Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
119 commits
Select commit Hold shift + click to select a range
a013605
docs: add PF-Core trace to PCS trace_certificate mapping
fraware Jun 19, 2026
b5d0dc6
ci: add script to diff hash vectors against pf-core tag
fraware Jun 19, 2026
a6fbf9d
test: gate PCS hash vectors on pf-core adapter parity
fraware Jun 19, 2026
d1414de
ci: run PF-Core hash vector parity on every push
fraware Jun 19, 2026
5da53d5
chore: ignore PF-Core generated Lean trace proofs
fraware Jun 27, 2026
22e1e22
docs(pf-core): state mission and assurance goals
fraware Jun 27, 2026
2ce07db
docs(pf-core): document explicit trust assumptions
fraware Jun 27, 2026
217bc15
docs(pf-core): define PF-Core threat model
fraware Jun 27, 2026
22e581e
docs(pf-core): spell trusted computing boundary
fraware Jun 27, 2026
d835355
docs(pf-core): map claim classes to evidence
fraware Jun 27, 2026
24462a1
docs(pf-core): audit gaps before full assurance
fraware Jun 27, 2026
a78a486
docs(pf-core): specify contract evaluation semantics
fraware Jun 27, 2026
0957e7b
docs(pf-core): document non-interference obligations
fraware Jun 27, 2026
9dcf355
docs(pf-core): describe PCS bridge certificate artifact
fraware Jun 27, 2026
8518c7e
docs(pf-core): add release verification checklist
fraware Jun 27, 2026
4229611
docs(pf-core): add claim-boundary presentation slide
fraware Jun 27, 2026
3e8156a
docs(pf-core): add live demo script
fraware Jun 27, 2026
24b450d
docs(pf-core): summarize key Lean theorems
fraware Jun 27, 2026
3a1b4f9
schema: add shared PF-Core JSON Schema definitions
fraware Jun 27, 2026
0a4d8bf
schema: add PFCorePrincipal v0 artifact schema
fraware Jun 27, 2026
b2fe636
schema: add PFCoreCapability v0 artifact schema
fraware Jun 27, 2026
77e3589
schema: add PFCoreResource v0 artifact schema
fraware Jun 27, 2026
d62b423
schema: add PFCoreEffect v0 artifact schema
fraware Jun 27, 2026
5b58213
schema: add PFCoreAction v0 artifact schema
fraware Jun 27, 2026
3104b01
schema: add PFCoreDecision v0 artifact schema
fraware Jun 27, 2026
45d967a
schema: add PFCoreEvent v0 artifact schema
fraware Jun 27, 2026
688bcde
schema: add PFCoreTrace v0 artifact schema
fraware Jun 27, 2026
3b638eb
schema: add PFCoreContract v0 artifact schema
fraware Jun 27, 2026
23b010d
schema: add PFCoreRuntimeObservation v0 schema
fraware Jun 27, 2026
f031d9b
schema: add PFCoreHandoff v0 artifact schema
fraware Jun 27, 2026
08237c3
schema: add PFCoreCertificate v0 artifact schema
fraware Jun 27, 2026
d5935ff
schema: add ToolUseTrace v0 artifact schema
fraware Jun 27, 2026
c1c968c
schema: add LeanCheckResult v0 artifact schema
fraware Jun 27, 2026
87d1050
schema: add PCSBridgeCertificate v0 artifact schema
fraware Jun 27, 2026
de54a46
lean(pf-core): add Basic types and helpers
fraware Jun 27, 2026
148bb4c
lean(pf-core): model principals in Lean
fraware Jun 27, 2026
9108cc4
lean(pf-core): encode capabilities for policy proofs
fraware Jun 27, 2026
c5274a2
lean(pf-core): formalize resources and tenant scope
fraware Jun 27, 2026
9a36bed
lean(pf-core): define actions linked to trace events
fraware Jun 27, 2026
dc1a8bb
lean(pf-core): define hash-chained events
fraware Jun 27, 2026
e1f1f35
lean(pf-core): define PF-Core trace structure
fraware Jun 27, 2026
dddf2e6
lean(pf-core): formalize contract rules
fraware Jun 27, 2026
fc970d1
lean(pf-core): implement contract decision procedure
fraware Jun 27, 2026
f9e5dbf
lean(pf-core): model authority handoffs
fraware Jun 27, 2026
c6ecabe
lean(pf-core): add trace well-formedness checks
fraware Jun 27, 2026
2590e18
lean(pf-core): state non-interference properties
fraware Jun 27, 2026
1445491
lean(pf-core): relate decide outcomes to traces
fraware Jun 27, 2026
c44f09d
