sneakoscope 1.0.6 → 1.0.8

package/README.md

@@ -4,6 +4,10 @@ Fast legacy-free proof-first Codex trust layer with image-based Voxel TriWiki.
 
 Sneakoscope Codex (`sks`) is a Codex CLI/App harness that makes repeatable Codex work auditable.
 
+SKS **1.0.8** is the Codex 0.132 UX-Review Seal: Codex CLI `rust-v0.132.0` compatibility is explicit, `codex exec resume --output-schema` is the preferred structured-output path, and `$UX-Review this screenshot with gpt-image-2 callouts, then fix the issues` is a real visual trust loop from source screenshot fidelity to generated callout ingestion, issue ledger extraction, bounded safe fixes, recapture/re-review, Image Voxel relations, Wrongness, Completion Proof, and Trust Report gates.
+
+SKS **1.0.7** is the Ultimate Final Completion seal for the Codex trust harness: Computer Use live evidence is an opt-in, local-only macOS evidence path with explicit `probe_only`, `live_capture_attempted`, `live_capture_success`, and `live_capture_blocked` modes; `codex-lb setup` reports durable persistence versus `process_only_ephemeral` honestly; and docs/release readiness checks block mock/probe/live overclaims.
+
 SKS **1.0.6** is the final precision polish for the Codex trust harness: hook compatibility is classified as upstream schema plus an SKS zero-warning strict subset, `sks codex-lb setup` previews and applies the exact choices the user selected, and Computer Use has an optional live smoke surface for macOS capability/evidence status.
 
 SKS **1.0.5** sealed the prior trust harness: hook outputs were validated against both vendored OpenAI Codex CLI `rust-v0.131.0` schemas and runtime semantic parser rules, codex-lb setup survived macOS user-session launches through env-file/Keychain/launchctl-aware repair surfaces, and Computer Use became the preferred macOS visual evidence capability when available.
@@ -20,8 +24,70 @@ Hybrid-free **`1.0.1`** already delivered the CLI entrypoint/router/registry/Tru
 
 SKS does not try to clone every other harness. It focuses on one thing: making Codex work auditable, visual-evidence-bound, safety-gated, and reproducible through Completion Proof.
 
-![Sneakoscope Codex architecture and pipeline](https://raw.githubusercontent.com/mandarange/Sneakoscope-Codex/dev/docs/assets/sneakoscope-architecture-pipeline.jpg)
+![Sneakoscope Codex Trust Layer](docs/assets/sneakoscope-architecture-pipeline.jpg)
+
+
+## 1.0.8 Codex 0.132 UX-Review Seal
+
+1.0.8 makes UX-Review the representative SKS visual trust harness rather than a policy-only fixture. The CLI/App route now records source screenshot original-resolution metadata, requires real `gpt-image-2` generated callout images before verified UX claims, extracts visible callouts into `schemas/codex/image-ux-issue-ledger.schema.json`, plans bounded P0/P1-first fixes, and requires recapture/re-review before visual fix verification.
+
+```bash
+sks codex compatibility --json
+sks ux-review run --image ./screenshot.png --fix --json
+sks ux-review callouts --image ./screenshot.png --json
+sks ux-review extract-issues --generated-image ./generated-callouts.png --json
+sks ux-review fix latest --json
+sks ux-review recapture latest --json
+sks ux-review recheck latest --json
+sks ux-review status latest --json
+```
+
+Release checks now include:
+
+- `npm run codex:0.132-compat`
+- `npm run codex:output-schema-fixture`
+- `npm run image-fidelity:check`
+- `npm run ux-review:real-loop-fixture`
+- `npm run ux-review:no-text-fallback`
+- `npm run ux-review:image-voxel-relations`
+- `npm run memory-summary:rebuild-check`
+- `npm run loop-blocker:check`
+
+`gpt-image-2` output is local-only by default. Text-only critique is blocked, mock fixtures stay `verified_partial` or lower, screenshot binaries are not automatically published to shared TriWiki, and unavailable Codex/App image-generation capability is recorded as a blocker instead of being faked.
+
+## 1.0.7 Ultimate Final Completion
+
+1.0.7 does not add a new route, skill, or competing harness. It closes the last trust gaps around live visual evidence, persistence truth, and release documentation.
+
+Computer Use live evidence stays optional and explicit:
+
+```bash
+sks computer-use smoke --json
+sks computer-use smoke --real --capture-screenshot --json
+sks computer-use smoke --real --require-real --json
+npm run computer-use:live-evidence
+```
+
+Default smoke is `probe_only` and never attempts screen capture. Real mode records `live_capture_attempted`, `live_capture_success`, or `live_capture_blocked`; if Codex App, macOS permission, or the official Computer Use capture surface is unavailable, SKS writes a structured blocker instead of fabricated evidence. Browser Use evidence and manual screenshots remain separate sources. Computer Use screenshots are local-only by default, carry SHA-256 metadata, and link to Image Voxel only when a mission-local anchor can be made.
+
+codex-lb setup now reports the exact persistence truth:
+
+```bash
+sks codex-lb setup --host lb.example.com --api-key-stdin --plan --json
+sks codex-lb setup --host lb.example.com --api-key-stdin --yes --no-env-file --no-keychain --no-launchctl --shell-profile skip --json
+npm run codex-lb:persistence-truth
+```
+
+Durable modes are `durable_env_file`, `durable_keychain`, `durable_launchctl`, and `shell_profile`. If all durable modes are disabled, setup is classified as `process_only_ephemeral`, emits `next_shell_requires_setup_or_env`, and warns that Codex App GUI launches may not see credentials. Use `sks codex-lb setup --write-env-file --keychain --launchctl` to recover durable persistence.
+
+Documentation truthfulness is now a release invariant:
+
+```bash
+npm run docs:truthfulness
+npm run release:readiness
+```
 
+The hook compatibility surface remains the upstream schema plus the SKS zero-warning strict subset; SKS does not claim to mirror every upstream runtime parser rule or guarantee universal Computer Use availability.
 
 ## 1.0.6 Final Precision Polish
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.0.6"
+version = "1.0.8"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.0.6"
+version = "1.0.8"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.0.6"),
+        Some("--version") => println!("sks-rs 1.0.8"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.0.6';
+const FAST_PACKAGE_VERSION = '1.0.8';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,6 +1,6 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "typescript": true,
   "mjs_runtime_files": 0,
   "files": [
@@ -184,6 +184,8 @@
     "core/codex-adapter.js",
     "core/codex-app.d.ts",
     "core/codex-app.js",
+    "core/codex-compat/codex-0-132.d.ts",
+    "core/codex-compat/codex-0-132.js",
     "core/codex-compat/codex-compat-report.d.ts",
     "core/codex-compat/codex-compat-report.js",
     "core/codex-compat/codex-config-policy.d.ts",
@@ -206,6 +208,8 @@
     "core/codex-compat/codex-version-policy.js",
     "core/codex-compat/codex-version.d.ts",
     "core/codex-compat/codex-version.js",
+    "core/codex-exec-output-schema.d.ts",
+    "core/codex-exec-output-schema.js",
     "core/codex-lb-circuit.d.ts",
     "core/codex-lb-circuit.js",
     "core/codex-lb/codex-lb-env.d.ts",
@@ -286,6 +290,8 @@
     "core/commands/wiki-command.js",
     "core/commands/wrongness-command.d.ts",
     "core/commands/wrongness-command.js",
+    "core/computer-use-live-evidence.d.ts",
+    "core/computer-use-live-evidence.js",
     "core/computer-use-status.d.ts",
     "core/computer-use-status.js",
     "core/context7-client.d.ts",
@@ -368,14 +374,28 @@
     "core/hproof.js",
     "core/image-ux-review.d.ts",
     "core/image-ux-review.js",
+    "core/image-ux-review/callout-extraction.d.ts",
+    "core/image-ux-review/callout-extraction.js",
+    "core/image-ux-review/fix-loop.d.ts",
+    "core/image-ux-review/fix-loop.js",
+    "core/image-ux-review/fix-task-planner.d.ts",
+    "core/image-ux-review/fix-task-planner.js",
+    "core/image-ux-review/imagegen-adapter.d.ts",
+    "core/image-ux-review/imagegen-adapter.js",
+    "core/image-ux-review/recapture.d.ts",
+    "core/image-ux-review/recapture.js",
     "core/init.d.ts",
     "core/init.js",
     "core/language-preference.d.ts",
     "core/language-preference.js",
+    "core/loop-blocker.d.ts",
+    "core/loop-blocker.js",
     "core/managed-paths.d.ts",
     "core/managed-paths.js",
     "core/memory-governor.d.ts",
     "core/memory-governor.js",
+    "core/memory-summary.d.ts",
+    "core/memory-summary.js",
     "core/mission.d.ts",
     "core/mission.js",
     "core/mistake-memory.d.ts",

