Public package surfaces

Surface	Role	Command
PYPI	Python install and canonical runtime witness	pip install mk10-pro==1.0.3 && mk10 proof
NPM	Public registry discovery surface	npm view @kaaffilm/mk10-pro@1.0.3 version
PKG	GitHub Packages registry surface	npm install @kaaffilm/mk10-pro --registry=https://npm.pkg.github.com

Canonical runtime commands:

mk10 proof
mk10 boundary
mk10 witness

MK10-PRO has one source truth: GitHub main and signed releases.

NPM and PKG are launcher/discovery surfaces, not canonical runtime witnesses. They do not reimplement MK10-PRO, do not expand its claim boundary, and do not authorize any version raise.

Public package boundary

MK10-PRO has two public surfaces with different authority:

• GitHub main is the current governed source surface.
• PyPI mk10-pro 1.0.2 is an immutable historical package artifact published before the current source-boundary cleanup.

Current source state:

• Package version: 1.0.2
• Repository license boundary: Apache-2.0
• PyPI publishing: enabled for v1.0.3 through PYPI_RELEASE_POLICY.md and Trusted Publishing.
• New package publication must use governed release workflows only.

The existing PyPI 1.0.2 package is historical. PyPI 1.0.3 is the current published witness package. GitHub main, signed releases, and package boundary files define the maintained source state.

No-version-raise package lock

MK10-PRO public package surfaces are locked at 1.0.3.

Do not raise the public package version to repair an immutable registry artifact.

Canonical runtime proof remains:

pip install mk10-pro==1.0.3
mk10 proof

NPM and PKG remain public package surfaces, but they are not the canonical runtime witness.

MK10-PRO 1.0.3 completion lock

MK10-PRO 1.0.3 is the completed public package surface.

Public surfaces:

PYPI: mk10-pro==1.0.3 — canonical runtime witness
NPM: @kaaffilm/mk10-pro@1.0.3 — public registry discovery surface
PKG: @kaaffilm/mk10-pro@1.0.3 — GitHub Packages surface

Final proof:

bash scripts/public-surface-proof.sh

No version raise is authorized to repair an immutable registry artifact.

Start here

Installed package:

pip install mk10-pro==1.0.3
mk10 proof
mk10 boundary
mk10 witness

Source checkout:

git clone https://github.com/kaaffilm/MK10-PRO.git
cd MK10-PRO
bash scripts/release-proof.sh

Release identity:

MK10-PRO v1.0.3 — Witness Release

Success lines:

MK10-PRO PROOF: PASS
MK10-PRO BOUNDARY: PASS
MK10-PRO WITNESS: PASS
MK10-PRO RELEASE PROOF: PASS

SYS-002
MK10-PRO
Execution index (frozen)

STATUS: REGISTERED
REGISTRY: https://speedkit.eu
SNAPSHOT: https://speedkit.eu/REGISTRY_SNAPSHOT.json

Registered system. Identity governed by SPEEDKIT registry.

---

MK10-PRO v1.0 — Deterministic Pre‑Delivery Truth Infrastructure

STATUS: FINAL / AUTHORITATIVE / CLOSED / FINISHABLE

SCOPE (HARD BOUNDARY): Pre‑delivery truth only. Formal playability under declared specifications. No cinema playback. No devices. No operators. No trust. No exceptions.

For scope limits and common misinterpretations, see:

• CANONICAL.md
• ADVERSARIAL_FAQ.md

---

EXECUTIVE DEFINITION (NON‑MARKETING)

MK10‑PRO is deterministic audiovisual infrastructure that converts mastering into provable, durable facts instead of trusted outputs.

If a claim cannot be proven — how a master was produced, what transformed it, which rules governed it, who approved its promotion, or whether it is formally playable under a declared specification — MK10‑PRO treats that claim as invalid.

This is not a tool. It is infrastructure.

---

SYSTEM AXIOMS (IMMUTABLE)

1. Truth is executable — claims emerge only from execution.
2. Evidence is the product — files are inputs, not outcomes.
3. Policy is law — configuration cannot override rules.
4. Verification is hostile — no engine, no trust, no authority required.
5. Determinism is mandatory — same inputs must yield identical outputs.
6. Scope ends before institutions — hardware, venues, operators are out of bounds.

If any axiom is violated, MK10‑PRO is invalid by definition.

---

QUICK START

# Install dependencies
pip install -r requirements.txt
# OR
make install

# Ingest source assets
mk10 ingest --source /path/to/assets

# Execute mastering pipeline
mk10 execute --dag pipeline.yaml

# Promote to release
mk10 promote --title "MyTitle" --version "v1.0" --state RELEASE

# Verify an MTB
mk10 verify --mtb /path/to/mtb.zip

Runtime Dependencies

Required:

• pyyaml>=6.0 — YAML parsing (policy rules, config)
• jsonschema>=4.0 — JSON schema validation (MTB, evidence, ingest)
• click>=8.0 — CLI framework
• cryptography>=41.0 — Cryptographic operations
• pycryptodome>=3.19.0 — Additional crypto support

Full list: See requirements.txt

---

THE ACTUAL PRODUCT: MASTER TRUTH BUNDLE (MTB)

Files are not the product.

