wotann 0.5.96 → 0.5.97

package/dist/index.js

@@ -5379,6 +5379,48 @@ program
             ? chalk.green("  Done — Task completed successfully")
             : chalk.red("  Failed — Task did not complete"));
         console.log();
+        // Independent verify-by-reproduction (opt-in: WOTANN_REPRODUCE=1).
+        // Default-off because re-running the suite in an isolated checkout
+        // roughly doubles run time. Replays the agent's claimed checks in a
+        // clean base+diff worktree (a separate trust boundary, deps symlinked)
+        // and reports a verdict the agent cannot fake. Best-effort — never
+        // breaks the run.
+        if (process.env.WOTANN_REPRODUCE === "1") {
+            try {
+                const [repro, os, path] = await Promise.all([
+                    import("./verification/reproduction/index.js"),
+                    import("node:os"),
+                    import("node:path"),
+                ]);
+                const git = repro.buildExecGitRunner();
+                const lastCycle = result.cycles[result.cycles.length - 1];
+                const verdict = await repro.runWorkspaceReproduction({
+                    cwd: process.cwd(),
+                    claimed: {
+                        testsPass: lastCycle?.testsPass ?? false,
+                        typecheckPass: lastCycle?.typecheckPass ?? false,
+                        lintPass: lastCycle?.lintPass ?? false,
+                    },
+                    commands: { test: ["npm", "test"], typecheck: ["npm", "run", "typecheck"] },
+                    worktreeDir: path.join(os.tmpdir(), `wotann-verify-${Date.now()}`),
+                    linkFromRepo: ["node_modules"],
+                }, { git, replay: repro.buildExecReplayRunner() });
+                const tag = verdict.enforcement.action === "block"
+                    ? chalk.red(`⛔ ${verdict.result.verdict}`)
+                    : verdict.enforcement.action === "allow"
+                        ? chalk.green(`✓ ${verdict.result.verdict}`)
+                        : chalk.yellow(`⚠ ${verdict.result.verdict}`);
+                console.log(chalk.bold("Independent reproduction (separate trust boundary):"));
+                console.log(`  ${tag} — ${verdict.enforcement.reason}`);
+                for (const c of verdict.result.contradictions) {
+                    console.log(chalk.dim(`    • ${c}`));
+                }
+                console.log();
+            }
+            catch (e) {
+                console.log(chalk.dim(`  Reproduction skipped: ${e instanceof Error ? e.message : String(e)}`));
+            }
+        }
         process.exit(result.success ? 0 : 1);
     }
     finally {

package/dist/orchestration/proof-bundles.d.ts

@@ -47,6 +47,14 @@ export interface AutonomousProofBundle {
         readonly visualVerificationEnabled: boolean;
         readonly visualExpectation?: string;
         readonly finalChecks: {
+            /**
+             * Provenance of these checks. "self-reported" = copied from the agent's
+             * own cycle result — a CLAIM, not an independently reproduced result. A
+             * green check is a claim, not proof (verify-by-reproduction, V7); a future
+             * verdict re-runs these in a separate trust boundary and reports a
+             * "reproduced" source instead.
+             */
+            readonly source: "self-reported";
             readonly testsPass: boolean;
             readonly typecheckPass: boolean;
             readonly lintPass: boolean;

package/dist/orchestration/proof-bundles.js

@@ -44,6 +44,8 @@ export function writeAutonomousProofBundle(input) {
             visualExpectation: input.visualExpectation,
             finalChecks: lastCycle
                 ? {
+                    // Self-reported by the agent's own cycle — a claim, not proof (V7).
+                    source: "self-reported",
                     testsPass: lastCycle.testsPass,
                     typecheckPass: lastCycle.typecheckPass,
                     lintPass: lastCycle.lintPass,

package/dist/security/approval-binding.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Exact-bytes approval binding (corpus F4; defeats the OpenClaw CVE-2026-29607
+ * "approval persisted at the wrapper level, not the inner command" class and
+ * the TOCTOU race). Bind the canonicalized action's HMAC at approval time;
+ * re-pin at execution and abort on drift, replay (single-use nonce), or expiry.
+ */
+export interface CanonicalAction {
+    readonly tool: string;
+    readonly args: readonly string[];
+    readonly cwd: string;
+}
+export interface ApprovalBinding {
+    readonly bindingId: string;
+    readonly actionHash: string;
+    readonly nonce: string;
+    readonly expiresAt: number;
+}
+export type VerifyResult = {
+    readonly ok: true;
+} | {
+    readonly ok: false;
+    readonly reason: string;
+};
+/**
+ * Deterministic canonical form of an action. The CALLER must pre-resolve shell
+ * expansion / env-substitution / path resolution BEFORE binding, so the bound
+ * bytes ARE exactly what will execute (the literate wrapper is not what runs).
+ */
+export declare function canonicalizeAction(action: CanonicalAction): string;
+export interface ApprovalBinderOptions {
+    readonly ttlMs?: number;
+    readonly now?: () => number;
+}
+/**
+ * Stateful service: the consumed-nonce set lives inside the instance (QB#7
+ * per-call state, not module-global). Inject `now` for deterministic tests.
+ */
+export declare class ApprovalBinder {
+    private readonly secret;
+    private readonly ttlMs;
+    private readonly now;
+    private readonly consumed;
+    private counter;
+    constructor(secret: Buffer | string, opts?: ApprovalBinderOptions);
+    bind(action: CanonicalAction, nonce?: string): ApprovalBinding;
+    /**
+     * Re-pin at execution: recompute the HMAC from the action that is ABOUT to
+     * run and reject on drift, expiry, or replay. Consumes the nonce on success.
+     * Order matters: replay > expiry > drift (cheapest, most-specific first).
+     */
+    verify(binding: ApprovalBinding, action: CanonicalAction): VerifyResult;
+}

