sneakoscope 1.14.1 → 1.15.0

package/README.md

@@ -10,15 +10,15 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.14.1** is an extreme stabilization release for hook trust, real imagegen smoke checks, PPT E2E review evidence, Codex 0.133 compatibility, and Scout multi-session intake. Scout runs now carry `engine_run_id`, `scout_session_id`, output-schema metadata, isolated benchmark artifacts, read-only guard v2 evidence, and speedup-claim caps for mock/static paths.
+SKS **1.15.0** promotes MAD-SKS into explicit user-authorized full-system authority while keeping the SKS harness itself immutable. It also closes the 1.14.1 freshness gaps: release gates check for stale `dist`, Codex exec output-schema syntax is verified for both fresh `exec` and `exec resume`, Scout engine-run lookup covers status/consensus/handoff/validate plus opt-in real smoke, and flagship proof graph v3 binds MAD-SKS audit, rollback, immutable guard, Hook, UX/PPT, DFix, and Scout evidence.
 
 ```bash
+sks mad-sks plan --target-root <path> --json
+sks mad-sks permissions --json
+sks mad-sks proof --json
 sks features complete --json
-sks ux-review run --image <path> --generate-callouts --json
-sks ppt fixture --mock --json
-sks dfix fixture --json
-sks hooks trust-doctor --actual --json
-sks hooks install --managed --json
+sks scouts status latest --engine-runs --json
+npm run release:readiness
 ```
 
 Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release gate status lives in [docs/release-readiness.md](docs/release-readiness.md).
@@ -38,6 +38,9 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 - Package boundary: [docs/package-boundary.md](docs/package-boundary.md)
 - Black-box package tests: [docs/black-box-package-tests.md](docs/black-box-package-tests.md)
 - Codex CLI compatibility: [docs/codex-cli-compat.md](docs/codex-cli-compat.md)
+- MAD-SKS: [docs/mad-sks.md](docs/mad-sks.md)
+- Permission kernel: [docs/permission-kernel.md](docs/permission-kernel.md)
+- Immutable harness guard: [docs/immutable-harness-guard.md](docs/immutable-harness-guard.md)
 - Codex App: [docs/codex-app.md](docs/codex-app.md)
 - Core dominance: [docs/core-dominance.md](docs/core-dominance.md)
 - Performance budgets: [docs/performance-budgets.md](docs/performance-budgets.md)

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.14.1"
+version = "1.15.0"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.14.1"
+version = "1.15.0"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.14.1"),
+        Some("--version") => println!("sks-rs 1.15.0"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -0,0 +1,8 @@
+{
+  "schema": "sks.dist-build-stamp.v1",
+  "package_name": "sneakoscope",
+  "package_version": "1.15.0",
+  "source_digest": "0edaa5eb690818f453a1c1fdc205d0edda1766ad38fdf0ce69ecbc472e6bd23e",
+  "source_file_count": 1428,
+  "built_at_source_time": 1779511366988
+}

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.14.1';
+const FAST_PACKAGE_VERSION = '1.15.0';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,8 +1,12 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.14.1",
+  "version": "1.15.0",
+  "package_version": "1.15.0",
   "typescript": true,
   "mjs_runtime_files": 0,
+  "source_digest": "0edaa5eb690818f453a1c1fdc205d0edda1766ad38fdf0ce69ecbc472e6bd23e",
+  "source_file_count": 1428,
+  "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
     "bin/sks.d.ts",
     "bin/sks.js",
@@ -456,6 +460,20 @@
     "core/language-preference.js",
     "core/loop-blocker.d.ts",
     "core/loop-blocker.js",
+    "core/mad-sks/audit-ledger.d.ts",
+    "core/mad-sks/audit-ledger.js",
+    "core/mad-sks/authorization-manifest.d.ts",
+    "core/mad-sks/authorization-manifest.js",
+    "core/mad-sks/immutable-harness-guard.d.ts",
+    "core/mad-sks/immutable-harness-guard.js",
+    "core/mad-sks/permission-model.d.ts",
+    "core/mad-sks/permission-model.js",
+    "core/mad-sks/proof-evidence.d.ts",
+    "core/mad-sks/proof-evidence.js",
+    "core/mad-sks/rollback-plan.d.ts",
+    "core/mad-sks/rollback-plan.js",
+    "core/mad-sks/write-guard.d.ts",
+    "core/mad-sks/write-guard.js",
     "core/managed-paths.d.ts",
     "core/managed-paths.js",
     "core/memory-governor.d.ts",

