magenta-canon 0.5.0 → 0.7.0

package/README.md

@@ -22,6 +22,7 @@ npx magenta-canon demo                  # full local proof loop: allow · block
 npx magenta-canon verify --self-test    # verifier self-check: all verdict levels incl. a tamper FAIL
 npx magenta-canon gateway <config.json> # the stdio MCP capability gateway
 npx magenta-canon mirror --self-test    # external STH mirror: catch operator history rewrites
+npx magenta-canon sentinel pack         # Sentinel Mesh: invariant-check the packed artifact
 ```
 
 Magenta Canon is a proven **reference implementation**, not production-hosted infra
@@ -221,6 +222,52 @@ still regenerates on restart; old evidence keeps verifying). Keystore format,
 rotation protocol, boot-reconciliation table, and operator procedures:
 [`docs/WITNESS_IDENTITY.md`](docs/WITNESS_IDENTITY.md) (ships in the package).
 
+### Sentinel Mesh foundation — new in 0.6.0
+
+Magenta Canon 0.6.0 introduces an **executable Sentinel Mesh** that protects
+repository state, npm artifacts, dependency boundaries, release promotion,
+witness identity, and cryptographically authorized witness-key rotation:
+versioned invariants, deterministic repository / artifact / witness
+evaluation, evidence-preserving violations, and scoped release-promotion
+blocking.
+
+```bash
+magenta-canon sentinel repository        # invariant-check a git repository
+magenta-canon sentinel artifact <tgz|dir>  # invariant-check a packed artifact
+magenta-canon sentinel pack              # npm pack, then check the result
+magenta-canon sentinel witness --ledger ledger.jsonl  # witness rotation-authority check
+magenta-canon sentinel ledger ledger.jsonl  # ledger truth: sequence, chains, Merkle, checkpoints (new in 0.7.0)
+magenta-canon sentinel invariants        # list the invariant registry
+```
+
+The **Witness & Rotation Sentinel** (MC-WIT-001…011) watches the 0.5.0
+rotation-authority model itself: pinned-anchor continuity, dual-signed
+rotation validity, exact epoch boundaries, epoch-correct STH signing,
+retired-key resurrection / pre-activation refusal, and keystore↔ledger
+agreement — re-derived independently from the published wire formats, so it
+can disagree with a wrong (or compromised) server.
+
+The **Ledger Sentinel** (MC-LEDGER-001…021, new in 0.7.0) is the independent
+judge of ledger truth: contiguous receipt sequence, hash-chain and issuer
+signatures, RFC 6962 Merkle re-derivation, checkpoint monotonicity and
+equivocation refusal, corruption fail-closed vs bounded crash-tail
+quarantine, writer/lock authority (never auto-stolen), witness agreement,
+and mirror consistency. It reports five distinct outcomes — integrity /
+origin (pinned anchor only) / operational exclusivity (lock metadata only) /
+not-evaluated / violation — and is the contract any future storage backend
+(PostgreSQL, hosted) must satisfy before carrying authority
+([`docs/LEDGER_SENTINEL.md`](docs/LEDGER_SENTINEL.md), ships in the package).
+
+Sentinels are read-only, redacting (paths + fingerprints, never secret
+bodies), deterministic, network-free, and emit `magenta-sentinel-violation/1`
+evidence records; exit codes map to a scoped promotion decision (`eligible` /
+`blocked` / `requires-independent-review`). Records at this layer are
+**unsigned local diagnostics**, and the freeze is a release/build promotion
+gate — **not** a production kill switch, a hosted Sentinel service, or
+complete Mesh coverage (ledger/execution/configuration sentinels are future
+lanes). Honest scope and the full model:
+[`docs/SENTINEL_MESH.md`](docs/SENTINEL_MESH.md).
+
 ### From the repo vs. as a CLI
 
 - **From a repo checkout** (above): `npm install` then `npm run demo`.

package/bin/magenta-canon.mjs

@@ -48,6 +48,8 @@ Usage:
                                      verify <mirror>, check <mirror> <bundle>, --self-test.
   magenta-canon mirror-feed ...      One feed cycle for a mirror operator:
                                      (--bundle <file> | --url <evidence-url>) --mirror <file>.
+  magenta-canon sentinel <cmd>       Sentinel Mesh: repository | artifact <tgz|dir> |
+                                     pack | invariants  (deterministic invariant checks).
   magenta-canon --help               Show this help.
   magenta-canon --version            Print the version.
 
@@ -110,6 +112,11 @@ switch (sub) {
     // Plain-Node operator helper; delegates all mirror semantics to `mirror`.
     run(process.execPath, [path.join(ROOT, "scripts", "mirror-feed.mjs"), ...rest], { cwd: process.cwd() });
     break;
+  case "sentinel":
+    // Sentinel Mesh foundation: deterministic invariant evaluation over a
+    // repository or a packed artifact (read-only; unsigned local diagnostics).
+    runTs("scripts/magenta-sentinel.ts", rest, { cwd: process.cwd() });
+    break;
   case "-v":
   case "--version":
   case "version":

package/dist/MANIFEST.json

@@ -3,6 +3,7 @@
   "scripts/demo-control-plane.js": "3a559f39d17c1a403988e731e053d0d071cbd41ab595fd6246910f852337ab2f",
   "scripts/intake-cli.js": "189014db22d6fccb034ed1a93ec11efe8905be820bc468366c68bb2cabaf8a97",
   "scripts/magenta-mirror.js": "cf701065f7a6e20f7f44a9b815396aeb5fe031c3f003bcd793b8014ea8801b85",
+  "scripts/magenta-sentinel.js": "74336873d7f7c10825750e34a79988497ba793df593587f1c971b494a4d29f5f",
   "scripts/magenta-verify.js": "0bb65ef6ff1350789eecc4f0434ca94dcf3a89930f8ef1d62cc38100e18094ba",
   "scripts/mcp-gateway.js": "335923004b73511fe42ea0fc6f2e567afe8018dc95464a79027e4c2537e30de1",
   "server/agent-policy.js": "20dd9150f8244c33aaf14ecdf3a09f471210960d246cda9ab8d5abe0e8433518",
@@ -24,6 +25,14 @@
   "server/ledger-store.js": "fc8a46f925908764bac7a076cffa08053af4c1f93237bee408eb0ed1e61eeca2",
   "server/ledger.js": "9bf8f132e08d636070d2ede568b2eaf75810be245c90ecd5979d2d4de69af934",
   "server/persistence.js": "2e6b1d0b1c74babbd581780b028c2593256c5ec96c2d60f4c25159e3f54e4e3f",
+  "server/sentinel/artifact-sentinel.js": "93bae917af313c9247f8062af148e7c25ccfd16d0507fa85e755c64056715f8d",
+  "server/sentinel/ledger-sentinel.js": "37d1c7040ae2506454247d40b42bad6076273b577190eeb3a6571184849b1e71",
+  "server/sentinel/promotion.js": "68ac5e54eb8c07d5c75ba0d2325d595b1583557840cc46322b2053dd9924a0be",
+  "server/sentinel/repository-sentinel.js": "722e973c8860cf281b29db8c4a22ec3cf473afcb088247916e8278d5e11638cf",
+  "server/sentinel/rules.js": "ab24435df4f6f5b10f8b721fde37fe7fa894453648f17f04923cab56020c459f",
+  "server/sentinel/tar-reader.js": "ded811eefebf3e4afa332d1bc0a48318cc22ad824222eb15b2dc08eb51048272",
+  "server/sentinel/violation.js": "70d44ae5eb43a560fada399b31eac1a2beccb66916340e1f3e9b549731776b38",
+  "server/sentinel/witness-sentinel.js": "f024dbe9fb505c7520ec466ed31bf9b3284c3c3066dbd287121d2e4397d3fb0a",
   "server/storage.js": "7a7556a6d15d736f028698b6094072daa71eed2230427594edac9d29b531081a",
   "server/transparency-log.js": "7f238edc5cad4edc2c70a7b3e1977197cf2087e77789d181ffae0035f948391b",
   "server/trust-bootstrap.js": "57a53a3ee9cd630ada2867e8b087a34b069ba26f86a696d3ead74888dd7e8d5f",
@@ -31,6 +40,7 @@
   "server/witness.js": "b1a8209d4dae4ffafc3ca4a158474b369250472ba80cef03bd92048282be91a4",
   "shared/canonical.js": "476cee4b5c5702e8a2a198e79c2639cf8ff84000ffb92f68a04433ed2a2f5484",
   "shared/certificates.js": "7844e71a38e1b1324586c7d054b2f5c15222b86446318d1e6dea9bab504a4a73",
+  "shared/invariants.js": "7cde6f65dc014d9dd09849281734660369cbb0ea0f34faa583671efd2522d0c0",
   "shared/schema.js": "f89190990e3826e44c722d5e8f5b39fd59b4d3fb9ec047229930a17604e4646c",
   "shared/terminating-kernel.js": "8e2aa68d47d6780e4a70822482e3e410924e9d1af843f301a487da0af37ed047"
 }

package/dist/scripts/magenta-sentinel.js

@@ -0,0 +1,226 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * magenta-sentinel — Sentinel Mesh CLI (foundation layer).
+ *
+ *   magenta-canon sentinel repository [--root <dir>] [--json]
+ *   magenta-canon sentinel artifact <tgz|package-dir> [--expected-version <v>] [--json]
+ *   magenta-canon sentinel pack [--json]      (npm pack, then evaluate the tarball)
+ *
+ * Exit codes: 0 eligible/diagnostic-only · 1 blocked · 2 requires-independent-review
+ *             3 usage / subject unreadable.
+ *
+ * Honesty: all records emitted here are UNSIGNED LOCAL DIAGNOSTICS. They are
+ * structured findings, not third-party-verifiable attestations.
+ */
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const path = __importStar(require("node:path"));
+const repository_sentinel_1 = require("../server/sentinel/repository-sentinel");
+const artifact_sentinel_1 = require("../server/sentinel/artifact-sentinel");
+const witness_sentinel_1 = require("../server/sentinel/witness-sentinel");
+const ledger_sentinel_1 = require("../server/sentinel/ledger-sentinel");
+const promotion_1 = require("../server/sentinel/promotion");
+const invariants_1 = require("../shared/invariants");
+const USAGE = `magenta-sentinel — deterministic invariant evaluation (Sentinel Mesh foundation)
+
+Usage:
+  sentinel repository [--root <dir>] [--json]
+  sentinel artifact <tarball.tgz | package-dir> [--expected-version <v>] [--json]
+  sentinel pack [--json]
+  sentinel witness --ledger <file> [--keystore <file>] [--passphrase-env <VAR>]
+                   [--anchor <pubkey-hex>] [--json]
+  sentinel ledger <ledger.jsonl> [--anchor <pubkey-hex>] [--keystore <file>]
+                  [--passphrase-env <VAR>] [--mirror <mirror.jsonl>]
+                  [--no-lock-inspection] [--json]
+  sentinel invariants [--json]
+
+Exit: 0 eligible/diagnostic-only · 1 blocked · 2 requires review · 3 usage/unreadable
+`;
+function flag(args, name) {
+    const i = args.indexOf(name);
+    if (i >= 0) {
+        args.splice(i, 1);
+        return true;
+    }
+    return false;
+}
+function option(args, name) {
+    const i = args.indexOf(name);
+    if (i >= 0 && i + 1 < args.length) {
+        const v = args[i + 1];
+        args.splice(i, 2);
+        return v;
+    }
+    return undefined;
+}
+function printHuman(kind, subject, result, promo) {
+    console.log(`magenta-sentinel ${kind}`);
+    console.log(`  subject: ${subject}`);
+    console.log(`  invariants evaluated: ${result.evaluated_invariants.length} — passed ${result.passed.length}, failed ${result.failed.length}`);
+    for (const f of result.findings) {
+        console.log(`  [FAIL] ${f.invariant_id} (${f.severity}, ${f.disposition})`);
+        console.log(`         observed: ${f.observed}`);
+        console.log(`         paths: ${f.paths.join(", ") || "-"}`);
+    }
+    for (const v of result.violations) {
+        console.log(`  evidence: ${v.invariant_id} record ${v.record_hash.slice(0, 16)}… (${v.assurance})`);
+    }
+    if (result.findings.length === 0)
+        console.log("  all evaluated invariants hold");
+    console.log(`  PROMOTION: ${promo.decision.toUpperCase()}${promo.evidence_complete ? "" : " (evidence INCOMPLETE)"}`);
+}
+function exitFor(promo) {
+    switch (promo.decision) {
+        case "eligible":
+        case "diagnostic-only": return 0;
+        case "blocked": return 1;
+        case "requires-independent-review": return 2;
+    }
+}
+const argv = process.argv.slice(2);
+const sub = argv.shift();
+const json = flag(argv, "--json");
+try {
+    if (sub === "repository") {
+        const root = option(argv, "--root") ?? process.cwd();
+        const res = (0, repository_sentinel_1.runRepositorySentinel)({ repoRoot: path.resolve(root) });
