sneakoscope 1.14.0 → 1.14.1

package/README.md

@@ -10,7 +10,7 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.14.0** focuses on Codex hook trust parity and real imagegen route hardening: hooks now prefer managed installs when official hashes are unavailable, `trust-doctor --actual` reports real config state, and UX/PPT image routes validate gpt-image-2 requests before generation while fake blackbox checks stay explicitly mock-like.
+SKS **1.14.1** is an extreme stabilization release for hook trust, real imagegen smoke checks, PPT E2E review evidence, Codex 0.133 compatibility, and Scout multi-session intake. Scout runs now carry `engine_run_id`, `scout_session_id`, output-schema metadata, isolated benchmark artifacts, read-only guard v2 evidence, and speedup-claim caps for mock/static paths.
 
 ```bash
 sks features complete --json

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.14.0"
+version = "1.14.1"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.14.0"
+version = "1.14.1"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.14.0"),
+        Some("--version") => println!("sks-rs 1.14.1"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.14.0';
+const FAST_PACKAGE_VERSION = '1.14.1';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,6 +1,6 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.14.0",
+  "version": "1.14.1",
   "typescript": true,
   "mjs_runtime_files": 0,
   "files": [
@@ -226,6 +226,8 @@
     "core/codex-hooks/codex-hook-hash.js",
     "core/codex-hooks/codex-hook-managed-install.d.ts",
     "core/codex-hooks/codex-hook-managed-install.js",
+    "core/codex-hooks/codex-hook-official-hash-oracle.d.ts",
+    "core/codex-hooks/codex-hook-official-hash-oracle.js",
     "core/codex-hooks/codex-hook-official-parity.d.ts",
     "core/codex-hooks/codex-hook-official-parity.js",
     "core/codex-hooks/codex-hook-state-writer.d.ts",
@@ -370,6 +372,8 @@
     "core/evidence/evidence-schema.js",
     "core/evidence/evidence-store.d.ts",
     "core/evidence/evidence-store.js",
+    "core/evidence/flagship-proof-graph-validator.d.ts",
+    "core/evidence/flagship-proof-graph-validator.js",
     "core/feature-fixture-runner.d.ts",
     "core/feature-fixture-runner.js",
     "core/feature-fixtures.d.ts",

package/dist/cli/feature-commands.js

@@ -151,6 +151,41 @@ export async function hooksCommand(sub = 'explain', args = []) {
             process.exitCode = 1;
         return;
     }
+    if (action === 'repair') {
+        if (flag(args, '--trusted')) {
+            const parity = await writeCodexHookOfficialParityReport(root);
+            if (!parity.official_hash_available) {
+                const blocked = {
+                    schema: 'sks.codex-hooks-repair.v1',
+                    ok: false,
+                    mode: 'trusted',
+                    status: 'blocked',
+                    blocker: 'official_hash_oracle_unavailable',
+                    next_command: 'sks hooks repair --managed --json',
+                    parity
+                };
+                if (flag(args, '--json'))
+                    return console.log(JSON.stringify(blocked, null, 2));
+                console.log('Hooks trusted repair blocked: official hash oracle unavailable. Run `sks hooks repair --managed --json`.');
+                process.exitCode = 1;
+                return;
+            }
+        }
+        const report = await installManagedCodexHooks(root);
+        const result = {
+            ...report,
+            schema: 'sks.codex-hooks-repair.v1',
+            mode: 'managed',
+            next_command: 'sks hooks trust-doctor --actual --json',
+            actions: ['requirements_toml_managed_install_default']
+        };
+        if (flag(args, '--json'))
+            return console.log(JSON.stringify(result, null, 2));
+        console.log(`Hooks managed repair: ${report.ok ? 'ok' : 'blocked'}`);
+        if (!report.ok)
+            process.exitCode = 1;
+        return;
+    }
     if (action === 'install') {
         const report = flag(args, '--managed')
             ? await installManagedCodexHooks(root)
@@ -162,7 +197,7 @@ export async function hooksCommand(sub = 'explain', args = []) {
             process.exitCode = 1;
         return;
