rexecop 0.2.2a0__tar.gz

rexecop-0.2.2a0/.cursor/rules/github-workflow-hybrid.mdc

@@ -0,0 +1,69 @@
+---
+description: Hybrid GitHub workflow for rozmiarD/RExecOP (PR vs push-to-main)
+alwaysApply: true
+---
+
+# GitHub workflow — hybrid hard rule
+
+Repository: `rozmiarD/RExecOP` only. Never use other GitHub accounts or repos.
+
+All remote git/gh operations MUST use:
+
+```bash
+/home/probo/.openclaw/workspace/scripts/github-rozmiard-token.sh --exec -- <cmd>
+```
+
+Never put `Co-authored-by` in commit messages.
+
+## Before any push
+
+Run locally and fix failures first:
+
+```bash
+ruff check .
+mypy src/rexecop
+pytest
+```
+
+## When to use PR + merge (default for roadmap work)
+
+Use branch → push → PR → CI green → merge → sync `main` when ANY of:
+
+- roadmap phase or milestone delivery
+- new or changed dependencies (`pyproject.toml`)
+- external integration (GovEngine, SCLite, connectors)
+- non-trivial feature/refactor touching multiple modules
+
+Branch naming: `phase-<id>-<short-topic>` or `fix-<short-topic>`.
+
+## When to push directly to `main`
+
+Allowed only when ALL of:
+
+- small follow-up after a merged PR (docs typo, test fix, review nits)
+- no dependency or integration boundary changes
+- local `ruff` + `mypy` + `pytest` already green
+
+Still run CI on `main` after push; do not assume local-only green is enough.
+
+## Anti-tokenwaste PR checks
+
+Prefer one status poll over blocking watch loops:
+
+```bash
+gh pr checks <n>    # single check; retry only if still pending
+```
+
+Use `gh pr checks --watch` only when the user explicitly asks to wait.
+
+## After merge
+
+```bash
+git checkout main && git pull origin main
+```
+
+Update roadmap status in `/home/probo/projects/audit/rexecoproadmap.txt` when a phase completes.
+
+## On CI failure
+
+Fix on the same branch/PR. Never force-push `main`. Never skip hooks unless the user explicitly requests it.

rexecop-0.2.2a0/.github/workflows/ci.yml

@@ -0,0 +1,92 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        with:
+          repository: rozmiarD/tecrax
+          path: tecrax
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install
+        run: |
+          python -m pip install -e ./tecrax
+          python -m pip install -e ".[dev]"
+
+      - name: Validate public truth
+        run: python scripts/validate_public_truth.py
+
+      - name: Ruff
+        run: ruff check . --exclude tecrax
+
+      - name: Mypy
+        run: mypy src/rexecop
+
+      - name: Core boundary check
+        run: |
+          if rg -l 'tecrax_profile|import tecrax' src/rexecop; then
+            echo "domain import detected in rexecop core"
+            exit 1
+          fi
+          if rg -n 'rexecop-fixture-guard-key' src/rexecop/adapters/sclite_port/full_bundle.py; then
+            echo "fixture guard key must not ship in production full_bundle module"
+            exit 1
+          fi
+
+      - name: Secret scan (basic)
+        run: bash scripts/secret_scan.sh
+
+      - name: Package install smoke
+        run: |
+          rexecop version
+          rexecop --help
+
+      - name: Pytest
+        run: pytest
+
+  package-dry-run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tooling and runtime dependencies
+        run: |
+          python -m pip install --upgrade pip build twine
+          python -m pip install "govengine>=0.12.2a0,<0.15" "sclite-core>=1.0.1,<1.1"
+
+      - name: Clean build artifacts
+        run: rm -rf dist build *.egg-info
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package metadata
+        run: python -m twine check dist/*
+
+      - name: Wheel install smoke
+        run: |
+          python -m venv /tmp/rexecop-wheel-smoke
+          /tmp/rexecop-wheel-smoke/bin/python -m pip install --upgrade pip
+          /tmp/rexecop-wheel-smoke/bin/python -m pip install \
+            "govengine>=0.12.2a0,<0.15" "sclite-core>=1.0.1,<1.1"
+          /tmp/rexecop-wheel-smoke/bin/python -m pip install dist/*.whl
+          /tmp/rexecop-wheel-smoke/bin/python -m pip check
+          /tmp/rexecop-wheel-smoke/bin/rexecop version
+          /tmp/rexecop-wheel-smoke/bin/python -c "import importlib.metadata as md, rexecop; assert md.version('rexecop') == rexecop.__version__"

