Skip to content

feat: add Linux F4 evidence promotion gate#131

Merged
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-evidence-promotion-gate
Jul 9, 2026
Merged

feat: add Linux F4 evidence promotion gate#131
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-evidence-promotion-gate

Conversation

@SSobol77

@SSobol77 SSobol77 commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Add a Linux F4 official-source evidence promotion gate.

This PR does not promote any current distro mapping to official-source evidence. It adds schema, helper APIs, manifest fields, verifier hardening, and tests so future promotion from current-policy-baseline to verified-official-source is contract-gated.

What changed

  • Added official-source promotion field support for distro evidence:

    • official_source_name
    • official_source_url
    • official_source_kind
    • verification_scope
    • verified_package_names
    • verified_executable_names
    • verification_note
  • Added official source kind taxonomy:

    • distro-package-index
    • distro-package-recipe
    • upstream-install-doc
    • upstream-release-page
  • Added verification scope taxonomy:

    • package-name-only
    • package-name-and-executable
    • package-name-executable-and-license
  • Added promotion-gate APIs:

    • linux_distro_evidence_promotion_requirements
    • linux_distro_mapping_evidence_promotion_errors
    • linux_distro_mapping_evidence_can_promote
    • linux_distro_mapping_evidence_promotion_matrix
    • linux_distro_mapping_evidence_promotion_summary_for_artifact

Baseline preservation

Generated evidence still defaults to:

  • evidence_source = OS_PACKAGE_NAMES
  • evidence_source_type = repository-local-policy
  • evidence_status = current-policy-baseline
  • external_verification_required_for_new_mappings = true

Generated baseline records do not claim official-source evidence and are not promotable.

No current generated record is promoted to verified-official-source.

Promotion gate behavior

A distro evidence record may be treated as verified-official-source only when it includes complete promotion data:

  • official source name
  • official source URL
  • official source kind
  • verification scope
  • verified package names matching package names
  • verified executable names matching executable names
  • verification note
  • non-repository-local source type
  • external_verification_required_for_new_mappings = false
  • release_blocking = false only when the promotion evidence is complete

Verifier hardening

The verifier now rejects:

  • verified-official-source evidence without official_source_name
  • verified-official-source evidence without official_source_url
  • verified-official-source evidence using repository-local-policy
  • unknown official_source_kind
  • unknown verification_scope
  • mismatched verified_package_names
  • mismatched verified_executable_names
  • missing verification_note
  • verified evidence that still requires external verification
  • baseline evidence with external verification disabled
  • baseline evidence with official-source claims
  • blocked/missing official evidence that is not release-blocking

Explicit non-scope

This PR does not:

  • promote existing mappings to verified-official-source
  • add official-source URLs
  • add package versions
  • add checksums
  • add official package metadata
  • add new package names
  • run package managers
  • download anything
  • vendor binaries or archives
  • weaken the Full-required baseline
  • reclassify required tools as optional
  • touch UI/provider/parser/TextMate/theme code

Validation

Passed locally / by agent report:

uv run ruff check src tests scripts
uv run ruff format --check src tests scripts
uv run python scripts/check_runtime_imports.py
uv run pytest -q tests/packaging/test_f4_linter_linux_provisioning.py
uv run pytest -q tests/packaging
uv run pytest -q tests/extensions/linters
uv run pytest -q tests/docs

Observed results:

tests/packaging/test_f4_linter_linux_provisioning.py: 75 passed
tests/packaging: 448 passed
tests/extensions/linters: 226 passed
tests/docs: 18 passed

Safety:

No mappings promoted.
No new package names.
No official URLs.
No package versions.
No checksums.
No package-manager calls.
No downloads.
No network calls.
No vendored binaries.
No generated release artifacts.
No UI/provider/parser/TextMate/theme changes.

Next work

A follow-up PR can add the first real official-source evidence record for one existing package mapping, using actual official distro documentation and without changing package names.

Summary by CodeRabbit

  • New Features

    • Added support for richer Linux distro evidence tracking, including official-source details, verification scope, and verified package/executable baselines.
    • Introduced visibility into whether evidence can be promoted, plus summary views for promotion status across artifacts.
  • Bug Fixes

    • Tightened manifest validation so evidence is checked against its current status and rejects missing, mismatched, or invalid verification details.
    • Improved handling of baseline and verified evidence to better reflect release-blocking requirements.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds an official-source evidence taxonomy, manifest schema fields, and a new promotion-gate API to the Linux provisioning linter for promoting distro evidence to "verified-official-source" status. Verifier validation is extended with promotion-state-specific rules, and corresponding test coverage/helpers are added.

