settld 0.1.1 → 0.1.5

package/scripts/closepack/lib.mjs

@@ -15,6 +15,7 @@ import {
   SETTLEMENT_ADJUSTMENT_KIND,
   validateSettlementAdjustmentV1
 } from "../../src/core/settlement-adjustment.js";
+import { verifyX402ExecutionProofV1 } from "../../src/core/zk-verifier.js";
 import { unzipToTempSafe } from "../../packages/artifact-verify/src/safe-unzip.js";
 
 const CLOSEPACK_SCHEMA_VERSION = "KernelToolCallClosePack.v0";
@@ -210,6 +211,25 @@ function appendFile(files, filepath, jsonObject) {
   files.set(filepath, encodeJson(normalizeForCanonicalJson(jsonObject, { path: "$" })));
 }
 
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+function extractX402ReceiptZkEvidence(receipt) {
+  if (!isPlainObject(receipt)) return null;
+  if (isPlainObject(receipt.zkProof)) return receipt.zkProof;
+  if (isPlainObject(receipt.bindings?.zkProof)) return receipt.bindings.zkProof;
+  return null;
+}
+
+function canonicalJsonEquals(left, right) {
+  if (!isPlainObject(left) || !isPlainObject(right)) return false;
+  return (
+    canonicalJsonStringify(normalizeForCanonicalJson(left, { path: "$" })) ===
+    canonicalJsonStringify(normalizeForCanonicalJson(right, { path: "$" }))
+  );
+}
+
 function extractArtifactHash(artifact) {
   return typeof artifact?.artifactHash === "string" && artifact.artifactHash.trim() !== "" ? artifact.artifactHash.trim().toLowerCase() : null;
 }
@@ -279,6 +299,40 @@ export async function exportToolCallClosepack({
     method: "GET",
     pathname: `/ops/tool-calls/replay-evaluate?agreementHash=${encodeURIComponent(normalizedAgreementHash)}`
   });
+  let x402Receipt = null;
+  try {
+    const receiptList = await requestJson({
+      ...requestContext,
+      method: "GET",
+      pathname: `/x402/receipts?agreementId=${encodeURIComponent(normalizedAgreementHash)}&limit=1`
+    });
+    const receipts = Array.isArray(receiptList?.receipts) ? receiptList.receipts : [];
+    x402Receipt = receipts[0] ?? null;
+  } catch (err) {
+    addIssue(issues, {
+      code: "CLOSEPACK_X402_RECEIPT_FETCH_FAILED",
+      severity: "warning",
+      message: "failed to fetch x402 receipt for agreementHash",
+      details: { message: err?.message ?? String(err ?? "") }
+    });
+    x402Receipt = null;
+  }
+  const x402ZkEvidence = extractX402ReceiptZkEvidence(x402Receipt);
+  const x402ZkProtocol =
+    typeof x402ZkEvidence?.protocol === "string" && x402ZkEvidence.protocol.trim() !== ""
+      ? x402ZkEvidence.protocol.trim().toLowerCase()
+      : null;
+  const x402ZkPublicSignals = Array.isArray(x402ZkEvidence?.publicSignals) ? x402ZkEvidence.publicSignals : [];
+  const x402ZkProofData =
+    x402ZkEvidence?.proofData && typeof x402ZkEvidence.proofData === "object" && !Array.isArray(x402ZkEvidence.proofData)
+      ? x402ZkEvidence.proofData
+      : null;
+  const x402ZkVerificationKey =
+    x402ZkEvidence?.verificationKey &&
+    typeof x402ZkEvidence.verificationKey === "object" &&
+    !Array.isArray(x402ZkEvidence.verificationKey)
+      ? x402ZkEvidence.verificationKey
+      : null;
 
   const adjustmentId = deterministicAdjustmentId(normalizedAgreementHash);
   const adjustmentResponse = await requestJson({
@@ -432,11 +486,20 @@ export async function exportToolCallClosepack({
         agreementHash: normalizedAgreementHash,
         receiptHash: String(hold?.receiptHash ?? ""),
         holdHash: String(hold?.holdHash ?? ""),
+        x402ReceiptId:
+          typeof x402Receipt?.receiptId === "string" && x402Receipt.receiptId.trim() !== "" ? x402Receipt.receiptId.trim() : null,
         caseId: arbitrationCase?.caseId ?? null,
         adjustmentId
       },
       files: {
         hold: "state/funding_hold.json",
