Ship CLI proof receipts

AGENTS.md

@@ -44,3 +44,18 @@ pnpm lint
 Write for developers discovering MartinLoop for the first time.
 Explain what the tool does, how to install it, how to run it,
 and how to verify results.
+
+## Proof Receipt Design Lock
+
+MartinLoop proof-card SVGs must stay in the CLI receipt style:
+
+- dark terminal canvas
+- line-based layout
+- monospaced evidence rows
+- semantic green for verified/pass states
+- semantic red for failed, missing, or boundary states
+
+Do not change proof receipts into rounded cards, blue palettes, gradients,
+certificate layouts, dashboard cards, or decorative marketing graphics unless
+the maintainer explicitly asks for that change and receives side-by-side
+visual renders before approval.

README.md

@@ -79,7 +79,7 @@ npx -y martin-loop@latest preflight "Summarize the demo workspace and prove test
 
 `share --latest` writes three files into the selected run directory under `share/`: `run-receipt.json`, `run-receipt.md`, and `proof-card.svg`.
 
-Release notes for the current root package: [MartinLoop 0.3.4](./docs/release/OSS-0.3.4-RELEASE-NOTES.md).
+Release notes for the current root package: [MartinLoop 0.3.5](./docs/release/OSS-0.3.5-RELEASE-NOTES.md).
 
 ## Visual Proof
 
@@ -95,22 +95,42 @@ Ungoverned agents can retry until cost and scope drift. MartinLoop adds budget c
   <img src="./docs/assets/side-by-side.svg" alt="MartinLoop governed run compared with an unbounded retry loop" width="720" height="1080">
 </div>
 
+## Proof Receipts
+
+Proof receipts are local share bundles for governed AI coding runs. They show the task, spend, budget, verifier result, receipt integrity, and any evidence boundary that should not be rounded into confidence.
+
+This real governed run spent `$0.51` against a `$3.00` budget. The verifier passed and the receipt integrity was signed, but the proof stayed at `EVIDENCE_BOUNDARY` because rollback evidence was not recorded.
+
+<div align="center">
+  <img src="./docs/assets/proof-receipt-live-governed.png" alt="MartinLoop CLI proof receipt for a governed run with spend, budget, verifier, integrity, and evidence boundary" width="720">
+</div>
+
+Generate your own receipt after a governed run:
+
+```sh
+npx -y martin-loop@latest run "Summarize the demo workspace and prove tests still pass" --proof --verify "npm test"
+npx -y martin-loop@latest runs verify --latest
+npx -y martin-loop@latest share --latest
+```
+
+Example receipt files: [Markdown](./docs/examples/proof-receipts/live-governed-run-receipt.md) and [JSON](./docs/examples/proof-receipts/live-governed-run-receipt.json).
+
 ## Run This Audit Yourself
 
 Use this lane from a clean temp directory to verify the public CLI flow exactly as shipped:
 
 ```sh
-npx -y martin-loop@0.3.4 --version
-npx -y martin-loop@0.3.4 start
-npx -y martin-loop@0.3.4 demo
+npx -y martin-loop@0.3.5 --version
+npx -y martin-loop@0.3.5 start
+npx -y martin-loop@0.3.5 demo
 cd martin-loop-demo
 npm install
-npx -y martin-loop@0.3.4 run "Summarize the demo workspace and prove tests still pass" --proof --verify "npm test" --json
-npx -y martin-loop@0.3.4 dossier --latest --json
-npx -y martin-loop@0.3.4 share --latest --json
+npx -y martin-loop@0.3.5 run "Summarize the demo workspace and prove tests still pass" --proof --verify "npm test" --json
+npx -y martin-loop@0.3.5 dossier --latest --json
+npx -y martin-loop@0.3.5 share --latest --json
 ```
 
-For deterministic installs, pin the package line (`martin-loop@0.3.4`) or use `martin-loop@latest`. Plain `npx martin-loop` can resolve a stale local cache on some machines.
+For deterministic installs, pin the package line (`martin-loop@0.3.5`) or use `martin-loop@latest`. Plain `npx martin-loop` can resolve a stale local cache on some machines.
 
 Expected share bundle outputs:
 
