settld 0.1.2 → 0.2.0

package/scripts/ci/changelog-guard.mjs

@@ -0,0 +1,145 @@
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+
+function loadV1FreezeFiles() {
+  try {
+    const raw = fs.readFileSync("test/fixtures/protocol-v1-freeze.json", "utf8");
+    const json = JSON.parse(raw);
+    const files = json?.files && typeof json.files === "object" && !Array.isArray(json.files) ? Object.keys(json.files) : [];
+    return new Set(files);
+  } catch {
+    return new Set();
+  }
+}
+
+const V1_FROZEN_FILES = loadV1FreezeFiles();
+
+function usage() {
+  // eslint-disable-next-line no-console
+  console.error("usage: node scripts/ci/changelog-guard.mjs --base <sha> --head <sha>");
+  process.exit(2);
+}
+
+function parseArgs(argv) {
+  let base = null;
+  let head = null;
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--base") {
+      base = argv[i + 1] ?? null;
+      i += 1;
+      continue;
+    }
+    if (a === "--head") {
+      head = argv[i + 1] ?? null;
+      i += 1;
+      continue;
+    }
+    if (a === "--help" || a === "-h") usage();
+    usage();
+  }
+  if (!base || !head) usage();
+  return { base, head };
+}
+
+function changedFiles(base, head) {
+  const out = execFileSync("git", ["diff", "--name-only", `${base}..${head}`], { encoding: "utf8" });
+  return out
+    .split("\n")
+    .map((s) => s.trim())
+    .filter(Boolean);
+}
+
+function commitMessages(base, head) {
+  try {
+    const out = execFileSync("git", ["log", "--format=%B", `${base}..${head}`], { encoding: "utf8" });
+    return String(out ?? "");
+  } catch {
+    return "";
+  }
+}
+
+function readLabelsFromGithubEvent() {
+  try {
+    const p = process.env.GITHUB_EVENT_PATH ?? null;
+    if (!p || !fs.existsSync(p)) return [];
+    const raw = fs.readFileSync(p, "utf8");
+    const json = JSON.parse(raw);
+    const labels = json?.pull_request?.labels ?? [];
+    if (!Array.isArray(labels)) return [];
+    return labels.map((l) => String(l?.name ?? "")).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+function readPrBodyFromGithubEvent() {
+  try {
+    const p = process.env.GITHUB_EVENT_PATH ?? null;
+    if (!p || !fs.existsSync(p)) return "";
+    const raw = fs.readFileSync(p, "utf8");
+    const json = JSON.parse(raw);
+    return String(json?.pull_request?.body ?? "");
+  } catch {
+    return "";
+  }
+}
+
+function matchesProtocolSurface(fp) {
+  const prefixes = [
+    "docs/spec/",
+    "scripts/spec/",
+    "test/fixtures/protocol-vectors/",
+    "test/fixtures/bundles/"
+  ];
+  return prefixes.some((p) => fp.startsWith(p));
+}
+
+function isV1FrozenSurface(fp) {
+  return V1_FROZEN_FILES.has(fp);
+}
+
+function hasProtocolChangeMarker(text) {
+  const t = String(text ?? "").toLowerCase();
+  return t.includes("[protocol-change]") || t.includes("protocol-change:");
+}
+
+const { base, head } = parseArgs(process.argv.slice(2));
+const files = changedFiles(base, head);
+const touchedChangelog = files.includes("CHANGELOG.md");
+const protocolSurfaceChanged = files.some(matchesProtocolSurface);
+const v1FrozenChanged = files.some(isV1FrozenSurface);
+const labels = readLabelsFromGithubEvent();
+const hasReleaseNoteLabel = labels.includes("release-note");
+
+if (!touchedChangelog && (protocolSurfaceChanged || hasReleaseNoteLabel)) {
+  // eslint-disable-next-line no-console
+  console.error("CHANGELOG.md must be updated for this PR.");
+  // eslint-disable-next-line no-console
+  if (protocolSurfaceChanged) console.error("- Reason: protocol surface files changed (docs/spec, schemas, vectors, or fixtures).");
+  // eslint-disable-next-line no-console
+  if (hasReleaseNoteLabel) console.error("- Reason: PR is labeled release-note.");
+  process.exit(1);
+}
+
+if (v1FrozenChanged && process.env.ALLOW_PROTOCOL_V1_MUTATION !== "1") {
+  const markerText = `${readPrBodyFromGithubEvent()}\n${commitMessages(base, head)}`;
+  const hasMarker = hasProtocolChangeMarker(markerText);
+  if (!hasMarker || !touchedChangelog) {
+    // eslint-disable-next-line no-console
+    console.error("Protocol v1 freeze gate: v1 schemas/vectors changed.");