rexecop-0.2.2a0/.github/workflows/publish.yml

@@ -0,0 +1,44 @@
+name: Publish PyPI
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Package version to publish (must match pyproject.toml)
+        required: true
+        default: "0.2.2a0"
+
+permissions:
+  contents: read
+
+jobs:
+  publish-rexecop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Validate version and public truth
+        run: |
+          python scripts/validate_public_truth.py
+          test "$(python -c 'import tomllib; print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')" = "${{ inputs.version }}"
+
+      - name: Install build tooling
+        run: python -m pip install --upgrade pip build twine
+
+      - name: Build package
+        run: |
+          rm -rf dist build *.egg-info
+          python -m build
+
+      - name: Check metadata
+        run: python -m twine check dist/*
+
+      - name: Publish to PyPI
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: python -m twine upload dist/*

rexecop-0.2.2a0/.gitignore

@@ -0,0 +1,14 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.eggs/
+dist/
+build/
+.venv/
+venv/
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+.rexecop/
+*.egg

rexecop-0.2.2a0/.python-version

@@ -0,0 +1 @@
+3.11

rexecop-0.2.2a0/CHANGELOG.md

@@ -0,0 +1,199 @@
+# Changelog
+
+All notable changes to RExecOp (`rexecop`) are documented here.
+
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).  
+Versioning: `0.1.0a0` declares the **alpha gate** (roadmap Phase 10). Prior `0.x.0a0` lines
+tracked incremental roadmap delivery.
+
+## [0.2.2a0] - 2026-06-16
+
+### Public PyPI (`15.1c`) and documentation clarity
+
+- Clarify stack diagram: GovEngine gates mutating admission; RExecOp projects lifecycle into SCLite artifacts
+- Publish `rexecop` to PyPI; update [docs/distribution.md](docs/distribution.md) and public-truth validators
+- Canonical delivery test scope (`pytest -m delivery`) and composite runtime routing tests (from `0.2.1a0` batch)
+
+## [0.2.1a0] - 2026-06-20
+
+### Domain connector backend plugin (`tecrax_proxmox`)
+
+- `CompositeConnectorRuntime` routes `backend: <registered EP>` via `load_connector_backend_for_connector`
+- Tecrax: `tecrax_proxmox` entry point builds Proxmox `http_api` config from templates
+- Alpha sign-off: `docs/alpha-sign-off.md`, record template, `scripts/run_alpha_signoff_checks.sh`
+- Delivery coverage: canonical scope in `tests/delivery_scope.py`, `pytest -m delivery`, `test_composite_runtime_routing.py`
+
+## [0.2.0a0] - 2026-06-18
+
+### Phase 15 — distribution & E2E runbook
+
+- CI `package-dry-run` job: `python -m build`, `twine check`, wheel install smoke
+- [docs/distribution.md](docs/distribution.md): source, wheel, Git URL, private index guidance
+- `OPERATOR_LAB_RUNBOOK.md`: full profile → GovEngine → SCLite E2E walkthrough
+- Lab sections for GovEngine adapter posture and evidence vs SCLite authority
+- Worker smoke checklist; package build smoke aligned with CI
+
+## [0.1.5a0] - 2026-06-18
+
+### Phase 14 — connectors
+
+- `http_api`: configurable retry backoff (`base_delay`, `max_delay`), action-level retry override
+- `http_api`: optional pagination (`items_path`, `next_path`, `max_pages`)
+- `http_api`: HTTP `error_class` mapping with redacted `body_snippet` on failures
+- `local_shell_readonly`: allowlist validation via `govengine.execution.command_shape`
+- `ssh_readonly` connector (temporary read-only allowlist; documented non-production policy path)
+- Staging HTTP stub: paginated and transient/auth-error endpoints for lab tests
+- Tecrax: `tecrax.connectors.proxmox.build_http_api_connector_config()` templates
+
+## [0.1.4a2] - 2026-06-17
+
+### Phase 13.3 — fixture path isolation
+
+- `REXECOP_FIXTURE_GUARD_KEY` moved to `fixture_bundle.py` (tests/lab only)
+- Production `emit_operation_bundle` skips kernel guard unless `REXECOP_KERNEL_GUARD_KEY` is set
+- `emit_fixture_operation_bundle` for CI/lab bundles with fixture HMAC sidecar
+- `export_placeholder_receipt` deprecated; implementation in `rexecop.examples.bootstrap_receipt`
+- CI boundary grep: fixture key must not appear in `full_bundle.py`
+
+## [0.1.4a1] - 2026-06-17
+
+### Phase 13.2 — execution receipt honesty
+
+- `executed_command_count` and `network_execution_performed` derived from connector
+  `step_completed` evidence and `shared_state.connector_results`
+- Ticket `max_runs` aligned with planned connector step count; relaxed strict profile for multi-connector plans
+- Dry-run receipts keep `receipt_does_not_claim_live_target_execution` non-claim
+- E2E assertions on staging `http_api` receipts
+
+## [0.1.4a0] - 2026-06-17
+
+### Phase 13.1 — SQLite storage backend
+
+- `SqliteStore` implementing `OperationStoragePort` for operations, plans, and evidence
+- Storage factory: `REXECOP_STORAGE=file|sqlite` or CLI `--storage`
+- SCLite bundles, receipts, approvals, queue, and locks remain on disk under `.rexecop/`
+- Parametrized tests: file vs sqlite backend parity
+
+## [0.1.3a0] - 2026-06-17
+
+### Phase 12 — runtime worker & triggery
+
+- `rexecop worker run` with `--once`, `--poll-interval`, `--max-iterations`, `--watch-inbox`
+- `rexecop queue --drain` one-shot queue processing
+- `rexecop trigger` from JSON stdin or CLI flags; evidence `operation_triggered`
+- `docs/operator-scheduler-pattern.md` (systemd/cron pattern — host-owned scheduling)
+
+## [0.1.2a0] - 2026-06-17
+
+### Phase 11 — neutral core
+
+- Internal action plugin registry (`rexecop.internal_actions` entry points)
+- Connector fixture loader (`rexecop.connector_backends` entry points)
+- Generic `MockConnectorRuntime` in core; domain mock moved to `tecrax` (`tecrax_fixture`)
+- `http-health-fixture` profile + `http_health_check` golden-path E2E (http_api-only)
+- `InMemoryStore` for tests; storage boundary documented
+- `OPERATOR_LAB_RUNBOOK.md` for lab validation
+- Requires `tecrax>=0.3.1a0` for domain handlers and offline fixture mock
+
+## [0.1.1a0] - 2026-06-17
+
+### Profile consolidation
+
+- Tecrax RExecOp profile now ships in [`tecrax`](https://github.com/rozmiarD/tecrax) (`tecrax:profile_root`)
+- Optional dependency `tecrax>=0.3.0a0` replaces `tecrax-profile`
