ssot-core 0.2.14.dev1__tar.gz → 0.2.15.dev2__tar.gz

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssot-core
-Version: 0.2.14.dev1
+Version: 0.2.15.dev2
 Summary: Core Python runtime, registry model, validation, and release workflow APIs for SSOT.
 Author-email: Jacob Stewart <jacob@swarmauri.com>
 License-Expression: Apache-2.0
@@ -34,8 +34,8 @@ Classifier: Topic :: System :: Archiving
 Classifier: Topic :: Utilities
 Requires-Python: <3.14,>=3.10
 Description-Content-Type: text/markdown
-Requires-Dist: ssot-contracts==0.2.14.dev1
-Requires-Dist: ssot-views==0.2.14.dev1
+Requires-Dist: ssot-contracts==0.2.15.dev2
+Requires-Dist: ssot-views==0.2.15.dev2
 Requires-Dist: tomli>=2.0.1; python_version < "3.11"
 
 <div align="center">
@@ -52,7 +52,7 @@ Requires-Dist: tomli>=2.0.1; python_version < "3.11"
 
 `ssot-core` is the core Python runtime package for SSOT.
 
-It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/) and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
+It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
 
 - GitHub: https://github.com/groupsum/ssot-registry
 
@@ -94,8 +94,8 @@ ADR and SPEC companion documents are canonically authored as JSON under `.ssot/a
 
 ```bash
 python -m pip install ssot-core       # core library/runtime only
-python -m pip install ssot-cli        # primary CLI distribution + ssot-core
-python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli
+python -m pip install ssot-cli        # primary CLI distribution + ssot-core + ssot-conformance
+python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli + ssot-conformance
 python -m pip install "ssot-registry[tui]"  # optional TUI bundle
 ```
 
@@ -182,6 +182,8 @@ ssot-registry registry --help
 
 CLI screenshots from [ssot-cli](https://pypi.org/project/ssot-cli/):
 
+Regenerate all terminal assets with `python scripts/generate_terminal_screenshots.py`.
+
 ![ssot top-level help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-help.png)
 
 ![ssot boundary help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-boundary-help.png)
@@ -932,6 +934,6 @@ ssot-registry registry export . --format toml --output .ssot/exports/registry.to
 
 - Package type: core runtime/library package
 - Depends on: [ssot-contracts](https://pypi.org/project/ssot-contracts/), [ssot-views](https://pypi.org/project/ssot-views/)
-- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
+- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
 
 If you are embedding SSOT behavior inside Python code, this is the package to import. If you need the primary CLI distribution, install [ssot-cli](https://pypi.org/project/ssot-cli/) alongside it.

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/README.md

@@ -12,7 +12,7 @@
 
 `ssot-core` is the core Python runtime package for SSOT.
 
-It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/) and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
+It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
 
 - GitHub: https://github.com/groupsum/ssot-registry
 
@@ -54,8 +54,8 @@ ADR and SPEC companion documents are canonically authored as JSON under `.ssot/a
 
 ```bash
 python -m pip install ssot-core       # core library/runtime only
-python -m pip install ssot-cli        # primary CLI distribution + ssot-core
-python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli
+python -m pip install ssot-cli        # primary CLI distribution + ssot-core + ssot-conformance
+python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli + ssot-conformance
 python -m pip install "ssot-registry[tui]"  # optional TUI bundle
 ```
 
@@ -142,6 +142,8 @@ ssot-registry registry --help
 
 CLI screenshots from [ssot-cli](https://pypi.org/project/ssot-cli/):
 
+Regenerate all terminal assets with `python scripts/generate_terminal_screenshots.py`.
+
 ![ssot top-level help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-help.png)
 
 ![ssot boundary help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-boundary-help.png)
@@ -892,6 +894,6 @@ ssot-registry registry export . --format toml --output .ssot/exports/registry.to
 
 - Package type: core runtime/library package
 - Depends on: [ssot-contracts](https://pypi.org/project/ssot-contracts/), [ssot-views](https://pypi.org/project/ssot-views/)
-- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
+- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
 
 If you are embedding SSOT behavior inside Python code, this is the package to import. If you need the primary CLI distribution, install [ssot-cli](https://pypi.org/project/ssot-cli/) alongside it.