lean(pf-core): model PF-Core certificates in Lean
fraware Jun 27, 2026
ae3dcc2
lean(pf-core): export main PF-Core theorems
fraware Jun 27, 2026
28def06
lean(pf-core): reserve Generated slot for trace codegen
fraware Jun 27, 2026
e2449d7
lean(pf-core): add PFCore library root module
fraware Jun 27, 2026
378ff56
lean: register PCS and PFCore lake libraries
fraware Jun 27, 2026
f0ff79e
lean(pcs): add Basic scaffolding for PCS proofs
fraware Jun 27, 2026
5f36dbf
lean(pcs): add hash conventions for PCS artifacts
fraware Jun 27, 2026
7dc54bd
lean(pcs): model science claim bundles
fraware Jun 27, 2026
4c1bd03
lean(pcs): model trace certificates in Lean
fraware Jun 27, 2026
1409c7c
lean(pcs): add computation witness types
fraware Jun 27, 2026
85d9ed8
lean(pcs): model tool-use linkage to PCS traces
fraware Jun 27, 2026
0d286ba
lean(pcs): formalize release chain integrity
fraware Jun 27, 2026
61b069b
lean(pcs): export PCS certificate theorems
fraware Jun 27, 2026
f4ce206
lean(pcs): add PCS library root module
fraware Jun 27, 2026
a2ae844
lean(pcs): align Artifact module with PF-Core bridge
fraware Jun 27, 2026
ff5056a
feat(pf-core): embed schema registry and claim metadata
fraware Jun 27, 2026
0056935
feat(pf-core): implement claim and boundary audits
fraware Jun 27, 2026
b70201f
feat(pf-core): evaluate contracts against traces
fraware Jun 27, 2026
b37b36a
feat(pf-core): build traces from runtime observations
fraware Jun 27, 2026
74ac385
feat(pf-core): replay traces and emit certificates
fraware Jun 27, 2026
1d9ba06
feat(pf-core): assemble PF-Core certificate payloads
fraware Jun 27, 2026
9879978
feat(pf-core): integrate CertifyEdge property checks
fraware Jun 27, 2026
62e5fca
feat(pf-core): adapt LabTrust fixtures to PF-Core traces
fraware Jun 27, 2026
7cf6203
feat(pf-core): codegen Lean modules from traces
fraware Jun 27, 2026
95c9e05
feat(pf-core): catalog Lean modules for audit-lean-catalog
fraware Jun 27, 2026
b529f7d
feat(pf-core): run lake build and sorry audit for traces
fraware Jun 27, 2026
803f38a
feat(pf-core): compare PCS hash vectors to pf-core tag
fraware Jun 27, 2026
51f788e
feat(pf-core): extend validation for PF-Core artifacts
fraware Jun 27, 2026
9f948c3
feat(pf-core): add pcs pf-core CLI command surface
fraware Jun 27, 2026
3be3af5
scripts: add PF-Core fixture generator
fraware Jun 27, 2026
cca3f72
scripts: add PF-Core bridge demo shell driver
fraware Jun 27, 2026
b7834be
examples(pf-core): add empty trace valid fixture
fraware Jun 27, 2026
a735c29
examples(pf-core): add authorized email send fixture
fraware Jun 27, 2026
e27a978
examples(pf-core): add allowed file read fixture
fraware Jun 27, 2026
46f2221
examples(pf-core): add cross-tenant deny observation fixture
fraware Jun 27, 2026
4870c0b
examples(pf-core): add network deny observation fixture
fraware Jun 27, 2026
b95680b
examples(pf-core): add valid authority handoff fixture
fraware Jun 27, 2026
6989078
examples(pf-core): add assumption-declared certificate fixture
fraware Jun 27, 2026
e02ae6e
examples(pf-core): add contract-checked trace fixture
fraware Jun 27, 2026
2cf86eb
examples(pf-core): add tool-use to PF-Core trace fixture
fraware Jun 27, 2026
cce8d47
examples(pf-core): add LabTrust replay fixture
fraware Jun 27, 2026
76610ac
examples(pf-core): add claim-class overclaim invalid fixture
fraware Jun 27, 2026
de83667
examples(pf-core): add contract violation invalid fixture
fraware Jun 27, 2026
6f93b6a
examples(pf-core): add cross-tenant leak invalid fixture
fraware Jun 27, 2026
4e11e07
examples(pf-core): add dropped denied event invalid fixture
fraware Jun 27, 2026
644c679
examples(pf-core): add event hash mismatch invalid fixture
fraware Jun 27, 2026
3702c8c
examples(pf-core): add trace hash mismatch invalid fixture
