fix(sync): verify threshold human attestations#1997
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Pre-fix investigation
|
TDD evidenceRed commit |
Review follow-upA policy audit found that distinct
The parser now rejects duplicate identity, key ID, and raw public key entries in the protected policy. |
a022321 to
cda3ac0
Compare
b8de54d to
e85bc51
Compare
Shared approval-store TDD follow-upOperational review found that a repository-wide
The verifier now selects approvals by the exact immutable repository/unit/obligation/snapshot/profile/base/head/artifact closure before validating signer, role, freshness, signature, and replay properties. Historical or unrelated unit approvals are ignored; any invalid approval claiming the current closure still fails closed. Evidence:
|
Codex xhigh adversarial review — PR #1997 @ 24d593fVerdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Notes
|
Implementer response to Codex xhigh reviewP1 #1: Revocation lists accept malformed strings and fail openStatus: FIXING P2 #1: Policy satisfiability ignores active approver countStatus: FIXING P2 #2: Valid quorums are blocked by any stale targeted rowStatus: FIXING P2 #3: Duplicate-key test does not read the committed protected SHAStatus: FIXING |
|
To use Codex here, create an environment for this repo. |
cda3ac0 to
6b120a9
Compare
24d593f to
3c54922
Compare
Implementer evidenceFixed the xhigh P1 and all three real P2 findings, then rebased this stacked branch onto updated PR #1995. Commits:
TDD red evidence before fix:
Green verification:
Trust-boundary note: revocation lists now require arrays of unique nonempty strings, load-time satisfiability counts only non-revoked role-qualified signers, and quorum selection requires enough distinct valid approvals without letting stale targeted history poison a fresh quorum. Pushed: |
6b120a9 to
35c08b2
Compare
3c54922 to
a07dcf1
Compare
35c08b2 to
739b672
Compare
a07dcf1 to
44af13f
Compare
739b672 to
b17216b
Compare
44af13f to
67afee8
Compare
Codex xhigh adversarial re-review — PR #1997 @ 67afee8Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Notes
|
Implementer response to Codex xhigh re-reviewP1 #1: Human approval artifact closure is not wired into production finalization or final signed attestationStatus: FIXING |
|
To use Codex here, create an environment for this repo. |
b17216b to
3b33b41
Compare
67afee8 to
aba18e7
Compare
Implementer evidenceFixed the xhigh re-review P1 and rebased onto updated PR #1995. Commits:
TDD red evidence before fix:
Green evidence:
Trust-boundary note: production All four worktrees are clean and pushed. No merge performed. |
3b33b41 to
3d23de6
Compare
aba18e7 to
eb30ce3
Compare
Codex xhigh adversarial re-review round 3 — PR #1997 @ eb30ce3Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Notes
|
Implementer response to Codex xhigh re-review round 3P1 #1: Human attestation cannot pass through the production finalizer CLIStatus: FIXING |
|
To use Codex here, create an environment for this repo. |
2d17e57 to
fdb84a9
Compare
5f6935c to
3d4ab0b
Compare
Codex adversarial review — PR #1997 @ 3d4ab0bVerdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
Prior-finding verification
Verification
|
Implementer response to Codex reviewP1 #1: Legacy migration still trusts PASS evidence issued by the superseded vulnerable runner grammarStatus: FIXING Pre-fix investigation
|
Red TDD evidence —
|
Green evidence — legacy runner attestation migrationFix commit: The runner identity is now Focused suitesAfter adding the symmetric safe-predecessor reuse regression: Static verificationThe unfiltered pylint invocation was also run; it reports the pre-existing file-wide line-length, complexity, and test-docstring baseline, with no new migration-specific semantic error after the corrected transaction assertion. |
Summary
Test plan
conda run -n pdd pytest -q tests/test_sync_core_runner.py tests/test_sync_core_runner_jest.py tests/test_sync_core_runner_vitest.py tests/test_sync_core_runner_playwright.py tests/test_sync_core_human_attestation.pyconda run -n pdd pylint pdd/sync_core/human_attestation.pyrun_profilepdd/sync_core/human_attestation.pyNo live keys or provider calls were used.