Skip to content

v0.2.2 — audit hardening: real governance semantics + a standing evidence gate

Choose a tag to compare

@haeliotang haeliotang released this 10 Jul 18:31
aecf068

A fourth adversarial review pass (AI-assisted self-audit) found that v0.2.1's "credibility complete" was said a step early: the engineering was done, but the load-bearing governance semantics had gaps and the evidence was verified once, not continuously. v0.2.2 closes those.

Pinned to commit aecf068. The credential packet is attached to this release (sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1); links below point at the tag, not a moving branch.

Review-debt consumption is now real, not a self-declaration (findings 1–3)

The audit submitted a blank name, a forged seat, and a duplicate id and got a 200 with the debt cleared. No longer:

  • Identity — a blank attested_by/declared_scope is rejected; seat_id, when given, must reference a seat the run actually declared (runs now carry reviewer_seats). Identity remains self-declared, not authenticated — stated plainly in SECURITY.md, not pretended away.
  • Digest binding — clearing is bound to the exact record reviewed. If the run is overwritten after the fact, the digest no longer matches, the debt reopens, and the item is flagged stale_attestation. "The attestation pins the record" is now enforced, not asserted.
  • Idempotency — duplicate ids in one request are deduped; the cleared metric counts only open→cleared transitions, so re-clearing never double-counts.

Each attack is now a regression test.

Evidence is a standing gate, not a one-time check (finding 4)

New release-evidence CI job downloads the credential packet by fixed URL on every push, checks the pinned sha256, verifies the 7/7 internal SHA chain, and reproduces the verdict table with stock python3. If the published asset ever drifts, CI goes red. CI is now 9 jobs.

Also

  • clinic hygiene — the missing-artifact→skip hook no longer raises during teardown: 441 passed / 82 skipped, 0 warnings (was 61). Public suite vs private-compatibility suite documented.
  • Doc drift fixed — threat-model no longer claims "no rate limiting yet"; "nine objects" and "every claim by a test" softened to match reality; object-model documents all five debt-consumption rules.
  • Issue split#12 (OTel GenAI semconv) and #21 (TRACE_VERSION reject/migration) are now separate failure surfaces.
  • v0.2.0's notes were corrected in place (the packet is published); v0.2.1 was left untouched.

Honest status

Engineering ✅ · internal reproducibility ✅ · public self-attestation ✅ · governance semantics ✅ (this release). Still open, and not overclaimed: independent external reproduction — no third party has yet run the packet/quickstart (0 stars/forks; this is a new repo). That, plus a 90-second demo, is the next step — worth more right now than more infra.