+        const promo = (0, promotion_1.decidePromotion)({ subject: `repository:${res.subject_identity}`, findings: res.findings, violations: res.violations });
+        if (json)
+            console.log(JSON.stringify({ result: res, promotion: promo }, null, 2));
+        else
+            printHuman("repository", res.subject_identity, res, promo);
+        process.exit(exitFor(promo));
+    }
+    else if (sub === "artifact") {
+        const target = argv.find((a) => !a.startsWith("-"));
+        if (!target) {
+            console.error("sentinel artifact: missing <tarball|dir>\n\n" + USAGE);
+            process.exit(3);
+        }
+        const expectedVersion = option(argv, "--expected-version");
+        const res = (0, artifact_sentinel_1.runArtifactSentinel)(path.resolve(target), { expectedVersion });
+        const promo = (0, promotion_1.decidePromotion)({ subject: `artifact:${res.subject_identity}`, findings: res.findings, violations: res.violations });
+        if (json)
+            console.log(JSON.stringify({ result: res, promotion: promo }, null, 2));
+        else
+            printHuman("artifact", `${res.artifact_name ?? "?"}@${res.artifact_version ?? "?"} (${res.subject_identity.slice(0, 19)}…, ${res.file_count} files)`, res, promo);
+        process.exit(exitFor(promo));
+    }
+    else if (sub === "pack") {
+        const out = (0, node_child_process_1.execFileSync)("npm", ["pack", "--silent"], { cwd: process.cwd(), encoding: "utf8", shell: process.platform === "win32" });
+        const tgz = out.trim().split(/\r?\n/).pop();
+        if (!(0, node_fs_1.existsSync)(tgz)) {
+            console.error(`sentinel pack: npm pack did not produce ${tgz}`);
+            process.exit(3);
+        }
+        const res = (0, artifact_sentinel_1.runArtifactSentinel)(path.resolve(tgz));
+        const promo = (0, promotion_1.decidePromotion)({ subject: `artifact:${res.subject_identity}`, findings: res.findings, violations: res.violations });
+        if (json)
+            console.log(JSON.stringify({ result: res, promotion: promo, tarball: tgz }, null, 2));
+        else {
+            console.log(`  packed: ${tgz}`);
+            printHuman("artifact", `${res.artifact_name}@${res.artifact_version}`, res, promo);
+        }
+        process.exit(exitFor(promo));
+    }
+    else if (sub === "witness") {
+        const ledger = option(argv, "--ledger");
+        if (!ledger) {
+            console.error("sentinel witness: missing --ledger <file>\n\n" + USAGE);
+            process.exit(3);
+        }
+        const keystore = option(argv, "--keystore");
+        const res = (0, witness_sentinel_1.runWitnessSentinel)({
+            ledgerPath: path.resolve(ledger),
+            keystorePath: keystore ? path.resolve(keystore) : undefined,
+            passphraseEnv: option(argv, "--passphrase-env"),
+            anchorPubkey: option(argv, "--anchor"),
+        });
+        const promo = (0, promotion_1.decidePromotion)({ subject: `witness:${res.subject_identity}`, findings: res.findings, violations: res.violations });
+        if (json)
+            console.log(JSON.stringify({ result: res, promotion: promo }, null, 2));
+        else {
+            printHuman("witness", `${res.subject_identity.slice(0, 27)}… (${res.ledger_sth_count} STH, ${res.ledger_rotation_count} rotation(s), tip ${res.tip_fingerprint ?? "-"})`, res, promo);
+            for (const n of res.not_evaluated)
+                console.log(`  [NOT EVALUATED] ${n.invariant_id}: ${n.reason}`);
+            if (res.incomplete_tail_ignored)
+                console.log("  note: incomplete trailing ledger line ignored (crash-tail semantics)");
+        }
