npm - sneakoscope - Versions diffs - 0.9.12 → 0.9.13 - Mend

sneakoscope 0.9.12 → 0.9.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/README.md +8 -2
package/crates/sks-core/Cargo.lock +1 -1
package/crates/sks-core/Cargo.toml +1 -1
package/crates/sks-core/src/main.rs +142 -2
package/package.json +4 -2
package/src/cli/command-registry.mjs +3 -3
package/src/cli/feature-commands.mjs +42 -11
package/src/cli/install-helpers.mjs +14 -7
package/src/cli/legacy-main.mjs +5 -4
package/src/commands/codex-app.mjs +30 -0
package/src/commands/codex-lb.mjs +18 -2
package/src/commands/db.mjs +6 -0
package/src/commands/doctor.mjs +46 -0
package/src/commands/proof.mjs +38 -2
package/src/commands/wiki.mjs +53 -2
package/src/core/codex-lb-circuit.mjs +45 -1
package/src/core/db-safety.mjs +17 -2
package/src/core/feature-fixtures.mjs +39 -1
package/src/core/feature-registry.mjs +87 -4
package/src/core/fsx.mjs +1 -1
package/src/core/hooks-runtime.mjs +12 -3
package/src/core/pipeline.mjs +18 -0
package/src/core/proof/evidence-collector.mjs +7 -0
package/src/core/proof/proof-reader.mjs +11 -0
package/src/core/proof/proof-redaction.test-helper.mjs +9 -0
package/src/core/proof/route-adapter.mjs +74 -0
package/src/core/proof/route-proof-gate.mjs +33 -0
package/src/core/proof/route-proof-policy.mjs +96 -0
package/src/core/proof/selftest-proof-fixtures.mjs +54 -0
package/src/core/proof/validation.mjs +1 -0
package/src/core/rust-accelerator.mjs +29 -7
package/src/core/version.mjs +1 -1
package/src/core/wiki-image/callout-parser.mjs +16 -0
package/src/core/wiki-image/computer-use-ledger.mjs +38 -0
package/src/core/wiki-image/image-relation.mjs +2 -0
package/src/core/wiki-image/image-voxel-ledger.mjs +43 -0
package/src/core/wiki-image/proof-linker.mjs +12 -0
package/src/core/wiki-image/validation.mjs +16 -5
package/src/core/wiki-image/visual-anchor.mjs +14 -1

package/src/commands/proof.mjs CHANGED Viewed

@@ -2,7 +2,9 @@ import { projectRoot } from '../core/fsx.mjs';
 import { flag } from '../cli/args.mjs';
 import { printJson } from '../cli/output.mjs';
 import { collectProofEvidence } from '../core/proof/evidence-collector.mjs';
-import { readLatestProof, readLatestProofMarkdown } from '../core/proof/proof-reader.mjs';
+import { findLatestMission } from '../core/mission.mjs';
+import { readLatestProof, readLatestProofMarkdown, readRouteProof } from '../core/proof/proof-reader.mjs';
+import { writeRouteCompletionProof } from '../core/proof/route-adapter.mjs';
 import { renderProofMarkdown, writeCompletionProof } from '../core/proof/proof-writer.mjs';
 import { validateCompletionProof } from '../core/proof/validation.mjs';
@@ -26,10 +28,44 @@ export async function run(_command, args = []) {
     if (!result.ok) process.exitCode = 1;
     return;
   }
+  if (action === 'route') {
+    const missionArg = rest.find((arg) => !String(arg).startsWith('--')) || 'latest';
+    const missionId = missionArg === 'latest' ? await findLatestMission(root) : missionArg;
+    const proof = await readRouteProof(root, missionId);
+    const result = proof
+      ? { schema: 'sks.completion-proof-route.v1', ok: true, mission_id: missionId, proof }
+      : { schema: 'sks.completion-proof-route.v1', ok: false, mission_id: missionId, status: 'blocked', issues: ['completion_proof_missing'] };
+    if (flag(args, '--json')) return printJson(result);
+    if (proof) process.stdout.write(renderProofMarkdown(proof));
+    else console.log(`Completion proof missing for mission ${missionId || 'latest'}`);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
   if (action === 'export' && (flag(rest, '--md') || flag(args, '--md'))) {
     process.stdout.write(await readLatestProofMarkdown(root));
     return;
   }
+  if (action === 'repair' && rest[0] === 'latest') {
+    const missionId = await findLatestMission(root);
+    const evidence = await collectProofEvidence(root);
+    const result = await writeRouteCompletionProof(root, {
+      missionId,
+      route: '$SKS',
+      status: 'verified_partial',
+      evidence,
+      summary: {
+        files_changed: evidence.files?.length || 0,
+        commands_run: 1,
+        manual_review_required: true
+      },
+      claims: [{ id: 'proof-repair-latest', status: 'supported', evidence: '.sneakoscope/proof/latest.json' }],
+      unverified: ['Repair proof records current local evidence and remains verified_partial until a route-specific gate passes.']
+    });
+    if (flag(args, '--json')) return printJson({ schema: 'sks.completion-proof-repair.v1', ok: result.ok, mission_id: missionId, files: result.files, validation: result.validation });
+    console.log(`Completion proof repaired: ${result.files.latest_json}`);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
   if (action === 'smoke') {
     const evidence = await collectProofEvidence(root);
     const result = await writeCompletionProof(root, {
@@ -50,7 +86,7 @@ export async function run(_command, args = []) {
     console.log(`Completion proof written: ${result.files.latest_json}`);
     return;
   }
-  console.error('Usage: sks proof show|latest|validate|export --md|smoke [--json]');
+  console.error('Usage: sks proof show|latest|validate|route <mission-id|latest>|export --md|repair latest|smoke [--json]');
   process.exitCode = 1;
 }