+    // eslint-disable-next-line no-console
+    console.error("- This requires (1) CHANGELOG.md update and (2) an explicit protocol-change marker in the PR body or commit message.");
+    // eslint-disable-next-line no-console
+    console.error("- Marker examples: [protocol-change] or protocol-change:");
+    // eslint-disable-next-line no-console
+    console.error("- Override (local only): ALLOW_PROTOCOL_V1_MUTATION=1");
+    // eslint-disable-next-line no-console
+    console.error("Changed frozen files:");
+    for (const fp of files.filter(isV1FrozenSurface)) {
+      // eslint-disable-next-line no-console
+      console.error(`- ${fp}`);
+    }
+    process.exit(1);
+  }
+}

package/scripts/ci/check-kernel-v0-launch-gate.mjs

@@ -0,0 +1,233 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+
+const DEFAULT_AUDIT_PATH = "planning/kernel-v0-truth-audit.md";
+
+const REQUIRED_TRUE_CLAIMS_BY_MODE = {
+  prepublish: [
+    {
+      key: "dispute_envelope_required",
+      description: "Signed dispute-open envelope required for non-admin opens",
+      match: /signed dispute-open envelope required for non-admin opens/i
+    },
+    {
+      key: "holdback_freeze_open_arbitration",
+      description: "Holdback tick skips auto-release when arbitration is open",
+      match: /holdback tick skips auto-release when arbitration is open/i
+    },
+    {
+      key: "deterministic_holdback_adjustment",
+      description: "Deterministic holdback adjustment flow exists",
+      match: /deterministic holdback adjustment flow exists/i
+    },
+    {
+      key: "tool_call_replay_endpoint",
+      description: "Tool-call replay endpoint exists and is wired",
+      match: /tool-call replay endpoint exists and is wired/i
+    },
+    {
+      key: "run_replay_endpoint",
+      description: "Run settlement replay endpoint exists",
+      match: /run settlement replay endpoint exists/i
+    },
+    {
+      key: "closepack_offline_verify_gated",
+      description: "Closepack export + offline verify exists and is conformance-gated",
+      match: /closepack export \+ offline verify exists and is conformance-gated/i
+    },
+    {
+      key: "deterministic_verifier_meaningful_fail",
+      description: "Deterministic verifier exists with at least one meaningful failing case",
+      match: /deterministic verifier exists with at least one meaningful failing case/i
+    },
+    {
+      key: "reputation_true",
+      description: "Reputation is indexed/readable and idempotent insert paths exist",
+      match: /reputation is indexed\/readable and idempotent insert paths exist/i
+    },
+    {
+      key: "registry_publish_wired",
+      description: "Registry publish is wired",
+      match: /registry publish is wired/i
+    }
+  ],
+  postpublish: [
+    {
+      key: "dispute_envelope_required",
+      description: "Signed dispute-open envelope required for non-admin opens",
+      match: /signed dispute-open envelope required for non-admin opens/i
+    },
+    {
+      key: "holdback_freeze_open_arbitration",
+      description: "Holdback tick skips auto-release when arbitration is open",
+      match: /holdback tick skips auto-release when arbitration is open/i
+    },
+    {
+      key: "deterministic_holdback_adjustment",
+      description: "Deterministic holdback adjustment flow exists",
+      match: /deterministic holdback adjustment flow exists/i
+    },
+    {
+      key: "tool_call_replay_endpoint",
+      description: "Tool-call replay endpoint exists and is wired",
+      match: /tool-call replay endpoint exists and is wired/i
+    },
+    {
+      key: "run_replay_endpoint",
+      description: "Run settlement replay endpoint exists",
+      match: /run settlement replay endpoint exists/i
+    },
+    {
+      key: "closepack_offline_verify_gated",
+      description: "Closepack export + offline verify exists and is conformance-gated",
+      match: /closepack export \+ offline verify exists and is conformance-gated/i
+    },
+    {
+      key: "deterministic_verifier_meaningful_fail",
