sneakoscope 1.15.0 → 1.15.1

package/README.md

@@ -10,12 +10,13 @@ SKS does not try to clone every other harness. It focuses on one thing: making C
 
 ## Current Release
 
-SKS **1.15.0** promotes MAD-SKS into explicit user-authorized full-system authority while keeping the SKS harness itself immutable. It also closes the 1.14.1 freshness gaps: release gates check for stale `dist`, Codex exec output-schema syntax is verified for both fresh `exec` and `exec resume`, Scout engine-run lookup covers status/consensus/handoff/validate plus opt-in real smoke, and flagship proof graph v3 binds MAD-SKS audit, rollback, immutable guard, Hook, UX/PPT, DFix, and Scout evidence.
+SKS **1.15.1** closes the MAD-SKS actual executor loop: `run/apply` now dispatch through guarded executors, target-file writes are real, shell commands use argv/no-shell execution, package/service/DB and visual handoff scopes are evidence-bound, rollback plans can be applied, and flagship proof graph v4 binds the new executor blackbox reports while the SKS protected core remains immutable.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
 sks mad-sks permissions --json
 sks mad-sks proof --json
+sks mad-sks rollback-apply --rollback-plan <path> --yes --json
 sks features complete --json
 sks scouts status latest --engine-runs --json
 npm run release:readiness
@@ -38,6 +39,7 @@ Detailed release history lives in [CHANGELOG.md](CHANGELOG.md). Current release
 - Package boundary: [docs/package-boundary.md](docs/package-boundary.md)
 - Black-box package tests: [docs/black-box-package-tests.md](docs/black-box-package-tests.md)
 - Codex CLI compatibility: [docs/codex-cli-compat.md](docs/codex-cli-compat.md)
+- MAD-SKS rollback: [docs/mad-sks-rollback.md](docs/mad-sks-rollback.md)
 - MAD-SKS: [docs/mad-sks.md](docs/mad-sks.md)
 - Permission kernel: [docs/permission-kernel.md](docs/permission-kernel.md)
 - Immutable harness guard: [docs/immutable-harness-guard.md](docs/immutable-harness-guard.md)

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.15.0"
+version = "1.15.1"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.15.0"
+version = "1.15.1"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.15.0"),
+        Some("--version") => println!("sks-rs 1.15.1"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.15.0",
-  "source_digest": "0edaa5eb690818f453a1c1fdc205d0edda1766ad38fdf0ce69ecbc472e6bd23e",
-  "source_file_count": 1428,
-  "built_at_source_time": 1779511366988
+  "package_version": "1.15.1",
+  "source_digest": "802a53571deae790a749ef30bc4dafb8d32bce159f9b60504676e07caa26ed47",
+  "source_file_count": 1454,
+  "built_at_source_time": 1779520266501
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.15.0';
+const FAST_PACKAGE_VERSION = '1.15.1';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--version' || args[0] === '-v' || args[0] === 'version') {

package/dist/build-manifest.json

@@ -1,11 +1,11 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.15.0",
-  "package_version": "1.15.0",
+  "version": "1.15.1",
+  "package_version": "1.15.1",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "source_digest": "0edaa5eb690818f453a1c1fdc205d0edda1766ad38fdf0ce69ecbc472e6bd23e",
-  "source_file_count": 1428,
+  "source_digest": "802a53571deae790a749ef30bc4dafb8d32bce159f9b60504676e07caa26ed47",
+  "source_file_count": 1454,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
     "bin/sks.d.ts",
@@ -464,14 +464,36 @@
     "core/mad-sks/audit-ledger.js",
     "core/mad-sks/authorization-manifest.d.ts",
     "core/mad-sks/authorization-manifest.js",
+    "core/mad-sks/executors/computer-use-executor.d.ts",
+    "core/mad-sks/executors/computer-use-executor.js",
+    "core/mad-sks/executors/db-write-executor.d.ts",
+    "core/mad-sks/executors/db-write-executor.js",
+    "core/mad-sks/executors/executor-base.d.ts",
+    "core/mad-sks/executors/executor-base.js",
+    "core/mad-sks/executors/file-write-executor.d.ts",
+    "core/mad-sks/executors/file-write-executor.js",
+    "core/mad-sks/executors/index.d.ts",
+    "core/mad-sks/executors/index.js",
+    "core/mad-sks/executors/package-install-executor.d.ts",
+    "core/mad-sks/executors/package-install-executor.js",
+    "core/mad-sks/executors/service-control-executor.d.ts",
+    "core/mad-sks/executors/service-control-executor.js",
+    "core/mad-sks/executors/shell-command-executor.d.ts",
+    "core/mad-sks/executors/shell-command-executor.js",
+    "core/mad-sks/guard-middleware.d.ts",
+    "core/mad-sks/guard-middleware.js",
     "core/mad-sks/immutable-harness-guard.d.ts",
     "core/mad-sks/immutable-harness-guard.js",
     "core/mad-sks/permission-model.d.ts",
     "core/mad-sks/permission-model.js",
     "core/mad-sks/proof-evidence.d.ts",
     "core/mad-sks/proof-evidence.js",
+    "core/mad-sks/rollback-apply.d.ts",
+    "core/mad-sks/rollback-apply.js",
     "core/mad-sks/rollback-plan.d.ts",
     "core/mad-sks/rollback-plan.js",
+    "core/mad-sks/shell-argv-classifier.d.ts",
+    "core/mad-sks/shell-argv-classifier.js",
     "core/mad-sks/write-guard.d.ts",
     "core/mad-sks/write-guard.js",
     "core/managed-paths.d.ts",

package/dist/commands/mad-sks.d.ts

@@ -8,6 +8,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
         tmux: any;
         app: any;
         codexArgs: any[];
+        launchEnv: any;
         attach_command: string;
         ready: boolean;
         warnings: any;
@@ -30,6 +31,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
         tmux: any;
         app: any;
         codexArgs: any[];
+        launchEnv: any;
         attach_command: string;
         ready: boolean;
         warnings: any;

package/dist/core/commands/mad-sks-command.d.ts

@@ -8,6 +8,7 @@ export declare function madHighCommand(args?: any, deps?: any): Promise<void | {
         tmux: any;
         app: any;
         codexArgs: any[];
+        launchEnv: any;
         attach_command: string;
         ready: boolean;
         warnings: any;
@@ -30,6 +31,7 @@ export declare function madHighCommand(args?: any, deps?: any): Promise<void | {
         tmux: any;
         app: any;
         codexArgs: any[];
+        launchEnv: any;
         attach_command: string;
         ready: boolean;
         warnings: any;