package/dist/security/approval-binding.js

@@ -0,0 +1,57 @@
+import { timingSafeEqual } from "node:crypto";
+import { computeBoundaryHmac } from "./prompt-injection-quarantine.js";
+/**
+ * Deterministic canonical form of an action. The CALLER must pre-resolve shell
+ * expansion / env-substitution / path resolution BEFORE binding, so the bound
+ * bytes ARE exactly what will execute (the literate wrapper is not what runs).
+ */
+export function canonicalizeAction(action) {
+    return JSON.stringify({ tool: action.tool.trim(), args: action.args, cwd: action.cwd });
+}
+/**
+ * Stateful service: the consumed-nonce set lives inside the instance (QB#7
+ * per-call state, not module-global). Inject `now` for deterministic tests.
+ */
+export class ApprovalBinder {
+    secret;
+    ttlMs;
+    now;
+    consumed = new Set();
+    counter = 0;
+    constructor(secret, opts = {}) {
+        this.secret = secret;
+        this.ttlMs = opts.ttlMs ?? 5 * 60_000;
+        this.now = opts.now ?? (() => Date.now());
+    }
+    bind(action, nonce) {
+        const actionHash = computeBoundaryHmac(canonicalizeAction(action), this.secret);
+        const id = ++this.counter;
+        return {
+            bindingId: `bind-${id}`,
+            actionHash,
+            nonce: nonce ?? `n-${this.now()}-${id}`,
+            expiresAt: this.now() + this.ttlMs,
+        };
+    }
+    /**
+     * Re-pin at execution: recompute the HMAC from the action that is ABOUT to
+     * run and reject on drift, expiry, or replay. Consumes the nonce on success.
+     * Order matters: replay > expiry > drift (cheapest, most-specific first).
+     */
+    verify(binding, action) {
+        if (this.consumed.has(binding.nonce)) {
+            return { ok: false, reason: "replay: nonce already consumed" };
+        }
+        if (this.now() > binding.expiresAt) {
+            return { ok: false, reason: "expired: approval window elapsed" };
+        }
+        const recomputed = computeBoundaryHmac(canonicalizeAction(action), this.secret);
+        const a = Buffer.from(recomputed, "utf-8");
+        const b = Buffer.from(binding.actionHash, "utf-8");
+        if (a.length !== b.length || !timingSafeEqual(a, b)) {
+            return { ok: false, reason: "hash drift: action changed since approval" };
+        }
+        this.consumed.add(binding.nonce);
+        return { ok: true };
+    }
+}

package/dist/security/human-approval.d.ts

@@ -19,6 +19,8 @@ export interface ApprovalRequest {
     readonly tool: string;
     readonly args: string;
     readonly reason: string;
+    /** Optional exact-bytes approval-binding hash (see security/approval-binding.ts). */
+    readonly hash?: string;
     readonly risk: "low" | "medium" | "high" | "critical";
     readonly riskLevel: "moderate" | "high" | "critical";
     readonly createdAt: number;

package/dist/security/human-approval.js

@@ -26,7 +26,10 @@ const DEFAULT_POLICIES = [
         riskLevel: "moderate",
         channels: ["cli", "desktop"],
         timeoutMs: 60_000, // 1 minute
-        defaultOnTimeout: "approve",
+        // Fail CLOSED: an absent/stalled human must never auto-approve a write or
+        // edit. An adversarial agent could otherwise stall past the timeout to win
+        // an automatic approval. (bash is already fail-closed; this matches it.)
+        defaultOnTimeout: "deny",
     },
 ];
 // ── Approval Manager ─────────────────────────────────────
@@ -71,7 +74,7 @@ export class HumanApprovalManager {
                         feedback: `Approval timed out after ${timeoutMs}ms. Default: ${defaultOnTimeout}.`,
                         respondedAt: Date.now(),
                     };
-                    this.history.push(response);
+                    this.history.push({ request, response });
                     resolve(response);
                 }
             }, timeoutMs);
@@ -80,7 +83,7 @@ export class HumanApprovalManager {
                 request,
                 resolve: (response) => {
                     clearTimeout(timer);
-                    this.history.push(response);
+                    this.history.push({ request, response });
                     resolve(response);
                 },
             });
@@ -113,7 +116,7 @@ export class HumanApprovalManager {
      * Get approval history.
      */
     getHistory() {
-        return this.history;
+        return this.history.map((record) => record.response);
     }
     /**
      * Add a custom policy.
@@ -146,30 +149,18 @@ export class HumanApprovalManager {
      * Get full audit log of all approval decisions (request + result pairs).
      */
     getAuditLog() {
-        return this.history.map((response) => {
-            // Look up the original request from pending or reconstruct from response
-            const request = {
-                id: response.requestId,
-                action: "tool_call",
-                description: response.feedback ?? "",
-                tool: "",
-                args: "",
-                reason: "",
-                risk: "medium",
-                riskLevel: "moderate",
-                createdAt: response.respondedAt,
-                timestamp: response.respondedAt,
-                timeoutMs: 0,
-                channels: [],
-            };
-            const result = {
+        // The REAL request is recorded at decision time and read back verbatim —
+        // never reconstructed — so the audit trail can never drift from what was
+        // actually approved.
+        return this.history.map(({ request, response }) => ({
+            request,
+            result: {
                 approved: response.decision === "approve",
                 approvedBy: response.respondedBy,
                 feedback: response.feedback,
                 decidedAt: response.respondedAt,
-            };
-            return { request, result };
-        });
+            },
+        }));
     }
     // ── Private ────────────────────────────────────────────
     assessRisk(tool, args) {