+- CI checks out `rozmiarD/tecrax` instead of `tecrax-profile`
+- Docs and runbook updated; `tecrax-profile` repo retired
+
+## [0.1.0a0] - 2026-06-17
+
+### Alpha gate (Phase 10)
+
+- Declares RExecOp **alpha** for operator evaluation with documented limits
+- Adds `OPERATOR_RUNBOOK.md`, `docs/known-limitations.md`, `CHANGELOG.md`
+- CI: basic secret scan (`scripts/secret_scan.sh`), package install smoke
+- Version reset to `0.1.0a0` as the alpha release line
+
+### Included from Phases 0–9
+
+- Operation core: state machine, `OperationPlan`, file storage, evidence with redaction
+- GovEngine port: real `GovEngineClient` + bootstrap `StaticGovEngineAdapter`
+- SCLite port: full GovEngine-integration bundle (scoped ticket v0.3, review pass)
+- Vertical slices: `check_backup_status` (read-only), `restart_zabbix_agent` (apply)
+- Orchestration: approve, pause, resume, cancel, retry, rollback, queue, target lock, maintenance
+- External `tecrax-profile` package integration (`rexecop.profiles` entry point)
+- Connectors: `mock`, `http_api`, `local_shell_readonly`; secrets port
+- 97 pytest tests; document truth pass on README and `docs/`
+
+### Alpha claims
+
+Allowed: GovEngine-bound control-plane, profile-defined workflows, SCLite emission on
+completion, mock and `http_api` read-only paths.
+
+Not claimed: production governance authority, full Tecrax product, HA scheduler, UI,
+unmanned apply on critical targets.
+
+## [0.11.0a0] - 2026-06-17
+
+### Phase 9 — Production connectors
+
+- `http_api` config-driven REST connector
+- `local_shell_readonly` allowlisted commands
+- `CompositeConnectorRuntime` and secrets port (`REXECOP_SECRET_*`, `REXECOP_SECRETS_FILE`)
+- Staging environment template and E2E tests
+
+## [0.10.0a0] - 2026-06-17
+
+### Phase 8 — Tecrax profile package
+
+- External `tecrax-profile` repo with `rexecop.profiles` entry point
+- Profile resolver and declarative validation rules in profile YAML
+- CI boundary grep for domain imports in core
+
+## [0.9.0a0] - 2026-06-16
+
+### Phase 6 — Operational maturity
+
+- Target lock, FIFO queue, maintenance windows, rollback executor
+- `OperationStoragePort` protocol; CLI `retry`, `rollback`, `queue`
+
+## [0.8.0a0] - 2026-06-16
+
+### Phase 5 — Apply vertical slice
+
+- `restart_zabbix_agent` apply workflow; approve, pause, resume, retry, cancel
+
+## [0.7.0a0] - 2026-06-16
+
+### Phase 3C — Full SCLite bundle
+
+- GovEngine-integration parity bundle; `review_bundle` pass
+
+## [0.6.0a0] - 2026-06-16
+
+### Phase 4 — Read-only vertical slice
+
+- Orchestrator, mock connectors, `check_backup_status` E2E
+
+## [0.5.0a0] - 2026-06-16
+
+### Phase 3B — SCLite emitter
+
+- Real SCLite artifact emission on completion path
+
+## [0.4.0a0] - 2026-06-16
+
+### Phase 3A — SCLite placeholder port
+
+- Placeholder emitter with schema refs (deprecated path)
+
+## [0.3.0a0] - 2026-06-16
+
+### Phase 2B — GovEngine client
+
+- Real `GovEngineClient` adapter
+
+## Earlier
+
+- Phases 0–2A: repository bootstrap, operation core, static GovEngine gating
+
+[0.1.0a0]: https://github.com/rozmiarD/RExecOP/compare/f483bed...75eb006

