feat(v0.4-0.7): Multi-assistant provenance + semantic blame + evidence packs

.claude-plugin/marketplace.json

@@ -51,7 +51,7 @@
     "platforms": ["darwin", "linux"]
   },
   "optionalDependencies": {
-    "openai": "AI-powered summaries via /timeline --summarize"
+    "anthropic": "AI-powered summaries via /timeline --summarize (ANTHROPIC_API_KEY)"
   },
   "files": [
     "diachron.md",

.github/workflows/benchmark.yml

@@ -7,6 +7,11 @@ on:
     branches: [master]
   workflow_dispatch:
 
+# Required for posting PR comments
+permissions:
+  contents: read
+  pull-requests: write
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
@@ -22,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Rust
-        uses: dtolnay/rust-action@stable
+        uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
 

CHANGELOG.md

@@ -97,10 +97,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Tool filtering with `--tool`
   - Statistics with `--stats`
   - Export to Markdown and JSON
-  - AI summaries with `--summarize` (requires OpenAI API key)
+  - AI summaries with `--summarize` (requires ANTHROPIC_API_KEY)
 
 - **AI Summaries**
-  - On-demand summarization via OpenAI gpt-4o-mini
+  - On-demand summarization via Anthropic Claude Haiku
   - Batch processing with configurable limits
   - 10-word concise summaries
   - ~$0.03 per 1000 events
@@ -133,6 +133,77 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2026-01-11
+
+### Added
+
+- **Hash-Chain Tamper Evidence**
+  - SHA256 hash chain linking all events (cryptographic tamper detection)
+  - `prev_hash` and `event_hash` columns on every event
+  - Genesis hash for chain origin
+  - Daily checkpoints with `chain_checkpoints` table
+  - `diachron verify` command to validate chain integrity
+
+- **PR Narrative Generation**
+  - `diachron export-evidence` - Generate JSON evidence packs
+  - `diachron pr-comment` - Post formatted Markdown to PRs via `gh` CLI
+  - Event → Commit → PR correlation with 3-tier confidence:
+    - HIGH: Direct `git_commit_sha` linkage
+    - MEDIUM: Same session as commit event
+    - LOW: Time-window correlation (5min before commit)
+  - Coverage metrics showing matched vs unmatched events
+
+- **Content Fingerprinting**
+  - `content_hash` and `context_hash` for stable blame across refactors
+  - SHA256 content hashing with normalized whitespace
+  - Context hashing (±5 lines surrounding code)
+  - Optional semantic signature (384-dim embeddings)
+  - Three-tier matching: ContentHash → ContextHash → SemanticSimilarity
+
+- **Semantic Blame (v0.4 Preview)**
+  - `diachron blame <file:line>` - Find the AI session that wrote code
+  - `--json` flag for CI/IDE integration
+  - `--mode strict|best-effort|inferred` for confidence control
+  - Shows intent, session, timestamp, and verification status
+
+- **GitHub Action**
+  - `wolfiesch/diachron/github-action@main` for automated PR comments
+  - Reads `diachron.evidence.json` and posts formatted narrative
+  - Supports `update` mode (edit existing comment) or `new` mode
+  - Outputs: `comment-id`, `coverage`, `verified`
+
+- **Schema Migration v4**
+  - Hash chain columns: `prev_hash`, `event_hash`
+  - Fingerprint columns: `content_hash`, `context_hash`
+  - `chain_checkpoints` table for verification anchors
+  - Indexes on `event_hash` for fast lookups
+
+### Changed
+
+- Daemon `save_event()` now computes hash chain on every insert
+- Evidence pack renders verification checklist: chain, tests, build, human review
+- 42 tests passing across all crates
+
+### Performance
+
+| Metric | v0.2.0 | v0.3.0 | Notes |
+|--------|--------|--------|-------|
+| Hash computation | N/A | ~0.5ms | SHA256 per event |
+| Chain verification | N/A | ~100ms/1000 events | Full chain scan |
+| PR correlation | N/A | ~50ms | Typical PR size |
+| Evidence export | N/A | ~10ms | JSON serialization |
+
+### New Commands
+
+```bash
+diachron verify              # Verify hash chain integrity
+diachron export-evidence     # Generate evidence pack JSON
+diachron pr-comment --pr 142 # Post PR narrative comment
+diachron blame src/auth.rs:42 # Semantic blame for line
+```
+
+---
+
 ## [Unreleased]
 
 ### Planned

INSTALL.md

@@ -45,7 +45,7 @@ The installer automatically handles everything:
 | macOS/Linux | Any | Windows is untested |
 
 **Optional:**
-- OpenAI API key (for AI-powered summaries via `/timeline --summarize`)
+- Anthropic API key (for AI-powered summaries via `/timeline --summarize`)
 - Rust 1.70+ (for building from source on non-ARM64 systems)
 
 ---
@@ -272,7 +272,7 @@ After installation:
 2. Work normally - events are captured automatically
 3. Run `/timeline` to see your history
 4. Check `/timeline --stats` for statistics
-5. Try `/timeline --summarize` for AI-powered summaries (requires OpenAI API key)
+5. Try `/timeline --summarize` for AI-powered summaries (requires ANTHROPIC_API_KEY)
 
 See [README.md](./README.md) for full usage documentation.
 

