budscollab.blueprint.json,
budscollab.package.json, budscollab-app-review.json,
budscollab-showcase.json, and SHOWCASE.md.
Eve sandbox agents also carry sandbox-sdk-handoff.json. That envelope names
the artifacts Eve may return to review, including
budscollab-registry-acceptance-request.json,
budscollab-registry-publisher-verification.json,
budscollab-registry-review-evidence.json, and
budscollab-registry-signing-request.json, and
budscollab-registry-install-policy.json, and keeps
marketplaceInstallAllowed false until a production artifact store, artifact
hash, review storage, artifact signing, and host install policy exist. The
artifact hash must be stored before any install path opens.
They also carry sandbox-artifact-receipt.json. That receipt is local evidence
that the sandbox returned validated SDK artifacts, requires a SHA-256 digest
policy, and keeps liveSandboxInstallAllowed, marketplaceInstallAllowed, and
installableUntilSigned false. It does not claim production artifact storage is
implemented.
Use pnpm verify:eve:local to check the public Eve sandbox contract and the
checked-in Research Bud handoff files when they are present. Use
pnpm verify:eve:artifacts ./sandbox-output after a sandbox run to verify that
the returned artifact directory contains the handoff, receipt, review, showcase,
registry preflight, and signing artifacts before review.