package/dist/core/commands/mad-sks-command.js

@@ -11,6 +11,8 @@ import { compareProtectedCoreSnapshots, evaluateMadSksWrite, resolveProtectedCor
 import { buildMadSksPermissionModel, parseMadSksFlags } from '../mad-sks/permission-model.js';
 import { createMadSksProofEvidence, writeMadSksProofEvidence } from '../mad-sks/proof-evidence.js';
 import { createMadSksRollbackPlan, writeMadSksRollbackPlan } from '../mad-sks/rollback-plan.js';
+import { runMadSksExecutor } from '../mad-sks/executors/index.js';
+import { applyMadSksRollbackPlan } from '../mad-sks/rollback-apply.js';
 export async function madHighCommand(args = [], deps = {}) {
     const subcommand = firstSubcommand(args);
     if (subcommand)
@@ -54,7 +56,12 @@ export async function madHighCommand(args = [], deps = {}) {
     console.log(`SKS MAD ready: ${madHighProfileName()} | gate ${madLaunch.mission_id}`);
     console.log('Live full-access active; catastrophic DB wipe/all-row/project-management guards remain.');
     const launchLb = lb.status === 'present' ? { ...lb, status: 'configured' } : lb;
-    const launchOpts = codexLbImmediateLaunchOpts(cleanArgs, launchLb, { codexArgs: profile.launch_args, autoInstallTmux: !args.includes('--no-auto-install-tmux'), conciseBlockers: true });
+    const madSksEnv = {
+        SKS_PROTECTED_CORE_POLICY: madLaunch.gate.protected_core_policy,
+        SKS_MAD_SKS_TARGET_ROOT: madLaunch.gate.cwd,
+        SKS_MAD_SKS_PROTECTED_CORE_DIGEST: madLaunch.gate.protected_core_digest
+    };
+    const launchOpts = codexLbImmediateLaunchOpts(cleanArgs, launchLb, { codexArgs: profile.launch_args, autoInstallTmux: !args.includes('--no-auto-install-tmux'), conciseBlockers: true, madSksEnv, launchEnv: madSksEnv });
     const workspace = readOption(cleanArgs, '--workspace', readOption(cleanArgs, '--session', launchOpts.session || `sks-mad-${defaultTmuxSessionName(process.cwd())}`));
     return launchMadTmuxUi([...cleanArgs, '--workspace', workspace], { ...launchOpts, codexArgs: profile.launch_args, autoInstallTmux: !args.includes('--no-auto-install-tmux'), conciseBlockers: true, missionId: madLaunch.mission_id });
 }
@@ -63,6 +70,18 @@ async function activateMadTmuxPermissionState(cwd = process.cwd()) {
     if (!(await exists(path.join(root, '.sneakoscope'))))
         await initProject(root, {});
     const { id, dir } = await createMission(root, { mode: 'mad-sks', prompt: 'sks --mad tmux live full-access session' });
+    const protectedCore = resolveProtectedCore({ packageRoot: packageRoot(), targetRoot: cwd });
+    const protectedCoreBefore = await snapshotProtectedCore(packageRoot(), 'mad-live-before');
+    const protectedCorePolicyPath = path.join(dir, 'mad-sks-protected-core-policy.json');
+    const protectedCoreBeforePath = path.join(dir, 'mad-sks-live-protected-core-before.json');
+    await writeJsonAtomic(protectedCorePolicyPath, {
+        schema: 'sks.mad-sks-live-protected-core-policy.v1',
+        generated_at: nowIso(),
+        target_root: path.resolve(cwd || process.cwd()),
+        protected_core: protectedCore,
+        immutable_harness_guard: 'always_on'
+    });
+    await writeJsonAtomic(protectedCoreBeforePath, protectedCoreBefore);
     const gate = {
         schema_version: 1,
         passed: false,
@@ -75,6 +94,9 @@ async function activateMadTmuxPermissionState(cwd = process.cwd()) {
         migration_apply_allowed: true,
         catastrophic_safety_guard_active: true,
         permission_profile: permissionGateSummary(),
+        protected_core_policy: protectedCorePolicyPath,
+        protected_core_before: protectedCoreBeforePath,
+        protected_core_digest: protectedCoreBefore.digest,
         activated_by: 'sks --mad',
         cwd: path.resolve(cwd || process.cwd())
     };
@@ -93,6 +115,8 @@ async function activateMadTmuxPermissionState(cwd = process.cwd()) {
         mad_sks_modifier: true,
         mad_sks_gate_file: 'mad-sks-gate.json',
         mad_sks_gate_ready: true,
+        mad_sks_protected_core_policy: protectedCorePolicyPath,
+        mad_sks_protected_core_digest: protectedCoreBefore.digest,
         live_server_writes_allowed: true,
         supabase_mcp_schema_cleanup_allowed: true,
         direct_execute_sql_allowed: true,
@@ -145,6 +169,7 @@ const MAD_SKS_COMMAND_SURFACE = Object.freeze([
     'permissions',
     'proof',
     'rollback-plan',
+    'rollback-apply',
     'audit',
     'explain'
 ]);
@@ -241,10 +266,23 @@ async function madSksSubcommand(subcommand, args = []) {