package/dist/cli/install-helpers.d.ts

@@ -1,3 +1,4 @@
+import { type CodexLbPersistenceSummary } from '../core/codex-lb/codex-lb-setup.js';
 type CodexLbStatusSnapshot = Awaited<ReturnType<typeof codexLbStatus>>;
 /** Install-time shim reconciliation; fields vary by `status`. */
 export type SksPostinstallShimResult = {
@@ -59,6 +60,7 @@ export type ConfigureCodexLbResult = {
     plan?: Record<string, unknown>;
     applied_actions?: Array<Record<string, unknown>>;
     drift?: string[];
+    persistence?: CodexLbPersistenceSummary;
     config_path?: string;
     env_path?: string;
     metadata_path?: string;

package/dist/cli/install-helpers.js

@@ -12,7 +12,7 @@ import { codexLaunchCommand, platformTmuxInstallHint, tmuxReadiness, tmuxReadine
 import { reconcileCodexAppUpgradeProcesses } from '../core/codex-app.js';
 import { recordCodexLbHealthEvent } from '../core/codex-lb-circuit.js';
 import { loadCodexLbEnv, writeCodexLbKeychain, codexLbMetadataPath } from '../core/codex-lb/codex-lb-env.js';
-import { buildCodexLbSetupPlan, installCodexLbShellProfileSnippet } from '../core/codex-lb/codex-lb-setup.js';
+import { buildCodexLbSetupPlan, codexLbPersistenceSummary, installCodexLbShellProfileSnippet, selectedCodexLbPersistenceModes } from '../core/codex-lb/codex-lb-setup.js';
 const DEFAULT_CODEX_APP_PLUGINS = [
     ['browser', 'openai-bundled'],
     ['chrome', 'openai-bundled'],
@@ -324,6 +324,7 @@ export async function configureCodexLb(opts = {}) {
         run_health_check: opts.runHealth === true,
         allow_insecure_localhost: opts.allowInsecureHttp === true || opts.allowInsecureLocalhost === true
     };
+    const selectedPersistenceModes = selectedCodexLbPersistenceModes(setupAnswers);
     const plan = buildCodexLbSetupPlan(setupAnswers, {
         home,
         configPath,
@@ -341,6 +342,7 @@ export async function configureCodexLb(opts = {}) {
     const insecureLocalWarning = /^http:\/\//i.test(baseUrl) && !/^http:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::|\/|$)/i.test(baseUrl) && !opts.allowInsecureHttp
         ? ['codex-lb base URL uses http outside localhost; prefer https or pass an explicit allow flag in the calling surface.']
         : [];
+    const beforeState = await captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile });
     const appliedActions = [];
     await ensureDir(path.dirname(configPath));
     const current = await readText(configPath, '');
@@ -381,6 +383,7 @@ export async function configureCodexLb(opts = {}) {
     const authReconcile = await reconcileCodexLbAuthConflict({ ...opts, home, status: codexLb }).catch((err) => ({ status: 'failed', reason: 'exception', error: err.message }));
     const finalCodexLb = await codexLbStatus({ ...opts, home, configPath, envPath });
     const ok = Boolean(codexEnvironment.ok && codexLogin.ok);
+    const afterState = await captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile });
     const drift = detectCodexLbSetupDrift({
         useDefaultProvider,
         writeEnvFile,
@@ -391,21 +394,41 @@ export async function configureCodexLb(opts = {}) {
         envFile: finalCodexLb.env_file,
         keychain,
         codexEnvironment,
-        shellProfileResult
+        shellProfileResult,
+        beforeState,
+        afterState
     });
+    const appliedPersistenceModes = appliedCodexLbPersistenceModes({
+        writeEnvFile,
+        storeKeychain,
+        syncLaunchctl,
+        shellProfile,
+        envFile: finalCodexLb.env_file,
+        keychain,
+        codexEnvironment,
+        shellProfileResult,
+        apiKeySource: finalCodexLb.env_loader?.api_key?.source || null
+    });
+    const persistence = codexLbPersistenceSummary({
+        selectedModes: selectedPersistenceModes,
+        appliedModes: appliedPersistenceModes,
+        processOnly: appliedPersistenceModes.includes('process_only_ephemeral')
+    });
+    const warnings = [...insecureLocalWarning, ...persistence.warnings];
     return {
         ok: ok && drift.length === 0,
