npm - pluribus-context - Versions diffs - 0.3.21 → 0.3.26 - Mend

pluribus-context 0.3.21 → 0.3.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/examples/context-input-evidence/convert-agent-overlay-log.mjs ADDED Viewed

@@ -0,0 +1,156 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = join(here, 'agent-overlay-log.jsonl');
+const receiptPath = join(here, 'agent-overlay-receipt.ndjson');
+const tracePath = join(here, 'agent-overlay-otel-trace.json');
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value).digest('hex')}`;
+}
+function parseJsonl(filePath) {
+  return readFileSync(filePath, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line) => JSON.parse(line));
+}
+function attributeValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number') return { intValue: value };
+  return { stringValue: String(value ?? '') };
+}
+function toOtelAttributes(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({
+    key,
+    value: attributeValue(value)
+  }));
+}
+const records = parseJsonl(inputPath);
+const session = records.find((record) => record.type === 'session.start');
+if (!session) {
+  throw new Error('agent-overlay-log.jsonl must contain a session.start record');
+}
+const contextRecords = records.filter((record) => record.type === 'agent_context.loaded');
+const events = contextRecords.map((record) => {
+  const loaded = record.activation !== 'not_loaded_wrong_agent' && record.delivered_text.length > 0;
+  const sourceBytesHash = sha256(record.source_text);
+  const deliveredHash = loaded ? sha256(record.delivered_text) : '';
+  return {
+    trace_id: 'demo-trace-agent-overlays',
+    span_id: session.session_id,
+    name: loaded ? 'context.input.loaded' : 'context.input.candidate_suppressed',
+    time: record.time,
+    attributes: {
+      'context.input.kind': 'agent_instructions',
+      'context.input.source.path': record.source_path,
+      'context.input.source.role': record.source_role,
+      'context.input.source.bytes_hash': sourceBytesHash,
+      'context.input.delivered.hash': deliveredHash,
+      'context.input.delivered.truncated': false,
+      'session.id': session.session_id,
+      'gen_ai.conversation.id': session.conversation_id,
+      'agent.name': session.agent,
+      'workspace.name': session.workspace,
+      'context.input.loaded_by': loaded ? 'native-file-discovery' : 'overlay-selector',
+      'context.input.activation': record.activation,
+      'context.input.scope': 'repo',
+      'context.input.applies_to': record.target_agent,
+      'context.input.load_order': record.load_order,
+      'context.input.composition_policy': record.composition_policy,
+      'context.input.fallback_policy': record.fallback_policy,
+      'context.input.why_loaded': record.why_loaded,
+      'context.input.expected_benefit': record.expected_benefit,
+      'context.input.duplicate.dedupe_scope': 'conversation',
+      'context.input.duplicate.suppression_policy': loaded
+        ? 'keep_distinct_source_roles_in_order'
+        : 'suppress_overlay_for_non_target_agent',
+      'context.input.duplicate.role': loaded ? 'selected' : 'suppressed',
+      'privacy.raw_context_recorded': false,
+      'privacy.raw_prompt_recorded': false,
+      'privacy.raw_tool_args_recorded': false
+    }
+  };
+});
+writeFileSync(receiptPath, `${events.map((event) => JSON.stringify(event)).join('\n')}\n`);
+const trace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: toOtelAttributes({
+          'service.name': 'pluribus-context-input-evidence',
+          'telemetry.sdk.language': 'javascript',
+          'pluribus.demo': 'agent-overlay-receipts'
+        })
+      },
+      scopeSpans: [
+        {
+          scope: { name: 'pluribus.context-input-evidence', version: '0.0.0-demo' },
+          spans: [
+            {
+              traceId: 'demo-trace-agent-overlays',
+              spanId: session.session_id,
+              name: 'agent.session',
+              kind: 'SPAN_KIND_INTERNAL',
+              startTimeUnixNano: '0',
+              endTimeUnixNano: '0',
