feat(korg-verify): standalone Rust verifier for korg receipts & journals #1

Merged: New1Direction merged 6 commits into main from feat/korg-verify on Jun 4, 2026

@New1Direction

Owner

What

A new dependency-light binary crate, korg-verify, that verifies a korgex receipt or a korg-ledger journal — no network, no Python:

korg-verify <receipt.json | journal.jsonl> [--key <str>] [--pubkey <hex>] [--json]
# exit 0 VALID · 1 INVALID/tampered · 2 usage/parse

Checks: hash chain + causal DAG (reusing korg-registry's conformance-tested verify_chain/verify_dag), the receipt's tip matches the chain head, and — if signed — the Ed25519 tip signature, with an optional --pubkey signer pin (rejects any key but the trusted one).

Why

It's the third independent implementation of korg-ledger@v1 — Python (korgex receipt verify), JS (the self-verifying HTML), and now Rust — all checked against the same frozen conformance vectors. That turns "verify a sealed deliverable without trusting the tool that produced it" from a claim into something you can run as one small binary, in CI or by hand.

Tests (11, all green)

  • All five shared vectors in crates/korg-registry/tests/conformance: basic-intact, hmac-intact (valid only with the key), nonbmp-intact (astral-plane code points), tampered-content (flags seq 2), tampered-deletion (flags seq 3).
  • A real receipt minted by korgex receipt --sign (fixture, fixed key) → VALID — cross-implementation proof that Rust re-derives the chain and verifies the Python Ed25519 signature; plus tamper, forged-signature, and signer-pin cases.

Notes

  • CI: the existing ci.yml runs cargo test / clippy -D correctness / fmt --check workspace-wide, so the new crate is covered automatically — no CI change. korg-verify is fmt-clean and clippy-clean (pre-existing korg-registry warnings are unrelated).
  • Reuses korg-registry rather than re-implementing canonicalization, so chain parity is inherited from its conformance suite; the only new surface is the receipt envelope + Ed25519, both covered by the fixture tests.
  • Build a release binary: cargo build --release -p korg-verify.
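
As an added illustration (not code from this PR or from korg-registry), the sketch below walks a hash chain and then compares the receipt tip with the chain head, in Python over a simplified journal layout. The field names, the genesis value and the JSON encoding are assumptions and are not korg-ledger@v1; the causal-DAG and Ed25519 checks are left out.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed "prev" value of the first entry


def entry_hash(prev, seq, content, key=None):
    # Assumed encoding: compact JSON with sorted keys, UTF-8 (non-BMP safe).
    # korg-ledger@v1 defines its own canonicalization; this is a stand-in.
    msg = json.dumps({"prev": prev, "seq": seq, "content": content},
                     sort_keys=True, separators=(",", ":"),
                     ensure_ascii=False).encode("utf-8")
    if key is not None:  # keyed mode: only holders of the key can re-derive
        return hmac.new(key.encode("utf-8"), msg, hashlib.sha256).hexdigest()
    return hashlib.sha256(msg).hexdigest()


def build(contents, key=None):
    """Mint a journal; used here only to construct sample data."""
    journal, prev = [], GENESIS
    for seq, content in enumerate(contents, 1):
        digest = entry_hash(prev, seq, content, key)
        journal.append({"seq": seq, "prev": prev,
                        "content": content, "hash": digest})
        prev = digest
    return journal


def verify(journal, tip=None, key=None):
    """Return (exit_code, reason): 0 = VALID, 1 = INVALID/tampered."""
    prev = GENESIS
    for pos, e in enumerate(journal, 1):
        if e["seq"] != pos or e["prev"] != prev:
            return 1, f"chain break at seq {pos}"
        expect = entry_hash(prev, e["seq"], e["content"], key)
        if not hmac.compare_digest(expect, e["hash"]):
            return 1, f"content mismatch at seq {pos}"
        prev = e["hash"]
    # A truncated journal is still an intact chain; only the tip check sees it.
    if tip is not None and not hmac.compare_digest(tip, prev):
        return 1, "receipt tip does not match chain head"
    return 0, "VALID"


# Constructed sample journal (not one of the project's conformance vectors).
SAMPLE = build(["plan", "edit \U0001F512", "test", "seal"])
TIP = SAMPLE[-1]["hash"]
```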

New1Direction and others added 6 commits May 31, 2026 15:31
…fix doc-drift

korg-server bound 0.0.0.0:8080, exposing the (mostly unauthenticated) control/telemetry routes to the local network. It now binds 127.0.0.1:8080 by default (both run_web_* entry points), with KORG_SERVER_ADDR to opt into other interfaces on purpose. wasm_js_handler/wasm_bytes_handler served empty 200s for a frontend that isn't bundled — now 404. Corrected the module + index_handler docs that claimed a 'glassmorphism SPA dashboard' (it serves a static landing page). TDD: resolve_bind_addr (loopback default + explicit override) and wasm routes 404; 11 korg-server tests green. (Minor follow-up: the startup log/auto-open still print localhost:8080 — accurate for the default, cosmetically stale only under an override.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…tory & revert theater

korg-tui rendered fabricated data as if it were real. Removed it: default() no longer seeds fake persona scores [0.92,..], lock latencies, sparkline histories, rubric pass/fail, or velocity/risk (empty/zero until a real TuiUpdate arrives); deleted the 'demo heartbeat' that animated a fake entropy gauge; load_git_commits now shows REAL author/date (git log --pretty) and never fabricates 3 commits when git is empty; the git-revert handlers report real success/failure instead of 'Simulated...success'/'Bypassed...' on failure (and no longer imply per-commit time-travel — they reset the working tree to HEAD); removed the dead update_from_leader no-op. The live TuiUpdate wire (already honest) is untouched. TDD: parse_git_log + default()-honesty; 12 korg-tui tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…efore committing

The rewind overlay now shows, per candidate, a Surgical/Strategic scope badge and an honest 'will discard N steps (seq a-b)' line derived from the candidate's REAL invalidates list — so the operator sees the blast radius before choosing a recovery point. No reordering (recovery emits surgical-first), so the cursor->action mapping is unchanged: the highlighted candidate is exactly the one acted on. TDD: format_invalidation (empty/one/range) + scope_badge; 9 korg-tui tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ark it verified)

A GOAL band atop the Observability tab derives the goal's true state from real signals (current_verdict + rubric_status + progress): Awaiting / In progress / Claimed-not-verified / Verified. Honesty rule: a completion CLAIM never renders as done — only every acceptance rubric passing marks it Verified; any failing criterion shows 'Claimed - not verified'. Plus the M/N criteria tally and progress%. Real data only; no wire changes. TDD derive_goal_state (one test per branch) + goal_state_label; 14 korg-tui tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…cle signal)

Adds a structured TuiUpdate::WorkerState{node_id,persona,state,elapsed_ms} + WorkerLifecycle enum (tui_bridge.rs), emitted by workers.rs at the REAL spawn/ok/crash/timeout/spawn-error lifecycle points (alongside the existing Trace log; real elapsed via per-node spawn instants). korg-tui upserts them into workers: Vec<WorkerRow> (apply_worker_state keyed by node_id, no dup) and renders a leader->worker tree on the Swarm Console with per-worker status glyphs (crashed/timed-out tagged 'queued for recovery'); empty until real signals arrive. Also fixes the goal band's progress (app.progress is already 0-100; dropped a stray *100). Real data only. TDD apply_worker_state upsert; korg-runtime 103 + korg-tui 15 + korg-registry 26 (conformance intact) green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A dependency-light binary that verifies a korgex receipt or a korg-ledger journal:
hash chain + causal DAG (reusing korg-registry's conformance-tested primitives) plus
an Ed25519 tip-signature check, with an optional --pubkey signer pin. No network, no
Python — the third independent korg-ledger@v1 implementation (Python, JS-in-browser,
now Rust), so "verify without trusting the tool that produced it" is provable, not
asserted.

  korg-verify <receipt.json|journal.jsonl> [--key <str>] [--pubkey <hex>] [--json]
  exit 0 VALID · 1 INVALID/tampered · 2 usage/parse

Tests (11): all five shared frozen vectors (basic/hmac/nonbmp/tampered-content/
tampered-deletion) + a REAL receipt minted by `korgex receipt --sign` — cross-impl
proof that Rust re-derives the chain AND verifies the Python Ed25519 signature — plus
tamper, forged-sig, and signer-pin cases. fmt clean, clippy-clean.
@New1Direction New1Direction merged commit c535791 into main Jun 4, 2026
1 of 2 checks passed
@New1Direction New1Direction deleted the feat/korg-verify branch June 4, 2026 03:02