Feature/#244

[devkade]

Summary

• Implements ilchul-runtime-pi as the first Pi RuntimeAdapter boundary.
• Adds RunContract prompt projection with a full Source Contract Snapshot plus mission, boundary, evidence, verification, and handoff sections, including multiline Markdown/block section parsing.
• Normalizes Pi runtime output into non-authoritative RuntimeOutput, turn observations, adapter-scoped PiStagedArtifact DTOs with pi-inbox://<session>/<artifact-id>/<file> URIs, and evidence candidates.
• Rejects unsafe or ambiguous Pi inbox file names, unsafe session prefixes, and unsafe staged-ref session/artifact URI segments; staged artifacts retain bytes and stable sha256: content digests while leaving ArtifactRef creation, artifact sealing, and canonical state mutation outside the Pi runtime boundary.
• Downgrades Pi runtime completion claims to observations while retaining an audit flag that the runtime attempted to claim completion.
• Documents the TS/Pi facade boundary in README.md.

Automation Assumption

Non-interactive implementation proceeded with the conservative assumption that the first Pi adapter boundary should be an in-process Rust facade crate over the existing core port, without live Pi extension runtime wiring or canonical state mutation. Follow-up review fixes keep Pi-staged material adapter-scoped and non-authoritative until a core artifact-store/sealing boundary records it.

Verification

• cargo fmt --all -- --check
• cargo test -p ilchul-runtime-pi
• cargo test --workspace
• cargo clippy --workspace --all-targets -- -D warnings
• npm test
• git diff --check origin/dev...HEAD

Closes #244

[devkade]

Review round 1

Result: No blocking findings from this review.

I used the local review flow (omx explore for repository/file mapping, plus the available code-review/QA tool) and inspected the PR diff for crates/runtime-pi, its tests, and the README update. The implementation matches the stated conservative assumption: PiRuntimeAdapter is an in-process Rust facade over the core RuntimeAdapter port; project_prompt emits Mission/Boundary/Evidence/Verification/Handoff sections; normalize_output creates core RuntimeOutput, turn observations, pi-inbox://... artifact refs, and evidence candidates; and RuntimeClaimedComplete is downgraded to Observed so runtime output cannot complete a Run.

Real Result from verification:

• cargo fmt --all -- --check — PASS
• cargo test -p ilchul-runtime-pi — PASS; 4 runtime-pi integration tests passed
• cargo test --workspace — PASS; Rust workspace tests passed, including core/store/mcp/runtime-pi suites
• cargo clippy --workspace --all-targets -- -D warnings — PASS
• git diff --check origin/dev...HEAD — PASS
• npm test — BLOCKED in this runner because npm is not installed (zsh:1: command not found: npm; which npm returned not found). Node is present at /Applications/Codex.app/Contents/Resources/node.

Concrete evidence checked:

• crates/runtime-pi/src/lib.rs: PiRuntimeAdapter implements RuntimeAdapter::start/dispatch; normalize_output always returns RuntimeOutputStatus::Observed; artifact refs are staged in the adapter inbox; observations capture session, summary, artifact refs, and evidence candidates.
• crates/runtime-pi/tests/pi_runtime_adapter.rs: covers adapter trait implementation, prompt sections, output normalization, and Run::complete_from_runtime_output(...) rejecting runtime completion with DomainError::RuntimeOutputCannotCompleteRun.
• README.md: updated to describe the Rust/Pi adapter boundary and TS/Pi facade/shim ownership limits.

Non-blocking note: digest() currently uses Rust DefaultHasher while formatting the digest as pi-inbox-sha-*. If these adapter artifact refs become durable integrity evidence, I would follow up by switching to a stable SHA-256-style digest or renaming the scheme so it does not imply SHA. For this initial non-authoritative boundary slice, I did not treat that as merge-blocking.

[devkade]

CODE REVIEW REPORT

Recommendation: REQUEST CHANGES
Architectural Status: BLOCK
Files reviewed: 5 changed files in git diff origin/dev...HEAD

Real Result from verification:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (4 tests passed)
• PASS: cargo test --workspace (workspace Rust tests passed)
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• BLOCKED/ENV: npm test could not run directly because npm is not on PATH (zsh:1: command not found: npm). I also ran the closest local equivalent with the bundled Node binary: /Applications/Codex.app/Contents/Resources/node node_modules/tsx/dist/cli.mjs --test test/*.test.ts; result was 520 pass / 6 fail / 11 skip, and all 6 failures were spawn npm ENOENT from tests that themselves invoke npm.

