sneakoscope 1.0.6 → 1.0.7

package/README.md

@@ -4,6 +4,8 @@ Fast legacy-free proof-first Codex trust layer with image-based Voxel TriWiki.
 
 Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable.
 
+SKS **1.0.7** is the Ultimate Final Completion seal for the Codex trust harness: Computer Use live evidence is an opt-in, local-only macOS evidence path with explicit `probe_only`, `live_capture_attempted`, `live_capture_success`, and `live_capture_blocked` modes; `codex-lb setup` reports durable persistence versus `process_only_ephemeral` honestly; and docs/release readiness checks block mock/probe/live overclaims.
+
 SKS **1.0.6** is the final precision polish for the Codex trust harness: hook compatibility is classified as upstream schema plus an SKS zero-warning strict subset, `sks codex-lb setup` previews and applies the exact choices the user selected, and Computer Use has an optional live smoke surface for macOS capability/evidence status.
 
 SKS **1.0.5** sealed the prior trust harness: hook outputs were validated against both vendored OpenAI Codex CLI `rust-v0.131.0` schemas and runtime semantic parser rules, codex-lb setup survived macOS user-session launches through env-file/Keychain/launchctl-aware repair surfaces, and Computer Use became the preferred macOS visual evidence capability when available.
@@ -20,8 +22,42 @@ Hybrid-free **`1.0.1`** already delivered the CLI entrypoint/router/registry/Tru
 
 SKS does not try to clone every other harness. It focuses on one thing: making Codex work auditable, visual-evidence-bound, safety-gated, and reproducible through Completion Proof.
 
-![Sneakoscope Codex architecture and pipeline](https://raw.githubusercontent.com/mandarange/Sneakoscope-Codex/dev/docs/assets/sneakoscope-architecture-pipeline.jpg)
+![Sneakoscope Codex Trust Layer](docs/assets/sneakoscope-architecture-pipeline.jpg)
+
+
+## 1.0.7 Ultimate Final Completion
+
+1.0.7 does not add a new route, skill, or competing harness. It closes the last trust gaps around live visual evidence, persistence truth, and release documentation.
+
+Computer Use live evidence stays optional and explicit:
+
+```bash
+sks computer-use smoke --json
+sks computer-use smoke --real --capture-screenshot --json
+sks computer-use smoke --real --require-real --json
+npm run computer-use:live-evidence
+```
+
+Default smoke is `probe_only` and never attempts screen capture. Real mode records `live_capture_attempted`, `live_capture_success`, or `live_capture_blocked`; if Codex App, macOS permission, or the official Computer Use capture surface is unavailable, SKS writes a structured blocker instead of fabricated evidence. Browser Use evidence and manual screenshots remain separate sources. Computer Use screenshots are local-only by default, carry SHA-256 metadata, and link to Image Voxel only when a mission-local anchor can be made.
+
+codex-lb setup now reports the exact persistence truth:
+
+```bash
+sks codex-lb setup --host lb.example.com --api-key-stdin --plan --json
+sks codex-lb setup --host lb.example.com --api-key-stdin --yes --no-env-file --no-keychain --no-launchctl --shell-profile skip --json
+npm run codex-lb:persistence-truth
+```
+
+Durable modes are `durable_env_file`, `durable_keychain`, `durable_launchctl`, and `shell_profile`. If all durable modes are disabled, setup is classified as `process_only_ephemeral`, emits `next_shell_requires_setup_or_env`, and warns that Codex App GUI launches may not see credentials. Use `sks codex-lb setup --write-env-file --keychain --launchctl` to recover durable persistence.
+
+Documentation truthfulness is now a release invariant:
+
+```bash
+npm run docs:truthfulness
+npm run release:readiness
+```
 
+The hook compatibility surface remains the upstream schema plus the SKS zero-warning strict subset; SKS does not claim to mirror every upstream runtime parser rule or guarantee universal Computer Use availability.
 
 ## 1.0.6 Final Precision Polish
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.0.6"
+version = "1.0.7"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.0.6"
+version = "1.0.7"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.0.6"),
+        Some("--version") => println!("sks-rs 1.0.7"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.0.6';
+const FAST_PACKAGE_VERSION = '1.0.7';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,6 +1,6 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "typescript": true,
   "mjs_runtime_files": 0,
   "files": [
@@ -286,6 +286,8 @@
     "core/commands/wiki-command.js",
     "core/commands/wrongness-command.d.ts",
     "core/commands/wrongness-command.js",
+    "core/computer-use-live-evidence.d.ts",
+    "core/computer-use-live-evidence.js",
     "core/computer-use-status.d.ts",
     "core/computer-use-status.js",
     "core/context7-client.d.ts",

package/dist/cli/install-helpers.d.ts

@@ -1,3 +1,4 @@
+import { type CodexLbPersistenceSummary } from '../core/codex-lb/codex-lb-setup.js';
 type CodexLbStatusSnapshot = Awaited<ReturnType<typeof codexLbStatus>>;
 /** Install-time shim reconciliation; fields vary by `status`. */
 export type SksPostinstallShimResult = {
@@ -59,6 +60,7 @@ export type ConfigureCodexLbResult = {
     plan?: Record<string, unknown>;
     applied_actions?: Array<Record<string, unknown>>;
     drift?: string[];
+    persistence?: CodexLbPersistenceSummary;
     config_path?: string;
     env_path?: string;
     metadata_path?: string;

package/dist/cli/install-helpers.js

@@ -12,7 +12,7 @@ import { codexLaunchCommand, platformTmuxInstallHint, tmuxReadiness, tmuxReadine
 import { reconcileCodexAppUpgradeProcesses } from '../core/codex-app.js';
 import { recordCodexLbHealthEvent } from '../core/codex-lb-circuit.js';
 import { loadCodexLbEnv, writeCodexLbKeychain, codexLbMetadataPath } from '../core/codex-lb/codex-lb-env.js';
-import { buildCodexLbSetupPlan, installCodexLbShellProfileSnippet } from '../core/codex-lb/codex-lb-setup.js';
+import { buildCodexLbSetupPlan, codexLbPersistenceSummary, installCodexLbShellProfileSnippet, selectedCodexLbPersistenceModes } from '../core/codex-lb/codex-lb-setup.js';
 const DEFAULT_CODEX_APP_PLUGINS = [
     ['browser', 'openai-bundled'],
     ['chrome', 'openai-bundled'],
@@ -324,6 +324,7 @@ export async function configureCodexLb(opts = {}) {
         run_health_check: opts.runHealth === true,
         allow_insecure_localhost: opts.allowInsecureHttp === true || opts.allowInsecureLocalhost === true
     };
+    const selectedPersistenceModes = selectedCodexLbPersistenceModes(setupAnswers);
     const plan = buildCodexLbSetupPlan(setupAnswers, {
         home,
         configPath,
@@ -341,6 +342,7 @@ export async function configureCodexLb(opts = {}) {
     const insecureLocalWarning = /^http:\/\//i.test(baseUrl) && !/^http:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::|\/|$)/i.test(baseUrl) && !opts.allowInsecureHttp
         ? ['codex-lb base URL uses http outside localhost; prefer https or pass an explicit allow flag in the calling surface.']
         : [];
+    const beforeState = await captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile });
     const appliedActions = [];
     await ensureDir(path.dirname(configPath));
     const current = await readText(configPath, '');
@@ -381,6 +383,7 @@ export async function configureCodexLb(opts = {}) {
     const authReconcile = await reconcileCodexLbAuthConflict({ ...opts, home, status: codexLb }).catch((err) => ({ status: 'failed', reason: 'exception', error: err.message }));
     const finalCodexLb = await codexLbStatus({ ...opts, home, configPath, envPath });
     const ok = Boolean(codexEnvironment.ok && codexLogin.ok);
+    const afterState = await captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile });
     const drift = detectCodexLbSetupDrift({
         useDefaultProvider,
         writeEnvFile,
@@ -391,21 +394,41 @@ export async function configureCodexLb(opts = {}) {
         envFile: finalCodexLb.env_file,
         keychain,
         codexEnvironment,
-        shellProfileResult
+        shellProfileResult,
+        beforeState,
+        afterState
     });
+    const appliedPersistenceModes = appliedCodexLbPersistenceModes({
+        writeEnvFile,
+        storeKeychain,
+        syncLaunchctl,
+        shellProfile,
+        envFile: finalCodexLb.env_file,
+        keychain,
+        codexEnvironment,
+        shellProfileResult,
+        apiKeySource: finalCodexLb.env_loader?.api_key?.source || null
+    });
+    const persistence = codexLbPersistenceSummary({
+        selectedModes: selectedPersistenceModes,
+        appliedModes: appliedPersistenceModes,
+        processOnly: appliedPersistenceModes.includes('process_only_ephemeral')
+    });
+    const warnings = [...insecureLocalWarning, ...persistence.warnings];
     return {
         ok: ok && drift.length === 0,
         status: ok && drift.length === 0 ? 'configured' : drift.length ? 'setup_choice_drift' : (codexEnvironment.status || codexLogin.status),
         plan: plan,
         applied_actions: appliedActions,
         drift,
+        persistence,
         config_path: configPath,
         env_path: envPath,
         metadata_path: metadataPath,
         base_url: baseUrl,
         env_key: 'CODEX_LB_API_KEY',
         keychain,
-        warnings: insecureLocalWarning,
+        warnings,
         auth_reconcile: authReconcile,
         codex_lb: finalCodexLb,
         codex_environment: codexEnvironment,
@@ -1339,7 +1362,9 @@ function detectCodexLbSetupDrift(state = {}) {
         drift.push('default_provider_selected_despite_no_default_provider');
     if (state.writeEnvFile && state.envFile !== true)
         drift.push('env_file_not_written');
-    if (!state.writeEnvFile && state.envFile === true)
+    if (!state.writeEnvFile && state.beforeState && state.afterState && state.beforeState.envHash !== state.afterState.envHash)
+        drift.push('env_file_changed_despite_no_env_file');
+    if (!state.writeEnvFile && !state.beforeState && state.envFile === true)
         drift.push('env_file_written_despite_no_env_file');
     if (!state.storeKeychain && state.keychain?.status && state.keychain.status !== 'skipped')
         drift.push('keychain_touched_despite_no_keychain');
@@ -1347,8 +1372,54 @@ function detectCodexLbSetupDrift(state = {}) {
         drift.push('launchctl_synced_despite_no_launchctl');
     if (state.shellProfile === 'skip' && state.shellProfileResult?.status === 'installed')
         drift.push('shell_profile_written_despite_skip');
+    if (state.shellProfile === 'skip' && state.beforeState && state.afterState && state.beforeState.profileHash !== state.afterState.profileHash)
+        drift.push('shell_profile_changed_despite_skip');
     return drift;
 }
+async function captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile } = {}) {
+    const profileFiles = profileFilesForDrift(home, shellProfile);
+    return {
+        configHash: await fileHashOrMissing(configPath),
+        envHash: await fileHashOrMissing(envPath),
+        profileHash: (await Promise.all(profileFiles.map((file) => fileHashOrMissing(file)))).join('|')
+    };
+}
+async function fileHashOrMissing(file) {
+    const text = await readText(file, null).catch(() => null);
+    return text === null ? 'missing' : await sha256Text(String(text));
+}
+function profileFilesForDrift(home, shellProfile) {
+    const targets = {
+        zsh: path.join(home, '.zshrc'),
+        bash: path.join(home, '.bashrc'),
+        fish: path.join(home, '.config', 'fish', 'config.fish')
+    };
+    if (shellProfile === 'zsh')
+        return [targets.zsh];
+    if (shellProfile === 'bash')
+        return [targets.bash];
+    if (shellProfile === 'fish')
+        return [targets.fish];
+    if (shellProfile === 'all')
+        return [targets.zsh, targets.bash, targets.fish];
+    return [targets.zsh, targets.bash, targets.fish];
+}
+function appliedCodexLbPersistenceModes(state = {}) {
+    const modes = [];
+    if (state.writeEnvFile && state.envFile === true)
+        modes.push('durable_env_file');
+    if (state.storeKeychain && state.keychain?.ok === true)
+        modes.push('durable_keychain');
+    if (state.syncLaunchctl && state.codexEnvironment?.launch_environment?.status === 'synced')
+        modes.push('durable_launchctl');
+    if (state.shellProfile !== 'skip' && state.shellProfileResult?.status === 'installed')
+        modes.push('shell_profile');
+    if (!modes.length && state.apiKeySource === 'process.env')
+        modes.push('process_only_ephemeral');
+    if (!modes.length)
+        modes.push('none');
+    return modes;
+}
 export async function ensureGlobalCodexFastModeDuringInstall(opts = {}) {
     if (process.env.SKS_SKIP_CODEX_FAST_MODE_REPAIR === '1')
         return { status: 'skipped', reason: 'SKS_SKIP_CODEX_FAST_MODE_REPAIR=1' };

