proofseal 0.0.1 → 0.1.0

package/dist/core/hash.js

@@ -0,0 +1,81 @@
+/**
+ * SHA-256 helpers. Files are always read as raw bytes (never text mode)
+ * so line-ending normalization can never silently change a hash (R2).
+ */
+import { createHash } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+/** sha256 of a string (utf8) or Buffer, lowercase hex (64 chars). */
+export function sha256Hex(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+/** sha256 of a string (utf8) or Buffer, raw 32 bytes. */
+export function sha256Bytes(input) {
+    return createHash('sha256').update(input).digest();
+}
+/** sha256 of a file's raw bytes, lowercase hex. */
+export function fileSha256(absPath) {
+    return createHash('sha256').update(readFileSync(absPath)).digest('hex');
+}
+/**
+ * sha256 of a file's bytes with CRLF→LF normalization (premortem #7:
+ * Windows insurance). Used ONLY for diagnostics: when a file-hash claim
+ * regresses but the CRLF-normalized hash still matches the sealed hash,
+ * the cause is almost certainly git autocrlf rewriting line endings —
+ * the regressed detail can then name the cause instead of crying tamper.
+ */
+export function fileSha256CrlfNormalized(absPath) {
+    const raw = readFileSync(absPath);
+    const out = Buffer.alloc(raw.length);
+    let n = 0;
+    for (let i = 0; i < raw.length; i++) {
+        if (raw[i] === 0x0d && raw[i + 1] === 0x0a)
+            continue; // drop CR of CRLF
+        out[n++] = raw[i];
+    }
+    return createHash('sha256').update(out.subarray(0, n)).digest('hex');
+}
+/** True if the file (decoded as utf8) contains the marker substring. */
+export function fileContains(absPath, marker) {
+    return readFileSync(absPath, 'utf8').includes(marker);
+}
+/**
+ * Whitespace normalization for marker matching:
+ *  1. collapse every run of whitespace (spaces, tabs, newlines) to one space;
+ *  2. drop spaces that touch a non-word character (a space is only
+ *     SIGNIFICANT between two identifier characters).
+ *
+ * Step 2 matters because formatters do not just reflow EXISTING whitespace —
+ * a Prettier line-wrap inserts whitespace where there was none (a newline
+ * after `(`, before `)`, around operators). Pure run-collapsing would still
+ * read `computeTotal(\n  items\n)` as missing the marker
+ * `computeTotal(items)`. Keeping only word-adjacent spaces makes any
+ * whitespace-only rewrite match while `foo bar` can never match `foobar`
+ * (so a marker cannot pass via accidental token merging).
+ */
+function normalizeForMarker(s) {
+    return s.replace(/\s+/g, ' ').replace(/ ?([^A-Za-z0-9_ ]) ?/g, '$1').trim();
+}
+/**
+ * Whitespace-normalized marker presence (premortem #7: marker robustness).
+ *
+ * Markers exist to outlive REBUILDS of a file — but a plain substring check
+ * also breaks under routine reformatting (Prettier line-wraps, re-indents,
+ * tabs→spaces). That reads as a false "regressed" and teaches users that
+ * ProofSeal lies. Both the file text and the marker are normalized (see
+ * `normalizeForMarker`) before matching, so whitespace-only rewrites of the
+ * marker's surroundings still match while any non-whitespace edit to the
+ * marker text itself still (correctly) fails.
+ *
+ * Plain `fileContains` is kept for exact-substring use cases.
+ */
+export function markerPresent(text, marker) {
+    return normalizeForMarker(text).includes(normalizeForMarker(marker));
+}
+/** Whitespace-normalized count of (non-overlapping) marker occurrences. */
+export function markerOccurrences(text, marker) {
+    const needle = normalizeForMarker(marker);
+    if (needle === '')
+        return 0;
+    return normalizeForMarker(text).split(needle).length - 1;
+}
+//# sourceMappingURL=hash.js.map

package/dist/core/hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/core/hash.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,qEAAqE;AACrE,MAAM,UAAU,SAAS,CAAC,KAAsB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,WAAW,CAAC,KAAsB;IAChD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;AACrD,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,UAAU,CAAC,OAAe;IACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1E,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI;YAAE,SAAS,CAAC,kBAAkB;QACxE,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACvE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,MAAc;IAC1D,OAAO,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,uBAAuB,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9E,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,MAAc;IACxD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,MAAc;IAC5D,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,MAAM,KAAK,EAAE;QAAE,OAAO,CAAC,CAAC;IAC5B,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC3D,CAAC"}

package/dist/core/marker-lint.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Lint a marker string against optional target-file text.
+ * Returns human-readable warning strings (empty array = no concerns).
+ */
+export declare function lintMarker(marker: string, fileText?: string): string[];

package/dist/core/marker-lint.js

@@ -0,0 +1,55 @@
+/**
+ * Authoring-time marker lint (premortem #7: marker robustness).
+ *
+ * Heuristics that flag fragile markers at `claim add` time — the moment the
+ * user can still pick a better one. Lint results are ADVISORY ONLY: they are
+ * printed as warnings and never fail the command (a noisy hard failure here
+ * would push users back to file-hash claims, which are MORE fragile).
+ */
+import { markerOccurrences } from './hash.js';
+const SUGGESTION = 'prefer a function/identifier name or a structural code fragment unique to the fix';
+/**
+ * Lint a marker string against optional target-file text.
+ * Returns human-readable warning strings (empty array = no concerns).
+ */
+export function lintMarker(marker, fileText) {
+    const warnings = [];
+    // (i) Non-unique marker: a duplicate occurrence can mask removal of the
+    // real fix (the OTHER copy keeps the claim green). Whitespace-normalized,
+    // consistent with how presence is verified.
+    if (fileText !== undefined) {
+        const n = markerOccurrences(fileText, marker);
+        if (n > 1) {
+            warnings.push(`marker appears ${n} times in the target file (whitespace-normalized) — ` +
+                `duplicates can mask removal of the real fix; ${SUGGESTION}`);
+        }
+    }
+    // (ii) Looks like a log/exception message. These strings are routinely
+    // reworded during refactors, so they make poor long-lived markers.
+    const trimmed = marker.trim();
+    const quotedWhole = /^["'`].*["'`]$/s.test(trimmed);
+    const hasPlaceholders = /%[sdif]|\$\{|\{\}/.test(marker);
+    const hasLogWords = /\b(error|warn|fail|cannot|invalid|exception)\b/i.test(marker);
+    // "natural-language sentence": several space-separated words starting with a letter.
+    const isSentence = /^[A-Za-z]/.test(trimmed) && trimmed.split(/\s+/).length >= 4;
+    if (quotedWhole || hasPlaceholders || (hasLogWords && isSentence)) {
+        warnings.push('marker looks like a log/exception message — message text is routinely ' +
+            `reworded and will read as a false regression; ${SUGGESTION}`);
+    }
+    // (iii) Formatting-sensitive characters that formatters commonly rewrite.
+    const traits = [];
+    if (marker.includes('`'))
+        traits.push('backticks');
+    if (/ {2,}/.test(marker))
+        traits.push('multiple consecutive spaces');
+    if (/^\s|\s$/.test(marker))
+        traits.push('leading/trailing whitespace');
+    if (marker.length >= 2 && /^["'].*["']$/s.test(marker))
+        traits.push('quotes at both ends');
+    if (traits.length > 0) {
+        warnings.push(`marker contains formatting-sensitive characters (${traits.join(', ')}) — ` +
+            `formatters like Prettier may rewrite these; ${SUGGESTION}`);
+    }
+    return warnings;
+}
+//# sourceMappingURL=marker-lint.js.map