+        process.exit(exitFor(promo));
+    }
+    else if (sub === "ledger") {
+        const target = argv.find((a) => !a.startsWith("-"));
+        if (!target) {
+            console.error("sentinel ledger: missing <ledger.jsonl>\n\n" + USAGE);
+            process.exit(3);
+        }
+        const keystore = option(argv, "--keystore");
+        const mirror = option(argv, "--mirror");
+        const res = (0, ledger_sentinel_1.runLedgerSentinel)({
+            ledgerPath: path.resolve(target),
+            anchorPubkey: option(argv, "--anchor") ?? option(argv, "--expected-witness-key"),
+            keystorePath: keystore ? path.resolve(keystore) : undefined,
+            passphraseEnv: option(argv, "--passphrase-env"),
+            mirrorPath: mirror ? path.resolve(mirror) : undefined,
+            inspectLock: !flag(argv, "--no-lock-inspection"),
+        });
+        const promo = (0, promotion_1.decidePromotion)({ subject: `ledger:${res.subject_identity}`, findings: res.findings, violations: res.violations });
+        if (json)
+            console.log(JSON.stringify({ result: res, promotion: promo }, null, 2));
+        else {
+            printHuman("ledger", `${res.subject_identity.slice(0, 26)}… (${res.record_count} records: ${res.receipt_count} receipts, ${res.checkpoint_count} STH, ${res.rotation_count} rotation(s))`, res, promo);
+            for (const n of res.not_evaluated)
+                console.log(`  [NOT EVALUATED] ${n.invariant_id}: ${n.reason}`);
+            if (res.incomplete_tail_quarantined)
+                console.log("  note: incomplete trailing append quarantined (carries no authority)");
+            if (res.witness_cross_run)
+                console.log(`  witness cross-run: ${res.witness_cross_run.failed.length === 0 ? "agrees" : "DISAGREES"} (tip ${res.witness_cross_run.tip_fingerprint ?? "-"})`);
+        }
+        process.exit(exitFor(promo));
+    }
+    else if (sub === "invariants") {
+        if (json)
+            console.log(JSON.stringify(invariants_1.INVARIANTS, null, 2));
+        else
+            for (const i of invariants_1.INVARIANTS)
+                console.log(`${i.id}  v${i.version}  ${i.status.padEnd(9)} ${i.severity.padEnd(8)} ${i.disposition.padEnd(26)} ${i.name}`);
+        process.exit(0);
+    }
+    else {
+        process.stdout.write(USAGE);
+        process.exit(sub === undefined || sub === "--help" || sub === "-h" ? 0 : 3);
+    }
+}
+catch (e) {
+    if (e instanceof artifact_sentinel_1.TarError) {
+        console.error(`sentinel: artifact unreadable (refusing to guess): ${e.message}`);
+        process.exit(3);
+    }
+    console.error(`sentinel: ${e.message}`);
+    process.exit(3);
+}

package/dist/server/sentinel/artifact-sentinel.js

@@ -0,0 +1,286 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TarError = exports.runArtifactSentinel = exports.ARTIFACT_SENTINEL_VERSION = exports.ARTIFACT_SENTINEL_TYPE = void 0;
+/**
+ * ARTIFACT SENTINEL — deterministic evaluation of artifact/dependency
+ * invariants (MC-ART-*, MC-DEP-*) over a packed npm artifact.
+ *
+ * Three subject modes:
+ *   - tarball:   a .tgz file (read in-memory via the hardened tar reader);
+ *   - directory: an extracted package directory (or any package root);
+ *   - the current `npm pack` output (the CLI wires this; the sentinel itself
+ *     only ever sees a tarball path or directory path).
+ *
+ * Read-only (MC-REL-004), no network, deterministic, redacting. It does NOT
+ * claim npm-registry origin: subject identity is the sha256 the sentinel
+ * computed locally; binding that to a registry artifact requires registry
+ * metadata supplied and verified independently.