package/dist/commands/codex-lb.js

@@ -6,7 +6,7 @@ import { flag, readOption } from '../cli/args.js';
 import { printJson } from '../cli/output.js';
 import { codexLbMetrics, readCodexLbCircuit, recordCodexLbHealthEvent, resetCodexLbCircuit, codexLbProofEvidence } from '../core/codex-lb-circuit.js';
 import { checkCodexLbResponseChain, codexLbStatus, configureCodexLb, formatCodexLbStatusText, releaseCodexLbAuthHold, repairCodexLbAuth, unselectCodexLbProvider } from '../cli/install-helpers.js';
-import { buildCodexLbSetupPlan, renderCodexLbSetupPlan } from '../core/codex-lb/codex-lb-setup.js';
+import { buildCodexLbSetupPlan, codexLbPersistenceSummary, renderCodexLbSetupPlan } from '../core/codex-lb/codex-lb-setup.js';
 export async function run(command, args = []) {
     const root = await projectRoot();
     const action = args[0] || 'status';
@@ -111,7 +111,7 @@ export async function run(command, args = []) {
             return;
         }
         if (flag(args, '--plan')) {
-            const result = { schema: 'sks.codex-lb-setup-plan-result.v1', ok: plan.blockers.length === 0, plan, writes: false };
+            const result = { schema: 'sks.codex-lb-setup-plan-result.v1', ok: plan.blockers.length === 0, plan, writes: false, expected_actions: plan.expected_actions, persistence: plan.persistence };
             if (flag(args, '--json'))
                 return printJson(result);
             process.stdout.write(renderCodexLbSetupPlan(plan));
@@ -119,6 +119,7 @@ export async function run(command, args = []) {
                 process.exitCode = 1;
             return;
         }
+        const processOnly = plan.persistence.effective_mode === 'process_only_ephemeral';
         if (options.interactive && !options.yes) {
             process.stdout.write(renderCodexLbSetupPlan(plan));
             const confirm = (await ask('Apply this codex-lb setup plan? [y/N] ')).trim();
@@ -130,6 +131,39 @@ export async function run(command, args = []) {
                 process.exitCode = 1;
                 return;
             }
+            if (processOnly) {
+                const confirmProcessOnly = (await ask('This setup keeps credentials only in the current process. Type process-only to continue: ')).trim();
+                if (confirmProcessOnly !== 'process-only') {
+                    const result = { schema: 'sks.codex-lb-setup.v1', ok: false, status: 'process_only_cancelled', plan, applied_actions: [], persistence: plan.persistence };
+                    if (flag(args, '--json')) {
+                        printJson(result);
+                        process.exitCode = 1;
+                        return;
+                    }
+                    console.log('codex-lb setup cancelled: process-only ephemeral setup was not confirmed.');
+                    process.exitCode = 1;
+                    return;
+                }
+            }
+        }
+        else if (processOnly && !options.yes) {
+            const result = {
+                schema: 'sks.codex-lb-setup.v1',
+                ok: false,
+                status: 'process_only_requires_yes',
+                plan,
+                applied_actions: [],
+                persistence: plan.persistence,
+                guidance: ['Pass --yes to acknowledge process_only_ephemeral setup, or enable --write-env-file, --keychain, --launchctl, or --shell-profile.']
+            };
+            if (flag(args, '--json')) {
+                printJson(result);
+                process.exitCode = 1;
+                return;
+            }
+            console.error('codex-lb setup would be process-only ephemeral. Pass --yes to acknowledge, or enable a durable persistence mode.');
+            process.exitCode = 1;
+            return;
         }
         const result = await configureCodexLb({
             host: options.host,
@@ -152,6 +186,8 @@ export async function run(command, args = []) {
         if (flag(args, '--json'))
             return printJson(shaped);
         console.log(`codex-lb configured: ${result.base_url || result.status}`);
+        if (shaped.persistence?.warning)
+            console.log(`warning: ${shaped.persistence.warning}`);
         if (!result.ok)
             process.exitCode = 1;
         return;
@@ -190,6 +226,18 @@ export async function run(command, args = []) {
     process.exitCode = 1;
 }
 function shapeCodexLbStatus(status = {}) {
+    const mode = status.env_loader?.api_key?.source === 'env-file'
+        ? 'durable_env_file'
+        : status.env_loader?.api_key?.source === 'keychain'
+            ? 'durable_keychain'
+            : status.env_loader?.api_key?.source === 'process.env'
+                ? 'process_only_ephemeral'
+                : 'none';
+    const persistence = codexLbPersistenceSummary({
+        selectedModes: mode === 'none' ? [] : [mode],
+        appliedModes: mode === 'none' ? ['none'] : [mode],
+        processOnly: mode === 'process_only_ephemeral'
+    });
     return {
         schema: 'sks.codex-lb-status.v1',
         ...status,
@@ -201,6 +249,7 @@ function shapeCodexLbStatus(status = {}) {
             source: status.env_loader?.api_key?.source || null,
             redacted: true
         },
+        persistence,
         env_loader: status.env_loader || null,
         env_auto_load: Boolean(status.env_file && status.env_key_configured),
         guidance: status.ok ? [] : [

package/dist/core/codex-lb/codex-lb-setup.d.ts

@@ -1,5 +1,6 @@
 export type CodexLbApiKeySource = 'hidden_prompt' | 'stdin' | 'cli_option' | 'keychain_existing';
 export type CodexLbShellProfileChoice = 'zsh' | 'bash' | 'fish' | 'all' | 'skip';
+export type CodexLbPersistenceMode = 'durable_env_file' | 'durable_keychain' | 'durable_launchctl' | 'shell_profile' | 'process_only_ephemeral' | 'none';
 export type CodexLbSetupActionType = 'write_config_provider' | 'select_default_provider' | 'write_env_file' | 'store_keychain' | 'sync_launchctl' | 'install_shell_profile_snippet' | 'run_health_check' | 'write_metadata';
 export interface CodexLbSetupAnswers {
     host_or_base_url: string;
@@ -22,9 +23,21 @@ export interface CodexLbSetupPlan {
     schema: 'sks.codex-lb-setup-plan.v1';
     base_url: string;
     actions: CodexLbSetupAction[];
+    expected_actions: CodexLbSetupAction[];
+    selected_persistence_modes: CodexLbPersistenceMode[];
+    persistence: CodexLbPersistenceSummary;
     redactions: string[];
+    warnings: string[];
     blockers: string[];
 }
+export interface CodexLbPersistenceSummary {
+    selected_modes: CodexLbPersistenceMode[];
+    applied_modes: CodexLbPersistenceMode[];
+    effective_mode: CodexLbPersistenceMode;
+    durable: boolean;
+    warning: string | null;
+    warnings: string[];
+}
 export declare function buildCodexLbSetupPlan(answers: CodexLbSetupAnswers, opts?: {
     home?: string;
     configPath?: string;
@@ -43,4 +56,10 @@ export declare function installCodexLbShellProfileSnippet(opts: {
     skipped?: boolean;
     reason?: string;
 }>;
+export declare function selectedCodexLbPersistenceModes(answers: Pick<CodexLbSetupAnswers, 'write_env_file' | 'store_keychain' | 'sync_launchctl' | 'install_shell_profile'>): CodexLbPersistenceMode[];
+export declare function codexLbPersistenceSummary({ selectedModes, appliedModes, processOnly }?: {
+    selectedModes?: CodexLbPersistenceMode[];
+    appliedModes?: CodexLbPersistenceMode[];
+    processOnly?: boolean;
+}): CodexLbPersistenceSummary;
 //# sourceMappingURL=codex-lb-setup.d.ts.map

package/dist/core/codex-lb/codex-lb-setup.js

@@ -35,11 +35,21 @@ export function buildCodexLbSetupPlan(answers, opts = {}) {
         actions.push({ type: 'run_health_check', target: 'codex-lb response chain', effect: 'run codex-lb health check after apply' });
     }
     actions.push({ type: 'write_metadata', target: metadataPath, effect: 'write redacted setup metadata and key fingerprint with chmod 0600' });
+    const selectedModes = selectedCodexLbPersistenceModes(answers);
+    const persistence = codexLbPersistenceSummary({
+        selectedModes,
+        appliedModes: selectedModes.length ? [] : ['process_only_ephemeral'],
+        processOnly: selectedModes.length === 0
+    });
     return {
         schema: 'sks.codex-lb-setup-plan.v1',
         base_url: baseUrl,
         actions,
+        expected_actions: actions,
+        selected_persistence_modes: selectedModes.length ? selectedModes : ['process_only_ephemeral'],
+        persistence,
         redactions: ['CODEX_LB_API_KEY', 'api_key', 'sk-*', 'sk-clb-*'],
+        warnings: persistence.warnings,
         blockers
     };
 }
@@ -51,6 +61,8 @@ export function renderCodexLbSetupPlan(plan) {
     ];
     for (const action of plan.actions)
         lines.push(`- ${action.type}: ${action.target} (${action.effect})`);
+    if (plan.persistence.warning)
+        lines.push(`warning: ${plan.persistence.warning}`);
     if (plan.blockers.length) {
         lines.push('blockers:');
         for (const blocker of plan.blockers)
@@ -74,6 +86,52 @@ export async function installCodexLbShellProfileSnippet(opts) {
     }
     return { ok: true, status: 'installed', files };
 }
+export function selectedCodexLbPersistenceModes(answers) {
+    const modes = [];
+    if (answers.write_env_file)
+        modes.push('durable_env_file');
+    if (answers.store_keychain)
+        modes.push('durable_keychain');
+    if (answers.sync_launchctl)
+        modes.push('durable_launchctl');
+    if (answers.install_shell_profile !== 'skip')
+        modes.push('shell_profile');
+    return modes;
+}
+export function codexLbPersistenceSummary({ selectedModes = [], appliedModes = [], processOnly = false } = {}) {
+    const selected = normalizePersistenceModes(selectedModes);
+    const applied = normalizePersistenceModes(appliedModes);
+    const effective = applied.find((mode) => mode !== 'process_only_ephemeral' && mode !== 'none')
+        || selected.find((mode) => mode !== 'process_only_ephemeral' && mode !== 'none')
+        || (processOnly || applied.includes('process_only_ephemeral') || selected.length === 0 ? 'process_only_ephemeral' : 'none');
+    const durable = ['durable_env_file', 'durable_keychain', 'durable_launchctl', 'shell_profile'].some((mode) => applied.includes(mode) || selected.includes(mode));
+    const warnings = effective === 'process_only_ephemeral'
+        ? [
+            'process_only_ephemeral',
+            'next_shell_requires_setup_or_env',
+            'Codex App GUI launch may not see credentials'
+        ]
+        : [];
+    return {
+        selected_modes: selected.length ? selected : ['process_only_ephemeral'],
+        applied_modes: applied.length ? applied : (effective === 'none' ? ['none'] : [effective]),
+        effective_mode: effective,
+        durable,
+        warning: warnings[0] || null,
+        warnings
+    };
+}
+function normalizePersistenceModes(modes = []) {
+    const allowed = new Set([
+        'durable_env_file',
+        'durable_keychain',
+        'durable_launchctl',
+        'shell_profile',
+        'process_only_ephemeral',
+        'none'
+    ]);
+    return [...new Set(modes.filter((mode) => allowed.has(mode)))];
+}
 function profileTargets(home, choice) {
     const targets = {
         zsh: path.join(home, '.zshrc'),