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/pyproject.toml

@@ -4,15 +4,15 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ssot-core"
-version = "0.2.14.dev1"
+version = "0.2.15.dev2"
 description = "Core Python runtime, registry model, validation, and release workflow APIs for SSOT."
 readme = "README.md"
 requires-python = ">=3.10,<3.14"
 license = "Apache-2.0"
 authors = [{ name = "Jacob Stewart", email = "jacob@swarmauri.com" }]
 dependencies = [
-  "ssot-contracts==0.2.14.dev1",
-  "ssot-views==0.2.14.dev1",
+  "ssot-contracts==0.2.15.dev2",
+  "ssot-views==0.2.15.dev2",
   "tomli>=2.0.1; python_version < '3.11'",
 ]
 keywords = ["ssot", "core", "registry", "validation", "release-management", "governance", "compliance"]

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/src/ssot_core.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssot-core
-Version: 0.2.14.dev1
+Version: 0.2.15.dev2
 Summary: Core Python runtime, registry model, validation, and release workflow APIs for SSOT.
 Author-email: Jacob Stewart <jacob@swarmauri.com>
 License-Expression: Apache-2.0
@@ -34,8 +34,8 @@ Classifier: Topic :: System :: Archiving
 Classifier: Topic :: Utilities
 Requires-Python: <3.14,>=3.10
 Description-Content-Type: text/markdown
-Requires-Dist: ssot-contracts==0.2.14.dev1
-Requires-Dist: ssot-views==0.2.14.dev1
+Requires-Dist: ssot-contracts==0.2.15.dev2
+Requires-Dist: ssot-views==0.2.15.dev2
 Requires-Dist: tomli>=2.0.1; python_version < "3.11"
 
 <div align="center">
@@ -52,7 +52,7 @@ Requires-Dist: tomli>=2.0.1; python_version < "3.11"
 
 `ssot-core` is the core Python runtime package for SSOT.
 
-It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/) and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
+It owns the canonical registry model, core APIs for loading and mutating registries, validation and guard logic, planning and release workflows, and the domain operations that [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), and [ssot-tui](https://pypi.org/project/ssot-tui/) build on top of.
 
 - GitHub: https://github.com/groupsum/ssot-registry
 
@@ -94,8 +94,8 @@ ADR and SPEC companion documents are canonically authored as JSON under `.ssot/a
 
 ```bash
 python -m pip install ssot-core       # core library/runtime only
-python -m pip install ssot-cli        # primary CLI distribution + ssot-core
-python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli
+python -m pip install ssot-cli        # primary CLI distribution + ssot-core + ssot-conformance
+python -m pip install ssot-registry   # umbrella bundle: ssot-core + ssot-cli + ssot-conformance
 python -m pip install "ssot-registry[tui]"  # optional TUI bundle
 ```
 
@@ -182,6 +182,8 @@ ssot-registry registry --help
 
 CLI screenshots from [ssot-cli](https://pypi.org/project/ssot-cli/):
 
+Regenerate all terminal assets with `python scripts/generate_terminal_screenshots.py`.
+
 ![ssot top-level help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-help.png)
 
 ![ssot boundary help](https://raw.githubusercontent.com/groupsum/ssot-registry/main/pkgs/ssot-cli/assets/ssot-cli-boundary-help.png)
@@ -932,6 +934,6 @@ ssot-registry registry export . --format toml --output .ssot/exports/registry.to
 
 - Package type: core runtime/library package
 - Depends on: [ssot-contracts](https://pypi.org/project/ssot-contracts/), [ssot-views](https://pypi.org/project/ssot-views/)
-- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
+- Consumed by: [ssot-cli](https://pypi.org/project/ssot-cli/), [ssot-conformance](https://pypi.org/project/ssot-conformance/), [ssot-tui](https://pypi.org/project/ssot-tui/), direct Python integrations, and automation
 
 If you are embedding SSOT behavior inside Python code, this is the package to import. If you need the primary CLI distribution, install [ssot-cli](https://pypi.org/project/ssot-cli/) alongside it.