package/src/commands/wiki.mjs CHANGED Viewed

@@ -2,7 +2,8 @@ import path from 'node:path';
 import { projectRoot } from '../core/fsx.mjs';
 import { flag, readOption } from '../cli/args.mjs';
 import { printJson } from '../cli/output.mjs';
-import { ingestImage, imageVoxelSummary, readImageVoxelLedger } from '../core/wiki-image/image-voxel-ledger.mjs';
+import { addImageRelation, addVisualAnchor, ingestImage, imageVoxelSummary, readImageVoxelLedger } from '../core/wiki-image/image-voxel-ledger.mjs';
+import { imageVoxelProofEvidence } from '../core/wiki-image/proof-linker.mjs';
 import { validateImageVoxelLedger } from '../core/wiki-image/validation.mjs';
 export async function run(_command, args = []) {
@@ -23,7 +24,11 @@ export async function run(_command, args = []) {
   if (action === 'image-validate') {
     const ledgerPath = args.find((arg, i) => i > 0 && !String(arg).startsWith('--'));
     const ledger = await readImageVoxelLedger(root, ledgerPath ? path.resolve(root, ledgerPath) : undefined);
-    const result = { schema: 'sks.image-voxel-validation.v1', ...validateImageVoxelLedger(ledger) };
+    const result = { schema: 'sks.image-voxel-validation.v1', ...validateImageVoxelLedger(ledger, {
+      requireAnchors: flag(args, '--require-anchors'),
+      requireRelations: flag(args, '--require-relations'),
+      route: readOption(args, '--route', '$Wiki')
+    }) };
     if (flag(args, '--json')) return printJson(result);
     console.log(`Image voxel ledger: ${result.ok ? 'pass' : 'blocked'}`);
     for (const issue of result.issues) console.log(`- ${issue}`);
@@ -39,6 +44,52 @@ export async function run(_command, args = []) {
     if (!result.ok) process.exitCode = 1;
     return;
   }
+  if (action === 'anchor-add') {
+    const result = await addVisualAnchor(root, {
+      imageId: readOption(args, '--image-id', null),
+      bbox: parseBbox(readOption(args, '--bbox', '')),
+      label: readOption(args, '--label', 'Visual anchor'),
+      source: readOption(args, '--source', 'manual'),
+      evidencePath: readOption(args, '--evidence', null),
+      route: readOption(args, '--route', '$Wiki'),
+      claimId: readOption(args, '--claim-id', null),
+      missionId: readOption(args, '--mission-id', null)
+    });
+    if (flag(args, '--json')) return printJson(result);
+    console.log(`Visual anchor: ${result.ok ? 'added' : 'blocked'} ${result.anchor.id}`);
+    for (const issue of result.validation.issues) console.log(`- ${issue}`);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
+  if (action === 'relation-add') {
+    const result = await addImageRelation(root, {
+      type: readOption(args, '--type', 'before_after'),
+      beforeImageId: readOption(args, '--before', null),
+      afterImageId: readOption(args, '--after', null),
+      anchors: String(readOption(args, '--anchors', '') || '').split(',').map((x) => x.trim()).filter(Boolean),
+      verification: readOption(args, '--verification', 'changed-screen-recheck'),
+      status: readOption(args, '--status', 'verified_partial'),
+      route: readOption(args, '--route', '$Wiki'),
+      missionId: readOption(args, '--mission-id', null)
+    });
+    if (flag(args, '--json')) return printJson(result);
+    console.log(`Image relation: ${result.ok ? 'added' : 'blocked'} ${result.relation.type}`);
+    for (const issue of result.validation.issues) console.log(`- ${issue}`);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
+  if (action === 'image-link-proof') {
+    const result = await imageVoxelProofEvidence(root);
+    if (flag(args, '--json')) return printJson(result);
+    console.log(`Image voxel proof link: ${result.ok ? 'ok' : 'blocked'}`);
+    if (!result.ok) process.exitCode = 1;
+    return;
+  }
   const legacy = await import('../cli/legacy-main.mjs');
   return legacy.main(['wiki', ...args]);
 }
+function parseBbox(raw) {
+  const parts = String(raw || '').split(',').map((part) => Number(part.trim()));
+  return parts.length === 4 && parts.every(Number.isFinite) ? parts : null;
+}