             process.exitCode = 1;
             return emit(result, json);
         }
-        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'apply', authorizationManifest: validation.manifest, authorizationManifestPath: path.resolve(manifestPath) });
+        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'apply', args, authorizationManifest: validation.manifest, authorizationManifestPath: path.resolve(manifestPath) });
     }
     if (subcommand === 'run') {
-        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'run' });
+        return materializeMadSksRun(root, targetRoot, permission, userIntent, json, { action: 'run', args });
+    }
+    if (subcommand === 'rollback-apply') {
+        const rollbackPlanPath = readOption(args, '--rollback-plan', readOption(args, '--plan', null));
+        const result = await applyMadSksRollbackPlan({
+            rollbackPlanPath,
+            targetRoot,
+            dryRun: args.includes('--dry-run'),
+            yes: args.includes('--yes'),
+            root: packageRoot()
+        });
+        if (!result.ok)
+            process.exitCode = 1;
+        return emit(result, json);
     }
     if (subcommand === 'rollback-plan' || subcommand === 'audit' || subcommand === 'proof') {
         const latest = await latestMadSksArtifact(root, subcommand);
@@ -265,27 +303,63 @@ async function materializeMadSksRun(root, targetRoot, permission, userIntent, js
     const authorizationPath = opts.authorizationManifestPath || path.join(dir, 'mad-sks-authorization.json');
     if (!opts.authorizationManifestPath)
         await writeJsonAtomic(authorizationPath, authorization);
-    const targetProbe = await evaluateMadSksWrite({ packageRoot: packageRoot(), targetRoot, operation: 'file_write', path: path.join(targetRoot, '.sneakoscope', 'mad-sks-target-probe') });
+    const args = Array.isArray(opts.args) ? opts.args : [];
+    const executorId = readOption(args, '--executor', inferMadSksExecutor(args));
+    const targetFile = readOption(args, '--write-file', readOption(args, '--path', path.join('.sneakoscope', 'mad-sks-target-file.txt')));
+    const executorInput = {
+        executor: executorId,
+        dry_run: opts.action !== 'apply' || args.includes('--dry-run'),
+        target_root: targetRoot,
+        target_path: targetFile,
+        path: targetFile,
+        content: readOption(args, '--content', 'MAD-SKS authorized target mutation\n'),
+        cwd: readOption(args, '--cwd', targetRoot),
+        artifact_dir: dir,
+        authorization_manifest: authorization,
+        authorization_manifest_path: authorizationPath,
+        permission_model: permission,
+        yes: args.includes('--yes')
+    };
+    const operation = readOption(args, '--operation', null);
+    const command = readOption(args, '--command', null);
+    const argv = readRepeatedOption(args, '--argv');
+    const sql = readOption(args, '--sql', null);
+    const rollbackSql = readOption(args, '--rollback-sql', null);
+    if (operation)
+        executorInput.operation = operation;
+    if (command)
+        executorInput.command = command;
+    if (argv)
+        executorInput.argv = argv;
+    if (sql)
+        executorInput.sql = sql;
+    if (rollbackSql)
+        executorInput.rollback_sql = rollbackSql;
+    const executorResult = await runMadSksExecutor(executorInput);
     const protectedProbe = await evaluateMadSksWrite({ packageRoot: packageRoot(), targetRoot, operation: 'file_write', path: path.join(packageRoot(), 'src', 'core', 'version.ts') });
     const audit = createMadSksAuditLedger({
         authorizationManifestPath: authorizationPath,
         targetRoot,
         actions: [
             madSksAuditAction({
-                type: 'file_write',
-                target: targetProbe.path,
-                rollback_available: true,
-                risk_level: 'low',
+                type: executorResult.action_type || 'file_write',
+                target: executorResult.changed_files?.[0] || path.resolve(targetRoot, targetFile),
+                rollback_available: Boolean(executorResult.rollback_plan_path),
+                risk_level: executorResult.ok ? 'low' : 'high',
                 protected_core_impact: 'none',
-                notes: ['probe_only_no_target_write_performed']
+                notes: [`executor:${executorResult.executor}`, `status:${executorResult.status}`]
             })
         ],
-        blockedActions: [protectedProbe]