@@ -229,7 +249,7 @@ npx martin-loop mcp print-config --host gemini --transport stdio --profile full-
 npx martin-loop mcp print-config --host generic --transport stdio --profile github-review
 ```
 
-The root `martin-loop` package and the standalone `@martinloop/mcp` package move on separate version lines. The root package line here is `0.3.4`; the current standalone MCP package is `0.3.1`.
+The root `martin-loop` package and the standalone `@martinloop/mcp` package move on separate version lines. The root package line here is `0.3.5`; the current standalone MCP package is `0.3.1`.
 
 The public MCP release train labels are:
 

docs/examples/proof-receipts/live-governed-run-receipt.json

@@ -0,0 +1,17 @@
+{
+  "title": "Martin Loop Proof Receipt",
+  "loopId": "loop_82emkgkf",
+  "proofVerdict": "EVIDENCE_BOUNDARY",
+  "evidenceLine": "Incomplete Martin proof: missing budget, rollback, or verifier evidence.",
+  "verifier": "passed",
+  "costSpend": "$0.51",
+  "budget": "$3.00",
+  "remainingBudget": "$2.49",
+  "overspendRatio": "0.17x",
+  "attempts": "1",
+  "rollback": "not-recorded",
+  "receiptIntegrity": "signed",
+  "verificationSteps": "1",
+  "runtime": "claude / claude-sonnet-4-6 / agent-cli:claude",
+  "generatedAt": "2026-06-10T20:01:03.635Z"
+}

docs/examples/proof-receipts/live-governed-run-receipt.md

@@ -0,0 +1,25 @@
+# Martin Loop Proof Receipt
+
+Incomplete Martin proof: missing budget, rollback, or verifier evidence.
+
+| Field | Evidence |
+| --- | --- |
+| Loop ID | loop_82emkgkf |
+| Objective | Audit the MartinLoop CLI proof receipt guard for a shareable governed run receipt. |
+| Status | exited |
+| Lifecycle | budget_exit |
+| Verifier | passed |
+| Cost / spend | $0.51 |
+| Budget | $3.00 |
+| Attempts | 1 |
+| Rollback | not-recorded |
+| Halt reason | Martin exited because the budget governor hit a hard limit. |
+| Evidence boundary | Generated from a local Martin Loop run record.; Hosted dashboards and private team telemetry are intentionally excluded from OSS proof cards. |
+| Remaining budget | $2.49 |
+| Overspend ratio | 0.17x |
+| Verification steps | 1 |
+| Run mode | not recorded |
+| Runtime | claude / claude-sonnet-4-6 / agent-cli:claude |
+| Receipt integrity | signed |
+| Generated at | 2026-06-10T20:01:03.635Z |
+

docs/oss/AGENT-RUN-RECEIPTS.md

@@ -85,6 +85,8 @@ Expected bundle output under the selected run directory in `share/`:
 - `run-receipt.md` (human-readable recap)
 - `proof-card.svg` (portable visual card)
 
+The proof card is intentionally a terminal-style receipt, not a marketing card. It uses a dark CLI layout, line rules, monospaced evidence rows, green only for verified/pass states, and red only for failed, missing, or boundary states. Do not restyle it into rounded boxes, blue palettes, gradients, certificate layouts, or dashboard cards without an explicit visual review.
+
 4. Optional custom output directory:
 
 ```sh
@@ -126,3 +128,13 @@ If exact replay is not possible because the workspace changed, the `warnings` an
 - usage is presented with provenance (`actual`, `estimated`, or `unavailable`)
 - verifier failures are explicit and not reinterpreted as success
 - inspection remains read-only
+
+## Public proof receipt example
+
+This repository includes a public-safe proof receipt generated from a real governed run:
+
+- [visual proof card](../assets/proof-receipt-live-governed.png)
+- [Markdown receipt](../examples/proof-receipts/live-governed-run-receipt.md)
+- [JSON receipt](../examples/proof-receipts/live-governed-run-receipt.json)
+
+The example shows a verifier-passed run with signed receipt integrity and an explicit evidence boundary. The boundary is kept visible because rollback evidence was not recorded.

docs/oss/AGENT-START-HERE.md

@@ -28,6 +28,17 @@ npx martin-loop dossier --latest
 
 Expected value: the dossier tells you what happened, what Martin prevented, verifier status, rollback/artifact evidence, clearly labeled token/cost estimates, and the next safe action.
 
+## Proof Receipts
+
+After a governed run, create a share bundle:
+
+```sh
+npx martin-loop runs verify --latest
+npx martin-loop share --latest
+```
+
+The bundle includes `run-receipt.json`, `run-receipt.md`, and `proof-card.svg`. The proof card should look like a terminal receipt: dark canvas, rows, divider lines, monospaced evidence, green pass states, and red boundary states. Keep uncertainty visible. If rollback, integrity, cost, or verifier evidence is missing, render it as missing instead of turning the run into a success claim.
+
 ## MCP Profile Defaults
 
 - `minimal` is the default: `martin_doctor`, `martin_preflight`, `martin_list_runs`, `martin_triage_runs`, and `martin_run_dossier`.

docs/release/OSS-0.3.5-RELEASE-NOTES.md

@@ -0,0 +1,29 @@
+# MartinLoop 0.3.5 Proof Receipt Release
+
+`0.3.5` upgrades MartinLoop share receipts so governed runs produce a sharper CLI-style proof card and clearer public documentation.
+
+## What Changed
+
+- Proof cards now render as dark terminal receipts with line rules, monospaced evidence rows, and explicit pass/boundary coloring.
+- Share receipts include stronger visible context: task class, spend, budget, remaining budget, overspend ratio, verifier status, integrity state, runtime, and event rail when present in the local run record.
+- Missing rollback, verifier, budget, or integrity evidence stays visible as an evidence boundary instead of being softened into a success claim.
+- README and agent docs now show how to create and inspect share bundles with `runs verify --latest` and `share --latest`.
+- Public tests now block rounded-card, blue-palette, gradient, and typography regressions in proof-card SVG output.
+
+## Why This Matters
+
+AI coding work needs evidence that can be checked after the run. A verifier pass is useful, but it is not the whole proof. The receipt should also show what it cost, what evidence exists, and what evidence is missing.
+
+## Quick Check
+
+```sh
+npx -y martin-loop@0.3.5 run "Summarize the demo workspace and prove tests still pass" --proof --verify "npm test"
+npx -y martin-loop@0.3.5 runs verify --latest
+npx -y martin-loop@0.3.5 share --latest
+```
+
+Expected share bundle outputs:
+
+- `share/run-receipt.json`
+- `share/run-receipt.md`
+- `share/proof-card.svg`

