percolation-inversion-compiler-ts 0.4.4

package/dist/cli/main.js

@@ -0,0 +1,2646 @@
+#!/usr/bin/env node
+
+// src/cli/main.ts
+import {
+  cpSync as cpSync2,
+  existsSync as existsSync6,
+  mkdirSync as mkdirSync3,
+  readFileSync as readFileSync9,
+  readdirSync as readdirSync2,
+  writeFileSync as writeFileSync3
+} from "fs";
+import { dirname as dirname4, join as join4 } from "path";
+import { Command } from "commander";
+
+// src/io/fixtures.ts
+import { readFileSync } from "fs";
+import { join as join2, normalize, sep } from "path";
+
+// src/core/json.ts
+function sortJson(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => sortJson(item));
+  }
+  if (value && typeof value === "object") {
+    const input = value;
+    const output = {};
+    for (const key of Object.keys(input).sort()) {
+      const child = input[key];
+      if (child !== void 0) {
+        output[key] = sortJson(child);
+      }
+    }
+    return output;
+  }
+  return value;
+}
+function stableStringify(value) {
+  return `${JSON.stringify(sortJson(value), null, 2)}
+`;
+}
+function lfNormalize(text) {
+  return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+}
+function parseJsonObject(text, label = "JSON") {
+  const parsed = JSON.parse(text);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`${label} must be a JSON object`);
+  }
+  return parsed;
+}
+function dedupeSorted(values) {
+  return [
+    ...new Set([...values].filter((item) => Boolean(item)))
+  ].sort();
+}
+
+// src/io/paths.ts
+import { existsSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { fileURLToPath } from "url";
+function packageRoot() {
+  let current = dirname(fileURLToPath(import.meta.url));
+  for (let i = 0; i < 8; i += 1) {
+    if (existsSync(join(current, "package.json")) && existsSync(join(current, "schemas"))) {
+      return current;
+    }
+    const next = dirname(current);
+    if (next === current) {
+      break;
+    }
+    current = next;
+  }
+  return resolve(dirname(fileURLToPath(import.meta.url)), "../..");
+}
+function schemaDir() {
+  return join(packageRoot(), "schemas");
+}
+function fixtureDir() {
+  return join(packageRoot(), "fixtures", "portability_conformance");
+}
+function fixtureRoot() {
+  return join(packageRoot(), "fixtures");
+}
+
+// src/io/fixtures.ts
+function safeFixturePath(...parts) {
+  const root = normalize(fixtureRoot());
+  const normalized = normalize(join2(root, ...parts));
+  if (normalized !== root && !normalized.startsWith(`${root}${sep}`)) {
+    throw new Error("fixture path escapes package fixtures");
+  }
+  return normalized;
+}
+function fixtureJson(file) {
+  return parseJsonObject(readFileSync(join2(fixtureDir(), file), "utf8"), file);
+}
+function fixtureText(namespace, file) {
+  if (namespace.includes("..") || file.includes("..")) {
+    throw new Error("fixture path must not contain parent traversal");
+  }
+  return readFileSync(safeFixturePath(namespace, file), "utf8");
+}
+function fixtureJsonFrom(namespace, file) {
+  return parseJsonObject(fixtureText(namespace, file), `${namespace}/${file}`);
+}
+function pythonCliFixture(name) {
+  if (!/^[a-z0-9_]+$/.test(name)) {
+    throw new Error(
+      `invalid Python v0.4.4 CLI fixture ${JSON.stringify(name)}`
+    );
+  }
+  return fixtureJsonFrom("python_v044_cli", `${name}.json`);
+}
+function portabilityManifest() {
+  return fixtureJson("manifest.json");
+}
+
+// src/alt/index.ts
+function altAdmit(packetId = "alt-packet:demo") {
+  const decision = structuredClone(fixtureJson("alt_admission_decision.json"));
+  decision.packet_id = packetId;
+  decision.accepted = Boolean(decision.accepted ?? false);
+  decision.settled = false;
+  decision.reasons = [
+    ...Array.isArray(decision.reasons) ? decision.reasons.map(String) : [],
+    "ALT admission remains candidate-only until value, transport, hazard, and baseline obligations are discharged"
+  ].sort();
+  return decision;
+}
+
+// src/core/ledger.ts
+function emptyLedger() {
+  return { coordinates: {} };
+}
+function residualLedger(name, value = 1, description) {
+  return {
+    coordinates: {
+      [name]: {
+        name,
+        value,
+        unit: "dimensionless",
+        kind: "residual",
+        description: description ?? null,
+        evidence_status: "declared",
+        evidence_refs: [],
+        known: true
+      }
+    }
+  };
+}
+function summarizeLedger(ledger) {
+  const summary = {};
+  if (!ledger) {
+    return summary;
+  }
+  for (const coordinate of Object.values(ledger.coordinates ?? {})) {
+    const kind = coordinate.kind ?? "residual";
+    summary[kind] = (summary[kind] ?? 0) + Number(coordinate.value ?? 0);
+  }
+  return Object.fromEntries(
+    Object.entries(summary).sort(([a], [b]) => a.localeCompare(b))
+  );
+}
+
+// src/phase/index.ts
+import { existsSync as existsSync3, readFileSync as readFileSync4 } from "fs";
+
+// src/io/schema.ts
+import {
+  cpSync,
+  existsSync as existsSync2,
+  mkdirSync,
+  readdirSync,
+  readFileSync as readFileSync2,
+  writeFileSync
+} from "fs";
+import { basename, join as join3 } from "path";
+import Ajv2020Module from "ajv/dist/2020.js";
+var PUBLIC_SCHEMA_NAME = /^[A-Za-z][A-Za-z0-9]*$/;
+function assertSchemaTypeName(typeName) {
+  if (!PUBLIC_SCHEMA_NAME.test(typeName)) {
+    throw new Error(`unknown schema type ${JSON.stringify(typeName)}`);
+  }
+}
+function schemaPath(typeName) {
+  assertSchemaTypeName(typeName);
+  return join3(schemaDir(), `${typeName}.schema.json`);
+}
+function schemaNames() {
+  return readdirSync(schemaDir()).filter(
+    (name) => name.endsWith(".schema.json") && name !== "bundle.schema.json"
+  ).map((name) => name.slice(0, -".schema.json".length)).sort();
+}
+function schemaByType(typeName = "Registry") {
+  const path = schemaPath(typeName);
+  if (!existsSync2(path)) {
+    throw new Error(`unknown schema type ${JSON.stringify(typeName)}`);
+  }
+  return parseJsonObject(readFileSync2(path, "utf8"), `${typeName} schema`);
+}
+function schemaBundle() {
+  const bundlePath = join3(schemaDir(), "bundle.schema.json");
+  if (existsSync2(bundlePath)) {
+    const bundle = parseJsonObject(
+      readFileSync2(bundlePath, "utf8"),
+      "schema bundle"
+    );
+    if (bundle.bundle_id && bundle.schemas && typeof bundle.schemas === "object" && !Array.isArray(bundle.schemas)) {
+      return bundle;
+    }
+  }
+  const schemas = {};
+  for (const name of schemaNames()) {
+    schemas[name] = schemaByType(name);
+  }
+  return {
+    bundle_id: "percolation-inversion-compiler-portability",
+    schemas
+  };
+}
+function validateData(data, schema) {
+  const Ajv2020 = Ajv2020Module;
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  const validate = ajv.compile(schema);
+  const valid = Boolean(validate(data));
+  return {
+    valid,
+    errors: valid ? [] : (validate.errors ?? []).map(
+      (error) => `${error.instancePath || "/"} ${error.message ?? "is invalid"}`
+    )
+  };
+}
+function validateByType(data, typeName) {
+  return validateData(data, schemaByType(typeName));
+}
+function writeAllSchemas(outputDir) {
+  mkdirSync(outputDir, { recursive: true });
+  const written = [];
+  const files = [
+    ...schemaNames().map((name) => `${name}.schema.json`),
+    "bundle.schema.json",
+    "schema-digest.json"
+  ];
+  for (const file of files) {
+    const source = join3(schemaDir(), file);
+    if (!existsSync2(source)) {
+      continue;
+    }
+    const target = join3(outputDir, file);
+    cpSync(source, target);
+    written.push(basename(target));
+  }
+  return written.sort();
+}
+
+// src/io/identity.ts
+function nonEmptyStringArray(value) {
+  return Array.isArray(value) && value.some((item) => typeof item === "string" && item.length > 0);
+}
+function runtimeIdentityContextAccepted(data) {
+  return validateByType(data, "RuntimeIdentityContext").valid && data.accepted === true && nonEmptyStringArray(data.accepted_agent_ids) && nonEmptyStringArray(data.accepted_public_key_ids);
+}
+
+// src/runtime/index.ts
+import { readFileSync as readFileSync3 } from "fs";
+function clone(value) {
+  return structuredClone(value);
+}
+function buildRuntimeStep(options = {}) {
+  const report = clone(pythonCliFixture("runtime_step_demo"));
+  const profile = options.profile ?? "development";
+  const reasons = new Set(
+    Array.isArray(report.reasons) ? report.reasons.map(String) : []
+  );
+  if (options.agentOutput) {
+    report.agent_output_digest = `sha256:${Buffer.from(options.agentOutput, "utf8").toString("hex").slice(0, 16)}`;
+  }
+  if (options.statePath) {
+    const state = parseJsonObject(
+      readFileSync3(options.statePath, "utf8"),
+      "runtime state"
+    );
+    const validation = validateByType(state, "RuntimeState");
+    if (!validation.valid) {
+      throw new Error(
+        `runtime state schema-invalid: ${validation.errors.join("; ")}`
+      );
+    }
+  }
+  if (options.inputPath) {
+    const input = parseJsonObject(
+      readFileSync3(options.inputPath, "utf8"),
+      "runtime input"
+    );
+    const validation = validateByType(input, "RuntimeStepInput");
+    if (!validation.valid) {
+      throw new Error(
+        `runtime input schema-invalid: ${validation.errors.join("; ")}`
+      );
+    }
+    if (typeof input.allow_live_connectors === "boolean") {
+      report.allow_live_connectors = input.allow_live_connectors;
+    }
+  }
+  if (typeof options.allowLiveConnectors === "boolean") {
+    report.allow_live_connectors = options.allowLiveConnectors;
+  }
+  if (options.identityContextPath) {
+    const identity2 = parseJsonObject(
+      readFileSync3(options.identityContextPath, "utf8"),
+      "identity context"
+    );
+    const validation = validateByType(identity2, "RuntimeIdentityContext");
+    const accepted = runtimeIdentityContextAccepted(identity2);
+    report.identity_context_accepted = accepted;
+    report.identity_verified = accepted;
+    if (!accepted) {
+      reasons.add("identity context is missing or not accepted");
+      report.operationally_usable = false;
+    }
+  }
+  if (profile === "production" || profile === "adversarial") {
+    if (!options.identityContextPath) {
+      reasons.add(
+        "production/adversarial identity context is missing or not accepted"
+      );
+      report.operationally_usable = false;
+      report.identity_verified = false;
+    }
+  }
+  report.accepted = true;
+  report.finite_checks_passed = true;
+  report.settled = false;
+  report.reasons = [...reasons].sort();
+  return report;
+}
+function runtimeHealth(profile = "development") {
+  return {
+    report_id: "runtime-health",
+    profile,
+    accepted: true,
+    operationally_usable: profile === "development",
+    settled: false,
+    checks: {
+      command_execution_allowed: false,
+      background_crawling_allowed: false,
+      hidden_promotion_allowed: false,
+      residual_ledgers_preserved: true
+    },
+    reasons: profile === "development" ? [] : [
+      "production profile requires explicit identity and provenance context"
+    ]
+  };
+}
+
+// src/phase/index.ts
+function clone2(value) {
+  return structuredClone(value);
+}
+var phaseSchemaRefs = pythonCliFixture("phase_plan_compact").schema_refs ?? [
+  "PhaseAccelerationRequest",
+  "PhaseAccelerationPlan",
+  "PhaseGapVector",
+  "PhaseComponentGap",
+  "BottleneckCandidate",
+  "SafePhaseAction"
+];
+function phaseAccelerationSafetyInvariants() {
+  const fixture = pythonCliFixture("phase_plan_compact");
