sneakoscope 0.9.11 → 0.9.13

package/README.md

@@ -1,6 +1,24 @@
 # Sneakoscope Codex
 
-Sneakoscope Codex (`sks`) is a Codex CLI/App harness for repeatable workflows. It adds terminal commands, Codex App `$` commands, tmux workspaces, Team/QA/Research routes, pipeline plans, Computer Use, imagegen UI/UX review, Goal, Context7, DB safety, TriWiki, design-system routing, skill dreaming, Honest Mode.
+Fast proof-first Codex trust layer with image-based Voxel TriWiki.
+
+Sneakoscope Codex (`sks`) is a Codex CLI/App harness for repeatable workflows. It adds terminal commands, Codex App `$` commands, tmux workspaces, Team/QA/Research routes, pipeline plans, Computer Use, imagegen UI/UX review, Goal, Context7, DB safety, Voxel TriWiki, design-system routing, skill dreaming, completion proof, and Honest Mode.
+
+## 60-second start
+
+```sh
+npm i -g sneakoscope
+sks root
+sks doctor
+sks codex-app check
+sks selftest --mock
+```
+
+## Three core promises
+
+1. Image-based Voxel TriWiki memory
+2. Codex App / codex-lb operational readiness
+3. Completion proof for every serious route
 
 ## Quick Start
 
@@ -12,6 +30,14 @@ sks root
 sks
 ```
 
+`0.9.13` connects serious routes to Completion Proof, visual routes to image voxel anchors, hook replay to shared runtime policy, codex-lb launch failures to circuit health, and Rust accelerator commands to JS fallback parity. Rust accelerator source is included in the npm package; until prebuilt binaries ship, SKS uses JS fallbacks unless `SKS_RS_BIN` or a source-checkout `sks-rs` binary is available.
+
+Learn more:
+- Completion Proof: [docs/completion-proof.md](docs/completion-proof.md)
+- Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
+- Codex App Hooks/PAT: [docs/hooks-pat.md](docs/hooks-pat.md)
+- codex-lb: [docs/codex-lb.md](docs/codex-lb.md)
+
 `npm i -g sneakoscope` automatically refreshes the `sks` command shim, global Codex App `$` skills, and SKS bootstrap surface. When the install is run from a project, postinstall bootstraps that project. When it is run outside a repo/project marker, postinstall bootstraps the per-user global runtime root instead of writing `.sneakoscope` into a random current directory. `sks root` tells you which root SKS will use.
 
 If you only want a one-shot run without keeping `sks` installed globally:
@@ -187,7 +213,7 @@ sks codex-lb repair
 sks
 ```
 
-Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths, including non-interactive runs, verify that codex-lb can continue a Responses API chain with `previous_response_id`; if that check fails, SKS bypasses codex-lb for that launch with `model_provider="openai"` instead of letting the Codex session fail mid-work.
+Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 

package/crates/sks-core/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "sks-core"
+version = "0.9.13"

package/crates/sks-core/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "sks-core"
+version = "0.9.13"
+edition = "2021"
+
+[dependencies]
+
+[[bin]]
+name = "sks-rs"
+path = "src/main.rs"

package/crates/sks-core/src/main.rs

@@ -0,0 +1,202 @@
+use std::fs::File;
+use std::io::{self, Read, Seek, SeekFrom};
+
+fn main() {
+    let mut args = std::env::args().skip(1);
+    match args.next().as_deref() {
+        Some("--version") => println!("sks-rs 0.9.13"),
+        Some("compact-info") => {
+            let mut input = String::new();
+            let _ = io::stdin().read_to_string(&mut input);
+            println!("{{\"ok\":true,\"engine\":\"rust\",\"input_bytes\":{}}}", input.as_bytes().len());
+        }
+        Some("jsonl-tail") => {
+            let path = args.next().unwrap_or_default();
+            let mut bytes: u64 = 262144;
+            while let Some(arg) = args.next() {
+                if arg == "--bytes" {
+                    if let Some(raw) = args.next() {
+                        bytes = raw.parse().unwrap_or(bytes);
+                    }
+                }
+            }
+            match tail_file(&path, bytes) {
+                Ok(text) => print!("{}", text),
+                Err(err) => {
+                    eprintln!("{}", err);
+                    std::process::exit(1);
+                }
+            }
+        }
+        Some("image-hash") => {
+            let path = args.next().unwrap_or_default();
+            match image_hash(&path) {
+                Ok((sha, bytes)) => println!("{{\"ok\":true,\"engine\":\"rust\",\"path\":\"{}\",\"sha256\":\"{}\",\"bytes\":{}}}", json_escape(&path), sha, bytes),
+                Err(err) => {
+                    println!("{{\"ok\":false,\"engine\":\"rust\",\"path\":\"{}\",\"error\":\"{}\"}}", json_escape(&path), json_escape(&err.to_string()));
+                    std::process::exit(1);
+                }
+            }
+        }
+        Some("voxel-validate") => {
+            let path = args.next().unwrap_or_default();
+            match std::fs::read_to_string(&path) {
+                Ok(text) => {
+                    let report = voxel_validate(&text);
+                    println!("{}", report);
+                    if report.contains("\"ok\":false") { std::process::exit(1); }
+                }
+                Err(err) => {
+                    println!("{{\"ok\":false,\"engine\":\"rust\",\"issues\":[\"read_error\"],\"error\":\"{}\"}}", json_escape(&err.to_string()));
+                    std::process::exit(1);
+                }
+            }
+        }
+        Some("secret-scan") => {
+            let path = args.next().unwrap_or_default();
+            match std::fs::read_to_string(&path) {
+                Ok(text) => {
+                    let found = ["CODEX_ACCESS_TOKEN", "OPENAI_API_KEY", "CODEX_LB_API_KEY", "sk-proj-", "sk-clb-", "github_pat_"]
+                        .iter()
+                        .any(|needle| text.contains(needle));
+                    println!("{{\"ok\":{},\"engine\":\"rust\",\"findings\":{}}}", if found { "false" } else { "true" }, if found { 1 } else { 0 });
+                    if found { std::process::exit(1); }
+                }
+                Err(err) => {
+                    eprintln!("{}", err);
+                    std::process::exit(1);
+                }
+            }
+        }
+        _ => {
+            eprintln!("sks-rs optional accelerator. Commands: --version, compact-info, jsonl-tail, secret-scan, image-hash, voxel-validate");
+            std::process::exit(2);
+        }
+    }
+}
+
+fn image_hash(path: &str) -> io::Result<(String, u64)> {
