docs(README): retire TQL aspiration; spell out independence + MC/DC limits#114
Merged
Three honesty edits to the v0.1.3 README's "For Auditors" section,
following a critical-review pass that flagged places where the
positioning oversells what the tool actually delivers today.
1. **Verification independence**: the previous wording suggested
`sha256sum -c SHA256SUMS` constitutes an independent verification
path. It does not — that command re-checks integrity of the
recorded hashes but cannot answer the auditor's actual question:
*did the tool record the correct hashes in the first place?*
New text spells this out and points at the cross-host CI gate
as the closest current proxy. A real second-implementation
verifier is now explicitly listed in the 1.0 backlog.
2. **MC/DC coverage at DAL-A**: the upstream reality is that
stable Rust no longer exposes MC/DC instrumentation
(`-Zcoverage-options=mcdc` was removed by
rust-lang/rust#144999, merged 2025-08-08). A DAL-A project
running `cargo evidence generate --profile cert` today
produces a bundle whose A7-10 objective reports `NotMet` —
terminal can still be `VERIFY_OK` because branch coverage was
met. New section names this asymmetry explicitly, points at
the auxiliary-qualified-tool path (LDRA / VectorCAST / Rapita)
as the practical 2026 answer, and flags two follow-up items
for the 0.2 backlog: fail-loud on missing MC/DC at DAL-A,
and a `[dal.A].auxiliary_mcdc_tool` schema hook to record
external evidence by reference.
3. **TQL aspiration retired**: the old text said "treat any TQL
number you may see in older notes as an aspirational target,
not a current claim." That left the aspiration faintly alive
in the prose. Retired explicitly here with a list of the
minimum-viable DO-330 qualification artefacts (PSAC, SVVP,
SVR, SCM Plan, SQA Plan, Qualification Report) that don't
exist yet, and a pointer at the 1.0-backlog
`cert/DO-330-TEMPLATE/` placeholder.
No code change. No trace change. No floor bumps.
Summary
Doc-only honesty pass on the v0.1.3 README's "For Auditors" section. No code change, no trace change, no floor bumps.
Three edits
1. Verification independence — the wording was an overclaim

Before: "For independent verification, run `sha256sum -c SHA256SUMS` against the bundle with a separate utility, or use a different verifier."

After: spells out that `sha256sum -c` re-checks integrity of the recorded hashes but cannot answer the auditor's actual question — did the tool-under-qualification record the correct hashes in the first place? The current closest proxy is the cross-host CI gate (which re-runs the tool on a different OS and compares `content_hash` byte-for-byte). A real second-implementation verifier is now explicitly named as a 1.0-backlog item.

2. MC/DC at DAL-A — currently unavailable

New subsection. Tells projects upfront that stable Rust does not currently expose MC/DC instrumentation (rust-lang/rust#144999 removed `-Zcoverage-options=mcdc` on 2025-08-08; the rust-lang/rust#124144 tracking issue is open with no active reimplementation). Calls out the asymmetric failure mode: a DAL-A project running `cargo evidence generate --profile cert` today gets `compliance/<crate>.json.A7-10 = NotMet`, but the bundle terminal can still be `VERIFY_OK` because branch coverage was met. A careful auditor reads the A7-10 line; a careless one signs off. Names the practical 2026 answer (auxiliary qualified tool: LDRA / VectorCAST / Rapita) and flags two follow-ups for 0.2: fail-loud on missing MC/DC at DAL-A, and a `[dal.A].auxiliary_mcdc_tool` schema hook.

3. TQL aspiration retired

The old text said "treat any TQL number you may see in older notes as an aspirational target, not a current claim", which left the aspiration faintly alive. The new text retires it explicitly with a list of the minimum-viable DO-330 qualification artefacts (PSAC, SVVP, SVR, SCM Plan, SQA Plan, Qualification Report, signed by an independent DER) that don't exist yet, and points at `cert/DO-330-TEMPLATE/` as the 1.0-backlog placeholder.
Test plan
🤖 Generated with Claude Code
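The distinction in edit 1 (manifest re-check versus independent recomputation) in runnable form. This is an added example written for this page, not the project's own verifier or bundle format: the bundle layout (`evidence.json` carrying `content_hash`, plus a `SHA256SUMS` manifest over the other bundle files) and the way `content_hash` is derived from a source tree are both assumptions made for the illustration. The scenario is constructed: the tool hashed a stale checkout, so every digest it wrote is self-consistent and the `sha256sum -c`-style check passes, while a second implementation that recomputes `content_hash` from the real inputs catches the mismatch.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def content_hash(root: Path) -> str:
    """Independent recomputation of a tree hash: sorted (relative POSIX path, file digest)
    pairs fed to one SHA-256. This construction is an ASSUMPTION for the example; a real
    second-implementation verifier must follow the tool's documented definition exactly,
    otherwise a mismatch proves nothing."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(p.relative_to(root).as_posix().encode())
            h.update(b"\0")
            h.update(sha256_file(p).encode())
            h.update(b"\n")
    return h.hexdigest()


def write_bundle(bundle: Path, recorded_content_hash: str) -> None:
    """Emulate the tool-under-qualification writing a bundle.
    ASSUMED layout: evidence.json carrying content_hash, plus a SHA256SUMS manifest over
    every other bundle file in sha256sum's "<digest>  <name>" format."""
    bundle.mkdir(parents=True, exist_ok=True)
    (bundle / "evidence.json").write_text(
        json.dumps({"content_hash": recorded_content_hash}, indent=2) + "\n"
    )
    lines = [
        f"{sha256_file(p)}  {p.relative_to(bundle).as_posix()}"
        for p in sorted(bundle.rglob("*"))
        if p.is_file() and p.name != "SHA256SUMS"
    ]
    (bundle / "SHA256SUMS").write_text("\n".join(lines) + "\n")


def check_sha256sums(bundle: Path) -> bool:
    """What `sha256sum -c SHA256SUMS` establishes: the bundle files still match the digests
    the tool recorded. It cannot tell whether those were the right digests to record."""
    for line in (bundle / "SHA256SUMS").read_text().splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        if sha256_file(bundle / name) != digest:
            return False
    return True


def check_independent(bundle: Path, source: Path) -> bool:
    """Second-implementation check: recompute content_hash from the actual inputs and
    compare it with the value the tool recorded."""
    recorded = json.loads((bundle / "evidence.json").read_text())["content_hash"]
    return content_hash(source) == recorded


def demo() -> dict:
    """Constructed scenario: one bundle built from the source tree under audit, one built
    by a tool that hashed a stale checkout. Returns (sha256sum_c, independent) per bundle."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        src = root / "src"
        (src / "lib").mkdir(parents=True)
        (src / "lib" / "main.rs").write_text("fn main() { current(); }\n")
        stale = root / "stale"
        (stale / "lib").mkdir(parents=True)
        (stale / "lib" / "main.rs").write_text("fn main() { old(); }\n")

        good = root / "bundle_good"
        write_bundle(good, content_hash(src))
        faulty = root / "bundle_faulty"
        write_bundle(faulty, content_hash(stale))

        return {
            "good": (check_sha256sums(good), check_independent(good, src)),
            "faulty": (check_sha256sums(faulty), check_independent(faulty, src)),
        }


if __name__ == "__main__":
    print(demo())
```

The faulty bundle passes the manifest check because the tool wrote both the wrong `content_hash` and a manifest that correctly covers the file containing it; only recomputation from the inputs exposes the error. The cross-host CI gate the README now points at is the same recomputation idea with the same implementation on a different OS, which catches platform-dependent bugs (path ordering, line endings) but not a bug shared by both runs; a verifier written independently of the tool, as this one is relative to a Rust tool, is what closes that gap.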