package/dist/commands/wiki.d.ts

@@ -15,7 +15,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
     };
     active_records: {
         id: string;
-        kind: "callout_extraction_schema_failed" | "missing_evidence" | "incorrect_claim" | "overconfident_claim" | "stale_evidence" | "test_failure" | "route_misclassification" | "scout_error" | "visual_anchor_error" | "image_bbox_error" | "db_safety_false_positive" | "db_safety_false_negative" | "hook_policy_mismatch" | "hook_semantic_mismatch" | "hook_strict_subset_misclassified" | "codex_lb_health_misread" | "codex_lb_missing_env_raw_message" | "codex_lb_setup_choice_drift" | "codex_lb_env_persistence_failure" | "computer_use_policy_misclassification" | "computer_use_live_smoke_mismatch" | "computer_use_external_block_overclaimed" | "mock_real_confusion" | "user_intent_misread" | "artifact_schema_error" | "trust_status_overclaim" | "ux_review_text_only_fallback" | "ux_generated_image_not_real" | "ux_fake_generic_callout_detected" | "ux_callout_ocr_uncertain" | "gpt_image_2_callout_generation_failed" | "callout_bbox_out_of_bounds" | "ux_patch_applied_without_recheck" | "ux_after_recheck_regression" | "ux_image_fidelity_mismatch" | "ux_output_schema_unavailable_fallback" | "fix_loop_noop_patch" | "visual_fix_not_rechecked" | "post_fix_regression_detected" | "ppt_text_only_review_fallback" | "ppt_slide_export_failed" | "ppt_imagegen_callout_generation_failed" | "ppt_slide_callout_extraction_failed" | "ppt_slide_bbox_out_of_bounds" | "ppt_deck_patch_noop" | "ppt_fix_not_reexported" | "ppt_slide_not_rechecked" | "ppt_post_fix_regression_detected" | "dfix_diagnosis_missing" | "dfix_root_cause_missing" | "dfix_patch_plan_missing" | "dfix_verification_missing" | "dfix_noop_patch" | "repeated_blocker_stop";
+        kind: "callout_extraction_schema_failed" | "missing_evidence" | "incorrect_claim" | "overconfident_claim" | "stale_evidence" | "test_failure" | "route_misclassification" | "scout_error" | "visual_anchor_error" | "image_bbox_error" | "db_safety_false_positive" | "db_safety_false_negative" | "hook_policy_mismatch" | "hook_semantic_mismatch" | "hook_strict_subset_misclassified" | "codex_lb_health_misread" | "codex_lb_missing_env_raw_message" | "codex_lb_setup_choice_drift" | "codex_lb_env_persistence_failure" | "computer_use_policy_misclassification" | "computer_use_live_smoke_mismatch" | "computer_use_external_block_overclaimed" | "mock_real_confusion" | "user_intent_misread" | "artifact_schema_error" | "trust_status_overclaim" | "ux_review_text_only_fallback" | "ux_generated_image_not_real" | "ux_fake_generic_callout_detected" | "ux_callout_ocr_uncertain" | "gpt_image_2_callout_generation_failed" | "callout_bbox_out_of_bounds" | "ux_patch_applied_without_recheck" | "ux_after_recheck_regression" | "ux_image_fidelity_mismatch" | "ux_output_schema_unavailable_fallback" | "fix_loop_noop_patch" | "visual_fix_not_rechecked" | "post_fix_regression_detected" | "ppt_text_only_review_fallback" | "ppt_slide_export_failed" | "ppt_imagegen_callout_generation_failed" | "ppt_slide_callout_extraction_failed" | "ppt_slide_bbox_out_of_bounds" | "ppt_deck_patch_noop" | "ppt_fix_not_reexported" | "ppt_slide_not_rechecked" | "ppt_post_fix_regression_detected" | "dfix_diagnosis_missing" | "dfix_root_cause_missing" | "dfix_patch_plan_missing" | "dfix_verification_missing" | "dfix_noop_patch" | "mad_sks_protected_core_write_attempt" | "mad_sks_symlink_escape_attempt" | "mad_sks_unapproved_system_access" | "mad_sks_missing_rollback_plan" | "mad_sks_secret_leak_detected" | "mad_sks_unverified_system_change" | "mad_sks_db_write_without_snapshot" | "mad_sks_service_control_without_previous_state" | "repeated_blocker_stop";
         severity: "high" | "low" | "medium" | "critical";
         route: string | null;
         claim: string;