package/src/core/codex-lb-circuit.mjs CHANGED Viewed

@@ -6,6 +6,7 @@ import { redactSecrets } from './secret-redaction.mjs';
 export const CODEX_LB_CIRCUIT_SCHEMA = 'sks.codex-lb-circuit.v1';
 export function codexLbGlobalHealthPath() {
+  if (process.env.SKS_CODEX_LB_HEALTH_PATH) return process.env.SKS_CODEX_LB_HEALTH_PATH;
   return path.join(os.homedir(), '.codex', 'sks-codex-lb-health.json');
 }
@@ -32,8 +33,30 @@ export async function resetCodexLbCircuit(root = packageRoot()) {
 }
 export async function recordCodexLbFailure(root = packageRoot(), failure = {}) {
+  return recordCodexLbHealthEvent(root, failure);
+}
+export async function recordCodexLbHealthEvent(root = packageRoot(), event = {}) {
   const current = await readCodexLbCircuit(root);
-  const recent = [...(current.recent_failures || []), redactSecrets({ ts: nowIso(), ...failure })].slice(-10);
+  const normalized = normalizeHealthEvent(event);
+  if (normalized.kind === 'chain_ok') {
+    return writeCodexLbCircuit(root, {
+      ...current,
+      state: current.state === 'half_open' || current.state === 'open' ? 'closed' : current.state || 'closed',
+      last_ok_at: nowIso(),
+      recent_failures: current.recent_failures || []
+    });
+  }
+  if (normalized.kind === 'previous_response_not_found') {
+    const warnings = [...(current.recent_warnings || []), redactSecrets({ ts: nowIso(), ...normalized })].slice(-10);
+    return writeCodexLbCircuit(root, {
+      ...current,
+      state: current.state === 'open' ? 'open' : 'closed',
+      recent_warnings: warnings,
+      last_warning_at: nowIso()
+    });
+  }
+  const recent = [...(current.recent_failures || []), redactSecrets({ ts: nowIso(), ...normalized })].slice(-10);
   const open = recent.filter((item) => ['5xx', 'timeout', 'network'].includes(item.kind)).length >= 3
     || recent.some((item) => item.kind === 'auth');
   return writeCodexLbCircuit(root, {
@@ -44,6 +67,23 @@ export async function recordCodexLbFailure(root = packageRoot(), failure = {}) {
   });
 }
+export function normalizeHealthEvent(event = {}) {
+  const status = String(event.status || event.kind || '').toLowerCase();
+  const httpStatus = Number(event.http_status || event.httpStatus || 0);
+  let kind = event.kind || status || 'unknown';
+  if (status === 'chain_ok' || event.ok === true) kind = 'chain_ok';
+  else if (status === 'previous_response_not_found') kind = 'previous_response_not_found';
+  else if (status === 'missing_env_key') kind = 'missing_env_key';
+  else if (status === 'missing_base_url') kind = 'missing_base_url';
+  else if (/auth|401|403/.test(status) || httpStatus === 401 || httpStatus === 403) kind = 'auth';
+  else if (/timeout|timed out/.test(status) || /timeout|timed out/i.test(event.error || '')) kind = 'timeout';
+  else if (httpStatus >= 500 || /5xx|server/.test(status)) kind = '5xx';
+  else if (/network|fetch|econn|enotfound|socket/.test(status) || /network|fetch|econn|enotfound|socket/i.test(event.error || '')) kind = 'network';
+  else if (status === 'first_request_failed') kind = httpStatus >= 500 ? '5xx' : 'network';
+  else if (status === 'second_request_failed') kind = httpStatus >= 500 ? '5xx' : 'network';
+  return redactSecrets({ ...event, kind });
+}
 export function codexLbMetrics(circuit = emptyCircuit()) {
   return {
     schema: 'sks.codex-lb-metrics.v1',
@@ -65,21 +105,25 @@ function emptyCircuit() {
     base_url: null,
     state: 'closed',
     recent_failures: [],
+    recent_warnings: [],
     latency_ms: { p50: null, p95: null },
     last_ok_at: null,
     last_failure_at: null,
+    last_warning_at: null,
     updated_at: nowIso()
   };
 }
 function normalizeCircuit(input = {}, root = packageRoot()) {
   const failures = Array.isArray(input.recent_failures) ? input.recent_failures.slice(-10).map((item) => redactSecrets(item)) : [];
+  const warnings = Array.isArray(input.recent_warnings) ? input.recent_warnings.slice(-10).map((item) => redactSecrets(item)) : [];
   return {
     ...emptyCircuit(),
     ...redactSecrets(input),
     schema: CODEX_LB_CIRCUIT_SCHEMA,
     state: ['closed', 'open', 'half_open'].includes(input.state) ? input.state : 'closed',
     recent_failures: failures,
+    recent_warnings: warnings,
     report_path: codexLbReportPath(root),
     updated_at: nowIso()
   };

