DYADT verifier: reject always-matching contains: patterns + minor spec/coverage gaps #461

Description

@hyperpolymath

Child of #460. A 3-lens adversarial review of the DYADT reference verifier (scripts/verify-claims.sh) confirmed 16 holes; 15 were fixed in the Wave-4 hardening (#458). This tracks the residual + minor items.

Residual (real, must fix)

Always-matching contains: regex vacuously confirms. The hardening rejects an empty contains: pattern, but not a trivially-always-matching one. expect="contains:.*" (also ^, $, ., .+) passes grep -Eq against any non-empty file → confirmed for content the agent never added.

  • Fix: require a contains: pattern to contain at least one literal (non-metacharacter) character — reject if, after stripping regex metachars/quantifiers, nothing remains. Add a conformance vector (always-match.a2ml → unverifiable).
  • Note: stdout-contains: uses fixed-string grep -F, so .* there is a literal search and is NOT vacuous; only the regex contains: is affected.

Minor (spec clarity / coverage)

  • Regex dialect unspecified (contains:<regex>): the reference uses POSIX ERE (grep -E); two conforming verifiers could disagree. Pin the dialect in CLAIM-FORMAT.adoc.
  • Over-broad licence guard (LOW, accepted): any claim whose fields contain licence/license/SPDX → unverifiable manual-only. This is fail-safe (a benign claim flagged manual-only is harmless per the Manual-Only policy), but could be narrowed to claim_class/an explicit flag later.
  • Conformance coverage: several normative MUSTs still lack a vector. Add vectors so the production verifier is fully constrained.

Acceptance: the always-match hole is closed with a regression assertion + conformance vector; the spec pins the regex dialect.
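
One way to implement the check proposed under "Fix" above, as an added example that is not part of the issue and not code from scripts/verify-claims.sh. The function names are hypothetical and the sample patterns are constructed. It goes one step beyond the issue's rule by also probing the pattern against an empty line, which catches patterns such as `a*` that contain a literal yet still match any file.

```shell
#!/bin/sh
# Added example; not code from scripts/verify-claims.sh.
# Function names are hypothetical; sample patterns are constructed.

# has_literal PATTERN
# The issue's rule: strip ERE metacharacters and quantifiers and
# succeed only if at least one character remains. Interval
# quantifiers like {2,3} are removed first so their digits do not
# count as literals. Escaped metacharacters such as '\.' are also
# rejected, which is the fail-safe direction.
has_literal() {
    stripped=$(printf '%s' "$1" \
        | sed -E 's/\{[0-9]*,?[0-9]*\}//g' \
        | tr -d '][(){}|.^$*+?\\')
    [ -n "$stripped" ]
}

# matches_empty PATTERN
# Extra probe (assumption, not in the issue): a pattern that matches
# an empty line matches every line, so 'a*' or 'x?' is as vacuous as
# '.*' even though it contains a literal.
matches_empty() {
    printf '\n' | grep -Eq -- "$1"
}

# check_contains_pattern PATTERN
# Prints "ok" or "reject"; returns 0 only for an acceptable pattern.
check_contains_pattern() {
    if [ -z "$1" ] || ! has_literal "$1" || matches_empty "$1"; then
        echo reject
        return 1
    fi
    echo ok
}

# Demo over constructed patterns.
for p in '.*' '^' '$' '.' '.+' 'a*' 'fn main\(' 'TODO|FIXME'; do
    printf '%-12s %s\n' "$p" "$(check_contains_pattern "$p" || true)"
done
```
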

Labels: bug