     }
-    if (action === 'actual-parity' || action === 'official-parity') {
+    if (action === 'actual-parity' || action === 'official-parity' || (action === 'parity' && flag(args, '--official'))) {
         const report = await writeCodexHookOfficialParityReport(root);
         if (flag(args, '--json'))
             return console.log(JSON.stringify(report, null, 2));
@@ -220,7 +255,7 @@ export async function hooksCommand(sub = 'explain', args = []) {
         return;
     }
     if (action !== 'explain') {
-        console.error('Usage: sks hooks explain|status|doctor|trust-report|trust-state|trust-doctor|trust-fix|install|actual-parity|official-parity|replay <fixture.json>|codex-schema|codex-validate|warning-check|replay-codex-fixtures [--json]');
+        console.error('Usage: sks hooks explain|status|doctor|trust-report|trust-state|trust-doctor|trust-fix|install|repair|actual-parity|official-parity|parity --official|replay <fixture.json>|codex-schema|codex-validate|warning-check|replay-codex-fixtures [--json]');
         process.exitCode = 1;
         return;
     }

package/dist/commands/image-ux-review.d.ts

@@ -49,7 +49,8 @@ export declare function run(command: any, args?: any): Promise<void | {
                 privacy: string;
             };
             image_generation_review: {
-                required_for_gate: boolean;
+                required_for_gate: string;
+                missing_generated_image_closeout: string;
                 model: string;
                 preferred_surface: string;
                 codex_app_imagegen_doc: string;
@@ -122,12 +123,17 @@ export declare function run(command: any, args?: any): Promise<void | {
                 gpt_image_2_model_doc: string;
             };
             required: boolean;
+            required_for_full_verification: boolean;
+            reference_closeout_allowed_when_unavailable: boolean;
             generated_review_images: any;
             planned_reviews: any;
             generated_count: any;
             real_generated_count: any;
             required_count: any;
             text_only_count: any;
+            generated_image_file_evidence_checked: boolean;
+            evidence_verified: boolean;
+            reference_closeout_eligible: boolean;
             blockers: string[];
             passed: boolean;
             imagegen_blocker: {
@@ -260,6 +266,7 @@ export declare function run(command: any, args?: any): Promise<void | {
             }[];
             stopped: boolean;
             stop_reason: string;
+            reference_only: boolean;
             passed: boolean;
         };
         output_schema: import("../core/codex-exec-output-schema.js").CodexExecResumeOutputSchemaAvailability | {
@@ -267,8 +274,24 @@ export declare function run(command: any, args?: any): Promise<void | {
             status: string;
             warnings: any[];
         };
+        honest_mode_evidence: {
+            schema: string;
+            ok: boolean;
+            artifact: string;
+            validation: {
+                schema: any;
+                ok: boolean;
+                errors: any;
+                warnings: any;
+                checked_at: string;
+            };
+        };
         gate: {
-            passed: boolean;
+            passed: any;
+            status: string;
+            verified_level: string;
+            full_review_passed: boolean;
+            reference_only: any;
             schema: string;
             schema_version: number;
             created_at: string;
@@ -282,15 +305,26 @@ export declare function run(command: any, args?: any): Promise<void | {
             p0_p1_zero_after_fix: boolean;
             fix_loop_executed_or_not_needed: boolean;
             changed_screens_rechecked: boolean;
+            image_voxel_reference_anchor_created: boolean;
             image_voxel_relations_created: boolean;
             wrongness_checked: boolean;
             honest_mode_complete: boolean;
             required_artifacts: string[];
             blockers: any[];
+            full_verification_blockers: any[];
+            reference_closeout: {
+                eligible: any;
+                reason: string | null;
+                cap: string;
