wotann 0.5.95 → 0.5.97

package/dist/ui/components/v3/TranscriptRow.d.ts

@@ -0,0 +1,45 @@
+/**
+ * TranscriptRow — a single memoized conversation row.
+ *
+ * Extracted from `Transcript.tsx`'s inline row map so it can be rendered
+ * in BOTH places the AppV4 inline model needs it:
+ *   1. Committed history inside Ink `<Static>` (write-once → terminal
+ *      scrollback). Static never re-renders an emitted row, so the memo
+ *      is moot there — but identity-stable rows keep the contract clean.
+ *   2. The live in-flight turn (the streaming assistant row + its tool
+ *      rows). Here the memo earns its keep: while the assistant row's
+ *      content grows token-by-token, the sibling rows (the user prompt,
+ *      finished tool rows) MUST NOT re-render.
+ *
+ * Why a CUSTOM comparator (not the default shallow `React.memo`):
+ * `toTranscriptMessages` rebuilds a fresh object for every message on
+ * every render (`messages.map((m) => ({...}))`), so a by-reference memo
+ * would re-render every row on every streamed token — defeating the
+ * point. We compare the fields that actually drive the render. The
+ * `attachments` array survives a reference check because
+ * `toTranscriptMessages` threads the SAME array through (it never copies
+ * it), so an unchanged message keeps an identity-stable attachments ref.
+ *
+ * Rendering is byte-identical to the prior inline map (Phase 1 is a pure
+ * no-op refactor): the horizontal padding stays a concern of the
+ * container/Static call-site, never the row, so this component composes
+ * the same in either mounting context.
+ */
+import React from "react";
+import type { CapabilityProfile } from "../../capability-tier.js";
+import type { TerminalCapabilities } from "../../terminal-capabilities.js";
+import type { TranscriptMessageV3 } from "./Transcript.js";
+export interface TranscriptRowProps {
+    readonly msg: TranscriptMessageV3;
+    readonly profile: CapabilityProfile;
+    readonly terminalCapabilities: TerminalCapabilities;
+}
+declare function TranscriptRowImpl({ msg, profile, terminalCapabilities, }: TranscriptRowProps): React.ReactElement;
+/**
+ * Memo comparator — return TRUE to SKIP a re-render. Exported for direct
+ * unit testing (the streaming hot-path depends on this returning true for
+ * an unchanged sibling row while the assistant row streams).
+ */
+export declare function transcriptRowsEqual(prev: TranscriptRowProps, next: TranscriptRowProps): boolean;
+export declare const TranscriptRow: React.MemoExoticComponent<typeof TranscriptRowImpl>;
+export {};