+  if (Array.isArray(fixture.safety_invariants)) {
+    return fixture.safety_invariants.map(String);
+  }
+  return [
+    "phase acceleration planning is recommendation-only and does not execute actions",
+    "raw external candidate volume cannot improve Psi, BR, AC, or settled status",
+    "candidate packets, agent messages, and proxy-only ALT reports remain candidates",
+    "settled remains false unless scoped finite verifier rules discharge all obligations",
+    "residual ledgers and missing obligations must be preserved into downstream loops",
+    "ASI-proxy phase is protocol-relative workflow coordination, not real ASI proof",
+    "no physical, simulator, oracle, legal, or policy outcome is proven by this report",
+    "no hidden promotion from accepted or workflow_usable to settled"
+  ];
+}
+function identityContextAccepted(path) {
+  if (!path || !existsSync3(path)) {
+    return false;
+  }
+  try {
+    const data = parseJsonObject(
+      readFileSync4(path, "utf8"),
+      "identity context"
+    );
+    return runtimeIdentityContextAccepted(data);
+  } catch {
+    return false;
+  }
+}
+function runtimeReportIdentityAccepted(report) {
+  if (!report) {
+    return false;
+  }
+  const identity2 = report.identity_context;
+  if (!identity2 || typeof identity2 !== "object" || Array.isArray(identity2)) {
+    return false;
+  }
+  const data = identity2;
+  return runtimeIdentityContextAccepted(data);
+}
+function objectList(value) {
+  return Array.isArray(value) ? value.filter((item) => item && typeof item === "object") : [];
+}
+function ensureActionBoundary(plan) {
+  for (const action of objectList(plan.recommended_actions)) {
+    action.execution_authority_granted = false;
+    action.settled = false;
+  }
+}
+function buildPhaseAccelerationPlan(request = {}) {
+  const plan = clone2(pythonCliFixture("phase_plan_full"));
+  const profile = request.profile ?? "development";
+  const hasDynamicRuntimeInput = Boolean(
+    request.agent_output || request.profile && request.profile !== "development" || request.allow_live_connectors === false || request.identity_context_path
+  );
+  const runtimeReport = request.runtime_report ?? (hasDynamicRuntimeInput ? buildRuntimeStep({
+    profile,
+    agentOutput: request.agent_output,
+    allowLiveConnectors: request.allow_live_connectors,
+    identityContextPath: request.identity_context_path
+  }) : plan.runtime_report);
+  const cannotPromote = new Set(
+    Array.isArray(plan.cannot_promote_because) ? plan.cannot_promote_because.map(String) : []
+  );
+  const candidateOnly = new Set(
+    Array.isArray(plan.candidate_only_reasons) ? plan.candidate_only_reasons.map(String) : []
+  );
+  const settledBlockers = new Set(
+    Array.isArray(plan.settled_blockers) ? plan.settled_blockers.map(String) : []
+  );
+  const reasons = new Set(
+    Array.isArray(plan.reasons) ? plan.reasons.map(String) : []
+  );
+  cannotPromote.add("missing obligations remain");
+  settledBlockers.add(
+    "phase planner is recommendation-only and cannot settle claims"
+  );
+  if ((request.general_intake_bridge_reports ?? []).some(
+    (report) => report.candidate_only !== false
+  )) {
+    candidateOnly.add(
+      "candidate-only external volume cannot reduce phase gaps"
+    );
+  }
+  if ((request.alt_admission_decisions ?? []).some(
+    (decision) => Array.isArray(decision.missing_obligations) && decision.missing_obligations.length > 0
+  )) {
+    candidateOnly.add(
+      "ALT admission is candidate-only until missing obligations are discharged"
+    );
+  }
+  const identityRequired = profile === "production" || profile === "adversarial";
+  const identityAccepted = identityContextAccepted(request.identity_context_path) || runtimeReportIdentityAccepted(runtimeReport);
+  if (identityRequired && !identityAccepted) {
+    cannotPromote.add(
+      "production/adversarial identity context is missing or not accepted"
+    );
+    settledBlockers.add(
+      "production identity context is required before operational promotion"
+    );
+  }
+  plan.plan_id = `phase-acceleration-plan:${request.request_id ?? "phase-acceleration"}`;
+  plan.request_id = request.request_id ?? "phase-acceleration";
+  plan.profile = profile;
+  plan.report_mode = request.compact ? "compact" : "full";
+  plan.accepted = true;
+  plan.workflow_usable = true;
+  plan.finite_checks_passed = plan.finite_checks_passed ?? true;
+  plan.operationally_usable = !(identityRequired && !identityAccepted);
+  plan.settled = false;
+  plan.status = cannotPromote.size > 0 || candidateOnly.size > 0 ? "diagnostic" : "provisional";
+  plan.runtime_report = request.compact ? void 0 : runtimeReport;
+  plan.cannot_promote_because = [...cannotPromote].sort();
+  plan.candidate_only_reasons = [...candidateOnly].sort();
+  plan.settled_blockers = [...settledBlockers].sort();
+  plan.reasons = dedupeSorted([...reasons, ...cannotPromote, ...candidateOnly]);
+  plan.safety_invariants = phaseAccelerationSafetyInvariants();
+  plan.schema_refs = phaseSchemaRefs;
+  plan.safe_commands = dedupeSorted([
+    ...Array.isArray(plan.safe_commands) ? plan.safe_commands.map(String) : []
+  ]);
+  plan.sdk_calls = dedupeSorted([
+    ...Array.isArray(plan.sdk_calls) ? plan.sdk_calls.map(String) : []
+  ]);
+  ensureActionBoundary(plan);
+  return plan;
+}
+function phaseAccelerationCompactPayload(plan) {
+  return {
+    plan_id: plan.plan_id,
+    request_id: plan.request_id,
+    profile: plan.profile,
+    report_mode: "compact",
+    accepted: plan.accepted,
+    workflow_usable: plan.workflow_usable,
+    finite_checks_passed: plan.finite_checks_passed ?? true,
+    operationally_usable: plan.operationally_usable,
+    settled: false,
+    status: plan.status ?? "diagnostic",
+    phase_gap_vector: plan.phase_gap_vector,
+    top_bottlenecks: plan.top_bottlenecks ?? (Array.isArray(plan.bottlenecks) ? plan.bottlenecks.slice(0, 5) : []),
+    safe_commands: plan.safe_commands ?? [],
+    sdk_calls: plan.sdk_calls ?? [],
+    schema_refs: plan.schema_refs ?? phaseSchemaRefs,
+    cannot_promote_because: plan.cannot_promote_because ?? [],
+    candidate_only_reasons: plan.candidate_only_reasons ?? [],
+    settled_blockers: plan.settled_blockers ?? [],
+    residual_summary: plan.residual_summary ?? {},
+    missing_obligations: plan.missing_obligations ?? [],
+    safety_invariants: plan.safety_invariants ?? phaseAccelerationSafetyInvariants(),
+    reasons: plan.reasons ?? []
+  };
+}
+function phaseAccelerationRunbook(profile = "development") {
+  const runbook = clone2(pythonCliFixture("phase_runbook"));
+  runbook.profile = profile;
+  return runbook;
+}
+function buildPhaseAccelerationBenchmark(profile = "development") {
+  const report = clone2(pythonCliFixture("phase_benchmark"));
+  report.profile = profile;
+  report.accepted = true;
+  report.workflow_usable = true;
+  report.operationally_usable = true;
+  report.settled = false;
+  report.invariant_checks = {
+    candidate_only_volume_does_not_reduce_gap: true,
+    planner_does_not_execute_commands: true,
+    residuals_visible: true,
+    settled_not_promoted: true
+  };
+  report.safety_invariants = phaseAccelerationSafetyInvariants();
+  return report;
+}
+
+// src/agent/index.ts
+function clone3(value) {
+  return structuredClone(value);
+}
+function agentSafetyInvariants() {
+  const fixture = pythonCliFixture("agent_check_compact");
+  if (Array.isArray(fixture.safety_invariants)) {
+    return fixture.safety_invariants.map(String);
+  }
+  return [
+    "accepted is not settled",
+    "workflow_usable is not settled",
+    "safe_commands are inspection guidance and are not executed by PIC",
+    "residual ledgers and missing obligations are preserved",
+    "no hidden promotion from accepted or workflow_usable to settled",
+    "default-live explicit sources remain candidate-only until verified"
+  ];
+}
+function runAgentIntake(request = {}) {
+  const report = clone3(pythonCliFixture("agent_intake"));
+  const hasDynamicInput = Boolean(
+    request.agent_output || request.profile && request.profile !== "development" || request.allow_live_connectors === false || request.identity_context_path
+  );
+  const runtime2 = hasDynamicInput ? buildRuntimeStep({
+    profile: request.profile,
+    agentOutput: request.agent_output,
+    allowLiveConnectors: request.allow_live_connectors,
+    identityContextPath: request.identity_context_path
+  }) : report.runtime_report;
+  report.report_id = `agent-intake:${request.request_id ?? "agent-intake"}:agent-intake-step`;
+  report.profile = request.profile ?? "development";
+  report.runtime_report = runtime2;
+  report.accepted = runtime2.accepted;
+  report.operationally_usable = runtime2.operationally_usable;
+  report.settled = false;
+  report.residual_summary = summarizeLedger(runtime2.residual_ledger);
+  report.recommended_next_commands = [
+    "Inspect runtime_report.residual_ledger and runtime_report.missing_obligations.",
+    "Inspect runtime_report.route_execution_requests before route execution.",
+    "Review runtime_report.agent_tasks; do not execute arbitrary commands.",
+    "Run another runtime step after new evidence or action results are available."
+  ];
+  report.reasons = Array.isArray(runtime2.reasons) ? runtime2.reasons : [];
+  return report;
+}
+function runAgentCheck(request = {}, compact = false) {
+  const report = clone3(
+    compact ? pythonCliFixture("agent_check_compact") : pythonCliFixture("agent_check_full")
+  );
+  const intake = runAgentIntake(request);
+  const runtime2 = intake.runtime_report;
+  const unresolved = dedupeSorted([
+    ...runtime2.missing_obligations ?? []
+  ]);
+  const reasons = dedupeSorted([
+    ...intake.reasons ?? [],
+    "unresolved obligations remain; use workflow_usable for routing only"
+  ]);
+  report.report_id = `agent-check:${request.request_id ?? "agent-intake"}`;
+  report.profile = request.profile ?? "development";
+  report.report_mode = compact ? "compact" : "full";
+  report.compact = compact;
+  report.practical_entrypoint = compact ? "pic agent check --compact" : "pic agent check";
+  report.intake_report = intake;
+  report.unresolved_obligations = unresolved;
+  report.residual_summary = intake.residual_summary;
+  report.workflow_usable = true;
+  report.accepted = true;
+  report.operationally_usable = Boolean(intake.operationally_usable);
+  report.settled = false;
+  report.reasons = reasons;
+  report.safety_invariants = agentSafetyInvariants();
+  return compact ? agentCheckCompactPayload(report) : report;
+}
+function agentCheckCompactPayload(report) {
+  return {
+    report_id: report.report_id,
+    profile: report.profile,
+    report_mode: "compact",
+    accepted: report.accepted,
+    workflow_usable: report.workflow_usable,
+    operationally_usable: report.operationally_usable,
+    settled: false,
+    checked_outputs: report.checked_outputs ?? {
+      agent_tasks: "present",
+      input: "accepted",
+      promotion: "diagnostic",
+      residual_ledger: "preserved",
+      route_requests: "present",
+      salience_schedule: "accepted"
+    },
+    unresolved_obligations: report.unresolved_obligations ?? [],
+    residual_summary: report.residual_summary ?? {},
+    next_safe_actions: report.next_safe_actions ?? [
+      "Inspect unresolved_obligations before reusing the output.",
+      "Preserve residual_summary in downstream logs.",
+      "Route verifier requests before promoting candidates to reusable work."