package/dist/core/marker-lint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"marker-lint.js","sourceRoot":"","sources":["../../src/core/marker-lint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAE9C,MAAM,UAAU,GACd,mFAAmF,CAAC;AAEtF;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc,EAAE,QAAiB;IAC1D,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,wEAAwE;IACxE,0EAA0E;IAC1E,4CAA4C;IAC5C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CACX,kBAAkB,CAAC,sDAAsD;gBACvE,gDAAgD,UAAU,EAAE,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,mEAAmE;IACnE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,eAAe,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,iDAAiD,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnF,qFAAqF;IACrF,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IACjF,IAAI,WAAW,IAAI,eAAe,IAAI,CAAC,WAAW,IAAI,UAAU,CAAC,EAAE,CAAC;QAClE,QAAQ,CAAC,IAAI,CACX,wEAAwE;YACtE,iDAAiD,UAAU,EAAE,CAChE,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IACrE,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IACvE,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAC3F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,QAAQ,CAAC,IAAI,CACX,oDAAoD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;YACzE,+CAA+C,UAAU,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/paths.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Cross-platform claim-path normalization (premortem #7: Windows insurance).
+ *
+ * Claim file paths are stored and compared with forward slashes ONLY, at
+ * both seal and verify time: a claim authored on Windows with backslashes
+ * must match on POSIX and vice versa. `node:path.join` accepts forward
+ * slashes on every platform, so normalized paths resolve everywhere.
+ */
+/** Normalize a repo-relative claim path to forward slashes. */
+export declare function normalizeClaimPath(p: string): string;

package/dist/core/paths.js

@@ -0,0 +1,13 @@
+/**
+ * Cross-platform claim-path normalization (premortem #7: Windows insurance).
+ *
+ * Claim file paths are stored and compared with forward slashes ONLY, at
+ * both seal and verify time: a claim authored on Windows with backslashes
+ * must match on POSIX and vice versa. `node:path.join` accepts forward
+ * slashes on every platform, so normalized paths resolve everywhere.
+ */
+/** Normalize a repo-relative claim path to forward slashes. */
+export function normalizeClaimPath(p) {
+    return p.replace(/\\/g, '/');
+}
+//# sourceMappingURL=paths.js.map

package/dist/core/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/core/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,+DAA+D;AAC/D,MAAM,UAAU,kBAAkB,CAAC,CAAS;IAC1C,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC"}

package/dist/harness/quantize.d.ts

@@ -0,0 +1,38 @@
+export declare const DEFAULT_DECIMALS = 6;
+export declare const DEFAULT_TOLERANCE: {
+    readonly rtol: 0.0001;
+    readonly atol: 0.000001;
+};
+/**
+ * Round to N decimals with ties going to the even neighbor (banker's
+ * rounding — numpy semantics, NOT JS Math.round half-up; pitfall 7).
+ */
+export declare function roundHalfEven(value: number, decimals: number): number;
+/** Quantize every value (round-half-even at N decimals). */
+export declare function quantizeValues(values: readonly number[], decimals: number): number[];
+/** Pack values as little-endian IEEE-754 float64 (struct.pack "<Nd"). */
+export declare function packLEFloat64(values: readonly number[]): Buffer;
+/**
+ * The full quantize → pack-LE-f64 → SHA-256 pipeline.
+ * Streams in chunks so large vectors never materialize one giant buffer.
+ */
+export declare function hashQuantized(values: readonly number[], decimals?: number): string;
+export interface AllCloseResult {
+    ok: boolean;
+    /** Lengths matched? */
+    lengthMatch: boolean;
+    /** Count of out-of-tolerance elements. */
+    outOfTolerance: number;
+    /** Worst offender, for divergence forensics. */
+    worst?: {
+        index: number;
+        actual: number;
+        expected: number;
+        diff: number;
+    };
+}
+/**
+ * numpy.allclose semantics: |a - b| <= atol + rtol * |b|, element-wise,
+ * with divergence forensics (per-element out-of-tolerance count + worst index).
+ */
+export declare function allClose(actual: readonly number[], expected: readonly number[], rtol?: number, atol?: number): AllCloseResult;