package/dist/core/commands/computer-use-command.js

@@ -1,10 +1,11 @@
 import path from 'node:path';
 import { nowIso, projectRoot, writeJsonAtomic } from '../fsx.js';
 import { createMission, findLatestMission } from '../mission.js';
-import { flag } from '../../cli/args.js';
+import { flag, readOption } from '../../cli/args.js';
 import { printJson } from '../../cli/output.js';
 import { maybeFinalizeRoute } from '../proof/auto-finalize.js';
 import { computerUseLiveSmoke, computerUseStatusReport } from '../computer-use-status.js';
+import { computerUseLiveEvidencePath } from '../computer-use-live-evidence.js';
 export async function computerUseCommand(command, args = []) {
     const root = await projectRoot();
     const action = args[0] || 'import';
@@ -21,18 +22,33 @@ export async function computerUseCommand(command, args = []) {
         return;
     }
     if (action === 'smoke') {
-        const evidencePath = path.join(root, '.sneakoscope', 'reports', 'computer-use-smoke-evidence.json');
+        const missionArg = readOption(args, '--mission', null);
+        const missionId = missionArg === 'latest' ? await findLatestMission(root) : missionArg;
+        const route = readOption(args, '--route', null);
+        const evidencePath = computerUseLiveEvidencePath(root, { missionId });
         const result = await computerUseLiveSmoke({
+            root,
             real: flag(args, '--real'),
             requireReal: flag(args, '--require-real'),
+            captureScreenshot: flag(args, '--capture-screenshot'),
             allowAction: flag(args, '--allow-action'),
+            route,
+            missionId,
             evidencePath
         });
         if (flag(args, '--json')) {
             printJson(result);
         }
         else {
-            console.log(`Computer Use smoke: ${result.status}`);
+            console.log(`Computer Use smoke: ${result.status} (${result.evidence_mode})`);
+            if (result.live_evidence_path)
+                console.log(`Live evidence: ${result.live_evidence_path}`);
+            if (result.blockers?.length)
+                for (const blocker of result.blockers)
+                    console.log(`- blocker: ${blocker}`);
+            if (result.warnings?.length)
+                for (const warning of result.warnings)
+                    console.log(`- warning: ${warning}`);
             if (result.guidance?.length)
                 for (const line of result.guidance)
                     console.log(`- ${line}`);

package/dist/core/computer-use-live-evidence.d.ts

@@ -0,0 +1,109 @@
+import type { ComputerUseStatus } from './computer-use-status.js';
+export type ComputerUseEvidenceMode = 'probe_only' | 'live_capture_attempted' | 'live_capture_success' | 'live_capture_blocked';
+export type ComputerUseCaptureStatus = 'not_attempted' | 'captured' | 'blocked' | 'failed' | 'redacted' | 'local_only';
+export interface ComputerUseLiveEvidence {
+    schema: 'sks.computer-use-live-evidence.v1';
+    generated_at: string;
+    route: string | null;
+    mission_id: string | null;
+    mode: ComputerUseEvidenceMode;
+    status: ComputerUseStatus;
+    platform: string;
+    mock: false;
+    capability: {
+        codex_app_installed: boolean;
+        capability_detected: boolean;
+        external_capability_blocked: boolean;
+        blocker: ComputerUseStatus | null;
+    };
+    capture: {
+        screenshot: {
+            attempted: boolean;
+            status: ComputerUseCaptureStatus;
+            path: string | null;
+            sha256: string | null;
+            redacted: boolean;
+            local_only: boolean;
+        };
+        action: {
+            attempted: boolean;
+            status: ComputerUseCaptureStatus;
+            actions: unknown[];
+            redacted: boolean;
+            local_only: boolean;
+        };
+    };
+    image_voxel: {
+        linked: boolean;
+        ledger_path: string | null;
+        anchor_ids: string[];
+        reason: string | null;
+    };
+    privacy: {
+        shared_triwiki_publish_allowed: false;
+        contains_screen_content: boolean;
+        redaction_required: boolean;
+    };
+    blockers: string[];
+    warnings: string[];
+}
+export interface ComputerUseScreenshotCaptureAdapter {
+    captureScreenshot: (opts: {
+        root: string;
+        route: string | null;
+        missionId: string | null;
+        outputPath: string;
+    }) => Promise<{
+        ok: boolean;
+        path?: string | null;
+        data?: Buffer | Uint8Array | string | null;
+        blocker?: string | null;
+        warning?: string | null;
+        redacted?: boolean;
+        localOnly?: boolean;
+    }>;
+}
+export interface CodexAppComputerUseCapabilityAdapter {
+    detect: () => Promise<{
+        codex_app_installed: boolean;
+        capability_detected: boolean;
+        external_capability_blocked?: boolean;
+        blocker?: ComputerUseStatus | null;
+    }>;
+}
+export interface BuildComputerUseLiveEvidenceOptions {
+    root?: string;
+    route?: string | null;
+    missionId?: string | null;
+    statusReport: Record<string, any>;
+    realOptIn?: boolean;
+    captureScreenshot?: boolean;
+    allowAction?: boolean;
+    screenshotAdapter?: ComputerUseScreenshotCaptureAdapter | null;
+    capabilityAdapter?: CodexAppComputerUseCapabilityAdapter | null;
+    evidencePath?: string | null;
+}
+export declare function computerUseLiveEvidencePath(root?: string, opts?: {
+    missionId?: string | null;
+}): string;
+export declare function readComputerUseLiveEvidence(root?: string, opts?: {
+    missionId?: string | null;
+    path?: string | null;
+}): Promise<{
+    ok: boolean;
+    path: string;
+    evidence: ComputerUseLiveEvidence;
+} | {
+    ok: boolean;
+    path: null;
+    evidence: null;
+}>;
+export declare function writeComputerUseLiveEvidence(file: string, evidence: ComputerUseLiveEvidence): Promise<{
+    ok: boolean;
+    path: string;
+    evidence: ComputerUseLiveEvidence;
+}>;
+export declare function buildComputerUseLiveEvidence(opts: BuildComputerUseLiveEvidenceOptions): Promise<ComputerUseLiveEvidence>;
+export declare function isComputerUseLiveEvidence(value: unknown): value is ComputerUseLiveEvidence;
+export declare function isComputerUseEvidenceMode(value: unknown): value is ComputerUseEvidenceMode;
+//# sourceMappingURL=computer-use-live-evidence.d.ts.map

