claude-code-parity-apr-v1.yaml

# ─────────────────────────────────────────────────────────────────────────────
# claude-code-parity-apr-v1
#
# SOURCE OF TRUTH for the runtime, behavioral parity harness between Claude
# Code (teacher) and `apr code` (student). Pins:
#   - the `.ccpa-trace.jsonl` schema (recorded action stream)
#   - replay determinism semantics
#   - tool-call + file-mutation equivalence rules
#   - sovereignty constraint (no api.anthropic.com on replay)
#   - aggregate parity-score bound
#
# Sibling contracts (axes that are NOT this contract):
#   - apr-code-parity-v1.yaml       — STATIC feature matrix (does the symbol exist)
#   - apr-claude-proxy-v1.yaml      — HTTP/SSE Messages-API request/response shape
#   - apr-mcp-server-v1.yaml        — MCP JSON-RPC protocol surface
# This contract is the fourth leg: behavioral, runtime, fixture-driven.
#
# Direction: YAML IS AUTHORITATIVE. The trace serializer (ccpa-trace), the
# differ (ccpa-differ) and the replay driver (ccpa-replayer) all consume this
# file. Hand-editing schema or rule shape in Rust without first updating this
# YAML is rejected by the falsification suite once M6 lands.
#
# Spec: docs/specifications/claude-code-parity-apr-poc.md
# Repo (planned, downstream): https://github.com/paiml/claude-code-parity-apr
# ─────────────────────────────────────────────────────────────────────────────

metadata:
  version: 1.2.0
  created: '2026-04-26'
  last_modified: '2026-04-27'
  author: PAIML Engineering
  # `pv validate` reads ContractKind from metadata.kind (see
  # crates/aprender-contracts/src/schema/kind.rs::ContractKind). This is a
  # cross-cutting parity/audit pattern, not a mathematical kernel — so the
  # schema-dispatch kind is `pattern`. The domain kind is preserved under
  # metadata.behavioral_parity_kind for documentation. Same approach as
  # apr-code-parity-v1.yaml and apr-claude-proxy-v1.yaml.
  kind: pattern
  behavioral_parity_kind: ClaudeCodeBehavioralParityContract
  description: >
    Falsifiable runtime-parity harness between Claude Code (teacher) and
    `apr code` (student). Captures Claude Code as a recorded action stream
    via an HTTPS proxy at ANTHROPIC_BASE_URL, replays the same prompts to
    `apr code` with mocked LLM responses (so orchestration is the only thing
    under test), and gates the diff under eight falsification conditions
    covering schema, determinism, mock completeness, tool-call equivalence,
    file-mutation equivalence, sovereignty, corpus coverage and parity-score.
  references:
    - 'docs/specifications/claude-code-parity-apr-poc.md (this contract''s spec)'
    - 'contracts/apr-code-parity-v1.yaml — sibling static feature matrix'
    - 'contracts/apr-claude-proxy-v1.yaml — sibling Messages-API shape contract'
    - 'crates/aprender-orchestrate/contracts/batuta/apr-code-v1.yaml — agent-loop semantics'
    - 'CLAUDE.md § "Contract Validation: DOGFOOD pv, NEVER bash"'
    - 'memory: feedback_monorepo_single_source_of_truth.md (downstream-consumer pattern)'
    - 'memory: feedback_pv_not_bash_for_contracts.md (every gate flows through pv)'
    - 'Anthropic Messages API — https://docs.anthropic.com/en/api/messages'
    - 'Hinton et al. 2015 — Distilling the Knowledge in a Neural Network (action-stream variant)'
  spec: docs/specifications/claude-code-parity-apr-poc.md
  epic: PMAT-CCPA-PARITY-001                  # to be opened on M0 merge
  related_contracts:
    - contracts/apr-code-parity-v1.yaml
    - contracts/apr-claude-proxy-v1.yaml
    - crates/aprender-orchestrate/contracts/batuta/apr-code-v1.yaml

name: claude-code-parity-apr
version: "1.29.0"
status: ACTIVE_RUNTIME   # 18/18 gates registered; 4 with status: ACTIVE_RUNTIME (CCPA-013/014/015/016 — the runtime-evidence + outcome-parity track) + 2 with status: PROPOSED (CCPA-017 project-scale parity + CCPA-018 Arena recovery-rate, both awaiting first operator-dispatched bench to flip ACTIVE_RUNTIME at v1.30.0), rest at PLANNED_M*/IN_REVIEW/HARD_BLOCKING_M16 per their lifecycle phase. No OPEN residue. v1.29.0 (companion-repo M194-M206 Phase 5 sequence, 2026-05-15) — adds FALSIFY-CCPA-018 (arena_recovery_rate_bound) to the gate registry. Phase 5 operationalizes design-audit.md (M192 operator-authored) R2 + R3 recommendations: a live multi-turn execution harness (crates/ccpa-arena/) where the agent gets bash/test feedback per turn and must recover from failures. The M196 P5.1 scaffolding shipped the ArenaSession + ArenaDriver + OracleCmd + TurnRecord types; M200 P5.2 shipped the real multi-turn loop body (crates/ccpa-arena/src/dispatch.rs with Bash/Read/Write/Edit dispatch via std::process::Command + std::fs); M202 P5.3 shipped SubprocessDriver + bin/ccpa-arena-bench (clap CLI) + scripts/phase-5-arena-bench.sh (operator-dispatch wrapper analogous to phase-4-bench.sh); M204 P5.4 shipped CCPA-018 gate test (asserts recovery_rate >= 0.5 AND oracle_passed_rate >= 0.3 with bidirectional sensitivity verified via synthetic identity/regression/give-up-fast fixtures — the asymmetric give-up-fast test is the canonical R3 distinguishing case: 100% pass rate BUT zero recovery FAILS the gate); M206 P5.5 shipped the falsifier-of-falsifier comparator (crates/ccpa-arena/src/falsifier.rs + evaluate_static_vs_arena() returning FalsifierVerdict with StaticFalsified/StaticValidated/Inconclusive outcomes per design-audit.md §5's Popperian test). CCPA-018 enters at status: PROPOSED because no operator-dispatched Arena bench has produced evidence/phase-5/arena-scores.json yet; the live-evidence test is #[ignore]'d until that exists. Threshold values (0.5 recovery / 0.3 oracle) are tentative POC-tier floors — they WILL be recalibrated after first operator dispatch. Phase 5 is distinct from Phase 4 (CCPA-017): CCPA-017 measures FUNCTIONAL OUTCOME (does the code work?); CCPA-018 measures AGENT QUALITY (does the agent recover when bash fails?). v1.28.0 (companion-repo M180-M188 Phase 4 sequence, 2026-05-15) — adds FALSIFY-CCPA-017 (project_scale_parity_bound) to the gate registry. Phase 4 operationalizes the M159 ProgramBench prior-art (arXiv:2605.03546, 0%/200 SOTA baseline) into companion-tier project-scale parity testing: the M182 corpus draws 5 fixtures from real open GitHub issues across paiml/decy + paiml/bashrs + paiml/depyler with pinned pre-fix commit SHAs; the M184 runner (scripts/phase-4-bench.sh, 288 lines bash) clones at the pinned SHA, dispatches each system with timeout APR_TIMEOUT_S (default 900s), snapshots diff vs SHA, runs the per-fixture oracle_cmd; the M186 scorer (crates/ccpa-differ/src/project_scale_diff.rs, ~310 lines Rust) lifts the runner JSON into ProjectScaleParityReport with 5 derived metrics (per-fixture: approach_match + lines_edited_ratio; corpus-level: partial_agreement + files_jaccard_corpus + approach_match_rate); the M188 gate test (crates/ccpa-differ/tests/falsify_ccpa_017_project_scale_parity.rs, ~260 lines, 7 active + 1 #[ignore]'d) asserts partial_agreement >= 0.3 AND files_jaccard_corpus >= 0.3 with bidirectional sensitivity verified on synthetic identity (passes) and synthetic regression (fails) fixtures. CCPA-017 enters at status: PROPOSED because no operator-dispatched measurement has produced evidence/phase-4/project-scale-scores.json yet; the live-evidence test is #[ignore]'d until that exists. Threshold values (0.3/0.3) are tentative POC-tier floors — they WILL be recalibrated after first operator dispatch. Phase 4 is the SIGNAL regime, not the SATURATION regime: a CCPA-016-style "agreement = 1.0" result is implausible at project-scale per ProgramBench evidence; the goal is "do both systems make matching partial progress?" not "do both systems fully succeed?". v1.27.0 (companion-repo M167, 2026-05-14) — flips FALSIFY-CCPA-013 (first_recorded_parity_score) from `status: OPEN` → `status: ACTIVE_RUNTIME`. The gate's assertion has been satisfied since v1.1.0 (3 measured_parity blocks dating 2026-04-27 against `fixtures/canonical/` with aggregate_score = 1.0000), but the gate-level status field was never flipped — stale prose that this revision corrects. Also extends the assertion's `fixture_corpus_path` constraint to accept EITHER `fixtures/canonical/` (AUTHORED, since v1.2.0) OR `evidence/phase-3/captures/` (REAL-BINARY bilateral bench, companion-repo M150 — claude 2.1.139 + apr 0.32.0 + Qwen2.5-Coder-1.5B-Instruct-Q4_K_M, agreement = 1.0000 on MultiPL-E-Rust HumanEval/0..4). Adds a 4th measured_parity block under CCPA-013 recording M150's real-binary evidence as the strongest empirical discharge anchor. **CCPA-013 was the last gate stuck at `status: OPEN`** — its flip closes the OPEN residue. v1.26.0 (companion-repo M147+M152+M162 Phase 3 sequence, 2026-05-13) (companion-repo M147+M152+M162 Phase 3 sequence, 2026-05-13) — adds FALSIFY-CCPA-015 (ccpa_trace_subproc_output_purity) AND FALSIFY-CCPA-016 (outcome_parity_bound) to the gate registry. CCPA-015 was authored at M147 via provable-contract design (falsifying test FIRST, fix via Stdio::null()) for the ccpa-trace-subproc capture binary; PROPOSED in v1.25.0, promoted ACTIVE_RUNTIME here. CCPA-016 is the Phase 3 P3.4 outcome-parity gate authored at M152 — asserts aggregate agreement >= 0.5 on a MultiPL-E-Rust-class corpus with bidirectional sensitivity (synthetic regression fixture fails threshold; synthetic identity passes). CCPA-016 was empirically validated at M150 (real bilateral bench produced agreement = 1.0000 on 5/5 HumanEval/0..4 with real claude 2.1.139 + real apr code 0.32.0 via Qwen2.5-Coder-1.5B-Instruct-Q4_K_M). The companion-repo M162 row records that aprender#1638 MERGED upstream at squash b61b76b4 (2026-05-13), un-gating apr code from `--features code` so `cargo install apr-cli` ships it by default — the Axis 3 LlmDriver-adapter discharge is FULLY confirmed. v1.25.0 (companion-repo M136-M140 axis-2-closure-plan sequence, 2026-05-11) — adds FALSIFY-CCPA-014 (companion-repo M136-M140 axis-2-closure-plan sequence, 2026-05-11) — adds FALSIFY-CCPA-014 (os_event_parity_bound) to the gate registry, completing the axis-2 closure-plan idea (2) CLI subprocess instrumentation track. New gate consumes ccpa_subproc::OsEvent records (M136) via ccpa_differ::os_event_parity (M137) and asserts canonical-corpus score >= 0.95 + bidirectional sensitivity on regression corpus (M139). v1.24.0 (companion-repo M128-M131 sequence, 2026-05-10) — bumped from v1.23.0 to integrate the M109 cosine-vs-HF-FP16 LIVE-DISCHARGE (cos_sim 0.995384 ≥ 0.99 on lambda-vector RTX 4090, 2026-05-09; aprender PR #1597 squash 3fb04ef86 flipped `qwen3-moe-forward-v1` v1.4.0 ACTIVE_ALGORITHM_LEVEL → v1.5.0 ACTIVE_RUNTIME). Discharges the v1.23.0 status-prose claim "Cosine vs HF FP16 remains operator-confirm pending ~60 GB HF download" — the FP16 weights had been on lambda-vector at /mnt/nvme-raid0/models/Qwen3-Coder-30B-A3B-Instruct/ (57 GB / 16 safetensors shards) for ~7 days; the "60 GB download" blocker was stale by 62 days. v1.23.0 (M35 M32d discharge audit-trail bump) records the 4-bug stack landed on aprender main as commit 5235aaeb9 (#1228) plus diagnostic surface PRs #1222 (Step 2), #1226 (Step 2.5), #1401 (Step 2 JSON wire). M32d gibberish output ("%%%%%%%%") converted to coherent English answers across math/geography/translation/code domains. M34 FAST PATH 5-whys plan delivered at lucky-case bound (5 substantive PRs vs 4-6 estimated, ~6 hours wall vs 2-3 days). Component priors verified empirically: rank-3 Q/K RMSNorm (15%) + rank-4 rope_theta (10%) + chat template both correct. Cosine vs HF FP16 formal flip **DISCHARGED 2026-05-09 at companion-repo M109** (apr_argmax = hf_argmax = 3555 " What"; 555ms apr-forward; HF FP16 fixture generated in 52s).

# ─────────────────────────────────────────────────────────────────────────────
# Top-level invariants — the 12 falsifiable gates this contract asserts.
# ─────────────────────────────────────────────────────────────────────────────
# Dual-encoded: structurally re-enumerated below under `falsification_conditions`
# with full assertion / harness / cross-check details. Listed here as a
# top-level array for (a) quick-scan summary and (b) pmat CB-1305 contract-
# surface classification (this contract classifies as `InvariantsOnly`).
invariants:
  - { id: FALSIFY-CCPA-009, name: ci_main_branch_green,       summary: 'companion repo branch protection requires ci/gate' }
  - { id: FALSIFY-CCPA-010, name: pmat_comply_100pct,         summary: 'pmat comply check reports is_compliant=true with 0 Fail-status checks' }
  - { id: FALSIFY-CCPA-011, name: line_coverage_100pct,       summary: 'cargo llvm-cov: 100% function coverage AND >=99% line coverage' }
  - { id: FALSIFY-CCPA-012, name: pv_contract_gate_on_commit, summary: 'pre-commit hook + CI both run pv validate' }
  - { id: FALSIFY-CCPA-001, name: trace_schema_roundtrip,     summary: 'every fixture parses + re-serializes byte-identical' }
  - { id: FALSIFY-CCPA-002, name: replay_determinism,         summary: 'two replays of the same fixture produce identical student traces' }
  - { id: FALSIFY-CCPA-003, name: mock_completeness,          summary: 'RecordedDriver consumes every teacher turn exactly once' }
  - { id: FALSIFY-CCPA-004, name: tool_call_equivalence,      summary: 'student tool-calls equal teacher tool-calls under per-tool rules' }
  - { id: FALSIFY-CCPA-005, name: file_mutation_equivalence,  summary: 'CWD diff after replay matches CWD diff after teacher run' }
  - { id: FALSIFY-CCPA-006, name: sovereignty_on_replay,      summary: 'no outbound api.anthropic.com sockets during replay' }
  - { id: FALSIFY-CCPA-007, name: corpus_coverage,            summary: '>=1 fixture per non-MISSING row of apr-code-parity-v1.yaml' }
  - { id: FALSIFY-CCPA-008, name: parity_score_bound,         summary: 'aggregate parity_score >= 0.95, per-fixture >= 0.80' }
  - { id: FALSIFY-CCPA-013, name: first_recorded_parity_score, summary: 'AT LEAST ONE real Claude Code ↔ apr code corpus run produced a measured parity_score recorded in status_history. Flips ACTIVE_ALGORITHM_LEVEL → ACTIVE_RUNTIME.' }
  - { id: FALSIFY-CCPA-014, name: os_event_parity_bound,       summary: 'OS-level event parity (axis-2-closure-plan M115.4): macro-averaged Jaccard >= 0.95 per fixture in fixtures/os-canonical/; bidirectional-sensitivity gate on fixtures/os-regression/ (every fixture < 0.95 + non-empty drift records).' }
  - { id: FALSIFY-CCPA-015, name: ccpa_trace_subproc_output_purity, summary: 'Every line emitted to stdout by ccpa-trace-subproc MUST decode as a ccpa_subproc::OsEvent JSON object. Subprocess stdout MUST NOT interleave with the capture stream (use Stdio::null() not Stdio::inherit()).' }
  - { id: FALSIFY-CCPA-016, name: outcome_parity_bound,        summary: 'Outcome parity (Phase 3 P3.4): aggregate agreement on a MultiPL-E-Rust-class corpus >= 0.5 (POC-tier); bidirectional-sensitivity via synthetic regression (< 0.5 → fail) + synthetic identity (1.0 → pass) fixtures.' }
  - { id: FALSIFY-CCPA-017, name: project_scale_parity_bound,  summary: 'Project-scale parity (Phase 4 P4.4): aggregate partial_agreement >= 0.3 AND files_jaccard_corpus >= 0.3 on a multi-file Cargo-workspace task corpus drawn from real GitHub issues (companion-repo M182). Bidirectional-sensitivity via synthetic identity (passes) + synthetic regression (fails) fixtures. PROPOSED at v1.28.0; ACTIVE_RUNTIME pending first operator-dispatched measurement.' }
  - { id: FALSIFY-CCPA-018, name: arena_recovery_rate_bound,   summary: 'Arena recovery-rate (Phase 5 P5.4): aggregate recovery_rate >= 0.5 AND oracle_passed_rate >= 0.3 on a multi-turn live Arena bench (companion-repo M196-M206). Measures AGENT QUALITY (does the agent recover from failed bash/test runs?) distinct from CCPA-016/017 functional-outcome metrics. Bidirectional-sensitivity via synthetic identity (passes) + regression (fails) + give-up-fast (asymmetric: 100% pass but zero recovery FAILS recovery floor — the canonical R3 distinguishing test). PROPOSED at v1.29.0; ACTIVE_RUNTIME pending first operator-dispatched Arena bench.' }

scope: >
  every recorded fixture under <ccpa-repo>/fixtures/, every replay run the
  ccpa-cli produces, AND every CI run on the companion repo. The four
  source-of-truth invariants (FALSIFY-CCPA-009..012) gate every PR from M0
  onward; the eight parity gates (001..008) come online M1..M6. Out of
  scope: live api.anthropic.com calls during CI; teacher-side semantic
  content of assistant messages.

# ─────────────────────────────────────────────────────────────────────────────
# Companion-repo source-of-truth policy
# ─────────────────────────────────────────────────────────────────────────────
# `claude-code-parity-apr` (the companion repo) is canonical for ENFORCEMENT —
# implementation, fixtures, CI, coverage, pmat-comply, and the running binary
# that consumes this contract. The contract TEXT (this YAML) lives in
# aprender/contracts/ per the monorepo single-source-of-truth policy
# (memory: feedback_monorepo_single_source_of_truth.md). The companion repo
# pins this contract by commit hash via contracts/pin.lock, and gates every
# PR against it via FALSIFY-CCPA-012.
#
# This split is intentional: aprender stays the canonical home for contract
# TEXT (the schema lives there, `pv` validates from there), while the
# companion repo is canonical for runtime ENFORCEMENT (its CI is the gate
# users see when they open a PR; its coverage is what users measure; its
# pmat-comply config is what users edit). M1 relocates this YAML into the
# companion repo as the canonical copy and replaces the aprender-side copy
# with a redirect note.

companion_repo:
  url: 'https://github.com/paiml/claude-code-parity-apr'
  branch: main
  branch_protection:
    required_status_checks:
      - 'ci/gate'
    enforce_admins: true
    require_linear_history: true
    allow_force_pushes: false
    allow_deletions: false
  required_invariants:
    - FALSIFY-CCPA-009   # ci_main_branch_green
    - FALSIFY-CCPA-010   # pmat_comply_100pct
    - FALSIFY-CCPA-011   # line_coverage_100pct
    - FALSIFY-CCPA-012   # pv_contract_gate_on_commit
  contract_pin:
    file: 'contracts/pin.lock'
    schema: 'aprender_commit_hash + aprender_contract_path + sha256(yaml)'
    refreshed_by: 'PR-time GitHub Action that fetches aprender@main, recomputes sha256, fails if drift'
  forbidden_tools:
    - cargo-tarpaulin   # CLAUDE.md § "Prohibited Tools" — slow, unreliable
    - 'bash gates re-implementing pv' # CLAUDE.md § "DOGFOOD pv, NEVER bash"

# ─────────────────────────────────────────────────────────────────────────────
# Harness policy (mirrors apr-code-parity-v1.yaml § harness_policy)
# ─────────────────────────────────────────────────────────────────────────────
# Every falsification gate below MUST be enforced via `pv validate` (binary
# from the in-tree `aprender-contracts-cli` crate). Bash/yq/python wrappers
# are explicitly rejected by CLAUDE.md § "Contract Validation: DOGFOOD pv,
# NEVER bash" and by memory feedback_pv_not_bash_for_contracts.md.
#
# If `pv validate` does not yet support a needed assertion shape (e.g. the
# parity-score reduction in FALSIFY-CCPA-008), the fix is to extend
# aprender-contracts/src/schema/ and aprender-contracts/src/eval/ — never to
# bypass with a shell script. Schema-extension ticket: PMAT-CONTRACTS-CCPA-001.
harness_policy:
  dogfood_tool: aprender-contracts-cli
  binary: pv
  forbidden_alternatives: [bash, shell, yq-wrapper, python-script]
  schema_extension_ticket: PMAT-CONTRACTS-CCPA-001
  rationale_ref: 'CLAUDE.md § "Contract Validation: DOGFOOD pv, NEVER bash"'

