Skip to content

P0: make verification identity and portable execution reproducible#273

Merged
pengfei-threemoonslab merged 3 commits into
mainfrom
codex/p0-verification-identity
Jul 14, 2026
Merged

P0: make verification identity and portable execution reproducible#273
pengfei-threemoonslab merged 3 commits into
mainfrom
codex/p0-verification-identity

Conversation

@pengfei-threemoonslab

@pengfei-threemoonslab pengfei-threemoonslab commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds content-addressed verification plans, exact Git subjects, complete input-blob sets, engine requirements, decision-free unit results, artifact manifests, and terminal receipts.
  • Binds a plan evaluation date as reproducibility provenance while keeping hard trust decay conservative: acknowledgement, severity-override, and baseline expiry use the later of the plan date and the verifier wall clock.
  • Makes committed snapshots independent of git archive attributes.
  • Binds report, packet, verifier, verify-run, handoff, attestation, registry, organization evidence, and GitHub Action outputs to the same request and decision graph.
  • Adds prepare, worker, assemble, and reproduce commands with fail-closed input, engine, task, projection, and artifact validation.
  • Publishes package 0.16.0b6, runtime contract 17, report 0.34, packet 0.12, verifier 0.5, verify-run v3, handoff v5, and verification identity schemas v1.

Trust boundary and intentional limitation

The v1 protocol defines one deterministic evaluate task. The worker validates exact transport inputs and runtime compatibility and emits decision-free IR; it does not offload the scan or policy engine. The verifier remains the sole policy engine, and assembly only re-closes that decision over a validated worker unit. This is a portable fail-closed execution boundary, not distributed policy evaluation, arbitrary sharding, parallel speedup, executor attestation, or a signature system.

The content-bound evaluation date is provenance, not authority to renew reviewer consent. Hard expiry is intentionally monotonic and may make a later reproduction stricter after a human grant expires. Historical receipts still bind the exact decision and artifacts assembled at the original evaluation.

Safety properties

  • Mutable refs are resolved to exact commit, tree, merge-base, diff, and worktree-overlay identities.
  • Source checkouts and built wheels produce the same full engine requirement, including package assets, runtime dependencies, adapters, enabled plugin distributions and dependencies, and the policy catalog.
  • Commit-controlled author and committer dates cannot extend acknowledgements, severity overrides, or baseline exceptions; future dates can only make expiry more restrictive.
  • Workers cannot emit decision, merge verdict, control, or merge authority fields.
  • Failed or incomplete executions cannot produce a terminal receipt.
  • Receipt validation rehashes every artifact and verifies all report, packet, verifier, verify-run, handoff, attestation, registry, and organization identity mirrors.
  • GitHub pull-request runs evaluate github.sha while recording the source PR head separately.

Validation

  • Post-fix local suite: 3,866 passed and 5 skipped across 3,871 collected tests.
  • 66 of 66 verification-identity canaries passed, including conservative backdated and future-dated clock cases.
  • A real Git repository with author and committer dates forged ten years backward still rejects an expired rich severity override on the main verify path.
  • The expired acknowledgement, rich override, and baseline paths all have direct regression coverage.
  • All 4 isolated performance tests passed.
  • Fresh GitHub CI on commit e32b369: 3,464 passed, 3 skipped, 88.36 percent coverage; the 4-test isolated latency suite passed in 5.64 seconds.
  • Fresh GitHub Shipgate and self-dogfood checks passed.
  • Coverage-instrumented merge-blocking large-scan latency check passed locally with the 10-second budget unchanged.
  • Ruff, generated-schema checks, public-surface checks, and git diff checks passed.
  • Built wheel passes twine check and reports Agents Shipgate 0.16.0b6.
  • A clean isolated environment installed the wheel and computed an engine requirement successfully.
  • Source checkout and installed wheel emitted byte-identical engine requirement JSON when evaluated against the same runtime dependency set.
  • Shipgate self-verification produced a valid reproducible receipt, then correctly returned insufficient_evidence with control.state human_review_required because this PR edits release trust roots.

Review focus

Please review the wall-clock floor on hard trust expiry, Git subject and worktree-overlay completeness, engine-distribution closure, worker and assembler authority separation, terminal receipt construction order, Action merge-SHA handling, cache normalization, legacy-reader behavior, and all new public schema/version migrations.

This PR must not be self-approved by a coding agent.

@pengfei-threemoonslab
pengfei-threemoonslab marked this pull request as ready for review July 14, 2026 21:35
@pengfei-threemoonslab
pengfei-threemoonslab merged commit eb9cae4 into main Jul 14, 2026
4 checks passed
@pengfei-threemoonslab
pengfei-threemoonslab deleted the codex/p0-verification-identity branch July 14, 2026 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant