The killer SOC feature: re-run any provenance chain against an
alternate Scanner policy and see exactly what would have changed.
- InputStore: hash-verified JSONL companion to the provenance chain
- Replayer: walks every guardrail_scan receipt, re-runs counterfactual
- ReplayResult: typed diff (newly_blocked, newly_allowed, newly_alerted,
missing_inputs, unchanged)
- Scanner(input_store=) auto-saves prompts
- CLI: raucle-detect provenance replay <chain> --input-store <store>
- 13 new tests; 311 passing total
First feature that requires the v0.5.0 provenance primitive — uniquely
possible because raucle has hash-keyed receipts + separate input store.
See CHANGELOG.md.