+    let mut file = File::open(path)?;
+    let mut data = Vec::new();
+    file.read_to_end(&mut data)?;
+    let bytes = data.len() as u64;
+    Ok((sha256_hex(&data), bytes))
+}
+
+fn sha256_hex(data: &[u8]) -> String {
+    const K: [u32; 64] = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+    ];
+    let mut h: [u32; 8] = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
+    let bit_len = (data.len() as u64) * 8;
+    let mut msg = data.to_vec();
+    msg.push(0x80);
+    while (msg.len() % 64) != 56 { msg.push(0); }
+    msg.extend_from_slice(&bit_len.to_be_bytes());
+    for chunk in msg.chunks(64) {
+        let mut w = [0u32; 64];
+        for i in 0..16 {
+            w[i] = u32::from_be_bytes([chunk[i * 4], chunk[i * 4 + 1], chunk[i * 4 + 2], chunk[i * 4 + 3]]);
+        }
+        for i in 16..64 {
+            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
+            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
+            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
+        }
+        let (mut a, mut b, mut c, mut d, mut e, mut f, mut g, mut hh) = (h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]);
+        for i in 0..64 {
+            let s1 = e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25);
+            let ch = (e & f) ^ ((!e) & g);
+            let temp1 = hh.wrapping_add(s1).wrapping_add(ch).wrapping_add(K[i]).wrapping_add(w[i]);
+            let s0 = a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22);
+            let maj = (a & b) ^ (a & c) ^ (b & c);
+            let temp2 = s0.wrapping_add(maj);
+            hh = g;
+            g = f;
+            f = e;
+            e = d.wrapping_add(temp1);
+            d = c;
+            c = b;
+            b = a;
+            a = temp1.wrapping_add(temp2);
+        }
+        h[0] = h[0].wrapping_add(a);
+        h[1] = h[1].wrapping_add(b);
+        h[2] = h[2].wrapping_add(c);
+        h[3] = h[3].wrapping_add(d);
+        h[4] = h[4].wrapping_add(e);
+        h[5] = h[5].wrapping_add(f);
+        h[6] = h[6].wrapping_add(g);
+        h[7] = h[7].wrapping_add(hh);
+    }
+    h.iter().map(|x| format!("{:08x}", x)).collect::<String>()
+}
+
+fn voxel_validate(text: &str) -> String {
+    let mut issues: Vec<&str> = Vec::new();
+    if !text.contains("\"schema\"") || !text.contains("sks.image-voxel-ledger.v1") { issues.push("schema"); }
+    if !text.contains("\"images\"") { issues.push("missing_images"); }
+    if !text.contains("\"anchors\"") { issues.push("missing_anchors"); }
+    let image_count = count_object_entries(text, "images");
+    let anchor_count = count_object_entries(text, "anchors");
+    if image_count == 0 { issues.push("missing_images"); }
+    if anchor_count == 0 { issues.push("missing_anchors"); }
+    issues.sort();
+    issues.dedup();
+    let ok = issues.is_empty();
+    let issue_json = issues.iter().map(|x| format!("\"{}\"", json_escape(x))).collect::<Vec<_>>().join(",");
+    format!("{{\"ok\":{},\"engine\":\"rust\",\"schema\":\"sks.image-voxel-ledger.v1\",\"images\":{},\"anchors\":{},\"issues\":[{}]}}", if ok { "true" } else { "false" }, image_count, anchor_count, issue_json)
+}
+
+fn count_object_entries(text: &str, key: &str) -> usize {
+    let marker = format!("\"{}\"", key);
+    let Some(start) = text.find(&marker) else { return 0; };
+    let Some(open) = text[start..].find('[').map(|i| start + i) else { return 0; };
+    let mut depth = 0i32;