+              attributes: toOtelAttributes({
+                'session.id': session.session_id,
+                'gen_ai.conversation.id': session.conversation_id,
+                'agent.name': session.agent,
+                'workspace.name': session.workspace,
+                'privacy.raw_context_recorded': false
+              }),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: '0',
+                attributes: toOtelAttributes(event.attributes)
+              }))
+            }
+          ]
+        }
+      ]
+    }
+  ]
+};
+writeFileSync(tracePath, `${JSON.stringify(trace, null, 2)}\n`);
+const loaded = events.filter((event) => event.name === 'context.input.loaded');
+const suppressed = events.filter((event) => event.name === 'context.input.candidate_suppressed');
+const rawLeakStrings = [
+  'Prefer small reviewable changes',
+  'Cursor-specific workspace rule hints',
+  'Codex-specific sandbox notes'
+];
+const traceText = JSON.stringify(trace);
+const receiptText = events.map((event) => JSON.stringify(event)).join('\n');
+const leaksRawText = rawLeakStrings.some((value) => traceText.includes(value) || receiptText.includes(value));
+const summary = {
+  schema: 'pluribus.agentOverlayReceipt.demo.v0',
+  eventCount: events.length,
+  loadedContextInputs: loaded.length,
+  suppressedOverlayCandidates: suppressed.length,
+  loadedSourceRoles: loaded.map((event) => event.attributes['context.input.source.role']),
+  compositionPolicies: [...new Set(events.map((event) => event.attributes['context.input.composition_policy']))],
+  includesLoadOrder: events.every((event) => Number.isInteger(event.attributes['context.input.load_order'])),
+  rawTextCopiedToReceipt: leaksRawText,
+  receiptPath: 'examples/context-input-evidence/agent-overlay-receipt.ndjson',
+  tracePath: 'examples/context-input-evidence/agent-overlay-otel-trace.json',
+  lesson: 'Agent-specific AGENTS.md overlays need load-order, target-agent, fallback, and suppression receipts; otherwise composition is a naming convention, not evidence.'
+};
+console.log(JSON.stringify(summary, null, 2));

package/examples/context-input-evidence/convert-agentgateway-progressive-disclosure-log.mjs ADDED Viewed

@@ -0,0 +1,251 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = process.argv[2] ? resolve(process.argv[2]) : join(here, 'sample-agentgateway-progressive-disclosure-log.jsonl');
+const receiptPath = process.argv[3] ? resolve(process.argv[3]) : join(here, 'agentgateway-progressive-disclosure-receipt.ndjson');
+const tracePath = process.argv[4] ? resolve(process.argv[4]) : join(here, 'agentgateway-progressive-disclosure-otel-trace.json');
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value ?? '').digest('hex')}`;
+}
+function hashRef(value) {
+  return sha256(value ?? '').slice(0, 19);
+}
+function readJsonl(path) {
+  return readFileSync(path, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line, index) => {
+      try {
+        return JSON.parse(line);
+      } catch (error) {
+        throw new Error(`Invalid JSONL at ${path}:${index + 1}: ${error.message}`);
+      }
+    });
+}
+function unixNano(isoTimestamp) {
+  return `${BigInt(Date.parse(isoTimestamp)) * 1_000_000n}`;
+}
+function otelValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number' && Number.isInteger(value)) return { intValue: String(value) };
+  if (typeof value === 'number') return { doubleValue: value };
+  if (value == null) return { stringValue: '' };
+  return { stringValue: String(value) };
+}
+function attributesToOtel(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({ key, value: otelValue(value) }));
+}
+function tokenBucket(value) {
+  if (value < 100) return 'under_100';
+  if (value < 1_000) return 'under_1k';
+  if (value < 10_000) return 'under_10k';
+  if (value < 50_000) return 'under_50k';
+  return 'over_50k';
+}
+function byteBucket(value) {
+  if (value === 0) return 'zero';
+  if (value < 1_000) return 'under_1kb';
+  if (value < 10_000) return 'under_10kb';
+  if (value < 100_000) return 'under_100kb';