         status: ok && drift.length === 0 ? 'configured' : drift.length ? 'setup_choice_drift' : (codexEnvironment.status || codexLogin.status),
         plan: plan,
         applied_actions: appliedActions,
         drift,
+        persistence,
         config_path: configPath,
         env_path: envPath,
         metadata_path: metadataPath,
         base_url: baseUrl,
         env_key: 'CODEX_LB_API_KEY',
         keychain,
-        warnings: insecureLocalWarning,
+        warnings,
         auth_reconcile: authReconcile,
         codex_lb: finalCodexLb,
         codex_environment: codexEnvironment,
@@ -1339,7 +1362,9 @@ function detectCodexLbSetupDrift(state = {}) {
         drift.push('default_provider_selected_despite_no_default_provider');
     if (state.writeEnvFile && state.envFile !== true)
         drift.push('env_file_not_written');
-    if (!state.writeEnvFile && state.envFile === true)
+    if (!state.writeEnvFile && state.beforeState && state.afterState && state.beforeState.envHash !== state.afterState.envHash)
+        drift.push('env_file_changed_despite_no_env_file');
+    if (!state.writeEnvFile && !state.beforeState && state.envFile === true)
         drift.push('env_file_written_despite_no_env_file');
     if (!state.storeKeychain && state.keychain?.status && state.keychain.status !== 'skipped')
         drift.push('keychain_touched_despite_no_keychain');
@@ -1347,8 +1372,54 @@ function detectCodexLbSetupDrift(state = {}) {
         drift.push('launchctl_synced_despite_no_launchctl');
     if (state.shellProfile === 'skip' && state.shellProfileResult?.status === 'installed')
         drift.push('shell_profile_written_despite_skip');
+    if (state.shellProfile === 'skip' && state.beforeState && state.afterState && state.beforeState.profileHash !== state.afterState.profileHash)
+        drift.push('shell_profile_changed_despite_skip');
     return drift;
 }
+async function captureCodexLbSetupWriteState({ home, configPath, envPath, shellProfile } = {}) {
+    const profileFiles = profileFilesForDrift(home, shellProfile);
+    return {
+        configHash: await fileHashOrMissing(configPath),
+        envHash: await fileHashOrMissing(envPath),
+        profileHash: (await Promise.all(profileFiles.map((file) => fileHashOrMissing(file)))).join('|')
+    };
+}
+async function fileHashOrMissing(file) {
+    const text = await readText(file, null).catch(() => null);
+    return text === null ? 'missing' : await sha256Text(String(text));
+}
+function profileFilesForDrift(home, shellProfile) {
+    const targets = {
+        zsh: path.join(home, '.zshrc'),
+        bash: path.join(home, '.bashrc'),
+        fish: path.join(home, '.config', 'fish', 'config.fish')
+    };
+    if (shellProfile === 'zsh')
+        return [targets.zsh];
+    if (shellProfile === 'bash')
+        return [targets.bash];
+    if (shellProfile === 'fish')
+        return [targets.fish];
+    if (shellProfile === 'all')
+        return [targets.zsh, targets.bash, targets.fish];
+    return [targets.zsh, targets.bash, targets.fish];
+}
+function appliedCodexLbPersistenceModes(state = {}) {
+    const modes = [];
+    if (state.writeEnvFile && state.envFile === true)
+        modes.push('durable_env_file');
+    if (state.storeKeychain && state.keychain?.ok === true)
+        modes.push('durable_keychain');
+    if (state.syncLaunchctl && state.codexEnvironment?.launch_environment?.status === 'synced')
+        modes.push('durable_launchctl');
+    if (state.shellProfile !== 'skip' && state.shellProfileResult?.status === 'installed')
+        modes.push('shell_profile');
+    if (!modes.length && state.apiKeySource === 'process.env')
+        modes.push('process_only_ephemeral');
+    if (!modes.length)
+        modes.push('none');
+    return modes;
+}
 export async function ensureGlobalCodexFastModeDuringInstall(opts = {}) {
     if (process.env.SKS_SKIP_CODEX_FAST_MODE_REPAIR === '1')
         return { status: 'skipped', reason: 'SKS_SKIP_CODEX_FAST_MODE_REPAIR=1' };