+        blockedActions: [protectedProbe, ...(executorResult.blocked_actions || [])]
     });
     const rollback = createMadSksRollbackPlan({
         targetRoot,
-        fileRollbacks: [{ path: targetProbe.path, previous_content_hash: null, status: 'snapshot_required_before_real_write' }],
-        unavailable: permission.high_risk_confirmation_required ? ['high_risk_final_confirmation_required_before_apply'] : []
+        authorizationManifestPath: authorizationPath,
+        fileRollbacks: executorResult.rollback_plan_path ? [{ executor: executorResult.executor, rollback_plan_path: executorResult.rollback_plan_path }] : [],
+        unavailable: [
+            ...(permission.high_risk_confirmation_required ? ['high_risk_final_confirmation_required_before_apply'] : []),
+            ...(executorResult.rollback_plan_path ? [] : ['executor_rollback_plan_missing'])
+        ]
     });
     const after = await snapshotProtectedCore(packageRoot(), 'after');
     const comparison = compareProtectedCoreSnapshots(before, after);
@@ -307,14 +381,17 @@ async function materializeMadSksRun(root, targetRoot, permission, userIntent, js
         protectedCoreBefore: beforePath,
         protectedCoreAfter: afterPath,
         protectedCoreComparison: comparison,
-        changedTargetFiles: [],
-        blockedActions: [protectedProbe],
-        verification: [{ command: 'mad-sks protected core snapshot compare', ok: comparison.ok }]
+        changedTargetFiles: executorResult.changed_files || [],
+        blockedActions: [protectedProbe, ...(executorResult.blocked_actions || [])],
+        verification: [
+            { command: 'mad-sks executor result', ok: executorResult.ok === true, executor: executorResult.executor, status: executorResult.status },
+            { command: 'mad-sks protected core snapshot compare', ok: comparison.ok }
+        ]
     });
     await writeMadSksProofEvidence(proofPath, proof);
     const gate = {
         schema_version: 1,
-        passed: proof.ok === true,
+        passed: proof.ok === true && executorResult.ok === true,
         mad_sks_permission_active: true,
         permissions_deactivated: true,
         full_system_authority: permission.mode === 'full_system_authority',
@@ -338,8 +415,8 @@ async function materializeMadSksRun(root, targetRoot, permission, userIntent, js
     });
     return emit({
         schema: opts.action === 'apply' ? 'sks.mad-sks-apply.v1' : 'sks.mad-sks-run.v1',
-        ok: proof.ok === true,
-        status: proof.status,
+        ok: proof.ok === true && executorResult.ok === true,
+        status: executorResult.status,
         mission_id: id,
         target_root: targetRoot,
         permission_model: permission,
@@ -347,12 +424,40 @@ async function materializeMadSksRun(root, targetRoot, permission, userIntent, js
         audit_ledger: auditPath,
         rollback_plan: rollbackPath,
         proof_evidence: proofPath,
+        executor_result: executorResult,
         protected_core_before: beforePath,
         protected_core_after: afterPath,
         protected_core_unchanged: comparison.ok === true,
-        blocked_actions: [protectedProbe]
+        blocked_actions: [protectedProbe, ...(executorResult.blocked_actions || [])]
     }, json);
 }
+function inferMadSksExecutor(args = []) {
+    if (readOption(args, '--sql', null))
+        return 'db-write';
+    if (readOption(args, '--command', null) || args.includes('--argv'))
+        return 'shell-command';
+    if (readOption(args, '--package', null) || args.includes('--allow-package-install'))
+        return 'package-install';
+    if (readOption(args, '--service', null) || args.includes('--allow-service-control'))
+        return 'service-control';
+    if (args.includes('--allow-computer-use'))
+        return 'computer-use';
+    if (args.includes('--allow-browser-use') || args.includes('--allow-browser'))
+        return 'browser-use';
+    if (args.includes('--allow-generated-assets'))
+        return 'generated-asset';
+    return 'file-write';
+}
+function readRepeatedOption(args = [], name) {
+    const values = [];
+    for (let i = 0; i < args.length; i += 1) {
+        if (args[i] !== name)
+            continue;
+        if (args[i + 1])
+            values.push(String(args[i + 1]));
+    }
+    return values.length ? values : undefined;
+}
 async function latestMadSksArtifact(root, kind) {
     const current = await readJson(path.join(root, '.sneakoscope', 'current.json'), null);
     const missionId = current?.mission_id;

