settld 0.1.1 → 0.1.5

package/scripts/ci/check-kernel-v0-launch-gate.mjs

@@ -0,0 +1,233 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+
+const DEFAULT_AUDIT_PATH = "planning/kernel-v0-truth-audit.md";
+
+const REQUIRED_TRUE_CLAIMS_BY_MODE = {
+  prepublish: [
+    {
+      key: "dispute_envelope_required",
+      description: "Signed dispute-open envelope required for non-admin opens",
+      match: /signed dispute-open envelope required for non-admin opens/i
+    },
+    {
+      key: "holdback_freeze_open_arbitration",
+      description: "Holdback tick skips auto-release when arbitration is open",
+      match: /holdback tick skips auto-release when arbitration is open/i
+    },
+    {
+      key: "deterministic_holdback_adjustment",
+      description: "Deterministic holdback adjustment flow exists",
+      match: /deterministic holdback adjustment flow exists/i
+    },
+    {
+      key: "tool_call_replay_endpoint",
+      description: "Tool-call replay endpoint exists and is wired",
+      match: /tool-call replay endpoint exists and is wired/i
+    },
+    {
+      key: "run_replay_endpoint",
+      description: "Run settlement replay endpoint exists",
+      match: /run settlement replay endpoint exists/i
+    },
+    {
+      key: "closepack_offline_verify_gated",
+      description: "Closepack export + offline verify exists and is conformance-gated",
+      match: /closepack export \+ offline verify exists and is conformance-gated/i
+    },
+    {
+      key: "deterministic_verifier_meaningful_fail",
+      description: "Deterministic verifier exists with at least one meaningful failing case",
+      match: /deterministic verifier exists with at least one meaningful failing case/i
+    },
+    {
+      key: "reputation_true",
+      description: "Reputation is indexed/readable and idempotent insert paths exist",
+      match: /reputation is indexed\/readable and idempotent insert paths exist/i
+    },
+    {
+      key: "registry_publish_wired",
+      description: "Registry publish is wired",
+      match: /registry publish is wired/i
+    }
+  ],
+  postpublish: [
+    {
+      key: "dispute_envelope_required",
+      description: "Signed dispute-open envelope required for non-admin opens",
+      match: /signed dispute-open envelope required for non-admin opens/i
+    },
+    {
+      key: "holdback_freeze_open_arbitration",
+      description: "Holdback tick skips auto-release when arbitration is open",
+      match: /holdback tick skips auto-release when arbitration is open/i
+    },
+    {
+      key: "deterministic_holdback_adjustment",
+      description: "Deterministic holdback adjustment flow exists",
+      match: /deterministic holdback adjustment flow exists/i
+    },
+    {
+      key: "tool_call_replay_endpoint",
+      description: "Tool-call replay endpoint exists and is wired",
+      match: /tool-call replay endpoint exists and is wired/i
+    },
+    {
+      key: "run_replay_endpoint",
+      description: "Run settlement replay endpoint exists",
+      match: /run settlement replay endpoint exists/i
+    },
+    {
+      key: "closepack_offline_verify_gated",
+      description: "Closepack export + offline verify exists and is conformance-gated",
+      match: /closepack export \+ offline verify exists and is conformance-gated/i
+    },
+    {
+      key: "deterministic_verifier_meaningful_fail",
+      description: "Deterministic verifier exists with at least one meaningful failing case",
+      match: /deterministic verifier exists with at least one meaningful failing case/i
+    },
+    {
+      key: "reputation_true",
+      description: "Reputation is indexed/readable and idempotent insert paths exist",
+      match: /reputation is indexed\/readable and idempotent insert paths exist/i
+    },
+    {
+      key: "npm_publish_proven",
+      description: "First live npm publish proven",
+      match: /first live npm publish proven/i
+    }