fraware Jun 27, 2026
6d86326
examples(pf-core): add handoff authority expansion invalid fixture
fraware Jun 27, 2026
992918c
examples(pf-core): add handoff compile expansion invalid fixture
fraware Jun 27, 2026
67d312c
examples(pf-core): add missing principal invalid fixture
fraware Jun 27, 2026
90813f7
examples(pf-core): add resource scope violation invalid fixture
fraware Jun 27, 2026
83f419a
examples(pf-core): add unknown capability invalid fixture
fraware Jun 27, 2026
fd05fc6
examples(pf-core): add unknown effect invalid fixture
fraware Jun 27, 2026
346ca6b
test(pf-core): add stage1 schema and registry gates
fraware Jun 27, 2026
cce3ae4
test(pf-core): add stage2 trace and event checks
fraware Jun 27, 2026
eb26e84
test(pf-core): add stage3 contract and replay tests
fraware Jun 27, 2026
9255cf5
test(pf-core): add stage4 lean codegen tests
fraware Jun 27, 2026
527211e
test(pf-core): add stage5 certificate and bridge tests
fraware Jun 27, 2026
12c097d
test(pf-core): add stage7 hash vector parity tests
fraware Jun 27, 2026
872a383
test(pf-core): add phase D documentation audit tests
fraware Jun 27, 2026
ac1f4a7
test(pf-core): add phase F CertifyEdge integration tests
fraware Jun 27, 2026
3445099
test(pf-core): add bridge demo smoke test
fraware Jun 27, 2026
173082d
test(pf-core): add cross-language validation parity test
fraware Jun 27, 2026
b1b3668
test: extend hash vector parity harness for PF-Core
fraware Jun 27, 2026
7c466ad
feat(ts): register PF-Core schemas in TypeScript core
fraware Jun 27, 2026
08f18fe
feat(ts): validate PF-Core artifacts in TypeScript
fraware Jun 27, 2026
9b60db8
test(ts): cover PF-Core examples in package tests
fraware Jun 27, 2026
df9f037
feat(rust): add PF-Core artifact validation in Rust
fraware Jun 27, 2026
7a69b0f
ci: gate PF-Core stages, Lean build, and audits
fraware Jun 27, 2026
900032c
Merge origin/main into phase7/shared-hash-vector-ci
fraware Jun 27, 2026
e400898
fix(examples): replace overclaiming phrase in release manifest
fraware Jun 27, 2026
f2d30dd
fix(cli): restore pf-core subcommand after main merge
fraware Jun 27, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 43 additions & 11 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,15 @@ jobs:
run: |
cd python
pip install -e ".[dev]"
pytest -q tests/test_pf_core_stage1.py tests/test_pf_core_stage2.py tests/test_pf_core_stage3.py
pytest -q tests/test_pf_core_phase_f.py
pytest -q
pytest -q tests/test_protocol_conformance.py
pcs schema check
pcs pf-core audit-claims
pcs pf-core audit-boundary
pcs pf-core audit-lean-catalog
pcs pf-core audit-lean-no-sorry
pcs examples check
pcs validate-release-chain ../examples/labtrust-release/
pcs validate-release-chain ../examples/labtrust-release/ --json > /dev/null
Expand Down Expand Up @@ -69,13 +75,50 @@ jobs:
pytest -q tests/test_multidomain_workflows.py
ruff check pcs_core tests
ruff format --check pcs_core tests
- name: PF-Core fixture validation
run: |
cd python
pip install -e .
pcs validate ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json
pcs pf-core validate-trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json
- name: PF-Core CertifyEdge mock check (Phase F3)
run: |
cd python
PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \
--trace ../examples/pf-core-valid/labtrust_replay/trace.json \
--property qc_release.temporal.safety \
--out /tmp/PFCoreCertificate.certifyedge.json
- name: Schema drift check (reference)
run: bash scripts/pcs-schema-diff.sh schemas
- name: PF-Core hash vector parity (Phase 7)
run: bash scripts/verify-pf-core-hash-vectors.sh python/tests/hash_vectors
- name: LabTrust release fixtures
run: |
cd python
pcs validate-release-chain ../examples/labtrust-release/