package/dist/verification/reproduction/autonomous-gate.d.ts

@@ -0,0 +1,52 @@
+import { type GitRunner } from "./checkout-prep.js";
+import { type ClaimedChecks, type ReproductionResult } from "./verdict.js";
+import { type ProofArtifact } from "./proof-artifact.js";
+import { type EnforcementDecision } from "./enforcement.js";
+import type { ReplayRunner, ReplayCommands } from "./replay-runner.js";
+import type { MutationRunner } from "./mutation-gate.js";
+export interface AutonomousReproduceInput {
+    readonly repoDir: string;
+    readonly baseRef: string;
+    readonly diffText: string;
+    readonly changedPaths: readonly string[];
+    readonly claimed: ClaimedChecks;
+    readonly commands: ReplayCommands;
+    /** A fresh, non-existent directory for the verifier-box worktree. */
+    readonly worktreeDir: string;
+    /** Paths to symlink from repoDir into the worktree (e.g. ["node_modules"]). */
+    readonly linkFromRepo?: readonly string[];
+}
+export interface AutonomousReproduceRunners {
+    readonly git: GitRunner;
+    readonly replay: ReplayRunner;
+    readonly mutation?: MutationRunner;
+}
+export interface AutonomousReproduceOutput {
+    readonly result: ReproductionResult;
+    readonly proof: ProofArtifact;
+    readonly enforcement: EnforcementDecision;
+}
+/**
+ * Full production composition: prepare an isolated checkout (the separate trust
+ * boundary), reproduce the claimed result inside it, decide enforcement, and
+ * ALWAYS clean up the worktree. A failed checkout => infra-error (never an
+ * auto-pass — we couldn't verify, so we don't silently allow).
+ */
+export declare function reproduceAutonomousRun(input: AutonomousReproduceInput, runners: AutonomousReproduceRunners): Promise<AutonomousReproduceOutput>;
+export interface WorkspaceReproduceInput {
+    /** The agent's workspace (its uncommitted changes are captured as the diff). */
+    readonly cwd: string;
+    readonly claimed: ClaimedChecks;
+    readonly commands: ReplayCommands;
+    /** A fresh, non-existent directory for the verifier-box worktree. */
+    readonly worktreeDir: string;
+    /** Paths to symlink from the workspace into the worktree (e.g. ["node_modules"]). */
+    readonly linkFromRepo?: readonly string[];
+}
+/**
+ * Capture the workspace's git state (HEAD as base + the uncommitted diff) and
+ * reproduce. Assumes the agent's changes are UNCOMMITTED (the common autonomous
+ * case): HEAD is the base and `git diff` is the agent's work. If the agent
+ * committed mid-run, the diff is empty and the clean base is reproduced.
+ */
+export declare function runWorkspaceReproduction(input: WorkspaceReproduceInput, runners: AutonomousReproduceRunners): Promise<AutonomousReproduceOutput>;

package/dist/verification/reproduction/autonomous-gate.js

@@ -0,0 +1,71 @@
+import { prepareVerifierCheckout } from "./checkout-prep.js";
+import { reproduceRun } from "./reproduce.js";
+import { decideReproductionVerdict, } from "./verdict.js";
+import { buildProofArtifact } from "./proof-artifact.js";
+import { enforceReproductionVerdict } from "./enforcement.js";
+/**
+ * Full production composition: prepare an isolated checkout (the separate trust
+ * boundary), reproduce the claimed result inside it, decide enforcement, and
+ * ALWAYS clean up the worktree. A failed checkout => infra-error (never an
+ * auto-pass — we couldn't verify, so we don't silently allow).
+ */
+export async function reproduceAutonomousRun(input, runners) {
+    const checkout = await prepareVerifierCheckout({
+        repoDir: input.repoDir,
+        baseRef: input.baseRef,
+        diffText: input.diffText,
+        worktreeDir: input.worktreeDir,
+        ...(input.linkFromRepo ? { linkFromRepo: input.linkFromRepo } : {}),
+    }, runners.git);
+    if (!checkout.ok) {
+        const result = decideReproductionVerdict({
+            claimed: input.claimed,
+            observed: { testsPass: null, typecheckPass: null, lintPass: null },
+            tampered: false,
+            infraError: `checkout:${checkout.error}`,
+        });
+        const proof = buildProofArtifact(result, input.diffText);
+        return { result, proof, enforcement: enforceReproductionVerdict(result.verdict) };
+    }
+    try {
+        const reproRunners = runners.mutation
+            ? { replay: runners.replay, mutation: runners.mutation }
+            : { replay: runners.replay };
+        const { result, proof } = await reproduceRun({
+            claimed: input.claimed,
+            changedPaths: input.changedPaths,
+            checkoutDir: checkout.checkout.checkoutDir,
+            commands: input.commands,
+            diffText: input.diffText,
+            mutationFiles: input.changedPaths,
+        }, reproRunners);
+        return { result, proof, enforcement: enforceReproductionVerdict(result.verdict) };
+    }
+    finally {
+        await checkout.checkout.cleanup();
+    }
+}
+/**
+ * Capture the workspace's git state (HEAD as base + the uncommitted diff) and
+ * reproduce. Assumes the agent's changes are UNCOMMITTED (the common autonomous
+ * case): HEAD is the base and `git diff` is the agent's work. If the agent
+ * committed mid-run, the diff is empty and the clean base is reproduced.
+ */
+export async function runWorkspaceReproduction(input, runners) {
+    const baseRef = (await runners.git.run(input.cwd, ["rev-parse", "HEAD"])).stdout.trim();
+    const diffText = (await runners.git.run(input.cwd, ["diff"])).stdout;
+    const changedPaths = (await runners.git.run(input.cwd, ["diff", "--name-only"])).stdout
+        .split("\n")
+        .map((s) => s.trim())
+        .filter(Boolean);
+    return reproduceAutonomousRun({
+        repoDir: input.cwd,
+        baseRef,
+        diffText,
+        changedPaths,
+        claimed: input.claimed,
+        commands: input.commands,
+        worktreeDir: input.worktreeDir,
+        ...(input.linkFromRepo ? { linkFromRepo: input.linkFromRepo } : {}),
+    }, runners);
+}