package/dist/core/codex-exec-output-schema.d.ts

@@ -8,6 +8,26 @@ export interface CodexExecResumeOutputSchemaAvailability {
     output_last_message_supported: boolean;
     warnings: string[];
 }
+export interface CodexExecOutputSchemaSyntaxAvailability {
+    schema: 'sks.codex-exec-output-schema-syntax.v1';
+    ok: boolean;
+    status: 'available' | 'integration_optional' | 'degraded_supported';
+    codex_bin: string | null;
+    version: string | null;
+    exec: {
+        output_schema_supported: boolean;
+        output_last_message_supported: boolean;
+        help_checked: boolean;
+    };
+    resume: {
+        output_schema_supported: boolean;
+        output_last_message_supported: boolean;
+        help_checked: boolean;
+    };
+    parity: boolean;
+    blockers: string[];
+    warnings: string[];
+}
 export interface CodexResumeOutputSchemaCommandInput {
     sessionId: string;
     prompt?: string;
@@ -16,6 +36,14 @@ export interface CodexResumeOutputSchemaCommandInput {
     json?: boolean;
     extraArgs?: readonly string[];
 }
+export interface CodexExecOutputSchemaCommandInput {
+    prompt: string;
+    outputSchemaPath: string;
+    outputFile?: string | null;
+    json?: boolean;
+    extraArgs?: readonly string[];
+}
+export declare function detectCodexExecOutputSchemaSyntax(opts?: any): Promise<CodexExecOutputSchemaSyntaxAvailability>;
 export interface CodexExecResumeOutputSchemaRunResult {
     schema: 'sks.codex-exec-output-schema-run.v1';
     ok: boolean;
@@ -35,6 +63,7 @@ export interface CodexExecResumeOutputSchemaRunResult {
     exit_code: number | null;
 }
 export declare function detectCodexExecResumeOutputSchema(opts?: any): Promise<CodexExecResumeOutputSchemaAvailability>;
+export declare function buildCodexExecOutputSchemaArgs(input: CodexExecOutputSchemaCommandInput): Promise<string[]>;
 export declare function codexSchemaPath(name: string): Promise<string>;
 export declare function assertCodexSchemaFile(schemaPath: string): Promise<{
     ok: boolean;