lean:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install elan
run: curl -sSfL https://github.com/leanprover/elan/releases/download/v4.0.0/elan-x86_64-unknown-linux-gnu.tar.gz | tar xz && ./elan-init -y --default-toolchain none
- name: Build Lean libraries and PF-Core lean-check
run: |
cd lean
elan default leanprover/lean4:v4.14.0
lake build PCS
lake build PFCore
cd ../python
pip install -e .
pcs pf-core lean-check --trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json
pcs pf-core validate-contracts \
../examples/pf-core-valid/contract_checked/trace.json \
--contracts-dir ../examples/pf-core-valid/contract_checked

rust:
runs-on: ubuntu-latest
steps:
Expand Down Expand Up @@ -106,17 +149,6 @@ jobs:
npm run test:hash-vectors -w @pcs/core
npm run lint

lean:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Lean
run: |
curl -sSfL https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh | sh -s -- -y --default-toolchain stable
echo "$HOME/.elan/bin" >> "$GITHUB_PATH"
- name: Build Lean trust-boundary skeleton
run: cd lean && lake build

validate-cli-contract:
runs-on: ubuntu-latest
needs: python
Expand Down
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ typescript/packages/core/dist/
lake-packages/
lean/lakefile.olean.trace
lean/build/
lean/PFCore/Generated/*.lean
!lean/PFCore/Generated/.gitkeep

.DS_Store
*.swp
Expand Down
83 changes: 83 additions & 0 deletions docs/pf-core-trace-mapping.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# PF-Core trace ↔ PCS trace_certificate mapping

Phase 7 documents how PCS release artifacts relate to PF-Core traces and certificates. PCS and PF-Core use **different certificate schemas**; this document records field correspondence and shared hash rules. It does not unify schemas.

**Reference implementation:** [provability-fabric-core](https://github.com/SentinelOps-CI/provability-fabric-core) tag `pf-core-v0.6.0`, adapter `adapters/pcs/normalize_release.py`.

**PF-Core hash and certificate semantics:** [certificate-semantics.md](https://github.com/SentinelOps-CI/provability-fabric-core/blob/pf-core-v0.6.0/pf-core/docs/certificate-semantics.md) (hash chain section).

---

## PCS `trace_certificate` (v0) vs PF-Core artifacts

| PCS `trace_certificate` field | PF-Core equivalent | Notes |
|------------------------------|-------------------|-------|
| `certificate_id` | `certificate.certificate_id` | PCS uses `cert-*` naming; PF-Core generates `cert-{uuid}` |
| `schema_version` | `certificate.schema_version` | PCS `v0` vs PF-Core `pf-core.certificate.v0` |
| `trace_hash` | `trace.trace_hash`, `certificate.trace_hash` | PCS uses `sha256:` prefix; PF-Core stores hex64 — normalize at boundary |
| `spec_hash` | `certificate.contract_hash` | PCS spec hash binds to PF-Core contract hash |
| `property_id` | (none) | PCS property identifier; map to `policy_ref` or contract id when bridging |
| `checker` | `certificate.checker` | PCS `certifyedge` vs PF-Core `lean4` |
| `checker_version` | `certificate.checker_version` | Version strings differ by design |
| `status` | `certificate.safe` | `CertificateChecked` + `safe: true` documented equivalence |
| `counterexample_ref` | (none) | PCS-only; out of PF-Core scope |
| `created_at` | (none) | Organizational metadata |
| `producer` / `producer_version` | `certificate.created_by` | Optional PF-Core field |
| `source_repo` / `source_commit` | `certificate.proof_ref` | Different semantics; cross-reference only |
| `signature_or_digest` | (none) | PCS bundle integrity; post-incident-proofs layer |

---

## Event / trace hash rules (shared)

Both repos agree on:

1. **Genesis** `previous_event_hash`: 64 ASCII `0` characters.
2. **Canonical JSON:** sorted keys, minimal separators (`separators=(",", ":")`).
3. **`event_hash`:** `sha256(payload)` as lowercase hex; accept `sha256:` prefix at validation.
4. **`trace_hash`:** `sha256(canonical_json(trace \ {trace_hash}))`.