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/src/ssot_core.egg-info/SOURCES.txt

@@ -25,6 +25,7 @@ src/ssot_registry/api/registry.py
 src/ssot_registry/api/release.py
 src/ssot_registry/api/save.py
 src/ssot_registry/api/status_sync.py
+src/ssot_registry/api/test_execution.py
 src/ssot_registry/api/upgrade.py
 src/ssot_registry/api/validate.py
 src/ssot_registry/cli/__init__.py

ssot_core-0.2.15.dev2/src/ssot_core.egg-info/requires.txt

@@ -0,0 +1,5 @@
+ssot-contracts==0.2.15.dev2
+ssot-views==0.2.15.dev2
+
+[:python_version < "3.11"]
+tomli>=2.0.1

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/src/ssot_registry/api/__init__.py

@@ -18,6 +18,7 @@ from .documents import (
 from .entity_ops import (
     add_boundary_features,
     add_boundary_profiles,
+    add_release_boundaries,
     add_release_claims,
     add_release_evidence,
     create_entity,
@@ -27,6 +28,7 @@ from .entity_ops import (
     list_entities,
     remove_boundary_features,
     remove_boundary_profiles,
+    remove_release_boundaries,
     remove_release_claims,
     remove_release_evidence,
     set_claim_status,
@@ -47,6 +49,7 @@ from .registry import export_registry
 from .release import certify_release, promote_release, publish_release, revoke_release
 from .save import save_registry
 from .status_sync import sync_automated_statuses
+from .test_execution import run_boundary_tests, run_resolved_test_rows, run_spec_tests, run_tests
 from .upgrade import upgrade_registry
 from .validate import validate_registry
 
@@ -83,6 +86,8 @@ __all__ = [
     "add_boundary_profiles",
     "remove_boundary_features",
     "remove_boundary_profiles",
+    "add_release_boundaries",
+    "remove_release_boundaries",
     "add_release_claims",
     "remove_release_claims",
     "add_release_evidence",
@@ -104,5 +109,9 @@ __all__ = [
     "export_graph",
     "export_registry",
     "sync_automated_statuses",
+    "run_tests",
+    "run_spec_tests",
+    "run_boundary_tests",
+    "run_resolved_test_rows",
     "upgrade_registry",
 ]

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/src/ssot_registry/api/entity_ops.py

@@ -47,7 +47,7 @@ LINKABLE_FIELDS = {
     "issues": {"feature_ids", "claim_ids", "test_ids", "evidence_ids", "risk_ids"},
     "risks": {"feature_ids", "claim_ids", "test_ids", "evidence_ids", "issue_ids"},
     "boundaries": {"feature_ids", "profile_ids"},
-    "releases": {"claim_ids", "evidence_ids"},
+    "releases": {"boundary_ids", "claim_ids", "evidence_ids"},
 }
 
 SECTIONS = tuple(SECTION_LABELS)
@@ -366,3 +366,20 @@ def add_release_evidence(path: str | Path, release_id: str, evidence_ids: list[s
 
 def remove_release_evidence(path: str | Path, release_id: str, evidence_ids: list[str]) -> dict[str, Any]:
     return unlink_entities(path, "releases", release_id, {"evidence_ids": evidence_ids})
+
+
+def add_release_boundaries(path: str | Path, release_id: str, boundary_ids: list[str]) -> dict[str, Any]:
+    _registry_path, _repo_root, registry = load_registry(path)
+    release = _entity_row(registry, "releases", release_id)
+    primary_boundary_id = release.get("boundary_id")
+    if isinstance(primary_boundary_id, str):
+        boundary_ids = [primary_boundary_id, *boundary_ids]
+    return link_entities(path, "releases", release_id, {"boundary_ids": boundary_ids})
+
+
+def remove_release_boundaries(path: str | Path, release_id: str, boundary_ids: list[str]) -> dict[str, Any]:
+    _registry_path, _repo_root, registry = load_registry(path)
+    release = _entity_row(registry, "releases", release_id)
+    if release.get("boundary_id") in set(boundary_ids):
+        raise ValueError("Cannot remove the primary boundary_id from release boundary_ids; update the release boundary_id first")
+    return unlink_entities(path, "releases", release_id, {"boundary_ids": boundary_ids})