package/dist/harness/quantize.js

@@ -0,0 +1,76 @@
+/**
+ * Deterministic numeric hashing (RuView Trust Kill Switch port):
+ * round-half-even quantization at N decimals → little-endian IEEE-754
+ * float64 packing → streamed SHA-256. Plus the rtol/atol tolerance gate
+ * with divergence forensics (issue #560 dual-gate verdict).
+ */
+import { createHash } from 'node:crypto';
+export const DEFAULT_DECIMALS = 6;
+export const DEFAULT_TOLERANCE = { rtol: 1e-4, atol: 1e-6 };
+/**
+ * Round to N decimals with ties going to the even neighbor (banker's
+ * rounding — numpy semantics, NOT JS Math.round half-up; pitfall 7).
+ */
+export function roundHalfEven(value, decimals) {
+    if (!Number.isFinite(value))
+        return value;
+    const factor = Math.pow(10, decimals);
+    const scaled = value * factor;
+    let rounded = Math.round(scaled); // half-toward-+Infinity
+    // Math.round on an exact .5 tie always lands on floor(scaled)+1; if that
+    // result is odd, the even neighbor is rounded-1 (works for both signs).
+    if (scaled - Math.floor(scaled) === 0.5 && rounded % 2 !== 0) {
+        rounded -= 1;
+    }
+    return rounded / factor;
+}
+/** Quantize every value (round-half-even at N decimals). */
+export function quantizeValues(values, decimals) {
+    return values.map((v) => roundHalfEven(v, decimals));
+}
+/** Pack values as little-endian IEEE-754 float64 (struct.pack "<Nd"). */
+export function packLEFloat64(values) {
+    const buf = Buffer.alloc(values.length * 8);
+    for (let i = 0; i < values.length; i++) {
+        buf.writeDoubleLE(values[i], i * 8);
+    }
+    return buf;
+}
+/**
+ * The full quantize → pack-LE-f64 → SHA-256 pipeline.
+ * Streams in chunks so large vectors never materialize one giant buffer.
+ */
+export function hashQuantized(values, decimals = DEFAULT_DECIMALS) {
+    const hasher = createHash('sha256');
+    const CHUNK = 4096;
+    for (let i = 0; i < values.length; i += CHUNK) {
+        const slice = values.slice(i, i + CHUNK).map((v) => roundHalfEven(v, decimals));
+        hasher.update(packLEFloat64(slice));
+    }
+    return hasher.digest('hex');
+}
+/**
+ * numpy.allclose semantics: |a - b| <= atol + rtol * |b|, element-wise,
+ * with divergence forensics (per-element out-of-tolerance count + worst index).
+ */
+export function allClose(actual, expected, rtol = DEFAULT_TOLERANCE.rtol, atol = DEFAULT_TOLERANCE.atol) {
+    if (actual.length !== expected.length) {
+        return { ok: false, lengthMatch: false, outOfTolerance: Math.abs(actual.length - expected.length) };
+    }
+    let outOfTolerance = 0;
+    let worst;
+    for (let i = 0; i < actual.length; i++) {
+        const a = actual[i];
+        const b = expected[i];
+        const diff = Math.abs(a - b);
+        const bound = atol + rtol * Math.abs(b);
+        if (!(diff <= bound)) {
+            outOfTolerance += 1;
+            if (!worst || diff > worst.diff) {
+                worst = { index: i, actual: a, expected: b, diff };
+            }
+        }
+    }
+    return { ok: outOfTolerance === 0, lengthMatch: true, outOfTolerance, worst };
+}
+//# sourceMappingURL=quantize.js.map

package/dist/harness/quantize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quantize.js","sourceRoot":"","sources":["../../src/harness/quantize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAW,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,QAAgB;IAC3D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,KAAK,GAAG,MAAM,CAAC;IAC9B,IAAI,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,wBAAwB;IAC1D,yEAAyE;IACzE,wEAAwE;IACxE,IAAI,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,GAAG,IAAI,OAAO,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7D,OAAO,IAAI,CAAC,CAAC;IACf,CAAC;IACD,OAAO,OAAO,GAAG,MAAM,CAAC;AAC1B,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,cAAc,CAAC,MAAyB,EAAE,QAAgB;IACxE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa,CAAC,MAAyB;IACrD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,MAAyB,EAAE,WAAmB,gBAAgB;IAC1F,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAYD;;;GAGG;AACH,MAAM,UAAU,QAAQ,CACtB,MAAyB,EACzB,QAA2B,EAC3B,OAAe,iBAAiB,CAAC,IAAI,EACrC,OAAe,iBAAiB,CAAC,IAAI;IAErC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC;QACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;IACtG,CAAC;IACD,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,KAA8B,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACrB,cAAc,IAAI,CAAC,CAAC;YACpB,IAAI,CAAC,KAAK,IAAI,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;gBAChC,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;YACrD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,cAAc,KAAK,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;AAChF,CAAC"}

package/dist/harness/run.d.ts

@@ -0,0 +1,61 @@
+import { type AllCloseResult } from './quantize.js';
+export interface HarnessDef {
+    name: string;
+    /** Shell command; spawned with PROOFSEAL_SEED set. */
+    cmd: string;
+    /** Working directory (defaults to process.cwd()). */
+    cwd?: string;
+    seed?: number;
+    quantizeDecimals?: number;
+    /** Named output blocks to skip when stdout is a JSON object (pitfall 6). */
+    exclude?: string[];
+    /** Committed expectation hash; absent = no expectation yet. */
+    expectedSha256?: string;
+    /** Path to committed JSON array of full-precision reference numbers. */
+    referenceVector?: string;
+    tolerance?: {
+        rtol: number;
+        atol: number;
+    };
+    timeoutMs?: number;
+}
+export type HarnessStatus = 'pass' | 'drift' | 'regressed' | 'missing' | 'error';
+export interface HarnessResult {
+    name: string;
+    status: HarnessStatus;
+    /** sha256 of quantized LE-f64 output (present when the run produced output). */
+    hash?: string;
+    expectedSha256?: string;
+    hashMatch?: boolean;
+    toleranceMatch?: boolean;
+    forensics?: AllCloseResult;
+    /** Full-precision parsed values (for --update reference regeneration). */
+    values?: number[];
+    quantized?: number[];
+    seed: number;
+    quantizeDecimals: number;
+    exitCode: number | null;
+    error?: string;
+    /**
+     * The harness command itself could not be found (spawn ENOENT or shell
+     * exit 127). CI footgun: a missing interpreter is an environment
+     * precondition, not a regression.
+     */
+    commandNotFound?: boolean;
+    /**
+     * A referenceVector path is declared but the file is absent at run time.
+     * CI footgun: the seal outputs were probably never committed.
+     */
+    referenceVectorMissing?: boolean;
+}
+/**
+ * Parse numeric output from harness stdout.
+ * Accepted shapes:
+ *  - JSON array of numbers (arbitrarily nested) → flattened in order
+ *  - JSON object of named numeric blocks → keys sorted, excluded keys
+ *    skipped, values flattened
+ *  - plain whitespace/comma-separated numbers
+ */
+export declare function parseNumericOutput(stdout: string, exclude?: string[]): number[];
+/** Run a harness and render the dual hash/tolerance verdict. */
+export declare function runHarness(def: HarnessDef): Promise<HarnessResult>;