+    ],
+    schema_refs: report.schema_refs ?? [
+      "AgentCheckReport",
+      "AgentIntakeReport",
+      "RuntimeStepReport"
+    ],
+    runbook_steps: report.runbook_steps ?? agentRunbookSteps(String(report.profile ?? "development")),
+    safety_invariants: report.safety_invariants ?? agentSafetyInvariants(),
+    reasons: report.reasons ?? []
+  };
+}
+function accelerateAgentPhase(request = {}, compact = false) {
+  const plan = buildPhaseAccelerationPlan({
+    request_id: `agent-accelerate:${request.request_id ?? "agent-intake"}`,
+    profile: request.profile ?? "development",
+    compact,
+    agent_output: request.agent_output,
+    allow_live_connectors: request.allow_live_connectors,
+    identity_context_path: request.identity_context_path
+  });
+  return compact ? phaseAccelerationCompactPayload(plan) : plan;
+}
+function agentRunbookSteps(profile = "development") {
+  return [
+    `pic agent check --compact --profile ${profile}`,
+    "Inspect accepted, workflow_usable, operationally_usable, settled.",
+    "Inspect residual_summary and unresolved_obligations.",
+    "Run verifier routes before packet promotion.",
+    "Keep settled=false unless scoped finite obligations are discharged."
+  ];
+}
+function buildAgentRunbook(profile = "development") {
+  const runbook = clone3(pythonCliFixture("agent_runbook"));
+  runbook.profile = profile;
+  return runbook;
+}
+function buildAgentAutonomyAudit(profile = "development") {
+  const report = clone3(pythonCliFixture("agent_autonomy_audit"));
+  report.profile = profile;
+  return report;
+}
+function requestFromCli(options) {
+  return {
+    request_id: typeof options.requestId === "string" ? options.requestId : void 0,
+    agent_output: typeof options.text === "string" ? options.text : void 0,
+    profile: typeof options.profile === "string" ? options.profile : "development",
+    allow_live_connectors: typeof options.allowLiveConnectors === "boolean" ? options.allowLiveConnectors : true,
+    identity_context_path: typeof options.identityContext === "string" ? options.identityContext : void 0
+  };
+}
+function runtimeOptionsFromCli(options) {
+  return {
+    profile: typeof options.profile === "string" ? options.profile : "development",
+    agentOutput: typeof options.text === "string" ? options.text : void 0,
+    allowLiveConnectors: typeof options.allowLiveConnectors === "boolean" ? options.allowLiveConnectors : true,
+    statePath: typeof options.state === "string" ? options.state : void 0,
+    inputPath: typeof options.input === "string" ? options.input : void 0,
+    identityContextPath: typeof options.identityContext === "string" ? options.identityContext : void 0
+  };
+}
+
+// src/agent/messages.ts
+import { createHash } from "crypto";
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2 } from "path";
+function sha256(text) {
+  return createHash("sha256").update(text, "utf8").digest("hex");
+}
+function sortedUnique(values) {
+  return [
+    ...new Set(values.filter((value) => Boolean(value)))
+  ].sort();
+}
+function acceptedIdentityContext(path) {
+  if (!path || !existsSync4(path)) {
+    return false;
+  }
+  try {
+    const data = parseJsonObject(
+      readFileSync5(path, "utf8"),
+      "identity context"
+    );
+    return runtimeIdentityContextAccepted(data);
+  } catch {
+    return false;
+  }
+}
+function createAgentMessage(options) {
+  const digest = sha256(options.text);
+  return {
+    audience: [],
+    content: options.text,
+    content_sha256: digest,
+    declared_packet_kind: "capability-packet-candidate",
+    declared_receiver_family: ["agent", "verifier"],
+    declared_routes: [],
+    declared_validity_domain: "protocol-relative-finite",
+    evidence_refs: [],
+    expires_at: null,
+    issued_at: null,
+    issuer_attestation_id: null,
+    issuer_public_key_id: null,
+    message_id: `agent-message:${digest.slice(0, 12)}`,
+    metadata: {},
+    nonce: options.nonce ?? null,
+    protocol_version: "pic-agent-message-v1",
+    receiver_agent_id: options.receiver ?? null,
+    reply_to: null,
+    route_request_refs: [],
+    sender_agent_id: options.sender,
+    signature_ref: null,
+    tags: ["agent-message"],
+    thread_id: null
+  };
+}
+function readAgentMessage(path) {
+  const message2 = parseJsonObject(readFileSync5(path, "utf8"), "agent message");
+  const validation = validateByType(message2, "AgentMessageEnvelope");
+  if (!validation.valid) {
+    throw new Error(
+      `agent message schema-invalid: ${validation.errors.join("; ")}`
+    );
+  }
+  return message2;
+}
+function agentMessageContract(message2) {
+  const content = String(message2.content ?? "");
+  const digestValid = sha256(content) === message2.content_sha256;
+  const declaredReceiverFamily = Array.isArray(message2.declared_receiver_family) ? message2.declared_receiver_family.map(String) : [];
+  const evidenceRefs = Array.isArray(message2.evidence_refs) ? message2.evidence_refs.map(String) : [];
+  const routeRefs = Array.isArray(message2.route_request_refs) ? message2.route_request_refs.map(String) : [];
+  const reasons = digestValid ? [] : ["message content digest mismatch"];
+  return {
+    accepted: digestValid,
+    candidate_only: true,
+    declared_packet_kind: message2.declared_packet_kind ?? "capability-packet-candidate",
+    declared_receiver_family: declaredReceiverFamily,
+    declared_validity_domain: message2.declared_validity_domain ?? "protocol-relative-finite",
+    evidence_refs: evidenceRefs,
+    message_contract_valid: digestValid,
+    message_id: message2.message_id ?? null,
+    protocol_version: message2.protocol_version ?? "pic-agent-message-v1",
+    reasons,
+    receiver_agent_id: message2.receiver_agent_id ?? null,
+    report_id: `agent-message-contract:${sha256(stableStringify(message2)).slice(0, 12)}`,
+    residual_ledger: digestValid ? emptyLedger() : residualLedger(
+      `agent-message:${String(message2.message_id ?? "unknown")}:digest-mismatch`,
+      1,
+      "message content digest mismatch"
+    ),
+    route_request_refs: routeRefs,
+    sender_agent_id: message2.sender_agent_id ?? null,
+    settled: false
+  };
+}
+function verifyAgentMessage(message2, options = {}) {
+  const profile = options.profile ?? "development";
+  const contract = agentMessageContract(message2);
+  const content = String(message2.content ?? "");
+  const digest = String(message2.content_sha256 ?? sha256(content));
+  const nonce = typeof message2.nonce === "string" ? message2.nonce : null;
+  const replayDetected = Boolean(nonce && options.seenNonces?.includes(nonce));
+  const signaturePresent = Boolean(
+    message2.signature_ref && message2.issuer_public_key_id && message2.issuer_attestation_id
+  );
+  const signatureRequired = ["production", "adversarial"].includes(
+    profile.toLowerCase()
+  );
+  const identityRequired = signatureRequired;
+  const identityAccepted = acceptedIdentityContext(options.identityContextPath);
+  const reasons = [
+    ...contract.reasons ?? []
+  ];
+  const identityReasons = [];
+  if (replayDetected) {
+    reasons.push("message replay nonce was already seen");
+  }
+  if (signatureRequired && !signaturePresent) {
+    reasons.push("signed agent message required by profile");
+  }
+  if (identityRequired && !identityAccepted) {
+    identityReasons.push("accepted identity context required by profile");
+  }
+  reasons.push(...identityReasons);
+  const accepted = contract.accepted === true && reasons.length === 0;
+  const packetId = `packet:agent-message:${String(message2.message_id ?? "unknown")}`;
+  const packets = contract.accepted === true ? [
+    {
+      authority_granted: false,
+      authority_requested: false,
+      authority_required: false,
+      claim: content,
+      content_sha256: digest,
+      dependencies: [],
+      evidence_hash_valid: true,
+      evidence_refs: sortedUnique([
+        ...Array.isArray(message2.evidence_refs) ? message2.evidence_refs.map(String) : [],
+        `sha256:${digest}`,
+        `agent-message:${String(message2.message_id ?? "unknown")}`
+      ]),
+      expected_downstream_gain: 125e-5,
+      expires_at: null,
+      freshness: 1,
+      hazard_charge: 0,
+      identity_contribution_status: "provisional",
+      issuer_agent_id: message2.sender_agent_id ?? null,
+      issuer_attestation_id: message2.issuer_attestation_id ?? null,
+      issuer_public_key_id: message2.issuer_public_key_id ?? null,
+      issuer_signature_ref: message2.signature_ref ?? null,
+      packet_id: packetId,
+      receiver_family: Array.isArray(message2.declared_receiver_family) ? message2.declared_receiver_family.map(String) : ["agent", "verifier"],
+      residual_charge: 0,
+      reuse_context: "general",
+      rollback_available: true,
+      route_safe: true,
+      salience_class: "packet",
+      source_kind: "agent-message",
+      source_ref: String(message2.message_id ?? "unknown"),
+      status: "provisional",
+      tags: sortedUnique([
+        ...Array.isArray(message2.tags) ? message2.tags.map(String) : [],
+        "agent-message",
+        "external-candidate",
+        "general"
+      ]),
+      verification_cost: 5e-3,
+      verifier_routes: Array.isArray(message2.declared_routes) ? message2.declared_routes.map(String) : []
+    }
+  ] : [];
+  return {
+    accepted,
+    candidate_packet_ids: packets.map((packet2) => packet2.packet_id),
+    consumed_nonces: accepted && nonce ? [nonce] : [],
+    identity_reasons: sortedUnique(identityReasons),
+    identity_status: identityAccepted ? "verified" : identityRequired ? "required" : "not-required",
+    identity_verified: identityAccepted,
+    message_contract_valid: contract.accepted === true,
+    message_id: message2.message_id ?? null,
+    next_safe_commands: [
+      "uv run pic agent message contract --message <message.json>",
+      "uv run pic ecology bridge-runtime --report <general-intake-report.json>"
+    ],
+    nonce_ledger: {
+      accepted,
+      consumed_nonces: accepted && nonce ? [nonce] : [],
+      ledger_id: "agent-message-nonce-ledger",
+      reasons: sortedUnique(reasons),
+      rejected_message_ids: accepted ? [] : [String(message2.message_id ?? "unknown")],
+      replayed_nonces: replayDetected && nonce ? [nonce] : []
+    },
+    nonce_status: replayDetected ? "replayed" : nonce && accepted ? "consumed" : "not-provided",
+    packets,
+    quarantine_recommended: reasons.length > 0,
+    reasons: sortedUnique(reasons),
+    replay_detected: replayDetected,
+    report_id: `agent-message-check:${String(message2.message_id ?? "unknown")}`,
+    residual_ledger: reasons.length === 0 ? emptyLedger() : residualLedger(
+      `agent-message:${String(message2.message_id ?? "unknown")}:verification-residual`,
+      reasons.length,
+      "agent message verification residual"
+    ),
+    sender_agent_id: message2.sender_agent_id ?? null,
+    settled: false,
+    signature_present: signaturePresent,
+    signature_required: signatureRequired
+  };
+}
+function initAgentInbox(path, inboxId = "agent-inbox") {
+  const record = {
+    inbox_id: inboxId,
+    messages: [],
+    peers: [],
+    seen_nonces: []
+  };
+  mkdirSync2(dirname2(path), { recursive: true });
+  writeFileSync2(path, stableStringify(record), "utf8");
+  return record;
+}
+function readAgentInbox(path) {
+  const text = readFileSync5(path, "utf8").trim();
+  if (text.includes("\n") && !text.startsWith("{")) {
+    return {
+      inbox_id: "agent-inbox",
+      messages: text.split(/\r?\n/).filter(Boolean).map((line) => parseJsonObject(line, "agent inbox line")),
+      peers: [],
+      seen_nonces: []
+    };
+  }
+  const inbox2 = parseJsonObject(text, "agent inbox");
+  const validation = validateByType(inbox2, "AgentInboxRecord");
+  if (!validation.valid) {
+    throw new Error(
+      `agent inbox schema-invalid: ${validation.errors.join("; ")}`
+    );
+  }
+  return inbox2;
+}
+function writeAgentInbox(path, inbox2) {
+  mkdirSync2(dirname2(path), { recursive: true });
+  writeFileSync2(path, stableStringify(inbox2), "utf8");
+}
+function appendAgentMessage(inboxPath, message2) {
+  const inbox2 = existsSync4(inboxPath) ? readAgentInbox(inboxPath) : { inbox_id: "agent-inbox", messages: [], peers: [], seen_nonces: [] };
+  const messages = Array.isArray(inbox2.messages) ? inbox2.messages : [];
+  const updated = {
+    ...inbox2,
+    messages: [...messages, message2]
+  };
+  writeAgentInbox(inboxPath, updated);
+  return updated;
+}
+function deliveryReport(action, inboxRef, inbox2, reports, profile = "development") {
+  const accepted = reports.every((report) => report.accepted === true);
+  const delivered = accepted ? reports.map((report) => String(report.message_id ?? "unknown")) : [];