package/dist/core/evidence/flagship-proof-graph-validator.d.ts

@@ -1,5 +1,6 @@
 export declare const FLAGSHIP_PROOF_GRAPH_SCHEMA = "sks.flagship-proof-graph.v2";
 export declare const FLAGSHIP_PROOF_GRAPH_V3_SCHEMA = "sks.flagship-proof-graph.v3";
+export declare const FLAGSHIP_PROOF_GRAPH_V4_SCHEMA = "sks.flagship-proof-graph.v4";
 export declare function validateFlagshipProofGraph(root: string, opts?: any): Promise<{
     schema: string;
     ok: boolean;
@@ -22,4 +23,18 @@ export declare function validateFlagshipProofGraphV3(root: string, opts?: any):
     local_only_policy: boolean;
     blockers: any[];
 }>;
+export declare function validateFlagshipProofGraphV4(root: string, opts?: any): Promise<{
+    schema: string;
+    ok: boolean;
+    mission_id: any;
+    routes: any[];
+    mad_sks_actual_executor_closure_linked: boolean;
+    target_file_write_verified: boolean;
+    shell_argv_classifier_verified: boolean;
+    package_service_db_boundaries_verified: boolean;
+    rollback_apply_verified: boolean;
+    live_protected_core_guard_verified: boolean;
+    local_only_policy: boolean;
+    blockers: any[];
+}>;
 //# sourceMappingURL=flagship-proof-graph-validator.d.ts.map