+                cannot_claim: string[];
+            };
+            source_reference_evidence: any;
+            honest_mode_evidence: any;
             verification_caps: {
                 text_only_review: string;
                 mock_fixture: string;
                 codex_less_than_0_132_fallback: string;
+                missing_generated_image_reference_closeout: string;
             };
             notes: string[];
         };
@@ -397,7 +431,11 @@ export declare function run(command: any, args?: any): Promise<void | {
         contract_hash: any;
     };
     gate: {
-        passed: boolean;
+        passed: any;
+        status: string;
+        verified_level: string;
+        full_review_passed: boolean;
+        reference_only: any;
         schema: string;
         schema_version: number;
         created_at: string;
@@ -411,15 +449,26 @@ export declare function run(command: any, args?: any): Promise<void | {
         p0_p1_zero_after_fix: boolean;
         fix_loop_executed_or_not_needed: boolean;
         changed_screens_rechecked: boolean;
+        image_voxel_reference_anchor_created: boolean;
         image_voxel_relations_created: boolean;
         wrongness_checked: boolean;
         honest_mode_complete: boolean;
         required_artifacts: string[];
         blockers: any[];
+        full_verification_blockers: any[];
+        reference_closeout: {
+            eligible: any;
+            reason: string | null;
+            cap: string;
+            cannot_claim: string[];
+        };
+        source_reference_evidence: any;
+        honest_mode_evidence: any;
         verification_caps: {
             text_only_review: string;
             mock_fixture: string;
             codex_less_than_0_132_fallback: string;
+            missing_generated_image_reference_closeout: string;
         };
         notes: string[];
     };
@@ -466,6 +515,15 @@ export declare function run(command: any, args?: any): Promise<void | {
         blockers: string[];
         passed: boolean;
     };
+} | {
+    schema: string;
+    ok: boolean;
+    mission_id: any;
+    status: any;
+    verified_level: any;
+    reference_only: boolean;
+    blockers: any;
+    next_action: string;
 } | {
     schema: string;
     ok: boolean;

package/dist/core/codex-hooks/codex-hook-official-hash-oracle.d.ts

@@ -0,0 +1,19 @@
+import { type CodexHookEventName } from '../codex-compat/codex-hook-events.js';
+import { type CodexCommandHookIdentity } from './codex-hook-hash.js';
+export declare const CODEX_HOOK_HASH_ORACLE_SCHEMA = "sks.codex-hook-hash-oracle.v1";
+export type CodexHookHashOracleMode = 'cli' | 'rust-helper' | 'golden-fixture' | 'unavailable';
+export interface CodexHookHashOracleResult {
+    schema: typeof CODEX_HOOK_HASH_ORACLE_SCHEMA;
+    ok: boolean;
+    mode: CodexHookHashOracleMode;
+    event_name: CodexHookEventName | null;
+    official_hash_available: boolean;
+    official_hash_proven: boolean;
+    official_hash: string | null;
+    sks_computed_hash: string | null;
+    source: string | null;
+    blocker: string | null;
+    generated_at: string;
+}
+export declare function resolveCodexHookHashOracle(root: string, identity: CodexCommandHookIdentity, opts?: any): Promise<CodexHookHashOracleResult>;
+//# sourceMappingURL=codex-hook-official-hash-oracle.d.ts.map

package/dist/core/codex-hooks/codex-hook-official-hash-oracle.js

@@ -0,0 +1,96 @@
+import path from 'node:path';
+import { exists, nowIso, readJson, runProcess, which } from '../fsx.js';
+import {} from '../codex-compat/codex-hook-events.js';
+import { codexCommandHookCurrentHash } from './codex-hook-hash.js';
+export const CODEX_HOOK_HASH_ORACLE_SCHEMA = 'sks.codex-hook-hash-oracle.v1';
+export async function resolveCodexHookHashOracle(root, identity, opts = {}) {
+    const sksHash = codexCommandHookCurrentHash(identity);
+    const cli = await readCliOracle(identity, opts).catch((err) => unavailable(identity, sksHash, `cli_oracle_failed:${errorMessage(err)}`));
+    if (cli.mode === 'cli' && cli.official_hash_available)
+        return cli;
+    const rust = await readRustOracle(root, identity, opts).catch((err) => unavailable(identity, sksHash, `rust_oracle_failed:${errorMessage(err)}`));