+  ]
+};
+
+const REQUIRED_TRUE_CLAIMS = REQUIRED_TRUE_CLAIMS_BY_MODE.prepublish;
+
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const out = { file: DEFAULT_AUDIT_PATH, mode: "prepublish" };
+  for (let i = 0; i < args.length; i += 1) {
+    const a = args[i];
+    if ((a === "--file" || a === "-f") && args[i + 1]) {
+      out.file = args[i + 1];
+      i += 1;
+    } else if ((a === "--mode" || a === "-m") && args[i + 1]) {
+      const mode = String(args[i + 1]).trim().toLowerCase();
+      if (mode !== "prepublish" && mode !== "postpublish") {
+        throw new Error(`invalid --mode: ${mode} (expected prepublish|postpublish)`);
+      }
+      out.mode = mode;
+      i += 1;
+    } else if (a === "--help" || a === "-h") {
+      out.help = true;
+    } else {
+      throw new Error(`unknown argument: ${a}`);
+    }
+  }
+  return out;
+}
+
+function usage() {
+  return [
+    "Usage: node scripts/ci/check-kernel-v0-launch-gate.mjs [--file <path>] [--mode prepublish|postpublish]",
+    "",
+    "Fails when required Kernel v0 launch claims are not marked TRUE in",
+    "planning/kernel-v0-truth-audit.md."
+  ].join("\n");
+}
+
+function parseClaimStatuses(markdown) {
+  const rows = [];
+  const lines = markdown.split(/\r?\n/);
+  for (const line of lines) {
+    if (!line.startsWith("|")) continue;
+    const cols = line.split("|").map((c) => c.trim());
+    if (cols.length < 4) continue;
+    const claim = cols[1] || "";
+    const statusCell = cols[2] || "";
+    if (!claim || /^-+$/.test(claim.replace(/\s+/g, ""))) continue;
+    const statusMatch = statusCell.match(/\*\*(TRUE|PARTIAL|FALSE)\*\*/i);
+    if (!statusMatch) continue;
+    rows.push({ claim, status: statusMatch[1].toUpperCase() });
+  }
+  return rows;
+}
+
+function findClaim(rows, matcher) {
+  return rows.find((r) => matcher.test(r.claim));
+}
+
+function main() {
+  let opts;
+  try {
+    opts = parseArgs(process.argv);
+  } catch (err) {
+    console.error(String(err?.message || err));
+    console.error("");
+    console.error(usage());
+    process.exit(2);
+  }
+
+  if (opts.help) {
+    console.log(usage());
+    return;
+  }
+
+  const auditPath = path.resolve(process.cwd(), opts.file);
+  if (!fs.existsSync(auditPath)) {
+    console.error(`launch gate audit file not found: ${auditPath}`);
+    process.exit(2);
+  }
+
+  const markdown = fs.readFileSync(auditPath, "utf8");
+  const rows = parseClaimStatuses(markdown);
+  if (rows.length === 0) {
+    console.error(`no TRUE/PARTIAL/FALSE claim rows found in ${auditPath}`);
+    process.exit(2);
+  }
+  const requiredClaims = REQUIRED_TRUE_CLAIMS_BY_MODE[opts.mode] || REQUIRED_TRUE_CLAIMS;
+
+  const failures = [];
+  const passes = [];
+  for (const requirement of requiredClaims) {
+    const row = findClaim(rows, requirement.match);
+    if (!row) {
+      failures.push({
+        key: requirement.key,
+        description: requirement.description,
+        reason: "MISSING_CLAIM_ROW"
+      });
+      continue;
+    }
+    if (row.status !== "TRUE") {
+      failures.push({
+        key: requirement.key,
+        description: requirement.description,
+        reason: `STATUS_${row.status}`
+      });
+      continue;
+    }
+    passes.push({ key: requirement.key, description: requirement.description });
+  }
+
+  console.log("Kernel v0 launch gate checklist");
+  console.log(`Mode: ${opts.mode}`);
+  console.log(`Audit file: ${path.relative(process.cwd(), auditPath)}`);
+  console.log(`Required TRUE claims: ${requiredClaims.length}`);
+  console.log(`Pass: ${passes.length}`);
+  console.log(`Fail: ${failures.length}`);
+
+  if (failures.length > 0) {
+    console.error("\nLaunch gate check failed:");
+    for (const failure of failures) {
+      console.error(`- ${failure.key}: ${failure.description} (${failure.reason})`);
+    }
+    process.exit(1);
+  }
+
+  console.log("\nAll required launch gate claims are TRUE.");
+}
+
+main();

