pluribus-context 0.3.21 → 0.3.26

package/examples/context-input-evidence/convert-memory-provenance-log.mjs

@@ -0,0 +1,263 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = process.argv[2] ? resolve(process.argv[2]) : join(here, 'sample-memory-provenance-log.jsonl');
+const receiptPath = process.argv[3] ? resolve(process.argv[3]) : join(here, 'memory-provenance-receipt.ndjson');
+const tracePath = process.argv[4] ? resolve(process.argv[4]) : join(here, 'memory-provenance-otel-trace.json');
+
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value ?? '').digest('hex')}`;
+}
+
+function hashRef(value) {
+  return sha256(value ?? '').slice(0, 19);
+}
+
+function readJsonl(path) {
+  return readFileSync(path, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line, index) => {
+      try {
+        return JSON.parse(line);
+      } catch (error) {
+        throw new Error(`Invalid JSONL at ${path}:${index + 1}: ${error.message}`);
+      }
+    });
+}
+
+function unixNano(isoTimestamp) {
+  return `${BigInt(Date.parse(isoTimestamp)) * 1_000_000n}`;
+}
+
+function otelValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number' && Number.isInteger(value)) return { intValue: String(value) };
+  if (typeof value === 'number') return { doubleValue: value };
+  if (typeof value === 'string') {
+    if (value === 'true' || value === 'false') return { boolValue: value === 'true' };
+    if (/^-?\d+$/.test(value)) return { intValue: value };
+    return { stringValue: value };
+  }
+  if (value == null) return { stringValue: '' };
+  return { stringValue: JSON.stringify(value) };
+}
+
+function attributesToOtel(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({ key, value: otelValue(value) }));
+}
+
+const records = readJsonl(inputPath);
+const sessionStart = records.find((record) => record.type === 'session.start') ?? {};
+const memoryWrites = records.filter((record) => record.type === 'memory.entry.promoted' || record.type === 'memory.entry.corrected');
+const hydrations = records.filter((record) => record.type === 'memory.bundle.hydrated');
+const provenanceChecks = records.filter((record) => record.type === 'memory.provenance.evaluated');
+
+if (memoryWrites.length === 0) {
+  throw new Error(`No memory entry write/correction records found in ${inputPath}`);
+}
+
+const sessionId = sessionStart.session_id ?? 'unknown-session';
+const conversationId = sessionStart.conversation_id ?? sessionId;
+const traceId = sha256(`${sessionId}:team-memory-provenance-trace`).replace('sha256:', '').slice(0, 32);
+const spanId = sha256(`${sessionId}:team-memory-provenance-span`).replace('sha256:', '').slice(0, 16);
+const writesByEntry = new Map();
+
+function baseAttributes(record) {
+  return {
+    'team_memory.team.hash': hashRef(record.team ?? sessionStart.team ?? ''),
+    'team_memory.scope.hash': hashRef(record.scope ?? ''),
+    'team_memory.visibility': record.visibility ?? 'unknown',
+    'session.id': sessionId,
+    'gen_ai.conversation.id': conversationId
+  };
+}
+
+const writeEvents = memoryWrites.map((record) => {
+  if (!Number.isInteger(record.sequence)) {
+    throw new Error(`Memory write ${record.entry_id ?? '<unknown>'} is missing integer sequence`);
+  }
+  const entryVersions = writesByEntry.get(record.entry_id) ?? [];
+  entryVersions.push(record);
+  writesByEntry.set(record.entry_id, entryVersions);
+
+  return {
+    trace_id: traceId,
+    span_id: spanId,
+    name: record.type === 'memory.entry.corrected' ? 'team_memory.entry.corrected' : 'team_memory.entry.promoted',
+    time: record.time,
+    attributes: {
+      ...baseAttributes(record),
+      'team_memory.entry.id_hash': hashRef(record.entry_id ?? ''),
+      'team_memory.entry.sequence': record.sequence,
+      'team_memory.entry.operation': record.type.replace('memory.entry.', ''),
+      'team_memory.entry.body_hash': sha256(record.raw_body ?? ''),
