache`, `index`, `facts`, `score`, `canon`, `timeline`, `prioritize`, `lineage`, `preflight`, `postflight`, `redact`, `migrate`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
+| Full command list (`verify`, `merge`, `dedup`, `normalize`, `pdf`, `sync-check`, `tokens`, `trace`, `telemetry`, `guard`, `ledger`, `capabilities`, `context`, `cache`, `index`, `facts`, `score`, `canon`, `timeline`, `prioritize`, `lineage`, `preflight`, `postflight`, `redact`, `receipts`, `migrate`, `sync`). | [SETUP.md — Tracker and scripts (terminal)](SETUP.md#tracker-and-scripts-terminal). |
 | What each harness `.mjs` script does. | [ARCHITECTURE.md — Pipeline integrity](ARCHITECTURE.md#pipeline-integrity) and the scripts table underneath. |
 | Batch runner, TSV layout, and `batch/tracker-additions/` merge flow. | [batch/README.md](../batch/README.md). |
 | PR gate for harness contributions (`npm run verify` + `npm run smoke:iso` + `npm run build:dashboard`). | [CONTRIBUTING.md — Development](../CONTRIBUTING.md#development). |

package/docs/SETUP.md

@@ -145,6 +145,8 @@ From your project root, these commands maintain the tracker and pipeline checks.
 | Fail unless dispatch outcomes and post-steps are complete | `npx job-forge postflight:check --plan batch/preflight-plan.json --outcomes batch/postflight-outcomes.json` | `npm run postflight:check -- --plan ... --outcomes ...` |
 | Sanitize local text before exporting it | `npx job-forge redact:apply --input raw-session.jsonl --output .jobforge-redacted/session.jsonl` | `npm run redact:apply -- --input ... --output ...` |
 | Verify local text is safe to export | `npx job-forge redact:verify --input .jobforge-redacted/session.jsonl` | `npm run redact:verify -- --input ...` |
+| Create a verifiable work receipt | `npx job-forge receipts:create --company "Acme" --role "Staff Engineer" --artifact batch/tracker-additions/example.tsv --include-ledger` | `npm run receipts:create -- --company ... --role ... --artifact ... --include-ledger` |
+| Verify or redact a receipt | `npx job-forge receipts:verify .jobforge-receipts/example.agent.zip` | `npm run receipts:verify -- .jobforge-receipts/example.agent.zip` |
 | Inspect pending consumer migrations | `npx job-forge migrate:plan` | `npm run migrate:plan` |
 | Map status column to canonical labels | `npx job-forge normalize` | `npm run normalize` |
 | Merge duplicate company/role rows | `npx job-forge dedup` | `npm run dedup` |

package/iso/instructions.md

@@ -25,7 +25,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [H6] Application outcomes flow through `batch/tracker-additions/*.tsv`, not `data/pipeline.md`. After any multi-apply run, the orchestrator MUST run `npx job-forge merge` then `npx job-forge verify` before ending the session.
   why: `pipeline.md` is the URL inbox (`[ ]` pending → `[x]` processed); `data/applications/YYYY-MM-DD.md` is the outcome log; the TSV pathway is the only safe bridge because `merge` handles column order and duplicate detection
 
-- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, and lineage records returned by `npx job-forge lineage:explain ...`.
+- [H7] Load-bearing facts passed to downstream subagents must originate from a file, not from prior subagent prose. Authoritative sources: `data/pipeline.md`, `data/scan-history.tsv`, `batch/scan-output-*.md`, `reports/{num}-*.md` with `**URL:**` / `**Score:**` headers, emitted score JSON validated by `npx job-forge score:check --input ...`, `batch/tracker-additions/*.tsv`, cached JD content returned by `npx job-forge cache:get --url ...`, source path/line pointers returned by `npx job-forge index:query ...`, materialized fact records returned by `npx job-forge facts:query ...`, selected next actions returned by `npx job-forge prioritize:select ...`, lineage records returned by `npx job-forge lineage:explain ...`, and verified `.jobforge-receipts/*.agent.zip` paths checked with `npx job-forge receipts:verify ...`.
   why: 2026-04-18 scan subagent returned 30 fabricated Greenhouse IDs in prose (plausible-looking, non-existent); orchestrator dispatched 30 downstream subagents that all 404'd. Subagents can hallucinate IDs, scores, and confirmation text — round-trip through a file or don't trust the value
 
