sneakoscope 0.9.17 → 0.9.19

package/README.md

@@ -2,20 +2,22 @@
 
 Fast legacy-free proof-first Codex trust layer with image-based Voxel TriWiki.
 
-Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable. `0.9.17` removes the old route command monolith, adds a read-only five-scout intake before serious route implementation, automatically seals serious route fixture paths with Completion Proof, binds visual/UI claims to Image Voxel TriWiki anchors and relations, and release-gates real command fixtures, route modularity, Rust fallback parity, and DB safety evidence.
+Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable. `0.9.19` binds real Scout engine output to structured `sks.scout-result.v1` evidence, keeps `pipeline-runtime.mjs` as a small compatibility facade, and release-gates packed npm/npx/global install behavior with explicit feature quality boundaries.
 
 ![Sneakoscope Codex architecture and pipeline](https://raw.githubusercontent.com/mandarange/Sneakoscope-Codex/dev/docs/assets/sneakoscope-architecture-pipeline.jpg)
 
-## 0.9.17 Current Release
+## 0.9.19 Current Release
 
-`0.9.17` completes the route modularity cleanup that started in 0.9.14. `src/core/commands/route-cli.mjs` is gone; every serious route now owns a focused command module, and release checks fail if the monolith returns or if command modules drift past their budget.
+0.9.19 makes SKS Scout evidence parse-bound and package-install verified. Real Codex/tmux/Codex App subagent engines must write parseable scout output before consensus can use them as primary evidence. If an engine is unavailable or output cannot be parsed, SKS records a blocked or verified-partial result instead of substituting static evidence. Packed package checks now cover temp install, npx one-shot, and global shim behavior.
 
 Highlights:
 
-- Serious route mock/fixture commands call `maybeFinalizeRoute`, so Team, QA-LOOP, Research, PPT, Image UX Review, Computer Use, DB, Wiki, and GX fixtures produce route-local `completion-proof.json` without a separate repair/finalize step.
-- Serious routes run or validate five read-only scouts for code surface, verification, safety/DB, visual/Voxel evidence, and simplification/integration before proof is written.
-- E2E route tests run actual route commands such as `sks team fixture --mock --json`, `sks qa-loop run <mission> --mock --json`, and `sks wiki image-ingest ... --json`.
-- Feature fixtures execute deterministic allowlisted commands and validate artifacts generated by those commands, including mission-local proof, visual ledgers, DB reports, and GX/Wiki evidence.
+- Real Scout outputs are parsed from pure JSON, fenced JSON, `SCOUT_RESULT_JSON:` markdown, or final JSON blocks into `sks.scout-result.v1`.
+- `scout-consensus.json` records whether primary evidence came from parsed real outputs or local static fixtures.
+- `tmux-lanes` has an opt-in session/window/watcher/cleanup path; release gates skip or block honestly when live tmux/Codex is unavailable.
+- Codex App subagents require a local `sks.codex-app-subagents-capability.v1` descriptor; `SKS_CODEX_APP_SUBAGENTS=1` alone is not enough.
+- `npm run release:check` includes `pipeline-runtime:check`, `feature-quality:check`, `scouts:parser-check`, and `blackbox:check`.
+- Feature fixtures report `runtime_verified`, `runtime_mock_verified`, `integration_optional`, `static_contract`, and `missing` counts.
 - `sks rust status|smoke --json` reports optional Rust availability, detects stale native binaries, and proves JS fallback parity when native Rust is missing or version-mismatched.
 - `npm run release:check` includes `route-modularity:check`, `command-budget:check`, and `feature-fixtures:strict`.
 
@@ -36,6 +38,9 @@ Learn more:
 - Image Voxel TriWiki: [docs/image-voxel-ledger.md](docs/image-voxel-ledger.md)
 - Route finalization: [docs/route-finalization.md](docs/route-finalization.md)
 - Feature fixtures: [docs/feature-fixtures.md](docs/feature-fixtures.md)
+- Scout engines: [docs/scout-engines.md](docs/scout-engines.md)
+- Hermetic E2E: [docs/testing-hermetic-e2e.md](docs/testing-hermetic-e2e.md)
+- Pipeline architecture: [docs/pipeline-architecture.md](docs/pipeline-architecture.md)
 - Rust accelerator: [docs/rust-accelerator.md](docs/rust-accelerator.md)
 - Codex App Hooks/PAT: [docs/hooks-pat.md](docs/hooks-pat.md)
 - codex-lb: [docs/codex-lb.md](docs/codex-lb.md)