+    let mut entries = 0usize;
+    let mut in_string = false;
+    let mut escape = false;
+    for ch in text[open..].chars() {
+        if escape {
+            escape = false;
+            continue;
+        }
+        if ch == '\\' && in_string {
+            escape = true;
+            continue;
+        }
+        if ch == '"' {
+            in_string = !in_string;
+            continue;
+        }
+        if in_string { continue; }
+        if ch == '[' { depth += 1; }
+        else if ch == ']' {
+            depth -= 1;
+            if depth == 0 { break; }
+        }
+        else if ch == '{' && depth == 1 { entries += 1; }
+    }
+    entries
+}
+
+fn json_escape(value: &str) -> String {
+    value.replace('\\', "\\\\").replace('"', "\\\"").replace('\n', "\\n").replace('\r', "\\r")
+}
+
+fn tail_file(path: &str, bytes: u64) -> io::Result<String> {
+    let mut file = File::open(path)?;
+    let len = file.metadata()?.len();
+    let start = len.saturating_sub(bytes);
+    file.seek(SeekFrom::Start(start))?;
+    let mut out = String::new();
+    file.read_to_string(&mut out)?;
+    Ok(out)
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.11",
-  "description": "Sneakoscope Codex: database-safe Codex CLI/App harness with Team, Goal, AutoResearch, TriWiki, and Honest Mode.",
+  "version": "0.9.13",
+  "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
   "repository": {
@@ -23,6 +23,9 @@
   "files": [
     "bin",
     "src",
+    "crates/sks-core/Cargo.lock",
+    "crates/sks-core/Cargo.toml",
+    "crates/sks-core/src",
     "README.md",
     "LICENSE"
   ],
@@ -36,11 +39,20 @@
     "doctor": "node ./bin/sks.mjs doctor",
     "packcheck": "find bin src scripts -name '*.mjs' -print0 | xargs -0 -n1 node --check",
     "changelog:check": "node ./scripts/changelog-check.mjs",
+    "cli-entrypoint:check": "node ./scripts/check-cli-entrypoint.mjs",
+    "legacy-budget:check": "node ./scripts/check-legacy-budget.mjs",
     "sizecheck": "node ./scripts/sizecheck.mjs",
     "registry:check": "node ./scripts/release-registry-check.mjs",
     "feature:check": "node ./bin/sks.mjs features check --json",
     "all-features:selftest": "node ./bin/sks.mjs all-features selftest --mock --json",
-    "release:check": "npm run repo-audit && npm run changelog:check && npm run packcheck && npm run feature:check && npm run all-features:selftest && npm run selftest && npm run sizecheck && npm run registry:check",
+    "all-features:execute-fixtures": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --json",
+    "perf:cold-start": "node ./bin/sks.mjs perf cold-start --json",
+    "perf:gate": "node ./scripts/perf-gate.mjs",
+    "test": "node --test \"test/**/*.test.mjs\"",
+    "test:unit": "node --test \"test/unit/**/*.test.mjs\"",
+    "test:integration:mock": "node --test \"test/integration/**/*.test.mjs\"",
+    "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
+    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-budget:check && npm run packcheck && npm run feature:check && npm run all-features:selftest && npm run all-features:execute-fixtures && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run perf:gate && npm run sizecheck && npm run registry:check",
     "publish:dry": "npm run release:check && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",
     "prepublishOnly": "npm run release:check && node ./scripts/release-registry-check.mjs --require-unpublished"