package/dist/harness/run.js

@@ -0,0 +1,137 @@
+/**
+ * Deterministic-output harness runner (ADR-0001 D9, RuView verify.py port).
+ *
+ * Spawns the harness command with PROOFSEAL_SEED in the environment,
+ * parses numeric output from stdout, quantizes (round-half-even, N
+ * decimals), packs LE float64, streams SHA-256, and renders a dual
+ * verdict: bit-exact hash match OR rtol/atol tolerance vs a committed
+ * reference vector (JSON array of numbers).
+ */
+import { spawn } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { allClose, hashQuantized, quantizeValues, DEFAULT_DECIMALS, DEFAULT_TOLERANCE, } from './quantize.js';
+/**
+ * Parse numeric output from harness stdout.
+ * Accepted shapes:
+ *  - JSON array of numbers (arbitrarily nested) → flattened in order
+ *  - JSON object of named numeric blocks → keys sorted, excluded keys
+ *    skipped, values flattened
+ *  - plain whitespace/comma-separated numbers
+ */
+export function parseNumericOutput(stdout, exclude = []) {
+    const text = stdout.trim();
+    if (!text)
+        return [];
+    try {
+        const parsed = JSON.parse(text);
+        return flattenNumbers(parsed, exclude);
+    }
+    catch {
+        return text
+            .split(/[\s,]+/)
+            .map(Number)
+            .filter((n) => Number.isFinite(n));
+    }
+}
+function flattenNumbers(value, exclude) {
+    if (typeof value === 'number')
+        return [value];
+    if (Array.isArray(value))
+        return value.flatMap((v) => flattenNumbers(v, exclude));
+    if (value !== null && typeof value === 'object') {
+        const obj = value;
+        return Object.keys(obj)
+            .sort()
+            .filter((k) => !exclude.includes(k))
+            .flatMap((k) => flattenNumbers(obj[k], exclude));
+    }
+    return [];
+}
+function execHarness(def, seed) {
+    return new Promise((resolvePromise) => {
+        const child = spawn(def.cmd, {
+            shell: true,
+            cwd: def.cwd ?? process.cwd(),
+            env: {
+                ...process.env,
+                PROOFSEAL_SEED: String(seed),
+                // Legacy alias kept one release for harnesses written pre-rename
+                // (and the bench fixtures); PROOFSEAL_SEED is the documented name.
+                PROOFKIT_SEED: String(seed),
+            },
+            timeout: def.timeoutMs ?? 120_000,
+        });
+        let stdout = '';
+        child.stdout.on('data', (d) => {
+            stdout += d.toString('utf8');
+        });
+        child.on('error', (err) => resolvePromise({
+            stdout,
+            exitCode: null,
+            error: err.message,
+            commandNotFound: err.code === 'ENOENT',
+        }));
+        child.on('close', (code) => 
+        // shell:true means "command not found" surfaces as exit 127 on POSIX
+        // (cmd.exe uses other codes; the ENOENT path above covers direct spawn).
+        resolvePromise({ stdout, exitCode: code, commandNotFound: code === 127 }));
+    });
+}
+/** Run a harness and render the dual hash/tolerance verdict. */
+export async function runHarness(def) {
+    const seed = def.seed ?? 42;
+    const decimals = def.quantizeDecimals ?? DEFAULT_DECIMALS;
+    const base = { name: def.name, seed, quantizeDecimals: decimals };
+    const run = await execHarness(def, seed);
+    if (run.error || run.exitCode !== 0) {
+        return {
+            ...base,
+            status: 'error',
+            exitCode: run.exitCode,
+            error: run.error ?? `harness exited with code ${run.exitCode}`,
+            ...(run.commandNotFound ? { commandNotFound: true } : {}),
+        };
+    }
+    const values = parseNumericOutput(run.stdout, def.exclude ?? []);
+    const quantized = quantizeValues(values, decimals);
+    const hash = hashQuantized(values, decimals);
+    if (!def.expectedSha256) {
+        return { ...base, status: 'missing', exitCode: run.exitCode, hash, values, quantized, error: 'no committed expectedSha256 — run `proofseal harness run --update`' };
+    }
+    const hashMatch = hash === def.expectedSha256;
+    if (hashMatch) {
+        return { ...base, status: 'pass', exitCode: run.exitCode, hash, expectedSha256: def.expectedSha256, hashMatch, values, quantized };
+    }
+    // Tolerance fallback against the committed full-precision reference vector.
+    let toleranceMatch = false;
+    let forensics;
+    let referenceVectorMissing = false;
+    if (def.referenceVector) {
+        const refPath = resolve(def.cwd ?? process.cwd(), def.referenceVector);
+        if (existsSync(refPath)) {
+            const reference = JSON.parse(readFileSync(refPath, 'utf8'));
+            const tol = def.tolerance ?? DEFAULT_TOLERANCE;
+            forensics = allClose(values, reference, tol.rtol, tol.atol);
+            toleranceMatch = forensics.ok;
+        }
+        else {
+            // Declared but absent — almost always "seal outputs never committed".
+            referenceVectorMissing = true;
+        }
+    }
+    return {
+        ...(referenceVectorMissing ? { referenceVectorMissing: true } : {}),
+        ...base,
+        status: toleranceMatch ? 'drift' : 'regressed',
+        exitCode: run.exitCode,
+        hash,
+        expectedSha256: def.expectedSha256,
+        hashMatch,
+        toleranceMatch,
+        forensics,
+        values,
+        quantized,
+    };
+}
+//# sourceMappingURL=run.js.map