# ─────────────────────────────────────────────────────────────────────────────
# Roles + binary surfaces
# ─────────────────────────────────────────────────────────────────────────────

roles:
  teacher:
    binary: claude
    label: Anthropic Claude Code (closed-source)
    instrumentation: 'recording HTTPS proxy at $ANTHROPIC_BASE_URL'
    api_target: 'api.anthropic.com (live, recording phase only)'
  student:
    binary: apr
    subcommand: 'apr code'
    label: aprender code agent (open-source, this monorepo)
    instrumentation: 'crates/aprender-orchestrate `LlmDriver` impl swapped to RecordedDriver'
    model_default: 'unsloth/Qwen3-Coder-30B-A3B-Instruct-GGUF Q4_K_M (per apr-claude-proxy-v1)'
  recorder:
    binary: ccpa
    subcommand: 'ccpa record'
    label: 'mitm-style HTTPS proxy that mints fixtures'
  replayer:
    binary: ccpa
    subcommand: 'ccpa replay'
  differ:
    binary: ccpa
    subcommand: 'ccpa diff'

# ─────────────────────────────────────────────────────────────────────────────
# Trace schema (.ccpa-trace.jsonl) — JSONL, one record per line
# ─────────────────────────────────────────────────────────────────────────────
# Consumed by ccpa-trace (serde Rust) and ccpa-differ. Schema below is the
# source-of-truth; Rust types must be `serde(deny_unknown_fields)`. New record
# kinds bump trace_schema_version and require a contract revision.

trace_schema:
  version: 2  # M15 — added HookEvent + SkillInvocation; per-record `v` field still 1 (record-level back-compat layer unused so far)
  format: 'application/x-ndjson'
  filename_pattern: 'fixtures/[0-9]{4}-[a-z0-9-]+.ccpa-trace.jsonl'
  envelope:
    type: object
    required: [v, kind]
    properties:
      v:
        type: integer
        const: 1
        description: 'per-record schema version; trace_schema.version is the file-level surface (now v2)'
      kind:
        type: string
        enum: [session_start, user_prompt, assistant_turn, tool_result, session_end, hook_event, skill_invocation]
  records:
    session_start:
      required: [v, kind, session_id, ts, actor, model, cwd_sha256]
      properties:
        session_id: { type: string, format: uuid, description: 'UUIDv7 — normalized to <SESSION> on diff' }
        ts:         { type: string, format: date-time, description: 'ISO-8601 UTC — normalized to <TS> on diff' }
        actor:      { type: string, enum: [claude-code, apr-code] }
        model:      { type: string, description: 'Model id; teacher and student differ here by design' }
        cwd_sha256: { type: string, pattern: '^[0-9a-f]{64}$', description: 'git tree hash of CWD at session start; teacher==student is asserted' }
    user_prompt:
      required: [v, kind, turn, text]
      properties:
        turn: { type: integer, minimum: 0 }
        text: { type: string }
    assistant_turn:
      required: [v, kind, turn, blocks, stop_reason]
      properties:
        turn:        { type: integer, minimum: 1 }
        blocks:
          type: array
          minItems: 1
          items:
            oneOf:
              - { $ref: '#/definitions/block_text' }
              - { $ref: '#/definitions/block_thinking' }
              - { $ref: '#/definitions/block_tool_use' }
        stop_reason: { type: string, enum: [end_turn, max_tokens, stop_sequence, tool_use] }
    tool_result:
      required: [v, kind, turn, tool_use_id, ok, content]
      properties:
        turn:        { type: integer, minimum: 2 }
        tool_use_id: { type: string, description: 'Normalized to <TOOL-N> on diff' }
        ok:          { type: boolean }
        content:     { type: string, description: 'Tool stdout/stderr concatenation OR structured JSON' }
        side_effects:
          type: object
          additionalProperties: false
          properties:
            files_read:    { type: array, items: { type: string } }
            files_written: { type: array, items: { type: string } }
            exit_code:     { type: integer }
    session_end:
      required: [v, kind, turn, stop_reason]
      properties:
        turn:        { type: integer, minimum: 1 }
        stop_reason: { type: string, enum: [end_turn, max_tokens, stop_sequence, error] }
        elapsed_ms:  { type: integer, minimum: 0 }
        tokens_in:   { type: integer, minimum: 0 }
        tokens_out:  { type: integer, minimum: 0 }
  normalization_rules:
    - 'session_id → <SESSION> for diff purposes'
    - 'ts → <TS> for diff purposes'
    - 'tool_use.id and tool_result.tool_use_id → <TOOL-N> per turn, dense-numbered'
    - 'absolute paths under CWD → ${CWD}-relative'
    - 'all other fields are byte-exact under diff'
  definitions:
    block_text:
      type: object
      required: [type, text]
      additionalProperties: false
      properties:
        type: { const: text }
        text: { type: string }
    block_thinking:
      type: object
      required: [type, thinking]
      additionalProperties: false
      properties:
        type:      { const: thinking }
        thinking:  { type: string }
        signature: { type: string }
    block_tool_use:
      type: object
      required: [type, id, name, input]
      additionalProperties: false
      properties:
        type:  { const: tool_use }
        id:    { type: string }
        name:  { type: string }
        input: { type: object }

# ─────────────────────────────────────────────────────────────────────────────
# Tool-call equivalence rules (consumed by FALSIFY-CCPA-004)
# ─────────────────────────────────────────────────────────────────────────────
# Each tool the teacher emits MUST have an equivalence rule below.
# Adding a new tool to apr code's registry requires a new entry here.

tool_equivalence_rules:
  - tool: Bash
    semantic_input: 'normalize(command) — collapse runs of whitespace, drop trailing semicolons'
    equality: 'string equality after normalize'
  - tool: Read
    semantic_input: '(path_normalized, offset?, limit?)'
    equality: 'tuple equality; offset/limit absent ≡ 0/EOF'
  - tool: Write
    semantic_input: '(path_normalized, content_sha256)'
    equality: 'tuple equality; content compared by sha256, not bytes-in-trace'
  - tool: Edit
    semantic_input: '(path_normalized, post_state_sha256)'
    equality: 'apply edit to the pre-state file, sha256 the result; teacher and student must produce the same post_state_sha256'
    rationale: 'Different patch texts that produce the same file are equivalent. Same-file-after is what users actually care about.'
  - tool: Glob
    semantic_input: 'pattern (verbatim)'
    equality: 'string equality'
  - tool: Grep
    semantic_input: '(pattern, path_normalized, regex_or_literal)'
    equality: 'tuple equality after pattern.trim()'
  - tool: Agent
    semantic_input: '(subagent_type, prompt_sha256)'
    equality: 'tuple equality; subagent_type drawn from the closed Claude Code roster (general-purpose|explore|plan)'
    note: 'agent_id not compared — it''s session-scoped'
  - tool: '*'   # default rule for any tool not enumerated above
    semantic_input: 'JSON canonicalize(input) sha256'
    equality: 'sha256 equality'

# ─────────────────────────────────────────────────────────────────────────────
# File-mutation equivalence (consumed by FALSIFY-CCPA-005)
# ─────────────────────────────────────────────────────────────────────────────

file_mutation_equivalence:
  measured_at: 'session_end'
  algorithm: |
    1. snapshot CWD git tree hash at session_start (cwd_sha256)
    2. snapshot CWD git tree hash at session_end (after_sha256)
    3. compute diff = (after_teacher_sha256, after_student_sha256)
    4. equivalent iff diff is empty OR every differing file passes per_file_rule below
  per_file_rule:
    - filetype: '*.rs'
      rule: 'rustfmt --check on both produces same canonical form'
    - filetype: '*.toml'
      rule: 'taplo fmt --stdin produces same canonical form'
    - filetype: '*.md'
      rule: 'normalize trailing whitespace + final newline; compare'
    - filetype: '*'
      rule: 'byte-exact'
  excluded_paths:
    - 'target/**'
    - '.git/**'
    - '*.lock'    # Cargo.lock churn from teacher tooling does not count

# ─────────────────────────────────────────────────────────────────────────────
# Parity score reduction (consumed by FALSIFY-CCPA-008)
# ─────────────────────────────────────────────────────────────────────────────

parity_score:
  per_fixture: |
    score = (matched_actions / total_teacher_actions)
    matched_actions = sum over teacher.assistant_turn[*].tool_use[*]:
        1 if student emitted an equivalent (tool, semantic_input) at the same turn position
        else 0
    file_mutation_match adds 1 to numerator and denominator
  thresholds:
    aggregate_min: 0.95   # corpus mean; FALSIFY-CCPA-008 fails below this
    individual_min: 0.80  # any single fixture below this also fails the gate
    drift_categories:
      - extraneous_llm_call   # student called LLM at unexpected point
      - missing_tool_call     # teacher called Bash, student didn't
      - mismatched_tool_input # tool name matched, semantic_input didn't
      - mismatched_file_state # file_mutation_equivalence failed
      - extra_tool_call       # student called Bash, teacher didn't
      - turn_order_skew       # right calls, wrong order

# ─────────────────────────────────────────────────────────────────────────────
# Sovereignty constraint (consumed by FALSIFY-CCPA-006)
# ─────────────────────────────────────────────────────────────────────────────

sovereignty:
  forbidden_replay_egress:
    - 'api.anthropic.com'
    - '*.anthropic.com'
  enforcement: 'CI test container drops all outbound except 127.0.0.1; network policy asserted by ccpa-replayer test harness, not by trust'
  rationale: >
    Sovereign-AI is aprender''s core value prop. A replay run that silently
    talks to api.anthropic.com (e.g. via a leaked teacher API key in env) is a
    ship-blocker bug — same posture as apr-claude-proxy-v1 § FALSIFY-CLAUDE-PROXY-006.

# ─────────────────────────────────────────────────────────────────────────────
# Falsification conditions
# ─────────────────────────────────────────────────────────────────────────────
# Each gate maps 1:1 to a Rust test in the planned ccpa-* crates.
# Status legend:
#   PLANNED_M{n}     — defined here, lands when milestone M{n} ships
#   ACTIVE           — green in CI on the planned ccpa-cli repo
# Promotion gate: contract status DRAFT → ACTIVE only when all 8 are ACTIVE.

falsification_conditions:

  - id: FALSIFY-CCPA-001
    name: trace_schema_roundtrip
    status: PLANNED_M1
    assertion: >
      Every committed fixture under fixtures/*.ccpa-trace.jsonl parses cleanly
      against trace_schema, re-serializes byte-identical (modulo lexicographic
      JSON key ordering), and round-trips through ccpa-trace::Trace::{from_jsonl,
      to_jsonl} without loss.
    test_harness: 'ccpa-trace/tests/falsify_ccpa_001_roundtrip.rs (planned)'
    failing_examples:
      - 'unknown record kind'
      - 'session_start with non-uuid session_id'
      - 'cwd_sha256 not 64-hex-chars'
      - 'extra field on assistant_turn (deny_unknown_fields)'

  - id: FALSIFY-CCPA-002
    name: replay_determinism
    status: PLANNED_M3
    assertion: >
      Replaying the same fixture twice with the same `apr code` revision and
      empty $TMPDIR produces byte-identical student traces after applying
      trace_schema.normalization_rules. Determinism is across two
      back-to-back runs in the same container.
    test_harness: 'ccpa-replayer/tests/falsify_ccpa_002_determinism.rs (planned)'
    failing_examples:
      - 'wallclock leaking into a tool argument'
      - 'HashMap iteration order in a tool input'

  - id: FALSIFY-CCPA-003
    name: mock_completeness
    status: PLANNED_M3
    assertion: >
      RecordedDriver consumes exactly len(teacher.assistant_turns) responses;
      no missing turn (panic), no extra turn (assertion). On a well-formed
      fixture, ccpa replay exits 0 with stdout containing
      "consumed all N teacher turns".
    test_harness: 'ccpa-replayer/tests/falsify_ccpa_003_mock.rs (planned)'

  - id: FALSIFY-CCPA-004
    name: tool_call_equivalence
    status: PLANNED_M4
    assertion: >
      Per turn, the multiset of (tool_name, semantic_input) pairs in the
      student trace equals the multiset in the teacher trace under
      tool_equivalence_rules. Inequivalence is reported with a typed
      drift_category (one of parity_score.drift_categories).
    test_harness: 'ccpa-differ/tests/falsify_ccpa_004_tool_equivalence.rs (planned)'

  - id: FALSIFY-CCPA-005
    name: file_mutation_equivalence
    status: PLANNED_M4
    assertion: >
      The git-tree hash of the CWD at session_end satisfies
      file_mutation_equivalence between teacher and student runs of the same
      fixture against the same starting cwd_sha256. Differing files must each
      pass per_file_rule.
    test_harness: 'ccpa-differ/tests/falsify_ccpa_005_file_state.rs (planned)'

  - id: FALSIFY-CCPA-006
    name: sovereignty_on_replay
    status: PLANNED_M5
    assertion: >
      During `ccpa replay`, zero outbound socket connections are opened to
      hosts in sovereignty.forbidden_replay_egress. Asserted by running the
      replay inside a network-namespaced container that drops all egress
      except 127.0.0.1; any outbound connection attempt is logged and fails
      the test.
    test_harness: 'ccpa-replayer/tests/falsify_ccpa_006_sovereignty.rs (planned)'
    parity_with: 'apr-claude-proxy-v1 § FALSIFY-CLAUDE-PROXY-006'

  - id: FALSIFY-CCPA-007
    name: corpus_coverage
    status: HARD_BLOCKING_M16
    assertion: >
      For every row in apr-code-parity-v1.yaml § categories[*] whose status
      is in {SHIPPED, PARTIAL} AND whose id is NOT in the contract-declared
      out-of-scope list {keyboard-shortcuts, status-line}, at least one
      fixture in fixtures/canonical/ exercises that capability (fixture's
      meta.toml declares `covers = [<row.id>, ...]`).
      MISSING rows are exempt; OOS rows are explicitly excluded.
      Reachable = (SHIPPED ∪ PARTIAL) \ OOS.
      As of M16, gate semantics are HARD-BLOCKING: a PR that drops any
      reachable row from coverage fails CI.
    oos_rows:
      - id: keyboard-shortcuts
        reason: |
          REPL keystroke handling (Shift+Tab cycle, Ctrl+C, REPL Phase
          1/2 keys). REPL events never cross the trace boundary. The
          `!` shell-prefix and `@path` file-injection sub-features are
          partially observable via UserPrompt.text but not faithfully
          distinguishable from the literal-text alternative. OOS at
          schema v2.
      - id: status-line
        reason: |
          REPL render artifact (`StatusLine { model, mode, cost_usd,
          branch, cwd_short }`). Pure UI; rendered each frame but
          never crosses a trace boundary. Apr-code's `status_line.rs`
          primitive is unit-tested in-repo; parity at the rendering
          level is a separate concern from action-stream parity. OOS
          at schema v2.
    test_harness: 'crates/ccpa-differ/tests/falsify_ccpa_007_coverage.rs (15 tests inc. 4 OOS-handling tests added M16)'
    cross_check_command: |
      ccpa coverage \
        --apr-code-parity-yaml ../aprender/contracts/apr-code-parity-v1.yaml \
        --fixtures-dir fixtures/canonical/ \
        --oos-rows keyboard-shortcuts,status-line
    expected_exit: 0  # any non-zero exit FAILS the gate
    ci_step: '.github/workflows/ci.yml § "corpus_coverage hard-blocking gate"'

  - id: FALSIFY-CCPA-013
    name: first_recorded_parity_score
    status: ACTIVE_RUNTIME
    assertion: |
      The contract's status field reaches ACTIVE_RUNTIME if and only if
      at least one row of `status_history` contains a `measured_parity:`
      block of shape:
        { date, fixture_corpus_path, fixture_count, aggregate_score: <float>,
          per_fixture: [{id, score, drift_count}],
          teacher_source, student_source }
      where:
        - aggregate_score >= parity_score.thresholds.aggregate_min (0.95)
        - every per_fixture[*].score >= parity_score.thresholds.individual_min (0.80)
        - fixture_corpus_path is EITHER `fixtures/canonical/` (AUTHORED
          canonical-corpus runs, since v1.2.0) OR `evidence/phase-3/captures/`
          (REAL-BINARY bilateral bench, since v1.27.0 / companion-repo M150)
          containing >=5 paired teacher/student records
        - teacher_source documents how teachers were authored or captured
          (e.g. "curated canonical reference; assume Claude Code", or
          "real claude binary 2.1.139 on operator's host")
        - student_source documents how students were generated or captured
          (e.g. "curated", or "ccpa replay vs apr code @<sha>", or
          "real apr 0.32.0 + Qwen2.5-Coder-1.5B-Instruct-Q4_K_M")
    test_harness: |
      companion-repo: `ccpa corpus fixtures/canonical/ --json` produces
      the aggregate_score + per_fixture array. The PR landing the
      `measured_parity` entry into status_history is what flips the
      gate from OPEN -> DISCHARGED.
    rationale: |
      Through M6 the contract reached ACTIVE because every gate had an
      algorithm-level detector. That is necessary but NOT sufficient to
      claim "apr code is identical to Claude Code".

      v1.0.0 over-claimed by labeling 12 algorithm gates as ACTIVE
      without runtime evidence.

      v1.1.0 introduced FALSIFY-CCPA-013 as the runtime-discharge gate
      and required a fixture corpus recorded from a real Claude Code
      HTTPS session via M2.3 proxy.

      v1.2.0 (this revision) drops the proxy/recording requirement.
      Per project policy "we will not call api, we will assume claude
      code", the canonical Claude Code reference is now AUTHORED into
      `fixtures/canonical/<id>/teacher.ccpa-trace.jsonl` rather than
      recorded over a live network. This is honest: parity is defined
      against a CURATED specification of what Claude Code SHOULD do
      for each scenario, not against a snapshot of one specific
      Claude Code build's network behaviour.

      Student traces in `fixtures/canonical/<id>/student.ccpa-trace.jsonl`
      can be either:
        - curated (representing the apr-code-equivalent we declare correct), or
        - generated (recorded from an actual `apr code` run once the
          aprender-orchestrate LlmDriver adapter exists)
      The `student_source` field of measured_parity records which.

      M2.3 (HTTPS proxy) is removed from the spec's path. M3.0
      mock-replayer remains; its real-driver follow-up is now
      independent of FALSIFY-CCPA-013 discharge.
    semantic_change_log:
      - { date: '2026-04-27', version_before: '1.0.0', version_after: '1.1.0',
          change: 'Added FALSIFY-CCPA-013. Refined status enum: ACTIVE_ALGORITHM_LEVEL ⊂ ACTIVE_RUNTIME. v1.0.0 over-claimed by labeling the 12-gate state as ACTIVE without clarifying that runtime parity was unmeasured.' }
      - { date: '2026-04-27', version_before: '1.1.0', version_after: '1.2.0',
          change: 'Dropped HTTPS-proxy / live-Claude-Code-recording requirement from FALSIFY-CCPA-013 discharge path per project policy "we will not call api, we will assume claude code". Canonical reference is now AUTHORED in fixtures/canonical/. Per-fixture student traces can be curated or generated. M2.3 proxy removed from spec.' }
      - { date: '2026-05-14', version_before: '1.26.0', version_after: '1.27.0',
          change: 'Flipped CCPA-013 status from OPEN → ACTIVE_RUNTIME. The assertion has been satisfied since v1.1.0 (3 measured_parity blocks dating 2026-04-27 against fixtures/canonical/), but the gate-level status field was never flipped — stale prose corrected. Also extended fixture_corpus_path constraint to accept evidence/phase-3/captures/ in addition to fixtures/canonical/, recognizing M150 real-binary bilateral bench (claude 2.1.139 + apr 0.32.0 + Qwen2.5-Coder-1.5B-Instruct-Q4_K_M; agreement = 1.0000 on MultiPL-E-Rust HumanEval/0..4) as the strongest empirical discharge anchor. New 4th measured_parity block added below this change-log entry recording the M150 evidence.' }

    measured_parity:
      date: '2026-05-12'
      fixture_corpus_path: 'evidence/phase-3/captures/'
      fixture_count: 5
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      per_fixture:
        - { id: 'HumanEval_0_has_close_elements',      score: 1.0, drift_count: 0, passes_individual: true }
        - { id: 'HumanEval_1_separate_paren_groups',   score: 1.0, drift_count: 0, passes_individual: true }
        - { id: 'HumanEval_2_truncate_number',         score: 1.0, drift_count: 0, passes_individual: true }
        - { id: 'HumanEval_3_below_zero',              score: 1.0, drift_count: 0, passes_individual: true }
        - { id: 'HumanEval_4_mean_absolute_deviation', score: 1.0, drift_count: 0, passes_individual: true }
      teacher_source: |
        REAL claude binary 2.1.139 invoked on operator's noah-Lambda-Vector
        host via /home/noah/.local/bin/claude. Per-fixture invocation:
        `claude -p "<prompt from fixtures/multipl-e-rust/<id>/prompt.txt>"`.
        Generated Rust written to evidence/phase-3/captures/<id>/teacher.src.rs
        as audit-trail evidence. cargo test against fixture's reference
        Cargo.toml = PASS for all 5.
      student_source: |
        REAL apr-cli 0.32.0 invoked on the same host with
        --model qwen2.5-coder-1.5b-instruct-q4_k_m.gguf --max-turns 1.
        Per-fixture invocation: `apr code -p "<same prompt>"`. Generated
        Rust written to evidence/phase-3/captures/<id>/student.src.rs;
        cargo test = PASS for all 5. Companion-repo evidence:
        evidence/phase-3/multipl-e-rust-scores.json.
      capture_milestone: M150
      capture_pr: 'companion-repo #136 squash 47bed37'
      orthogonal_metrics:
        structural_similarity_lines_jaccard: 0.5201  # M153
        test_survival_rate_cross_swap: 1.0000        # M154 (10/10 cross-swaps pass)
      note: |
        Strongest empirical CCPA-013 discharge anchor. Unlike the
        2026-04-27 measured_parity blocks (AUTHORED canonical-corpus,
        teacher_source = "Curated canonical reference; AUTHORED, not
        recorded"), this block records REAL bilateral capture of an
        operator-installed claude binary AND an operator-installed apr
        code binary on a public benchmark (MultiPL-E-Rust, Cassano et
        al. 2022 / arXiv:2208.08227). The M2.3 rescope walked away
        from real-teacher recording; M150 walked back to it via outcome
        parity (claude generates code → apr code generates code → both
        pass the same test oracle). Honest caveats live in
        companion-repo docs/specifications/outcome-parity-results.md
        § "What this does NOT prove" — 5-problem POC saturates at 1.0;
        full 164-problem MultiPL-E-Rust expansion (M167+ future-work)
        will produce a more honest pass@1 curve.