package/src/core/db-safety.mjs CHANGED Viewed

@@ -68,6 +68,21 @@ function stripSqlComments(sql = '') {
 function norm(s = '') { return stripSqlComments(s).toLowerCase(); }
+function stripSqlStringLiterals(sql = '') {
+  let out = '';
+  let quote = null;
+  for (let i = 0; i < String(sql).length; i++) {
+    const ch = sql[i];
+    if ((ch === "'" || ch === '"') && sql[i - 1] !== '\\') {
+      quote = quote === ch ? null : (quote || ch);
+      out += ' ';
+      continue;
+    }
+    out += quote ? ' ' : ch;
+  }
+  return out;
+}
 export function splitSqlStatements(sql = '') {
   const text = stripSqlComments(sql);
   const out = [];
@@ -86,7 +101,7 @@ export function splitSqlStatements(sql = '') {
 function hasWhere(stmt) { return /\bwhere\b/i.test(stmt); }
 function hasLimit(stmt) { return /\blimit\s+\d+\b/i.test(stmt); }
 function isReadOnly(stmt) {
-  const s = norm(stmt);
+  const s = stripSqlStringLiterals(norm(stmt));
   return /^(select|with|show|explain|describe)\b/.test(s) && !/(\binsert\b|\bupdate\b|\bdelete\b|\bdrop\b|\btruncate\b|\balter\b|\bcreate\b|\bgrant\b|\brevoke\b)/.test(s);
 }
@@ -97,7 +112,7 @@ export function classifySql(sql = '') {
   let level = 'safe';
   let kind = 'read';
   for (const stmtRaw of statements) {
-    const stmt = norm(stmtRaw);
+    const stmt = stripSqlStringLiterals(norm(stmtRaw));
     if (!stmt) continue;
     const destructiveChecks = [
       [/\bdrop\s+database\b/, 'drop_database'],

package/src/core/feature-fixtures.mjs CHANGED Viewed

@@ -10,6 +10,36 @@ const FIXTURES = Object.freeze({
   'cli-codex-lb': fixture('mock', 'sks codex-lb metrics --json', ['.sneakoscope/reports/codex-lb-health.json'], 'pass'),
   'cli-hooks': fixture('mock', 'sks hooks trust-report --json', [], 'pass'),
   'cli-features': fixture('static', 'sks features check --json', [], 'pass'),
+  'cli-commands': fixture('static', 'sks commands --json', [], 'pass'),
+  'cli-usage': fixture('static', 'sks usage overview', [], 'pass'),
+  'cli-quickstart': fixture('static', 'sks quickstart', [], 'pass'),
+  'cli-update-check': fixture('static', 'sks update-check --json', [], 'pass'),
+  'cli-guard': fixture('static', 'sks guard check --json', [], 'pass'),
+  'cli-conflicts': fixture('static', 'sks conflicts check --json', [], 'pass'),
+  'cli-versioning': fixture('static', 'sks versioning status --json', [], 'pass'),
+  'cli-aliases': fixture('static', 'sks aliases', [], 'pass'),
+  'cli-fix-path': fixture('static', 'sks fix-path --json', [], 'pass'),
+  'cli-init': fixture('static', 'sks init --local-only', [], 'pass'),
+  'cli-selftest': fixture('static', 'sks selftest --mock', [], 'pass'),
+  'cli-goal': fixture('mock', 'sks goal status latest --json', ['goal-workflow.json'], 'pass'),
+  'cli-research': fixture('mock', 'sks research status latest --json', ['research-gate.json', 'completion-proof.json'], 'pass'),
+  'cli-qa-loop': fixture('mock', 'sks qa-loop status latest --json', ['qa-loop-proof.json', 'completion-proof.json'], 'pass'),
+  'cli-ppt': fixture('mock', 'sks ppt status latest --json', ['ppt-review-ledger.json', 'completion-proof.json'], 'pass'),
+  'cli-image-ux-review': fixture('mock', 'sks image-ux-review status latest --json', ['image-ux-generated-review-ledger.json', 'image-voxel-ledger.json'], 'pass'),
+  'cli-pipeline': fixture('mock', 'sks pipeline status latest --json', ['pipeline-plan.json'], 'pass'),