package/dist/verification/reproduction/checkout-prep.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Prepare the separate-trust-boundary checkout for verify-by-reproduction
+ * (spec §3.1, the missing prerequisite for a correct production trigger).
+ *
+ * The verifier box MUST run a CLEAN base checkout + ONLY the agent's diff — in
+ * a separate directory — so the agent's dirty workspace (runtime tampering,
+ * stray files, monkeypatched runners) can never influence the result. Running
+ * the replay in the agent's own `process.cwd()` would be the BenchJack V1
+ * violation this defeats.
+ */
+export interface GitRunner {
+    readonly run: (cwd: string, argv: readonly string[]) => Promise<{
+        exitCode: number;
+        stdout: string;
+        stderr: string;
+    }>;
+}
+/** Production GitRunner via execFile (argv-only, injection-safe). */
+export declare function buildExecGitRunner(): GitRunner;
+export interface PrepareCheckoutInput {
+    /** The agent's repository (the worktree is registered here). */
+    readonly repoDir: string;
+    /** The commit the agent started from (before its changes). */
+    readonly baseRef: string;
+    /** The agent's diff (unified, as from `git diff`). Empty = clean base. */
+    readonly diffText: string;
+    /** A fresh, non-existent directory for the detached worktree. */
+    readonly worktreeDir: string;
+    /**
+     * Paths (relative to repoDir) to symlink into the worktree after checkout —
+     * e.g. ["node_modules"]. A fresh worktree lacks gitignored deps, so without
+     * this the replay's `npm test` would fail on missing modules (a FALSE
+     * 'contradicted'). Deps are not the grading surface, so sharing them is safe.
+     */
+    readonly linkFromRepo?: readonly string[];
+}
+export interface VerifierCheckout {
+    readonly checkoutDir: string;
+    readonly cleanup: () => Promise<void>;
+}
+export type CheckoutResult = {
+    readonly ok: true;
+    readonly checkout: VerifierCheckout;
+} | {
+    readonly ok: false;
+    readonly error: string;
+};
+export declare function prepareVerifierCheckout(input: PrepareCheckoutInput, git: GitRunner): Promise<CheckoutResult>;

package/dist/verification/reproduction/checkout-prep.js

@@ -0,0 +1,78 @@
+import { writeFileSync, symlinkSync, existsSync } from "node:fs";
+import { join } from "node:path";
+/** Production GitRunner via execFile (argv-only, injection-safe). */
+export function buildExecGitRunner() {
+    return {
+        run: async (cwd, argv) => {
+            const { execFile } = await import("node:child_process");
+            return new Promise((resolve) => {
+                execFile("git", [...argv], { cwd, maxBuffer: 64 * 1024 * 1024 }, (error, stdout, stderr) => {
+                    const exitCode = error && typeof error.code === "number"
+                        ? Number(error.code)
+                        : error
+                            ? 1
+                            : 0;
+                    resolve({
+                        exitCode,
+                        stdout: stdout?.toString() ?? "",
+                        stderr: stderr?.toString() ?? (error instanceof Error ? error.message : ""),
+                    });
+                });
+            });
+        },
+    };
+}
+export async function prepareVerifierCheckout(input, git) {
+    const add = await git.run(input.repoDir, [
+        "worktree",
+        "add",
+        "--detach",
+        input.worktreeDir,
+        input.baseRef,
+    ]);
+    if (add.exitCode !== 0) {
+        return {
+            ok: false,
+            error: `worktree-add-failed:exit=${add.exitCode}:${add.stderr.trim().slice(0, 240)}`,
+        };
+    }
+    const cleanup = async () => {
+        await git.run(input.repoDir, ["worktree", "remove", "--force", input.worktreeDir]);
+    };
+    if (input.diffText.trim() !== "") {
+        const patchPath = join(input.worktreeDir, ".wotann-verify.patch");
+        try {
+            writeFileSync(patchPath, input.diffText, "utf-8");
+        }
+        catch (e) {
+            await cleanup();
+            return {
+                ok: false,
+                error: `patch-write-failed:${e instanceof Error ? e.message : String(e)}`,
+            };
+        }
+        const apply = await git.run(input.worktreeDir, ["apply", "--whitespace=nowarn", patchPath]);
+        if (apply.exitCode !== 0) {
+            await cleanup();
+            return {
+                ok: false,
+                error: `apply-failed:exit=${apply.exitCode}:${apply.stderr.trim().slice(0, 240)}`,
+            };
+        }
+    }
+    for (const rel of input.linkFromRepo ?? []) {
+        const src = join(input.repoDir, rel);
+        const dst = join(input.worktreeDir, rel);
+        // Best-effort: skip when the source is absent or the target already exists.
+        if (existsSync(src) && !existsSync(dst)) {
+            try {
+                symlinkSync(src, dst, "dir");
+            }
+            catch {
+                // A failed symlink just means the replay may hit missing deps and
+                // report a result the verdict logic handles — never a silent pass.
+            }
+        }
+    }
+    return { ok: true, checkout: { checkoutDir: input.worktreeDir, cleanup } };
+}

package/dist/verification/reproduction/diff-checker.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Grading-surface diff-checker (BenchJack V2/V8 defense). The agent's diff
+ * must touch ONLY source — never the test harness / its own grader. A diff
+ * that edits the grading surface is TAMPER, not a normal failure.
+ *
+ * NOTE: package.json is deliberately NOT protected here (legit dep edits are
+ * common); detecting edits to its `scripts.test` field specifically is a
+ * Phase-B field-level refinement.
+ */
+export declare const DEFAULT_PROTECTED_PATTERNS: readonly RegExp[];
+export interface TestAuthorship {
+    /** Matches files considered "tests" (whose edits are gated). */
+    readonly testFilePattern: RegExp;
+    /** Test files the agent legitimately created/edited THIS task (allowlisted). */
+    readonly authoredTestFiles: readonly string[];
+}
+export interface DiffCheckResult {
+    readonly tampered: boolean;
+    readonly offendingPaths: readonly string[];
+}
+/**
+ * Pure. `changedPaths` are repo-relative POSIX paths the agent's diff touched.
+ * A path is offending if it matches a protected pattern, OR it is a test file
+ * (per `authorship.testFilePattern`) that is not in `authoredTestFiles`.
+ */
+export declare function checkDiff(changedPaths: readonly string[], patterns?: readonly RegExp[], authorship?: TestAuthorship): DiffCheckResult;

