pluribus-context 0.3.35 → 0.3.36

package/examples/memory-write-policy/check-memory-update.mjs

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+import { readFileSync } from 'node:fs'
+
+const [file] = process.argv.slice(2)
+
+if (!file) {
+  console.error('Usage: node check-memory-update.mjs <memory-update-receipt.json>')
+  process.exit(2)
+}
+
+let receipt
+try {
+  receipt = JSON.parse(readFileSync(file, 'utf8'))
+} catch (error) {
+  console.error(JSON.stringify({ ok: false, file, errors: [`invalid JSON: ${error.message}`] }, null, 2))
+  process.exit(2)
+}
+
+const errors = []
+const warnings = []
+
+if (receipt.type !== 'agent.memory_update_receipt.v1') {
+  errors.push('type must be agent.memory_update_receipt.v1')
+}
+
+for (const key of ['update_id', 'run_id']) {
+  if (!receipt[key] || typeof receipt[key] !== 'string') {
+    errors.push(`${key} is required`)
+  }
+}
+
+const source = receipt.source || {}
+if (!source.kind || typeof source.kind !== 'string') {
+  errors.push('source.kind is required')
+}
+if (!source.ref || typeof source.ref !== 'string') {
+  errors.push('source.ref is required')
+}
+if (!source.content_hash || typeof source.content_hash !== 'string') {
+  errors.push('source.content_hash is required; do not rely on raw memory text')
+}
+
+const scope = receipt.scope || {}
+if (!scope.kind || !['repo', 'project', 'org', 'user'].includes(scope.kind)) {
+  errors.push('scope.kind must be repo, project, org, or user')
+}
+if (!scope.id || typeof scope.id !== 'string') {
+  errors.push('scope.id is required so a memory write cannot silently become global')
+}
+if (scope.kind === 'user') {
+  warnings.push('user-scoped durable memory is broad; prefer repo/project scope when possible')
+}
+
+const diff = receipt.proposed_diff || {}
+const changed = ['adds', 'updates', 'supersedes', 'expires'].flatMap((key) => Array.isArray(diff[key]) ? diff[key] : [])
+if (changed.length === 0) {
+  errors.push('proposed_diff must include at least one add, update, supersede, or expire entry')
+}
+for (const [index, item] of changed.entries()) {
+  if (!item.memory_ref || typeof item.memory_ref !== 'string') {
+    errors.push(`proposed_diff item ${index} is missing memory_ref`)
+  }
+  if (!item.summary_hash || typeof item.summary_hash !== 'string') {
+    errors.push(`proposed_diff item ${index} is missing summary_hash; log hashes, not raw memory bodies`)
+  }
+  if (item.raw_text) {
+    errors.push(`proposed_diff item ${index} must not include raw_text`)
+  }
+}
+
+const policy = receipt.write_policy || {}
+if (policy.status !== 'approved') {
+  errors.push(`write_policy.status is ${policy.status || 'missing'}; shared memory write must remain proposed/quarantined until approved`)
+}
+if (!policy.policy_ref || typeof policy.policy_ref !== 'string') {
+  errors.push('write_policy.policy_ref is required')
+}
+if (!policy.approved_by || typeof policy.approved_by !== 'string') {
+  errors.push('write_policy.approved_by is required for durable writes')
+}
+if (policy.private_or_sensitive_detected !== false) {
+  errors.push('write_policy.private_or_sensitive_detected must be false before merge')
+}
+
+const lifecycle = receipt.lifecycle || {}
+if (!lifecycle.expires_at && !lifecycle.review_after) {
+  errors.push('lifecycle.expires_at or lifecycle.review_after is required to avoid immortal stale facts')
+}
+if (lifecycle.supersedes_required === true && (!Array.isArray(diff.supersedes) || diff.supersedes.length === 0)) {
+  errors.push('lifecycle.supersedes_required is true but proposed_diff.supersedes is empty')
+}
+
+const visibility = receipt.injection_visibility || {}
+if (visibility.next_session_visible !== true) {
+  errors.push('injection_visibility.next_session_visible must be true so future agents can see what memory was injected')
+}
+if (!visibility.preview_path || typeof visibility.preview_path !== 'string') {
+  warnings.push('injection_visibility.preview_path is recommended for human review')
+}
+
+const privacy = receipt.privacy || {}
+for (const key of ['raw_memory_text_logged', 'raw_prompts_logged', 'raw_tool_output_logged', 'secrets_logged']) {
+  if (privacy[key] !== false) {
+    errors.push(`privacy.${key} must be false for this gate`)
+  }
+}
+
+const result = {
+  ok: errors.length === 0,
+  file,
+  update_id: receipt.update_id,
+  run_id: receipt.run_id,
+  scope: scope.kind && scope.id ? `${scope.kind}:${scope.id}` : undefined,
+  write_status: policy.status,
+  errors,
+  warnings
+}
+
+console.log(JSON.stringify(result, null, 2))
+process.exit(result.ok ? 0 : 1)

package/examples/memory-write-policy/quarantined-memory-update.json

@@ -0,0 +1,43 @@
+{
+  "type": "agent.memory_update_receipt.v1",
+  "update_id": "memupd_2026_06_01_002",
+  "run_id": "agent_run_8743",
+  "source": {
+    "kind": "claude-code-session",
+    "ref": "repo:acme/shop#debug-chat",
+    "content_hash": "sha256:6d4fa2a2114f83fd8bd9d6eb3c632ff6f20252f978bc9deec0b9d85694e02d4b"
+  },
+  "scope": {
+    "kind": "user",
+    "id": "developer-laptop"
+  },
+  "proposed_diff": {
+    "adds": [
+      {
+        "memory_ref": "memory:global:production-debug-shortcut",
+        "summary_hash": "sha256:5ee95af43fd2fb8b90908ef8cc4a5e6f050a8f52c97c7c93fd7f37bd1dcf3c2a",
+        "raw_text": "do not store raw memory bodies here"
+      }
+    ],
+    "updates": [],
+    "supersedes": [],
+    "expires": []
+  },
+  "write_policy": {
+    "status": "quarantined",
+    "policy_ref": "repo-memory-policy:v2",
+    "private_or_sensitive_detected": true
+  },
+  "lifecycle": {
+    "supersedes_required": false
+  },
+  "injection_visibility": {
+    "next_session_visible": false
+  },
+  "privacy": {
+    "raw_memory_text_logged": true,
+    "raw_prompts_logged": false,
+    "raw_tool_output_logged": false,
+    "secrets_logged": false
+  }
+}

package/examples/parallel-session-review-ledger/README.md

@@ -0,0 +1,13 @@
+# Parallel session review ledger example
+
+This example is a copyable receipt for teams running multiple agent sessions at once. It is designed for the review bottleneck: deciding whether each session can be trusted, continued, or rejected without reading an entire transcript.
+
+```bash
+node examples/parallel-session-review-ledger/check-parallel-session-review-ledger.mjs examples/parallel-session-review-ledger/parallel-session-review-ledger.json
+```
+
+Expected output:
+
+```text
+parallel session review ledger ok: 3 sessions checked
+```

package/examples/parallel-session-review-ledger/check-parallel-session-review-ledger.mjs

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+
+const file = process.argv[2] || path.join('examples', 'parallel-session-review-ledger', 'parallel-session-review-ledger.json');
+const receipt = JSON.parse(fs.readFileSync(file, 'utf8'));
+const errors = [];
+
+const allowedStates = new Set(['complete', 'partial', 'blocked', 'unsafe_to_resume']);
+const allowedNextActions = new Set([
+  'review_diff',
+  'run_missing_check',
+  'continue_same_scope',
+  'ask_human',
+  'stop_manual_review'
+]);
+
+function add(condition, message) {
+  if (!condition) errors.push(message);
+}
+
+function globPrefix(pattern) {
+  return pattern.replace(/\*\*.*$/, '').replace(/\*.*$/, '');
+}
+
+add(receipt.schema === 'pluribus.parallel_session_review_ledger.v1', 'schema must be pluribus.parallel_session_review_ledger.v1');
+add(Array.isArray(receipt.sessions) && receipt.sessions.length > 0, 'sessions must be a non-empty array');
+
+for (const session of receipt.sessions || []) {
+  const label = session.id || '<missing-id>';
+  add(Boolean(session.id), 'session id is required');
+  add(Boolean(session.assignment), `${label}: assignment is required`);
+  add(Boolean(session.branch), `${label}: branch is required`);
+  add(Boolean(session.allowed_scope), `${label}: allowed_scope is required`);
+  add(Array.isArray(session.allowed_scope?.files) && session.allowed_scope.files.length > 0, `${label}: allowed_scope.files must be non-empty`);
+  add(allowedStates.has(session.state), `${label}: invalid state ${session.state}`);
+  add(allowedNextActions.has(session.safe_next_action), `${label}: invalid safe_next_action ${session.safe_next_action}`);
+
+  const evidence = session.evidence || [];
+  const missingChecks = session.missing_checks || [];
+  const privacyFlags = session.privacy_flags || [];
+
+  if (session.state === 'complete') {
+    add(evidence.length > 0, `${label}: complete sessions need evidence`);
+    add(missingChecks.length === 0, `${label}: complete sessions cannot have missing_checks`);
+    add(privacyFlags.length === 0, `${label}: complete sessions cannot have privacy_flags`);
+  }
+
+  if (session.state === 'partial') {
+    add(missingChecks.length > 0, `${label}: partial sessions must name missing_checks`);
+  }
+
+  if (session.state === 'unsafe_to_resume') {
+    add(session.safe_next_action === 'stop_manual_review', `${label}: unsafe_to_resume must use stop_manual_review`);
+  }
+
+  const allowedPrefixes = (session.allowed_scope?.files || []).map(globPrefix);
+  for (const touched of session.touched_files || []) {
+    add(allowedPrefixes.some((prefix) => touched.startsWith(prefix)), `${label}: touched file outside allowed scope: ${touched}`);
+  }
+}
+
+if (errors.length > 0) {
+  console.error('parallel session review ledger invalid:');
+  for (const error of errors) console.error(`- ${error}`);
+  process.exit(1);
+}
+
+console.log(`parallel session review ledger ok: ${receipt.sessions.length} sessions checked`);

package/examples/parallel-session-review-ledger/parallel-session-review-ledger.json

@@ -0,0 +1,72 @@
+{
+  "schema": "pluribus.parallel_session_review_ledger.v1",
+  "generated_at": "2026-06-04T19:00:00Z",
+  "run": {
+    "orchestrator": "human",
+    "repo": "redacted-service",
+    "coordination_mode": "parallel_sessions"
+  },
+  "sessions": [
+    {
+      "id": "session-a",
+      "agent": "claude-code",
+      "assignment": "update validation for billing webhook retries",
+      "branch": "agent/billing-webhook-retry-validation",
+      "allowed_scope": {
+        "files": ["src/billing/**", "test/billing/**"],
+        "commands": ["npm test -- --test-name-pattern=billing"],
+        "network": "none"
+      },
+      "touched_files": ["src/billing/retries.js", "test/billing/retries.test.js"],
+      "agent_claim": "added retry validation and regression coverage",
+      "evidence": [
+        { "type": "commit", "ref": "abc1234" },
+        { "type": "test", "name": "billing retry validation", "status": "passed" }
+      ],
+      "missing_checks": [],
+      "privacy_flags": [],
+      "state": "complete",
+      "safe_next_action": "review_diff"
+    },
+    {
+      "id": "session-b",
+      "agent": "cursor-agent",
+      "assignment": "draft migration notes for webhook retry config",
+      "branch": "agent/retry-config-notes",
+      "allowed_scope": {
+        "files": ["docs/**"],
+        "commands": ["npm test -- --test-name-pattern=docs"],
+        "network": "none"
+      },
+      "touched_files": ["docs/webhook-retry-config.md"],
+      "agent_claim": "documented retry config and rollback notes",
+      "evidence": [
+        { "type": "diff", "ref": "docs-only" }
+      ],
+      "missing_checks": ["link-check docs/webhook-retry-config.md"],
+      "privacy_flags": [],
+      "state": "partial",
+      "safe_next_action": "run_missing_check"
+    },
+    {
+      "id": "session-c",
+      "agent": "codex-cli",
+      "assignment": "investigate retry metrics regression",
+      "branch": "agent/retry-metrics-investigation",
+      "allowed_scope": {
+        "files": ["src/metrics/**", "test/metrics/**"],
+        "commands": ["npm test -- --test-name-pattern=metrics"],
+        "network": "none"
+      },
+      "touched_files": ["src/metrics/retry-metrics.js"],
+      "agent_claim": "found possible metrics label mismatch, not fixed",
+      "evidence": [
+        { "type": "note", "ref": "suspected-label-mismatch" }
+      ],
+      "missing_checks": ["confirm label contract with owner"],
+      "privacy_flags": ["scope_expanded_without_approval"],
+      "state": "unsafe_to_resume",
+      "safe_next_action": "stop_manual_review"
+    }
+  ]
+}

package/examples/phase-boundary-contract/README.md

@@ -0,0 +1,23 @@
+# Phase-boundary contract example
+
+This example is for multi-model coding workflows where one phase plans, another phase applies, and another verifies. It records the exact handoff boundary without storing prompts, transcripts, raw source, secrets, or full command output.
+
+Run:
+
+```bash
+node check-phase-boundary.mjs phase-boundary-contract.json
+```
+
+Expected output:
+
+```text
+phase-boundary contract ok: checkout-refactor-2026-06-03 apply->verify
+```
+
+Use the shape as a small gate before moving from Apply to Verify:
+
+- approved plan/task refs and hashes entered the phase;
+- output artifact hash exists;
+- changed file-set hash and tests are present;
+- open risks are explicit;
+- stale exploration transcript or rejected designs are intentionally dropped.

package/examples/phase-boundary-contract/check-phase-boundary.mjs

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+
+const file = process.argv[2] || 'phase-boundary-contract.json';
+const contract = JSON.parse(fs.readFileSync(file, 'utf8'));
+const errors = [];
+
+const phases = ['explore', 'propose', 'spec', 'design', 'tasks', 'apply', 'verify'];
+const hashRe = /^sha256:[a-f0-9]{64}$/;
+const unsafeRefRe = /(^\/|\.\.|[A-Za-z]:\\|secret|token|password|private_key)/i;
+const requiredGateKeys = ['changed_files', 'tests_run', 'open_risks', 'stop_conditions'];
+
+function expect(condition, message) {
+  if (!condition) errors.push(message);
+}
+
+expect(contract.schema === 'pluribus.phase-boundary-contract.v1', 'schema must be pluribus.phase-boundary-contract.v1');
+expect(typeof contract.workflowId === 'string' && contract.workflowId.length >= 6, 'workflowId is required');
+expect(phases.includes(contract.currentPhase), 'currentPhase must be a known phase');
+expect(phases.includes(contract.nextPhase), 'nextPhase must be a known phase');
+expect(contract.currentPhase !== contract.nextPhase, 'currentPhase and nextPhase must differ');
+
+expect(Array.isArray(contract.allowedInput) && contract.allowedInput.length > 0, 'allowedInput must list at least one source');
+for (const [index, input] of (contract.allowedInput || []).entries()) {
+  expect(typeof input.kind === 'string' && input.kind.length > 0, `allowedInput[${index}].kind is required`);
+  expect(typeof input.ref === 'string' && !unsafeRefRe.test(input.ref), `allowedInput[${index}].ref must be a non-secret relative/logical ref`);
+  expect(hashRe.test(input.contentHash || ''), `allowedInput[${index}].contentHash must be sha256:<64 hex>`);
+}
+
+expect(contract.outputArtifact && typeof contract.outputArtifact.kind === 'string', 'outputArtifact.kind is required');
+expect(contract.outputArtifact && typeof contract.outputArtifact.ref === 'string' && !unsafeRefRe.test(contract.outputArtifact.ref), 'outputArtifact.ref must be a non-secret logical ref');
+expect(contract.outputArtifact && hashRe.test(contract.outputArtifact.contentHash || ''), 'outputArtifact.contentHash must be sha256:<64 hex>');
+
+const gate = contract.evidenceGate || {};
+expect(gate.status === 'pass' || gate.status === 'needs_review' || gate.status === 'fail', 'evidenceGate.status must be pass, needs_review, or fail');
+expect(Array.isArray(gate.requiredBeforeNextPhase), 'evidenceGate.requiredBeforeNextPhase must be an array');
+for (const key of requiredGateKeys) {
+  expect((gate.requiredBeforeNextPhase || []).includes(key), `evidenceGate.requiredBeforeNextPhase must include ${key}`);
+}
+expect(gate.changedFiles && Number.isInteger(gate.changedFiles.count) && gate.changedFiles.count >= 0, 'evidenceGate.changedFiles.count is required');
+expect(gate.changedFiles && hashRe.test(gate.changedFiles.fileSetHash || ''), 'evidenceGate.changedFiles.fileSetHash must be sha256:<64 hex>');
+expect(Array.isArray(gate.testsRun), 'evidenceGate.testsRun must be an array');
+for (const [index, test] of (gate.testsRun || []).entries()) {
+  expect(typeof test.name === 'string' && test.name.length > 0, `testsRun[${index}].name is required`);
+  expect(hashRe.test(test.commandHash || ''), `testsRun[${index}].commandHash must be sha256:<64 hex>`);
+  expect(['pass', 'fail', 'skipped'].includes(test.status), `testsRun[${index}].status must be pass/fail/skipped`);
+}
+expect(Array.isArray(gate.openRisks), 'evidenceGate.openRisks must be an array');
+for (const [index, risk] of (gate.openRisks || []).entries()) {
+  expect(typeof risk.riskClass === 'string' && risk.riskClass.length > 0, `openRisks[${index}].riskClass is required`);
+  expect(['low', 'medium', 'high'].includes(risk.severity), `openRisks[${index}].severity must be low/medium/high`);
+  expect(typeof risk.safeToContinue === 'boolean', `openRisks[${index}].safeToContinue must be boolean`);
+}
+
+expect(Array.isArray(contract.droppedContext), 'droppedContext must be an array');
+for (const [index, dropped] of (contract.droppedContext || []).entries()) {
+  expect(typeof dropped.kind === 'string' && dropped.kind.length > 0, `droppedContext[${index}].kind is required`);
+  expect(typeof dropped.reason === 'string' && dropped.reason.length > 0, `droppedContext[${index}].reason is required`);
+}
+expect(Array.isArray(contract.stopConditions), 'stopConditions must be an array');
+
+if (gate.status === 'pass') {
+  expect((contract.stopConditions || []).length === 0, 'pass contracts must not have active stopConditions');
+  expect((gate.openRisks || []).every((risk) => risk.safeToContinue), 'pass contracts require all open risks to be safeToContinue');
+}
+
+if (errors.length) {
+  console.error(`phase-boundary contract failed (${errors.length}):`);
+  for (const error of errors) console.error(`- ${error}`);
+  process.exit(1);
+}
+
+console.log(`phase-boundary contract ok: ${contract.workflowId} ${contract.currentPhase}->${contract.nextPhase}`);

package/examples/phase-boundary-contract/phase-boundary-contract.json

@@ -0,0 +1,68 @@
+{
+  "schema": "pluribus.phase-boundary-contract.v1",
+  "workflowId": "checkout-refactor-2026-06-03",
+  "currentPhase": "apply",
+  "nextPhase": "verify",
+  "allowedInput": [
+    {
+      "kind": "approved_plan",
+      "ref": "plans/checkout-refactor.md",
+      "contentHash": "sha256:0b70d75d6c8f0e54c74e1d7ea90e7c7b3d83e15dd3a3f7b4b9e9e73339d2b22e",
+      "required": true
+    },
+    {
+      "kind": "task_list",
+      "ref": "tasks/checkout-refactor.md#apply",
+      "contentHash": "sha256:63ccf4555f0adbe64bbff5a8f7c4b24708fdb2b5e4d0e417a5cb057b9ed39a76",
+      "required": true
+    }
+  ],
+  "outputArtifact": {
+    "kind": "patch",
+    "ref": "git:working-tree",
+    "contentHash": "sha256:3f9d6216dc7dcb53e6f29ad23433de97f0c172be6a6f46d574aa67e0edfd0789"
+  },
+  "evidenceGate": {
+    "requiredBeforeNextPhase": [
+      "changed_files",
+      "tests_run",
+      "open_risks",
+      "stop_conditions"
+    ],
+    "status": "pass",
+    "changedFiles": {
+      "count": 4,
+      "fileSetHash": "sha256:5f6c8b62349d527cd2e24c6913b8c5f0af8775be1a836bf942853c39efc11f91"
+    },
+    "testsRun": [
+      {
+        "name": "unit-tests",
+        "commandHash": "sha256:1f2cc9d3f4ce8cb118198c7da4d6951de2f21485af126eb1a0fe5f1d7e0139de",
+        "status": "pass"
+      },
+      {
+        "name": "typecheck",
+        "commandHash": "sha256:54d29f16fd215f74b4c03da61e37e71918f2e5c8db454a76f5f582b76471cb13",
+        "status": "pass"
+      }
+    ],
+    "openRisks": [
+      {
+        "riskClass": "manual_browser_flow_not_verified",
+        "severity": "medium",
+        "safeToContinue": true
+      }
+    ]
+  },
+  "droppedContext": [
+    {
+      "kind": "exploration_transcript",
+      "reason": "not authoritative after approved plan"
+    },
+    {
+      "kind": "rejected_design_option",
+      "reason": "kept as citation only; not input to verify phase"
+    }
+  ],
+  "stopConditions": []
+}

package/examples/skill-install-receipts/README.md

@@ -0,0 +1,31 @@
+# Skill install/load receipt example
+
+This example is for setup tools that install Skills across multiple agents and then need to prove whether each target can discover/load the installed resource before the first real session.
+
+It complements:
+
+- `examples/install-plan-receipts/` — pre-write plan proof (`writes_started=false`);
+- `examples/loaded-resource-boundary/` — runtime proof that an existing resource crossed discovery/attachment/injection/readability stages.
+
+## Smoke test
+
+```bash
+node examples/skill-install-receipts/check-skill-install-receipt.mjs \
+  examples/skill-install-receipts/skill-install-receipt.json
+```
+
+Expected output:
+
+```text
+skill install receipt ok: 3 targets checked
+```
+
+## Review checklist
+
+A useful receipt should answer:
+
+- What installer/source ref was used, without credentials?
+- Which agent targets and scopes were touched?
+- Which targets were installed, skipped, discovered, deferred, injected, or readable?
+- Was any required target unsafe before the first session?
+- Did the receipt avoid raw skill bodies, prompts, transcripts, env dumps, secrets, and private paths?

package/examples/skill-install-receipts/check-skill-install-receipt.mjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+
+const file = process.argv[2] || new URL('./skill-install-receipt.json', import.meta.url);
+const receipt = JSON.parse(fs.readFileSync(file, 'utf8'));
+
+const allowedInstall = new Set(['installed', 'skipped', 'failed']);
+const allowedDiscovery = new Set(['discovered', 'not_discovered', 'not_tested', 'failed']);
+const allowedLoad = new Set(['injected', 'readable', 'activation_required', 'deferred', 'not_tested', 'failed']);
+const allowedCost = new Set(['0-1k', '1k-5k', '5k-20k', 'over_budget', 'unknown']);
+const requiredPrivacy = [
+  'raw_skill_body',
+  'raw_prompt',
+  'transcript',
+  'secrets',
+  'env_dump',
+  'private_absolute_path'
+];
+
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+
+assert(receipt.receipt_type === 'agent.skill_install_receipt.v1', 'unexpected receipt_type');
+assert(receipt.run_id, 'missing run_id');
+assert(receipt.installer?.name, 'missing installer.name');
+assert(receipt.installer?.source?.kind, 'missing installer.source.kind');
+assert(receipt.installer?.source?.ref, 'missing installer.source.ref');
+assert(receipt.installer.source.credentials_in_ref === false, 'source ref must not carry credentials');
+assert(Array.isArray(receipt.targets) && receipt.targets.length > 0, 'targets must be a non-empty array');
+assert(Array.isArray(receipt.privacy_exclusions), 'missing privacy_exclusions');
+
+for (const item of requiredPrivacy) {
+  assert(receipt.privacy_exclusions.includes(item), `privacy_exclusions must include ${item}`);
+}
+
+let computedOverallSafe = true;
+for (const [index, target] of receipt.targets.entries()) {
+  assert(target.agent, `targets[${index}].agent missing`);
+  assert(['project', 'global', 'workspace', 'unknown'].includes(target.scope), `targets[${index}].scope invalid`);
+  assert(typeof target.required === 'boolean', `targets[${index}].required must be boolean`);
+  assert(allowedInstall.has(target.install_status), `targets[${index}].install_status invalid`);
+  assert(allowedDiscovery.has(target.discovery_status), `targets[${index}].discovery_status invalid`);
+  assert(allowedLoad.has(target.load_status), `targets[${index}].load_status invalid`);
+  assert(allowedCost.has(target.context_cost_bucket), `targets[${index}].context_cost_bucket invalid`);
+  assert(typeof target.safe_to_start_session === 'boolean', `targets[${index}].safe_to_start_session must be boolean`);
+
+  if (target.evidence) {
+    assert(target.evidence.raw_body_logged === false, `targets[${index}] must not log raw skill body`);
+  }
+
+  const requiredTargetUnsafe = target.required && (
+    target.install_status !== 'installed' ||
+    target.discovery_status !== 'discovered' ||
+    target.load_status === 'failed' ||
+    target.load_status === 'not_tested' ||
+    target.context_cost_bucket === 'over_budget' ||
+    target.safe_to_start_session !== true
+  );
+
+  if (requiredTargetUnsafe) {
+    computedOverallSafe = false;
+  }
+}
+
+assert(receipt.overall_safe_to_start_session === computedOverallSafe, 'overall_safe_to_start_session does not match required target safety');
+
+const serialized = JSON.stringify(receipt).toLowerCase();
+for (const forbidden of ['private_key', 'api_key=', 'ghp_', 'github_pat_', 'npm_', 'bearer ']) {
+  assert(!serialized.includes(forbidden), `receipt appears to include secret marker: ${forbidden}`);
+}
+
+console.log(`skill install receipt ok: ${receipt.targets.length} targets checked`);