+  return 'over_100kb';
+}
+function countBucket(value) {
+  if (value === 0) return 'zero';
+  if (value <= 5) return 'under_5';
+  if (value <= 25) return 'under_25';
+  if (value <= 100) return 'under_100';
+  return 'over_100';
+}
+const records = readJsonl(inputPath);
+const session = records.find((record) => record.type === 'session.start');
+const index = records.find((record) => record.type === 'mcp.gateway.index.loaded');
+const schema = records.find((record) => record.type === 'mcp.gateway.tool_schema.loaded');
+const invoke = records.find((record) => record.type === 'mcp.gateway.tool_invoked');
+const completed = records.find((record) => record.type === 'mcp.gateway.session.completed');
+if (!session || !index || !schema || !invoke || !completed) {
+  throw new Error(`Expected session.start, mcp.gateway.index.loaded, mcp.gateway.tool_schema.loaded, mcp.gateway.tool_invoked, and mcp.gateway.session.completed records in ${inputPath}`);
+}
+const traceSeed = `${session.session_id}:${session.conversation_id}:agentgateway-progressive-disclosure`;
+const traceId = sha256(traceSeed).replace('sha256:', '').slice(0, 32);
+const spanId = sha256(`${traceSeed}:span`).replace('sha256:', '').slice(0, 16);
+const events = [
+  {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'mcp.gateway.index.loaded',
+    time: index.time,
+    attributes: {
+      'session.id': session.session_id,
+      'gen_ai.conversation.id': session.conversation_id,
+      'agent.name': session.agent,
+      'mcp.gateway.name': index.gateway,
+      'mcp.gateway.tool_mode': index.mode,
+      'mcp.gateway.visible_tools_hash': sha256(index.client_visible_tools.join('\n')),
+      'mcp.gateway.visible_tool_count': index.client_visible_tools.length,
+      'mcp.gateway.upstream_server_hash': hashRef(index.upstream_server),
+      'mcp.gateway.upstream_tool_count_bucket': countBucket(index.upstream_tool_count),
+      'mcp.gateway.full_schema_token_count_bucket': tokenBucket(index.full_upstream_schema_token_count),
+      'mcp.gateway.visible_index_token_count_bucket': tokenBucket(index.visible_index_token_count),
+      'mcp.gateway.full_upstream_schemas_loaded_at_startup': false,
+      'privacy.raw_index_recorded': false,
+      'privacy.raw_upstream_tool_schemas_recorded': false
+    }
+  },
+  {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'mcp.gateway.tool_schema.loaded',
+    time: schema.time,
+    attributes: {
+      'session.id': session.session_id,
+      'gen_ai.conversation.id': session.conversation_id,
+      'mcp.gateway.name': schema.gateway,
+      'mcp.tool.name_hash': hashRef(schema.tool),
+      'mcp.tool.schema_command_hash': hashRef(schema.schema_command),
+      'mcp.tool.schema_hash': sha256(schema.raw_schema),
+      'mcp.tool.schema_token_count_bucket': tokenBucket(schema.schema_token_count),
+      'mcp.tool.schema_load_reason_hash': hashRef(schema.selection_reason),
+      'mcp.tool.unselected_tools_hash': sha256(schema.unselected_tool_names.join('\n')),
+      'mcp.tool.unselected_schema_loaded_count': schema.unselected_schema_loaded_count,
+      'privacy.raw_tool_schema_recorded': false,
+      'privacy.raw_unselected_tool_names_recorded': false
+    }
+  },
+  {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'mcp.gateway.tool_invoked',
+    time: invoke.time,
+    attributes: {
+      'session.id': session.session_id,
+      'gen_ai.conversation.id': session.conversation_id,
+      'mcp.gateway.name': invoke.gateway,
+      'mcp.tool.name_hash': hashRef(invoke.tool),
+      'mcp.tool_call.status': invoke.status,
+      'mcp.tool_call.arguments_hash': sha256(invoke.raw_arguments),
+      'mcp.tool_call.result_sample_hash': sha256(invoke.raw_result_sample),
+      'mcp.tool_call.result_count_bucket': countBucket(invoke.result_count),
+      'mcp.tool_call.latency_ms': invoke.latency_ms,
+      'mcp.tool_call.response_size_bucket': byteBucket(invoke.response_bytes),
+      'privacy.raw_tool_arguments_recorded': false,
+      'privacy.raw_tool_results_recorded': false
+    }
+  },