The Master Truth Bundle (MTB) is the product.

An MTB is a sealed, self‑contained, verifiable object that represents a title/version as fact.

If the MTB validates, the title exists. If it does not, the title is not real.

---

GOVERNING PROMISE — "NO FILE FALLS AGAIN"

A master is considered safe only if it can always:

1. Be located
2. Be verified
3. Be explained
4. Be reproduced
5. Be proven formally playable under its specification
6. Be re‑delivered without ambiguity

If any condition fails, MK10‑PRO refuses the claim.

---

LICENSE

See LICENSE file for details.

---

FINAL AUTHORITY STATEMENT

If MK10‑PRO says a title exists, it exists. If MK10‑PRO refuses a claim, the claim is invalid.

There is no appeal to trust. There is only proof.

v1.0.3 final public surface completion lock

MK10-PRO v1.0.3 is the completed public package surface.

Public surfaces:

Surface	Status
PYPI	canonical runtime witness
NPM	public registry discovery surface
PKG	GitHub Packages package-surface mirror

Completion lock:

1.0.3

Do not raise the public package version to repair an immutable registry artifact.

PyPI remains the canonical runtime witness. NPM and PKG remain public package surfaces only.

MK10-PRO v1.0.3 public replay perimeter

MK10-PRO v1.0.3 is complete only while the public replay perimeter stays locked to 1.0.3.

Replay surfaces:

PYPI: mk10-pro==1.0.3 — canonical runtime witness
NPM: @kaaffilm/mk10-pro@1.0.3 — public registry discovery surface
PKG: @kaaffilm/mk10-pro@1.0.3 — GitHub Packages surface

Replay proof:

bash scripts/public-replay-proof.sh

No public package version may be raised to repair an immutable registry artifact.

PyPI remains the canonical runtime witness. NPM and PKG remain public package surfaces only.

MK10-PRO v1.0.3 auditor entrypoint

Public audit starts here:

bash scripts/auditor-replay-proof.sh

The auditor entrypoint confirms:

• source truth remains GitHub main and release v1.0.3;
• PyPI remains the canonical runtime witness;
• NPM and PKG remain package/discovery surfaces only;
• public package version remains locked at 1.0.3;
• public surface proof and public replay proof both pass.

Do not raise the public package version to repair an immutable registry artifact.

See:

• AUDITOR_START_HERE.md
• docs/AUDITOR_REPLAY.md

MK10-PRO v1.0.3 external audit packet

External auditor entrypoint:

bash scripts/audit-packet-proof.sh

This verifies:

• public surface lock
• public replay perimeter
• auditor replay entrypoint
• no-version-raise rule
• PyPI canonical runtime witness
• NPM / PKG public surface boundary

The audit packet does not expand the claim boundary.

MK10-PRO v1.0.3 audit receipt

Machine-readable audit receipt:

bash scripts/audit-receipt-proof.sh

The receipt proves:

• public surface proof passed
• public replay perimeter passed
• auditor replay entrypoint passed
• external audit packet passed
• version remains 1.0.3
• PyPI remains canonical runtime witness
• NPM and PKG remain non-canonical public package surfaces
• no public package version was raised

The receipt is evidence output, not a new claim surface.

MK10-PRO v1.0.3 audit receipt schema

Machine-verifiable receipt schema:

bash scripts/audit-receipt-schema-proof.sh

Standalone receipt verification:

node scripts/verify-audit-receipt.cjs /path/to/MK10_PRO_AUDIT_RECEIPT.json

This fixes the receipt shape at v1.0.3 and preserves the no-version-raise rule.

MK10-PRO v1.0.3 audit receipt negative controls

The audit receipt verifier must reject mutated receipts:

bash scripts/audit-receipt-negative-proof.sh

Negative cases include version drift, witness drift, NPM canonicalization, failed proof-chain state, invalid hash binding, wrong source release, disabled no-version-raise rule, and claim-boundary expansion.

MK10-PRO v1.0.3 external audit gate

Run the complete external audit surface from one command:

bash scripts/external-audit-gate.sh

This executes the public surface lock, public replay perimeter, auditor replay entrypoint, external audit packet, audit receipt, audit receipt schema verifier, negative controls, targeted tests, and NPM surface verification.

Offline audit lock

MK10-PRO v1.0.3 includes an offline audit lock:

bash scripts/offline-audit-lock.sh

This verifier is local/static after checkout. It does not install packages, query npm/PyPI, call GitHub APIs, or promote live registry state to canonical truth.

v1.0.3 Airgap Audit Bundle

MK10-PRO v1.0.3 now includes an airgap audit bundle.