package/dist/verification/reproduction/diff-checker.js

@@ -0,0 +1,33 @@
+/**
+ * Grading-surface diff-checker (BenchJack V2/V8 defense). The agent's diff
+ * must touch ONLY source — never the test harness / its own grader. A diff
+ * that edits the grading surface is TAMPER, not a normal failure.
+ *
+ * NOTE: package.json is deliberately NOT protected here (legit dep edits are
+ * common); detecting edits to its `scripts.test` field specifically is a
+ * Phase-B field-level refinement.
+ */
+export const DEFAULT_PROTECTED_PATTERNS = Object.freeze([
+    /(^|\/)conftest\.py$/,
+    /(^|\/)pytest\.ini$/,
+    /(^|\/)tox\.ini$/,
+    /(^|\/)(jest|vitest|playwright)\.config\.[cm]?[jt]s$/,
+    /(^|\/)\.mocharc\.[a-z]+$/,
+    /(^|\/)\.git(\/|$)/,
+]);
+/**
+ * Pure. `changedPaths` are repo-relative POSIX paths the agent's diff touched.
+ * A path is offending if it matches a protected pattern, OR it is a test file
+ * (per `authorship.testFilePattern`) that is not in `authoredTestFiles`.
+ */
+export function checkDiff(changedPaths, patterns = DEFAULT_PROTECTED_PATTERNS, authorship) {
+    const authored = new Set(authorship?.authoredTestFiles ?? []);
+    const offendingPaths = changedPaths.filter((p) => {
+        if (patterns.some((re) => re.test(p)))
+            return true;
+        if (authorship && authorship.testFilePattern.test(p) && !authored.has(p))
+            return true;
+        return false;
+    });
+    return { tampered: offendingPaths.length > 0, offendingPaths };
+}

package/dist/verification/reproduction/enforcement.d.ts

@@ -0,0 +1,14 @@
+import type { ReproductionVerdict } from "./verdict.js";
+export type EnforcementAction = "allow" | "block" | "surface" | "escalate";
+export interface EnforcementDecision {
+    readonly action: EnforcementAction;
+    readonly reason: string;
+}
+/**
+ * Asymmetric enforcement (spec §3.2). A false PASS is the moat-killer; a false
+ * BLOCK is recoverable — so reproduction-sourced tamper/contradicted HARD-BLOCK,
+ * while weaker signals surface or escalate. Keyed on the REPRODUCTION verdict
+ * (trustworthy, executable) — never on bare LLM-judge text (the TNR<25% yes-man
+ * problem is exactly why the enforce-flip waited for the reproduction channel).
+ */
+export declare function enforceReproductionVerdict(verdict: ReproductionVerdict): EnforcementDecision;

package/dist/verification/reproduction/enforcement.js

@@ -0,0 +1,30 @@
+/**
+ * Asymmetric enforcement (spec §3.2). A false PASS is the moat-killer; a false
+ * BLOCK is recoverable — so reproduction-sourced tamper/contradicted HARD-BLOCK,
+ * while weaker signals surface or escalate. Keyed on the REPRODUCTION verdict
+ * (trustworthy, executable) — never on bare LLM-judge text (the TNR<25% yes-man
+ * problem is exactly why the enforce-flip waited for the reproduction channel).
+ */
+export function enforceReproductionVerdict(verdict) {
+    switch (verdict) {
+        case "tamper":
+            return { action: "block", reason: "diff tampered with the grading surface" };
+        case "contradicted":
+            return {
+                action: "block",
+                reason: "claimed success contradicted by independent reproduction",
+            };
+        case "weak-tests":
+            return {
+                action: "surface",
+                reason: "reproduction passed but tests are too weak to trust (low mutation score)",
+            };
+        case "infra-error":
+            return {
+                action: "escalate",
+                reason: "could not reproduce — verify manually before trusting",
+            };
+        case "reproduced":
+            return { action: "allow", reason: "independently reproduced in a separate trust boundary" };
+    }
+}

package/dist/verification/reproduction/exec-runner.d.ts

@@ -0,0 +1,15 @@
+import type { ReplayRunner } from "./replay-runner.js";
+/**
+ * Production `ReplayRunner` backed by `child_process.execFile` (argv-only — no
+ * shell interpolation, so injection-safe regardless of the command content,
+ * matching the codebase's execFileNoThrow contract). Runs the claimed commands
+ * inside `dir`, the verifier-box checkout.
+ *
+ * Honest probe: confirms the Node interpreter is runnable; reports the failure
+ * explicitly otherwise (so runReplay emits `infra-error`, never a silent pass).
+ *
+ * Trust-boundary note: this runs on the HOST in a given directory. Full
+ * separate-trust-boundary isolation (a container, per spec §3.1) is the deferred
+ * production hardening — this is the host-dir baseline so the loop runs for real.
+ */
+export declare function buildExecReplayRunner(): ReplayRunner;

package/dist/verification/reproduction/exec-runner.js

@@ -0,0 +1,47 @@
+/**
+ * Production `ReplayRunner` backed by `child_process.execFile` (argv-only — no
+ * shell interpolation, so injection-safe regardless of the command content,
+ * matching the codebase's execFileNoThrow contract). Runs the claimed commands
+ * inside `dir`, the verifier-box checkout.
+ *
+ * Honest probe: confirms the Node interpreter is runnable; reports the failure
+ * explicitly otherwise (so runReplay emits `infra-error`, never a silent pass).
+ *
+ * Trust-boundary note: this runs on the HOST in a given directory. Full
+ * separate-trust-boundary isolation (a container, per spec §3.1) is the deferred
+ * production hardening — this is the host-dir baseline so the loop runs for real.
+ */
+export function buildExecReplayRunner() {
+    return {
+        probe: async () => {
+            const { execFile } = await import("node:child_process");
+            return new Promise((resolve) => {
+                execFile(process.execPath, ["--version"], (error) => {
+                    resolve(error
+                        ? { ok: false, reason: error instanceof Error ? error.message : String(error) }
+                        : { ok: true });
+                });
+            });
+        },
+        runInDir: async (dir, argv) => {
+            const { execFile } = await import("node:child_process");
+            const [file, ...rest] = argv;
+            if (!file)
+                return { exitCode: 1, stdout: "", stderr: "empty argv" };
+            return new Promise((resolve) => {
+                execFile(file, rest, { cwd: dir, maxBuffer: 10 * 1024 * 1024 }, (error, stdout, stderr) => {
+                    const exitCode = error && typeof error.code === "number"
+                        ? Number(error.code)
+                        : error
+                            ? 1
+                            : 0;
+                    resolve({
+                        exitCode,
+                        stdout: stdout?.toString() ?? "",
+                        stderr: stderr?.toString() ?? (error instanceof Error ? error.message : ""),
+                    });
+                });
+            });
+        },
+    };
+}