{ssot_core-0.2.14.dev1 → ssot_core-0.2.15.dev2}/src/ssot_registry/api/release.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 from pathlib import Path
 
-from ssot_registry.guards.certification import evaluate_release_certification_guard
+from ssot_registry.guards.certification import evaluate_release_certification_guard, release_boundary_ids
 from ssot_registry.guards.promotion import evaluate_release_promotion_guard
 from ssot_registry.guards.publication import evaluate_release_publication_guard
 from ssot_registry.model.enums import CLAIM_STATUS_RANK
@@ -27,6 +27,10 @@ def _entity_lookup(registry: dict[str, object], section: str) -> dict[str, dict[
     return {row["id"]: row for row in registry[section]}
 
 
+def _release_boundaries(release: dict[str, object], boundary_lookup: dict[str, dict[str, object]]) -> list[dict[str, object]]:
+    return [boundary_lookup[boundary_id] for boundary_id in release_boundary_ids(release)]
+
+
 def certify_release(path: str | Path, release_id: str | None = None, write_report: bool = False) -> dict[str, object]:
     registry_path, repo_root, registry = load_registry(path)
     preflight = validate_registry(registry_path)
@@ -85,7 +89,7 @@ def promote_release(path: str | Path, release_id: str | None = None) -> dict[str
     boundary_lookup = _entity_lookup(registry, "boundaries")
 
     release = release_lookup[selected_release_id]
-    boundary = boundary_lookup[release["boundary_id"]]
+    boundaries = _release_boundaries(release, boundary_lookup)
     release["status"] = "promoted"
     for claim_id in release.get("claim_ids", []):
         if claim_id in claim_lookup and CLAIM_STATUS_RANK[claim_lookup[claim_id]["status"]] < CLAIM_STATUS_RANK["promoted"]:
@@ -98,9 +102,14 @@ def promote_release(path: str | Path, release_id: str | None = None) -> dict[str
     save_registry(registry_path, registry)
 
     release_claims = [claim_lookup[claim_id] for claim_id in release.get("claim_ids", []) if claim_id in claim_lookup]
-    boundary_feature_ids = resolve_boundary_feature_ids(boundary, index)
+    boundary_feature_ids = sorted({feature_id for boundary in boundaries for feature_id in resolve_boundary_feature_ids(boundary, index)})
     boundary_features = [feature_lookup[feature_id] for feature_id in boundary_feature_ids if feature_id in feature_lookup]
-    boundary_profiles = [index["profiles"][profile_id] for profile_id in boundary.get("profile_ids", []) if profile_id in index["profiles"]]
+    boundary_profiles = [
+        index["profiles"][profile_id]
+        for boundary in boundaries
+        for profile_id in boundary.get("profile_ids", [])
+        if profile_id in index["profiles"]
+    ]
     profile_evaluations = [evaluate_profile(profile, index, registry.get("guard_policies", {})) for profile in boundary_profiles]
     release_test_ids = sorted({test_id for claim in release_claims for test_id in claim.get("test_ids", []) if test_id in test_lookup})
     release_evidence_ids = sorted(
@@ -113,7 +122,7 @@ def promote_release(path: str | Path, release_id: str | None = None) -> dict[str
         repo_root,
         registry_path,
         release,
-        boundary,
+        boundaries,
         boundary_features,
         boundary_profiles,
         profile_evaluations,
@@ -155,7 +164,7 @@ def publish_release(path: str | Path, release_id: str | None = None) -> dict[str
     boundary_lookup = _entity_lookup(registry, "boundaries")
 
     release = release_lookup[selected_release_id]
-    boundary = boundary_lookup[release["boundary_id"]]
+    boundaries = _release_boundaries(release, boundary_lookup)
     release["status"] = "published"
     for claim_id in release.get("claim_ids", []):
         if claim_id in claim_lookup and CLAIM_STATUS_RANK[claim_lookup[claim_id]["status"]] < CLAIM_STATUS_RANK["published"]:
@@ -174,7 +183,7 @@ def publish_release(path: str | Path, release_id: str | None = None) -> dict[str
         repo_root,
         registry_path,
         release,
-        boundary,
+        boundaries,
         claims,
         evidence,
     )

