feat(governance): commit acceptor evidence runner#492
Merged
neuron7xLab merged 1 commit intofeat/commit-acceptor-layerfrom Apr 27, 2026
Merged
Conversation
…FIED loop) Closes the ACTIVE→VERIFIED transition opened by PR #491. Where #491 shipped the diff-bound acceptor schema + validator + CI gate, this PR adds the runner that actually executes measurement_command and falsifier.command, captures stdout+stderr to declared artifact paths, hashes every artifact (sha256, lowercase 64-char hex), and writes the evidence_sha256 list back to the acceptor YAML. With --promote and a PASS verdict, status flips from ACTIVE to VERIFIED in-place. Files added: - tools/commit_acceptor/run_evidence.py (557 lines) - tests/unit/commit_acceptor/test_run_evidence.py (23 tests) - tmp/run_evidence_dogfood.json (evidence-of-evidence for the runner itself, run against the two existing acceptors) Public API: - EvidenceResult (frozen dataclass, sorted JSON serialisation) - run_acceptor(acceptor, repo_root, *, timeout_s, runner) -> EvidenceResult - update_acceptor_yaml(path, result, *, promote_to_verified) -> None - main(argv) -> int (CLI: --acceptor-id/--all, --promote, --re-verify, --timeout-s [10, 3600], --summary-out, --repo-root) Test count: 23/23 PASS (67/67 in tests/unit/commit_acceptor) Gates: ruff check + ruff format --check + black --check + mypy --strict + validate_commit_acceptor (with and without --require-acceptor- for-code-change) — all green. Falsifier mutation probes (all 6 caught by tests): #1 skip --promote success guard → test 8 FAILS as expected #2 truncate sha256 to 8 chars → test 22 FAILS as expected #3 always return verdict=PASS → tests 2 + 3 FAIL as expected #4 skip artifact existence check → test 4 FAILS as expected #5 stop skipping DRAFT acceptors → test 10 FAILS as expected #6 strip evidence_sha256 sort → test 6 FAILS as expected Dogfood verdict counts (from tmp/run_evidence_dogfood.json): PASS: 1 (commit-acceptor-layer) SIGNAL_FAILED: 1 (canonical-action-result-comparator — tests/unit/control not present in this branch; honest null) Security: subprocess.run(shell=True, ...) trusts maintainer-committed acceptor YAML. Acceptor schema is enforced by the validator (PR #491) before the runner ever sees a file. Per the chronology-discipline contract, this runner is execution proof, NOT chronology proof — it claims only "command exited 0 and these are the artifact hashes". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
neuron7xLab
added a commit
that referenced
this pull request
Apr 27, 2026
…r-layer (#493) The dogfood JSON committed in PR #492 has extension .json which the commit-acceptor policy treats as code, triggering "code change without acceptor" on the diff-binding CI gate. Add it to the self-acceptor's diff_scope so the gate is satisfied. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 52ba6e7f7f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+171
to
+175
| if p.is_absolute(): | ||
| # Reject path traversal via absolute paths in artifact declarations. | ||
| # Acceptor artifact paths must be repo-relative. | ||
| return p | ||
| return (repo_root / p).resolve() |
There was a problem hiding this comment.
_resolve_under_repo currently returns absolute paths unchanged and resolves relative paths without checking containment, so an acceptor can set signal_artifact/falsifier_artifact/evidence to /tmp/... or ../... and the runner will read/write outside the repository. This breaks the tool’s repo-scoped guarantee and can overwrite unrelated files during evidence runs; the resolved path should be rejected unless it is a descendant of repo_root.
Useful? React with 👍 / 👎.
Comment on lines
+499
to
+503
| fa_raw = f.get("falsifier_artifact") or f.get("artifact") | ||
| if isinstance(fa_raw, str): | ||
| fa = fa_raw | ||
| if fa is not None: | ||
| sha_entries.append({"path": fa, "sha256": result.falsifier_artifact_sha256}) |
There was a problem hiding this comment.
run_acceptor always computes a falsifier artifact hash (using a fallback path when falsifier_artifact is not declared), but update_acceptor_yaml only appends that hash when the YAML explicitly contains falsifier_artifact/artifact. For acceptors that rely on the documented fallback path, evidence_sha256 silently omits the falsifier artifact, so the YAML no longer records all produced artifacts and cannot be fully replay-verified.