package/dist/verification/reproduction/index.d.ts

@@ -0,0 +1,10 @@
+export { decideReproductionVerdict, type ReproductionVerdict, type ClaimedChecks, type ObservedChecks, type ReproductionInput, type ReproductionResult, } from "./verdict.js";
+export { checkDiff, DEFAULT_PROTECTED_PATTERNS, type DiffCheckResult, type TestAuthorship, } from "./diff-checker.js";
+export { runReplay, type ReplayRunner, type ReplayCommands, type ReplayInput, } from "./replay-runner.js";
+export { buildProofArtifact, type ProofArtifact } from "./proof-artifact.js";
+export { gateMutation, runMutationGate, DEFAULT_MUTATION_THRESHOLD, type MutationResult, type MutationGateResult, type MutationRunner, } from "./mutation-gate.js";
+export { enforceReproductionVerdict, type EnforcementAction, type EnforcementDecision, } from "./enforcement.js";
+export { reproduceRun, type ReproduceInput, type ReproduceRunners, type ReproduceOutput, } from "./reproduce.js";
+export { buildExecReplayRunner } from "./exec-runner.js";
+export { prepareVerifierCheckout, buildExecGitRunner, type GitRunner, type PrepareCheckoutInput, type VerifierCheckout, type CheckoutResult, } from "./checkout-prep.js";
+export { reproduceAutonomousRun, runWorkspaceReproduction, type AutonomousReproduceInput, type AutonomousReproduceRunners, type AutonomousReproduceOutput, type WorkspaceReproduceInput, } from "./autonomous-gate.js";

package/dist/verification/reproduction/index.js

@@ -0,0 +1,10 @@
+export { decideReproductionVerdict, } from "./verdict.js";
+export { checkDiff, DEFAULT_PROTECTED_PATTERNS, } from "./diff-checker.js";
+export { runReplay, } from "./replay-runner.js";
+export { buildProofArtifact } from "./proof-artifact.js";
+export { gateMutation, runMutationGate, DEFAULT_MUTATION_THRESHOLD, } from "./mutation-gate.js";
+export { enforceReproductionVerdict, } from "./enforcement.js";
+export { reproduceRun, } from "./reproduce.js";
+export { buildExecReplayRunner } from "./exec-runner.js";
+export { prepareVerifierCheckout, buildExecGitRunner, } from "./checkout-prep.js";
+export { reproduceAutonomousRun, runWorkspaceReproduction, } from "./autonomous-gate.js";

package/dist/verification/reproduction/mutation-gate.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Mutation gate (BenchJack V6 defense): a green test run is worthless if the
+ * tests have no real assertions ("100% coverage, 0% mutation score"). Mutate
+ * the changed code; if the agent's OWN tests don't kill enough mutants,
+ * downgrade a "reproduced" verdict to "weak-tests".
+ *
+ * The gate DECISION is pure. Running the mutation tool (Stryker/mutmut) inside
+ * the verifier box is the injected `MutationRunner` (production wiring deferred,
+ * same DI pattern as replay-runner / vm-isolation).
+ */
+export interface MutationResult {
+    readonly killed: number;
+    readonly total: number;
+}
+export interface MutationGateResult {
+    readonly weakTests: boolean;
+    readonly score: number;
+    readonly threshold: number;
+    readonly reason?: string;
+}
+export declare const DEFAULT_MUTATION_THRESHOLD = 0.6;
+/**
+ * Pure. `total <= 0` means no mutants were generated — the tests do not
+ * exercise the changed code at all — which is the worst case, so it is `weak`.
+ */
+export declare function gateMutation(result: MutationResult, threshold?: number): MutationGateResult;
+/** Injected runner (DI like replay-runner). Production wires Stryker/mutmut; tests stub. */
+export interface MutationRunner {
+    readonly probe: () => Promise<{
+        ok: boolean;
+        reason?: string;
+    }>;
+    readonly run: (dir: string, changedFiles: readonly string[]) => Promise<MutationResult>;
+}
+/**
+ * Honest stub: a failed probe means the mutation tool is unavailable. Mutation
+ * testing is a BONUS downgrade (the reproduction channel carries enforcement),
+ * so "unavailable" does NOT set `weakTests` — it just records why it was skipped.
+ */
+export declare function runMutationGate(dir: string, changedFiles: readonly string[], runner: MutationRunner, threshold?: number): Promise<MutationGateResult & {
+    readonly unavailable?: string;
+}>;

package/dist/verification/reproduction/mutation-gate.js

@@ -0,0 +1,43 @@
+export const DEFAULT_MUTATION_THRESHOLD = 0.6;
+/**
+ * Pure. `total <= 0` means no mutants were generated — the tests do not
+ * exercise the changed code at all — which is the worst case, so it is `weak`.
+ */
+export function gateMutation(result, threshold = DEFAULT_MUTATION_THRESHOLD) {
+    if (result.total <= 0) {
+        return {
+            weakTests: true,
+            score: 0,
+            threshold,
+            reason: "no mutants generated — tests do not exercise the changed code",
+        };
+    }
+    const score = result.killed / result.total;
+    if (score < threshold) {
+        return {
+            weakTests: true,
+            score,
+            threshold,
+            reason: `mutation score ${score.toFixed(2)} < threshold ${threshold}`,
+        };
+    }
+    return { weakTests: false, score, threshold };
+}
+/**
+ * Honest stub: a failed probe means the mutation tool is unavailable. Mutation
+ * testing is a BONUS downgrade (the reproduction channel carries enforcement),
+ * so "unavailable" does NOT set `weakTests` — it just records why it was skipped.
+ */
+export async function runMutationGate(dir, changedFiles, runner, threshold = DEFAULT_MUTATION_THRESHOLD) {
+    const probe = await runner.probe();
+    if (!probe.ok) {
+        return {
+            weakTests: false,
+            score: 0,
+            threshold,
+            unavailable: `mutation:unavailable${probe.reason ? `:${probe.reason}` : ""}`,
+        };
+    }
+    const result = await runner.run(dir, changedFiles);
+    return gateMutation(result, threshold);
+}