 - [H8] Never paste proxy values from `config/profile.yml` into `task` prompts, status text, or summaries. If a proxy is configured, tell the subagent exactly: "Proxy is configured; read `config/profile.yml` and pass its top-level `proxy:` object plus `headless: true`, `browserMode: \"stock\"`, `blockDetection: true`, and `blockedSitePolicy: \"manual-handoff\"` to every `geometra_connect` call and every Geometra auto-connect call that passes `pageUrl` or `url`." Do not transcribe `server`, `username`, `password`, or `bypass`, even if you just read them from disk.
@@ -57,7 +57,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 - [D7] For standalone `batch` runs, prefer `batch/batch-runner.sh` instead of hand-rolling the loop. It delegates to `@agent-pattern-labs/iso-orchestrator`, persists workflow records in `.jobforge-runs/`, caps bundle fan-out, and mutexes state/report-number writes. Use `JOBFORGE_LEGACY_BATCH_RUNNER=1` only as a fallback.
   why: the old Bash loop encoded resumability and parallelism manually; the iso-orchestrator path makes the durable control state inspectable and prevents report-number collisions under parallel bundles
 
-- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
+- [D8] Use deterministic local helpers instead of prose when they can answer or validate state, identity, policy, scoring, timing, dispatch, priority, lineage, migration, receipts, or safe-export questions. Read `modes/reference-local-helpers.md` when choosing a helper or changing helper wiring.
   why: the helper ecosystem is now broad enough that repeating every command in the shared prefix wastes cache budget; the reference keeps operational details on demand while `npm run lint:helpers` enforces integration drift in code
 
 ## Procedure
@@ -71,7 +71,7 @@ AI-powered job search pipeline: scans portals, evaluates offers, generates CVs v
 7. Cross-check subagent facts against authoritative files [H7].
 8. Apply score gate [D4, D8].
 9. Merge contract-validated TSV outcomes [H6, D8].
-10. Verify tracker and run postflight check before ending [H6, D8].
+10. Verify tracker and run postflight check before ending [H6, D8]. For irreversible or trust-sensitive boundaries only (application submitted, blocked-site manual handoff, release, repro, inter-agent handoff), create and verify a receipt from the relevant artifacts with `npx job-forge receipts:create ...` and `npx job-forge receipts:verify ...` [D8].
 
 ## Routing
 

package/modes/reference-local-helpers.md

@@ -13,6 +13,7 @@ Prefer a local helper when the workflow needs:
 - One-shot rendered browser snapshots or form schemas.
 - Scoring, timing, priority, or lineage decisions.
 - Safe export checks.
+- Evidence bundles at side-effect, release, handoff, blocked-site, or repro boundaries.
 
 Do not paste whole helper outputs into prompts unless the downstream agent needs that exact file-backed result. Prefer passing paths, ids, keys, and short summaries.
 
@@ -40,6 +41,7 @@ Do not paste whole helper outputs into prompts unless the downstream agent needs
 | Follow-up timing | `templates/timeline.json` | `npx job-forge timeline:*` |
 | Next-action ranking | `templates/prioritize.json` | `npx job-forge prioritize:*` |
 | Artifact lineage | `.jobforge-lineage.json` | `npx job-forge lineage:*` |
+| Evidence receipts | `.jobforge-receipts/` | `npx job-forge receipts:*` |
 