CRITICAL (0)

(none)

HIGH (2)

1. crates/runtime-pi/src/lib.rs:275-289, crates/runtime-pi/src/lib.rs:365-368
   Issue: The Pi runtime adapter constructs domain ArtifactRefs directly from in-memory PiArtifactInbox bytes and computes the digest with DefaultHasher, formatted as pi-inbox-sha-*.
   Risk: These refs look like stable evidence/artifact refs to downstream core/store code, but they are not produced by the artifact sealing boundary and are not SHA-256/digest-sealed like the existing artifact adapter. This weakens the evidence integrity model: later evidence recording can treat runtime-staged material as canonical artifact evidence without durable immutable storage or a stable content digest.
   Evidence: crates/artifacts/src/lib.rs:219-221 writes immutable artifact bytes and returns an ArtifactRef; crates/artifacts/src/lib.rs:383-386 uses sha256:<hex>. The new adapter bypasses that path and uses a 64-bit DefaultHasher digest.
   Fix: Either keep Pi artifacts as staged adapter DTOs until an artifact-store/sealing boundary converts them into ArtifactRefs, or integrate with the existing artifact inbox/sealing path. If this crate must emit refs now, use sha256:<hex> and add tests asserting stable digest format and byte identity.

2. crates/runtime-pi/src/lib.rs:346-363
   Issue: safe_file_name silently rewrites artifact file names instead of rejecting unsafe or ambiguous inputs.
   Risk: Distinct runtime artifacts can alias to the same pi-inbox://<session>/<file> location (a/b and a-b, whitespace-only names becoming artifact.bin, reserved . / .. names, etc.). That makes staged evidence refs ambiguous and can point reviewers/verifiers at the wrong runtime material.
   Fix: Make artifact inbox construction/normalization fallible and reject empty names, path separators, . / .., and names that change under normalization; include artifact id or another stable disambiguator in the location if duplicate file names are valid.

MEDIUM (1)

1. crates/runtime-pi/src/lib.rs:317-343
   Issue: Prompt projection extracts only same-line Mission:, Boundary:, Evidence:, Verification:, and Handoff: values from the free-form RunContract body.
   Risk: Realistic multi-line or Markdown-style RunContract sections are silently dropped or replaced by defaults, so Pi can receive an incomplete/altered contract projection while tests still pass for one-line labels.
   Fix: Define the expected projection schema explicitly or parse section blocks until the next known label/heading. Add tests for multi-line sections and Markdown headings.

ARCHITECTURE WATCHLIST / BLOCKER

• BLOCK: The PR correctly keeps runtime output from completing a run, but completion integrity also depends on evidence integrity. Because runtime-pi emits canonical-looking ArtifactRefs before artifact sealing/durable storage, the boundary currently blurs “adapter-staged runtime material” with “digest-sealed evidence artifact.” Please separate staged Pi artifacts from sealed ArtifactRef creation, or route through the artifact authority before exposing refs as evidence candidates.

SYNTHESIS

• code-reviewer recommendation: REQUEST CHANGES
• architect status: BLOCK
• final recommendation: REQUEST CHANGES

The Rust verification is strong, and the core direction is good, but I would not treat this merge-ready until the artifact ref/digest/sealing boundary is fixed.

[devkade]

Implemented the PR #253 review-round follow-up for issue #244.

Fixes made:

• Replaced DefaultHasher/pi-inbox-sha-* staged digests with stable sha256: content digests for Pi runtime staged artifact refs.
• Scoped Pi staged artifact locations by artifact id: pi-inbox://<session>/<artifact-id>/<file>, so duplicate file names no longer alias.
• Made PiArtifactInbox::new(...) fallible and reject empty, path-like, reserved, or normalized/ambiguous file names instead of silently rewriting them.
• Extended RunContract prompt projection to preserve multiline Markdown headings and multiline Mission:/Boundary:/Evidence:/Verification:/Handoff: blocks.
• Updated README.md and the PR body to document adapter-scoped, non-authoritative Pi staged refs and the artifact-store sealing boundary.

