diff --git a/evidence/world_class/intake.schema.json b/evidence/world_class/intake.schema.json
index 96fb4484..51ef64fd 100644
--- a/evidence/world_class/intake.schema.json
+++ b/evidence/world_class/intake.schema.json
@@ -185,6 +185,19 @@
},
"then": {
"properties": {
+ "submitted_at": {
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}(?:T\\d{2}:\\d{2}:\\d{2}Z)?$"
+ },
+ "submitted_by": {
+ "not": {
+ "enum": [
+ "operator with provider credentials",
+ "human reviewer",
+ "target client or installer integrator",
+ "Browser/Chrome/IDE/provider client integrator"
+ ]
+ }
+ },
"artifact_refs": {
"items": {
"required": [
diff --git a/registry/index.json b/registry/index.json
index 120f1940..28e5fbcf 100644
--- a/registry/index.json
+++ b/registry/index.json
@@ -16,7 +16,7 @@
"vscode"
],
"package_metadata": "registry/packages/yao-meta-skill.json",
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
}
diff --git a/registry/packages/yao-meta-skill.json b/registry/packages/yao-meta-skill.json
index 97fafc10..e74fd53f 100644
--- a/registry/packages/yao-meta-skill.json
+++ b/registry/packages/yao-meta-skill.json
@@ -16,8 +16,8 @@
"trust_level": "local",
"license": "MIT",
"checksums": {
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
"compatibility": {
"openai": "pass",
@@ -48,7 +48,7 @@
},
"distribution": {
"archive_verified": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"package_verification": "reports/package_verification.json",
"install_simulated": true,
"install_simulation": "reports/install_simulation.json"
diff --git a/reports/context_budget.json b/reports/context_budget.json
index f68731a5..a3d01e53 100644
--- a/reports/context_budget.json
+++ b/reports/context_budget.json
@@ -6,15 +6,15 @@
"context_budget_tier": "production",
"context_budget_limit": 1000,
"skill_body_tokens": 751,
- "other_text_tokens": 1191951,
+ "other_text_tokens": 1193567,
"estimated_initial_load_tokens": 944,
- "estimated_total_text_tokens": 1192702,
- "deferred_resource_tokens": 383953,
+ "estimated_total_text_tokens": 1194318,
+ "deferred_resource_tokens": 384567,
"deferred_resource_warn_threshold": 120000,
"deferred_resource_dirs": [
{
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96
},
{
@@ -31,7 +31,7 @@
"large_deferred_resource_dirs": [
{
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96
}
],
@@ -54,7 +54,7 @@
],
"missing": [],
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96,
"rationale": "Script resources are deterministic deferred tools, not initial-load prompt context."
}
diff --git a/reports/context_budget.md b/reports/context_budget.md
index b3db2287..de4fc858 100644
--- a/reports/context_budget.md
+++ b/reports/context_budget.md
@@ -2,7 +2,7 @@
| Target | Path | Tier | Limit | Initial | SKILL | Deferred | Resource Governance | Large Deferred Dirs | Quality Density | Unused Dirs | Status |
| --- | --- | --- | ---: | ---: | ---: | ---: | --- | --- | ---: | --- | --- |
-| root | `.` | `production` | 1000 | 944 | 751 | 383953 | `governed` | scripts:336470 | 137.7 | - | ok |
+| root | `.` | `production` | 1000 | 944 | 751 | 384567 | `governed` | scripts:337084 | 137.7 | - | ok |
| complex-release-orchestrator | `examples/complex-release-orchestrator/generated-skill` | `production` | 1000 | 790 | 718 | 1657 | `not-required` | - | 164.6 | - | ok |
| governed-incident-command | `examples/governed-incident-command/generated-skill` | `production` | 1000 | 760 | 658 | 1030 | `not-required` | - | 171.1 | - | ok |
diff --git a/reports/context_budget_summary.json b/reports/context_budget_summary.json
index 4e2399e3..eb53b5c3 100644
--- a/reports/context_budget_summary.json
+++ b/reports/context_budget_summary.json
@@ -8,11 +8,11 @@
"budget_limit": 1000,
"initial_tokens": 944,
"skill_body_tokens": 751,
- "deferred_resource_tokens": 383953,
+ "deferred_resource_tokens": 384567,
"large_deferred_resource_dirs": [
{
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96
}
],
@@ -35,7 +35,7 @@
],
"missing": [],
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96,
"rationale": "Script resources are deterministic deferred tools, not initial-load prompt context."