package/dist/core/computer-use-live-evidence.js

@@ -0,0 +1,276 @@
+import fsp from 'node:fs/promises';
+import path from 'node:path';
+import { ensureDir, exists, nowIso, packageRoot, readJson, rel, sha256, writeJsonAtomic } from './fsx.js';
+import { addVisualAnchor, ingestImage, missionImageLedgerPath } from './wiki-image/image-voxel-ledger.js';
+export function computerUseLiveEvidencePath(root = packageRoot(), opts = {}) {
+    if (opts.missionId) {
+        return path.join(root, '.sneakoscope', 'missions', opts.missionId, 'computer-use-live-evidence.json');
+    }
+    return path.join(root, '.sneakoscope', 'reports', 'computer-use-live-evidence.json');
+}
+export async function readComputerUseLiveEvidence(root = packageRoot(), opts = {}) {
+    const candidates = [
+        opts.path || null,
+        opts.missionId ? computerUseLiveEvidencePath(root, { missionId: opts.missionId }) : null,
+        computerUseLiveEvidencePath(root)
+    ].filter(Boolean);
+    for (const file of candidates) {
+        const parsed = await readJson(file, null).catch(() => null);
+        if (isComputerUseLiveEvidence(parsed))
+            return { ok: true, path: file, evidence: parsed };
+    }
+    return { ok: false, path: null, evidence: null };
+}
+export async function writeComputerUseLiveEvidence(file, evidence) {
+    await ensureDir(path.dirname(file));
+    await writeJsonAtomic(file, evidence);
+    return { ok: true, path: file, evidence };
+}
+export async function buildComputerUseLiveEvidence(opts) {
+    const root = opts.root || packageRoot();
+    const status = normalizeComputerUseStatus(opts.statusReport?.status);
+    const realOptIn = opts.realOptIn === true;
+    const route = opts.route || null;
+    const missionId = opts.missionId || null;
+    const warnings = [];
+    const blockers = [];
+    const capability = await detectCapability(opts);
+    const platform = String(opts.statusReport?.platform || process.platform);
+    let mode = realOptIn && status !== 'not_macos' ? 'live_capture_attempted' : 'probe_only';
+    const evidence = {
+        schema: 'sks.computer-use-live-evidence.v1',
+        generated_at: nowIso(),
+        route,
+        mission_id: missionId,
+        mode,
+        status,
+        platform,
+        mock: false,
+        capability,
+        capture: {
+            screenshot: {
+                attempted: false,
+                status: 'not_attempted',
+                path: null,
+                sha256: null,
+                redacted: false,
+                local_only: true
+            },
+            action: {
+                attempted: false,
+                status: 'not_attempted',
+                actions: [],
+                redacted: false,
+                local_only: true
+            }
+        },
+        image_voxel: {
+            linked: false,
+            ledger_path: missionId ? rel(root, missionImageLedgerPath(root, missionId)) : null,
+            anchor_ids: [],
+            reason: null
+        },
+        privacy: {
+            shared_triwiki_publish_allowed: false,
+            contains_screen_content: false,
+            redaction_required: false
+        },
+        blockers,
+        warnings
+    };
+    if (!realOptIn) {
+        evidence.image_voxel.reason = 'probe_only_no_live_capture_attempted';
+        return evidence;
+    }
+    if (status === 'not_macos') {
+        blockers.push('not_macos');
+        evidence.mode = 'probe_only';
+        evidence.image_voxel.reason = 'not_macos';
+        return evidence;
+    }
+    if (status !== 'available') {
+        blockers.push(status);
+        evidence.mode = 'live_capture_blocked';
+        evidence.capture.screenshot.status = opts.captureScreenshot ? 'blocked' : 'not_attempted';
+        evidence.capture.screenshot.attempted = opts.captureScreenshot === true;
+        evidence.image_voxel.reason = status;
+        return evidence;
+    }
+    if (opts.captureScreenshot) {
+        await attemptScreenshotCapture(root, evidence, opts);
+    }
+    else {
+        evidence.image_voxel.reason = 'capture_screenshot_not_requested';
+    }
+    if (opts.allowAction) {
+        evidence.capture.action.attempted = true;
+        evidence.capture.action.status = 'blocked';
+        blockers.push('computer_use_action_adapter_missing');
+        warnings.push('Computer Use smoke never runs click/type actions without an official non-destructive Codex App adapter.');
+    }
+    if (evidence.capture.screenshot.status === 'captured') {
+        evidence.mode = 'live_capture_success';
+        evidence.privacy.contains_screen_content = true;
+    }
+    else if (blockers.length) {
+        evidence.mode = 'live_capture_blocked';
+    }
+    return evidence;
+}
+export function isComputerUseLiveEvidence(value) {
+    if (!value || typeof value !== 'object')
+        return false;
+    const evidence = value;
+    return evidence.schema === 'sks.computer-use-live-evidence.v1'
+        && isComputerUseEvidenceMode(evidence.mode)
+        && evidence.mock === false
+        && typeof evidence.capture === 'object'
+        && typeof evidence.privacy === 'object';
+}
+export function isComputerUseEvidenceMode(value) {
+    return value === 'probe_only'
+        || value === 'live_capture_attempted'
+        || value === 'live_capture_success'
+        || value === 'live_capture_blocked';
+}
+async function detectCapability(opts) {
+    if (opts.capabilityAdapter) {
+        const detected = await opts.capabilityAdapter.detect();
+        return {
+            codex_app_installed: Boolean(detected.codex_app_installed),
+            capability_detected: Boolean(detected.capability_detected),
+            external_capability_blocked: detected.external_capability_blocked === true,
+            blocker: detected.blocker || null
+        };
+    }
+    const status = normalizeComputerUseStatus(opts.statusReport?.status);
+    const installed = Boolean(opts.statusReport?.app?.app?.installed);
+    const available = status === 'available';
+    return {
+        codex_app_installed: installed,
+        capability_detected: available,
+        external_capability_blocked: status !== 'available',
+        blocker: available ? null : status
+    };
+}
+async function attemptScreenshotCapture(root, evidence, opts) {
+    evidence.capture.screenshot.attempted = true;
+    const outputPath = screenshotArtifactPath(root, opts);
+    const adapter = opts.screenshotAdapter || null;
+    if (!adapter) {
+        evidence.capture.screenshot.status = 'blocked';
+        evidence.blockers.push('codex_app_capability_missing');
+        evidence.warnings.push('Official Codex App Computer Use screenshot adapter is not exposed to this CLI process.');
+        evidence.image_voxel.reason = 'computer_use_capture_adapter_missing';
+        return;
+    }
+    try {
+        const result = await adapter.captureScreenshot({
+            root,
+            route: opts.route || null,
+            missionId: opts.missionId || null,
+            outputPath
+        });
+        if (!result.ok) {
+            evidence.capture.screenshot.status = 'blocked';
+            evidence.blockers.push(redactCaptureMessage(result.blocker || 'external_capability_blocked'));
+            if (result.warning)
+                evidence.warnings.push(redactCaptureMessage(result.warning));
+            evidence.image_voxel.reason = result.blocker || 'screenshot_capture_blocked';
+            return;
+        }
+        const capturedPath = await materializeScreenshot(result, outputPath);
+        const data = await fsp.readFile(capturedPath);
+        evidence.capture.screenshot.status = result.localOnly === false ? 'captured' : 'captured';
+        evidence.capture.screenshot.path = rel(root, capturedPath);
+        evidence.capture.screenshot.sha256 = sha256(data);
+        evidence.capture.screenshot.redacted = result.redacted === true;
+        evidence.capture.screenshot.local_only = result.localOnly !== false;
+        evidence.privacy.redaction_required = result.redacted === true;
+        await linkScreenshotToImageVoxel(root, evidence, capturedPath, opts);
+    }
+    catch (err) {
+        evidence.capture.screenshot.status = 'failed';
+        evidence.blockers.push('screenshot_capture_failed');
+        evidence.image_voxel.reason = redactCaptureMessage(err instanceof Error ? err.message : String(err));
+    }
+}
+async function materializeScreenshot(result, outputPath) {
+    if (result.path && await exists(result.path))
+        return path.resolve(result.path);
+    if (result.data === undefined || result.data === null)
+        throw new Error('screenshot_capture_returned_no_path_or_data');
+    await ensureDir(path.dirname(outputPath));
+    const bytes = typeof result.data === 'string' ? Buffer.from(result.data, 'base64') : Buffer.from(result.data);
+    await fsp.writeFile(outputPath, bytes);
+    return outputPath;
+}
+async function linkScreenshotToImageVoxel(root, evidence, screenshotPath, opts) {
+    if (!opts.missionId) {
+        evidence.image_voxel.reason = 'mission_id_missing';
+        return;
+    }
+    if (!evidence.capture.screenshot.sha256) {
+        evidence.image_voxel.reason = 'screenshot_sha256_missing';
+        return;
+    }
+    const relative = rel(root, screenshotPath);
+    if (relative.startsWith('..')) {
+        evidence.image_voxel.reason = 'screenshot_path_outside_project';
+        return;
+    }
+    try {
+        const imageId = evidence.capture.screenshot.sha256;
+        const ingested = await ingestImage(root, relative, {
+            missionId: opts.missionId,
+            source: 'computer_use_live_screenshot',
+            id: imageId,
+            capturedAt: evidence.generated_at
+        });
+        const image = ingested.image;
+        const anchorId = `computer-use-${imageId.slice(0, 16)}-screen`;
+        const anchor = await addVisualAnchor(root, {
+            id: anchorId,
+            missionId: opts.missionId,
+            imageId,
+            bbox: [0, 0, image.width || 1, image.height || 1],
+            label: 'Computer Use live screenshot',
+            source: 'computer_use_live_screenshot',
+            evidencePath: relative,
+            route: opts.route || '$Computer-Use',
+            trustScore: 0.86
+        });
+        evidence.image_voxel.linked = Boolean(anchor.ok);
+        evidence.image_voxel.ledger_path = rel(root, missionImageLedgerPath(root, opts.missionId));
+        evidence.image_voxel.anchor_ids = anchor.ok ? [anchorId] : [];
+        evidence.image_voxel.reason = anchor.ok ? null : (anchor.validation?.issues || ['image_voxel_anchor_failed']).join(',');
+    }
+    catch (err) {
+        evidence.image_voxel.reason = redactCaptureMessage(err instanceof Error ? err.message : String(err));
+    }
+}
+function screenshotArtifactPath(root, opts) {
+    if (opts.missionId) {
+        return path.join(root, '.sneakoscope', 'missions', opts.missionId, 'computer-use-live-screenshot.png');
+    }
+    return path.join(root, '.sneakoscope', 'reports', 'computer-use-live-screenshot.png');
+}
+function normalizeComputerUseStatus(value) {
+    const allowed = [
+        'available',
+        'codex_app_missing',
+        'macos_permission_missing',
+        'codex_app_capability_missing',
+        'external_capability_blocked',
+        'not_macos',
+        'unknown'
+    ];
+    return allowed.includes(value) ? value : 'unknown';
+}
+function redactCaptureMessage(value) {
+    return String(value || 'unknown')
+        .replace(/sk-[A-Za-z0-9_-]+/g, '[redacted]')
+        .replace(/CODEX_LB_API_KEY=([^\s]+)/g, 'CODEX_LB_API_KEY=[redacted]')
+        .slice(0, 500);
+}
+//# sourceMappingURL=computer-use-live-evidence.js.map

