feat(tcl): tool-qualification workstream A + AI session provenance (#127)

[avrabe]

Summary

Ships the smallest viable surface of TCL design workstream A (docs/design/tool-confidence-level.md §7.4) and closes the schema half of #127 AI session provenance. The ai-session and ai-found-defect schemas compose: an AI-introduced defect points back to the session that produced it.

Schema additions

schemas/common.yaml:

• ai-session (feat: AI session provenance — link Claude Code session logs to traceability chain #127) — pins a Claude Code (or other AI) session to a commit. session-id, session-hash, model-id, tool-version, commit-sha, started-at, ended-at, invoker.
• ai-found-defect (TCL A3) — typed record for AI-introduced errors that rivet's detection machinery caught. severity (critical/major/minor/info), triage-status (open/accepted/rejected/deduplicated), detected-by, …
• Link types: defect-against, corrects, produced-by.

schemas/iso-26262.yaml:

• tool-confidence (TCL A2) — typed claim per ISO 26262-8 §11.4.7. ti (TI1/TI2), td (TD1/TD2/TD3), tcl, regime (8 standards regimes), claim-status (self-claimed/qualified/conditional/target), scope, plus qualification-evidence link-field.

Dogfood (TCL A1)

• Fixed inverted TCL/TQL convention in safety/stpa/tool-qualification.yaml header (now follows ISO 26262 Table 3: TCL1 = lowest demand).
• New typed claim TQ-CONF-RIVET at safety/tool-qualification/rivet-tool-confidence.yaml — rivet's own TI2/TD1/TCL1 self-claim, links to the seven dogfood hazards.
• rivet.yaml now loads iso-26262 schema + scans safety/tool-qualification/.

CLI (TCL A4, A5)

• rivet docs tool-qualification — renders the new dossier (docs/design/tool-qualification-dossier.md).
• rivet stats --qualification — JSON-only baseline manifest: rivet version, schemas in use, every tool-confidence claim, ai-found-defect aggregates. The snapshot a safety manager pastes into the dossier.
• --qualification-mode top-level flag — initial gate refuses rivet sync (Phase 2 federation, out of scope per dossier §4). Read-only commands stay allowed.

What's NOT in this PR

• rivet check ai-defects-open oracle (needs agent-pipelines wiring, bigger refactor).
• Phase 2 of feat: AI session provenance — link Claude Code session logs to traceability chain #127 (commit hook to auto-stamp ai-session metadata, rivet audit to enforce coverage).
• Independent qualification assessment (claim-status stays self-claimed).
• Migrate-command qualification gate (Migrate is nested under Schema, deferred to keep the gate's scope simple).

Test plan

• cargo test --workspace --lib — 994 pass.
• cargo test --workspace — green.
• New integration tests: stats_qualification_emits_baseline_manifest_for_dogfood (asserts TQ-CONF-RIVET surfaces at TCL1), qualification_mode_blocks_sync (asserts gate produces non-zero exit with discoverable message).
• cargo clippy --workspace --all-targets — clean.
• cargo fmt --all — clean.
• Manual: rivet docs tool-qualification renders the dossier; rivet stats --qualification produces the manifest with TQ-CONF-RIVET present.

🤖 Generated with Claude Code

[github-actions]

📐 Rivet artifact delta

Change	Count
Added	1
Removed	0
Modified	0
Downstream impacted (depth ≤ 5)	0

Graph

graph LR
  TQ_CONF_RIVET["TQ-CONF-RIVET"]:::added
  classDef added fill:#d4edda,stroke:#28a745,color:#155724
  classDef removed fill:#f8d7da,stroke:#dc3545,color:#721c24
  classDef modified fill:#fff3cd,stroke:#ffc107,color:#856404
  classDef overflow fill:#e2e3e5,stroke:#6c757d,color:#495057,stroke-dasharray: 3 3

Loading

Added

• TQ-CONF-RIVET

📎 Full HTML dashboard attached as workflow artifact rivet-delta-pr-289 — download from the workflow run.

_{Posted by rivet-delta workflow. The graph shows only changed artifacts; open the HTML dashboard (above) for full context.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!