  - id: FALSIFY-CCPA-014
    name: os_event_parity_bound
    status: ACTIVE_RUNTIME
    assertion: |
      OS-level event parity (axis-2-closure-plan idea (2): CLI
      subprocess instrumentation). For every paired fixture in
      `fixtures/os-canonical/`:
        ccpa_differ::os_event_parity(teacher, student).score() >= 0.95
      where the score is a macro-averaged Jaccard over four sets:
        - file_open paths
        - file_write fd projections
        - file_unlink paths
        - exec paths

      Bidirectional sensitivity: every paired fixture in
      `fixtures/os-regression/` MUST score `< 0.95` AND emit
      non-empty drift records. A regression fixture that scores
      `>= 0.95` is a meter false-negative and ship-blocking.

      Trace schema: each fixture file is JSONL where each line is
      a `ccpa_subproc::OsEvent` JSON object:
        { "pid": <u32>, "kind": <OsEventKind>, "seq": <u64> }
      `OsEventKind` is a tagged enum with variants:
        { "kind": "file_open", "path": "...", "flags": "..." }
        { "kind": "file_write", "fd": "...", "bytes": <u64> }
        { "kind": "file_unlink", "path": "..." }
        { "kind": "exec", "path": "..." }
    test_harness: |
      `cargo test -p ccpa-differ --test falsify_ccpa_014_os_event_parity`
      runs 3 functions:
        - canonical_corpus_meets_os_parity_threshold  (every fixture >= 0.95)
        - regression_corpus_below_os_parity_threshold (every fixture < 0.95 + non-empty drifts)
        - identical_traces_score_perfect              (self-compare == 1.0)
      All three GREEN on the M139 corpus (3 canonical + 1 regression fixtures).

      Capture path: `ccpa-trace-subproc <cmd> [args...]` (binary in
      crates/ccpa-subproc/, M136) wraps a subprocess under
      `strace -f -e trace=open,openat,write,unlink,unlinkat,execve,execveat`
      and emits OS-event JSONL to stdout. The differ
      (`ccpa_differ::os_event_parity`, M137) consumes those records.
    rationale: |
      Axis 2 (real differential test against actual Claude Code) was
      stuck at ~30% since M2.3 rescope. The completeness-assessment
      identified 5 closure paths; idea (2) — CLI subprocess
      instrumentation under `strace` — is the cheapest path to
      real-input-system-under-test evidence (no Anthropic API
      budget needed, no upstream `LlmDriver-public` dependency).

      The OS-level differ works at a coarser granularity than the
      API-level differ because libc / kernel / runtime layers emit
      different ancillary syscalls in different orders between
      systems. Multiset Jaccard sidesteps order-sensitivity while
      preserving "did both systems touch roughly the same set of
      files / spawn the same set of programs?" semantics.

      The 0.95 threshold mirrors FALSIFY-CCPA-008's `0.80`
      per-fixture floor plus a 0.15 margin: OS-level Jaccard is
      set-based and intolerant to single-path divergence, so the
      threshold can be tighter than the API-level position-aligned
      score.

      DRAFT → ACTIVE_RUNTIME at v1.25.0 (this revision) once the
      M139 corpus + gate test land.
    semantic_change_log:
      - { date: '2026-05-11', version_before: '1.24.0', version_after: '1.25.0',
          change: 'Added FALSIFY-CCPA-014 to gate registry. Companion-repo M139 ships the corpus + runtime gate; this revision (M140 / M115.5) flips the contract to recognize CCPA-014 as ACTIVE_RUNTIME from authoring.' }

  - id: FALSIFY-CCPA-015
    name: ccpa_trace_subproc_output_purity
    status: ACTIVE_RUNTIME
    assertion: |
      The `ccpa-trace-subproc` capture binary (crates/ccpa-subproc/, M136)
      MUST emit OsEvent JSONL to its stdout WITHOUT contamination by the
      wrapped subprocess's own stdout. Every line read from
      `ccpa-trace-subproc <cmd> [args...]` stdout MUST decode as a valid
      `ccpa_subproc::OsEvent` JSON object:
        { "pid": <u32>, "kind": <OsEventKind>, "seq": <u64> }

      Implementation requirement: the spawned subprocess's stdout MUST
      be redirected to `Stdio::null()`. Using `Stdio::inherit()` (the
      pre-M147 bug) causes the wrapped subprocess's prose output to
      interleave with the capture stream — every text line that isn't
      valid OsEvent JSON corrupts the trace.
    test_harness: |
      `cargo test -p ccpa-subproc --test falsify_ccpa_015_output_purity`
      spawns `ccpa-trace-subproc /bin/echo CHATTY_TEXT` and asserts that
      every line of stdout decodes as `OsEvent`. The test verifies
      bidirectional sensitivity: pre-M147 (with Stdio::inherit()) FAILS
      because "CHATTY_TEXT" leaks into stdout; post-M147 (with
      Stdio::null()) PASSES because only OsEvent records reach stdout.

      36 tests green on the current ccpa-subproc workspace: 32 unit
      tests + 3 binary smoke tests + 1 falsify_ccpa_015 test.
    rationale: |
      Phase 2 first-real-capture (M147) surfaced a class of "capture
      stream contamination" bugs: the wrapped subprocess's prose output
      can leak through the same file descriptor used for the JSONL
      capture stream, producing a `teacher.ccpa-os-trace.jsonl` file
      that mixes claude's natural-language response with the
      OsEvent records the differ expects.

      The output-purity invariant is a precondition for any meaningful
      OS-level parity analysis: if the trace is corrupted, every
      downstream differ produces noise.

      Provable-contract design (operator directive "use provable-
      contract based design"): the falsifying test was authored BEFORE
      the fix, asserted to FAIL on the buggy `Stdio::inherit()` code,
      then PASS on the fixed `Stdio::null()` code. The lint encoded by
      this gate is now permanent.

      PROPOSED at v1.25.0 (M147); promoted ACTIVE_RUNTIME at v1.26.0
      (this revision) once Phase 3 work confirmed the invariant holds
      across both teacher (claude) and student (apr code) captures on
      the operator's host.
    semantic_change_log:
      - { date: '2026-05-13', version_before: '1.25.0', version_after: '1.26.0',
          change: 'Added FALSIFY-CCPA-015 to gate registry. Companion-repo M147 ships the runtime test asserting Stdio::null() output purity for ccpa-trace-subproc; this revision flips the contract to recognize CCPA-015 as ACTIVE_RUNTIME from authoring.' }

  - id: FALSIFY-CCPA-016
    name: outcome_parity_bound
    status: ACTIVE_RUNTIME
    assertion: |
      Outcome parity (Phase 3 P3.4). On a MultiPL-E-Rust-class corpus of
      function-level code-generation tasks where both teacher (claude)
      and student (apr code) are asked to produce Rust code:
        aggregate `agreement` on the corpus MUST be >= 0.5

      Where `agreement` is fraction-of-prompts-where-both-systems-pass:
        agreement = (both_passed + both_failed) / corpus_size

      Plus consistency invariants:
        - `corpus_size >= 3` (minimum sample size for statistical meaning)
        - `corpus_size == per_fixture.len()` (record-count match)
        - `teacher_pass_rate >= 0.5` (validity: teacher must do better
          than chance on the corpus for agreement to be informative)
        - `both_passed + both_failed <= corpus_size` (count consistency)

      Bidirectional sensitivity (mandatory):
        - A synthetic regression fixture with `agreement: 0.4` MUST fail
          the threshold check (catches false-negative meter bugs).
        - A synthetic identity fixture with `agreement: 1.0` MUST pass
          (catches false-positive meter bugs).

      Source of truth: `evidence/phase-3/multipl-e-rust-scores.json`
      produced by `scripts/phase-3-bench.sh` on the companion repo.
    test_harness: |
      `cargo test -p ccpa-differ --test falsify_ccpa_016_outcome_parity`
      runs 4 assertions:
        - live_evidence_meets_outcome_parity_threshold
        - live_evidence_per_fixture_exit_codes_consistent_with_aggregate
        - synthetic_regression_below_outcome_parity_threshold
        - synthetic_identity_passes_outcome_parity_threshold

      All four GREEN on the companion-repo M150 bench output:
      agreement = 1.0000 over 5 fixtures (HumanEval/0..4, Cassano et
      al. 2022 / arXiv:2208.08227).
    rationale: |
      The M149 operator reframe ("so we can ask apr code to generate
      same code as claude code and 'it works'") elevated outcome parity
      to the primary user-facing parity test, alongside the pre-existing
      procedural-parity track (CCPA-014). Outcome parity asks "does the
      generated code work?"; procedural parity asks "do both systems
      make the same syscalls?" — these can disagree (different runtimes
      produce different syscall sets even when generating equivalent
      code) and CCPA-016 was designed to capture the user-facing claim
      independently of CCPA-014.

      The 0.5 threshold is POC-tier per the outcome-parity-plan.md
      § P3.4 design note ("probably 0.5 initially — both systems pass
      on half the corpus is a reasonable bar for a POC"). Expanding the
      corpus from the 5-fixture M150 POC to the full 164-problem
      MultiPL-E-Rust (M164+) will justify raising the threshold to ~0.8.

      M150 (PR #136 squash 47bed37) produced the empirical evidence:
      teacher_pass_rate = 1.0000 (5/5), student_pass_rate = 1.0000 (5/5),
      agreement = 1.0000, both_passed = 5, both_failed = 0. This was a
      REAL bilateral bench using claude 2.1.139 + apr 0.32.0 on the
      operator's noah-Lambda-Vector host with Qwen2.5-Coder-1.5B as the
      apr-code backing model. Companion-repo M153 added the
      orthogonal structural-similarity metric (line-set Jaccard =
      0.5201; the systems generate functionally-equivalent but
      stylistically-divergent Rust). Companion-repo M154 added the
      test-survival metric (10/10 cross-swaps pass; the structural
      divergence is purely stylistic, not semantic).

      PROPOSED at v1.25.0 (M152); promoted ACTIVE_RUNTIME at v1.26.0
      (this revision) once M157's consolidated outcome-parity-results
      doc shipped and M162 (aprender#1638 MERGED) confirmed the upstream
      LlmDriver-adapter discharge.
    semantic_change_log:
      - { date: '2026-05-13', version_before: '1.25.0', version_after: '1.26.0',
          change: 'Added FALSIFY-CCPA-016 to gate registry. Companion-repo M152 ships the gate test against live evidence/phase-3/multipl-e-rust-scores.json; M150 produced the bilateral bench empirical evidence; this revision flips the contract to recognize CCPA-016 as ACTIVE_RUNTIME from authoring.' }

  - id: FALSIFY-CCPA-017
    name: project_scale_parity_bound
    status: PROPOSED
    assertion: |
      Project-scale parity (Phase 4 P4.4). On a multi-file Cargo-workspace
      task corpus where each task is drawn from a real open GitHub issue
      (companion-repo M182: fixtures/project-scale/ initially 5 fixtures
      across paiml/decy + paiml/bashrs + paiml/depyler), both teacher
      (claude) and student (apr code) are dispatched in a clone of the
      pinned pre_fix_commit SHA + given the issue body as their prompt
      + their final repo state is scored against the per-fixture
      completion oracle_cmd. The aggregate project-scale parity report
      MUST satisfy BOTH:
        - aggregate `partial_agreement` >= 0.3
        - aggregate `files_jaccard_corpus` >= 0.3

      Where derived metrics are:
        partial_agreement     = mean over fixtures of
                                 min(teacher.oracle_pass, student.oracle_pass)
        files_jaccard_corpus  = mean over fixtures of
                                 |teacher.files_touched ∩ student.files_touched|
                                 / |teacher.files_touched ∪ student.files_touched|

      Plus consistency invariants:
        - `corpus_size >= 3` (minimum sample size for statistical meaning)
        - `corpus_size == per_fixture.len()` (record-count match)

      Bidirectional sensitivity (mandatory):
        - A synthetic regression fixture (one side passes, other fails,
          disjoint files-touched lists) MUST fail BOTH thresholds.
        - A synthetic identity fixture (both sides pass on same files
          with identical files_touched_jaccard = 1.0) MUST pass.
        - An empty-corpus report MUST fail (prevents "no-data" from
          being claimed as success).

      Source of truth: `evidence/phase-4/project-scale-scores.json`
      produced by `scripts/phase-4-bench.sh` on the companion repo.
    test_harness: |
      `cargo test -p ccpa-differ --test falsify_ccpa_017_project_scale_parity`
      runs 7 active assertions + 1 `#[ignore]`'d live-evidence assertion:
        - synthetic_identity_corpus_passes_gate
        - synthetic_regression_corpus_fails_gate
        - empty_corpus_vacuously_fails_threshold
        - exactly_at_threshold_passes (verifies >= not >)
        - just_below_partial_threshold_fails (single-gate sensitivity)
        - just_below_files_threshold_fails  (single-gate sensitivity)
        - threshold_constants_match_plan (sentinel)
        - live_evidence_meets_project_scale_threshold (#[ignore]'d
          until operator dispatches `bash scripts/phase-4-bench.sh`)

      All 7 active GREEN on the companion-repo M188 scaffold (synthetic
      fixtures constructed in-test, no on-disk corpus dependency).
    rationale: |
      The M180 Phase 4 plan operationalizes the M159 ProgramBench
      prior-art (arXiv:2605.03546) into companion-tier project-scale
      parity testing. ProgramBench reports 0%/200 fully-resolved across
      Claude Opus/Sonnet/Haiku + GPT + Gemini at the project-scale
      layer; this evidence validates the M159 caveat "function-level
      1.0 does not extrapolate to project-scale" and establishes the
      Phase 4 SIGNAL regime: the user-facing parity question is
      "do both systems make matching partial progress?" not "do both
      systems fully succeed?".

      The DUAL-threshold design (partial_agreement >= 0.3 AND
      files_jaccard_corpus >= 0.3) is intentional: project-scale parity
      has two orthogonal signal channels — pass-rate agreement AND
      files-touched overlap. A system could match pass rate without
      touching the same files (different solutions to same problem);
      or touch the same files without matching pass rate (one fixes
      the bug, the other breaks more). Both channels must show
      agreement for "project-scale parity" to mean anything.

      Threshold values (0.3/0.3) are tentative POC-tier floors. They
      WILL be recalibrated after first operator-dispatched measurement
      against the M182 corpus. A 0.5/0.5 threshold à la CCPA-016 would
      assume saturation that ProgramBench evidence shows doesn't exist
      at project-scale; 0.3 is "at least 30% of fixtures see matching
      progress" — a plausible POC-tier floor that the M182 corpus
      might actually meet.

      Status PROPOSED (not ACTIVE_RUNTIME) because no
      operator-dispatched measurement has produced
      evidence/phase-4/project-scale-scores.json yet. The
      live-evidence test is `#[ignore]`'d until that file exists.
      Once the operator runs `bash scripts/phase-4-bench.sh` and the
      gate passes against real data, a v1.29.0 bump will flip
      PROPOSED → ACTIVE_RUNTIME.

      Companion-repo Phase 4 sequence (M180-M188):
        M180 (PR #167 squash c7107b9) — phase-4-project-scale-plan.md
          authored; P4.1-P4.5 sub-deliverables defined.
        M182 (PR #169 squash b36ceb6) — P4.1 corpus: 5 fixtures from
          paiml/decy#40 + paiml/decy#39 + paiml/bashrs#209 +
          paiml/depyler#223 + paiml/depyler#224. Operator directive
          "why not use ../decy ../bashrs and ../depy corpus" steered
          authoring toward real GitHub issues over synthetic stretch
          goals.
        M184 (PR #171 squash 0f8c451) — P4.2 runner: phase-4-bench.sh
          (288 lines bash); clones at pre_fix_commit SHA + dispatches
          + snapshots + runs oracle + emits per-fixture and aggregate
          JSON with files_touched_jaccard via jq set-arithmetic.
        M186 (PR #173 squash c115966) — P4.3 scoring: project_scale_diff.rs
          (~310 lines Rust) consumes runner JSON + adds 5 derived
          metrics + passes_threshold predicate; 14 unit tests GREEN.
        M188 (PR #175 squash a574655) — P4.4 gate test:
          falsify_ccpa_017_project_scale_parity.rs (~260 lines); 7
          synthetic-fixture tests verify bidirectional sensitivity
          before any real measurement exists.
    semantic_change_log:
      - { date: '2026-05-15', version_before: '1.27.0', version_after: '1.28.0',
          change: "Added FALSIFY-CCPA-017 to gate registry at status: PROPOSED. Companion-repo M188 ships the gate test scaffold (7 synthetic-fixture tests + 1 #[ignore]'d live-evidence test); thresholds (partial_agreement >= 0.3 AND files_jaccard_corpus >= 0.3) are tentative POC-tier floors awaiting first operator-dispatched measurement to calibrate. Phase 4 P4.5 contract bump." }

  - id: FALSIFY-CCPA-018
    name: arena_recovery_rate_bound
    status: PROPOSED
    assertion: |
      Arena recovery-rate (Phase 5 P5.4). On a multi-turn live Arena
      bench against the M182 project-scale corpus (companion-repo
      fixtures/project-scale/) where each task is driven through an
      ArenaSession with up to max_turns=20 multi-turn dialog turns and
      bash/test execution feedback per turn, the aggregate Arena scores
      MUST satisfy BOTH:
        - aggregate `recovery_rate` >= 0.5
        - aggregate `oracle_passed_rate` >= 0.3

      Where derived metrics are:
        recovery_rate = (teacher_recovered + student_recovered) /
                        (corpus_size * 2)
        oracle_passed_rate = (teacher_passed + student_passed) /
                             (corpus_size * 2)
        recovery_observed = OraclePassed AND any_bash_failure_in_history
                            (per side per fixture)

      Plus consistency invariants:
        - `corpus_size >= 3` (minimum sample size for statistical meaning)
        - `corpus_size == per_fixture.len()` (record-count match)

      Bidirectional sensitivity (mandatory):
        - A synthetic identity fixture (all pass + all recovered) MUST
          pass.
        - A synthetic regression fixture (no pass, no recovery) MUST fail.
        - A synthetic give-up-fast fixture (100% pass BUT zero recovery)
          MUST fail on the recovery floor — this is the canonical R3
          distinguishing test: a system that solves easy tasks zero-shot
          but never recovers from a hard task's first failure is NOT
          accepted by CCPA-018.
        - An empty-corpus report MUST fail (prevents "no-data" from
          being claimed as success).

      Source of truth: `evidence/phase-5/arena-scores.json` produced
      by `scripts/phase-5-arena-bench.sh` on the companion repo.

      CCPA-018 measures AGENT QUALITY (does the agent recover?),
      distinct from CCPA-016/017 which measure FUNCTIONAL OUTCOME
      (does the code work?). Direct empirical answer to
      design-audit.md §6 R3 "self-correction over zero-shot
      determinism".
    test_harness: |
      `cargo test -p ccpa-arena --test falsify_ccpa_018_arena_recovery_rate`
      runs 7 active assertions + 1 `#[ignore]`'d live-evidence assertion:
        - synthetic_identity_corpus_passes_gate
        - synthetic_regression_corpus_fails_gate
        - synthetic_give_up_fast_fails_on_recovery_floor (THE canonical
          R3 distinguishing test)
        - empty_corpus_vacuously_fails_threshold
        - exactly_at_thresholds_passes (verifies >= not >)
        - just_below_recovery_threshold_fails (single-gate sensitivity)
        - threshold_constants_match_plan (sentinel)
        - live_evidence_meets_arena_recovery_threshold (#[ignore]'d
          until operator dispatches `bash scripts/phase-5-arena-bench.sh`)

      Plus the falsifier-of-falsifier comparator at
      `cargo test -p ccpa-arena --test falsify_static_vs_arena`
      (companion-repo M206 P5.5): 4 active synthetic tests + 1
      `#[ignore]`'d live-evidence test that loads BOTH evidence files
      (CCPA-016 + CCPA-018) and emits a `FalsifierVerdict` per
      design-audit.md §5's Popperian test.

      All 7 + 4 active GREEN on the companion-repo M206 scaffold
      (synthetic fixtures constructed in-test, no on-disk corpus
      dependency).
    rationale: |
      The M192 design audit (operator-authored, integrated into
      companion spec at companion-repo M192) identified three tactical
      recommendations for faster project-scale convergence:
      (R1) soft-deprecate FALSIFY-CCPA-014; (R2) pivot to a live Arena
      runner; (R3) prioritize error recovery over zero-shot determinism.
      CCPA-018 operationalizes R3 explicitly: the recovery_rate metric
      counts fixtures where the agent's earlier turn produced a
      non-zero bash exit BUT the session continued and the oracle
      eventually passed — the canonical "self-correction" signal.

      The DUAL-threshold design (recovery_rate >= 0.5 AND
      oracle_passed_rate >= 0.3) is intentional: recovery_rate alone
      passes a "always fail with retry-on-error" agent (degenerate);
      oracle_passed_rate alone passes a "always succeed zero-shot"
      agent (fails the R3 framing). Both together require: agent makes
      progress (oracle passes) AND agent recovers (oracle passes AFTER
      bash failure). The asymmetric give-up-fast synthetic fixture
      distinguishes CCPA-018 from CCPA-017: a system passing CCPA-017
      (functional outcome) but failing CCPA-018 (zero recovery) is
      empirically detected by the dual-floor predicate.

      Threshold values (0.5/0.3) are tentative POC-tier floors. They
      WILL be recalibrated after first operator-dispatched Arena bench
      against the M182 5-fixture corpus.

      Status PROPOSED (not ACTIVE_RUNTIME) because no operator-dispatched
      Arena bench has produced evidence/phase-5/arena-scores.json yet.
      The live-evidence test is `#[ignore]`'d until that file exists.
      Once the operator runs `bash scripts/phase-5-arena-bench.sh` and
      the gate passes against real data, a v1.30.0 bump will flip
      PROPOSED → ACTIVE_RUNTIME.