ssot_core-0.2.15.dev2/src/ssot_registry/api/test_execution.py

@@ -0,0 +1,324 @@
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+from pathlib import Path
+from typing import Any
+
+from ssot_registry.util.jcs import dump_jcs_json
+
+from .load import load_registry
+from .profile_resolution import resolve_boundary_feature_ids
+
+
+def _row_lookup(registry: dict[str, Any], section: str) -> dict[str, dict[str, Any]]:
+    return {
+        row["id"]: row
+        for row in registry.get(section, [])
+        if isinstance(row, dict) and isinstance(row.get("id"), str)
+    }
+
+
+def _dedupe_preserve(values: list[str]) -> list[str]:
+    seen: set[str] = set()
+    ordered: list[str] = []
+    for value in values:
+        if value not in seen:
+            seen.add(value)
+            ordered.append(value)
+    return ordered
+
+
+def _validate_execution_contract(test: dict[str, Any]) -> dict[str, Any]:
+    execution = test.get("execution")
+    test_id = str(test.get("id", "<missing>"))
+    if not isinstance(execution, dict):
+        raise ValueError(f"Test {test_id} is not runnable; missing execution metadata")
+    if execution.get("mode") != "command":
+        raise ValueError(f"Test {test_id} execution.mode must be 'command'")
+    argv = execution.get("argv")
+    if not isinstance(argv, list) or not argv or not all(isinstance(item, str) and item.strip() for item in argv):
+        raise ValueError(f"Test {test_id} execution.argv must be a non-empty list of strings")
+    cwd = execution.get("cwd")
+    if not isinstance(cwd, str) or not cwd.strip():
+        raise ValueError(f"Test {test_id} execution.cwd must be a non-empty string")
+    env = execution.get("env")
+    if not isinstance(env, dict) or not all(isinstance(key, str) and isinstance(value, str) for key, value in env.items()):
+        raise ValueError(f"Test {test_id} execution.env must be a string-to-string object")
+    timeout_seconds = execution.get("timeout_seconds")
+    if not isinstance(timeout_seconds, int) or timeout_seconds <= 0:
+        raise ValueError(f"Test {test_id} execution.timeout_seconds must be a positive integer")
+    success = execution.get("success")
+    if not isinstance(success, dict):
+        raise ValueError(f"Test {test_id} execution.success must be an object")
+    if success.get("type") != "exit_code":
+        raise ValueError(f"Test {test_id} execution.success.type must be 'exit_code'")
+    expected = success.get("expected")
+    if not isinstance(expected, int):
+        raise ValueError(f"Test {test_id} execution.success.expected must be an integer")
+    return execution
+
+
+def _resolve_command_cwd(repo_root: Path, cwd: str, *, test_id: str) -> Path:
+    relative = Path(cwd)
+    if relative.is_absolute():
+        raise ValueError(f"Test {test_id} execution.cwd must be repo-relative")
+    target = (repo_root / relative).resolve()
+    if repo_root not in {target, *target.parents}:
+        raise ValueError(f"Test {test_id} execution.cwd must stay within the repo root")
+    return target
+
+
+def _write_evidence_output(path: str | Path, payload: dict[str, Any]) -> str:
+    target = Path(path)
+    target.parent.mkdir(parents=True, exist_ok=True)
+    target.write_text(dump_jcs_json(payload), encoding="utf-8")
+    return target.as_posix()
+
+
+def _build_evidence_payload(
+    *,
+    repo_root: Path,
+    target: dict[str, Any],
+    resolved_test_ids: list[str],
+    cases: list[dict[str, Any]],
+) -> dict[str, Any]:
+    summary = {"passed": 0, "failed": 0, "skipped": 0, "total": len(cases)}
+    for case in cases:
+        outcome = str(case.get("outcome", "unknown"))
+        if outcome in summary:
+            summary[outcome] += 1
+    return {
+        "kind": "ssot-conformance-evidence",
+        "repo_root": repo_root.as_posix(),
+        "profiles": [],
+        "families": [],
+        "target": target,
+        "resolved_test_ids": list(resolved_test_ids),
+        "summary": summary,
+        "cases": cases,
