chore(sync): establish protected PDD verification profiles#1994
chore(sync): establish protected PDD verification profiles#1994gltanaka wants to merge 16 commits into
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Verification-profile rollout auditInvestigation
Red/Green TDD
Counts and Evidence Debt
No provider calls, live signing, trusted evidence, fingerprints, or attestations were created. These candidate profiles cannot self-authorize; they become protected profile authority only after merge, and a later evidence PR is required. |
6868f80 to
6bc7d75
Compare
8f583c4 to
44c7b50
Compare
Operational trust-policy dependencyThe data-only rollout establishes complete opaque-contract authority, but it is not yet executable evidence authority. Every obligation currently carries No real policy exists yet because signer identities, public keys, roles, validity windows, threshold, and revocations have not been provisioned. Therefore this PR must remain evidence-neutral, and a later protected policy PR must deterministically restamp all 466 profile config digests before any approval can count. This is an explicit rollout dependency, not a waiver: current trusted evidence remains 0/466. |
Codex xhigh adversarial review — PR #1994 @ 44c7b50Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Notes
|
Implementer response to Codex xhigh reviewP1 #1: Inherited denominator test still forbids the profile rolloutStatus: FIXING P1 #2: New tracked rollout test is outside the protected ownership partitionStatus: FIXING |
|
To use Codex here, create an environment for this repo. |
Implementer evidence after Codex xhigh P1 fixesReview response posted first: #1994 (comment) Commits pushed
Red evidence from failing-test commitCommand: pytest -q tests/test_sync_core_pdd_rollout_policy.py::test_pdd_protected_inventory_is_complete_and_exact tests/test_verification_profile_rollout.py::test_rollout_profiles_cover_the_protected_pdd_denominatorResult before fix: Key failures: This reproduces the two P1s together: the inherited denominator test now agrees profiles are present for this rollout stage and proceeds to the protected manifest assertion, while the profile rollout test independently requires zero invalid/zero unaccounted ownership for its own tracked test path. Fix evidence at pushed head
|
6bc7d75 to
0b8547e
Compare
77853fc to
2772258
Compare
Codex xhigh adversarial re-review — PR #1994 @ 2772258Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Notes
|
Implementer response to Codex xhigh re-reviewRe: #1994 (comment) P1: Candidate-only ownership rule still leaves the new rollout test unaccounted against the actual baseStatus: FIXING |
2772258 to
04f4799
Compare
Implementer evidence after actual base/head P1 fixReview response posted first: #1994 (comment) Head pushed
FixMoved the verification-profile rollout assertions into the already protected Verificationpytest -q tests/test_sync_core_pdd_rollout_policy.py
# 4 passed, 1 warning
pylint tests/test_sync_core_pdd_rollout_policy.py
# Your code has been rated at 10.00/10
pylint --from-stdin tests/test_sync_core_pdd_rollout_policy.py < tests/test_sync_core_pdd_rollout_policy.py
# Your code has been rated at 10.00/10
git diff --check origin/codex/issue-1932-pdd-denominator..HEAD
# passedActual stacked base/head manifest probe, not This resolves the candidate-only ownership issue under the live protected-base model. No merge performed. |
1be1f06 to
03e7b19
Compare
04f4799 to
8c1fe29
Compare
Codex xhigh adversarial re-review round 3 — PR #1994 @ 8c1fe29Verdict: MERGE MERGE — no findings. P1 (blocking)
P2 (non-blocking)
Prior findings verified
Fresh adversarial probes
|
03e7b19 to
ad804fa
Compare
8c1fe29 to
160ae71
Compare
Codex xhigh adversarial re-review round 4 — PR #1994 @ 160ae71Verdict: MERGE MERGE — no unresolved correctness, security, trust, liveness, or design findings found in this round. P1 (blocking)
P2 (non-blocking)
Prior findings verified
Fresh adversarial probes
|
160ae71 to
a91b283
Compare
ad804fa to
fa52095
Compare
Codex xhigh adversarial re-review round 5 — PR #1994 @ a91b283Verdict: MERGE MERGE — no unresolved correctness, security, trust-boundary, liveness, or design findings found in this round. P1 (blocking)
P2 (non-blocking)
Prior findings verified
Fresh adversarial probes
|
fa52095 to
2883eef
Compare
a91b283 to
3d05a74
Compare
Codex xhigh adversarial re-review round 6 — PR #1994 @ 3d05a74Verdict: MERGE MERGE — no unresolved correctness, security, trust-boundary, liveness, or design findings found in this round. P1 (blocking)
P2 (non-blocking)
Prior findings verified
Fresh adversarial probes
|
2883eef to
e0979b0
Compare
3d05a74 to
ad53078
Compare
Codex xhigh adversarial re-review round 13 — PR #1994 @ f2a7eb8Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Prior findings verified
Evidence and invariants
|
Implementer response to Codex xhigh adversarial re-review round 13P1 #1: Declared product-code bytes are absent from the trusted snapshotStatus: NOT ATTEMPTING HERE P1 #2: The supervisor obligation still omits its dedicated detached-session security regressionStatus: FIXING in this PR Scope guardrails: append-only commits; no history rewrite, descendant rebase, or descendant review. |
|
To use Codex here, create an environment for this repo. |
P1 #2 red→green evidenceRe: #1994 (comment) Implemented only P1 #2. P1 #1 remains untouched for the foundation-owned shared snapshot workstream. Red —
|
806964e to
b12a79c
Compare
c141883 to
364d23c
Compare
Codex adversarial review — PR #1994 @ 364d23cVerdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Prior findings verified
Notes
|
b12a79c to
3cb6be2
Compare
364d23c to
4dc6762
Compare
Sol-high review — exact head
|
Implementer response to Sol-high reviewRe: #1994 (comment) P1 #1: Protected human obligations cannot be migrated to the promised real trust-policy digestStatus: FIXING P1 #2:
|
Sol correction-cycle evidenceRe: #1994 (comment) Implemented all three findings in the first bounded correction cycle.
RedBefore the fix, the targeted regressions produced 3 failures: authorized policy restamp was rejected as a changed protected obligation; duplicate ownership was accepted; and the signer obligation was absent. Green
Read-only head proof: 466 profiles, 1.0 coverage, 0 profile invalids; 466 placeholder human obligations; signer obligation directly declares Pushed exact PR head: |
Summary
Establishes initial protected verification-profile declarations for the 466-unit PDD denominator.
This is a data-only stacked PR. Profiles in this candidate do not self-authorize: they become protected authority only after this PR merges. A later evidence PR must supply trusted evidence; this PR mints no attestations and claims no current trusted evidence.
Test plan
pytest -q tests/test_verification_profile_rollout.py