 ## Mandatory Uses
 
@@ -50,6 +52,7 @@ Do not paste whole helper outputs into prompts unless the downstream agent needs
 - For next-action or replacement-candidate selection, run `prioritize:build` or `prioritize:select --limit N`.
 - For generated reports or PDFs reused after input changes, run `lineage:check --artifact <file>` if lineage exists; after creating derived artifacts, record them with `lineage:record --artifact <file> --input <source>...`.
 - Before exporting traces, prompts, reports, or fixtures outside the project, run `redact:scan`, `redact:apply`, or `redact:verify`.
+- After irreversible or trust-sensitive actions, create a receipt with `receipts:create` from the relevant tracker TSV, report, portal snapshot/form schema, and filtered ledger events. Use `receipts:verify` before treating a receipt as a workflow gate, and `receipts:redact` before sharing it outside the project.
 - When diagnosing consumer harness drift, run `migrate:plan` or `migrate:check`; `job-forge sync` applies safe migrations automatically unless `JOB_FORGE_SKIP_MIGRATIONS=1` is set.
 - When you only need a rendered page model, compact snapshot, or form schema from one URL, prefer `portal:snapshot` / `portal:form-schema` over Geometra MCP tool calls. Use MCP for interactive multi-step browser sessions.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "job-forge",
-  "version": "2.14.46",
+  "version": "2.14.47",
   "description": "AI-powered job search pipeline built on opencode",
   "type": "module",
   "bin": {
@@ -106,6 +106,12 @@
     "redact:verify": "node bin/job-forge.mjs redact:verify",
     "redact:apply": "node bin/job-forge.mjs redact:apply",
     "redact:explain": "node bin/job-forge.mjs redact:explain",
+    "receipts:create": "node bin/job-forge.mjs receipts:create",
+    "receipts:capture": "node bin/job-forge.mjs receipts:capture",
+    "receipts:verify": "node bin/job-forge.mjs receipts:verify",
+    "receipts:inspect": "node bin/job-forge.mjs receipts:inspect",
+    "receipts:redact": "node bin/job-forge.mjs receipts:redact",
+    "receipts:path": "node bin/job-forge.mjs receipts:path",
     "migrate:plan": "node bin/job-forge.mjs migrate:plan",
     "migrate:apply": "node bin/job-forge.mjs migrate:apply",
     "migrate:check": "node bin/job-forge.mjs migrate:check",
@@ -195,6 +201,7 @@
     "@agent-pattern-labs/iso-postflight": "^0.1.1",
     "@agent-pattern-labs/iso-preflight": "^0.1.1",
     "@agent-pattern-labs/iso-prioritize": "^0.1.1",
+    "@agent-pattern-labs/iso-receipts": "^0.1.0",
     "@agent-pattern-labs/iso-redact": "^0.1.1",
     "@agent-pattern-labs/iso-score": "^0.1.1",
     "@agent-pattern-labs/iso-timeline": "^0.1.1",

package/scripts/check-helper-integration.mjs

@@ -35,6 +35,7 @@ const groups = [
   helper('prioritize', '@agent-pattern-labs/iso-prioritize', ['status', 'items', 'build', 'rank', 'select', 'check', 'verify', 'explain'], { template: 'templates/prioritize.json', artifacts: ['.jobforge-prioritize.json', '.jobforge-prioritize-items.json'], migrated: true }),
   helper('lineage', '@agent-pattern-labs/iso-lineage', ['status', 'record', 'check', 'stale', 'verify', 'explain'], { artifacts: ['.jobforge-lineage.json'], migrated: true }),
   helper('redact', '@agent-pattern-labs/iso-redact', ['scan', 'verify', 'apply', 'explain'], { template: 'templates/redact.json', artifacts: ['.jobforge-redacted/'], migrated: true }),
+  helper('receipts', '', ['create', 'capture', 'verify', 'inspect', 'redact', 'path'], { artifacts: ['.jobforge-receipts/'], migrated: true }),
   helper('migrate', '@agent-pattern-labs/iso-migrate', ['plan', 'apply', 'check', 'explain'], { template: 'templates/migrations.json', migrated: true }),
 ];
 

