sneakoscope 0.9.12 → 0.9.13

package/README.md

@@ -30,7 +30,13 @@ sks root
 sks
 ```
 
-`0.9.12` adds the lazy CLI architecture foundation, `sks proof`, image voxel ledger commands, cold-start perf checks, hook trust reports, codex-lb circuit metrics, and feature fixture contracts. Rust accelerator source is included in the npm package; until prebuilt binaries ship, SKS uses JS fallbacks unless `SKS_RS_BIN` or a source-checkout `sks-rs` binary is available.
+`0.9.13` connects serious routes to Completion Proof, visual routes to image voxel anchors, hook replay to shared runtime policy, codex-lb launch failures to circuit health, and Rust accelerator commands to JS fallback parity. Rust accelerator source is included in the npm package; until prebuilt binaries ship, SKS uses JS fallbacks unless `SKS_RS_BIN` or a source-checkout `sks-rs` binary is available.
+
+Learn more:
+- Completion Proof: [docs/completion-proof.md](docs/completion-proof.md)
+- Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
+- Codex App Hooks/PAT: [docs/hooks-pat.md](docs/hooks-pat.md)
+- codex-lb: [docs/codex-lb.md](docs/codex-lb.md)
 
 `npm i -g sneakoscope` automatically refreshes the `sks` command shim, global Codex App `$` skills, and SKS bootstrap surface. When the install is run from a project, postinstall bootstraps that project. When it is run outside a repo/project marker, postinstall bootstraps the per-user global runtime root instead of writing `.sneakoscope` into a random current directory. `sks root` tells you which root SKS will use.
 
@@ -207,7 +213,7 @@ sks codex-lb repair
 sks
 ```
 
-Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths, including non-interactive runs, verify that codex-lb can continue a Responses API chain with `previous_response_id`; if that check fails, SKS bypasses codex-lb for that launch with `model_provider="openai"` instead of letting the Codex session fail mid-work.
+Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/.codex/sks-codex-lb.env`, writes the upstream codex-lb Codex CLI / IDE Extension provider block into `~/.codex/config.toml` for Codex App routing, loads the provider env key for tmux launches, and syncs the macOS user launch environment so the Codex App can see `CODEX_LB_API_KEY` after restart. If the provider block disappears but the stored env file is still recoverable, bare `sks`, npm postinstall upgrades, `sks doctor --fix`, and `sks codex-lb repair` restore it with `env_key = "CODEX_LB_API_KEY"`, `supports_websockets = true`, and `requires_openai_auth = true` as documented by codex-lb. If an older SKS release left the codex-lb dashboard key only in the shared Codex `auth.json` login cache, SKS migrates that key back into `~/.codex/sks-codex-lb.env` when a codex-lb provider or env base URL is already recoverable. It does not rewrite the shared Codex `auth.json` login cache by default; set `SKS_CODEX_LB_SYNC_CODEX_LOGIN=1` only if you intentionally want the old API-key login-cache behavior. When codex-lb is active, SKS opens a fresh `sks-codex-lb-*` tmux session and sweeps older detached codex-lb sessions for the same repo before launch so stale Responses API chains are not reused. Configured launch paths run a response-chain health check. `previous_response_not_found` is treated as a stateless-LB warning and keeps codex-lb active. Hard failures are surfaced to the user; SKS only bypasses codex-lb when the user chooses OAuth fallback or `SKS_CODEX_LB_AUTOBYPASS=1` is set.
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 

package/crates/sks-core/Cargo.lock

@@ -4,4 +4,4 @@ version = 4
 
 [[package]]
 name = "sks-core"
-version = "0.9.12"
+version = "0.9.13"

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "0.9.12"
+version = "0.9.13"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 0.9.12"),
+        Some("--version") => println!("sks-rs 0.9.13"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);
@@ -28,6 +28,30 @@ fn main() {
                 }
             }
         }
+        Some("image-hash") => {
+            let path = args.next().unwrap_or_default();
+            match image_hash(&path) {
+                Ok((sha, bytes)) => println!("{{\"ok\":true,\"engine\":\"rust\",\"path\":\"{}\",\"sha256\":\"{}\",\"bytes\":{}}}", json_escape(&path), sha, bytes),
+                Err(err) => {
+                    println!("{{\"ok\":false,\"engine\":\"rust\",\"path\":\"{}\",\"error\":\"{}\"}}", json_escape(&path), json_escape(&err.to_string()));
+                    std::process::exit(1);
+                }
+            }
+        }
+        Some("voxel-validate") => {
+            let path = args.next().unwrap_or_default();
+            match std::fs::read_to_string(&path) {
+                Ok(text) => {
+                    let report = voxel_validate(&text);
+                    println!("{}", report);
+                    if report.contains("\"ok\":false") { std::process::exit(1); }
+                }
+                Err(err) => {
+                    println!("{{\"ok\":false,\"engine\":\"rust\",\"issues\":[\"read_error\"],\"error\":\"{}\"}}", json_escape(&err.to_string()));
+                    std::process::exit(1);
+                }
+            }
+        }
         Some("secret-scan") => {
             let path = args.next().unwrap_or_default();
             match std::fs::read_to_string(&path) {
@@ -45,12 +69,128 @@ fn main() {
             }
         }
         _ => {
-            eprintln!("sks-rs optional accelerator. Commands: --version, compact-info, jsonl-tail, secret-scan");
+            eprintln!("sks-rs optional accelerator. Commands: --version, compact-info, jsonl-tail, secret-scan, image-hash, voxel-validate");
             std::process::exit(2);
         }
     }
 }
 
+fn image_hash(path: &str) -> io::Result<(String, u64)> {
+    let mut file = File::open(path)?;
+    let mut data = Vec::new();
+    file.read_to_end(&mut data)?;
+    let bytes = data.len() as u64;
+    Ok((sha256_hex(&data), bytes))
+}
+
+fn sha256_hex(data: &[u8]) -> String {
+    const K: [u32; 64] = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+    ];
+    let mut h: [u32; 8] = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
+    let bit_len = (data.len() as u64) * 8;
+    let mut msg = data.to_vec();
+    msg.push(0x80);
+    while (msg.len() % 64) != 56 { msg.push(0); }
+    msg.extend_from_slice(&bit_len.to_be_bytes());
+    for chunk in msg.chunks(64) {
+        let mut w = [0u32; 64];
+        for i in 0..16 {
+            w[i] = u32::from_be_bytes([chunk[i * 4], chunk[i * 4 + 1], chunk[i * 4 + 2], chunk[i * 4 + 3]]);
+        }
+        for i in 16..64 {
+            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
+            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
+            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
+        }
+        let (mut a, mut b, mut c, mut d, mut e, mut f, mut g, mut hh) = (h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]);
+        for i in 0..64 {
+            let s1 = e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25);
+            let ch = (e & f) ^ ((!e) & g);
+            let temp1 = hh.wrapping_add(s1).wrapping_add(ch).wrapping_add(K[i]).wrapping_add(w[i]);
+            let s0 = a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22);
+            let maj = (a & b) ^ (a & c) ^ (b & c);
+            let temp2 = s0.wrapping_add(maj);
+            hh = g;
+            g = f;
+            f = e;
+            e = d.wrapping_add(temp1);
+            d = c;
+            c = b;
+            b = a;
+            a = temp1.wrapping_add(temp2);
+        }
+        h[0] = h[0].wrapping_add(a);
+        h[1] = h[1].wrapping_add(b);
+        h[2] = h[2].wrapping_add(c);
+        h[3] = h[3].wrapping_add(d);
+        h[4] = h[4].wrapping_add(e);
+        h[5] = h[5].wrapping_add(f);
+        h[6] = h[6].wrapping_add(g);
+        h[7] = h[7].wrapping_add(hh);
+    }
+    h.iter().map(|x| format!("{:08x}", x)).collect::<String>()
+}
+
+fn voxel_validate(text: &str) -> String {
+    let mut issues: Vec<&str> = Vec::new();
+    if !text.contains("\"schema\"") || !text.contains("sks.image-voxel-ledger.v1") { issues.push("schema"); }
+    if !text.contains("\"images\"") { issues.push("missing_images"); }
+    if !text.contains("\"anchors\"") { issues.push("missing_anchors"); }
+    let image_count = count_object_entries(text, "images");
+    let anchor_count = count_object_entries(text, "anchors");
+    if image_count == 0 { issues.push("missing_images"); }
+    if anchor_count == 0 { issues.push("missing_anchors"); }
+    issues.sort();
+    issues.dedup();
+    let ok = issues.is_empty();
+    let issue_json = issues.iter().map(|x| format!("\"{}\"", json_escape(x))).collect::<Vec<_>>().join(",");
+    format!("{{\"ok\":{},\"engine\":\"rust\",\"schema\":\"sks.image-voxel-ledger.v1\",\"images\":{},\"anchors\":{},\"issues\":[{}]}}", if ok { "true" } else { "false" }, image_count, anchor_count, issue_json)
+}
+
+fn count_object_entries(text: &str, key: &str) -> usize {
+    let marker = format!("\"{}\"", key);
+    let Some(start) = text.find(&marker) else { return 0; };
+    let Some(open) = text[start..].find('[').map(|i| start + i) else { return 0; };
+    let mut depth = 0i32;
+    let mut entries = 0usize;
+    let mut in_string = false;
+    let mut escape = false;
+    for ch in text[open..].chars() {
+        if escape {
+            escape = false;
+            continue;
+        }
+        if ch == '\\' && in_string {
+            escape = true;
+            continue;
+        }
+        if ch == '"' {
+            in_string = !in_string;
+            continue;
+        }
+        if in_string { continue; }
+        if ch == '[' { depth += 1; }
+        else if ch == ']' {
+            depth -= 1;
+            if depth == 0 { break; }
+        }
+        else if ch == '{' && depth == 1 { entries += 1; }
+    }
+    entries
+}
+
+fn json_escape(value: &str) -> String {
+    value.replace('\\', "\\\\").replace('"', "\\\"").replace('\n', "\\n").replace('\r', "\\r")
+}
+
 fn tail_file(path: &str, bytes: u64) -> io::Result<String> {
     let mut file = File::open(path)?;
     let len = file.metadata()?.len();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.12",
+  "version": "0.9.13",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -40,17 +40,19 @@
     "packcheck": "find bin src scripts -name '*.mjs' -print0 | xargs -0 -n1 node --check",
     "changelog:check": "node ./scripts/changelog-check.mjs",
     "cli-entrypoint:check": "node ./scripts/check-cli-entrypoint.mjs",
+    "legacy-budget:check": "node ./scripts/check-legacy-budget.mjs",
     "sizecheck": "node ./scripts/sizecheck.mjs",
     "registry:check": "node ./scripts/release-registry-check.mjs",
     "feature:check": "node ./bin/sks.mjs features check --json",
     "all-features:selftest": "node ./bin/sks.mjs all-features selftest --mock --json",
+    "all-features:execute-fixtures": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --json",
     "perf:cold-start": "node ./bin/sks.mjs perf cold-start --json",
     "perf:gate": "node ./scripts/perf-gate.mjs",
     "test": "node --test \"test/**/*.test.mjs\"",
     "test:unit": "node --test \"test/unit/**/*.test.mjs\"",
     "test:integration:mock": "node --test \"test/integration/**/*.test.mjs\"",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run packcheck && npm run feature:check && npm run all-features:selftest && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run perf:gate && npm run sizecheck && npm run registry:check",
+    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-budget:check && npm run packcheck && npm run feature:check && npm run all-features:selftest && npm run all-features:execute-fixtures && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run perf:gate && npm run sizecheck && npm run registry:check",
     "publish:dry": "npm run release:check && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",
     "prepublishOnly": "npm run release:check && node ./scripts/release-registry-check.mjs --require-unpublished"