+        x402Receipt: x402Receipt ? "state/x402_receipt.json" : null,
+        x402ZkProof:
+          x402ZkProofData && typeof x402ZkProofData === "object" && x402ZkProtocol ? "evidence/zk/proof.json" : null,
+        x402ZkPublicSignals:
+          Array.isArray(x402ZkPublicSignals) && x402ZkPublicSignals.length > 0 && x402ZkProtocol ? "evidence/zk/public.json" : null,
+        x402ZkVerificationKey:
+          x402ZkVerificationKey && typeof x402ZkVerificationKey === "object" && x402ZkProtocol ? "evidence/zk/verification_key.json" : null,
         arbitrationCase: arbitrationCase ? "state/arbitration_case.json" : null,
         settlementAdjustment: settlementAdjustment ? "state/settlement_adjustment.json" : null,
         reputationEvents: reputationEvents.length > 0 ? "state/reputation_events.json" : null,
@@ -465,6 +528,30 @@ export async function exportToolCallClosepack({
   const files = new Map();
   appendFile(files, "closepack.json", closepack);
   appendFile(files, "state/funding_hold.json", hold);
+  if (x402Receipt && typeof x402Receipt === "object" && !Array.isArray(x402Receipt)) {
+    appendFile(files, "state/x402_receipt.json", x402Receipt);
+  }
+  if (x402ZkProofData && typeof x402ZkProofData === "object" && !Array.isArray(x402ZkProofData) && x402ZkProtocol) {
+    appendFile(files, "evidence/zk/proof.json", {
+      schemaVersion: "X402ExecutionProofData.v1",
+      protocol: x402ZkProtocol,
+      proofData: x402ZkProofData
+    });
+  }
+  if (Array.isArray(x402ZkPublicSignals) && x402ZkPublicSignals.length > 0 && x402ZkProtocol) {
+    appendFile(files, "evidence/zk/public.json", {
+      schemaVersion: "X402ExecutionProofPublicSignals.v1",
+      protocol: x402ZkProtocol,
+      publicSignals: x402ZkPublicSignals
+    });
+  }
+  if (x402ZkVerificationKey && typeof x402ZkVerificationKey === "object" && !Array.isArray(x402ZkVerificationKey) && x402ZkProtocol) {
+    appendFile(files, "evidence/zk/verification_key.json", {
+      schemaVersion: "X402ExecutionProofVerificationKey.v1",
+      protocol: x402ZkProtocol,
+      verificationKey: x402ZkVerificationKey
+    });
+  }
   if (arbitrationCase) appendFile(files, "state/arbitration_case.json", arbitrationCase);
   if (settlementAdjustment) appendFile(files, "state/settlement_adjustment.json", settlementAdjustment);
   if (reputationEvents.length > 0) {
@@ -628,6 +715,41 @@ export async function verifyToolCallClosepackZip({ zipPath } = {}) {
       reputationEvents = [];
       reputationEnvelope = null;
     }
+    const x402ReceiptPath = path.join(tmpDir, "state", "x402_receipt.json");
+    let x402Receipt = null;
+    try {
+      x402Receipt = await readJsonFile(x402ReceiptPath);
+    } catch (err) {
+      if (String(closepack?.files?.x402Receipt ?? "").trim() !== "") {
+        addIssue(issues, {
+          code: "CLOSEPACK_X402_RECEIPT_MISSING",
+          message: "state/x402_receipt.json is missing or invalid",
+          details: { message: err?.message ?? String(err ?? "") }
+        });
+      }
+      x402Receipt = null;
+    }
+    const x402ZkProofPath = path.join(tmpDir, "evidence", "zk", "proof.json");
+    const x402ZkPublicSignalsPath = path.join(tmpDir, "evidence", "zk", "public.json");
+    const x402ZkVerificationKeyPath = path.join(tmpDir, "evidence", "zk", "verification_key.json");
+    let x402ZkProofFile = null;
+    let x402ZkPublicSignalsFile = null;
+    let x402ZkVerificationKeyFile = null;
+    try {
+      x402ZkProofFile = await readJsonFile(x402ZkProofPath);
+    } catch {
+      x402ZkProofFile = null;
+    }
+    try {
+      x402ZkPublicSignalsFile = await readJsonFile(x402ZkPublicSignalsPath);
+    } catch {