      Companion-repo Phase 5 sequence (M180-M206):
        M180 (PR #167 squash c7107b9) — phase-5-arena-runner-plan.md
          authored. P5.1-P5.5 sub-deliverables defined. Operationalizes
          design-audit.md R2 + R3.
        M192 (PR #179 squash d9ae48a) — design-audit.md integrated.
        M196 (PR #183 squash 6a7fe39) — P5.1 Arena harness scaffolding
          (crates/ccpa-arena/, 4 modules, 19 tests).
        M200 (PR #187 squash 75ef8e6) — P5.2 multi-turn loop body
          (crates/ccpa-arena/src/dispatch.rs with Bash/Read/Write/Edit
          dispatch + run_oracle + render_history + 29 new tests).
        M202 (PR #189 squash e381d05) — P5.3 Arena bench runner
          (SubprocessDriver + bin/ccpa-arena-bench clap CLI +
          scripts/phase-5-arena-bench.sh wrapper).
        M204 (PR #191 squash aa58ed6) — P5.4 CCPA-018 gate test
          scaffold (~230 LOC, 7 active synthetic tests + 1 ignored
          live-evidence). Tentative thresholds 0.5/0.3.
        M206 (PR #193 squash b95be66) — P5.5 falsifier-of-falsifier
          (crates/ccpa-arena/src/falsifier.rs comparator +
          evidence/phase-5/static-fixture-falsification.md template).
          Phase 5 arc COMPLETE at substantive level.
    semantic_change_log:
      - { date: '2026-05-15', version_before: '1.28.0', version_after: '1.29.0',
          change: "Added FALSIFY-CCPA-018 to gate registry at status: PROPOSED. Companion-repo M204 ships the gate test scaffold (7 synthetic-fixture tests + 1 #[ignore]'d live-evidence test); thresholds (recovery_rate >= 0.5 AND oracle_passed_rate >= 0.3) are tentative POC-tier floors awaiting first operator-dispatched Arena bench to calibrate. Phase 5 P5.5+ contract bump (P5.5 falsifier-of-falsifier shipped at M206)." }

  - id: FALSIFY-CCPA-008
    name: parity_score_bound
    status: PLANNED_M6
    assertion: >
      Aggregate parity_score over fixtures/ ≥ parity_score.thresholds.aggregate_min
      AND every individual fixture ≥ parity_score.thresholds.individual_min.
      Failure is a ship-blocker for the next `apr code` release.
    test_harness: 'ccpa-cli/tests/falsify_ccpa_008_parity_bound.rs (planned)'
    drift_report_format: |
      ccpa diff fixtures/ --json
        → { "aggregate": 0.97, "fixtures": [{ "id":"0001-...", "score":0.95, "drifts":[...]}, ...] }

  # ── Source-of-truth invariants (online from M0+, before any parity work) ──

  - id: FALSIFY-CCPA-009
    name: ci_main_branch_green
    status: PLANNED_M0
    assertion: >
      Branch protection on companion_repo.branch (`main`) requires the
      `ci/gate` GitHub-Actions status check before merge. Direct pushes to
      main are blocked. Force-push and branch-deletion are disabled.
    test_harness: 'companion-repo: scripts/falsify_ccpa_009_branch_protection.sh, executed in CI via gh api; mirrors aprender CLAUDE.md § "CRITICAL GIT WORKFLOW RULES"'
    cross_check_command: |
      gh api repos/paiml/claude-code-parity-apr/branches/main/protection \
        --jq '.required_status_checks.contexts | index("ci/gate") != null'
    expected_output: 'true'
    rationale: 'PR cannot ship if CI is red — applies the same protection aprender@main has.'

  - id: FALSIFY-CCPA-010
    name: pmat_comply_100pct
    status: PLANNED_M0
    assertion: >
      `pmat comply check --format json` reports `is_compliant: true` AND
      zero `status: Fail` entries on every CI run. Failures are
      ship-blockers; `Warn`-status entries are tracked but advisory.
      No `--allow` flags, no per-rule excludes. If pmat comply *fails*
      on a pattern aprender uses, fix companion-repo code to comply,
      not the gate.
    test_harness: |
      companion-repo: ci.yml step
        `pmat comply check --format json > comply.json &&
         jq -e '.is_compliant == true and ([.checks[] | select(.status == "Fail")] | length == 0)' comply.json`
    expected_output: 'jq exit 0'
    rationale: |
      `pmat comply check --strict` (which exits 2 on ANY Warn) was the
      original framing in v0.2.0. After empirical validation in
      paiml/claude-code-parity-apr#1 CI, several `Warn`-status checks
      were found to be informational rather than actionable (e.g.
      CB-301 "Reproducibility: Bronze - Lockfile present" is a STATUS,
      not a defect; CB-141 missing dhat/jemalloc is unjustified for a
      tiny library crate). v0.3.0 of this contract refines the gate to
      `is_compliant=true ∧ Fail count = 0` — matching how teams
      operationally use pmat comply (failures gate, warnings inform).
    semantic_change_log:
      - { date: '2026-04-27', version_before: '0.2.0', version_after: '0.3.0',
          change: 'Drop --strict requirement; gate on is_compliant=true + Fail count = 0' }

  - id: FALSIFY-CCPA-011
    name: line_coverage_100pct   # legacy name; threshold refined in v0.4.0
    status: PLANNED_M0
    assertion: >
      `cargo llvm-cov --workspace --fail-under-functions 100
      --fail-under-lines 99` exits 0 on every CI run. Function coverage
      MUST equal 100.0 %. Line coverage MUST be ≥ 99.0 % AND every
      uncovered line is traceable to a generic-monomorphization
      reporting artifact (no business logic uncovered). Branch coverage
      tracked but not gated until M6.
    test_harness: |
      companion-repo: ci.yml step
        `cargo llvm-cov --workspace --all-features
                        --fail-under-functions 100
                        --fail-under-lines 99`
    expected_output: 'cargo exit 0'
    forbidden_tools: ['cargo-tarpaulin']  # per CLAUDE.md § "Prohibited Tools"
    rationale: |
      v0.3.0 framing was "100 % line coverage". After M2.2 ship-test on
      paiml/claude-code-parity-apr#4, llvm-cov reported 1 line
      "missed" in a generic `RecorderSession<W: Write>` even though
      every line had ≥1 segment hit across all monomorphizations
      (verified via segment-walk in JSON output). This is a known
      llvm-cov reporting artifact for generics on stable Rust — fixable
      only by abandoning generics or using nightly `#[coverage(off)]`,
      neither of which justifies the contortion.

      v0.4.0 refines:
        - 100 % function coverage (every fn is hit)
        - ≥ 99 % line coverage (allows 1-line monomorphization gap)
        - cross-validation that every "missed" line has hits in
          another monomorphization (spec § FALSIFY-CCPA-011 cross-check)

      Aligns with how `is_compliant=true ∧ Fail count = 0` replaced
      `--strict` in v0.3.0 — gate the load-bearing semantics, not the
      tool's noisier flags.
    semantic_change_log:
      - { date: '2026-04-27', version_before: '0.3.0', version_after: '0.4.0',
          change: 'Drop --fail-under-lines 100 + --fail-uncovered-lines 0 in favor of --fail-under-functions 100 + --fail-under-lines 99 + segment cross-validation for the 1-line gap' }

  - id: FALSIFY-CCPA-012
    name: pv_contract_gate_on_commit
    status: PLANNED_M0
    assertion: >
      `pv validate contracts/claude-code-parity-apr-v1.yaml` exits 0 on
      every commit. Enforcement is double-rooted: a pre-commit hook blocks
      the commit locally, and the CI job re-runs the same command. Stale
      pin.lock (mismatched sha256 vs aprender@main) MUST also fail this
      gate, via an additional CI step `pv pin-check`.
    test_harness: 'companion-repo: pre-commit hook + ci.yml step `pv validate contracts/claude-code-parity-apr-v1.yaml && pv pin-check contracts/pin.lock`'
    expected_output: 'pv exit 0'
    forbidden_alternatives: ['bash', 'shell', 'yq-wrapper', 'python-script']  # per CLAUDE.md
    rationale: 'Every gate in this contract is only as trustworthy as the gate that validates the contract itself. Doubly enforced (hook + CI) so a missed hook install does not bypass.'

# ─────────────────────────────────────────────────────────────────────────────
# Phase / milestone roll-up (mirrors spec § Phases)
# ─────────────────────────────────────────────────────────────────────────────

milestones:
  M0:
    name: 'Spec + DRAFT contract + companion-repo source-of-truth invariants'
    deliverable: 'this PR (aprender side) + empty companion-repo scaffold PR (claude-code-parity-apr side, follow-up)'
    gates_online: [FALSIFY-CCPA-009, FALSIFY-CCPA-010, FALSIFY-CCPA-011, FALSIFY-CCPA-012]
    status: IN_REVIEW
    note: 'Invariants 009-012 must be GREEN on the empty-scaffold PR before any parity work begins. 100% coverage / 100% pmat-comply on an empty workspace is trivially achievable; the discipline is established before scope grows.'
  M1:
    name: 'Trace crate + schema roundtrip + relocate spec/contract to companion repo'
    deliverable: 'crates/ccpa-trace, fixtures/ scaffold, this YAML moves to companion repo'
    gates_online: [FALSIFY-CCPA-001, FALSIFY-CCPA-009, FALSIFY-CCPA-010, FALSIFY-CCPA-011, FALSIFY-CCPA-012]
    status: PLANNED
  M2:
    name: 'Recorder + first 3 fixtures'
    deliverable: 'crates/ccpa-recorder, ccpa record, fixtures/0001..0003'
    gates_online: [FALSIFY-CCPA-001, FALSIFY-CCPA-009, FALSIFY-CCPA-010, FALSIFY-CCPA-011, FALSIFY-CCPA-012]
    status: PLANNED
  M3:
    name: 'Replayer + determinism'
    deliverable: 'crates/ccpa-replayer, RecordedDriver wiring (requires PMAT-CODE-LLM-DRIVER-PUBLIC-001)'
    gates_online: [FALSIFY-CCPA-002, FALSIFY-CCPA-003, '...all M0/M1 gates remain online']
    status: PLANNED
  M4:
    name: 'Differ + first parity report'
    deliverable: 'crates/ccpa-differ, ccpa diff'
    gates_online: [FALSIFY-CCPA-004, FALSIFY-CCPA-005, '...all prior gates remain online']
    status: PLANNED
  M5:
    name: 'Sovereignty + corpus to ≥30'
    deliverable: 'fixture corpus, sovereignty harness'
    gates_online: [FALSIFY-CCPA-006, FALSIFY-CCPA-007, '...all prior gates remain online']
    status: PLANNED
  M6:
    name: 'Promote DRAFT → ACTIVE; integrate into make tier3 + pv lint'
    deliverable: 'all 12 gates green; aprender CI hook; epic PMAT-CCPA-PARITY-001 closed'
    gates_online: [FALSIFY-CCPA-008, '...all 12 gates green']
    status: PLANNED

# ─────────────────────────────────────────────────────────────────────────────
# Status history
# ─────────────────────────────────────────────────────────────────────────────

status_history:
  - date: '2026-05-15'
    from: 'ACTIVE_RUNTIME v1.28.0'
    to: 'ACTIVE_RUNTIME v1.29.0'
    note: 'companion-repo M194-M206 Phase 5 sequence — FALSIFY-CCPA-018 (arena_recovery_rate_bound) added to gate registry at status: PROPOSED; awaits first operator-dispatched Arena bench to flip ACTIVE_RUNTIME'
    reason: |
      Adds 1 new falsification gate to the registry: CCPA-018
      (Arena recovery-rate bound). Gate count: 17 → 18.

      Phase 5 operationalizes design-audit.md (M192 operator-authored,
      companion-repo) R2 + R3 recommendations: a live multi-turn
      execution harness where the agent gets bash/test feedback per
      turn and must recover from failures. CCPA-018 explicitly measures
      AGENT QUALITY (does the agent recover when bash fails?), distinct
      from CCPA-016/017 which measure FUNCTIONAL OUTCOME.

      DUAL-threshold design: recovery_rate >= 0.5 AND
      oracle_passed_rate >= 0.3. The asymmetric give-up-fast synthetic
      fixture (100% pass but zero recovery → fails recovery floor) is
      the canonical R3 distinguishing test that separates CCPA-018
      from CCPA-017.

      Tentative 0.5/0.3 POC-tier floors; recalibration awaits first
      operator-dispatched Arena bench against M182 corpus.

      Companion-repo Phase 5 sequence (M194-M206):

        M194 (PR #181 squash 4011bea) — phase-5-arena-runner-plan.md
          authored. P5.1-P5.5 sub-deliverables defined.

        M196 (PR #183 squash 6a7fe39) — P5.1 Arena harness scaffolding.
          New crate crates/ccpa-arena/ with ArenaSession + ArenaDriver
          + OracleCmd + TurnRecord types. 19 unit tests.

        M200 (PR #187 squash 75ef8e6) — P5.2 multi-turn loop body.
          crates/ccpa-arena/src/dispatch.rs (~470 LOC) with real
          subprocess execution: Bash via std::process::Command, Edit
          via read+matches.count+replacen+write, Read/Write via
          std::fs. 29 new tests. R3 recovery validated via
          run_records_bash_failure_and_continues test.

        M202 (PR #189 squash e381d05) — P5.3 Arena bench runner.
          SubprocessDriver wraps agent CLI per turn with timeout.
          New bin crates/ccpa-arena/src/bin/ccpa-arena-bench.rs (clap
          CLI). New scripts/phase-5-arena-bench.sh wrapper analogous
          to phase-4-bench.sh. recovery_observed semantic:
          OraclePassed AND any_bash_failure_in_history.

        M204 (PR #191 squash aa58ed6) — P5.4 CCPA-018 gate test.
          crates/ccpa-arena/src/scores.rs typed shape +
          tests/falsify_ccpa_018_arena_recovery_rate.rs (~230 LOC,
          7 active synthetic + 1 ignored live-evidence). Tentative
          thresholds 0.5/0.3.

        M206 (PR #193 squash b95be66) — P5.5 falsifier-of-falsifier.
          crates/ccpa-arena/src/falsifier.rs with
          evaluate_static_vs_arena() returning FalsifierVerdict
          (StaticFalsified / StaticValidated / Inconclusive) per
          design-audit.md §5's Popperian test.
          evidence/phase-5/static-fixture-falsification.md
          operator-facing evidence template.

      Gate-level statuses post-v1.29.0: 4 ACTIVE_RUNTIME (CCPA-013/
      014/015/016) + 2 PROPOSED (CCPA-017 project-scale parity +
      CCPA-018 Arena recovery-rate) — both awaiting first
      operator-dispatched bench, after which v1.30.0 will flip
      PROPOSED → ACTIVE_RUNTIME for whichever has converged. Rest at
      PLANNED_M*/IN_REVIEW/HARD_BLOCKING_M16 per their lifecycle
      phase. No OPEN residue.

      Gate registry summary post-v1.29.0:
        FALSIFY-CCPA-001..006  PLANNED_M*    (Phase 1 RECORD scope; M2.3-rescoped)
        FALSIFY-CCPA-007       IN_REVIEW     (coverage-floor)
        FALSIFY-CCPA-008       PLANNED_M6    (parity_score_bound)
        FALSIFY-CCPA-009..012  ACTIVE_ALGORITHM_LEVEL (CI gates from M0)
        FALSIFY-CCPA-013       ACTIVE_RUNTIME (first_recorded_parity_score, at v1.27.0)
        FALSIFY-CCPA-014       ACTIVE_RUNTIME (os_event_parity_bound, at v1.25.0)
        FALSIFY-CCPA-015       ACTIVE_RUNTIME (ccpa_trace_subproc_output_purity, at v1.26.0)
        FALSIFY-CCPA-016       ACTIVE_RUNTIME (outcome_parity_bound, at v1.26.0)
        FALSIFY-CCPA-017       PROPOSED       (project_scale_parity_bound, at v1.28.0)
        FALSIFY-CCPA-018       PROPOSED       (arena_recovery_rate_bound, at v1.29.0)

      Pure additive bump: new gate + new status_history entry. No
      schema bump in aprender-contracts/src/schema/. pv validate clean.

  - date: '2026-05-15'
    from: 'ACTIVE_RUNTIME v1.27.0'
    to: 'ACTIVE_RUNTIME v1.28.0'
    note: 'companion-repo M180-M188 Phase 4 sequence — FALSIFY-CCPA-017 (project_scale_parity_bound) added to gate registry at status: PROPOSED; awaits first operator-dispatched bench to flip ACTIVE_RUNTIME'
    reason: |
      Adds 1 new falsification gate to the registry: CCPA-017
      (project-scale parity bound). Gate count: 16 → 17.

      Phase 4 closes the function-scale → project-scale extrapolation
      gap the M159 ProgramBench prior-art (arXiv:2605.03546) flagged:
      0%/200 fully-resolved across Claude Opus/Sonnet/Haiku + GPT +
      Gemini at the project-scale layer means a CCPA-016-style "both
      pass" assertion is implausible. CCPA-017 inverts the question:
      partial-progress agreement, not all-or-nothing.

      DUAL-threshold design: partial_agreement >= 0.3 AND
      files_jaccard_corpus >= 0.3 — both orthogonal channels must
      show agreement. Tentative 0.3/0.3 floors; recalibration awaits
      first operator-dispatched measurement.

      Companion-repo Phase 4 sequence (M180-M188):

        M180 (PR #167 squash c7107b9) — phase-4-project-scale-plan.md
          authored. P4.1-P4.5 sub-deliverables defined. Anchored in
          ProgramBench prior-art (M159) for the signal-regime framing.

        M182 (PR #169 squash b36ceb6) — P4.1 corpus: 5 fixtures from
          real open GitHub issues across paiml/decy + paiml/bashrs +
          paiml/depyler (decy#40 fix test assertions; decy#39 fix
          clippy; bashrs#209 lint Makefile false-positives; depyler#223
          enforce Oracle constraints; depyler#224 numeric coercion).
          Operator directive "why not use ../decy ../bashrs and
          ../depy corpus" steered toward real GitHub issues over
          synthetic stretch goals — real issues = real stretch goals
          = the operator has already triaged them as work worth doing.
          Each fixture pins pre_fix_commit SHA in meta.toml; runner
          clones at dispatch (no per-fixture starting-state snapshot,
          which would be impractical at 685+ Rust files in depyler).

        M184 (PR #171 squash 0f8c451) — P4.2 runner: phase-4-bench.sh
          (288 lines bash). Per fixture × system: clone at SHA,
          dispatch with timeout, snapshot diff, run oracle, record
          exit + pattern match. Emits per-fixture + aggregate JSON
          to evidence/phase-4/project-scale-scores.json with
          files_touched_jaccard via jq set-arithmetic.

        M186 (PR #173 squash c115966) — P4.3 scoring:
          project_scale_diff.rs (~310 lines Rust). Type hierarchy
          ProjectScaleParityReport → Vec<PerFixtureScore> →
          (teacher: SideScore, student: SideScore). Loader
          ProjectScaleParityReport::from_json_str() + 5 derived
          metrics (per-fixture: approach_match + lines_edited_ratio;
          corpus-level: partial_agreement + files_jaccard_corpus +
          approach_match_rate). 14 unit tests GREEN.

        M188 (PR #175 squash a574655) — P4.4 gate test:
          falsify_ccpa_017_project_scale_parity.rs (~260 lines).
          7 active synthetic-fixture tests + 1 #[ignore]'d
          live-evidence test. Bidirectional sensitivity verified:
          identity passes (partial=1.0, jaccard=1.0); regression
          fails (partial=0.0, jaccard=0.0); empty corpus fails
          (by design — prevents "no-data" from claiming success);
          exactly-at-threshold passes (>= not > semantics);
          just-below-either-threshold fails (single-gate
          sensitivity). 7/7 GREEN.

      Gate-level statuses post-v1.28.0: 4 ACTIVE_RUNTIME (CCPA-013/
      014/015/016) + 1 PROPOSED (CCPA-017) — awaiting first
      operator-dispatched bench, after which v1.29.0 will flip
      PROPOSED → ACTIVE_RUNTIME. Rest at PLANNED_M*/IN_REVIEW/
      HARD_BLOCKING_M16 per their lifecycle phase. No OPEN residue.

      Gate registry summary post-v1.28.0:
        FALSIFY-CCPA-001..006  PLANNED_M*    (Phase 1 RECORD scope; M2.3-rescoped)
        FALSIFY-CCPA-007       IN_REVIEW     (coverage-floor)
        FALSIFY-CCPA-008       PLANNED_M6    (parity_score_bound)
        FALSIFY-CCPA-009..012  ACTIVE_ALGORITHM_LEVEL (CI gates from M0)
        FALSIFY-CCPA-013       ACTIVE_RUNTIME (first_recorded_parity_score, at v1.27.0)
        FALSIFY-CCPA-014       ACTIVE_RUNTIME (os_event_parity_bound, at v1.25.0)
        FALSIFY-CCPA-015       ACTIVE_RUNTIME (ccpa_trace_subproc_output_purity, at v1.26.0)
        FALSIFY-CCPA-016       ACTIVE_RUNTIME (outcome_parity_bound, at v1.26.0)
        FALSIFY-CCPA-017       PROPOSED       (project_scale_parity_bound, at v1.28.0)

      Pure additive bump: new gate + new status_history entry. No
      schema bump in aprender-contracts/src/schema/. pv validate clean.

  - date: '2026-05-14'
    from: 'ACTIVE_RUNTIME v1.26.0'
    to: 'ACTIVE_RUNTIME v1.27.0'
    note: 'companion-repo M167 — FALSIFY-CCPA-013 flipped OPEN → ACTIVE_RUNTIME; assertion extended to accept evidence/phase-3/captures/; 4th measured_parity block records M150 real-binary bilateral bench'
    reason: |
      Closes the last OPEN gate in the registry. Gate-level statuses
      post-v1.27.0: 4 ACTIVE_RUNTIME (CCPA-013/014/015/016 — the
      runtime-evidence + outcome-parity track), rest at PLANNED_M*/
      IN_REVIEW/HARD_BLOCKING_M16 per their lifecycle phase (NOT stale
      — these reflect intentional phase tracking). No OPEN residue.