+      description: "Deterministic verifier exists with at least one meaningful failing case",
+      match: /deterministic verifier exists with at least one meaningful failing case/i
+    },
+    {
+      key: "reputation_true",
+      description: "Reputation is indexed/readable and idempotent insert paths exist",
+      match: /reputation is indexed\/readable and idempotent insert paths exist/i
+    },
+    {
+      key: "npm_publish_proven",
+      description: "First live npm publish proven",
+      match: /first live npm publish proven/i
+    }
+  ]
+};
+
+const REQUIRED_TRUE_CLAIMS = REQUIRED_TRUE_CLAIMS_BY_MODE.prepublish;
+
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const out = { file: DEFAULT_AUDIT_PATH, mode: "prepublish" };
+  for (let i = 0; i < args.length; i += 1) {
+    const a = args[i];
+    if ((a === "--file" || a === "-f") && args[i + 1]) {
+      out.file = args[i + 1];
+      i += 1;
+    } else if ((a === "--mode" || a === "-m") && args[i + 1]) {
+      const mode = String(args[i + 1]).trim().toLowerCase();
+      if (mode !== "prepublish" && mode !== "postpublish") {
+        throw new Error(`invalid --mode: ${mode} (expected prepublish|postpublish)`);
+      }
+      out.mode = mode;
+      i += 1;
+    } else if (a === "--help" || a === "-h") {
+      out.help = true;
+    } else {
+      throw new Error(`unknown argument: ${a}`);
+    }
+  }
+  return out;
+}
+
+function usage() {
+  return [
+    "Usage: node scripts/ci/check-kernel-v0-launch-gate.mjs [--file <path>] [--mode prepublish|postpublish]",
+    "",
+    "Fails when required Kernel v0 launch claims are not marked TRUE in",
+    "planning/kernel-v0-truth-audit.md."
+  ].join("\n");
+}
+
+function parseClaimStatuses(markdown) {
+  const rows = [];
+  const lines = markdown.split(/\r?\n/);
+  for (const line of lines) {
+    if (!line.startsWith("|")) continue;
+    const cols = line.split("|").map((c) => c.trim());
+    if (cols.length < 4) continue;
+    const claim = cols[1] || "";
+    const statusCell = cols[2] || "";
+    if (!claim || /^-+$/.test(claim.replace(/\s+/g, ""))) continue;
+    const statusMatch = statusCell.match(/\*\*(TRUE|PARTIAL|FALSE)\*\*/i);
+    if (!statusMatch) continue;
+    rows.push({ claim, status: statusMatch[1].toUpperCase() });
+  }
+  return rows;
+}
+
+function findClaim(rows, matcher) {
+  return rows.find((r) => matcher.test(r.claim));
+}
+
+function main() {
+  let opts;
+  try {
+    opts = parseArgs(process.argv);
+  } catch (err) {
+    console.error(String(err?.message || err));
+    console.error("");
+    console.error(usage());
+    process.exit(2);
+  }
+
+  if (opts.help) {
+    console.log(usage());
+    return;
+  }
+
+  const auditPath = path.resolve(process.cwd(), opts.file);
+  if (!fs.existsSync(auditPath)) {
+    console.error(`launch gate audit file not found: ${auditPath}`);
+    process.exit(2);
+  }
+
+  const markdown = fs.readFileSync(auditPath, "utf8");
+  const rows = parseClaimStatuses(markdown);
+  if (rows.length === 0) {
+    console.error(`no TRUE/PARTIAL/FALSE claim rows found in ${auditPath}`);
+    process.exit(2);
+  }
+  const requiredClaims = REQUIRED_TRUE_CLAIMS_BY_MODE[opts.mode] || REQUIRED_TRUE_CLAIMS;
+
+  const failures = [];
+  const passes = [];
+  for (const requirement of requiredClaims) {
+    const row = findClaim(rows, requirement.match);
+    if (!row) {
+      failures.push({
+        key: requirement.key,
+        description: requirement.description,
+        reason: "MISSING_CLAIM_ROW"
+      });
+      continue;
+    }
+    if (row.status !== "TRUE") {
+      failures.push({
+        key: requirement.key,
+        description: requirement.description,
+        reason: `STATUS_${row.status}`
+      });
+      continue;
+    }
+    passes.push({ key: requirement.key, description: requirement.description });
+  }
+
+  console.log("Kernel v0 launch gate checklist");
+  console.log(`Mode: ${opts.mode}`);
+  console.log(`Audit file: ${path.relative(process.cwd(), auditPath)}`);
+  console.log(`Required TRUE claims: ${requiredClaims.length}`);