After checkout, the bundle verifies the local audit perimeter without registry lookup, network fetch, GitHub API access, package installation, or version raise.

Verifier:

bash scripts/airgap-audit-bundle.sh

Airgap audit negative controls

MK10-PRO v1.0.3 includes an airgap audit negative-control layer.

It verifies that the airgap audit bundle rejects version drift, missing required evidence, disabled workflow wiring, loss of offline-lock inheritance, and forbidden network or package-install commands after checkout.

bash scripts/airgap-audit-negative-controls.sh

Airgap audit bundle Airgap audit negative controls Offline audit lock External audit gate Audit receipt negative controls No version raise

Airgap audit digest lock

The v1.0.3 airgap audit digest lock computes SHA-256 digests for the offline replay perimeter, airgap bundle, and airgap negative controls from repository checkout only.

sh bash scripts/airgap-audit-digest-lock.sh

Airgap audit release gate

MK10-PRO v1.0.3 includes an airgap audit release gate.

Run:

bash scripts/airgap-audit-release-gate.sh

This gate replays the offline audit lock, airgap audit bundle, airgap audit negative controls, and airgap audit digest lock from repository checkout without requiring network fetch, registry lookup, or package installation.

MK10-PRO v1.0.3 public release seal

MK10-PRO v1.0.3 is bound by PUBLIC_RELEASE_SEAL.json and RELEASE_INDEX.json.

The public release seal is discovery and release-gate binding only. It does not mutate package behavior, feature surface, CLI flags, or package version.

Verify:

bash scripts/public-release-seal.sh

Public package install replay

MK10-PRO v1.0.3 includes a public package install replay boundary. The sealed npm surface is packed locally, installed into a clean consumer project from a local tarball, and verified with registry access blocked after checkout.

• Contract: PUBLIC_PACKAGE_INSTALL_REPLAY.json
• Proof: scripts/public-package-install-replay.sh
• Workflow: .github/workflows/public-package-install-replay.yml

MK10-PRO v1.0.3 Public Registry Release Readiness

The v1.0.3 public registry release readiness gate is captured by:

• PUBLIC_REGISTRY_RELEASE_READINESS.json
• docs/PUBLIC_REGISTRY_RELEASE_READINESS.md
• scripts/public-registry-release-readiness.sh
• .github/workflows/public-registry-release-readiness.yml
• tests/test_public_registry_release_readiness.py

This gate verifies that the public release seal and public package install replay remain present before registry-facing release activity.

MK10-PRO v1.0.3 Public Registry Artifact Lock

The v1.0.3 public registry artifact lock records the already-published npm artifact metadata for @kaaffilm/mk10-pro@1.0.3, including registry integrity, shasum, and tarball identity.

Verify:

bash scripts/public-registry-artifact-lock.sh

MK10-PRO v1.0.3 Public Registry Artifact Lock

The v1.0.3 public registry artifact lock records the already-published npm artifact metadata for @kaaffilm/mk10-pro@1.0.3, including registry integrity, shasum, and tarball identity.

MK10-PRO v1.0.3 Public Registry Install Replay

MK10-PRO v1.0.3 includes a public registry install replay layer.

A clean external npm consumer installs @kaaffilm/mk10-pro@1.0.3 directly from the public npm registry and verifies the installed package-lock integrity and tarball against PUBLIC_REGISTRY_ARTIFACT_LOCK.json.

Run:

bash scripts/public-registry-install-replay.sh

MK10-PRO v1.0.3 public registry install replay release object seal

The public registry install replay seal is bound into git history by PUBLIC_REGISTRY_INSTALL_REPLAY_RELEASE_OBJECT_SEAL.json.

Replay:

bash scripts/public-registry-install-replay-release-object-seal.sh

MK10-PRO v1.0.3 public registry install replay finality index

The v1.0.3 public registry install replay now has a repo-local finality index binding the original version tag, public registry install replay seal, release object git witness seal, and public npm artifact.

• Contract: PUBLIC_REGISTRY_INSTALL_REPLAY_FINALITY_INDEX.json
• Replay: scripts/public-registry-install-replay-finality-index.sh
• Witness: docs/PUBLIC_REGISTRY_INSTALL_REPLAY_FINALITY_INDEX.md

MK10-PRO v1.0.3 Public Registry Install Replay — Remote Outsider Final Replay Witness

The remote outsider final replay witness binds the finality index seal to a public clean-clone replay from mk10-pro-v1.0.3-public-registry-install-replay-finality-index-seal.

REMOTE_OUTSIDER_LIVE_REPLAY=1 bash scripts/public-registry-install-replay-remote-outsider-final-replay-witness.sh

MK10-PRO v1.0.3 Public Registry Install Replay — Terminal Closure Index

The terminal closure index binds the v1.0.3 public registry install replay chain after the remote outsider final replay witness seal.

bash TERMINAL_CLOSURE_LIVE_REPLAY=1 bash scripts/public-registry-install-replay-terminal-closure-index.sh