README.md

@@ -1,6 +1,6 @@
 # Diachron
 
-[![Version](https://img.shields.io/badge/version-0.1.0-blue.svg)](https://github.com/wolfiesch/diachron)
+[![Version](https://img.shields.io/badge/version-0.7.0-blue.svg)](https://github.com/wolfiesch/diachron)
 [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 [![Platform](https://img.shields.io/badge/platform-macOS%20%7C%20Linux-lightgrey.svg)]()
 [![Claude Code](https://img.shields.io/badge/Claude%20Code-2.1%2B-orange.svg)]()
@@ -46,8 +46,12 @@ Diachron uses **Claude Code 2.1's hook architecture** to transparently capture e
 
 - **Automatic Capture** - Every Write, Edit, and Bash command logged
 - **Git Integration** - Captures branch name and commit SHAs
+- **Hash-Chain Integrity** - SHA256 tamper-evidence for every event (v0.3)
+- **PR Narratives** - Generate evidence packs for pull request comments (v0.3)
+- **Semantic Blame** - Find which AI session wrote specific code lines (v0.3)
 - **Semantic Bash Parsing** - Categories: git, test, build, deploy, file_ops
-- **AI Summaries** - On-demand summaries via OpenAI (optional)
+- **AI Summaries** - On-demand summaries via Anthropic Claude API (optional)
+- **Multi-Assistant Support** - Track Codex CLI alongside Claude Code (v0.7)
 - **Fast** - Rust hook adds only ~12ms latency per operation
 - **Privacy-First** - All data stored locally, never uploaded
 
@@ -109,9 +113,19 @@ See [INSTALL.md](./INSTALL.md) for complete manual installation instructions.
 | `/diachron config` | View/edit configuration |
 | `/timeline` | View change timeline |
 | `/timeline --stats` | Show database statistics |
-| `/timeline --summarize` | Generate AI summaries (requires OpenAI API key) |
+| `/timeline --watch` | Watch for new events in real-time (Ctrl+C to stop) |
+| `/timeline --summarize` | Generate AI summaries (requires ANTHROPIC_API_KEY) |
 | `/timeline --export markdown` | Export to TIMELINE.md |
 
+### v0.3 Commands
+
+| Command | Description |
+|---------|-------------|
+| `diachron verify` | Verify hash chain integrity |
+| `diachron export-evidence` | Generate JSON evidence pack |
+| `diachron pr-comment --pr <N>` | Post PR narrative comment via `gh` CLI |
+| `diachron blame <file:line>` | Semantic blame for a code line |
+
 ## Timeline Output
 
 ```
@@ -173,6 +187,108 @@ See [INSTALL.md](./INSTALL.md) for complete manual installation instructions.
 /timeline --export json
 ```
 
+## v0.3: Trust & Verification
+
+### Hash-Chain Verification
+
+Every event is cryptographically linked to the previous event using SHA256:
+
+```bash
+$ diachron verify
+✅ Chain integrity verified
+   Events: 296 (12 checkpoints)
+   First event: 2026-01-01 00:00:00
+   Last event: 2026-01-11 00:45:00
+   Chain root: 8f3a2b...
+```
+
+If tampering is detected:
+```bash
+$ diachron verify
+❌ Chain broken at event #142
+   Expected: 8f3a2b...
+   Actual: deadbeef...
+   Timestamp: 2026-01-10 14:30:00
+```
+
+### PR Narrative Generation
+
+Generate evidence packs showing which AI sessions contributed to a PR:
+
+```bash
+# Export evidence to JSON
+$ diachron export-evidence --output diachron.evidence.json
+
+# Post comment directly to PR (requires gh CLI)
+$ diachron pr-comment --pr 142
+```
+
+Example PR comment:
+```markdown
+## PR #142: AI Provenance Evidence
+
+### Intent
+> Fix the 401 errors on page refresh
+
+### What Changed
+- **Files modified**: 2
+- **Lines**: +45 / -10
+- **Tool operations**: 3
+- **Sessions**: 1
+
+### Evidence Trail
+- **Coverage**: 100.0% of events matched to commits
+
+**Commit `abc1234`**: Fix OAuth2 refresh (HIGH)
+  - `Write` create → src/auth.rs
+  - `Edit` modify → src/auth.rs
+
+### Verification
+- [x] Hash chain integrity
+- [x] Tests executed after changes
+- [x] Build succeeded
+- [ ] Human review
+```
+
+### Semantic Blame (v0.4 Preview)
+
+Find which AI session wrote specific code:
+
+```bash
+$ diachron blame src/auth/login.ts:42
+
+Line 42: const token = await refreshToken(user.id);
+
+📍 Source: Claude Code (Session abc123)
+⏰ When: 01/10/2026 10:32 AM PST
+💬 Intent: "Fix the 401 errors on page refresh"
+📊 Confidence: HIGH (explicit tool call linkage)
+```
+
+Use `--json` for CI/IDE integration:
+```bash
+$ diachron blame src/auth/login.ts:42 --json | jq
+```
+
+### GitHub Action
+
+Automatically post evidence to PRs:
+
+```yaml
+# .github/workflows/diachron.yml
+name: Diachron PR Narrative
+on: [pull_request]
+
+jobs:
+  post-evidence:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: wolfiesch/diachron/github-action@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
 ## Configuration
 
