loopgen 0.6.2 → 0.7.0

package/README.md

@@ -4,24 +4,28 @@
 [![CI](https://github.com/Nagiici/Loopgen/actions/workflows/ci.yml/badge.svg)](https://github.com/Nagiici/Loopgen/actions/workflows/ci.yml)
 [![license: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 
-**Run your AI's coding loop — and prove its work actually passed.**
+**The vendor-neutral verification & provenance gate for AI-generated code — bring your own agent.**
 
-Any model can *write* an `AGENTS.md`. loopgen does the part a stateless model can't: it **runs** a bounded
-loop, executes your real `test` / `lint` / `build` and **gates success on the exit codes**, **enforces**
-forbidden-path and iteration limits, and writes a **tamper-evident, hash-chained audit log + proof report**.
-Works with Claude Code, Codex, Cursor, and local models (Ollama, LM Studio, llama.cpp).
+Whatever agent writes the code — Claude Code, Codex, Cursor, or a local model — loopgen does the part a
+stateless model can't: it **runs** your real `test` / `lint` / `build`, **gates on the exit codes**,
+**enforces** forbidden-path and iteration limits, and records the run in a hash-chained ledger. Locally
+that's **tamper-evident evidence**; in CI it signs the entry against the **Sigstore/Rekor** public
+transparency log — a **verifiable, signed attestation** you can gate merges on.
 
 ```bash
 npx loopgen init             # scan your repo + pick bounded-loop templates (local wizard, nothing written)
-npx loopgen run test-repair  # run the loop, verify it, and leave proof it passed (exits 0/1 for CI)
+npx loopgen run test-repair  # run + verify the loop; leave tamper-evident evidence (signed in CI) — exits 0/1
 ```
 
-- ✅ **Prove the work** — `loopgen run` executes a loop, gates on your *real* verification commands, and
-  writes an auditable record a chatbot cannot. *Referee* mode verifies any agent's change; *driven* mode
-  drives a **local model** itself and **blocks forbidden writes before they land**.
+- ✅ **Verify the work** — `loopgen run` executes a loop, gates on your *real* verification commands, checks
+  forbidden paths, and writes a hash-chained audit a chatbot cannot. *Referee* mode verifies any agent's
+  change; *driven* mode drives a **local model** itself and **blocks forbidden writes before they land**.
+- 🔏 **Attest the work** — run it in CI and loopgen signs the audit entry against the **Sigstore/Rekor**
+  public transparency log (keyless — no keys to manage): a **verifiable, signed attestation** bound to the
+  commit, not just a local self-attested log. [Evidence vs. proof →](docs/THREAT-MODEL.md)
 - 🧾 **Govern the agents** — `loopgen audit` rolls up every dev's hash-chained ledger into a report + a
   self-contained HTML dashboard, and a CI **merge gate** (`audit check`, also a GitHub Action) blocks PRs
-  that lack passing, untampered proof.
+  that lack passing, untampered — and optionally **attested** — proof.
 - 🏠 **Local-first & open source (MIT)** — no telemetry, no cloud; drives only your local models; API keys
   are referenced by env-var name only.
 
@@ -35,20 +39,23 @@ npx loopgen run test-repair  # run the loop, verify it, and leave proof it passe
 
 ### 项目简介
 
-**跑你的 AI 编码循环 —— 并证明它的工作真的通过了。** 任何模型都能*写*一个 `AGENTS.md`;loopgen 做的是
-模型本身做不到的那部分:**执行**一个有界循环,跑你真实的 `test` / `lint` / `build` 并**按退出码判定通过/
-失败**,**强制**禁止路径与迭代上限,并写下一条**带哈希链、防篡改的审计 + 证明报告**。支持 Claude Code、
-Codex、Cursor 和本地模型(Ollama、LM Studio、llama.cpp)。
+**面向 AI 生成代码的厂商中立「验证 + 溯源」闸门 —— 自带 agent。** 无论代码由谁写(Claude Code、Codex、
+Cursor 或本地模型),loopgen 做的是无状态模型做不到的那部分:**执行**你真实的 `test` / `lint` / `build`、
+**按退出码判定**、**强制**禁止路径与迭代上限,并把这次运行记进一条哈希链账本。本地运行得到的是**防篡改证据
+(tamper-evident evidence)**;在 CI 里它会把这条记录对 **Sigstore/Rekor** 公开透明日志签名 —— 一份可被
+第三方校验的**签名证明(attestation)**,可直接用于合并闸门。
 
 ```bash
 npx loopgen init             # 扫描仓库 + 选择有界循环模板(本地向导,不写文件)
 npx loopgen run test-repair  # 跑这个循环、验证它,并留下「通过」的证据(退出码 0/1,可接 CI)
 ```
 
-- ✅ **证明工作** —— `loopgen run` 执行循环、按你的真实验证命令判定、写下 chatbot 做不到的可审计记录。
-  *referee* 模式验证任意 agent 的改动;*driven* 模式自己驱动**本地模型**,并在**落盘前拦截禁止路径写入**。
+- ✅ **验证工作** —— `loopgen run` 执行循环、按你的真实验证命令判定、检查禁止路径,写下 chatbot 做不到的
+  哈希链审计。*referee* 模式验证任意 agent 的改动;*driven* 模式自己驱动**本地模型**,并在**落盘前拦截禁止路径写入**。
+- 🔏 **签名证明** —— 在 CI 里运行,loopgen 会把审计条目对 **Sigstore/Rekor** 公开透明日志签名(keyless,
