Skip to content

v0.2.4 — real seat accountability, v2 content-bound digest, and honest boundaries

Choose a tag to compare

@haeliotang haeliotang released this 11 Jul 18:16
fb4e4de

A sixth adversarial review pass (AI-assisted self-audit) found that v0.2.3's "structural accountability" was again an overclaim — the third round in a row where a governance layer was declared closed and the next pass falsified it. v0.2.4 fixes the real holes and changes how the claims are made, so they stop being falsifiable-by-nitpick.

Pinned to commit ac0ada0..fb4e4de. The credential packet is no longer attached here — it has one canonical home, the credential-packet-v1 evidence release (sha256 af6e4142…), because the evidence has a different lifecycle than the software.

Seats are no longer vacuous (finding 1)

ReviewerSeat(id="") was legal and duplicate seat ids (two people, one seat) were accepted — accountability that points at nothing. Now id/name/role/scope are non-blank and seat ids must be unique within a run.

The digest binds what was reviewed (finding 2)

v1 under-bound the record: deleting the seat a human cleared under, or changing a policy reason, left the debt cleared (the "exact record" claim was false). New v2 binds an explicit allowlist — run id, task id, agent, reviewer seats, per-step digests, and the full policy decisions (id, policy_id, rule_id, decision, reason) — excluding volatile fields. Both attacks now reopen the debt. v1 clearing power is revoked (finding 3: an explicit version-deprecation policy, not silent accumulation).

Claims discipline + registered boundaries

The false "exact record" / "structural accountability closed" language is gone. New docs/limitations.md states what is not enforced, each with a tracking issue: seat authorization vs reference (#29), attestation supersession/contested (#30), goal-prose binding (#31), /metrics N+1 (#32), clinic↔ARO executable interface (#33). A reference implementation that names its own edges can't be falsified by finding one.

Also

  • Single canonical packet source (finding 4); all package versions already aligned to 0.2.x (finding 6).

Honest status

Sequential + concurrent governance semantics ✅ · seat accountability (non-vacuous, unique, content-bound) ✅ · boundaries registered, not hidden ✅. Unchanged and deliberately not overclaimed: independent external reproduction — no third party has run the packet/quickstart (0 stars/forks; CI is the main downloader). After this the engineering line is frozen; the next step is one real external reproducer, which is worth more than any further internal hardening.


Correction / superseded by v0.2.5 (2026-07-11): the line above claiming a limitations doc makes the project "can't be falsified" was itself an overclaim — a seventh review immediately falsified it via an unregistered invariant. The honest framing is "known limitations as of vX + these specific properties are verified," never "unfalsifiable." Two real issues found after this tag and fixed in v0.2.5: (1) uniqueness was enforced only on the Script, not the persisted AgentRun, so a run with duplicate decision ids let one attestation clear two items; (2) this tag's software metadata still reported 0.2.3. History left intact.