+      x402ZkPublicSignalsFile = null;
+    }
+    try {
+      x402ZkVerificationKeyFile = await readJsonFile(x402ZkVerificationKeyPath);
+    } catch {
+      x402ZkVerificationKeyFile = null;
+    }
 
     if (hold && agreementHash && String(hold.agreementHash ?? "").toLowerCase() !== agreementHash) {
       addIssue(issues, {
@@ -1038,6 +1160,167 @@ export async function verifyToolCallClosepackZip({ zipPath } = {}) {
       });
     }
 
+    let x402ZkVerification = null;
+    if (x402Receipt && isPlainObject(x402Receipt)) {
+      const receiptZkEvidence = extractX402ReceiptZkEvidence(x402Receipt);
+      if (receiptZkEvidence && isPlainObject(receiptZkEvidence)) {
+        const required = receiptZkEvidence.required === true;
+        const protocolFromReceipt =
+          typeof receiptZkEvidence.protocol === "string" && receiptZkEvidence.protocol.trim() !== ""
+            ? receiptZkEvidence.protocol.trim().toLowerCase()
+            : null;
+        const proofDataFromReceipt =
+          receiptZkEvidence.proofData && typeof receiptZkEvidence.proofData === "object" && !Array.isArray(receiptZkEvidence.proofData)
+            ? receiptZkEvidence.proofData
+            : null;
+        const publicSignalsFromReceipt = Array.isArray(receiptZkEvidence.publicSignals) ? receiptZkEvidence.publicSignals : null;
+        const verificationKeyFromReceipt =
+          receiptZkEvidence.verificationKey &&
+          typeof receiptZkEvidence.verificationKey === "object" &&
+          !Array.isArray(receiptZkEvidence.verificationKey)
+            ? receiptZkEvidence.verificationKey
+            : null;
+        const verificationKeyRefFromReceipt =
+          typeof receiptZkEvidence.verificationKeyRef === "string" && receiptZkEvidence.verificationKeyRef.trim() !== ""
+            ? receiptZkEvidence.verificationKeyRef.trim()
+            : null;
+
+        const protocolFromFiles =
+          typeof x402ZkProofFile?.protocol === "string" && x402ZkProofFile.protocol.trim() !== ""
+            ? x402ZkProofFile.protocol.trim().toLowerCase()
+            : typeof x402ZkPublicSignalsFile?.protocol === "string" && x402ZkPublicSignalsFile.protocol.trim() !== ""
+              ? x402ZkPublicSignalsFile.protocol.trim().toLowerCase()
+              : typeof x402ZkVerificationKeyFile?.protocol === "string" && x402ZkVerificationKeyFile.protocol.trim() !== ""
+                ? x402ZkVerificationKeyFile.protocol.trim().toLowerCase()
+                : null;
+        const protocol = protocolFromReceipt ?? protocolFromFiles;
+
+        const proofDataFromFiles =
+          x402ZkProofFile?.proofData && typeof x402ZkProofFile.proofData === "object" && !Array.isArray(x402ZkProofFile.proofData)
+            ? x402ZkProofFile.proofData
+            : null;
+        const publicSignalsFromFiles = Array.isArray(x402ZkPublicSignalsFile?.publicSignals) ? x402ZkPublicSignalsFile.publicSignals : null;
+        const verificationKeyFromFiles =
+          x402ZkVerificationKeyFile?.verificationKey &&
+          typeof x402ZkVerificationKeyFile.verificationKey === "object" &&
+          !Array.isArray(x402ZkVerificationKeyFile.verificationKey)
+            ? x402ZkVerificationKeyFile.verificationKey
+            : null;
+
+        if (proofDataFromReceipt && proofDataFromFiles && !canonicalJsonEquals(proofDataFromReceipt, proofDataFromFiles)) {
+          addIssue(issues, {
+            code: "CLOSEPACK_X402_ZK_PROOF_MISMATCH",
+            message: "x402 zk proof in receipt and evidence/zk/proof.json do not match"
+          });
+        }
+        if (
+          Array.isArray(publicSignalsFromReceipt) &&
+          Array.isArray(publicSignalsFromFiles) &&