package/dist/ui/components/v3/TranscriptRow.js

@@ -0,0 +1,102 @@
+import { jsx as _jsx, jsxs as _jsxs } from "#wotann-jsx/jsx-runtime";
+/**
+ * TranscriptRow — a single memoized conversation row.
+ *
+ * Extracted from `Transcript.tsx`'s inline row map so it can be rendered
+ * in BOTH places the AppV4 inline model needs it:
+ *   1. Committed history inside Ink `<Static>` (write-once → terminal
+ *      scrollback). Static never re-renders an emitted row, so the memo
+ *      is moot there — but identity-stable rows keep the contract clean.
+ *   2. The live in-flight turn (the streaming assistant row + its tool
+ *      rows). Here the memo earns its keep: while the assistant row's
+ *      content grows token-by-token, the sibling rows (the user prompt,
+ *      finished tool rows) MUST NOT re-render.
+ *
+ * Why a CUSTOM comparator (not the default shallow `React.memo`):
+ * `toTranscriptMessages` rebuilds a fresh object for every message on
+ * every render (`messages.map((m) => ({...}))`), so a by-reference memo
+ * would re-render every row on every streamed token — defeating the
+ * point. We compare the fields that actually drive the render. The
+ * `attachments` array survives a reference check because
+ * `toTranscriptMessages` threads the SAME array through (it never copies
+ * it), so an unchanged message keeps an identity-stable attachments ref.
+ *
+ * Rendering is byte-identical to the prior inline map (Phase 1 is a pure
+ * no-op refactor): the horizontal padding stays a concern of the
+ * container/Static call-site, never the row, so this component composes
+ * the same in either mounting context.
+ */
+import React from "react";
+import { Box, Text } from "ink";
+import { glyph } from "../../theme/tokens.js";
+import { useThemeTone } from "../../theme/context.js";
+import { parseSlashResultMessage, SystemMessageCard } from "./SystemMessageCard.js";
+import { KittyGraphics } from "./KittyGraphics.js";
+// Minimal role markers — Claude Code / Codex parity. User gets a
+// single subtle ❯ (same glyph as the composer prompt); the assistant
+// is PURE content (no badge, no label, no gutter) — the biggest
+// declutter; system/tool get a dim · marker. No per-message gutter
+// bar, no Norse runes, nothing bold.
+const ROLE_STYLES_AB = {
+    user: { gutterTone: "primary", badge: glyph.prompt, label: "" },
+    assistant: { gutterTone: "muted", badge: "", label: "" },
+    system: { gutterTone: "warning", badge: "·", label: "system" },
+    tool: { gutterTone: "muted", badge: "·", label: "tool" },
+};
+const ROLE_STYLES_C = {
+    user: { gutterTone: "primary", badge: ">", label: "" },
+    assistant: { gutterTone: "muted", badge: "", label: "" },
+    system: { gutterTone: "warning", badge: "*", label: "system" },
+    tool: { gutterTone: "muted", badge: "*", label: "tool" },
+};
+function formatTime(timestamp) {
+    if (typeof timestamp !== "number" || !Number.isFinite(timestamp))
+        return null;
+    const d = new Date(timestamp);
+    const hh = String(d.getHours()).padStart(2, "0");
+    const mm = String(d.getMinutes()).padStart(2, "0");
+    return `${hh}:${mm}`;
+}
+function TranscriptRowImpl({ msg, profile, terminalCapabilities, }) {
+    const { tone } = useThemeTone();
+    const styles = profile.tier === "C" ? ROLE_STYLES_C : ROLE_STYLES_AB;
+    // Route slash-command results to the richer SystemMessageCard so a
+    // `/model` dispatch reads as a harness response rather than a user
+    // message. The marker-based handshake keeps the Transcript schema
+    // unchanged — system messages without the marker fall through to the
+    // default render below.
+    if (msg.role === "system") {
+        const payload = parseSlashResultMessage(msg.content);
+        if (payload !== null) {
+            return _jsx(SystemMessageCard, { payload: payload, profile: profile });
+        }
+    }
+    const style = styles[msg.role];
+    const gutterColor = tone[style.gutterTone];
+    const timeString = formatTime(msg.timestamp);
+    const lines = msg.content.length === 0 ? [""] : msg.content.split("\n");
+    const attachments = msg.attachments ?? [];
+    const hasHeader = style.badge !== "" || style.label !== "" || timeString !== null;
+    return (_jsxs(Box, { flexDirection: "column", marginBottom: 1, children: [hasHeader && (_jsxs(Box, { justifyContent: "space-between", children: [_jsxs(Box, { gap: 1, children: [style.badge !== "" && _jsx(Text, { color: gutterColor, children: style.badge }), style.label !== "" && _jsx(Text, { color: gutterColor, children: style.label })] }), timeString !== null && _jsx(Text, { color: tone.muted, children: timeString })] })), lines.map((line, i) => (_jsx(Text, { color: tone.text, children: line.length === 0 ? " " : line }, `msg-${msg.id}-line-${i}`))), attachments.map((attachment, i) => {
+                if (attachment.kind === "image" && attachment.dataUri !== undefined) {
+                    return (_jsx(KittyGraphics, { source: attachment.dataUri, capabilities: terminalCapabilities, rows: profile.tier === "C" ? 3 : 5, columns: profile.tier === "C" ? 28 : 40, caption: attachment.path }, `msg-${msg.id}-att-${i}`));
+                }
+                const label = attachment.kind === "image" ? "image" : "file";
+                return (_jsxs(Text, { color: tone.muted, italic: true, children: ["[", label, ": ", attachment.path, "]"] }, `msg-${msg.id}-att-${i}`));
+            })] }));
+}
+/**
+ * Memo comparator — return TRUE to SKIP a re-render. Exported for direct
+ * unit testing (the streaming hot-path depends on this returning true for
+ * an unchanged sibling row while the assistant row streams).
+ */
+export function transcriptRowsEqual(prev, next) {
+    return (prev.msg.id === next.msg.id &&
+        prev.msg.content === next.msg.content &&
+        prev.msg.role === next.msg.role &&
+        prev.msg.timestamp === next.msg.timestamp &&
+        prev.msg.attachments === next.msg.attachments &&
+        prev.profile === next.profile &&
+        prev.terminalCapabilities === next.terminalCapabilities);
+}
+export const TranscriptRow = React.memo(TranscriptRowImpl, transcriptRowsEqual);