+  console.log(`Pass: ${passes.length}`);
+  console.log(`Fail: ${failures.length}`);
+
+  if (failures.length > 0) {
+    console.error("\nLaunch gate check failed:");
+    for (const failure of failures) {
+      console.error(`- ${failure.key}: ${failure.description} (${failure.reason})`);
+    }
+    process.exit(1);
+  }
+
+  console.log("\nAll required launch gate claims are TRUE.");
+}
+
+main();

package/scripts/ci/check-secret-hygiene.mjs

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+
+const PRIVATE_KEY_PATTERNS = Object.freeze([
+  /(^|\r?\n)-----BEGIN PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN EC PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN RSA PRIVATE KEY-----\r?\n/m,
+  /(^|\r?\n)-----BEGIN OPENSSH PRIVATE KEY-----\r?\n/m
+]);
+
+const ALLOWED_PREFIXES = Object.freeze([
+  "test/fixtures/",
+  "conformance/",
+  "docs/spec/examples/",
+  "scripts/pilot/fixtures/"
+]);
+
+function listTrackedFiles() {
+  const output = execFileSync("git", ["ls-files", "-z"], { encoding: "utf8" });
+  return output
+    .split("\0")
+    .map((row) => row.trim())
+    .filter((row) => row.length > 0);
+}
+
+function isAllowedFixturePath(filePath) {
+  return ALLOWED_PREFIXES.some((prefix) => filePath.startsWith(prefix));
+}
+
+function hasPrivateKeyMaterial(filePath) {
+  const absolutePath = path.resolve(process.cwd(), filePath);
+  const buffer = fs.readFileSync(absolutePath);
+  if (buffer.includes(0)) return false;
+  const text = buffer.toString("utf8");
+  return PRIVATE_KEY_PATTERNS.some((pattern) => pattern.test(text));
+}
+
+function main() {
+  const tracked = listTrackedFiles();
+  const violations = [];
+
+  for (const filePath of tracked) {
+    if (filePath.startsWith("keys/")) {
+      violations.push(`${filePath}: tracked key material is forbidden`);
+      continue;
+    }
+    if (isAllowedFixturePath(filePath)) continue;
+    try {
+      if (hasPrivateKeyMaterial(filePath)) {
+        violations.push(`${filePath}: private key marker detected`);
+      }
+    } catch (err) {
+      violations.push(`${filePath}: failed to scan (${err?.message ?? String(err)})`);
+    }
+  }
+
+  if (violations.length > 0) {
+    process.stderr.write("secret hygiene check failed:\n");
+    for (const violation of violations) process.stderr.write(`- ${violation}\n`);
+    process.exit(1);
+  }
+
+  process.stdout.write(
+    JSON.stringify(
+      {
+        ok: true,
+        checkedAt: new Date().toISOString(),
+        trackedFilesScanned: tracked.length
+      },
+      null,
+      2
+    ) + "\n"
+  );
+}
+
+main();

package/scripts/ci/check-version-consistency.mjs

@@ -0,0 +1,42 @@
+import fs from "node:fs";
+import path from "node:path";
+
+function readTrimmed(filePath) {
+  return String(fs.readFileSync(filePath, "utf8")).trim();
+}
+
+function fail(message) {
+  // eslint-disable-next-line no-console
+  console.error(message);
+  process.exit(1);
+}
+
+const repoRoot = process.cwd();
+const settldVersionPath = path.join(repoRoot, "SETTLD_VERSION");
+const artifactVerifyPackagePath = path.join(repoRoot, "packages", "artifact-verify", "package.json");
+
+if (!fs.existsSync(settldVersionPath)) {
+  fail("version consistency check failed: SETTLD_VERSION file is missing");
+}
+if (!fs.existsSync(artifactVerifyPackagePath)) {
+  fail("version consistency check failed: packages/artifact-verify/package.json is missing");
+}
+
+const repoVersion = readTrimmed(settldVersionPath);
+const artifactVerifyPackage = JSON.parse(fs.readFileSync(artifactVerifyPackagePath, "utf8"));
+const artifactVerifyVersion = String(artifactVerifyPackage.version ?? "").trim();
+
+if (!repoVersion) {
+  fail("version consistency check failed: SETTLD_VERSION is empty");
+}
+if (!artifactVerifyVersion) {
+  fail("version consistency check failed: packages/artifact-verify/package.json version is empty");
+}
+if (repoVersion !== artifactVerifyVersion) {
+  fail(
+    `version consistency check failed: SETTLD_VERSION=${repoVersion} does not match packages/artifact-verify/package.json version=${artifactVerifyVersion}`