Useful? React with 👍 / 👎.
Comment on lines
+550
to
+553
| try: | ||
| acc = _load_acceptor(p) | ||
| except (OSError, yaml.YAMLError, ValueError): | ||
| continue |
There was a problem hiding this comment.
The selector swallows YAML and file read errors and continues, which lets main() return success even when an acceptor file is malformed/unreadable (as long as remaining selected acceptors pass). In CI this creates a false green governance signal because broken acceptor definitions are ignored rather than treated as a hard failure.
Useful? React with 👍 / 👎.
neuron7xLab
added a commit
that referenced
this pull request
Apr 27, 2026
* feat(governance): diff-bound commit acceptor layer (promise→diff→signal→falsifier→rollback→evidence→memory)
Invariant: every code-modifying commit landing on main MUST be governed by
at least one acceptor under .claude/commit_acceptors/ that declares the
full six-step contract. Unbound code commits are rejected fail-closed by
the new Commit Acceptor Gate workflow on every PR and merge-queue entry.
Files added:
- .claude/commit_acceptor_policy.yaml (claim caps + forbidden imports)
- .claude/commit_acceptor_template.yaml (canonical schema, status DRAFT)
- .claude/commit_acceptors/canonical-action-result-comparator.yaml
(ACTIVE, documents PR #490)
- .claude/commit_acceptors/commit-acceptor-layer.yaml
(ACTIVE, self-acceptor for this PR)
- tools/commit_acceptor/{__init__.py,validate_commit_acceptor.py}
(validator + CLI)
- tests/unit/commit_acceptor/{__init__.py,test_validate_commit_acceptor.py}
(44 tests, all 41 spec probes)
- .github/workflows/commit-acceptor-gate.yml (PR + merge_group, 3.11/3.12)
- docs/reports/diff_bound_commit_acceptor_layer.md (closure report)
Forbidden schema fields (rejected anywhere): forbidden_symbols,
max_files_changed, generated_at. Forbidden import patterns enforced via
AST: trading, execution, forecast, policy. Distinct from CLAIMS layer
(.claude/claims/CLAIMS.yaml) — per-commit, diff-bound, not modified.
Local gates green: validator (static), validator (diff-binding +
require-acceptor-for-code-change), pytest 44/44, ruff, ruff format,
black, mypy --strict. Probe matrix 15/15 with idempotence
(sha256 of acceptor unchanged across two consecutive validator runs).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(governance): commit acceptor evidence runner (closes ACTIVE→VERIFIED loop) (#492)
Closes the ACTIVE→VERIFIED transition opened by PR #491. Where #491
shipped the diff-bound acceptor schema + validator + CI gate, this PR
adds the runner that actually executes measurement_command and
falsifier.command, captures stdout+stderr to declared artifact paths,
hashes every artifact (sha256, lowercase 64-char hex), and writes the
evidence_sha256 list back to the acceptor YAML. With --promote and a
PASS verdict, status flips from ACTIVE to VERIFIED in-place.
Files added:
- tools/commit_acceptor/run_evidence.py (557 lines)
- tests/unit/commit_acceptor/test_run_evidence.py (23 tests)
- tmp/run_evidence_dogfood.json (evidence-of-evidence for the runner
itself, run against the two existing acceptors)
Public API:
- EvidenceResult (frozen dataclass, sorted JSON serialisation)
- run_acceptor(acceptor, repo_root, *, timeout_s, runner) -> EvidenceResult
- update_acceptor_yaml(path, result, *, promote_to_verified) -> None
- main(argv) -> int (CLI: --acceptor-id/--all, --promote, --re-verify,
--timeout-s [10, 3600], --summary-out, --repo-root)
Test count: 23/23 PASS (67/67 in tests/unit/commit_acceptor)
Gates: ruff check + ruff format --check + black --check + mypy --strict
+ validate_commit_acceptor (with and without --require-acceptor-
for-code-change) — all green.