+  无需自管密钥):一份绑定 commit、**可被第三方校验的签名证明**,而非仅本地自证日志。[证据 vs 证明 →](docs/THREAT-MODEL.md)
 - 🧾 **治理 agent** —— `loopgen audit` 把每个开发者的哈希链账本聚合成报告 + 自包含 HTML 看板,CI **合并闸门**
-  (`audit check`,也有现成 GitHub Action)挡住「缺少通过/未被篡改证据」的 PR。
+  (`audit check`,也有现成 GitHub Action)挡住「缺少通过/未被篡改、以及可选未签名证明」的 PR。
 - 🏠 **local-first & 开源(MIT)** —— 无遥测、无云调用;只驱动你的本地模型;API key 仅按环境变量名引用。
 
 > 仍可先用内置 demo 预览:`loopgen init` 不需要真实项目、也不会写入文件。生成的可审查文件包括
@@ -433,11 +440,11 @@ npm run loopgen -- run [loop] [project]
 
 `apply` always shows a diff first. Without `--yes`, it asks for confirmation before writing files.
 
-### Run & prove the work (`loopgen run`)
+### Verify & attest the work (`loopgen run`)
 
-Generating config is just instructions. **`loopgen run` actually runs the verification and leaves proof** —
-something a stateless model cannot do. After you (or any agent — Claude Code, Cursor, Codex) complete a
-bounded change, run:
+Generating config is just instructions. **`loopgen run` actually runs the verification and leaves a
+tamper-evident record** — something a stateless model cannot do. After you (or any agent — Claude Code,
+Cursor, Codex) complete a bounded change, run:
 
 ```bash
 npm run loopgen -- run test-repair .
@@ -450,8 +457,13 @@ in `.loopgen/reports/*.md`. The process exits `0` on pass and `1` on fail, so it
 
 - `--dry-run` — run the checks, write nothing.
 - `--base <ref>` — git ref to diff against (default `HEAD`).
-- Scope: referee mode is **detection, not a sandbox** — it proves the change passed your real verification
-  and didn't modify forbidden paths; it does not block reads or out-of-tree writes.
+- Scope: referee mode is **detection, not a sandbox** — it records that the change passed your real
+  verification and didn't modify forbidden paths; it does not block reads or out-of-tree writes.
+- Trust: locally this is **tamper-evident evidence**. Run it in CI and loopgen signs the audit entry against
+  the **Sigstore/Rekor** public transparency log — a **verifiable, signed attestation** bound to the commit.
+  Attestation is automatic in CI with an OIDC identity (`--no-attest` to opt out); verify it with `loopgen
+  audit verify --attestation`. See [docs/THREAT-MODEL.md](docs/THREAT-MODEL.md) for what each tier does and
+  doesn't prove.
 
 #### Driven mode — loopgen runs the loop (`--mode driven`)
 
@@ -482,10 +494,12 @@ Every `loopgen run` appends to a per-repo, hash-chained `.loopgen/audit.jsonl`.
 those ledgers into team-level, compliance-ready evidence and a CI gate — local-first, no server:
 
 ```bash
-npm run loopgen -- audit verify                  # prove the hash chain is intact (tamper check)
+npm run loopgen -- audit verify                  # verify the hash chain is intact (tamper check)
+npm run loopgen -- audit verify --attestation    # also cryptographically verify the CI signatures
 npm run loopgen -- audit summary                 # one repo: pass rate, by loop, violations
 npm run loopgen -- audit aggregate ../repos --html gov.html --report gov.md   # roll up many repos/devs
 npm run loopgen -- audit check --require test-repair --require-no-violations --require-chain   # CI gate
+npm run loopgen -- audit check --require-attested # gate on a verifiable CI attestation, not just a local log
 ```
 
 `aggregate` scans the given files/directories for `audit.jsonl`, merges them into one rollup, and can write

package/dist/cli.js

@@ -14,6 +14,7 @@ import { startLoopgenServer } from "./server.js";
 import { DEFAULT_ADAPTER_IDS, parseAdapterIds } from "./core/adapters.js";
 import { runLoop } from "./core/runner.js";
 import { readAuditLog, verifyAuditChain } from "./core/audit.js";
+import { loadAttestationRef, verifyAttestation } from "./core/attest.js";
 import { buildSummary, collectAuditFiles, evaluatePolicy } from "./core/governance.js";
 import { renderGovernanceHtml, renderGovernanceMarkdown } from "./core/governance-report.js";
 import { promises as fsp } from "node:fs";
@@ -36,7 +37,7 @@ const { version } = require("../package.json");
 const program = new Command();
 program
     .name("loopgen")
-    .description("Run your AI's coding loop and prove its work actually passed — real verification, a tamper-evident audit, and a CI gate.")
+    .description("Verification & provenance gate for AI-generated code — real verification, tamper-evident local evidence, and a verifiable signed attestation in CI. Bring your own agent.")
     .version(version);
 program
     .command("init")
@@ -168,7 +169,8 @@ program
     .option("--openai-compatible-model <model>", "driven mode: OpenAI-compatible model name")
     .option("--openai-compatible-base-url <url>", "driven mode: OpenAI-compatible base URL")
     .option("--openai-compatible-api-key-env <name>", "driven mode: env var name for the API key")
-    .description("Run a loop's verification against the working tree and write a tamper-evident proof.")
+    .option("--no-attest", "skip signing the audit entry even in CI (attestation is automatic when an OIDC identity is present)")
+    .description("Run a loop's verification against the working tree; leaves tamper-evident evidence locally, or a verifiable signed attestation in CI.")
     .action(async (loop, project, options) => {
     const result = await runLoop({
         projectRoot: path.resolve(project),
@@ -185,7 +187,8 @@ program
         ollamaBaseUrl: options.ollamaBaseUrl,
         openaiCompatibleModel: options.openaiCompatibleModel,
         openaiCompatibleBaseUrl: options.openaiCompatibleBaseUrl,
-        openaiCompatibleApiKeyEnv: options.openaiCompatibleApiKeyEnv
+        openaiCompatibleApiKeyEnv: options.openaiCompatibleApiKeyEnv,
+        attest: options.attest
     });
     if (options.json) {
         console.log(JSON.stringify(result, null, 2));
@@ -199,9 +202,11 @@ const audit = program.command("audit").description("Inspect, aggregate, and gate
 audit
     .command("verify")
     .argument("[project]", "project directory", ".")
-    .description("Verify the audit hash chain is intact (tamper check).")
-    .action(async (project) => {
-    const entries = await readAuditLog(path.resolve(project));
+    .option("--attestation", "also cryptographically verify external attestations (cosign/Sigstore), not just the local chain")
+    .description("Verify the audit hash chain is intact (tamper check); with --attestation, verify the signed proofs too.")
+    .action(async (project, options) => {
+    const root = path.resolve(project);
+    const entries = await readAuditLog(root);
     const chain = verifyAuditChain(entries);
     if (chain.valid) {
         console.log(`Audit chain valid (${entries.length} entries).`);
@@ -210,6 +215,28 @@ audit
         console.log(`Audit chain BROKEN at entry ${chain.brokenAt}.`);
         process.exitCode = 1;
     }
+    if (options.attestation) {
+        const attested = entries.filter((entry) => entry.provenance?.tier === "attested");
+        if (!attested.length) {
+            console.log("Attestations: no CI-attested entries to verify.");
+            return;
+        }
+        let failures = 0;
+        for (const entry of attested) {
+            const ref = await loadAttestationRef(root, entry.entryId);
+            const result = await verifyAttestation({ projectRoot: root, entryHash: entry.hash, ci: entry.provenance?.ci, ref });
+            const id = entry.entryId.slice(0, 8);
+            if (result.ok)
+                console.log(`  attestation ${id}… ok${result.reason ? ` (${result.reason})` : ""}`);
+            else {
+                console.log(`  attestation ${id}… FAILED — ${result.reason ?? "unknown"}`);
+                failures += 1;
+            }
+        }
+        console.log(`Attestations: ${attested.length - failures}/${attested.length} verified.`);
+        if (failures)
+            process.exitCode = 1;
+    }
 });
 audit
     .command("summary")
@@ -259,6 +286,7 @@ audit
     .option("--since <iso>", "only consider runs at/after this ISO timestamp")
     .option("--require-no-violations", "fail if any run modified forbidden paths")
     .option("--require-chain", "fail if the audit chain is broken")
+    .option("--require-attested", "fail unless every run carries a CI attestation claim (verify the signatures with `audit verify --attestation`)")
     .description("Gate CI/merge on the audit log; exits 1 if the policy is not satisfied.")
     .action(async (project, options) => {
     const entries = await readAuditLog(path.resolve(project));
@@ -266,7 +294,8 @@ audit
         requireLoops: options.require ? options.require.split(",").map((item) => item.trim()).filter(Boolean) : undefined,
         since: options.since,
         requireNoViolations: options.requireNoViolations,
-        requireChainValid: options.requireChain
+        requireChainValid: options.requireChain,
+        requireAttested: options.requireAttested
     };
     const result = evaluatePolicy(entries, policy);
     if (result.ok) {
@@ -352,10 +381,19 @@ function printRunResult(result) {
         console.log(`  report: ${result.reportPath}`);
     if (!result.dryRun)
         console.log(`  audit: .loopgen/audit.jsonl (${result.entry.hash.slice(0, 12)}…)`);
+    const tier = result.entry.provenance?.tier;
+    if (tier === "attested") {
+        const signed = result.attestation && result.attestation.method !== "none";
+        console.log(`  trust: ${signed ? `CI-attested (signed via ${result.attestation.method}) — verify with \`loopgen audit verify --attestation\`` : "attestation requested but no signer available — local evidence only"}`);
+    }
+    else if (!result.dryRun) {
+        console.log("  trust: local evidence (run in CI for a verifiable signed attestation)");
+    }
 }
 function printSummary(summary) {
     console.log(`Runs: ${summary.total} (${summary.passed} pass / ${summary.failed} fail) — ${Math.round(summary.passRate * 100)}%`);
     console.log(`Modes: referee ${summary.byMode.referee}, driven ${summary.byMode.driven}`);
+    console.log(`Trust: local ${summary.byTier.local}, CI-attested ${summary.byTier.attested}`);
     console.log(`Chain: ${summary.chain.valid ? "valid" : `BROKEN at ${summary.chain.brokenAt}`}`);
     console.log(`Forbidden violations: ${summary.forbiddenViolationRuns} run(s); blocked attempts (prevented): ${summary.blockedAttempts}`);
     for (const [loop, stat] of Object.entries(summary.byLoop).sort((a, b) => b[1].total - a[1].total)) {

package/dist/core/attest.js

@@ -0,0 +1,184 @@
+import { execFile } from "node:child_process";
+import { createHash } from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { promisify } from "node:util";
+import { canonicalize } from "./audit.js";
+const execFileAsync = promisify(execFile);
+export const ATTESTATION_DIR = path.join(".loopgen", "attestations");
+export const LOOPGEN_PREDICATE_TYPE = "https://github.com/Nagiici/Loopgen/run-attestation/v1";
+const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+function sha256Hex(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+function errMsg(error) {
+    if (error && typeof error === "object") {
+        const stderr = error.stderr;
+        if (typeof stderr === "string" && stderr.trim())
+            return stderr.trim().split("\n").slice(-1)[0];
+        if (error instanceof Error)
+            return error.message;
+    }
+    return String(error);
+}
+function isMissingBinary(error) {
+    return Boolean(error && typeof error === "object" && error.code === "ENOENT");
+}
+export function detectCiProvenance(env = process.env) {
+    if (env.GITHUB_ACTIONS === "true") {
+        const ci = {
+            provider: "github-actions",
+            repo: env.GITHUB_REPOSITORY,
+            ref: env.GITHUB_REF,
+            commitSha: env.GITHUB_SHA,
+            workflow: env.GITHUB_WORKFLOW,
+            workflowRef: env.GITHUB_WORKFLOW_REF,
+            runId: env.GITHUB_RUN_ID,
+            runAttempt: env.GITHUB_RUN_ATTEMPT,
+            runnerEnv: env.RUNNER_ENVIRONMENT,
+            actor: env.GITHUB_ACTOR
+        };
+        const canAttest = Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) || Boolean(env.SIGSTORE_ID_TOKEN);
+        return { ci, canAttest };
+    }
+    if (env.CI === "true") {
+        const ci = { provider: "other-ci", commitSha: env.GITHUB_SHA ?? env.CI_COMMIT_SHA };
+        return { ci, canAttest: Boolean(env.SIGSTORE_ID_TOKEN) };
+    }
+    return { canAttest: Boolean(env.SIGSTORE_ID_TOKEN) };
+}
+// ---------- attestation subject (the digest set the signature binds to) ----------
+export function buildAttestationSubject(git, loop, verification) {
+    const loopSpecHash = sha256Hex(canonicalize(loop));
+    const verificationDigest = sha256Hex(canonicalize(verification.results.map((r) => ({ command: r.command, exitCode: r.exitCode, timedOut: r.timedOut }))));
+    return { commitSha: git.shaAfter, treeClean: git.clean, loopSpecHash, verificationDigest };
+}
+// ---------- default attestor: keyless Sigstore via cosign (best-effort, degrades to local) ----------
+async function cosignAvailable() {
+    try {
+        await execFileAsync("cosign", ["version"], { timeout: 15_000 });
+        return true;
+    }
+    catch (error) {
+        if (isMissingBinary(error))
+            return false;
+        return true; // present but `version` exited non-zero for some other reason — still usable
+    }
+}
+function predicatePathFor(projectRoot, entryId) {
+    return path.join(projectRoot, ATTESTATION_DIR, `${entryId}.predicate.json`);
+}
+function bundlePathFor(projectRoot, entryId) {
+    return path.join(projectRoot, ATTESTATION_DIR, `${entryId}.sigstore.json`);
+}
+// cosign verify-blob requires an identity; derive it for GitHub OIDC, else signal "local checks only".
+function githubIdentityArgs(ci) {
+    if (ci?.provider !== "github-actions" || !ci.repo)
+        return undefined;
+    const identity = ci.workflowRef
+        ? `https://github.com/${ci.workflowRef}`
+        : `^https://github.com/${ci.repo}/`;
+    const flag = ci.workflowRef ? "--certificate-identity" : "--certificate-identity-regexp";
+    return [flag, identity, "--certificate-oidc-issuer", GITHUB_OIDC_ISSUER];
+}
+export function createDefaultAttestor() {
+    return {
+        async produce(req) {
+            if (!(await cosignAvailable()))
+                return { method: "none" };
+            const predicatePath = predicatePathFor(req.projectRoot, req.entryId);
+            const bundlePath = bundlePathFor(req.projectRoot, req.entryId);
+            await fs.mkdir(path.dirname(predicatePath), { recursive: true });
+            const predicate = {
+                predicateType: LOOPGEN_PREDICATE_TYPE,
+                entryId: req.entryId,
+                entryHash: req.entryHash, // binds the signature to the exact audit entry hash
+                subject: req.subject,
+                ci: req.ci
+            };
+            await fs.writeFile(predicatePath, `${JSON.stringify(predicate, null, 2)}\n`, "utf8");
+            await execFileAsync("cosign", ["sign-blob", "--yes", "--bundle", bundlePath, predicatePath], {
+                timeout: 120_000
+            });
+            return {
+                method: "cosign-keyless",
+                bundlePath: path.relative(req.projectRoot, bundlePath),
+                predicateType: LOOPGEN_PREDICATE_TYPE
+            };
+        },
+        async verify(req) {
+            const { ref } = req;
+            if (ref.method !== "cosign-keyless" || !ref.bundlePath) {
+                return { ok: false, reason: "no external attestation bundle recorded for this entry" };
+            }
+            const bundlePath = path.join(req.projectRoot, ref.bundlePath);
+            const predicatePath = bundlePath.replace(/\.sigstore\.json$/, ".predicate.json");
+            const predicateRaw = await fs.readFile(predicatePath, "utf8").catch(() => undefined);
+            if (!predicateRaw)
+                return { ok: false, reason: "attestation predicate file is missing" };
+            const predicate = JSON.parse(predicateRaw);
+            // Local cross-checks: the signed payload must bind the live entry hash + the recorded CI identity.
+            if (predicate.entryHash !== req.entryHash) {
+                return { ok: false, reason: `signed entryHash ${predicate.entryHash} != audit entry hash ${req.entryHash}` };
+            }
+            if (req.ci?.repo && predicate.ci?.repo && req.ci.repo !== predicate.ci.repo) {
+                return { ok: false, reason: "signed CI repo does not match the audit entry's CI repo" };
+            }
+            if (!(await cosignAvailable())) {
+                return { ok: true, reason: "predicate cross-check passed; cosign not installed, signature not cryptographically verified" };
+            }
+            const identityArgs = githubIdentityArgs(predicate.ci ?? req.ci);
+            if (!identityArgs) {
+                return { ok: true, reason: "predicate cross-check passed; non-GitHub identity, cosign identity not constructed" };
+            }
+            try {
+                await execFileAsync("cosign", ["verify-blob", "--bundle", bundlePath, ...identityArgs, predicatePath], {
+                    timeout: 120_000
+                });
+                return { ok: true };
+            }
+            catch (error) {
+                return { ok: false, reason: `cosign verify-blob failed: ${errMsg(error)}` };
+            }
+        }
+    };
+}
+// Re-derive the attestation reference for an entry from its deterministic sibling-bundle path.
+// (The AttestationRef is out-of-band — not in the hashed entry — so verify reconstructs it by entryId.)
+export async function loadAttestationRef(projectRoot, entryId) {
+    const bundlePath = bundlePathFor(projectRoot, entryId);
+    const exists = await fs
+        .stat(bundlePath)
+        .then(() => true)
+        .catch(() => false);
+    if (!exists)
+        return { method: "none" };
+    return { method: "cosign-keyless", bundlePath: path.relative(projectRoot, bundlePath), predicateType: LOOPGEN_PREDICATE_TYPE };
+}
+// ---------- top-level wrappers used by runner.ts / cli.ts ----------
+// Produce an attestation. NEVER throws — a failed/unavailable signer must not fail a passing run; it
+// just leaves the run at local-evidence grade (method: "none").
+export async function produceAttestation(opts) {
+    const attestor = opts.attestor ?? createDefaultAttestor();
+    try {
+        return await attestor.produce({
+            projectRoot: opts.projectRoot,
+            entryId: opts.entryId,
+            entryHash: opts.entryHash,
+            subject: opts.subject,
+            ci: opts.ci
+        });
+    }
+    catch {
+        return { method: "none" };
+    }
+}
+export async function verifyAttestation(opts) {
+    const attestor = opts.attestor ?? createDefaultAttestor();
+    try {
+        return await attestor.verify({ projectRoot: opts.projectRoot, entryHash: opts.entryHash, ci: opts.ci, ref: opts.ref });
+    }
+    catch (error) {
+        return { ok: false, reason: errMsg(error) };
+    }
+}

package/dist/core/audit.js

@@ -5,7 +5,7 @@ export const AUDIT_FILE = ".loopgen/audit.jsonl";
 // Deterministic JSON: object keys sorted recursively so the hash is stable across runs/machines.