package/dist/ui/inline-render.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Inline-render mode gate (AppV4 flicker fix, phased rollout).
+ *
+ * The complete streaming-flicker fix renders the chat surface INLINE in
+ * the terminal's MAIN buffer (committed history written once into native
+ * scrollback via Ink `<Static>`) instead of the alternate screen buffer.
+ * The alt buffer has no scrollback, so `<Static>` is incompatible with it
+ * (committed rows would scroll off irrecoverably) — see
+ * docs/phase-0-redesign/phase-1-inline-architecture.md §0.
+ *
+ * Why a flag (not default-on yet): the mount-path change can only be
+ * validated for "feel" + cross-terminal correctness (iTerm2 / Terminal.app
+ * / tmux) on a PHYSICAL terminal, which CI/headless harnesses cannot
+ * reproduce (this is the same fragility that drove the PR #35-#38
+ * raw-mode/mount hardening). So inline mode ships behind
+ * `WOTANN_TUI_INLINE=1` for opt-in verification; once confirmed on a real
+ * terminal it becomes the default for the chat surface.
+ *
+ * The objective gate (eraseLines-sequence drop ≥90% vs the alt-buffer
+ * baseline) is exercised by the PTY byte-trace test, which DOES run here.
+ */
+/**
+ * Whether this session should render the chat surface inline in the main
+ * buffer (Ink `<Static>` committed history) rather than in the alt-screen
+ * buffer. Reads `WOTANN_TUI_INLINE`; defaults OFF during the phased
+ * rollout. Pass an explicit env for tests.
+ */
+export declare function isInlineRenderRequested(env?: NodeJS.ProcessEnv): boolean;

package/dist/ui/inline-render.js

@@ -0,0 +1,35 @@
+/**
+ * Inline-render mode gate (AppV4 flicker fix, phased rollout).
+ *
+ * The complete streaming-flicker fix renders the chat surface INLINE in
+ * the terminal's MAIN buffer (committed history written once into native
+ * scrollback via Ink `<Static>`) instead of the alternate screen buffer.
+ * The alt buffer has no scrollback, so `<Static>` is incompatible with it
+ * (committed rows would scroll off irrecoverably) — see
+ * docs/phase-0-redesign/phase-1-inline-architecture.md §0.
+ *
+ * Why a flag (not default-on yet): the mount-path change can only be
+ * validated for "feel" + cross-terminal correctness (iTerm2 / Terminal.app
+ * / tmux) on a PHYSICAL terminal, which CI/headless harnesses cannot
+ * reproduce (this is the same fragility that drove the PR #35-#38
+ * raw-mode/mount hardening). So inline mode ships behind
+ * `WOTANN_TUI_INLINE=1` for opt-in verification; once confirmed on a real
+ * terminal it becomes the default for the chat surface.
+ *
+ * The objective gate (eraseLines-sequence drop ≥90% vs the alt-buffer
+ * baseline) is exercised by the PTY byte-trace test, which DOES run here.
+ */
+/** Truthy values that opt a session into inline main-buffer rendering. */
+const TRUTHY = new Set(["1", "true", "yes", "on"]);
+/**
+ * Whether this session should render the chat surface inline in the main
+ * buffer (Ink `<Static>` committed history) rather than in the alt-screen
+ * buffer. Reads `WOTANN_TUI_INLINE`; defaults OFF during the phased
+ * rollout. Pass an explicit env for tests.
+ */
+export function isInlineRenderRequested(env = process.env) {
+    const value = env["WOTANN_TUI_INLINE"];
+    if (value === undefined)
+        return false;
+    return TRUTHY.has(value.trim().toLowerCase());
+}