}
diff --git a/reports/package_verification.json b/reports/package_verification.json
index 24a09632..c1107239 100644
--- a/reports/package_verification.json
+++ b/reports/package_verification.json
@@ -8,7 +8,7 @@
"target_count": 4,
"adapter_count": 4,
"archive_present": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"archive_entry_count": 575,
"failure_count": 0,
"warning_count": 0
diff --git a/reports/package_verification.md b/reports/package_verification.md
index f2ed4845..9f931315 100644
--- a/reports/package_verification.md
+++ b/reports/package_verification.md
@@ -4,7 +4,7 @@
- Package directory: `dist`
- Targets: `4 / 4` adapters present
- Archive present: `True`
-- Archive SHA256: `54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d`
+- Archive SHA256: `6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8`
- Failures: `0`
- Warnings: `0`
diff --git a/reports/registry_audit.json b/reports/registry_audit.json
index 476fda0d..d7cb45a2 100644
--- a/reports/registry_audit.json
+++ b/reports/registry_audit.json
@@ -21,8 +21,8 @@
"trust_level": "local",
"license": "MIT",
"checksums": {
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
"compatibility": {
"openai": "pass",
@@ -53,7 +53,7 @@
},
"distribution": {
"archive_verified": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"package_verification": "reports/package_verification.json",
"install_simulated": true,
"install_simulation": "reports/install_simulation.json"
@@ -78,7 +78,7 @@
"vscode"
],
"package_metadata": "registry/packages/yao-meta-skill.json",
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
diff --git a/reports/registry_audit.md b/reports/registry_audit.md
index cc99d634..8b63a7d3 100644
--- a/reports/registry_audit.md
+++ b/reports/registry_audit.md
@@ -6,8 +6,8 @@
- Maturity: `governed`
- Owner: `Yao Team`
- License: `MIT`
-- Package SHA256: `2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb`
-- Archive SHA256: `54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d`
+- Package SHA256: `da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942`
+- Archive SHA256: `6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8`
- Install simulated: `True`
## Compatibility
diff --git a/reports/review-studio.html b/reports/review-studio.html
index 4bd99144..cd0b2591 100644
--- a/reports/review-studio.html
+++ b/reports/review-studio.html
@@ -439,7 +439,7 @@
审查闸门
- 通过
意图画布
intent confidence 100/100; Intent is clear enough to package the first routeable version.
通过
触发实验
13 trigger cases; 0 misroutes; 0 ambiguous
关注
输出实验
5/5 cases; with-skill 100.0; baseline 0.0; file-backed 1; near-neighbor 1; blind A/B 5; exec 10; command 10; model 0; recorded 0; reviewed 0/5; review pending 5
通过
上下文
initial load 944/1000; deferred 383953/120000; top deferred scripts 336470; resource governance governed; quality density 137.7
通过
运行矩阵
5 / 5 targets pass
通过
信任报告
0 secrets; 96 scripts; 3 network-capable scripts; 0 help smoke failures
通过
Python 兼容
Python 3.11; 158 files; 0 compatibility issues; 0 syntax; 0 f-string 3.11 hazards
通过
架构维护
155 Python files; 0 hotspots; 0 blockers; largest 888 lines; 34 CLI handlers
通过
权限批准
3/3 permissions approved; gaps 0; required file_write, network, subprocess
通过
权限探针
4/4 targets probed; native 0; metadata fallback 4; installer 4; residual risks 4
通过
组合治理
12 skills, 1 actionable; 0 actionable route collisions; 0 actionable owner gaps; 0 actionable stale; 0 actionable drift; 24 scoped non-actionable issues
通过
运营回路
1 metadata events; adoption 100.0; missed 0; bad-output 0; risk low
关注
人工批准
0 active waivers; 1 warning gates still need reviewer decision
关注
世界证据
4 pending world-class evidence entries; 1 human pending; 3 external pending; overclaim guard true
通过
注册审计
yao-meta-skill 1.1.0; 6/6 compatibility entries pass; install pass with 4 adapters; installer permissions 12 enforced / 0 failures
通过
发布路线
0 promote; 3 keep current; 0 blocked; upgrade minor declared / minor recommended
+ 通过
意图画布
intent confidence 100/100; Intent is clear enough to package the first routeable version.