+  const rejected = accepted ? [] : reports.map((report) => String(report.message_id ?? "unknown"));
+  const consumed = sortedUnique(
+    reports.flatMap(
+      (report) => Array.isArray(report.consumed_nonces) ? report.consumed_nonces.map(String) : []
+    )
+  );
+  const reasons = sortedUnique(
+    reports.flatMap(
+      (report) => Array.isArray(report.reasons) ? report.reasons.map(String) : []
+    )
+  );
+  return {
+    accepted,
+    action,
+    candidate_only: true,
+    candidate_packet_ids: sortedUnique(
+      reports.flatMap(
+        (report) => Array.isArray(report.candidate_packet_ids) ? report.candidate_packet_ids.map(String) : []
+      )
+    ),
+    delivered_message_ids: delivered,
+    exchange_reports: reports,
+    identity_context_accepted: false,
+    inbox_id: inbox2.inbox_id ?? "agent-inbox",
+    inbox_ref: inboxRef,
+    message_ids: reports.map(
+      (report) => String(report.message_id ?? "unknown")
+    ),
+    next_safe_commands: [
+      "uv run pic agent inbox verify --inbox <inbox.json>",
+      "uv run pic ecology bridge-runtime --report <general-intake-report.json>"
+    ],
+    nonce_ledger: {
+      accepted,
+      consumed_nonces: consumed,
+      ledger_id: "agent-message-nonce-ledger",
+      reasons,
+      rejected_message_ids: rejected,
+      replayed_nonces: []
+    },
+    operationally_usable: accepted,
+    profile,
+    reasons,
+    rejected_message_ids: rejected,
+    report_id: `agent-message-delivery:${action}:${String(inbox2.inbox_id ?? "agent-inbox")}`,
+    settled: false
+  };
+}
+function receiveAgentInbox(inboxPath, options = {}) {
+  const inbox2 = readAgentInbox(inboxPath);
+  const seen = Array.isArray(inbox2.seen_nonces) ? inbox2.seen_nonces.map(String) : [];
+  const messages = Array.isArray(inbox2.messages) ? inbox2.messages : [];
+  const reports = messages.map(
+    (message2) => verifyAgentMessage(message2, { ...options, seenNonces: seen })
+  );
+  return deliveryReport(
+    "receive",
+    inboxPath,
+    inbox2,
+    reports,
+    options.profile ?? "development"
+  );
+}
+
+// src/ecology/index.ts
+import { createHash as createHash2 } from "crypto";
+function packetFromText(text, outputId = "agent-output") {
+  const sha2563 = createHash2("sha256").update(text, "utf8").digest("hex");
+  return {
+    packet_id: `candidate:${outputId}`,
+    source_kind: "agent-output",
+    content_sha256: sha2563,
+    candidate_only: true,
+    accepted: true,
+    workflow_usable: true,
+    settled: false,
+    reasons: ["candidate packet requires verifier routes before promotion"]
+  };
+}
+function ecologyPolicy(profile = "controlled_web") {
+  return {
+    profile,
+    explicit_source_required: true,
+    candidate_only_by_default: true,
+    background_crawling_allowed: false,
+    arbitrary_execution_allowed: false,
+    accepted: true,
+    operationally_usable: profile !== "production_network",
+    settled: false
+  };
+}
+
+// src/io/portability.ts
+import { createHash as createHash3 } from "crypto";
+import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
+import { dirname as dirname3, isAbsolute, normalize as normalize2, resolve as resolve2, sep as sep2 } from "path";
+function normalizedSha256(text) {
+  return createHash3("sha256").update(lfNormalize(text), "utf8").digest("hex");
+}
+function stableCompactJson(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => stableCompactJson(item)).join(",")}]`;
+  }
+  if (value && typeof value === "object") {
+    const input = value;
+    return `{${Object.keys(input).sort().map((key) => `${JSON.stringify(key)}:${stableCompactJson(input[key])}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+function safeManifestTarget(base, file) {
+  if (!file || isAbsolute(file)) {
+    return null;
+  }
+  const normalized = normalize2(file);
+  if (normalized.split(/[\\/]+/).includes("..")) {
+    return null;
+  }
+  const baseResolved = resolve2(base);
+  const target = resolve2(baseResolved, normalized);
+  if (target !== baseResolved && !target.startsWith(`${baseResolved}${sep2}`)) {
+    return null;
+  }
+  return target;
+}
+function verifyPortabilityManifest(manifestPath) {
+  const manifest = parseJsonObject(
+    readFileSync6(manifestPath, "utf8"),
+    "portability manifest"
+  );
+  const base = dirname3(manifestPath);
+  const knownSchemas = new Set(schemaNames());
+  const checkedExamples = {};
+  const checkedNegativeExamples = {};
+  const checkedSchemas = {};
+  const sha = {};
+  const reasons = [];
+  let unexpectedFailureCount = 0;
+  let expectedFailureCount = 0;
+  if (!Array.isArray(manifest.examples)) {
+    reasons.push("manifest examples must be a list");
+  }
+  if (!Array.isArray(manifest.negative_examples)) {
+    reasons.push("manifest negative_examples must be a list");
+  }
+  for (const entry of Array.isArray(manifest.examples) ? manifest.examples : []) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+      reasons.push("manifest example entry must be an object");
+      continue;
+    }
+    const example = entry;
+    const file = String(example.file ?? "");
+    const schema = String(example.schema ?? "");
+    const expectedSha = example.sha256 ? String(example.sha256) : "";
+    if (typeof example.file !== "string" || typeof example.schema !== "string") {
+      reasons.push("manifest example entries require string file and schema");
+      continue;
+    }
+    checkedSchemas[file] = schema;
+    const path = safeManifestTarget(base, file);
+    if (path === null) {
+      checkedExamples[file] = "unsafe-path";
+      reasons.push(`${file}: example path is outside manifest directory`);
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    if (!existsSync5(path)) {
+      checkedExamples[file] = "missing";
+      reasons.push(`${file}: example file is missing`);
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    if (!knownSchemas.has(schema)) {
+      checkedExamples[file] = "unknown-schema";
+      reasons.push(`${schema} is not a known schema`);
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    const text = readFileSync6(path, "utf8");
+    const digest = normalizedSha256(text);
+    sha[file] = digest;
+    if (expectedSha && digest !== expectedSha) {
+      checkedExamples[file] = "sha256-mismatch";
+      reasons.push(`${file}: sha256 does not match manifest`);
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    const data = parseJsonObject(text, file);
+    const validation = validateByType(data, schema);
+    checkedExamples[file] = validation.valid ? "valid" : "schema-invalid";
+    if (!validation.valid) {
+      unexpectedFailureCount += 1;
+      reasons.push(...validation.errors.map((error) => `${file}: ${error}`));
+    }
+  }
+  for (const entry of Array.isArray(manifest.negative_examples) ? manifest.negative_examples : []) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+      reasons.push("manifest negative example entry must be an object");
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    const example = entry;
+    const file = String(example.file ?? "");
+    const schema = String(example.schema ?? "");
+    const expectedStatus = String(example.expected_status ?? "schema-invalid");
+    if (typeof example.file !== "string" || typeof example.schema !== "string" || typeof example.expected_status !== "string") {
+      reasons.push(
+        "manifest negative example entries require string file, schema, and expected_status"
+      );
+      unexpectedFailureCount += 1;
+      continue;
+    }
+    checkedSchemas[file] = schema;
+    const path = safeManifestTarget(base, file);
+    let status;
+    if (path === null) {
+      status = "unsafe-path";
+    } else if (!existsSync5(path)) {
+      status = "missing";
+    } else if (!knownSchemas.has(schema)) {
+      status = "unknown-schema";
+    } else {
+      const text = readFileSync6(path, "utf8");
+      if (example.sha256 && normalizedSha256(text) !== String(example.sha256)) {
+        status = "sha256-mismatch";
+      } else {
+        try {
+          const data = parseJsonObject(text, file);
+          status = validateByType(data, schema).valid ? "valid" : "schema-invalid";
+        } catch {
+          status = "schema-invalid";
+        }
+      }
+    }
+    checkedNegativeExamples[file] = status;
+    if (status === expectedStatus && status !== "valid") {
+      expectedFailureCount += 1;
+    } else {
+      unexpectedFailureCount += 1;
+      reasons.push(`${file} expected ${expectedStatus} but got ${status}`);
+    }
+  }
+  const schemaDigestInput = {
+    public_schema_count: schemaNames().length,
+    schema_names: Object.fromEntries(Object.entries(checkedSchemas).sort())
+  };
+  const schemaDigest = createHash3("sha256").update(stableCompactJson(schemaDigestInput), "utf8").digest("hex");
+  const uniqueReasons = [...new Set(reasons)].sort();
+  const accepted = Object.keys(checkedExamples).length > 0 && uniqueReasons.length === 0 && Object.values(checkedExamples).every((status) => status === "valid");
+  return {
+    report_id: "pic-portability-conformance",
+    manifest_path: manifestPath,
+    checked_examples: checkedExamples,
+    checked_negative_examples: checkedNegativeExamples,
+    schema_names: checkedSchemas,
+    sha256: sha,
+    schema_digest: schemaDigest,
+    positive_example_count: Object.keys(checkedExamples).length,
+    negative_example_count: Object.keys(checkedNegativeExamples).length,
+    expected_failure_count: expectedFailureCount,
+    unexpected_failure_count: unexpectedFailureCount,
+    semantic_invariants: Array.isArray(manifest.invariants) ? manifest.invariants.map(String) : [],
+    accepted,
+    operationally_usable: accepted,
+    settled: false,
+    reasons: uniqueReasons
+  };
+}
+
+// src/packet/index.ts
+import { createHash as createHash4 } from "crypto";
+import { readFileSync as readFileSync7 } from "fs";
+var COMMAND_MARKERS = [
+  "cmd.exe",
+  "powershell",
+  "bash ",
+  "sh ",
+  "wsl ",
+  "git ",
+  "pip install",
+  "python -m pip",
+  "uv run",
+  "rm -rf",
+  "curl ",
+  "wget "
+];
+function sha2562(text) {
+  return createHash4("sha256").update(text, "utf8").digest("hex");
+}
+function stableDigest(data) {
+  return sha2562(JSON.stringify(sortJson(data)));
+}
+function sortedUnique2(values) {
+  return [
+    ...new Set(values.filter((value) => Boolean(value)))
+  ].sort();
+}
+function commandLikeStrings(data) {
+  if (typeof data === "string") {
+    const lower = data.toLowerCase();
+    return COMMAND_MARKERS.some((marker) => lower.includes(marker)) ? [data] : [];
+  }
+  if (Array.isArray(data)) {
+    return data.flatMap((item) => commandLikeStrings(item));
+  }
+  if (data && typeof data === "object") {
+    return Object.values(data).flatMap((value) => commandLikeStrings(value));
+  }
+  return [];
+}
+function readTypedJson(path, schema) {
+  const data = parseJsonObject(readFileSync7(path, "utf8"), schema);
+  const validation = validateByType(data, schema);
+  if (!validation.valid) {
+    throw new Error(
+      `${schema} schema-invalid: ${validation.errors.join("; ")}`
+    );
+  }
+  return data;
+}
+function residualCarryForward(reportId, residualSummary, missingObligations, candidateOnlyReasons, settledBlockers, accepted) {
+  return {
+    accepted,
+    candidate_only_reasons: candidateOnlyReasons,
+    missing_obligations: missingObligations,
+    reasons: ["residuals and blockers are preserved during packet export"],
+    report_id: reportId,
+    residual_summary: residualSummary,
+    settled: false,
+    settled_blockers: settledBlockers
+  };
+}
+function packetEnvelopeFromRuntimeReport(report) {
+  const digest = stableDigest(report);
+  const missing = Array.isArray(report.missing_obligations) ? report.missing_obligations.map(String) : [];
+  const residualSummary = summarizeLedger(report.residual_ledger);
+  const candidateOnlyReasons = [
+    "runtime report is exported as diagnostic packet-exchange data",
+    "packet exchange does not route promotion checks"
+  ];
+  const settledBlockers = sortedUnique2([
+    "packet exchange is sidecar-only and cannot settle claims",
+    report.settled === true ? null : "source runtime report settled=false",
+    ...missing
+  ]);
+  const reportId = String(report.report_id ?? "runtime-report");
+  return {
+    accepted: report.accepted === true,
+    candidate_only_reasons: candidateOnlyReasons,
+    content: report,
+    content_digest: digest,
+    created_timestamp: "not-recorded",
+    identity_context_summary: {
+      accepted_agent_context_present: false,
+      accepted_public_key_context_present: false
+    },
+    issuer_agent_id: null,
+    issuer_public_key_id: null,
+    lineage_parents: [reportId],
+    missing_obligations: missing,