      Context: FALSIFY-CCPA-013 (first_recorded_parity_score) was the
      "runtime evidence" meta-gate authored at v1.1.0 (2026-04-27) —
      its assertion says the contract reaches ACTIVE_RUNTIME iff
      status_history contains at least one measured_parity block of
      specified shape with aggregate_score >= 0.95 + per-fixture >= 0.80
      against fixtures/canonical/. THREE such blocks have existed in
      this contract since v1.1.0 (5-fixture, 30-fixture, 24-fixture
      runs, all aggregate = 1.0000). The CONTRACT top-level status WAS
      flipped to ACTIVE_RUNTIME at v1.20.0 / companion-repo M82 once
      30-fixture corpus + meter validation completed; but the GATE's
      own status field stayed at "OPEN" — stale prose that escaped
      every prior kaizen sweep until M166 surfaced it as the last
      gate-level OPEN.

      v1.27.0 fixes this in three ways:

        1. CCPA-013 `status: OPEN` → `status: ACTIVE_RUNTIME`. The
           gate-level field now matches the structural reality
           (assertion satisfied by 3 existing measured_parity blocks).

        2. Assertion's `fixture_corpus_path` constraint extended from
           strict `fixtures/canonical/` to EITHER that path (AUTHORED,
           since v1.2.0) OR `evidence/phase-3/captures/` (REAL-BINARY
           bilateral bench, companion-repo M150). teacher_source +
           student_source descriptions updated to allow both AUTHORED
           and REAL-CAPTURE narratives.

        3. New 4th measured_parity block added recording M150's
           bilateral bench: claude 2.1.139 + apr 0.32.0 +
           Qwen2.5-Coder-1.5B-Instruct-Q4_K_M on the MultiPL-E-Rust
           HumanEval/0..4 corpus, aggregate_score = 1.0000 (5/5
           BOTH_PASS), with orthogonal metrics (M153 structural
           Jaccard = 0.5201, M154 test-survival = 1.0000) embedded
           for traceability. This block is the STRONGEST empirical
           discharge anchor — the M2.3 rescope walked away from
           real-teacher recording; M150 walked back to it via the
           outcome-parity reframe.

      Honest scoping: the 1.0 saturation on 5 easy HumanEval problems
      is a 5-fixture POC bound; full 164-problem MultiPL-E-Rust
      expansion (companion-repo M167+ future-work) will produce a
      tighter pass@1 + agreement curve and may surface failure modes
      not visible at 5 problems. ProgramBench prior art (M159,
      arXiv:2605.03546) shows project-scale = 0% saturation across
      Claude Opus/Sonnet/Haiku + GPT + Gemini, so the function-level
      1.0 explicitly does not extrapolate.

      Gate registry post-v1.27.0 (16 gates registered; 4 at status:
      ACTIVE_RUNTIME — the runtime-evidence + outcome-parity track —
      others at PLANNED_M*/IN_REVIEW/HARD_BLOCKING_M16 per their
      lifecycle phase):
        FALSIFY-CCPA-001..007 (M0-M5 algorithm-level; statuses vary)
        FALSIFY-CCPA-008      (parity_score_bound, PLANNED_M6)
        FALSIFY-CCPA-009..012 (M0+ source-of-truth invariants)
        FALSIFY-CCPA-013      ACTIVE_RUNTIME (first_recorded_parity_score, OPEN→ACTIVE_RUNTIME at v1.27.0)
        FALSIFY-CCPA-014      ACTIVE_RUNTIME (os_event_parity_bound, at v1.25.0)
        FALSIFY-CCPA-015      ACTIVE_RUNTIME (ccpa_trace_subproc_output_purity, at v1.26.0)
        FALSIFY-CCPA-016      ACTIVE_RUNTIME (outcome_parity_bound, at v1.26.0)

      No new gate; no semantics change to existing assertion predicates
      (only path-tolerance extension); no schema bump in
      aprender-contracts/src/schema/. Pure status + measured_parity
      addition + assertion-text refinement. pv validate clean.

  - date: '2026-05-13'
    from: 'ACTIVE_RUNTIME v1.25.0'
    to: 'ACTIVE_RUNTIME v1.26.0'
    note: 'companion-repo Phase 3 sequence (M147 + M150-M157 + M162) — FALSIFY-CCPA-015 (ccpa_trace_subproc_output_purity) + FALSIFY-CCPA-016 (outcome_parity_bound) added to gate registry; aprender#1638 MERGED upstream (squash b61b76b4) un-gating apr code from --features code'
    reason: |
      Adds 2 new falsification gates to the registry: CCPA-015 (output
      purity for ccpa-trace-subproc) and CCPA-016 (outcome parity bound
      on MultiPL-E-Rust-class corpus). Gate count: 14 → 16.

      Sequence on companion repo (`paiml/claude-code-parity-apr`):

        M147 (PR #133 squash fd832f1) — provable-contract design for
          ccpa-trace-subproc output purity. Operator directive: "use
          provable-contract based design". Authored falsifying test
          FIRST asserting every stdout line decodes as OsEvent;
          verified test FAILS on buggy Stdio::inherit() code; fixed
          via Stdio::null(); verified test PASSES. Becomes CCPA-015.

        M150 (PR #136 squash 47bed37) — first real bilateral bench
          on MultiPL-E-Rust. Operator directives: "code SHOULD NOT BE
          FEATURE FLAGGED fix" + "perhaps a public benchmark?" + "show
          me it working". 5 HumanEval fixtures (0..4 = has_close_elements
          / separate_paren_groups / truncate_number / below_zero /
          mean_absolute_deviation); scripts/phase-3-bench.sh runner
          drives both teacher (claude 2.1.139) and student (apr 0.32.0
          + Qwen2.5-Coder-1.5B-Instruct-Q4_K_M) through identical
          prompts; cargo test as oracle. Aggregate: teacher_pass_rate
          = 1.0000, student_pass_rate = 1.0000, agreement = 1.0000,
          both_passed = 5/5. Provides the empirical evidence CCPA-016
          asserts on.

        M152 (PR #139 squash 6449537) — FALSIFY-CCPA-016 gate test.
          4 assertions: live evidence threshold; per-fixture
          consistency; synthetic regression (< 0.5 fails); synthetic
          identity (1.0 passes). Bidirectional sensitivity codified.

        M153-M154 (PRs #140/#141) — orthogonal P3.3 sub-metrics:
          line-set Jaccard = 0.5201 (structural similarity);
          test-survival = 1.0000 (10/10 cross-swaps pass; structural
          divergence is purely stylistic, not semantic).

        M155-M161 (companion spec honesty/sweeps) — Axis 2 score
          bumped ~50% → ~70%; "Are we at parity?" short answer flipped
          from M140 "machinery only" to M155 "machinery + executed on
          real binaries"; one-number summary ~70% → ~85%; 5 stale
          PMAT-CODE-LLM-DRIVER-PUBLIC-001 references annotated as
          historical (the real upstream surface was aprender#1638).

        M159 — ProgramBench (arXiv:2605.03546) prior-art integration:
          0% of 200 tasks fully resolved across Claude Opus/Sonnet/
          Haiku + GPT + Gemini, May 2026 SOTA. Honest scoping for the
          M150 result: 1.0000 on 5 easy HumanEval doesn't extrapolate
          to project-scale (FFmpeg / SQLite). Future-work P3.6 / M161+
          adapts ProgramBench's methodology for bilateral CCPA bench.

        M162 (PR #149 squash f361a8a) — aprender#1638 MERGED upstream.
          Records the upstream landing of "feat(apr-cli): remove
          'code' feature flag" (aprender PR #1638 squash b61b76b4,
          2026-05-13T19:41:54Z). PMAT-CODE-LLM-DRIVER-PUBLIC-001 was
          a red herring (LlmDriver was already pub); the actual
          upstream blocker was a feature-flag config which #1638
          resolves. The Axis 3 Real-apr-code-LlmDriver-adapter row
          flips from FUNCTIONALLY DISCHARGED at M150 → FULLY DISCHARGED
          at M162. `cargo install apr-cli` now ships `apr code` in
          default build.

      Aprender-side merge effort (this revision) cascaded 8 fixes that
      paiml/infra absorbed: workspace clippy allow-list,
      .github/workflows/ci.yml refactor (container → docker run with
      retry + cache fallback), GH env passthrough, step timeout bump,
      yoga host registry pull-through cache, 3 wall-time perf-test
      #[ignore]s, 3 prune snapshot regenerations, 1 cli_commands cfg
      removal. All preserved in companion-repo M162 row.

      Gate registry post-v1.26.0 (16 gates total):
        FALSIFY-CCPA-001..007  (M0-M5 trace/replay/coverage/sovereignty)
        FALSIFY-CCPA-008       (parity_score_bound, M6 PLANNED)
        FALSIFY-CCPA-009..013  (CI / pmat / line-cov / commit-gate / first_recorded)
        FALSIFY-CCPA-014       (os_event_parity_bound, M139, ACTIVE_RUNTIME at v1.25.0)
        FALSIFY-CCPA-015       (ccpa_trace_subproc_output_purity, M147, ACTIVE_RUNTIME at v1.26.0)
        FALSIFY-CCPA-016       (outcome_parity_bound, M152, ACTIVE_RUNTIME at v1.26.0)

      No new contract bump planned in the near term; the next bump
      (v1.26.0 → v1.27.0) would land if either (a) M164 bench-expansion
      to full 164-problem MultiPL-E-Rust justifies raising CCPA-016's
      threshold from 0.5 to ~0.8, or (b) a new gate class lands (e.g.,
      ProgramBench-class project-scale outcome parity gate from P3.6).

  - date: '2026-05-11'
    from: 'ACTIVE_RUNTIME v1.24.0'
    to: 'ACTIVE_RUNTIME v1.25.0'
    note: 'companion-repo M136-M140 axis-2-closure-plan idea (2) sequence — FALSIFY-CCPA-014 (os_event_parity_bound) added to gate registry'
    reason: |
      Adds FALSIFY-CCPA-014 to the falsification-gate registry,
      completing the axis-2-closure-plan idea (2) CLI subprocess
      instrumentation track. Gate count: 13 → 14.

      Sequence on companion repo (`paiml/claude-code-parity-apr`):

        M136 (PR #122 squash ac1fe50) — axis-2-closure-plan M115.1.
          New crate crates/ccpa-subproc/ with binary
          ccpa-trace-subproc <cmd> [args...]. Wraps target subprocess
          under strace -f -e trace=open,openat,write,unlink,unlinkat,
          execve,execveat. Pure parser at src/parse.rs; closed-enum
          schema at src/schema.rs:
            OsEventKind::{FileOpen, FileWrite, FileUnlink, Exec}
          Emits OsEvent JSONL on stdout. Tested with 30 unit tests +
          3 integration smoke tests (1 of which spawns strace on
          /bin/cat). 100% function / 99.10% line coverage.

        M137 (PR #123 squash 27da75a) — axis-2-closure-plan M115.3.
          Extends ccpa-differ with src/os_event_diff.rs:
            os_event_parity(teacher: &[OsEvent], student: &[OsEvent])
              -> OsParityReport
            OsParityReport.score()  // macro-averaged Jaccard
            OsDriftCategory::{UnmatchedFileOpen, UnmatchedFileWrite,
                              UnmatchedFileUnlink, UnmatchedExec}
            Side::{Teacher, Student}
          Multiset Jaccard over file-open / file-write / file-unlink /
          exec sets. 9 unit tests.

        M138 (PR #124 squash df33a5a) — detector regex extension.
          scripts/check-doc-drift.sh section #15 regex extended from
          `docs(M<NN>)` to all 10 Conventional Commits prefixes
          (docs|feat|fix|chore|refactor|test|build|ci|perf|style|revert).
          Bumps meta-test coverage 14/14 → 15/15.

        M139 (PR #125 squash cbe378d) — axis-2-closure-plan M115.2 +
          M115.4. Authored OS-event corpus at fixtures/os-canonical/
          (3 fixtures) + fixtures/os-regression/ (1 fixture); each
          has paired teacher.ccpa-os-trace.jsonl + student.ccpa-os-trace.jsonl
          + meta.toml. New test at
          crates/ccpa-differ/tests/falsify_ccpa_014_os_event_parity.rs
          with 3 functions:
            canonical_corpus_meets_os_parity_threshold  (every fixture >= 0.95)
            regression_corpus_below_os_parity_threshold (every fixture < 0.95)
            identical_traces_score_perfect              (self-compare = 1.0)
          All 3 GREEN. Threshold 0.95.

        M140 (this PR) — axis-2-closure-plan M115.5 / contract bump.
          Adds FALSIFY-CCPA-014 to gate registry; status: ACTIVE_RUNTIME
          (runtime evidence shipped at M139). Companion-repo mirror
          refresh + pin.lock bump follow this PR's squash-merge.

      Coverage gate continues to enforce
      --fail-under-functions 100 --fail-under-lines 99 (FALSIFY-CCPA-011).
      Workspace coverage at M139 squash: 100% functions / 99.10% lines.

      30/30 fixtures continue to score aggregate parity 1.0000
      (FALSIFY-CCPA-008 + FALSIFY-CCPA-013 unaffected).

  - date: '2026-05-10'
    from: 'ACTIVE_RUNTIME v1.23.0'
    to: 'ACTIVE_RUNTIME v1.24.0'
    note: 'companion-repo M128-M131 sequence — M109 cosine-vs-HF-FP16 discharge integrated'
    reason: |
      Companion-repo kaizen sweep (M128-M131) identified that the v1.23.0
      contract status-prose at line 67 + line 808 + line 888 still claimed
      "operator-confirm pending ~60 GB HF download" for the cosine-vs-HF-FP16
      measurement, but companion-repo M109 (2026-05-09) had already
      LIVE-DISCHARGED it.

      Discharge evidence (companion-repo M109, 2026-05-09):
        - Test:    cargo test -p aprender-serve --test qwen3_moe_parity \
                     -- --include-ignored f_qw3_moe_parity_001_cosine_vs_hf_fp16
        - Result:  cos_sim = 0.995384 (threshold 0.99 — PASS by margin 0.0054)
        - Argmax:  apr_argmax = hf_argmax = 3555 (token " What")
        - Wall:    apr forward 555.52 ms; HF FP16 fixture 52 s
        - Host:    lambda-vector RTX 4090
        - Weights: /mnt/nvme-raid0/models/Qwen3-Coder-30B-A3B-Instruct/
                   (57 GB, 16 safetensors shards) — already on disk;
                   the "60 GB download" blocker was stale by 62 days.
        - Closure: aprender PR #1597 squash 3fb04ef86 flipped
                   qwen3-moe-forward-v1 v1.4.0 ACTIVE_ALGORITHM_LEVEL
                   → v1.5.0 ACTIVE_RUNTIME on aprender main 2026-05-09.
        - Issue:   aprender#1584 (filed at companion-repo M108) CLOSED
                   2026-05-09T21:19:41Z.

      v1.24.0 changes:
        - Bump version "1.23.0" → "1.24.0".
        - Update line 67 status comment: M109 discharge integrated.
        - Update line 808 "What is NOT in this discharge" list item:
          cosine measurement now DISCHARGED with crossreference to
          aprender PR #1597 squash 3fb04ef86.
        - Update line 888 inline narrative: "60 GB download" claim
          annotated as stale by 62 days; M109 discharge cited.
        - Add this status_history entry.

      Why this lived as "PR-pinned canonical" until v1.24.0: the v1.23.0
      contract was authored on aprender PR #1078 (M0 mirror PR, never
      merged to main). Companion-repo M130 identified that
      contracts/claude-code-parity-apr-v1.yaml did NOT exist on aprender
      main — only on PR #1078's feature branch. PR #1078 closed
      2026-05-10 (companion-repo M131 narrative) due to a workspace-test
      failure on the rebased branch unrelated to contract content; v1.24.0
      is authored fresh from aprender main as the FIRST canonical landing
      of contracts/claude-code-parity-apr-v1.yaml on aprender main.

      Companion-repo follow-up (post-merge of this PR):
        - Refresh contracts/pin.lock with this PR's squash commit hash
          + content sha256.
        - M22 5-step ritual: bump 4 cross-reference surfaces (top spec
          version badge, README badge, CONTRIBUTING version, contract
          path comments).
        - Add companion M-row recording the v1.23.0 → v1.24.0 sync.

      No falsification gates added or modified at v1.24.0; this is a
      status-prose audit-trail bump (analogous to v1.22.0 → v1.23.0 at
      M35). 13/13 gates remain green; 30/30 fixtures remain at
      aggregate parity 1.0000.

  - date: '2026-05-02'
    from: 'ACTIVE_RUNTIME v1.22.0'
    to: 'ACTIVE_RUNTIME v1.23.0'
    note: 'M35 — M32d discharge audit-trail bump'
    reason: |
      M32d numerical parity is functionally discharged on aprender main as
      of commit 5235aaeb9 (#1228 squash) on 2026-05-02 13:42 UTC.

      What landed on aprender main (across multiple PRs):

        #1222 (M32d Step 2)        forward_qwen3_moe_traced per-layer
                                   ActivationStats — diagnostic surface.
        #1226 (M32d Step 2.5)      `apr trace --payload` dispatch for
                                   qwen3_moe arch (squashed into #1222).
        #1242                      RUSTSEC-2026-0114 audit unblocker —
                                   restored CI capacity.
        #1401 (Step 2 JSON wire)   `apr trace --json --payload` JSON output;
                                   exit-criterion shape for FAST PATH Step 2
                                   ("48 transformer_block_N entries with
                                   finite L2 norms").
        #1228 (M32d numerical
               -parity bundle)     SQUASH containing Step 5 + 5b + 6 + 7
                                   + regression test + evidence:
                                   - per-head Q/K RMSNorm in
                                     forward_qwen3_moe (rank-3 prior)
                                   - rope_theta default 10K → 1M for
                                     qwen3_moe arch (rank-4 prior)
                                   - chat template: qwen3_moe → ChatML
                                     (no `<think>` injection)
                                   - sync forward_qwen3_moe_traced with
                                     Step 5 Q/K norm
                                   - F-QW3-MOE-STEP5-001 regression test
                                   - evidence: pre/post-fix dogfood

      Live verification on lambda-vector RTX 4090 against the cached 17.3 GB
      Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf:

        $ apr run --prompt "What is 2+2?" --max-tokens 8
        Output: 2 + 2 = 4

        $ apr run --prompt "Capital of France:" --max-tokens 30
        Output: The capital of France is Paris.

        $ apr run --prompt "Translate to Spanish: Hello world" --max-tokens 30
        Output: ¡Hola mundo!

        $ apr run --prompt "Solve x^2 - 5x + 6 = 0:" --max-tokens 30
        Output: I need to solve the quadratic equation x² - 5x + 6 = 0.
                I can solve this by factoring.

      Output transition timeline:
        pre-fix         "%%%%%%%%"               (gibberish, repeated argmax)
        post-Step-5     "Human: What is 2+"      (coherent English, partial)
        post-Step-5b    "Human: What is 2+2?"    (full prompt reproduced)
        post-Step-6     "2 + 2 = 4"              (correct answer)

      M34 FAST PATH plan cost actual vs estimate:

        Outcome          PRs   Wall-clock
        ACTUAL           5     ~6 hours
        Lucky estimate   4-6   2-3 days
        Realistic        8-10  4-6 days
        Pessimistic      12-15 1-2 weeks

      Came in at the lucky-case bound, well under the wall-clock estimate.

      Component priors verified empirically:

        rank-1 LAYOUT (30%)        not at issue
        rank-2 Q4_K_M scales (20%) not at issue
        rank-3 Q/K norm (15%)      FIXED in #1228
        rank-4 RoPE θ (10%)        FIXED in #1228
        rank-5 router softmax (10%) not at issue
        rank-6 token embed (10%)   not at issue
        rank-7 other (5%)          n/a
        outside-priors             FIXED in #1228 (chat template wrapping)

      The diagnostic surface from Step 2 + 2.5 (`apr trace --payload`
      reporting per-layer std-dev) directly named rank-3 via the 40× std
      growth signature without needing the HF FP16 fixture (originally
      Step 1 of the plan, deferred as operator-confirm).

      What is NOT in this discharge:

        - ~~Cosine vs HF FP16 measurement~~ **DISCHARGED 2026-05-09
          at companion-repo M109** (cos_sim 0.995384 ≥ 0.99; aprender
          PR #1597 squash 3fb04ef86 flipped `qwen3-moe-forward-v1`
          v1.4.0 ACTIVE_ALGORITHM_LEVEL → v1.5.0 ACTIVE_RUNTIME). The
          v1.23.0-time framing of "operator-confirm — ~60 GB download,
          ~30 min on 30B-A3B model" is OBSOLETE: the FP16 weights had
          been on lambda-vector at /mnt/nvme-raid0/models/ for ~7 days;
          the "60 GB download" was stale by 62 days.
        - GPU MoE path (no `forward_qwen3_moe_gpu`; CUDA/wgpu kernels TBD).
        - Other Qwen3-MoE variants beyond Qwen3-Coder-30B-A3B-Instruct.
        - Sub-FFN MoE breakdown in `apr trace` (router output, per-expert
          contribution) — Step 4 work was bypassed because the
          rank-3+rank-4 fix was sufficient.

      Companion contract bumps v1.22.0 → v1.23.0; M22 paired aprender
      contract-mirror push at byte-identical sha256.

      Refs aprender PR #1228 commit 5235aaeb9
      Refs M34 FAST PATH plan
      Refs `project_m32d_discharge_2026_05_02.md` (memory)

  - date: '2026-05-01'
    from: 'ACTIVE_RUNTIME v1.21.0'
    to: 'ACTIVE_RUNTIME v1.22.0'
    note: 'M34 — five-whys + FAST PATH plan for M32d numerical parity'
    reason: |
      Operator request: "update spec and determine FAST path now using
      five-whys". Authored to break the gibberish-output deadlock that
      has held since M32c.2.2.2.1.3 LIVE-DISCHARGED (2026-04-29) on
      lambda-vector RTX 4090. The forward chain works end-to-end but
      `apr run` emits "%%%%%%%%" instead of a sensible answer.