通过
触发实验
13 trigger cases; 0 misroutes; 0 ambiguous
关注
输出实验
5/5 cases; with-skill 100.0; baseline 0.0; file-backed 1; near-neighbor 1; blind A/B 5; exec 10; command 10; model 0; recorded 0; reviewed 0/5; review pending 5
通过
上下文
initial load 944/1000; deferred 384567/120000; top deferred scripts 337084; resource governance governed; quality density 137.7
通过
运行矩阵
5 / 5 targets pass
通过
信任报告
0 secrets; 96 scripts; 3 network-capable scripts; 0 help smoke failures
通过
Python 兼容
Python 3.11; 158 files; 0 compatibility issues; 0 syntax; 0 f-string 3.11 hazards
通过
架构维护
155 Python files; 0 hotspots; 0 blockers; largest 888 lines; 34 CLI handlers
通过
权限批准
3/3 permissions approved; gaps 0; required file_write, network, subprocess
通过
权限探针
4/4 targets probed; native 0; metadata fallback 4; installer 4; residual risks 4
通过
组合治理
12 skills, 1 actionable; 0 actionable route collisions; 0 actionable owner gaps; 0 actionable stale; 0 actionable drift; 24 scoped non-actionable issues
通过
运营回路
1 metadata events; adoption 100.0; missed 0; bad-output 0; risk low
关注
人工批准
0 active waivers; 1 warning gates still need reviewer decision
关注
世界证据
4 pending world-class evidence entries; 1 human pending; 3 external pending; overclaim guard true
通过
注册审计
yao-meta-skill 1.1.0; 6/6 compatibility entries pass; install pass with 4 adapters; installer permissions 12 enforced / 0 failures
通过
发布路线
0 promote; 3 keep current; 0 blocked; upgrade minor declared / minor recommended
@@ -501,12 +501,12 @@
- 上下文
initial load 944/1000; deferred 383953/120000; top deferred scripts 336470; resource governance governed; quality density 137.7
+ 上下文
initial load 944/1000; deferred 384567/120000; top deferred scripts 337084; resource governance governed; quality density 137.7
编译证据
Review reports/compiled_targets.md before packaging to inspect target adapter modes, generated files, preserved semantics, warnings, and unsupported features.
- 信任报告
- Secret
- 0
- 脚本数
- 96
- 网络脚本
- 3
- Help 失败
- 0
- 包体哈希
2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb
+ 信任报告
- Secret
- 0
- 脚本数
- 96
- 网络脚本
- 3
- Help 失败
- 0
- 包体哈希
da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942
安全边界
高风险 secret、远程 inline execution、缺失依赖策略或无法解释的脚本接口应阻断 governed release。
@@ -574,12 +574,12 @@
注册审计
yao-meta-skill 1.1.0; 6/6 compatibility entries pass; install pass with 4 adapters; installer permissions 12 enforced / 0 failures
- 包体元数据
- 名称
- yao-meta-skill
- 版本
- 1.1.0
- Maturity
- governed
- Owner
- Yao Team
- License
- MIT
- 信任级别
- local
- 目标平台
- openai, claude, generic, agent-skills-compatible, vscode
- 兼容通过
- 6/6
- 归档哈希
54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d
+ 包体元数据
- 名称
- yao-meta-skill
- 版本
- 1.1.0
- Maturity
- governed
- Owner
- Yao Team
- License
- MIT
- 信任级别
- local
- 目标平台
- openai, claude, generic, agent-skills-compatible, vscode
- 兼容通过
- 6/6
- 归档哈希
6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8
发布路线
0 promote; 3 keep current; 0 blocked; upgrade minor declared / minor recommended
- 包体验证
- 目标数
- 4
- Adapter
- 4
- 归档存在
- 是
- Zip 条目
- 575
- 失败数
- 0
- 警告数
- 0
- 归档哈希
54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d
+ 包体验证
- 目标数
- 4
- Adapter
- 4
- 归档存在
- 是
- Zip 条目
- 575
- 失败数
- 0
- 警告数
- 0
- 归档哈希
6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8
diff --git a/reports/review-studio.json b/reports/review-studio.json
index 0fdf6088..bb4a6535 100644
--- a/reports/review-studio.json
+++ b/reports/review-studio.json
@@ -43,7 +43,7 @@
"key": "context-budget",
"label": "上下文",
"status": "pass",
- "detail": "initial load 944/1000; deferred 383953/120000; top deferred scripts 336470; resource governance governed; quality density 137.7",
+ "detail": "initial load 944/1000; deferred 384567/120000; top deferred scripts 337084; resource governance governed; quality density 137.7",
"evidence": "reports/context_budget.json",
"link": "context_budget.md"
},
@@ -1336,9 +1336,9 @@
"methodology_complete": true,
"required_artifact_count": 24,
"missing_artifact_count": 0,
- "evidence_bundle_sha256": "58baf3fe11e00c2be487239945ab3cc43a70b545507e1f1c891d1aed9a6da25e",
- "source_contract_sha256": "59b0f65b269be1bcd9b8ab46997136fd5c19da796d0797702fb6a0dc96274cb8",
- "archive_sha256": "5f3d7a018d80277336598d3bf78c546f37a301c0e4d8be6691a9f8de349c6576",
+ "evidence_bundle_sha256": "f2e43ceb692ae62a187af57b89bc49fb420f5a747b9b3e9dd5b5e23601f30c4e",
+ "source_contract_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
+ "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