package/dist/core/computer-use-status.d.ts

@@ -1,3 +1,4 @@
+export type { ComputerUseCaptureStatus, ComputerUseEvidenceMode, ComputerUseLiveEvidence } from './computer-use-live-evidence.js';
 export type ComputerUseStatus = 'available' | 'codex_app_missing' | 'macos_permission_missing' | 'codex_app_capability_missing' | 'external_capability_blocked' | 'not_macos' | 'unknown';
 export declare function computerUseStatusReport(opts?: any): Promise<any>;
 export declare function computerUseEvidenceSkeleton(status?: ComputerUseStatus): {
@@ -11,7 +12,8 @@ export declare function computerUseEvidenceSkeleton(status?: ComputerUseStatus):
 export declare function computerUseLiveSmoke(opts?: any): Promise<{
     schema: string;
     ok: boolean;
-    mode: string;
+    mode: import("./computer-use-live-evidence.js").ComputerUseEvidenceMode;
+    evidence_mode: import("./computer-use-live-evidence.js").ComputerUseEvidenceMode;
     status: any;
     platform: any;
     codex_app: {
@@ -22,12 +24,17 @@ export declare function computerUseLiveSmoke(opts?: any): Promise<{
         screen_recording: any;
         accessibility: string;
     };
+    live_evidence_path: any;
+    image_voxel_linked: boolean;
+    blockers: string[];
+    warnings: string[];
     evidence: {
         screenshot_captured: boolean;
         action_captured: boolean;
         image_voxel_linked: boolean;
         evidence_path: any;
     };
+    live_evidence: import("./computer-use-live-evidence.js").ComputerUseLiveEvidence | null;
     external_capability_blocked: boolean;
     mock: boolean;
     guidance: any;