package/dist/verification/reproduction/proof-artifact.d.ts

@@ -0,0 +1,16 @@
+import { type ChainExport } from "../../security/hash-audit-chain.js";
+import type { ReproductionResult, ReproductionVerdict, ClaimedChecks, ObservedChecks } from "./verdict.js";
+/**
+ * The verdict is a first-class, hash-chained, harness-signed PROOF ARTIFACT —
+ * not a bare boolean. `chainExport` is tamper-evident (SHA-256 linked); any
+ * post-hoc edit to the recorded verdict/observed breaks `HashAuditChain.verify()`.
+ */
+export interface ProofArtifact {
+    readonly verdict: ReproductionVerdict;
+    readonly diffCid: string;
+    readonly claimed: ClaimedChecks;
+    readonly observed: ObservedChecks;
+    readonly contradictions: readonly string[];
+    readonly chainExport: ChainExport;
+}
+export declare function buildProofArtifact(result: ReproductionResult, diffText: string, actor?: string): ProofArtifact;

package/dist/verification/reproduction/proof-artifact.js

@@ -0,0 +1,22 @@
+import { HashAuditChain } from "../../security/hash-audit-chain.js";
+import { cidOf } from "../../core/content-cid.js";
+export function buildProofArtifact(result, diffText, actor = "wotann-verifier") {
+    const diffCid = cidOf(diffText);
+    const chain = new HashAuditChain();
+    chain.append("reproduction.verdict", actor, {
+        verdict: result.verdict,
+        diffCid,
+        claimed: result.claimed,
+        observed: result.observed,
+        contradictions: result.contradictions,
+        ...(result.infraError ? { infraError: result.infraError } : {}),
+    });
+    return {
+        verdict: result.verdict,
+        diffCid,
+        claimed: result.claimed,
+        observed: result.observed,
+        contradictions: result.contradictions,
+        chainExport: chain.exportChain(),
+    };
+}

package/dist/verification/reproduction/replay-runner.d.ts

@@ -0,0 +1,37 @@
+import type { ObservedChecks } from "./verdict.js";
+/**
+ * Structural runner (mirrors VmRunner in computer-use/vm-isolation.ts). Tests
+ * inject an in-memory stub; production wires this to run argv INSIDE the
+ * verifier box (container/sandbox = the separate trust boundary). Argv-only,
+ * never a shell string — no interpolation.
+ */
+export interface ReplayRunner {
+    readonly probe: () => Promise<{
+        ok: boolean;
+        reason?: string;
+    }>;
+    readonly runInDir: (dir: string, argv: readonly string[]) => Promise<{
+        exitCode: number;
+        stdout: string;
+        stderr: string;
+    }>;
+}
+export interface ReplayCommands {
+    readonly test?: readonly string[];
+    readonly typecheck?: readonly string[];
+    readonly lint?: readonly string[];
+}
+export interface ReplayInput {
+    /** The clean, applied-diff checkout in the verifier box (separate trust boundary). */
+    readonly checkoutDir: string;
+    readonly commands: ReplayCommands;
+}
+/**
+ * Re-run the claimed commands in the verifier box and report the HARNESS's own
+ * pass/fail (exit code 0 = pass). NEVER reads the agent's self-reported result.
+ * Honest stub: a failed probe yields all-null observed + infraError, so the
+ * verdict logic emits `infra-error` and never auto-passes.
+ */
+export declare function runReplay(input: ReplayInput, runner: ReplayRunner): Promise<ObservedChecks & {
+    readonly infraError?: string;
+}>;

package/dist/verification/reproduction/replay-runner.js

@@ -0,0 +1,28 @@
+/**
+ * Re-run the claimed commands in the verifier box and report the HARNESS's own
+ * pass/fail (exit code 0 = pass). NEVER reads the agent's self-reported result.
+ * Honest stub: a failed probe yields all-null observed + infraError, so the
+ * verdict logic emits `infra-error` and never auto-passes.
+ */
+export async function runReplay(input, runner) {
+    const probe = await runner.probe();
+    if (!probe.ok) {
+        return {
+            testsPass: null,
+            typecheckPass: null,
+            lintPass: null,
+            infraError: `replay:unavailable${probe.reason ? `:${probe.reason}` : ""}`,
+        };
+    }
+    const observe = async (argv) => {
+        if (!argv || argv.length === 0)
+            return null;
+        const r = await runner.runInDir(input.checkoutDir, argv);
+        return r.exitCode === 0;
+    };
+    return {
+        testsPass: await observe(input.commands.test),
+        typecheckPass: await observe(input.commands.typecheck),
+        lintPass: await observe(input.commands.lint),
+    };
+}