package/dist/core/codex-exec-output-schema.js

@@ -3,6 +3,72 @@ import fsp from 'node:fs/promises';
 import { ensureDir, exists, packageRoot, readJson, runProcess, which } from './fsx.js';
 import { codexVersionPolicy, compareSemverLike, parseCodexVersionText } from './codex-compat/codex-version-policy.js';
 import { validateJsonSchemaRecursive } from './json-schema-validator.js';
+export async function detectCodexExecOutputSchemaSyntax(opts = {}) {
+    const codexBin = opts.codexBin || await which('codex').catch(() => null);
+    if (!codexBin) {
+        return {
+            schema: 'sks.codex-exec-output-schema-syntax.v1',
+            ok: true,
+            status: 'integration_optional',
+            codex_bin: null,
+            version: null,
+            exec: { output_schema_supported: false, output_last_message_supported: false, help_checked: false },
+            resume: { output_schema_supported: false, output_last_message_supported: false, help_checked: false },
+            parity: false,
+            blockers: [],
+            warnings: ['codex binary not detected; output-schema syntax check is integration_optional']
+        };
+    }
+    const versionResult = opts.versionText
+        ? { code: 0, stdout: String(opts.versionText), stderr: '' }
+        : await runProcess(codexBin, ['--version'], { timeoutMs: opts.timeoutMs || 3000, maxOutputBytes: 16 * 1024 });
+    const execHelpResult = opts.execHelpText
+        ? { code: 0, stdout: String(opts.execHelpText), stderr: '' }
+        : await runProcess(codexBin, ['exec', '--help'], { timeoutMs: opts.timeoutMs || 5000, maxOutputBytes: 64 * 1024 });
+    const resumeHelpResult = opts.resumeHelpText
+        ? { code: 0, stdout: String(opts.resumeHelpText), stderr: '' }
+        : await runProcess(codexBin, ['exec', 'resume', '--help'], { timeoutMs: opts.timeoutMs || 5000, maxOutputBytes: 64 * 1024 });
+    const rawVersion = `${versionResult.stdout || ''}\n${versionResult.stderr || ''}`;
+    const version = parseCodexVersionText(rawVersion);
+    const execHelp = `${execHelpResult.stdout || ''}\n${execHelpResult.stderr || ''}`;
+    const resumeHelp = `${resumeHelpResult.stdout || ''}\n${resumeHelpResult.stderr || ''}`;
+    const execSupported = /--output-schema\b/.test(execHelp);
+    const resumeSupported = /--output-schema\b/.test(resumeHelp) || Boolean(version && compareSemverLike(version, '0.132.0') >= 0 && /--output-schema\b/.test(resumeHelp));
+    const execLastMessage = /--output-last-message\b|-o,/.test(execHelp);
+    const resumeLastMessage = /--output-last-message\b|-o,/.test(resumeHelp);
+    const policy = codexVersionPolicy({ available: Boolean(version), version, source: 'codex --version' });
+    const blockers = [
+        ...(execHelpResult.code === 0 ? [] : ['codex_exec_help_failed']),
+        ...(resumeHelpResult.code === 0 ? [] : ['codex_exec_resume_help_failed'])
+    ];
+    const status = policy.status === 'integration_optional'
+        ? 'integration_optional'
+        : execSupported || resumeSupported ? 'available' : 'degraded_supported';
+    return {
+        schema: 'sks.codex-exec-output-schema-syntax.v1',
+        ok: blockers.length === 0,
+        status,
+        codex_bin: codexBin,
+        version,
+        exec: {
+            output_schema_supported: execSupported,
+            output_last_message_supported: execLastMessage,
+            help_checked: execHelpResult.code === 0
+        },
+        resume: {
+            output_schema_supported: resumeSupported,
+            output_last_message_supported: resumeLastMessage,
+            help_checked: resumeHelpResult.code === 0
+        },
+        parity: execSupported === resumeSupported,
+        blockers,
+        warnings: [
+            ...policy.warnings,
+            ...(execSupported ? [] : ['codex exec --output-schema unavailable']),
+            ...(resumeSupported ? [] : ['codex exec resume --output-schema unavailable'])
+        ]
+    };
+}
 export async function detectCodexExecResumeOutputSchema(opts = {}) {
     const codexBin = opts.codexBin || await which('codex').catch(() => null);
     if (!codexBin) {
@@ -47,6 +113,21 @@ export async function detectCodexExecResumeOutputSchema(opts = {}) {
         warnings
     };
 }
+export async function buildCodexExecOutputSchemaArgs(input) {
+    const schemaPath = path.resolve(input.outputSchemaPath);
+    const schema = await assertCodexSchemaFile(schemaPath);
+    if (!schema.ok)
+        throw new Error(`Invalid output schema: ${schema.issues.join(', ')}`);
+    const args = ['exec'];
+    if (input.json !== false)
+        args.push('--json');
+    args.push('--output-schema', schemaPath);
+    if (input.outputFile)
+        args.push('--output-last-message', path.resolve(input.outputFile));
+    args.push(...Array.from(input.extraArgs || []));
+    args.push(String(input.prompt || ''));
+    return args;
+}
 export async function codexSchemaPath(name) {
     const clean = String(name || '').replace(/[^A-Za-z0-9_.-]+/g, '');
     const file = clean.endsWith('.json') ? clean : `${clean}.schema.json`;