+          canonicalJsonStringify(normalizeForCanonicalJson(publicSignalsFromReceipt, { path: "$" })) !==
+            canonicalJsonStringify(normalizeForCanonicalJson(publicSignalsFromFiles, { path: "$" }))
+        ) {
+          addIssue(issues, {
+            code: "CLOSEPACK_X402_ZK_PUBLIC_SIGNALS_MISMATCH",
+            message: "x402 zk publicSignals in receipt and evidence/zk/public.json do not match"
+          });
+        }
+        if (verificationKeyFromReceipt && verificationKeyFromFiles && !canonicalJsonEquals(verificationKeyFromReceipt, verificationKeyFromFiles)) {
+          addIssue(issues, {
+            code: "CLOSEPACK_X402_ZK_VERIFICATION_KEY_MISMATCH",
+            message: "x402 zk verification key in receipt and evidence/zk/verification_key.json do not match"
+          });
+        }
+
+        const proofData = proofDataFromFiles ?? proofDataFromReceipt;
+        const publicSignals = publicSignalsFromFiles ?? publicSignalsFromReceipt;
+        const verificationKey = verificationKeyFromFiles ?? verificationKeyFromReceipt;
+        const statementHashSha256 =
+          typeof receiptZkEvidence.statementHashSha256 === "string" && receiptZkEvidence.statementHashSha256.trim() !== ""
+            ? receiptZkEvidence.statementHashSha256.trim().toLowerCase()
+            : typeof x402Receipt?.bindings?.quote?.quoteSha256 === "string" && x402Receipt.bindings.quote.quoteSha256.trim() !== ""
+              ? x402Receipt.bindings.quote.quoteSha256.trim().toLowerCase()
+              : null;
+        const inputDigestSha256 =
+          typeof receiptZkEvidence.inputDigestSha256 === "string" && receiptZkEvidence.inputDigestSha256.trim() !== ""
+            ? receiptZkEvidence.inputDigestSha256.trim().toLowerCase()
+            : typeof x402Receipt?.bindings?.request?.sha256 === "string" && x402Receipt.bindings.request.sha256.trim() !== ""
+              ? x402Receipt.bindings.request.sha256.trim().toLowerCase()
+              : null;
+        const outputDigestSha256 =
+          typeof receiptZkEvidence.outputDigestSha256 === "string" && receiptZkEvidence.outputDigestSha256.trim() !== ""
+            ? receiptZkEvidence.outputDigestSha256.trim().toLowerCase()
+            : typeof x402Receipt?.bindings?.response?.sha256 === "string" && x402Receipt.bindings.response.sha256.trim() !== ""
+              ? x402Receipt.bindings.response.sha256.trim().toLowerCase()
+              : null;
+        const hasProofMaterial =
+          typeof protocol === "string" &&
+          protocol.trim() !== "" &&
+          Array.isArray(publicSignals) &&
+          proofData &&
+          typeof proofData === "object" &&
+          !Array.isArray(proofData);
+
+        if (!hasProofMaterial) {
+          if (required) {
+            addIssue(issues, {
+              code: "CLOSEPACK_X402_ZK_PROOF_MISSING",
+              message: "required x402 zk proof material is missing from closepack",
+              details: {
+                hasProtocol: Boolean(protocol),
+                hasPublicSignals: Array.isArray(publicSignals),
+                hasProofData: Boolean(proofData)
+              }
+            });
+          }
+        } else {
+          x402ZkVerification = await verifyX402ExecutionProofV1({
+            proof: {
+              protocol,
+              publicSignals,
+              proofData,
+              ...(verificationKey ? { verificationKey } : {}),
+              ...(verificationKeyRefFromReceipt ? { verificationKeyRef: verificationKeyRefFromReceipt } : {}),
+              ...(statementHashSha256 ? { statementHashSha256 } : {}),
+              ...(inputDigestSha256 ? { inputDigestSha256 } : {}),