rexecop-0.2.2a0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 rozmiarD
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rexecop-0.2.2a0/OPERATOR_LAB_RUNBOOK.md

@@ -0,0 +1,240 @@
+# Operator lab runbook
+
+RExecOp `0.2.2a0` — validate neutral core, plugin boundaries, read-only paths, and the full
+profile → GovEngine → SCLite emission path before apply.
+
+Runtime data is written to `.rexecop/` in the **current working directory**. Run lab commands
+from a dedicated directory (for example `~/lab/rexecop-runtime`) so artifacts stay isolated.
+
+## Prerequisites
+
+| Item | Command / check |
+|------|-----------------|
+| Python 3.11+ | `python --version` |
+| RExecOp | `pip install -e ".[dev]"` from repo root (see [docs/distribution.md](docs/distribution.md)) |
+| Tecrax (domain plugins) | `pip install -e ../tecrax` |
+| GovEngine / SCLite | Installed via rexecop dependencies |
+| Secrets file | `~/.rexecop/secrets.yaml` mode `0600` |
+
+```bash
+export REXECOP_SECRETS_FILE=~/.rexecop/secrets.yaml
+rexecop version    # 0.2.2a0
+export REXECOP_STORAGE=sqlite   # optional SQLite backend for operations/plans/evidence
+python scripts/validate_public_truth.py
+```
+
+## Lab checklist
+
+### 1. Core boundary
+
+- [ ] `python scripts/validate_public_truth.py` passes
+- [ ] `ruff check . --exclude tecrax` passes
+- [ ] `rg 'vm-101|proxmox|pbs|zabbix' src/rexecop` returns **no matches**
+- [ ] `rg 'import tecrax' src/rexecop` returns **no matches**
+
+### 2. Secrets hygiene
+
+- [ ] No plaintext tokens in git or committed `.rexecop/`
+- [ ] Environment YAML uses `secret_ref` / `base_url_secret_ref` only
+- [ ] After a run: `rg -i 'api_key|token|password' .rexecop/` shows only `[REDACTED]` or no hits
+
+### 3. http_api-only golden path (no domain internals)
+
+Uses `examples/profiles/http-health-fixture` — single connector step, no Tecrax internal actions.
+
+```bash
+pytest tests/test_http_health_check_e2e.py -q
+```
+
+Manual path: copy a staging env with `backend: http_api` pointing at your `/health` endpoint.
+
+- [ ] `plan` + `start` → `completed`
+- [ ] `validate` → `passed: true`, rule `http_health_check.probe_ok`
+
+### 4. Tecrax offline fixture (bootstrap)
+
+Requires `tecrax` installed (`rexecop.internal_actions` + `tecrax_fixture` mock).
+
+```bash
+rexecop plan \
+  --profile examples/profiles/tecrax-fixture/profile.yaml \
+  --env examples/environments/small-public-unit-proxmox.example.yaml \
+  --intent check_backup_status \
+  --target all_critical_vms \
+  --mode dry_run
+
+rexecop start --operation <id>
+rexecop validate --operation <id>
+```
+
+- [ ] Final state `completed`
+- [ ] `.rexecop/sclite/<id>/` contains bundle artifacts
+- [ ] No secrets in evidence JSON
+
+### 5. Tecrax product profile (optional)
+
+```bash
+rexecop plan --profile tecrax --env <env> \
+  --intent check_backup_status --target all_critical_vms --mode dry_run
+rexecop start --operation <id>
+```
+
+### 6. Staging HTTP (CI pattern)
+
+```bash
+pytest tests/test_staging_connectors_e2e.py -q
+```
+
+Uses local HTTP stub — same shape as production `http_api` config.
+
+### 7. Worker and queue smoke
+
+```bash
+pytest tests/test_worker_runtime.py -q
+# or manual:
+rexecop worker run --once
+rexecop queue --drain
+```
+
+- [ ] Queue drain works without a long-running daemon
+- [ ] Scheduling remains **host-owned** (systemd/cron) — see [docs/operator-scheduler-pattern.md](docs/operator-scheduler-pattern.md)
+
+### 8. Alpha sign-off
+
+- [ ] Run `bash scripts/run_alpha_signoff_checks.sh`
+- [ ] Complete human checklist in [docs/alpha-sign-off-record.md](docs/alpha-sign-off-record.md)
+- [ ] Read [docs/alpha-sign-off.md](docs/alpha-sign-off.md)
+
+## Full E2E lab: profile YAML → GovEngine → SCLite bundle
+
+This walkthrough uses the neutral `http-health-fixture` profile so domain plugins are optional.
+It exercises planning, workflow execution, validation, and SCLite bundle emission.
+
+### Step 1 — Prepare environment
+
+Copy the staging template outside git and point connectors at a reachable `/health` endpoint,
+or run the pytest E2E which starts an embedded HTTP stub:
+
+```bash