package/scripts/receipts.mjs

@@ -0,0 +1,488 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  statSync,
+} from 'node:fs';
+import { basename, dirname, isAbsolute, join, relative, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+import { PROJECT_DIR } from '../tracker-lib.mjs';
+import {
+  companyRoleKey,
+  legacyCompanyRoleKey,
+  legacyUrlKey,
+  readJobForgeLedger,
+  slugPart,
+  urlKey,
+} from '../lib/jobforge-ledger.mjs';
+import { readJobForgeRedactConfig } from '../lib/jobforge-redact.mjs';
+
+const RECEIPTS_DIR = '.jobforge-receipts';
+const USAGE = `job-forge receipts - portable local evidence receipts
+
+Usage:
+  job-forge receipts:create [--kind <kind>] [--out <receipt.agent.zip|dir>] [--subject <text>] [--run-id <id>]
+    [--url <url>] [--company <name> --role <role>] [--status <status>]
+    [--artifact <file> ...] [--geometra <file> ...] [--portal <file> ...]
+    [--include-ledger | --all-ledger] [--verdict <json|@file>] [--proof <json|@file>] [--redact] [--json]
+  job-forge receipts:capture [--out <receipt.agent.zip|dir>] [--subject <text>] [--run-id <id>] [--json] -- <command> [args...]
+  job-forge receipts:verify <receipt.agent.zip|dir> [--json]
+  job-forge receipts:inspect <receipt.agent.zip|dir> [--json]
+  job-forge receipts:redact <receipt.agent.zip|dir> --out <receipt.agent.zip|dir> [--json]
+  job-forge receipts:path
+
+Use receipts at workflow boundaries: application submission, blocked-site
+manual handoff, release, repro, or inter-agent handoff. Do not create receipts
+for routine reads or ordinary local edits.`;
+
+const [cmd = 'help', ...rawArgs] = process.argv.slice(2);
+const opts = parseArgs(rawArgs);
+
+if (opts.help || cmd === 'help' || cmd === '--help' || cmd === '-h') {
+  console.log(USAGE);
+  process.exit(0);
+}
+
+try {
+  const receipts = await loadIsoReceipts();
+  if (cmd === 'path') {
+    console.log(receiptsDir());
+  } else if (cmd === 'create') {
+    await create(receipts, opts);
+  } else if (cmd === 'capture') {
+    await capture(receipts, opts);
+  } else if (cmd === 'verify') {
+    verify(receipts, opts);
+  } else if (cmd === 'inspect') {
+    inspect(receipts, opts);
+  } else if (cmd === 'redact') {
+    redact(receipts, opts);
+  } else {
+    console.error(`unknown receipts command "${cmd}"\n`);
+    console.error(USAGE);
+    process.exit(2);
+  }
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+function parseArgs(args) {
+  const opts = {
+    artifacts: [],
+    geometra: [],
+    portal: [],
+    command: [],
+    json: false,
+    help: false,
+    includeLedger: false,
+    allLedger: false,
+    redact: false,
+  };
+  let afterDoubleDash = false;
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (afterDoubleDash) {
+      opts.command.push(arg);
+    } else if (arg === '--') {
+      afterDoubleDash = true;
+    } else if (arg === '--json') {
+      opts.json = true;
+    } else if (arg === '--redact') {
+      opts.redact = true;
+    } else if (arg === '--include-ledger') {
+      opts.includeLedger = true;
+    } else if (arg === '--all-ledger') {
+      opts.allLedger = true;
+    } else if (arg === '--out' || arg === '-o') {
+      opts.out = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--out=')) {
+      opts.out = arg.slice('--out='.length);
+    } else if (arg === '--kind') {
+      opts.kind = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--kind=')) {
+      opts.kind = arg.slice('--kind='.length);
+    } else if (arg === '--subject') {
+      opts.subject = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--subject=')) {