+ */
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const path = __importStar(require("node:path"));
+const invariants_1 = require("../../shared/invariants");
+const violation_1 = require("./violation");
+const tar_reader_1 = require("./tar-reader");
+Object.defineProperty(exports, "TarError", { enumerable: true, get: function () { return tar_reader_1.TarError; } });
+const rules_1 = require("./rules");
+exports.ARTIFACT_SENTINEL_TYPE = "artifact-sentinel";
+exports.ARTIFACT_SENTINEL_VERSION = "1.0.0";
+function finding(invId, observed, expected, paths) {
+    const inv = (0, invariants_1.getInvariant)(invId);
+    return {
+        invariant_id: inv.id, invariant_version: inv.version, severity: inv.severity,
+        authority_class: inv.authorityClass, disposition: inv.disposition,
+        observed, expected, paths: paths.sort(),
+    };
+}
+function loadTarball(tgzPath) {
+    const buf = (0, node_fs_1.readFileSync)(tgzPath);
+    const sha256 = (0, node_crypto_1.createHash)("sha256").update(buf).digest("hex");
+    const entries = (0, tar_reader_1.readTgz)(buf);
+    const suspicious = entries.filter((e) => e.suspiciousPath).map((e) => e.name);
+    const files = entries
+        .filter((e) => e.typeflag === "0" || e.typeflag === "\0")
+        .map((e) => ({ rel: e.name.replace(/^package\//, ""), content: e.content }));
+    return { files, sha256, suspicious };
+}
+function walkDir(root) {
+    const out = [];
+    const stack = [root];
+    while (stack.length) {
+        const dir = stack.pop();
+        for (const name of (0, node_fs_1.readdirSync)(dir).sort()) {
+            const abs = path.join(dir, name);
+            const st = (0, node_fs_1.statSync)(abs);
+            if (st.isDirectory()) {
+                if (name === "node_modules" || name === ".git")
+                    continue;
+                stack.push(abs);
+            }
+            else if (st.isFile()) {
+                out.push(abs);
+            }
+        }
+    }
+    return out.sort();
+}
+function loadDirectory(dirPath) {
+    const abs = walkDir(dirPath);
+    const files = abs.map((a) => ({
+        rel: path.relative(dirPath, a).split(path.sep).join("/"),
+        content: (0, node_fs_1.readFileSync)(a),
+    }));
+    // Deterministic directory identity: hash of sorted (path, sha256) pairs.
+    const h = (0, node_crypto_1.createHash)("sha256");
+    for (const f of files) {
+        h.update(f.rel);
+        h.update("\0");
+        h.update((0, node_crypto_1.createHash)("sha256").update(f.content).digest());
+        h.update("\0");
+    }
+    return { files, sha256: `dir:${h.digest("hex")}` };
+}
+function runArtifactSentinel(subjectPath, opts = {}) {
+    if (!(0, node_fs_1.existsSync)(subjectPath)) {
+        throw new Error(`artifact-sentinel: subject not found: ${subjectPath}`);
+    }
+    const isDir = (0, node_fs_1.statSync)(subjectPath).isDirectory();
+    const findings = [];
+    let files;
+    let subjectIdentity;
+    const mode = isDir ? "directory" : "tarball";
+    if (isDir) {
+        ({ files, sha256: subjectIdentity } = loadDirectory(subjectPath));
+    }
+    else {
+        const loaded = loadTarball(subjectPath); // throws TarError on malformed/bomb
+        files = loaded.files;
+        subjectIdentity = loaded.sha256;
+        if (loaded.suspicious.length > 0) {
+            // No invariant ID needed to refuse this: a traversal-shaped entry means
+            // the archive is not an honest npm artifact. Reported under MC-ART-007
+            // (manifest/files integrity) as a structural integrity failure.
+            findings.push(finding("MC-ART-007", `archive contains suspicious entry path(s): ${loaded.suspicious.join(", ")}`, "all archive entry paths are relative and traversal-free", loaded.suspicious));