+      'team_memory.entry.body_recorded': 'false',
+      'team_memory.entry.previous.id_hash': record.supersedes_entry_id ? hashRef(record.supersedes_entry_id) : '',
+      'team_memory.author.agent.id_hash': hashRef(record.author_agent_id ?? ''),
+      'team_memory.author.human.id_hash': hashRef(record.author_human_id ?? ''),
+      'team_memory.author.role': record.author_role ?? 'unknown',
+      'team_memory.source.session.id_hash': hashRef(record.source_session_id ?? ''),
+      'team_memory.source.compaction_epoch': record.source_compaction_epoch ?? 0,
+      'team_memory.promotion.reason_hash': sha256(record.promotion_reason ?? ''),
+      'team_memory.decision.scope': record.decision_scope ?? 'unknown',
+      'team_memory.privacy.raw_body_recorded': 'false',
+      'team_memory.privacy.raw_rationale_recorded': 'false'
+    }
+  };
+});
+
+const hydrationEvents = hydrations.map((record) => {
+  const selectedIds = record.selected_entry_ids ?? [];
+  const candidateIds = record.candidate_entry_ids ?? [];
+  const suppressedIds = record.suppressed_entry_ids ?? [];
+  const unknownAuthorIds = selectedIds.filter((entryId) => !writesByEntry.has(entryId));
+  if (unknownAuthorIds.length > 0) {
+    throw new Error(`Hydration selected entries without known provenance: ${unknownAuthorIds.join(', ')}`);
+  }
+  if ((record.loaded_sequence_min ?? 0) > (record.loaded_sequence_max ?? 0)) {
+    throw new Error(`Hydration sequence range is not monotonic for ${record.team ?? '<unknown team>'}`);
+  }
+
+  return {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'team_memory.bundle.hydrated',
+    time: record.time,
+    attributes: {
+      ...baseAttributes(record),
+      'team_memory.consumer.agent.id_hash': hashRef(record.consumer_agent_id ?? ''),
+      'team_memory.ticket.id_hash': hashRef(record.ticket_id ?? ''),
+      'team_memory.selection.policy': record.selection_policy ?? 'unknown',
+      'team_memory.query.hash': sha256(record.query_text ?? ''),
+      'team_memory.candidate.count': candidateIds.length,
+      'team_memory.selected.count': selectedIds.length,
+      'team_memory.suppressed.count': suppressedIds.length,
+      'team_memory.selected.entry_ids_hash': sha256(selectedIds.map(hashRef).join('\n')),
+      'team_memory.suppressed.entry_ids_hash': sha256(suppressedIds.map(hashRef).join('\n')),
+      'team_memory.loaded.sequence_min': record.loaded_sequence_min ?? 0,
+      'team_memory.loaded.sequence_max': record.loaded_sequence_max ?? 0,
+      'team_memory.loaded.ordering': 'monotonic_team_memory_sequence',
+      'team_memory.bundle.body_hash': sha256(record.raw_bundle ?? ''),
+      'team_memory.bundle.body_recorded': 'false',
+      'team_memory.privacy.raw_query_recorded': 'false',
+      'team_memory.privacy.raw_bundle_recorded': 'false'
+    }
+  };
+});
+
+const provenanceEvents = provenanceChecks.map((record) => {
+  const selectedCount = record.selected_count ?? 0;
+  const knownAuthorCount = record.known_author_count ?? 0;
+  const unknownAuthorCount = record.unknown_author_count ?? 0;
+  const accountedRelevance = (record.decisive_count ?? 0)
+    + (record.supporting_count ?? 0)
+    + (record.unused_count ?? 0)
+    + (record.unknown_relevance_count ?? 0);
+
+  if (knownAuthorCount + unknownAuthorCount !== selectedCount) {
+    throw new Error(`Author accounting invariant failed: selected_count != known_author_count + unknown_author_count`);
+  }
+  if (accountedRelevance !== selectedCount) {
+    throw new Error(`Relevance accounting invariant failed: selected_count != decisive + supporting + unused + unknown`);
+  }
+
+  return {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'team_memory.provenance.evaluated',
+    time: record.time,
+    attributes: {
+      ...baseAttributes(record),
+      'team_memory.consumer.agent.id_hash': hashRef(record.consumer_agent_id ?? ''),
+      'team_memory.selected.count': selectedCount,