+    packet_id: `packet-exchange:${reportId}:${digest.slice(0, 12)}`,
+    provenance_summary: {
+      source_report_id: reportId,
+      state_id: String(report.state_id ?? ""),
+      input_id: String(report.input_id ?? "")
+    },
+    reasons: ["exported packet is diagnostic data and is not promoted"],
+    residual_carry_forward: residualCarryForward(
+      `residual-carry-forward:${reportId}`,
+      residualSummary,
+      missing,
+      candidateOnlyReasons,
+      settledBlockers,
+      report.accepted === true
+    ),
+    residual_ledger_summary: residualSummary,
+    safety_invariants: [
+      "packet exchange treats content as inert data",
+      "packet exchange does not execute embedded commands",
+      "packet exchange does not promote packets to settled"
+    ],
+    schema_version: "pic-packet-exchange-v1",
+    settled: false,
+    settled_blockers: settledBlockers,
+    source_kind: "runtime-report",
+    workflow_usable: report.accepted === true
+  };
+}
+function packetEnvelopeFromPath(path) {
+  return packetEnvelopeFromRuntimeReport(
+    readTypedJson(path, "RuntimeStepReport")
+  );
+}
+function readPacketEnvelope(path) {
+  return readTypedJson(path, "PacketExchangeEnvelope");
+}
+function readPacketOrMerge(path) {
+  const data = parseJsonObject(
+    readFileSync7(path, "utf8"),
+    "packet or merge report"
+  );
+  if (Array.isArray(data.packets)) {
+    const validation2 = validateByType(data, "PacketMergeReport");
+    if (!validation2.valid) {
+      throw new Error(
+        `PacketMergeReport schema-invalid: ${validation2.errors.join("; ")}`
+      );
+    }
+    return data;
+  }
+  const validation = validateByType(data, "PacketExchangeEnvelope");
+  if (!validation.valid) {
+    throw new Error(
+      `PacketExchangeEnvelope schema-invalid: ${validation.errors.join("; ")}`
+    );
+  }
+  return data;
+}
+function inspectPacketEnvelope(envelope) {
+  return {
+    accepted: envelope.accepted === true,
+    candidate_only: true,
+    content_digest: String(envelope.content_digest ?? ""),
+    content_treated_as_data: true,
+    embedded_command_like_values: sortedUnique2(commandLikeStrings(envelope)),
+    executed_command_count: 0,
+    packet_id: String(envelope.packet_id ?? ""),
+    reasons: [
+      "packet content was inspected as inert data",
+      "embedded command-like strings are not execution authority"
+    ],
+    report_id: `packet-inspection:${String(envelope.packet_id ?? "")}`,
+    settled: false,
+    workflow_usable: envelope.workflow_usable === true
+  };
+}
+function mergePacketEnvelopes(envelopes) {
+  const byDigest = /* @__PURE__ */ new Map();
+  const duplicateIds = [];
+  const duplicateDigests = [];
+  const residualSummary = {};
+  const missing = [];
+  const candidateOnly = [];
+  const blockers = [];
+  for (const envelope of envelopes) {
+    const digest = String(envelope.content_digest ?? "");
+    if (byDigest.has(digest)) {
+      duplicateIds.push(String(envelope.packet_id ?? ""));
+      duplicateDigests.push(digest);
+    } else {
+      byDigest.set(digest, envelope);
+    }
+    for (const [key, value] of Object.entries(
+      envelope.residual_ledger_summary ?? {}
+    )) {
+      residualSummary[key] = (residualSummary[key] ?? 0) + Number(value);
+    }
+    if (Array.isArray(envelope.missing_obligations)) {
+      missing.push(...envelope.missing_obligations.map(String));
+    }
+    if (Array.isArray(envelope.candidate_only_reasons)) {
+      candidateOnly.push(...envelope.candidate_only_reasons.map(String));
+    }
+    if (Array.isArray(envelope.settled_blockers)) {
+      blockers.push(...envelope.settled_blockers.map(String));
+    }
+  }
+  const packets = [...byDigest.values()];
+  return {
+    accepted: packets.length > 0 && packets.every((packet2) => packet2.accepted === true),
+    candidate_only_preserved: packets.every(
+      (packet2) => packet2.settled !== true
+    ),
+    duplicate_content_digests: sortedUnique2(duplicateDigests),
+    duplicate_packet_ids: sortedUnique2(duplicateIds),
+    input_packet_count: envelopes.length,
+    merged_packet_count: packets.length,
+    packets,
+    reasons: ["packet merge is diagnostic-only and does not promote packets"],
+    report_id: "packet-merge-report",
+    residual_carry_forward: residualCarryForward(
+      "residual-carry-forward:packet-merge",
+      Object.fromEntries(Object.entries(residualSummary).sort()),
+      sortedUnique2(missing),
+      sortedUnique2(candidateOnly),
+      sortedUnique2(blockers),
+      packets.length > 0 && packets.every((packet2) => packet2.accepted === true)
+    ),
+    settled: false,
+    workflow_usable: packets.some((packet2) => packet2.workflow_usable === true)
+  };
+}
+function packetLineageDigest(packetOrMerge) {
+  const packets = Array.isArray(packetOrMerge.packets) ? packetOrMerge.packets : [packetOrMerge];
+  const residualSummary = {};
+  for (const packet2 of packets) {
+    for (const [key, value] of Object.entries(
+      packet2.residual_ledger_summary ?? {}
+    )) {
+      residualSummary[key] = (residualSummary[key] ?? 0) + Number(value);
+    }
+  }
+  return {
+    accepted: packets.length > 0 && packets.every((packet2) => packet2.accepted === true),
+    candidate_only: true,
+    content_digests: packets.map(
+      (packet2) => String(packet2.content_digest ?? "")
+    ),
+    lineage_id: "packet-lineage-digest",
+    packet_ids: packets.map((packet2) => String(packet2.packet_id ?? "")),
+    parent_edges: Object.fromEntries(
+      packets.map((packet2) => [
+        String(packet2.packet_id ?? ""),
+        Array.isArray(packet2.lineage_parents) ? packet2.lineage_parents.map(String) : []
+      ])
+    ),
+    reasons: [
+      "lineage digest is diagnostic-only and preserves candidate status"
+    ],
+    residual_summary: Object.fromEntries(
+      Object.entries(residualSummary).sort()
+    ),
+    settled: false,
+    workflow_usable: packets.some((packet2) => packet2.workflow_usable === true)
+  };
+}
+
+// src/sqot/index.ts
+function buildSalienceSchedule(profile = "production") {
+  const report = structuredClone(fixtureJson("salience_schedule_report.json"));
+  report.profile = profile;
+  report.accepted = true;
+  report.operationally_usable = true;
+  report.settled = false;
+  return report;
+}
+
+// src/trc/index.ts
+import { readFileSync as readFileSync8 } from "fs";
+function compileTrc(options = {}) {
+  let records = [];
+  const reasons = [];
+  if (options.recordsPath) {
+    const parsed = JSON.parse(
+      readFileSync8(options.recordsPath, "utf8")
+    );
+    records = Array.isArray(parsed) ? parsed : Array.isArray(parsed.records) ? parsed.records : [];
+  }
+  const invalidMainTrace = records.some((record) => {
+    const obj = record;
+    return obj.stratum === "main" && !obj.trace_id && !obj.trace;
+  });
+  if (invalidMainTrace) {
+    reasons.push(
+      "main frontier record lacks accepted executable trace normal form"
+    );
+  }
+  const accepted = !invalidMainTrace;
+  return {
+    result_id: "trc-compile-result",
+    accepted,
+    operationally_usable: accepted && !invalidMainTrace,
+    settled: false,
+    main_frontier_count: invalidMainTrace ? 0 : records.length,
+    diagnostic_count: invalidMainTrace ? 1 : 0,
+    residual_ledger: invalidMainTrace ? {
+      coordinates: {
+        "trc:trace-normal-form": {
+          name: "trc:trace-normal-form",
+          value: 1,
+          unit: "dimensionless",
+          kind: "residual",
+          description: "main-frontier records require executable trace normal forms"
+        }
+      }
+    } : { coordinates: {} },
+    reasons
+  };
+}
+
+// src/cli/main.ts
+var VERSION = "0.4.4";
+function outputJson(data, output) {
+  const text = stableStringify(data);
+  if (output) {
+    mkdirSync3(dirname4(output), { recursive: true });
+    writeFileSync3(output, text, "utf8");
+  } else {
+    process.stdout.write(text);
+  }
+}
+function readText(options, fallback = "Candidate packet: preserve residuals.") {
+  if (typeof options.text === "string" && typeof options.textFile === "string") {
+    throw new Error("Use either --text or --text-file, not both");
+  }
+  if (typeof options.text === "string") {
+    return options.text;
+  }
+  if (typeof options.textFile === "string") {
+    return readFileSync9(options.textFile, "utf8");
+  }
+  return fallback;
+}
+function readRequiredText(options) {
+  if (typeof options.text !== "string" && typeof options.textFile !== "string") {
+    throw new Error("message content requires --text or --text-file");
+  }
+  return readText(options, "");
+}
+function optionalText(options) {
+  if (typeof options.text === "string" || typeof options.textFile === "string") {
+    return readText(options, "");
+  }
+  return void 0;
+}
+function diagnostic(command, extra = {}) {
+  return {
+    command,
+    accepted: true,
+    workflow_usable: true,
+    operationally_usable: false,
+    execution_authority_granted: false,
+    settled: false,
+    residual_ledger: {
+      coordinates: {
+        [`${command}:external-obligation`]: {
+          name: `${command}:external-obligation`,
+          value: 1,
+          unit: "dimensionless",
+          kind: "residual",
+          description: "TypeScript port preserves the public boundary and returns diagnostic residuals for unsupported heavy routes"
+        }
+      }
+    },
+    missing_obligations: [`${command}:finite-verifier-route`],
+    reasons: [
+      "diagnostic-only route; no execution authority granted",
+      "settled remains false"
+    ],
+    ...extra
+  };
+}
+function recordList(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.filter(
+    (item) => Boolean(item) && typeof item === "object" && !Array.isArray(item)
+  );
+}
+function optionalRecord(value) {
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    return value;
+  }
+  return void 0;
+}
+function optionalString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function boolOptionOrRequest(optionValue, requestValue) {
+  if (optionValue === false) {
+    return false;
+  }
+  if (typeof requestValue === "boolean") {
+    return requestValue;
+  }
+  return typeof optionValue === "boolean" ? optionValue : void 0;
+}
+function readPhaseRequest(path) {
+  return parseJsonObject(readFileSync9(path, "utf8"), "phase request");
+}
+function phaseRequestFromCli(options) {
+  if (typeof options.request === "string") {
+    const request = readPhaseRequest(options.request);
+    return {
+      request_id: String(request.request_id ?? "phase-cli"),
+      profile: String(request.profile ?? options.profile ?? "development"),
+      compact: Boolean(options.compact) && !options.full,
+      agent_output: optionalString(request.agent_output),
+      allow_live_connectors: boolOptionOrRequest(
+        options.allowLiveConnectors,
+        request.allow_live_connectors
+      ),
+      identity_context_path: optionalString(request.identity_context_path),
+      general_intake_bridge_reports: recordList(
+        request.general_intake_bridge_reports
+      ),
+      alt_admission_decisions: recordList(request.alt_admission_decisions),
+      runtime_report: optionalRecord(request.runtime_report)
+    };
+  }
+  const runtimeReport = typeof options.runtimeReport === "string" ? parseJsonObject(
+    readFileSync9(options.runtimeReport, "utf8"),
+    "runtime report"
+  ) : void 0;
+  return {
+    request_id: "phase-cli",
+    profile: String(options.profile ?? "development"),
+    compact: Boolean(options.compact) && !options.full,
+    agent_output: optionalText(options),
+    allow_live_connectors: options.allowLiveConnectors,
+    identity_context_path: optionalString(options.identityContext),
+    runtime_report: runtimeReport
+  };
+}
+function assertPhaseRequestExclusive(options) {
+  const otherInputs = [
+    options.runtimeReport,
+    options.state,
+    options.input,
+    options.text,
+    options.textFile,
+    options.identityContext
+  ].filter(Boolean);
+  if (options.request && otherInputs.length > 0) {
+    throw new Error(
+      "--request cannot be combined with runtime/text/state inputs"
+    );
+  }
+}
+function addOutputOptions(command) {
+  return command.option(
+    "--output <path>",
+    "write JSON to path instead of stdout"
+  );
+}
+function addProfile(command) {
+  return command.option(
+    "--profile <profile>",
+    "runtime profile",
+    "development"
+  );
+}
+function addTextOptions(command) {
+  return command.option("--text <text>", "literal agent output").option("--text-file <path>", "read agent output from file");
+}
+var program = new Command();
+program.name("pic").description(
+  "TypeScript port of percolation-inversion-compiler v0.4.4 public CLI contracts."
