feat(go): port binaryCid + targetProofCid + sourceContractCid + EvidenceTerm to Go kit

[TSavo]

Summary

Cross-impl conformance: port the four protocol fields from the Rust
reference into the Go kit so Go-minted .proof bundles + bridge
mementos stay JCS-byte-identical to Rust / TS / C++ / Python.

Per-field landing site

binaryCid (proof envelope back-pin)

Spec: protocol/specs/2026-04-30-proof-file-format.md (v1.3.0).

Site	Status
proof_envelope/builder.go Input.BinaryCID	Added
proof_envelope/builder.go bodyPairsUnsigned	Conditionally appends pair when BinaryCID != "" (mirrors Rust Option<String> skip-when-None)
Verifier-side binaryCid enforcement (running-binary hash check)	Stored only — not enforced. Matches Rust today; per the spec, future verifier work owns the running-binary hash check.

targetProofCid + sourceContractCid (bridge fields)

Spec: protocol/specs/2026-04-30-ir-formal-grammar.md (BridgeDeclaration locked key order, promoted normative in PR #10).

Site	Status
ir/property.go BridgeSpec	Added both fields
ir/property.go BridgeDeclaration	Added both fields
ir/property.go BridgeDeclaration.MarshalJSON	Emits the spec key order: kind, name, sourceSymbol, sourceLayer, sourceContractCid, targetContractCid, targetProofCid, targetLayer, notes?
ir/property.go Bridge() collector	Plumbs both fields from spec to declaration
ir/extensions.go PrimitiveBridgeDeclaration	Added both fields with omitempty (so kit primitives that have not yet been re-emitted by their tooling stay byte-equal across kits)
claim_envelope/bridge_minter.go BridgeMintArgs + MintBridge body map	Added both; included in body when non-empty
verifier/types.go CallSite.BridgeSourceContractCID + .BridgeTargetProofCID	Added
verifier/enumerate_callsites.go	Reads both off bridge body when constructing CallSite records
Cross-bundle targetProofCid resolution (verifier enforcement)	Stored only — not enforced. Matches the Rust CallSite shape; enforcement is owned by the parallel fix/verifier-enforce-target-proof-cid track.

EvidenceTerm

Site	Status
ir/property.go EvidenceTerm + MarshalJSON	Already conformant. Confirmed field-by-field against provekit-ir-types::EvidenceTerm (kind, proofType, certificate.{tool, version, formulaHash, proofData}) and Rust's parse_evidence_at. The Go MarshalJSON hardcodes "kind":"evidence" which matches Rust's serde-derived shape exactly. No code change required.

Golden test status

Two new cross-impl pinning tests added:

• ir/canonical_form_test.go — TestCanonicalFormBridgeWithPinning and TestCanonicalFormBridgeWithPinningAndNotes pin the exact byte sequence of a BridgeDeclaration JSON, including the locked key order and the notes omit-when-empty rule.
• proof_envelope/builder_test.go — three tests mirroring Rust's build_minimal_proof_round_trips. Assert map-head 0xA7 for the minimal envelope, 0xA8 when binaryCid is added, and 0xA7 again when BinaryCID == "" (omit-when-empty).

A full byte-equal cross-impl .proof round-trip would require pinning the deterministic ed25519 signature; that is beyond the scope of this PR (and would re-pin if the Rust deterministic-signing seed changes). The map-head + key-presence assertions are the smallest defensible cross-impl conformance check.

Third-rail issues / scope notes

• Cargo.lock / Rust source / TypeScript source / Python source / spec files / workflows — untouched (parallel agents own those).
• metadata field on Input (Rust has Option<BTreeMap<String, String>> metadata) — out of scope for this PR; not in the task brief. Adding it later is a clean follow-up: same conditional-append pattern as binaryCid.
• PrimitiveBridge() factory signature in ir/extensions.go was NOT extended with the two new fields — kept variadic-stable so existing callers compile. The struct fields are present + JSON-emitted via omitempty. Producers that mint bridge memento bodies through claim_envelope.MintBridge (the canonical mint path) get the fields end-to-end; the kit-primitive convenience factory is a soft-port.
• EvidenceTerm parse-back round-trip (consuming a Rust-emitted evidence JSON) — Go has the marshal side but no parse path today; that is a separate gap from this PR's scope.