package/src/cli/args.mjs

@@ -0,0 +1,49 @@
+export function flag(args = [], name) {
+  return args.includes(name);
+}
+
+export function readOption(args = [], name, fallback = null) {
+  const i = args.indexOf(name);
+  return i >= 0 && args[i + 1] ? args[i + 1] : fallback;
+}
+
+export function positionalArgs(args = []) {
+  const out = [];
+  const valueFlags = new Set([
+    '--source',
+    '--format',
+    '--iterations',
+    '--out',
+    '--baseline',
+    '--candidate',
+    '--install-scope',
+    '--max-cycles',
+    '--cycle-timeout-minutes',
+    '--depth',
+    '--scope',
+    '--transport',
+    '--query',
+    '--topic',
+    '--tokens',
+    '--timeout-ms',
+    '--sql',
+    '--command',
+    '--project-ref',
+    '--agent',
+    '--phase',
+    '--message',
+    '--role',
+    '--max-anchors',
+    '--lines',
+    '--dir'
+  ]);
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = String(args[i]);
+    if (valueFlags.has(arg)) {
+      i += 1;
+      continue;
+    }
+    if (!arg.startsWith('--')) out.push(arg);
+  }
+  return out;
+}

package/src/cli/command-registry.mjs

@@ -0,0 +1,128 @@
+const legacy = () => import('./legacy-main.mjs');
+
+export const COMMANDS = {
+  help: {
+    maturity: 'stable',
+    summary: 'Show SKS help',
+    lazy: () => import('../commands/help.mjs')
+  },
+  version: {
+    maturity: 'stable',
+    summary: 'Show SKS version',
+    lazy: () => import('../commands/version.mjs')
+  },
+  commands: {
+    maturity: 'stable',
+    summary: 'List SKS commands',
+    lazy: () => import('../commands/help.mjs')
+  },
+  root: {
+    maturity: 'stable',
+    summary: 'Show active SKS root',
+    lazy: () => import('../commands/root.mjs')
+  },
+  features: {
+    maturity: 'beta',
+    summary: 'Validate feature registry',
+    lazy: () => import('../commands/features.mjs')
+  },
+  'all-features': {
+    maturity: 'beta',
+    summary: 'Run all-features selftest',
+    lazy: () => import('../commands/all-features.mjs')
+  },
+  hooks: {
+    maturity: 'beta',
+    summary: 'Explain and inspect Codex hooks',
+    lazy: () => import('../commands/hooks.mjs')
+  },
+  proof: {
+    maturity: 'beta',
+    summary: 'Show and validate completion proof',
+    lazy: () => import('../commands/proof.mjs')
+  },
+  wiki: {
+    maturity: 'beta',
+    summary: 'Manage TriWiki and image voxel ledgers',
+    lazy: () => import('../commands/wiki.mjs')
+  },
+  perf: {
+    maturity: 'beta',
+    summary: 'Run performance checks',
+    lazy: () => import('../commands/perf.mjs')
+  },
+  'codex-lb': {
+    maturity: 'beta',
+    summary: 'Inspect codex-lb status and circuit health',
+    lazy: () => import('../commands/codex-lb.mjs')
+  },
+  auth: {
+    maturity: 'beta',
+    summary: 'Alias for codex-lb auth commands',
+    lazy: () => import('../commands/codex-lb.mjs')
+  },
+  postinstall: { maturity: 'stable', summary: 'Run postinstall bootstrap', lazy: legacy },
+  wizard: { maturity: 'stable', summary: 'Open setup wizard', lazy: legacy },
+  ui: { maturity: 'stable', summary: 'Open setup UI', lazy: legacy },
+  'update-check': { maturity: 'stable', summary: 'Check npm package freshness', lazy: legacy },
+  usage: { maturity: 'stable', summary: 'Show focused usage topic', lazy: legacy },
+  quickstart: { maturity: 'stable', summary: 'Show quickstart flow', lazy: legacy },
+  'codex-app': { maturity: 'beta', summary: 'Check Codex App readiness', lazy: () => import('../commands/codex-app.mjs') },
+  openclaw: { maturity: 'labs', summary: 'Create OpenClaw skill package', lazy: legacy },
+  bootstrap: { maturity: 'stable', summary: 'Initialize SKS project files', lazy: legacy },
+  deps: { maturity: 'stable', summary: 'Check or install local dependencies', lazy: legacy },
+  'qa-loop': { maturity: 'beta', summary: 'Run QA loop missions', lazy: legacy },