+  {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'mcp.gateway.session.completed',
+    time: completed.time,
+    attributes: {
+      'session.id': session.session_id,
+      'gen_ai.conversation.id': session.conversation_id,
+      'mcp.gateway.session.status': completed.status,
+      'mcp.gateway.full_upstream_schemas_loaded': completed.full_upstream_schemas_loaded,
+      'mcp.gateway.loaded_tool_schema_count': completed.loaded_tool_schema_count,
+      'mcp.gateway.invoked_tool_count': completed.invoked_tool_count,
+      'mcp.gateway.progressive_disclosure.audit_gap': completed.audit_gap
+    }
+  }
+];
+writeFileSync(receiptPath, `${events.map((event) => JSON.stringify(event)).join('\n')}\n`);
+const trace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: attributesToOtel({
+          'service.name': 'pluribus-agentgateway-progressive-disclosure-receipt-demo',
+          'service.version': '0.0.0-fixture',
+          'deployment.environment.name': 'local-fixture'
+        })
+      },
+      scopeSpans: [
+        {
+          scope: {
+            name: 'pluribus.context_input_evidence.agentgateway_progressive_disclosure_demo',
+            version: '0.0.0-fixture'
+          },
+          spans: [
+            {
+              traceId,
+              spanId,
+              parentSpanId: '',
+              name: 'agent.session.mcp.gateway.progressive_disclosure',
+              kind: 1,
+              startTimeUnixNano: unixNano(index.time),
+              endTimeUnixNano: unixNano(completed.time),
+              attributes: attributesToOtel({
+                'session.id': session.session_id,
+                'gen_ai.conversation.id': session.conversation_id,
+                'agent.name': session.agent,
+                'workspace.name': session.workspace,
+                'gen_ai.request.model': session.model,
+                'mcp.gateway.name': index.gateway,
+                'mcp.gateway.tool_mode': index.mode,
+                'mcp.gateway.disclosure.strategy': 'visible_index_then_get_tool_invoke_tool'
+              }),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: unixNano(event.time),
+                attributes: attributesToOtel(event.attributes)
+              }))
+            }
+          ]
+        }
+      ]
+    }
+  ]
+};
+writeFileSync(tracePath, `${JSON.stringify(trace, null, 2)}\n`);
+const forbiddenRawStrings = [
+  'Acme-Co',
+  'sk_live_gateway_fixture',
+  'finance@acme.example',
+  'private-enterprise-mcp',
+  'support.ticket.search',
+  'TICKET-private-001',
+  'Stripe prod incident',
+  'private-support-ops'
+];
+const exportedText = `${events.map((event) => JSON.stringify(event)).join('\n')}\n${JSON.stringify(trace)}`;
+const rawTextCopiedToReceipt = forbiddenRawStrings.some((value) => exportedText.includes(value));
+const summary = {
+  schema: 'pluribus.agentgatewayProgressiveDisclosureReceipt.demo.v0',
+  eventCount: events.length,
+  visibleToolCount: index.client_visible_tools.length,
+  upstreamToolCountBucket: events[0].attributes['mcp.gateway.upstream_tool_count_bucket'],
+  fullSchemaTokenBucket: events[0].attributes['mcp.gateway.full_schema_token_count_bucket'],
+  visibleIndexTokenBucket: events[0].attributes['mcp.gateway.visible_index_token_count_bucket'],
+  loadedToolSchemaCount: completed.loaded_tool_schema_count,
+  fullUpstreamSchemasLoaded: completed.full_upstream_schemas_loaded,
+  includesArgumentsHash: Boolean(events[2].attributes['mcp.tool_call.arguments_hash']),
+  includesResultSampleHash: Boolean(events[2].attributes['mcp.tool_call.result_sample_hash']),
+  rawTextCopiedToReceipt,
+  receiptPath: 'examples/context-input-evidence/agentgateway-progressive-disclosure-receipt.ndjson',
+  tracePath: 'examples/context-input-evidence/agentgateway-progressive-disclosure-otel-trace.json',
+  lesson: 'MCP gateway progressive disclosure still needs receipts: prove the client saw only lightweight meta-tools/index, one full schema loaded on demand, one tool ran, and private schemas/queries/results stayed out of the trace.'