package/scripts/ci/check-secret-hygiene.mjs

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+
+const PRIVATE_KEY_PATTERNS = Object.freeze([
+  /(^|\r?\n)-----BEGIN PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN EC PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN RSA PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN OPENSSH PRIVATE KEY-----\r?\n/m
+]);
+
+const ALLOWED_PREFIXES = Object.freeze([
+  "test/fixtures/",
+  "conformance/",
+  "docs/spec/examples/",
+  "scripts/pilot/fixtures/"
+]);
+
+function listTrackedFiles() {
+  const output = execFileSync("git", ["ls-files", "-z"], { encoding: "utf8" });
+  return output
+    .split("\0")
+    .map((row) => row.trim())
+    .filter((row) => row.length > 0);
+}
+
+function isAllowedFixturePath(filePath) {
+  return ALLOWED_PREFIXES.some((prefix) => filePath.startsWith(prefix));
+}
+
+function hasPrivateKeyMaterial(filePath) {
+  const absolutePath = path.resolve(process.cwd(), filePath);
+  const buffer = fs.readFileSync(absolutePath);
+  if (buffer.includes(0)) return false;
+  const text = buffer.toString("utf8");
+  return PRIVATE_KEY_PATTERNS.some((pattern) => pattern.test(text));
+}
+
+function main() {
+  const tracked = listTrackedFiles();
+  const violations = [];
+
+  for (const filePath of tracked) {
+    if (filePath.startsWith("keys/")) {
+      violations.push(`${filePath}: tracked key material is forbidden`);
+      continue;
+    }
+    if (isAllowedFixturePath(filePath)) continue;
+    try {
+      if (hasPrivateKeyMaterial(filePath)) {
+        violations.push(`${filePath}: private key marker detected`);
+      }
+    } catch (err) {
+      violations.push(`${filePath}: failed to scan (${err?.message ?? String(err)})`);
+    }
+  }
+
+  if (violations.length > 0) {
+    process.stderr.write("secret hygiene check failed:\n");
+    for (const violation of violations) process.stderr.write(`- ${violation}\n`);
+    process.exit(1);
+  }
+
+  process.stdout.write(
+    JSON.stringify(
+      {
+        ok: true,
+        checkedAt: new Date().toISOString(),
+        trackedFilesScanned: tracked.length
+      },
+      null,
+      2
+    ) + "\n"
+  );
+}
+
+main();

package/scripts/ci/check-version-consistency.mjs

@@ -0,0 +1,42 @@
+import fs from "node:fs";
+import path from "node:path";
+
+function readTrimmed(filePath) {
+  return String(fs.readFileSync(filePath, "utf8")).trim();
+}
+
+function fail(message) {
+  // eslint-disable-next-line no-console
+  console.error(message);
+  process.exit(1);
+}
+
+const repoRoot = process.cwd();
+const settldVersionPath = path.join(repoRoot, "SETTLD_VERSION");
+const artifactVerifyPackagePath = path.join(repoRoot, "packages", "artifact-verify", "package.json");
+
+if (!fs.existsSync(settldVersionPath)) {
+  fail("version consistency check failed: SETTLD_VERSION file is missing");
+}
+if (!fs.existsSync(artifactVerifyPackagePath)) {
+  fail("version consistency check failed: packages/artifact-verify/package.json is missing");
+}
+
+const repoVersion = readTrimmed(settldVersionPath);
+const artifactVerifyPackage = JSON.parse(fs.readFileSync(artifactVerifyPackagePath, "utf8"));
+const artifactVerifyVersion = String(artifactVerifyPackage.version ?? "").trim();
+
+if (!repoVersion) {
+  fail("version consistency check failed: SETTLD_VERSION is empty");
+}
+if (!artifactVerifyVersion) {
+  fail("version consistency check failed: packages/artifact-verify/package.json version is empty");
+}
+if (repoVersion !== artifactVerifyVersion) {
+  fail(
+    `version consistency check failed: SETTLD_VERSION=${repoVersion} does not match packages/artifact-verify/package.json version=${artifactVerifyVersion}`
+  );
+}
+
+// eslint-disable-next-line no-console
+console.log(`version consistency check passed: ${repoVersion}`);