+    if (rust.mode === 'rust-helper' && rust.official_hash_available)
+        return rust;
+    const fixture = await readGoldenFixtureOracle(root, identity, opts).catch((err) => unavailable(identity, sksHash, `golden_fixture_failed:${errorMessage(err)}`));
+    if (fixture.mode === 'golden-fixture' && fixture.official_hash_available)
+        return fixture;
+    return unavailable(identity, sksHash, cli.blocker || rust.blocker || fixture.blocker || 'official_hash_oracle_unavailable');
+}
+async function readCliOracle(identity, opts = {}) {
+    const codexBin = opts.codexBin || await which('codex').catch(() => null);
+    const sksHash = codexCommandHookCurrentHash(identity);
+    if (!codexBin)
+        return unavailable(identity, sksHash, 'codex_binary_missing');
+    const run = await runProcess(codexBin, ['hooks', 'hash', '--json'], {
+        input: `${JSON.stringify(identity)}\n`,
+        timeoutMs: 5000,
+        maxOutputBytes: 64 * 1024
+    }).catch((err) => ({ code: 1, stdout: '', stderr: errorMessage(err) }));
+    if (run.code !== 0)
+        return unavailable(identity, sksHash, 'codex_hooks_hash_json_unavailable');
+    const parsed = JSON.parse(run.stdout || '{}');
+    const officialHash = parsed.official_hash || parsed.hash || parsed.current_hash || null;
+    return oracleResult('cli', identity, sksHash, officialHash, `${codexBin} hooks hash --json`);
+}
+async function readRustOracle(root, identity, opts = {}) {
+    const sksRs = opts.rustHelper || await which('sks-rs').catch(() => null);
+    const sksHash = codexCommandHookCurrentHash(identity);
+    if (!sksRs)
+        return unavailable(identity, sksHash, 'rust_helper_missing');
+    const run = await runProcess(sksRs, ['codex-hook-hash', '--json'], {
+        cwd: root,
+        input: `${JSON.stringify(identity)}\n`,
+        timeoutMs: 5000,
+        maxOutputBytes: 64 * 1024
+    }).catch((err) => ({ code: 1, stdout: '', stderr: errorMessage(err) }));
+    if (run.code !== 0)
+        return unavailable(identity, sksHash, 'rust_helper_hash_unavailable');
+    const parsed = JSON.parse(run.stdout || '{}');
+    const officialHash = parsed.official_hash || parsed.hash || null;
+    return oracleResult('rust-helper', identity, sksHash, officialHash, `${sksRs} codex-hook-hash --json`);
+}
+async function readGoldenFixtureOracle(root, identity, opts = {}) {
+    const fixturePath = opts.fixturePath || path.join(root, 'test', 'fixtures', 'codex-hooks', 'official-hash-oracle.json');
+    const sksHash = codexCommandHookCurrentHash(identity);
+    if (!(await exists(fixturePath)))
+        return unavailable(identity, sksHash, 'golden_fixture_missing');
+    const fixture = await readJson(fixturePath, {});
+    const rows = Array.isArray(fixture?.entries) ? fixture.entries : [];
+    const match = rows.find((row) => row.event_name === identity.event && String(row.command || '') === String(identity.command || '') && String(row.matcher || '') === String(identity.matcher || ''));
+    const officialHash = match?.official_hash || match?.hash || null;
+    return oracleResult('golden-fixture', identity, sksHash, officialHash, fixturePath);
+}
+function oracleResult(mode, identity, sksHash, officialHash, source) {
+    return {
+        schema: CODEX_HOOK_HASH_ORACLE_SCHEMA,
+        ok: Boolean(officialHash) && officialHash === sksHash,
+        mode,
+        event_name: identity.event,
+        official_hash_available: Boolean(officialHash),
+        official_hash_proven: Boolean(officialHash) && officialHash === sksHash,
+        official_hash: officialHash,
+        sks_computed_hash: sksHash,
+        source,
+        blocker: officialHash ? (officialHash === sksHash ? null : 'official_hash_mismatch') : 'official_hash_missing',
+        generated_at: nowIso()
+    };
+}
+function unavailable(identity, sksHash, blocker) {
+    return {
+        schema: CODEX_HOOK_HASH_ORACLE_SCHEMA,
+        ok: true,
+        mode: 'unavailable',
+        event_name: identity.event || null,
+        official_hash_available: false,
+        official_hash_proven: false,
+        official_hash: null,
+        sks_computed_hash: sksHash,
+        source: null,
+        blocker,
+        generated_at: nowIso()
+    };
+}