+      opts.subject = arg.slice('--subject='.length);
+    } else if (arg === '--run-id') {
+      opts.runId = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--run-id=')) {
+      opts.runId = arg.slice('--run-id='.length);
+    } else if (arg === '--url') {
+      opts.url = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--url=')) {
+      opts.url = arg.slice('--url='.length);
+    } else if (arg === '--company') {
+      opts.company = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--company=')) {
+      opts.company = arg.slice('--company='.length);
+    } else if (arg === '--role') {
+      opts.role = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--role=')) {
+      opts.role = arg.slice('--role='.length);
+    } else if (arg === '--status') {
+      opts.status = valueAfter(args, ++i, arg);
+    } else if (arg.startsWith('--status=')) {
+      opts.status = arg.slice('--status='.length);
+    } else if (arg === '--artifact') {
+      opts.artifacts.push(valueAfter(args, ++i, arg));
+    } else if (arg.startsWith('--artifact=')) {
+      opts.artifacts.push(arg.slice('--artifact='.length));
+    } else if (arg === '--geometra') {
+      opts.geometra.push(valueAfter(args, ++i, arg));
+    } else if (arg.startsWith('--geometra=')) {
+      opts.geometra.push(arg.slice('--geometra='.length));
+    } else if (arg === '--portal') {
+      opts.portal.push(valueAfter(args, ++i, arg));
+    } else if (arg.startsWith('--portal=')) {
+      opts.portal.push(arg.slice('--portal='.length));
+    } else if (arg === '--verdict') {
+      opts.verdict = readJsonArg(valueAfter(args, ++i, arg), arg);
+    } else if (arg.startsWith('--verdict=')) {
+      opts.verdict = readJsonArg(arg.slice('--verdict='.length), '--verdict');
+    } else if (arg === '--proof') {
+      opts.proof = readJsonArg(valueAfter(args, ++i, arg), arg);
+    } else if (arg.startsWith('--proof=')) {
+      opts.proof = readJsonArg(arg.slice('--proof='.length), '--proof');
+    } else if (arg === '--help' || arg === '-h') {
+      opts.help = true;
+    } else if (!arg.startsWith('--') && !opts.input) {
+      opts.input = arg;
+    } else {
+      throw new Error(`unknown argument "${arg}"`);
+    }
+  }
+  return opts;
+}
+
+function valueAfter(values, index, flag) {
+  const value = values[index];
+  if (!value || value.startsWith('--')) throw new Error(`${flag} requires a value`);
+  return value;
+}
+
+async function create(receipts, opts) {
+  const kind = opts.kind || 'application';
+  const artifacts = opts.artifacts.map((path) => fileInput(path, 'artifacts'));
+  const geometraReplay = [
+    ...opts.geometra.map((path) => fileInput(path, 'geometra-replay')),
+    ...opts.portal.map((path) => fileInput(path, 'geometra-replay')),
+  ];
+  const events = [
+    {
+      type: 'jobforge.receipt.created',
+      data: compactObject({
+        kind,
+        url: opts.url,
+        company: opts.company,
+        role: opts.role,
+        status: opts.status,
+      }),
+      meta: { source: 'job-forge' },
+    },
+  ];
+
+  if (opts.includeLedger || opts.allLedger) {
+    const ledger = selectLedgerEvents(opts);
+    artifacts.push({
+      path: 'artifacts/jobforge-ledger-events.jsonl',
+      content: `${ledger.map((event) => JSON.stringify(event)).join('\n')}${ledger.length ? '\n' : ''}`,
+      kind: 'artifact',
+      contentType: 'application/jsonl',
+    });
+    events.push({
+      type: 'jobforge.ledger.snapshot',
+      data: {
+        count: ledger.length,
+        all: Boolean(opts.allLedger),
+        filters: ledgerFilters(opts),