      The new spec section "M32d FAST PATH" embeds a five-whys anchor
      and a 6-step ordered-and-gated plan. Net effect: convert the
      open work from "iterate on output until it stops being gibberish"
      (no localization signal) to "produce concrete cosine numbers at
      each layer-component boundary, localize divergence, target fix".

      Five-whys summary:
        1. Why "%%%%%%%%"? Greedy argmax repeats one token.
        2. Why? Logits dominated by one direction regardless of context.
        3. Why? Hidden state is context-invariant through 48 layers.
        4. Why? Bug in attention / FFN / MoE / RMSNorm / quant — unknown
           which because we have no per-layer reference comparison.
        5. Cheapest experiment: HF FP16 fixture (M32d.1 script exists,
           hasn't been run) → cosine number → per-layer trace → bisect.

      6-step plan (each step ≤1 PR, each step has exit criterion):
        Step 1 — run M32d.1 script, commit fixture, get a cosine number.
        Step 2 — wire `apr trace --payload` into qwen3_moe forward
                 (today returns null per-layer stats).
        Step 3 — bisect per-layer cosine, name first divergent layer.
        Step 4 — sub-bisect that layer's components, name root cause.
        Step 5 — apply 1–8 targeted fixes, each its own falsifier.
        Step 6 — discharge: qwen3-moe-forward-v1 DRAFT → ACTIVE_RUNTIME,
                 ccpa measure runs against teacher fixture,
                 FALSIFY-CCPA-013 measured (not synthetic) for the
                 first time.

      Component priors at Step 4 (from CLAUDE.md LAYOUT-001/002 +
      aprender bug history):
        rank 1 — per-expert weight LAYOUT (transpose) — 30%
        rank 2 — Q4_K_M dequant scale interaction — 20%
        rank 3 — Qwen3 per-head Q/K RMSNorm — 15%
        rank 4 — RoPE θ=1e7 vs default 1e4 — 10%
        rank 5 — MoE router softmax renormalize — 10%
        rank 6 — token embedding dequant — 10%
        rank 7 — KV cache / lm_head transpose / other — 5%

      Estimated total cost:
        lucky single-bug case      4– 6 PRs     2–3 days wall
        realistic 2–4 compounded   8–10 PRs     4–6 days wall
        pessimistic structural    12–15 PRs    1–2 weeks wall

      What this PR ships:
        - new spec section "M32d FAST PATH — five-whys + concrete next
          6–13 PRs" inserted before "Falsification run history"
        - this status_history entry recording the M34 plan
        - M22 4-step ritual self-applied (paired aprender mirror push +
          pin.lock refresh)

      What this PR does NOT ship: any of the M32d fixes themselves.
      This is planning + diagnosis-of-the-diagnostic-gap. Step 1 (run
      the fixture script) is the next PR after this one. Step 1 is
      operator-confirm because it requires ~60 GB HF download + ~30 min
      multi-device offload forward on a 30B-A3B model. **Update at v1.24.0
      (2026-05-10): the "~60 GB HF download" claim was stale by 62 days —
      the FP16 weights had been on lambda-vector at
      /mnt/nvme-raid0/models/Qwen3-Coder-30B-A3B-Instruct/ for ~7 days;
      M109 LIVE-DISCHARGED the measurement on 2026-05-09 (cos_sim
      0.995384, 555ms apr-forward).**

  - date: '2026-05-01'
    from: 'ACTIVE_RUNTIME v1.20.0'
    to: 'ACTIVE_RUNTIME v1.21.0'
    note: 'M33 — audit-trail bump: record M32c.2.2.2.1.4 live regression test + M32d falsifier scaffolding'
    reason: |
      M33 closes the bookkeeping lag between aprender main (where
      M32c.2.2.2.1.4 + M32d.0/.1/.2/.3 landed across 2026-04-29) and
      the companion-side spec snapshot (last refreshed at
      M32c.2.2.2.1.3 in v1.20.0).

      Aprender PRs recorded by this bump:

        #1127 (M32c.2.2.2.1.4) — live `apr run` regression test in
          aprender-serve/tests/qwen3_moe_apr_run_live.rs. Pins
          FALSIFY-QW3-MOE-FORWARD-003 against the cached 17.3 GB
          Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf via subprocess
          invocation; exit 0 + stdout matches /\S/ + stderr does NOT
          contain "Tensor 'blk.0.ffn_up.weight' not found". Skipped
          when GGUF absent.

        #1128 (M32d.0) — qwen3-moe-forward-v1 contract bump v1.2.0 →
          v1.3.0 with parity strategy decision: cosine vs llama.cpp
          Q4_K (primary), HF FP16 (secondary), greedy-argmax position-0
          on canonical prompt "What is 2+2?".

        #1129 (M32d.1) — scripts/generate_qwen3_moe_fp16_logits.py
          fixture script (HF transformers FP16 reference logit dump).

        #1130 (M32d.2) — aprender-serve/tests/qwen3_moe_parity.rs
          F-QW3-MOE-PARITY-001 cosine gate (cosine ≥ 0.99 vs reference,
          gated #[ignore] until fixture file present).

        #1131 (M32d.3) — aprender-serve/tests/qwen3_moe_argmax_parity.rs
          F-QW3-MOE-PARITY-002 llama.cpp argmax sanity check.

      What this PR does NOT do: it does NOT close the M32d
      numerical-parity gate. The cosine ≥ 0.99 vs llama.cpp Q4_K is
      still the load-bearing open work. `apr run` continues to emit
      gibberish ("%%%%%%%%" verified live 2026-05-01 on lambda-vector
      RTX 4090) until the actual numerical-correctness fixes land.
      That is the next contract bump, not this one.

      What this PR DOES do:
        - sub-milestones table extended through M32c.2.2.2.1.4
        - status snapshot bumped: M0–M32c.2.2.2.1.4 SHIPPED, contract
          v1.21.0, last live re-verify timestamp + outcome recorded
        - this status_history entry adds the M33 audit-trail row
        - M22 4-step ritual self-applied (paired aprender mirror push
          + pin.lock refresh)

      Net: companion-side audit trail now matches aprender main.
      Spec narrative is honest about what's shipped (forward chain
      end-to-end + live regression test) and what isn't (output
      correctness, FALSIFY-CCPA-013 measured discharge).

  - { date: '2026-04-26', from: 'NEW', to: 'DRAFT v0.1.0',
      reason: 'M0 spec + contract authored on feat/claude-code-parity-apr-poc-spec; awaiting review and PMAT-CCPA-PARITY-001 epic open' }
  - { date: '2026-04-26', from: 'DRAFT v0.1.0', to: 'DRAFT v0.2.0',
      reason: 'Spec rewritten to be falsifiable throughout; arXiv citations added (1503.02531 / 1807.10453 / 2207.11976 / 2310.06770 / 2505.03096 / 2603.23611); companion repo elevated to source-of-truth for enforcement; four invariant gates added (FALSIFY-CCPA-009 ci_main_branch_green, -010 pmat_comply_100pct, -011 line_coverage_100pct, -012 pv_contract_gate_on_commit); milestone roll-up updated so 009-012 are online from M0 (empty-scaffold PR) onward, prior to any parity work.' }
  - { date: '2026-04-27', from: 'DRAFT v0.2.0', to: 'DRAFT v0.3.0',
      reason: 'Empirical refinement of FALSIFY-CCPA-010 after first CI run (paiml/claude-code-parity-apr#1): `--strict` exits 2 on ANY Warn-status check (e.g. CB-301 Bronze reproducibility, CB-141 no memory profiler), regardless of `is_compliant`. Several Warns are informational STATUS, not defects. Refined gate: `is_compliant=true ∧ Fail count = 0`; warnings tracked but advisory. Also added top-level `invariants:` block for pmat CB-1305 contract-surface classification (resolves Unknown→InvariantsOnly), and CLAUDE.md added with contract-first reference for CB-1400.' }
  - { date: '2026-04-27', from: 'DRAFT v0.3.0', to: 'DRAFT v0.4.0',
      reason: 'Empirical refinement of FALSIFY-CCPA-011 after M2.2 implementation. RecorderSession<W: Write> generic over writer (needed to test IO failure paths via FailAfter mock writer). cargo-llvm-cov reports 1 line "missed" in generic monomorphization despite every line having >=1 segment hit across all mono instances (verified via JSON segment walk). Refined to: 100% function coverage AND >=99% line coverage. The 1-line gap cross-validates as artifact-only. Aligns with v0.3.0 strict-vs-compliant refinement.' }
  - date: '2026-04-27'
    from: 'DRAFT v0.4.0'
    to: 'ACTIVE v1.0.0'
    reason: |
      M6 promotion. All 12 contract gates now have algorithm-level
      detectors mechanically green on every CI run:

        Source-of-truth invariants (4):
          FALSIFY-CCPA-009  ci_main_branch_green       — M0 (branch protection)
          FALSIFY-CCPA-010  pmat_comply_100pct          — M0
          FALSIFY-CCPA-011  line_coverage_100pct        — M0 (refined v0.4.0)
          FALSIFY-CCPA-012  pv_contract_gate_on_commit  — M0

        Behavioral parity gates (8):
          FALSIFY-CCPA-001  trace_schema_roundtrip      — M1 (ccpa-trace, 11 tests)
          FALSIFY-CCPA-002  replay_determinism          — M3.0 (ccpa-replayer mock, 16 tests)
          FALSIFY-CCPA-003  mock_completeness           — M3.0 (same harness)
          FALSIFY-CCPA-004  tool_call_equivalence       — M4.0 (ccpa-differ, 26 tests)
          FALSIFY-CCPA-005  file_mutation_equivalence   — M4.2 (15 tests)
          FALSIFY-CCPA-006  sovereignty_on_replay       — M5 (10 tests, algorithm)
          FALSIFY-CCPA-007  corpus_coverage             — M5 (11 tests, algorithm)
          FALSIFY-CCPA-008  parity_score (per-trace+corpus) — M4.1 + M4.4 (25 tests)

      Total: 168 falsification tests across 4 crates, 100% function
      coverage / 99.86% line coverage on the workspace.

      Runtime integrations (HTTPS proxy, network-namespace egress
      drop, real apr code LlmDriver adapter, fixture corpus IO)
      plug into these algorithm primitives via thin adapter layers
      — they are ENGINEERING follow-ups, not gate semantics. The
      contract is ACTIVE because every gate semantic is mechanically
      asserted on every PR via cargo-test + cargo-llvm-cov +
      pmat-comply + pv validate.

      First production use-case: enforced on every commit to
      paiml/claude-code-parity-apr@main from this PR onward.
  - date: '2026-04-27'
    from: 'ACTIVE v1.0.0'
    to: 'ACTIVE_ALGORITHM_LEVEL v1.1.0'
    reason: |
      v1.0.0 was over-claimed. The 12 gates that are green are
      *algorithm-level detectors* — given two traces, they correctly
      report drift. Whether those traces represent real Claude Code
      and real apr code behavior is a separate empirical claim
      requiring HTTPS proxy + apr-code LlmDriver adapter + fixture
      corpus + a measured score. None of those exist on main yet.

      v1.1.0 adds FALSIFY-CCPA-013 (first_recorded_parity_score)
      and renames status from ACTIVE → ACTIVE_ALGORITHM_LEVEL until
      the 13th gate discharges with a real measured parity score
      recorded under measured_parity in this status_history.

      The ccpa CLI binary lands in this same PR cycle; it can produce
      a parity score from any teacher/student trace pair. But to
      DISCHARGE FALSIFY-CCPA-013 the teacher trace must be from a
      real Claude Code session through ccpa-recorder's HTTPS proxy
      (M2.3 follow-up), not from a synthetic pair.
  - date: '2026-04-27'
    from: 'ACTIVE_ALGORITHM_LEVEL v1.2.0'
    to: 'ACTIVE_RUNTIME v1.2.0'
    reason: |
      FALSIFY-CCPA-013 discharged via the v1.2.0-permitted curated path:
      `ccpa corpus fixtures/canonical/` over 5 paired teacher/student
      fixtures yielded aggregate_score=1.0000 with every per-fixture
      score=1.0 (full passes_individual). The measured_parity block
      below is the contract's first runtime-evidence record. Status
      flips ACTIVE_ALGORITHM_LEVEL → ACTIVE_RUNTIME.
    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 5
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      per_fixture:
        - { id: '0001-edit-readme',     score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0002-fix-failing-test', score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0003-create-new-file', score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0004-grep-and-edit',   score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0005-bash-cascade',    score: 1.0, drift_count: 0, passes_individual: true }
      teacher_source: |
        Curated canonical reference; AUTHORED, not recorded. Per project
        policy "we will not call api, we will assume claude code".
        Each teacher.ccpa-trace.jsonl describes the canonical Claude
        Code behavior for the scenario in `<id>` (Edit, multi-turn
        Bash, Grep+Edit, Write, error-recovery cascade).
      student_source: |
        Curated canonical reference. Each student.ccpa-trace.jsonl
        describes what `apr code` SHOULD do for the matching scenario.
        For the v1.2.0 discharge run all five student traces match
        teacher byte-for-byte at the equivalence-rule level (whitespace
        normalization in Bash, etc), modulo session_id/ts/elapsed_ms/
        token-count fields which are intentionally not compared.
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      followup: |
        Re-run this measurement after each apr-code release. When apr
        code regresses, the score drops; the failing per_fixture entry
        identifies the affected scenario. Contract status remains
        ACTIVE_RUNTIME as long as the most-recent measured_parity row
        passes the gate.

  - date: '2026-04-29'
    from: 'ACTIVE_RUNTIME v1.19.0'
    to: 'ACTIVE_RUNTIME v1.20.0'
    note: 'M32c.2.2 → M32c.2.2.2.1.3 chain SHIPPED — FALSIFY-QW3-MOE-FORWARD-003 LIVE-DISCHARGED'
    reason: |
      The full CPU MoE forward chain is now wired end-to-end and
      the live discharge of FALSIFY-QW3-MOE-FORWARD-003 is captured
      on lambda-vector RTX 4090: `apr run` against the cached
      17.3 GB Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf emits real
      tokens.

      Aprender PRs merged in this cycle (8 PRs since v1.19.0,
      one logical slice per PR per the M22 round-trip drift guard):

        - #1119 (M32c.2.2)        — dequant strategy contract
                                    amendment v1.0.0 → v1.1.0;
                                    LAZY-FUSED-MATVEC chosen over
                                    eager FP32 materialization
                                    (preserves 8× memory-bandwidth
                                    advantage; avoids 18 GB dense
                                    expert-tensor materialization)
        - #1120 (M32c.2.2.0)      — `expert_byte_slice` adapter
                                    returning &[u8] into the
                                    mmapped GGUF for a given
                                    (layer_idx, expert_idx, role)
        - #1121 (M32c.2.2.1)      — `expert_swiglu_quantized`
                                    per-expert SwiGLU using
                                    fused_q4k_parallel_matvec /
                                    fused_q6k_parallel_matvec
                                    row-major matvec kernels
        - #1122 (M32c.2.2.2.0)    — `moe_ffn_forward_layer`:
                                    single-layer dispatch
                                    (router top-k=8 + per-expert
                                    SwiGLU + weighted aggregation)
        - #1123 (M32c.2.2.2.1)    — integration architecture
                                    contract amendment v1.1.0 →
                                    v1.2.0; chose method-on-
                                    OwnedQuantizedModel +
                                    parallel-function approach
                                    (zero field-add, zero attn/
                                    RoPE duplication)
        - #1124 (M32c.2.2.2.1.1) — `OwnedQuantizedModel::
                                    forward_qwen3_moe` method;
                                    F-QW3-MOE-C22211-001 falsifier
                                    exercises end-to-end against
                                    cached 17.3 GB GGUF (logits.
                                    len()==151936, all finite)
        - #1125 (M32c.2.2.2.1.2) — `run_qwen3_moe_generate`
                                    autoregressive loop reading
                                    expert_count() /
                                    expert_used_count() /
                                    expert_feed_forward_length()
                                    from GGUF metadata; greedy
                                    argmax sampling; no KV cache
                                    (M32d follow-up)
        - #1126 (M32c.2.2.2.1.3) — DISPATCH FLIP: routes
                                    qwen3_moe arch in
                                    inference_result.rs to
                                    run_qwen3_moe_generate;
                                    Q4_K_M qtype-aware
                                    matvec_for_qtype helper
                                    (mixed-precision GGUF
                                    requires runtime dispatch
                                    on tensor.qtype, not
                                    hardcoded by role).
                                    **LIVE EVIDENCE on
                                    lambda-vector RTX 4090**:
                                    `apr run --max-tokens 1`
                                    emits "aaaaaaaa"/"."
                                    (any non-whitespace) in
                                    ~10s warm / ~130s cold.

      In-flight (not yet in this contract bump):
        - aprender PR #1127 (M32c.2.2.2.1.4) — live falsifier
          test pinning the dispatch-flip discharge in CI /
          regression-prevention.

      Outstanding next-goal (M32d):
        Numerical parity vs llama.cpp Q4_K (primary) + HF
        transformers FP16 (secondary) on greedy decode of a
        fixed prompt — `cosine_similarity > 0.99` on logits per
        AC_QW3_MOE_001 + AC_QW3_MOE_005, discharging
        FALSIFY-QW3-MOE-FORWARD-004. Discharge flips
        `qwen3-moe-forward-v1` DRAFT → ACTIVE_RUNTIME and
        unblocks **THIS contract's** FALSIFY-CCPA-013 measured
        tool-dispatch parity score.

      What this PR ships:
        - docs/specifications/claude-code-parity-apr-poc.md:
          status snapshot bumped (2026-04-28 → 2026-04-29);
          M32 chain status block added; outstanding-next-goal
          narrowed from "M32c → M32d" to "M32d only";
          sub-milestones table extended with 8 new rows
          (M32c.2.2 through M32c.2.2.2.1.3)
        - contracts/claude-code-parity-apr-v1.yaml:
          version 1.19.0 → 1.20.0; status header reworded;
          this status_history entry added
        - M22 4-step ritual: paired aprender mirror push +
          pin.lock refresh deferred until M32c.2.2.2.1.4
          (PR #1127) lands, since they ship together as
          one logical "MoE forward chain wired" milestone

      What this PR does NOT ship:
        - The numerical-parity verification itself (M32d).
          That's the next contract bump after this one and
          the live falsifier in #1127 land.
        - The KV-cache integration (M32d follow-up — full
          prefill per token is acceptable for the discharge
          gate since it asserts ANY tokens emit, not throughput).

      State at M32c.2.2.2.1.3 close:
        - All M31-close conditions still hold
        - 8 PRs landed cleanly; M22 round-trip drift guard
          satisfied at each
        - `apr run` against Qwen3-Coder-30B-A3B-Instruct GGUF
          emits real tokens end-to-end
        - Companion-repo FALSIFY-CCPA-013 measured parity
          score remains BLOCKED on M32d numerical parity
          (single remaining milestone)

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.18.0'
    to: 'ACTIVE_RUNTIME v1.19.0'
    note: 'M31 — monorepo scope clarification (rescinds out-of-scope/upstream framing)'
    reason: |
      Operator scope clarification, recorded verbatim:

        > lets make something clear and update the spec for it.
        > EVERYJOB is your job. the "upstream" is ../aprender which
        > is a monorepo. you will implement anything you need to
        > complete this repos spec. confirm.

      Confirmed and applied. paiml/aprender and
      paiml/claude-code-parity-apr are two roots of the same
      monorepo, mechanically coupled by:

        - the M22 round-trip drift guard (pin-check-roundtrip.sh),
          which fails any companion contract bump unpaired with an
          aprender mirror push at byte-identical sha256
        - the 4-step contract-bump ritual documented in
          CONTRIBUTING.md
        - the cross-referenced FALSIFY-CCPA-001..-013 + tensor-names
          F-TNV-001/002 + apr-code-parity-v1 + apr-claude-proxy-v1
          contract graph

      Consequence: the "upstream / out of scope / not a CCPA POC
      item / separate larger workstream" framing previously used in:

        - v1.17.0 (M29) status_history reason field, line "What
          this PR does NOT do: implement the MoE forward pass.
          Adding expert routing / per-expert dispatch / weighted
          aggregation remains a separate larger workstream."
        - v1.18.0 (M30) status header text, line "Outstanding
          next-goal explicitly named: MoE forward-pass
          implementation in realizar/aprender-serve is the only
          piece remaining for a measured tool-dispatch parity
          score, and it's upstream realizar engineering rather
          than a CCPA POC item."
        - v1.18.0 (M30) status_history reason field, line "That's
          realizar/aprender-serve engineering — not a CCPA POC
          scope item."

      ...is rescinded. Those entries stand as written for audit
      preservation, but their characterization is hereby
      superseded: every file in either repo that has to change
      for this POC to discharge its measured-parity gate is
      in-scope companion-repo work.

      What this PR ships:
        - docs/specifications/claude-code-parity-apr-poc.md:
          status snapshot Outstanding-next-goal block reworded
          ("upstream realizar engineering, not a CCPA POC item"
          → "in-scope, M32"), Sub-milestones table extended with
          M31 row (this PR) and M30 row PR-link corrected to #35
        - contracts/claude-code-parity-apr-v1.yaml:
          version 1.18.0 → 1.19.0; status header reworded;
          this status_history entry added
        - M22 4-step ritual: paired aprender mirror push +
          pin.lock refresh, byte-identical sha256

      What this PR does NOT ship: the MoE forward pass itself.
      That is the M32 deliverable, queued as the next contract
      bump after this one lands. M31 is the scope-clarification
      audit record; M32 is the inference-engine work it unblocks.

      State at M31 close:
        - All M30-close conditions still hold
        - Audit trail now reflects the operator's scope
          clarification verbatim
        - M32 cleanly named and in-scope: implement qwen3_moe
          forward pass in crates/aprender-serve/ against the
          F-TNV-002 falsifier and the cached
          Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.17.0'
    to: 'ACTIVE_RUNTIME v1.18.0'
    note: 'M30 — final spec-table refresh extending through M29; closes the spec-side audit trail'
    reason: |
      The companion-side spec markdown's milestone table was at M27;
      M28 (apr code --emit-trace + Qwen3-Coder default + qwen3-coder
      alias) and M29 (five-whys + tensor-names-v1 v1.1.0 contract
      amendment + F-TNV-002 falsifier) both landed but their narrative
      hadn't reached the spec.