+function errorMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+//# sourceMappingURL=codex-hook-official-hash-oracle.js.map

package/dist/core/codex-hooks/codex-hook-official-parity.d.ts

@@ -4,6 +4,11 @@ export declare function codexHookOfficialParityReport(root: string, opts?: any):
     status: string;
     created_at: string;
     root: string;
+    oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+    official_hash_available: boolean;
+    official_hash_proven: boolean;
+    managed_policy_used: boolean;
+    unmanaged_trusted_hash_writer_enabled: boolean;
     codex: {
         available: boolean;
         version: string | null;
@@ -13,8 +18,10 @@ export declare function codexHookOfficialParityReport(root: string, opts?: any):
     };
     policy: {
         official_hash_available: boolean;
+        official_hash_proven: boolean;
         managed_only_enforced: boolean;
         sks_trusted_hash_fallback_allowed: boolean;
+        unmanaged_trusted_hash_writer_enabled: boolean;
         trusted_hash_writer_policy: string;
     };
     counts: {
@@ -37,6 +44,7 @@ export declare function codexHookOfficialParityReport(root: string, opts?: any):
             async_false_required: boolean;
         }[];
     };
+    oracle_rows: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleResult[];
     entries: {
         key: string;
         source_path: string;
@@ -47,6 +55,9 @@ export declare function codexHookOfficialParityReport(root: string, opts?: any):
         matcher: string | null;
         current_hash_by_sks: string;
         current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
         trusted_hash: string | null;
         sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
         codex_trust_status: any;
@@ -63,12 +74,41 @@ export declare function codexHookOfficialParityReport(root: string, opts?: any):
         matcher: string | null;
         current_hash_by_sks: string;
         current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
         trusted_hash: string | null;
         sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
         codex_trust_status: any;
         hash_match: boolean | null;
         parity_source: string;
     }[];
+    trust_status_mismatches: {
+        key: string;
+        source_path: string;
+        source_format: any;
+        managed: boolean;
+        event: "PreToolUse" | "PermissionRequest" | "PostToolUse" | "PreCompact" | "PostCompact" | "SessionStart" | "UserPromptSubmit" | "SubagentStart" | "SubagentStop" | "Stop";
+        command: string;
+        matcher: string | null;
+        current_hash_by_sks: string;
+        current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
+        trusted_hash: string | null;
+        sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
+        codex_trust_status: any;
+        hash_match: boolean | null;
+        parity_source: string;
+    }[];
+    coverage: {
+        plugin_source: string;
+        requirements_toml: string;
+        config_toml_inline_hooks: string;
+        hooks_json: string;
+        managed_dir: string;
+    };
     blockers: string[];
 }>;
 export declare function writeCodexHookOfficialParityReport(root: string, opts?: any): Promise<{
@@ -78,6 +118,11 @@ export declare function writeCodexHookOfficialParityReport(root: string, opts?:
     status: string;
     created_at: string;
     root: string;
+    oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+    official_hash_available: boolean;
+    official_hash_proven: boolean;
+    managed_policy_used: boolean;
+    unmanaged_trusted_hash_writer_enabled: boolean;
     codex: {
         available: boolean;
         version: string | null;
@@ -87,8 +132,10 @@ export declare function writeCodexHookOfficialParityReport(root: string, opts?:
     };
     policy: {
         official_hash_available: boolean;
+        official_hash_proven: boolean;
         managed_only_enforced: boolean;
         sks_trusted_hash_fallback_allowed: boolean;
+        unmanaged_trusted_hash_writer_enabled: boolean;
         trusted_hash_writer_policy: string;
     };
     counts: {
@@ -111,6 +158,7 @@ export declare function writeCodexHookOfficialParityReport(root: string, opts?:
             async_false_required: boolean;