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "0.9.17"
+version = "0.9.19"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "0.9.17"
+version = "0.9.19"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 0.9.17"),
+        Some("--version") => println!("sks-rs 0.9.19"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.17",
+  "version": "0.9.19",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -23,6 +23,9 @@
   "files": [
     "bin",
     "src",
+    "!src/core/pipeline/route-prep-*.mjs",
+    "!src/core/pipeline/prompt-context-*.mjs",
+    "!src/core/pipeline/stop-gate-*.mjs",
     "crates/sks-core/Cargo.lock",
     "crates/sks-core/Cargo.toml",
     "crates/sks-core/src",
@@ -43,24 +46,34 @@
     "legacy-free:check": "node ./scripts/check-legacy-free.mjs",
     "route-modularity:check": "node ./scripts/check-route-modularity.mjs",
     "command-budget:check": "node ./scripts/check-command-module-budget.mjs",
+    "pipeline-budget:check": "node ./scripts/check-pipeline-budget.mjs",
+    "pipeline-runtime:check": "node ./scripts/check-pipeline-runtime.mjs",
     "sizecheck": "node ./scripts/sizecheck.mjs",
     "registry:check": "node ./scripts/release-registry-check.mjs",
     "feature:check": "node ./bin/sks.mjs features check --json",
+    "feature-quality:check": "node ./scripts/check-feature-quality.mjs",
     "all-features:selftest": "node ./bin/sks.mjs all-features selftest --mock --json",
     "all-features:execute-fixtures": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --json",
-    "feature-fixtures:strict": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --json",
-    "scouts:selftest": "node ./bin/sks.mjs scouts run latest --mock --json",
-    "scouts:check": "node ./bin/sks.mjs scouts validate latest --json",
+    "feature-fixtures:strict": "node ./bin/sks.mjs all-features selftest --mock --execute-fixtures --strict-artifacts --hermetic --json",
+    "scout-engines:check": "node ./bin/sks.mjs scouts engines --json",
+    "scouts:parser-check": "node --test \"test/unit/scout-output-parser.test.mjs\"",
+    "scouts:selftest": "node ./bin/sks.mjs scouts run latest --engine local-static --mock --json",
+    "scouts:check": "node ./bin/sks.mjs scouts validate latest --strict --json",
     "perf:cold-start": "node ./bin/sks.mjs perf cold-start --json",
     "perf:gate": "node ./scripts/perf-gate.mjs",
     "test": "node --test \"test/**/*.test.mjs\"",
     "test:unit": "node --test \"test/unit/**/*.test.mjs\"",
     "test:integration:mock": "node --test \"test/integration/**/*.test.mjs\"",
     "test:e2e:mock": "node --test \"test/e2e/**/*.test.mjs\"",
+    "test:real-scouts": "node --test \"test/real/**/*.test.mjs\"",
+    "blackbox:pack-install": "node ./scripts/blackbox-pack-install.mjs",
+    "blackbox:npx": "node ./scripts/blackbox-npx-one-shot.mjs",
+    "blackbox:global-shim": "node ./scripts/blackbox-global-shim.mjs",
+    "blackbox:check": "npm run blackbox:pack-install && npm run blackbox:npx && npm run blackbox:global-shim",
     "rust:check": "cargo check --manifest-path crates/sks-core/Cargo.toml",
     "rust:smoke": "node ./scripts/rust-smoke.mjs",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run packcheck && npm run route-modularity:check && npm run command-budget:check && npm run feature:check && npm run all-features:selftest && npm run scouts:selftest && npm run scouts:check && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run sizecheck && npm run registry:check",
+    "release:check": "npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run route-modularity:check && npm run command-budget:check && npm run pipeline-budget:check && npm run pipeline-runtime:check && npm run packcheck && npm run feature:check && npm run feature-quality:check && npm run all-features:selftest && npm run scout-engines:check && npm run scouts:parser-check && npm run scouts:selftest && npm run scouts:check && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run blackbox:check && npm run sizecheck && npm run registry:check",
     "publish:dry": "npm run release:check && npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",
     "prepublishOnly": "npm run release:check && node ./scripts/release-registry-check.mjs --require-unpublished"

package/src/core/commands/command-utils.mjs

@@ -30,7 +30,7 @@ export function positionalArgs(args = []) {
     '--lines', '--intent', '--changed', '--route', '--skills', '--prompt-signature',
     '--mission-id', '--source', '--image-id', '--bbox', '--label', '--evidence',
     '--claim-id', '--type', '--before', '--after', '--anchors', '--verification',
-    '--status', '--scouts'
+    '--status', '--scouts', '--engine'
   ]);
   for (let i = 0; i < args.length; i += 1) {
     const arg = String(args[i]);