 Edit `.diachron/config.json`:
@@ -194,7 +310,7 @@ Edit `.diachron/config.json`:
 2. **Context Extraction** - Captures file path, operation, git branch, and diff summary
 3. **SQLite Storage** - Events stored in `.diachron/events.db` for fast querying
 4. **Timeline Generation** - Query by time, file, or tool to see your project's history
-5. **AI Summaries** - Optional on-demand summaries via OpenAI gpt-4o-mini
+5. **AI Summaries** - Optional on-demand summaries via Anthropic Claude Haiku
 
 ## Requirements
 
@@ -205,7 +321,7 @@ Edit `.diachron/config.json`:
 | macOS/Linux | Any | Windows is untested |
 
 **Optional:**
-- OpenAI API key (for AI-powered summaries via `/timeline --summarize`)
+- Anthropic API key (for AI-powered summaries via `/timeline --summarize`)
 - Rust 1.70+ (only if building from source)
 
 ## Performance
@@ -252,11 +368,63 @@ install.sh --doctor     # Run diagnostics
 install.sh --uninstall  # Remove completely
 ```
 
+## Multi-Assistant Support (v0.7)
+
+Diachron can track file changes from multiple AI assistants, not just Claude Code. Currently supported:
+
+### OpenAI Codex CLI
+
+#### Via `/handoffcodex` (Recommended)
+
+When using Claude Code's `/handoffcodex` skill to delegate work to Codex, provenance is captured automatically after execution completes. Events appear in your timeline with `tool_name: "Codex"`.
+
+#### Standalone Wrapper
+
+For direct Codex usage without Claude Code orchestration:
+
+```bash
+# Build the wrapper
+cd ~/.claude/skills/diachron/rust
+cargo build --release -p diachron-codex
+
+# Use instead of `codex exec`
+diachron-codex exec "implement the login feature"
+```
+
+This transparently wraps Codex, capturing all file operations to Diachron.
+
+#### Manual Capture
+
+To capture a completed Codex session manually:
+
+```bash
+# Capture most recent Codex session
+python3 ~/.claude/skills/diachron/lib/codex_capture.py --latest
+
+# With git branch correlation
+python3 ~/.claude/skills/diachron/lib/codex_capture.py --latest --git-branch "feature/auth"
+
+# Preview without sending to daemon
+python3 ~/.claude/skills/diachron/lib/codex_capture.py --latest --dry-run --verbose
+```
+
+### Future Assistants
+
+The IPC API (see `docs/IPC-API.md`) enables community integrations for:
+- **Cursor** - Hook into Cursor's file modification events
+- **GitHub Copilot** - VS Code extension integration
+- **Aider** - Parse session logs similar to Codex
+
 ## Roadmap
 
-- [x] ~~AI-powered change summaries~~
-- [x] ~~Git branch/commit correlation~~
-- [x] ~~Semantic Bash command parsing~~
+- [x] ~~AI-powered change summaries~~ (v0.1)
+- [x] ~~Git branch/commit correlation~~ (v0.1)
+- [x] ~~Semantic Bash command parsing~~ (v0.1)
+- [x] ~~Semantic search + conversation memory~~ (v0.2)
+- [x] ~~Hash-chain tamper evidence~~ (v0.3)
+- [x] ~~PR narrative generation~~ (v0.3)
+- [x] ~~Semantic blame~~ (v0.3/v0.4 preview)
+- [x] ~~Multi-assistant support (Codex)~~ (v0.7)
 - [ ] Web dashboard visualization
 - [ ] Team sync (cloud option)
 - [ ] VS Code extension