package/dist/core/commands/mad-sks-command.js

@@ -1,11 +1,20 @@
 import path from 'node:path';
-import { appendJsonlBounded, exists, nowIso, readJson, sksRoot, writeJsonAtomic } from '../fsx.js';
+import { appendJsonlBounded, exists, nowIso, packageRoot, readJson, sksRoot, writeJsonAtomic } from '../fsx.js';
 import { initProject } from '../init.js';
 import { createMission, setCurrent } from '../mission.js';
 import { enableMadHighProfile, madHighProfileName } from '../auto-review.js';
 import { permissionGateSummary } from '../permission-gates.js';
 import { defaultTmuxSessionName, launchMadTmuxUi, sanitizeTmuxSessionName } from '../tmux-ui.js';
+import { createMadSksAuthorizationManifest, validateMadSksAuthorizationManifest } from '../mad-sks/authorization-manifest.js';
+import { createMadSksAuditLedger, madSksAuditAction, writeMadSksAuditLedger } from '../mad-sks/audit-ledger.js';
+import { compareProtectedCoreSnapshots, evaluateMadSksWrite, resolveProtectedCore, snapshotProtectedCore } from '../mad-sks/immutable-harness-guard.js';
+import { buildMadSksPermissionModel, parseMadSksFlags } from '../mad-sks/permission-model.js';
+import { createMadSksProofEvidence, writeMadSksProofEvidence } from '../mad-sks/proof-evidence.js';
+import { createMadSksRollbackPlan, writeMadSksRollbackPlan } from '../mad-sks/rollback-plan.js';
 export async function madHighCommand(args = [], deps = {}) {
+    const subcommand = firstSubcommand(args);
+    if (subcommand)
+        return madSksSubcommand(subcommand, args.filter((arg) => String(arg) !== subcommand));
     const cleanArgs = args.filter((arg) => !['--mad', '--MAD', '--mad-sks', '--high', '--no-auto-install-tmux'].includes(arg));
     if (args.includes('--json')) {
         const profile = await enableMadHighProfile();
@@ -127,4 +136,247 @@ export async function madSksFixture(root) {
     await writeJsonAtomic(path.join(dir, 'mad-sks-gate.json'), gate);
     return { mission_id: id, dir, gate };
 }
+const MAD_SKS_COMMAND_SURFACE = Object.freeze([
+    'plan',
+    'run',
+    'apply',
+    'doctor',
+    'status',
+    'permissions',
+    'proof',
+    'rollback-plan',
+    'audit',
+    'explain'
+]);
+async function madSksSubcommand(subcommand, args = []) {
+    const json = args.includes('--json');
+    const targetRoot = path.resolve(readOption(args, '--target-root', process.cwd()));
+    const userIntent = readOption(args, '--intent', 'MAD-SKS user-authorized maintenance');
+    const flags = parseMadSksFlags(['--mad-sks', subcommand === 'plan' ? '--plan-only' : '', ...args].filter(Boolean));
+    const permission = buildMadSksPermissionModel({ targetRoot, userIntent, flags });
+    const root = await sksRoot();
+    if (subcommand === 'permissions') {
+        return emit({
+            schema: 'sks.mad-sks-permissions.v1',
+            ok: true,
+            command_surface: [...MAD_SKS_COMMAND_SURFACE],
+            permission_flags: [
+                '--mad-sks',
+                '--allow-system',
+                '--allow-db-write',
+                '--allow-package-install',
+                '--allow-service-control',
+                '--allow-admin',
+                '--allow-network',
+                '--allow-computer-use',
+                '--allow-browser-use',
+                '--allow-generated-assets',
+                '--allow-file-permissions',
+                '--allow-delete',
+                '--confirm-delete'
+            ],
+            permission_model: permission,
+            protected_core: resolveProtectedCore({ packageRoot: packageRoot(), targetRoot }),
+            protected_core_immutable: true,
+            protected_core_write_allowed: false
+        }, json);
+    }
+    if (subcommand === 'explain') {
+        return emit({
+            schema: 'sks.mad-sks-explain.v1',
+            ok: true,
+            summary: 'MAD-SKS is a user-authorized high-power maintenance mode. Target project work can be widened by explicit flags, while SKS harness/package/dist/scripts/schemas/release metadata remain immutable protected core.',
+            command_surface: [...MAD_SKS_COMMAND_SURFACE],
+            catastrophic_safeguards: permission.forbidden_scopes,
+            immutable_harness_guard: 'always_on'
+        }, json);
+    }
+    if (subcommand === 'doctor' || subcommand === 'status') {
+        const protectedCore = resolveProtectedCore({ packageRoot: packageRoot(), targetRoot });