"output_case_count": 5,
"failure_disclosure_count": 3,
"command_count": 21,
@@ -1353,9 +1353,9 @@
"world_class_task_count": 4,
"world_class_ledger_pending_count": 4,
"working_tree_dirty": true,
- "changed_file_count": 30
+ "changed_file_count": 25
},
- "commit": "d808071fb55a91484e78fe40f4b64bb52815758a",
+ "commit": "3f0b262e5f11fdcf14db8dc70ddcb2a89941e52d",
"missing_artifacts": [],
"limitations": [
"The git commit and dirty flag are generation-time context; the evidence bundle hash is the durable artifact anchor inside a committed report.",
@@ -1460,7 +1460,7 @@
"interactive_script_count": 0,
"package_hash_scope": "source-contract-without-generated-reports",
"package_hash_file_count": 180,
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
},
"skill_atlas": {
"skill_count": 12,
@@ -1498,8 +1498,8 @@
"trust_level": "local",
"license": "MIT",
"checksums": {
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
"compatibility": {
"openai": "pass",
@@ -1530,7 +1530,7 @@
},
"distribution": {
"archive_verified": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"package_verification": "reports/package_verification.json",
"install_simulated": true,
"install_simulation": "reports/install_simulation.json"
@@ -1546,7 +1546,7 @@
"target_count": 4,
"adapter_count": 4,
"archive_present": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"archive_entry_count": 575,
"failure_count": 0,
"warning_count": 0
@@ -1625,12 +1625,12 @@
{
"field": "archive_sha256",
"from": "",
- "to": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "to": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
{
"field": "package_sha256",
"from": "0000000000000000000000000000000000000000000000000000000000000000",
- "to": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "to": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
@@ -3809,7 +3809,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 29.91,
+ "duration_ms": 29.87,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3837,7 +3837,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.72,
+ "duration_ms": 28.51,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3860,7 +3860,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.83,
+ "duration_ms": 29.77,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3888,7 +3888,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.47,
+ "duration_ms": 28.86,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3911,7 +3911,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 29.49,
+ "duration_ms": 28.97,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3939,7 +3939,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 29.13,
+ "duration_ms": 28.24,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3962,7 +3962,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.38,
+ "duration_ms": 28.63,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -3989,7 +3989,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.42,
+ "duration_ms": 28.92,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -4012,7 +4012,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.69,
+ "duration_ms": 28.27,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -4041,7 +4041,7 @@
"execution_mode": "command",
"model_executed": false,
"command_executed": true,
- "duration_ms": 28.75,
+ "duration_ms": 28.93,
"provider": "local-output-eval-runner",
"model": "",
"usage": {
@@ -10257,7 +10257,7 @@
"interactive_script_count": 0,
"package_hash_scope": "source-contract-without-generated-reports",
"package_hash_file_count": 180,
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
},
"failures": [],
"warnings": [],
@@ -13787,15 +13787,15 @@
"context_budget_tier": "production",
"context_budget_limit": 1000,
"skill_body_tokens": 751,
- "other_text_tokens": 1191951,
+ "other_text_tokens": 1193567,
"estimated_initial_load_tokens": 944,
- "estimated_total_text_tokens": 1192702,
- "deferred_resource_tokens": 383953,
+ "estimated_total_text_tokens": 1194318,
+ "deferred_resource_tokens": 384567,
"deferred_resource_warn_threshold": 120000,
"deferred_resource_dirs": [
{
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96
},
{
@@ -13812,7 +13812,7 @@
"large_deferred_resource_dirs": [
{
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96
}
],
@@ -13835,7 +13835,7 @@
],
"missing": [],
"path": "scripts",
- "estimated_tokens": 336470,
+ "estimated_tokens": 337084,
"file_count": 96,
"rationale": "Script resources are deterministic deferred tools, not initial-load prompt context."