package/dist/core/computer-use-status.js

@@ -1,4 +1,5 @@
 import { codexAppIntegrationStatus } from './codex-app.js';
+import { buildComputerUseLiveEvidence, computerUseLiveEvidencePath, writeComputerUseLiveEvidence } from './computer-use-live-evidence.js';
 export async function computerUseStatusReport(opts = {}) {
     if (process.platform !== 'darwin' && !opts.forceMacos) {
         return baseReport('not_macos', {
@@ -54,47 +55,65 @@ export function computerUseEvidenceSkeleton(status = 'unknown') {
 export async function computerUseLiveSmoke(opts = {}) {
     const realOptIn = opts.real === true || process.env.SKS_TEST_REAL_COMPUTER_USE === '1';
     const requireReal = opts.requireReal === true;
+    const captureScreenshot = opts.captureScreenshot === true || requireReal;
     const status = await computerUseStatusReport(opts);
-    const available = status.status === 'available';
-    const realAllowed = realOptIn && available;
-    const evidencePath = opts.evidencePath || null;
+    const root = opts.root || process.cwd();
+    const evidencePath = opts.evidencePath || (realOptIn ? computerUseLiveEvidencePath(root, { missionId: opts.missionId || null }) : null);
+    const liveEvidence = realOptIn
+        ? await buildComputerUseLiveEvidence({
+            root,
+            route: opts.route || null,
+            missionId: opts.missionId || null,
+            statusReport: status,
+            realOptIn,
+            captureScreenshot,
+            allowAction: opts.allowAction === true,
+            screenshotAdapter: opts.screenshotAdapter || null,
+            capabilityAdapter: opts.capabilityAdapter || null,
+            evidencePath
+        })
+        : null;
+    if (liveEvidence && evidencePath)
+        await writeComputerUseLiveEvidence(evidencePath, liveEvidence);
+    const evidenceMode = liveEvidence?.mode || 'probe_only';
+    const liveCaptureSuccess = evidenceMode === 'live_capture_success';
+    const blockers = [...(liveEvidence?.blockers || [])];
+    if (!realOptIn && status.status === 'not_macos')
+        blockers.push('not_macos');
+    const warnings = [...(liveEvidence?.warnings || [])];
+    const ok = requireReal ? liveCaptureSuccess : true;
     const smoke = {
-        schema: 'sks.computer-use-live-smoke.v1',
-        ok: realAllowed || !requireReal,
-        mode: realOptIn ? 'optional_real' : 'optional_probe',
+        schema: 'sks.computer-use-live-smoke.v2',
+        ok,
+        mode: evidenceMode,
+        evidence_mode: evidenceMode,
         status: status.status,
         platform: status.platform || process.platform,
         codex_app: {
             installed: Boolean(status.app?.app?.installed),
-            capability_detected: available
+            capability_detected: status.status === 'available'
         },
         permission: {
             screen_recording: status.permission_status || 'unknown',
             accessibility: 'unknown'
         },
+        live_evidence_path: liveEvidence && evidencePath ? evidencePath : null,
+        image_voxel_linked: liveEvidence?.image_voxel?.linked === true,
+        blockers,
+        warnings,
         evidence: {
-            screenshot_captured: false,
-            action_captured: false,
-            image_voxel_linked: false,
-            evidence_path: evidencePath
+            screenshot_captured: liveEvidence?.capture?.screenshot?.status === 'captured',
+            action_captured: liveEvidence?.capture?.action?.status === 'captured',
+            image_voxel_linked: liveEvidence?.image_voxel?.linked === true,
+            evidence_path: liveEvidence && evidencePath ? evidencePath : null
         },
+        live_evidence: liveEvidence,
         external_capability_blocked: status.external_capability_blocked === true || ['codex_app_missing', 'macos_permission_missing', 'codex_app_capability_missing', 'unknown'].includes(status.status),
         mock: false,
-        guidance: realAllowed
-            ? ['Computer Use capability appears available. Capture screenshots through official Codex Computer Use in the active route; SKS smoke does not synthesize evidence.']
+        guidance: status.status === 'available' && realOptIn
+            ? ['Computer Use capability appears available. SKS records only official, local-only live evidence and does not synthesize screenshots.']
             : status.guidance || []
     };
-    if (available && realOptIn && evidencePath) {
-        const { writeJsonAtomic } = await import('./fsx.js');
-        await writeJsonAtomic(evidencePath, smoke);
-        return {
-            ...smoke,
-            evidence: {
-                ...smoke.evidence,
-                evidence_path: evidencePath
-            }
-        };
-    }
     return smoke;
 }
 function baseReport(status, extra = {}) {

package/dist/core/evidence/evidence-router.js

@@ -51,6 +51,7 @@ export async function evidenceCandidatesForProof(root, proof = {}, opts = {}) {
     addDbCandidates(candidates, proof.evidence?.db || proof.evidence?.db_safety, missionId);
     addTestCandidates(candidates, proof.evidence?.tests, missionId);
     addWrongnessCandidates(candidates, proof.evidence?.wrongness, missionId);
+    addComputerUseCandidates(candidates, proof.evidence?.computer_use, missionId);
     if (missionId && routeRequiresImageVoxelAnchors(route)) {
         candidates.push({ kind: 'image_voxel', relPath: `.sneakoscope/missions/${missionId}/image-voxel-ledger.json`, source: proof.evidence?.image_voxels?.mock ? 'mock' : sourceForProof(proof) });
     }
@@ -140,6 +141,13 @@ function addWrongnessCandidates(candidates, wrongness = null, missionId = null)
     if (missionId)
         candidates.push({ kind: 'image_wrongness', relPath: `.sneakoscope/missions/${missionId}/image-wrongness-ledger.json`, source: 'real', optional: true, ignoreStale: true });
 }
+function addComputerUseCandidates(candidates, computerUse = null, missionId = null) {
+    const relPath = computerUse?.live_evidence_path || computerUse?.live_evidence?.path || null;
+    if (relPath)
+        candidates.push({ kind: 'computer_use', relPath: normalizeRelPath(relPath, missionId), source: 'real', ignoreStale: true });
+    else if (missionId)
+        candidates.push({ kind: 'computer_use', relPath: `.sneakoscope/missions/${missionId}/computer-use-live-evidence.json`, source: 'blocked', optional: true, ignoreStale: true });
+}
 function uniqueCandidates(candidates) {
     const seen = new Set();
     const out = [];
@@ -200,6 +208,8 @@ function inferKind(relPath = '') {
         return 'wrongness';
     if (/image-voxel-ledger\.json$|visual-anchors\.json$|image-assets\.json$/.test(relPath))
         return 'image_voxel';
+    if (/computer-use-live-evidence\.json$|computer-use.*evidence/.test(relPath))
+        return 'computer_use';
     if (/scout/.test(relPath))
         return 'scout';
     if (/db/.test(relPath))

package/dist/core/fsx.d.ts

@@ -1,4 +1,4 @@
-export declare const PACKAGE_VERSION = "1.0.6";
+export declare const PACKAGE_VERSION = "1.0.7";
 export declare const DEFAULT_PROCESS_TAIL_BYTES: number;
 export declare const DEFAULT_PROCESS_TIMEOUT_MS: number;
 export interface RunProcessOptions {

package/dist/core/fsx.js

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
-export const PACKAGE_VERSION = '1.0.6';
+export const PACKAGE_VERSION = '1.0.7';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;
 export function nowIso() {