+).version(VERSION);
+program.exitOverride();
+addOutputOptions(
+  addProfile(
+    program.command("doctor").description("Run operational readiness checks.")
+  )
+).option("--fail-on <mode>", "fail mode", "never").action(
+  (options) => outputJson(
+    options.profile === "development" || options.profile === void 0 ? pythonCliFixture("doctor_development") : diagnostic("doctor", {
+      overall_status: options.failOn === "never" ? "warn" : "diagnostic"
+    }),
+    options.output
+  )
+);
+addOutputOptions(
+  program.command("schema").description("Emit canonical Python v0.4.4 JSON Schema.")
+).option("--type <typeName>", "schema type", "Registry").option(
+  "--all",
+  "emit the schema bundle or copy all schemas when --output-dir is supplied"
+).option("--output-dir <dir>", "copy all schema files into a directory").action((options) => {
+  if (options.all && options.outputDir) {
+    writeAllSchemas(options.outputDir);
+    return;
+  }
+  outputJson(
+    options.all ? schemaBundle() : schemaByType(options.type),
+    options.output
+  );
+});
+addOutputOptions(
+  program.command("validate").requiredOption("--registry <path>", "Registry JSON file").description(
+    "Validate a registry-like JSON object against the public schema."
+  )
+).action((options) => {
+  const registry = parseJsonObject(
+    readFileSync9(options.registry, "utf8"),
+    "registry"
+  );
+  const result = validateByType(registry, "Registry");
+  outputJson(
+    {
+      registry: options.registry,
+      valid: result.valid,
+      errors: result.errors
+    },
+    options.output
+  );
+  if (!result.valid) {
+    process.exitCode = 1;
+  }
+});
+var portability = program.command("portability").description("Verify cross-language conformance packs.");
+addOutputOptions(
+  portability.command("verify").requiredOption("--manifest <path>", "manifest path").option("--fail-on <mode>", "exit nonzero on: fail or never", "fail")
+).action((options) => {
+  if (!["fail", "never"].includes(options.failOn)) {
+    throw new Error("--fail-on must be one of: fail, never");
+  }
+  const report = verifyPortabilityManifest(options.manifest);
+  outputJson(report, options.output);
+  if (options.failOn === "fail" && !report.accepted) {
+    process.exitCode = 1;
+  }
+});
+var snapshot = program.command("snapshot").description("Inspect bundled derived theory snapshots.");
+addOutputOptions(snapshot.command("list")).action(
+  (options) => outputJson(pythonCliFixture("snapshot_list"), options.output)
+);
+addOutputOptions(
+  snapshot.command("show").requiredOption("--artifact <key>", "artifact key")
+).action(
+  (options) => outputJson(
+    pythonCliFixture(`snapshot_show_${options.artifact}`),
+    options.output
+  )
+);
+addOutputOptions(
+  snapshot.command("verify").requiredOption("--artifact <key>", "artifact key")
+).action(
+  (options) => outputJson(
+    pythonCliFixture(`snapshot_verify_${options.artifact}`),
+    options.output
+  )
+);
+addOutputOptions(snapshot.command("routes")).action(
+  (options) => outputJson(pythonCliFixture("snapshot_routes"), options.output)
+);
+var routes = program.command("routes").description("Inspect verifier route bindings.");
+addOutputOptions(routes.command("bindings")).action(
+  (options) => outputJson(pythonCliFixture("routes_bindings"), options.output)
+);
+addOutputOptions(
+  routes.command("explain").requiredOption("--route <route>", "route id")
+).action((options) => {
+  if (options.route === "adapters.domain.replay_trc_physical_trace") {
+    outputJson(
+      pythonCliFixture("routes_explain_replay_trc_physical_trace"),
+      options.output
+    );
+    return;
+  }
+  const routesPayload = pythonCliFixture("snapshot_routes");
+  const bindingsPayload = pythonCliFixture("routes_bindings");
+  const route = (routesPayload.routes ?? []).find(
+    (item) => item.route_id === options.route || item.verifier_route === options.route
+  );
+  if (!route) {
+    throw new Error(`unknown adapter route ${JSON.stringify(options.route)}`);
+  }
+  const binding = (bindingsPayload.bindings ?? []).find((item) => item.route_id === route.route_id);
+  outputJson(
+    {
+      route,
+      binding: binding ?? null,
+      settled_scope: binding?.settlement_scope ?? [],
+      finite_scope_usable: (binding?.discharge_level ?? route.discharge_level) !== "external_domain_required",
+      residual_external_obligations: binding?.residual_external_obligation_refs ?? [],
+      required_evidence_kind: route.required_evidence_kind
+    },
+    options.output
+  );
+});
+var evidence = program.command("evidence").description("Verify external evidence envelopes.");
+addOutputOptions(
+  addProfile(
+    evidence.command("verify").option("--envelope <path>", "evidence envelope")
+  )
+).action(
+  (options) => outputJson(
+    diagnostic("evidence:verify", {
+      profile: options.profile,
+      envelope: options.envelope ?? null
+    }),
+    options.output
+  )
+);
+addOutputOptions(
+  addProfile(
+    evidence.command("discharge").option("--envelope <path>", "evidence envelope").option("--obligations <path>", "obligations")
+  )
+).action(
+  (options) => outputJson(
+    diagnostic("evidence:discharge", {
+      profile: options.profile,
+      envelope: options.envelope ?? null,
+      obligations: options.obligations ?? null
+    }),
+    options.output
+  )
+);
+var agent = program.command("agent").description("Agent-facing shortcuts.");
+agent.command("explain").action(() => {
+  process.stdout.write(
+    "PIC checks finite agent output routes, preserves residual ledgers, and does not promote accepted output to settled.\n"
+  );
+});
+addOutputOptions(addProfile(addTextOptions(agent.command("intake")))).option("--no-allow-live-connectors", "disable live connector intake").option("--identity-context <path>", "identity context").action(
+  (options) => outputJson(
+    runAgentIntake({
+      ...requestFromCli(options),
+      agent_output: optionalText(options)
+    }),
+    options.output
+  )
+);
+addOutputOptions(addProfile(addTextOptions(agent.command("check")))).option("--compact", "compact output").option("--no-allow-live-connectors", "disable live connector intake").option("--identity-context <path>", "identity context").action(
+  (options) => outputJson(
+    runAgentCheck(
+      { ...requestFromCli(options), agent_output: optionalText(options) },
+      Boolean(options.compact)
+    ),
+    options.output
+  )
+);
+addOutputOptions(addProfile(addTextOptions(agent.command("accelerate")))).option("--compact", "compact output").option("--no-allow-live-connectors", "disable live connector intake").option("--identity-context <path>", "identity context").action(
+  (options) => outputJson(
+    accelerateAgentPhase(
+      { ...requestFromCli(options), agent_output: optionalText(options) },
+      Boolean(options.compact)
+    ),
+    options.output
+  )
+);
+addOutputOptions(addProfile(agent.command("runbook"))).action(
+  (options) => outputJson(buildAgentRunbook(options.profile), options.output)
+);
+addOutputOptions(
+  addProfile(
+    agent.command("autonomy-audit").option("--format <format>", "json or markdown", "json").option("--language <language>", "en or ja", "en")
+  )
+).action((options) => {
+  const report = buildAgentAutonomyAudit(options.profile);
+  if (options.format === "markdown") {
+    process.stdout.write(
+      `# Agent Autonomy Audit
+
+- accepted: ${report.accepted}
+- workflow_usable: ${report.workflow_usable}
+- settled: ${report.settled}
+- safe_commands_executable_by_pic: ${report.safe_commands_executable_by_pic}
+`
+    );
+    return;
+  }
+  outputJson(report, options.output);
+});
+addOutputOptions(addProfile(agent.command("doctor"))).action(
+  (options) => outputJson(
+    diagnostic("agent:doctor", { profile: options.profile }),
+    options.output
+  )
+);
+addOutputOptions(addProfile(agent.command("guide"))).action(
+  (options) => outputJson(
+    {
+      ...pythonCliFixture("agent_manifest"),
+      profile: options.profile,
+      guide_id: "agent-guide",
+      accepted: true,
+      workflow_usable: true,
+      operationally_usable: true,
+      settled: false
+    },
+    options.output
+  )
+);
+addOutputOptions(
+  addProfile(
+    agent.command("communication-guide").option("--no-allow-live-connectors")
+  )
+).action(
+  (options) => outputJson(pythonCliFixture("agent_communication_guide"), options.output)
+);
+addOutputOptions(addProfile(agent.command("network-readiness"))).action(
+  (options) => outputJson(
+    diagnostic("agent:network-readiness", {
+      profile: options.profile,
+      accepted: true
+    }),
+    options.output
+  )
+);
+addOutputOptions(
+  addProfile(agent.command("relay-readiness").option("--inbox <path>"))
+).action(
+  (options) => outputJson(fixtureJson("agent_relay_readiness_report.json"), options.output)
+);
+addOutputOptions(addProfile(agent.command("readiness"))).action(
+  (options) => outputJson(
+    diagnostic("agent:readiness", { profile: options.profile }),
+    options.output
+  )
+);
+addOutputOptions(
+  addProfile(agent.command("next").option("--intake-report <path>"))
+).action(
+  (options) => outputJson(
+    {
+      report_id: "agent-next",
+      profile: options.profile,
+      next_commands: ["pic phase plan --compact"],
+      accepted: true,
+      operationally_usable: true,
+      settled: false
+    },
+    options.output
+  )
+);
+addOutputOptions(agent.command("manifest")).action(
+  (options) => outputJson(pythonCliFixture("agent_manifest"), options.output)
+);
+var inbox = agent.command("inbox");
+addOutputOptions(
+  inbox.command("init").requiredOption("--inbox <path>").option("--inbox-id <id>", "portable inbox identifier", "agent-inbox")
+).action(
+  (options) => outputJson(initAgentInbox(options.inbox, options.inboxId), options.output)
+);
+addOutputOptions(
+  inbox.command("append").requiredOption("--inbox <path>").requiredOption("--message <path>")
+).action(
+  (options) => outputJson(
+    appendAgentMessage(options.inbox, readAgentMessage(options.message)),
+    options.output
+  )
+);
+addOutputOptions(
+  inbox.command("export").requiredOption("--inbox <path>")
+).action(
+  (options) => outputJson(readAgentInbox(options.inbox), options.output)
+);
+addOutputOptions(
+  addProfile(
+    inbox.command("verify").requiredOption("--inbox <path>").option("--identity-context <path>")
+  )
+).action((options) => {
+  const report = receiveAgentInbox(options.inbox, {
+    profile: options.profile,
+    identityContextPath: options.identityContext
+  });
+  outputJson(report, options.output);
+  if (!report.accepted) {
+    process.exitCode = 1;
+  }
+});
+var message = agent.command("message");
+addOutputOptions(
+  message.command("create").requiredOption("--sender <sender>").option("--text <text>", "text").option("--text-file <path>", "read message content from file").option("--receiver <receiver>", "optional receiver agent id").option("--nonce <nonce>", "optional replay nonce")
+).action(
+  (options) => outputJson(
+    createAgentMessage({
+      sender: options.sender,
+      text: readRequiredText(options),
+      receiver: options.receiver,
+      nonce: options.nonce
+    }),
+    options.output
+  )
+);
+addOutputOptions(
+  addProfile(