package/src/cli/command-registry.mjs

@@ -67,7 +67,7 @@ export const COMMANDS = {
   'update-check': { maturity: 'stable', summary: 'Check npm package freshness', lazy: legacy },
   usage: { maturity: 'stable', summary: 'Show focused usage topic', lazy: legacy },
   quickstart: { maturity: 'stable', summary: 'Show quickstart flow', lazy: legacy },
-  'codex-app': { maturity: 'beta', summary: 'Check Codex App readiness', lazy: legacy },
+  'codex-app': { maturity: 'beta', summary: 'Check Codex App readiness', lazy: () => import('../commands/codex-app.mjs') },
   openclaw: { maturity: 'labs', summary: 'Create OpenClaw skill package', lazy: legacy },
   bootstrap: { maturity: 'stable', summary: 'Initialize SKS project files', lazy: legacy },
   deps: { maturity: 'stable', summary: 'Check or install local dependencies', lazy: legacy },
@@ -87,7 +87,7 @@ export const COMMANDS = {
   aliases: { maturity: 'stable', summary: 'Show command aliases', lazy: legacy },
   setup: { maturity: 'stable', summary: 'Initialize SKS state', lazy: legacy },
   'fix-path': { maturity: 'stable', summary: 'Repair hook command paths', lazy: legacy },
-  doctor: { maturity: 'stable', summary: 'Check and repair SKS install', lazy: legacy },
+  doctor: { maturity: 'stable', summary: 'Check and repair SKS install', lazy: () => import('../commands/doctor.mjs') },
   init: { maturity: 'stable', summary: 'Initialize local control surface', lazy: legacy },
   selftest: { maturity: 'stable', summary: 'Run local mock selftest', lazy: legacy },
   goal: { maturity: 'beta', summary: 'Manage Goal bridge workflow', lazy: legacy },
@@ -102,7 +102,7 @@ export const COMMANDS = {
   memory: { maturity: 'labs', summary: 'Run retention checks', lazy: legacy },
   gx: { maturity: 'labs', summary: 'Render/validate GX cartridges', lazy: legacy },
   team: { maturity: 'beta', summary: 'Create and observe Team missions', lazy: legacy },
-  db: { maturity: 'beta', summary: 'Inspect DB safety policy', lazy: legacy },
+  db: { maturity: 'beta', summary: 'Inspect DB safety policy', lazy: () => import('../commands/db.mjs') },
   eval: { maturity: 'labs', summary: 'Run eval reports', lazy: legacy },
   harness: { maturity: 'labs', summary: 'Run harness fixtures', lazy: legacy },
   gc: { maturity: 'labs', summary: 'Compact/prune runtime state', lazy: legacy },