Test plan

• go build ./... clean across provekit-ir-symbolic, provekit-self-contracts, provekit-lift-go-tests
• go test ./... clean across all three (existing tests pass; 5 new tests pass)
• No em-dashes / en-dashes in the diff
• Cross-impl JCS round-trip confirmed via map-head + key-presence assertions in proof_envelope/builder_test.go
• Bridge JSON byte-equivalence to Rust's serde-derived shape pinned in ir/canonical_form_test.go

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@TSavo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 4 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d7ba3bc-c45a-40c9-bba9-6c8796ff49ec

📥 Commits

Reviewing files that changed from the base of the PR and between ede9dce and 2fff221.

📒 Files selected for processing (8)

• implementations/go/provekit-ir-symbolic/claim_envelope/bridge_minter.go
• implementations/go/provekit-ir-symbolic/ir/canonical_form_test.go
• implementations/go/provekit-ir-symbolic/ir/extensions.go
• implementations/go/provekit-ir-symbolic/ir/property.go
• implementations/go/provekit-ir-symbolic/proof_envelope/builder.go
• implementations/go/provekit-ir-symbolic/proof_envelope/builder_test.go
• implementations/go/provekit-ir-symbolic/verifier/enumerate_callsites.go
• implementations/go/provekit-ir-symbolic/verifier/types.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/go-cross-impl-binary-cid-target-proof-cid-source-contract-cid-evidence

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 46 minutes and 4 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR ports newer protocol pinning fields into the Go implementation so Go-authored bridge declarations, bridge mementos, and .proof envelopes can move toward byte-for-byte conformance with the other language kits and the updated v1.3 grammar/specs.

Changes:

• Added binaryCid support to proof-envelope building plus conformance tests for omit-when-empty behavior.
• Added sourceContractCid and targetProofCid across IR bridge declarations, bridge minting, and verifier call-site extraction.
• Added golden tests to pin JSON field order and serialized bridge shape for cross-implementation consistency.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
implementations/go/provekit-ir-symbolic/verifier/types.go	Extends CallSite with stored bridge pinning fields and updates comments.
implementations/go/provekit-ir-symbolic/verifier/enumerate_callsites.go	Plumbs sourceContractCid and targetProofCid from bridge bodies into call sites.
implementations/go/provekit-ir-symbolic/proof_envelope/builder_test.go	Adds proof-envelope tests for binaryCid presence/omission and map size.
implementations/go/provekit-ir-symbolic/proof_envelope/builder.go	Adds optional BinaryCID to proof-envelope input and emitted CBOR body.
implementations/go/provekit-ir-symbolic/ir/property.go	Extends bridge IR structs/serialization with new pinning fields and key order.
implementations/go/provekit-ir-symbolic/ir/extensions.go	Extends primitive bridge declarations with optional new pinning fields.
implementations/go/provekit-ir-symbolic/ir/canonical_form_test.go	Adds golden JSON tests for bridge declarations with pinning fields.
implementations/go/provekit-ir-symbolic/claim_envelope/bridge_minter.go	Extends bridge minting args/body with the new bridge pinning fields.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2fff221c15

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require new bridge pinning fields when minting bridges

MintBridge now adds sourceContractCid and targetProofCid only when the caller sets them, so existing call sites that were updated to the new struct but leave these fields empty will silently mint bridge mementos without the new pins. That defeats the purpose of this port (the verifier later receives empty BridgeSourceContractCID / BridgeTargetProofCID) and creates under-specified bridges even though this function already treats other bridge identity fields as required. This should fail fast (or always emit validated non-empty CID values) instead of quietly omitting the keys.

Useful? React with 👍 / 👎.