magenta-canon 0.1.13 → 0.2.0

package/README.md

@@ -141,9 +141,12 @@ record and shows verification **fails**. It is local/dev only — an ephemeral p
 and a fresh universe in a temp dir, cleaned up on exit.
 
 <details>
-<summary>Prefer the manual steps?</summary>
+<summary>Prefer the manual steps? (repo checkout)</summary>
 
 ```bash
+# These manual steps run from a REPO CHECKOUT (they boot the full hosted
+# control plane, which does not ship in the npm package). From an npm install,
+# just run `npx magenta-canon demo` — it is the same proof loop, self-contained.
 # 1. boot the control plane (the witness + evidence surface) and bootstrap trust
 INTERNAL_API_KEY=operator-secret-xyz MAGENTA_STATE_FILE=/tmp/magenta-state.json \
   PORT=5000 npx tsx server/index.ts &
@@ -158,7 +161,7 @@ DOWNSTREAM_LOG=/tmp/downstream-calls.log \
 
 # 3. publish evidence and verify it independently
 curl -s :5000/api/trust/evidence > bundle.json
-npx tsx scripts/magenta-verify.ts bundle.json     # → RESULT: VERIFIED
+npx magenta-canon verify bundle.json              # → RESULT: VERIFIED
 ```
 </details>
 
@@ -219,7 +222,7 @@ REFUSED_CALL isError=true  :: Blocked by Magenta capability gate: exceeds delega
 {"name":"refund","args":{"amount_cents":8900,"order_id":"4471"}}     ← only the allowed call
 # the blocked $250 refund is ABSENT — it never reached the tool.
 
-$ npx tsx scripts/magenta-verify.ts bundle.json
+$ npx magenta-canon verify bundle.json
   [PASS] STH signature verifies
   [PASS] receipt chain intact
   [PASS] recomputed Merkle root == signed STH root

package/bin/magenta-canon.mjs

@@ -66,12 +66,21 @@ function run(cmd, args, opts = {}) {
   child.on("error", (e) => { console.error(`magenta-canon: failed to start: ${e.message}`); process.exit(1); });
 }
 
-// Run one of the package's TypeScript entry scripts via tsx.
+// Run one of the package's entry scripts. The published package carries the
+// PRECOMPILED runtime (dist/**/*.js, plain CommonJS) and executes it directly
+// with Node — no tsx, no esbuild, no install scripts in the consumer graph.
+// A repo checkout (no dist/ built) falls back to running the TypeScript source
+// via tsx, which is a devDependency there.
 function runTs(relScript, args, opts = {}) {
+  const compiled = path.join(ROOT, "dist", relScript.replace(/\.ts$/, ".js"));
+  if (existsSync(compiled)) {
+    run(process.execPath, [compiled, ...args], opts);
+    return;
+  }
   const cli = tsxCli();
   const script = path.join(ROOT, relScript);
   if (!existsSync(script)) { console.error(`magenta-canon: missing ${relScript} in package`); process.exit(1); }
-  if (!cli) { console.error("magenta-canon: could not locate 'tsx' (a dependency). Try reinstalling."); process.exit(1); }
+  if (!cli) { console.error("magenta-canon: could not locate 'tsx' (dev fallback for repo checkouts). Run `npm install` first."); process.exit(1); }
   run(process.execPath, [cli, script, ...args], opts);
 }
 

package/dist/MANIFEST.json

@@ -0,0 +1,32 @@
+{
+  "package.json": "8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
+  "scripts/demo-control-plane.js": "3357c8de8e3fe32e73e0be99a3bb02179dff3ee041854d4ee6f8d135e4d8dcbf",
+  "scripts/intake-cli.js": "189014db22d6fccb034ed1a93ec11efe8905be820bc468366c68bb2cabaf8a97",
+  "scripts/magenta-mirror.js": "cf701065f7a6e20f7f44a9b815396aeb5fe031c3f003bcd793b8014ea8801b85",
+  "scripts/magenta-verify.js": "3c41d176a435ae8f53dd49c2418f63be5ad82de7e26fbe9f436a6545f521d331",
+  "scripts/mcp-gateway.js": "335923004b73511fe42ea0fc6f2e567afe8018dc95464a79027e4c2537e30de1",
+  "server/agent-policy.js": "20dd9150f8244c33aaf14ecdf3a09f471210960d246cda9ab8d5abe0e8433518",
+  "server/agent-record.js": "790bbfa2a10601c2bdcd98873e6e41babdf96d1df7c7ca34f19791de4c8b860f",
+  "server/crypto.js": "ebbcb2929e7b3651e4ec04c9fbf3dcb656e3ae0d30bf8864f3642f72f3be2f39",
+  "server/execution-receipts.js": "171a506df7d1e99f3370de9a41c1a4f0b21b38d1f02edc78d9c44e68c93dbee4",
+  "server/intake/categories.js": "e9860eee0e2e0fe96c7ade165e5e068fae0874de2c7d39ff796efc91e713013b",
+  "server/intake/engine.js": "abb8feacd925520cbf01acc2e932d9ebb037a3d016b053b7b10deaf8f545a605",
+  "server/intake/gateway-intake.js": "40514fa489b031c29725e9b837e83998217bbc1ae84cf9259154a16b1faae2e8",
+  "server/intake/index.js": "fd287181a5deb2a2141b479851b4e8fc21aefea39a22baecebdef6a7450af752",
+  "server/intake/intake-witness.js": "f974ca4637e03536ed84e1ea65d249b628cb52b322ddee344d42dcf4bba4ed00",
+  "server/intake/model-witness.js": "a80563a28b31a041fa9b61ed7b2d13dbca6f8464656e0f2abc2c174a22580d65",
+  "server/intake/persistence.js": "49b73cbac3f36f19a3d4f0f4dca88da90e0c281c6aaeae00a022093e339c4792",
+  "server/intake/queue.js": "f5e4f6a9a425e23ad113b08e35739355ff979d906e05bb95a48e6082757bbcfd",
+  "server/intake/rationale.js": "3ea64a1430828ae5a06b41f4e93d06cdd667850d6a2ff9a1e266f98bdfc6c404",
+  "server/intake/types.js": "014891c6c8360648d6954b3185ae92d56be625484bf2f0d0f71dac271a59e23b",
+  "server/intake/witness.js": "588ad166f4870d65a6ed334c70aaa2deb1d6d96ec97d889902a9eda7528bd34f",
+  "server/persistence.js": "2e6b1d0b1c74babbd581780b028c2593256c5ec96c2d60f4c25159e3f54e4e3f",
+  "server/storage.js": "4f1660e9542dcb157148f561efd757d8aa452730c3a09064d3b1314feb16e8c9",
+  "server/transparency-log.js": "42d0d9fd3de9c60389ca882b546d9784e6ef0003895898dd5958d763d54f2f6b",
+  "server/trust-bootstrap.js": "57a53a3ee9cd630ada2867e8b087a34b069ba26f86a696d3ead74888dd7e8d5f",
+  "server/witness.js": "e94384a35a4cfce39990e580eb5b572ef9a2d4c4d9bad1a2ed9b5382aba64b1b",
+  "shared/canonical.js": "476cee4b5c5702e8a2a198e79c2639cf8ff84000ffb92f68a04433ed2a2f5484",
+  "shared/certificates.js": "7844e71a38e1b1324586c7d054b2f5c15222b86446318d1e6dea9bab504a4a73",
+  "shared/schema.js": "f89190990e3826e44c722d5e8f5b39fd59b4d3fb9ec047229930a17604e4646c",
+  "shared/terminating-kernel.js": "8e2aa68d47d6780e4a70822482e3e410924e9d1af843f301a487da0af37ed047"
+}

package/dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/scripts/demo-control-plane.js

@@ -0,0 +1,171 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * MAGENTA DEMO CONTROL PLANE — minimal, local-only proof harness.
+ *
+ * This is NOT the production server. It is a deliberately tiny node:http surface
+ * that exposes ONLY the four endpoints `scripts/demo.mjs` needs to prove the
+ * wedge end-to-end:
+ *
+ *   GET  /api/health                  readiness
+ *   POST /internal/founder/ceremony   bootstrap the trust root (INTERNAL_API_KEY)
+ *   POST /internal/agent/action       gate + witness one agent action (INTERNAL_API_KEY)
+ *   GET  /api/trust/evidence          export the signed evidence bundle
+ *
+ * It reuses the EXACT same core trust modules the production routes use
+ * (`witnessLog`, `storage`, `recordAgentAction`, `bootstrapRootAuthority`) — the
+ * gate/witness/receipt/evidence semantics are identical; only the HTTP shell is
+ * different. This lets the lean npm package keep the one-command `demo` without
+ * shipping the hosted Express/Passport/PostgreSQL control plane (server/routes.ts,
+ * server/index.ts). The production hosted plane remains intact in the repo as its
+ * own artifact; this harness does not replace it.
+ *
+ * Hard constraints (it is a demo, treated like one):
+ *   - binds 127.0.0.1 ONLY (never a public interface);
+ *   - persists nothing unless MAGENTA_STATE_FILE is explicitly set (the demo sets
+ *     it to an ephemeral temp file);
+ *   - INTERNAL_API_KEY-gated /internal/* routes, fail closed (503) when unset;
+ *   - no Express, no Passport, no database driver, no sessions, no founder admin,
+ *     no production routes — only the proof path.
+ */
+const node_http_1 = require("node:http");
+const node_crypto_1 = require("node:crypto");
+const storage_1 = require("../server/storage");
+const witness_1 = require("../server/witness");
+const agent_record_1 = require("../server/agent-record");
+const trust_bootstrap_1 = require("../server/trust-bootstrap");
+const PORT = Number(process.env.PORT ?? 0);
+const HOST = "127.0.0.1";
+const INTERNAL_API_KEY = process.env.INTERNAL_API_KEY;
+function sendJson(res, status, body) {
+    const text = JSON.stringify(body);
+    res.writeHead(status, { "Content-Type": "application/json" });
+    res.end(text);
+}
+function readBody(req) {
+    return new Promise((resolve, reject) => {
+        let raw = "";
+        req.on("data", (c) => {
+            raw += c;
+            if (raw.length > 1000000)
+                reject(new Error("request body too large"));
+        });
+        req.on("end", () => {
+            if (!raw.trim())
+                return resolve({});
+            try {
+                resolve(JSON.parse(raw));
+            }
+            catch {
+                reject(new Error("invalid JSON body"));
+            }
+        });
+        req.on("error", reject);
+    });
+}
+// Constant-time INTERNAL_API_KEY check, same posture as the production route.
+function internalAuthOk(req, res) {
+    if (!INTERNAL_API_KEY) {
+        sendJson(res, 503, { error: "internal_auth_unconfigured", message: "INTERNAL_API_KEY is not set" });
+        return false;
+    }
+    const provided = req.headers["x-internal-key"];
+    const ok = typeof provided === "string" &&
+        (0, node_crypto_1.timingSafeEqual)((0, node_crypto_1.createHash)("sha256").update(provided).digest(), (0, node_crypto_1.createHash)("sha256").update(INTERNAL_API_KEY).digest());
+    if (!ok) {
+        sendJson(res, 401, { error: "unauthorized", message: "Valid X-Internal-Key header required" });
+        return false;
+    }
+    return true;
+}
+const server = (0, node_http_1.createServer)(async (req, res) => {
+    try {
+        const url = (req.url ?? "").split("?")[0];
+        const method = req.method ?? "GET";
+        // ── GET /api/health ──────────────────────────────────────────────────────
+        if (method === "GET" && url === "/api/health") {
+            return sendJson(res, 200, { status: "healthy", plane: "demo-control-plane" });
+        }
+        // ── POST /internal/founder/ceremony ──────────────────────────────────────
+        // recordAgentAction only requires the ROOT authority (it signs receipts with
+        // the root key), so the minimal ceremony bootstraps the root if absent.
+        if (method === "POST" && url === "/internal/founder/ceremony") {
+            if (!internalAuthOk(req, res))
+                return;
+            let rootCert = await storage_1.storage.getRootCertificate();
+            if (!rootCert) {
+                await (0, trust_bootstrap_1.bootstrapRootAuthority)();
+                rootCert = await storage_1.storage.getRootCertificate();
+                if (!rootCert)
+                    return sendJson(res, 500, { error: "ceremony_failed", message: "root bootstrap did not persist" });
+            }
+            return sendJson(res, 200, {
+                status: "FOUNDER_CEREMONY_COMPLETE",
+                message: "Demo trust root established (minimal local proof harness).",
+                root_public_key: rootCert.subject_pubkey,
+            });
+        }
+        // ── POST /internal/agent/action ──────────────────────────────────────────
+        // Same shared core the MCP gateway uses; response shape mirrors the
+        // production route so the gateway driver consumes it unchanged.
+        if (method === "POST" && url === "/internal/agent/action") {
+            if (!internalAuthOk(req, res))
+                return;
+            let body;
+            try {
+                body = await readBody(req);
+            }
+            catch (e) {
+                return sendJson(res, 400, { error: "bad_request", message: e.message });
+            }
+            if (!body?.agent_id || !body?.authorized_by || !Array.isArray(body?.granted_capabilities) || body.granted_capabilities.length === 0 || !body?.action) {
+                return sendJson(res, 400, { error: "bad_request", message: "provide {agent_id, authorized_by, granted_capabilities[], action, params?}" });
+            }
+            let recorded;
+            try {
+                recorded = await (0, agent_record_1.recordAgentAction)({
+                    action: body.action,
+                    params: body.params ?? {},
+                    grantedCapabilities: body.granted_capabilities,
+                    agentId: body.agent_id,
+                    authorizedBy: body.authorized_by,
+                    intent: body.intent ?? "",
+                    model: body.model ?? "none(structured-input)",
+                    session: body.session,
+                });
+            }
+            catch (e) {
+                if (e instanceof agent_record_1.TrustNotBootstrappedError) {
+                    return sendJson(res, 409, { error: "trust_not_bootstrapped", message: e.message });
+                }
+                throw e;
+            }
+            const { decision, receipt, index } = recorded;
+            return sendJson(res, 200, {
+                recorded: true,
+                allowed: decision.allowed,
+                decision,
+                receipt: { action: receipt.action, receipt_hash: receipt.receipt_hash, timestamp: receipt.timestamp },
+                witness: { index, latest_sth: witness_1.witnessLog.latestSTH() ?? null },
+            });
+        }
+        // ── GET /api/trust/evidence ──────────────────────────────────────────────
+        if (method === "GET" && url === "/api/trust/evidence") {
+            const receipts = [...(await storage_1.storage.getExecutionReceipts())].reverse(); // creation order
+            return sendJson(res, 200, {
+                witness_pubkey: witness_1.witnessLog.witnessPublicKey,
+                sth: witness_1.witnessLog.latestSTH() ?? null,
+                receipts,
+            });
+        }
+        sendJson(res, 404, { error: "not_found", message: `${method} ${url} is not served by the demo control plane` });
+    }
+    catch (e) {
+        sendJson(res, 500, { error: "internal_error", message: e instanceof Error ? e.message : String(e) });
+    }
+});
+server.listen(PORT, HOST, () => {
+    const addr = server.address();
+    const port = typeof addr === "object" && addr ? addr.port : PORT;
+    console.log(`demo-control-plane listening on http://${HOST}:${port}`);
+});

package/dist/scripts/intake-cli.js

@@ -0,0 +1,303 @@
+#!/usr/bin/env tsx
+"use strict";
+/**
+ * Intake Discipline CLI — exercise classification-as-governed-promotion.
+ *
+ *   npx tsx scripts/intake-cli.ts kernel             # print + verify the terminating kernel
+ *   npx tsx scripts/intake-cli.ts demo               # worked promote / quarantine / fail-closed
+ *   npx tsx scripts/intake-cli.ts classify <in.json> # run one classification from a JSON spec
+ *
+ * The CLI never authorizes runtime/autonomy. It only classifies intake and
+ * prints witnessed promote-or-quarantine receipts. Action remains fail-closed:
+ * a "promote" here means "admitted to the trusted pipeline", not "executed".
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_fs_1 = require("node:fs");
+const index_1 = require("../server/intake/index");
+const C = {
+    reset: "\x1b[0m", bold: "\x1b[1m", dim: "\x1b[2m",
+    green: "\x1b[32m", yellow: "\x1b[33m", red: "\x1b[31m", magenta: "\x1b[35m", cyan: "\x1b[36m",
+};
+const tty = process.stdout.isTTY;
+const c = (code, s) => (tty ? code + s + C.reset : s);
+function printKernel() {
+    console.log(c(C.bold, "Terminating Kernel ") + c(C.dim, `(${index_1.TERMINATING_KERNEL.version})`));
+    for (const a of index_1.TERMINATING_KERNEL.axioms) {
+        console.log(`  ${c(C.cyan, a.id)} ${c(C.dim, `[${a.kind}]`)} ${a.law}`);
+    }
+    const ok = (0, index_1.verifyKernelSeal)();
+    console.log("");
+    console.log(`  seal: ${c(C.dim, index_1.KERNEL_SEAL)}`);
+    console.log(`  sealed & intact: ${ok ? c(C.green, "yes") : c(C.red, "NO — kernel has been edited without re-sealing")}`);
+}
+function decorrelatedWitnesses(independentVerdict) {
+    return [
+        index_1.provenanceWitness,
+        index_1.structuralRationaleWitness,
+        (0, index_1.makeDeterministicReclassifier)("reclass.cli", () => independentVerdict),
+    ];
+}
+function runOne(ledger, spec) {
+    const raw = ledger.submitRaw(spec.content, spec.source);
+    const claim = {
+        raw_id: raw.raw_id,
+        raw_hash: raw.raw_hash,
+        proposed_category: spec.proposed_category,
+        classifier_identity: spec.classifier_identity ?? "cli:operator",
+        rationale: [{ cites: "raw_hash", value: raw.raw_hash }],
+        allowed_downstream_uses: spec.allowed_downstream_uses ?? ["display"],
+        confidence: spec.confidence ?? 0.9,
+    };
+    const witnesses = decorrelatedWitnesses(spec.independent_verdict ?? spec.proposed_category);
+    if (spec.authority) {
+        // High-authority promotions require agreement across >= 2 mechanism CLASSES;
+        // add a rule-class witness alongside the deterministic set.
+        witnesses.push((0, index_1.makeRuleWitness)("cli-policy", (_c, r) => ({
+            verdict: spec.independent_verdict ?? spec.proposed_category,
+            reason: "cli policy table match",
+            citations: [{ cites: "raw_hash", value: r.raw_hash }],
+        })));
+    }
+    const outcome = ledger.classify(claim, witnesses, spec.authority);
+    const r = outcome.receipt;
+    const tag = outcome.decision === "promote"
+        ? c(C.green, "● PROMOTE")
+        : c(C.yellow, "▲ QUARANTINE");
+    console.log("");
+    console.log(`${tag}  ${c(C.bold, spec.proposed_category)}  ${c(C.dim, raw.raw_id)}`);
+    console.log(`  source        ${r.source_identity} @ ${r.source_location}`);
+    console.log(`  raw_hash      ${c(C.dim, r.raw_hash)}`);
+    console.log(`  classifier    ${r.classifier_identity}  (confidence ${String(r.confidence)})`);
+    console.log(`  witnesses     ${r.witnesses.map((w) => `${c(C.dim, w.mechanism_class)}/${w.mechanism}:${w.availability !== "available" ? c(C.yellow, w.availability) : w.agree ? c(C.green, "agree") : c(C.red, w.verdict)}`).join("  ")}`);
+    console.log(`  reconcile     ${r.reconciliation.status} (${r.reconciliation.against})`);
+    if (r.decision_reasons.length > 0) {
+        console.log(c(C.yellow, "  held because:"));
+        for (const reason of r.decision_reasons)
+            console.log(c(C.yellow, `    - ${reason}`));
+    }
+    console.log(`  receipt_hash  ${c(C.magenta, r.receipt_hash)}`);
+}
+function demo() {
+    console.log(c(C.bold, "Intake Discipline — worked example\n"));
+    printKernel();
+    const ledger = new index_1.IntakeLedger({ anchor: () => { } });
+    console.log("\n" + c(C.dim, "1) clean low-authority classification → PROMOTE"));
+    runOne(ledger, {
+        content: { observed: "agent read a file" },
+        source: { identity: "fs:watcher", location: "/repo/README.md" },
+        proposed_category: "observation",
+    });
+    console.log("\n" + c(C.dim, "2) independent reclassifier disagrees → QUARANTINE (retained, not discarded)"));
+    runOne(ledger, {
+        content: { text: "the refund is approved" },
+        source: { identity: "model:opus", location: "chat" },
+        proposed_category: "approval",
+        independent_verdict: "claim", // the rule sees a mere claim, not an approval
+        authority: { capabilities: ["promote:approval"], grantedBy: "human:cj" },
+    });
+    console.log("\n" + c(C.dim, "3) high-authority category with NO governed authority → QUARANTINE (fail-closed)"));
+    runOne(ledger, {
+        content: { do: "refund $5000" },
+        source: { identity: "agent:autopilot", location: "tool:stripe" },
+        proposed_category: "execution",
+    });
+    console.log("\n" + c(C.dim, "4) same act WITH a governed authority grant → PROMOTE"));
+    runOne(ledger, {
+        content: { do: "refund $50" },
+        source: { identity: "agent:autopilot", location: "tool:stripe" },
+        proposed_category: "execution",
+        authority: { capabilities: ["promote:execution"], grantedBy: "human:cj" },
+    });
+    console.log("\n" + c(C.dim, "5) an UNAVAILABLE model witness (no runtime injected) → QUARANTINE (held, not crashed)"));
+    {
+        const raw = ledger.submitRaw({ text: "needs a model opinion" }, { identity: "feed", location: "intake" });
+        const claim = {
+            raw_id: raw.raw_id,
+            raw_hash: raw.raw_hash,
+            proposed_category: "evidence",
+            classifier_identity: "cli:operator",
+            rationale: [{ cites: "raw_hash", value: raw.raw_hash }],
+            allowed_downstream_uses: ["display"],
+            confidence: 0.6,
+        };
+        const outcome = ledger.classify(claim, [
+            index_1.provenanceWitness,
+            index_1.structuralRationaleWitness,
+            (0, index_1.createModelWitnessAdapter)("opus"), // no decide → unavailable → blocks
+        ]);
+        const r = outcome.receipt;
+        console.log(`${c(C.yellow, "▲ QUARANTINE")}  evidence  ${c(C.dim, raw.raw_id)}`);
+        console.log(`  witnesses     ${r.witnesses.map((w) => `${c(C.dim, w.mechanism_class)}:${w.availability !== "available" ? c(C.yellow, w.availability) : c(C.green, "agree")}`).join("  ")}`);
+        for (const reason of r.decision_reasons)
+            console.log(c(C.yellow, `    - ${reason}`));
+    }
+    const s = ledger.status();
+    console.log("\n" + c(C.bold, "ledger ") + `promoted=${s.promoted} quarantined=${s.quarantined} receipts=${s.receipts}`);
+    console.log(c(C.dim, `chain head ${s.head}`));
+}
+function queueDemo() {
+    console.log(c(C.bold, "Quarantine Escalation Queue — worked example\n"));
+    const ledger = new index_1.IntakeLedger({ anchor: () => { } });
+    const queue = new index_1.QuarantineQueue();
+    // 1) a model-unavailable quarantine lands in the queue
+    const raw = ledger.submitRaw({ text: "ambiguous directive" }, { identity: "feed", location: "intake" });
+    const claim = {
+        raw_id: raw.raw_id,
+        raw_hash: raw.raw_hash,
+        proposed_category: "claim",
+        classifier_identity: "cli:operator",
+        rationale: [{ cites: "raw_hash", value: raw.raw_hash }],
+        allowed_downstream_uses: ["display"],
+        confidence: 0.5,
+    };
+    const held = ledger.classify(claim, [index_1.provenanceWitness, index_1.structuralRationaleWitness, (0, index_1.createModelWitnessAdapter)("opus")]);
+    if (held.decision !== "quarantine")
+        throw new Error("expected quarantine");
+    const item = queue.ingest(held);
+    console.log(c(C.dim, "1) model-unavailable quarantine ingested as a queue item"));
+    console.log(`   ${c(C.cyan, item.item_id)}  status=${item.status}  reasons=${item.quarantine_reasons.length}  original receipt ${c(C.dim, item.quarantine_receipt_hash.slice(0, 16))}…`);
+    // 2) a human reviews it; their decision is ONE witness; the ceremony decides
+    console.log(c(C.dim, "\n2) human review supplies a HumanDecision → ceremony re-runs"));
+    const { item: reviewed, outcome } = queue.review(ledger, item.item_id, {
+        decision: { reviewer: "cj", verdict: "claim", reason: "read it; it is an assertion, not an instruction" },
+        witnesses: [index_1.provenanceWitness, index_1.structuralRationaleWitness],
+    });
+    console.log(`   ${c(C.cyan, reviewed.item_id)}  status=${c(reviewed.status === "resolved_promoted" ? C.green : C.yellow, reviewed.status)}`);
+    console.log(`   original receipt ${c(C.dim, reviewed.quarantine_receipt_hash.slice(0, 16))}… preserved`);
+    console.log(`   new receipt      ${c(C.magenta, reviewed.resolution.new_receipt_hash.slice(0, 16))}… (${outcome.decision})`);
+    // 3) duplicate processing fails closed
+    console.log(c(C.dim, "\n3) duplicate review attempt fails closed"));
+    try {
+        queue.review(ledger, item.item_id, {
+            decision: { reviewer: "cj", verdict: "claim", reason: "again" },
+            witnesses: [index_1.provenanceWitness, index_1.structuralRationaleWitness],
+        });
+        console.log(c(C.red, "   UNEXPECTED: duplicate review succeeded"));
+    }
+    catch (err) {
+        console.log(`   ${c(C.green, "refused:")} ${err.message}`);
+    }
+    const qs = queue.status();
+    console.log("\n" + c(C.bold, "queue ") + JSON.stringify(qs.byStatus) + c(C.dim, `  ledger receipts=${ledger.status().receipts}`));
+}
+function modelDemo() {
+    console.log(c(C.bold, "Model Witness Runtime Adapter — worked example\n"));
+    const ledger = new index_1.IntakeLedger({ anchor: () => { } });
+    const run = (label, witness, category = "observation", authority) => {
+        const raw = ledger.submitRaw({ text: label }, { identity: "feed", location: "intake" });
+        const claim = {
+            raw_id: raw.raw_id, raw_hash: raw.raw_hash, proposed_category: category,
+            classifier_identity: "cli:operator",
+            rationale: [{ cites: "raw_hash", value: raw.raw_hash }],
+            allowed_downstream_uses: ["display"], confidence: 0.8,
+        };
+        const outcome = ledger.classify(claim, [index_1.provenanceWitness, index_1.structuralRationaleWitness, witness], authority);
+        const m = outcome.receipt.witnesses.find((w) => w.mechanism_class === "model");
+        const tag = outcome.decision === "promote" ? c(C.green, "● PROMOTE  ") : c(C.yellow, "▲ QUARANTINE");
+        console.log(`${tag}  ${label}`);
+        console.log(`   model witness: ${m.availability !== "available" ? c(C.yellow, m.availability) : m.agree ? c(C.green, "agree") : c(C.red, String(m.verdict))} — ${m.reason.slice(0, 100)}`);
+        if (outcome.decision === "quarantine") {
+            for (const r of outcome.receipt.decision_reasons.slice(0, 2))
+                console.log(c(C.dim, `     - ${r.slice(0, 110)}`));
+        }
+        console.log("");
+    };
+    run("1) no runtime injected → unavailable, held", (0, index_1.createModelRuntimeWitness)("opus"));
+    run("2) configured fake runtime, valid structured decision → usable vote, promotes", (0, index_1.createModelRuntimeWitness)("opus", (0, index_1.makeFakeModelRuntime)("fake:ok", () => "observation", { confidence: 0.85 })));
+    run("3) prose-only output → inadmissible, held", (0, index_1.createModelRuntimeWitness)("opus", (0, index_1.makeFakeModelRuntime)("fake:prose", () => "observation", { returnProse: true })));
+    run("4) runtime throws → contained, held", (0, index_1.createModelRuntimeWitness)("opus", (0, index_1.makeFakeModelRuntime)("fake:boom", () => "observation", { throwError: true })));
+    run("5) model agrees on EXECUTION but no governed authority → held (model is never authority)", (0, index_1.createModelRuntimeWitness)("opus", (0, index_1.makeFakeModelRuntime)("fake:ok", () => "execution")), "execution");
+    const s = ledger.status();
+    console.log(c(C.bold, "ledger ") + `promoted=${s.promoted} quarantined=${s.quarantined} receipts=${s.receipts}`);
+}
+async function gatewayDemo() {
+    const { McpGate } = await Promise.resolve().then(() => __importStar(require("./mcp-gateway")));
+    console.log(c(C.bold, "Gateway Intake Integration — worked example (enforce mode)\n"));
+    console.log(c(C.dim, "Intake sits in FRONT of the capability gate. A tool call reaches downstream"));
+    console.log(c(C.dim, "ONLY IF intake promotes AND the gate allows.\n"));
+    const ledger = new index_1.IntakeLedger({ anchor: () => { } });
+    const queue = new index_1.QuarantineQueue();
+    const checker = (0, index_1.makeGatewayIntakeChecker)({
+        ledger, queue,
+        baseWitnesses: [index_1.provenanceWitness, index_1.structuralRationaleWitness],
+        policy: index_1.conservativeGatewayPolicy,
+    });
+    const config = { agent: { agentId: "a1", authorizedBy: "op" }, grantedCapabilities: ["agent.mcp.call"] };
+    let downstreamHits = 0;
+    const forward = async (msg) => { downstreamHits++; return { jsonrpc: "2.0", id: (msg.id ?? null), result: { content: [{ type: "text", text: "DOWNSTREAM REACHED" }] } }; };
+    const gateFor = (allowed) => new McpGate(config, async () => ({ allowed, reason: allowed ? "ok" : "ceiling exceeded", receiptHash: "exec" }), forward, { mode: "enforce", check: checker });
+    const call = (name, args) => ({ jsonrpc: "2.0", id: 1, method: "tools/call", params: { name, arguments: args } });
+    const show = async (label, gateAllowed, args) => {
+        const before = downstreamHits;
+        const out = await gateFor(gateAllowed).handle(call("refund", args));
+        const reached = downstreamHits > before;
+        const tag = reached ? c(C.green, "→ DOWNSTREAM REACHED") : c(C.red, "✗ blocked, downstream NOT reached");
+        console.log(`${c(C.bold, label)}`);
+        console.log(`   intake: ${out.intakeQuarantined ? c(C.yellow, "QUARANTINE") : c(C.green, "promote")}  |  gate: ${gateAllowed ? c(C.green, "allow") : c(C.red, "refuse")}  ⇒  ${tag}\n`);
+    };
+    await show("1) well-formed args, gate allows", true, { amount: 50 });
+    await show("2) well-formed args, gate REFUSES (intake promote can't override the gate)", false, { amount: 9999 });
+    await show("3) prototype-pollution args, gate would allow (intake quarantines first)", true, { amount: 50, ["__proto__"]: { x: 1 } });
+    console.log(c(C.bold, "result ") + `downstream reached ${downstreamHits}/3 times (only case 1)`);
+    console.log(c(C.dim, `escalation queue: ${queue.pending().length} item(s) pending review`));
+}
+function classifyFromFile(path) {
+    const spec = JSON.parse((0, node_fs_1.readFileSync)(path, "utf8"));
+    if (!(0, index_1.isIntakeCategory)(spec.proposed_category)) {
+        console.error(`invalid proposed_category: ${spec.proposed_category}`);
+        process.exit(2);
+    }
+    const ledger = new index_1.IntakeLedger({ anchor: () => { } });
+    runOne(ledger, spec);
+}
+const [sub, arg] = process.argv.slice(2);
+switch (sub) {
+    case "kernel":
+        printKernel();
+        break;
+    case "demo":
+        demo();
+        break;
+    case "queue-demo":
+        queueDemo();
+        break;
+    case "model-demo":
+        modelDemo();
+        break;
+    case "gateway-demo":
+        gatewayDemo();
+        break;
+    case "classify":
+        if (!arg) {
+            console.error("usage: intake-cli classify <input.json>");
+            process.exit(2);
+        }
+        classifyFromFile(arg);
+        break;
+    default:
+        console.log("usage: intake-cli <kernel|demo|queue-demo|model-demo|gateway-demo|classify <input.json>>");
+        process.exit(sub ? 2 : 0);
+}