docs/release/VERSION-LEDGER.md

@@ -4,16 +4,16 @@ This file is the release source of truth for package/version mapping in this rep
 
 ## Root package: `martin-loop`
 
-- live npm dist-tag `latest`: `0.3.4`
-- live public GitHub release: `v0.3.4`
+- live npm dist-tag `latest`: `0.3.4` before the `0.3.5` proof receipt release publishes
+- live public GitHub release: `v0.3.4` before the `v0.3.5` release workflow completes
 - live public baseline in this train: `0.3.4`
 - root public baseline: `0.3.4`
 - releases consumed since the original `0.2.8` launch:
   - `0.2.9` fixed proof-run classification, Windows `.cmd` resolution, and public provider defaults
   - `0.2.10` tightened verifier evidence, `--runs-dir` consistency, and public help output
   - `0.2.11` fixed `runs verify --latest` selector parity in the public CLI
-- current in-repo root release line: `0.3.4` for governed integrity hardening across path-policy, selector, and receipt verification surfaces
-- next planned root follow-on: `0.3.5` for additional cross-host reliability follow-ups
+- current in-repo root release line: `0.3.5` for CLI-style proof receipts and share-bundle documentation
+- next planned root follow-on: `0.3.6` for additional cross-host reliability follow-ups
 
 ## Standalone package: `@martinloop/mcp`
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "martin-loop",
   "private": false,
-  "version": "0.3.4",
+  "version": "0.3.5",
   "type": "module",
   "description": "Open-source command center for governed AI coding agents with built-in onboarding, hard gates, MCP, and shareable run receipts.",
   "packageManager": "pnpm@10.33.0",

packages/cli/src/index.ts

@@ -3004,6 +3004,22 @@ function proofCardInputFromLoop(loop: LoopRecord): MartinProofCardInput {
   )
     ? "captured"
     : "not-recorded";
+  const remainingBudget = Math.max(0, loop.budget.maxUsd - loop.cost.actualUsd);
+  const overspendRatio =
+    loop.budget.maxUsd > 0 ? `${(loop.cost.actualUsd / loop.budget.maxUsd).toFixed(2)}x` : "unknown";
+  const verificationStepCount = loop.events.filter((event) => event.type === "verification.completed").length;
+  const latestAttempt = loop.attempts.at(-1);
+  const runtime = latestAttempt
+    ? `${latestAttempt.adapterId} / ${latestAttempt.model}`
+    : loop.events
+        .map((event) => event.payload)
+        .find((payload) => typeof payload["adapterId"] === "string" || typeof payload["model"] === "string");
+  const runtimeLabel =
+    typeof runtime === "string"
+      ? runtime
+      : runtime
+        ? `${String(runtime["adapterId"] ?? "unknown")} / ${String(runtime["model"] ?? "unknown")}`
+        : "not recorded";
 
   return {
     loopId: loop.loopId,
@@ -3013,8 +3029,14 @@ function proofCardInputFromLoop(loop: LoopRecord): MartinProofCardInput {
     verifierStatus: verification.status,
     costSpend: `$${loop.cost.actualUsd.toFixed(2)}`,
     budget: `$${loop.budget.maxUsd.toFixed(2)}`,
+    remainingBudget: `$${remainingBudget.toFixed(2)}`,
+    overspendRatio,
     attempts: loop.attempts.length,
     rollbackStatus,
+    verificationStepCount,
+    runMode: loop.task.mutationMode ?? "not recorded",
+    runtime: runtimeLabel,
+    timelineEvents: loop.events.map((event) => event.type),
     haltReason: latestExitReason(loop),
     evidenceBoundaryNotes: [
       "Generated from a local Martin Loop run record.",
@@ -3034,8 +3056,14 @@ function defaultChallengeProofCardInput(): MartinProofCardInput {
     verifierStatus: "passed",
     costSpend: "$2.30",
     budget: "$3.00",
+    remainingBudget: "$0.70",
+    overspendRatio: "0.77x",
     attempts: 2,
     rollbackStatus: "captured",
+    verificationStepCount: 1,
+    runMode: "mutating",
+    runtime: "demo / local-fixture",
+    timelineEvents: ["run.started", "attempt.started", "verification.completed", "budget.updated", "run.completed"],
     haltReason: "verifier_passed",
     evidenceBoundaryNotes: [
       "Generated from a local Martin Loop run record.",