Falsifier mutation probes (all 6 caught by tests):
#1 skip --promote success guard → test 8 FAILS as expected
#2 truncate sha256 to 8 chars → test 22 FAILS as expected
#3 always return verdict=PASS → tests 2 + 3 FAIL as expected
#4 skip artifact existence check → test 4 FAILS as expected
#5 stop skipping DRAFT acceptors → test 10 FAILS as expected
#6 strip evidence_sha256 sort → test 6 FAILS as expected
Dogfood verdict counts (from tmp/run_evidence_dogfood.json):
PASS: 1 (commit-acceptor-layer)
SIGNAL_FAILED: 1 (canonical-action-result-comparator —
tests/unit/control not present in this branch; honest null)
Security: subprocess.run(shell=True, ...) trusts maintainer-committed
acceptor YAML. Acceptor schema is enforced by the validator (PR #491)
before the runner ever sees a file. Per the chronology-discipline
contract, this runner is execution proof, NOT chronology proof — it
claims only "command exited 0 and these are the artifact hashes".
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(governance): bind tmp/run_evidence_dogfood.json to commit-acceptor-layer (#493)
The dogfood JSON committed in PR #492 has extension .json which the
commit-acceptor policy treats as code, triggering "code change without
acceptor" on the diff-binding CI gate. Add it to the self-acceptor's
diff_scope so the gate is satisfied.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(ci): install numpy in commit-acceptor-gate workflow
The commit-acceptor-gate job runs `pytest tests/unit/commit_acceptor`
which transitively triggers the global `tests/conftest.py`. That conftest
imports `core/utils/determinism.py`, which imports `numpy`. Without
numpy in the venv, pytest fails during collection (before any test runs)
with `ModuleNotFoundError: No module named 'numpy'` — turning both
3.11 and 3.12 matrix jobs red.
Add `numpy` to the install line. Other deps unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(governance): close 6 adversarial-audit holes in commit acceptor validator
The first-pass validator (PR #491) shipped with six bypasses surfaced by
adversarial audit. All six are now closed; each fix is paired with a
test that fails without it (mutation-probed, both directions where
relevant).
Hole 1 — Relative-import bypass (`from . import trading`):
AST detector skipped relative imports entirely. Fixed: when
node.level > 0, check each `alias.name` against forbidden patterns.
Hole 2 — Relative-import false positive (`from .trading import x`):
Symmetric defect. The relative module name `.trading` is a repo-local
sibling submodule, not the forbidden absolute `trading` runtime.
Fixed: for relative imports, only inspect alias names (NOT node.module).
Hole 3 — Path traversal in `diff_scope.changed_files[*].path`:
`../etc/passwd`, `geosync/../../escape`, `/abs`, `path\\windows` were
accepted silently. Added `_is_safe_repo_relative_path` helper rejecting
leading `/`, backslashes, and any `..` component. Applied to both
`changed_files` and `forbidden_paths` for symmetry.
Hole 4 — Empty/whitespace `id` and `promise` summary:
`id: ""` and `promise: " "` passed schema validation. Fixed: explicit
non-empty-after-strip checks on `id` (string) and on `promise` whether
it is a string or a `{summary: ...}` mapping.
Hole 5 — `promise: null` (None / wrong type):
YAML `promise:` (no value) silently passed. Fixed: explicit
`INVALID_PROMISE_BLOCK` rejection when promise is None or
non-string-non-mapping (lists, ints).
Hole 6 — Theater test for relative-import path:
`test_14_relative_import_skipped` only asserted skip; never asserted
catch on `from . import trading` (Hole 1). Replaced with
`test_14_relative_import_two_directions` that asserts BOTH the catch
(alias is forbidden) and the non-flag (relative module name is
repo-local).