+      },
+      meta: { source: 'job-forge' },
+    });
+  }
+
+  let receipt = receipts.createReceipt({
+    subject: subjectFor(opts, kind),
+    runId: opts.runId,
+    generator: { name: 'job-forge', version: packageVersion() },
+    events,
+    artifacts,
+    geometraReplay,
+    verdict: opts.verdict,
+    proof: opts.proof,
+    extensions: {
+      jobforge: compactObject({
+        kind,
+        projectDir: PROJECT_DIR,
+        url: opts.url,
+        company: opts.company,
+        role: opts.role,
+        status: opts.status,
+      }),
+    },
+  });
+  if (opts.redact) receipt = receipts.redactReceipt(receipt, {
+    policy: readJobForgeRedactConfig(PROJECT_DIR),
+    policyName: 'templates/redact.json',
+  });
+
+  const out = resolveOutputPath(opts.out || defaultReceiptPath(kind, opts));
+  writeOutput(receipts, receipt, out);
+  const verifyResult = receipts.verifyReceipt(receipt);
+  output(opts, {
+    out,
+    receiptId: receipt.manifest.receiptId,
+    entries: receipt.manifest.entries.length,
+    verify: verifyResult,
+  }, () => {
+    console.log(`receipts: wrote ${relativePath(out)} (${receipt.manifest.receiptId})`);
+    console.log(receipts.formatReceiptVerifyResult(verifyResult));
+  });
+}
+
+async function capture(receipts, opts) {
+  if (opts.command.length === 0) throw new Error('capture requires a command after --');
+  const startedAt = new Date().toISOString();
+  const started = Date.now();
+  const result = spawnSync(opts.command[0], opts.command.slice(1), {
+    cwd: PROJECT_DIR,
+    encoding: 'buffer',
+    maxBuffer: 64 * 1024 * 1024,
+  });
+  const endedAt = new Date().toISOString();
+  const durationMs = Date.now() - started;
+  const exitCode = result.status ?? (result.error ? 127 : null);
+
+  const receipt = receipts.createReceipt({
+    subject: opts.subject || `jobforge:command:${opts.command[0]}`,
+    runId: opts.runId,
+    generator: { name: 'job-forge', version: packageVersion() },
+    command: {
+      argv: opts.command,
+      cwd: PROJECT_DIR,
+      exitCode,
+      signal: result.signal ?? null,
+      startedAt,
+      endedAt,
+      durationMs,
+    },
+    environment: {
+      platform: process.platform,
+      arch: process.arch,
+      node: process.version,
+    },
+    events: [
+      { type: 'jobforge.command.started', at: startedAt, data: { argv: opts.command, cwd: PROJECT_DIR } },
+      {
+        type: 'jobforge.command.exited',
+        at: endedAt,
+        data: compactObject({
+          exitCode,
+          signal: result.signal,
+          durationMs,
+          error: result.error?.message,
+        }),
+      },
+    ],
+    artifacts: [
+      { path: 'artifacts/stdout.txt', content: result.stdout || Buffer.alloc(0), contentType: 'text/plain' },
+      { path: 'artifacts/stderr.txt', content: result.stderr || Buffer.alloc(0), contentType: 'text/plain' },
+    ],
+  });
+
+  const out = resolveOutputPath(opts.out || defaultReceiptPath('command', opts));
+  writeOutput(receipts, receipt, out);
+  output(opts, {
+    out,
+    receiptId: receipt.manifest.receiptId,
+    exitCode,
+  }, () => {
+    console.log(`receipts: wrote ${relativePath(out)} (${receipt.manifest.receiptId}, command exit ${exitCode ?? 'signal'})`);
+  });
+}
+
+function verify(receipts, opts) {
+  if (!opts.input) throw new Error('verify requires a receipt path');
+  const result = receipts.verifyReceipt(resolveInputPath(opts.input));
+  output(opts, result, () => console.log(receipts.formatReceiptVerifyResult(result)));
+  if (!result.ok) process.exit(1);
+}
+
+function inspect(receipts, opts) {