 // undefined-valued keys are skipped (matching JSON.stringify) so the in-memory hash equals the hash
 // recomputed from the JSON-round-tripped entry — otherwise dropped keys would break the chain.
-function canonicalize(value) {
+export function canonicalize(value) {
     if (value === null || typeof value !== "object")
         return JSON.stringify(value);
     if (Array.isArray(value))

package/dist/core/governance-report.js

@@ -16,6 +16,7 @@ export function renderGovernanceMarkdown(summary) {
 - Runs: **${summary.total}** (${summary.passed} passed / ${summary.failed} failed) — pass rate **${pct(summary.passRate)}**
 - Window: ${summary.firstAt ?? "—"} → ${summary.lastAt ?? "—"}
 - Modes: referee ${summary.byMode.referee} · driven ${summary.byMode.driven}
+- Trust: local evidence ${summary.byTier.local} · **CI-attested** ${summary.byTier.attested}
 - Chain integrity: ${summary.chain.valid ? "**valid**" : `**BROKEN** (entry ${summary.chain.brokenAt})`}
 - Forbidden-path violations: **${summary.forbiddenViolationRuns}** run(s)
 - Blocked attempts (driven, prevented at apply time): **${summary.blockedAttempts}**
@@ -88,6 +89,7 @@ code{font-family:"IBM Plex Mono",monospace;font-size:13px}
   <div class="card"><div class="k">Forbidden violations</div><div class="v ${summary.forbiddenViolationRuns ? "bad" : "good"}">${summary.forbiddenViolationRuns}</div></div>
   <div class="card"><div class="k">Blocked (prevented)</div><div class="v">${summary.blockedAttempts}</div></div>
   <div class="card"><div class="k">Chain</div><div class="v ${summary.chain.valid ? "good" : "bad"}">${summary.chain.valid ? "valid" : "BROKEN"}</div></div>
+  <div class="card"><div class="k">CI-attested</div><div class="v">${summary.byTier.attested}/${summary.total}</div></div>
 </div>
 <h2>By loop</h2>
 <table><thead><tr><th>Loop</th><th>Runs</th><th>Passed</th><th>Pass rate</th></tr></thead><tbody>${loopRows || '<tr><td colspan="4">No runs.</td></tr>'}</tbody></table>

package/dist/core/governance.js

@@ -55,6 +55,7 @@ function summarizeEntries(entries, sources, chain) {
     const byLoop = {};
     const byActor = {};
     const byMode = { referee: 0, driven: 0 };
+    const byTier = { local: 0, attested: 0 };
     let passed = 0;
     let blockedAttempts = 0;
     let forbiddenViolationRuns = 0;
@@ -67,6 +68,10 @@ function summarizeEntries(entries, sources, chain) {
             byMode.driven += 1;
         else
             byMode.referee += 1;
+        if (entry.provenance?.tier === "attested")
+            byTier.attested += 1;
+        else
+            byTier.local += 1;
         byLoop[entry.loopId] ??= { total: 0, passed: 0 };
         byLoop[entry.loopId].total += 1;
         if (entry.passed)
@@ -95,6 +100,7 @@ function summarizeEntries(entries, sources, chain) {
         passRate: total ? passed / total : 0,
         byLoop,
         byMode,
+        byTier,
         byActor,
         blockedAttempts,
         forbiddenViolationRuns,
@@ -118,6 +124,12 @@ export function evaluatePolicy(entries, policy) {
         if (violations.length)
             failures.push(`${violations.length} run(s) modified forbidden paths`);
     }
+    if (policy.requireAttested) {
+        // Checks the in-band claim only; cryptographic verification is `loopgen audit verify --attestation`.