+  'cli-validate-artifacts': fixture('mock', 'sks validate-artifacts latest --json', ['validation-report.json'], 'pass'),
+  'cli-hproof': fixture('mock', 'sks hproof check latest', ['completion-proof.json'], 'pass'),
+  'cli-proof-field': fixture('static', 'sks proof-field scan --json --intent fixture', [], 'pass'),
+  'cli-recallpulse': fixture('mock', 'sks recallpulse status latest --json', ['recallpulse-report.json'], 'pass'),
+  'cli-gx': fixture('mock', 'sks gx validate fixture', ['gx-validation.json'], 'pass'),
+  'cli-perf': fixture('static', 'sks perf cold-start --json --iterations 1', [], 'pass'),
+  'cli-code-structure': fixture('static', 'sks code-structure scan --json', [], 'pass'),
+  'cli-skill-dream': fixture('static', 'sks skill-dream status --json', [], 'pass'),
+  'cli-gc': fixture('static', 'sks gc --dry-run --json', [], 'pass'),
+  'cli-memory': fixture('static', 'sks memory --dry-run --json', [], 'pass'),
+  'cli-stats': fixture('static', 'sks stats --json', [], 'pass'),
+  'cli-dollar-commands': fixture('static', 'sks dollar-commands --json', [], 'pass'),
+  'cli-dfix': fixture('static', 'sks dfix', [], 'pass'),
   'cli-wiki': fixture('mock', 'sks wiki image-summary --json', ['.sneakoscope/wiki/image-voxel-ledger.json'], 'pass'),
   'cli-db': fixture('static', 'sks db policy', [], 'pass'),
   'cli-proof': fixture('mock', 'sks proof validate --json', ['.sneakoscope/proof/latest.json'], 'pass'),
@@ -18,7 +48,15 @@ const FIXTURES = Object.freeze({
   'route-research': fixture('mock', 'sks research run latest --mock --json', ['completion-proof.json'], 'pass'),
   'route-ppt': fixture('mock', 'sks ppt status latest --json', ['ppt-review-ledger.json', 'completion-proof.json'], 'pass'),
   'route-image-ux-review': fixture('mock', 'sks image-ux-review status latest --json', ['image-ux-generated-review-ledger.json', 'image-voxel-ledger.json'], 'pass'),
-  'route-computer-use': fixture('real_optional', '$Computer-Use mock evidence ledger', ['computer-use-evidence-ledger.json'], 'blocked'),
+  'route-computer-use': fixture('mock', '$Computer-Use mock evidence ledger', ['computer-use-evidence-ledger.json', 'image-voxel-ledger.json', 'completion-proof.json'], 'pass'),
+  'route-cu': fixture('mock', '$CU mock evidence ledger', ['computer-use-evidence-ledger.json', 'image-voxel-ledger.json', 'completion-proof.json'], 'pass'),
+  'route-dfix': fixture('static', '$DFix tiny edit route policy', ['completion-proof.json'], 'pass'),
+  'route-answer': fixture('static', '$Answer answer-only route policy', [], 'pass'),
+  'route-goal': fixture('mock', '$Goal bridge route', ['goal-workflow.json', 'completion-proof.json'], 'pass'),
+  'route-autoresearch': fixture('mock', '$AutoResearch fixture route', ['research-gate.json', 'completion-proof.json'], 'pass'),
+  'route-mad-sks': fixture('mock', '$MAD-SKS permission gate route', ['mad-sks-gate.json', 'completion-proof.json'], 'pass'),
+  'route-from-chat-img': fixture('mock', '$From-Chat-IMG visual work order route', ['from-chat-img-work-order.md', 'image-voxel-ledger.json', 'completion-proof.json'], 'pass'),
+  'route-ux-review': fixture('mock', '$UX-Review image UX alias route', ['image-ux-generated-review-ledger.json', 'image-voxel-ledger.json'], 'pass'),
   'route-db': fixture('static', 'sks db policy', [], 'pass'),
   'route-wiki': fixture('mock', 'sks wiki image-summary --json', ['.sneakoscope/wiki/image-voxel-ledger.json'], 'pass'),
   'route-gx': fixture('mock', 'sks gx validate fixture', [], 'pass')