+    }
+
+
+def _resolve_tests_from_ids(registry: dict[str, Any], test_ids: list[str]) -> list[dict[str, Any]]:
+    tests = _row_lookup(registry, "tests")
+    missing = [test_id for test_id in test_ids if test_id not in tests]
+    if missing:
+        raise ValueError(f"Unknown test ids: {', '.join(sorted(missing))}")
+    return [tests[test_id] for test_id in _dedupe_preserve(test_ids)]
+
+
+def _resolve_tests_for_spec(registry: dict[str, Any], spec_id: str) -> tuple[list[str], list[dict[str, Any]]]:
+    specs = _row_lookup(registry, "specs")
+    if spec_id not in specs:
+        raise ValueError(f"Unknown spec id: {spec_id}")
+    feature_ids = [
+        row["id"]
+        for row in registry.get("features", [])
+        if isinstance(row, dict) and spec_id in row.get("spec_ids", [])
+    ]
+    resolved_test_ids: list[str] = []
+    for row in registry.get("features", []):
+        if isinstance(row, dict) and row.get("id") in feature_ids:
+            resolved_test_ids.extend(row.get("test_ids", []))
+    return feature_ids, _resolve_tests_from_ids(registry, resolved_test_ids)
+
+
+def _resolve_tests_for_boundary(registry: dict[str, Any], boundary_id: str | None) -> tuple[str, list[str], list[dict[str, Any]]]:
+    boundaries = _row_lookup(registry, "boundaries")
+    if boundary_id is None:
+        program = registry.get("program", {})
+        if not isinstance(program, dict):
+            raise ValueError("Registry program section is malformed")
+        active_boundary_id = program.get("active_boundary_id")
+        if not isinstance(active_boundary_id, str) or not active_boundary_id.strip():
+            raise ValueError("Registry program.active_boundary_id is missing")
+        boundary_id = active_boundary_id
+    boundary = boundaries.get(boundary_id)
+    if boundary is None:
+        raise ValueError(f"Unknown boundary id: {boundary_id}")
+    index = {
+        "features": _row_lookup(registry, "features"),
+        "profiles": _row_lookup(registry, "profiles"),
+    }
+    feature_ids = list(resolve_boundary_feature_ids(boundary, index))
+    resolved_test_ids: list[str] = []
+    for row in registry.get("features", []):
+        if isinstance(row, dict) and row.get("id") in feature_ids:
+            resolved_test_ids.extend(row.get("test_ids", []))
+    return boundary_id, feature_ids, _resolve_tests_from_ids(registry, resolved_test_ids)
+
+
+def _run_test_cases(
+    *,
+    repo_root: Path,
+    target: dict[str, Any],
+    tests: list[dict[str, Any]],
+    evidence_output: str | Path | None,
+    dry_run: bool,
+) -> dict[str, Any]:
+    resolved_tests = [
+        {
+            "id": row["id"],
+            "title": row["title"],
+            "kind": row["kind"],
+            "path": row["path"],
+            "execution": row.get("execution"),
+        }
+        for row in tests
+    ]
+    if dry_run:
+        return {
+            "passed": True,
+            "dry_run": True,
+            "target": target,
+            "resolved_tests": resolved_tests,
+        }
+
+    execution_specs = {row["id"]: _validate_execution_contract(row) for row in tests}
+    cases: list[dict[str, Any]] = []
+    for row in tests:
+        test_id = str(row["id"])
+        execution = execution_specs[test_id]
+        command = list(execution["argv"])
+        if command and command[0] == "python":
+            command[0] = sys.executable
+        command_cwd = _resolve_command_cwd(repo_root, str(execution["cwd"]), test_id=test_id)
+        env = os.environ.copy()
+        env.update(execution["env"])
+        expected_exit = int(execution["success"]["expected"])
+        timeout_seconds = int(execution["timeout_seconds"])
+
+        case = {
+            "nodeid": test_id,
+            "test_id": test_id,
+            "title": row["title"],
+            "kind": row["kind"],
+            "path": row["path"],
+            "runner": "command",
+            "command": command,
+            "cwd": Path(execution["cwd"]).as_posix(),