+        }
+    }
+    const fileMap = new Map(files.map((f) => [f.rel, f]));
+    const relPaths = files.map((f) => f.rel);
+    // package.json metadata
+    let pkg = null;
+    const pkgFile = fileMap.get("package.json");
+    if (pkgFile) {
+        try {
+            pkg = JSON.parse(pkgFile.content.toString("utf8"));
+        }
+        catch {
+            pkg = null;
+        }
+    }
+    const evaluatedDomains = new Set(["artifact", "dependency"]);
+    const evaluated = (0, invariants_1.ratifiedInvariants)().filter((i) => evaluatedDomains.has(i.domain)).map((i) => i.id);
+    // ── MC-ART-001 / MC-ART-002: secrets & identities ─────────────────────
+    const pemHits = [];
+    const prints = [];
+    for (const f of files) {
+        if (f.content.length > rules_1.MAX_SCAN_BYTES || (0, rules_1.isProbablyBinary)(f.content))
+            continue;
+        const text = f.content.toString("utf8");
+        if (rules_1.PEM_PRIVATE_KEY_WITH_BODY.test(text)) {
+            pemHits.push(f.rel);
+            prints.push(`${f.rel}=${(0, rules_1.matchFingerprint)(text, rules_1.PEM_PRIVATE_KEY_WITH_BODY)}`);
+        }
+    }
+    if (pemHits.length > 0) {
+        findings.push(finding("MC-ART-001", `PEM private-key material in artifact; fingerprints: ${prints.join(", ")}`, "artifact contains no private-key material", pemHits));
+    }
+    const identityHits = relPaths.filter((p) => rules_1.FORBIDDEN_IDENTITY_PATHS.some((re) => re.test(p)));
+    if (identityHits.length > 0) {
+        findings.push(finding("MC-ART-002", "generated identity / keystore entry in artifact", "no identity or keystore entries", identityHits));
+    }
+    // ── MC-ART-003: tests ──────────────────────────────────────────────────
+    const testHits = relPaths.filter((p) => rules_1.TEST_FILE_PATHS.some((re) => re.test(p)));
+    if (testHits.length > 0) {
+        findings.push(finding("MC-ART-003", "test file(s) in artifact", "no test files ship", testHits));
+    }
+    // ── MC-ART-004: hosted plane (+ legacy heartbeat surfaces) ────────────
+    const hostedHits = relPaths.filter((p) => rules_1.HOSTED_PLANE_PATHS.some((re) => re.test(p)) || rules_1.FORBIDDEN_HEARTBEAT_PATHS.some((re) => re.test(p)));
+    if (hostedHits.length > 0) {
+        findings.push(finding("MC-ART-004", "hosted-only / legacy module(s) in artifact", "no hosted-plane or legacy heartbeat modules ship", hostedHits));
+    }
+    // ── MC-ART-005: runtime TS / source maps ──────────────────────────────
+    const tsHits = relPaths.filter((p) => rules_1.RUNTIME_TS_PATH.test(p) && !rules_1.TYPE_DECLARATION_PATH.test(p));
+    const mapHits = relPaths.filter((p) => rules_1.SOURCE_MAP_PATH.test(p));
+    if (tsHits.length + mapHits.length > 0) {
+        findings.push(finding("MC-ART-005", "runtime TypeScript or source map(s) in artifact", "precompiled JS only; no .ts (non-decl) or .map", [...tsHits, ...mapHits]));
+    }
+    // ── MC-ART-006: required entrypoints ──────────────────────────────────
+    const missingEntry = rules_1.REQUIRED_DIST_ENTRYPOINTS.filter((e) => !fileMap.has(e));
+    if (missingEntry.length > 0) {
+        findings.push(finding("MC-ART-006", `missing compiled entrypoint(s): ${missingEntry.join(", ")}`, "all required compiled entrypoints present", missingEntry));
+    }
+    // ── MC-ART-007: manifest equality ─────────────────────────────────────
+    const manifestFile = fileMap.get("dist/MANIFEST.json");
+    if (!manifestFile) {
+        findings.push(finding("MC-ART-007", "dist/MANIFEST.json missing", "manifest present and matching", ["dist/MANIFEST.json"]));
+    }
+    else {
+        try {
+            const manifest = JSON.parse(manifestFile.content.toString("utf8"));
+            // build-lean writes a flat { "<dist-relative path>": "<sha256>" } map.