+      'team_memory.selected.known_author_count': knownAuthorCount,
+      'team_memory.selected.unknown_author_count': unknownAuthorCount,
+      'team_memory.loaded.ordered_sequence_count': record.ordered_sequence_count ?? 0,
+      'team_memory.relevance.decisive_count': record.decisive_count ?? 0,
+      'team_memory.relevance.supporting_count': record.supporting_count ?? 0,
+      'team_memory.relevance.unused_count': record.unused_count ?? 0,
+      'team_memory.relevance.unknown_count': record.unknown_relevance_count ?? 0,
+      'team_memory.accounting.invariant': 'selected_count == known_author_count + unknown_author_count && selected_count == decisive_count + supporting_count + unused_count + unknown_relevance_count',
+      'team_memory.audit_gap': record.audit_gap ?? 'proves provenance and loading boundaries, not factual correctness'
+    }
+  };
+});
+
+const events = [...writeEvents, ...hydrationEvents, ...provenanceEvents]
+  .sort((left, right) => Date.parse(left.time) - Date.parse(right.time));
+writeFileSync(receiptPath, `${events.map((event) => JSON.stringify(event)).join('\n')}\n`);
+
+const eventTimes = records.map((record) => Date.parse(record.time)).filter(Number.isFinite);
+const startTimeMs = Number.isFinite(Date.parse(sessionStart.time)) ? Date.parse(sessionStart.time) : Math.min(...eventTimes);
+const endTimeMs = Math.max(...eventTimes) + 1;
+
+const otlpTrace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: attributesToOtel({
+          'service.name': 'pluribus-team-memory-provenance-demo',
+          'service.version': '0.0.0-fixture',
+          'deployment.environment.name': 'local-fixture'
+        })
+      },
+      scopeSpans: [
+        {
+          scope: {
+            name: 'pluribus.context_input_evidence.team_memory_provenance_demo',
+            version: '0.0.0-fixture'
+          },
+          spans: [
+            {
+              traceId,
+              spanId,
+              parentSpanId: '',
+              name: 'agent.session',
+              kind: 1,
+              startTimeUnixNano: `${BigInt(startTimeMs) * 1_000_000n}`,
+              endTimeUnixNano: `${BigInt(endTimeMs) * 1_000_000n}`,
+              attributes: attributesToOtel({
+                'session.id': sessionId,
+                'gen_ai.conversation.id': conversationId,
+                'gen_ai.agent.name': sessionStart.agent ?? 'unknown',
+                'gen_ai.operation.name': 'agent_session',
+                'code.repository.name': sessionStart.repo ?? '',
+                'pluribus.team_memory.write.count': writeEvents.length,
+                'pluribus.team_memory.hydration.count': hydrationEvents.length,
+                'pluribus.team_memory.provenance_evaluation.count': provenanceEvents.length
+              }),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: unixNano(event.time),
+                attributes: attributesToOtel(event.attributes)
+              }))
+            }
+          ]
+        }
+      ]
+    }
+  ]
+};
+
+writeFileSync(tracePath, `${JSON.stringify(otlpTrace, null, 2)}\n`);
+
+console.log(JSON.stringify({
+  schema: 'pluribus.contextInputEvidence.teamMemoryProvenanceDemo.v0',
+  inputPath,
+  receiptPath,
+  tracePath,
+  sessionId,
+  conversationId,
+  writeEventCount: writeEvents.length,
+  hydrationEventCount: hydrationEvents.length,
+  provenanceEvaluationEventCount: provenanceEvents.length,
+  invariant: 'each hydrated memory has known author provenance, monotonic order, and selected_count accounting for author + relevance buckets',
+  privacyDefault: 'outputs hashes, counts, buckets, roles, scope, and sequence numbers; does not copy raw memory bodies, prompts, tickets, private paths, secrets, or customer data',
+  lesson: 'Team memory needs provenance receipts: who/which agent wrote or corrected each memory, in what order, and which entries actually hydrated into the receiving agent context.'
+}, null, 2));

package/examples/context-input-evidence/convert-secret-scanning-log.mjs

@@ -0,0 +1,233 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = process.argv[2] ? resolve(process.argv[2]) : join(here, 'sample-secret-scanning-log.jsonl');
+const receiptPath = process.argv[3] ? resolve(process.argv[3]) : join(here, 'secret-scanning-receipt.ndjson');
+const tracePath = process.argv[4] ? resolve(process.argv[4]) : join(here, 'secret-scanning-otel-trace.json');
+
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value ?? '').digest('hex')}`;
+}
+
+function hashRef(value) {
+  return sha256(value ?? '').slice(0, 19);
+}
+
+function hashList(values = []) {
+  return sha256(values.join('\n'));
+}
+
+function readJsonl(path) {
+  return readFileSync(path, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line, index) => {
+      try {
+        return JSON.parse(line);
+      } catch (error) {
+        throw new Error(`Invalid JSONL at ${path}:${index + 1}: ${error.message}`);
+      }
+    });
+}
+
+function unixNano(isoTimestamp) {
+  return `${BigInt(Date.parse(isoTimestamp)) * 1_000_000n}`;
+}
+
+function otelValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number' && Number.isInteger(value)) return { intValue: String(value) };
+  if (typeof value === 'number') return { doubleValue: value };
+  if (value == null) return { stringValue: '' };
+  return { stringValue: String(value) };
+}
+
+function attributesToOtel(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({ key, value: otelValue(value) }));
+}
+
+function countBucket(value) {
+  if (value === 0) return 'zero';
+  if (value <= 2) return 'under_2';
+  if (value <= 5) return 'under_5';
+  return 'over_5';
+}
+
+function lineBucket(line) {
+  if (line <= 20) return '1_20';
+  if (line <= 100) return '21_100';
+  return 'over_100';
+}
+
+function durationBucket(ms) {
+  if (ms < 1_000) return 'under_1s';
+  if (ms < 10_000) return 'under_10s';
+  return 'over_10s';
+}
+
+const records = readJsonl(inputPath);
+const session = records.find((record) => record.type === 'session.start');
+const requested = records.find((record) => record.type === 'security.secret_scanning.requested');
+const completed = records.find((record) => record.type === 'security.secret_scanning.completed');
+const findings = records.filter((record) => record.type === 'security.secret_scanning.finding.presented');
+const bypass = records.find((record) => record.type === 'security.secret_scanning.bypass.evaluated');
+const verified = records.find((record) => record.type === 'security.secret_scanning.remediation.verified');
+
+if (!session || !requested || !completed || findings.length === 0 || !bypass || !verified) {
+  throw new Error(`Expected session, secret scanning request/completion/findings/bypass/remediation records in ${inputPath}`);
+}
+
+const traceSeed = `${session.session_id}:${session.conversation_id}:secret-scanning`;
+const traceId = sha256(traceSeed).replace('sha256:', '').slice(0, 32);
+const spanId = sha256(`${traceSeed}:span`).replace('sha256:', '').slice(0, 16);
+
+const baseAttrs = {
+  'session.id': session.session_id,
+  'gen_ai.conversation.id': session.conversation_id,
+  'agent.name': session.agent,
+  'mcp.provider': session.provider,
+  'mcp.client': session.client,
+  'repository.hash': hashRef(session.repository),
+  'repository.path_hash': sha256(session.repo),
+};
+
+const events = [
+  {
+    name: 'security.secret_scanning.requested',
+    time: requested.time,
+    attributes: {
+      ...baseAttrs,
+      'security.scan.request.hash': hashRef(requested.request_id),
+      'security.scan.trigger': requested.trigger,
+      'security.scan.toolset': requested.toolset,
+      'security.scan.tool': requested.tool,
+      'security.scan.scope': requested.scan_scope,
+      'security.scan.diff_path_count': requested.diff_paths.length,
+      'security.scan.diff_paths_hash': hashList(requested.diff_paths),
+      'security.scan.prompt_hash': sha256(requested.prompt),
+      'security.secret_scanning.push_protection_customization': requested.push_protection_customization,
+      'security.secret_scanning.persisted_as_github_alert': requested.persisted_as_github_alert,
+      'privacy.raw_prompt_recorded': false,
