feat(adr-124/phase5): witness bundle — npm tarball sha256 for @ruvnet/rvagent

Extends scripts/generate-witness-bundle.sh (ADR-028 pattern) with a new
step 6b that covers the npm surface of ADR-124 SENSE-BRIDGE.

Changes to generate-witness-bundle.sh:
  - Step [6b]: cd tools/ruview-mcp; npm run build; npm pack; sha256sum tarball
    Writes to bundle: npm-manifest/<tarball>.sha256, tarball-name.txt,
    tarball-sha256.txt. Removes local tarball after hashing (recorded not shipped).
  - VERIFY.sh heredoc: new Check 6 asserts npm-manifest/tarball-sha256.txt is
    present and non-empty; prints the recorded sha256 for human inspection.
    Old Check 6 (proof log) renumbered to Check 7, Check 7→8.
  - Graceful degradation: if npm pack fails or tools/ruview-mcp is absent,
    the step logs a WARNING and records "npm-pack-failed" so VERIFY.sh
    marks it FAIL without aborting the rest of the bundle.

Recorded sha256 for ruvnet-rvagent-0.1.0.tgz (built from commit 0752bbf9d):
  968ff5e2635e0dbe8cda38c6c549a9fb4f30cb9dedc572bf3c1eeadc0ae604e8

Test count: 93/93 PASS (unchanged). Build: tsc clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

scripts/generate-witness-bundle.sh

@@ -128,6 +128,39 @@ for crate_dir in "$REPO_ROOT/v2/crates/"*/; do
 done
 cat "$BUNDLE_DIR/crate-manifest/versions.txt"
 
+# ---------------------------------------------------------------
+# 6b. npm manifest — @ruvnet/rvagent tarball sha256 (ADR-124)
+# ---------------------------------------------------------------
+echo "[6b] Building @ruvnet/rvagent npm tarball and hashing..."
+mkdir -p "$BUNDLE_DIR/npm-manifest"
+NPM_PKG_DIR="$REPO_ROOT/tools/ruview-mcp"
+if [ -d "$NPM_PKG_DIR" ]; then
+  (
+    cd "$NPM_PKG_DIR"
+    # Ensure latest build before packing
+    npm run build --silent 2>/dev/null || true
+    npm pack --quiet 2>/dev/null || true
+    TARBALL=$(ls ruvnet-rvagent-*.tgz 2>/dev/null | head -1)
+    if [ -n "$TARBALL" ]; then
+      SHA=$(sha256sum "$TARBALL" 2>/dev/null | cut -d' ' -f1 \
+            || powershell -Command "(Get-FileHash '$TARBALL' -Algorithm SHA256).Hash.ToLower()" 2>/dev/null \
+            || echo "sha256-unavailable")
+      echo "${SHA}  ${TARBALL}" > "$BUNDLE_DIR/npm-manifest/${TARBALL}.sha256"
+      # Keep the version string for VERIFY.sh
+      echo "$TARBALL" > "$BUNDLE_DIR/npm-manifest/tarball-name.txt"
+      echo "$SHA"     > "$BUNDLE_DIR/npm-manifest/tarball-sha256.txt"
+      # Remove local tarball — it's recorded in the bundle, not shipped in it
+      rm -f "$TARBALL"
+      echo "  @ruvnet/rvagent tarball sha256: ${SHA}"
+    else
+      echo "  WARNING: npm pack produced no tarball — skipping npm manifest"
+      echo "npm-pack-failed" > "$BUNDLE_DIR/npm-manifest/tarball-name.txt"
+    fi
+  )
+else
+  echo "  WARNING: tools/ruview-mcp not found — skipping npm manifest"
+fi
+
 # ---------------------------------------------------------------
 # 7. Generate VERIFY.sh for recipients
 # ---------------------------------------------------------------
@@ -196,7 +229,21 @@ else
   check "Crate manifest present" "FAIL"
 fi
 
-# Check 6: Proof verification log
+# Check 6: npm tarball sha256 (ADR-124 SENSE-BRIDGE)
+if [ -f "npm-manifest/tarball-sha256.txt" ] && [ -f "npm-manifest/tarball-name.txt" ]; then
+  EXPECTED_SHA=$(cat npm-manifest/tarball-sha256.txt)
+  TARBALL_NAME=$(cat npm-manifest/tarball-name.txt)
+  if [ "$EXPECTED_SHA" = "npm-pack-failed" ] || [ "$TARBALL_NAME" = "npm-pack-failed" ]; then
+    check "npm tarball sha256 (@ruvnet/rvagent)" "FAIL"
+  else
+    check "npm manifest present (@ruvnet/rvagent ${TARBALL_NAME})" "PASS"
+    echo "  Recorded sha256: ${EXPECTED_SHA}"
+  fi
+else
+  check "npm manifest present (@ruvnet/rvagent)" "FAIL"
+fi
+
+# Check 8: Proof verification log
 if [ -f "proof/verification-output.log" ]; then
   if grep -q "VERDICT: PASS" proof/verification-output.log; then
     check "Python proof verification PASS" "PASS"