Verification run:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (8 tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim to the bundled Node/npm because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip)
• PASS: git diff --check origin/dev...HEAD
• PASS: Ralph architect verification returned APPROVED for the review blockers.

Commit pushed: 7840fd0 (Protect Pi runtime evidence boundaries).

[devkade]

CODE REVIEW REPORT

Recommendation: REQUEST CHANGES
Architectural Status: BLOCK
Files reviewed: 5 changed files in git diff origin/dev...HEAD

I ran the requested $code-review workflow with separate code-reviewer and architect lanes, then verified locally. The round-1 fixes address the previous DefaultHasher, filename separator, duplicate filename, and multiline prompt-section issues, but round 2 found one remaining boundary blocker around URI segment safety.

Real Result from verification:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (8 runtime-pi tests passed)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim for npm with the bundled Codex Node runtime because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip)
• PASS: git diff --check origin/dev...HEAD

CRITICAL (0)

(none)

HIGH (2)

1. crates/runtime-pi/src/lib.rs:279-284, crates/core/src/value.rs:11-18, crates/core/src/artifact/mod.rs:46-49
   Issue: pi-inbox:// locations still interpolate raw RuntimeSessionId and ArtifactId values as URI path/authority components. Core IDs only reject empty strings, and ArtifactRef only checks for a stable-looking absolute/scheme location, so IDs such as a/b, ../x, x?y, or session/run IDs containing / can create ambiguous staged refs despite the filename hardening.
   Risk: The advertised adapter-scoped location shape pi-inbox://<session>/<artifact-id>/<file> is not reliably parseable or scoped. A future resolver/sealer could read the wrong session/artifact segment, undermining the evidence boundary this PR is meant to protect.
   Evidence: artifact_ref_for(...) formats session.id().as_str() and artifact.artifact_id().as_str() directly; validate_file_name(...) protects only the final filename; tests at crates/runtime-pi/tests/pi_runtime_adapter.rs:93-154 cover duplicate simple IDs and unsafe filenames, but not unsafe ID/session URI segments.
   Fix: Validate or percent-encode every pi-inbox:// URI component owned by this adapter before constructing ArtifactRef. Add regression tests for unsafe ArtifactId values (a/b, ../x, reserved URI characters) and unsafe session/run-derived IDs.

2. crates/runtime-pi/src/lib.rs:392-401
   Issue: validate_file_name trims and accepts the trimmed result, so names like " report.md", "report.md ", or tab/newline-padded names are silently normalized instead of rejected.
   Risk: This conflicts with the README/PR claim that normalized/ambiguous Pi inbox names are rejected, and can collapse distinct runtime-submitted names into the same staged location.
   Fix: Reject when the input differs from its trimmed form before applying the safe-character check, and add regression tests for leading/trailing whitespace around otherwise-valid names.

MEDIUM (1)

1. crates/runtime-pi/src/lib.rs:245-258
   Issue: RuntimeClaimedComplete is accepted as raw input but then discarded; TurnObservation does not retain the original runtime claim.
   Risk: Completion remains safely kernel-owned, but auditability is weaker than the wording “downgraded to observations” implies because reviewers cannot observe that Pi attempted to claim completion.
   Fix: Keep RuntimeOutput non-authoritative, but retain raw status or a runtime_claimed_complete flag in normalized metadata/turn observations.

ARCHITECTURE WATCHLIST / BLOCKER

• BLOCK: The PR correctly moved to sha256: digests and artifact-id-scoped staged refs, but the scoped URI contract is incomplete until all URI segments are either encoded or rejected. Core ID objects are transport-neutral and should not be assumed URI-safe at the Pi adapter boundary.
• WATCH: PiArtifactInbox contains bytes before normalization, but the adapter-owned inbox() retains only ArtifactRefs. That is acceptable for this conservative MVP if intentional, but the future sealing handoff will need a byte-owning staged-artifact API or clearer naming so refs-only inbox state is not mistaken for sealable material storage.