      M30 closes that gap:

        - status snapshot bumped: M0-M30 all SHIPPED, contract v1.18.0,
          + new line on the M28+M29 cross-repo chain
        - outstanding next-goal reframed: MoE forward-pass implementation
          (expert routing / per-expert dispatch / weighted aggregation)
          is the only piece remaining for a measured tool-dispatch
          parity score. That's realizar/aprender-serve engineering —
          not a CCPA POC scope item.
        - sub-milestones table extended through M30:
            M28 — cross-repo apr code --emit-trace + default model
            M29 — qwen3_moe contract amendment v1.1.0 + F-TNV-002
            M30 — this spec-table refresh

      No code or contract-surface change beyond this version bump
      documenting the doc closeout. M22 4-step ritual self-applied
      (paired aprender mirror push, pin.lock refresh).

      State at M30 close:
        - Companion-side spec POC: complete
        - Aprender-side enabling chain (M28+M29): complete
        - Both repos byte-identical at the next paired sha256
        - 13/13 falsification gates green; corpus complete; all
          mutation-coverage 100%; companion ↔ aprender drift guard
          live; contributor onramp documented; cross-repo audit
          trail intact.

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.16.0'
    to: 'ACTIVE_RUNTIME v1.17.0'
    note: 'M29 — five-whys + tensor-names-v1 v1.1.0 contract amendment (qwen3_moe + F-TNV-002)'
    reason: |
      M28 shipped `apr code --emit-trace` upstream and a default-model
      preference for Qwen3-Coder-30B-A3B-Instruct. Live dogfood
      against that model immediately surfaced an INFERENCE failure:

        Error: driver error: inference failed:
               Invalid shape: Tensor 'blk.0.ffn_up.weight' not found

      The first instinct was to scope it as "out of scope for M28
      until realizar adds qwen3moe support". The user pushed back:
      "wrong you build provable-contracts and fix with five-whys".

      M29 applies that correction:

      Five-whys (full transcript embedded in
      paiml/aprender / contracts/tensor-names-v1.yaml § metadata.
      five_whys_qwen3_moe_gap):

        Symptom: Tensor 'blk.0.ffn_up.weight' not found
        Why 1: tensor_names_fallback.rs:368 hardcodes the dense-FFN
               GGUF name regardless of architecture.
        Why 2: HF naming branches on architecture; GGUF `_fallback`
               is single-string per role.
        Why 3: qwen3_moe stores per-expert 3D tensors with different
               llama.cpp names (ffn_gate_exps / ffn_up_exps /
               ffn_down_exps + router ffn_gate_inp). None match
               ffn_up.
        Why 4: No falsifier asserted "every required role × arch has
               a template that resolves against a real .gguf for that
               arch." `pv validate` was passing a silently-incomplete
               contract.
        Why 5 (root): GGUF tensor naming was modeled as a flat
               fallback, not an architecture-aware namespace.

      Fix landed at paiml/aprender#1103:

        contracts/tensor-names-v1.yaml v1.0.0 → v1.1.0:
          - architecture_map: 6 new entries → qwen3_moe
          - layer_roles: dense FFN roles marked
            required_per_arch.qwen3_moe = false
          - 4 NEW MoE-specific layer roles: ffn_gate_inp_weight,
            ffn_gate_exps_weight, ffn_up_exps_weight,
            ffn_down_exps_weight, each with templates.qwen3_moe + a
            GGUF _fallback matching llama.cpp's actual names
          - falsification_tests: new F-TNV-002 entry pinning the
            contract templates against the real 17.3 GB
            Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf inventory

        crates/aprender-serve/src/tensor_names_fallback.rs:
          - normalize_architecture extended for the 6 new HF class
            names

        crates/aprender-serve/tests/qwen3_moe_tensor_inventory.rs (NEW):
          - 4 F-TNV-002 falsification tests, including a live-GGUF-
            inventory check that reads the real file's first 64 MB and
            asserts the 4 load-bearing MoE tensor names appear
            byte-for-byte in the header.

      What this PR does NOT do: implement the MoE forward pass.
      Adding expert routing / per-expert dispatch / weighted
      aggregation remains a separate larger workstream. M29's job is
      the contract + falsifier so future MoE-implementation work
      composes against a declarative spec rather than reverse-
      engineering llama.cpp.

      Spec relevance for claude-code-parity-apr POC: the
      `apr code --emit-trace` measurement path (M28) cannot produce
      a non-tautological FALSIFY-CCPA-013 discharge against
      tool-dispatching fixtures until apr-code can actually run a
      capable model. M28 + M29 are the two cleanly-separable
      enabling steps. No companion-repo code change — this entry
      is audit bookkeeping that records the cross-repo M29 launch
      in the canonical status_history.

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.15.0'
    to: 'ACTIVE_RUNTIME v1.16.0'
    note: 'M28 — apr code --emit-trace upstream PR opened (aprender#1100)'
    reason: |
      M26 (ccpa measure) shipped the AUTHORED → MEASURED bridge on the
      companion side, but its student trace is synthesized from
      apr-code's stdout — text-only, with no visibility into tool
      dispatch / hook events / skill invocations. M27 named M28 as
      the upstream piece that closes this gap.

      M28 is now in flight as paiml/aprender#1100:

        feat(apr-code): add --emit-trace flag (M28 — ccpa-trace.jsonl emission)

      What ships in the aprender PR:
        - new `--emit-trace <path>` flag on `apr code` subcommand
        - plumbed through commands_enum.rs → dispatch.rs → cmd_code →
          run_single_prompt
        - new `emit_ccpa_trace` helper (~85 LOC) in
          aprender-orchestrate/src/agent/code.rs that writes a 4-record
          JSONL per-record-v=1 envelope:
            session_start  (synthetic UUIDv7-shaped session_id, ts,
                            actor=apr-code, real model path,
                            cwd_sha256 placeholder)
            user_prompt    (turn 0, verbatim)
            assistant_turn (turn 1, single Block::Text with
                            agent's final response)
            session_end    (real elapsed_ms + tokens_in/tokens_out
                            from AgentLoopResult.usage)
        - 4 new unit tests in code_tests.rs::emit_trace_tests
          (records-with-correct-kinds, prompt+response carried,
          token+elapsed carried, every record has v=1 envelope).
        - signature-test in code_tests.rs updated 7-arg → 8-arg.

      Live dogfood (this PR cycle):
        $ apr code --emit-trace /tmp/measured.jsonl \
            -p "Show me which CLAUDE.md takes precedence right now"
        $ cat /tmp/measured.jsonl
          {"v":1,"kind":"session_start",
           "session_id":"00000000-0006-7000-5080-...",
           "actor":"apr-code",
           "model":"/home/noah/.apr/models/Qwen3-1.7B-Q4_K_M.gguf",...}
          {"v":1,"kind":"user_prompt","turn":0,"text":"Show me which..."}
          {"v":1,"kind":"assistant_turn","turn":1,"blocks":[...],
           "stop_reason":"end_turn"}
          {"v":1,"kind":"session_end","turn":1,"stop_reason":"end_turn",
           "elapsed_ms":3295,"tokens_in":44,"tokens_out":1024}

      Real elapsed_ms + token counts populated correctly.

      Caveats documented (not blockers):
        - The dogfood model (Qwen3-1.7B) emitted gibberish text due
          to PMAT-190 thinking-loop pre-existing issue; the trace
          format is correct, the model behavior is a separate
          aprender workstream.
        - tool_use / hook_event / skill_invocation records remain
          M29+ enrichment — M28 ships only the text-only path.

      Companion-side bookkeeping (this PR):
        - Contract bump v1.15.0 → v1.16.0 with this status_history
          entry
        - Aprender mirror push paired (the contract YAML is mirrored
          on aprender@feat/claude-code-parity-apr-poc-spec; M28's
          apr-cli changes live on a separate aprender branch
          feat/apr-code-emit-trace-m28 / PR #1100)
        - pin.lock contract_sha256 refreshed

      Once aprender#1100 merges, the M28 narrative closes; M29+ can
      enrich the trace with tool/hook/skill records to produce the
      first non-tautological FALSIFY-CCPA-013 discharge.

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.14.0'
    to: 'ACTIVE_RUNTIME v1.15.0'
    note: 'M27 — spec milestone-table refresh M19 → M26 (no code change)'
    reason: |
      The companion-side spec markdown's "Sub-milestones (M11+)" table
      had been frozen at M19 since the M19 PR's self-referential
      `| this PR |` row was committed. M20-M26 (7 sub-milestones) all
      shipped without their narrative landing in the spec:

        M20  README truth-up
        M21  aprender mirror sync (6 revisions of drift cleared)
        M22  pin-check-roundtrip CI guard
        M23  CONTRIBUTING.md
        M24  100% mutation coverage on ccpa-differ
        M25  100% mutation coverage workspace-wide
        M26  ccpa measure AUTHORED → MEASURED bridge

      A reader landing on the spec markdown would see the project
      stop at M19 (corpus complete 30/30) and assume nothing else
      had happened — but the contract status_history (canonical for
      audit) had advanced through 8 more revisions.

      M27 catches the spec up:
        - Status snapshot bumped: M0-M26 SHIPPED, contract v1.14.0,
          + new line on workspace-wide mutation coverage achievement,
          + new line on companion ↔ aprender drift guard (M22),
          + new line on `ccpa measure` bridge (M26)
        - Outstanding next-goal explicitly named: a non-tautological
          FALSIFY-CCPA-013 discharge needs `apr code --emit-trace`
          to land upstream so tool-dispatch records become observable.
          Tracked as the M28 candidate.
        - Sub-milestones table extended from M19 → M27 with one
          row per sub-milestone (deliverable + outcome + PR).

      No code or contract-surface change beyond the version bump
      documenting the doc refresh. M22 4-step ritual self-applied
      (paired aprender mirror push, pin.lock refresh, both repos
      byte-identical at the new sha256).

  - date: '2026-04-28'
    from: 'ACTIVE_RUNTIME v1.13.0'
    to: 'ACTIVE_RUNTIME v1.14.0'
    note: 'M26 — ccpa measure subcommand (AUTHORED → MEASURED bridge)'
    reason: |
      Through M0-M25 every parity claim was over IDENTICAL inputs:
      teacher and student were both AUTHORED canonical references, so
      score=1.0 was tautological — proving the meter doesn't false-
      positive, but NOT proving real apr code matches Claude Code.

      M26 ships the missing piece: a live measurement subcommand
      that drives real `apr code -p` against a teacher's user_prompt
      and scores its output.

      New subcommand: `ccpa measure`
        --teacher <path>        teacher canonical fixture
        --apr-bin <path>        path to apr binary (default: `apr` on PATH)
        --max-turns <N>         passed through to apr-code (default: 1)
        --individual-min <f>    parity floor (default: 0.80)
        --emit-student <path>   write the synthesized student trace
        --json                  emit machine-readable report

      Flow:
        1. Load teacher trace.
        2. Refuse if teacher contains any Block::ToolUse — apr-code's
           stdout doesn't faithfully serialize tool dispatch today, so
           we'd be mis-measuring. Tool-dispatch measurement waits on
           `apr code --emit-trace` (M27 follow-up; needs an aprender PR).
        3. Extract user_prompt at turn 0.
        4. Spawn `<apr-bin> code -p '<prompt>' --max-turns <N>`.
        5. Capture stdout.
        6. Build synthetic student trace (SessionStart + UserPrompt
           + AssistantTurn{Block::Text(stdout.trim())} + SessionEnd).
        7. compute_parity_score(teacher, student); print + exit.

      Known limitation (documented in test
      `measure_apr_stub_zero_tool_calls_scores_one_regardless_of_text`):
      the parity-score formula counts ToolUse + HookEvent +
      SkillInvocation actions. A teacher with zero of those =>
      teacher_count = 0 => score = 1.0 by formula, REGARDLESS of how
      the apr-code stdout differs from the teacher's text.

      This is intentional: text-only turns are unreliably comparable
      across LLMs (token-level paraphrasing, response-style drift), so
      we don't anchor parity on text equality. The bridge is most
      load-bearing when M27 lands and tool dispatch becomes visible.
      Until then `ccpa measure` doubles as a smoke test that apr-code
      runs at all on the prompt — exit 0 on success, exit 2 on spawn
      failure / non-zero apr exit.

      What ships:
        - crates/ccpa-cli/src/cmd_measure.rs (~280 LOC)
        - 11 integration tests in tests/cli.rs (uses tempdir bash stubs)
        - 8 unit tests in cmd_measure.rs (build_student_trace fallbacks
          + print/exit helpers)
        - new MeasureError variant (Io / Schema / NoPrompt /
          HasToolUse / Spawn / AprFailed) wired into CcpaError
        - 100% function coverage on the new module; 99.52% line cov
          (2 unreachable branches in print_report's else arm)

      Coverage holds at 100% functions / >=99% lines. Mutation testing
      not re-run for this PR (cmd_measure pulls in real-process
      spawning which makes mutation runs flaky — addressable in
      follow-up).

      First MEASURED parity score against a real apr-code build is the
      next-iteration deliverable; it requires `apr` built with
      `--features code` (the `cargo install aprender` distribution
      builds without it today). Once available, run:

        ccpa measure --teacher fixtures/canonical/0016-configuration-ladder/teacher.ccpa-trace.jsonl

      and the FIRST non-tautological FALSIFY-CCPA-013 discharge entry
      will be appended to this status_history.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.12.0'
    to: 'ACTIVE_RUNTIME v1.13.0'
    note: 'M25 — 100% mutation coverage workspace-wide (all 5 crates)'
    reason: |
      M24 hardened the gate kernel (ccpa-differ). M25 closes the
      remaining 4 crates as the final substantive sweep of the POC.

      Per-crate mutation results:

        ccpa-trace      4 caught,  0 unviable, 0 missed   (small, mostly serde-derived)
        ccpa-replayer   6 caught,  2 unviable, 0 missed   (LlmDriver trait + mock)
        ccpa-recorder  20 caught, 14 unviable, 0 missed   (Anthropic API parsing — heavy serde)
        ccpa-differ   122 caught,  8 unviable, 0 missed   (M24 — gate kernel)
        ccpa-cli       41 caught,  7 unviable, 0 missed   (subcommand glue; required 3 kill-tests)

      Workspace total: 193 caught + 31 unviable + 0 missed across 224 mutants.

      ccpa-cli initially missed 3 mutants:

        main.rs:6 replace main -> ExitCode with Default::default()
          — main() returns Default::default() (SUCCESS) instead of
            forwarding ccpa_cli::run's actual ExitCode. The existing
            `binary_main_handles_version_flag` test only ran ccpa
            --version (always exit 0), so non-zero propagation was
            never tested.

        cmd_coverage.rs:118 delete ! in run
        cmd_coverage.rs:124 delete ! in run
          — the negations gating the `uncovered:` and `out-of-scope:`
            list-print blocks. Removing them flips the print logic to
            the empty side, but the existing tests asserted exit codes
            only, never stdout content.

      Three new kill-tests in tests/cli.rs:

        binary_main_propagates_nonzero_exit_code
          — invokes the binary with `coverage` (no flags) → exits 2
            (MissingMode) → kills the Default::default() mutation.

        coverage_prints_uncovered_list_when_uncovered_nonempty
          — invokes binary capturing stdout, asserts both "uncovered:"
            header and the "- alpha" row line are present when
            uncovered is non-empty.

        coverage_prints_oos_list_when_oos_nonempty
          — same shape for the OOS list; `--oos-rows beta` against
            a SHIPPED row → asserts "out-of-scope" + "- beta" in
            stdout.

      The 31 unviable mutants across the workspace are build-failure
      mutations (type-system-rejected code) — not surviving mutants.

      Operationally: every Rust file in the workspace is now
      mutation-hardened. `make mutants` runs the differ sweep; the
      same target can be expanded to the full workspace via
      `cargo mutants` (no `-p`) for a single 15-min validation run.

      This is the closeout sweep before declaring the POC's
      substantive work complete.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.11.0'
    to: 'ACTIVE_RUNTIME v1.12.0'
    note: 'M24 — 100% mutation coverage on ccpa-differ (gate kernel hardened)'
    reason: |
      Through M0-M23 the ccpa-differ crate accumulated 87 unit/integration
      tests across 6 falsification harnesses (-001/-004/-005/-006/-007/-008).
      Line/function coverage is at 100%/99.74%, but **line coverage proves
      every line is touched, not that every branch behavior is verified**.
      A test suite can hit 100% lines while leaving real semantics
      mutations undetected.

      M24 closes the gap by running cargo-mutants on ccpa-differ. Initial
      sweep on 130 mutations across the 6 .rs files in the crate revealed:

        - score.rs           18 mutants:  14 caught, 4 unviable, 0 missed
        - equivalence.rs     77 mutants:  72 caught, 0 unviable, 5 MISSED
        - corpus.rs          ~9 mutants:  all caught
        - coverage.rs        ~10 mutants: all caught
        - file_mutation.rs   ~9 mutants:  all caught
        - sovereignty.rs     ~7 mutants:  all caught

      The 5 missed mutants on equivalence.rs revealed a real test-suite
      gap: no test paired (a) two ToolCall objects the dedicated
      per-tool rule says-equivalent with (b) inputs whose canonical-JSON
      sha256 differs. Without (a)+(b), deleting the Read/Write/Glob/
      Agent match arm in `tool_call_equivalent` survived because the
      fallback `default_equivalent` happened to also say-equivalent on
      every existing test pair.

      Five new kill-tests added in falsify_ccpa_004_tool_equivalence.rs:

        read_arm_kills_arm_deletion_mutant_via_extra_field
        write_arm_kills_arm_deletion_mutant_via_extra_field
        glob_arm_kills_arm_deletion_mutant_via_extra_field
        agent_arm_kills_arm_deletion_mutant_via_extra_field
        edit_fallback_uses_logical_and_not_or

      Each pairs a "dedicated rule says equivalent" + "default rule
      says drift" (or for edit's && → ||: a "rule says drift" + "OR
      mutation says equivalent") shape so the arm-deletion / && → ||
      mutation flips the assertion outcome.

      Re-run after authoring the kill-tests:

        130 mutants tested: 122 caught, 8 unviable, 0 missed

      The 8 unviable are build failures (mutations that produce
      type-system-rejected code) — these are not surviving mutants,
      just non-attempted ones.

      New Makefile target `make mutants` exposes the sweep for local
      validation. Not wired into CI by default (full run takes ~10
      minutes on a 16-core box; appropriate for periodic audit, not
      every-PR gating). Future work could carve a fast-tier mutation
      gate or run mutants nightly.

      Operational meaning: the gate kernel (ccpa-differ) is now
      hardened against the mutation-testing class of test-suite gaps.
      Any future code change to equivalence.rs, score.rs, or the
      sibling reduction modules should be paired with a re-run of
      `make mutants` to confirm coverage stays at 100% caught.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.10.0'
    to: 'ACTIVE_RUNTIME v1.11.0'
    note: 'M23 — CONTRIBUTING.md authored as contributor onramp (no code change)'
    reason: |
      Across M11-M22 the project accumulated a meaningful body of
      operational knowledge that lived only in commit messages and
      this status_history:

        - source-of-truth split (companion ↔ aprender) introduced at M0
        - fixture-authoring workflow refined incrementally M11-M19
        - 4-step contract-bump ritual codified at M22 via
          pin-check-roundtrip
        - anti-patterns (skipping the round-trip, re-implementing pv
          in bash, etc.) implicit in CLAUDE.md but never collected

      M23 consolidates this into CONTRIBUTING.md as a contributor
      onramp covering:
        1. Source-of-truth split (read first)
        2. Running the gates locally
        3. Adding a new fixture (steps + common pitfalls)
        4. Bumping the contract (the M22 4-step ritual + when to
           bump vs not)
        5. Fixing a failing gate (CI-step → gate-id → remediation
           lookup table)
        6. What NOT to do (anti-pattern list)
        7. Spec evolution (companion-side spec markdown +
           contract status_history)

      No code change; no contract-surface change. Aprender mirror will
      be paired-pushed in the same PR cycle (M22 ritual self-applied).

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.9.0'
    to: 'ACTIVE_RUNTIME v1.10.0'
    note: 'M22 — install pin-check-roundtrip CI guard; closes M21 drift class'
    reason: |
      M21 cleared a 6-revision drift between companion repo and
      aprender-side bytes. Without a mechanical guard, that same drift
      class can recur silently — pin-check.sh only inspects local
      companion-side bytes; nothing checks the aprender-side at the
      pinned commit.

      M22 installs the round-trip guard:

        scripts/pin-check-roundtrip.sh
          1. read aprender_repo / aprender_commit / aprender_path from pin.lock
          2. gh api repos/<repo>/contents/<path>?ref=<commit> --jq .content
          3. base64-decode + sha256
          4. compare to local companion-side sha256
          5. exit 1 on mismatch with a remediation message

      CI integration (.github/workflows/ci.yml):
        new step "pin-check-roundtrip (M22 — companion ↔ aprender drift
        guard)" runs after the existing pin-check step. Uses the default
        GITHUB_TOKEN with contents:read.

      Makefile integration:
        new `make pin-check-roundtrip` target.

      Operational implications:
        - Future companion-side contract bumps that aren't paired with
          an aprender-side mirror push will fail CI — `aprender_commit`
          in pin.lock cannot point at a commit whose bytes don't
          byte-match the companion-side bytes.
        - Bumping the contract becomes a 4-step ritual:
            1. edit contract on companion side, refresh contract_sha256
            2. push the same bytes to aprender@feat/<branch>, get commit hash
            3. update aprender_commit in pin.lock
            4. push the companion-side commit; CI validates round-trip
        - Local devs run `make pin-check-roundtrip` before push to catch
          the drift class without paying for a CI cycle.