package/dist/core/evidence/flagship-proof-graph-validator.js

@@ -3,6 +3,7 @@ import { exists, readJson } from '../fsx.js';
 import { missionDir } from '../mission.js';
 export const FLAGSHIP_PROOF_GRAPH_SCHEMA = 'sks.flagship-proof-graph.v2';
 export const FLAGSHIP_PROOF_GRAPH_V3_SCHEMA = 'sks.flagship-proof-graph.v3';
+export const FLAGSHIP_PROOF_GRAPH_V4_SCHEMA = 'sks.flagship-proof-graph.v4';
 export async function validateFlagshipProofGraph(root, opts = {}) {
     const missionId = opts.missionId || null;
     const missionPath = missionId ? missionDir(root, missionId) : null;
@@ -30,7 +31,7 @@ export async function validateFlagshipProofGraphV3(root, opts = {}) {
     ]);
     const scoutUx = await validateReportSet(root, 'scout_engine_run_ux', [
         '.sneakoscope/reports/scouts-engine-run-ux.json',
-        '.sneakoscope/reports/scouts-real-smoke-1.15.0.json'
+        '.sneakoscope/reports/scouts-real-smoke-1.15.1.json'
     ], { allowIntegrationOptional: true });
     const codexSyntax = await validateReportSet(root, 'codex_exec_output_schema_actual_syntax', [
         '.sneakoscope/reports/codex-exec-output-schema-actual-syntax.json'
@@ -57,6 +58,39 @@ export async function validateFlagshipProofGraphV3(root, opts = {}) {
         blockers
     };
 }
+export async function validateFlagshipProofGraphV4(root, opts = {}) {
+    const v3 = await validateFlagshipProofGraphV3(root, opts);
+    const executorClosure = await validateReportSet(root, 'mad_sks_actual_executor_closure', [
+        '.sneakoscope/reports/mad-sks-actual-executor-blackbox.json',
+        '.sneakoscope/reports/mad-sks-file-write-executor.json',
+        '.sneakoscope/reports/mad-sks-shell-executor.json',
+        '.sneakoscope/reports/mad-sks-package-executor.json',
+        '.sneakoscope/reports/mad-sks-service-executor.json',
+        '.sneakoscope/reports/mad-sks-db-executor.json',
+        '.sneakoscope/reports/mad-sks-rollback-apply.json',
+        '.sneakoscope/reports/mad-sks-live-protected-core-smoke.json',
+        '.sneakoscope/reports/mad-sks-executor-proof-graph.json'
+    ]);
+    const routes = [...(v3.routes || []), executorClosure];
+    const blockers = [
+        ...(v3.blockers || []),
+        ...routes.flatMap((route) => route.blockers || [])
+    ];
+    return {
+        schema: FLAGSHIP_PROOF_GRAPH_V4_SCHEMA,
+        ok: blockers.length === 0,
+        mission_id: opts.missionId || null,
+        routes,
+        mad_sks_actual_executor_closure_linked: executorClosure.ok === true,
+        target_file_write_verified: executorClosure.artifacts.some((artifact) => /file-write-executor/.test(artifact.path) && artifact.ok === true),
+        shell_argv_classifier_verified: executorClosure.artifacts.some((artifact) => /shell-executor/.test(artifact.path) && artifact.ok === true),
+        package_service_db_boundaries_verified: ['package-executor', 'service-executor', 'db-executor'].every((name) => executorClosure.artifacts.some((artifact) => artifact.path.includes(name) && artifact.ok === true)),
+        rollback_apply_verified: executorClosure.artifacts.some((artifact) => /rollback-apply/.test(artifact.path) && artifact.ok === true),
+        live_protected_core_guard_verified: executorClosure.artifacts.some((artifact) => /live-protected-core-smoke/.test(artifact.path) && artifact.ok === true),
+        local_only_policy: routes.every((route) => route.local_only_policy !== 'blocked'),
+        blockers
+    };
+}
 async function validateReportSet(root, route, required, opts = {}) {
     const artifacts = [];
     const blockers = [];

package/dist/core/feature-fixtures.js

@@ -69,7 +69,7 @@ const FIXTURES = Object.freeze({
     'cli-commit': fixture('mock', 'sks commit --dry-run', [], 'pass'),
     'cli-commit-and-push': fixture('mock', 'sks commit-and-push --dry-run', [], 'pass'),
     'cli-context7': fixture('real_optional', 'sks context7 check --json', [], 'pass'),
-    'cli-all-features': fixture('mock', 'sks all-features complete --json', ['.sneakoscope/reports/all-feature-completion-1.15.0.json'], 'pass'),
+    'cli-all-features': fixture('mock', 'sks all-features complete --json', ['.sneakoscope/reports/all-feature-completion-1.15.1.json'], 'pass'),
     'cli-init': fixture('mock', 'sks init --local-only --dry-run', [], 'pass'),
     'cli-eval': fixture('mock', 'sks eval run --mock --json', [], 'pass'),
     'cli-harness': fixture('mock', 'sks harness fixture --mock --json', [], 'pass'),

package/dist/core/fsx.d.ts

@@ -1,4 +1,4 @@
-export declare const PACKAGE_VERSION = "1.15.0";
+export declare const PACKAGE_VERSION = "1.15.1";
 export declare const DEFAULT_PROCESS_TAIL_BYTES: number;
 export declare const DEFAULT_PROCESS_TIMEOUT_MS: number;
 export interface RunProcessOptions {

package/dist/core/fsx.js

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
-export const PACKAGE_VERSION = '1.15.0';
+export const PACKAGE_VERSION = '1.15.1';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;
 export function nowIso() {

package/dist/core/mad-sks/executors/computer-use-executor.d.ts

@@ -0,0 +1,5 @@
+import { type MadSksExecutor } from './executor-base.js';
+export declare const computerUseExecutor: MadSksExecutor;
+export declare const browserUseExecutor: MadSksExecutor;
+export declare const generatedAssetExecutor: MadSksExecutor;
+//# sourceMappingURL=computer-use-executor.d.ts.map