package/src/core/feature-registry.mjs CHANGED Viewed

@@ -1,8 +1,9 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
+import { spawnSync } from 'node:child_process';
 import { COMMAND_CATALOG, DOLLAR_COMMAND_ALIASES, DOLLAR_COMMANDS } from './routes.mjs';
 import { fixtureForFeature, fixtureSummary, validateFeatureFixtures } from './feature-fixtures.mjs';
-import { exists, nowIso, packageRoot, readJson, readText, writeTextAtomic } from './fsx.mjs';
+import { exists, nowIso, packageRoot, readJson, readText, runProcess, writeTextAtomic } from './fsx.mjs';
 export const FEATURE_REGISTRY_SCHEMA = 'sks.feature-registry.v1';
 export const FEATURE_INVENTORY_SCHEMA = 'sks.feature-inventory.v1';
@@ -132,10 +133,11 @@ export async function writeFeatureInventoryDocs({ root = packageRoot(), outFile
   return { ok: registry.coverage.ok, path: outFile, registry };
 }
-export function buildAllFeaturesSelftest(registry) {
+export function buildAllFeaturesSelftest(registry, opts = {}) {
   const coverage = validateFeatureRegistry(registry);
   const fixtures = validateFeatureFixtures(registry.features || []);
   const fixturesSummary = fixtureSummary(registry.features || []);
+  const executable = opts.executeFixtures ? executeFeatureFixtures(registry.features || [], opts) : null;
   const checks = [
     checkRow('feature_registry_completeness', coverage.ok, coverage.blockers),
     checkRow('command_lazy_load_availability', coverage.unmapped.cli_command_names.length === 0 && coverage.unmapped.handler_keys.length === 0, [...coverage.unmapped.cli_command_names, ...coverage.unmapped.handler_keys]),
@@ -145,7 +147,10 @@ export function buildAllFeaturesSelftest(registry) {
     checkRow('failure_contracts_present', registry.features.every((feature) => Array.isArray(feature.known_gaps)), missingFeatureField(registry, 'known_gaps')),
     checkRow('fixture_contracts_present', fixtures.ok, fixtures.blockers),
     checkRow('proof_fixture_contract_present', registry.features.some((feature) => feature.id === 'cli-proof' && feature.fixture?.status === 'pass'), ['cli-proof']),
-    checkRow('voxel_fixture_contract_present', registry.features.some((feature) => feature.id === 'cli-wiki' && feature.fixture?.expected_artifacts?.some((artifact) => artifact.includes('image-voxel-ledger'))), ['cli-wiki'])
+    checkRow('voxel_fixture_contract_present', registry.features.some((feature) => feature.id === 'cli-wiki' && feature.fixture?.expected_artifacts?.some((artifact) => artifact.includes('image-voxel-ledger'))), ['cli-wiki']),
+    checkRow('fixture_pass_threshold', (fixturesSummary.counts.pass || 0) >= 45, [`pass=${fixturesSummary.counts.pass || 0}`]),
+    checkRow('fixture_mock_blocked_zero', (fixturesSummary.counts.blocked || 0) === 0, [`blocked=${fixturesSummary.counts.blocked || 0}`]),
+    ...(executable ? [checkRow('executable_fixture_contracts', executable.ok, executable.failures)] : [])
   ];
   const ok = checks.every((check) => check.ok);
   return {
@@ -156,10 +161,88 @@ export function buildAllFeaturesSelftest(registry) {
     checks,
     fixtures: fixturesSummary,
     coverage,
-    note: 'Mock selftest verifies the shared contract spine; feature fixtures remain progressive.'
+    executable_fixtures: executable,
+    note: opts.executeFixtures
+      ? 'Mock executable fixture mode validates release-gated fixture contracts and expected artifact declarations.'
+      : 'Mock selftest verifies the shared contract spine; feature fixtures remain progressive.'
   };
 }
+export function executeFeatureFixtures(features = [], opts = {}) {
+  const selected = features.filter((feature) => feature.fixture?.status === 'pass' && ['mock', 'static'].includes(feature.fixture.kind));
+  const failures = [];
+  const checked = [];
+  const executed = [];
+  for (const feature of selected) {
+    const fx = feature.fixture;
+    if (!fx.command) {
+      failures.push(`${feature.id}:fixture_command_missing`);
+      continue;
+    }
+    const artifactOk = Array.isArray(fx.expected_artifacts);
+    if (!artifactOk) failures.push(`${feature.id}:expected_artifacts`);
+    const execution = executeSafeFixtureCommand(feature.id, opts);
+    if (execution) {
+      executed.push(execution);
+      if (!execution.ok) failures.push(`${feature.id}:command_exit_${execution.status}`);
+    }
+    checked.push({
+      id: feature.id,
+      kind: fx.kind,
+      command: fx.command,
+      expected_artifacts: fx.expected_artifacts,
+      mode: execution ? 'command_and_contract' : 'contract'
+    });
+  }
+  return {
+    schema: 'sks.feature-fixture-execution.v1',
+    mode: 'mock',
+    ok: failures.length === 0,
+    checked: checked.length,
+    executed: executed.length,
+    executed_commands: executed,
+    failures,
+    command_execution: executed.length ? 'safe-allowlist' : 'contract-only',
+    note: 'Release fixture execution runs deterministic safe CLI fixtures and validates mock/static contracts without claiming real external dependency runs.'
+  };
+}
+function executeSafeFixtureCommand(featureId, opts = {}) {
+  const args = SAFE_EXECUTABLE_FIXTURE_ARGS[featureId];
+  if (!args) return null;
+  const root = opts.root || packageRoot();
+  const result = spawnSync(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), ...args], {
+    cwd: root,
+    encoding: 'utf8',
+    timeout: 15_000,
+    env: { ...process.env, CI: 'true', SKS_SKIP_NPM_FRESHNESS_CHECK: '1' }
+  });
+  return {
+    id: featureId,
+    args,
+    status: result.status,
+    signal: result.signal || null,
+    ok: result.status === 0,
+    stdout_bytes: Buffer.byteLength(result.stdout || ''),
+    stderr_bytes: Buffer.byteLength(result.stderr || '')
+  };
+}
+const SAFE_EXECUTABLE_FIXTURE_ARGS = Object.freeze({
+  'cli-version': ['--version'],
+  'cli-root': ['root', '--json'],
+  'cli-features': ['features', 'check', '--json'],
+  'cli-commands': ['commands', '--json'],
+  'cli-proof-field': ['proof-field', 'scan', '--json', '--intent', 'fixture'],
+  'cli-db': ['db', 'policy'],
+  'cli-wiki': ['wiki', 'image-summary', '--json'],
+  'cli-codex-lb': ['codex-lb', 'metrics', '--json'],
+  'cli-hooks': ['hooks', 'trust-report', '--json'],
+  'cli-perf': ['perf', 'cold-start', '--json', '--iterations', '1'],
+  'route-db': ['db', 'policy'],
+  'route-wiki': ['wiki', 'image-summary', '--json']
+});
 export function renderFeatureInventoryMarkdown(registry) {
   const coverage = registry.coverage || validateFeatureRegistry(registry);
   const lines = [