+};
+console.log(JSON.stringify(summary, null, 2));

package/examples/context-input-evidence/convert-brain-remediation-log.mjs ADDED Viewed

@@ -0,0 +1,241 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = process.argv[2] ? resolve(process.argv[2]) : join(here, 'sample-brain-remediation-log.jsonl');
+const receiptPath = process.argv[3] ? resolve(process.argv[3]) : join(here, 'brain-remediation-receipt.ndjson');
+const tracePath = process.argv[4] ? resolve(process.argv[4]) : join(here, 'brain-remediation-otel-trace.json');
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value ?? '').digest('hex')}`;
+}
+function hashRef(value) {
+  return sha256(value ?? '').slice(0, 19);
+}
+function readJsonl(path) {
+  return readFileSync(path, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line, index) => {
+      try {
+        return JSON.parse(line);
+      } catch (error) {
+        throw new Error(`Invalid JSONL at ${path}:${index + 1}: ${error.message}`);
+      }
+    });
+}
+function unixNano(isoTimestamp) {
+  return `${BigInt(Date.parse(isoTimestamp)) * 1_000_000n}`;
+}
+function otelValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number' && Number.isInteger(value)) return { intValue: String(value) };
+  if (typeof value === 'number') return { doubleValue: value };
+  if (typeof value === 'string') {
+    if (value === 'true' || value === 'false') return { boolValue: value === 'true' };
+    if (/^-?\d+$/.test(value)) return { intValue: value };
+    return { stringValue: value };
+  }
+  if (value == null) return { stringValue: '' };
+  return { stringValue: JSON.stringify(value) };
+}
+function attributesToOtel(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({ key, value: otelValue(value) }));
+}
+function dollarBucket(value) {
+  if (value === 0) return 'zero';
+  if (value < 1) return 'under_1_usd';
+  if (value < 5) return 'under_5_usd';
+  return 'over_5_usd';
+}
+function scoreBucket(value) {
+  if (value >= 90) return 'healthy';
+  if (value >= 75) return 'needs_attention';
+  if (value >= 50) return 'degraded';
+  return 'critical';
+}
+const records = readJsonl(inputPath);
+const start = records.find((record) => record.type === 'brain.doctor.start');
+const precheck = records.find((record) => record.type === 'brain.doctor.precheck');
+const plan = records.find((record) => record.type === 'brain.remediation.plan');
+const jobs = records.filter((record) => record.type === 'brain.remediation.job');
+const postcheck = records.find((record) => record.type === 'brain.doctor.postcheck');
+const completed = records.find((record) => record.type === 'brain.doctor.completed');
+if (!start || !precheck || !plan || !postcheck || !completed) {
+  throw new Error(`Expected start, precheck, plan, postcheck, and completed records in ${inputPath}`);
+}
+const traceSeed = `${start.instance_id}:${start.run_id}:brain-remediation`;
+const traceId = sha256(traceSeed).replace('sha256:', '').slice(0, 32);
+const spanId = sha256(`${traceSeed}:span`).replace('sha256:', '').slice(0, 16);
+const instanceHash = hashRef(start.instance_id);
+const runHash = hashRef(start.run_id);
+const protectedPhases = start.protected_phases ?? [];
+const precheckEvent = {
+  trace_id: traceId,
+  span_id: spanId,
+  name: 'brain.doctor.precheck.completed',
