feat: salsa-tracked build_store + TCL workstream B + honest dossier (adversarial-review fixes)#295
Merged
Mobile/Scale lens finding (v0.10.0 adversarial review): `build_store` in `db.rs:646` was a plain `fn`, so every downstream tracked query (`validate_all`, `build_link_graph`, `compute_coverage_tracked`) re-built the entire `Store` HashMap (cloning every `Artifact`) on every salsa revision — defeating the incremental validation claim the dossier makes in §3.

This commit:
- Marks `build_store` and `build_store_with_extras` `#[salsa::tracked]`.
- Adds `PartialEq` to `Store` (required for salsa change-detection).

Result: subsequent calls with the same `source_set` / `schema_set` / `extra_set` return the memoized `Store` instead of re-running the function. Single-file edits still re-validate that file (its `parse_artifacts_v2` invalidates), but unchanged files don't get re-parsed or re-inserted into a fresh HashMap.

A regression test (`build_store_cache_returns_equal_on_noop_revision`) follows in a separate commit to keep the diffs focused.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Verifies the prior commit's tracked build_store actually memoizes: repeated calls with the same source_set + schema_set return equal Stores. While salsa cache observability isn't directly testable from user code, equality after a no-op revision is a necessary condition. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
DPO-Lens finding (v0.10.0 adversarial review): `ai-session.invoker` collects personal data per DSGVO Art. 4 without a lawful basis, retention period, or erasure mechanism. The dossier section §0 calls this out as a not-yet-defensible gap; this commit ships the typed shape so projects can actually populate the metadata DSGVO Art. 35 expects.

New on `ai-session`:
- `lawful-basis` (DSGVO Art. 6(1)/(9)(2), enumerated allowed values including `anonymised` for non-PII cases).
- `retention-period` (ISO 8601 duration, Art. 5(1)(e)).
- `erasure-mechanism` (free-form, Art. 17).

New artifact type `dpia` in `schemas/common.yaml`:
- `dpo-sign-off`, `personal-data-categories` (required).
- `risk-assessment` (low/medium/high).
- `mitigation-measures`, `consultation-date` (optional).

NOT in this commit (deliberately):
- A conditional-rule that forces `invoker`-set artifacts to link to a dpia. Adding that requires validate-time enforcement work and would block release on projects that haven't authored a dpia yet — separate PR with a migration story.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…al gate

Auditor + PM/Pragmatiker findings (v0.10.0 adversarial review): the dossier's §3 TD1 detection-layer claim names the ai-found-defect triage loop as the operational primitive — but v0.10.0 shipped only the schema, not the gate. This commit ships the gate.

New subcommand `rivet check ai-defects-open` exits non-zero when:

**Gate 1 (open-against-released):** an `ai-found-defect` with `triage-status: open` has a `defect-against` link to an artifact whose `status` is `released` or `approved`. Without this gate, release proceeds with un-triaged AI defects against shipped work.

**Gate 2 (segregation-of-duties, DPO finding):** a defect's `triaged-by` matches the originating session's `invoker` (resolved via `produced-by` link). The same AI/operator that authored the offending artifact must not mark its own defect "accepted." This is ISO 26262-2 §6.4.7 confirmation-reviewer independence at the AI-loop level.

Read-only. JSON for CI consumers, text for humans.

Tested:
- ai_defects_open_passes_when_triaged_and_no_self_triage
- ai_defects_open_fails_on_open_defect_against_released
- ai_defects_open_fails_on_self_triage_segregation_violation

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
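Both gates described in the commit above, worked through on an in-memory store. This is an added illustration, not code from the Rivet repository: the `Artifact` struct, the `art` helper and the sample store are constructed stand-ins for Rivet's real types and link resolution.

```rust
use std::collections::HashMap;

/// Constructed stand-in for a Rivet artifact (not Rivet's real `Artifact` type):
/// an id, an artifact type, and a flat map of string fields.
#[derive(Debug, Clone)]
pub struct Artifact {
    pub id: &'static str,
    pub kind: &'static str,
    pub fields: HashMap<&'static str, &'static str>,
}

fn art(id: &'static str, kind: &'static str, fields: &[(&'static str, &'static str)]) -> Artifact {
    Artifact { id, kind, fields: fields.iter().copied().collect() }
}

/// Gate 1: an `ai-found-defect` with `triage-status: open` whose `defect-against` target
/// has `status` released/approved.
/// Gate 2: the defect's `triaged-by` equals the `invoker` of the session it was `produced-by`.
/// Returns one human-readable violation per failing defect, in store order.
pub fn ai_defects_open_violations(store: &[Artifact]) -> Vec<String> {
    let by_id: HashMap<&str, &Artifact> = store.iter().map(|a| (a.id, a)).collect();
    let mut violations = Vec::new();
    for d in store.iter().filter(|a| a.kind == "ai-found-defect") {
        let field = |k: &str| d.fields.get(k).copied();
        let linked = |k: &str| field(k).and_then(|id| by_id.get(id).copied());
        if field("triage-status") == Some("open") {
            if let Some(target) = linked("defect-against") {
                let status = target.fields.get("status").copied().unwrap_or("");
                if status == "released" || status == "approved" {
                    violations.push(format!("{}: open defect against {} artifact {}", d.id, status, target.id));
                }
            }
        }
        let invoker = linked("produced-by").and_then(|s| s.fields.get("invoker").copied());
        if let (Some(t), Some(i)) = (field("triaged-by"), invoker) {
            if t == i {
                violations.push(format!("{}: triaged by its own invoker {} (segregation of duties)", d.id, t));
            }
        }
    }
    violations
}

/// Constructed sample store: DEF-1 is clean, DEF-2 trips Gate 1, DEF-3 trips Gate 2.
pub fn sample_store() -> Vec<Artifact> {
    vec![
        art("REQ-001", "requirement", &[("status", "released")]),
        art("REQ-002", "requirement", &[("status", "draft")]),
        art("SESSION-1", "ai-session", &[("invoker", "alice")]),
        art("DEF-1", "ai-found-defect", &[("triage-status", "accepted"), ("defect-against", "REQ-002"), ("produced-by", "SESSION-1"), ("triaged-by", "bob")]),
        art("DEF-2", "ai-found-defect", &[("triage-status", "open"), ("defect-against", "REQ-001")]),
        art("DEF-3", "ai-found-defect", &[("triage-status", "accepted"), ("defect-against", "REQ-002"), ("produced-by", "SESSION-1"), ("triaged-by", "alice")]),
    ]
}

fn main() {
    let v = ai_defects_open_violations(&sample_store());
    for line in &v { println!("FAIL {line}"); }
    std::process::exit(if v.is_empty() { 0 } else { 1 });
}
```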
DPO/Auditor/Formal-Skeptiker findings (v0.10.0 adversarial review): the dossier and the typed claim overstated v0.10.0's defensibility:
- Claimed "Kani 2000+ proofs" — real number is 27 harnesses with mostly-trivial 8-24 byte bounded input panic-freedom checks.
- Claimed "TD1 high confidence" via "product of miss rates" — common-mode fallacy (all five layers share the same parser + Artifact model).
- Cited DO-330/IEC 62304/EN 50128 cross-walks without disclosing the upstream design note's "unverified clause-level" caveat.
- Did not mention `vmodel_chain_two_steps` is `Admitted`, nor that `backlink_symmetric` is `assume`'d in Verus.
- Did not mention mutation testing runs 29 mutants total.
- Did not mention `claim-status: self-claimed` + AI-authored.
- Did not mention release SHA256SUMS / git tag are unsigned.
- Did not mention DPIA linkage isn't enforced at validate time.

This commit adds §0 "Honest scope statement (read this first)" to `docs/design/tool-qualification-dossier.md` enumerating each of the above gaps, and updates the typed claim's `scope` field to match. Strips the "2000+ proofs" claim from §3 and replaces with concrete counts. The dossier is now honest about what v0.10.0 has and hasn't earned.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
📐 Rivet artifact delta

```mermaid
graph LR
TQ_CONF_RIVET["TQ-CONF-RIVET"]:::modified
classDef added fill:#d4edda,stroke:#28a745,color:#155724
classDef removed fill:#f8d7da,stroke:#dc3545,color:#721c24
classDef modified fill:#fff3cd,stroke:#ffc107,color:#856404
classDef overflow fill:#e2e3e5,stroke:#6c757d,color:#495057,stroke-dasharray: 3 3
```

Legend: Modified
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.
| Benchmark suite | Current: a917a85 | Previous: c9151f6 | Ratio |
|---|---|---|---|
| link_graph_build/10000 | 37124367 ns/iter (± 2888800) | 29738023 ns/iter (± 2888597) | 1.25 |
| diff/10000 | 9504856 ns/iter (± 624668) | 7548192 ns/iter (± 119756) | 1.26 |
This comment was automatically generated by workflow using github-action-benchmark.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
CI format check on #295 flagged collapsed-arm rustfmt diffs in cmd_check_ai_defects_open, the integration tests, and db.rs. Pure formatting; no semantic changes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
avrabe added a commit that referenced this pull request on May 17, 2026:
Closes the loop opened by v0.10.0's ai-session schema (#127 Phase 1). New top-level read-only subcommand `rivet audit` walks the current branch's git history and enforces two gates:

**Gate 1 — AI-authored commit needs a session.** For every commit detected as AI-authored (`Co-Authored-By:` containing `noreply@anthropic.com`, OR `Generated-With:`/`Created-By:` trailer matching `^(ai|ai-assisted)`), require an `ai-session` artifact in the project with `fields.commit-sha` matching the commit SHA (prefix match either direction, ≥7 chars).

**Gate 2 — session must point at a real reachable commit.** For every `ai-session` artifact with `commit-sha` set, verify the commit exists (`git cat-file -e`) AND is reachable from `--until` (`git merge-base --is-ancestor`). Catches drift after rebase / force-push as well as fabricated sessions pointing at vanished commits.

CLI: `rivet audit [--since <ref>] [--until <ref>] [--format text|json] [--strict]`
- `--since` defaults to `git merge-base origin/main HEAD`, falling back to `HEAD~50`.
- `--strict` exits non-zero on violations (CI mode).
- JSON envelope per spec: `command`, `passed`, `since`, `until`, `ai_commits_scanned`, `ai_sessions_in_project`, `violations.{ai_commits_without_session,sessions_with_missing_commit}`, `summary.total_violations`.

Read-only. Shells out to `git` (no new deps). Composes with `rivet check ai-defects-open` (PR #295) — together they cover the two operational TD1 loops the dossier §3 layer 5 names.

Tests (4 integration tests, all green):
- audit_passes_when_ai_commits_have_matching_sessions
- audit_fails_when_ai_commit_has_no_session
- audit_fails_when_session_points_at_missing_commit
- audit_json_envelope_shape_on_failure

Docs: new `audit` topic in `rivet-cli/src/docs.rs` (~105 lines).

OUT OF SCOPE (deferred):
- Auto-stamping sessions from `~/.claude/projects/*.jsonl` (Phase 2.5).
- session-hash verification (Phase 2.5).
- pre-commit / commit-msg hook installation (Phase 3).
- DPIA-link enforcement on `invoker`-bearing sessions.

Implements: REQ-002, REQ-007
Refs: FEAT-001, #127

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
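Gate 1 of `rivet audit` as described in the commit above (AI-authorship trailer detection plus the ≥7-char either-direction SHA prefix match), worked on constructed commit messages instead of real git history. This is an added example, not code from the Rivet repository; the `Commit` struct and the sample SHAs are constructed, and case-insensitive trailer keys are an assumption. Gate 2 (`git cat-file -e` / `git merge-base --is-ancestor`) is not reproduced here.

```rust
/// Constructed stand-in for one commit as `rivet audit` would see it (not Rivet's real type).
pub struct Commit { pub sha: &'static str, pub message: &'static str }

/// AI-authorship rule: a `Co-Authored-By:` trailer containing `noreply@anthropic.com`,
/// or a `Generated-With:`/`Created-By:` trailer whose value matches `^(ai|ai-assisted)`.
/// Trailer keys are compared case-insensitively (assumption; git treats trailer keys that way).
pub fn is_ai_authored(message: &str) -> bool {
    message.lines().any(|line| {
        let (key, value) = match line.split_once(':') { Some(kv) => kv, None => return false };
        let value = value.trim();
        match key.trim().to_ascii_lowercase().as_str() {
            "co-authored-by" => value.contains("noreply@anthropic.com"),
            // `^(ai|ai-assisted)` is not anchored at the end, so a leading "ai" is what it tests.
            "generated-with" | "created-by" => value.starts_with("ai"),
            _ => false,
        }
    })
}

/// `commit-sha` matching rule: prefix match in either direction, both sides at least 7 chars.
pub fn sha_matches(session_sha: &str, commit_sha: &str) -> bool {
    let (a, b) = (session_sha.trim().to_ascii_lowercase(), commit_sha.trim().to_ascii_lowercase());
    a.len() >= 7 && b.len() >= 7 && (a.starts_with(&b) || b.starts_with(&a))
}

/// Gate 1: SHAs of AI-authored commits that no `ai-session` `commit-sha` matches.
pub fn ai_commits_without_session(commits: &[Commit], session_shas: &[&str]) -> Vec<String> {
    commits.iter()
        .filter(|c| is_ai_authored(c.message))
        .filter(|c| !session_shas.iter().any(|s| sha_matches(s, c.sha)))
        .map(|c| c.sha.to_string())
        .collect()
}

/// Constructed sample history: two AI-authored commits, one human commit.
pub fn sample_commits() -> Vec<Commit> {
    vec![
        Commit { sha: "1111111aaaaa", message: "fix: tidy\n\nCo-Authored-By: Helper <noreply@anthropic.com>" },
        Commit { sha: "2222222bbbbb", message: "feat: gate\n\nGenerated-With: ai-assisted" },
        Commit { sha: "3333333ccccc", message: "docs: typo\n\nSigned-off-by: Dev <dev@example.com>" },
    ]
}

fn main() {
    // Only the second AI commit has a session, so the first one is reported.
    let missing = ai_commits_without_session(&sample_commits(), &["2222222"]);
    for sha in &missing { println!("FAIL ai commit {sha} has no ai-session"); }
    std::process::exit(if missing.is_empty() { 0 } else { 1 });
}
```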
Summary

Acts on the v0.10.0 adversarial-review findings (6 lens-personas + VSIX investigation). Four commits, each addressable independently:

Commits

1. `perf(db): track build_store + build_store_with_extras as salsa queries` — Mobile/Scale lens finding. Previously `build_store` was plain `fn`, so every downstream tracked query rebuilt the whole `Store` HashMap on every revision. Now memoized.
2. `test(db): regression test for build_store salsa cache (REQ-029)` — verifies repeated calls return equal Stores (necessary condition for cache hit).
3. `feat(schema): add dpia artifact type + retention fields on ai-session` — DPO lens finding. `ai-session.invoker` is DSGVO Art. 4 personal data; schema now declares `lawful-basis`, `retention-period`, `erasure-mechanism`, and a `dpia` artifact type with `dpo-sign-off`, `personal-data-categories`, `risk-assessment`, `mitigation-measures`, `consultation-date`. Validate-time enforcement (`invoker` set ⇒ DPIA link required) deferred to a separate PR with a migration story.
4. `feat(check): rivet check ai-defects-open — TCL workstream B operational gate` — Auditor + PM findings. Ships the gate the dossier §3 already claims as the TD1 detection layer. Two gates: (a) open defect against released/approved artifact; (b) self-triage (DPO segregation-of-duties).
5. `docs(tcl): honest scope statement in dossier + TQ-CONF-RIVET claim` — Auditor + Formal-Skeptiker findings. Adds §0 enumerating what is NOT yet defensible (no independent reviewer; unverified DO-330/EN 50128/IEC 62304 cross-walks; unproven 5-layer independence; 29-mutant testing; `Admitted`/`assume`'d obligations; unsigned release; no DPIA enforcement). Strips the "Kani 2000+ proofs" claim — real count is 27 harnesses.

NOT in this PR

- `invoker`-bearing sessions (separate PR — needs migration story).

Test plan

- `cargo test --workspace --lib` — 995 pass.
- `cargo test -p rivet-cli --test cli_commands ai_defects` — 3 pass.
- `cargo test -p rivet-core --lib build_store_cache` — 1 pass.
- `rivet docs tool-qualification` renders the new §0 honest scope.
- `rivet check ai-defects-open` exits 0 on rivet's own repo.

🤖 Generated with Claude Code