}
@@ -15697,7 +15697,7 @@
"adoption_drift": {
"ok": true,
"schema_version": "2.0",
- "generated_at": "2026-06-14T02:29:07Z",
+ "generated_at": "2026-06-14T02:40:09Z",
"skill_dir": ".",
"privacy_contract": {
"storage": "local-first",
@@ -17322,8 +17322,8 @@
"trust_level": "local",
"license": "MIT",
"checksums": {
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
"compatibility": {
"openai": "pass",
@@ -17354,7 +17354,7 @@
},
"distribution": {
"archive_verified": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"package_verification": "reports/package_verification.json",
"install_simulated": true,
"install_simulation": "reports/install_simulation.json"
@@ -17379,7 +17379,7 @@
"vscode"
],
"package_metadata": "registry/packages/yao-meta-skill.json",
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
@@ -17402,7 +17402,7 @@
"target_count": 4,
"adapter_count": 4,
"archive_present": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"archive_entry_count": 575,
"failure_count": 0,
"warning_count": 0
@@ -18410,12 +18410,12 @@
{
"field": "archive_sha256",
"from": "",
- "to": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "to": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
{
"field": "package_sha256",
"from": "0000000000000000000000000000000000000000000000000000000000000000",
- "to": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "to": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
diff --git a/reports/security_trust_report.json b/reports/security_trust_report.json
index d0fceaad..acf0c1ee 100644
--- a/reports/security_trust_report.json
+++ b/reports/security_trust_report.json
@@ -23,7 +23,7 @@
"interactive_script_count": 0,
"package_hash_scope": "source-contract-without-generated-reports",
"package_hash_file_count": 180,
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
},
"failures": [],
"warnings": [],
diff --git a/reports/security_trust_report.md b/reports/security_trust_report.md
index 1aaf342f..0bac3f8c 100644
--- a/reports/security_trust_report.md
+++ b/reports/security_trust_report.md
@@ -16,7 +16,7 @@
- Interactive scripts: `0`
- Package hash scope: `source-contract-without-generated-reports`
- Package hash files: `180`
-- Package SHA256: `2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb`
+- Package SHA256: `da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942`
## Failures
diff --git a/reports/skill-overview.json b/reports/skill-overview.json
index 218202eb..9ba8f417 100644
--- a/reports/skill-overview.json
+++ b/reports/skill-overview.json
@@ -922,9 +922,9 @@
"methodology_complete": true,
"required_artifact_count": 24,
"missing_artifact_count": 0,
- "evidence_bundle_sha256": "58baf3fe11e00c2be487239945ab3cc43a70b545507e1f1c891d1aed9a6da25e",
- "source_contract_sha256": "59b0f65b269be1bcd9b8ab46997136fd5c19da796d0797702fb6a0dc96274cb8",
- "archive_sha256": "5f3d7a018d80277336598d3bf78c546f37a301c0e4d8be6691a9f8de349c6576",
+ "evidence_bundle_sha256": "f2e43ceb692ae62a187af57b89bc49fb420f5a747b9b3e9dd5b5e23601f30c4e",
+ "source_contract_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
+ "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
"output_case_count": 5,
"failure_disclosure_count": 3,
"command_count": 21,
@@ -939,9 +939,9 @@
"world_class_task_count": 4,
"world_class_ledger_pending_count": 4,
"working_tree_dirty": true,
- "changed_file_count": 30
+ "changed_file_count": 25
},
- "commit": "d808071fb55a91484e78fe40f4b64bb52815758a",
+ "commit": "3f0b262e5f11fdcf14db8dc70ddcb2a89941e52d",
"missing_artifacts": [],
"limitations": [
"The git commit and dirty flag are generation-time context; the evidence bundle hash is the durable artifact anchor inside a committed report.",
@@ -1046,7 +1046,7 @@
"interactive_script_count": 0,
"package_hash_scope": "source-contract-without-generated-reports",
"package_hash_file_count": 180,
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
},
"skill_atlas": {
"skill_count": 12,
@@ -1084,8 +1084,8 @@
"trust_level": "local",
"license": "MIT",
"checksums": {
- "package_sha256": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb",
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "package_sha256": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
"compatibility": {
"openai": "pass",
@@ -1116,7 +1116,7 @@
},
"distribution": {
"archive_verified": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"package_verification": "reports/package_verification.json",
"install_simulated": true,
"install_simulation": "reports/install_simulation.json"
@@ -1132,7 +1132,7 @@
"target_count": 4,
"adapter_count": 4,
"archive_present": true,
- "archive_sha256": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d",
+ "archive_sha256": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8",
"archive_entry_count": 575,
"failure_count": 0,
"warning_count": 0
@@ -1211,12 +1211,12 @@
{
"field": "archive_sha256",
"from": "",
- "to": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "to": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
{
"field": "package_sha256",
"from": "0000000000000000000000000000000000000000000000000000000000000000",
- "to": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "to": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
diff --git a/reports/upgrade_check.json b/reports/upgrade_check.json
index 0800ab27..1e92f3c4 100644
--- a/reports/upgrade_check.json
+++ b/reports/upgrade_check.json
@@ -70,12 +70,12 @@
{
"field": "archive_sha256",
"from": "",
- "to": "54e6b60578526fb40d38c7105cc61f59f0ca93c2811b1074b9ebc1620cfe853d"
+ "to": "6756fa63a5db07a3441347153ffb566e22b0a14ae4605b4ed3ab87d548a956b8"
},
{
"field": "package_sha256",
"from": "0000000000000000000000000000000000000000000000000000000000000000",
- "to": "2af3b1e7638215a67244ed897737e1d0b42b8c930c3a8ac66d87d818b3ba01bb"
+ "to": "da5488b7d14d1599f3d13ac30a6d4a9de1690867697e0f12426b3631bed47942"
}
]
},
diff --git a/reports/world_class_evidence_intake.md b/reports/world_class_evidence_intake.md
index ec83cee8..ab44a4b2 100644
--- a/reports/world_class_evidence_intake.md
+++ b/reports/world_class_evidence_intake.md
@@ -202,6 +202,7 @@ This report validates the intake contract for human and external evidence. A val
- Templates and planned work do not count as accepted evidence.