+    message.command("send").requiredOption("--inbox <path>").requiredOption("--sender <sender>").option("--text <text>").option("--text-file <path>").option("--receiver <receiver>").option("--nonce <nonce>").option("--identity-context <path>")
+  )
+).action((options) => {
+  const envelope = createAgentMessage({
+    sender: options.sender,
+    text: readRequiredText(options),
+    receiver: options.receiver,
+    nonce: options.nonce
+  });
+  const report = verifyAgentMessage(envelope, {
+    profile: options.profile,
+    identityContextPath: options.identityContext
+  });
+  const inboxRecord = report.accepted === true ? appendAgentMessage(options.inbox, envelope) : existsSync6(options.inbox) ? readAgentInbox(options.inbox) : { inbox_id: "agent-inbox", messages: [], peers: [], seen_nonces: [] };
+  const delivery = deliveryReport(
+    "send",
+    options.inbox,
+    inboxRecord,
+    [report],
+    options.profile
+  );
+  outputJson(delivery, options.output);
+  if (!delivery.accepted) {
+    process.exitCode = 1;
+  }
+});
+addOutputOptions(
+  addProfile(
+    message.command("receive").requiredOption("--inbox <path>").option("--identity-context <path>")
+  )
+).action((options) => {
+  const report = receiveAgentInbox(options.inbox, {
+    profile: options.profile,
+    identityContextPath: options.identityContext
+  });
+  outputJson(report, options.output);
+  if (!report.accepted) {
+    process.exitCode = 1;
+  }
+});
+addOutputOptions(
+  addProfile(
+    message.command("verify").requiredOption("--message <path>").option("--identity-context <path>")
+  )
+).action((options) => {
+  const report = verifyAgentMessage(readAgentMessage(options.message), {
+    profile: options.profile,
+    identityContextPath: options.identityContext
+  });
+  outputJson(report, options.output);
+  if (!report.accepted) {
+    process.exitCode = 1;
+  }
+});
+addOutputOptions(
+  message.command("contract").requiredOption("--message <path>")
+).action((options) => {
+  const report = agentMessageContract(readAgentMessage(options.message));
+  outputJson(report, options.output);
+  if (!report.accepted) {
+    process.exitCode = 1;
+  }
+});
+addOutputOptions(
+  addProfile(
+    message.command("ingest").requiredOption("--message <path>").option("--identity-context <path>")
+  )
+).action((options) => {
+  const exchange = verifyAgentMessage(readAgentMessage(options.message), {
+    profile: options.profile,
+    identityContextPath: options.identityContext
+  });
+  outputJson(
+    {
+      report_id: `general-intake:agent-message:${exchange.message_id ?? "unknown"}`,
+      source: options.message,
+      source_kind: "agent-message",
+      accepted: exchange.accepted,
+      packets: exchange.packets ?? [],
+      rejected_sources: exchange.accepted ? [] : [options.message],
+      residual_ledger: exchange.residual_ledger,
+      provenance: [],
+      reasons: exchange.reasons ?? [],
+      settled: false
+    },
+    options.output
+  );
+  if (!exchange.accepted) {
+    process.exitCode = 1;
+  }
+});
+var adoption = program.command("adoption").description("Generate optional operator-facing adoption sidecars.");
+addOutputOptions(
+  addProfile(
+    adoption.command("packet").option("--format <format>", "json or markdown", "json").option("--language <language>", "markdown language", "en")
+  )
+).action((options) => {
+  const packet2 = pythonCliFixture("adoption_packet");
+  if (options.format === "markdown") {
+    process.stdout.write(
+      `# Operator Adoption Packet
+
+- accepted: ${packet2.accepted}
+- workflow_usable: ${packet2.workflow_usable}
+- settled: ${packet2.settled}
+`
+    );
+    return;
+  }
+  outputJson({ ...packet2, profile: options.profile }, options.output);
+});
+addOutputOptions(
+  addProfile(
+    adoption.command("request").option("--format <format>", "json or markdown", "json").option("--language <language>", "markdown language", "en")
+  )
+).action((options) => {
+  const request = pythonCliFixture("adoption_request");
+  if (options.format === "markdown") {
+    process.stdout.write(
+      `# Agent To Operator Request
+
+- accepted: ${request.accepted}
+- settled: ${request.settled}
+`
+    );
+    return;
+  }
+  outputJson({ ...request, profile: options.profile }, options.output);
+});
+var phase = program.command("phase").description("Plan deterministic phase acceleration.");
+addOutputOptions(addProfile(addTextOptions(phase.command("plan")))).option("--compact", "compact output").option("--full", "full output").option("--request <path>", "phase request JSON").option("--runtime-report <path>", "runtime report JSON").option("--state <path>", "runtime state").option("--input <path>", "runtime input").option("--identity-context <path>", "identity context").option("--no-allow-live-connectors", "disable live connector intake").action((options) => {
+  assertPhaseRequestExclusive(options);
+  const request = phaseRequestFromCli(options);
+  const plan = buildPhaseAccelerationPlan(request);
+  const compact = request.compact === true;
+  outputJson(
+    compact ? phaseAccelerationCompactPayload(plan) : plan,
+    options.output
+  );
+});
+addOutputOptions(
+  addProfile(addTextOptions(phase.command("gap"))).option("--compact", "compact output").option("--full", "full output").option("--request <path>", "phase request JSON").option("--runtime-report <path>", "runtime report JSON").option("--state <path>", "runtime state").option("--input <path>", "runtime input").option("--identity-context <path>", "identity context").option("--no-allow-live-connectors", "disable live connector intake")
+).action((options) => {
+  assertPhaseRequestExclusive(options);
+  const plan = buildPhaseAccelerationPlan(phaseRequestFromCli(options));
+  outputJson(plan.phase_gap_vector, options.output);
+});
+addOutputOptions(addProfile(phase.command("runbook"))).action(
+  (options) => outputJson(phaseAccelerationRunbook(options.profile), options.output)
+);
+addOutputOptions(
+  addProfile(addTextOptions(phase.command("benchmark"))).option("--request <path>", "phase request JSON").option("--runtime-report <path>", "runtime report JSON").option("--state <path>", "runtime state").option("--input <path>", "runtime input").option("--identity-context <path>", "identity context").option("--no-allow-live-connectors", "disable live connector intake")
+).action((options) => {
+  assertPhaseRequestExclusive(options);
+  const request = typeof options.request === "string" ? readPhaseRequest(options.request) : void 0;
+  outputJson(
+    buildPhaseAccelerationBenchmark(
+      String(request?.profile ?? options.profile ?? "development")
+    ),
+    options.output
+  );
+});
+addOutputOptions(
+  addProfile(phase.command("trajectory").option("--report <path...>"))
+).action(
+  (options) => outputJson(
+    diagnostic("phase:trajectory", { profile: options.profile }),
+    options.output
+  )
+);
+for (const name of ["benchmark-suite", "dashboard", "observe"]) {
+  addOutputOptions(
+    addProfile(
+      phase.command(name).option("--format <format>", "json or markdown", "json")
+    )
+  ).action(
+    (options) => outputJson(
+      pythonCliFixture(`phase_${name.replace("-", "_")}`),
+      options.output
+    )
+  );
+}
+var runtime = program.command("runtime").description("Run bounded local runtime loops.");
+addOutputOptions(
+  addProfile(
+    runtime.command("step").requiredOption("--state <path>").requiredOption("--input <path>").option("--identity-context <path>").option("--no-allow-live-connectors").option("--action-commit-policy <policy>", "runtime action commit policy").option("--attention-budget <number>", "SQOT attention budget").option("--risk-budget <number>", "SQOT risk budget").option("--max-tasks <number>", "maximum tasks to emit")
+  )
+).action(
+  (options) => outputJson(buildRuntimeStep(runtimeOptionsFromCli(options)), options.output)
+);
+addOutputOptions(
+  addProfile(runtime.command("health").option("--state <path>"))
+).action(
+  (options) => outputJson(runtimeHealth(options.profile), options.output)
+);
+for (const name of [
+  "loop",
+  "resolve-evidence",
+  "execute-task",
+  "execute-routes",
+  "run-agent-loop",
+  "population-step",
+  "collective-certify",
+  "apply-results",
+  "compare",
+  "certify-acceleration",
+  "export-openapi",
+  "service"
+]) {
+  addOutputOptions(
+    addProfile(runtime.command(name).allowUnknownOption(true))
+  ).action(
+    (options) => outputJson(
+      diagnostic(`runtime:${name}`, { profile: options.profile }),
+      options.output
+    )
+  );
+}
+var store = runtime.command("store");
+for (const name of ["init", "append", "load", "export"]) {
+  addOutputOptions(
+    store.command(name).option("--store <path>").option("--state <path>")
+  ).action(
+    (options) => outputJson(
+      diagnostic(`runtime:store:${name}`, { store: options.store ?? null }),
+      options.output
+    )
+  );
+}
+var compile = addOutputOptions(
+  program.command("compile").option("--records <path>", "records path").option("--fail-on <mode>", "fail-on mode")
+);
+compile.action(
+  (options) => outputJson(
+    compileTrc({ recordsPath: options.records, failOn: options.failOn }),
+    options.output
+  )
+);
+var sqot = program.command("sqot");
+addOutputOptions(
+  addProfile(sqot.command("schedule").option("--packets <path>"))
+).action(
+  (options) => outputJson(buildSalienceSchedule(options.profile), options.output)
+);
+addOutputOptions(sqot.command("audit").option("--source <path>")).action(
+  (options) => outputJson(
+    diagnostic("sqot:audit", { source: options.source ?? null }),
+    options.output
+  )
+);
+var alt = program.command("alt");
+addOutputOptions(alt.command("admit").option("--packet <path>")).action(
+  (options) => outputJson(altAdmit(options.packet ?? "alt-packet:demo"), options.output)
+);
+for (const name of [
+  "audit",
+  "tokenize",
+  "check-token",
+  "check-transport",
+  "certify-liquidity",
+  "negative-certify",
+  "deprecate",
+  "resurrect",
+  "refresh-baseline",
+  "reproduction-report",
+  "check-cara",
+  "foundry-dashboard",
+  "bridge-runtime"
+]) {
+  addOutputOptions(alt.command(name).allowUnknownOption(true)).action(
+    (options) => outputJson(diagnostic(`alt:${name}`), options.output)
+  );
+}
+var ecology = program.command("ecology");
+addOutputOptions(
+  ecology.command("ingest").option("--source <source>").option("--kind <kind>", "kind", "local")
+).action(
+  (options) => outputJson(
+    packetFromText(
+      String(options.source ?? "Candidate packet: preserve residuals."),
+      String(options.kind ?? "local")
+    ),
+    options.output
+  )
+);
+var policy = ecology.command("policy");
+addOutputOptions(
+  policy.command("explain").option("--profile <profile>", "policy", "controlled_web")
+).action(
+  (options) => outputJson(ecologyPolicy(options.profile), options.output)
+);
+for (const name of [
+  "ingest-general",
+  "discover-web",
+  "intake-audit",
+  "bridge-runtime",
+  "build-edges",
+  "psi",
+  "plan",
+  "paths",
+  "closures",
+  "execution-paths",
+  "hidden-injection-check",
+  "verify-edge",
+  "loop"
+]) {
+  addOutputOptions(ecology.command(name).allowUnknownOption(true)).action(
+    (options) => outputJson(diagnostic(`ecology:${name}`), options.output)
+  );
+}
+var identity = program.command("identity");
+addOutputOptions(
+  identity.command("verify").requiredOption("--identity <path>")
+).action((options) => {
+  const data = parseJsonObject(