package/src/cli/feature-commands.mjs

@@ -1,8 +1,10 @@
 import path from 'node:path';
 import os from 'node:os';
-import { exists, projectRoot, readJson } from '../core/fsx.mjs';
+import fs from 'node:fs/promises';
+import { exists, projectRoot, readJson, writeJsonAtomic } from '../core/fsx.mjs';
 import { CODEX_ACCESS_TOKENS_DOCS_URL } from '../core/codex-app.mjs';
 import { redactSecrets } from '../core/secret-redaction.mjs';
+import { evaluateHookPayload } from '../core/hooks-runtime.mjs';
 import { buildAllFeaturesSelftest, buildFeatureRegistry, validateFeatureRegistry, writeFeatureInventoryDocs } from '../core/feature-registry.mjs';
 
 const flag = (args, name) => args.includes(name);
@@ -44,13 +46,13 @@ export async function featuresCommand(sub = 'list', args = []) {
 export async function allFeaturesCommand(sub = 'selftest', args = []) {
   const action = sub || 'selftest';
   if (action !== 'selftest') {
-    console.error('Usage: sks all-features selftest --mock [--json]');
+    console.error('Usage: sks all-features selftest --mock [--execute-fixtures] [--json]');
     process.exitCode = 1;
     return;
   }
   const root = await projectRoot();
   const registry = await buildFeatureRegistry({ root });
-  const result = buildAllFeaturesSelftest(registry);
+  const result = buildAllFeaturesSelftest(registry, { executeFixtures: flag(args, '--execute-fixtures'), root });
   if (flag(args, '--json')) console.log(JSON.stringify(result, null, 2));
   else {
     console.log('SKS all-features selftest');
@@ -139,22 +141,51 @@ async function hooksTrustReport(root) {
 
 async function hooksReplayReport(fixturePath) {
   if (!fixturePath) return { schema: 'sks.hooks-replay.v1', ok: false, reason: 'fixture_required' };
-  const fixture = await readJson(path.resolve(fixturePath), {});
-  const command = fixture.command || fixture.tool_input?.command || fixture.toolInput?.command || fixture.input?.command || '';
+  const absolute = path.resolve(fixturePath);
+  const fixture = await readJson(absolute, {});
+  const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'sks-hooks-replay-'));
+  const payload = { ...(fixture.payload || fixture), cwd: tempRoot };
+  const state = fixture.state || {};
+  if (state.mission_id && fixture.proof) {
+    await writeJsonAtomic(path.join(tempRoot, '.sneakoscope', 'missions', state.mission_id, 'completion-proof.json'), fixture.proof);
+  }
   const event = fixture.event || fixture.hook_event_name || fixture.name || 'unknown';
-  const dangerousDb = /\b(?:drop\s+table|delete\s+from|truncate|supabase\s+db\s+reset)\b/i.test(command);
-  const missingProof = /route-without-proof|without-proof/i.test(fixturePath) || fixture.requires_proof === true;
+  const hookName = normalizeReplayHookName(event);
+  const runtime = await evaluateHookPayload(hookName, payload, { root: tempRoot, state });
+  const decision = runtime.decision || runtime.permissionDecision || (runtime.continue === true ? 'continue' : 'continue');
+  const expected = await readExpectedReplay(absolute);
+  const comparable = { decision, reason: runtime.reason || 'fixture_safe' };
+  const matchesExpected = expected ? expected.decision === comparable.decision && (!expected.reason || expected.reason === comparable.reason) : null;
+  const ok = expected ? matchesExpected : decision !== 'block' && decision !== 'deny';
   return redactSecrets({
     schema: 'sks.hooks-replay.v1',
-    ok: !dangerousDb && !missingProof,
+    ok,
     event,
-    command,
-    decision: dangerousDb || missingProof ? 'block' : 'continue',
-    reason: dangerousDb ? 'dangerous_database_command' : (missingProof ? 'route_completion_without_proof' : 'fixture_safe'),
+    hook: hookName,
+    command: payload.command || payload.tool_input?.command || payload.toolInput?.command || payload.input?.command || '',
+    decision,
+    reason: runtime.reason || 'fixture_safe',
+    matches_expected: matchesExpected,
     secret_policy: 'redacted'
   });
 }
 