- Real submissions must include the evidence-key critical artifact paths with verified SHA-256 digests.
+- Real submissions must replace template submitter, date, and provenance placeholders with concrete evidence metadata.
- Local command-runner output does not count as provider-backed model evidence.
- Metadata fallback does not count as native permission enforcement.
- Pending reviewer work does not count as human adjudication.
diff --git a/scripts/render_world_class_evidence_intake.py b/scripts/render_world_class_evidence_intake.py
index 4bdf781f..cc8a4d2f 100644
--- a/scripts/render_world_class_evidence_intake.py
+++ b/scripts/render_world_class_evidence_intake.py
@@ -297,6 +297,7 @@ def render_markdown(report: dict[str, Any]) -> str:
"",
"- Templates and planned work do not count as accepted evidence.",
"- Real submissions must include the evidence-key critical artifact paths with verified SHA-256 digests.",
+ "- Real submissions must replace template submitter, date, and provenance placeholders with concrete evidence metadata.",
"- Local command-runner output does not count as provider-backed model evidence.",
"- Metadata fallback does not count as native permission enforcement.",
"- Pending reviewer work does not count as human adjudication.",
diff --git a/scripts/world_class_evidence_contract.py b/scripts/world_class_evidence_contract.py
index 28747e78..ae057061 100644
--- a/scripts/world_class_evidence_contract.py
+++ b/scripts/world_class_evidence_contract.py
@@ -49,6 +49,7 @@ EXPECTED_SOURCE_TYPES = {
"native-client-telemetry": "native-client-telemetry",
}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
+SUBMITTED_AT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}Z)?$")
DISALLOWED_REAL_ARTIFACTS = {"reports/telemetry_events.jsonl"}
REQUIRED_REAL_ARTIFACT_PATHS = {
"provider-holdout": {"reports/output_execution_runs.json"},
@@ -65,6 +66,18 @@ REQUIRED_REAL_ARTIFACT_PATHS = {
"reports/telemetry_hook_recipes.json",
},
}
+PLACEHOLDER_FRAGMENTS = (
+ "YYYY-MM-DD",
+ "name or team handle",
+ "operator with provider credentials",
+ "human reviewer",
+ "target client or installer integrator",
+ "Browser/Chrome/IDE/provider client integrator",
+ "Browser/Chrome/IDE/provider client",
+ "openai|claude|generic|vscode|other",
+ "client or installer component",
+ "/local/path/not/committed",
+)
def load_json(path: Path) -> dict[str, Any]:
@@ -101,6 +114,20 @@ def add_error(errors: list[str], condition: bool, message: str) -> None:
errors.append(message)
+def has_placeholder_text(value: Any) -> bool:
+ text = str(value or "").strip()
+ if not text:
+ return False
+ lowered = text.lower()
+ return any(fragment.lower() in lowered for fragment in PLACEHOLDER_FRAGMENTS)
+
+
+def require_real_text(errors: list[str], value: Any, field: str) -> None:
+ text = str(value or "").strip()
+ add_error(errors, bool(text), f"{field} is required")
+ add_error(errors, not has_placeholder_text(text), f"{field} must not use template placeholder text")
+
+
def sha256_file(path: Path) -> str:
digest = hashlib.sha256()
with path.open("rb") as handle:
@@ -197,6 +224,7 @@ def validate_artifact_refs(
def validate_evidence_specific(payload: dict[str, Any], errors: list[str]) -> None:
key = str(payload.get("evidence_key", ""))
+ template_expected = payload.get("template_only") is True
provenance = payload.get("provenance", {}) if isinstance(payload.get("provenance", {}), dict) else {}
if key == "provider-holdout":
add_error(errors, bool(str(provenance.get("provider", "")).strip()), "provider-holdout provenance.provider is required")
@@ -208,6 +236,8 @@ def validate_evidence_specific(payload: dict[str, Any], errors: list[str]) -> No
)
elif key == "human-adjudication":
add_error(errors, bool(str(provenance.get("reviewer", "")).strip()), "human-adjudication provenance.reviewer is required")