package/scripts/ci/cli-pack-smoke.mjs

@@ -0,0 +1,160 @@
+import { spawnSync } from "node:child_process";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+
+function sh(cmd, args, { cwd, env } = {}) {
+  const res = spawnSync(cmd, args, { cwd, env, encoding: "utf8" });
+  if (res.status !== 0) {
+    const err = (res.stderr || res.stdout || "").trim();
+    throw new Error(`${cmd} ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+  }
+  return res.stdout;
+}
+
+function assert(cond, msg) {
+  if (!cond) throw new Error(msg);
+}
+
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, `'\"'\"'`)}'`;
+}
+
+async function main() {
+  const repoRoot = process.cwd();
+  const packDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-pack-"));
+  const unpackDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-unpack-"));
+  const outDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-out-"));
+  const npmCacheDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-cache-"));
+
+  const npmEnv = {
+    ...process.env,
+    NPM_CONFIG_CACHE: npmCacheDir,
+    npm_config_cache: npmCacheDir,
+    npm_config_update_notifier: "false"
+  };
+
+  try {
+    sh("npm", ["--cache", npmCacheDir, "pack", "--silent", "--pack-destination", packDir], { cwd: repoRoot, env: npmEnv });
+    const packed = (await fs.readdir(packDir)).filter((name) => /^settld-.*\.tgz$/.test(name)).sort();
+    assert(packed.length > 0, "npm pack did not produce settld-*.tgz");
+    const tarballPath = path.join(packDir, packed[packed.length - 1]);
+    sh("tar", ["-xzf", tarballPath, "-C", unpackDir], { env: npmEnv });
+    const packageRoot = path.join(unpackDir, "package");
+    const cliPath = path.join(packageRoot, "bin", "settld.js");
+
+    const runTarballCli = (args) => {
+      const cmd = ["npx", "--yes", "--package", tarballPath, "--", "settld", ...args].map(shellQuote).join(" ");
+      const res = spawnSync("bash", ["-lc", cmd], {
+        cwd: packDir,
+        env: npmEnv,
+        encoding: "utf8"
+      });
+      const blockedBySandbox =
+        res.error &&
+        res.error.code === "EPERM" &&
+        res.status === 0 &&
+        String(res.stdout ?? "").trim() === "" &&
+        String(res.stderr ?? "").trim() === "";
+      if (blockedBySandbox) return { stdout: "", blockedBySandbox: true };
+      if (res.status !== 0) {
+        const err = (res.stderr || res.stdout || "").trim();
+        throw new Error(`npx --package <tarball> settld ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+      }
+      return { stdout: String(res.stdout ?? ""), blockedBySandbox: false };
+    };
+
+    const runCli = (args) => {
+      const cmd = [process.execPath, cliPath, ...args].map(shellQuote).join(" ");
+      const res = spawnSync("bash", ["-lc", cmd], {
+        cwd: packageRoot,
+        env: npmEnv,
+        encoding: "utf8"
+      });
+      const blockedBySandbox =
+        res.error &&
+        res.error.code === "EPERM" &&
+        res.status === 0 &&
+        String(res.stdout ?? "").trim() === "" &&
+        String(res.stderr ?? "").trim() === "";
+      if (blockedBySandbox) return { stdout: "", blockedBySandbox: true };
+      if (res.status !== 0) {
+        const err = (res.stderr || res.stdout || "").trim();
+        throw new Error(`settld ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+      }
+      return { stdout: String(res.stdout ?? ""), blockedBySandbox: false };
+    };
+
+    const versionResult = runTarballCli(["--version"]);
+    const sandboxBlocked = versionResult.blockedBySandbox === true;
+    if (!sandboxBlocked) {
+      const version = versionResult.stdout.trim();