      Post-M22, the companion ↔ aprender source-of-truth invariant is
      mechanically enforced rather than just documented.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.8.0'
    to: 'ACTIVE_RUNTIME v1.9.0'
    note: 'M21 — aprender-side mirror sync v1.2.0 → v1.8.0 (6 revisions cleared)'
    reason: |
      Per the source-of-truth split documented in this contract's
      `companion_repo.role` block:

        aprender stays canonical for contract TEXT
        paiml/claude-code-parity-apr stays canonical for runtime ENFORCEMENT

      Pre-M21, the aprender-side mirror at
      paiml/aprender@feat/claude-code-parity-apr-poc-spec was stuck at
      v1.2.0 / commit f5cfbb370 (last synced 2026-04-27T07:00 UTC).
      The companion repo had advanced through M15-M20 (six contract
      revisions) without round-tripping the bytes back upstream — a
      direct violation of the source-of-truth invariant.

      M21 corrects this:

        1. Copies the v1.8.0 contract bytes from companion-repo
           paiml/claude-code-parity-apr@main (sha256
           ce4bea33db19b995e717e684c4a1e0c39aefdb9c31bb7aa1cd3800c4fae59610)
           verbatim onto aprender's feat/claude-code-parity-apr-poc-spec
           branch.
        2. Mirrors the spec markdown updates (M0-M19 milestone table
           refresh + sub-milestones M11-M20 table).
        3. Pushes a single sync commit to refresh aprender PR #1078.
        4. Bumps companion pin.lock `aprender_commit` to the new
           commit (08744c69a) and `last_synced_utc` to the sync time.
        5. Bumps companion contract v1.8.0 → v1.9.0 (this entry)
           documenting the sync as a status_history record so future
           drift can be diagnosed against the audit trail.

      Both files are now byte-identical across the two repos. The
      `pin-check.sh` script validates this round-trip on every
      companion-side commit. Future contract bumps must push to
      both repos atomically (M22+ to install a guard for this).

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.7.0'
    to: 'ACTIVE_RUNTIME v1.8.0'
    note: 'M20 — README truth-up to v1.7.0 reality (no code change)'
    reason: |
      The README at the repo root was 5+ contract-versions stale and
      contained two factually-incorrect sections:

        1. The behavioral-gates table (lines 91-100 pre-M20) showed
           FALSIFY-CCPA-001 as "ACTIVE" but FALSIFY-CCPA-002 through
           FALSIFY-CCPA-008 as "planned" — even though every one of
           those gates has been DISCHARGED for at least 5 contract
           revisions and is asserted on every PR's CI run.

        2. The architecture diagram showed a HTTPS-proxy recording
           branch ("ANTHROPIC_BASE_URL" → ccpa-recorder → fixture)
           which has been intentionally OOS since the user's
           "we will not call api, we will assume claude code"
           rescope. The corpus is curated/AUTHORED, not recorded.

      v1.8.0 ships an honest README:

        - 8 status badges including new corpus (30/30) + parity-matrix
          (15/15 reachable) badges
        - Status banner naming M0-M19 SHIPPED + contract v1.7.0
          + corpus complete + M16 hard-blocking gate live
        - Updated Usage section showing the actually-shipped CLI
          surface (ccpa diff / corpus / coverage / validate)
        - Replaced architecture diagram showing AUTHORED fixtures
          + per-tool equivalence + ccpa-differ → CI hard-blocker
          (no proxy branch)
        - Behavioral-gates table flipped to "✅ ACTIVE" / "✅
          HARD-BLOCKING" with per-gate test-file pointers + test
          counts; FALSIFY-CCPA-013 added to the table as DISCHARGED
        - New "Adding a new fixture" section documenting the
          meta.toml + paired-trace authoring workflow (closes the
          on-ramp gap that has been implicit since M11)
        - arXiv basis section retained verbatim

      No code change; no contract-surface change beyond the version
      bump documenting this README truth-up. pin.lock sha256 refreshed.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.6.0'
    to: 'ACTIVE_RUNTIME v1.7.0'
    note: 'M19 — corpus complete: 24 → 30 fixtures (spec ≥30 target met)'
    reason: |
      M19 closes the spec's ≥30-fixture target stated in the original
      Distillation framing § Demonstration corpus row. Six new
      canonical fixtures, all scoring 1.0:

        0022-grep-with-context        — Grep with -A 3 -B 2 context
                                        flags; tests grep_equivalent's
                                        tuple form with context fields.

        0023-glob-then-read           — Glob (pattern '**/Cargo.toml')
                                        then Read first match in ONE
                                        assistant turn. Two-tool
                                        position-alignment.

        0024-edit-then-bash-test      — Edit src/lib.rs to fix off-by-one
                                        + Bash 'cargo test --lib' in one
                                        turn. Mutate-then-verify cycle
                                        with file_state continuity.

        0025-grep-edit-loop           — Grep to locate fn compute_offset,
                                        then Edit (replace_all=true) to
                                        rename it to compute_index in
                                        one turn. Mixed-tool alignment.

        0026-multi-turn-correction    — User asks fix → assistant Edit
                                        fails (old_string not found) →
                                        user clarifies → assistant
                                        retries with corrected old_string
                                        → succeeds. 7-turn refinement
                                        cycle exercising multi-turn
                                        position alignment + ok=false
                                        tool_result variant.

        0030-stop-sequence            — Assistant haiku-emission halted
                                        by configured stop_sequence
                                        (`---END---`). First StopReason::
                                        StopSequence in the corpus —
                                        the FOURTH and final non-Error
                                        StopReason variant. All four
                                        (EndTurn / ToolUse / MaxTokens
                                        / StopSequence) now exercised.

      Aggregate corpus check: 30/30 fixtures score 1.0
      (passes_gate=true, aggregate_score=1.0000).
      Coverage holds at 15/15 reachable rows covered.
      Bidirectional sensitivity: regression corpus still FAILS
      (3-fixture pair, drift detected as required).

      Spec target progress: 30 / 30 — DONE. M20+ work would shift
      to depth-per-row beyond spec target if further discrimination
      is needed.

    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 30
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 15
        required_count: 17
        oos_count: 2
        reachable_count: 15
        reachable_covered_count: 15
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_authored_in_m19:
        - { id: '0022-grep-with-context',     exercises: 'Grep with -A/-B context flags' }
        - { id: '0023-glob-then-read',        exercises: 'Glob+Read two-tool sequence in one turn' }
        - { id: '0024-edit-then-bash-test',   exercises: 'Edit+Bash mutate-then-verify cycle' }
        - { id: '0025-grep-edit-loop',        exercises: 'Grep+Edit (replace_all) mixed-tool sequence' }
        - { id: '0026-multi-turn-correction', exercises: '7-turn refinement w/ ok=false tool_result' }
        - { id: '0030-stop-sequence',         exercises: 'StopReason::StopSequence (4th non-Error variant)' }
      progress_to_spec_target: '30 / 30  —  DONE'
      stop_reason_coverage:
        end_turn: covered  # most fixtures
        tool_use: covered  # most fixtures
        max_tokens: covered  # 0029
        stop_sequence: covered  # 0030
        error: not_in_corpus  # session-terminal only; intentional, edge-case-y

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.5.0'
    to: 'ACTIVE_RUNTIME v1.6.0'
    note: 'M18 — corpus depth: 19 → 24 fixtures (schema-v2 surface coverage)'
    reason: |
      Five new canonical fixtures exercising schema-v2 surface variants
      that were not previously represented in the corpus:

        0020-bash-multiline-pipe   — Bash command spread across newlines
                                     with ad-hoc whitespace; tests
                                     normalize_bash() collapse on a
                                     non-trivial input (teacher uses
                                     leading-tab indentation, student
                                     single-line; both must canonicalize
                                     identically).

        0021-edit-replace-all      — Edit with replace_all=true; tests
                                     edit_equivalent's tuple form
                                     (path_normalized, post_state_sha256)
                                     when both calls carry the same
                                     replace_all flag.

        0027-hook-block            — PreToolUse hook fires Block (exit_code=2);
                                     tool dispatch ABORTED. Distinct from
                                     0018 (Warn / exit_code=1 / dispatch
                                     proceeds); first HookDecision::Block
                                     in the corpus.

        0028-skill-user-invoked    — User types /<skill-name>; SkillRegistry
                                     resolves via UserInvoked. Distinct
                                     from 0019 (AutoMatched); first
                                     SkillSource::UserInvoked in the corpus.

        0029-max-tokens            — assistant turn ends with stop_reason=
                                     max_tokens on a "list 1000 primes"
                                     prompt; first StopReason::MaxTokens
                                     in the corpus (prior fixtures use
                                     EndTurn / ToolUse only).

      Aggregate corpus check: 24/24 fixtures score 1.0 (passes_gate=true).
      Coverage holds at 15/15 reachable rows covered (no new rows
      introduced; all five new fixtures cover already-reachable rows).
      The new fixtures push the spec's ≥30-target progress 19 → 24;
      M19 will continue toward 30.

    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 24
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 15
        required_count: 17
        oos_count: 2
        reachable_count: 15
        reachable_covered_count: 15
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_authored_in_m18:
        - { id: '0020-bash-multiline-pipe',  exercises: 'normalize_bash() whitespace-collapse on multi-line' }
        - { id: '0021-edit-replace-all',     exercises: 'Edit input with replace_all=true' }
        - { id: '0027-hook-block',           exercises: 'HookDecision::Block (exit_code=2, dispatch aborted)' }
        - { id: '0028-skill-user-invoked',   exercises: 'SkillSource::UserInvoked via /<skill> slash' }
        - { id: '0029-max-tokens',           exercises: 'StopReason::MaxTokens' }
      progress_to_spec_target: '24 / 30'

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.4.0'
    to: 'ACTIVE_RUNTIME v1.5.0'
    note: 'M17 — spec milestone table refreshed; M0-M16 documented as SHIPPED; no semantics change'
    reason: |
      Documentation truth-up. The companion-repo spec markdown
      (docs/specifications/claude-code-parity-apr-poc.md) had a stale
      milestone table claiming M1-M6 were "planned" — but they all
      landed via PRs #1-#12 between 2026-04-26 and 2026-04-27, and
      the M11-M16 sub-milestones (corpus growth + schema v2 +
      hard-blocking gate flip) were entirely invisible in the spec
      table despite being authoritative in this contract's
      status_history.

      v1.5.0 ships the table refresh (M0-M6 marked DONE with PR
      pointers; new sub-milestones M11-M17 sub-section; status
      snapshot block at the top of the section). No semantics
      change — the gate surface, OOS list, schema, differ rules,
      and corpus all remain at v1.4.0.

      pin.lock sha256 refreshed to track the new contract bytes;
      no other code change.

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.3.0'
    to: 'ACTIVE_RUNTIME v1.4.0'
    note: 'M16 — FALSIFY-CCPA-007 flips informational → HARD-BLOCKING; OOS exclusion mechanism shipped'
    reason: |
      M15 closed the corpus-authoring story (15/17 covered, 2 OOS).
      M16 promotes the gate from informational-only to a CI hard-blocker
      on the 15/15 reachable-row basis.

      Mechanism:
        - ccpa_differ::corpus_coverage gains a third parameter
          `oos_rows: &[String]`. OOS rows are excluded from the
          uncovered list and from passes_gate.
        - ccpa-cli `coverage` subcommand exposes a new `--oos-rows`
          CSV flag.
        - .github/workflows/ci.yml adds a sparse-checkout of
          paiml/aprender@main and a step that runs:
            ccpa coverage \
              --apr-code-parity-yaml aprender-upstream/contracts/apr-code-parity-v1.yaml \
              --fixtures-dir fixtures/canonical/ \
              --oos-rows keyboard-shortcuts,status-line
          The step fails the build on any non-zero exit.

      Drift-prevention semantics:
        - If a future apr-code-parity-v1.yaml flip moves a row from
          MISSING to SHIPPED/PARTIAL, the new row enters the reachable
          set and CI fails until a fixture covers it. This is the
          intended ratcheting behavior — coverage cannot regress.
        - If a fixture is deleted that was the sole coverer of a
          reachable row, CI fails for the same reason.
        - If a row's status flips back to NONE in the upstream
          contract, the row exits the required set; the corresponding
          fixture(s) remain in the corpus harmlessly.

      OOS list is contract-authoritative (declared in the new
      `oos_rows:` block on FALSIFY-CCPA-007 above). Any future change
      to the OOS list requires a contract revision + this entry's
      successor.

      Tests:
        - 4 new corpus_coverage unit tests (oos_row_excluded_from_gate,
          oos_already_covered_still_oos, oos_not_in_required_silently_ignored,
          uncovered_outside_oos_still_fails).
        - 3 new ccpa-cli integration tests
          (coverage_oos_row_excluded_from_gate_exits_0,
           coverage_oos_row_unrelated_uncovered_still_fails,
           coverage_oos_rows_csv_with_whitespace_is_tolerated).

    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 19
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 15
        required_count: 17
        oos_count: 2
        reachable_count: 15
        reachable_covered_count: 15  # = covered_count when no reachable row uncovered
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands', 'claude-md-memory', 'permission-modes', 'builtin-tools-web', 'non-interactive-mode', 'session-management', 'custom-agents', 'worktree-isolation', 'configuration-ladder', 'managed-org-policy', 'hooks', 'skills']
        oos_rows: ['keyboard-shortcuts', 'status-line']
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa coverage --apr-code-parity-yaml ... --fixtures-dir fixtures/canonical/ --oos-rows keyboard-shortcuts,status-line'
      cli_exit: 0
      gate_kind: 'HARD_BLOCKING'

  - date: '2026-04-27'
    from: 'ACTIVE_RUNTIME v1.2.0'
    to: 'ACTIVE_RUNTIME v1.3.0'
    note: 'M15 — trace schema v2: additive HookEvent + SkillInvocation record kinds; differ extended; parity-matrix coverage 13/17 → 15/17'
    reason: |
      M15 closes the two corpus-authoring blockers identified under
      M14's `remaining_uncovered_classification`:

        - hooks  → required HookEvent record kind  (now present)
        - skills → required SkillInvocation record kind (now present)

      The schema bump is purely additive: existing M0-M14 fixtures and
      record kinds round-trip byte-identical. New record kinds:

        Record::HookEvent {
          v, turn,
          event: String,             // PreToolUse / PostToolUse / ...
          matcher: Option<String>,
          decision: HookDecision,    // Allow / Warn / Block
          exit_code: i32,
          output: String,            // optional, normalized at compare
        }

        Record::SkillInvocation {
          v, turn,
          name: String,
          source: SkillSource,       // user_invoked / auto_matched
          instructions_injected: bool,
        }

      Differ extension:
        - new equivalence functions hook_event_equivalent +
          skill_invocation_equivalent
        - 7 new DriftCategory variants (Mismatched/Missing/Extra
          variants for both Hook + Skill, plus MismatchedActionKind
          when teacher fires Hook and student emits Tool)
        - compute_parity_score now reduces over the union of
          tool calls + hook events + skill invocations, not just
          tool calls (denominator and numerator both grow)

      Two new canonical fixtures:
        0018-hook-pre-tool-use   — Bash with PreToolUse Warn hook firing
                                   between tool_use and tool_result
        0019-skill-auto-match    — rust-debug skill auto-matched by
                                   when_to_use heuristic on user prompt

      Coverage closure status:
        13/17 → 15/17 (+ hooks, + skills)
        2 remaining uncovered: keyboard-shortcuts, status-line —
        both REPL-render artifacts that never reach the trace
        boundary, so they're permanently out-of-scope under the
        current schema.

    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 19
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 15
        required_count: 17
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands', 'claude-md-memory', 'permission-modes', 'builtin-tools-web', 'non-interactive-mode', 'session-management', 'custom-agents', 'worktree-isolation', 'configuration-ladder', 'managed-org-policy', 'hooks', 'skills']
        uncovered_rows: ['keyboard-shortcuts', 'status-line']
      teacher_source: 'Curated canonical reference (AUTHORED).'
      student_source: 'Curated canonical reference; per-fixture identical to teacher at equivalence-rule level.'
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_covered_in_m15: ['hooks', 'skills']
      schema_extension: 'ccpa-trace SCHEMA_VERSION 1 → 2 (additive); 19/19 fixtures still round-trip byte-identical via existing FALSIFY-CCPA-001 harness'
      remaining_uncovered_classification: |
        Two rows remain uncovered after M15. Both are
        permanently out-of-scope at the trace boundary:

          - keyboard-shortcuts — Claude-Code REPL keystroke
            handling (Ctrl-C, double-Esc, Ctrl-R, Shift-Enter).
            These never reach the API or any tool call; they
            mutate REPL state directly. No record kind would
            faithfully capture them.

          - status-line — REPL render artifact (model name +
            session cost in the bottom strip). Pure UI; never
            crosses a trace boundary.

        Closing FALSIFY-CCPA-007's hard-blocking gate would require
        either: (a) accepting that these two rows are
        permanently OOS and counting `15/15 reachable` as full
        coverage (recommended); (b) introducing a REPL-event
        record kind that intercepts at the TUI layer (heavy,
        likely not worth the discriminating power gained).

  - date: '2026-04-27'
    note: 'corpus expansion M14 — 14 → 17 fixtures, parity-matrix coverage 10/17 → 13/17'
    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 17
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 13
        required_count: 17
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands', 'claude-md-memory', 'permission-modes', 'builtin-tools-web', 'non-interactive-mode', 'session-management', 'custom-agents', 'worktree-isolation', 'configuration-ladder', 'managed-org-policy']
        uncovered_rows: ['hooks', 'skills', 'keyboard-shortcuts', 'status-line']
      teacher_source: 'Curated canonical reference (AUTHORED).'
      student_source: 'Curated canonical reference; per-fixture identical to teacher at equivalence-rule level.'
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_covered_in_m14: ['worktree-isolation', 'configuration-ladder', 'managed-org-policy']
      remaining_uncovered_classification: |
        The four uncovered rows are not corpus-authoring tasks against
        the current ccpa-trace schema:
          - hooks                — requires HookEvent record kind (trace schema extension)
          - skills               — requires SkillInvocation record kind (trace schema extension)
          - keyboard-shortcuts   — REPL-only event, never reaches trace boundary
          - status-line          — REPL render artifact, never reaches trace boundary
        FALSIFY-CCPA-007 remains informational; M15+ will pursue
        schema-extension PRs for hooks+skills before the gate flips
        to a hard blocker.

  - date: '2026-04-27'
    note: 'corpus expansion M13 — 11 → 14 fixtures, parity-matrix coverage 7/17 → 10/17'
    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 14
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 10
        required_count: 17
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands', 'claude-md-memory', 'permission-modes', 'builtin-tools-web', 'non-interactive-mode', 'session-management', 'custom-agents']
        uncovered_rows: ['hooks', 'skills', 'worktree-isolation', 'configuration-ladder', 'keyboard-shortcuts', 'status-line', 'managed-org-policy']
      teacher_source: 'Curated canonical reference (AUTHORED).'
      student_source: 'Curated canonical reference; per-fixture identical to teacher at equivalence-rule level.'
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_covered_in_m13: ['non-interactive-mode', 'session-management', 'custom-agents']

  - date: '2026-04-27'
    note: 'corpus expansion M12 — 8 → 11 fixtures, parity-matrix coverage 4/17 → 7/17'
    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 11
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      parity_matrix_coverage:
        covered_count: 7
        required_count: 17
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands', 'claude-md-memory', 'permission-modes', 'builtin-tools-web']
        uncovered_rows: ['hooks', 'skills', 'worktree-isolation', 'custom-agents', 'session-management', 'configuration-ladder', 'non-interactive-mode', 'keyboard-shortcuts', 'status-line', 'managed-org-policy']
      teacher_source: 'Curated canonical reference (AUTHORED).'
      student_source: 'Curated canonical reference; per-fixture identical to teacher at equivalence-rule level.'
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      newly_covered_in_m12: ['claude-md-memory', 'permission-modes', 'builtin-tools-web']

  - date: '2026-04-27'
    note: 'corpus expansion M11 — 5 → 8 fixtures, parity-matrix coverage 1/17 → 4/17'
    measured_parity:
      date: '2026-04-27'
      fixture_corpus_path: 'fixtures/canonical/'
      fixture_count: 8
      aggregate_score: 1.0000
      thresholds: { aggregate_min: 0.95, individual_min: 0.80 }
      passes_gate: true
      per_fixture:
        - { id: '0001-edit-readme',      score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0002-fix-failing-test', score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0003-create-new-file',  score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0004-grep-and-edit',    score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0005-bash-cascade',     score: 1.0, drift_count: 0, passes_individual: true }
        - { id: '0006-subagent-spawn',   score: 1.0, drift_count: 0, passes_individual: true, covers: ['subagent-spawn'] }
        - { id: '0007-mcp-tool-call',    score: 1.0, drift_count: 0, passes_individual: true, covers: ['mcp-client'] }
        - { id: '0008-slash-help',       score: 1.0, drift_count: 0, passes_individual: true, covers: ['slash-commands'] }
      parity_matrix_coverage:
        covered_count: 4
        required_count: 17
        covered_rows: ['builtin-tools-rwegs', 'subagent-spawn', 'mcp-client', 'slash-commands']
        uncovered_rows: ['claude-md-memory', 'hooks', 'skills', 'worktree-isolation', 'custom-agents', 'permission-modes', 'builtin-tools-web', 'session-management', 'configuration-ladder', 'non-interactive-mode', 'keyboard-shortcuts', 'status-line', 'managed-org-policy']
      teacher_source: 'Curated canonical reference (AUTHORED) — same policy as prior measurement.'
      student_source: 'Curated canonical reference; per-fixture identical to teacher at equivalence-rule level.'
      cli_version: 'ccpa 0.1.0'
      cli_command: 'ccpa corpus fixtures/canonical/ --json'
      cli_exit: 0
      followup: |
        Continue M12+ adding fixtures for the 13 still-uncovered rows.
        Each new fixture ticks parity_matrix_coverage.covered_count up.
        FALSIFY-CCPA-007 stays informational-only in CI until the corpus
        reaches 17/17 — at which point the gate becomes a hard CI blocker.