PCS hash vectors under `python/tests/hash_vectors/` must match provability-fabric-core `adapters/pcs/tests/fixtures/hash_vectors/` at the pinned PF-Core tag.

---

## LabTrust replay path

Pinned LabTrust release fixtures (e.g. `examples/labtrust/trace_certificate.valid.json`) feed PF-Core traces via the untrusted adapter:

```
labtrust-release/trace_certificate.valid.json
→ normalize_release.normalize_labtrust_release()
→ pf-core/examples/valid/pcs_replay_trace.json
```

### Release directory fields

| LabTrust / PCS artifact | Role in PF-Core trace |
|-------------------------|----------------------|
| `trace_certificate.valid.json` | Source `trace_hash` / `spec_hash` for mapping docs; adapter reads when present |
| Release observation (when emitted) | Compiles to `pf-core.event.v1` via `compile-observation` |
| PCS `trace_hash` (with `sha256:` prefix) | Normalizes to hex64 for `trace.trace_hash` binding |
| PCS `spec_hash` | Maps to `certificate.contract_hash` when emitting PF-Core certificate |

The reference adapter builds a single-event trace with `lab.release` effect, principal `lab-operator-1`, and genesis hash chain. See `pcs_replay_trace.json` in provability-fabric-core.

### Verification command

```bash
PYTHONPATH=pf-core/validator python -m pf_core.cli core check-trace \
--schemas pf-core/schemas \
--file pf-core/examples/valid/pcs_replay_trace.json
```

---

## Assurance boundary

| Layer | Claim |
|-------|-------|
| PF-Core `safe: true` | T1 (Lean-proved) + T4 (runtime deciders) |
| PCS `CertificateChecked` | PCS checker semantics |
| This mapping doc | Organizational cross-reference only |

PCS does not expand PF-Core TCB. Policy alignment remains vector-tested in provability-fabric-core.
50 changes: 50 additions & 0 deletions docs/pf-core/assumptions.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# PF-Core assumptions

PF-Core proofs and certificates are conditional on explicit assumptions. This document lists assumptions baked into the current implementation (Stages 1–7) and assumptions deferred to later research.

## Cryptographic assumptions

- SHA-256 collision resistance for canonical artifact hashes and event hash chains.
- `signature_or_digest` fields bind artifact bytes; full PKI signing infrastructure is out of scope for v0.1.

## Producer assumptions

- Runtime producers (`AgentRuntime`, LabTrust-Gym, adapters) emit faithful observations unless contradicted by hash-chain validation.
- Adapters that compile PCS artifacts into PF-Core traces are **untrusted**; their output must pass schema and semantic validation.

## Lean bridge (Stages 3–4)

- Default `pcs pf-core lean-check` runs Python deciders aligned with `lean/PFCore/` predicates, then generates a concrete proof file under `lean/PFCore/Generated/` and checks it with `lake env lean`.
- `LeanKernelChecked` is emitted **only** when that concrete proof succeeds (`traceSafeD … = true` via `decide`). `--skip-build` or `--skip-lean-proof` yields `RuntimeChecked` only.
- `lake build PFCore` means the PF-Core library compiles; individual traces still require generated proof files for kernel claims.
- Theorem names in `PF_CORE_THEOREM_CATALOG` exist as Lean symbols (enforced by `pcs pf-core audit-lean-catalog`).
- PCS `pcs lean-check` (without `--trace`) is **not** Lean-backed per trace. It prints the assurance boundary and exits; it must not be described as kernel-verified trace safety.

## Role and capability alignment (permanent boundary)

- Lean `HasCapability` inspects `principal.capabilities` only; **roles are not expanded in the kernel**.
- The PF-Core runtime compiler expands known roles into explicit capability ids on compiled principals.
- Traces submitted to `pcs pf-core lean-check` must list those expanded capabilities explicitly; lean-check rejects principals where `capabilities` does not match role expansion.
- Runtime authorization may still consult roles during compilation; lean-check and Lean proofs rely on the explicit capability list only.
- This role-to-capability split is a **permanent trusted-boundary assumption**, not a temporary Stage 1 gap.

## Registry assumptions

- Registry semantic checks marked `allowed_to_skip: true` are not treated as proved.
- Deferred checks must surface as `AssumptionDeclared` or `OutOfScope` claim classes, never `LeanKernelChecked` or unjustified `ProofChecked`.
- PF-Core certificates with skipped deferrable checks require non-empty `assumption_refs` pointing at `AssumptionSet.v0` ids or documented paths under `docs/pf-core/`.