Positive evidence checked:

• crates/runtime-pi/src/lib.rs:236-252 trims runtime summaries, emits RuntimeOutput, and normalizes all statuses to Observed.
• crates/runtime-pi/tests/pi_runtime_adapter.rs:201-221 verifies runtime-claimed completion cannot complete a Run and core returns DomainError::RuntimeOutputCannotCompleteRun.
• crates/runtime-pi/tests/pi_runtime_adapter.rs:93-134 verifies sha256: digests and artifact-id-scoped locations for duplicate simple file names.
• crates/runtime-pi/tests/pi_runtime_adapter.rs:156-199 verifies multiline Markdown and colon section prompt projection.
• README.md documents the intended Rust/Pi adapter boundary and non-authoritative staged refs.

SYNTHESIS

• code-reviewer recommendation: REQUEST CHANGES
• architect status: BLOCK
• final recommendation: REQUEST CHANGES

The implementation is close, and verification is green, but I would not treat this merge-ready until pi-inbox:// URI segment safety is fixed.

[devkade]

Implemented the PR #253 review-round follow-up for issue #244.

Fixes made:

• Added failing-first regression coverage for unsafe pi-inbox:// session segments, run-derived session segments, artifact-id URI segments, and filenames that would require trimming.
• Validates every adapter-owned pi-inbox://<session>/<artifact-id>/<file> segment with the same fail-closed safe segment policy before constructing staged ArtifactRefs.
• Rejects leading/trailing whitespace in Pi inbox file names instead of silently trimming and aliasing staged material.
• Keeps runtime completion non-authoritative while retaining a runtime_claimed_complete audit flag on normalized output and turn observations.
• Updated README.md and the PR body to describe URI segment rejection and audit-only runtime completion claims.

Verification run:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (13 runtime-pi tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim for the bundled Codex Node runtime because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip)
• PASS: git diff --check origin/dev...HEAD
• PASS: Ralph architect verification returned Architectural Status: CLEAR with no blockers.

Commit pushed: a237913 (Protect Pi inbox URI boundaries).

[devkade]

Implemented the PR #253 round-2 follow-up for issue #244.

Fixes made:

• Added TDD regressions for unsafe pi-inbox:// session/run/artifact URI segments, leading/trailing whitespace in Pi artifact file names, and runtime-completion audit retention.
• Made Pi staged artifact ref construction fail closed by validating the session-derived and artifact-id URI segments before creating pi-inbox://<session>/<artifact-id>/<file> refs.
• Changed Pi artifact file-name validation to reject names that differ from their trimmed form instead of silently normalizing them.
• Retained RuntimeClaimedComplete as an audit-only flag on normalized output and turn observations while continuing to expose only non-authoritative Observed runtime output to core completion logic.
• Updated README.md to document URI-segment rejection and audit-only completion claims.

Verification run:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (13 runtime-pi tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim for npm with the bundled Codex Node runtime because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip)
• PASS: git diff --check origin/dev...HEAD
• PASS: Ralph architect verification approved the boundary fix.
• PASS: Scoped deslop pass over changed files found no masking fallback/slop edits needed; post-deslop regression gates remained green.

Commit pushed: a237913 (Protect Pi inbox URI boundaries).

[devkade]

Implemented the PR #253 review-round 2 follow-up for issue #244.

Fixes made:

• Added strict validation for every adapter-owned pi-inbox://<session>/<artifact-id>/<file> URI segment before constructing staged ArtifactRefs.
• Rejected unsafe session/run-derived segments and unsafe ArtifactId URI segments such as path separators, dot segments, URI delimiters, spaces, and trim-normalized values.
• Tightened Pi inbox filename validation so leading/trailing whitespace is rejected instead of silently trimmed.
• Retained RuntimeClaimedComplete as an audit flag on normalized output and turn observations while still exposing only non-authoritative Observed runtime output.
• Updated README.md to document unsafe URI segment rejection and the audit-only completion claim flag.

Verification run:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (13 tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim to the bundled Codex Node runtime because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip)
• PASS: git diff --check origin/dev...HEAD
• PASS: Ralph architect verification returned CLEAR.

Commit pushed: a237913 (Protect Pi inbox URI boundaries).