+              ...(outputDigestSha256 ? { outputDigestSha256 } : {})
+            },
+            verificationKey,
+            expectedVerificationKeyRef: verificationKeyRefFromReceipt,
+            requiredProtocol: protocol,
+            expectedBindings: {
+              statementHashSha256,
+              inputDigestSha256,
+              outputDigestSha256
+            },
+            requireBindings: required
+          });
+          if (x402ZkVerification?.verified !== true) {
+            if (required) {
+              addIssue(issues, {
+                code: "CLOSEPACK_X402_ZK_PROOF_INVALID",
+                message: "required x402 zk proof failed offline verification",
+                details: {
+                  status: x402ZkVerification?.status ?? null,
+                  code: x402ZkVerification?.code ?? null,
+                  message: x402ZkVerification?.message ?? null
+                }
+              });
+            } else {
+              addIssue(issues, {
+                code: "CLOSEPACK_X402_ZK_PROOF_OPTIONAL_UNVERIFIED",
+                severity: "warning",
+                message: "optional x402 zk proof did not verify offline",
+                details: {
+                  status: x402ZkVerification?.status ?? null,
+                  code: x402ZkVerification?.code ?? null
+                }
+              });
+            }
+          }
+        }
+      }
+    }
+
     const errorCount = issues.filter((issue) => issue.severity !== "warning").length;
     return {
       schemaVersion: VERIFY_REPORT_SCHEMA_VERSION,
@@ -1056,6 +1339,9 @@ export async function verifyToolCallClosepackZip({ zipPath } = {}) {
         holdHash: hold?.holdHash ?? null,
         caseId: arbitrationCase?.caseId ?? null,
         adjustmentId: settlementAdjustment?.adjustmentId ?? null,
+        x402ReceiptId:
+          typeof x402Receipt?.receiptId === "string" && x402Receipt.receiptId.trim() !== "" ? x402Receipt.receiptId.trim() : null,
+        x402ZkVerified: x402ZkVerification?.verified === true,
         artifacts: artifacts.length,
         identities: identities.length,
         reputationEvents: reputationEvents.length

package/scripts/collect-debug.sh

@@ -0,0 +1,263 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_VERSION="1"
+WORKDIR=""
+
+usage() {
+  cat <<'EOH' >&2
+Collect a Settld debug bundle for quickstart / Docker issues.
+
+This script captures basic host + repo + Docker/Compose info and (optionally) compose logs,
+then packages everything into a single archive you can attach to a GitHub issue.
+
+Usage:
+  scripts/collect-debug.sh [--out <path>] [--project-dir <dir>] [--tail <N>] [--no-logs] [--zip] [--dry-run]
+
+Options:
+  --out <path>         Output archive path. Default: ./settld-debug-<ts>.tar.gz
+  --project-dir <dir>  Directory to run docker compose from. Default: repo root.
+  --tail <N>           Number of log lines to collect per service. Default: 2000
+  --no-logs            Skip collecting compose logs.
+  --zip                Create a .zip (requires `zip`). Default is .tar.gz
+  --dry-run            Print what would be collected and exit.
+  -h, --help           Show this help.
+
+Notes:
+  - Review the bundle before sharing. Logs can contain secrets.
+  - The script will still produce a bundle even if Docker is not installed/running.
+EOH
+}
+
+die() {
+  echo "error: $*" >&2
+  exit 2
+}
+
+quote_cmd() {
+  local out=""
+  local arg
+  for arg in "$@"; do
+    out+="$(printf '%q ' "$arg")"
+  done
+  printf '%s' "${out% }"
+}
+
+run_cmd() {
+  local out_file="$1"
+  shift
+  mkdir -p "$(dirname "$out_file")"
+  local cmd
+  cmd="$(quote_cmd "$@")"
+  {
+    echo "\$ ${cmd}"
+    set +e
+    "$@"
+    local rc=$?
+    set -e
+    echo
+    echo "exit_code=${rc}"
+  } >"$out_file" 2>&1
+  return 0
+}
+
+write_kv_file() {
+  local out_file="$1"
+  shift
+  mkdir -p "$(dirname "$out_file")"
+  {
+    for kv in "$@"; do
+      echo "$kv"
+    done
+  } >"$out_file"
+}
+
+sha256_file() {
+  local p="$1"
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$p" | awk '{print $1}'
+    return 0
+  fi
+  if command -v shasum >/dev/null 2>&1; then
+    shasum -a 256 "$p" | awk '{print $1}'
+    return 0
+  fi
+  echo "unknown"
+}
+
+main() {
+  local root
+  root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+  local out_path=""
+  local project_dir="$root"
+  local tail_lines="2000"
+  local no_logs="0"
+  local want_zip="0"
+  local dry_run="0"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --out)
+        [[ $# -ge 2 ]] || die "--out requires a value"
+        out_path="$2"
+        shift 2
+        ;;
+      --project-dir)
+        [[ $# -ge 2 ]] || die "--project-dir requires a value"
+        project_dir="$2"
+        shift 2
+        ;;
+      --tail)
+        [[ $# -ge 2 ]] || die "--tail requires a value"
+        tail_lines="$2"
+        shift 2
+        ;;
+      --no-logs)
+        no_logs="1"
+        shift
+        ;;
+      --zip)
+        want_zip="1"
+        shift
+        ;;
+      --dry-run)
+        dry_run="1"
+        shift
+        ;;
+      -h|--help)
+        usage
+        exit 0
+        ;;
+      *)
+        die "unknown argument: $1"
+        ;;
+    esac
+  done
+
+  if [[ ! -d "$project_dir" ]]; then
+    die "project dir not found: $project_dir"
+  fi
+
+  local ts bundle_name
+  ts="$(date -u +%Y%m%dT%H%M%SZ)"
+  bundle_name="settld-debug-${ts}"
+
+  if [[ -z "$out_path" ]]; then
+    if [[ "$want_zip" == "1" ]]; then
+      out_path="./${bundle_name}.zip"
+    else
+      out_path="./${bundle_name}.tar.gz"
+    fi
+  fi
+
+  if [[ "$dry_run" == "1" ]]; then
+    local logs_msg="enabled"
+    if [[ "$no_logs" == "1" ]]; then
+      logs_msg="skipped (--no-logs)"
+    fi
+    cat <<EOF
+Would create:
+  bundle: ${bundle_name}/
+  archive: ${out_path}
+
+Would collect:
+  - Host: uname, os-release (if present), sw_vers (if present)
+  - Runtime: bash/node/npm versions (if present)
+  - Repo: git head + git status (if present)
+  - Docker: version + info (if present)
+  - Compose: version + ps + config
+  - Compose logs: ${logs_msg} (tail=${tail_lines})
+EOF
+    exit 0
+  fi
+
+  WORKDIR="$(mktemp -d)"
+  local bundle_dir
+  bundle_dir="${WORKDIR}/${bundle_name}"
+  mkdir -p "$bundle_dir"
+  trap 'if [ -n "${WORKDIR:-}" ] && [ -d "${WORKDIR:-}" ]; then rm -rf "$WORKDIR"; fi' EXIT
+
+  write_kv_file "${bundle_dir}/meta.txt" \
+    "script=collect-debug.sh" \
+    "script_version=${SCRIPT_VERSION}" \
+    "collected_at_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+    "project_dir=${project_dir}"
+
+  run_cmd "${bundle_dir}/host/uname.txt" uname -a
+  if [[ -f /etc/os-release ]]; then
+    run_cmd "${bundle_dir}/host/os-release.txt" cat /etc/os-release
+  fi
+  if command -v sw_vers >/dev/null 2>&1; then
+    run_cmd "${bundle_dir}/host/sw_vers.txt" sw_vers
+  fi
+