+ if not template_expected:
+ require_real_text(errors, provenance.get("reviewer", ""), "human-adjudication provenance.reviewer")
add_error(
errors,
provenance.get("answer_key_opened_after_decisions") is True,
@@ -215,11 +245,19 @@ def validate_evidence_specific(payload: dict[str, Any], errors: list[str]) -> No
)
elif key == "native-permission-enforcement":
add_error(errors, bool(str(provenance.get("target", "")).strip()), "native-permission-enforcement provenance.target is required")
+ if not template_expected:
+ require_real_text(errors, provenance.get("target", ""), "native-permission-enforcement provenance.target")
add_error(
errors,
bool(str(provenance.get("guard_location", "")).strip()),
"native-permission-enforcement provenance.guard_location is required",
)
+ if not template_expected:
+ require_real_text(
+ errors,
+ provenance.get("guard_location", ""),
+ "native-permission-enforcement provenance.guard_location",
+ )
add_error(
errors,
str(provenance.get("guard_scope", "")).strip()
@@ -238,6 +276,14 @@ def validate_evidence_specific(payload: dict[str, Any], errors: list[str]) -> No
)
elif key == "native-client-telemetry":
add_error(errors, bool(str(provenance.get("client", "")).strip()), "native-client-telemetry provenance.client is required")
+ if not template_expected:
+ require_real_text(errors, provenance.get("client", ""), "native-client-telemetry provenance.client")
+ if str(provenance.get("native_host_manifest", "")).strip():
+ require_real_text(
+ errors,
+ provenance.get("native_host_manifest", ""),
+ "native-client-telemetry provenance.native_host_manifest",
+ )
add_error(errors, provenance.get("event_source") == "external", "native-client-telemetry event_source must be external")
add_error(errors, provenance.get("metadata_only") is True, "native-client-telemetry must be metadata_only")
@@ -266,6 +312,13 @@ def validate_payload(
add_error(errors, bool(str(payload.get("submitted_by", "")).strip()), "submitted_by is required")
add_error(errors, bool(str(payload.get("submitted_at", "")).strip()), "submitted_at is required")
add_error(errors, bool(str(payload.get("summary", "")).strip()), "summary is required")
+ if not template_expected:
+ require_real_text(errors, payload.get("submitted_by", ""), "submitted_by")
+ add_error(
+ errors,
+ bool(SUBMITTED_AT_RE.match(str(payload.get("submitted_at", "")).strip())),
+ "submitted_at must use YYYY-MM-DD or YYYY-MM-DDTHH:MM:SSZ",
+ )
artifact_integrity = validate_artifact_refs(payload, errors, root=root, template_expected=template_expected)
privacy = payload.get("privacy", {}) if isinstance(payload.get("privacy", {}), dict) else {}
for key in REQUIRED_PRIVACY_FALSE:
diff --git a/tests/verify_world_class_evidence_intake.py b/tests/verify_world_class_evidence_intake.py
index a4c84edf..e175f5ff 100644
--- a/tests/verify_world_class_evidence_intake.py
+++ b/tests/verify_world_class_evidence_intake.py
@@ -159,6 +159,7 @@ def main() -> None:
assert "`python3 scripts/yao.py world-class-ledger .`" in markdown, markdown
assert "Templates and planned work do not count as accepted evidence." in markdown, markdown
assert "Real submissions must include the evidence-key critical artifact paths with verified SHA-256 digests." in markdown, markdown
+ assert "Real submissions must replace template submitter, date, and provenance placeholders with concrete evidence metadata." in markdown, markdown
kit_dir = TMP / "submission_kit"
kit_proc = run_kit("--output-dir", str(kit_dir), "--evidence-key", "provider-holdout")
@@ -219,6 +220,23 @@ def main() -> None:
assert valid_checklist["provider-holdout"]["submission_path"].endswith("tests/tmp_world_class_evidence_intake/valid_submissions/provider-holdout.json"), valid_checklist["provider-holdout"]