package/src/core/commands/ppt-command.mjs

@@ -81,7 +81,7 @@ function mockPptFixtureGate(gate = {}) {
 
 function fixtureAnswers() {
   return {
-    PRESENTATION_AUDIENCE_PROFILE: 'Release reviewer validating SKS 0.9.17 route evidence.',
+    PRESENTATION_AUDIENCE_PROFILE: 'Release reviewer validating SKS 0.9.18 route evidence.',
     PRESENTATION_STP_STRATEGY: 'Segment: developer tooling. Target: Codex trust-layer maintainers. Positioning: proof-first release readiness.',
     PRESENTATION_DELIVERY_CONTEXT: 'Mock release gate fixture.',
     PRESENTATION_PAINPOINT_SOLUTION_MAP: [

package/src/core/commands/scouts-command.mjs

@@ -1,15 +1,17 @@
 import path from 'node:path';
-import { exists, projectRoot, readJson, writeJsonAtomic } from '../fsx.mjs';
+import { ensureDir, exists, projectRoot, readJson, writeJsonAtomic } from '../fsx.mjs';
 import { createMission, loadMission, missionDir, setCurrent, stateFile } from '../mission.mjs';
 import { routePrompt } from '../routes.mjs';
 import { buildScoutTeamPlan, normalizeScoutPolicy, routeRequiresScoutIntake, scoutRouteLabel } from '../scouts/scout-plan.mjs';
 import { readScoutGateStatus, readScoutResults } from '../scouts/scout-gate.mjs';
 import { runFiveScoutIntake } from '../scouts/scout-runner.mjs';
 import { readScoutProofEvidence } from '../scouts/scout-proof-evidence.mjs';
+import { detectScoutEngines } from '../scouts/engines/scout-engine-detect.mjs';
+import { selectScoutEngine } from '../scouts/engines/scout-engine-policy.mjs';
 import { SCOUT_COUNT } from '../scouts/scout-schema.mjs';
 import { flag, readFlagValue, resolveMissionId } from './command-utils.mjs';
 
-const ACTIONS = new Set(['plan', 'run', 'status', 'consensus', 'handoff', 'validate', 'help', '--help', '-h']);
+const ACTIONS = new Set(['plan', 'run', 'status', 'consensus', 'handoff', 'validate', 'engines', 'bench', 'help', '--help', '-h']);
 