+            "expected_exit_code": expected_exit,
+        }
+        try:
+            result = subprocess.run(
+                command,
+                cwd=str(command_cwd),
+                env=env,
+                text=True,
+                capture_output=True,
+                timeout=timeout_seconds,
+                check=False,
+            )
+            case["returncode"] = result.returncode
+            case["outcome"] = "passed" if result.returncode == expected_exit else "failed"
+            if result.stdout:
+                case["stdout"] = result.stdout
+            if result.stderr:
+                case["stderr"] = result.stderr
+        except subprocess.TimeoutExpired as exc:
+            case["returncode"] = None
+            case["outcome"] = "failed"
+            case["stderr"] = f"Command timed out after {timeout_seconds} seconds"
+            if exc.stdout:
+                case["stdout"] = exc.stdout
+            if exc.stderr:
+                case["stderr_detail"] = exc.stderr
+        except FileNotFoundError as exc:
+            case["returncode"] = None
+            case["outcome"] = "failed"
+            case["stderr"] = str(exc)
+        cases.append(case)
+
+    resolved_test_ids = [row["id"] for row in tests]
+    evidence_payload = _build_evidence_payload(
+        repo_root=repo_root,
+        target=target,
+        resolved_test_ids=resolved_test_ids,
+        cases=cases,
+    )
+    passed = evidence_payload["summary"]["failed"] == 0
+    payload: dict[str, Any] = {
+        "passed": passed,
+        "dry_run": False,
+        "target": target,
+        "resolved_tests": resolved_tests,
+        "summary": evidence_payload["summary"],
+    }
+    if evidence_output is not None:
+        payload["evidence_output"] = _write_evidence_output(evidence_output, evidence_payload)
+    else:
+        payload["cases"] = cases
+    return payload
+
+
+def run_resolved_test_rows(
+    repo_root: str | Path,
+    *,
+    target: dict[str, Any],
+    tests: list[dict[str, Any]],
+    evidence_output: str | Path | None = None,
+    dry_run: bool = False,
+) -> dict[str, Any]:
+    return _run_test_cases(
+        repo_root=Path(repo_root).resolve(),
+        target=target,
+        tests=tests,
+        evidence_output=evidence_output,
+        dry_run=dry_run,
+    )
+
+
+def run_tests(
+    path: str | Path,
+    *,
+    test_ids: list[str],
+    evidence_output: str | Path | None = None,
+    dry_run: bool = False,
+) -> dict[str, Any]:
+    _registry_path, repo_root, registry = load_registry(path)
+    tests = _resolve_tests_from_ids(registry, test_ids)
+    return _run_test_cases(
+        repo_root=repo_root,
+        target={"kind": "test", "ids": [row["id"] for row in tests]},
+        tests=tests,
+        evidence_output=evidence_output,
+        dry_run=dry_run,
+    )
+
+
+def run_spec_tests(
+    path: str | Path,
+    *,
+    spec_id: str,
+    evidence_output: str | Path | None = None,
+    dry_run: bool = False,
+) -> dict[str, Any]:
+    _registry_path, repo_root, registry = load_registry(path)
+    feature_ids, tests = _resolve_tests_for_spec(registry, spec_id)
+    return _run_test_cases(
+        repo_root=repo_root,
+        target={"kind": "spec", "id": spec_id, "feature_ids": feature_ids},
+        tests=tests,
+        evidence_output=evidence_output,
+        dry_run=dry_run,
+    )
+
+
+def run_boundary_tests(
+    path: str | Path,
+    *,
+    boundary_id: str | None = None,
+    evidence_output: str | Path | None = None,
+    dry_run: bool = False,
+) -> dict[str, Any]:
+    _registry_path, repo_root, registry = load_registry(path)
+    resolved_boundary_id, feature_ids, tests = _resolve_tests_for_boundary(registry, boundary_id)
+    return _run_test_cases(
+        repo_root=repo_root,
+        target={"kind": "boundary", "id": resolved_boundary_id, "feature_ids": feature_ids},
+        tests=tests,
+        evidence_output=evidence_output,
+        dry_run=dry_run,
+    )