+        const notAttested = scoped.filter((entry) => entry.provenance?.tier !== "attested");
+        if (notAttested.length)
+            failures.push(`${notAttested.length} run(s) are not CI-attested (local self-attested only)`);
+    }
     for (const loopId of policy.requireLoops ?? []) {
         const ok = scoped.some((entry) => entry.loopId === loopId && entry.passed);
         if (!ok)

package/dist/core/report.js

@@ -1,4 +1,4 @@
-export function renderProofReport(loop, entry, verification, iterationLogs) {
+export function renderProofReport(loop, entry, verification, iterationLogs, attestation) {
     const banner = entry.passed ? "✅ PASS" : "❌ FAIL";
     const changed = [...entry.changedFiles.tracked, ...entry.changedFiles.untracked];
     const commandBlocks = verification.results
@@ -21,6 +21,7 @@ Loop: \`${entry.loopId}\` · Mode: ${entry.mode} · Iterations: ${entry.iteratio
 Generated: ${entry.timestamp}
 By: ${entry.actor.user ?? "unknown"}@${entry.actor.host ?? "unknown"}
 Audit entry: \`${entry.hash}\`
+Trust: ${trustLine(entry, attestation)}
 
 ## Goal
 
@@ -51,7 +52,7 @@ ${forbiddenSection}
 ${entry.driven && iterationLogs ? `\n${renderIterationHistory(iterationLogs)}` : ""}
 ---
 
-${scopeFooter(entry)}
+${scopeFooter(entry, attestation)}
 `;
 }
 function renderIterationHistory(iterationLogs) {
@@ -75,9 +76,28 @@ ${log.reasoning ? `> ${log.reasoning}\n` : ""}- Applied: ${applied}
     });
     return `## Iteration history\n\n${blocks.join("\n\n")}\n`;
 }
-function scopeFooter(entry) {
+function scopeFooter(entry, attestation) {
     if (entry.driven) {
-        return `> Scope: **bounded + enforced**. loopgen drove a local model (${entry.driven.model.adapter} · ${entry.driven.model.modelName}), blocked forbidden writes and non-allowlisted commands **at apply time**, bounded iterations, and verified each one (stop reason: ${entry.driven.stopReason}). The model still proposes actions — this is enforcement, not a sandbox. Audit is hash-chained in \`.loopgen/audit.jsonl\`.`;
+        return `> Scope: **bounded + enforced**. loopgen drove a local model (${entry.driven.model.adapter} · ${entry.driven.model.modelName}), blocked forbidden writes and non-allowlisted commands **at apply time**, bounded iterations, and verified each one (stop reason: ${entry.driven.stopReason}). The model still proposes actions — this is enforcement, not a sandbox.${trustFooter(entry, attestation)}`;
     }
-    return `> Scope: this is **detection, not prevention**. loopgen ran the verification commands above and diffed the working tree after the work session; it does not sandbox the agent or block reads. The audit entry is hash-chained in \`.loopgen/audit.jsonl\` (tamper-evident against in-place edits).`;
+    return `> Scope: this is **detection, not prevention**. loopgen ran the verification commands above and diffed the working tree after the work session; it does not sandbox the agent or block reads.${trustFooter(entry, attestation)}`;
+}
+// Evidence (local) vs proof (CI-attested) — stated precisely so the report never over-claims.
+function isSigned(entry, attestation) {
+    return entry.provenance?.tier === "attested" && Boolean(attestation && attestation.method !== "none");
+}
+function trustLine(entry, attestation) {
+    if (isSigned(entry, attestation)) {
+        return "**attested** (CI) — audit hash signed against Sigstore/Rekor; verify with `loopgen audit verify --attestation`";
+    }
+    if (entry.provenance?.tier === "attested") {
+        return "attested (CI) requested, but no signer was available — **local evidence only**";
+    }
+    return "**local** — tamper-evident evidence (re-run in CI for a verifiable signed attestation)";
+}
+function trustFooter(entry, attestation) {
+    if (isSigned(entry, attestation)) {
+        return ` This run is **CI-attested**: the audit entry hash is signed against the Sigstore/Rekor public transparency log and bound to commit \`${entry.git.shaAfter ?? "(none)"}\` — **verifiable proof** (\`loopgen audit verify --attestation\`).`;
+    }
+    return ` The audit entry is hash-chained in \`.loopgen/audit.jsonl\` — **tamper-evident local evidence**, not signed proof. Re-run in CI for a verifiable signed attestation.`;
 }

package/dist/core/runner.js

@@ -3,6 +3,7 @@ import { promises as fs } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { runDrivenLoop } from "./agent-loop.js";
+import { buildAttestationSubject, detectCiProvenance, produceAttestation } from "./attest.js";
 import { appendAuditEntry, hashEntry, readAuditLog } from "./audit.js";
 import { checkForbiddenPaths } from "./forbidden.js";
 import * as git from "./git.js";
@@ -40,6 +41,7 @@ async function runReferee(projectRoot, loop, loopFile, options) {
     });
     const passed = verification.passed && forbidden.ok;
     const input = baseEntry(loopFile, loop, "referee", { base, shaBefore, shaAfter, clean }, changed, diffstat, forbidden, verification, 1, passed);
+    input.provenance = resolveProvenance(options, { shaAfter, clean }, loop, verification);
     return finalize(projectRoot, loop, input, verification, forbidden, options);
 }
 async function runDriven(projectRoot, loop, loopFile, options) {
@@ -75,6 +77,7 @@ async function runDriven(projectRoot, loop, loopFile, options) {
     const passed = driven.passed && forbidden.ok;
     const input = baseEntry(loopFile, loop, "driven", { base, shaBefore, shaAfter, clean }, changed, diffstat, forbidden, verification, driven.iterations.length, passed);
     input.driven = { stopReason: driven.stopReason, model: modelMeta, attempts: summarizeIterations(driven.iterations) };
+    input.provenance = resolveProvenance(options, { shaAfter, clean }, loop, verification);
     return finalize(projectRoot, loop, input, verification, forbidden, options, driven.iterations);
 }
 function baseEntry(loopFile, loop, mode, gitInfo, changed, diffstat, forbidden, verification, iterations, passed) {
@@ -112,13 +115,26 @@ async function finalize(projectRoot, loop, input, verification, forbidden, optio
     else {
         entry = await appendAuditEntry(projectRoot, input);
     }
+    // Root of trust: the signature's subject IS entry.hash, so this runs AFTER the entry is hashed and
+    // appended. A missing/failed signer never fails the run — it just leaves local-grade evidence.