+      'privacy.raw_diff_paths_recorded': false,
+      'privacy.raw_secret_values_recorded': false,
+    },
+  },
+  {
+    name: 'security.secret_scanning.completed',
+    time: completed.time,
+    attributes: {
+      ...baseAttrs,
+      'security.scan.request.hash': hashRef(completed.request_id),
+      'security.scan.status': completed.status,
+      'security.scan.files_scanned': completed.files_scanned,
+      'security.scan.line_count_bucket': countBucket(Math.ceil(completed.line_count / 100)),
+      'security.secret_scanning.finding_count': completed.finding_count,
+      'security.secret_scanning.finding_count_bucket': countBucket(completed.finding_count),
+      'security.secret_scanning.detector_count': completed.detector_count,
+      'security.secret_scanning.engine_snapshot_hash': hashRef(completed.engine_snapshot),
+      'security.scan.latency_bucket': durationBucket(completed.latency_ms),
+      'security.scan.tool_response_hash': sha256(completed.tool_response_excerpt),
+      'privacy.raw_tool_response_recorded': false,
+      'privacy.raw_secret_values_recorded': false,
+    },
+  },
+  ...findings.map((finding) => ({
+    name: 'security.secret_scanning.finding.presented',
+    time: finding.time,
+    attributes: {
+      ...baseAttrs,
+      'security.scan.request.hash': hashRef(finding.request_id),
+      'security.finding.hash': hashRef(finding.finding_id),
+      'security.secret_scanning.secret_type': finding.secret_type,
+      'security.finding.severity': finding.severity,
+      'security.finding.location_path_hash': sha256(finding.location_path),
+      'security.finding.line_bucket': lineBucket(finding.line),
+      'security.finding.secret_value_hash': sha256(finding.secret_value),
+      'security.finding.remediation_hash': sha256(finding.remediation),
+      'security.secret_scanning.push_protection_action': finding.push_protection_action,
+      'security.secret_scanning.bypass_allowed': finding.bypass_allowed,
+      'privacy.raw_location_path_recorded': false,
+      'privacy.raw_secret_value_recorded': false,
+      'privacy.raw_remediation_text_recorded': false,
+    },
+  })),
+  {
+    name: 'security.secret_scanning.bypass.evaluated',
+    time: bypass.time,
+    attributes: {
+      ...baseAttrs,
+      'security.scan.request.hash': hashRef(bypass.request_id),
+      'security.policy.hash': hashRef(bypass.policy),
+      'security.secret_scanning.bypass_requested': bypass.bypass_requested,
+      'security.secret_scanning.bypass_allowed': bypass.bypass_allowed,
+      'security.secret_scanning.bypass_reason': bypass.bypass_reason,
+      'security.secret_scanning.decision': bypass.decision,
+      'security.operator_note_hash': sha256(bypass.operator_note),
+      'privacy.raw_operator_note_recorded': false,
+    },
+  },
+  {
+    name: 'security.secret_scanning.remediation.verified',
+    time: verified.time,
+    attributes: {
+      ...baseAttrs,
+      'security.scan.request.hash': hashRef(verified.request_id),
+      'security.scan.rescan.hash': hashRef(verified.rescan_id),
+      'security.scan.status': verified.status,
+      'security.scan.changed_path_count': verified.changed_paths.length,
+      'security.scan.changed_paths_hash': hashList(verified.changed_paths),
+      'security.secret_scanning.finding_count_after': verified.finding_count_after,
+      'security.remediation.rotation_ticket_hash': sha256(verified.rotation_ticket),
+      'security.scan.latency_bucket': durationBucket(verified.latency_ms),
+      'privacy.raw_changed_paths_recorded': false,
+      'privacy.raw_rotation_ticket_recorded': false,
+      'audit.gap': 'receipt_proves_scan_findings_policy_and_clean_rescan_not_secret_revocation_completion',
+    },
+  },
+].map((event) => ({ trace_id: traceId, span_id: spanId, ...event }));
+
+const receipt = events.map((event) => JSON.stringify(event)).join('\n') + '\n';
+writeFileSync(receiptPath, receipt);
+
+const trace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: attributesToOtel({
+          'service.name': 'pluribus-context-input-evidence-demo',
+          'service.version': '0.3.23',
+        }),
+      },
+      scopeSpans: [
+        {
+          scope: { name: 'pluribus.context_input_evidence.secret_scanning', version: '0.1.0' },