+      assert(/^[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9A-Za-z-.]+)?$/.test(version), `unexpected settld --version output: ${JSON.stringify(version)}`);
+    }
+
+    if (sandboxBlocked) {
+      // In restricted sandboxes some child-process invocations return EPERM with status=0 and no IO.
+      // Fall back to static package checks; CI environments still execute the full behavioral path above.
+      await fs.access(path.join(packageRoot, "bin", "settld.js"));
+      await fs.access(path.join(packageRoot, "scripts", "init", "capability.mjs"));
+      await fs.access(path.join(packageRoot, "conformance", "kernel-v0", "run.mjs"));
+      await fs.access(path.join(packageRoot, "scripts", "closepack", "verify.mjs"));
+      await fs.access(path.join(packageRoot, "SETTLD_VERSION"));
+      await fs.access(path.join(packageRoot, "Dockerfile"));
+      await fs.access(path.join(packageRoot, "docker-compose.yml"));
+      await fs.access(path.join(packageRoot, "src", "api", "server.js"));
+      await fs.access(path.join(packageRoot, "services", "receiver", "src", "server.js"));
+      try {
+        await fs.access(path.join(packageRoot, "test"));
+        throw new Error("packed CLI unexpectedly includes test/ directory");
+      } catch (err) {
+        if (String(err?.message ?? "").includes("unexpectedly includes")) throw err;
+      }
+      try {
+        await fs.access(path.join(packageRoot, ".github"));
+        throw new Error("packed CLI unexpectedly includes .github/ directory");
+      } catch (err) {
+        if (String(err?.message ?? "").includes("unexpectedly includes")) throw err;
+      }
+      return;
+    }
+
+    const tarballCases = runTarballCli(["conformance", "kernel:list"]).stdout
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean);
+    assert(tarballCases.length > 0, "npx --package <tarball> settld conformance kernel:list returned no cases");
+
+    const infoRaw = runCli(["dev", "info"]).stdout.trim();
+    const info = JSON.parse(infoRaw);
+    assert(String(info.baseUrl ?? "") === "http://127.0.0.1:3000", "settld dev info baseUrl mismatch");
+    assert(String(info.tenantId ?? "") === "tenant_default", "settld dev info tenantId mismatch");
+    assert(String(info.opsToken ?? "") === "tok_ops", "settld dev info opsToken mismatch");
+
+    const cases = runCli(["conformance", "kernel:list"]).stdout
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean);
+    assert(cases.length > 0, "settld conformance kernel:list returned no cases");
+
+    runCli(["closepack", "verify", "--help"]);
+    runCli(["x402", "receipt", "verify", "--help"]);
+
+    const starterDir = path.join(outDir, "starter-capability");
+    runCli(["init", "capability", "smoke-capability", "--out", starterDir]);
+    await fs.access(path.join(starterDir, "manifest.json"));
+    await fs.access(path.join(starterDir, "manifest.sig.json"));
+    await fs.access(path.join(starterDir, "server.js"));
+    await fs.access(path.join(starterDir, "scripts", "kernel-prove.mjs"));
+    await fs.access(path.join(starterDir, "scripts", "kernel-conformance.mjs"));
+    const kernelProveSource = await fs.readFile(path.join(starterDir, "scripts", "kernel-prove.mjs"), "utf8");
+    assert(kernelProveSource.includes("import(\"settld-api-sdk\")"), "starter kernel-prove script must attempt npm SDK import first");
+  } finally {
+    await fs.rm(packDir, { recursive: true, force: true });
+    await fs.rm(unpackDir, { recursive: true, force: true });
+    await fs.rm(outDir, { recursive: true, force: true });
+    await fs.rm(npmCacheDir, { recursive: true, force: true });
+  }
+}
+
+await main();