package/dist/verification/reproduction/reproduce.d.ts

@@ -0,0 +1,34 @@
+import { type TestAuthorship } from "./diff-checker.js";
+import { type ReplayRunner, type ReplayCommands } from "./replay-runner.js";
+import { type MutationRunner } from "./mutation-gate.js";
+import { type ClaimedChecks, type ReproductionResult } from "./verdict.js";
+import { type ProofArtifact } from "./proof-artifact.js";
+export interface ReproduceInput {
+    readonly claimed: ClaimedChecks;
+    /** Repo-relative POSIX paths the agent's diff touched. */
+    readonly changedPaths: readonly string[];
+    /** The clean, applied-diff checkout in the verifier box (separate trust boundary). */
+    readonly checkoutDir: string;
+    readonly commands: ReplayCommands;
+    /** The diff text (for the proof artifact's content identity). */
+    readonly diffText: string;
+    readonly authorship?: TestAuthorship;
+    /** Changed source files to mutation-test (Phase-B bonus gate). */
+    readonly mutationFiles?: readonly string[];
+}
+export interface ReproduceRunners {
+    readonly replay: ReplayRunner;
+    /** Optional — when present and the reproduction is clean, gates weak-tests. */
+    readonly mutation?: MutationRunner;
+}
+export interface ReproduceOutput {
+    readonly result: ReproductionResult;
+    readonly proof: ProofArtifact;
+}
+/**
+ * Compose the reproduction library into one call: tamper-check the diff, replay
+ * the claimed commands in the verifier box (capturing the harness's OWN result),
+ * optionally mutation-gate a clean reproduction, decide the verdict, and emit
+ * the hash-chained proof artifact. Pure orchestration over injected runners.
+ */
+export declare function reproduceRun(input: ReproduceInput, runners: ReproduceRunners): Promise<ReproduceOutput>;

package/dist/verification/reproduction/reproduce.js

@@ -0,0 +1,31 @@
+import { checkDiff } from "./diff-checker.js";
+import { runReplay } from "./replay-runner.js";
+import { runMutationGate } from "./mutation-gate.js";
+import { decideReproductionVerdict, } from "./verdict.js";
+import { buildProofArtifact } from "./proof-artifact.js";
+/**
+ * Compose the reproduction library into one call: tamper-check the diff, replay
+ * the claimed commands in the verifier box (capturing the harness's OWN result),
+ * optionally mutation-gate a clean reproduction, decide the verdict, and emit
+ * the hash-chained proof artifact. Pure orchestration over injected runners.
+ */
+export async function reproduceRun(input, runners) {
+    const diff = checkDiff(input.changedPaths, undefined, input.authorship);
+    const observed = await runReplay({ checkoutDir: input.checkoutDir, commands: input.commands }, runners.replay);
+    // The mutation gate is a BONUS downgrade — only meaningful on an otherwise
+    // clean reproduction (skip it when we already have tamper or infra-error).
+    let weakTests = false;
+    if (runners.mutation && !diff.tampered && !observed.infraError) {
+        const gate = await runMutationGate(input.checkoutDir, input.mutationFiles ?? [], runners.mutation);
+        weakTests = gate.weakTests;
+    }
+    const result = decideReproductionVerdict({
+        claimed: input.claimed,
+        observed,
+        tampered: diff.tampered,
+        weakTests,
+        infraError: observed.infraError,
+    });
+    const proof = buildProofArtifact(result, input.diffText);
+    return { result, proof };
+}

package/dist/verification/reproduction/verdict.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Reproduction verdict — the harness's OWN judgment, produced by re-running
+ * the claimed work in a separate trust boundary. NEVER the agent's self-report
+ * (that is the V7 violation this whole module exists to defeat).
+ */
+export type ReproductionVerdict = "reproduced" | "contradicted" | "weak-tests" | "tamper" | "infra-error";
+export interface ClaimedChecks {
+    readonly testsPass: boolean;
+    readonly typecheckPass: boolean;
+    readonly lintPass: boolean;
+}
+/** `null` = the check was not run / unavailable, so it cannot contradict a claim. */
+export interface ObservedChecks {
+    readonly testsPass: boolean | null;
+    readonly typecheckPass: boolean | null;
+    readonly lintPass: boolean | null;
+}
+export interface ReproductionInput {
+    readonly claimed: ClaimedChecks;
+    readonly observed: ObservedChecks;
+    readonly tampered: boolean;
+    /** Set by the Phase-B mutation gate; Phase A never sets it. */
+    readonly weakTests?: boolean;
+    /** Set when the replay could not run at all. */
+    readonly infraError?: string;
+}
+export interface ReproductionResult {
+    readonly verdict: ReproductionVerdict;
+    readonly claimed: ClaimedChecks;
+    readonly observed: ObservedChecks;
+    readonly contradictions: readonly string[];
+    readonly infraError?: string;
+}
+/**
+ * Pure decision. Precedence (a false PASS is the moat-killer; a false BLOCK is
+ * recoverable, so we bias toward blocking): tamper > infra-error > contradicted
+ * > weak-tests > reproduced.
+ */
+export declare function decideReproductionVerdict(input: ReproductionInput): ReproductionResult;

package/dist/verification/reproduction/verdict.js

@@ -0,0 +1,40 @@
+const CHECKS = [
+    { name: "tests", claimedKey: "testsPass", observedKey: "testsPass" },
+    { name: "typecheck", claimedKey: "typecheckPass", observedKey: "typecheckPass" },
+    { name: "lint", claimedKey: "lintPass", observedKey: "lintPass" },
+];
+/**
+ * Pure decision. Precedence (a false PASS is the moat-killer; a false BLOCK is
+ * recoverable, so we bias toward blocking): tamper > infra-error > contradicted
+ * > weak-tests > reproduced.
+ */
+export function decideReproductionVerdict(input) {
+    const contradictions = [];
+    for (const c of CHECKS) {
+        const claimed = input.claimed[c.claimedKey];
+        const observed = input.observed[c.observedKey];
+        // Only a claimed-PASS that the harness observed as FAIL is a contradiction.
+        // observed === null means "not run", which cannot contradict anything.
+        if (claimed === true && observed === false) {
+            contradictions.push(`${c.name}: agent claimed pass, harness observed fail`);
+        }
+    }
+    let verdict;
+    if (input.tampered)
+        verdict = "tamper";
+    else if (input.infraError)
+        verdict = "infra-error";
+    else if (contradictions.length > 0)
+        verdict = "contradicted";
+    else if (input.weakTests)
+        verdict = "weak-tests";
+    else
+        verdict = "reproduced";
+    return {
+        verdict,
+        claimed: input.claimed,
+        observed: input.observed,
+        contradictions,
+        ...(input.infraError ? { infraError: input.infraError } : {}),
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wotann",
-  "version": "0.5.96",
+  "version": "0.5.97",
   "description": "WOTANN — The All-Father of AI Agent Harnesses",
   "type": "module",
   "main": "dist/index.js",