Changes

Distro evidence promotion gate

Layer / File(s) Summary
Official-source taxonomy and allowed value sets
scripts/f4_linter_linux_provisioning.py
Adds literal types for official source kind and verification scope, plus allowed value sets for official evidence source types, kinds, and scopes.
Manifest schema and evidence record fields
scripts/f4_linter_linux_provisioning.py
Extends manifest field definitions with canonical/baseline/promotion field groups and official-source/verified-name fields; extends LinuxDistroMappingEvidenceRecord accordingly and updates serialization to emit verified_* fields.
Promotion-gate public API
scripts/f4_linter_linux_provisioning.py
Adds functions to compute promotion requirements, per-record promotion errors, promotability, and per-artifact promotion matrices/summaries.
Verifier normalization and promotion-state validation
scripts/f4_linter_linux_provisioning.py
Makes mismatch checking status-aware, normalizes verified_* arrays, and adds promotion-state validation rules for verified-official-source, current-policy-baseline, and blocked evidence.
Promotion and verifier test coverage
tests/packaging/test_f4_linter_linux_provisioning.py
Adds helpers and tests for promotion behavior, negative verifier tests for verified-official-source evidence, refactors tampering tests to use a shared evidence helper, and extends release-blocking summary tests with promotion counts.

Estimated code review effort: 4 (Complex) | ~60 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding a Linux F4 evidence promotion gate.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/f4-linux-evidence-promotion-gate

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/f4_linter_linux_provisioning.py`:
- Around line 1125-1144: The promotion requirements in
linux_distro_evidence_promotion_requirements are duplicating values that are
already enforced by the verifier, so the published contract can drift from the
actual accepted set. Update this function to derive official_source_types,
official_source_kinds, and verification_scopes directly from
LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES,
LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES, and
use sorted() so the returned tuples remain deterministic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e4714ca3-0004-4a7a-9e91-4e5956b8539a

📥 Commits

Reviewing files that changed from the base of the PR and between 97d07b7 and 51b0339.

📒 Files selected for processing (2)
  • scripts/f4_linter_linux_provisioning.py
  • tests/packaging/test_f4_linter_linux_provisioning.py

Comment on lines +1125 to +1144
def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]:
"""Return the official-source fields required to promote distro evidence."""
return {
"required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS,
"official_source_types": (
"official-distro-metadata",
"upstream-project-docs",
),
"official_source_kinds": (
"distro-package-index",
"distro-package-recipe",
"upstream-install-doc",
"upstream-release-page",
),
"verification_scopes": (
"package-name-only",
"package-name-and-executable",
"package-name-executable-and-license",
),
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Derive the advertised requirements from the validation sets to avoid drift.

official_source_types, official_source_kinds, and verification_scopes are hardcoded here but the verifier validates against LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES, LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES. These two copies can silently diverge (e.g., a kind added to a frozenset but not the tuple), so the published promotion contract would no longer match what the verifier actually accepts. Derive them from the single source of truth, using sorted() for deterministic ordering.

♻️ Derive from the frozensets
     return {
         "required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS,
-        "official_source_types": (
-            "official-distro-metadata",
-            "upstream-project-docs",
-        ),
-        "official_source_kinds": (
-            "distro-package-index",
-            "distro-package-recipe",
-            "upstream-install-doc",
-            "upstream-release-page",
-        ),
-        "verification_scopes": (
-            "package-name-only",
-            "package-name-and-executable",
-            "package-name-executable-and-license",
-        ),
+        "official_source_types": tuple(sorted(LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES)),
+        "official_source_kinds": tuple(sorted(LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS)),
+        "verification_scopes": tuple(sorted(LINUX_ALLOWED_VERIFICATION_SCOPES)),
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]:
"""Return the official-source fields required to promote distro evidence."""
return {
"required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS,
"official_source_types": (
"official-distro-metadata",
"upstream-project-docs",
),
"official_source_kinds": (
"distro-package-index",
"distro-package-recipe",
"upstream-install-doc",
"upstream-release-page",
),
"verification_scopes": (
"package-name-only",
"package-name-and-executable",
"package-name-executable-and-license",
),
}
def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]:
"""Return the official-source fields required to promote distro evidence."""
return {
"required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS,
"official_source_types": tuple(sorted(LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES)),
"official_source_kinds": tuple(sorted(LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS)),
"verification_scopes": tuple(sorted(LINUX_ALLOWED_VERIFICATION_SCOPES)),
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/f4_linter_linux_provisioning.py` around lines 1125 - 1144, The
promotion requirements in linux_distro_evidence_promotion_requirements are
duplicating values that are already enforced by the verifier, so the published
contract can drift from the actual accepted set. Update this function to derive
official_source_types, official_source_kinds, and verification_scopes directly
from LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES,
LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES, and
use sorted() so the returned tuples remain deterministic.

@SSobol77 SSobol77 merged commit d97ca0b into main Jul 9, 2026
5 checks passed
@SSobol77 SSobol77 deleted the feature/f4-linux-evidence-promotion-gate branch July 9, 2026 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant