projscan 4.14.0 → 4.15.0

package/README.md

@@ -101,19 +101,25 @@ Success criteria: the agent can name the files to read first, the likely files t
 ```bash
 projscan start --intent "is my agent allowed to change billing retry logic?"
 projscan prove --intent "is my agent allowed to change billing retry logic?" --save-contract .projscan/proof-contract.json
+# Make the bounded edit, then run the proof command.
 projscan prove --run -- npm test -- tests/billing/retry.test.ts
 projscan prove --changed --contract .projscan/proof-contract.json --format markdown
 ```
 
-The path is `start -> prove -> run -> changed`. `start` chooses the contract workflow. `prove --intent` writes the contract only when `--save-contract` is present. `prove --run -- <command...>` executes a local proof command, records the exit code, captures a redacted log, and fingerprints the current changed files. `prove --record-command` remains available for imported CI or external evidence when projscan did not run the command. `prove --changed` checks the current working tree against the contract and local ledger.
+The command path is `start -> prove -> run -> changed`. Make the bounded edit after the contract exists and before `prove --run`. `start` chooses the contract workflow. `prove --intent` writes `.projscan/proof-contract.json` only when `--save-contract` is present. `prove --run -- <command...>` executes a local proof command, records the exit code, captures a redacted log, and fingerprints the current changed files. `prove --record-command` remains available for imported CI or external evidence when projscan did not run the command. `prove --changed` checks the current working tree against the contract and local ledger.
 
-You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, and reviewer guidance. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. It also reports proof replay status, risk delta, commit readiness, and a reviewer checklist.
+You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, reviewer guidance, and `proofRequirements` for each risk surface. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. The receipt reports proof replay status, Proof Sufficiency, risk delta, commit readiness, and a reviewer checklist.
 
-Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, log path, and source in `.projscan/proof-ledger.jsonl`. Executed proof logs stay under `.projscan/proof-logs/`. `prove --changed` marks proof as passed, missing, failed, partial, or stale. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
+Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, log path, and source in `.projscan/proof-ledger.jsonl`. Executed proof logs stay under `.projscan/proof-logs/`. `prove --changed` marks proof as passed, missing, failed, partial, or stale. The receipt JSON includes `proofReplay` with a replay timeline, `changedAfterProof`, replay command, and local receipt fingerprint. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
 
-Every `prove` report includes `verifiedWorkflow`, a compact JSON summary for agents and MCP clients. It names the phase, next action, next command, scope status, proof status, risk delta direction, reviewer decision, and stale/missing/failed proof flags.
+Proof Sufficiency estimates whether the local ledger covers each changed surface. `proofSufficiency` marks rows as strong, adequate, weak, missing, stale, or failed, then lists the exact gaps reviewers need to resolve.
 
-Success criteria: the reviewer sees whether the agent stayed inside the contract, whether the right proof ran, and whether that proof is still fresh.
+Team Proof Recipes let a repo encode required proof for sensitive paths in `proofRecipes`; when a matching recipe is configured, `prove --intent` adds that recipe's commands, reviewers, and forbidden files to the Proof Contract. `prove --changed` and `projscan evidence-pack --pr-comment` then show missing recipe proof, required reviewers, and recipe drift in the Proof Receipt. The recipe does not run proof commands by itself; use `prove --run -- <command...>` or `prove --record-command` to add evidence to the local ledger.
+Saved contracts are the source of truth for `prove --changed`; update the contract when a team recipe changes.
+
+Every `prove` report includes `verifiedWorkflow`, a compact JSON summary for agents and MCP clients. It names the phase, next action, next command, scope status, proof status, proof sufficiency status, risk delta direction, reviewer decision, and stale/missing/failed proof flags.
+
+Success criteria: the reviewer sees scope, proof execution, proof freshness, and sufficiency for the changed risk surface.
 
 ### Before handoff or commit
 
@@ -124,7 +130,7 @@ projscan preflight --mode before_commit --format json
 projscan evidence-pack --pr-comment
 ```
 
-You get the changed-file risk, one or two trusted next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use `projscan bug-hunt --format json` when you want the raw fix queue behind the assessment.
+You get changed-file risk, one or two ranked next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use `projscan bug-hunt --format json` when you want the raw fix queue behind the assessment.
 
 Success criteria: the reviewer sees the top fix, the remaining proof, and any manual sign-off gate without reading the full scan output.
 
@@ -197,15 +203,15 @@ npm run docs:screenshots
 npm run docs:demos
 ```
 
-## 4.14.0 Notes
+## 4.15.0 Notes
 
-4.14.0 ships the Verified Change Workflow and Executed Proof Runner:
+4.15.0 strengthens the proof-first change loop:
 
 - `projscan prove --intent "<change>"` creates a local Proof Contract before
   editing. It names allowed files, forbidden files, risky contracts, likely
   tests, missing regression-test evidence, proof commands, rollback, confidence,
-  Trust Memory signals, evidence gaps, and reviewer guidance. Noisy feedback or
-  missing-signal feedback lowers the confidence reason instead of hiding it.
+  Trust Memory signals, evidence gaps, reviewer guidance, and
+  `proofRequirements` for each risk surface.
 - `projscan start --intent "is my agent allowed to change billing retry logic?"`
   routes directly to `projscan prove`, so agent-permission prompts start with a
   bounded contract instead of a broad checklist.
@@ -218,22 +224,51 @@ npm run docs:demos
   classes separate allowed production edits, expected tests, documentation,
   generated proof artifacts, config/security drift, forbidden touches, and
   unexpected production changes before giving a copyable reviewer decision.
+  The receipt also includes `proofReplay` with replay status, timeline events,
+  `changedAfterProof`, replay command, and receipt fingerprint. Proof
+  Sufficiency shows whether each `proofRequirements` row has strong, adequate,
+  weak, missing, stale, or failed proof.
+- Team Proof Recipes let a repo add path-matched `proofRecipes` to
+  `.projscanrc.json`. Matching recipes add required commands, reviewers, and
+  forbidden drift to the Proof Contract and Proof Receipt.
 - `projscan prove --record-command "<command>" --exit-code <code>` appends a
   local Proof Ledger row with command, duration, changed-file fingerprint,
   redacted output summary, and optional log path when importing proof from CI or
-  another trusted runner.
+  another runner.
 - Every `prove` JSON report includes `verifiedWorkflow`, so agents can read the
-  next action, next command, scope status, proof status, reviewer decision, and
-  stale/missing/failed proof flags without parsing Markdown.
+  next action, next command, scope status, proof status, `proofSufficiency`
+  status, reviewer decision, and stale/missing/failed proof flags without
+  parsing Markdown.
 - Saved Mission Control bundles append Proof Ledger rows while `mission.sh`
   runs the existing proof queue. The script still writes proof logs and status
   JSONL for humans.
 - `projscan evidence-pack --pr-comment` includes the latest Proof Receipt
   summary when a contract and ledger are available, so PR comments show proof
-  status, reviewer decision, scope, stale proof, failed proof, and the replay
-  command.
+  status, proof replay, reviewer decision, scope, stale proof, failed proof,
+  proof sufficiency, recipe gaps, required reviewers, changed-after-proof files,
+  receipt fingerprint, and the replay command.
+- Proof artifacts are harder to spoof: Proof Contract and Proof Ledger reads
+  reject symlink escapes, proof logs redact more standalone token/key shapes,
+  and generated mission scripts reject shell control syntax before running.
+- The codebase behind the proof workflow is smaller and easier to review:
+  source hotspots in Mission Control, bug-hunt, quality-scorecard, workplan,
+  adoption, start-mode routing, and intent routing were split into focused
+  helpers with architecture tests.
 - MCP now includes `projscan_prove`, bringing the MCP surface to 48 tools.
 
+## 4.14.0 Notes
+
+4.14.0 ships the Verified Change Workflow and Executed Proof Runner:
+
+- `projscan prove --intent "<change>"` creates a local Proof Contract before
+  editing.
+- `projscan prove --run -- <command...>` executes an explicit local proof
+  command with shell execution disabled and writes a redacted Proof Ledger row.
+- `projscan prove --changed` emits a Proof Receipt for PRs, agents, and CI.
+- `projscan evidence-pack --pr-comment` includes the latest Proof Receipt
+  summary when a contract and ledger are available.
+- MCP includes `projscan_prove`, bringing the MCP surface to 48 tools.
+
 ## 4.12.1 Notes
 
 4.12.1 is the simulator precision patch for the Proof Cards V2 release:
@@ -264,7 +299,7 @@ npm run docs:demos
 
 - Added a dedicated Proof Cards screenshot for `projscan assess` and
   `projscan simulate`.
-- Regenerated README screenshots so public media shows the current 47-tool MCP
+- Regenerated README screenshots so public media showed the 47-tool MCP
   surface.
 - Updated website handoff guidance to use immutable `v4.11.1` media URLs.
 
@@ -333,7 +368,7 @@ npx -y projscan mcp --watch
 | `projscan assess`         | proof-first assessment with Proof Cards, risk delta, and fix-first guidance |
 | `projscan simulate`       | risk delta simulator for a proposed change plan before editing              |
 | `projscan prove`          | executable Proof Contracts, Verified Workflow JSON, and Proof Receipts      |
-| `projscan evidence-pack`  | PR-ready proof with risks, owners, and next commands                        |
+| `projscan evidence-pack`  | review evidence with risks, owners, proof receipts, and next commands       |
 | `projscan bug-hunt`       | ranked fix queue from health, hotspots, session, and preflight evidence     |
 | `projscan workplan`       | ordered agent tasks with proof and handoff text                             |
 | `projscan doctor`         | project health, tooling gaps, dead code, and supply-chain signals           |
@@ -400,6 +435,15 @@ Create a `.projscanrc.json` when repo defaults should live in source control:
   "severityOverrides": {
     "missing-prettier": "info"
   },
+  "proofRecipes": [
+    {
+      "id": "billing-critical",
+      "matches": ["src/billing/**"],
+      "requiredCommands": ["npm test -- tests/billing/retry.test.ts"],
+      "requiredReviewers": ["@platform"],
+      "forbiddenFiles": ["src/auth/**"]
+    }
+  ],
   "reportPolicies": {
     "apiEvidence": {
       "reportScope": ["src/api", "packages/backend"],
@@ -416,6 +460,12 @@ the rule everywhere. For one line, add an inline directive next to the value:
 const firebaseKey = 'AIza...'; // projscan-ignore-line hardcoded-secret -- Firebase web keys are public identifiers
 ```
 
+Use `proofRecipes` when a path needs team-specific proof; when a matching recipe
+is configured, `projscan prove` adds its proof commands, reviewers, and forbidden
+files to the contract and receipt. It does not run proof commands by itself.
+Recipes without `requiredCommands` are skipped, and duplicate recipe IDs keep the
+first valid recipe.
+
 Config docs live in [docs/GUIDE.md](docs/GUIDE.md#configuration-projscanrc).
 
 ## CI
@@ -491,7 +541,7 @@ Plugin docs:
 
 ## Supported Repos
 
-projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, C, and C++ with AST-aware adapters where available. It also detects file-level signals for Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
+projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++ with AST-aware adapters where available. It also detects file-level signals for C, Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
 
 Framework signals cover React, Next.js, Vue, Nuxt, Svelte, Angular, Express, Fastify, NestJS, Vite, Tailwind CSS, Prisma, Remix, SvelteKit, Astro, Hono, Koa, and common monorepo layouts.
 
@@ -507,7 +557,7 @@ JavaScript and TypeScript use `@babel/parser`. Non-JS languages use packaged tre
 | Network      | `audit`, registry checks, opt-in telemetry, and optional semantic model download can contact the network.                                      |
 | Telemetry    | Off until you run `projscan telemetry enable` or accept the `init team` prompt.                                                                |
 | Plugins      | Local plugin code runs after `PROJSCAN_PLUGINS_PREVIEW=1` and an execution path such as `doctor`, `ci`, `analyze`, or `plugin test --execute`. |
-| Repo writes  | Source writes require explicit fix commands. Cache and mission proof files stay under local projscan directories.                              |
+| Repo writes  | Source writes require explicit fix commands. Caches, saved missions, Proof Contracts, Proof Ledger rows, and proof logs stay under `.projscan*` local directories. |
 
 Audit helpers:
 
@@ -522,7 +572,7 @@ Supply-chain scanners may flag package strings or APIs used by `git`, `npm audit
 
 ## Install Notes
 
-`projscan@4.14.0` has seven direct runtime dependencies:
+`projscan@4.15.0` has seven direct runtime dependencies:
 
 - `@babel/parser`
 - `@babel/types`
@@ -532,7 +582,7 @@ Supply-chain scanners may flag package strings or APIs used by `git`, `npm audit
 - `ora`
 - `web-tree-sitter`
 
-If npm prints `allow-scripts` warnings during a global install, check which package names it lists. projscan core does not need `node-gyp` grammar builds at runtime in 4.14.0. Open an issue with the warning text if npm reports install scripts from `projscan@latest`, or run `projscan feedback intake --text "<warning text>" --format json` to turn it into a focused setup-trust task.
+If npm prints `allow-scripts` warnings during a global install, check which package names it lists. projscan core does not need `node-gyp` grammar builds at runtime in 4.15.0. Open an issue with the warning text if npm reports install scripts from `projscan@latest`, or run `projscan feedback intake --text "<warning text>" --format json` to turn it into a focused setup-trust task.
 
 The grammar packages are build-time sources, not global-install dependencies. Published grammar assets include `tree-sitter-python.wasm` and `tree-sitter-c_sharp.wasm`.
 

package/dist/cli/commands/evidencePack.js

@@ -8,6 +8,7 @@ export function registerEvidencePack() {
         .option('--line <line>', 'product line to include, repeatable (default: next six minor lines)', collectLine, [])
         .option('--website-prompt', 'include website-update prompt text')
         .option('--pr-comment', 'print a GitHub PR comment markdown artifact')
+        .option('--base-ref <ref>', 'explicit git base ref for review evidence')
         .option('--max-findings <count>', 'maximum bug-hunt findings to include', parsePositiveInt)
         .action(async (cmdOpts) => {
         setupLogLevel();
@@ -18,6 +19,7 @@ export function registerEvidencePack() {
                 lines: cmdOpts.line,
                 includeWebsitePrompt: cmdOpts.websitePrompt === true,
                 includePrComment: cmdOpts.prComment === true,
+                baseRef: cmdOpts.baseRef,
                 maxFindings: cmdOpts.maxFindings,
             });
             if (format === 'json') {

package/dist/cli/commands/evidencePack.js.map

@@ -1 +1 @@
-{"version":3,"file":"evidencePack.js","sourceRoot":"","sources":["../../../src/cli/commands/evidencePack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,kBAAkB,EAClB,OAAO,EACP,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAGpE,MAAM,UAAU,oBAAoB;IAClC,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CACV,6FAA6F,CAC9F;SACA,MAAM,CACL,eAAe,EACf,qEAAqE,EACrE,WAAW,EACX,EAAE,CACH;SACA,MAAM,CAAC,kBAAkB,EAAE,oCAAoC,CAAC;SAChE,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;SACrE,MAAM,CAAC,wBAAwB,EAAE,sCAAsC,EAAE,gBAAgB,CAAC;SAC1F,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,aAAa,EAAE,CAAC;QAChB,kBAAkB,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,EAAE;gBACtD,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,oBAAoB,EAAE,OAAO,CAAC,aAAa,KAAK,IAAI;gBACpD,gBAAgB,EAAE,OAAO,CAAC,SAAS,KAAK,IAAI;gBAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC,CAAC;YAEH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YACD,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,QAAkB;IACpD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA0B;IACnD,MAAM,KAAK,GACT,MAAM,CAAC,OAAO,KAAK,SAAS;QAC1B,CAAC,CAAC,KAAK,CAAC,GAAG;QACX,CAAC,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS;YAC5B,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,kBAAkB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,cAAc,IAAI,SAAS,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAA8B;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"evidencePack.js","sourceRoot":"","sources":["../../../src/cli/commands/evidencePack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,kBAAkB,EAClB,OAAO,EACP,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAGpE,MAAM,UAAU,oBAAoB;IAClC,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CACV,6FAA6F,CAC9F;SACA,MAAM,CACL,eAAe,EACf,qEAAqE,EACrE,WAAW,EACX,EAAE,CACH;SACA,MAAM,CAAC,kBAAkB,EAAE,oCAAoC,CAAC;SAChE,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;SACrE,MAAM,CAAC,kBAAkB,EAAE,2CAA2C,CAAC;SACvE,MAAM,CAAC,wBAAwB,EAAE,sCAAsC,EAAE,gBAAgB,CAAC;SAC1F,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,aAAa,EAAE,CAAC;QAChB,kBAAkB,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,EAAE;gBACtD,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,oBAAoB,EAAE,OAAO,CAAC,aAAa,KAAK,IAAI;gBACpD,gBAAgB,EAAE,OAAO,CAAC,SAAS,KAAK,IAAI;gBAC5C,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC,CAAC;YAEH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YACD,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,QAAkB;IACpD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA0B;IACnD,MAAM,KAAK,GACT,MAAM,CAAC,OAAO,KAAK,SAAS;QAC1B,CAAC,CAAC,KAAK,CAAC,GAAG;QACX,CAAC,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS;YAC5B,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,kBAAkB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,cAAc,IAAI,SAAS,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAA8B;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cli/commands/prove.js

@@ -1,6 +1,7 @@
 import chalk from 'chalk';
-import { assertFormatSupported, getRootPath, maybeCompactBanner, program, setupLogLevel, } from '../_shared.js';
+import { assertFormatSupported, getRootPath, maybeCompactBanner, program, loadProjectConfig, setupLogLevel, } from '../_shared.js';
 import { computeProve } from '../../core/prove.js';
+import { escapeMarkdownText, markdownInlineCode, markdownInlineList, } from '../../core/markdownSafety.js';
 export function registerProve() {
     program
         .command('prove')
@@ -17,6 +18,7 @@ export function registerProve() {
         .option('--duration-ms <ms>', 'duration in milliseconds for --record-command', parseDurationMs)
         .option('--summary <text>', 'safe proof output summary for --record-command')
         .option('--log <path>', 'redacted proof log path for --record-command')
+        .option('--record-source <source>', 'source for --record-command evidence', parseProofLedgerSource)
         .option('--run', 'execute a local proof command supplied after -- and record the outcome')
         .option('--run-timeout-ms <ms>', 'timeout in milliseconds for --run commands', parseDurationMs)
         .option('--ledger <path>', 'proof ledger JSONL path')
@@ -40,6 +42,10 @@ export function registerProve() {
             if (cmdOpts.run && runArgs.length === 0) {
                 throw new Error('prove --run requires a command after --, for example: projscan prove --run -- npm test');
             }
+            if (cmdOpts.recordSource && !cmdOpts.recordCommand) {
+                throw new Error('prove --record-source requires --record-command');
+            }
+            const config = await loadProjectConfig();
             const report = await computeProve(getRootPath(), {
                 intent: cmdOpts.intent,
                 changed: Boolean(cmdOpts.changed),
@@ -54,8 +60,10 @@ export function registerProve() {
                 durationMs: cmdOpts.durationMs,
                 summary: cmdOpts.summary,
                 logPath: cmdOpts.log,
+                recordSource: cmdOpts.recordSource,
                 runCommand: cmdOpts.run ? runArgs : undefined,
                 runTimeoutMs: cmdOpts.runTimeoutMs,
+                proofRecipes: cmdOpts.changed ? undefined : config.proofRecipes,
             });
             if (format === 'json') {
                 console.log(JSON.stringify(report, null, 2));
@@ -116,6 +124,8 @@ function printContractConsole(contract) {
     printList(contract.proofCommands.slice(0, 8), 'No proof commands inferred');
 }
 function printReceiptConsole(receipt) {
+    const proofReplay = proofReplayForReceipt(receipt);
+    const proofSufficiency = proofSufficiencyForReceipt(receipt);
     console.log(chalk.bold('Scope Decision'));
     console.log(`- ${receipt.scope.status}`);
     console.log('');
@@ -135,10 +145,28 @@ function printReceiptConsole(receipt) {
     console.log('');
     console.log(chalk.bold('Proof Commands'));
     printList(receipt.proofStatus.commandsRequired.slice(0, 8), 'No proof commands required');
+    if (receipt.teamProofRecipes?.length) {
+        console.log('');
+        console.log(chalk.bold('Team Proof Recipes'));
+        for (const recipe of receipt.teamProofRecipes) {
+            const reviewers = recipe.requiredReviewers?.length ? recipe.requiredReviewers.join(', ') : 'none';
+            const drift = recipe.forbiddenTouched?.length ? recipe.forbiddenTouched.join(', ') : 'none';
+            console.log(`- ${recipe.id}: reviewers ${reviewers}; recipe drift ${drift}`);
+        }
+    }
     console.log('');
     console.log(chalk.bold('Proof Replay'));
-    console.log(`- status: ${receipt.proofStatus.status}`);
+    console.log(`- replay status: ${proofReplay.status}`);
+    console.log(`- proof status: ${receipt.proofStatus.status}`);
     console.log(`- reviewer decision: ${receipt.reviewerDecision}`);
+    console.log(`- changed after proof: ${inlineList(proofReplay.changedAfterProof)}`);
+    console.log(`- receipt fingerprint: ${proofReplay.receiptFingerprint}`);
+    console.log('');
+    console.log(chalk.bold('Proof Sufficiency'));
+    console.log(`- status: ${proofSufficiency.status}`);
+    for (const gap of proofSufficiency.gaps.slice(0, 3)) {
+        console.log(`- gap: ${gap}`);
+    }
 }
 export function renderProveMarkdown(report) {
     if (report.receipt)
@@ -153,24 +181,24 @@ function renderLedgerRecordMarkdown(report) {
         record?.source === 'prove-run' ? '# Projscan Executed Proof' : '# Projscan Recorded Proof',
         '',
         `- **Verdict:** ${report.verdict}`,
-        `- **Summary:** ${report.summary}`,
+        `- **Summary:** ${escapeMarkdownText(report.summary)}`,
     ];
     if (!record)
         return lines.join('\n');
     lines.push(`- **Source:** ${record.source}`);
     lines.push(`- **Status:** ${record.status}`);
-    lines.push(`- **Command:** \`${record.command}\``);
+    lines.push(`- **Command:** ${markdownInlineCode(record.command)}`);
     lines.push(`- **Exit code:** ${record.exitCode}`);
     lines.push(`- **Duration:** ${record.durationMs}ms`);
     lines.push(`- **Completed:** ${record.completedAt}`);
     lines.push(`- **Changed-file fingerprint:** ${record.changedFileFingerprint}`);
     if (record.logPath)
-        lines.push(`- **Log:** \`${record.logPath}\``);
+        lines.push(`- **Log:** ${markdownInlineCode(record.logPath)}`);
     lines.push('');
     pushVerifiedWorkflow(lines, report.verifiedWorkflow);
     lines.push('');
     lines.push('## Output Summary');
-    lines.push(record.outputSummary);
+    lines.push(escapeMarkdownText(record.outputSummary));
     lines.push('');
     lines.push('## Changed Files');
     pushList(lines, record.changedFiles, 'No changed files were fingerprinted.');
@@ -183,10 +211,10 @@ function renderContractMarkdown(report) {
     const contract = report.contract;
     const lines = ['# Projscan Proof Contract', ''];
     lines.push(`- **Verdict:** ${report.verdict}`);
-    lines.push(`- **Summary:** ${report.summary}`);
+    lines.push(`- **Summary:** ${escapeMarkdownText(report.summary)}`);
     if (!contract)
         return lines.join('\n');
-    lines.push(`- **Intent:** ${contract.intent}`);
+    lines.push(`- **Intent:** ${escapeMarkdownText(contract.intent)}`);
     lines.push(`- **Confidence:** ${contract.confidence}`);
     lines.push(`- **Evidence strength:** ${contract.evidenceStrength.level} (${contract.evidenceStrength.score})`);
     lines.push('');
@@ -208,13 +236,15 @@ function renderContractMarkdown(report) {
     pushCodeList(lines, contract.proofCommands);
     lines.push('');
     lines.push('## Reviewer Guidance');
-    lines.push(contract.reviewerGuidance);
+    lines.push(escapeMarkdownText(contract.reviewerGuidance));
     return lines.join('\n');
 }
 function renderReceiptMarkdown(report, receipt) {
+    const proofReplay = proofReplayForReceipt(receipt);
+    const proofSufficiency = proofSufficiencyForReceipt(receipt);
     const lines = ['# Projscan Proof Receipt', ''];
     lines.push(`- **Verdict:** ${report.verdict}`);
-    lines.push(`- **Summary:** ${receipt.summary}`);
+    lines.push(`- **Summary:** ${escapeMarkdownText(receipt.summary)}`);
     lines.push(`- **Commit readiness:** ${receipt.commitReadiness}`);
     lines.push(`- **Scope:** ${receipt.scope.status}`);
     lines.push(`- **Proof status:** ${receipt.proofStatus.status}`);
@@ -258,12 +288,34 @@ function renderReceiptMarkdown(report, receipt) {
     lines.push('## Proof Commands');
     pushCodeList(lines, receipt.proofStatus.commandsRequired);
     lines.push('');
+    lines.push('## Team Proof Recipes');
+    pushTeamProofRecipes(lines, receipt);
+    lines.push('');
     lines.push('## Proof Replay');
-    lines.push(`- **Proof status:** ${receipt.proofStatus.status}`);
+    lines.push(`- **replay status:** ${proofReplay.status}`);
+    lines.push(`- **summary:** ${escapeMarkdownText(proofReplay.summary)}`);
+    lines.push(`- **proof status:** ${receipt.proofStatus.status}`);
     lines.push(`- **Reviewer decision:** ${receipt.reviewerDecision}`);
-    lines.push(`- **Risk delta:** ${receipt.riskDeltaDirection} (${receipt.riskDelta.delta})`);
-    lines.push(`- **Commands required:** ${receipt.proofStatus.commandsRequired.length}`);
-    lines.push(`- **Commands recorded:** ${receipt.proofStatus.commandsRun.length}`);
+    lines.push(`- **risk delta:** ${receipt.riskDeltaDirection} (${receipt.riskDelta.delta})`);
+    lines.push(`- **commands required:** ${receipt.proofStatus.commandsRequired.length}`);
+    lines.push(`- **commands recorded:** ${receipt.proofStatus.commandsRun.length}`);
+    lines.push(`- **changed after proof:** ${markdownInlineList(proofReplay.changedAfterProof)}`);
+    lines.push(`- **replay command:** ${markdownInlineCode(proofReplay.replayCommand)}`);
+    lines.push(`- **receipt fingerprint:** ${markdownInlineCode(proofReplay.receiptFingerprint)}`);
+    lines.push('');
+    lines.push('### Replay Timeline');
+    pushReplayEvents(lines, proofReplay.events);
+    lines.push('');
+    lines.push('## Proof Sufficiency');
+    lines.push(`- **sufficiency status:** ${proofSufficiency.status}`);
+    lines.push(`- **summary:** ${escapeMarkdownText(proofSufficiency.summary)}`);
+    lines.push(`- **weak requirements:** ${proofSufficiency.weakRequirements.length}`);
+    lines.push(`- **missing requirements:** ${proofSufficiency.missingRequirements.length}`);
+    lines.push(`- **stale requirements:** ${proofSufficiency.staleRequirements.length}`);
+    lines.push(`- **failed requirements:** ${proofSufficiency.failedRequirements.length}`);
+    lines.push('');
+    lines.push('### Requirement Evidence');
+    pushRequirementEvidence(lines, proofSufficiency.requirements);
     lines.push('');
     lines.push('### Command Evidence');
     pushCommandEvidence(lines, receipt.proofStatus.commandEvidence);
@@ -281,7 +333,7 @@ function renderReceiptMarkdown(report, receipt) {
     pushList(lines, receipt.evidenceGaps, 'No evidence gaps reported.');
     lines.push('');
     lines.push('## Reviewer Guidance');
-    lines.push(receipt.reviewerGuidance);
+    lines.push(escapeMarkdownText(receipt.reviewerGuidance));
     lines.push('');
     lines.push('## Reviewer Checklist');
     lines.push('- [ ] Confirm unexpected production/config/security files are intentional or removed.');
@@ -297,12 +349,15 @@ function pushVerifiedWorkflow(lines, workflow) {
     lines.push('## Verified Workflow');
     lines.push(`- **phase:** ${workflow.phase}`);
     lines.push(`- **status:** ${workflow.status}`);
-    lines.push(`- **next action:** ${workflow.nextAction}`);
-    lines.push(`- **next command:** \`${workflow.nextCommand}\``);
+    lines.push(`- **next action:** ${escapeMarkdownText(workflow.nextAction)}`);
+    lines.push(`- **next command:** ${markdownInlineCode(workflow.nextCommand)}`);
     if (workflow.scopeStatus)
         lines.push(`- **scope:** ${workflow.scopeStatus}`);
     if (workflow.proofStatus)
         lines.push(`- **proof:** ${workflow.proofStatus}`);
+    if (workflow.proofSufficiencyStatus) {
+        lines.push(`- **proof sufficiency:** ${workflow.proofSufficiencyStatus}`);
+    }
     if (workflow.reviewerDecision)
         lines.push(`- **reviewer decision:** ${workflow.reviewerDecision}`);
     if (workflow.riskDeltaDirection)
@@ -325,7 +380,7 @@ function pushList(lines, values, empty) {
         return;
     }
     for (const value of values)
-        lines.push(`- ${value}`);
+        lines.push(`- ${escapeMarkdownText(value)}`);
 }
 function pushCodeList(lines, values) {
     if (values.length === 0) {
@@ -333,7 +388,37 @@ function pushCodeList(lines, values) {
         return;
     }
     for (const value of values)
-        lines.push(`- \`${value}\``);
+        lines.push(`- ${markdownInlineCode(value)}`);
+}
+function pushTeamProofRecipes(lines, receipt) {
+    const recipes = receipt.teamProofRecipes ?? [];
+    if (recipes.length === 0) {
+        lines.push('- No Team Proof Recipes matched this receipt.');
+        return;
+    }
+    for (const recipe of recipes) {
+        lines.push(`- **recipe:** ${markdownInlineCode(recipe.id)}`);
+        lines.push(`  - matched files: ${markdownInlineList(recipe.matchedFiles)}`);
+        lines.push(`  - required reviewers: ${markdownInlineList(recipe.requiredReviewers ?? [])}`);
+        lines.push(`  - recipe drift: ${markdownInlineList(recipe.forbiddenTouched ?? [])}`);
+        lines.push(`  - recipe proof gaps: ${markdownInlineList(recipeGapsForRecipe(recipe))}`);
+    }
+    if (receipt.requiredReviewers?.length) {
+        lines.push(`- **required reviewers:** ${markdownInlineList(receipt.requiredReviewers)}`);
+    }
+    if (receipt.recipeDrift?.length) {
+        lines.push(`- **recipe drift:** ${markdownInlineList(receipt.recipeDrift)}`);
+    }
+    if (receipt.recipeGaps?.length) {
+        lines.push(`- **recipe gaps:** ${markdownInlineList(receipt.recipeGaps)}`);
+    }
+}
+function recipeGapsForRecipe(recipe) {
+    return [
+        ...(recipe.missingCommands ?? []).map((command) => `missing: ${command}`),
+        ...(recipe.failedCommands ?? []).map((command) => `failed: ${command}`),