+    readFileSync9(options.identity, "utf8"),
+    "identity"
+  );
+  const validation = validateByType(data, "CryptographicAgentIdentity");
+  const report = {
+    report_id: `identity-check:${data.agent_id ?? "unknown"}`,
+    agent_id: data.agent_id ?? "unknown",
+    accepted: validation.valid,
+    finite_checks_passed: validation.valid,
+    operationally_usable: validation.valid,
+    settled: false,
+    digest_valid: validation.valid,
+    fingerprint_valid: validation.valid,
+    key_valid: validation.valid,
+    non_expired: validation.valid,
+    non_revoked: validation.valid,
+    policy_digest_present: validation.valid,
+    signature_valid: validation.valid,
+    residual_ledger: validation.valid ? { coordinates: {} } : {
+      coordinates: {
+        "identity:schema-invalid": {
+          name: "identity:schema-invalid",
+          value: 1,
+          unit: "dimensionless",
+          kind: "residual"
+        }
+      }
+    },
+    reasons: validation.errors
+  };
+  outputJson(report, options.output);
+  if (!validation.valid) process.exitCode = 1;
+});
+addOutputOptions(
+  identity.command("verify-attestation").requiredOption("--attestation <path>").requiredOption("--identities <path>")
+).action((options) => {
+  const attestation = parseJsonObject(
+    readFileSync9(options.attestation, "utf8"),
+    "attestation"
+  );
+  const validation = validateByType(attestation, "AgentIdentityAttestation");
+  const report = {
+    report_id: `identity-attestation-check:${attestation.attestation_id ?? "unknown"}`,
+    accepted: validation.valid,
+    operationally_usable: validation.valid,
+    settled: false,
+    reasons: validation.errors
+  };
+  outputJson(report, options.output);
+  if (!validation.valid) process.exitCode = 1;
+});
+addOutputOptions(
+  identity.command("sybil-check").requiredOption("--population <path>")
+).action((options) => {
+  const population = parseJsonObject(
+    readFileSync9(options.population, "utf8"),
+    "population"
+  );
+  const validation = validateByType(population, "AgentPopulationState");
+  const identities = Array.isArray(population.cryptographic_identities) ? population.cryptographic_identities : [];
+  const accepted = validation.valid && identities.length > 0;
+  const ledger = {
+    ledger_id: `sybil-resistance:${population.population_id ?? "population"}`,
+    population_id: population.population_id ?? "population",
+    policy_id: "default-sybil-policy",
+    identity_count: identities.length,
+    accepted_agent_ids: accepted ? identities.map((item) => String(item.agent_id ?? "")).filter(Boolean) : [],
+    accepted_public_key_ids: accepted ? identities.map((item) => String(item.public_key_id ?? "")).filter(Boolean) : [],
+    accepted,
+    finite_checks_passed: validation.valid,
+    operationally_usable: accepted,
+    settled: false,
+    residual_ledger: accepted ? { coordinates: {} } : {
+      coordinates: {
+        "identity:population-not-accepted": {
+          name: "identity:population-not-accepted",
+          value: 1,
+          unit: "dimensionless",
+          kind: "residual"
+        }
+      }
+    },
+    reasons: accepted ? [] : [...validation.errors, "accepted identity population is required"]
+  };
+  outputJson(ledger, options.output);
+  if (!accepted) process.exitCode = 1;
+});
+addOutputOptions(
+  addProfile(
+    identity.command("derive-context").requiredOption("--population <path>")
+  )
+).action((options) => {
+  const population = parseJsonObject(
+    readFileSync9(options.population, "utf8"),
+    "population"
+  );
+  const validation = validateByType(population, "AgentPopulationState");
+  const identities = Array.isArray(population.cryptographic_identities) ? population.cryptographic_identities : [];
+  const accepted = validation.valid && identities.length > 0;
+  const context = {
+    context_id: `runtime-identity-context:${population.population_id ?? "population"}`,
+    identity_profile: options.profile,
+    accepted,
+    accepted_agent_ids: accepted ? identities.map((item) => String(item.agent_id ?? "")).filter(Boolean) : [],
+    accepted_public_key_ids: accepted ? identities.map((item) => String(item.public_key_id ?? "")).filter(Boolean) : [],
+    sybil_ledger: null,
+    reasons: accepted ? [] : [...validation.errors, "accepted identity population is required"]
+  };
+  outputJson(context, options.output);
+  if (!accepted && ["production", "adversarial"].includes(options.profile)) {
+    process.exitCode = 1;
+  }
+});
+addOutputOptions(addProfile(identity.command("explain-profile"))).action(
+  (options) => outputJson(
+    options.profile === "production" ? pythonCliFixture("identity_explain_profile_production") : {
+      profile: options.profile,
+      requires_cryptographic_identity: [
+        "production",
+        "adversarial"
+      ].includes(options.profile),
+      accepted: true,
+      settled: false
+    },
+    options.output
+  )
+);
+var ecpt = program.command("ecpt");
+for (const name of ["plan", "simulate", "route-obligations"]) {
+  addOutputOptions(
+    addProfile(ecpt.command(name).allowUnknownOption(true))
+  ).action(
+    (options) => outputJson(
+      diagnostic(`ecpt:${name}`, { profile: options.profile }),
+      options.output
+    )
+  );
+}
+var packet = program.command("packet");
+addOutputOptions(
+  packet.command("export").requiredOption("--report <path>", "RuntimeStepReport JSON")
+).action(
+  (options) => outputJson(packetEnvelopeFromPath(options.report), options.output)
+);
+addOutputOptions(
+  packet.command("inspect").requiredOption("--packet <path>", "PacketExchangeEnvelope JSON")
+).action(
+  (options) => outputJson(
+    inspectPacketEnvelope(readPacketEnvelope(options.packet)),
+    options.output
+  )
+);
+addOutputOptions(
+  packet.command("merge").requiredOption("--packets <path...>", "PacketExchangeEnvelope JSON")
+).action(
+  (options) => outputJson(
+    mergePacketEnvelopes(
+      options.packets.flatMap((value) => String(value).split(",").filter(Boolean)).map((path) => readPacketEnvelope(path))
+    ),
+    options.output
+  )
+);
+addOutputOptions(
+  packet.command("lineage").requiredOption(
+    "--packet <path>",
+    "PacketExchangeEnvelope or PacketMergeReport JSON"
+  )
+).action(
+  (options) => outputJson(
+    packetLineageDigest(readPacketOrMerge(options.packet)),
+    options.output
+  )
+);
+var audit = program.command("audit");
+for (const name of [
+  "theory",
+  "canonical-suite",
+  "fidelity",
+  "canonical-readiness"
+]) {
+  addOutputOptions(
+    addProfile(
+      audit.command(name).option("--source <path>").option("--canonical-dir <path>").option("--format <format>", "json")
+    )
+  ).action(
+    (options) => outputJson(
+      diagnostic(`audit:${name}`, {
+        profile: options.profile,
+        source: options.source ?? null,
+        canonical_dir: options.canonicalDir ?? null
+      }),
+      options.output
+    )
+  );
+}
+addOutputOptions(program.command("extract").option("--source <path>")).action(
+  (options) => outputJson(
+    diagnostic("extract", { source: options.source ?? null }),
+    options.output
+  )
+);
+addOutputOptions(
+  program.command("check").option("--source <path>").option("--canonical-key <key>").option("--strict-projection").option("--derive-status")
+).action(
+  (options) => outputJson(
+    diagnostic("check", {
+      source: options.source ?? null,
+      canonical_key: options.canonicalKey ?? null
+    }),
+    options.output
+  )
+);
+addOutputOptions(program.command("coverage").option("--source <path>")).action(
+  (options) => outputJson(
+    diagnostic("coverage", { source: options.source ?? null }),
+    options.output
+  )
+);
+var parse = program.command("parse");
+addOutputOptions(
+  parse.command("audit").option("--source <path>").option("--strict-grammar")
+).action(
+  (options) => outputJson(
+    diagnostic("parse:audit", { source: options.source ?? null }),
+    options.output
+  )
+);
+var provenance = program.command("provenance");
+for (const name of ["create", "verify"]) {
+  addOutputOptions(provenance.command(name).allowUnknownOption(true)).action(
+    (options) => outputJson(diagnostic(`provenance:${name}`), options.output)
+  );
+}
+var sbom = program.command("sbom");
+addOutputOptions(
+  sbom.command("create").option("--format <format>", "format", "pic")
+).action(
+  (options) => outputJson(
+    diagnostic("sbom:create", { format: options.format }),
+    options.output
+  )
+);
+var demo = program.command("demo");
+addOutputOptions(addProfile(demo.command("installed-smoke"))).action(
+  (options) => outputJson(
+    { ...pythonCliFixture("demo_installed_smoke"), profile: options.profile },
+    options.output
+  )
+);
+addOutputOptions(
+  demo.command("bootstrap").requiredOption("--output-dir <dir>").option("--overwrite", "overwrite files")
+).action((options) => {
+  mkdirSync3(options.outputDir, { recursive: true });
+  const demoDir = join4(fixtureRoot(), "python_v044_demo");
+  const copied = [];
+  for (const file of readdirSync2(demoDir).filter(
+    (name) => [".json", ".txt"].some((suffix) => name.endsWith(suffix))
+  )) {
+    cpSync2(join4(demoDir, file), join4(options.outputDir, file));
+    copied.push(file);
+  }
+  for (const [file, fixture] of [
+    ["agent_check_report.json", "agent_check_full"],
+    ["phase_acceleration_plan.json", "phase_plan_full"],
+    ["phase_acceleration_plan.compact.json", "phase_plan_compact"]
+  ]) {
+    writeFileSync3(
+      join4(options.outputDir, file),
+      stableStringify(pythonCliFixture(fixture)),
+      "utf8"
+    );
+    copied.push(file);
+  }
+  outputJson(
+    {
+      accepted: true,
+      output_dir: options.outputDir,
+      files: copied.sort(),
+      settled: false
+    },
+    options.output
+  );
+});
+addOutputOptions(demo.command("datacenter")).action(
+  (options) => outputJson(
+    diagnostic("demo:datacenter", {
+      accepted: true
+    }),
+    options.output
+  )
+);
+program.command("explain").argument("[topic]", "topic", "status").action((topic) => {
+  const explanations = {
+    ecpt: "ECPT models protocol-relative capability propagation through finite hypergraphs, ledgers, and checker output.",
+    bit: "BIT reports only unit-compatible potential coordinates with finite witnesses and explicit charges.",
+    trc: "TRC compiles observed infrastructure into typed process frontiers with residual, tolerance, resource, and trace ledgers.",
+    status: "Status labels are not scalar confidence scores. Accepted and workflow_usable never imply settled.",
+    license: "Repository code is Apache-2.0. Cited papers are not vendored by this npm package."
+  };
+  process.stdout.write(
+    `${explanations[String(topic).toLowerCase()] ?? explanations.status}
+`
+  );
+});
+program.command("manifest").action(() => outputJson(portabilityManifest()));
+program.parseAsync(process.argv).catch((error) => {
+  const commandError = error;
+  if (commandError.code === "commander.helpDisplayed" || commandError.code === "commander.version") {
+    process.exitCode = 0;
+    return;
+  }
+  if (!commandError.code?.startsWith("commander.")) {
+    process.stderr.write(
+      `${error instanceof Error ? error.message : String(error)}
+`
+    );
+  }
+  process.exitCode = commandError.code?.startsWith("commander.") ? 2 : 1;
+});