 export async function scoutsCommand(args = []) {
   const root = await projectRoot();
@@ -18,10 +20,19 @@ export async function scoutsCommand(args = []) {
   if (action === 'help' || action === '--help' || action === '-h') return scoutsHelp();
   const json = flag(actionArgs, '--json');
   const mock = flag(actionArgs, '--mock');
+  const strict = flag(actionArgs, '--strict');
+  const requestedEngine = readFlagValue(actionArgs, '--engine', 'auto');
+  const requireRealParallel = flag(actionArgs, '--require-real-parallel');
   const force = flag(actionArgs, '--force-scouts') || flag(actionArgs, '--force');
   const noScouts = flag(actionArgs, '--no-scouts');
   const missionArg = actionArgs.find((arg) => !String(arg).startsWith('--')) || 'latest';
-  const { id, dir, mission, created } = await resolveOrCreateScoutMission(root, missionArg, { mock, action });
+  if (action === 'engines') {
+    const result = await detectScoutEngines(root, {});
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    for (const engine of result.engines) console.log(`${engine.name}: ${engine.available ? 'available' : 'blocked'}${engine.reason ? ` (${engine.reason})` : ''}`);
+    return;
+  }
+  const { id, dir, mission, created } = await resolveOrCreateScoutMission(root, missionArg, { mock, action, strict });
   const context = await inferScoutContext(root, id, { route: readFlagValue(actionArgs, '--route', null), task: readFlagValue(actionArgs, '--task', null) });
   if (action === 'plan') {
     const parallelMode = flag(actionArgs, '--sequential') ? 'sequential_fallback' : 'parallel';
@@ -51,6 +62,8 @@ export async function scoutsCommand(args = []) {
       task: context.task,
       mode: mock ? 'mock' : 'manual',
       parallel: !flag(actionArgs, '--sequential'),
+      engine: requestedEngine,
+      requireRealParallel,
       mock
     });
     await setCurrent(root, {
@@ -75,6 +88,8 @@ export async function scoutsCommand(args = []) {
       route: context.route,
       scout_count: SCOUT_COUNT,
       completed_scouts: results.filter((row) => row.status === 'done').length,
+      engine: gate.gate?.engine || null,
+      real_parallel: gate.gate?.real_parallel === true,
       gate: gate.gate,
       missing: gate.missing
     };
@@ -112,13 +127,14 @@ export async function scoutsCommand(args = []) {
   }
   if (action === 'validate') {
     let gate = await readScoutGateStatus(root, id);
-    if (!gate.ok && !flag(actionArgs, '--strict')) {
+    if (!gate.ok && !strict) {
       const run = await runFiveScoutIntake(root, {
         missionId: id,
         route: context.route,
         task: context.task,
         mode: 'validate-fixture',
         parallel: true,
+        engine: 'local-static',
         mock: true
       });
       gate = { ok: run.gate?.passed === true, gate: run.gate, missing: run.gate?.blockers || [] };
@@ -136,13 +152,79 @@ export async function scoutsCommand(args = []) {
     console.log(`Scout validation: ${result.ok ? 'pass' : 'blocked'}`);
     return;
   }
+  if (action === 'bench') {
+    const selection = await selectScoutEngine(root, {
+      requested: requestedEngine,
+      requireRealParallel,
+      missionId: id,
+      route: context.route,
+      mock
+    });
+    const parallelRun = await runFiveScoutIntake(root, {
+      missionId: id,
+      route: context.route,
+      task: context.task,
+      mode: 'bench-parallel',
+      parallel: true,
+      engine: selection.selected,
+      requireRealParallel,
+      mock
+    });
+    const sequentialRun = await runFiveScoutIntake(root, {
+      missionId: id,
+      route: context.route,
+      task: context.task,
+      mode: 'bench-sequential',
+      parallel: false,
+      engine: 'sequential-fallback',
+      mock: true
+    });
+    const sequentialMs = Number(sequentialRun.performance?.duration_ms || 0);
+    const parallelMs = Number(parallelRun.performance?.duration_ms || 0);
+    const parsedRealOutputs = Number(parallelRun.consensus?.source_policy?.counts?.parsed_scout_output || 0);
+    const speedup = selection.real_parallel && parallelMs > 0 ? Number((sequentialMs / parallelMs).toFixed(2)) : null;
+    const claimAllowed = selection.real_parallel === true
+      && parsedRealOutputs === SCOUT_COUNT
+      && parallelRun.performance?.claim_allowed === true
+      && speedup > 1.1
+      && parallelRun.gate?.read_only_guard === true
+      && !parallelRun.gate?.blockers?.length;
+    const result = {
+      schema: 'sks.scout-benchmark.v2',
+      mission_id: id,
+      engine: selection.selected,
+      real_parallel: selection.real_parallel === true,
+      parsed_real_outputs: parsedRealOutputs,
+      sequential_ms: sequentialMs,
+      parallel_ms: parallelMs,
+      speedup,
+      claim_allowed: claimAllowed,
+      confidence: selection.real_parallel ? 'medium' : 'low',
+      read_only_guard: parallelRun.gate?.read_only_guard === true ? 'passed' : 'blocked',
+      notes: selection.real_parallel ? [] : ['mock/static benchmarks cannot claim real speedup']
+    };
+    await writeJsonAtomic(path.join(dir, 'scout-benchmark.json'), result);
+    const reportDir = path.join(root, '.sneakoscope', 'reports');
+    await ensureDir(reportDir);
+    await writeJsonAtomic(path.join(reportDir, 'scout-benchmark-summary.json'), {
+      schema: 'sks.scout-benchmark-summary.v1',
+      updated_at: new Date().toISOString(),
+      latest: result
+    });
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    console.log(`Scout benchmark: ${result.claim_allowed ? 'claim allowed' : 'claim not allowed'}`);
+    return;
+  }
 }
 
 async function resolveOrCreateScoutMission(root, missionArg, opts = {}) {
   const resolved = await resolveMissionId(root, missionArg);
   if (resolved) return { id: resolved, ...(await loadMission(root, resolved)), created: false };
+  if (opts.strict) {
+    throw new Error('No mission found for strict scout validation; strict mode never creates scout artifacts.');
+  }
   if (!opts.mock && opts.action !== 'validate' && opts.action !== 'run' && opts.action !== 'plan') {
-    throw new Error('No mission found. Use sks scouts run latest --mock --json to create a fixture mission.');
+    throw new Error('No mission found. Use sks scouts run latest --engine local-static --mock --json to create a fixture mission.');
   }
   const created = await createMission(root, { mode: 'scouts', prompt: 'Five Scout fixture intake' });
   return { id: created.id, dir: created.dir, mission: created.mission, created: true };
@@ -189,11 +271,15 @@ function scoutsHelp() {
 