package/dist/verification/reproduction/autonomous-gate.d.ts

@@ -0,0 +1,52 @@
+import { type GitRunner } from "./checkout-prep.js";
+import { type ClaimedChecks, type ReproductionResult } from "./verdict.js";
+import { type ProofArtifact } from "./proof-artifact.js";
+import { type EnforcementDecision } from "./enforcement.js";
+import type { ReplayRunner, ReplayCommands } from "./replay-runner.js";
+import type { MutationRunner } from "./mutation-gate.js";
+export interface AutonomousReproduceInput {
+    readonly repoDir: string;
+    readonly baseRef: string;
+    readonly diffText: string;
+    readonly changedPaths: readonly string[];
+    readonly claimed: ClaimedChecks;
+    readonly commands: ReplayCommands;
+    /** A fresh, non-existent directory for the verifier-box worktree. */
+    readonly worktreeDir: string;
+    /** Paths to symlink from repoDir into the worktree (e.g. ["node_modules"]). */
+    readonly linkFromRepo?: readonly string[];
+}
+export interface AutonomousReproduceRunners {
+    readonly git: GitRunner;
+    readonly replay: ReplayRunner;
+    readonly mutation?: MutationRunner;
+}
+export interface AutonomousReproduceOutput {
+    readonly result: ReproductionResult;
+    readonly proof: ProofArtifact;
+    readonly enforcement: EnforcementDecision;
+}
+/**
+ * Full production composition: prepare an isolated checkout (the separate trust
+ * boundary), reproduce the claimed result inside it, decide enforcement, and
+ * ALWAYS clean up the worktree. A failed checkout => infra-error (never an
+ * auto-pass — we couldn't verify, so we don't silently allow).
+ */
+export declare function reproduceAutonomousRun(input: AutonomousReproduceInput, runners: AutonomousReproduceRunners): Promise<AutonomousReproduceOutput>;
+export interface WorkspaceReproduceInput {
+    /** The agent's workspace (its uncommitted changes are captured as the diff). */
+    readonly cwd: string;
+    readonly claimed: ClaimedChecks;
+    readonly commands: ReplayCommands;
+    /** A fresh, non-existent directory for the verifier-box worktree. */
+    readonly worktreeDir: string;
+    /** Paths to symlink from the workspace into the worktree (e.g. ["node_modules"]). */
+    readonly linkFromRepo?: readonly string[];
+}
+/**
+ * Capture the workspace's git state (HEAD as base + the uncommitted diff) and
+ * reproduce. Assumes the agent's changes are UNCOMMITTED (the common autonomous
+ * case): HEAD is the base and `git diff` is the agent's work. If the agent
+ * committed mid-run, the diff is empty and the clean base is reproduced.
+ */
+export declare function runWorkspaceReproduction(input: WorkspaceReproduceInput, runners: AutonomousReproduceRunners): Promise<AutonomousReproduceOutput>;

package/dist/verification/reproduction/autonomous-gate.js

@@ -0,0 +1,71 @@
+import { prepareVerifierCheckout } from "./checkout-prep.js";
+import { reproduceRun } from "./reproduce.js";
+import { decideReproductionVerdict, } from "./verdict.js";
+import { buildProofArtifact } from "./proof-artifact.js";
+import { enforceReproductionVerdict } from "./enforcement.js";
+/**
+ * Full production composition: prepare an isolated checkout (the separate trust
+ * boundary), reproduce the claimed result inside it, decide enforcement, and
+ * ALWAYS clean up the worktree. A failed checkout => infra-error (never an
+ * auto-pass — we couldn't verify, so we don't silently allow).
+ */
+export async function reproduceAutonomousRun(input, runners) {
+    const checkout = await prepareVerifierCheckout({
+        repoDir: input.repoDir,
+        baseRef: input.baseRef,
+        diffText: input.diffText,
+        worktreeDir: input.worktreeDir,
+        ...(input.linkFromRepo ? { linkFromRepo: input.linkFromRepo } : {}),
+    }, runners.git);
+    if (!checkout.ok) {
+        const result = decideReproductionVerdict({
+            claimed: input.claimed,
+            observed: { testsPass: null, typecheckPass: null, lintPass: null },
+            tampered: false,
+            infraError: `checkout:${checkout.error}`,
+        });
+        const proof = buildProofArtifact(result, input.diffText);
+        return { result, proof, enforcement: enforceReproductionVerdict(result.verdict) };
+    }
+    try {
+        const reproRunners = runners.mutation
+            ? { replay: runners.replay, mutation: runners.mutation }
+            : { replay: runners.replay };
+        const { result, proof } = await reproduceRun({
+            claimed: input.claimed,
+            changedPaths: input.changedPaths,
+            checkoutDir: checkout.checkout.checkoutDir,
+            commands: input.commands,
+            diffText: input.diffText,
+            mutationFiles: input.changedPaths,
+        }, reproRunners);
+        return { result, proof, enforcement: enforceReproductionVerdict(result.verdict) };
+    }
+    finally {
+        await checkout.checkout.cleanup();
+    }
+}
+/**
+ * Capture the workspace's git state (HEAD as base + the uncommitted diff) and
+ * reproduce. Assumes the agent's changes are UNCOMMITTED (the common autonomous
+ * case): HEAD is the base and `git diff` is the agent's work. If the agent
+ * committed mid-run, the diff is empty and the clean base is reproduced.
+ */
+export async function runWorkspaceReproduction(input, runners) {
+    const baseRef = (await runners.git.run(input.cwd, ["rev-parse", "HEAD"])).stdout.trim();
+    const diffText = (await runners.git.run(input.cwd, ["diff"])).stdout;
+    const changedPaths = (await runners.git.run(input.cwd, ["diff", "--name-only"])).stdout
+        .split("\n")
+        .map((s) => s.trim())
+        .filter(Boolean);
+    return reproduceAutonomousRun({
+        repoDir: input.cwd,
+        baseRef,
+        diffText,
+        changedPaths,
+        claimed: input.claimed,
+        commands: input.commands,
+        worktreeDir: input.worktreeDir,
+        ...(input.linkFromRepo ? { linkFromRepo: input.linkFromRepo } : {}),
+    }, runners);
+}

package/dist/verification/reproduction/checkout-prep.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Prepare the separate-trust-boundary checkout for verify-by-reproduction
+ * (spec §3.1, the missing prerequisite for a correct production trigger).
+ *
+ * The verifier box MUST run a CLEAN base checkout + ONLY the agent's diff — in
+ * a separate directory — so the agent's dirty workspace (runtime tampering,
+ * stray files, monkeypatched runners) can never influence the result. Running
+ * the replay in the agent's own `process.cwd()` would be the BenchJack V1
+ * violation this defeats.
+ */
+export interface GitRunner {
+    readonly run: (cwd: string, argv: readonly string[]) => Promise<{
+        exitCode: number;
+        stdout: string;
+        stderr: string;
+    }>;
+}
+/** Production GitRunner via execFile (argv-only, injection-safe). */
+export declare function buildExecGitRunner(): GitRunner;
+export interface PrepareCheckoutInput {
+    /** The agent's repository (the worktree is registered here). */
+    readonly repoDir: string;
+    /** The commit the agent started from (before its changes). */
+    readonly baseRef: string;
+    /** The agent's diff (unified, as from `git diff`). Empty = clean base. */
+    readonly diffText: string;
+    /** A fresh, non-existent directory for the detached worktree. */
+    readonly worktreeDir: string;
+    /**
+     * Paths (relative to repoDir) to symlink into the worktree after checkout —
+     * e.g. ["node_modules"]. A fresh worktree lacks gitignored deps, so without
+     * this the replay's `npm test` would fail on missing modules (a FALSE
+     * 'contradicted'). Deps are not the grading surface, so sharing them is safe.
+     */
+    readonly linkFromRepo?: readonly string[];
+}
+export interface VerifierCheckout {
+    readonly checkoutDir: string;
+    readonly cleanup: () => Promise<void>;
+}
+export type CheckoutResult = {
+    readonly ok: true;
+    readonly checkout: VerifierCheckout;
+} | {
+    readonly ok: false;
+    readonly error: string;
+};
+export declare function prepareVerifierCheckout(input: PrepareCheckoutInput, git: GitRunner): Promise<CheckoutResult>;