         }[];
     };
+    oracle_rows: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleResult[];
     entries: {
         key: string;
         source_path: string;
@@ -121,6 +169,9 @@ export declare function writeCodexHookOfficialParityReport(root: string, opts?:
         matcher: string | null;
         current_hash_by_sks: string;
         current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
         trusted_hash: string | null;
         sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
         codex_trust_status: any;
@@ -137,12 +188,41 @@ export declare function writeCodexHookOfficialParityReport(root: string, opts?:
         matcher: string | null;
         current_hash_by_sks: string;
         current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
         trusted_hash: string | null;
         sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
         codex_trust_status: any;
         hash_match: boolean | null;
         parity_source: string;
     }[];
+    trust_status_mismatches: {
+        key: string;
+        source_path: string;
+        source_format: any;
+        managed: boolean;
+        event: "PreToolUse" | "PermissionRequest" | "PostToolUse" | "PreCompact" | "PostCompact" | "SessionStart" | "UserPromptSubmit" | "SubagentStart" | "SubagentStop" | "Stop";
+        command: string;
+        matcher: string | null;
+        current_hash_by_sks: string;
+        current_hash_by_codex: any;
+        official_oracle_mode: import("./codex-hook-official-hash-oracle.js").CodexHookHashOracleMode;
+        official_hash_available: boolean;
+        official_hash_proven: boolean;
+        trusted_hash: string | null;
+        sks_trust_status: import("./codex-hook-trust-state.js").CodexHookTrustStatus;
+        codex_trust_status: any;
+        hash_match: boolean | null;
+        parity_source: string;
+    }[];
+    coverage: {
+        plugin_source: string;
+        requirements_toml: string;
+        config_toml_inline_hooks: string;
+        hooks_json: string;
+        managed_dir: string;
+    };
     blockers: string[];
 }>;
 //# sourceMappingURL=codex-hook-official-parity.d.ts.map

package/dist/core/codex-hooks/codex-hook-official-parity.js

@@ -2,12 +2,23 @@ import path from 'node:path';
 import { ensureDir, nowIso, runProcess, which, writeJsonAtomic } from '../fsx.js';
 import { readCodexHookActualState } from './codex-hook-actual-discovery.js';
 import { CODEX_HOOK_EVENTS } from '../codex-compat/codex-hook-events.js';
+import { resolveCodexHookHashOracle } from './codex-hook-official-hash-oracle.js';
 export async function codexHookOfficialParityReport(root, opts = {}) {
     const actual = await readCodexHookActualState(root);
     const codex = await tryReadCodexHookList(opts);
-    const entries = actual.entries.map((entry) => {
+    const oracleRows = await Promise.all(actual.entries.map((entry) => resolveCodexHookHashOracle(root, {
+        event: entry.event,
+        matcher: entry.matcher,
+        command: entry.command,
+        timeout: entry.timeout,
+        async: entry.async,
+        statusMessage: entry.statusMessage || null,
+        commandWindows: entry.commandWindows || null
+    }, opts)));
+    const entries = actual.entries.map((entry, index) => {
         const codexEntry = findCodexEntry(codex.entries, entry);
-        const codexHash = codexEntry?.current_hash || codexEntry?.hash || null;
+        const oracle = oracleRows[index];
+        const codexHash = codexEntry?.current_hash || codexEntry?.hash || oracle?.official_hash || null;
         return {
             key: entry.key,
             source_path: entry.source_path,
@@ -18,6 +29,9 @@ export async function codexHookOfficialParityReport(root, opts = {}) {
             matcher: entry.matcher,
             current_hash_by_sks: entry.current_hash,
             current_hash_by_codex: codexHash,
+            official_oracle_mode: oracle?.mode || 'unavailable',
+            official_hash_available: oracle?.official_hash_available === true || Boolean(codexHash),
+            official_hash_proven: oracle?.official_hash_proven === true || (Boolean(codexHash) && codexHash === entry.current_hash),
             trusted_hash: entry.trusted_hash,