 Usage:
   sks scouts plan latest --json
-  sks scouts run latest --mock --json
+  sks scouts run latest --engine auto --json
+  sks scouts run latest --engine local-static --mock --json
+  sks scouts run latest --require-real-parallel --json
   sks scouts status latest --json
+  sks scouts engines --json
+  sks scouts bench latest --engine local-static --mock --json
   sks scouts consensus latest --json
   sks scouts handoff latest
-  sks scouts validate latest --json
+  sks scouts validate latest --strict --json
 
 Alias:
   sks scout run latest --json

package/src/core/feature-fixture-runner.mjs

@@ -12,12 +12,14 @@ export function runFeatureFixture(feature, {
 } = {}) {
   const fixture = feature.fixture || {};
   const expected = normalizeExpectedArtifacts(fixture.expected_artifacts);
-  const latestBefore = latestMissionId(root);
-  const execution = execute && commandArgs ? executeCommand(root, commandArgs) : null;
-  const latestAfter = execution?.mission_id || latestMissionId(root) || latestBefore;
+  const useHermeticRoot = fixture.root_mode !== 'source_checkout_required' && (execute || validateArtifacts || fixture.kind === 'execute_and_validate_artifacts');
+  const projectRoot = useHermeticRoot ? prepareHermeticFixtureRoot(root, tempRoot) : root;
+  const latestBefore = latestMissionId(projectRoot);
+  const execution = execute && commandArgs ? executeCommand(root, projectRoot, commandArgs, fixture) : null;
+  const latestAfter = execution?.mission_id || latestMissionId(projectRoot) || latestBefore;
   const shouldValidateArtifacts = validateArtifacts && (fixture.kind === 'execute_and_validate_artifacts' || execution);
   const artifacts = shouldValidateArtifacts
-    ? expected.map((artifact) => inspectExpectedArtifact(root, tempRoot, artifact, { latestMissionId: latestAfter }))
+    ? expected.map((artifact) => inspectExpectedArtifact(projectRoot, tempRoot, artifact, { latestMissionId: latestAfter }))
     : expected.map((artifact) => ({ path: artifact.path, requested_path: artifact.path, schema: artifact.schema || inferSchema(artifact.path), exists: null, schema_ok: null, content_ok: null, skipped: 'contract_only' }));
   const artifactFailures = shouldValidateArtifacts
     ? artifacts.filter((artifact) => !artifact.exists || !artifact.schema_ok || !artifact.content_ok).map((artifact) => `${feature.id}:${artifact.path}:${artifact.failure || 'artifact_invalid'}`)
@@ -26,17 +28,20 @@ export function runFeatureFixture(feature, {
     id: feature.id,
     kind: fixture.kind || 'static',
     command: fixture.command || null,
-    temp_root: tempRoot,
+    temp_root: useHermeticRoot ? projectRoot : tempRoot,
+    root_mode: useHermeticRoot ? 'hermetic_temp_project' : 'source_checkout_required',
     latest_mission_id: latestAfter,
     executed: Boolean(execution),
     execution,
     expected_artifacts: artifacts,
     artifact_schema_validated: validateArtifacts,
-    ok: (!execution || execution.ok) && artifactFailures.length === 0 && !(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution),
+    no_plaintext_secrets: validateNoPlaintextSecrets(projectRoot),
+    ok: (!execution || execution.ok) && artifactFailures.length === 0 && validateNoPlaintextSecrets(projectRoot) && !(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution),
     failures: [
       ...(!fixture.command && fixture.status === 'pass' ? [`${feature.id}:fixture_command_missing`] : []),
       ...(validateArtifacts && fixture.kind === 'execute_and_validate_artifacts' && expected.length && !execution ? [`${feature.id}:command_not_executed_for_artifact_validation`] : []),
       ...(execution && !execution.ok ? [`${feature.id}:command_exit_${execution.status}`] : []),
+      ...(validateNoPlaintextSecrets(projectRoot) ? [] : [`${feature.id}:plaintext_secret_detected`]),
       ...artifactFailures
     ]
   };
@@ -52,12 +57,15 @@ export function writeFeatureFixtureReports(root, report) {
   return { json: jsonPath, md: mdPath };
 }
 