New tests added (parametrized where relevant, 17 cases total):
- test_14_relative_import_two_directions (both directions)
- test_path_traversal_in_changed_files_rejected (6 params)
- test_path_traversal_in_forbidden_paths_rejected (3 params)
- test_empty_id_rejected, test_whitespace_id_rejected
- test_empty_promise_summary_rejected, test_whitespace_promise_summary_rejected
- test_promise_dict_with_empty_summary_rejected
- test_null_promise_block_rejected
- test_promise_wrong_type_rejected
Probe matrix: each new test was mutation-probed by stashing the
validator change and re-running the test selector — all 17 cases failed
without the fix and passed with it. Full gate matrix (validator,
diff binding, pytest, ruff, ruff format, black, mypy --strict) green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(ci): scope commit-acceptor pytest with --confcutdir to avoid global conftest deps
The previous fix added numpy to the workflow venv, but tests/conftest.py
also imports pandas (and transitively other deps via core/utils). Rather
than mirror the entire repo's runtime dependency tree into a governance
gate venv, use --confcutdir=tests/unit/commit_acceptor so pytest does
not load the global conftest at all. The commit_acceptor unit tests
are self-contained and need no shared fixtures.
Net effect: workflow dependency line stays minimal (pyyaml/black/ruff
/mypy/pytest only); CI no longer breaks when an unrelated dep is added
to tests/conftest.py.
Verified locally: 83/83 pass with --confcutdir; same set passes without
the flag too.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(ci): silence detect-secrets false-positive on evidence-runner artifact + restore mypy plugin
Three coupled fixes for commit-acceptor-validation jobs:
1. Remove tracked tmp/run_evidence_dogfood.json — sha256 hex digests in
the evidence dogfood snapshot looked like high-entropy secrets to
detect-secrets. The runner can produce a fresh snapshot on demand;
committing one stale instance polluted the secret scanner.
2. Add tmp/ to .gitignore so future runner output stays out of git.
3. Add pydantic to commit-acceptor-gate workflow venv. The repo's
mypy.ini declares pydantic.mypy as a plugin; mypy --strict cannot
load it without the package installed, even when the files under
inspection do not import pydantic.
Self-acceptor updated to drop the dogfood path from changed_files.
Verified locally: 83/83 tests pass with --confcutdir; static validator
PASS; diff-binding gate PASS after this commit because the deletion
no longer appears in the net origin/main..HEAD diff.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(ci): install types-PyYAML for mypy strict in commit-acceptor-gate
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the ACTIVE→VERIFIED transition opened by #491.
PR #491 shipped the diff-bound acceptor schema + validator + CI gate; VERIFIED was aspirational because nothing actually ran the declared
measurement_commandorfalsifier.command. This PR addstools/commit_acceptor/run_evidence.py— a deterministic runner that executes both commands, captures stdout+stderr to declared artifact paths, computes lowercase 64-char hex sha256 over every artifact, writes the sorted-by-pathevidence_sha256list back to the acceptor YAML, and (with--promote) flipsstatus: ACTIVEtostatus: VERIFIEDonly when the verdict is PASS.What's in the box
tools/commit_acceptor/run_evidence.py— runner with public APIEvidenceResult,run_acceptor,update_acceptor_yaml,main. CLI:--acceptor-id/--all,--promote,--re-verify,--timeout-s(clamped to [10, 3600]),--summary-out,--repo-root. Subprocess withshell=True(documented; trusts maintainer-committed YAML, not user input from PRs).tests/unit/commit_acceptor/test_run_evidence.py— 23 tests via dependency-injected runner callable. Each test docstring lists which mutation probe it kills.tmp/run_evidence_dogfood.json— evidence-of-evidence: runner executed against the two existing acceptors.commit-acceptor-layer→ PASS;canonical-action-result-comparator→ honest SIGNAL_FAILED (its tests/unit/control suite isn't present in this branch).Determinism
JSON output uses
sort_keys=True, nogenerated_at.evidence_sha256list is sorted alphabetically by artifact path. YAML round-trip viayaml.SafeDumperwith key-order preservation. Idempotent: two runs with identical inputs produce byte-identical YAML.Falsifier mutation probes (all 6 caught)
--promotesuccess guardevidence_sha256sortGates (all green)
# type: ignore)--require-acceptor-for-code-change)Chronology discipline
Per the chronology-discipline contract, this runner is execution proof, not chronology proof. It claims only "command exited 0 and these are the artifact hashes" — nothing about ordering, causation, or the validity of the underlying claim.
Test plan
pytest tests/unit/commit_acceptorcommit-acceptor-gate.ymlruns green on this PR🤖 Generated with Claude Code