+    let attestation;
+    if (!options.dryRun && entry.provenance?.tier === "attested" && entry.provenance.subject) {
+        attestation = await produceAttestation({
+            projectRoot,
+            entryId: entry.entryId,
+            entryHash: entry.hash,
+            subject: entry.provenance.subject,
+            ci: entry.provenance.ci,
+            attestor: options.attestor
+        });
+    }
     let reportPath;
     if (!options.dryRun && options.writeReport !== false) {
         const stamp = entry.timestamp.replace(/[:.]/g, "-");
         reportPath = path.join(".loopgen", "reports", `${loop.id}-${stamp}.md`);
         const absolute = path.join(projectRoot, reportPath);
         await fs.mkdir(path.dirname(absolute), { recursive: true });
-        await fs.writeFile(absolute, renderProofReport(loop, entry, verification, iterationLogs), "utf8");
+        await fs.writeFile(absolute, renderProofReport(loop, entry, verification, iterationLogs, attestation), "utf8");
     }
     if (!options.dryRun) {
         await appendStateEntry(projectRoot, loop, entry);
@@ -131,9 +147,20 @@ async function finalize(projectRoot, loop, input, verification, forbidden, optio
         forbidden,
         reportPath,
         dryRun: Boolean(options.dryRun),
-        iterationLogs
+        iterationLogs,
+        attestation
     };
 }
+// Capture the trust tier + CI/OIDC claims + the digest set a signature will bind to.
+// All fields are known BEFORE the entry is hashed, so this rides the chain like `driven`.
+function resolveProvenance(options, gitInfo, loop, verification) {
+    const { ci, canAttest } = detectCiProvenance();
+    const subject = buildAttestationSubject(gitInfo, loop, verification);
+    // Default: auto-attest when an ambient OIDC identity exists; --attest forces, --no-attest disables.
+    const requested = options.attest === undefined ? canAttest : options.attest;
+    const tier = requested && Boolean(ci) && canAttest ? "attested" : "local";
+    return { tier, ci, subject };
+}
 function summarizeIterations(logs) {
     return logs.map((log) => ({
         iteration: log.iteration,

package/examples/github-attested-merge-gate.yml

@@ -0,0 +1,37 @@
+# Reference workflow — produce a VERIFIABLE signed attestation for an AI-assisted change, then gate the
+# merge on it. Copy into your repo's .github/workflows/.
+#
+# Why id-token: write? It hands the job a GitHub OIDC identity, so cosign can sign the audit entry hash
+# keylessly against the Sigstore / Rekor PUBLIC transparency log — loopgen holds no keys. The signature
+# binds an accountable CI identity (repo + workflow) to the exact commit + verification result.
+# See docs/THREAT-MODEL.md for what this does and does not prove.
+name: loopgen attested gate
+on: [pull_request]
+
+permissions:
+  contents: read
+  id-token: write # GitHub OIDC identity → keyless Sigstore signing
+
+jobs:
+  attested-gate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - uses: sigstore/cosign-installer@v3 # the keyless signer used by `loopgen run --attest`
+      - run: npm install -g loopgen
+
+      # Run the loop's verification IN CI and sign the audit entry against Sigstore/Rekor.
+      # In CI with an OIDC identity, attestation is automatic; pass --no-attest to opt out.
+      - run: loopgen run test-repair --attest
+
+      # Gate the merge on a CRYPTOGRAPHICALLY VERIFIABLE attestation — not just a local self-attested log.
+      # require-attested makes the action install cosign and run `audit verify --attestation`.
+      - uses: Nagiici/Loopgen/.github/actions/audit-check@v0.7.0
+        with:
+          require: test-repair
+          require-no-violations: "true"
+          require-chain: "true"
+          require-attested: "true"

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loopgen",
-  "version": "0.6.2",
-  "description": "Run your AI's coding loop and prove its work actually passed — real verification, a tamper-evident audit, and a CI gate. Local-first.",
+  "version": "0.7.0",
+  "description": "The vendor-neutral verification & provenance gate for AI-generated code — bring your own agent. Local runs leave tamper-evident evidence; CI runs produce a verifiable, signed attestation (Sigstore/SLSA) you can gate merges on.",
   "type": "module",
   "engines": {
     "node": ">=18"
@@ -28,6 +28,11 @@
   "keywords": [
     "ai-agents",
     "verification",
+    "provenance",
+    "attestation",
+    "sigstore",
+    "slsa",
+    "supply-chain",
     "audit",
     "ci",
     "governance",