+  run_cmd "${bundle_dir}/runtime/bash-version.txt" bash --version
+  if command -v node >/dev/null 2>&1; then
+    run_cmd "${bundle_dir}/runtime/node-version.txt" node --version
+  fi
+  if command -v npm >/dev/null 2>&1; then
+    run_cmd "${bundle_dir}/runtime/npm-version.txt" npm --version
+  fi
+
+  if command -v git >/dev/null 2>&1; then
+    run_cmd "${bundle_dir}/repo/git-head.txt" git -C "$root" rev-parse HEAD
+    run_cmd "${bundle_dir}/repo/git-status.txt" git -C "$root" status -sb
+  fi
+
+  write_kv_file "${bundle_dir}/env/selected.txt" \
+    "PATH=$([[ -n "${PATH:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "DOCKER_HOST=$([[ -n "${DOCKER_HOST:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "DOCKER_CONTEXT=$([[ -n "${DOCKER_CONTEXT:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "COMPOSE_FILE=$([[ -n "${COMPOSE_FILE:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "COMPOSE_PROJECT_NAME=$([[ -n "${COMPOSE_PROJECT_NAME:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "HTTP_PROXY=$([[ -n "${HTTP_PROXY:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "HTTPS_PROXY=$([[ -n "${HTTPS_PROXY:-}" ]] && echo '<set>' || echo '<unset>')" \
+    "NO_PROXY=$([[ -n "${NO_PROXY:-}" ]] && echo '<set>' || echo '<unset>')"
+
+  if command -v docker >/dev/null 2>&1; then
+    run_cmd "${bundle_dir}/docker/docker-version.txt" docker --version
+    run_cmd "${bundle_dir}/docker/docker-info.txt" docker info
+  else
+    write_kv_file "${bundle_dir}/docker/docker-missing.txt" "docker=<missing>"
+  fi
+
+  # Compose info (prefer `docker compose`, fall back to `docker-compose`).
+  local compose_kind="none"
+  local -a compose_cmd=()
+  if command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+    compose_kind="docker-compose-plugin"
+    compose_cmd=(docker compose)
+  elif command -v docker-compose >/dev/null 2>&1; then
+    compose_kind="docker-compose-standalone"
+    compose_cmd=(docker-compose)
+  fi
+
+  write_kv_file "${bundle_dir}/compose/compose-kind.txt" "compose_kind=${compose_kind}"
+  if [[ "$compose_kind" != "none" ]]; then
+    run_cmd "${bundle_dir}/compose/compose-version.txt" "${compose_cmd[@]}" version
+    run_cmd "${bundle_dir}/compose/compose-ps.txt" "${compose_cmd[@]}" -f "${project_dir}/docker-compose.yml" ps
+    run_cmd "${bundle_dir}/compose/compose-config.txt" "${compose_cmd[@]}" -f "${project_dir}/docker-compose.yml" config
+
+    if [[ "$no_logs" != "1" ]]; then
+      run_cmd "${bundle_dir}/compose/compose-logs.txt" "${compose_cmd[@]}" -f "${project_dir}/docker-compose.yml" logs --no-color --tail "$tail_lines"
+    fi
+  fi
+
+  # Pack archive.
+  mkdir -p "$(dirname "$out_path")" || true
+  if [[ "$want_zip" == "1" ]]; then
+    command -v zip >/dev/null 2>&1 || die "--zip requested but `zip` is not installed"
+    (cd "$WORKDIR" && zip -r -q "$out_path" "$bundle_name")
+  else
+    (cd "$WORKDIR" && tar -czf "$out_path" "$bundle_name")
+  fi
+
+  local sum
+  sum="$(sha256_file "$out_path")"
+  printf '%s  %s\n' "$sum" "$(basename "$out_path")" > "${out_path}.sha256" 2>/dev/null || true
+  echo "wrote: ${out_path}"
+  echo "sha256: ${sum}"
+}
+
+main "$@"