+  );
+}
+
+// eslint-disable-next-line no-console
+console.log(`version consistency check passed: ${repoVersion}`);

package/scripts/ci/cli-pack-smoke.mjs

@@ -0,0 +1,160 @@
+import { spawnSync } from "node:child_process";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+
+function sh(cmd, args, { cwd, env } = {}) {
+  const res = spawnSync(cmd, args, { cwd, env, encoding: "utf8" });
+  if (res.status !== 0) {
+    const err = (res.stderr || res.stdout || "").trim();
+    throw new Error(`${cmd} ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+  }
+  return res.stdout;
+}
+
+function assert(cond, msg) {
+  if (!cond) throw new Error(msg);
+}
+
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, `'\"'\"'`)}'`;
+}
+
+async function main() {
+  const repoRoot = process.cwd();
+  const packDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-pack-"));
+  const unpackDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-unpack-"));
+  const outDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-out-"));
+  const npmCacheDir = await fs.mkdtemp(path.join(os.tmpdir(), "settld-cli-cache-"));
+
+  const npmEnv = {
+    ...process.env,
+    NPM_CONFIG_CACHE: npmCacheDir,
+    npm_config_cache: npmCacheDir,
+    npm_config_update_notifier: "false"
+  };
+
+  try {
+    sh("npm", ["--cache", npmCacheDir, "pack", "--silent", "--pack-destination", packDir], { cwd: repoRoot, env: npmEnv });
+    const packed = (await fs.readdir(packDir)).filter((name) => /^settld-.*\.tgz$/.test(name)).sort();
+    assert(packed.length > 0, "npm pack did not produce settld-*.tgz");
+    const tarballPath = path.join(packDir, packed[packed.length - 1]);
+    sh("tar", ["-xzf", tarballPath, "-C", unpackDir], { env: npmEnv });
+    const packageRoot = path.join(unpackDir, "package");
+    const cliPath = path.join(packageRoot, "bin", "settld.js");
+
+    const runTarballCli = (args) => {
+      const cmd = ["npx", "--yes", "--package", tarballPath, "--", "settld", ...args].map(shellQuote).join(" ");
+      const res = spawnSync("bash", ["-lc", cmd], {
+        cwd: packDir,
+        env: npmEnv,
+        encoding: "utf8"
+      });
+      const blockedBySandbox =
+        res.error &&
+        res.error.code === "EPERM" &&
+        res.status === 0 &&
+        String(res.stdout ?? "").trim() === "" &&
+        String(res.stderr ?? "").trim() === "";
+      if (blockedBySandbox) return { stdout: "", blockedBySandbox: true };
+      if (res.status !== 0) {
+        const err = (res.stderr || res.stdout || "").trim();
+        throw new Error(`npx --package <tarball> settld ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+      }
+      return { stdout: String(res.stdout ?? ""), blockedBySandbox: false };
+    };
+
+    const runCli = (args) => {
+      const cmd = [process.execPath, cliPath, ...args].map(shellQuote).join(" ");
+      const res = spawnSync("bash", ["-lc", cmd], {
+        cwd: packageRoot,
+        env: npmEnv,
+        encoding: "utf8"
+      });
+      const blockedBySandbox =
+        res.error &&
+        res.error.code === "EPERM" &&
+        res.status === 0 &&
+        String(res.stdout ?? "").trim() === "" &&
+        String(res.stderr ?? "").trim() === "";
+      if (blockedBySandbox) return { stdout: "", blockedBySandbox: true };
+      if (res.status !== 0) {
+        const err = (res.stderr || res.stdout || "").trim();
+        throw new Error(`settld ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+      }
+      return { stdout: String(res.stdout ?? ""), blockedBySandbox: false };
+    };
+
+    const versionResult = runTarballCli(["--version"]);
+    const sandboxBlocked = versionResult.blockedBySandbox === true;
+    if (!sandboxBlocked) {
+      const version = versionResult.stdout.trim();
+      assert(/^[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9A-Za-z-.]+)?$/.test(version), `unexpected settld --version output: ${JSON.stringify(version)}`);
+    }
+
+    if (sandboxBlocked) {
+      // In restricted sandboxes some child-process invocations return EPERM with status=0 and no IO.