-function executeCommand(root, spec) {
+function executeCommand(sourceRoot, projectRoot, spec, fixture = {}) {
   const normalized = Array.isArray(spec) ? { command: spec } : spec;
-  const setup = normalized.setup || [];
-  const setupResults = setup.map((args) => spawnSks(root, args));
+  const setup = [
+    ...(fixture.root_mode === 'source_checkout_required' ? [] : [['setup', '--local-only', '--json']]),
+    ...(normalized.setup || [])
+  ];
+  const setupResults = setup.map((args) => spawnSks(sourceRoot, projectRoot, args));
   const command = normalized.command || normalized.args || [];
-  const result = command.length ? spawnSks(root, command) : { status: 0, signal: null, ok: true, stdout_bytes: 0, stderr_bytes: 0, args: [] };
+  const result = command.length ? spawnSks(sourceRoot, projectRoot, command) : { status: 0, signal: null, ok: true, stdout_bytes: 0, stderr_bytes: 0, args: [] };
   const missionId = result.mission_id || [...setupResults].reverse().find((row) => row.mission_id)?.mission_id || null;
   return {
     args: command,
@@ -71,9 +79,9 @@ function executeCommand(root, spec) {
   };
 }
 
-function spawnSks(root, args = []) {
-  const result = spawnSync(process.execPath, [path.join(root, 'bin', 'sks.mjs'), ...args], {
-    cwd: root,
+function spawnSks(sourceRoot, projectRoot, args = []) {
+  const result = spawnSync(process.execPath, [path.join(sourceRoot, 'bin', 'sks.mjs'), ...args], {
+    cwd: projectRoot,
     encoding: 'utf8',
     timeout: 30_000,
     env: { ...process.env, CI: 'true', SKS_SKIP_NPM_FRESHNESS_CHECK: '1' }
@@ -91,6 +99,26 @@ function spawnSks(root, args = []) {
   };
 }
 
+function prepareHermeticFixtureRoot(sourceRoot, tempRoot) {
+  fs.mkdirSync(tempRoot, { recursive: true });
+  const packageFile = path.join(tempRoot, 'package.json');
+  if (!fs.existsSync(packageFile)) {
+    fs.writeFileSync(packageFile, `${JSON.stringify({ name: 'sks-hermetic-fixture', private: true, version: '0.0.0' }, null, 2)}\n`);
+  }
+  const readme = path.join(tempRoot, 'README.md');
+  if (!fs.existsSync(readme)) fs.writeFileSync(readme, '# SKS Hermetic Fixture\n');
+  copyFixtureFile(sourceRoot, tempRoot, 'test/fixtures/images/one-by-one.png');
+  return tempRoot;
+}
+
+function copyFixtureFile(sourceRoot, tempRoot, rel) {
+  const src = path.join(sourceRoot, rel);
+  const dest = path.join(tempRoot, rel);
+  if (!fs.existsSync(src) || fs.existsSync(dest)) return;
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+  fs.copyFileSync(src, dest);
+}
+
 function parseJsonOutput(text = '') {
   const trimmed = String(text || '').trim();
   if (!trimmed) return null;
@@ -198,7 +226,7 @@ export function validateImageVoxelArtifact(file, { requireAnchors = true, requir
 }
 
 export function validateNoPlaintextSecrets(root) {
-  const secretPattern = /(sk-proj-|sk-clb-|github_pat_|CODEX_ACCESS_TOKEN|OPENAI_API_KEY)/;
+  const secretPattern = /(sk-proj-[A-Za-z0-9_-]{8,}|sk-clb-[A-Za-z0-9_-]{8,}|github_pat_[A-Za-z0-9_]{8,}|(?:CODEX_ACCESS_TOKEN|OPENAI_API_KEY)\s*[:=]\s*["']?(?:sk-[A-Za-z0-9_-]{8,}|[A-Za-z0-9_-]{32,}))/;
   const reportDir = path.join(root, '.sneakoscope');
   if (!fs.existsSync(reportDir)) return true;
   const stack = [reportDir];

package/src/core/feature-fixtures.mjs

@@ -1,4 +1,11 @@
 export const FEATURE_FIXTURE_SCHEMA = 'sks.feature-fixtures.v1';
+export const FEATURE_QUALITY_LEVELS = Object.freeze([
+  'runtime_verified',
+  'runtime_mock_verified',
+  'integration_optional',
+  'static_contract',
+  'missing'
+]);
 