package/dist/harness/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/harness/run.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EACL,QAAQ,EACR,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,eAAe,CAAC;AAmDvB;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,UAAoB,EAAE;IACvE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI;aACR,KAAK,CAAC,QAAQ,CAAC;aACf,GAAG,CAAC,MAAM,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAc,EAAE,OAAiB;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IAClF,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aACpB,IAAI,EAAE;aACN,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;aACnC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAClB,GAAe,EACf,IAAY;IAEZ,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;YAC3B,KAAK,EAAE,IAAI;YACX,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC7B,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC;gBAC5B,iEAAiE;gBACjE,mEAAmE;gBACnE,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC;aAC5B;YACD,OAAO,EAAE,GAAG,CAAC,SAAS,IAAI,OAAO;SAClC,CAAC,CAAC;QACH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACpC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CACxB,cAAc,CAAC;YACb,MAAM;YACN,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,GAAG,CAAC,OAAO;YAClB,eAAe,EAAG,GAA6B,CAAC,IAAI,KAAK,QAAQ;SAClE,CAAC,CACH,CAAC;QACF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,qEAAqE;QACrE,yEAAyE;QACzE,cAAc,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,KAAK,GAAG,EAAE,CAAC,CAC1E,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,gEAAgE;AAChE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAe;IAC9C,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAG,GAAG,CAAC,gBAAgB,IAAI,gBAAgB,CAAC;IAC1D,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC;IAElE,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACzC,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,GAAG,IAAI;YACP,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,4BAA4B,GAAG,CAAC,QAAQ,EAAE;YAC9D,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAE7C,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QACxB,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,oEAAoE,EAAE,CAAC;IACtK,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,KAAK,GAAG,CAAC,cAAc,CAAC;IAC9C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACrI,CAAC;IAED,4EAA4E;IAC5E,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,SAAqC,CAAC;IAC1C,IAAI,sBAAsB,GAAG,KAAK,CAAC;IACnC,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,eAAe,CAAC,CAAC;QACvE,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAa,CAAC;YACxE,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,IAAI,iBAAiB,CAAC;YAC/C,SAAS,GAAG,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YAC5D,cAAc,GAAG,SAAS,CAAC,EAAE,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,sEAAsE;YACtE,sBAAsB,GAAG,IAAI,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnE,GAAG,IAAI;QACP,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW;QAC9C,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,IAAI;QACJ,cAAc,EAAE,GAAG,CAAC,cAAc;QAClC,SAAS;QACT,cAAc;QACd,SAAS;QACT,MAAM;QACN,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/history/gitinfo.d.ts

@@ -0,0 +1,16 @@
+import type { RegressionIntroduction } from './queries.js';
+export interface RegressionGitInfo {
+    /** false = git rejects the SHA (rewritten history?); undefined = not checked. */
+    lastPassReachable?: boolean;
+    regressedAtReachable?: boolean;
+    /** `git rev-list --count lastPass..regressedAt` when both SHAs are reachable. */
+    rangeCommitCount?: number;
+}
+export type EnrichedRegression = RegressionIntroduction & RegressionGitInfo;
+/** Tag appended to a SHA that git can no longer resolve. */
+export declare const UNREACHABLE_TAG = "(unreachable \u2014 rewritten history?)";
+/**
+ * Annotate regressions with reachability + range width. Fail-open: outside
+ * a git repo (or git missing) the regressions pass through untouched.
+ */
+export declare function enrichRegressionsWithGit(root: string, regressions: RegressionIntroduction[]): EnrichedRegression[];