+  if (!opts.input) throw new Error('inspect requires a receipt path');
+  const result = receipts.inspectReceipt(resolveInputPath(opts.input));
+  output(opts, result, () => console.log(receipts.formatReceiptInspectResult(result)));
+}
+
+function redact(receipts, opts) {
+  if (!opts.input) throw new Error('redact requires a receipt path');
+  if (!opts.out) throw new Error('redact requires --out <path>');
+  const redacted = receipts.redactReceipt(receipts.readReceipt(resolveInputPath(opts.input)), {
+    policy: readJobForgeRedactConfig(PROJECT_DIR),
+    policyName: 'templates/redact.json',
+  });
+  const out = resolveOutputPath(opts.out);
+  writeOutput(receipts, redacted, out);
+  output(opts, {
+    out,
+    receiptId: redacted.manifest.receiptId,
+    redaction: redacted.manifest.redaction,
+  }, () => {
+    console.log(`receipts: redacted ${redacted.manifest.receiptId} to ${relativePath(out)}`);
+  });
+}
+
+function fileInput(input, bucket) {
+  const path = resolveInputPath(input);
+  if (!existsSync(path)) throw new Error(`artifact not found: ${input}`);
+  if (!statSync(path).isFile()) throw new Error(`artifact is not a file: ${input}`);
+  return {
+    path: receiptArtifactPath(path, bucket),
+    content: readFileSync(path),
+    kind: bucket === 'geometra-replay' ? 'geometra-replay' : 'artifact',
+  };
+}
+
+function receiptArtifactPath(path, bucket) {
+  const rel = relative(PROJECT_DIR, path).replace(/\\/g, '/');
+  if (rel && !rel.startsWith('../') && rel !== '..' && !isAbsolute(rel)) return `${bucket}/${rel}`;
+  return `${bucket}/external/${basename(path)}`;
+}
+
+function selectLedgerEvents(opts) {
+  const events = readJobForgeLedger(PROJECT_DIR);
+  if (opts.allLedger) return statusFiltered(events, opts.status);
+  const keys = ledgerFilterKeys(opts);
+  if (keys.length === 0) {
+    throw new Error('--include-ledger requires --url or --company/--role; use --all-ledger to attach every ledger event');
+  }
+  return statusFiltered(events.filter((event) => keys.includes(event.key)), opts.status);
+}
+
+function ledgerFilterKeys(opts) {
+  const keys = [];
+  if (opts.url) keys.push(urlKey(opts.url, PROJECT_DIR), legacyUrlKey(opts.url));
+  if (opts.company || opts.role) {
+    if (!opts.company || !opts.role) throw new Error('--company and --role must be provided together');
+    keys.push(companyRoleKey(opts.company, opts.role, PROJECT_DIR), legacyCompanyRoleKey(opts.company, opts.role));
+  }
+  return [...new Set(keys)];
+}
+
+function statusFiltered(events, status) {
+  if (!status) return events;
+  return events.filter((event) => event.data?.status === status);
+}
+
+function ledgerFilters(opts) {
+  return compactObject({
+    url: opts.url,
+    company: opts.company,
+    role: opts.role,
+    status: opts.status,
+    keys: ledgerFilterKeys(opts),
+  });
+}
+
+function subjectFor(opts, kind) {
+  if (opts.subject) return opts.subject;
+  if (opts.company && opts.role) return `jobforge:application:${companyRoleKey(opts.company, opts.role, PROJECT_DIR)}`;
+  if (opts.url) return `jobforge:url:${urlKey(opts.url, PROJECT_DIR)}`;
+  if (opts.runId) return `jobforge:run:${opts.runId}`;
+  return `jobforge:${kind}`;
+}
+
+function defaultReceiptPath(kind, opts) {
+  const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const seed = opts.company || opts.role || opts.url || opts.subject || opts.runId || kind;
+  const slug = slugPart(seed).slice(0, 80) || kind;
+  return join(RECEIPTS_DIR, `${stamp}-${slug}.agent.zip`);
+}
+
+function writeOutput(receipts, receipt, out) {