+          spans: [
+            {
+              traceId,
+              spanId,
+              name: 'agent.session',
+              kind: 1,
+              startTimeUnixNano: unixNano(session.time),
+              endTimeUnixNano: unixNano(verified.time),
+              attributes: attributesToOtel(baseAttrs),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: unixNano(event.time),
+                attributes: attributesToOtel(event.attributes),
+              })),
+            },
+          ],
+        },
+      ],
+    },
+  ],
+};
+
+writeFileSync(tracePath, `${JSON.stringify(trace, null, 2)}\n`);
+console.log(`wrote ${events.length} secret scanning receipt events to ${receiptPath}`);
+console.log(`wrote OpenTelemetry-style trace to ${tracePath}`);

package/examples/context-input-evidence/convert-session-log.mjs

@@ -0,0 +1,186 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const inputPath = process.argv[2] ? resolve(process.argv[2]) : join(here, 'sample-session-log.jsonl');
+const receiptPath = process.argv[3] ? resolve(process.argv[3]) : join(here, 'session-receipt.ndjson');
+const tracePath = process.argv[4] ? resolve(process.argv[4]) : join(here, 'session-otel-trace.json');
+
+function sha256(value) {
+  return `sha256:${createHash('sha256').update(value).digest('hex')}`;
+}
+
+function canonicalize(text) {
+  return text.normalize('NFC').replace(/\r\n/g, '\n');
+}
+
+function readJsonl(path) {
+  return readFileSync(path, 'utf8')
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map((line, index) => {
+      try {
+        return JSON.parse(line);
+      } catch (error) {
+        throw new Error(`Invalid JSONL at ${path}:${index + 1}: ${error.message}`);
+      }
+    });
+}
+
+function unixNano(isoTimestamp) {
+  return `${BigInt(Date.parse(isoTimestamp)) * 1_000_000n}`;
+}
+
+function otelValue(value) {
+  if (typeof value === 'boolean') return { boolValue: value };
+  if (typeof value === 'number' && Number.isInteger(value)) return { intValue: String(value) };
+  if (typeof value === 'number') return { doubleValue: value };
+  if (typeof value === 'string') {
+    if (value === 'true' || value === 'false') return { boolValue: value === 'true' };
+    if (/^-?\d+$/.test(value)) return { intValue: value };
+    return { stringValue: value };
+  }
+  if (value == null) return { stringValue: '' };
+  return { stringValue: JSON.stringify(value) };
+}
+
+function attributesToOtel(attributes) {
+  return Object.entries(attributes).map(([key, value]) => ({ key, value: otelValue(value) }));
+}
+
+const records = readJsonl(inputPath);
+const sessionStart = records.find((record) => record.type === 'session.start') ?? {};
+const sessionEnd = [...records].reverse().find((record) => record.type === 'session.end') ?? {};
+const contextRecords = records.filter((record) => record.type === 'context.input');
+
+if (contextRecords.length === 0) {
+  throw new Error(`No context.input records found in ${inputPath}`);
+}
+
+const sessionId = sessionStart.session_id ?? 'unknown-session';
+const conversationId = sessionStart.conversation_id ?? sessionId;
+const traceId = sha256(`${sessionId}:trace`).replace('sha256:', '').slice(0, 32);
+const spanId = sha256(`${sessionId}:span`).replace('sha256:', '').slice(0, 16);
+
+const events = contextRecords.map((record) => {
+  const sourceText = record.source_text ?? '';
+  const deliveredText = record.delivered_text ?? sourceText;
+  const sourceCanonicalText = canonicalize(sourceText);
+  const deliveredHash = sha256(deliveredText);
+  const sourceIdentity = record.source_path ?? record.source_uri ?? 'unknown';
+  const sourceAttributeKey = record.source_uri ? 'context.input.source.uri' : 'context.input.source.path';
+
+  return {
+    trace_id: traceId,
+    span_id: spanId,
+    name: 'context.input.loaded',
+    time: record.time,
+    attributes: {
+      'context.input.kind': record.kind ?? 'unknown',
+      [sourceAttributeKey]: sourceIdentity,
+      'context.input.source.bytes_hash': sha256(sourceText),
+      'context.input.source.canonical.form': 'otel.context.source.nfc_lf.v1_candidate',
+      'context.input.source.canonical.hash': sha256(sourceCanonicalText),