[devkade]

CODE REVIEW REPORT

Recommendation: REQUEST CHANGES
Architectural Status: BLOCK
Files reviewed: 5 changed files in git diff origin/dev...HEAD

I ran the requested $code-review workflow with separate code-reviewer and architect lanes, then verified locally. The round-2 fixes address the previous URI segment safety and runtime-completion audit concerns, but round 3 found two remaining boundary blockers around preserving the full authoritative contract projection and keeping Pi-staged artifacts distinct from canonical artifact refs.

Real Result from verification:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (13 runtime-pi tests passed)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test using a temporary PATH shim for the bundled Codex Node/npm runtime because npm is not directly on PATH in this runner (526 pass / 0 fail / 11 skip; 537 total tests)
• PASS: git diff --check origin/dev...HEAD

CRITICAL (0)

(none)

HIGH (2)

1. crates/runtime-pi/src/lib.rs:226-237, crates/runtime-pi/src/lib.rs:331-405, crates/core/src/contract/mod.rs:1-5, crates/core/src/contract/mod.rs:52-93
   Issue: PiRuntimeAdapter::project_prompt can silently under-project the authoritative RunContract snapshot. It emits only Mission, Boundary, Evidence, Verification, and Handoff, and the parser recognizes only those five labels. Preamble text and unknown but potentially authoritative sections such as ## Security, ## Acceptance Criteria, or ## Constraints are dropped rather than preserved for Pi.
   Risk: Core documents RunContract as the immutable snapshot, while README says TS/Pi surfaces are facade/shim layers that do not own canonical semantics. If the adapter reshapes the contract into only five known sections, Pi can execute from an incomplete contract even though tests pass for the recognized labels.
   Fix: Preserve the full contract.snapshot_body() in the prompt, for example as ## Source Contract Snapshot or an explicit “Additional Contract Clauses” section. Add regression coverage proving unknown sections and preamble text survive projection.

2. crates/runtime-pi/src/lib.rs:60-79, crates/runtime-pi/src/lib.rs:203-208, crates/runtime-pi/src/lib.rs:248-254, crates/core/src/ports/mod.rs:78-81, crates/core/src/services/mod.rs:148-172, README.md:58
   Issue: Pi-staged artifacts are converted into plain core ArtifactRefs before artifact-store sealing, and the adapter-owned inbox() retains only ArtifactRefs rather than a byte-owning staged artifact record.
   Risk: README says pi-inbox:// refs remain non-authoritative until a core artifact-store/sealing boundary records them, but the type boundary does not enforce that distinction. Core services can already accept an ArtifactRef into recorded evidence and artifact storage, while the filesystem artifact crate only issues ArtifactRefs after writing/sealing bytes. This keeps the staged/canonical artifact boundary too easy to blur in follow-up integration.
   Fix: Keep Pi output as a distinct staged DTO (for example PiStagedArtifact { id, uri, digest, bytes } or StagedArtifactRef) until an explicit seal/canonicalize step returns a core ArtifactRef, or make pi-inbox:// a durable retrievable sealed location before exposing it as ArtifactRef.

MEDIUM (1)

1. crates/runtime-pi/src/lib.rs:211-217, crates/runtime-pi/src/lib.rs:427-435, README.md:58
   Issue: PiRuntimeAdapter::new trims session_prefix before storing it, while staged-ref segment validation later rejects values that require trimming. This means prefixes like "pi" and " pi " collapse before URI segment validation.
   Risk: This is inconsistent with the README claim that whitespace-normalized staged-ref segments are rejected, and it weakens the fail-closed segment policy added in round 2.
   Fix: Validate session_prefix with the same safe segment policy and reject leading/trailing whitespace instead of trimming.

ARCHITECTURE WATCHLIST / BLOCKER

• BLOCK: The previous pi-inbox:// URI segment safety issue is fixed for final constructed refs, and completion claims remain non-authoritative. However, the adapter still needs to preserve the full immutable RunContract snapshot in Pi prompts and make the staged-artifact-vs-canonical-ArtifactRef boundary type-safe before I would call the PR merge-ready.