package/dist/verification/reproduction/checkout-prep.js

@@ -0,0 +1,78 @@
+import { writeFileSync, symlinkSync, existsSync } from "node:fs";
+import { join } from "node:path";
+/** Production GitRunner via execFile (argv-only, injection-safe). */
+export function buildExecGitRunner() {
+    return {
+        run: async (cwd, argv) => {
+            const { execFile } = await import("node:child_process");
+            return new Promise((resolve) => {
+                execFile("git", [...argv], { cwd, maxBuffer: 64 * 1024 * 1024 }, (error, stdout, stderr) => {
+                    const exitCode = error && typeof error.code === "number"
+                        ? Number(error.code)
+                        : error
+                            ? 1
+                            : 0;
+                    resolve({
+                        exitCode,
+                        stdout: stdout?.toString() ?? "",
+                        stderr: stderr?.toString() ?? (error instanceof Error ? error.message : ""),
+                    });
+                });
+            });
+        },
+    };
+}
+export async function prepareVerifierCheckout(input, git) {
+    const add = await git.run(input.repoDir, [
+        "worktree",
+        "add",
+        "--detach",
+        input.worktreeDir,
+        input.baseRef,
+    ]);
+    if (add.exitCode !== 0) {
+        return {
+            ok: false,
+            error: `worktree-add-failed:exit=${add.exitCode}:${add.stderr.trim().slice(0, 240)}`,
+        };
+    }
+    const cleanup = async () => {
+        await git.run(input.repoDir, ["worktree", "remove", "--force", input.worktreeDir]);
+    };
+    if (input.diffText.trim() !== "") {
+        const patchPath = join(input.worktreeDir, ".wotann-verify.patch");
+        try {
+            writeFileSync(patchPath, input.diffText, "utf-8");
+        }
+        catch (e) {
+            await cleanup();
+            return {
+                ok: false,
+                error: `patch-write-failed:${e instanceof Error ? e.message : String(e)}`,
+            };
+        }
+        const apply = await git.run(input.worktreeDir, ["apply", "--whitespace=nowarn", patchPath]);
+        if (apply.exitCode !== 0) {
+            await cleanup();
+            return {
+                ok: false,
+                error: `apply-failed:exit=${apply.exitCode}:${apply.stderr.trim().slice(0, 240)}`,
+            };
+        }
+    }
+    for (const rel of input.linkFromRepo ?? []) {
+        const src = join(input.repoDir, rel);
+        const dst = join(input.worktreeDir, rel);
+        // Best-effort: skip when the source is absent or the target already exists.
+        if (existsSync(src) && !existsSync(dst)) {
+            try {
+                symlinkSync(src, dst, "dir");
+            }
+            catch {
+                // A failed symlink just means the replay may hit missing deps and
+                // report a result the verdict logic handles — never a silent pass.
+            }
+        }
+    }
+    return { ok: true, checkout: { checkoutDir: input.worktreeDir, cleanup } };
+}

package/dist/verification/reproduction/diff-checker.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Grading-surface diff-checker (BenchJack V2/V8 defense). The agent's diff
+ * must touch ONLY source — never the test harness / its own grader. A diff
+ * that edits the grading surface is TAMPER, not a normal failure.
+ *
+ * NOTE: package.json is deliberately NOT protected here (legit dep edits are
+ * common); detecting edits to its `scripts.test` field specifically is a
+ * Phase-B field-level refinement.
+ */
+export declare const DEFAULT_PROTECTED_PATTERNS: readonly RegExp[];
+export interface TestAuthorship {
+    /** Matches files considered "tests" (whose edits are gated). */
+    readonly testFilePattern: RegExp;
+    /** Test files the agent legitimately created/edited THIS task (allowlisted). */
+    readonly authoredTestFiles: readonly string[];
+}
+export interface DiffCheckResult {
+    readonly tampered: boolean;
+    readonly offendingPaths: readonly string[];
+}
+/**
+ * Pure. `changedPaths` are repo-relative POSIX paths the agent's diff touched.
+ * A path is offending if it matches a protected pattern, OR it is a test file
+ * (per `authorship.testFilePattern`) that is not in `authoredTestFiles`.
+ */
+export declare function checkDiff(changedPaths: readonly string[], patterns?: readonly RegExp[], authorship?: TestAuthorship): DiffCheckResult;

package/dist/verification/reproduction/diff-checker.js

@@ -0,0 +1,33 @@
+/**
+ * Grading-surface diff-checker (BenchJack V2/V8 defense). The agent's diff
+ * must touch ONLY source — never the test harness / its own grader. A diff
+ * that edits the grading surface is TAMPER, not a normal failure.
+ *
+ * NOTE: package.json is deliberately NOT protected here (legit dep edits are
+ * common); detecting edits to its `scripts.test` field specifically is a
+ * Phase-B field-level refinement.
+ */
+export const DEFAULT_PROTECTED_PATTERNS = Object.freeze([
+    /(^|\/)conftest\.py$/,
+    /(^|\/)pytest\.ini$/,
+    /(^|\/)tox\.ini$/,
+    /(^|\/)(jest|vitest|playwright)\.config\.[cm]?[jt]s$/,
+    /(^|\/)\.mocharc\.[a-z]+$/,
+    /(^|\/)\.git(\/|$)/,
+]);
+/**
+ * Pure. `changedPaths` are repo-relative POSIX paths the agent's diff touched.
+ * A path is offending if it matches a protected pattern, OR it is a test file
+ * (per `authorship.testFilePattern`) that is not in `authoredTestFiles`.
+ */
+export function checkDiff(changedPaths, patterns = DEFAULT_PROTECTED_PATTERNS, authorship) {
+    const authored = new Set(authorship?.authoredTestFiles ?? []);
+    const offendingPaths = changedPaths.filter((p) => {
+        if (patterns.some((re) => re.test(p)))
+            return true;
+        if (authorship && authorship.testFilePattern.test(p) && !authored.has(p))
+            return true;
+        return false;
+    });
+    return { tampered: offendingPaths.length > 0, offendingPaths };
+}

package/dist/verification/reproduction/enforcement.d.ts

@@ -0,0 +1,14 @@
+import type { ReproductionVerdict } from "./verdict.js";
+export type EnforcementAction = "allow" | "block" | "surface" | "escalate";
+export interface EnforcementDecision {
+    readonly action: EnforcementAction;
+    readonly reason: string;
+}
+/**
+ * Asymmetric enforcement (spec §3.2). A false PASS is the moat-killer; a false
+ * BLOCK is recoverable — so reproduction-sourced tamper/contradicted HARD-BLOCK,
+ * while weaker signals surface or escalate. Keyed on the REPRODUCTION verdict
+ * (trustworthy, executable) — never on bare LLM-judge text (the TNR<25% yes-man
+ * problem is exactly why the enforce-flip waited for the reproduction channel).
+ */
+export declare function enforceReproductionVerdict(verdict: ReproductionVerdict): EnforcementDecision;

package/dist/verification/reproduction/enforcement.js

@@ -0,0 +1,30 @@
+/**
+ * Asymmetric enforcement (spec §3.2). A false PASS is the moat-killer; a false
+ * BLOCK is recoverable — so reproduction-sourced tamper/contradicted HARD-BLOCK,
+ * while weaker signals surface or escalate. Keyed on the REPRODUCTION verdict
+ * (trustworthy, executable) — never on bare LLM-judge text (the TNR<25% yes-man
+ * problem is exactly why the enforce-flip waited for the reproduction channel).
+ */
+export function enforceReproductionVerdict(verdict) {
+    switch (verdict) {
+        case "tamper":
+            return { action: "block", reason: "diff tampered with the grading surface" };
+        case "contradicted":
+            return {
+                action: "block",
+                reason: "claimed success contradicted by independent reproduction",
+            };
+        case "weak-tests":
+            return {
+                action: "surface",
+                reason: "reproduction passed but tests are too weak to trust (low mutation score)",
+            };
+        case "infra-error":
+            return {
+                action: "escalate",
+                reason: "could not reproduce — verify manually before trusting",
+            };
+        case "reproduced":
+            return { action: "allow", reason: "independently reproduced in a separate trust boundary" };
+    }
+}

package/dist/verification/reproduction/exec-runner.d.ts

@@ -0,0 +1,15 @@
+import type { ReplayRunner } from "./replay-runner.js";
+/**
+ * Production `ReplayRunner` backed by `child_process.execFile` (argv-only — no
+ * shell interpolation, so injection-safe regardless of the command content,
+ * matching the codebase's execFileNoThrow contract). Runs the claimed commands
+ * inside `dir`, the verifier-box checkout.
+ *
+ * Honest probe: confirms the Node interpreter is runnable; reports the failure
+ * explicitly otherwise (so runReplay emits `infra-error`, never a silent pass).
+ *
+ * Trust-boundary note: this runs on the HOST in a given directory. Full
+ * separate-trust-boundary isolation (a container, per spec §3.1) is the deferred
+ * production hardening — this is the host-dir baseline so the loop runs for real.
+ */
+export declare function buildExecReplayRunner(): ReplayRunner;

package/dist/verification/reproduction/exec-runner.js

@@ -0,0 +1,47 @@
+/**
+ * Production `ReplayRunner` backed by `child_process.execFile` (argv-only — no
+ * shell interpolation, so injection-safe regardless of the command content,
+ * matching the codebase's execFileNoThrow contract). Runs the claimed commands
+ * inside `dir`, the verifier-box checkout.
+ *
+ * Honest probe: confirms the Node interpreter is runnable; reports the failure
+ * explicitly otherwise (so runReplay emits `infra-error`, never a silent pass).
+ *
+ * Trust-boundary note: this runs on the HOST in a given directory. Full
+ * separate-trust-boundary isolation (a container, per spec §3.1) is the deferred
+ * production hardening — this is the host-dir baseline so the loop runs for real.
+ */
+export function buildExecReplayRunner() {
+    return {
+        probe: async () => {
+            const { execFile } = await import("node:child_process");
+            return new Promise((resolve) => {
+                execFile(process.execPath, ["--version"], (error) => {
+                    resolve(error
+                        ? { ok: false, reason: error instanceof Error ? error.message : String(error) }
+                        : { ok: true });
+                });
+            });
+        },
+        runInDir: async (dir, argv) => {
+            const { execFile } = await import("node:child_process");
+            const [file, ...rest] = argv;
+            if (!file)
+                return { exitCode: 1, stdout: "", stderr: "empty argv" };
+            return new Promise((resolve) => {
+                execFile(file, rest, { cwd: dir, maxBuffer: 10 * 1024 * 1024 }, (error, stdout, stderr) => {
+                    const exitCode = error && typeof error.code === "number"
+                        ? Number(error.code)
+                        : error
+                            ? 1
+                            : 0;
+                    resolve({
+                        exitCode,
+                        stdout: stdout?.toString() ?? "",
+                        stderr: stderr?.toString() ?? (error instanceof Error ? error.message : ""),
+                    });
+                });
+            });
+        },
+    };
+}

package/dist/verification/reproduction/index.d.ts

@@ -0,0 +1,10 @@
+export { decideReproductionVerdict, type ReproductionVerdict, type ClaimedChecks, type ObservedChecks, type ReproductionInput, type ReproductionResult, } from "./verdict.js";
+export { checkDiff, DEFAULT_PROTECTED_PATTERNS, type DiffCheckResult, type TestAuthorship, } from "./diff-checker.js";
+export { runReplay, type ReplayRunner, type ReplayCommands, type ReplayInput, } from "./replay-runner.js";
+export { buildProofArtifact, type ProofArtifact } from "./proof-artifact.js";
+export { gateMutation, runMutationGate, DEFAULT_MUTATION_THRESHOLD, type MutationResult, type MutationGateResult, type MutationRunner, } from "./mutation-gate.js";
+export { enforceReproductionVerdict, type EnforcementAction, type EnforcementDecision, } from "./enforcement.js";
+export { reproduceRun, type ReproduceInput, type ReproduceRunners, type ReproduceOutput, } from "./reproduce.js";
+export { buildExecReplayRunner } from "./exec-runner.js";
+export { prepareVerifierCheckout, buildExecGitRunner, type GitRunner, type PrepareCheckoutInput, type VerifierCheckout, type CheckoutResult, } from "./checkout-prep.js";
+export { reproduceAutonomousRun, runWorkspaceReproduction, type AutonomousReproduceInput, type AutonomousReproduceRunners, type AutonomousReproduceOutput, type WorkspaceReproduceInput, } from "./autonomous-gate.js";