             sks_trust_status: entry.trust_status,
             codex_trust_status: codexEntry?.trust_status || (codex.available ? 'unknown' : 'integration_optional'),
@@ -27,14 +41,21 @@ export async function codexHookOfficialParityReport(root, opts = {}) {
     });
     const mismatches = entries.filter((entry) => entry.hash_match === false);
     const fixtureParity = buildVendoredFixtureParity();
-    const officialHashAvailable = codex.available && entries.some((entry) => entry.current_hash_by_codex);
+    const officialHashAvailable = entries.some((entry) => entry.official_hash_available);
+    const officialHashProven = entries.length > 0 && entries.every((entry) => entry.official_hash_proven || entry.managed);
+    const oracleMode = oracleRows.find((row) => row.mode !== 'unavailable')?.mode || (codex.available ? 'cli' : 'unavailable');
     const managedOnlyEnforced = actual.managed_dirs.length > 0 || entries.every((entry) => entry.managed === true);
     return {
-        schema: 'sks.codex-hook-official-parity.v1',
+        schema: 'sks.codex-hook-official-parity.v2',
         ok: mismatches.length === 0 && fixtureParity.ok && (officialHashAvailable || managedOnlyEnforced || entries.length === 0),
         status: officialHashAvailable ? 'official_hash_parity_checked' : 'integration_optional_managed_policy',
         created_at: nowIso(),
         root,
+        oracle_mode: oracleMode,
+        official_hash_available: officialHashAvailable,
+        official_hash_proven: officialHashProven,
+        managed_policy_used: !officialHashAvailable,
+        unmanaged_trusted_hash_writer_enabled: officialHashAvailable,
         codex: {
             available: codex.available,
             version: codex.version,
@@ -44,8 +65,10 @@ export async function codexHookOfficialParityReport(root, opts = {}) {
         },
         policy: {
             official_hash_available: officialHashAvailable,
+            official_hash_proven: officialHashProven,
             managed_only_enforced: managedOnlyEnforced,
             sks_trusted_hash_fallback_allowed: false,
+            unmanaged_trusted_hash_writer_enabled: officialHashAvailable,
             trusted_hash_writer_policy: 'managed_install_required_when_official_hash_is_unavailable'
         },
         counts: {
@@ -55,8 +78,17 @@ export async function codexHookOfficialParityReport(root, opts = {}) {
             codex_hashes_seen: entries.filter((entry) => entry.current_hash_by_codex).length
         },
         fixture_parity: fixtureParity,
+        oracle_rows: oracleRows,
         entries,
         mismatches,
+        trust_status_mismatches: entries.filter((entry) => entry.codex_trust_status !== 'integration_optional' && entry.codex_trust_status !== 'unknown' && entry.codex_trust_status !== entry.sks_trust_status),
+        coverage: {
+            plugin_source: actual.warnings.some((warning) => String(warning).includes('plugin_source_not_available')) ? 'warning' : 'not_detected_or_not_required',
+            requirements_toml: actual.sources.some((source) => source.source_format === 'requirements_toml' && source.exists) ? 'covered' : 'absent',
+            config_toml_inline_hooks: actual.sources.some((source) => source.source_format === 'config_toml' && source.inline_hooks) ? 'covered' : 'absent',
+            hooks_json: actual.sources.some((source) => source.source_format === 'hooks_json' && source.exists) ? 'covered' : 'absent',
+            managed_dir: actual.managed_dirs.length ? 'covered' : 'absent'
+        },
         blockers: [
             ...(mismatches.length ? ['codex_hook_hash_mismatch'] : []),
             ...actual.blockers
@@ -65,7 +97,7 @@ export async function codexHookOfficialParityReport(root, opts = {}) {
 }
 export async function writeCodexHookOfficialParityReport(root, opts = {}) {
     const report = await codexHookOfficialParityReport(root, opts);
-    const out = opts.outputPath || path.join(root, '.sneakoscope', 'reports', 'codex-hook-parity-1.14.0.json');
+    const out = opts.outputPath || path.join(root, '.sneakoscope', 'reports', 'codex-hook-parity-1.14.1.json');
     await ensureDir(path.dirname(out));
     await writeJsonAtomic(out, report);
     return { ...report, path: out };