+pytest tests/test_http_health_check_e2e.py -q
+```
+
+For a manual run, create `~/lab/http-health.env.yaml` with `backend: http_api` and a `health`
+connector action (see `examples/environments/` patterns).
+
+### Step 2 — Plan
+
+```bash
+mkdir -p ~/lab/rexecop-runtime && cd ~/lab/rexecop-runtime
+
+rexecop plan \
+  --profile /path/to/RExecOP/examples/profiles/http-health-fixture/profile.yaml \
+  --env ~/lab/http-health.env.yaml \
+  --intent http_health_check \
+  --target local \
+  --mode dry_run
+```
+
+Record `<operation-id>` from output.
+
+For mutating `apply` plans, verify GovEngine decision events in evidence:
+
+```bash
+rg 'govengine_decision' .rexecop/evidence/<operation-id>/ || true
+```
+
+### Step 3 — Start workflow
+
+```bash
+cd ~/lab/rexecop-runtime
+rexecop start --operation <operation-id>
+rexecop status --operation <operation-id>
+```
+
+Expect terminal state `completed` for the golden path.
+
+### Step 4 — Validate profile rules
+
+```bash
+rexecop validate --operation <operation-id>
+```
+
+Expect `passed: true` and rule `http_health_check.probe_ok`.
+
+### Step 5 — Inspect SCLite bundle (truth authority)
+
+```bash
+ls -la .rexecop/sclite/<operation-id>/
+```
+
+Expect contract artifacts, scoped ticket, receipt, and evidence sidecars. Receipt
+`executed_command_count` should reflect connector steps on staging/http paths.
+
+Compare with non-authoritative export:
+
+```bash
+test -f .rexecop/receipts/<operation-id>.json && \
+  echo "receipt export is summary only — sclite/ is authoritative"
+```
+
+### Step 6 — History and redaction
+
+```bash
+rexecop history --operation <operation-id>
+rg -i 'api_key|token|password' .rexecop/evidence/<operation-id>/ || echo "no secret leaks"
+```
+
+## GovEngine adapter posture (production vs tests)
+
+| Adapter | Production? | Where used |
+| --- | --- | --- |
+| `GovEngineClient` | **Yes** — default via `default_govengine_adapter()` | Operator hosts, real governance |
+| `StaticGovEngineAdapter` | **No** — bootstrap/tests only | `tests/test_*`, local fixtures |
+
+Rules:
+
+- Do **not** configure `StaticGovEngineAdapter` on operator hosts.
+- Pytest and vertical-slice tests may inject the static adapter to avoid external GovEngine
+  services — that is not a production governance boundary.
+- Mutating `apply` requires a positive GovEngine admission decision **and** satisfied approval
+  state; see [docs/govengine-integration.md](docs/govengine-integration.md).
+
+Verify default adapter in code/docs:
+
+```bash
+rg 'StaticGovEngineAdapter' tests/ src/rexecop/adapters/govengine_port/
+```
+
+Production CLI paths use `default_govengine_adapter()` unless tests inject a substitute.
+
+## Evidence vs SCLite truth
+
+| Location | Role | Authority |
+| --- | --- | --- |
+| `.rexecop/evidence/<op>/` | Append-only redacted runtime events (`EvidenceManager`) | Operator telemetry / debugging |
+| `.rexecop/sclite/<op>/` | Full GovEngine-integration bundle (`SCLiteArtifactEmitter`) | **Auditable truth** (SCLite) |
+| `.rexecop/receipts/<op>.json` | Export summary pointing at sclite descriptors | **Not** parallel truth |
+| `.rexecop/operations/`, `plans/` or `rexecop.db` | Runtime operation state (`file` or `sqlite` backend) | RExecOp operator store |
+| `.rexecop/queue/`, `locks/` | Concurrency and run-now backlog | Ephemeral operator mechanics |
+
+Evidence events include `govengine_decision_requested`, `step_completed`, `receipt_generated`.
+SCLite owns review semantics (`verify_ticket_use`, review bundles). When both exist, treat
+`sclite/` as authoritative for audit — see [docs/evidence-model.md](docs/evidence-model.md)
+and [docs/sclite-integration.md](docs/sclite-integration.md).
+
+## Package build smoke
+
+```bash
+python -m pip install build twine
+rm -rf dist build *.egg-info
+python -m build && python -m twine check dist/*
+```
+
+CI runs the same checks in the `package-dry-run` job. Details: [docs/distribution.md](docs/distribution.md).
+
+## Related
+
+- [OPERATOR_RUNBOOK.md](OPERATOR_RUNBOOK.md)
+- [docs/architecture.md](docs/architecture.md)
+- [docs/profile-contract.md](docs/profile-contract.md)
+- [docs/distribution.md](docs/distribution.md)