+function normalizeReplayHookName(event = '') {
+  const normalized = String(event || '').replace(/[_\s]+/g, '-').toLowerCase();
+  if (normalized.includes('pretool') || normalized.includes('pre-tool')) return 'pre-tool';
+  if (normalized.includes('permission')) return 'permission-request';
+  if (normalized.includes('userprompt') || normalized.includes('user-prompt')) return 'user-prompt-submit';
+  if (normalized.includes('posttool') || normalized.includes('post-tool')) return 'post-tool';
+  if (normalized.includes('stop')) return 'stop';
+  return normalized || 'pre-tool';
+}
+
+async function readExpectedReplay(fixturePath) {
+  const expectedPath = path.join(path.dirname(fixturePath), 'expected', `${path.basename(fixturePath, '.json')}.expected.json`);
+  if (!await exists(expectedPath)) return null;
+  return readJson(expectedPath, null);
+}
+
 export function hooksExplainReport() {
   return {
     schema: 'sks.hooks-explain.v1',

package/src/cli/install-helpers.mjs

@@ -10,6 +10,7 @@ import { initProject, installSkills } from '../core/init.mjs';
 import { context7ConfigToml, DOLLAR_SKILL_NAMES, GETDESIGN_REFERENCE, hasContext7ConfigText, RECOMMENDED_SKILLS } from '../core/routes.mjs';
 import { codexLaunchCommand, platformTmuxInstallHint, tmuxReadiness } from '../core/tmux-ui.mjs';
 import { reconcileCodexAppUpgradeProcesses } from '../core/codex-app.mjs';
+import { recordCodexLbHealthEvent } from '../core/codex-lb-circuit.mjs';
 
 const DEFAULT_CODEX_APP_PLUGINS = [
   ['browser', 'openai-bundled'],
@@ -513,10 +514,10 @@ export async function checkCodexLbResponseChain(status = {}, opts = {}) {
   const env = opts.env || process.env;
   if (!codexLbChainCheckEnabled(env) && !opts.force) return { ok: true, status: 'skipped', skipped: true, reason: 'SKS_CODEX_LB_CHAIN_CHECK=0' };
   const endpoint = codexLbResponsesEndpoint(opts.baseUrl || status.base_url);
-  if (!endpoint) return { ok: false, status: 'missing_base_url', chain_unhealthy: true };
+  if (!endpoint) return recordCodexLbChainHealth({ ok: false, status: 'missing_base_url', chain_unhealthy: true }, opts);
   const home = opts.home || env.HOME || os.homedir();
   const apiKey = opts.apiKey || parseCodexLbEnvKey(await readText(opts.envPath || status.env_path || codexLbEnvPath(home), ''));
-  if (!apiKey) return { ok: false, status: 'missing_env_key', chain_unhealthy: true };
+  if (!apiKey) return recordCodexLbChainHealth({ ok: false, status: 'missing_env_key', chain_unhealthy: true }, opts);
   const cached = await readCodexLbChainCache({ endpoint, home, opts, env });
   if (cached) return cached;
   const fetchImpl = opts.fetch || globalThis.fetch;
@@ -535,19 +536,19 @@ export async function checkCodexLbResponseChain(status = {}, opts = {}) {
   };
   const first = await fetchCodexLbResponse(fetchImpl, endpoint, apiKey, baseBody, timeoutMs);
   if (!first.ok || !first.response_id) {
-    return writeCodexLbChainCache({
+    return recordCodexLbChainHealth(await writeCodexLbChainCache({
       ok: false,
       status: first.ok ? 'missing_response_id' : 'first_request_failed',
       chain_unhealthy: true,
       endpoint,
       http_status: first.status,
       error: redactSecretText(first.error_payload?.error?.message || first.error_payload?.response?.error?.message || first.text || 'codex-lb first Responses request failed', [apiKey])
-    }, { endpoint, home, opts, env });
+    }, { endpoint, home, opts, env }), opts);
   }
   const second = await fetchCodexLbResponse(fetchImpl, endpoint, apiKey, { ...baseBody, previous_response_id: first.response_id }, timeoutMs);
-  if (second.ok) return writeCodexLbChainCache({ ok: true, status: 'chain_ok', endpoint, response_id: first.response_id, chained_response_id: second.response_id || null, http_status: second.status }, { endpoint, home, opts, env });
+  if (second.ok) return recordCodexLbChainHealth(await writeCodexLbChainCache({ ok: true, status: 'chain_ok', endpoint, response_id: first.response_id, chained_response_id: second.response_id || null, http_status: second.status }, { endpoint, home, opts, env }), opts);
   const previousMissing = isPreviousResponseNotFound(second.error_payload || second.json || second.text);
-  return writeCodexLbChainCache({
+  return recordCodexLbChainHealth(await writeCodexLbChainCache({
     ok: false,
     status: previousMissing ? 'previous_response_not_found' : 'second_request_failed',
     chain_unhealthy: true,
@@ -555,7 +556,13 @@ export async function checkCodexLbResponseChain(status = {}, opts = {}) {
     response_id: first.response_id,
     http_status: second.status,
     error: redactSecretText(second.error_payload?.error?.message || second.error_payload?.response?.error?.message || second.text || 'codex-lb chained Responses request failed', [apiKey])
-  }, { endpoint, home, opts, env });
+  }, { endpoint, home, opts, env }), opts);
+}
+
+async function recordCodexLbChainHealth(result, opts = {}) {
+  if (!result || result.skipped || opts.recordCircuit === false) return result;
+  await recordCodexLbHealthEvent(packageRoot(), result).catch(() => null);
+  return result;
 }
 