+  time: precheck.time,
+  attributes: {
+    'brain.instance.id_hash': instanceHash,
+    'brain.doctor.run.id_hash': runHash,
+    'brain.doctor.mode': start.mode ?? 'doctor.remediate',
+    'brain.doctor.score.before': precheck.score,
+    'brain.doctor.score.before_bucket': scoreBucket(precheck.score),
+    'brain.doctor.issue.count.before': precheck.issue_count,
+    'brain.doctor.issue.categories_hash': sha256((precheck.issue_categories ?? []).join('\n')),
+    'brain.doctor.snapshot.before_hash': hashRef(precheck.brain_snapshot),
+    'brain.privacy.raw_brain_recorded': 'false',
+    'brain.privacy.raw_issue_recorded': 'false'
+  }
+};
+const planEvent = {
+  trace_id: traceId,
+  span_id: spanId,
+  name: 'brain.doctor.remediation.plan.selected',
+  time: plan.time,
+  attributes: {
+    'brain.instance.id_hash': instanceHash,
+    'brain.doctor.run.id_hash': runHash,
+    'brain.remediation.plan.id_hash': hashRef(plan.plan_id),
+    'brain.remediation.plan.summary_hash': sha256(plan.plan_summary ?? ''),
+    'brain.remediation.plan.step_count': plan.step_count ?? jobs.length,
+    'brain.remediation.plan.estimated_spend_bucket': dollarBucket(plan.estimated_usd ?? 0),
+    'brain.remediation.plan.expected_score_delta': plan.expected_score_delta ?? 0,
+    'brain.remediation.plan.requires_protected_phase': String(Boolean(plan.requires_protected_phase)),
+    'brain.remediation.protected_phases_hash': sha256(protectedPhases.join('\n')),
+    'brain.privacy.raw_plan_recorded': 'false'
+  }
+};
+const jobEvents = jobs.map((job) => ({
+  trace_id: traceId,
+  span_id: spanId,
+  name: 'brain.doctor.remediation.job.evaluated',
+  time: job.time,
+  attributes: {
+    'brain.instance.id_hash': instanceHash,
+    'brain.doctor.run.id_hash': runHash,
+    'brain.remediation.job.id_hash': hashRef(job.job_id),
+    'brain.remediation.job.kind': job.step_kind ?? 'unknown',
+    'brain.remediation.job.status': job.status ?? 'unknown',
+    'brain.remediation.job.protected_phase': String(Boolean(job.protected_phase)),
+    'brain.remediation.job.estimated_spend_bucket': dollarBucket(job.estimated_usd ?? 0),
+    'brain.remediation.job.actual_spend_bucket': dollarBucket(job.actual_usd ?? 0),
+    'brain.remediation.job.changed_entity_count': job.changed_entity_count ?? 0,
+    'brain.remediation.job.refusal_reason': job.refusal_reason ?? '',
+    'brain.remediation.job.skip_reason': job.skip_reason ?? '',
+    'brain.privacy.raw_change_recorded': 'false'
+  }
+}));
+const completedEvent = {
+  trace_id: traceId,
+  span_id: spanId,
+  name: 'brain.doctor.remediation.completed',
+  time: completed.time,
+  attributes: {
+    'brain.instance.id_hash': instanceHash,
+    'brain.doctor.run.id_hash': runHash,
+    'brain.doctor.outcome': completed.outcome ?? 'unknown',
+    'brain.doctor.target_score': completed.target_score ?? start.target_score,
+    'brain.doctor.score.before': completed.score_before ?? precheck.score,
+    'brain.doctor.score.after': completed.score_after ?? postcheck.score,
+    'brain.doctor.score.after_bucket': scoreBucket(completed.score_after ?? postcheck.score),
+    'brain.doctor.target_reached': String((completed.score_after ?? postcheck.score) >= (completed.target_score ?? start.target_score ?? 0)),
+    'brain.doctor.issue.count.after': postcheck.issue_count,