package/dist/core/proof/route-finalizer.js

@@ -5,6 +5,7 @@ import { ensureRouteImageEvidence } from '../wiki-image/route-image-evidence.js'
 import { readScoutProofEvidence } from '../scouts/scout-proof-evidence.js';
 import { wrongnessProofEvidence } from '../triwiki-wrongness/wrongness-proof-linker.js';
 import { computerUseStatusReport } from '../computer-use-status.js';
+import { readComputerUseLiveEvidence } from '../computer-use-live-evidence.js';
 export async function finalizeRouteWithProof(root, { missionId, route, gateFile = null, gate = null, artifacts = [], visualEvidence = null, dbEvidence = null, testEvidence = null, commandEvidence = null, claims = [], unverified = [], blockers = [], statusHint = 'verified_partial', strict = false, mock = false, fixClaim = false, requireRelation = false, visualClaim = undefined } = {}) {
     const policy = routeFinalizerPolicy(route, { strict, fixClaim, requireRelation, visualClaim });
     const localBlockers = [...blockers];
@@ -27,13 +28,33 @@ export async function finalizeRouteWithProof(root, { missionId, route, gateFile
     const computerUse = policy.requires_image_voxel_anchors
         ? await computerUseStatusReport().catch((err) => ({ schema: 'sks.computer-use-status.v1', status: 'unknown', ok: false, guidance: [err.message], evidence: { status: 'unknown' } }))
         : null;
+    const computerUseLive = policy.requires_image_voxel_anchors
+        ? await readComputerUseLiveEvidence(root, { missionId }).catch(() => ({ ok: false, path: null, evidence: null }))
+        : null;
     if (computerUse && computerUse.status !== 'available') {
         unverified.push(`Computer Use evidence unavailable: ${computerUse.status}. Visual claim remains verified_partial unless explicit screenshot/image evidence covers it.`);
     }
+    if (computerUse && !computerUseLive?.evidence) {
+        unverified.push('Computer Use live evidence is missing for this visual route; high-confidence visual claims require live evidence or explicit screenshot/image coverage.');
+        if (strict)
+            localBlockers.push('computer_use_live_evidence_missing');
+    }
+    if (computerUseLive?.evidence?.mode === 'probe_only') {
+        unverified.push('Computer Use evidence mode is probe_only; visual claim confidence is capped below high confidence.');
+    }
+    if (computerUseLive?.evidence?.mode === 'live_capture_blocked') {
+        unverified.push(`Computer Use live capture blocked: ${(computerUseLive.evidence.blockers || []).join(',') || computerUseLive.evidence.status}.`);
+    }
+    if (computerUseLive?.evidence && computerUseLive.evidence.image_voxel?.linked !== true && statusHint === 'verified') {
+        unverified.push(`Computer Use live evidence is not linked to Image Voxel: ${computerUseLive.evidence.image_voxel?.reason || 'missing_relation'}.`);
+    }
     if (Number(wrongnessEvidence?.high_severity_active || 0) > 0) {
         localBlockers.push('active_high_severity_wrongness');
     }
-    const visualComputerUseDowngrade = Boolean(computerUse && computerUse.status !== 'available' && statusHint === 'verified');
+    const visualComputerUseDowngrade = Boolean(statusHint === 'verified' && ((computerUse && computerUse.status !== 'available')
+        || !computerUseLive?.evidence
+        || computerUseLive.evidence.mode !== 'live_capture_success'
+        || computerUseLive.evidence.image_voxel?.linked !== true));
     const status = localBlockers.length
         ? (strict ? 'blocked' : statusHint === 'verified' ? 'verified_partial' : statusHint)
         : visualComputerUseDowngrade ? 'verified_partial'
@@ -61,7 +82,11 @@ export async function finalizeRouteWithProof(root, { missionId, route, gateFile
                 ok: Boolean(computerUse.ok),
                 mad_sks_independent: computerUse.mad_sks_independent === true,
                 external_capability_blocked: computerUse.external_capability_blocked === true,
-                evidence: computerUse.evidence || null
+                evidence_mode: computerUseLive?.evidence?.mode || 'missing',
+                live_evidence_path: computerUseLive?.path || null,
+                image_voxel_linked: computerUseLive?.evidence?.image_voxel?.linked === true,
+                evidence: computerUse.evidence || null,
+                live_evidence: computerUseLive?.evidence || null
             } } : {}),
         route_gate: gate || (gateFile ? { source: gateFile } : null)
     };

package/dist/core/version.d.ts

@@ -1,2 +1,2 @@
-export declare const PACKAGE_VERSION = "1.0.6";
+export declare const PACKAGE_VERSION = "1.0.7";
 //# sourceMappingURL=version.d.ts.map

package/dist/core/version.js

@@ -1,2 +1,2 @@
-export const PACKAGE_VERSION = '1.0.6';
+export const PACKAGE_VERSION = '1.0.7';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",
@@ -101,12 +101,16 @@
     "hooks:strict-subset-check": "node ./scripts/codex-hook-strict-subset-check.mjs",
     "codex-lb:setup-fixture": "node ./scripts/codex-lb-setup-fixture-check.mjs",
     "codex-lb:setup-truthfulness": "node ./scripts/codex-lb-setup-truthfulness-check.mjs",
+    "codex-lb:persistence-truth": "node ./scripts/codex-lb-persistence-truth-check.mjs",
     "codex-lb:missing-env-regression": "node ./scripts/codex-lb-missing-env-regression.mjs",
     "computer-use:policy-check": "node ./scripts/computer-use-policy-check.mjs",
     "computer-use:visual-route-fixture": "node ./scripts/computer-use-visual-route-fixture-check.mjs",
     "computer-use:live-optional": "node ./scripts/computer-use-live-optional-check.mjs",
+    "computer-use:live-evidence": "node ./scripts/computer-use-live-evidence-check.mjs",
+    "docs:truthfulness": "node ./scripts/docs-truthfulness-check.mjs",
+    "release:readiness": "node ./scripts/release-readiness-report.mjs",
     "coverage": "node --experimental-test-coverage --test \"test/**/*.test.mjs\"",
-    "release:check": "npm run typecheck:suppressions && npm run build && npm run typecheck && npm run typecheck:contracts && npm run test:types && npm run schema:check && npm run dist:check && npm run codex:compat && npm run hooks:codex-validate && npm run hooks:warning-check && npm run hooks:semantic-check && npm run hooks:strict-subset-check && npm run codex-lb:setup-fixture && npm run codex-lb:setup-truthfulness && npm run codex-lb:missing-env-regression && npm run computer-use:policy-check && npm run computer-use:visual-route-fixture && npm run computer-use:live-optional && npm run package-boundary:check && npm run blackbox:command-import-smoke && npm run test:blackbox && npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run architecture:check && npm run route-modularity:check && npm run command-budget:check && npm run pipeline-budget:check && npm run pipeline-runtime:check && npm run packcheck && npm run feature:check && npm run feature-quality:check && npm run all-features:selftest && npm run scout-engines:check && npm run scouts:parser-check && npm run scouts:selftest && npm run scouts:check && npm run trust:check && npm run wrongness:fixtures && npm run wrongness:check && npm run git-hygiene:check && npm run git-precommit:fixture && npm run shared-memory:check && npm run git-collaboration:e2e && npm run evidence:check && npm run safety:check && npm run chaos:check && npm run bench:core && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run blackbox:matrix && npm run blackbox:check && npm run sizecheck && npm run registry:check && npm run typescript:migration-report && node ./scripts/release-check-stamp.mjs write",
+    "release:check": "npm run typecheck:suppressions && npm run build && npm run typecheck && npm run typecheck:contracts && npm run test:types && npm run schema:check && npm run dist:check && npm run codex:compat && npm run hooks:codex-validate && npm run hooks:warning-check && npm run hooks:semantic-check && npm run hooks:strict-subset-check && npm run codex-lb:setup-fixture && npm run codex-lb:setup-truthfulness && npm run codex-lb:persistence-truth && npm run codex-lb:missing-env-regression && npm run computer-use:policy-check && npm run computer-use:visual-route-fixture && npm run computer-use:live-optional && npm run computer-use:live-evidence && npm run docs:truthfulness && npm run release:readiness && npm run package-boundary:check && npm run blackbox:command-import-smoke && npm run test:blackbox && npm run repo-audit && npm run changelog:check && npm run cli-entrypoint:check && npm run legacy-free:check && npm run architecture:check && npm run route-modularity:check && npm run command-budget:check && npm run pipeline-budget:check && npm run pipeline-runtime:check && npm run packcheck && npm run feature:check && npm run feature-quality:check && npm run all-features:selftest && npm run scout-engines:check && npm run scouts:parser-check && npm run scouts:selftest && npm run scouts:check && npm run trust:check && npm run wrongness:fixtures && npm run wrongness:check && npm run git-hygiene:check && npm run git-precommit:fixture && npm run shared-memory:check && npm run git-collaboration:e2e && npm run evidence:check && npm run safety:check && npm run chaos:check && npm run bench:core && npm run feature-fixtures:strict && npm run selftest && npm run test:unit && npm run test:integration:mock && npm run test:e2e:mock && npm run rust:check && npm run rust:smoke && npm run perf:gate && npm run blackbox:matrix && npm run blackbox:check && npm run sizecheck && npm run registry:check && npm run typescript:migration-report && node ./scripts/release-check-stamp.mjs write && npm run release:readiness",
     "release:publish": "npm run publish:npm",
     "publish:dry": "npm --cache /tmp/sks-npm-cache publish --dry-run --registry https://registry.npmjs.org/ --access public",
     "publish:npm": "npm --cache /tmp/sks-npm-cache publish --registry https://registry.npmjs.org/ --access public",