+        const before = await snapshotProtectedCore(packageRoot(), 'status');
+        return emit({
+            schema: subcommand === 'doctor' ? 'sks.mad-sks-doctor.v1' : 'sks.mad-sks-status.v1',
+            ok: true,
+            target_root: targetRoot,
+            permission_model: permission,
+            protected_core: protectedCore,
+            protected_core_snapshot: before,
+            protected_core_immutable: true,
+            permission_active: false
+        }, json);
+    }
+    if (subcommand === 'plan') {
+        const manifest = createMadSksAuthorizationManifest({ permission, userIntent });
+        return emit({
+            schema: 'sks.mad-sks-plan.v1',
+            ok: true,
+            dry_run: true,
+            writes_performed: false,
+            permission_model: permission,
+            authorization_manifest_preview: manifest,
+            protected_core: resolveProtectedCore({ packageRoot: packageRoot(), targetRoot }),
+            required_artifacts: [
+                'mad-sks-authorization.json',
+                'mad-sks-audit-ledger.json',
+                'mad-sks-rollback-plan.json',
+                'mad-sks-proof-evidence.json',
+                'mad-sks-protected-core-before.json',
+                'mad-sks-protected-core-after.json'
+            ]
+        }, json);
+    }
+    if (subcommand === 'apply') {
+        const manifestPath = readOption(args, '--authorization-manifest', null);
+        const manifest = manifestPath ? await readJson(path.resolve(manifestPath), null) : null;
+        const validation = validateMadSksAuthorizationManifest(manifest);
+        if (!validation.ok) {
+            const result = {
+                schema: 'sks.mad-sks-apply.v1',
+                ok: false,
+                status: 'blocked',
+                target_root: targetRoot,
+                issues: ['authorization_manifest_required', ...validation.issues],
+                permission_model: permission
+            };
+            process.exitCode = 1;
+            return emit(result, json);
+        }
+        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'apply', authorizationManifest: validation.manifest, authorizationManifestPath: path.resolve(manifestPath) });
+    }
+    if (subcommand === 'run') {
+        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'run' });
+    }
+    if (subcommand === 'rollback-plan' || subcommand === 'audit' || subcommand === 'proof') {
+        const latest = await latestMadSksArtifact(root, subcommand);
+        if (!latest) {
+            const result = { schema: `sks.mad-sks-${subcommand}.v1`, ok: false, status: 'missing', missing: [`mad-sks-${subcommand}.json`] };
+            process.exitCode = 1;
+            return emit(result, json);
+        }
+        return emit(latest, json);
+    }
+}
+async function materializeMadSksRun(root, targetRoot, permission, userIntent, json, opts = {}) {
+    if (!(await exists(path.join(root, '.sneakoscope'))))
+        await initProject(root, {});
+    const { id, dir } = await createMission(root, { mode: 'mad-sks', prompt: userIntent });
+    const before = await snapshotProtectedCore(packageRoot(), 'before');
+    const authorization = opts.authorizationManifest || createMadSksAuthorizationManifest({ permission, userIntent });
+    const authorizationPath = opts.authorizationManifestPath || path.join(dir, 'mad-sks-authorization.json');
+    if (!opts.authorizationManifestPath)
+        await writeJsonAtomic(authorizationPath, authorization);
+    const targetProbe = await evaluateMadSksWrite({ packageRoot: packageRoot(), targetRoot, operation: 'file_write', path: path.join(targetRoot, '.sneakoscope', 'mad-sks-target-probe') });
+    const protectedProbe = await evaluateMadSksWrite({ packageRoot: packageRoot(), targetRoot, operation: 'file_write', path: path.join(packageRoot(), 'src', 'core', 'version.ts') });
+    const audit = createMadSksAuditLedger({
+        authorizationManifestPath: authorizationPath,
+        targetRoot,
+        actions: [
+            madSksAuditAction({
+                type: 'file_write',
+                target: targetProbe.path,
+                rollback_available: true,
+                risk_level: 'low',
+                protected_core_impact: 'none',
+                notes: ['probe_only_no_target_write_performed']