 function hasTopLevelCodexLbSelected(text = '') {

package/src/cli/legacy-main.mjs

@@ -77,6 +77,7 @@ import { renderTeamDashboardState, writeTeamDashboardState } from '../core/team-
 import { GOAL_WORKFLOW_ARTIFACT } from '../core/goal-workflow.mjs';
 import { CODEX_APP_DOCS_URL, codexAccessTokenStatus, codexAppIntegrationStatus, findCodexAppUpgradeRepairTargets, formatCodexAppStatus, parseProcessRows } from '../core/codex-app.mjs';
 import { buildAllFeaturesSelftest, buildFeatureRegistry, validateFeatureRegistry } from '../core/feature-registry.mjs';
+import { writeSelftestRouteProof } from '../core/proof/selftest-proof-fixtures.mjs';
 import { codexAppRemoteControlCommand } from './codex-app-command.mjs';
 import { allFeaturesCommand, featuresCommand, hooksCommand, hooksExplainReport } from './feature-commands.mjs';
 import { OPENCLAW_SKILL_NAME, installOpenClawSkill } from '../core/openclaw.mjs';
@@ -2088,10 +2089,7 @@ function readFlagValue(args, name, fallback) {
 }
 
 async function selftest() {
-  // Force non-interactive mode for the entire selftest so any in-process call that hits
-  // canAskYesNo() (codex-lb provider-restore prompt, chain-failure prompt, etc.) takes the
-  // non-interactive fallback path instead of bubbling a live readline prompt up to the
-  // user's terminal (e.g. during `npm publish` -> prepublishOnly -> release:check -> selftest).
+  // Keep selftest non-interactive even when install helpers would normally prompt.
   process.env.CI = 'true';
   const tmp = tmpdir();
   process.chdir(tmp);
@@ -2115,6 +2113,7 @@ async function selftest() {
   if (trippedStop) throw new Error('selftest: compliance loop guard did not terminally trip');
   const loopBlocker = await readJson(path.join(loopMission.dir, 'hard-blocker.json'), null);
   if (loopBlocker?.reason !== 'compliance_loop_guard_tripped') throw new Error('selftest: compliance loop guard did not write hard blocker');
+  await writeSelftestRouteProof(tmp, { missionId: loopMission.id, kind: 'hard_blocker' });
   const hardBlockerUnblocked = await evaluateStop(tmp, loopState, { last_assistant_message: 'done' });
   if (hardBlockerUnblocked?.decision === 'block' && !String(hardBlockerUnblocked.reason || '').includes('reflection')) throw new Error('selftest: hard blocker did not unblock incomplete active gate');
   const clarificationMission = await createMission(tmp, { mode: 'team', prompt: 'visible question gate selftest' });
@@ -3406,6 +3405,7 @@ async function selftest() {
   const missingCleanupStop = await evaluateStop(routeGateTmp, gateState, { last_assistant_message: 'SKS Honest Mode verification evidence gap' }, { noQuestion: false });
   if (missingCleanupStop?.decision !== 'block' || !String(missingCleanupStop.reason || '').includes(TEAM_SESSION_CLEANUP_ARTIFACT)) throw new Error('selftest: Team route did not block missing session cleanup gate');
   await writeJsonAtomic(path.join(gateDir, TEAM_SESSION_CLEANUP_ARTIFACT), passedTeamSessionCleanup);
+  await writeSelftestRouteProof(routeGateTmp, { missionId: gateId, kind: 'team_gate' });
   const missingReflectionStop = await evaluateStop(routeGateTmp, gateState, { last_assistant_message: 'SKS Honest Mode verification evidence gap' }, { noQuestion: false });
   if (missingReflectionStop?.decision !== 'block' || !String(missingReflectionStop.reason || '').includes('reflection')) throw new Error('selftest: full route did not block missing reflection gate');
   const missingReflectionNoQuestionStop = await evaluateStop(routeGateTmp, gateState, { last_assistant_message: 'SKS Honest Mode verification evidence gap' }, { noQuestion: true });
@@ -3430,6 +3430,7 @@ async function selftest() {
   await writeJsonAtomic(path.join(subagentGateDir, TEAM_SESSION_CLEANUP_ARTIFACT), passedTeamSessionCleanup);
   await writeTextAtomic(path.join(subagentGateDir, REFLECTION_ARTIFACT), '# Post-Route Reflection\n\nNo issue selftest.\n');
   await writeJsonAtomic(path.join(subagentGateDir, REFLECTION_GATE), { schema_version: 1, passed: true, mission_id: subagentGateId, route: '$Team', reflection_artifact: true, lessons_recorded: false, no_issue_acknowledged: true, triwiki_recorded: false, wiki_refreshed_or_packed: true, wiki_validated: true, created_at: nowIso() });
+  await writeSelftestRouteProof(subagentGateTmp, { missionId: subagentGateId, kind: 'subagent_gate' });
   const subagentUnblocked = await evaluateStop(subagentGateTmp, subagentGateState, { last_assistant_message: 'SKS Honest Mode verification evidence gap' }, { noQuestion: false });
   if (subagentUnblocked?.decision === 'block') throw new Error('selftest: subagent evidence did not unblock route gate');
   const { id: teamId, dir: teamDir } = await createMission(tmp, { mode: 'team', prompt: '병렬 구현 팀 테스트' });

package/src/commands/codex-app.mjs

@@ -0,0 +1,30 @@
+import { flag } from '../cli/args.mjs';
+import { printJson } from '../cli/output.mjs';
+import { codexAccessTokenStatus, codexAppIntegrationStatus, formatCodexAppStatus } from '../core/codex-app.mjs';
+import { codexAppRemoteControlCommand } from '../cli/codex-app-command.mjs';
+
+export async function run(_command, args = []) {
+  const action = args[0] || 'check';
+  if (action === 'remote-control' || action === 'remote') return codexAppRemoteControlCommand(args.slice(1));
+  if (action === 'pat') {
+    const status = codexAccessTokenStatus();
+    if (flag(args, '--json')) return printJson(status);
+    console.log('Codex App PAT status');
+    console.log(`Status: ${status.status}`);
+    for (const entry of status.access_token_env_vars) console.log(`${entry.name}: ${entry.present ? entry.value : 'missing'}`);
+    return;
+  }
+  if (action === 'check' || action === 'status') {
+    const status = await codexAppIntegrationStatus();
+    if (flag(args, '--json')) {
+      printJson(status);
+      if (!status.ok) process.exitCode = 1;
+      return;
+    }
+    console.log(formatCodexAppStatus(status, { includeRaw: flag(args, '--verbose') }));
+    if (!status.ok) process.exitCode = 1;
+    return;
+  }
+  console.error('Usage: sks codex-app check|status|pat status|remote-control [--json]');
+  process.exitCode = 1;
+}