package/src/core/fsx.mjs CHANGED Viewed

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
-export const PACKAGE_VERSION = '0.9.12';
+export const PACKAGE_VERSION = '0.9.13';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;

package/src/core/hooks-runtime.mjs CHANGED Viewed

@@ -166,8 +166,12 @@ function looksLikeUpdateAccept(prompt) {
 export async function hookMain(name) {
   const payload = await loadHookPayload();
-  const root = await projectRoot(payload.cwd || process.cwd());
-  const state = await loadState(root);
+  return evaluateHookPayload(name, payload);
+}
+export async function evaluateHookPayload(name, payload = {}, opts = {}) {
+  const root = opts.root || await projectRoot(payload.cwd || process.cwd());
+  const state = opts.state || payload.state || await loadState(root);
   const noQuestion = isNoQuestionRunning(state);
   if (name === 'user-prompt-submit') {
     const modelBlock = blockForbiddenClientModel(payload);
@@ -913,7 +917,7 @@ function hasHonestModeUnresolvedGap(text) {
   return honestModeGapLines(text).length > 0;
 }
-function honestModeGapLines(text) {
+export function honestModeGapLines(text) {
   const issue = /(gap|remaining|unverified|not verified|not run|not complete|incomplete|failed|blocked|blocker|could not|couldn't|missing|미완료|미검증|미실행|실패|차단|누락|못했|못 했|안 했|안함|아직|남은)/i;
   return String(text || '')
     .split(/\n/)
@@ -923,6 +927,11 @@ function honestModeGapLines(text) {
 }
 function honestGapLineResolved(line) {
+  if (/(?:unverified|미검증)\s*:\s*\[\s*\]/i.test(line) && /blockers?\s*:\s*\[\s*\]/i.test(line)) return true;
+  if (/(?:^|[\s*-])(?:unverified|미검증|blockers?)\s*:\s*\[\s*\](?:\s*(?:[,.;]|$).*)?$/i.test(line)) return true;
+  if (/(?:미해결|남은)\s*(?:gap|갭|문제|항목)\s*:\s*(?:없음|없습니다|없다|0|0개)(?:\s|,|\.|$)/i.test(line)) return true;
+  if (/unresolved\s+gaps?\s+(?:for|in)[^:]*:\s*(?:none|no|0)\b/i.test(line)) return true;
+  if (/no\s+unresolved\s+gaps?\s+remain/i.test(line)) return true;
   if (/(남은\s*(?:gap|갭|문제)\s*:\s*없음|남은\s*(?:gap|갭|문제)\s*없음|remaining\s+gaps?\s*:\s*(none|no|0)|no\s+remaining\s+gaps?)/i.test(line)) return true;
   if (/no\s+active\s+blocking\s+route\s+gate\s+detected/i.test(line)) return true;
   if (/(non[-\s]?blocker|non[-\s]?blocking|not\s+(?:a\s+)?blocker|no\s+blocker|does\s+not\s+block|not\s+blocking|blocker\s*(?:는|가)?\s*(?:아님|아닙니다|없음)|차단(?:하지|하진|하지는)\s*않|막(?:지|지는)\s*않)/i.test(line)) return true;