+    'brain.doctor.issue.categories_after_hash': sha256((postcheck.issue_categories ?? []).join('\n')),
+    'brain.doctor.snapshot.after_hash': hashRef(postcheck.brain_snapshot),
+    'brain.remediation.jobs.submitted': completed.jobs_submitted ?? jobs.filter((job) => job.status === 'submitted').length,
+    'brain.remediation.jobs.skipped': completed.jobs_skipped ?? jobs.filter((job) => job.status === 'skipped').length,
+    'brain.remediation.jobs.refused': completed.jobs_refused ?? jobs.filter((job) => job.status === 'refused').length,
+    'brain.remediation.cost.cap_bucket': dollarBucket(completed.max_usd ?? start.max_usd ?? 0),
+    'brain.remediation.cost.actual_bucket': dollarBucket(completed.actual_usd ?? 0),
+    'brain.privacy.raw_brain_recorded': 'false',
+    'brain.privacy.raw_operator_note_recorded': 'false'
+  }
+};
+const events = [precheckEvent, planEvent, ...jobEvents, completedEvent]
+  .sort((left, right) => Date.parse(left.time) - Date.parse(right.time));
+writeFileSync(receiptPath, `${events.map((event) => JSON.stringify(event)).join('\n')}\n`);
+const eventTimes = records.map((record) => Date.parse(record.time)).filter(Number.isFinite);
+const startTimeMs = Number.isFinite(Date.parse(start.time)) ? Date.parse(start.time) : Math.min(...eventTimes);
+const endTimeMs = Number.isFinite(Date.parse(completed.time)) ? Date.parse(completed.time) : Math.max(...eventTimes) + 1;
+const otlpTrace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: attributesToOtel({
+          'service.name': 'pluribus-brain-remediation-receipt-demo',
+          'service.version': '0.0.0-fixture',
+          'deployment.environment.name': 'local-fixture'
+        })
+      },
+      scopeSpans: [
+        {
+          scope: {
+            name: 'pluribus.context_input_evidence.brain_remediation_demo',
+            version: '0.0.0-fixture'
+          },
+          spans: [
+            {
+              traceId,
+              spanId,
+              parentSpanId: '',
+              name: 'agent.memory.doctor',
+              kind: 1,
+              startTimeUnixNano: `${BigInt(startTimeMs) * 1_000_000n}`,
+              endTimeUnixNano: `${BigInt(endTimeMs) * 1_000_000n}`,
+              attributes: attributesToOtel({
+                'brain.instance.id_hash': instanceHash,
+                'brain.doctor.run.id_hash': runHash,
+                'brain.doctor.mode': start.mode ?? 'doctor.remediate',
+                'brain.doctor.target_score': start.target_score ?? 0,
+                'brain.remediation.cost.cap_bucket': dollarBucket(start.max_usd ?? 0),
+                'brain.remediation.job.count': jobs.length
+              }),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: unixNano(event.time),
+                attributes: attributesToOtel(event.attributes)
+              }))
+            }
+          ]
+        }
+      ]
+    }
+  ]
+};
+writeFileSync(tracePath, `${JSON.stringify(otlpTrace, null, 2)}\n`);
+console.log(JSON.stringify({
+  schema: 'pluribus.contextInputEvidence.brainRemediationReceiptDemo.v0',
+  inputPath,
+  receiptPath,
+  tracePath,
+  instanceHash,
+  runHash,
+  eventCount: events.length,
+  jobEvents: jobEvents.length,
+  outcome: completed.outcome,
+  rawPayloadRecorded: false
+}, null, 2));