+  ppt: { maturity: 'labs', summary: 'Inspect/build PPT artifacts', lazy: legacy },
+  'image-ux-review': { maturity: 'labs', summary: 'Inspect image UX artifacts', lazy: legacy },
+  'ux-review': { maturity: 'labs', summary: 'Alias for image UX review', lazy: legacy },
+  'visual-review': { maturity: 'labs', summary: 'Alias for image UX review', lazy: legacy },
+  'ui-ux-review': { maturity: 'labs', summary: 'Alias for image UX review', lazy: legacy },
+  context7: { maturity: 'beta', summary: 'Context7 checks and docs', lazy: legacy },
+  recallpulse: { maturity: 'labs', summary: 'RecallPulse evidence route', lazy: legacy },
+  pipeline: { maturity: 'beta', summary: 'Inspect pipeline missions', lazy: legacy },
+  guard: { maturity: 'beta', summary: 'Check harness guard', lazy: legacy },
+  conflicts: { maturity: 'beta', summary: 'Check harness conflicts', lazy: legacy },
+  versioning: { maturity: 'stable', summary: 'Manage release version metadata', lazy: legacy },
+  reasoning: { maturity: 'labs', summary: 'Show reasoning route', lazy: legacy },
+  aliases: { maturity: 'stable', summary: 'Show command aliases', lazy: legacy },
+  setup: { maturity: 'stable', summary: 'Initialize SKS state', lazy: legacy },
+  'fix-path': { maturity: 'stable', summary: 'Repair hook command paths', lazy: legacy },
+  doctor: { maturity: 'stable', summary: 'Check and repair SKS install', lazy: () => import('../commands/doctor.mjs') },
+  init: { maturity: 'stable', summary: 'Initialize local control surface', lazy: legacy },
+  selftest: { maturity: 'stable', summary: 'Run local mock selftest', lazy: legacy },
+  goal: { maturity: 'beta', summary: 'Manage Goal bridge workflow', lazy: legacy },
+  research: { maturity: 'labs', summary: 'Run research missions', lazy: legacy },
+  hook: { maturity: 'beta', summary: 'Codex hook entrypoint', lazy: legacy },
+  profile: { maturity: 'labs', summary: 'Inspect/set profile', lazy: legacy },
+  hproof: { maturity: 'beta', summary: 'Evaluate H-Proof gate', lazy: legacy },
+  'validate-artifacts': { maturity: 'beta', summary: 'Validate mission artifacts', lazy: legacy },
+  'proof-field': { maturity: 'beta', summary: 'Scan proof field', lazy: legacy },
+  'skill-dream': { maturity: 'labs', summary: 'Track skill dream counters', lazy: legacy },
+  'code-structure': { maturity: 'labs', summary: 'Scan source structure', lazy: legacy },
+  memory: { maturity: 'labs', summary: 'Run retention checks', lazy: legacy },
+  gx: { maturity: 'labs', summary: 'Render/validate GX cartridges', lazy: legacy },
+  team: { maturity: 'beta', summary: 'Create and observe Team missions', lazy: legacy },
+  db: { maturity: 'beta', summary: 'Inspect DB safety policy', lazy: () => import('../commands/db.mjs') },
+  eval: { maturity: 'labs', summary: 'Run eval reports', lazy: legacy },
+  harness: { maturity: 'labs', summary: 'Run harness fixtures', lazy: legacy },
+  gc: { maturity: 'labs', summary: 'Compact/prune runtime state', lazy: legacy },
+  stats: { maturity: 'labs', summary: 'Show storage stats', lazy: legacy },
+  tmux: { maturity: 'beta', summary: 'Open/check SKS tmux UI', lazy: legacy },
+  'auto-review': { maturity: 'beta', summary: 'Manage auto-review profile', lazy: legacy },
+  autoreview: { maturity: 'beta', summary: 'Alias for auto-review', lazy: legacy },
+  'dollar-commands': { maturity: 'stable', summary: 'List Codex App dollar commands', lazy: legacy },
+  dollars: { maturity: 'stable', summary: 'Alias for dollar-commands', lazy: legacy },
+  '$': { maturity: 'stable', summary: 'Alias for dollar-commands', lazy: legacy },
+  dfix: { maturity: 'stable', summary: 'Explain DFix route', lazy: legacy }
+};
+
+export const COMMAND_ALIASES = {
+  '--help': 'help',
+  '-h': 'help',
+  '--version': 'version',
+  '-v': 'version'
+};
+
+export function commandNames() {
+  return Object.keys(COMMANDS).sort();
+}

package/src/cli/feature-commands.mjs

@@ -1,6 +1,10 @@
 import path from 'node:path';
-import { projectRoot } from '../core/fsx.mjs';
+import os from 'node:os';
+import fs from 'node:fs/promises';
+import { exists, projectRoot, readJson, writeJsonAtomic } from '../core/fsx.mjs';
 import { CODEX_ACCESS_TOKENS_DOCS_URL } from '../core/codex-app.mjs';
+import { redactSecrets } from '../core/secret-redaction.mjs';
+import { evaluateHookPayload } from '../core/hooks-runtime.mjs';
 import { buildAllFeaturesSelftest, buildFeatureRegistry, validateFeatureRegistry, writeFeatureInventoryDocs } from '../core/feature-registry.mjs';
 
 const flag = (args, name) => args.includes(name);
@@ -42,13 +46,13 @@ export async function featuresCommand(sub = 'list', args = []) {
 export async function allFeaturesCommand(sub = 'selftest', args = []) {
   const action = sub || 'selftest';
   if (action !== 'selftest') {
-    console.error('Usage: sks all-features selftest --mock [--json]');
+    console.error('Usage: sks all-features selftest --mock [--execute-fixtures] [--json]');
     process.exitCode = 1;
     return;
   }
   const root = await projectRoot();
   const registry = await buildFeatureRegistry({ root });
-  const result = buildAllFeaturesSelftest(registry);
+  const result = buildAllFeaturesSelftest(registry, { executeFixtures: flag(args, '--execute-fixtures'), root });
   if (flag(args, '--json')) console.log(JSON.stringify(result, null, 2));
   else {
     console.log('SKS all-features selftest');
@@ -59,10 +63,33 @@ export async function allFeaturesCommand(sub = 'selftest', args = []) {
   if (!result.ok) process.exitCode = 1;
 }
 
-export function hooksCommand(sub = 'explain', args = []) {
+export async function hooksCommand(sub = 'explain', args = []) {
   const action = sub || 'explain';
-  if (action !== 'explain' && action !== 'status') {
-    console.error('Usage: sks hooks explain [--json]');
+  const root = await projectRoot();
+  if (action === 'status') {
+    const report = await hooksStatusReport(root);
+    if (flag(args, '--json')) return console.log(JSON.stringify(report, null, 2));
+    console.log(`Hooks: ${report.ok ? 'ok' : 'missing'}`);
+    for (const file of report.hooks_files) console.log(`- ${file.path}: ${file.exists ? 'present' : 'missing'}`);
+    return;
+  }
+  if (action === 'trust-report') {
+    const report = await hooksTrustReport(root);
+    if (flag(args, '--json')) return console.log(JSON.stringify(report, null, 2));
+    console.log(`Hooks trust report: ${report.ok ? 'ok' : 'blocked'}`);
+    for (const event of report.events) console.log(`- ${event.event}: ${event.command}`);
+    return;
+  }
+  if (action === 'replay') {
+    const fixture = args.find((arg) => !String(arg).startsWith('--'));
+    const report = await hooksReplayReport(fixture);
+    if (flag(args, '--json')) return console.log(JSON.stringify(report, null, 2));
+    console.log(`Hook replay: ${report.ok ? 'ok' : 'blocked'} ${report.event || 'unknown'}`);
+    if (report.decision) console.log(`Decision: ${report.decision}`);
+    return;
+  }
+  if (action !== 'explain') {
+    console.error('Usage: sks hooks explain|status|trust-report|replay <fixture.json> [--json]');
     process.exitCode = 1;
     return;
   }
@@ -80,6 +107,85 @@ export function hooksCommand(sub = 'explain', args = []) {
   for (const source of report.sources) console.log(`- ${source.title}: ${source.url}`);
 }
 
+async function hooksStatusReport(root) {
+  const files = [
+    path.join(os.homedir(), '.codex', 'hooks.json'),
+    path.join(root, '.codex', 'hooks.json')
+  ];
+  const hooksFiles = [];
+  for (const file of files) {
+    hooksFiles.push({ path: file, exists: await exists(file) });
+  }
+  return {
+    schema: 'sks.hooks-status.v1',
+    hooks_files: hooksFiles,
+    ok: hooksFiles.some((file) => file.exists)
+  };
+}
+
+async function hooksTrustReport(root) {
+  const status = await hooksStatusReport(root);
+  return redactSecrets({
+    schema: 'sks.hooks-trust-report.v1',
+    hooks_files: status.hooks_files.map((file) => file.path),
+    events: [
+      { event: 'PreToolUse', command: 'sks hook pre-tool', writes: ['.sneakoscope/bus/tool-events.jsonl'], network: false, secret_policy: 'redacted', risk: 'medium' },
+      { event: 'PermissionRequest', command: 'sks hook permission-request', writes: ['.sneakoscope/state'], network: false, secret_policy: 'redacted', risk: 'medium' },
+      { event: 'UserPromptSubmit', command: 'sks hook user-prompt-submit', writes: ['.sneakoscope/missions'], network: false, secret_policy: 'redacted', risk: 'medium' },
+      { event: 'Stop', command: 'sks hook stop', writes: ['.sneakoscope/missions', '.sneakoscope/proof'], network: false, secret_policy: 'redacted', risk: 'high' }
+    ],
+    ok: true,
+    warnings: status.ok ? [] : ['no hooks.json file found in project or user config']
+  });
+}
+
+async function hooksReplayReport(fixturePath) {
+  if (!fixturePath) return { schema: 'sks.hooks-replay.v1', ok: false, reason: 'fixture_required' };
+  const absolute = path.resolve(fixturePath);
+  const fixture = await readJson(absolute, {});
+  const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'sks-hooks-replay-'));
+  const payload = { ...(fixture.payload || fixture), cwd: tempRoot };
+  const state = fixture.state || {};
+  if (state.mission_id && fixture.proof) {
+    await writeJsonAtomic(path.join(tempRoot, '.sneakoscope', 'missions', state.mission_id, 'completion-proof.json'), fixture.proof);
+  }
+  const event = fixture.event || fixture.hook_event_name || fixture.name || 'unknown';
+  const hookName = normalizeReplayHookName(event);
+  const runtime = await evaluateHookPayload(hookName, payload, { root: tempRoot, state });
+  const decision = runtime.decision || runtime.permissionDecision || (runtime.continue === true ? 'continue' : 'continue');
+  const expected = await readExpectedReplay(absolute);
+  const comparable = { decision, reason: runtime.reason || 'fixture_safe' };
+  const matchesExpected = expected ? expected.decision === comparable.decision && (!expected.reason || expected.reason === comparable.reason) : null;
+  const ok = expected ? matchesExpected : decision !== 'block' && decision !== 'deny';
+  return redactSecrets({
+    schema: 'sks.hooks-replay.v1',
+    ok,
+    event,
+    hook: hookName,
+    command: payload.command || payload.tool_input?.command || payload.toolInput?.command || payload.input?.command || '',
+    decision,
+    reason: runtime.reason || 'fixture_safe',
+    matches_expected: matchesExpected,
+    secret_policy: 'redacted'
+  });
+}
+
+function normalizeReplayHookName(event = '') {
+  const normalized = String(event || '').replace(/[_\s]+/g, '-').toLowerCase();
+  if (normalized.includes('pretool') || normalized.includes('pre-tool')) return 'pre-tool';
+  if (normalized.includes('permission')) return 'permission-request';
+  if (normalized.includes('userprompt') || normalized.includes('user-prompt')) return 'user-prompt-submit';
+  if (normalized.includes('posttool') || normalized.includes('post-tool')) return 'post-tool';
+  if (normalized.includes('stop')) return 'stop';
+  return normalized || 'pre-tool';
+}
+
+async function readExpectedReplay(fixturePath) {
+  const expectedPath = path.join(path.dirname(fixturePath), 'expected', `${path.basename(fixturePath, '.json')}.expected.json`);
+  if (!await exists(expectedPath)) return null;
+  return readJson(expectedPath, null);
+}
+
 export function hooksExplainReport() {
   return {
     schema: 'sks.hooks-explain.v1',