+      'context.input.source.canonicalization': 'utf8,unicode_nfc,crlf_to_lf',
+      'context.input.delivered.hash': deliveredHash,
+      'context.input.delivered.full_render.hash': deliveredHash,
+      'context.input.delivered.full_render.status': 'available',
+      'context.input.delivered.template_hash': '',
+      'context.input.delivered.transform': record.delivery_transform ?? 'as-recorded-by-session-log',
+      'context.input.delivered.nondeterministic': 'false',
+      'context.input.delivered.truncated': 'false',
+      'context.input.loaded_by': record.loaded_by ?? 'unknown',
+      'context.input.activation': record.activation ?? 'unknown',
+      'context.input.scope': record.scope ?? 'unknown',
+      'context.input.applies_to': record.applies_to ?? sessionStart.agent ?? 'unknown',
+      'context.input.why_loaded': record.why_loaded ?? 'unknown',
+      'context.input.expected_benefit': record.expected_benefit ?? 'unknown',
+      'context.input.duplicate.dedupe_key': `${conversationId}:${deliveredHash}`,
+      'context.input.duplicate.dedupe_scope': 'conversation',
+      'context.input.duplicate.suppression_policy': 'suppress_equal_dedupe_key_within_scope',
+      'context.input.duplicate.role': 'selected',
+      'context.input.duplicate.risk': 'unknown',
+      'session.id': sessionId,
+      'gen_ai.conversation.id': conversationId
+    }
+  };
+});
+
+writeFileSync(receiptPath, `${events.map((event) => JSON.stringify(event)).join('\n')}\n`);
+
+const eventTimes = records.map((record) => Date.parse(record.time)).filter(Number.isFinite);
+const startTimeMs = Number.isFinite(Date.parse(sessionStart.time)) ? Date.parse(sessionStart.time) : Math.min(...eventTimes);
+const endTimeMs = Number.isFinite(Date.parse(sessionEnd.time)) ? Date.parse(sessionEnd.time) : Math.max(...eventTimes) + 1;
+const toolCallCount = records.filter((record) => record.type === 'tool.call').length;
+
+const otlpTrace = {
+  resourceSpans: [
+    {
+      resource: {
+        attributes: attributesToOtel({
+          'service.name': 'pluribus-session-log-context-demo',
+          'service.version': '0.0.0-fixture',
+          'deployment.environment.name': 'local-fixture'
+        })
+      },
+      scopeSpans: [
+        {
+          scope: {
+            name: 'pluribus.context_input_evidence.session_log_demo',
+            version: '0.0.0-fixture'
+          },
+          spans: [
+            {
+              traceId,
+              spanId,
+              parentSpanId: '',
+              name: 'agent.session',
+              kind: 1,
+              startTimeUnixNano: `${BigInt(startTimeMs) * 1_000_000n}`,
+              endTimeUnixNano: `${BigInt(endTimeMs) * 1_000_000n}`,
+              attributes: attributesToOtel({
+                'session.id': sessionId,
+                'gen_ai.conversation.id': conversationId,
+                'gen_ai.agent.name': sessionStart.agent ?? 'unknown',
+                'gen_ai.operation.name': 'agent_session',
+                'code.repository.name': sessionStart.repo ?? '',
+                'pluribus.session_log.tool_call.count': toolCallCount
+              }),
+              events: events.map((event) => ({
+                name: event.name,
+                timeUnixNano: unixNano(event.time),
+                attributes: attributesToOtel(event.attributes)
+              }))
+            }
+          ]
+        }
+      ]
+    }
+  ]
+};
+
+writeFileSync(tracePath, `${JSON.stringify(otlpTrace, null, 2)}\n`);
+
+const kindCounts = events.reduce((counts, event) => {
+  const kind = event.attributes['context.input.kind'];
+  counts[kind] = (counts[kind] ?? 0) + 1;
+  return counts;
+}, {});
+
+console.log(JSON.stringify({
+  schema: 'pluribus.contextInputEvidence.sessionLogDemo.v0',
+  inputPath,
+  receiptPath,
+  tracePath,
+  sessionId,
+  conversationId,
+  contextInputEventCount: events.length,
+  toolCallCount,
+  kindCounts,
+  privacyDefault: 'outputs hashes, paths/uris, counts, categorical fields, and session identifiers; does not copy raw context text into receipts or trace events',
+  lesson: 'A post-hoc session log can be converted into context.input.loaded SpanEvents without asking retrieval/search tools to inspect the whole transcript.'
+}, null, 2));