package/src/commands/codex-lb.mjs

@@ -1,7 +1,8 @@
+import path from 'node:path';
 import { projectRoot } from '../core/fsx.mjs';
-import { flag } from '../cli/args.mjs';
+import { flag, readOption } from '../cli/args.mjs';
 import { printJson } from '../cli/output.mjs';
-import { codexLbMetrics, readCodexLbCircuit, resetCodexLbCircuit } from '../core/codex-lb-circuit.mjs';
+import { codexLbMetrics, readCodexLbCircuit, recordCodexLbHealthEvent, resetCodexLbCircuit } from '../core/codex-lb-circuit.mjs';
 
 export async function run(command, args = []) {
   const root = await projectRoot();
@@ -26,6 +27,21 @@ export async function run(command, args = []) {
     console.log('codex-lb circuit reset');
     return;
   }
+  if (action === 'circuit' && args[1] === 'record-fixture') {
+    const fixturePath = args[2] || readOption(args, '--fixture', null);
+    if (!fixturePath) {
+      console.error('Usage: sks codex-lb circuit record-fixture <fixture.json> [--json]');
+      process.exitCode = 1;
+      return;
+    }
+    const { readJson } = await import('../core/fsx.mjs');
+    const event = await readJson(path.isAbsolute(fixturePath) ? fixturePath : path.resolve(root, fixturePath), {});
+    const circuit = await recordCodexLbHealthEvent(root, event);
+    const result = { schema: 'sks.codex-lb-circuit-record-fixture.v1', ok: true, fixture: fixturePath, circuit };
+    if (flag(args, '--json')) return printJson(result);
+    console.log(`codex-lb circuit: ${circuit.state}`);
+    return;
+  }
   const legacy = await import('../cli/legacy-main.mjs');
   return legacy.main([command, ...args]);
 }

package/src/commands/db.mjs

@@ -0,0 +1,6 @@
+import { dbCommand } from '../cli/maintenance-commands.mjs';
+
+export async function run(_command, args = []) {
+  const [sub = 'policy', ...rest] = args;
+  return dbCommand(sub, rest);
+}

package/src/commands/doctor.mjs

@@ -0,0 +1,46 @@
+import { projectRoot, dirSize, exists, formatBytes } from '../core/fsx.mjs';
+import { flag } from '../cli/args.mjs';
+import { printJson } from '../cli/output.mjs';
+import { getCodexInfo } from '../core/codex-adapter.mjs';
+import { rustInfo } from '../core/rust-accelerator.mjs';
+import { codexAppIntegrationStatus } from '../core/codex-app.mjs';
+import { codexLbMetrics, readCodexLbCircuit } from '../core/codex-lb-circuit.mjs';
+
+export async function run(_command, args = []) {
+  if (flag(args, '--fix')) {
+    const legacy = await import('../cli/legacy-main.mjs');
+    return legacy.main(['doctor', ...args]);
+  }
+  const root = await projectRoot();
+  const codex = await getCodexInfo().catch((err) => ({ available: false, error: err.message }));
+  const rust = await rustInfo().catch((err) => ({ available: false, error: err.message }));
+  const codexApp = await codexAppIntegrationStatus({ codex }).catch((err) => ({ ok: false, error: err.message }));
+  const codexLb = codexLbMetrics(await readCodexLbCircuit(root).catch(() => ({})));
+  const pkgBytes = await dirSize(root).catch(() => 0);
+  const result = {
+    schema: 'sks.doctor-status.v1',
+    ok: Boolean(codex.bin) && codexApp.ok && codexLb.ok,
+    root,
+    node: { ok: Number(process.versions.node.split('.')[0]) >= 20, version: process.version },
+    codex,
+    rust,
+    codex_app: codexApp,
+    codex_lb: codexLb,
+    sneakoscope: { ok: await exists(`${root}/.sneakoscope`) },
+    package: { bytes: pkgBytes, human: formatBytes(pkgBytes) }
+  };
+  if (flag(args, '--json')) {
+    printJson(result);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
+  console.log('SKS Doctor');
+  console.log(`Root:      ${root}`);
+  console.log(`Node:      ${result.node.ok ? 'ok' : 'fail'} ${result.node.version}`);
+  console.log(`Codex:     ${codex.bin ? 'ok' : 'missing'} ${codex.version || ''}`);
+  console.log(`Rust acc.: ${rust.available ? rust.version : 'optional-missing'}`);
+  console.log(`Codex App: ${codexApp.ok ? 'ok' : 'needs setup'}`);
+  console.log(`codex-lb:  ${codexLb.ok ? 'ok' : `blocked ${codexLb.circuit?.state || 'unknown'}`}`);
+  console.log(`Ready:     ${result.ok ? 'yes' : 'no'}`);
+  if (!result.ok) process.exitCode = 1;
+}