+            })
+        ],
+        blockedActions: [protectedProbe]
+    });
+    const rollback = createMadSksRollbackPlan({
+        targetRoot,
+        fileRollbacks: [{ path: targetProbe.path, previous_content_hash: null, status: 'snapshot_required_before_real_write' }],
+        unavailable: permission.high_risk_confirmation_required ? ['high_risk_final_confirmation_required_before_apply'] : []
+    });
+    const after = await snapshotProtectedCore(packageRoot(), 'after');
+    const comparison = compareProtectedCoreSnapshots(before, after);
+    const auditPath = path.join(dir, 'mad-sks-audit-ledger.json');
+    const rollbackPath = path.join(dir, 'mad-sks-rollback-plan.json');
+    const beforePath = path.join(dir, 'mad-sks-protected-core-before.json');
+    const afterPath = path.join(dir, 'mad-sks-protected-core-after.json');
+    const proofPath = path.join(dir, 'mad-sks-proof-evidence.json');
+    await writeJsonAtomic(beforePath, before);
+    await writeJsonAtomic(afterPath, after);
+    await writeJsonAtomic(path.join(dir, 'mad-sks-protected-core-comparison.json'), comparison);
+    await writeMadSksAuditLedger(auditPath, audit);
+    await writeMadSksRollbackPlan(rollbackPath, rollback);
+    const proof = createMadSksProofEvidence({
+        authorizationManifestPath: authorizationPath,
+        auditLedgerPath: auditPath,
+        rollbackPlanPath: rollbackPath,
+        immutableHarnessGuard: protectedProbe,
+        protectedCoreBefore: beforePath,
+        protectedCoreAfter: afterPath,
+        protectedCoreComparison: comparison,
+        changedTargetFiles: [],
+        blockedActions: [protectedProbe],
+        verification: [{ command: 'mad-sks protected core snapshot compare', ok: comparison.ok }]
+    });
+    await writeMadSksProofEvidence(proofPath, proof);
+    const gate = {
+        schema_version: 1,
+        passed: proof.ok === true,
+        mad_sks_permission_active: true,
+        permissions_deactivated: true,
+        full_system_authority: permission.mode === 'full_system_authority',
+        immutable_harness_guard_passed: comparison.ok === true,
+        audit_ledger: auditPath,
+        rollback_plan: rollbackPath,
+        proof_evidence: proofPath,
+        permission_profile: permissionGateSummary()
+    };
+    await writeJsonAtomic(path.join(dir, 'mad-sks-gate.json'), gate);
+    await setCurrent(root, {
+        mission_id: id,
+        route: 'MadSKS',
+        route_command: '$MAD-SKS',
+        mode: 'MADSKS',
+        phase: 'MADSKS_PERMISSION_CLOSED',
+        mad_sks_active: false,
+        mad_sks_modifier: true,
+        mad_sks_gate_file: 'mad-sks-gate.json',
+        prompt: userIntent
+    });
+    return emit({
+        schema: opts.action === 'apply' ? 'sks.mad-sks-apply.v1' : 'sks.mad-sks-run.v1',
+        ok: proof.ok === true,
+        status: proof.status,
+        mission_id: id,
+        target_root: targetRoot,
+        permission_model: permission,
+        authorization_manifest: authorizationPath,
+        audit_ledger: auditPath,
+        rollback_plan: rollbackPath,
+        proof_evidence: proofPath,
+        protected_core_before: beforePath,
+        protected_core_after: afterPath,
+        protected_core_unchanged: comparison.ok === true,
+        blocked_actions: [protectedProbe]
+    }, json);
+}
+async function latestMadSksArtifact(root, kind) {
+    const current = await readJson(path.join(root, '.sneakoscope', 'current.json'), null);
+    const missionId = current?.mission_id;
+    if (!missionId)
+        return null;
+    const fileMap = {
+        proof: 'mad-sks-proof-evidence.json',
+        audit: 'mad-sks-audit-ledger.json',
+        'rollback-plan': 'mad-sks-rollback-plan.json'
+    };
+    const file = path.join(root, '.sneakoscope', 'missions', missionId, fileMap[kind] || '');
+    return readJson(file, null);
+}
+function firstSubcommand(args = []) {
+    const found = args.find((arg) => MAD_SKS_COMMAND_SURFACE.includes(String(arg)));
+    return found ? String(found) : null;
+}
+function emit(result, json) {
+    if (json)
+        return console.log(JSON.stringify(result, null, 2));
+    if (result.ok === false) {
+        console.error(`${result.schema}: ${result.status || 'blocked'}`);
+        return;
+    }
+    console.log(JSON.stringify(result, null, 2));
+}
 //# sourceMappingURL=mad-sks-command.js.map