+      // Fall back to static package checks; CI environments still execute the full behavioral path above.
+      await fs.access(path.join(packageRoot, "bin", "settld.js"));
+      await fs.access(path.join(packageRoot, "scripts", "init", "capability.mjs"));
+      await fs.access(path.join(packageRoot, "conformance", "kernel-v0", "run.mjs"));
+      await fs.access(path.join(packageRoot, "scripts", "closepack", "verify.mjs"));
+      await fs.access(path.join(packageRoot, "SETTLD_VERSION"));
+      await fs.access(path.join(packageRoot, "Dockerfile"));
+      await fs.access(path.join(packageRoot, "docker-compose.yml"));
+      await fs.access(path.join(packageRoot, "src", "api", "server.js"));
+      await fs.access(path.join(packageRoot, "services", "receiver", "src", "server.js"));
+      try {
+        await fs.access(path.join(packageRoot, "test"));
+        throw new Error("packed CLI unexpectedly includes test/ directory");
+      } catch (err) {
+        if (String(err?.message ?? "").includes("unexpectedly includes")) throw err;
+      }
+      try {
+        await fs.access(path.join(packageRoot, ".github"));
+        throw new Error("packed CLI unexpectedly includes .github/ directory");
+      } catch (err) {
+        if (String(err?.message ?? "").includes("unexpectedly includes")) throw err;
+      }
+      return;
+    }
+
+    const tarballCases = runTarballCli(["conformance", "kernel:list"]).stdout
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean);
+    assert(tarballCases.length > 0, "npx --package <tarball> settld conformance kernel:list returned no cases");
+
+    const infoRaw = runCli(["dev", "info"]).stdout.trim();
+    const info = JSON.parse(infoRaw);
+    assert(String(info.baseUrl ?? "") === "http://127.0.0.1:3000", "settld dev info baseUrl mismatch");
+    assert(String(info.tenantId ?? "") === "tenant_default", "settld dev info tenantId mismatch");
+    assert(String(info.opsToken ?? "") === "tok_ops", "settld dev info opsToken mismatch");
+
+    const cases = runCli(["conformance", "kernel:list"]).stdout
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean);
+    assert(cases.length > 0, "settld conformance kernel:list returned no cases");
+
+    runCli(["closepack", "verify", "--help"]);
+    runCli(["x402", "receipt", "verify", "--help"]);
+
+    const starterDir = path.join(outDir, "starter-capability");
+    runCli(["init", "capability", "smoke-capability", "--out", starterDir]);
+    await fs.access(path.join(starterDir, "manifest.json"));
+    await fs.access(path.join(starterDir, "manifest.sig.json"));
+    await fs.access(path.join(starterDir, "server.js"));
+    await fs.access(path.join(starterDir, "scripts", "kernel-prove.mjs"));
+    await fs.access(path.join(starterDir, "scripts", "kernel-conformance.mjs"));
+    const kernelProveSource = await fs.readFile(path.join(starterDir, "scripts", "kernel-prove.mjs"), "utf8");
+    assert(kernelProveSource.includes("import(\"settld-api-sdk\")"), "starter kernel-prove script must attempt npm SDK import first");
+  } finally {
+    await fs.rm(packDir, { recursive: true, force: true });
+    await fs.rm(unpackDir, { recursive: true, force: true });
+    await fs.rm(outDir, { recursive: true, force: true });
+    await fs.rm(npmCacheDir, { recursive: true, force: true });
+  }
+}
+
+await main();