package/scripts/ci/flake-budget-guard.mjs

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+
+const ROOT = process.cwd();
+const WORKFLOW_PATH = path.join(ROOT, ".github", "workflows", "tests.yml");
+const POLICY_DOC_PATH = path.join(ROOT, "docs", "ops", "CI_FLAKE_BUDGET.md");
+
+function fail(msg) {
+  process.stderr.write(`[flake-budget-guard] ${msg}\n`);
+  process.exit(1);
+}
+
+function requirePattern({ text, pattern, label }) {
+  if (!pattern.test(text)) {
+    fail(`missing required policy marker: ${label}`);
+  }
+}
+
+function forbidPattern({ text, pattern, label }) {
+  if (pattern.test(text)) {
+    fail(`forbidden flaky tolerance detected: ${label}`);
+  }
+}
+
+async function main() {
+  const [workflowText, policyText] = await Promise.all([
+    readFile(WORKFLOW_PATH, "utf8"),
+    readFile(POLICY_DOC_PATH, "utf8")
+  ]);
+
+  // Guard against silent flake debt by forbidding retry/continue-on-error patterns
+  // in the canonical tests workflow.
+  forbidPattern({
+    text: workflowText,
+    pattern: /\bcontinue-on-error\s*:\s*true\b/i,
+    label: "continue-on-error: true"
+  });
+  forbidPattern({
+    text: workflowText,
+    pattern: /\b--retries?\b/i,
+    label: "explicit retry flag"
+  });
+
+  // Keep policy explicit and discoverable.
+  requirePattern({
+    text: policyText,
+    pattern: /^#\s*CI Flake Budget/m,
+    label: "CI Flake Budget heading"
+  });
+  requirePattern({
+    text: policyText,
+    pattern: /\bBudget:\s*0\b/i,
+    label: "Budget: 0 policy"
+  });
+  requirePattern({
+    text: policyText,
+    pattern: /\bEscalation\b/i,
+    label: "Escalation section"
+  });
+
+  process.stdout.write("[flake-budget-guard] ok\n");
+}
+
+main().catch((err) => {
+  fail(err?.message ?? String(err ?? ""));
+});

package/scripts/ci/generate-error-codes.mjs

@@ -0,0 +1,54 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+async function walk(dir) {
+  const out = [];
+  const entries = await fs.readdir(dir, { withFileTypes: true });
+  for (const e of entries) {
+    const fp = path.join(dir, e.name);
+    if (e.isDirectory()) {
+      // eslint-disable-next-line no-await-in-loop
+      out.push(...(await walk(fp)));
+    } else if (e.isFile() && fp.endsWith(".js")) out.push(fp);
+  }
+  return out;
+}
+
+function stableSortStrings(list) {
+  return [...list].sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+}
+
+function extractErrorCodesFromJsSource(source) {
+  const codes = new Set();
+  const re = /\berror\s*:\s*"([^"]+)"/g;
+  let m;
+  while ((m = re.exec(source)) !== null) {
+    codes.add(m[1]);
+  }
+  // CLI-specific "errors[]" code (not an `error:` field).
+  if (source.includes('code: "FAIL_ON_WARNINGS"')) codes.add("FAIL_ON_WARNINGS");
+  // Defensive fallback used by CLI when no `result.error` exists.
+  if (source.includes('"FAILED"')) codes.add("FAILED");
+  return codes;
+}
+
+async function main() {
+  const repoRoot = process.cwd();
+  const srcFiles = await walk(path.join(repoRoot, "packages", "artifact-verify", "src"));
+  const cliFile = path.join(repoRoot, "packages", "artifact-verify", "bin", "settld-verify.js");
+  const files = [...srcFiles, cliFile];
+
+  const codes = new Set();
+  for (const fp of files) {
+    // eslint-disable-next-line no-await-in-loop
+    const text = await fs.readFile(fp, "utf8");
+    for (const c of extractErrorCodesFromJsSource(text)) codes.add(c);
+  }
+
+  const outPath = path.join(repoRoot, "docs", "spec", "error-codes.v1.txt");
+  const lines = stableSortStrings(codes);
+  await fs.writeFile(outPath, lines.join("\n") + "\n", "utf8");
+}
+
+await main();
+