package/dist/core/mad-sks/executors/computer-use-executor.js

@@ -0,0 +1,73 @@
+import { runMadSksGuardMiddleware } from '../guard-middleware.js';
+import { madSksAuditAction } from '../audit-ledger.js';
+import { resultFromEvidence, writeExecutorEvidence } from './executor-base.js';
+export const computerUseExecutor = {
+    id: 'computer-use',
+    action_type: 'computer_use',
+    async dryRun(input, context) {
+        return runVisualHandoff(input, context, 'computer_use', true);
+    },
+    async apply(input, context) {
+        return runVisualHandoff(input, context, 'computer_use', false);
+    }
+};
+export const browserUseExecutor = {
+    id: 'browser-use',
+    action_type: 'browser_use',
+    async dryRun(input, context) {
+        return runVisualHandoff(input, context, 'browser_use', true);
+    },
+    async apply(input, context) {
+        return runVisualHandoff(input, context, 'browser_use', false);
+    }
+};
+export const generatedAssetExecutor = {
+    id: 'generated-asset',
+    action_type: 'generated_asset_edit',
+    async dryRun(input, context) {
+        return runVisualHandoff(input, context, 'generated_assets', true);
+    },
+    async apply(input, context) {
+        return runVisualHandoff(input, context, 'generated_assets', false);
+    }
+};
+async function runVisualHandoff(input, context, scope, dryRun) {
+    const actionType = scope === 'browser_use' ? 'browser_use' : scope === 'generated_assets' ? 'generated_asset_edit' : 'computer_use';
+    const guard = await runMadSksGuardMiddleware({
+        input: { action_type: actionType, required_scope: scope, target_path: input.target_path || input.path || null, dry_run: dryRun, high_risk: scope !== 'generated_assets' },
+        permission: context.permission_model,
+        authorizationManifest: context.authorization_manifest,
+        targetRoot: context.target_root,
+        root: context.package_root
+    });
+    if (!guard.ok) {
+        return resultFromEvidence({ executor: `${scope}-handoff`, actionType, context, status: 'blocked', blockedActions: [guard], blockers: guard.issues });
+    }
+    const verification = [{
+            kind: `${scope}_handoff`,
+            ok: true,
+            local_only_evidence: true,
+            target_boundary: context.target_root,
+            ux_ppt_proof_graph_linked: scope === 'generated_assets' ? true : null,
+            shared_triwiki_auto_publish: false
+        }];
+    const evidence = await writeExecutorEvidence({
+        context,
+        executor: `${scope}-handoff`,
+        actionType,
+        rollbackUnavailable: scope === 'generated_assets' ? [] : [`${scope}_external_state_rollback_requires_route_specific_adapter`],
+        auditActions: [madSksAuditAction({ type: actionType, target: String(input.target_path || input.path || context.target_root), rollback_available: scope === 'generated_assets', risk_level: scope === 'generated_assets' ? 'medium' : 'high' })],
+        verification
+    });
+    return resultFromEvidence({
+        executor: `${scope}-handoff`,
+        actionType,
+        context,
+        status: dryRun ? 'dry_run' : 'handoff_ready',
+        evidence,
+        verification,
+        writesPerformed: false,
+        extra: { guard, handoff: true, local_only_artifact_policy: true }
+    });
+}
+//# sourceMappingURL=computer-use-executor.js.map

package/dist/core/mad-sks/executors/db-write-executor.d.ts

@@ -0,0 +1,4 @@
+import { type MadSksExecutor, type MadSksExecutorContext, type MadSksExecutorInput } from './executor-base.js';
+export declare const dbWriteExecutor: MadSksExecutor;
+export declare function runDbWrite(input: MadSksExecutorInput, context: MadSksExecutorContext, dryRun?: boolean): Promise<import("./executor-base.js").MadSksExecutorResult>;
+//# sourceMappingURL=db-write-executor.d.ts.map