Positive evidence checked:

• crates/runtime-pi/src/lib.rs:287-304 validates session and artifact URI segments before constructing pi-inbox://<session>/<artifact-id>/<file> and uses sha256: content digests.
• crates/runtime-pi/src/lib.rs:407-440 rejects empty, reserved, whitespace-normalized, path-like, and URI-ambiguous Pi inbox segments.
• crates/runtime-pi/tests/pi_runtime_adapter.rs:136-252 covers unsafe file names, leading/trailing whitespace, unsafe session/run-derived segments, and unsafe artifact-id URI segments.
• crates/runtime-pi/src/lib.rs:246-271 downgrades runtime completion to Observed while retaining runtime_claimed_complete on normalized output and turn observations.
• crates/runtime-pi/tests/pi_runtime_adapter.rs:299-338 verifies runtime completion claims are audit-only and cannot complete a Run.

SYNTHESIS

• code-reviewer recommendation: APPROVE
• architect status: BLOCK
• final recommendation: REQUEST CHANGES

The implementation is close and the verification suite is green, but I would not treat this merge-ready until the full contract projection and staged artifact type boundary are tightened.

[devkade]

Implemented the PR #253 round-3 follow-up for issue #244.

Fixes made:

• Added TDD regressions for preserving preamble/unknown RunContract sections in Pi prompt projection, keeping Pi staged artifacts distinct from core ArtifactRef, and rejecting unsafe or trim-normalized session prefixes.
• project_prompt now includes the full immutable Source Contract Snapshot before derived Mission/Boundary/Evidence/Verification/Handoff sections so Pi cannot lose authoritative clauses such as Security or Acceptance Criteria.
• Replaced pre-sealed ArtifactRef exposure from runtime-pi normalized output, turn observations, and adapter inbox with adapter-owned PiStagedArtifact DTOs that retain artifact id, file name, pi-inbox://... URI, sha256: digest, and bytes until a future artifact-store sealing boundary canonicalizes them.
• Tightened PiRuntimeAdapter::new so unsafe/whitespace-normalized session prefixes fail closed instead of being trimmed before staged URI validation.
• Updated README.md and the PR body to document the full snapshot projection and staged-artifact-vs-canonical-ArtifactRef boundary.
• Ran the Ralph deslop pass on the changed files; only stale test naming was cleaned up, with no masking fallback/slop findings.

Verification run:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (15 runtime-pi tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test (526 pass / 0 fail / 11 skip; 537 total tests)
• PASS: git diff --check origin/dev...HEAD
• PASS: Ralph architect verification returned Architectural Status: CLEAR with no blockers.

Commit pushed: ad3664f (Keep Pi runtime evidence staged until sealing).

[devkade]

Verdict: APPROVE

Short reason: The round-3 follow-up resolves the prior merge blockers. The Pi adapter now preserves the full authoritative RunContract snapshot in prompts, keeps Pi-staged artifacts as adapter-owned DTOs rather than core ArtifactRefs, rejects unsafe/trim-normalized pi-inbox:// segments, and retains runtime completion claims only as audit observations.

Real Result from actual verification:

• PASS: cargo fmt --all -- --check
• PASS: cargo test -p ilchul-runtime-pi (15/15 runtime-pi tests)
• PASS: cargo test --workspace
• PASS: cargo clippy --workspace --all-targets -- -D warnings
• PASS: npm test (526 pass / 0 fail / 11 skip; 537 total)
• PASS: git diff --check origin/dev...HEAD

Concrete evidence checked:

• crates/runtime-pi/src/lib.rs projects ## Source Contract Snapshot using contract.snapshot_body() before the derived Mission/Boundary/Evidence/Verification/Handoff sections.
• NormalizedPiRuntimeOutput, TurnObservation, and PiRuntimeAdapter::inbox() expose PiStagedArtifact values with URI, digest, and bytes; the runtime-pi crate no longer constructs core ArtifactRefs for staged Pi material.
• PiRuntimeAdapter::new, validate_uri_segment, and validate_file_name share the fail-closed safe segment policy for session prefixes, run-derived session IDs, artifact IDs, and filenames.
• Regression tests cover full snapshot preservation, staged DTO separation, unsafe URI segments, trim-normalized filenames, SHA-256 digests, duplicate filenames, and audit-only runtime completion claims.
• README.md matches the implemented boundary: Pi staged artifacts are non-authoritative until a future artifact-store/sealing boundary canonicalizes them.

No remaining merge-blocking issues found in this final pass.