assert "tests/tmp_world_class_evidence_intake/valid_submissions" in valid_checklist["provider-holdout"]["commands"]["validate_intake"], valid_checklist["provider-holdout"]
+ placeholder_dir = TMP / "placeholder_submissions"
+ placeholder_dir.mkdir()
+ placeholder_submission = provider_submission(valid=True)
+ placeholder_submission["submitted_by"] = "operator with provider credentials"
+ placeholder_submission["submitted_at"] = "YYYY-MM-DD"
+ (placeholder_dir / "provider-holdout.json").write_text(
+ json.dumps(placeholder_submission, ensure_ascii=False, indent=2) + "\n",
+ encoding="utf-8",
+ )
+ placeholder_payload = run_intake("--submissions-dir", str(placeholder_dir))
+ assert placeholder_payload["ok"] is False, placeholder_payload
+ assert placeholder_payload["summary"]["decision"] == "fix-intake", placeholder_payload["summary"]
+ assert placeholder_payload["summary"]["invalid_submission_count"] == 1, placeholder_payload["summary"]
+ placeholder_errors = placeholder_payload["submissions"][0]["errors"]
+ assert any("submitted_by must not use template placeholder text" in error for error in placeholder_errors), placeholder_errors
+ assert any("submitted_at must use YYYY-MM-DD" in error for error in placeholder_errors), placeholder_errors
+
invalid_dir = TMP / "invalid_submissions"
invalid_dir.mkdir()
(invalid_dir / "provider-holdout.json").write_text(
diff --git a/tests/verify_world_class_evidence_ledger.py b/tests/verify_world_class_evidence_ledger.py
index 7dbe2dcf..4196e9fa 100644
--- a/tests/verify_world_class_evidence_ledger.py
+++ b/tests/verify_world_class_evidence_ledger.py
@@ -263,6 +263,50 @@ def main() -> None:
for error in unrelated_accepted_provider["submission_state"]["errors"]
), unrelated_accepted_provider
+ placeholder_accepted_submissions = TMP / "placeholder_accepted_submissions"
+ placeholder_accepted_submissions.mkdir()
+ placeholder_submission = provider_submission(accepted_source_skill)
+ placeholder_submission["submitted_by"] = "operator with provider credentials"
+ placeholder_submission["submitted_at"] = "YYYY-MM-DD"
+ (placeholder_accepted_submissions / "provider-holdout.json").write_text(
+ json.dumps(placeholder_submission, ensure_ascii=False, indent=2) + "\n",
+ encoding="utf-8",
+ )
+ placeholder_accepted_proc = subprocess.run(
+ [
+ sys.executable,
+ str(SCRIPT),
+ str(accepted_source_skill),
+ "--output-json",
+ str(TMP / "placeholder_accepted_provider_ledger.json"),
+ "--output-md",
+ str(TMP / "placeholder_accepted_provider_ledger.md"),
+ "--submissions-dir",
+ str(placeholder_accepted_submissions),
+ "--generated-at",
+ "2026-06-13",
+ ],
+ cwd=ROOT,
+ capture_output=True,
+ text=True,
+ check=True,
+ )
+ placeholder_accepted_payload = json.loads(placeholder_accepted_proc.stdout)
+ placeholder_accepted_summary = placeholder_accepted_payload["summary"]
+ assert placeholder_accepted_summary["source_accepted_count"] == 1, placeholder_accepted_summary
+ assert placeholder_accepted_summary["accepted_count"] == 0, placeholder_accepted_summary
+ assert placeholder_accepted_summary["invalid_submission_count"] == 1, placeholder_accepted_summary
+ placeholder_accepted_provider = {
+ entry["key"]: entry for entry in placeholder_accepted_payload["entries"]
+ }["provider-holdout"]
+ assert placeholder_accepted_provider["source_accepted"] is True, placeholder_accepted_provider
+ assert placeholder_accepted_provider["status"] == "pending", placeholder_accepted_provider
+ assert placeholder_accepted_provider["submission_state"]["status"] == "invalid-contract", placeholder_accepted_provider
+ assert any(
+ "submitted_by must not use template placeholder text" in error
+ for error in placeholder_accepted_provider["submission_state"]["errors"]
+ ), placeholder_accepted_provider
+
accepted_submissions = TMP / "accepted_submissions"
accepted_submissions.mkdir()
(accepted_submissions / "provider-holdout.json").write_text(