package/dist/history/gitinfo.js

@@ -0,0 +1,69 @@
+/**
+ * Cheap git-side validation of bisect results (premortem hazards b/c/d):
+ * recorded SHAs can be orphaned by squash-merge, rebase, or force-push, and
+ * bisect granularity is seal frequency, not commits. We check reachability
+ * with `git cat-file -e <sha>^{commit}` and measure range width with
+ * `git rev-list --count`. Everything here is best-effort: git absent or
+ * not-a-repo → skip validation silently and return the input unchanged.
+ */
+import { execFileSync } from 'node:child_process';
+/** Tag appended to a SHA that git can no longer resolve. */
+export const UNREACHABLE_TAG = '(unreachable — rewritten history?)';
+const SHA_RE = /^[0-9a-f]{7,40}$/i;
+function git(root, args) {
+    return execFileSync('git', args, {
+        cwd: root,
+        stdio: ['ignore', 'pipe', 'ignore'],
+        timeout: 10_000,
+    }).toString();
+}
+function insideGitRepo(root) {
+    try {
+        git(root, ['rev-parse', '--git-dir']);
+        return true;
+    }
+    catch {
+        return false; // git absent, or root is not a repo → skip validation
+    }
+}
+function commitReachable(root, sha) {
+    try {
+        git(root, ['cat-file', '-e', `${sha}^{commit}`]);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function revListCount(root, from, to) {
+    try {
+        const n = Number(git(root, ['rev-list', '--count', `${from}..${to}`]).trim());
+        return Number.isFinite(n) ? n : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Annotate regressions with reachability + range width. Fail-open: outside
+ * a git repo (or git missing) the regressions pass through untouched.
+ */
+export function enrichRegressionsWithGit(root, regressions) {
+    if (regressions.length === 0 || !insideGitRepo(root)) {
+        return regressions.map((r) => ({ ...r }));
+    }
+    return regressions.map((r) => {
+        const info = {};
+        if (r.lastPassCommit && SHA_RE.test(r.lastPassCommit)) {
+            info.lastPassReachable = commitReachable(root, r.lastPassCommit);
+        }
+        if (SHA_RE.test(r.regressedAtCommit)) {
+            info.regressedAtReachable = commitReachable(root, r.regressedAtCommit);
+        }
+        if (info.lastPassReachable && info.regressedAtReachable) {
+            info.rangeCommitCount = revListCount(root, r.lastPassCommit, r.regressedAtCommit);
+        }
+        return { ...r, ...info };
+    });
+}
+//# sourceMappingURL=gitinfo.js.map

package/dist/history/gitinfo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitinfo.js","sourceRoot":"","sources":["../../src/history/gitinfo.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAalD,4DAA4D;AAC5D,MAAM,CAAC,MAAM,eAAe,GAAG,oCAAoC,CAAC;AAEpE,MAAM,MAAM,GAAG,mBAAmB,CAAC;AAEnC,SAAS,GAAG,CAAC,IAAY,EAAE,IAAc;IACvC,OAAO,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;QAC/B,GAAG,EAAE,IAAI;QACT,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;QACnC,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC,QAAQ,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,CAAC,sDAAsD;IACtE,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,GAAW;IAChD,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,IAAY,EAAE,EAAU;IAC1D,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,GAAG,IAAI,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9E,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAY,EACZ,WAAqC;IAErC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;QACrD,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,MAAM,IAAI,GAAsB,EAAE,CAAC;QACnC,IAAI,CAAC,CAAC,cAAc,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,iBAAiB,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,oBAAoB,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;YACxD,IAAI,CAAC,gBAAgB,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,cAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,EAAE,GAAG,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/history/jsonl.d.ts

@@ -0,0 +1,28 @@
+import type { Manifest } from '../manifest/schema.js';
+export interface HistoryClaimState {
+    sha256: string;
+    verified: boolean;
+}
+export interface HistoryEntry {
+    v: 1;
+    commit: string;
+    issuedAt: string;
+    branch: string;
+    manifestHash: string;
+    summary: {
+        totalClaims: number;
+        verified: number;
+        missing: number;
+    };
+    claims: Record<string, HistoryClaimState>;
+}
+/** Was this claim verified at seal time? (per-type semantics) */
+export declare function claimVerified(claim: Manifest['claims'][number]): boolean;
+/** Append a compact snapshot of a sealed manifest. Exactly one '\n' per line. */
+export declare function appendHistory(historyPath: string, manifest: Manifest, manifestHash: string): HistoryEntry;
+/**
+ * Load JSONL history in FILE order. File order is not chronology (union
+ * merges can interleave branches) — queries sort by issuedAt via
+ * sortByIssuedAt(). Tolerates blank lines / no trailing newline.
+ */
+export declare function loadHistory(historyPath: string): HistoryEntry[];