+            const listed = typeof manifest.files === "object" && manifest.files !== null ? manifest.files : manifest;
+            const distFiles = relPaths.filter((p) => p.startsWith("dist/") && p !== "dist/MANIFEST.json");
+            const bad = [];
+            for (const [rel, hash] of Object.entries(listed)) {
+                const f = fileMap.get(`dist/${rel}`);
+                if (!f) {
+                    bad.push(`missing:dist/${rel}`);
+                    continue;
+                }
+                const actual = (0, node_crypto_1.createHash)("sha256").update(f.content).digest("hex");
+                if (actual !== hash)
+                    bad.push(`hash-mismatch:dist/${rel}`);
+            }
+            for (const p of distFiles) {
+                const rel = p.replace(/^dist\//, "");
+                if (!(rel in listed))
+                    bad.push(`unlisted:${p}`);
+            }
+            if (bad.length > 0) {
+                findings.push(finding("MC-ART-007", `manifest disagreement: ${bad.join(", ")}`, "dist/MANIFEST.json lists exactly the dist files with matching sha256", bad));
+            }
+        }
+        catch {
+            findings.push(finding("MC-ART-007", "dist/MANIFEST.json unparseable", "manifest present and matching", ["dist/MANIFEST.json"]));
+        }
+    }
+    // ── MC-ART-008: version consistency ───────────────────────────────────
+    const artifactVersion = pkg?.version ?? null;
+    if (!pkg) {
+        findings.push(finding("MC-ART-008", "package.json missing or unparseable", "artifact carries valid package metadata", ["package.json"]));
+    }
+    else if (opts.expectedVersion && artifactVersion !== opts.expectedVersion) {
+        findings.push(finding("MC-ART-008", `artifact version ${artifactVersion} != expected ${opts.expectedVersion}`, "artifact version equals the version under evaluation", ["package.json"]));
+    }
+    // ── MC-DEP-*: dependency posture ──────────────────────────────────────
+    if (pkg) {
+        const deps = pkg.dependencies ?? {};
+        const depNames = Object.keys(deps).sort();
+        const unexpected = depNames.filter((d) => !rules_1.APPROVED_RUNTIME_DEPENDENCIES.includes(d));
+        if (unexpected.length > 0) {
+            findings.push(finding("MC-DEP-001", `unexpected runtime dependencies: ${unexpected.map((d) => `${d}@${deps[d]}`).join(", ")}`, `runtime dependencies exactly: ${rules_1.APPROVED_RUNTIME_DEPENDENCIES.join(", ")}`, ["package.json"]));
+        }
+        const installScripts = rules_1.INSTALL_SCRIPT_NAMES.filter((s) => pkg.scripts && s in pkg.scripts);
+        if (installScripts.length > 0) {
+            findings.push(finding("MC-DEP-002", `install lifecycle script(s) declared: ${installScripts.join(", ")}`, "no install lifecycle scripts", ["package.json"]));
+        }
+        const transpilers = depNames.filter((d) => rules_1.FORBIDDEN_TRANSPILERS.includes(d));
+        if (transpilers.length > 0) {
+            findings.push(finding("MC-DEP-004", `runtime transpiler dependency: ${transpilers.join(", ")}`, "no runtime transpiler/loader dependencies", ["package.json"]));
+        }
+        const hostedDeps = depNames.filter((d) => rules_1.HOSTED_DEPENDENCIES.includes(d));
+        if (hostedDeps.length > 0) {
+            findings.push(finding("MC-DEP-005", `hosted-plane dependency leaked: ${hostedDeps.join(", ")}`, "no hosted-plane runtime dependencies", ["package.json"]));
+        }
+    }
+    const nativeHits = [];
+    for (const f of files) {
+        const cls = (0, rules_1.nativeBinaryClass)(f.content);
+        if (cls || f.rel.endsWith(".node"))
+            nativeHits.push(`${f.rel}${cls ? ` (${cls})` : ""}`);
+    }
+    if (nativeHits.length > 0) {
+        findings.push(finding("MC-DEP-003", `native binary entries: ${nativeHits.join(", ")}`, "no native binaries in artifact", nativeHits.map((s) => s.split(" ")[0])));
+    }
+    const failed = Array.from(new Set(findings.map((f) => f.invariant_id))).sort();
+    const passed = evaluated.filter((id) => !failed.includes(id)).sort();
+    const violations = findings.map((f) => (0, violation_1.buildViolationRecord)({
+        sentinelType: exports.ARTIFACT_SENTINEL_TYPE,
+        sentinelVersion: exports.ARTIFACT_SENTINEL_VERSION,
+        subjectType: "artifact",
+        subjectIdentity,
+        finding: f,
+        detectedAt: opts.detectedAt,
+        detector: opts.detector,
+    }));
+    const blocking = findings.some((f) => f.disposition !== "report");
+    return {
+        sentinel_type: exports.ARTIFACT_SENTINEL_TYPE,
+        sentinel_version: exports.ARTIFACT_SENTINEL_VERSION,
+        subject_type: "artifact",
+        subject_identity: subjectIdentity,
+        subject_mode: mode,
+        artifact_name: pkg?.name ?? null,
+        artifact_version: artifactVersion,
+        file_count: files.length,
+        evaluated_invariants: evaluated.sort(),
+        passed,
+        failed,
+        findings,
+        violations,
+        release_promotion_eligible: !blocking,
+    };
+}
+exports.runArtifactSentinel = runArtifactSentinel;