package/src/core/pipeline.mjs CHANGED Viewed

@@ -18,6 +18,8 @@ import { writeQaLoopArtifacts } from './qa-loop.mjs';
 import { IMAGE_UX_REVIEW_GATE_ARTIFACT, IMAGE_UX_REVIEW_POLICY_ARTIFACT, IMAGE_UX_REVIEW_SCREEN_INVENTORY_ARTIFACT, IMAGE_UX_REVIEW_GENERATED_REVIEW_LEDGER_ARTIFACT, IMAGE_UX_REVIEW_ISSUE_LEDGER_ARTIFACT, IMAGE_UX_REVIEW_ITERATION_REPORT_ARTIFACT, IMAGE_UX_REVIEW_REQUIRED_GATE_FIELDS, writeImageUxReviewRouteArtifacts } from './image-ux-review.mjs';
 import { responseLanguageInstruction } from './language-preference.mjs';
 import { SPEED_LANE_POLICY } from './proof-field.mjs';
+import { validateRouteCompletionProof } from './proof/route-proof-gate.mjs';
+import { routeFromState, routeRequiresCompletionProof } from './proof/route-proof-policy.mjs';
 import { permissionGateSummary } from './permission-gates.mjs';
 import { CODEX_APP_IMAGE_GENERATION_DOC_URL, CODEX_COMPUTER_USE_EVIDENCE_SOURCE, CODEX_COMPUTER_USE_ONLY_POLICY, CODEX_IMAGEGEN_REQUIRED_POLICY, FROM_CHAT_IMG_CHECKLIST_ARTIFACT, FROM_CHAT_IMG_COVERAGE_ARTIFACT, FROM_CHAT_IMG_QA_LOOP_ARTIFACT, FROM_CHAT_IMG_TEMP_TRIWIKI_ARTIFACT, FROM_CHAT_IMG_TEMP_TRIWIKI_SESSIONS, SOLUTION_SCOUT_STAGE_ID, chatCaptureIntakeText, context7RequirementText, dollarCommand, evidenceMentionsForbiddenBrowserAutomation, getdesignReferencePolicyText, hasFromChatImgSignal, hasMadSksSignal, imageUxReviewPipelinePolicyText, looksLikeProblemSolvingRequest, noUnrequestedFallbackCodePolicyText, outcomeRubricPolicyText, pptPipelineAllowlistPolicyText, reflectionRequiredForRoute, reasoningInstruction, routeNeedsContext7, routePrompt, routeReasoning, routeRequiresSubagents, solutionScoutPolicyText, speedLanePolicyText, stripDollarCommand, stripMadSksSignal, stripVisibleDecisionAnswerBlocks, subagentExecutionPolicyText, stackCurrentDocsPolicyText, triwikiContextTracking, triwikiContextTrackingText, triwikiStagePolicyText } from './routes.mjs';
 import { TEAM_DECOMPOSITION_ARTIFACT, TEAM_GRAPH_ARTIFACT, TEAM_INBOX_DIR, TEAM_RUNTIME_TASKS_ARTIFACT, teamRuntimePlanMetadata, teamRuntimeRequiredArtifacts, validateTeamRuntimeArtifacts, writeTeamRuntimeArtifacts } from './team-dag.mjs';
@@ -1357,11 +1359,27 @@ export async function evaluateStop(root, state, payload, opts = {}) {
       return complianceBlock(root, state, `SKS ${state.route_command || state.mode} route cannot stop yet. Pass ${gate.file || state.stop_gate} or record a hard blocker with evidence before finishing.${missing}`, { gate: gate.file || state.stop_gate, missing: gate.missing });
     }
   }
+  const proofGate = await routeProofGateStatus(root, state);
+  if (!proofGate.ok) {
+    return complianceBlock(root, state, `SKS ${state.route_command || state.mode || 'route'} route cannot finalize without a valid Completion Proof. Missing or invalid proof issues: ${proofGate.issues.join(', ')}.`, { gate: 'completion-proof', missing: proofGate.issues });
+  }
   const reflection = await reflectionGateStatus(root, state);
   if (!reflection.ok) return complianceBlock(root, state, reflectionStopReason(state, reflection), { gate: 'reflection', missing: reflection.missing });
   return null;
 }
+async function routeProofGateStatus(root, state = {}) {
+  const route = routeFromState(state);
+  const required = state.proof_required === true || routeRequiresCompletionProof(route);
+  if (!required || !state?.mission_id) return { ok: true, required: false, issues: [] };
+  return validateRouteCompletionProof(root, {
+    missionId: state.mission_id,
+    route,
+    state,
+    visualClaim: state.visual_claim !== false
+  });
+}
 function clarificationGatePending(state = {}) {
   const phase = String(state.phase || '');
   return Boolean(state?.clarification_required && phase.includes('CLARIFICATION_AWAITING_ANSWERS'))

package/src/core/proof/evidence-collector.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import path from 'node:path';
 import { packageRoot, readJson, runProcess, which } from '../fsx.mjs';
+import { codexLbMetrics, readCodexLbCircuit } from '../codex-lb-circuit.mjs';
 import { imageVoxelSummary } from '../wiki-image/image-voxel-ledger.mjs';
 export async function collectProofEvidence(root = packageRoot()) {
@@ -10,6 +11,12 @@ export async function collectProofEvidence(root = packageRoot()) {
       status: 'present',
       schema: pack.schema || null,
       claims: pack.trust_summary?.claims || pack.wiki?.a?.length || 0
+    } : null).catch(() => null),
+    codex_lb: await readCodexLbCircuit(root).then((circuit) => codexLbMetrics(circuit)).catch(() => null),
+    db_safety: await readJson(path.join(root, '.sneakoscope', 'db-safety.json'), null).then((policy) => policy ? {
+      status: 'present',
+      mode: policy.mode || null,
+      destructive_operations: policy.destructive_operations || null
     } : null).catch(() => null)
   };
 }

package/src/core/proof/proof-reader.mjs CHANGED Viewed

@@ -17,3 +17,14 @@ export async function readLatestProofMarkdown(root = packageRoot()) {
   if (!await exists(file)) return '# SKS Completion Proof\n\nNo completion proof has been written yet.\n';
   return readText(file);
 }
+export async function readRouteProof(root = packageRoot(), missionId = null) {
+  if (missionId) {
+    const missionProof = path.join(root, '.sneakoscope', 'missions', missionId, 'completion-proof.json');
+    if (await exists(missionProof)) return readJson(missionProof);
+    return null;
+  }
+  const latest = path.join(proofDir(root), 'latest.json');
+  if (await exists(latest)) return readJson(latest);
+  return null;
+}

package/src/core/proof/proof-redaction.test-helper.mjs ADDED Viewed

@@ -0,0 +1,9 @@
+import { containsPlaintextSecret, redactSecrets } from '../secret-redaction.mjs';
+export function assertProofRedaction(value) {
+  const redacted = redactSecrets(value);
+  return {
+    ok: !containsPlaintextSecret(redacted),
+    redacted
+  };
+}