+        ...(recipe.staleCommands ?? []).map((command) => `stale: ${command}`),
+    ];
 }
 function pushCommandEvidence(lines, values) {
     if (values.length === 0) {
@@ -343,14 +428,72 @@ function pushCommandEvidence(lines, values) {
     for (const value of values)
         lines.push(formatCommandEvidence(value));
 }
+function pushRequirementEvidence(lines, values) {
+    if (values.length === 0) {
+        lines.push('- No proof requirements were evaluated.');
+        return;
+    }
+    for (const value of values)
+        lines.push(formatRequirementEvidence(value));
+}
+function pushReplayEvents(lines, values) {
+    if (values.length === 0) {
+        lines.push('- No proof replay events recorded.');
+        return;
+    }
+    for (const value of values)
+        lines.push(formatReplayEvent(value));
+}
+function formatReplayEvent(value) {
+    const command = value.command ? ` ${markdownInlineCode(value.command)}` : '';
+    const source = value.source ? ` source: ${value.source}.` : '';
+    const changedAfter = value.changedAfterProof && value.changedAfterProof.length > 0
+        ? ` changed after proof: ${markdownInlineList(value.changedAfterProof)}.`
+        : '';
+    const completedAt = value.completedAt ? ` completed: ${escapeMarkdownText(value.completedAt)}.` : '';
+    return `- **${value.status} ${value.kind}:**${command} ${escapeMarkdownText(value.summary)}${source}${changedAfter}${completedAt}`;
+}
+function formatRequirementEvidence(value) {
+    const files = value.files.length > 0 ? value.files.join(', ') : 'contract-only';
+    const commands = value.requiredCommands.length > 0 ? value.requiredCommands.join('; ') : 'no command required';
+    const matched = value.matchedCommands.length > 0 ? value.matchedCommands.join('; ') : 'none';
+    const gaps = value.gaps.length > 0 ? ` gaps: ${value.gaps.join('; ')}` : '';
+    return `- **${value.status} ${value.surface}:** ${escapeMarkdownText(files)}; required: ${escapeMarkdownText(commands)}; matched: ${escapeMarkdownText(matched)}.${escapeMarkdownText(gaps)}`;
+}
 function formatCommandEvidence(value) {
     const state = value.fresh ? 'fresh' : value.staleReason ? 'stale' : value.status;
     const exit = typeof value.exitCode === 'number' ? ` exit ${value.exitCode}` : ' no exit code';
     const duration = typeof value.durationMs === 'number' ? `, ${value.durationMs}ms` : '';
-    const log = value.logPath ? `, log ${value.logPath}` : '';
-    const summary = value.outputSummary ? ` - ${value.outputSummary}` : '';
-    const stale = value.staleReason ? ` (${value.staleReason})` : '';
-    return `- **${value.status} ${state}:** \`${value.command}\` (${exit}${duration}${log})${stale}${summary}`;
+    const source = value.source ? `, source ${value.source}` : '';
+    const log = value.logPath ? `, log ${markdownInlineCode(value.logPath)}` : '';
+    const summary = value.outputSummary ? ` - ${escapeMarkdownText(value.outputSummary)}` : '';
+    const stale = value.staleReason ? ` (${escapeMarkdownText(value.staleReason)})` : '';
+    return `- **${value.status} ${state}:** ${markdownInlineCode(value.command)} (${exit}${duration}${source}${log})${stale}${summary}`;
+}
+function inlineList(values) {
+    return values.length > 0 ? values.join(', ') : 'none';
+}
+function proofReplayForReceipt(receipt) {
+    return (receipt.proofReplay ?? {
+        status: 'needs-proof',
+        summary: 'No proof replay evidence recorded.',
+        events: [],
+        changedAfterProof: [],
+        replayCommand: 'projscan prove --changed --format markdown',
+        receiptFingerprint: 'missing',
+    });
+}
+function proofSufficiencyForReceipt(receipt) {
+    return (receipt.proofSufficiency ?? {
+        status: 'missing',
+        summary: 'No proof sufficiency evidence recorded.',
+        requirements: [],
+        gaps: ['No proof sufficiency evidence recorded.'],
+        weakRequirements: [],
+        missingRequirements: [],
+        staleRequirements: [],
+        failedRequirements: [],
+    });
 }
 function unique(values) {
     return [...new Set(values)];
@@ -376,4 +519,10 @@ function parseDurationMs(value) {
     }
     return parsed;
 }
+function parseProofLedgerSource(value) {
+    if (value === 'prove-record' || value === 'prove-run' || value === 'mission' || value === 'external') {
+        return value;
+    }
+    throw new Error('record-source must be prove-record, prove-run, mission, or external');
+}
 //# sourceMappingURL=prove.js.map