+  mkdirSync(dirname(out), { recursive: true });
+  if (out.endsWith('.zip')) receipts.packReceipt(receipt, out);
+  else receipts.writeReceiptDirectory(receipt, out);
+}
+
+async function loadIsoReceipts() {
+  const explicit = process.env.JOB_FORGE_ISO_RECEIPTS_MODULE;
+  if (explicit) return import(pathToFileURL(resolve(explicit)).href);
+
+  try {
+    return await import('@agent-pattern-labs/iso-receipts');
+  } catch {
+    const scriptDir = dirname(fileURLToPath(import.meta.url));
+    const sibling = resolve(scriptDir, '../../iso/packages/iso-receipts/dist/index.js');
+    if (existsSync(sibling)) return import(pathToFileURL(sibling).href);
+    throw new Error(
+      'Could not load @agent-pattern-labs/iso-receipts. Install dependencies, ' +
+      'or build the sibling iso repo so ../iso/packages/iso-receipts/dist/index.js exists.',
+    );
+  }
+}
+
+function packageVersion() {
+  try {
+    const pkgPath = resolve(dirname(fileURLToPath(import.meta.url)), '..', 'package.json');
+    return JSON.parse(readFileSync(pkgPath, 'utf8')).version;
+  } catch {
+    return undefined;
+  }
+}
+
+function readJsonArg(raw, flag) {
+  const text = raw.startsWith('@') ? readFileSync(resolveInputPath(raw.slice(1)), 'utf8') : raw;
+  try {
+    const parsed = JSON.parse(text);
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) throw new Error('expected object');
+    return parsed;
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`${flag}: invalid JSON: ${detail}`);
+  }
+}
+
+function resolveInputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function resolveOutputPath(path) {
+  return isAbsolute(path) ? path : resolve(PROJECT_DIR, path);
+}
+
+function receiptsDir() {
+  return join(PROJECT_DIR, RECEIPTS_DIR);
+}
+
+function relativePath(path) {
+  return relative(PROJECT_DIR, path) || '.';
+}
+
+function output(opts, jsonValue, textWriter) {
+  if (opts.json) console.log(JSON.stringify(jsonValue, null, 2));
+  else textWriter();
+}
+
+function compactObject(obj) {
+  const out = {};
+  for (const [key, value] of Object.entries(obj || {})) {
+    const clean = jsonValue(value);
+    if (clean !== undefined) out[key] = clean;
+  }
+  return out;
+}
+
+function jsonValue(value) {
+  if (value === undefined) return undefined;
+  if (value === null) return null;
+  if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') return value;
+  if (Array.isArray(value)) return value.map(jsonValue).filter((item) => item !== undefined);
+  if (typeof value === 'object') return compactObject(value);
+  return String(value);
+}

package/templates/migrations.json

@@ -84,6 +84,12 @@
             "redact:verify": "job-forge redact:verify",
             "redact:apply": "job-forge redact:apply",
             "redact:explain": "job-forge redact:explain",
+            "receipts:create": "job-forge receipts:create",
+            "receipts:capture": "job-forge receipts:capture",
+            "receipts:verify": "job-forge receipts:verify",
+            "receipts:inspect": "job-forge receipts:inspect",
+            "receipts:redact": "job-forge receipts:redact",
+            "receipts:path": "job-forge receipts:path",
             "migrate:plan": "job-forge migrate:plan",
             "migrate:apply": "job-forge migrate:apply",
             "migrate:check": "job-forge migrate:check",
@@ -114,6 +120,7 @@
             ".jobforge-lineage.json",
             ".jobforge-mcp/",
             ".jobforge-redacted/",
+            ".jobforge-receipts/",
             "data/timeline-events.jsonl",
             "batch/preflight-candidates.json",
             "batch/preflight-plan.json",