package/dist/commands/codex-lb.js

@@ -6,7 +6,7 @@ import { flag, readOption } from '../cli/args.js';
 import { printJson } from '../cli/output.js';
 import { codexLbMetrics, readCodexLbCircuit, recordCodexLbHealthEvent, resetCodexLbCircuit, codexLbProofEvidence } from '../core/codex-lb-circuit.js';
 import { checkCodexLbResponseChain, codexLbStatus, configureCodexLb, formatCodexLbStatusText, releaseCodexLbAuthHold, repairCodexLbAuth, unselectCodexLbProvider } from '../cli/install-helpers.js';
-import { buildCodexLbSetupPlan, renderCodexLbSetupPlan } from '../core/codex-lb/codex-lb-setup.js';
+import { buildCodexLbSetupPlan, codexLbPersistenceSummary, renderCodexLbSetupPlan } from '../core/codex-lb/codex-lb-setup.js';
 export async function run(command, args = []) {
     const root = await projectRoot();
     const action = args[0] || 'status';
@@ -111,7 +111,7 @@ export async function run(command, args = []) {
             return;
         }
         if (flag(args, '--plan')) {
-            const result = { schema: 'sks.codex-lb-setup-plan-result.v1', ok: plan.blockers.length === 0, plan, writes: false };
+            const result = { schema: 'sks.codex-lb-setup-plan-result.v1', ok: plan.blockers.length === 0, plan, writes: false, expected_actions: plan.expected_actions, persistence: plan.persistence };
             if (flag(args, '--json'))
                 return printJson(result);
             process.stdout.write(renderCodexLbSetupPlan(plan));
@@ -119,6 +119,7 @@ export async function run(command, args = []) {
                 process.exitCode = 1;
             return;
         }
+        const processOnly = plan.persistence.effective_mode === 'process_only_ephemeral';
         if (options.interactive && !options.yes) {
             process.stdout.write(renderCodexLbSetupPlan(plan));
             const confirm = (await ask('Apply this codex-lb setup plan? [y/N] ')).trim();
@@ -130,6 +131,39 @@ export async function run(command, args = []) {
                 process.exitCode = 1;
                 return;
             }
+            if (processOnly) {
+                const confirmProcessOnly = (await ask('This setup keeps credentials only in the current process. Type process-only to continue: ')).trim();
+                if (confirmProcessOnly !== 'process-only') {
+                    const result = { schema: 'sks.codex-lb-setup.v1', ok: false, status: 'process_only_cancelled', plan, applied_actions: [], persistence: plan.persistence };
+                    if (flag(args, '--json')) {
+                        printJson(result);
+                        process.exitCode = 1;
+                        return;
+                    }
+                    console.log('codex-lb setup cancelled: process-only ephemeral setup was not confirmed.');
+                    process.exitCode = 1;
+                    return;
+                }
+            }
+        }
+        else if (processOnly && !options.yes) {
+            const result = {
+                schema: 'sks.codex-lb-setup.v1',
+                ok: false,
+                status: 'process_only_requires_yes',
+                plan,
+                applied_actions: [],
+                persistence: plan.persistence,
+                guidance: ['Pass --yes to acknowledge process_only_ephemeral setup, or enable --write-env-file, --keychain, --launchctl, or --shell-profile.']
+            };
+            if (flag(args, '--json')) {
+                printJson(result);
+                process.exitCode = 1;
+                return;
+            }
+            console.error('codex-lb setup would be process-only ephemeral. Pass --yes to acknowledge, or enable a durable persistence mode.');
+            process.exitCode = 1;
+            return;
         }
         const result = await configureCodexLb({
             host: options.host,
@@ -152,6 +186,8 @@ export async function run(command, args = []) {
         if (flag(args, '--json'))
             return printJson(shaped);
         console.log(`codex-lb configured: ${result.base_url || result.status}`);
+        if (shaped.persistence?.warning)
+            console.log(`warning: ${shaped.persistence.warning}`);
         if (!result.ok)
             process.exitCode = 1;
         return;
@@ -190,6 +226,18 @@ export async function run(command, args = []) {
     process.exitCode = 1;
 }
 function shapeCodexLbStatus(status = {}) {
+    const mode = status.env_loader?.api_key?.source === 'env-file'
+        ? 'durable_env_file'
+        : status.env_loader?.api_key?.source === 'keychain'
+            ? 'durable_keychain'
+            : status.env_loader?.api_key?.source === 'process.env'
+                ? 'process_only_ephemeral'
+                : 'none';
+    const persistence = codexLbPersistenceSummary({
+        selectedModes: mode === 'none' ? [] : [mode],
+        appliedModes: mode === 'none' ? ['none'] : [mode],
+        processOnly: mode === 'process_only_ephemeral'
+    });
     return {
         schema: 'sks.codex-lb-status.v1',
         ...status,
@@ -201,6 +249,7 @@ function shapeCodexLbStatus(status = {}) {
             source: status.env_loader?.api_key?.source || null,
             redacted: true
         },
+        persistence,
         env_loader: status.env_loader || null,
         env_auto_load: Boolean(status.env_file && status.env_key_configured),
         guidance: status.ok ? [] : [