## Out of scope (not assumed by PF-Core)

- Model correctness or alignment.
- Clinical or production safety of real-world systems.
- Natural-language policy interpretation.
- Global non-interference across tenants before event-level trace safety is proved.

## Assumption artifacts

Domain assumptions must be recorded in `AssumptionSet.v0` (PCS) or referenced from PF-Core certificates. Simulation scope disclaimers from the LabTrust profile remain mandatory for QC-release demonstrations. Prefer citing `assumption_set_id` values (for example `as-labtrust-qc-v0.1`) over documentation paths alone when issuing `AssumptionDeclared` certificates.

## Contract and invariant simplification

See [contract-semantics.md](contract-semantics.md) for the mapping between `PFCoreContract.v0` JSON fields and runtime/Lean predicates.
70 changes: 70 additions & 0 deletions docs/pf-core/bridge-artifact.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# PCS TraceCertificate to PFCoreCertificate bridge artifact

This document specifies the organizational bridge between PCS release-layer
`TraceCertificate.v0` artifacts and PF-Core `PFCoreCertificate.v0` claim objects.
It is a cross-reference spec for demos and adapters; it does not unify schemas.

## Purpose

PCS science bundles attach `TraceCertificate.v0` objects checked by external
tools (e.g. CertifyEdge). PF-Core certificates carry explicit `claim_class`
values that state what assurance was obtained. The bridge maps PCS checker output
into PF-Core certificate fields without expanding the PF-Core TCB.

## Field mapping

| PCS `TraceCertificate.v0` | PF-Core `PFCoreCertificate.v0` | Bridge rule |
|---------------------------|-------------------------------|-------------|
| `certificate_id` | `certificate_id` | Prefix optional; preserve id for cross-reference |
| `trace_hash` | `trace_hash` | Normalize `sha256:` prefix at boundary |
| `spec_hash` | `contract_hash` | Direct bind |
| `checker` | `checker` | Copy verbatim |
| `checker_version` | `checker_version` | Copy verbatim |
| `status: CertificateChecked` | `claim_class: CertificateChecked` | Required when external checker attests |
| `source_repo` | `source_repo` | Copy verbatim |
| `source_commit` | `source_commit` | Copy verbatim |
| `property_id` | (none) | Record in trace event `contract_refs` when compiling |
| `counterexample_ref` | (none) | PCS-only; PF-Core `OutOfScope` if replay needed |
| `signature_or_digest` | (none) | PCS bundle integrity; recompute PF-Core digest |

## Claim class selection

| Bridge operation | Required `claim_class` |
|------------------|------------------------|
| External checker attestation only | `CertificateChecked` |
| PF-Core runtime compiler + hash chain | `RuntimeChecked` |
| Deterministic hash replay | `ReplayValidated` |
| Lean kernel concrete proof | `LeanKernelChecked` |
| Deferred registry checks documented | `AssumptionDeclared` |

Do not emit `LeanKernelChecked` from the bridge when only PCS
`CertificateChecked` status is available.

## Bridge workflow (demo)

```
examples/labtrust/trace_certificate.valid.json
→ pf_core_labtrust_adapter.normalize_labtrust_release()
→ examples/pf-core-valid/labtrust_replay/trace.json
→ pcs pf-core replay-trace trace.json
→ pcs pf-core attach-certificate-check --trace trace.json ...
→ PFCoreCertificate.v0 (claim_class: CertificateChecked)
```

## Assurance boundary

| Layer | What the bridge claims |
|-------|------------------------|
| PCS `CertificateChecked` | External checker semantics for the declared property |
| PF-Core `CertificateChecked` | Same attestation recorded in PF-Core schema |
| PF-Core `ReplayValidated` | Hash chain reproducibility only |
| PF-Core `LeanKernelChecked` | Not implied by this bridge |

Adapters that perform the bridge are **untrusted**. All bridged artifacts must
pass PCS schema and PF-Core semantic validation before release.

## Related documents

- [claim-boundary.md](claim-boundary.md) — claim class definitions
- [pf-core-trace-mapping.md](../pf-core-trace-mapping.md) — trace field mapping
- [assumptions.md](assumptions.md) — deferred registry obligations
Loading
Loading