 const FIXTURES = Object.freeze({
   'cli-help': fixture('static', 'sks help', [], 'pass'),
@@ -31,7 +38,7 @@ const FIXTURES = Object.freeze({
   'cli-hproof': fixture('mock', 'sks hproof check latest', ['completion-proof.json'], 'pass'),
   'cli-proof-field': fixture('static', 'sks proof-field scan --json --intent fixture', [], 'pass'),
   'cli-recallpulse': fixture('mock', 'sks recallpulse status latest --json', ['recallpulse-report.json'], 'pass'),
-  'cli-scouts': fixture('execute_and_validate_artifacts', 'sks scouts run latest --mock --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
+  'cli-scouts': fixture('execute_and_validate_artifacts', 'sks scouts run latest --engine local-static --mock --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json', 'scout-engine-result.json'], 'pass'),
   'cli-scout': fixture('mock', 'sks scout status latest --json', ['scout-gate.json'], 'pass'),
   'cli-gx': fixture('mock', 'sks gx validate fixture', ['gx-validation.json'], 'pass'),
   'cli-perf': fixture('static', 'sks perf cold-start --json --iterations 1', [], 'pass'),
@@ -53,8 +60,8 @@ const FIXTURES = Object.freeze({
   'route-image-ux-review': fixture('execute_and_validate_artifacts', 'sks image-ux-review fixture --mock --json', ['completion-proof.json', { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }, 'image-ux-generated-review-ledger.json'], 'pass'),
   'route-computer-use': fixture('execute_and_validate_artifacts', 'sks computer-use import-fixture --mock --json', ['computer-use-evidence-ledger.json', { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }, 'completion-proof.json'], 'pass'),
   'route-cu': fixture('mock', '$CU mock evidence ledger', ['computer-use-evidence-ledger.json', 'image-voxel-ledger.json', 'completion-proof.json'], 'pass'),
-  'route-dfix': fixture('static', '$DFix tiny edit route policy', ['completion-proof.json'], 'pass'),
-  'route-answer': fixture('static', '$Answer answer-only route policy', [], 'pass'),
+  'route-dfix': fixture('mock', '$DFix tiny edit route policy', ['completion-proof.json'], 'pass'),
+  'route-answer': fixture('mock', '$Answer answer-only route policy', [], 'pass'),
   'route-goal': fixture('mock', '$Goal bridge route', ['goal-workflow.json', 'completion-proof.json'], 'pass'),
   'route-autoresearch': fixture('mock', '$AutoResearch fixture route', ['research-gate.json', 'completion-proof.json'], 'pass'),
   'route-mad-sks': fixture('mock', '$MAD-SKS permission gate route', ['mad-sks-gate.json', 'completion-proof.json'], 'pass'),
@@ -63,25 +70,75 @@ const FIXTURES = Object.freeze({
   'route-db': fixture('execute_and_validate_artifacts', 'sks db check --sql "SELECT 1" --json', ['completion-proof.json', 'db-operation-report.json'], 'pass'),
   'route-wiki': fixture('execute_and_validate_artifacts', 'sks wiki image-ingest test/fixtures/images/one-by-one.png --json', [{ path: 'completion-proof.json', schema: 'sks.completion-proof.v1' }, { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }], 'pass'),
   'route-gx': fixture('execute_and_validate_artifacts', 'sks gx validate fixture --mock --json', ['completion-proof.json', { path: 'image-voxel-ledger.json', schema: 'sks.image-voxel-ledger.v1' }, 'gx-validation.json'], 'pass'),
-  'route-five-scout-intake': fixture('mock', 'sks scouts validate latest --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
+  'route-sks': fixture('mock', '$SKS control-surface route', ['completion-proof.json'], 'pass'),
+  'route-help': fixture('mock', '$Help lightweight route', [], 'pass'),
+  'route-commit': fixture('mock', '$Commit git route', ['completion-proof.json'], 'pass'),
+  'route-commit-and-push': fixture('mock', '$Commit-And-Push git route', ['completion-proof.json'], 'pass'),
+  'route-five-scout-intake': fixture('mock', 'sks scouts validate latest --strict --json', ['scout-team-plan.json', 'scout-consensus.json', 'scout-handoff.md', 'scout-gate.json'], 'pass'),
   'proof-scout-evidence': fixture('mock', 'sks team "fixture" --mock --json', ['completion-proof.json', 'scout-gate.json'], 'pass')
 });
 
+const STATIC_CONTRACT_FEATURES = new Set([
+  'cli-wizard',
+  'cli-bootstrap',
+  'cli-deps',
+  'cli-auth',
+  'cli-openclaw',
+  'cli-tmux',
+  'cli-mad',
+  'cli-auto-review',
+  'cli-commit',
+  'cli-commit-and-push',
+  'cli-context7',
+  'cli-all-features',
+  'cli-eval',
+  'cli-harness',
+  'cli-team',
+  'cli-reasoning',
+  'cli-profile',
+  'handler-$',
+  'handler-autoresearch',
+  'handler-autoreview',
+  'handler-computer-use',
+  'handler-cu',
+  'handler-dollars',
+  'handler-mad-sks',
+  'handler-postinstall'
+]);
+
 export function fixtureForFeature(featureId) {
-  return FIXTURES[featureId] || fixture('static', 'sks features check --json', [], 'pass');
+  if (FIXTURES[featureId]) return FIXTURES[featureId];
+  if (STATIC_CONTRACT_FEATURES.has(featureId)) {
+    return fixture('static', `explicit static contract fixture: ${featureId}`, [], 'pass', {
+      quality: 'static_contract',
+      root_mode: 'source_checkout_required'
+    });
+  }
+  if (String(featureId || '').startsWith('skill-')) {
+    return fixture('static', `skill contract: ${featureId}`, [], 'pass', { quality: 'static_contract', root_mode: 'source_checkout_required' });
+  }
+  return fixture('not_available', null, [], 'missing', {
+    quality: 'missing',
+    fallback_removed: true,
+    reason: 'No explicit fixture registered for this feature.'
+  });
 }
 
 export function fixtureSummary(features = []) {
   const counts = {};
+  const quality_counts = Object.fromEntries(FEATURE_QUALITY_LEVELS.map((level) => [level, 0]));
   const missing = [];
   for (const feature of features) {
     const status = feature.fixture?.status || 'missing';
     counts[status] = (counts[status] || 0) + 1;
+    const quality = feature.fixture?.quality || 'missing';
+    quality_counts[quality] = (quality_counts[quality] || 0) + 1;
     if (!feature.fixture) missing.push(feature.id);
   }
   return {
     schema: FEATURE_FIXTURE_SCHEMA,
     counts,
+    quality_counts,
     missing,
     ok: missing.length === 0 && !counts.missing
   };
@@ -96,6 +153,7 @@ export function validateFeatureFixtures(features = []) {
       continue;
     }
     if (!['contract', 'execute', 'execute_and_validate_artifacts', 'mock', 'static', 'real_optional', 'not_available'].includes(fx.kind)) blockers.push(`${feature.id}:fixture_kind`);
+    if (!FEATURE_QUALITY_LEVELS.includes(fx.quality)) blockers.push(`${feature.id}:fixture_quality`);
     if (!['pass', 'missing', 'blocked', 'not_required'].includes(fx.status)) blockers.push(`${feature.id}:fixture_status`);
     if ((fx.kind === 'mock' || fx.kind === 'static') && !fx.command && fx.status !== 'not_required') blockers.push(`${feature.id}:fixture_command`);
     if (!Array.isArray(fx.expected_artifacts)) blockers.push(`${feature.id}:fixture_expected_artifacts`);
@@ -103,6 +161,26 @@ export function validateFeatureFixtures(features = []) {
   return { ok: blockers.length === 0, blockers };
 }
 
-function fixture(kind, command, expected_artifacts, status) {
-  return { kind, command, expected_artifacts, status };
+function fixture(kind, command, expected_artifacts, status, extra = {}) {
+  const quality = extra.quality || qualityForKind(kind);
+  const rootMode = extra.root_mode || (kind === 'execute_and_validate_artifacts' || kind === 'execute' || kind === 'mock' ? 'hermetic_temp_project' : 'source_checkout_required');
+  return {
+    kind,
+    quality,
+    root_mode: rootMode,
+    command,
+    expected_artifacts,
+    status,
+    explicit: true,
+    fallback_removed: true,
+    ...extra
+  };
+}
+
+function qualityForKind(kind) {
+  if (kind === 'execute' || kind === 'execute_and_validate_artifacts') return 'runtime_verified';
+  if (kind === 'mock') return 'runtime_mock_verified';
+  if (kind === 'real_optional') return 'integration_optional';
+  if (kind === 'not_available') return 'missing';
+  return 'static_contract';
 }