diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..7e6487b --- /dev/null +++ b/.gitattributes @@ -0,0 +1,5 @@ +# Normalize line endings for fixtures hashed on Linux CI. +examples/** text eol=lf +benchmarks/** text eol=lf +test_vectors/** text eol=lf +lean/** text eol=lf diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cb84ac1..b3a19b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -87,15 +87,20 @@ jobs: cd python pip install -e . if command -v certifyedge >/dev/null 2>&1; then + echo "CertifyEdge CLI found: $(command -v certifyedge)" + certifyedge --version || true pcs pf-core certifyedge-check \ --trace ../examples/pf-core-valid/labtrust_replay/trace.json \ --property qc_release.temporal.safety \ - --out /tmp/PFCoreCertificate.certifyedge.json || \ - PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \ - --trace ../examples/pf-core-valid/labtrust_replay/trace.json \ - --property qc_release.temporal.safety \ - --out /tmp/PFCoreCertificate.certifyedge.json + --out /tmp/PFCoreCertificate.certifyedge.json || { + echo "WARNING: live CertifyEdge check failed; falling back to mock" + PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \ + --trace ../examples/pf-core-valid/labtrust_replay/trace.json \ + --property qc_release.temporal.safety \ + --out /tmp/PFCoreCertificate.certifyedge.json + } else + echo "WARNING: certifyedge not on PATH; using PCS_CERTIFYEDGE_MOCK=1" PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \ --trace ../examples/pf-core-valid/labtrust_replay/trace.json \ --property qc_release.temporal.safety \ 
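Review bot: In `.gitattributes`, all four patterns set `text eol=lf` unconditionally, so Git treats every file under `examples/`, `benchmarks/`, `test_vectors/` and `lean/` as text. Any binary fixture in those trees would have its CRLF byte pairs rewritten on check-in, which changes its digest. If those trees can hold non-text files (the page does not show whether they do), `text=auto eol=lf` keeps binary detection on. Files already committed are only re-normalized after `git add --renormalize .`, which is worth stating in the header comment because the fixture hashes depend on it.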
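Review bot: In `.github/workflows/ci.yml`, the new `|| { ... }` group still turns any non-zero exit of the live `certifyedge-check` into a passing step, because the rerun under `PCS_CERTIFYEDGE_MOCK=1` decides the result. A genuine property violation reported by the live tool is then indistinguishable from a tool crash, and the only trace is an `echo` in the log. When the CLI is on PATH the live result should probably be authoritative: drop the fallback in that branch, or at least annotate the run with `echo "::warning::live CertifyEdge check failed; mock result used"`. Both paths also write the same `/tmp/PFCoreCertificate.certifyedge.json`, so a later consumer cannot tell a mock certificate from a live one; a distinct `--out` name on the mock path would keep that visible. The step's `run:` block continues past the end of the hunk.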
@@ -125,13 +130,17 @@ jobs: run: curl -sSfL https://github.com/leanprover/elan/releases/download/v4.0.0/elan-x86_64-unknown-linux-gnu.tar.gz | tar xz && ./elan-init -y --default-toolchain none - name: Build Lean libraries and PF-Core lean-check run: | + export PATH="$HOME/.elan/bin:$PATH" cd lean elan default leanprover/lean4:v4.14.0 lake build PCS lake build PFCore cd ../python pip install -e . - pcs pf-core lean-check --trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json + pcs pf-core lean-check --trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json --out /tmp/pfcore-ci-cert.json + pcs pf-core verify-proof-binding \ + --certificate /tmp/pfcore-ci-cert.json \ + --trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json pcs pf-core validate-contracts \ ../examples/pf-core-valid/contract_checked/trace.json \ --contracts-dir ../examples/pf-core-valid/contract_checked diff --git a/benchmarks/computation-reproducibility/expected_reports/benchmark_report.computation-reproducibility-v0.v0.json b/benchmarks/computation-reproducibility/expected_reports/benchmark_report.computation-reproducibility-v0.v0.json index 336ef70..062c938 100644 --- a/benchmarks/computation-reproducibility/expected_reports/benchmark_report.computation-reproducibility-v0.v0.json +++ b/benchmarks/computation-reproducibility/expected_reports/benchmark_report.computation-reproducibility-v0.v0.json @@ -46,11 +46,11 @@ "denominator": 2.0, "coverage_ratio": 0.7, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:f7a35b8bfa1db2f23acc34db7698cbf8537905015aaee5982e9b7c9457f9ec11" + "signature_or_digest": "sha256:68b662bc594764cb4ba4c1596a61e4f6b82c18c3382e240e9861f27f7b7292a9" }, "formal_checks": { "schema_version": "v0", 
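Review bot: The added `verify-proof-binding` call in the Lean step checks the certificate only against the same trace that `lean-check` was just given, so it covers the accept path but not whether a mismatched trace is rejected. A negative case would close that gap, e.g. `if pcs pf-core verify-proof-binding --certificate /tmp/pfcore-ci-cert.json --trace <OTHER_TRACE_PLACEHOLDER>; then echo "binding accepted a mismatched trace"; exit 1; fi`, using a second fixture trace from the repository. The unchanged install line above the hunk still pipes the elan release tarball from `curl` into `tar` and runs `./elan-init` with no checksum comparison. Since this step now gates proof-binding verification, pinning a SHA-256 for that download is a worthwhile follow-up. The step's `run:` block continues outside the hunk.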
@@ -194,11 +194,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:9e4f85897ca54facb2d79a53ad3eb6ef84402dbdd23b6166d78831080eccabed", + "signature_or_digest": "sha256:d8a650e16939d91fe4e05de9ecb8beda0b77b07fca3e652bbf8ad76b6f40abe9", "conformance_refs": [ { "suite": "computation", - "run_id": "conf-run-computation-20260521T112227Z", + "run_id": "conf-run-computation-20260628T004834Z", "status": "passed" } ] diff --git a/benchmarks/computation-reproducibility/expected_reports/benchmark_report.v0.json b/benchmarks/computation-reproducibility/expected_reports/benchmark_report.v0.json index 336ef70..062c938 100644 --- a/benchmarks/computation-reproducibility/expected_reports/benchmark_report.v0.json +++ b/benchmarks/computation-reproducibility/expected_reports/benchmark_report.v0.json @@ -46,11 +46,11 @@ "denominator": 2.0, "coverage_ratio": 0.7, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:f7a35b8bfa1db2f23acc34db7698cbf8537905015aaee5982e9b7c9457f9ec11" + "signature_or_digest": "sha256:68b662bc594764cb4ba4c1596a61e4f6b82c18c3382e240e9861f27f7b7292a9" }, "formal_checks": { "schema_version": "v0", @@ -194,11 +194,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:9e4f85897ca54facb2d79a53ad3eb6ef84402dbdd23b6166d78831080eccabed", + "signature_or_digest": "sha256:d8a650e16939d91fe4e05de9ecb8beda0b77b07fca3e652bbf8ad76b6f40abe9", "conformance_refs": [ { "suite": "computation", - "run_id": "conf-run-computation-20260521T112227Z", + "run_id": "conf-run-computation-20260628T004834Z", "status": "passed" } ] 
diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/README.md b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/README.md
index c37d70e..8bdeb93 100644
--- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/README.md
+++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/README.md
@@ -1,19 +1,36 @@ -# Scientific computation reproducibility release train +# Computation reproducibility release fixtures -Conformance fixture for workflow `scientific_computation.reproducibility_v0`. +Release fixtures for workflow `scientific_computation.reproducibility_v0` document computation witnesses and release-chain validation for the reproducibility profile. + +The workflow profile appears in `examples/workflow_profiles/scientific_computation_reproducibility.valid.json`, and the guide is [docs/workflow-profiles.md](../../docs/workflow-profiles.md). ## Artifacts -- Runtime: `dataset_receipt.json`, `environment_receipt.json`, `computation_run_receipt.json`, `result_artifact.json` -- Certificate: `computation_witness.json` -- PCS chain: `science_claim_bundle.certified.json`, `verification_result.json`, `signed_science_claim_bundle.json`, `release_manifest.v0.json`, `release_chain_validation_result.v0.json` +| File | Type | +|------|------| +| `dataset_receipt.json` | `DatasetReceipt.v0` | +| `environment_receipt.json` | `EnvironmentReceipt.v0` | +| `computation_run_receipt.json` | `ComputationRunReceipt.v0` | +| `result_artifact.json` | `ResultArtifact.v0` | +| `computation_witness.json` | `ComputationWitness.v0` | +| `science_claim_bundle.certified.json` | `ScienceClaimBundle.v0` | +| `verification_result.json` | `VerificationResult.v0` | +| `signed_science_claim_bundle.json` | `SignedScienceClaimBundle.v0` | +| `release_manifest.v0.json` | `ReleaseManifest.v0` | +| `release_chain_validation_result.v0.json` | `ReleaseChainValidationResult.v0` | + +## Validate + +```bash +pcs validate-release-chain examples/computation-release/ +pcs conformance run --suite computation +``` -Regenerate: +Regenerate through the Python materialize script. 
```bash cd python python scripts/materialize_computation_fixtures.py -pcs validate-release-chain ../examples/computation-release/ ``` -Invalid negative cases: `examples/computation-release-invalid/` (one failure class per directory). +Invalid cases live under `examples/computation-release-invalid/` with one failure class per directory. diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/RELEASE_FIXTURE_MANIFEST.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/RELEASE_FIXTURE_MANIFEST.json index 650d4bb..e9dd001 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/RELEASE_FIXTURE_MANIFEST.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,14 +9,14 @@ "provability_fabric_commit": "c333333333333333333333333333333333333333", "scientific_memory_commit": "d444444444444444444444444444444444444444", "artifacts": { - "dataset_receipt.json": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec", - "environment_receipt.json": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae", - "computation_run_receipt.json": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a", - "result_artifact.json": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed", - "computation_witness.json": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9", - "science_claim_bundle.certified.json": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d", - "verification_result.json": "sha256:59c45c6e24cbca96489cfdefc0b156c39bec252b53b09e8f1d8b7b48fa88676f", - "signed_science_claim_bundle.json": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea", - "scientific_memory_import_report.json": "sha256:21fa9d915b7f313a3e9d1b1fdf4bdd2815bbd06404ae9699518bd5e367bca41e" + "dataset_receipt.json": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79", + "environment_receipt.json": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598", + "computation_run_receipt.json": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a", + "result_artifact.json": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc", + "computation_witness.json": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb", + "science_claim_bundle.certified.json": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643", + "verification_result.json": "sha256:f78c35d74928bb139e2d507424a022f2dfa78fcc2e1a67ccd4adeb0f51e0b43c", + "signed_science_claim_bundle.json": 
"sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a", + "scientific_memory_import_report.json": "sha256:ba324c85c2aee78e1893c7b667e8580cbeede842b7027d42b9474b8c9dafbe70" } } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.bundle_to_verifier.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.bundle_to_verifier.v0.json index e069549..79cf255 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.bundle_to_verifier.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.bundle_to_verifier.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "witness_id": "witness-sci-comp-repro-001", "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828", - "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" }, "status": "Validated", - "signature_or_digest": "sha256:3db04a8c9656ed55c3efbc7bb08ebd2a606d9b26f21f492d201e0071c8b7e968" + "signature_or_digest": "sha256:91f0cdb6ab949b0ab706bcbf64281bac53f48083476944d1ef3a09a29d4e5a0e" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.certificate_to_bundle.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.certificate_to_bundle.v0.json index 1a9d519..bf485ef 100644 
--- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.certificate_to_bundle.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.certificate_to_bundle.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "computation_witness.json": { "artifact_type": "ComputationWitness.v0", - "sha256": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9" + "sha256": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828" }, "status": "Validated", - "signature_or_digest": "sha256:e2170d91b655ae0d9ae9b8f6a18fa78f9801d76213bd8e5bfba577ac7599f501" + "signature_or_digest": "sha256:170b7a0dfa9132870f4a7f96de1b4e9cb483c7ea6a354d8162e452a6b151543c" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.runtime_to_certificate.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.runtime_to_certificate.v0.json index 420d888..e2ee508 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.runtime_to_certificate.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.runtime_to_certificate.v0.json 
@@ -10,19 +10,19 @@ "input_artifacts": { "dataset_receipt.json": { "artifact_type": "DatasetReceipt.v0", - "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec" + "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79" }, "environment_receipt.json": { "artifact_type": "EnvironmentReceipt.v0", - "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae" + "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598" }, "computation_run_receipt.json": { "artifact_type": "ComputationRunReceipt.v0", - "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a" + "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a" }, "result_artifact.json": { "artifact_type": "ResultArtifact.v0", - "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed" + "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc" } }, "expected_outputs": { @@ -35,5 +35,5 @@ "dataset_hash": "sha256:84c9037231eef6a1742c1d6d0a043878b4de8395397c168026450d8ca9e647e3" }, "status": "Validated", - "signature_or_digest": "sha256:bafff8665c39e3662b34563a34671f518639fbb46853d889925a537a964c1b41" + "signature_or_digest": "sha256:00a3731d61029e4ae124bd4503e3eae35eb7b1c271cf3f5f3930cfe2a89e137f" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.signed_bundle_to_memory.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.signed_bundle_to_memory.v0.json index c5620af..7db8eb3 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_manifest.signed_bundle_to_memory.v0.json 
@@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea" + "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "claim_id": "claim-qc-release-v0.1" }, "status": "Validated", - "signature_or_digest": "sha256:68159cf6671e21245b197912e054410bf50e39b068e25c0eb66ecc73fca10250" + "signature_or_digest": "sha256:d7040e584b65b50f2b17d467f6ca7dd1e098f818dc72e7158e0bcd009b400f71" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_certifyedge.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_certifyedge.json index 420d888..e2ee508 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_certifyedge.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_certifyedge.json 
@@ -10,19 +10,19 @@ "input_artifacts": { "dataset_receipt.json": { "artifact_type": "DatasetReceipt.v0", - "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec" + "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79" }, "environment_receipt.json": { "artifact_type": "EnvironmentReceipt.v0", - "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae" + "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598" }, "computation_run_receipt.json": { "artifact_type": "ComputationRunReceipt.v0", - "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a" + "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a" }, "result_artifact.json": { "artifact_type": "ResultArtifact.v0", - "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed" + "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc" } }, "expected_outputs": { @@ -35,5 +35,5 @@ "dataset_hash": "sha256:84c9037231eef6a1742c1d6d0a043878b4de8395397c168026450d8ca9e647e3" }, "status": "Validated", - "signature_or_digest": "sha256:bafff8665c39e3662b34563a34671f518639fbb46853d889925a537a964c1b41" + "signature_or_digest": "sha256:00a3731d61029e4ae124bd4503e3eae35eb7b1c271cf3f5f3930cfe2a89e137f" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_pf.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_pf.json index e069549..79cf255 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_pf.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/handoff_to_pf.json 
@@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "witness_id": "witness-sci-comp-repro-001", "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828", - "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" }, "status": "Validated", - "signature_or_digest": "sha256:3db04a8c9656ed55c3efbc7bb08ebd2a606d9b26f21f492d201e0071c8b7e968" + "signature_or_digest": "sha256:91f0cdb6ab949b0ab706bcbf64281bac53f48083476944d1ef3a09a29d4e5a0e" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/lean_check_result.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/lean_check_result.v0.json index ec62c26..5e6cdc4 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/lean_check_result.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/lean_check_result.v0.json @@ -5,7 +5,7 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:37:27Z", + "checked_at": "2026-06-28T00:48:30Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", @@ -33,5 +33,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:fd47f305ab323dffeee4f60ebd3ac164563ca784b0199842f23b7fec315df397" + "signature_or_digest": "sha256:46006f2dbeb6b1ed7d4840e085dbbdd7e1c3c977b24d0ea8e0af50878206365d" } 
diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/proof_obligation.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/proof_obligation.v0.json index 7c1706a..a7dd41f 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/proof_obligation.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/proof_obligation.v0.json @@ -22,8 +22,8 @@ "kind": "VerificationAdmitsBundle", "inputs": { "verification_status": "ProofChecked", - "verified_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d", - "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d", + "verified_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643", + "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643", "release_blocking_checks_passed": true } }, @@ -31,8 +31,8 @@ "obligation_id": "signed_bundle_admissible", "kind": "SignedBundleAdmissible", "inputs": { - "signed_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d", - "verified_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "signed_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643", + "verified_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" } } ], @@ -61,5 +61,5 @@ "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:8b5791def92cff90bb899cf228e7a26d3305e8e141fae361d698c23bb2dd14b6" + "signature_or_digest": "sha256:8f3640d982b551859055d5fb1f351b8f099bc3b3f5b6c9feda56bee69aaa6c83" } 
diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/release_manifest.v0.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/release_manifest.v0.json index 31862ea..74dc757 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/release_manifest.v0.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/release_manifest.v0.json @@ -8,16 +8,16 @@ "chain_root": { "trace_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828", "certificate_id": "witness-sci-comp-repro-001", - "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d", - "signed_bundle_hash": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea" + "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643", + "signed_bundle_hash": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:c1f0f2c733f1d15b5822a0870998be795f71f116bb721776dc4ba606a05b5711" + "sha256": "sha256:655eb161766f61ba6d804767be022ff49c9199337897012f44f84631657007b7" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea" + "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a" }, "canonical_claim_id": "claim-qc-release-v0.1", "limitations_notice": "This artifact is a proof-carrying computational reproducibility result. It verifies that declared inputs, environment metadata, code provenance, execution command, and result artifact hashes are internally consistent. It does not prove that the scientific model is true, that the dataset is unbiased, or that the result is externally valid.", 
@@ -50,7 +50,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec" + "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79" }, "environment_receipt.json": { "artifact_type": "EnvironmentReceipt.v0", @@ -58,7 +58,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae" + "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598" }, "computation_run_receipt.json": { "artifact_type": "ComputationRunReceipt.v0", @@ -66,7 +66,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a" + "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a" }, "result_artifact.json": { "artifact_type": "ResultArtifact.v0", @@ -74,7 +74,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed" + "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc" }, "computation_witness.json": { "artifact_type": "ComputationWitness.v0", 
@@ -82,7 +82,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9" + "sha256": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -90,7 +90,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" }, "workflow_profile.v0.json": { "artifact_type": "WorkflowProfile.v0", @@ -98,7 +98,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:9059e646990af0b72f82b740c0f8db102fea4b3b8e5ed809c916fc259ae279f8" + "sha256": "sha256:04e792dff4ae6d3c18d4f5d289fa36b6d7f21b585c8af30f8ad1a72f7c82aaaf" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", @@ -106,7 +106,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:59c45c6e24cbca96489cfdefc0b156c39bec252b53b09e8f1d8b7b48fa88676f" + "sha256": "sha256:f78c35d74928bb139e2d507424a022f2dfa78fcc2e1a67ccd4adeb0f51e0b43c" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", 
@@ -114,17 +114,17 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea" + "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a" } }, "release_status": "Validated", - "signature_or_digest": "sha256:9b7baa8b06fc2bfa1c622a8d6019ba2e2c5ab99c8e0dcc729d5a40e8ecbcc10f", + "signature_or_digest": "sha256:30e155d9adaa6e097063c6214351e2004577280df7431cac2f6597f782dc4a8d", "proof_obligation": { "path": "proof_obligation.v0.json", - "sha256": "sha256:3a80604bd630a7fd6e6f06ed3802bca444bc09a044fa77a93ab2e4104d0cf73d" + "sha256": "sha256:df95f592d0286d8adb6f553deee13daec41580c72d68e82fac5bc2cac0bdb98d" }, "lean_check_result": { "path": "lean_check_result.v0.json", - "sha256": "sha256:9761d9456dd24e838d94f3502a3c3d89cfcc6043993b7ce1c9688866fc9c6643" + "sha256": "sha256:e62cdc2102576950eb37f79ff1e906e34d478afe82f1f9ecde926a3db56d6759" } } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/scientific_memory_import_report.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/scientific_memory_import_report.json index 2b25ec9..c47fd4b 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/scientific_memory_import_report.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/scientific_memory_import_report.json @@ -22,5 +22,5 @@ "release_chain_validation_status": "ProofChecked", "release_chain_validator": "pcs-core", "release_chain_checked_at": "2026-05-18T12:00:00Z", - "release_manifest_hash": "sha256:1105866df254958763ee64310e002e685d557bc53021312cddaa162e26a8d50c" + "release_manifest_hash": "sha256:5b92240c3350bda4baf8f0a0610fd62f327b6d12a87659f589202aa74a28d1f7" } 
diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/signed_science_claim_bundle.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/signed_science_claim_bundle.json index a1f9781..8303e74 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/signed_science_claim_bundle.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/signed_science_claim_bundle.json @@ -171,6 +171,6 @@ "signed_at": "2026-05-16T12:25:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:6ad535dc544c15981b75763c6ff6b0b74f04b9822688d3a0bae4b0249952e65b", - "signed_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "signature_or_digest": "sha256:6b1216c9db49ee9758ecbaa226b20e590df0e2f8efcf3b024a82f79a90dac92b", + "signed_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" } diff --git a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/verification_result.json b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/verification_result.json index aa0e0a5..63e51ae 100644 --- a/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/verification_result.json +++ b/benchmarks/computation-reproducibility/input_releases/invalid-witness-hash/verification_result.json 
@@ -24,10 +24,10 @@ "created_at": "2026-05-16T12:20:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:f3ee7b3572a2ae04d10c94688dd835d4baf42d19b7e8c32302cd7e6d6084837a", + "signature_or_digest": "sha256:63f3f8a52dfbfda85c7b6ea261f06b6fb35dc5cf748603a638fc496296522b57", "verified_input": { "certificate_id": "witness-sci-comp-repro-001", "trace_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828", - "bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d" + "bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643" } } diff --git a/benchmarks/computation-reproducibility/invalid/invalid-witness-hash/benchmark_run.invalid-witness-hash.v0.json b/benchmarks/computation-reproducibility/invalid/invalid-witness-hash/benchmark_run.invalid-witness-hash.v0.json index 2d043e0..a68f882 100644 --- a/benchmarks/computation-reproducibility/invalid/invalid-witness-hash/benchmark_run.invalid-witness-hash.v0.json +++ b/benchmarks/computation-reproducibility/invalid/invalid-witness-hash/benchmark_run.invalid-witness-hash.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-invalid-witness-hash", "task_id": "computation-reproducibility-v0", "case_id": "invalid-witness-hash", - "started_at": "2026-05-22T11:54:19Z", - "completed_at": "2026-05-22T11:54:19Z", + "started_at": "2026-06-28T07:05:51Z", + "completed_at": "2026-06-28T07:05:51Z", "commands": [ { "command": "validate_release_chain benchmarks/computation-reproducibility/input_releases/invalid-witness-hash", 
@@ -21,8 +21,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 85, + "duration_ms": 79, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:033f7300562a95ae6fc6658f30b09141099395a6b3c68169a4267606d3f2beb5" + "signature_or_digest": "sha256:f20c5ae8e11f5fa0960b3ca6ff8d4d812e7dcd9bc66aa4dea4e22c342e445465" } diff --git a/benchmarks/computation-reproducibility/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json b/benchmarks/computation-reproducibility/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json index 59a8b5e..3545c68 100644 --- a/benchmarks/computation-reproducibility/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json +++ b/benchmarks/computation-reproducibility/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-valid-release-chain", "task_id": "computation-reproducibility-v0", "case_id": "valid-release-chain", - "started_at": "2026-05-22T11:54:19Z", - "completed_at": "2026-05-22T11:54:19Z", + "started_at": "2026-06-28T07:05:51Z", + "completed_at": "2026-06-28T07:05:51Z", "commands": [ { "command": "validate_release_chain examples/computation-release", @@ -21,8 +21,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 80, + "duration_ms": 69, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:c9374700a2fcabf57a0623c53e87a1d1950fa753a2f39098d64f901c8d2045cd" + "signature_or_digest": "sha256:c7a6b13af02ac1d588edce7b97de3a258af1909b3168e11c9932d2ecb5099a40" } 
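Review bot: The regenerated `benchmark_run.invalid-witness-hash.v0.json` changes only `started_at`, `completed_at`, `duration_ms` and `signature_or_digest`, so the new digest appears to track wall-clock values rather than any change in the case itself. For a negative-test fixture whose digest is meant to be compared, that churn leaves a reviewer unable to separate a real content change from noise, and the same pattern repeats in the other `benchmark_run.*.v0.json` hunks of this commit. Whether the digest input includes these fields is not visible here. If it does, either pin them when generating committed fixtures or leave them out of the digested payload. The JSON object begins above this hunk, so the remaining fields were not reviewed.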
diff --git a/benchmarks/cross-domain/expected_reports/benchmark_report.cross-domain-release-chain-v0.v0.json b/benchmarks/cross-domain/expected_reports/benchmark_report.cross-domain-release-chain-v0.v0.json index ae836ba..8be4c2f 100644 --- a/benchmarks/cross-domain/expected_reports/benchmark_report.cross-domain-release-chain-v0.v0.json +++ b/benchmarks/cross-domain/expected_reports/benchmark_report.cross-domain-release-chain-v0.v0.json @@ -50,11 +50,11 @@ "denominator": 3.0, "coverage_ratio": 0.8333333333333334, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:3ef1b5fb2d391599c8ffd2b748b115458713380a75b7385a8727c42be0b0214c" + "signature_or_digest": "sha256:cc14f46c2d1086ee7a00b27e370f75704b99a41615e5eea8136beb0377bf5a15" }, "formal_checks": { "schema_version": "v0", @@ -166,11 +166,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:7b5c55fac42b5233ead646ae80157a17006c3ec7dcac66ee81829df2563883bb", + "signature_or_digest": "sha256:f29774053191ac4a9a8ab8c9990b916247a3f5ab3fdf82b8aa8d14c570955046", "conformance_refs": [ { "suite": "multidomain", - "run_id": "conf-run-multidomain-20260521T112228Z", + "run_id": "conf-run-multidomain-20260628T004834Z", "status": "passed" } ] diff --git a/benchmarks/cross-domain/expected_reports/benchmark_report.formal-trust-kernel-v0.v0.json b/benchmarks/cross-domain/expected_reports/benchmark_report.formal-trust-kernel-v0.v0.json index b6f9a01..0f552d5 100644 --- a/benchmarks/cross-domain/expected_reports/benchmark_report.formal-trust-kernel-v0.v0.json +++ b/benchmarks/cross-domain/expected_reports/benchmark_report.formal-trust-kernel-v0.v0.json 
@@ -48,11 +48,11 @@ "denominator": 3.0, "coverage_ratio": 0.8333333333333334, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:bc323c55da411c756903320b0dfafa85939ab5dfa23cdc4fa9ea25b74d409eea" + "signature_or_digest": "sha256:6b669082fc6d1421f0ab2a9db597c32b7ef69ad65e1af7f5a3b8a83d7e36bd0b" }, "formal_checks": { "schema_version": "v0", @@ -136,11 +136,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:0ecca1556c0aa01032ae58b157a1aaa0af63eeba01f541ecd1b4fec45c02868f", + "signature_or_digest": "sha256:70379cd0160b19d7040ce1793b60633dbcfcd29f10b16b3293a689ba6bef9e3b", "conformance_refs": [ { "suite": "lean-trust", - "run_id": "conf-run-lean-trust-20260521T112228Z", + "run_id": "conf-run-lean-trust-20260628T004834Z", "status": "passed" } ] diff --git a/benchmarks/cross-domain/expected_reports/benchmark_report.v0.json b/benchmarks/cross-domain/expected_reports/benchmark_report.v0.json index ae836ba..8be4c2f 100644 --- a/benchmarks/cross-domain/expected_reports/benchmark_report.v0.json +++ b/benchmarks/cross-domain/expected_reports/benchmark_report.v0.json @@ -50,11 +50,11 @@ "denominator": 3.0, "coverage_ratio": 0.8333333333333334, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:3ef1b5fb2d391599c8ffd2b748b115458713380a75b7385a8727c42be0b0214c" + "signature_or_digest": "sha256:cc14f46c2d1086ee7a00b27e370f75704b99a41615e5eea8136beb0377bf5a15" }, "formal_checks": { "schema_version": "v0", 
@@ -166,11 +166,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:7b5c55fac42b5233ead646ae80157a17006c3ec7dcac66ee81829df2563883bb", + "signature_or_digest": "sha256:f29774053191ac4a9a8ab8c9990b916247a3f5ab3fdf82b8aa8d14c570955046", "conformance_refs": [ { "suite": "multidomain", - "run_id": "conf-run-multidomain-20260521T112228Z", + "run_id": "conf-run-multidomain-20260628T004834Z", "status": "passed" } ] diff --git a/benchmarks/cross-domain/valid/formal-computation-lean-check/benchmark_run.formal-computation-lean-check.v0.json b/benchmarks/cross-domain/valid/formal-computation-lean-check/benchmark_run.formal-computation-lean-check.v0.json index 94cab89..3c8cb09 100644 --- a/benchmarks/cross-domain/valid/formal-computation-lean-check/benchmark_run.formal-computation-lean-check.v0.json +++ b/benchmarks/cross-domain/valid/formal-computation-lean-check/benchmark_run.formal-computation-lean-check.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-formal-computation-lean-check", "task_id": "formal-trust-kernel-v0", "case_id": "formal-computation-lean-check", - "started_at": "2026-05-22T11:54:25Z", - "completed_at": "2026-05-22T11:54:25Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "lean_check C:/Users/mateo/pcs-core/examples/computation-release", @@ -27,5 +27,5 @@ "duration_ms": 1, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ed350ba76cbccdecb079b02250c98ac5ec5cdcae2fe5b7f96702cd56c08a054b" + "signature_or_digest": "sha256:e3294a25122d24cc435aeef3c210dd89cc78cb02b94cc6d019682a5bc1d4f3a1" } 
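Review bot: In `benchmark_run.formal-computation-lean-check.v0.json` the recorded command `lean_check C:/Users/mateo/pcs-core/examples/computation-release` is an absolute path from a developer workstation. It is kept as context in the first hunk while the file's `signature_or_digest` is regenerated around it. That commits a local username and directory layout into a fixture and, if the digest covers `commands`, ties the expected digest to one machine. The sibling `validate_release_chain` runs record a repo-relative path instead, so the line would read `"command": "lean_check examples/computation-release",` with the digest regenerated afterwards. The same absolute prefix appears in the `formal-labtrust-lean-check` and `formal-tool-use-lean-check` runs. The object starts before the hunk and continues between the two hunks, so how the generator builds this string is not visible here.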
diff --git a/benchmarks/cross-domain/valid/formal-labtrust-lean-check/benchmark_run.formal-labtrust-lean-check.v0.json b/benchmarks/cross-domain/valid/formal-labtrust-lean-check/benchmark_run.formal-labtrust-lean-check.v0.json index e7fc346..d2518d6 100644 --- a/benchmarks/cross-domain/valid/formal-labtrust-lean-check/benchmark_run.formal-labtrust-lean-check.v0.json +++ b/benchmarks/cross-domain/valid/formal-labtrust-lean-check/benchmark_run.formal-labtrust-lean-check.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-formal-labtrust-lean-check", "task_id": "formal-trust-kernel-v0", "case_id": "formal-labtrust-lean-check", - "started_at": "2026-05-22T11:54:25Z", - "completed_at": "2026-05-22T11:54:25Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "lean_check C:/Users/mateo/pcs-core/examples/labtrust-release", @@ -24,8 +24,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 0, + "duration_ms": 1, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:3114bcc33a3c466085557380a4c804f3489ba22ba61b72ffc2cfb6396802f0f9" + "signature_or_digest": "sha256:e0c2f6d9eeeb30f5dc8305878e13d7e7413952e81432544d5002247579d6771c" } diff --git a/benchmarks/cross-domain/valid/formal-tool-use-lean-check/benchmark_run.formal-tool-use-lean-check.v0.json b/benchmarks/cross-domain/valid/formal-tool-use-lean-check/benchmark_run.formal-tool-use-lean-check.v0.json index 37f4cbf..5a8cf48 100644 --- a/benchmarks/cross-domain/valid/formal-tool-use-lean-check/benchmark_run.formal-tool-use-lean-check.v0.json +++ b/benchmarks/cross-domain/valid/formal-tool-use-lean-check/benchmark_run.formal-tool-use-lean-check.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-formal-tool-use-lean-check", "task_id": "formal-trust-kernel-v0", "case_id": "formal-tool-use-lean-check", - "started_at": "2026-05-22T11:54:25Z", - "completed_at": "2026-05-22T11:54:25Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "lean_check C:/Users/mateo/pcs-core/examples/tool-use-release", @@ -27,5 +27,5 @@ "duration_ms": 1, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:8fbb7a502c65e2f71aaab364702137f9677f5fc217606cf9958b05a8f4017958" + "signature_or_digest": "sha256:33e67b2b166faa64519b4852725db64194a26150fee44d460442dfae94096b62" } diff --git a/benchmarks/cross-domain/valid/valid-computation-release/benchmark_run.valid-computation-release.v0.json b/benchmarks/cross-domain/valid/valid-computation-release/benchmark_run.valid-computation-release.v0.json index bcc7be3..49f693c 100644 --- a/benchmarks/cross-domain/valid/valid-computation-release/benchmark_run.valid-computation-release.v0.json +++ b/benchmarks/cross-domain/valid/valid-computation-release/benchmark_run.valid-computation-release.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-valid-computation-release", "task_id": "cross-domain-release-chain-v0", "case_id": "valid-computation-release", - "started_at": "2026-05-22T11:54:29Z", - "completed_at": "2026-05-22T11:54:29Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "validate_release_chain examples/computation-release", 
@@ -21,8 +21,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 79, + "duration_ms": 76, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:14d6af95757110cf18b4788b04786eacb19cedfba246c527ab5e1b1858060dea" + "signature_or_digest": "sha256:71242fb2f3d2653da0bf75ecd77639deb7b2b91b9749b1429deae830903a53d5" } diff --git a/benchmarks/cross-domain/valid/valid-labtrust-release/benchmark_run.valid-labtrust-release.v0.json b/benchmarks/cross-domain/valid/valid-labtrust-release/benchmark_run.valid-labtrust-release.v0.json index 68c498e..2af594b 100644 --- a/benchmarks/cross-domain/valid/valid-labtrust-release/benchmark_run.valid-labtrust-release.v0.json +++ b/benchmarks/cross-domain/valid/valid-labtrust-release/benchmark_run.valid-labtrust-release.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-valid-labtrust-release", "task_id": "cross-domain-release-chain-v0", "case_id": "valid-labtrust-release", - "started_at": "2026-05-22T11:54:29Z", - "completed_at": "2026-05-22T11:54:29Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "validate_release_chain examples/labtrust-release", @@ -21,8 +21,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 46, + "duration_ms": 56, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:de0ff40faca97bc29ce4dc92d62f7581c303b22925442b7c1cb90e3ea9b63c24" + "signature_or_digest": "sha256:d1ab406b24f444302925a5985b0738292e704feb735489bc5081865bfd325b1c" } 
diff --git a/benchmarks/cross-domain/valid/valid-tool-use-release/benchmark_run.valid-tool-use-release.v0.json b/benchmarks/cross-domain/valid/valid-tool-use-release/benchmark_run.valid-tool-use-release.v0.json index d1f9183..70ddee0 100644 --- a/benchmarks/cross-domain/valid/valid-tool-use-release/benchmark_run.valid-tool-use-release.v0.json +++ b/benchmarks/cross-domain/valid/valid-tool-use-release/benchmark_run.valid-tool-use-release.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-valid-tool-use-release", "task_id": "cross-domain-release-chain-v0", "case_id": "valid-tool-use-release", - "started_at": "2026-05-22T11:54:29Z", - "completed_at": "2026-05-22T11:54:29Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "validate_release_chain examples/tool-use-release", @@ -21,8 +21,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 50, + "duration_ms": 58, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:0cee65bce391e8ef19da4955d099e158b68808a1ca150d2acff44f5f7231f850" + "signature_or_digest": "sha256:3c4fdab3701584cfaaf1a234c5b12cf70972ceb0bc6a585d9ed76cfc2729b06a" } diff --git a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.labtrust-qc-release-v0.v0.json b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.labtrust-qc-release-v0.v0.json index 13b0ab0..21fd10f 100644 --- a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.labtrust-qc-release-v0.v0.json +++ b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.labtrust-qc-release-v0.v0.json 
@@ -112,11 +112,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", @@ -260,11 +260,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:6456dcc3287fc82cd7366439399f965310607c4861c6bd87bdac7065e6e93fa1", + "signature_or_digest": "sha256:ef21b80192de276cacde37b7c3699e8e5e18935f35ab73e3f8fe23badb589d4b", "conformance_refs": [ { "suite": "release-chain", - "run_id": "conf-run-release-chain-20260521T112227Z", + "run_id": "conf-run-release-chain-20260628T004833Z", "status": "passed" } ] diff --git a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.scientific-memory-rendering-v0.v0.json b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.scientific-memory-rendering-v0.v0.json index b53e1bd..acfb2b7 100644 --- a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.scientific-memory-rendering-v0.v0.json +++ b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.scientific-memory-rendering-v0.v0.json 
@@ -42,11 +42,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:16bd5e384b7f7838c2774d30f9503fef25a177900c04f812b0311b5d8aea4df5" + "signature_or_digest": "sha256:7277fad6e6f4cfea207d254884808a798a896758e97b12cfe5e2e75bd3afa7ad" }, "formal_checks": { "schema_version": "v0", @@ -130,5 +130,5 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:abdd9b84b4ed55ce67b9d5adf1184111e10f92730c3d5704491889206bcb9eae" + "signature_or_digest": "sha256:58e2ca0c0f74fa193f1608cd1fe7033d4fb543cc7bb262fc623040a327f12070" } diff --git a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.v0.json b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.v0.json index 13b0ab0..21fd10f 100644 --- a/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.v0.json +++ b/benchmarks/labtrust-qc-release/expected_reports/benchmark_report.v0.json @@ -112,11 +112,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", 
@@ -260,11 +260,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:6456dcc3287fc82cd7366439399f965310607c4861c6bd87bdac7065e6e93fa1", + "signature_or_digest": "sha256:ef21b80192de276cacde37b7c3699e8e5e18935f35ab73e3f8fe23badb589d4b", "conformance_refs": [ { "suite": "release-chain", - "run_id": "conf-run-release-chain-20260521T112227Z", + "run_id": "conf-run-release-chain-20260628T004833Z", "status": "passed" } ] diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/benchmark_run.labtrust-certificate-id-tamper-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/benchmark_run.labtrust-certificate-id-tamper-v0.v0.json index e4cc6a3..55099be 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/benchmark_run.labtrust-certificate-id-tamper-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/benchmark_run.labtrust-certificate-id-tamper-v0.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-certificate-id-tamper-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-certificate-id-tamper-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/input_artifacts", 
@@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 1, + "duration_ms": 7, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:22a5492e5c2c706e8ed2c8b9a73551500ff9b4b0b5e941b9e2fa23553cc91231" + "signature_or_digest": "sha256:fb9cf0fedc8da2353a453946bd49b059d5eed5cf4e823d123f54724f215de063" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/input_artifacts/manifest.json index 5fafd13..2714e77 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-certificate-id-tamper-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:f76d59670b7967c5111fad91f31a4f370ea6ec3085e34b7b100fbba6492d5e44" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/benchmark_run.labtrust-lean-rejected-certificate-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/benchmark_run.labtrust-lean-rejected-certificate-v0.v0.json index 6e2afd5..2cc28f6 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/benchmark_run.labtrust-lean-rejected-certificate-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/benchmark_run.labtrust-lean-rejected-certificate-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-lean-rejected-certificate-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-lean-rejected-certificate-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/input_artifacts", @@ -27,5 +27,5 @@ "duration_ms": 4, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:93e7bdd8d6e42a42d31f50dd89849b979106bda330dfb0afbb8331bab1f73747" + "signature_or_digest": "sha256:4848b93f84b3611b9241b317b5093d3e71de131987b602427508023382163b9e" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/input_artifacts/manifest.json index 5fafd13..f67a8f5 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-rejected-certificate-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:dc169e5687bc9a96373e628f074a13e5cd0279e7de530c57c6fcdb1f9a40b977" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/benchmark_run.labtrust-lean-signed-hash-mismatch-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/benchmark_run.labtrust-lean-signed-hash-mismatch-v0.v0.json index 548b3e0..67801f5 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/benchmark_run.labtrust-lean-signed-hash-mismatch-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/benchmark_run.labtrust-lean-signed-hash-mismatch-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-lean-signed-hash-mismatch-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-lean-signed-hash-mismatch-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 5, + "duration_ms": 8, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:e9bebe7514dcd85432a3eae637b39b12e3e0b2a1806e65b54b26f97e5b3dc07f" + "signature_or_digest": "sha256:7ba7fb43b0ea692830a764ac9d5934187cf8358780ce60e3f678f96b44e493a2" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/input_artifacts/manifest.json index 5fafd13..e5435b9 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-signed-hash-mismatch-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/benchmark_run.labtrust-lean-stale-certificate-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/benchmark_run.labtrust-lean-stale-certificate-v0.v0.json index fcdd96f..69cb21e 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/benchmark_run.labtrust-lean-stale-certificate-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/benchmark_run.labtrust-lean-stale-certificate-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-lean-stale-certificate-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-lean-stale-certificate-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "Stale", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 2, + "duration_ms": 4, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:356569358b7a12b36866e8125300737e5a1bdd3f68ff8fb49d11aa65f52dface" + "signature_or_digest": "sha256:0e58ea31005545a429eb481d65453262a19e3ba59cbf36b792b1a7104cdfb495" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/input_artifacts/manifest.json index 5fafd13..0c60a90 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-stale-certificate-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:04c175ab4246938396e4c11cf43b7cca0fc0aed9f1717d0332550fca55314bb4" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/benchmark_run.labtrust-lean-trace-hash-mismatch-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/benchmark_run.labtrust-lean-trace-hash-mismatch-v0.v0.json index 575093c..dada2b9 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/benchmark_run.labtrust-lean-trace-hash-mismatch-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/benchmark_run.labtrust-lean-trace-hash-mismatch-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-lean-trace-hash-mismatch-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-lean-trace-hash-mismatch-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 2, + "duration_ms": 5, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:86f847a1323c7588c53779c6abf15152e5aec41a179703cc9421037becd56eb5" + "signature_or_digest": "sha256:4dd1ffa1fc8b8a4a9f0ef7b1292a9edcf82c4f8ab58186060dd183b417493963" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/input_artifacts/manifest.json index 5fafd13..638cc21 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-lean-trace-hash-mismatch-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:98fff6890c4c75e72dbff486814a3a5566904520ac0f5853f27f15dc03dfd877" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/benchmark_run.labtrust-legacy-handoff-file-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/benchmark_run.labtrust-legacy-handoff-file-v0.v0.json index ef41e42..4679430 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/benchmark_run.labtrust-legacy-handoff-file-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/benchmark_run.labtrust-legacy-handoff-file-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-legacy-handoff-file-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-legacy-handoff-file-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 2, + "duration_ms": 4, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:76a63e5d31173089a57c9a9bfb53a2187fe7da1b91c3534e79efd9bb6adebfca" + "signature_or_digest": "sha256:50f7546da9dfc1339292c7fd841637a75594f8914ace22e1839dd2c634111b1e" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/input_artifacts/manifest.json index 5fafd13..e5435b9 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-legacy-handoff-file-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-missing-qc-result-v0/benchmark_run.labtrust-missing-qc-result-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-missing-qc-result-v0/benchmark_run.labtrust-missing-qc-result-v0.v0.json index ed27c2f..ec07d24 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-missing-qc-result-v0/benchmark_run.labtrust-missing-qc-result-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-missing-qc-result-v0/benchmark_run.labtrust-missing-qc-result-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-missing-qc-result-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-missing-qc-result-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-missing-qc-result-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "not_applicable", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 1, + "duration_ms": 2, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:6bfe12e731993ef6952ce1a6737826542bc0248a9ca3eb7e5656c6b4ed2ba5a7" + "signature_or_digest": "sha256:8b74b94f8ce1d6b88f4e044174ab24d24c4cb60c0d6e3965fba34ba2434d8d4e" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/benchmark_run.labtrust-placeholder-commit-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/benchmark_run.labtrust-placeholder-commit-v0.v0.json index ef04c87..a0b80bf 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/benchmark_run.labtrust-placeholder-commit-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/benchmark_run.labtrust-placeholder-commit-v0.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-placeholder-commit-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-placeholder-commit-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/input_artifacts", 
@@ -27,5 +27,5 @@ "duration_ms": 11, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:87c96d427b783c937d8125df48bebed6f256de2d8c75552d2a70797e5e96b6f7" + "signature_or_digest": "sha256:52c49a87e81d60de317d1ac7c7cab78c744fdb3ab398486bfd355f0a3544412d" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/input_artifacts/manifest.json index 5fafd13..f9fcac4 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-placeholder-commit-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:47e4c6d79d0a2d8db993572b66af7a7899cdefdff9161f8f2dd51af80635e76e", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/benchmark_run.labtrust-scientific-memory-import-failure-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/benchmark_run.labtrust-scientific-memory-import-failure-v0.v0.json index ffb6f72..c394155 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/benchmark_run.labtrust-scientific-memory-import-failure-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/benchmark_run.labtrust-scientific-memory-import-failure-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-scientific-memory-import-failure-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-scientific-memory-import-failure-v0", - "started_at": "2026-05-22T11:54:22Z", - "completed_at": "2026-05-22T11:54:22Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 7, + "duration_ms": 5, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:0a2c978a6671581c177a4d3c618a7ed07a7ac22e840795d82f7269e9f1e13950" + "signature_or_digest": "sha256:e7eb8199d7dcc8580441f5bfa2f5893b0fe010c27a8416919c5917ebb99e2388" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/input_artifacts/manifest.json index 5fafd13..e5435b9 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-scientific-memory-import-failure-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/benchmark_run.labtrust-stale-trace-after-certificate-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/benchmark_run.labtrust-stale-trace-after-certificate-v0.v0.json index 86d377d..0ff683e 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/benchmark_run.labtrust-stale-trace-after-certificate-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/benchmark_run.labtrust-stale-trace-after-certificate-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-stale-trace-after-certificate-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-stale-trace-after-certificate-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 10, + "duration_ms": 11, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:dcb61cc996450c728c44b42b45bda540832ff86a2ade8a5b264d068fb4384020" + "signature_or_digest": "sha256:c2b5929cc02f3430a3ae7742b811c8f8f02ad0af7900742d732417ecbc067b20" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/input_artifacts/manifest.json index 5fafd13..af73280 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-stale-trace-after-certificate-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:6b48ae87adc9aacf456f68120e6cf8337b7721a1127ebe307631018cf2670a5f", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/benchmark_run.labtrust-trace-hash-tamper-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/benchmark_run.labtrust-trace-hash-tamper-v0.v0.json index c9ddb6f..0169358 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/benchmark_run.labtrust-trace-hash-tamper-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/benchmark_run.labtrust-trace-hash-tamper-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-trace-hash-tamper-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-trace-hash-tamper-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 2, + "duration_ms": 3, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:8121207a8aca387275e7898817bc5ab90f3df51e439ee996ce3288500bcf6637" + "signature_or_digest": "sha256:35bcf17db9cff31ca6d251035fc8a8b3e2ac4c47530204487343f8f32047c75b" } diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/input_artifacts/manifest.json index 5fafd13..cfc561a 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-trace-hash-tamper-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/labtrust-qc-release/invalid/labtrust-unauthorized-release-v0/benchmark_run.labtrust-unauthorized-release-v0.v0.json b/benchmarks/labtrust-qc-release/invalid/labtrust-unauthorized-release-v0/benchmark_run.labtrust-unauthorized-release-v0.v0.json index d8cbfbf..53d4ab9 100644 --- a/benchmarks/labtrust-qc-release/invalid/labtrust-unauthorized-release-v0/benchmark_run.labtrust-unauthorized-release-v0.v0.json +++ b/benchmarks/labtrust-qc-release/invalid/labtrust-unauthorized-release-v0/benchmark_run.labtrust-unauthorized-release-v0.v0.json 
@@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-unauthorized-release-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-unauthorized-release-v0", - "started_at": "2026-05-22T11:54:13Z", - "completed_at": "2026-05-22T11:54:13Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/invalid/labtrust-unauthorized-release-v0/input_artifacts", @@ -27,5 +27,5 @@ "duration_ms": 1, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:07a7a8e617166d092dc733c3d1d29b49963a17e141fe4976e78ba136a378f66a" + "signature_or_digest": "sha256:aeb54fe9721fc643b7ac68010ac701cc4f9332f0aea242cfddb97a28e7e69d1d" } diff --git a/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json b/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json index 9a1707c..7bb7538 100644 --- a/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json +++ b/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json @@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-valid-release-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-valid-release-v0", - "started_at": "2026-05-22T11:54:22Z", - "completed_at": "2026-05-22T11:54:22Z", + "started_at": "2026-06-28T07:05:52Z", + "completed_at": "2026-06-28T07:05:52Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts", 
@@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 18, + "duration_ms": 12, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:e9fef1915430612340b768fbb33e43ca8ded6a7c363c157a26e65051993407cb" + "signature_or_digest": "sha256:0e8ad743ff51f1286aba95fbe4797971d4f203b83a2838402fab0dbd1b45123d" } diff --git a/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts/manifest.json b/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts/manifest.json index 5fafd13..e5435b9 100644 --- a/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts/manifest.json +++ b/benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:5cfe4827ee37376cf67d7d1c8837c20b189c591412277e0486e75e5aae22130c", - "science_claim_bundle.certified.json": "sha256:aa859b7a367421b0848ee34d276ec22ccf044eeb0fc30c8c143c8bf705ea6652", - "science_claim_bundle.pending.json": "sha256:a76b8a8ee649417709a2161d712daa2000dee3c4cc46818db8d5a7ebcbf495d9", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:0e22ccc1f40fd3298ccace1e5870b9a27f1f73be69d2697afd003d2b00e1ddeb" + "runtime_receipt.json": "sha256:e455db262bba4e171a5bf574e44f364279b5ae8fcaa7adce19330a7e146aaf32", + "science_claim_bundle.certified.json": "sha256:bea673f57861e44c42fc6c99fec69203eae89d7ba9dca25299282ec6086a24b4", + "science_claim_bundle.pending.json": "sha256:13770e7b548732cb976dc24863790a4997b06726a4ff482f2d98a20b26a33c2e", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:66352b5108c0056d297223c3a1ab8e8acfc2f25ae6e8ed4f83a5b2505501bc42" }, "certificate_id": "cert-trace-a8e5fc69-f6ac-4463-8c13-39f0ab1515ee", "certificate_producer": "CertifyEdge", diff --git a/benchmarks/tool-use-safety/expected_reports/benchmark_report.tool-use-safety-v0.v0.json b/benchmarks/tool-use-safety/expected_reports/benchmark_report.tool-use-safety-v0.v0.json index 684d7bc..0153fec 100644 --- a/benchmarks/tool-use-safety/expected_reports/benchmark_report.tool-use-safety-v0.v0.json +++ b/benchmarks/tool-use-safety/expected_reports/benchmark_report.tool-use-safety-v0.v0.json 
@@ -58,11 +58,11 @@ "denominator": 4.0, "coverage_ratio": 0.8, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:2ea42bce296bb875edf529e464b6d51d2393da6a482a7514c0d5be04a5b76bac" + "signature_or_digest": "sha256:f737c302a2d1e8eb69b074dc64e026ea671ced8ba9b32e2d06f2d85790c0f9f1" }, "formal_checks": { "schema_version": "v0", @@ -206,11 +206,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:0867454bebccb4de503180f4ee70f12eae03b3cff009543a69f4d82c4ac5990b", + "signature_or_digest": "sha256:a8a34fa71b929d2c19753878b9691f6c56c10dcecb79cd700e373999e948f4f4", "conformance_refs": [ { "suite": "tool-use", - "run_id": "conf-run-tool-use-20260521T112227Z", + "run_id": "conf-run-tool-use-20260628T004833Z", "status": "passed" } ] diff --git a/benchmarks/tool-use-safety/expected_reports/benchmark_report.v0.json b/benchmarks/tool-use-safety/expected_reports/benchmark_report.v0.json index 684d7bc..0153fec 100644 --- a/benchmarks/tool-use-safety/expected_reports/benchmark_report.v0.json +++ b/benchmarks/tool-use-safety/expected_reports/benchmark_report.v0.json @@ -58,11 +58,11 @@ "denominator": 4.0, "coverage_ratio": 0.8, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:2ea42bce296bb875edf529e464b6d51d2393da6a482a7514c0d5be04a5b76bac" + "signature_or_digest": "sha256:f737c302a2d1e8eb69b074dc64e026ea671ced8ba9b32e2d06f2d85790c0f9f1" }, "formal_checks": { "schema_version": "v0", 
@@ -206,11 +206,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:0867454bebccb4de503180f4ee70f12eae03b3cff009543a69f4d82c4ac5990b", + "signature_or_digest": "sha256:a8a34fa71b929d2c19753878b9691f6c56c10dcecb79cd700e373999e948f4f4", "conformance_refs": [ { "suite": "tool-use", - "run_id": "conf-run-tool-use-20260521T112227Z", + "run_id": "conf-run-tool-use-20260628T004833Z", "status": "passed" } ] diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/README.md b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/README.md index 3cedf41..0cfd8cd 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/README.md +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/README.md @@ -1,13 +1,14 @@ -# Tool-use safety conformance train (v0.1) +# Tool-use safety release fixtures -Protocol conformance fixtures for the `agent_tool_use.safety_v0` workflow profile exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0` as integration tests separate from product demonstrations. +Conformance and release fixtures for workflow `agent_tool_use.safety_v0` exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0`. + +The workflow profile appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`, and the guide is [docs/workflow-profiles.md](../../docs/workflow-profiles.md). ## Validate ```bash pcs validate examples/tool-use-release/tool_use_trace.valid.json pcs validate examples/tool-use-release/tool_use_certificate.valid.json -pcs validate examples/tool-use-release/release_manifest.v0.json pcs validate-release-chain examples/tool-use-release/ pcs conformance run --suite tool-use pcs conformance run --suite multidomain 
@@ -17,23 +18,17 @@ pcs conformance run --suite multidomain | File | Type | |------|------| -| `workflow_profile.v0.json` | `WorkflowProfile.v0` | | `tool_use_trace.valid.json` | `ToolUseTrace.v0` | | `tool_use_certificate.valid.json` | `ToolUseCertificate.v0` | | `runtime_receipt.json` | `RuntimeReceipt.v0` | -| `handoff_to_certifyedge.json` | `HandoffManifest.v0` | | `handoff_manifest.*.v0.json` | `HandoffManifest.v0` | -| `handoff_to_pf.json` | `HandoffManifest.v0` | | `science_claim_bundle.certified.json` | `ScienceClaimBundle.v0` | | `verification_result.json` | `VerificationResult.v0` | | `signed_science_claim_bundle.json` | `SignedScienceClaimBundle.v0` | -| `scientific_memory_import_report.json` | SM import report (includes `workflow_profile_id`) | | `release_manifest.v0.json` | `ReleaseManifest.v0` | | `release_chain_validation_result.v0.json` | `ReleaseChainValidationResult.v0` | -| `RELEASE_FIXTURE_MANIFEST.json` | Legacy digest manifest for `pcs validate-release-chain` | - -Invalid negative cases live under `examples/tool-use-release-invalid/`. +| `RELEASE_FIXTURE_MANIFEST.json` | Digest manifest for `pcs validate-release-chain` | -Profile definition appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`. +Invalid cases live under `examples/tool-use-release-invalid/`. Regenerate through `python scripts/materialize_tool_use_fixtures.py` or `just materialize-protocol`. diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/RELEASE_FIXTURE_MANIFEST.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/RELEASE_FIXTURE_MANIFEST.json index c30eec1..0367a34 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/RELEASE_FIXTURE_MANIFEST.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,12 +9,12 @@ "provability_fabric_commit": "c333333333333333333333333333333333333333", "scientific_memory_commit": "d444444444444444444444444444444444444444", "artifacts": { - "tool_use_trace.valid.json": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507", - "runtime_receipt.json": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8", - "tool_use_certificate.valid.json": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4", - "science_claim_bundle.certified.json": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verification_result.json": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525", - "signed_science_claim_bundle.json": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15", - "scientific_memory_import_report.json": "sha256:1c293ec6b97481f984cdaae35a407268b166181781f0766506c620149c21af9c" + "tool_use_trace.valid.json": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253", + "runtime_receipt.json": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7", + "tool_use_certificate.valid.json": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6", + "science_claim_bundle.certified.json": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verification_result.json": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366", + "signed_science_claim_bundle.json": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a", + "scientific_memory_import_report.json": "sha256:6e8b0a551de8f5bbb5230be29ff82ffa18baffceb91c0287dfaa9caf8ff4c842" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.bundle_to_verifier.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.bundle_to_verifier.v0.json index d510af4..5f84a40 100644 
--- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.bundle_to_verifier.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.bundle_to_verifier.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.certificate_to_bundle.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.certificate_to_bundle.v0.json index 8d406c7..07e69b3 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.certificate_to_bundle.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.certificate_to_bundle.v0.json 
@@ -10,7 +10,7 @@ "input_artifacts": { "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:358cfe13ec84e8b3b58db4871b1fc80035fd28385606bf84a884d92c77ff12b8" + "signature_or_digest": "sha256:97035e1aeffa8f77067b9d70777b170ce70cbf6dfd099ce4568e688cbfcaf140" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.runtime_to_certificate.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.runtime_to_certificate.v0.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.runtime_to_certificate.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.runtime_to_certificate.v0.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { 
@@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.signed_bundle_to_memory.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.signed_bundle_to_memory.v0.json index cac6863..da347da 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_manifest.signed_bundle_to_memory.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "claim_id": "claim-qc-release-v0.1" }, "status": "Validated", - "signature_or_digest": "sha256:7d355cd6b4958592fe7456bfdf422c90d2e7694e9f9cbf258ed3cc96d4219c67" + "signature_or_digest": "sha256:7f00cf40614447f24990dd0bdcf901a60aa7555ed63df97579e68545561acc76" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_certifyedge.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_certifyedge.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_certifyedge.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_certifyedge.json 
@@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { @@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_pf.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_pf.json index d510af4..5f84a40 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_pf.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/handoff_to_pf.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { 
@@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/lean_check_result.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/lean_check_result.v0.json index 3acef36..212ab64 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/lean_check_result.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/lean_check_result.v0.json @@ -5,7 +5,7 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:37:27Z", + "checked_at": "2026-06-28T00:47:54Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", @@ -40,5 +40,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:148445e008f781bfc47593fe9fb5c8ad12abf482b22f03f7c45fe0b03149276a" + "signature_or_digest": "sha256:0cc08d09b3087e02e200bdfbeae35085f524af17695ccc0c4b69ce0d121bab25" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/proof_obligation.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/proof_obligation.v0.json index cb21da2..b3de603 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/proof_obligation.v0.json 
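Review bot: The new `checked_at` value in the first hunk of lean_check_result.v0.json looks like the wall-clock time of the regeneration run, whereas other fixtures in this commit keep fixed times (`signed_at`, `release_chain_checked_at`). If that field is covered by `signature_or_digest` (inferred from the digest changing in the second hunk), every regeneration will change this digest and the `lean_check_result` `sha256` in release_manifest.v0.json even when nothing about the proof changed, which makes a meaningful digest change hard to tell from noise in review. The record also keeps `"lean_version": "leanprover/lean4:stable"`, a channel name rather than a release, so it does not say which toolchain actually checked `ReleaseChainAdmissible`. I would have the generator emit a fixed fixture time and the resolved toolchain, e.g. `"checked_at": "<FIXED_FIXTURE_TIMESTAMP>"` and `"lean_version": "<RESOLVED_TOOLCHAIN_TAG>"`. The same two hunks recur in the invalid-trace-hash copy of this file.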
+++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/proof_obligation.v0.json @@ -30,8 +30,8 @@ "kind": "VerificationAdmitsBundle", "inputs": { "verification_status": "ProofChecked", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", "release_blocking_checks_passed": true } }, @@ -39,8 +39,8 @@ "obligation_id": "signed_bundle_admissible", "kind": "SignedBundleAdmissible", "inputs": { - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } ], @@ -69,5 +69,5 @@ "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:98012907fe12b4bfdf4e2a299cfac98dfb0d2302382b7062a9de3e18fb9fa889" + "signature_or_digest": "sha256:69335e62a2eb10f6475b5716c00137af4f691b906731807eb9eafe8658d32f5c" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/release_manifest.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/release_manifest.v0.json index fe677a5..fbdb645 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/release_manifest.v0.json 
+++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/release_manifest.v0.json @@ -8,19 +8,19 @@ "chain_root": { "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", "certificate_id": "cert-tool-use-safety-v0", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "signed_bundle_hash": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "signed_bundle_hash": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:8ce4be20f5a9fef3e6ef990c1abd6b6c5f98ec8ff67a393d2163728fcf07560e" + "sha256": "sha256:7c0f320adf5b570da3fc3920560db65eef30262597f2f6349cdf66a6102fa527" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "canonical_claim_id": "claim-qc-release-v0.1", - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.", + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", "producer_repos": { "pcs_core": { "repo": "https://github.com/SentinelOps-CI/pcs-core", 
@@ -50,7 +50,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", @@ -58,7 +58,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", @@ -66,7 +66,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -74,7 +74,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "workflow_profile.v0.json": { "artifact_type": "WorkflowProfile.v0", 
@@ -82,7 +82,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:0f54c947169f2733cf05ae8486b73afbc7bd82ec51275448f72d18ad29783e66" + "sha256": "sha256:ae33f37f50f3e073e1c83284e5a1e2cb2cb56e6b2110fffbf9b2cf5b0cb77dae" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", @@ -90,7 +90,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525" + "sha256": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", @@ -98,17 +98,17 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "release_status": "Validated", - "signature_or_digest": "sha256:a36994d8089a3335fca0b67e50be61a46fae8d53b4e68bc1fe1adda43de87ef4", + "signature_or_digest": "sha256:c2d07b432fdc356914d83f86137eb7e896729bc8e4f8128bb3b8c2f2f7dcd147", "proof_obligation": { "path": "proof_obligation.v0.json", - "sha256": "sha256:850557b7f2e5c97c8c8de3ef8ff54ffad0372068705eeea5709dc545d57c1e3e" + "sha256": "sha256:927c89fec743d4276e34be6fc46beee375d004b05e4277cbf866a72f9b8736a0" }, "lean_check_result": { "path": "lean_check_result.v0.json", - "sha256": "sha256:98dd9cb225939cce5a6896dc608a290f90f429ab8a67ea58ac747b5f48f81529" + "sha256": "sha256:fd71fa9155e643ed6fa2358ad0a87ec1ccfc9247e3d093a190aa6b4666513219" } } 
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/scientific_memory_import_report.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/scientific_memory_import_report.json index c408d42..7f11960 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/scientific_memory_import_report.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/scientific_memory_import_report.json @@ -22,5 +22,5 @@ "release_chain_validation_status": "ProofChecked", "release_chain_validator": "pcs-core", "release_chain_checked_at": "2026-05-18T12:00:00Z", - "release_manifest_hash": "sha256:8ae762b0a67360c341dbc3a6b9d68c9455abb47030586045f767efef9e079097" + "release_manifest_hash": "sha256:fda02ff54ae8933c71e826ddf454b94a5449cc349a378ebbfe8e4ed048c1c3bc" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/signed_science_claim_bundle.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/signed_science_claim_bundle.json index 59de0a9..b193fbe 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/signed_science_claim_bundle.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/signed_science_claim_bundle.json @@ -171,6 +171,6 @@ "signed_at": "2026-05-16T12:25:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:6bd6088e18a82f3eef22adaba8db91d0f2942142af35b2a698d5d87b92f1331a", - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signature_or_digest": "sha256:5d0e48c2457e9fb7cd262674d157a838c5ec8f707ac92f38f583eaf4a66f89b0", + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } 
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/verification_result.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/verification_result.json index 6f8056b..0aa6d23 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/verification_result.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/verification_result.json @@ -24,10 +24,10 @@ "created_at": "2026-05-16T12:20:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:cd11abeaee38bcc8bf8df071290e99abb363e0bf81765cf65498b13d2ec609b4", + "signature_or_digest": "sha256:88655462ebba1339a437775643810cc0099a0300f241de4ee80810662f4ba1fd", "verified_input": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/workflow_profile.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/workflow_profile.v0.json index 2eb2fb7..124b792 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/workflow_profile.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate/workflow_profile.v0.json 
@@ -50,6 +50,6 @@ "unapproved_network_call", "unknown_authorization_status" ], - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.", - "signature_or_digest": "sha256:39ea95403f2f7065eaa7cda0084f8f68865bdb9054882e10f016e6d255bc0a49" + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", + "signature_or_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/README.md b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/README.md index 3cedf41..0cfd8cd 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/README.md +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/README.md @@ -1,13 +1,14 @@ -# Tool-use safety conformance train (v0.1) +# Tool-use safety release fixtures -Protocol conformance fixtures for the `agent_tool_use.safety_v0` workflow profile exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0` as integration tests separate from product demonstrations. +Conformance and release fixtures for workflow `agent_tool_use.safety_v0` exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0`. + +The workflow profile appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`, and the guide is [docs/workflow-profiles.md](../../docs/workflow-profiles.md). ## Validate ```bash pcs validate examples/tool-use-release/tool_use_trace.valid.json pcs validate examples/tool-use-release/tool_use_certificate.valid.json -pcs validate examples/tool-use-release/release_manifest.v0.json pcs validate-release-chain examples/tool-use-release/ pcs conformance run --suite tool-use pcs conformance run --suite multidomain 
@@ -17,23 +18,17 @@ pcs conformance run --suite multidomain | File | Type | |------|------| -| `workflow_profile.v0.json` | `WorkflowProfile.v0` | | `tool_use_trace.valid.json` | `ToolUseTrace.v0` | | `tool_use_certificate.valid.json` | `ToolUseCertificate.v0` | | `runtime_receipt.json` | `RuntimeReceipt.v0` | -| `handoff_to_certifyedge.json` | `HandoffManifest.v0` | | `handoff_manifest.*.v0.json` | `HandoffManifest.v0` | -| `handoff_to_pf.json` | `HandoffManifest.v0` | | `science_claim_bundle.certified.json` | `ScienceClaimBundle.v0` | | `verification_result.json` | `VerificationResult.v0` | | `signed_science_claim_bundle.json` | `SignedScienceClaimBundle.v0` | -| `scientific_memory_import_report.json` | SM import report (includes `workflow_profile_id`) | | `release_manifest.v0.json` | `ReleaseManifest.v0` | | `release_chain_validation_result.v0.json` | `ReleaseChainValidationResult.v0` | -| `RELEASE_FIXTURE_MANIFEST.json` | Legacy digest manifest for `pcs validate-release-chain` | - -Invalid negative cases live under `examples/tool-use-release-invalid/`. +| `RELEASE_FIXTURE_MANIFEST.json` | Digest manifest for `pcs validate-release-chain` | -Profile definition appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`. +Invalid cases live under `examples/tool-use-release-invalid/`. Regenerate through `python scripts/materialize_tool_use_fixtures.py` or `just materialize-protocol`. diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/RELEASE_FIXTURE_MANIFEST.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/RELEASE_FIXTURE_MANIFEST.json index c30eec1..0367a34 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/RELEASE_FIXTURE_MANIFEST.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,12 +9,12 @@ "provability_fabric_commit": "c333333333333333333333333333333333333333", "scientific_memory_commit": "d444444444444444444444444444444444444444", "artifacts": { - "tool_use_trace.valid.json": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507", - "runtime_receipt.json": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8", - "tool_use_certificate.valid.json": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4", - "science_claim_bundle.certified.json": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verification_result.json": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525", - "signed_science_claim_bundle.json": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15", - "scientific_memory_import_report.json": "sha256:1c293ec6b97481f984cdaae35a407268b166181781f0766506c620149c21af9c" + "tool_use_trace.valid.json": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253", + "runtime_receipt.json": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7", + "tool_use_certificate.valid.json": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6", + "science_claim_bundle.certified.json": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verification_result.json": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366", + "signed_science_claim_bundle.json": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a", + "scientific_memory_import_report.json": "sha256:6e8b0a551de8f5bbb5230be29ff82ffa18baffceb91c0287dfaa9caf8ff4c842" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.bundle_to_verifier.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.bundle_to_verifier.v0.json index d510af4..5f84a40 100644 
--- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.bundle_to_verifier.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.bundle_to_verifier.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.certificate_to_bundle.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.certificate_to_bundle.v0.json index 8d406c7..07e69b3 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.certificate_to_bundle.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.certificate_to_bundle.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" } }, "expected_outputs": { 
@@ -23,5 +23,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:358cfe13ec84e8b3b58db4871b1fc80035fd28385606bf84a884d92c77ff12b8" + "signature_or_digest": "sha256:97035e1aeffa8f77067b9d70777b170ce70cbf6dfd099ce4568e688cbfcaf140" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.runtime_to_certificate.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.runtime_to_certificate.v0.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.runtime_to_certificate.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.runtime_to_certificate.v0.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { @@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.signed_bundle_to_memory.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.signed_bundle_to_memory.v0.json index cac6863..da347da 100644 
--- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_manifest.signed_bundle_to_memory.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "claim_id": "claim-qc-release-v0.1" }, "status": "Validated", - "signature_or_digest": "sha256:7d355cd6b4958592fe7456bfdf422c90d2e7694e9f9cbf258ed3cc96d4219c67" + "signature_or_digest": "sha256:7f00cf40614447f24990dd0bdcf901a60aa7555ed63df97579e68545561acc76" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_certifyedge.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_certifyedge.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_certifyedge.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_certifyedge.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { 
@@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_pf.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_pf.json index d510af4..5f84a40 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_pf.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/handoff_to_pf.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/lean_check_result.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/lean_check_result.v0.json index 3acef36..212ab64 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/lean_check_result.v0.json 
+++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/lean_check_result.v0.json @@ -5,7 +5,7 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:37:27Z", + "checked_at": "2026-06-28T00:47:54Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", @@ -40,5 +40,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:148445e008f781bfc47593fe9fb5c8ad12abf482b22f03f7c45fe0b03149276a" + "signature_or_digest": "sha256:0cc08d09b3087e02e200bdfbeae35085f524af17695ccc0c4b69ce0d121bab25" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/proof_obligation.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/proof_obligation.v0.json index cb21da2..b3de603 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/proof_obligation.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/proof_obligation.v0.json @@ -30,8 +30,8 @@ "kind": "VerificationAdmitsBundle", "inputs": { "verification_status": "ProofChecked", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", "release_blocking_checks_passed": true } }, 
@@ -39,8 +39,8 @@ "obligation_id": "signed_bundle_admissible", "kind": "SignedBundleAdmissible", "inputs": { - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } ], @@ -69,5 +69,5 @@ "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:98012907fe12b4bfdf4e2a299cfac98dfb0d2302382b7062a9de3e18fb9fa889" + "signature_or_digest": "sha256:69335e62a2eb10f6475b5716c00137af4f691b906731807eb9eafe8658d32f5c" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/release_manifest.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/release_manifest.v0.json index fe677a5..fbdb645 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/release_manifest.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/release_manifest.v0.json 
@@ -8,19 +8,19 @@ "chain_root": { "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", "certificate_id": "cert-tool-use-safety-v0", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "signed_bundle_hash": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "signed_bundle_hash": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:8ce4be20f5a9fef3e6ef990c1abd6b6c5f98ec8ff67a393d2163728fcf07560e" + "sha256": "sha256:7c0f320adf5b570da3fc3920560db65eef30262597f2f6349cdf66a6102fa527" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "canonical_claim_id": "claim-qc-release-v0.1", - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.", + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", "producer_repos": { "pcs_core": { "repo": "https://github.com/SentinelOps-CI/pcs-core", @@ -50,7 +50,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", 
@@ -58,7 +58,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", @@ -66,7 +66,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -74,7 +74,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "workflow_profile.v0.json": { "artifact_type": "WorkflowProfile.v0", @@ -82,7 +82,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:0f54c947169f2733cf05ae8486b73afbc7bd82ec51275448f72d18ad29783e66" + "sha256": "sha256:ae33f37f50f3e073e1c83284e5a1e2cb2cb56e6b2110fffbf9b2cf5b0cb77dae" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", 
@@ -90,7 +90,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525" + "sha256": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", @@ -98,17 +98,17 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "release_status": "Validated", - "signature_or_digest": "sha256:a36994d8089a3335fca0b67e50be61a46fae8d53b4e68bc1fe1adda43de87ef4", + "signature_or_digest": "sha256:c2d07b432fdc356914d83f86137eb7e896729bc8e4f8128bb3b8c2f2f7dcd147", "proof_obligation": { "path": "proof_obligation.v0.json", - "sha256": "sha256:850557b7f2e5c97c8c8de3ef8ff54ffad0372068705eeea5709dc545d57c1e3e" + "sha256": "sha256:927c89fec743d4276e34be6fc46beee375d004b05e4277cbf866a72f9b8736a0" }, "lean_check_result": { "path": "lean_check_result.v0.json", - "sha256": "sha256:98dd9cb225939cce5a6896dc608a290f90f429ab8a67ea58ac747b5f48f81529" + "sha256": "sha256:fd71fa9155e643ed6fa2358ad0a87ec1ccfc9247e3d093a190aa6b4666513219" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/scientific_memory_import_report.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/scientific_memory_import_report.json index c408d42..7f11960 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/scientific_memory_import_report.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/scientific_memory_import_report.json 
@@ -22,5 +22,5 @@ "release_chain_validation_status": "ProofChecked", "release_chain_validator": "pcs-core", "release_chain_checked_at": "2026-05-18T12:00:00Z", - "release_manifest_hash": "sha256:8ae762b0a67360c341dbc3a6b9d68c9455abb47030586045f767efef9e079097" + "release_manifest_hash": "sha256:fda02ff54ae8933c71e826ddf454b94a5449cc349a378ebbfe8e4ed048c1c3bc" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/signed_science_claim_bundle.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/signed_science_claim_bundle.json index 59de0a9..b193fbe 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/signed_science_claim_bundle.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/signed_science_claim_bundle.json @@ -171,6 +171,6 @@ "signed_at": "2026-05-16T12:25:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:6bd6088e18a82f3eef22adaba8db91d0f2942142af35b2a698d5d87b92f1331a", - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signature_or_digest": "sha256:5d0e48c2457e9fb7cd262674d157a838c5ec8f707ac92f38f583eaf4a66f89b0", + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/verification_result.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/verification_result.json index 6f8056b..0aa6d23 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/verification_result.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/verification_result.json 
@@ -24,10 +24,10 @@ "created_at": "2026-05-16T12:20:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:cd11abeaee38bcc8bf8df071290e99abb363e0bf81765cf65498b13d2ec609b4", + "signature_or_digest": "sha256:88655462ebba1339a437775643810cc0099a0300f241de4ee80810662f4ba1fd", "verified_input": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/workflow_profile.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/workflow_profile.v0.json index 2eb2fb7..124b792 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/workflow_profile.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-trace-hash/workflow_profile.v0.json @@ -50,6 +50,6 @@ "unapproved_network_call", "unknown_authorization_status" ], - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.", - "signature_or_digest": "sha256:39ea95403f2f7065eaa7cda0084f8f68865bdb9054882e10f016e6d255bc0a49" + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", + "signature_or_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/README.md b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/README.md index 3cedf41..0cfd8cd 100644 
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/README.md +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/README.md @@ -1,13 +1,14 @@ -# Tool-use safety conformance train (v0.1) +# Tool-use safety release fixtures -Protocol conformance fixtures for the `agent_tool_use.safety_v0` workflow profile exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0` as integration tests separate from product demonstrations. +Conformance and release fixtures for workflow `agent_tool_use.safety_v0` exercise the shared PCS trust loop with `ToolUseTrace.v0` and `ToolUseCertificate.v0`. + +The workflow profile appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`, and the guide is [docs/workflow-profiles.md](../../docs/workflow-profiles.md). ## Validate ```bash pcs validate examples/tool-use-release/tool_use_trace.valid.json pcs validate examples/tool-use-release/tool_use_certificate.valid.json -pcs validate examples/tool-use-release/release_manifest.v0.json pcs validate-release-chain examples/tool-use-release/ pcs conformance run --suite tool-use pcs conformance run --suite multidomain 
@@ -17,23 +18,17 @@ pcs conformance run --suite multidomain | File | Type | |------|------| -| `workflow_profile.v0.json` | `WorkflowProfile.v0` | | `tool_use_trace.valid.json` | `ToolUseTrace.v0` | | `tool_use_certificate.valid.json` | `ToolUseCertificate.v0` | | `runtime_receipt.json` | `RuntimeReceipt.v0` | -| `handoff_to_certifyedge.json` | `HandoffManifest.v0` | | `handoff_manifest.*.v0.json` | `HandoffManifest.v0` | -| `handoff_to_pf.json` | `HandoffManifest.v0` | | `science_claim_bundle.certified.json` | `ScienceClaimBundle.v0` | | `verification_result.json` | `VerificationResult.v0` | | `signed_science_claim_bundle.json` | `SignedScienceClaimBundle.v0` | -| `scientific_memory_import_report.json` | SM import report (includes `workflow_profile_id`) | | `release_manifest.v0.json` | `ReleaseManifest.v0` | | `release_chain_validation_result.v0.json` | `ReleaseChainValidationResult.v0` | -| `RELEASE_FIXTURE_MANIFEST.json` | Legacy digest manifest for `pcs validate-release-chain` | - -Invalid negative cases live under `examples/tool-use-release-invalid/`. +| `RELEASE_FIXTURE_MANIFEST.json` | Digest manifest for `pcs validate-release-chain` | -Profile definition appears in `examples/workflow_profiles/agent_tool_use_safety.valid.json`. +Invalid cases live under `examples/tool-use-release-invalid/`. Regenerate through `python scripts/materialize_tool_use_fixtures.py` or `just materialize-protocol`. diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/RELEASE_FIXTURE_MANIFEST.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/RELEASE_FIXTURE_MANIFEST.json index c30eec1..0367a34 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/RELEASE_FIXTURE_MANIFEST.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,12 +9,12 @@ "provability_fabric_commit": "c333333333333333333333333333333333333333", "scientific_memory_commit": "d444444444444444444444444444444444444444", "artifacts": { - "tool_use_trace.valid.json": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507", - "runtime_receipt.json": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8", - "tool_use_certificate.valid.json": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4", - "science_claim_bundle.certified.json": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verification_result.json": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525", - "signed_science_claim_bundle.json": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15", - "scientific_memory_import_report.json": "sha256:1c293ec6b97481f984cdaae35a407268b166181781f0766506c620149c21af9c" + "tool_use_trace.valid.json": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253", + "runtime_receipt.json": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7", + "tool_use_certificate.valid.json": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6", + "science_claim_bundle.certified.json": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verification_result.json": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366", + "signed_science_claim_bundle.json": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a", + "scientific_memory_import_report.json": "sha256:6e8b0a551de8f5bbb5230be29ff82ffa18baffceb91c0287dfaa9caf8ff4c842" } } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.bundle_to_verifier.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.bundle_to_verifier.v0.json index d510af4..5f84a40 100644 
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.bundle_to_verifier.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.bundle_to_verifier.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.certificate_to_bundle.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.certificate_to_bundle.v0.json index 8d406c7..07e69b3 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.certificate_to_bundle.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.certificate_to_bundle.v0.json 
@@ -10,7 +10,7 @@ "input_artifacts": { "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:358cfe13ec84e8b3b58db4871b1fc80035fd28385606bf84a884d92c77ff12b8" + "signature_or_digest": "sha256:97035e1aeffa8f77067b9d70777b170ce70cbf6dfd099ce4568e688cbfcaf140" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.runtime_to_certificate.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.runtime_to_certificate.v0.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.runtime_to_certificate.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.runtime_to_certificate.v0.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { 
@@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.signed_bundle_to_memory.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.signed_bundle_to_memory.v0.json index cac6863..da347da 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_manifest.signed_bundle_to_memory.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "claim_id": "claim-qc-release-v0.1" }, "status": "Validated", - "signature_or_digest": "sha256:7d355cd6b4958592fe7456bfdf422c90d2e7694e9f9cbf258ed3cc96d4219c67" + "signature_or_digest": "sha256:7f00cf40614447f24990dd0bdcf901a60aa7555ed63df97579e68545561acc76" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_certifyedge.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_certifyedge.json index 58dbcf8..7bf9752 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_certifyedge.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_certifyedge.json 
@@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { @@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_pf.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_pf.json index d510af4..5f84a40 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_pf.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/handoff_to_pf.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { 
@@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/lean_check_result.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/lean_check_result.v0.json index 3acef36..212ab64 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/lean_check_result.v0.json +++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/lean_check_result.v0.json @@ -5,7 +5,7 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:37:27Z", + "checked_at": "2026-06-28T00:47:54Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", @@ -40,5 +40,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:148445e008f781bfc47593fe9fb5c8ad12abf482b22f03f7c45fe0b03149276a" + "signature_or_digest": "sha256:0cc08d09b3087e02e200bdfbeae35085f524af17695ccc0c4b69ce0d121bab25" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/proof_obligation.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/proof_obligation.v0.json index cb21da2..b3de603 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/proof_obligation.v0.json 
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/proof_obligation.v0.json @@ -30,8 +30,8 @@ "kind": "VerificationAdmitsBundle", "inputs": { "verification_status": "ProofChecked", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", "release_blocking_checks_passed": true } }, @@ -39,8 +39,8 @@ "obligation_id": "signed_bundle_admissible", "kind": "SignedBundleAdmissible", "inputs": { - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } ], @@ -69,5 +69,5 @@ "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:98012907fe12b4bfdf4e2a299cfac98dfb0d2302382b7062a9de3e18fb9fa889" + "signature_or_digest": "sha256:69335e62a2eb10f6475b5716c00137af4f691b906731807eb9eafe8658d32f5c" } diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/release_manifest.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/release_manifest.v0.json index fe677a5..fbdb645 100644 --- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/release_manifest.v0.json 
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/release_manifest.v0.json @@ -8,19 +8,19 @@ "chain_root": { "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", "certificate_id": "cert-tool-use-safety-v0", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "signed_bundle_hash": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "signed_bundle_hash": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:8ce4be20f5a9fef3e6ef990c1abd6b6c5f98ec8ff67a393d2163728fcf07560e" + "sha256": "sha256:7c0f320adf5b570da3fc3920560db65eef30262597f2f6349cdf66a6102fa527" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "canonical_claim_id": "claim-qc-release-v0.1", - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.", + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", "producer_repos": { "pcs_core": { "repo": "https://github.com/SentinelOps-CI/pcs-core", 
@@ -50,7 +50,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", @@ -58,7 +58,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", @@ -66,7 +66,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -74,7 +74,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "workflow_profile.v0.json": { "artifact_type": "WorkflowProfile.v0", 
@@ -82,7 +82,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:0f54c947169f2733cf05ae8486b73afbc7bd82ec51275448f72d18ad29783e66"
+ "sha256": "sha256:ae33f37f50f3e073e1c83284e5a1e2cb2cb56e6b2110fffbf9b2cf5b0cb77dae"
 },
 "verification_result.json": {
 "artifact_type": "VerificationResult.v0",
@@ -90,7 +90,7 @@
 "producer": "Provability Fabric",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "sha256": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525"
+ "sha256": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366"
 },
 "signed_science_claim_bundle.json": {
 "artifact_type": "SignedScienceClaimBundle.v0",
@@ -98,17 +98,17 @@
 "producer": "Provability Fabric",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15"
+ "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a"
 }
 },
 "release_status": "Validated",
- "signature_or_digest": "sha256:a36994d8089a3335fca0b67e50be61a46fae8d53b4e68bc1fe1adda43de87ef4",
+ "signature_or_digest": "sha256:c2d07b432fdc356914d83f86137eb7e896729bc8e4f8128bb3b8c2f2f7dcd147",
 "proof_obligation": {
 "path": "proof_obligation.v0.json",
- "sha256": "sha256:850557b7f2e5c97c8c8de3ef8ff54ffad0372068705eeea5709dc545d57c1e3e"
+ "sha256": "sha256:927c89fec743d4276e34be6fc46beee375d004b05e4277cbf866a72f9b8736a0"
 },
 "lean_check_result": {
 "path": "lean_check_result.v0.json",
- "sha256": "sha256:98dd9cb225939cce5a6896dc608a290f90f429ab8a67ea58ac747b5f48f81529"
+ "sha256": "sha256:fd71fa9155e643ed6fa2358ad0a87ec1ccfc9247e3d093a190aa6b4666513219"
 }
 }
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/scientific_memory_import_report.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/scientific_memory_import_report.json
index c408d42..7f11960 100644
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/scientific_memory_import_report.json
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/scientific_memory_import_report.json
@@ -22,5 +22,5 @@
 "release_chain_validation_status": "ProofChecked",
 "release_chain_validator": "pcs-core",
 "release_chain_checked_at": "2026-05-18T12:00:00Z",
- "release_manifest_hash": "sha256:8ae762b0a67360c341dbc3a6b9d68c9455abb47030586045f767efef9e079097"
+ "release_manifest_hash": "sha256:fda02ff54ae8933c71e826ddf454b94a5449cc349a378ebbfe8e4ed048c1c3bc"
 }
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/signed_science_claim_bundle.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/signed_science_claim_bundle.json
index 59de0a9..b193fbe 100644
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/signed_science_claim_bundle.json
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/signed_science_claim_bundle.json
@@ -171,6 +171,6 @@
 "signed_at": "2026-05-16T12:25:00Z",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "signature_or_digest": "sha256:6bd6088e18a82f3eef22adaba8db91d0f2942142af35b2a698d5d87b92f1331a",
- "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30"
+ "signature_or_digest": "sha256:5d0e48c2457e9fb7cd262674d157a838c5ec8f707ac92f38f583eaf4a66f89b0",
+ "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d"
 }
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/verification_result.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/verification_result.json
index 6f8056b..0aa6d23 100644
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/verification_result.json
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/verification_result.json
@@ -24,10 +24,10 @@
 "created_at": "2026-05-16T12:20:00Z",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "signature_or_digest": "sha256:cd11abeaee38bcc8bf8df071290e99abb363e0bf81765cf65498b13d2ec609b4",
+ "signature_or_digest": "sha256:88655462ebba1339a437775643810cc0099a0300f241de4ee80810662f4ba1fd",
 "verified_input": {
 "certificate_id": "cert-tool-use-safety-v0",
 "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4",
- "bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30"
+ "bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d"
 }
 }
diff --git a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/workflow_profile.v0.json b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/workflow_profile.v0.json
index 2eb2fb7..124b792 100644
--- a/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/workflow_profile.v0.json
+++ b/benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call/workflow_profile.v0.json
@@ -50,6 +50,6 @@
 "unapproved_network_call",
 "unknown_authorization_status"
 ],
- "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee that a real deployed agent is safe.",
- "signature_or_digest": "sha256:39ea95403f2f7065eaa7cda0084f8f68865bdb9054882e10f016e6d255bc0a49"
+ "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.",
+ "signature_or_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410"
 }
diff --git a/benchmarks/tool-use-safety/invalid/invalid-rejected-certificate/benchmark_run.invalid-rejected-certificate.v0.json b/benchmarks/tool-use-safety/invalid/invalid-rejected-certificate/benchmark_run.invalid-rejected-certificate.v0.json
index b7e30d4..49e0c48 100644
--- a/benchmarks/tool-use-safety/invalid/invalid-rejected-certificate/benchmark_run.invalid-rejected-certificate.v0.json
+++ b/benchmarks/tool-use-safety/invalid/invalid-rejected-certificate/benchmark_run.invalid-rejected-certificate.v0.json
@@ -3,8 +3,8 @@
 "run_id": "bench-run-invalid-rejected-certificate",
 "task_id": "tool-use-safety-v0",
 "case_id": "invalid-rejected-certificate",
- "started_at": "2026-05-22T11:54:16Z",
- "completed_at": "2026-05-22T11:54:16Z",
+ "started_at": "2026-06-28T07:05:52Z",
+ "completed_at": "2026-06-28T07:05:53Z",
 "commands": [
 {
 "command": "validate_release_chain benchmarks/tool-use-safety/input_releases/invalid-rejected-certificate",
@@ -21,8 +21,8 @@
 "certificate_status": "not_applicable",
 "scientific_memory_import_status": "not_applicable",
 "scientific_memory_render_status": "not_applicable",
- "duration_ms": 63,
+ "duration_ms": 76,
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "signature_or_digest": "sha256:61b32ff41216d414b84a8e004a1f1685d1662f1d556b46849efac352003602b6"
+ "signature_or_digest": "sha256:244147104e9eb0fcd168036d854c8fc436ad186d83ed162d7690a2eee7144c53"
 }
diff --git a/benchmarks/tool-use-safety/invalid/invalid-trace-hash/benchmark_run.invalid-trace-hash.v0.json b/benchmarks/tool-use-safety/invalid/invalid-trace-hash/benchmark_run.invalid-trace-hash.v0.json
index 6034034..7103928 100644
--- a/benchmarks/tool-use-safety/invalid/invalid-trace-hash/benchmark_run.invalid-trace-hash.v0.json
+++ b/benchmarks/tool-use-safety/invalid/invalid-trace-hash/benchmark_run.invalid-trace-hash.v0.json
@@ -3,8 +3,8 @@
 "run_id": "bench-run-invalid-trace-hash",
 "task_id": "tool-use-safety-v0",
 "case_id": "invalid-trace-hash",
- "started_at": "2026-05-22T11:54:16Z",
- "completed_at": "2026-05-22T11:54:16Z",
+ "started_at": "2026-06-28T07:05:53Z",
+ "completed_at": "2026-06-28T07:05:53Z",
 "commands": [
 {
 "command": "validate_release_chain benchmarks/tool-use-safety/input_releases/invalid-trace-hash",
@@ -21,8 +21,8 @@
 "certificate_status": "not_applicable",
 "scientific_memory_import_status": "not_applicable",
 "scientific_memory_render_status": "not_applicable",
- "duration_ms": 57,
+ "duration_ms": 73,
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "signature_or_digest": "sha256:9c873c7494d2e15fdc3719ad2abfb6a194871f04bbed0f1481bb8801bb1ed3d3"
+ "signature_or_digest": "sha256:ed534e22ec16dba680cf65a19b93bd01238f350ce776cf53fc3ddddf544344c5"
 }
diff --git a/benchmarks/tool-use-safety/invalid/invalid-unauthorized-tool-call/benchmark_run.invalid-unauthorized-tool-call.v0.json b/benchmarks/tool-use-safety/invalid/invalid-unauthorized-tool-call/benchmark_run.invalid-unauthorized-tool-call.v0.json
index e8bd15a..9dfa954 100644
--- a/benchmarks/tool-use-safety/invalid/invalid-unauthorized-tool-call/benchmark_run.invalid-unauthorized-tool-call.v0.json
+++ b/benchmarks/tool-use-safety/invalid/invalid-unauthorized-tool-call/benchmark_run.invalid-unauthorized-tool-call.v0.json
@@ -3,8 +3,8 @@
 "run_id": "bench-run-invalid-unauthorized-tool-call",
 "task_id": "tool-use-safety-v0",
 "case_id": "invalid-unauthorized-tool-call",
- "started_at": "2026-05-22T11:54:16Z",
- "completed_at": "2026-05-22T11:54:16Z",
+ "started_at": "2026-06-28T07:05:53Z",
+ "completed_at": "2026-06-28T07:05:53Z",
 "commands": [
 {
 "command": "validate_release_chain benchmarks/tool-use-safety/input_releases/invalid-unauthorized-tool-call",
@@ -21,8 +21,8 @@
 "certificate_status": "not_applicable",
 "scientific_memory_import_status": "not_applicable",
 "scientific_memory_render_status": "not_applicable",
- "duration_ms": 55,
+ "duration_ms": 77,
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "signature_or_digest": "sha256:3e4cb394c4ef944739f9162f009490f47142e5bbde61901e07419946a89c084e"
+ "signature_or_digest": "sha256:9f3345f8bcafb093424a7584d936d3546d2e14539ccdd4f60aa43dceb7c3f1bb"
 }
diff --git a/benchmarks/tool-use-safety/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json b/benchmarks/tool-use-safety/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json
index 05e9134..b8e15af 100644
--- a/benchmarks/tool-use-safety/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json
+++ b/benchmarks/tool-use-safety/valid/valid-release-chain/benchmark_run.valid-release-chain.v0.json
@@ -3,8 +3,8 @@
 "run_id": "bench-run-valid-release-chain",
 "task_id": "tool-use-safety-v0",
 "case_id": "valid-release-chain",
- "started_at": "2026-05-22T11:54:16Z",
- "completed_at": "2026-05-22T11:54:16Z",
+ "started_at": "2026-06-28T07:05:52Z",
+ "completed_at": "2026-06-28T07:05:52Z",
 "commands": [
 {
 "command": "validate_release_chain examples/tool-use-release",
@@ -21,8 +21,8 @@
 "certificate_status": "not_applicable",
 "scientific_memory_import_status": "not_applicable",
 "scientific_memory_render_status": "not_applicable",
- "duration_ms": 62,
+ "duration_ms": 61,
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "signature_or_digest": "sha256:da5aca742c849bedd618f0f0b401aef42fc10d744dfc09b7405ceb1c5258e12d"
+ "signature_or_digest": "sha256:fd2118a66df241e31dedc7e2883d0f8d512a12c4bd0f46c0ba0b5641d3ba1bfa"
 }
diff --git a/docs/pf-core/certifyedge-ci.md b/docs/pf-core/certifyedge-ci.md
new file mode 100644
index 0000000..64ee926
--- /dev/null
+++ b/docs/pf-core/certifyedge-ci.md
@@ -0,0 +1,56 @@
+# CertifyEdge in CI and production
+
+PF-Core can attach external CertifyEdge attestations to `PFCoreCertificate.v0` via
+`pcs pf-core certifyedge-check`. CI exercises this path on the LabTrust replay fixture.
+
+## Install (live path)
+
+1. Install [CertifyEdge](https://github.com/fraware/CertifyEdge) per upstream instructions.
+2. Ensure the `certifyedge` CLI is on `PATH`.
+3. Verify:
+
+```bash
+certifyedge --version
+which certifyedge
+```
+
+4. Run a live check:
+
+```bash
+pcs pf-core certifyedge-check \
+ --trace examples/pf-core-valid/labtrust_replay/trace.json \
+ --property qc_release.temporal.safety \
+ --out /tmp/PFCoreCertificate.certifyedge.json
+```
+
+Expected: `claim_class: CertificateChecked` (never `LeanKernelChecked`).
+
+## Mock path (CI fallback)
+
+When CertifyEdge is unavailable, set:
+
+```bash
+export PCS_CERTIFYEDGE_MOCK=1
+```
+
+CI logs a warning and uses mock attestation without failing the pipeline.
+
+## CI behavior
+
+The `python` job step **PF-Core CertifyEdge check (live or mock)**:
+
+1. Runs `command -v certifyedge` and optionally `certifyedge --version`.
+2. If present: runs live `pcs pf-core certifyedge-check` on the LabTrust fixture.
+3. If live check fails: logs a warning and falls back to `PCS_CERTIFYEDGE_MOCK=1`.
+4. If absent: logs a warning and uses mock mode.
+
+## Optional pinned binary
+
+For reproducible CI without building from source, operators may pin a release artifact URL
+from the CertifyEdge repository and install it in a custom runner image. No Docker image is
+shipped from pcs-core by default; add one only after explicit approval.
+
+## Trust boundary
+
+CertifyEdge attestation yields `CertificateChecked` only. It does not discharge PF-Core
+Lean kernel proofs or PCS release-envelope `EnvelopeLeanChecked` obligations.
diff --git a/docs/pf-core/claim-boundary.md b/docs/pf-core/claim-boundary.md
index ac5452b..c8ca9ae 100644
--- a/docs/pf-core/claim-boundary.md
+++ b/docs/pf-core/claim-boundary.md @@ -81,6 +81,18 @@ Successful lean-check writes a certificate with matching `claim_class`, `assumpt - `LeanKernelChecked` requires `proof_term_ref`, `proof_ref`, `proof_term_hash`, `lean_environment_hash`, `lean_proof_checked: true`, successful concrete Lean proof, and **contract grounding** (non-empty event `contract_refs` or `default_contract_ref: "trace-safe"` aligned with `PFCore.traceSafeContract`). - `--skip-build` or `--skip-lean-proof` yields `RuntimeChecked` only (no `proof_term_ref`). +- `LeanKernelChecked` does **not** prove capability `resource_pattern` scope (URI/pattern matching). Certificates list `resource_pattern_scope` under `contract_semantics_checked.runtime` when lean-check validates resource scope in Python; the Lean kernel does not discharge pattern matching. + +#### Resource pattern: Lean vs runtime + +| Layer | Field / check | Discharged in Lean kernel? | +|-------|----------------|----------------------------| +| Capability JSON | `capability.resource_pattern` | No — encoded in `ResourcePattern.lean` for parity only | +| Runtime compiler | `validate_resource_scope` in `pf_core_runtime.py` | N/A (pre-trace) | +| lean-check certificate | `contract_semantics_checked.runtime` includes `resource_pattern_scope` when Python scope check passes | No — runtime assurance recorded on certificate | +| Trace safety proof | `TraceSafe` / `EventSafe` | No — tenant and capability rules only | + +Reference: `lean/PFCore/ResourcePattern.lean`, Python `resource_matches_pattern`. ### Mapping guidance for PF-Core certificates diff --git a/docs/pf-core/compositional-trust-roadmap.md b/docs/pf-core/compositional-trust-roadmap.md index a4b3828..684e01c 100644 --- a/docs/pf-core/compositional-trust-roadmap.md +++ b/docs/pf-core/compositional-trust-roadmap.md 
@@ -49,3 +49,4 @@ See [non-interference.md](non-interference.md) and [assumptions.md](assumptions.
 | `handoff_preserves_trace_safe_strong` | Handoff + frames + trace safety | **Proved** (`State.lean`) |
 | `handoff_composition_global` | Multi-hop handoff authority bounded by first source | **Proved** (`Compositional.lean`) |
 | `traceSafe_implies_tenant_isolation` | Allowed events in safe traces stay tenant-scoped | **Proved** (`NonInterference.lean`) |
+| `traceSafe_implies_low_events_tenant_scoped` | Low-projected events in safe traces are tenant-scoped | **Proved** (`Observational.lean`; not full global NI) |
diff --git a/docs/pf-core/current-gap-audit.md b/docs/pf-core/current-gap-audit.md
index 180c77f..37a3953 100644
--- a/docs/pf-core/current-gap-audit.md
+++ b/docs/pf-core/current-gap-audit.md
@@ -11,6 +11,7 @@ Summary of gaps between the PF-Core vision and the current `pcs-core` repository
 | `semantics_layer` on `PFCoreContract.v0` | Done | Flat field map: `lean` / `runtime` / `out_of_scope`; validator defaults |
 | `contract_semantics_checked` on certificates | Done | Derived from semantics layers + checks |
 | Cross-language semantic parity | Done | Rust `pf_core.rs`, TS `pfCore.ts`, `conformance run --suite pf-core-cross-language` |
+| Rust/TS direct-trace effect/capability parity | Done (uncommitted) | `validate_direct_trace_action_semantics` / `validateDirectTraceActionSemantics`; error codes `UnknownEffect`, `UnknownCapability`, `CapabilityEffectMismatch` |
 | Trace vs certificate claim classes | Done | Separate enums; traces reject `LeanKernelChecked` / `CertificateChecked` |
 | Direct-trace effect catalog | Done | Closed `effect_kind` enum + semantic validators |
 | `proof_term_hash` on certificates | Done | sha256 of generated `.lean` bytes before `lake env lean` |
@@ -84,10 +85,23 @@ Summary of gaps between the PF-Core vision and the current `pcs-core` repository ## Remaining research (deferred) -1. **Full global non-interference** — allowed-event tenant isolation proved; covert channels, timing, deny-side leaks open (`non-interference.md`). -2. **Write footprint ↔ effect linkage** — `WriteFootprintRequiresWriteEffect` explicit; not derived from `ActionAdmissible` alone. -3. **Full provability-fabric-core live adapter orchestration** — hash parity covered natively via adapter CI script. -4. **Full agent runtime, MCP, NL policy, model safety** — out of scope. +1. **Full global cross-tenant non-interference** — conservative tenant isolation for allowed events is proved; covert channels, timing, deny-side leaks open (`non-interference.md`). +2. **Write footprint ↔ effect linkage** — `WriteFootprintRequiresWriteEffect` explicit; derived from `ActionAdmissible` + `KnownCapabilityEffect` for catalog capabilities. +3. **Resource-pattern scope in Lean** — Python `validate_resource_scope` and certificate `contract_semantics_checked.runtime` (`resource_pattern_scope`); `ResourcePattern.lean` provides decider parity; not discharged in Lean trace safety kernel. +4. **Full provability-fabric-core live adapter orchestration** — hash parity covered natively via adapter CI script. +5. **Full agent runtime, MCP, NL policy, model safety** — out of scope. 
+ +## External audit remediation (2026-06) + +| Blocker | Status | Notes | +|---------|--------|-------| +| Lean `file_write_capability_aligns_write_footprint` soundness | Done | `KnownCapability` / `KnownCapabilityEffect` on `ActionAdmissible` | +| Resource-pattern scope certificate boundary | Done | `contract_semantics_checked.runtime` + claim-boundary doc | +| Conformance `--release-grade` for pf-core | Done | Fail closed without lake/WSL; verify-proof-binding gate | +| `run-release-verify.sh` release path | Done | Runtime smoke vs full lean-check + verify-proof-binding | +| CI lean job elan PATH + verify-proof-binding | Done | `.github/workflows/ci.yml` | +| Cross-language invalid hash vectors | Done | trace/previous hash mismatch, cross-tenant leak | +| TypeScript CI npm install in cross-language tests | Done | pytest + conformance suites | ## Phase G (compositional trust + proof binding) diff --git a/docs/pf-core/merge-readiness.md b/docs/pf-core/merge-readiness.md new file mode 100644 index 0000000..a3fe258 --- /dev/null +++ b/docs/pf-core/merge-readiness.md 
@@ -0,0 +1,62 @@
+# PF-Core merge readiness (PR #5)
+
+Local preparation checklist for merging `phase7/shared-hash-vector-ci` into main. **No git operations** are performed by this document; it records verification steps only.
+
+## PR #5 status
+
+| Item | Status |
+|------|--------|
+| Branch | `phase7/shared-hash-vector-ci` (HEAD ~ `12fb29b`) |
+| CI on PR #5 | Green |
+| Shared hash vectors | Python / Rust / TypeScript parity |
+| Lean kernel | `lake build PFCore` in CI lean job |
+| Cross-language conformance | `pf-core-cross-language` suite |
+
+## Pre-merge local verification
+
+Run from repository root:
+
+```bash
+pip install -e python
+cd python && pytest -q tests/test_pf_core_*.py
+cd ../rust && cargo test pf_core
+bash scripts/pf-core-release-grade-local.sh # full release-grade path when lake/WSL available
+```
+
+On Windows without native `lake`, use WSL for Lean steps (see `docs/pf-core/windows-lean.md`).
+
+## Post-merge verification
+
+1. Pull main and confirm CI green on default branch.
+2. Re-run `pcs conformance run --suite pf-core --release-grade` (fail closed without lake).
+3. Re-run `pcs pf-core verify-proof-binding` on a fresh `lean-check` certificate from `examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json`.
+4. Confirm `pcs pf-core audit-lean-no-sorry` passes on `lean/PFCore/` including `Observational.lean` and `ResourcePattern.lean`.
+5. Run `pcs examples check` for valid/invalid PF-Core fixtures.
+
+## Claim boundaries for v0.1 release announcement
+
+**May state:**
+
+- PF-Core trace safety (`TraceSafe`, `EventSafe`) with concrete Lean proof terms on the `LeanKernelChecked` path.
+- Conservative tenant isolation for **allowed events in safe traces** (`TenantIsolation`, `TraceCrossTenantSafe`).
+- Observational tenant projection vocabulary (`Observational.lean`) without covert-channel claims.
+- Runtime resource-pattern scope validation (`resource_pattern_scope` in certificates).
+- Compositional trust lemmas (safe extension, handoff authority bounds, contract refinement).
+- Proof binding via `trace_hash`, `proof_term_hash`, `lean_environment_hash`.
+
+**Must not state:**
+
+- Full global cross-tenant non-interference or absence of covert channels.
+- Lean discharge of capability `resource_pattern` matching (runtime-only; see `claim-boundary.md`).
+- PCS envelope checks (`ProofChecked`) as PF-Core `LeanKernelChecked` trace safety.
+- Full JSON contract discharge for role, policy, and evidence fields (runtime `semantics_layer`).
+- CertifyEdge live attestation unless the external CLI is installed and configured.
+
+Reference: `docs/pf-core/claim-boundary.md`, `docs/pf-core/non-interference.md`, `docs/pf-core/current-gap-audit.md`.
+
+## Open after merge (research, not blockers)
+
+- Full global non-interference under adversarial schedulers.
+- Lean kernel discharge of resource-pattern scope.
+- PCS per-obligation Lean term generation (see `docs/pf-core/pcs-envelope-lean-roadmap.md`).
+- Live provability-fabric-core adapter orchestration beyond hash parity CI.
diff --git a/docs/pf-core/non-interference.md b/docs/pf-core/non-interference.md
index aff9bd5..a64ac48 100644
--- a/docs/pf-core/non-interference.md
+++ b/docs/pf-core/non-interference.md
@@ -4,9 +4,33 @@ This document states what PF-Core **proves** about tenant isolation versus what ## Scope (conservative subset) -PF-Core does **not** claim global non-interference across tenants, covert channels, or arbitrary compositional invariants. The Lean module `lean/PFCore/NonInterference.lean` formalizes a **tenant-scoped trace property** aligned with runtime checks. +PF-Core does **not** claim global non-interference across tenants, covert channels, or arbitrary compositional invariants. The Lean modules `lean/PFCore/NonInterference.lean` and `lean/PFCore/Observational.lean` formalize **conservative tenant isolation and observational projection** aligned with runtime checks. -### Definitions +**Observational equivalence does not imply covert channels are absent.** Two traces may agree on low projections while differing on denied events, cross-tenant attempts, timing, or side channels not recorded in PF-Core events. + +### Observational vocabulary (`Observational.lean`) + +| Lean | Meaning | +|------|---------| +| `LowEvent tenant ev` | Allowed event whose principal tenant equals `tenant` | +| `HighEvent tenant ev` | Not low-visible to observer `tenant` (denied, other tenant, etc.) 
| +| `HighTenantEvent tenantHigh ev` | Event whose principal tenant equals `tenantHigh` | +| `TraceProjection tenant tr` | Oldest-first list of low events in `tr` | +| `ObservationallyEquivalentForTenant t tr1 tr2` | Equal low projections: `TraceProjection t tr1 = TraceProjection t tr2` | +| `NonInterference tenantLow tenantHigh tr` | Conservative trace-level NI: low projection contains only `LowEvent tenantLow`; high-tenant events are `HighEvent tenantLow` (vacuous when tenants equal) | + +| Theorem | Statement | +|---------|-----------| +| `traceSafe_implies_low_events_tenant_scoped` | Every low-projected event in a `TraceSafe` trace is `EventTenantScoped tenant` | +| `non_interference_definitional` | Distinct tenants: high-tenant events never appear in low projection | +| `traceSafe_implies_non_interference` | `TraceSafe tr → NonInterference tenantLow tenantHigh tr` | +| `tenantIsolation_implies_non_interference` | `TenantIsolation tr` yields NI for distinct tenants | +| `traceCrossTenantSafe_implies_high_tenant_not_low` | High-tenant events are high-sensitive for a distinct low observer | +| `non_interference_observational_equivalence` | Matching low projections imply observational equivalence | + +This is **not** full non-interference: high events, deny-side leaks, scheduler-level indistinguishability, **covert channels**, **timing leaks**, and **handoff across tenants** remain open. + +### Tenant isolation vocabulary (`NonInterference.lean`) | Lean | Meaning | |------|---------| 
@@ -60,9 +84,12 @@ Lean `HasCapability` inspects `principal.capabilities` only; **roles are not exp ## Open (not claimed — full global NI deferred) -1. **Full global cross-tenant non-interference** (information-flow between tenants under arbitrary schedulers and adversaries). `traceSafe_implies_trace_cross_tenant_safe` covers in-tenant allows and explicit denies only. -2. Non-interference under handoff across tenants (handoffs require matching tenants in `HandoffSafe`). -3. Deny-event side channels or resource existence leaks. -4. Compositional preservation of arbitrary user-defined contract invariants beyond the discharged JSON subset. +1. **Full global cross-tenant non-interference** (information-flow between tenants under arbitrary schedulers and adversaries). `traceSafe_implies_trace_cross_tenant_safe` and `NonInterference` cover projection-based low/high separation only. +2. **Covert channels** not recorded as PF-Core events (timing, resource existence, side channels on deny paths). +3. **Timing leaks** and scheduler-level indistinguishability. +4. Non-interference under **handoff across tenants** (handoffs require matching tenants in `HandoffSafe`). +5. Deny-event side channels or resource existence leaks. +6. Compositional preservation of arbitrary user-defined contract invariants beyond the discharged JSON subset. +7. Cross-trace NI: replacing high-tenant events in a trace while preserving low projection (system-level property, not proved for arbitrary schedulers). See also `docs/pf-core/contract-semantics.md` and `docs/pf-core/claim-boundary.md`. diff --git a/docs/pf-core/pcs-envelope-lean-roadmap.md b/docs/pf-core/pcs-envelope-lean-roadmap.md new file mode 100644 index 0000000..9c82e88 --- /dev/null +++ b/docs/pf-core/pcs-envelope-lean-roadmap.md 
@@ -0,0 +1,56 @@ +# PCS envelope Lean path roadmap + +This document records the PCS `pcs pcs-envelope check` Lean path and its trust boundary relative to PF-Core kernel proofs. + +## Current scope (v0.1 — Stage PCS-Lean partial) + +| Path | Emits | Lean work | +|------|-------|-----------| +| `pcs pcs-envelope check` | `LeanCheckResult.v0` with `claim_class: ProofChecked` | Obligations vs Python deciders + `lean/PCS/Theorems.lean` catalog | +| `pcs pcs-envelope check --lean-proof` | `LeanCheckResult.v0` with `claim_class: EnvelopeLeanChecked` when proof compiles | Generated module in `lean/PCS/Generated/` + `lake env lean` | +| `pcs pf-core lean-check --trace` | `PFCoreCertificate.v0` with `LeanKernelChecked` | Generated concrete trace proof in `lean/PFCore/Generated/` | + +There is **no silent upgrade** from envelope consistency to per-trace PF-Core kernel proofs. See `docs/pf-core/trusted-boundary.md`. + +## Stage PCS-Lean (partial implementation) + +Implemented: + +- `python/pcs_core/pcs_lean_codegen.py` — generates `Certificate`, `RuntimeReceipt`, `VerificationResult`, and bundle hashes from `ProofObligation.v0`. +- `lean/PCS/ReleaseChainCheck.lean` — decidable mirrors of `ReleaseChainAdmissible` predicates. +- `lean/PCS/Generated/Obligation_*.lean` — concrete fixture proofs (LabTrust release example). +- `--lean-proof` on `pcs pcs-envelope check` — emits `EnvelopeLeanChecked` with `proof_term_ref`, `proof_term_hash`, and disclaimer. + +Not implemented (deferred): + +- Full schema revision for all PCS benchmark ingest paths. +- Conformance suite `pcs-envelope-lean-proof` with mandatory `--release-grade` gate in all CI jobs. +- Unified codegen for tool-use and computation obligation shapes beyond release-chain triple. 
+ +## Claim classes (honest) + +| Class | Meaning | +|-------|---------| +| `ProofChecked` | Python obligation deciders passed; optional `lake build PCS` succeeded | +| `EnvelopeLeanChecked` | Above plus generated PCS module compiled; **not** PF-Core `LeanKernelChecked` | +| `Rejected` | Obligation or Lean proof path failed | + +## Regeneration policy + +Regenerate PCS generated modules when `ProofObligation.v0` fixtures change: + +```bash +python -c " +from pathlib import Path +from pcs_core.pcs_lean_codegen import generate_from_release_dir +generate_from_release_dir(Path('examples/labtrust-release'), Path('lean/PCS/Generated')) +" +``` + +Run `pcs pf-core audit-lean-no-sorry` after regeneration (scope includes `lean/PCS/` when present). + +## Related documents + +- `docs/pf-core/trusted-boundary.md` — trusted vs untrusted components +- `docs/pf-core/generated-proofs.md` — PF-Core regeneration policy +- `docs/pf-core/claim-boundary.md` — PCS `ProofChecked` vs PF-Core `LeanKernelChecked` diff --git a/docs/pf-core/presentation/demo-script.md b/docs/pf-core/presentation/demo-script.md index f46192d..7e35465 100644 --- a/docs/pf-core/presentation/demo-script.md +++ b/docs/pf-core/presentation/demo-script.md 
@@ -76,21 +76,38 @@ Expected: schema validation OK; replay match (adapter output per `docs/pf-core-t ## 7. PCS release-envelope check (not per-trace PF-Core Lean) +Obligation-only (Python deciders): + ```bash pcs pcs-envelope check --obligations examples/proof_obligation.valid.json --out /tmp/lean_check_result.json --skip-lean-build ``` -Legacy alias (prints deprecation notice): +With generated PCS Lean proof (when Lean toolchain available): ```bash -pcs lean-check --obligations examples/proof_obligation.valid.json --out /tmp/lean_check_result.json --skip-lean-build +pcs pcs-envelope check \ + --obligations examples/labtrust-release/proof_obligation.v0.json \ + --out /tmp/lean_check_result.envelope.json \ + --lean-proof ``` -Expected: `LeanCheckResult.v0` with PCS `ProofChecked` or rejection; stderr explains this is release-envelope consistency only and directs to `pcs pf-core lean-check` for PF-Core traces. Output must not mention `LeanKernelChecked`. +Expected with `--lean-proof`: `claim_class: EnvelopeLeanChecked`, `lean_proof_checked: true`, never `LeanKernelChecked`. ## 8. CertifyEdge (live or mock) -Install [CertifyEdge](https://github.com/fraware/CertifyEdge) and ensure `certifyedge` is on PATH, or use mock mode: +Install [CertifyEdge](https://github.com/fraware/CertifyEdge) and ensure `certifyedge` is on PATH (see `docs/pf-core/certifyedge-ci.md`), or use mock mode: + +**Live path** (when CLI installed): + +```bash +certifyedge --version +pcs pf-core certifyedge-check \ + --trace examples/pf-core-valid/labtrust_replay/trace.json \ + --property qc_release.temporal.safety \ + --out /tmp/PFCoreCertificate.certifyedge.json +``` + +**Mock path** (CI fallback when CLI absent): ```bash PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \ 
@@ -99,7 +116,7 @@ PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \ --out /tmp/PFCoreCertificate.certifyedge.json ``` -CI tries live CLI when available and falls back to mock without failing the pipeline. +CI tries live CLI when available, logs a warning when falling back to mock, and does not fail the pipeline on missing CertifyEdge. ## 9. LabTrust end-to-end bridge (Phase E) diff --git a/docs/pf-core/production-kernel-checklist.md b/docs/pf-core/production-kernel-checklist.md index 060778f..b057bed 100644 --- a/docs/pf-core/production-kernel-checklist.md +++ b/docs/pf-core/production-kernel-checklist.md @@ -22,6 +22,7 @@ This checklist covers the **production trusted kernel** only: contract semantics | Lean kernel (optional) | `cd lean && lake build PFCore && pcs pf-core lean-check --trace examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json` | `LeanKernelChecked` when full pipeline succeeds | | Proof binding (optional) | `pcs pf-core verify-proof-binding --certificate --trace ` | OK when hashes and generated file match | | Adapter pin parity | `bash scripts/run-pf-core-adapter-ci.sh` | Vectors match `provability-fabric-core` pin | +| Release-grade local | `bash scripts/pf-core-release-grade-local.sh` | Conformance `--release-grade`, verify-proof-binding, lean-check when lake/WSL available | ## Artifact and policy checks diff --git a/docs/pf-core/release-checklist.md b/docs/pf-core/release-checklist.md index 1931017..5e9293c 100644 --- a/docs/pf-core/release-checklist.md +++ b/docs/pf-core/release-checklist.md @@ -40,6 +40,12 @@ Optional Lean build (requires Lean 4 + `lake`): cd lean && lake build PFCore ``` +Release-grade local path (conformance + proof binding + full lean-check when lake/WSL available): + +```bash +bash scripts/pf-core-release-grade-local.sh +``` + On Windows without native `lake`, use WSL for Lean steps. ## Claim boundaries for external release 
diff --git a/docs/pf-core/trusted-boundary.md b/docs/pf-core/trusted-boundary.md
index 474b690..b582f15 100644
--- a/docs/pf-core/trusted-boundary.md
+++ b/docs/pf-core/trusted-boundary.md
@@ -15,8 +15,13 @@ This document lists what PCS/PF-Core treats as trusted, untrusted, or assumed wh | Lean theorem catalog (PCS trusted set) | `python/pcs_core/lean_catalog.py` | Audited against `lean/PCS/Theorems.lean` | | Lean theorem catalog (PF-Core trusted set) | `python/pcs_core/lean_catalog.py` | Audited against `lean/PFCore/` | | PF-Core lean-check deciders | `python/pcs_core/lean_check.py` | Aligned with PF-Core Lean predicates; uses explicit `principal.capabilities` only | +| Known capability catalog (Python) | `python/pcs_core/pf_core_runtime.py` | `CAPABILITY_CATALOG`, `validate_action_capabilities_known`, `validate_resource_scope` | +| Known capability catalog (Rust) | `rust/crates/pcs-core/src/pf_core.rs` | `EFFECT_KINDS`, `CAPABILITY_CATALOG`, `validate_direct_trace_action_semantics`, `resource_matches_pattern` | +| Known capability catalog (TypeScript) | `typescript/packages/core/src/pfCore.ts` | Same closed catalogs and direct-trace semantic validators as Python | +| Known capability catalog (Lean) | `lean/PFCore/Capability.lean`, `lean/PFCore/Action.lean`, `lean/PFCore/ResourcePattern.lean` | `KnownCapability`, `KnownCapabilityEffect` on `ActionAdmissible`; resource-pattern matching in `ResourcePattern.lean` (runtime parity); not discharged in trace safety kernel | | PF-Core concrete trace Lean proofs | `lean/PFCore/Generated/` (generated) | `lake env lean` on generated `concrete_trace_safe` theorem; certificate binds via `trace_hash`, `proof_term_hash`, `lean_environment_hash` | | Python PF-Core semantic validation | `python/pcs_core/validate_pf_core.py` | Binds JSON artifacts to closed enums and direct-trace effect/capability rules before Lean codegen | +| Rust/TS PF-Core semantic validation | `rust/crates/pcs-core/src/validation.rs`, `typescript/packages/core/src/validate.ts` | Cross-language direct-trace effect/capability semantics aligned with Python (`UnknownEffect`, `UnknownCapability`, `CapabilityEffectMismatch`) | | Tool-use / witness 
hash alignment theorems | `lean/PCS/ToolUse.lean`, `lean/PCS/ComputationWitness.lean` | Promoted to trusted PCS catalog (Stage 4) | | Role → capability expansion | `python/pcs_core/pf_core_runtime.py` | Compiler expands roles; lean-check requires explicit capabilities on traces | | PF-Core no-sorry audit | `python/pcs_core/lean_check.py` | Scans `lean/PFCore/` for forbidden tokens | @@ -61,6 +66,8 @@ PF-Core kernel assurance remains exclusively on `pcs pf-core lean-check --trace See `docs/pf-core/generated-proofs.md` for gitignored `lean/PFCore/Generated/` regeneration. +**PCS per-obligation Lean term generation is deferred.** Rationale and optional design sketch: `docs/pf-core/pcs-envelope-lean-roadmap.md`. + No PF-Core trusted Lean file may contain `sorry`, `admit`, `axiom`, or `unsafe` unless listed here. | File | Exception | Rationale | @@ -97,5 +104,14 @@ No PF-Core trusted Lean file may contain `sorry`, `admit`, `axiom`, or `unsafe` - `lean/PFCore/Certificate.lean` - `lean/PFCore/Soundness.lean` - `lean/PFCore/Theorems.lean` +- `lean/PFCore/NonInterference.lean` +- `lean/PFCore/Observational.lean` +- `lean/PFCore/ResourcePattern.lean` +- `lean/PFCore/ContractDecide.lean` +- `lean/PFCore/Compositional.lean` +- `lean/PFCore/RoleMap.lean` +- `lean/PFCore/Transition.lean` +- `lean/PFCore/EffectFrame.lean` +- `lean/PFCore/State.lean` - `lean/PFCore.lean` (root module for `lake build PFCore`) - `lean/PCS.lean` (root module for `lake build PCS`) diff --git a/examples/artifact_registry.valid.json b/examples/artifact_registry.valid.json index 7b2d24e..09273d6 100644 --- a/examples/artifact_registry.valid.json +++ b/examples/artifact_registry.valid.json 
@@ -1772,7 +1772,527 @@ ], "canonical_hash_required": true, "release_mode_required": false + }, + "PFCorePrincipal.v0": { + "artifact_type": "PFCorePrincipal.v0", + "schema": "schemas/PFCorePrincipal.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": false + }, + "PFCoreCapability.v0": { + "artifact_type": "PFCoreCapability.v0", + "schema": "schemas/PFCoreCapability.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], 
+ "canonical_hash_required": true, + "release_mode_required": false + }, + "PFCoreResource.v0": { + "artifact_type": "PFCoreResource.v0", + "schema": "schemas/PFCoreResource.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": false + }, + "PFCoreAction.v0": { + "artifact_type": "PFCoreAction.v0", + "schema": "schemas/PFCoreAction.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + 
"release_mode_required": false + }, + "PFCoreEvent.v0": { + "artifact_type": "PFCoreEvent.v0", + "schema": "schemas/PFCoreEvent.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "AgentRuntime", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "AgentRuntime", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": false + }, + "PFCoreContract.v0": { + "artifact_type": "PFCoreContract.v0", + "schema": "schemas/PFCoreContract.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": false + 
}, + "PFCoreHandoff.v0": { + "artifact_type": "PFCoreHandoff.v0", + "schema": "schemas/PFCoreHandoff.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "Validated", + "Deprecated" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "signature_or_digest" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": false + }, + "PFCoreTrace.v0": { + "artifact_type": "PFCoreTrace.v0", + "schema": "schemas/PFCoreTrace.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "RuntimeChecked", + "CertificateChecked", + "LeanKernelChecked", + "Rejected", + "Stale" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "trace_id", + "claim_class", + "source_repo", + "source_commit", + "signature_or_digest", + "trace_hash", + "events" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": 
"claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_kernel_proof", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": true + }, + "PFCoreCertificate.v0": { + "artifact_type": "PFCoreCertificate.v0", + "schema": "schemas/PFCoreCertificate.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "pcs-core", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "pcs-core", + "allowed_statuses": [ + "Draft", + "RuntimeChecked", + "CertificateChecked", + "LeanKernelChecked", + "Rejected", + "Stale" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "certificate_id", + "claim_class", + "source_repo", + "source_commit", + "signature_or_digest", + "trace_hash", + "claim_class" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_kernel_proof", + "severity": "release_blocking", 
+ "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": true + }, + "PFCoreRuntimeObservation.v0": { + "artifact_type": "PFCoreRuntimeObservation.v0", + "schema": "schemas/PFCoreRuntimeObservation.v0.schema.json", + "schema_owner": "pcs-core", + "runtime_producer": "AgentRuntime", + "allowed_runtime_producers": [ + "pcs-core", + "AgentRuntime" + ], + "producer": "AgentRuntime", + "allowed_statuses": [ + "Draft", + "RuntimeChecked", + "CertificateChecked", + "LeanKernelChecked", + "Rejected", + "Stale" + ], + "required_release_fields": [ + "schema_version", + "artifact_type", + "observation_id", + "claim_class", + "source_repo", + "source_commit", + "signature_or_digest", + "observed_at", + "payload_hash" + ], + "semantic_checks": [ + { + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_kernel_proof", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + }, + { + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": 
"pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false + } + ], + "consumer_repos": [ + "pcs-core", + "AgentRuntime" + ], + "canonical_hash_required": true, + "release_mode_required": true } }, - "signature_or_digest": "sha256:52f85a49adb004c158a20fce0fa52ca2f684715fa9c24f5cf0dcfb07b697dadb" + "signature_or_digest": "sha256:ef001e3f1bd7265a09f561cae6bd74163768d727c9ecfe421157a1db25a60c06" } diff --git a/examples/benchmark/pcs_bench_report.valid.json b/examples/benchmark/pcs_bench_report.valid.json index bcbde95..7402861 100644 --- a/examples/benchmark/pcs_bench_report.valid.json +++ b/examples/benchmark/pcs_bench_report.valid.json @@ -46,11 +46,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", @@ -105,7 +105,7 @@ "producer_id": "pcs-bench", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", - "signature_or_digest": "sha256:493112ba8f305fa2275f0a3febc4a24f3f0b38437ada0b4a3f4c87c20e5c8c27", + "signature_or_digest": "sha256:e73c7e37dbd30ed555f05cf33d21c24f70eb86e5031c47ea0fe09b6ede01fc69", "metric_summaries": [ { "schema_version": "v0", diff --git a/examples/benchmark_ingest/certifyedge.pcs_bench_ingest.valid.json b/examples/benchmark_ingest/certifyedge.pcs_bench_ingest.valid.json index de90975..99b6dab 100644 --- a/examples/benchmark_ingest/certifyedge.pcs_bench_ingest.valid.json +++ b/examples/benchmark_ingest/certifyedge.pcs_bench_ingest.valid.json 
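Review bot: In the new `PFCoreCertificate.v0` entry, `required_release_fields` lists `claim_class` twice (fourth and last element), so the list enforces one field fewer than its length suggests. The sibling entries end with a type-specific binding field (`events` for the trace, `payload_hash` for the runtime observation), and the trusted-boundary table changed in this same commit says the certificate binds via `trace_hash`, `proof_term_hash` and `lean_environment_hash`. The trailing duplicate therefore looks like a placeholder for one of the proof-binding hashes, for example `"proof_term_hash"` in place of the final `"claim_class"`; please confirm the intended field name against `schemas/PFCoreCertificate.v0.schema.json`, which is not visible here. If the slot stays as it is, a release-mode certificate could pass the required-field check without the hash that ties it to the generated proof. Any change to this entry also means recomputing the file-level `signature_or_digest` at the end of the hunk.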
@@ -1,1748 +1,98 @@ { - "artifact_refs": [ - { - "artifact_type": "CoverageReport.v0", - "path": "certificate_coverage_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:8e04e0b7e4e6ac251d53abb8944a3950ec32fa562e9ea06b96d7689ac6b179a3", - "signature_or_digest": "sha256:21f10caecabd01c9b1417b4e02a68c7c60d1eb12121267647ac027faceb38eda", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "CoverageReport.v0", - "path": "repair_hint_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:4289525ed015bef57212ec78a74b525b33d520ba15e6ebb2163c3f96ec16d7c8", - "signature_or_digest": "sha256:b5794d6d1d073ba1824c13cfd9d1eb0ebbf3e02e13324a1d0310435833af7f08", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ProfileCoverageReport.v0", - "path": "profile_coverage_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:574b69fe314c4b9568017cb0d5a5d87580e9ddf371a593f0ba42e65263ea742d", - "signature_or_digest": "sha256:388e33369132200ba181f8ce124ec2e30822725e8ba293e13eb28b6277066baf", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/formal_facts.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:2e346ec98b829574d858f6e4b33f1f47c6b3826688dc1313167314f4aba5cb13", - "signature_or_digest": "sha256:1c0c39afc5b016bdc942fb1d53473678705e37898e91bf628e3eb6bd96b79cd3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/invalid_hash_mismatch.benchmark_run.v0.json", - 
"role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:7f1318dd81ac7edf9068c33e1d14a10a1f8de832e6cd1532fccd99ee7804f66b", - "signature_or_digest": "sha256:c4bb168da79acba7f7944918e69f49c6ad296785a6e25babce6a97096522598d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/invalid_missing_required_field.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:f308f26544b20eb882cf2eac96f9ed6e8485f0cd11006354250f40712647958e", - "signature_or_digest": "sha256:d99ff6c66ceb93b6810faad63e8d3c784571b0e67ea9239e495c85d8a0d6bdaa", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/invalid_policy_or_property_violation.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:3fef1a18f283b6a3a5c239972d03412b9d82b1cb526ae1d83c6dfef7ee5ced37", - "signature_or_digest": "sha256:a3668187084e0dd3c47876784f8b65e938563f9fe85a16439835400d9cf7fe69", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/invalid_source_provenance.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:61a34f560de5e508f32e1e869aa736caae22a741fe1f0601d41ae44c778c16e3", - "signature_or_digest": "sha256:69a14e7db3a3d1742ae12e9a150b5bee4f22ed856da8d59880e8d0b3162c64b4", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/missing_policy_hash.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": 
"sha256:c2d5b9416bb14b7c76032bacdfc5ed8526dc0a3d5555be11d3e04818dc394117", - "signature_or_digest": "sha256:07e655298b81faa9d1d44a4539e1891179b7d37de0604403aeabc252723d3aa4", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/ok.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:bb96d2cb270fc345764257b9f9ea56b0642a7cc668e95f2cfe363d5937cb1e7a", - "signature_or_digest": "sha256:f709b01e5c652da397e6896faf90a9c7654702790d29d5edb6549128968503bc", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/policy_hash_mismatch.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:ac3b486abace512a5eabf4a7c11e3398a59fe3bb3bae9bc4cdc8a10228f3d5ad", - "signature_or_digest": "sha256:8d556dd2bc903a83d23b12a37c6561986ea87cc19ed731d42a855aee3d98fc85", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/rejected_certificate.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:35c2d86f8f0acbdb7f36557f5820d73f42f1d1ba4f47568afeb2d0ba16c67524", - "signature_or_digest": "sha256:5998e488bbefcc1eb10e38f93dbd74cb90b8f4b0487a2466f5448a2944aad890", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/repair_hint_quality.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:3eb7164df316346e1eb1e50a2c41d3a17c1e92cf8ff3717750d5a0f4abd71876", - "signature_or_digest": 
"sha256:546bae0302cfeab137e9d630bf2695b39d5e6989781429f29a31fa2a9cab404f", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/unauthorized_tool_call.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:f85691605855c40c2e39e4d74a5cbf96f58296445edb7a9d86a9b339b588cbc2", - "signature_or_digest": "sha256:f4f663248b092a449738da307c61e776dbaf439794d44cf9b747ee5a5559fe03", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "BenchmarkRun.v0", - "path": "runs/unknown_authorization_status.benchmark_run.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:a78f086577b435e1d5a523edda6086417906216d714d32b9b71e76f78375c948", - "signature_or_digest": "sha256:54c431ca29dd33461a7bff17a774b176453cfaf0427872f5c5c4874176881ab5", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/invalid_hash_mismatch.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:9cdf9b246d0b5076e08725a9e2e74c2e45cd9bc14f0cbfea34292ad54576b36b", - "signature_or_digest": "sha256:d15534f0d1b94b8b32cbfd18dda8bdce5ba5299857344f92d3a6175267c3df38", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/invalid_missing_required_field.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:7c426ad74e4c87696416a6ed5a54401567b7b46f30216989768181321ce1916c", - "signature_or_digest": 
"sha256:56c97d8cc4b900a48bcfd7c8d7f0244f08693004b9ed4e007ac590636ecb841f", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/invalid_policy_or_property_violation.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:4c48f360c70d107d5a98326e338f608cebb37e61bb1b57fba147ae77634dad1c", - "signature_or_digest": "sha256:f76301744b3bd52d76f8d9388d55c84482c27f42b68dd494cfeb5359f3e95296", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/invalid_source_provenance.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:0a4feb3974d5e68a4964e8289777b3d75242985e9b8f9513efba26f7dec2d81b", - "signature_or_digest": "sha256:e4b6a81243fc4f5a461969467f26126036f0ac725083336af4bd75fa21966501", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/missing_policy_hash.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:acdd0cc143485df94c68dc04ee930c85e604c996cdc9dfd95eb2e00ba1ac61e0", - "signature_or_digest": "sha256:7e537194f4be252539bf53c6615eaad9d28130a4a1a217980b7be2f3a20eae73", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/policy_hash_mismatch.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": 
"sha256:541d18e53e568199d146f1dd9dfe2da887863c64644fb1933690f9e9589aaf50", - "signature_or_digest": "sha256:28c0676affe9d513d5bf7a4e4690ef905fd2bf795384cda221250b90584d2e4f", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/rejected_certificate.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:a5f6d78f5d0f428616e27e73593ab134673c4e85096a81e8d9154d9e8da27506", - "signature_or_digest": "sha256:29186c3148ffbd1a8b9b7bd58368f1e037f895ee185939fdd98a426ae09164e6", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/repair_hint_quality.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:d58a1261efab2dc5b2adadd29bfe3ab3581d0d6d107e588a613580c6a6685044", - "signature_or_digest": "sha256:bb6d3b152a732024c2cf8b91ccf1e0906c4c827c021adf8db6f8a82fa1d548f4", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/unauthorized_tool_call.failure_localization_result.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:95879b2bb90d492aa0d2b8360fc6ccfb2dc2969291f393d5ed64c48cc6f3169b", - "signature_or_digest": "sha256:c85cd4493e23452a1dfd8a8bdfe245f5f6cb80d942a11e2092f8d1d20360adcc", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "FailureLocalizationResult.v0", - "path": "failure_localization/unknown_authorization_status.failure_localization_result.v0.json", - 
"role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:cba838c442be5b754da709924d92248c8ae4d76268e46ca8780e253299becec2", - "signature_or_digest": "sha256:c0513450bb728ebf164c1147d4820df9e6de99a023b4dac556fb3b66973647e0", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/formal_facts.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:4879242e4b8b8d3e957b2a0d65cc325f9f8c532e18daea726816e112b2a77e5d", - "signature_or_digest": "sha256:627ac07925ae77f332fa87aa2756051f2941eb04e0d6b6600df73955f67034c2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/invalid_hash_mismatch.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:0ffe42988cc5fe28e9bedb9be689e313ea8c54e3c8a83e7e223e35f76214fe4e", - "signature_or_digest": "sha256:f934701b7c29123ecf5b9afbc2ad3e0041ade85bd4dc9fee5f3787ae349862ea", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/invalid_missing_required_field.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:5ed8674e9a4bed25e581655286f4a617dfa3f27b7e969ccc450847ec43f8d019", - "signature_or_digest": "sha256:32a55d5d84ed39b146f2f7e5fe30b271efe11ad9b9ea3fce44c873abd1092a73", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": 
"explain_quality/invalid_policy_or_property_violation.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:365a4db5f3e0c604fce83a06f6f2af991c68e927b4514e90f111cc81f9a0c214", - "signature_or_digest": "sha256:ec2ea933ae9668e129af8b8f6722f9b570bd2a545193c1cb2b805c158c049a34", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/invalid_source_provenance.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:c0770e4c3bc5bd12777744f2584c6d29095ab5b1cb3064f7be6fa4e898bc24e8", - "signature_or_digest": "sha256:e60a36092e3569208a002c8af884f2c1028256d24e4cc4a0d9d5b0a7b6124290", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/missing_policy_hash.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:a2c99238057a7ea4e264f7e85e535c102e57263f6c1e0271ef1bacadfc6564e2", - "signature_or_digest": "sha256:265193e0bc9dfd65a47976ae5257afab55d2f4706b9c031d6267efdaeaea8f67", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/ok.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:e8cc0acc6109d320a87ff6a20dd2bbfd185d6570d530b5153f0162f84872b64a", - "signature_or_digest": "sha256:0ab71aba398bfc7caf76b2fd0d013a43cc09ae8785b9f4465fabf7270c76e2d7", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": 
"explain_quality/policy_hash_mismatch.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:e426e5907ad7576d582a3ecf60a68ee735d7bbb5fd42e2bcac8bb6ac83aebbf7", - "signature_or_digest": "sha256:48b1a854012d04e98da6be8e41b9b728d46e6cc058ec1498b47fa29c2904fd20", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/rejected_certificate.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:e02ed77bab63a25575a8a4c4d3cbe9e4f5f700ae224dc2798cf7e3cf10634f48", - "signature_or_digest": "sha256:b64322de9fa369da175836d13711a7163256f6e90140ce25bf71b80261a74d57", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/repair_hint_quality.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:a1662fd47bad9152850975f3a63439aa664d6314711eee96e28f632293452931", - "signature_or_digest": "sha256:79646f975b845f1c8b521c02387cac45d7ded13df173a86193eb25ba150b897b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/unauthorized_tool_call.explain_quality_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:398e653967e0b62cfe0ad4077503ea7d1551757da2f83ebb4f8c37ec7ac888b5", - "signature_or_digest": "sha256:955c9d8ed222fd4a2343bb3ddf308200ac5374ab82d41f2cb388376c6336353b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, + "schema_version": "v0", + "producer_id": "certifyedge", + 
"suite_id": "certifyedge-certificate-v0", + "workflow_id": "labtrust.qc_release_v0.1", + "benchmark_runs": [], + "coverage_reports": [ { - "artifact_type": "ExplainQualityReport.v0", - "path": "explain_quality/unknown_authorization_status.explain_quality_report.v0.json", - "role": "producer_export", "schema_version": "v0", - "sha256": "sha256:3e1a5181b0958421390a6272168e78ff5e69cb94ff5f80ceadc5568afb657a81", - "signature_or_digest": "sha256:b2808d46401062867ce36fb7feccd8ceee384e4be1ee1e9133c3c996ee551300", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "coverage_id": "certifyedge-cert-bench-v0", + "metric": "certificate_completeness", + "metric_id": "certificate_completeness_score", + "numerator": 4.0, + "denominator": 4.0, + "coverage_ratio": 1.0, + "details": { + "producer_id": "certifyedge", + "certificate_id": "cert-labtrust-qc-v0", + "violations": [] + }, + "source_repo": "https://github.com/fraware/CertifyEdge", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:41a447e3d126819a85e77dc2ddbc3e67a2d9dfe4c1e86cf0481022ef6e7c06e5" } ], - "benchmark_runs": [ - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "formal_facts", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 217, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-formal_facts", - "schema_version": "v0", - "signature_or_digest": "sha256:2e346ec98b829574d858f6e4b33f1f47c6b3826688dc1313167314f4aba5cb13", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": 
"https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 7, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:7f1318dd81ac7edf9068c33e1d14a10a1f8de832e6cd1532fccd99ee7804f66b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_missing_required_field", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 5, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_missing_required_field", - "schema_version": "v0", - "signature_or_digest": "sha256:f308f26544b20eb882cf2eac96f9ed6e8485f0cd11006354250f40712647958e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": 
"agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_policy_or_property_violation", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 141, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": "sha256:3fef1a18f283b6a3a5c239972d03412b9d82b1cb526ae1d83c6dfef7ee5ced37", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_source_provenance", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:61a34f560de5e508f32e1e869aa736caae22a741fe1f0601d41ae44c778c16e3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - 
"certificate_formal_facts.json" - ], - "case_id": "missing_policy_hash", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 124, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:c2d5b9416bb14b7c76032bacdfc5ed8526dc0a3d5555be11d3e04818dc394117", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "ok", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 148, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-ok", - "schema_version": "v0", - "signature_or_digest": "sha256:bb96d2cb270fc345764257b9f9ea56b0642a7cc668e95f2cfe363d5937cb1e7a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "policy_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate 
--profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:ac3b486abace512a5eabf4a7c11e3398a59fe3bb3bae9bc4cdc8a10228f3d5ad", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, + "failure_localization_reports": [], + "explain_quality_reports": [], + "profile_coverage_reports": [ { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "rejected_certificate", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 130, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-rejected_certificate", "schema_version": "v0", - "signature_or_digest": "sha256:35c2d86f8f0acbdb7f36557f5820d73f42f1d1ba4f47568afeb2d0ba16c67524", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" + "coverage_id": "certifyedge-profile-certificate-v0", + "workflow_profile_id": "labtrust.qc_release_v0.1", + "producer_id": "provability-fabric", + "suite_id": 
"certifyedge-certificate-v0", + "artifact_types_required": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "case_id": "repair_hint_quality", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } + "artifact_types_covered": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 127, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:3eb7164df316346e1eb1e50a2c41d3a17c1e92cf8ff3717750d5a0f4abd71876", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" + "semantic_checks_required": [ + "trace_hash_matches_certificate" ], - "case_id": "unauthorized_tool_call", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } + "semantic_checks_covered": [ + "trace_hash_matches_certificate" ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 196, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - "signature_or_digest": "sha256:f85691605855c40c2e39e4d74a5cbf96f58296445edb7a9d86a9b339b588cbc2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": 
"https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" + "handoff_steps_required": [ + "runtime_to_certificate" ], - "case_id": "unknown_authorization_status", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } + "handoff_steps_covered": [ + "runtime_to_certificate" ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 123, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:a78f086577b435e1d5a523edda6086417906216d714d32b9b71e76f78375c948", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:30Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" + "numerator": 5.0, + "denominator": 5.0, + "coverage_ratio": 1.0, + "details": {}, + "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:015cc19b9ceda72157115a83fa7e23f61edae9080825deb1d5f7424a0b4cec1a" } ], "commands": [ { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", + "command": "certifyedge benchmark certificates --certificate-id cert-labtrust-qc-v0", "exit_code": 0 } ], - "coverage_reports": [ - { - "coverage_id": "certifyedge-tool-use-safety-v0-certificate-completeness", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "ambiguous_localizations": [ - { - 
"case_id": "policy_hash_mismatch", - "failure_code": "policy_hash_mismatch", - "reason": "policy_hash_mismatch may be attributed to certificate_producer or runtime_producer" - } - ], - "counterexample_completeness": 1.0, - "failure_code_accuracy": 0.8, - "invalid_certificates_rejected": 6, - "native_artifact": "CertificateCoverageReport.v0", - "native_report_file": "certificate_coverage_report.v0.json", - "profile_id": "agent_tool_use.safety_v0", - "sidecar_artifact_paths": { - "benchmark_report": "benchmark_report.v0.json", - "certificate_coverage_report": "certificate_coverage_report.v0.json", - "pcs_bench_ingest": "pcs_bench_ingest.v0.json", - "profile_coverage_report": "profile_coverage_report.v0.json", - "repair_hint_manifest": "repair_hint_manifest.v0.json", - "repair_hint_quality_report": "repair_hint_quality_report.v0.json" - }, - "valid_certificates_accepted": 2 - }, - "metric": "certificate_completeness", - "numerator": 12.0, - "schema_version": "v0", - "signature_or_digest": "sha256:8e04e0b7e4e6ac251d53abb8944a3950ec32fa562e9ea06b96d7689ac6b179a3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "coverage_id": "certifyedge-tool-use-safety-v0-repair-hint-quality", - "coverage_ratio": 1.0, - "denominator": 10.0, - "details": { - "missing_repair_hints": [], - "repair_hint_accuracy": 1.0 - }, - "metric": "repair_hint_quality", - "numerator": 10.0, - "schema_version": "v0", - "signature_or_digest": "sha256:4289525ed015bef57212ec78a74b525b33d520ba15e6ebb2163c3f96ec16d7c8", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - } - ], - "explain_quality_reports": [ - { - "case_id": "formal_facts", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-formal_facts", - "required_sections": [ - "provenance", - "hashes", - "verification", - 
"limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:4879242e4b8b8d3e957b2a0d65cc325f9f8c532e18daea726816e112b2a77e5d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_hash_mismatch", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - 
"sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch; repair_command=labtrust export-trace --run --out benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json ...", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:0ffe42988cc5fe28e9bedb9be689e313ea8c54e3c8a83e7e223e35f76214fe4e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_missing_required_field", - "gaps": [], - "producer_id": "certifyedge", - 
"quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_missing_required_field", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:5ed8674e9a4bed25e581655286f4a617dfa3f27b7e969ccc450847ec43f8d019", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_policy_or_property_violation", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_policy_or_property_violation", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - 
"repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; 
counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:365a4db5f3e0c604fce83a06f6f2af991c68e927b4514e90f111cc81f9a0c214", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_source_provenance", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_source_provenance", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:c0770e4c3bc5bd12777744f2584c6d29095ab5b1cb3064f7be6fa4e898bc24e8", - "source_commit": 
"605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "missing_policy_hash", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-missing_policy_hash", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true; repair_command=ensure tool-use 
trace includes policy_hash before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a2c99238057a7ea4e264f7e85e535c102e57263f6c1e0271ef1bacadfc6564e2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "ok", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-ok", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": 
"certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e8cc0acc6109d320a87ff6a20dd2bbfd185d6570d530b5153f0162f84872b64a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "policy_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-policy_hash_mismatch", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to 
certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; repair_command=labtrust export-trace --run --out benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json ...; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e426e5907ad7576d582a3ecf60a68ee735d7bbb5fd42e2bcac8bb6ac83aebbf7", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "rejected_certificate", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-rejected_certificate", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; 
counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e02ed77bab63a25575a8a4c4d3cbe9e4f5f700ae224dc2798cf7e3cf10634f48", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": 
"agent_tool_use.safety_v0" - }, - { - "case_id": "repair_hint_quality", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-repair_hint_quality", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case 
repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a1662fd47bad9152850975f3a63439aa664d6314711eee96e28f632293452931", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "unauthorized_tool_call", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unauthorized_tool_call", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": 
"certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:398e653967e0b62cfe0ad4077503ea7d1551757da2f83ebb4f8c37ec7ac888b5", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, + "logs": [], + "source_repo": "https://github.com/fraware/CertifyEdge", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:acc026873414423cbae1f0817c120f5398168d1d2976179ce91e33fc13123501", + "artifact_refs": [ { - "case_id": "unknown_authorization_status", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unknown_authorization_status", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case 
unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:3e1a5181b0958421390a6272168e78ff5e69cb94ff5f80ceadc5568afb657a81", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", + "artifact_type": "CoverageReport.v0", + "path": "benchmarks/certificate/coverage_report.certifyedge-cert-bench-v0.v0.json", + 
"sha256": "sha256:41a447e3d126819a85e77dc2ddbc3e67a2d9dfe4c1e86cf0481022ef6e7c06e5", + "role": "producer_export", "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - } - ], - "failure_localization_reports": [ - { - "case_id": "invalid_hash_mismatch", - "expected_failure_code": "trace_hash_mismatch", - "expected_responsible_component": "runtime_producer", - "localized_correctly": false, - "observed_failure_code": "trace_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_hash_mismatch", - "run_id": "bench-run-invalid_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:9cdf9b246d0b5076e08725a9e2e74c2e45cd9bc14f0cbfea34292ad54576b36b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:971661db2c399b90eef4ab256e78390dbfe73686c2103c581376d50e389f0769" }, { - "case_id": "invalid_missing_required_field", - "expected_failure_code": "invalid_missing_required_field", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - "observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_missing_required_field", - "run_id": "bench-run-invalid_missing_required_field", "schema_version": "v0", - "signature_or_digest": "sha256:7c426ad74e4c87696416a6ed5a54401567b7b46f30216989768181321ce1916c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_policy_or_property_violation", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": "runtime_producer", - 
"localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_policy_or_property_violation", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": "sha256:4c48f360c70d107d5a98326e338f608cebb37e61bb1b57fba147ae77634dad1c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_source_provenance", - "expected_failure_code": "invalid_source_provenance", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - "observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_source_provenance", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:0a4feb3974d5e68a4964e8289777b3d75242985e9b8f9513efba26f7dec2d81b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "missing_policy_hash", - "expected_failure_code": "policy_hash_missing", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "policy_hash_missing", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-missing_policy_hash", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:acdd0cc143485df94c68dc04ee930c85e604c996cdc9dfd95eb2e00ba1ac61e0", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "policy_hash_mismatch", - "expected_failure_code": "policy_hash_mismatch", - 
"expected_responsible_component": "unknown", - "localized_correctly": true, - "observed_failure_code": "policy_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": "certifyedge-tool-use-safety-v0-localization-policy_hash_mismatch", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:541d18e53e568199d146f1dd9dfe2da887863c64644fb1933690f9e9589aaf50", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "rejected_certificate", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "certificate_producer", - "localized_correctly": false, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-rejected_certificate", - "run_id": "bench-run-rejected_certificate", - "schema_version": "v0", - "signature_or_digest": "sha256:a5f6d78f5d0f428616e27e73593ab134673c4e85096a81e8d9154d9e8da27506", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "repair_hint_quality", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-repair_hint_quality", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:d58a1261efab2dc5b2adadd29bfe3ab3581d0d6d107e588a613580c6a6685044", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "unauthorized_tool_call", - "expected_failure_code": "unauthorized_tool_call", - 
"expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unauthorized_tool_call", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - "signature_or_digest": "sha256:95879b2bb90d492aa0d2b8360fc6ccfb2dc2969291f393d5ed64c48cc6f3169b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "unknown_authorization_status", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unknown_authorization_status", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:cba838c442be5b754da709924d92248c8ae4d76268e46ca8780e253299becec2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - } - ], - "logs": [], - "producer_id": "certifyedge", - "profile_coverage_reports": [ - { - "artifact_types_covered": [ - "ToolUseCertificate.v0" - ], - "artifact_types_required": [ - "ToolUseCertificate.v0" - ], - "coverage_id": "certifyedge-tool-use-safety-v0-profile-coverage", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "case_counts": { - "invalid": 10, - "valid": 2 - }, - "counterexample_types_covered": [ - "trace_hash_mismatch", - "unknown_authorization_status", - "policy_hash_missing", - "policy_hash_mismatch", - "unauthorized_tool_call" - ], - "release_mode_required_fields": [ - "trace_hash", - "policy_hash", - "property_id", - "source_repo", - "source_commit", - 
"signature_or_digest" - ], - "templates_checked": true, - "unsupported_cases": [] - }, - "handoff_steps_covered": [ - "runtime_to_certificate" - ], - "handoff_steps_required": [ - "runtime_to_certificate" - ], - "numerator": 12.0, - "producer_id": "certifyedge", - "schema_version": "v0", - "semantic_checks_covered": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - "unknown_authorization_status" - ], - "semantic_checks_required": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - "unknown_authorization_status" - ], - "signature_or_digest": "sha256:574b69fe314c4b9568017cb0d5a5d87580e9ddf371a593f0ba42e65263ea742d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", + "artifact_type": "ProfileCoverageReport.v0", + "path": "benchmarks/certificate/profile_coverage_report.certifyedge-cert-bench-v0.v0.json", + "sha256": "sha256:015cc19b9ceda72157115a83fa7e23f61edae9080825deb1d5f7424a0b4cec1a", + "role": "producer_export", "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_profile_id": "agent_tool_use.safety_v0" + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:d6807bcd69915d06fed32c9d342b993252a5e7dcb4a2f17c36d0fa799c1e7f8a" } - ], - "schema_version": "v0", - "signature_or_digest": "sha256:9906a311351c39d28811649f8dd0c7eb13cb7dd8ec5ef9284ff2718e23954d66", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" + ] } diff --git a/examples/benchmark_ingest/labtrust.pcs_bench_ingest.valid.json b/examples/benchmark_ingest/labtrust.pcs_bench_ingest.valid.json index ba29e7f..d40e60f 100644 --- a/examples/benchmark_ingest/labtrust.pcs_bench_ingest.valid.json +++ b/examples/benchmark_ingest/labtrust.pcs_bench_ingest.valid.json 
@@ -9,8 +9,8 @@ "run_id": "bench-run-labtrust-valid-release-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-valid-release-v0", - "started_at": "2026-05-22T11:54:35Z", - "completed_at": "2026-05-22T11:54:35Z", + "started_at": "2026-06-28T00:48:40Z", + "completed_at": "2026-06-28T00:48:40Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts", @@ -30,10 +30,10 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 14, + "duration_ms": 8, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ee83b3920ea273bcc6e1d5860401e15497728638392c0af5ac242fac40919350" + "signature_or_digest": "sha256:c0bc4dfd0e239b393eff2c2266b1ef351e28d910e1c14de569275381f3ecd4f9" } ], "coverage_reports": [ 
@@ -62,17 +62,17 @@ "logs": [], "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "5eac714fd7dc813d2523febcb85c56821558a1b7", - "signature_or_digest": "sha256:f4ee4fe774cf48660e0fa7b34c7a629edbe8490985dfc62d82b00cce5e5317a0", + "signature_or_digest": "sha256:cbf524f8b92e3aa8d3f3efebdd37c5ae01e161a18ecef02cd50276f974693e46", "artifact_refs": [ { "schema_version": "v0", "artifact_type": "BenchmarkRun.v0", "path": "valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json", - "sha256": "sha256:ee83b3920ea273bcc6e1d5860401e15497728638392c0af5ac242fac40919350", + "sha256": "sha256:c0bc4dfd0e239b393eff2c2266b1ef351e28d910e1c14de569275381f3ecd4f9", "role": "producer_export", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "5eac714fd7dc813d2523febcb85c56821558a1b7", - "signature_or_digest": "sha256:beda167d29a7114587aeebdc960d30715bf1520e8d9903bc997ac06209d07b17" + "signature_or_digest": "sha256:0444e4e2155d1c7f0e016b0c8249422b009eba0be98c6387b583d2ee2afeead8" }, { "schema_version": "v0", diff --git a/examples/benchmarks/benchmark_report.valid.json b/examples/benchmarks/benchmark_report.valid.json index fa7f162..4cc68df 100644 --- a/examples/benchmarks/benchmark_report.valid.json +++ b/examples/benchmarks/benchmark_report.valid.json @@ -112,11 +112,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", 
@@ -260,11 +260,11 @@ "failures": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:6456dcc3287fc82cd7366439399f965310607c4861c6bd87bdac7065e6e93fa1", + "signature_or_digest": "sha256:ef21b80192de276cacde37b7c3699e8e5e18935f35ab73e3f8fe23badb589d4b", "conformance_refs": [ { "suite": "release-chain", - "run_id": "conf-run-release-chain-20260521T112227Z", + "run_id": "conf-run-release-chain-20260628T004833Z", "status": "passed" } ], diff --git a/examples/benchmarks/benchmark_run.valid.json b/examples/benchmarks/benchmark_run.valid.json index 5c86511..6c2576f 100644 --- a/examples/benchmarks/benchmark_run.valid.json +++ b/examples/benchmarks/benchmark_run.valid.json @@ -3,8 +3,8 @@ "run_id": "bench-run-labtrust-valid-release-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-valid-release-v0", - "started_at": "2026-05-22T11:54:32Z", - "completed_at": "2026-05-22T11:54:32Z", + "started_at": "2026-06-28T00:48:37Z", + "completed_at": "2026-06-28T00:48:37Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts", @@ -24,8 +24,8 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 8, + "duration_ms": 7, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:083025dab342fcee0e024844fe11a5ca90d9628bed53ee0c2b95e1b26289be41" + "signature_or_digest": "sha256:7078d90006c355dea656fc9652f3fe2ff40e9c7f179e5c89f59bd57f05268668" } diff --git a/examples/benchmarks/compatibility/pcs_bench_report.dialect.json b/examples/benchmarks/compatibility/pcs_bench_report.dialect.json index 352e81a..16117bb 100644 --- a/examples/benchmarks/compatibility/pcs_bench_report.dialect.json 
+++ b/examples/benchmarks/compatibility/pcs_bench_report.dialect.json @@ -47,11 +47,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", diff --git a/examples/benchmarks/compatibility/pcs_bench_report.normalized.json b/examples/benchmarks/compatibility/pcs_bench_report.normalized.json index bcbde95..7402861 100644 --- a/examples/benchmarks/compatibility/pcs_bench_report.normalized.json +++ b/examples/benchmarks/compatibility/pcs_bench_report.normalized.json @@ -46,11 +46,11 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" }, "formal_checks": { "schema_version": "v0", @@ -105,7 +105,7 @@ "producer_id": "pcs-bench", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", - "signature_or_digest": "sha256:493112ba8f305fa2275f0a3febc4a24f3f0b38437ada0b4a3f4c87c20e5c8c27", + "signature_or_digest": "sha256:e73c7e37dbd30ed555f05cf33d21c24f70eb86e5031c47ea0fe09b6ede01fc69", "metric_summaries": [ { "schema_version": "v0", diff --git a/examples/benchmarks/coverage_report.valid.json b/examples/benchmarks/coverage_report.valid.json index 852f8c5..0cd10a7 100644 
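Review bot: In the `@@ -105,7 +105,7 @@` hunk of pcs_bench_report.normalized.json, the refreshed `signature_or_digest` belongs to a record that pairs `"source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9"` with `"source_repo": "https://github.com/SentinelOps-CI/pcs-core"`. The lines added to the CertifyEdge benchmark fixture earlier in this diff (top level and both `artifact_refs` entries) pin the same commit id under `https://github.com/fraware/CertifyEdge`. Unless one repository is a fork of the other, a single commit id cannot identify code in both, so the generator may be stamping one commit onto records from different producers. If the digest covers these provenance fields, which is not visible here, the new value would bake that attribution into the expected output. It would be worth confirming which repository the commit belongs to and regenerating the other fixture with its own commit. The record starts above the hunk, so the full object is not visible.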
--- a/examples/benchmarks/coverage_report.valid.json +++ b/examples/benchmarks/coverage_report.valid.json @@ -6,9 +6,9 @@ "denominator": 1.0, "coverage_ratio": 0.0, "details": { - "registry_entry_count": 38 + "registry_entry_count": 49 }, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ca04448ed60d7722ea387e594d6fc6468e1a783454d438a19fc9108358866f47" + "signature_or_digest": "sha256:f8df360f4c35f4efc0d20f5ea82138a6303239388751b35aa94beccead907cca" } diff --git a/examples/computation-release/RELEASE_FIXTURE_MANIFEST.json b/examples/computation-release/RELEASE_FIXTURE_MANIFEST.json index 650d4bb..e9dd001 100644 --- a/examples/computation-release/RELEASE_FIXTURE_MANIFEST.json +++ b/examples/computation-release/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,14 +9,14 @@
 "provability_fabric_commit": "c333333333333333333333333333333333333333",
 "scientific_memory_commit": "d444444444444444444444444444444444444444",
 "artifacts": {
- "dataset_receipt.json": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec",
- "environment_receipt.json": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae",
- "computation_run_receipt.json": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a",
- "result_artifact.json": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed",
- "computation_witness.json": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9",
- "science_claim_bundle.certified.json": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d",
- "verification_result.json": "sha256:59c45c6e24cbca96489cfdefc0b156c39bec252b53b09e8f1d8b7b48fa88676f",
- "signed_science_claim_bundle.json": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea",
- "scientific_memory_import_report.json": "sha256:21fa9d915b7f313a3e9d1b1fdf4bdd2815bbd06404ae9699518bd5e367bca41e"
+ "dataset_receipt.json": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79",
+ "environment_receipt.json": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598",
+ "computation_run_receipt.json": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a",
+ "result_artifact.json": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc",
+ "computation_witness.json": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb",
+ "science_claim_bundle.certified.json": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643",
+ "verification_result.json": "sha256:f78c35d74928bb139e2d507424a022f2dfa78fcc2e1a67ccd4adeb0f51e0b43c",
+ "signed_science_claim_bundle.json": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a",
+ "scientific_memory_import_report.json": "sha256:ba324c85c2aee78e1893c7b667e8580cbeede842b7027d42b9474b8c9dafbe70"
 }
 }
diff --git a/examples/computation-release/handoff_manifest.bundle_to_verifier.v0.json b/examples/computation-release/handoff_manifest.bundle_to_verifier.v0.json
index e069549..79cf255 100644
--- a/examples/computation-release/handoff_manifest.bundle_to_verifier.v0.json
+++ b/examples/computation-release/handoff_manifest.bundle_to_verifier.v0.json
@@ -10,7 +10,7 @@
 "input_artifacts": {
 "science_claim_bundle.certified.json": {
 "artifact_type": "ScienceClaimBundle.v0",
- "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 }
 },
 "expected_outputs": {
@@ -24,8 +24,8 @@
 "invariants": {
 "witness_id": "witness-sci-comp-repro-001",
 "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828",
- "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:3db04a8c9656ed55c3efbc7bb08ebd2a606d9b26f21f492d201e0071c8b7e968"
+ "signature_or_digest": "sha256:91f0cdb6ab949b0ab706bcbf64281bac53f48083476944d1ef3a09a29d4e5a0e"
 }
diff --git a/examples/computation-release/handoff_manifest.certificate_to_bundle.v0.json b/examples/computation-release/handoff_manifest.certificate_to_bundle.v0.json
index 1a9d519..bf485ef 100644
--- a/examples/computation-release/handoff_manifest.certificate_to_bundle.v0.json
+++ b/examples/computation-release/handoff_manifest.certificate_to_bundle.v0.json
@@ -10,7 +10,7 @@
 "input_artifacts": {
 "computation_witness.json": {
 "artifact_type": "ComputationWitness.v0",
- "sha256": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9"
+ "sha256": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb"
 }
 },
 "expected_outputs": {
@@ -23,5 +23,5 @@
 "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:e2170d91b655ae0d9ae9b8f6a18fa78f9801d76213bd8e5bfba577ac7599f501"
+ "signature_or_digest": "sha256:170b7a0dfa9132870f4a7f96de1b4e9cb483c7ea6a354d8162e452a6b151543c"
 }
diff --git a/examples/computation-release/handoff_manifest.runtime_to_certificate.v0.json b/examples/computation-release/handoff_manifest.runtime_to_certificate.v0.json
index 420d888..e2ee508 100644
--- a/examples/computation-release/handoff_manifest.runtime_to_certificate.v0.json
+++ b/examples/computation-release/handoff_manifest.runtime_to_certificate.v0.json
@@ -10,19 +10,19 @@
 "input_artifacts": {
 "dataset_receipt.json": {
 "artifact_type": "DatasetReceipt.v0",
- "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec"
+ "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79"
 },
 "environment_receipt.json": {
 "artifact_type": "EnvironmentReceipt.v0",
- "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae"
+ "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598"
 },
 "computation_run_receipt.json": {
 "artifact_type": "ComputationRunReceipt.v0",
- "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a"
+ "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a"
 },
 "result_artifact.json": {
 "artifact_type": "ResultArtifact.v0",
- "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed"
+ "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc"
 }
 },
 "expected_outputs": {
@@ -35,5 +35,5 @@
 "dataset_hash": "sha256:84c9037231eef6a1742c1d6d0a043878b4de8395397c168026450d8ca9e647e3"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:bafff8665c39e3662b34563a34671f518639fbb46853d889925a537a964c1b41"
+ "signature_or_digest": "sha256:00a3731d61029e4ae124bd4503e3eae35eb7b1c271cf3f5f3930cfe2a89e137f"
 }
diff --git a/examples/computation-release/handoff_manifest.signed_bundle_to_memory.v0.json b/examples/computation-release/handoff_manifest.signed_bundle_to_memory.v0.json
index c5620af..7db8eb3 100644
--- a/examples/computation-release/handoff_manifest.signed_bundle_to_memory.v0.json
+++ b/examples/computation-release/handoff_manifest.signed_bundle_to_memory.v0.json
@@ -10,7 +10,7 @@
 "input_artifacts": {
 "signed_science_claim_bundle.json": {
 "artifact_type": "SignedScienceClaimBundle.v0",
- "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea"
+ "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a"
 }
 },
 "expected_outputs": {
@@ -23,5 +23,5 @@
 "claim_id": "claim-qc-release-v0.1"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:68159cf6671e21245b197912e054410bf50e39b068e25c0eb66ecc73fca10250"
+ "signature_or_digest": "sha256:d7040e584b65b50f2b17d467f6ca7dd1e098f818dc72e7158e0bcd009b400f71"
 }
diff --git a/examples/computation-release/handoff_to_certifyedge.json b/examples/computation-release/handoff_to_certifyedge.json
index 420d888..e2ee508 100644
--- a/examples/computation-release/handoff_to_certifyedge.json
+++ b/examples/computation-release/handoff_to_certifyedge.json
@@ -10,19 +10,19 @@
 "input_artifacts": {
 "dataset_receipt.json": {
 "artifact_type": "DatasetReceipt.v0",
- "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec"
+ "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79"
 },
 "environment_receipt.json": {
 "artifact_type": "EnvironmentReceipt.v0",
- "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae"
+ "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598"
 },
 "computation_run_receipt.json": {
 "artifact_type": "ComputationRunReceipt.v0",
- "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a"
+ "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a"
 },
 "result_artifact.json": {
 "artifact_type": "ResultArtifact.v0",
- "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed"
+ "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc"
 }
 },
 "expected_outputs": {
@@ -35,5 +35,5 @@
 "dataset_hash": "sha256:84c9037231eef6a1742c1d6d0a043878b4de8395397c168026450d8ca9e647e3"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:bafff8665c39e3662b34563a34671f518639fbb46853d889925a537a964c1b41"
+ "signature_or_digest": "sha256:00a3731d61029e4ae124bd4503e3eae35eb7b1c271cf3f5f3930cfe2a89e137f"
 }
diff --git a/examples/computation-release/handoff_to_pf.json b/examples/computation-release/handoff_to_pf.json
index e069549..79cf255 100644
--- a/examples/computation-release/handoff_to_pf.json
+++ b/examples/computation-release/handoff_to_pf.json
@@ -10,7 +10,7 @@
 "input_artifacts": {
 "science_claim_bundle.certified.json": {
 "artifact_type": "ScienceClaimBundle.v0",
- "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 }
 },
 "expected_outputs": {
@@ -24,8 +24,8 @@
 "invariants": {
 "witness_id": "witness-sci-comp-repro-001",
 "run_receipt_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828",
- "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 },
 "status": "Validated",
- "signature_or_digest": "sha256:3db04a8c9656ed55c3efbc7bb08ebd2a606d9b26f21f492d201e0071c8b7e968"
+ "signature_or_digest": "sha256:91f0cdb6ab949b0ab706bcbf64281bac53f48083476944d1ef3a09a29d4e5a0e"
 }
diff --git a/examples/computation-release/lean_check_result.v0.json b/examples/computation-release/lean_check_result.v0.json
index ec62c26..5e6cdc4 100644
--- a/examples/computation-release/lean_check_result.v0.json
+++ b/examples/computation-release/lean_check_result.v0.json
@@ -5,7 +5,7 @@
 "lean_module": "PCS.Theorems",
 "lean_theorem": "ReleaseChainAdmissible",
 "status": "ProofChecked",
- "checked_at": "2026-05-19T13:37:27Z",
+ "checked_at": "2026-06-28T00:48:30Z",
 "lean_version": "leanprover/lean4:stable",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
@@ -33,5 +33,5 @@
 "failure_reason": ""
 }
 ],
- "signature_or_digest": "sha256:fd47f305ab323dffeee4f60ebd3ac164563ca784b0199842f23b7fec315df397"
+ "signature_or_digest": "sha256:46006f2dbeb6b1ed7d4840e085dbbdd7e1c3c977b24d0ea8e0af50878206365d"
 }
diff --git a/examples/computation-release/proof_obligation.v0.json b/examples/computation-release/proof_obligation.v0.json
index 7c1706a..a7dd41f 100644
--- a/examples/computation-release/proof_obligation.v0.json
+++ b/examples/computation-release/proof_obligation.v0.json
@@ -22,8 +22,8 @@
 "kind": "VerificationAdmitsBundle",
 "inputs": {
 "verification_status": "ProofChecked",
- "verified_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d",
- "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d",
+ "verified_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643",
+ "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643",
 "release_blocking_checks_passed": true
 }
 },
@@ -31,8 +31,8 @@
 "obligation_id": "signed_bundle_admissible",
 "kind": "SignedBundleAdmissible",
 "inputs": {
- "signed_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d",
- "verified_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "signed_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643",
+ "verified_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 }
 }
 ],
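Review bot: The regenerated `checked_at` in lean_check_result.v0.json is a wall-clock value inside an artifact whose bytes are digest-pinned, so the timestamp alone forces a new `signature_or_digest` in this file and a new `lean_check_result` `sha256` in the release_manifest.v0.json hunk later in this diff. A reviewer then cannot tell a real change in the proof check from a plain re-run, which weakens the pinned hash as a tamper signal. I would have the fixture generator take the timestamp from a fixed input so a re-run with no content change keeps `"checked_at": "2026-05-19T13:37:27Z"`. The unchanged context line `"lean_version": "leanprover/lean4:stable"` names a floating tag; recording the concrete toolchain that checked the theorem, as in `"lean_version": "leanprover/lean4:<pinned-version>"`, would make the result reproducible.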
@@ -61,5 +61,5 @@
 "lean_module": "PCS.Theorems",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "signature_or_digest": "sha256:8b5791def92cff90bb899cf228e7a26d3305e8e141fae361d698c23bb2dd14b6"
+ "signature_or_digest": "sha256:8f3640d982b551859055d5fb1f351b8f099bc3b3f5b6c9feda56bee69aaa6c83"
 }
diff --git a/examples/computation-release/release_manifest.v0.json b/examples/computation-release/release_manifest.v0.json
index 31862ea..74dc757 100644
--- a/examples/computation-release/release_manifest.v0.json
+++ b/examples/computation-release/release_manifest.v0.json
@@ -8,16 +8,16 @@
 "chain_root": {
 "trace_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828",
 "certificate_id": "witness-sci-comp-repro-001",
- "certified_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d",
- "signed_bundle_hash": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea"
+ "certified_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643",
+ "signed_bundle_hash": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a"
 },
 "release_chain_validation_result": {
 "path": "release_chain_validation_result.v0.json",
- "sha256": "sha256:c1f0f2c733f1d15b5822a0870998be795f71f116bb721776dc4ba606a05b5711"
+ "sha256": "sha256:655eb161766f61ba6d804767be022ff49c9199337897012f44f84631657007b7"
 },
 "canonical_signed_bundle": {
 "path": "signed_science_claim_bundle.json",
- "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea"
+ "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a"
 },
 "canonical_claim_id": "claim-qc-release-v0.1",
 "limitations_notice": "This artifact is a proof-carrying computational reproducibility result. It verifies that declared inputs, environment metadata, code provenance, execution command, and result artifact hashes are internally consistent. It does not prove that the scientific model is true, that the dataset is unbiased, or that the result is externally valid.",
@@ -50,7 +50,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:d54994e19c32caeb7508edbb73a14efc94341ffd93013873af527e180385dfec"
+ "sha256": "sha256:f94a4a839cea893cd0abeea758326e0e28f01a293b6ac87f8436ca5cca753e79"
 },
 "environment_receipt.json": {
 "artifact_type": "EnvironmentReceipt.v0",
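Review bot: The `limitations_notice` kept as context in this release_manifest.v0.json hunk does not say that every `sha256` and `signature_or_digest` value shown in these fixtures is an unkeyed `sha256:` digest, including the one in signed_science_claim_bundle.json further down, which sits next to a `signed_at` field. An unkeyed digest detects accidental change, but whoever edits an artifact can recompute it along with every hash that depends on it, as this commit does for the whole chain, so it shows that the set is internally consistent and says nothing about who produced it. I would add a sentence to the notice, for example `Digests are unkeyed SHA-256 values and do not authenticate the producer.`, and regenerate the dependent hashes. Whether a keyed signature is carried elsewhere in the signed bundle is not visible from these hunks.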
@@ -58,7 +58,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:6335e612b739e925d74ca94a39690380f8be7c9db836fcad4c8ff0ba8b6c98ae"
+ "sha256": "sha256:c01a8f055da8965e01c1172eb7ff9f58e702619261a6d6159e24ee861e134598"
 },
 "computation_run_receipt.json": {
 "artifact_type": "ComputationRunReceipt.v0",
@@ -66,7 +66,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:c14b4fed421343459ad081e74f7b613b39b6bca803eca27ffde0fdda1a8dd12a"
+ "sha256": "sha256:567e0adeec5bc61786efa529dcb777f5ac2ddda1f8cb1160d67e5638405cbd4a"
 },
 "result_artifact.json": {
 "artifact_type": "ResultArtifact.v0",
@@ -74,7 +74,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:a38eeaab2b0cd104ac461b6a061bfa09e4f797253c27173107452a5acd9c42ed"
+ "sha256": "sha256:a2b8d26f9d0e056e7fd963156021a88b43c764c84357e2ff8ae70cd2c2d99acc"
 },
 "computation_witness.json": {
 "artifact_type": "ComputationWitness.v0",
@@ -82,7 +82,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:a86081703ca5bc521445cc5a38826adfc1ca55f87f52f35b3c429a2bbdaf13f9"
+ "sha256": "sha256:b89def93118f055abb45b8b0187e2aaeb452ec6eae502c9ba9bbf7ded83377cb"
 },
 "science_claim_bundle.certified.json": {
 "artifact_type": "ScienceClaimBundle.v0",
@@ -90,7 +90,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "sha256": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 },
 "workflow_profile.v0.json": {
 "artifact_type": "WorkflowProfile.v0",
@@ -98,7 +98,7 @@
 "producer": "pcs-core",
 "source_repo": "https://github.com/SentinelOps-CI/pcs-core",
 "source_commit": "d444444444444444444444444444444444444444",
- "sha256": "sha256:9059e646990af0b72f82b740c0f8db102fea4b3b8e5ed809c916fc259ae279f8"
+ "sha256": "sha256:04e792dff4ae6d3c18d4f5d289fa36b6d7f21b585c8af30f8ad1a72f7c82aaaf"
 },
 "verification_result.json": {
 "artifact_type": "VerificationResult.v0",
@@ -106,7 +106,7 @@
 "producer": "Provability Fabric",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "sha256": "sha256:59c45c6e24cbca96489cfdefc0b156c39bec252b53b09e8f1d8b7b48fa88676f"
+ "sha256": "sha256:f78c35d74928bb139e2d507424a022f2dfa78fcc2e1a67ccd4adeb0f51e0b43c"
 },
 "signed_science_claim_bundle.json": {
 "artifact_type": "SignedScienceClaimBundle.v0",
@@ -114,17 +114,17 @@
 "producer": "Provability Fabric",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "sha256": "sha256:6995cdbdcb788d7e570093db3fd204072d69bd07c03390dce2f5a3a1490bf2ea"
+ "sha256": "sha256:e6419afb62cf88f2ae12f5f8bf58fc7ebde8cf7f2f28b61c9aea1a2aba889c4a"
 }
 },
 "release_status": "Validated",
- "signature_or_digest": "sha256:9b7baa8b06fc2bfa1c622a8d6019ba2e2c5ab99c8e0dcc729d5a40e8ecbcc10f",
+ "signature_or_digest": "sha256:30e155d9adaa6e097063c6214351e2004577280df7431cac2f6597f782dc4a8d",
 "proof_obligation": {
 "path": "proof_obligation.v0.json",
- "sha256": "sha256:3a80604bd630a7fd6e6f06ed3802bca444bc09a044fa77a93ab2e4104d0cf73d"
+ "sha256": "sha256:df95f592d0286d8adb6f553deee13daec41580c72d68e82fac5bc2cac0bdb98d"
 },
 "lean_check_result": {
 "path": "lean_check_result.v0.json",
- "sha256": "sha256:9761d9456dd24e838d94f3502a3c3d89cfcc6043993b7ce1c9688866fc9c6643"
+ "sha256": "sha256:e62cdc2102576950eb37f79ff1e906e34d478afe82f1f9ecde926a3db56d6759"
 }
 }
diff --git a/examples/computation-release/scientific_memory_import_report.json b/examples/computation-release/scientific_memory_import_report.json
index 2b25ec9..c47fd4b 100644
--- a/examples/computation-release/scientific_memory_import_report.json
+++ b/examples/computation-release/scientific_memory_import_report.json
@@ -22,5 +22,5 @@
 "release_chain_validation_status": "ProofChecked",
 "release_chain_validator": "pcs-core",
 "release_chain_checked_at": "2026-05-18T12:00:00Z",
- "release_manifest_hash": "sha256:1105866df254958763ee64310e002e685d557bc53021312cddaa162e26a8d50c"
+ "release_manifest_hash": "sha256:5b92240c3350bda4baf8f0a0610fd62f327b6d12a87659f589202aa74a28d1f7"
 }
diff --git a/examples/computation-release/signed_science_claim_bundle.json b/examples/computation-release/signed_science_claim_bundle.json
index a1f9781..8303e74 100644
--- a/examples/computation-release/signed_science_claim_bundle.json
+++ b/examples/computation-release/signed_science_claim_bundle.json
@@ -171,6 +171,6 @@
 "signed_at": "2026-05-16T12:25:00Z",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "signature_or_digest": "sha256:6ad535dc544c15981b75763c6ff6b0b74f04b9822688d3a0bae4b0249952e65b",
- "signed_input_bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "signature_or_digest": "sha256:6b1216c9db49ee9758ecbaa226b20e590df0e2f8efcf3b024a82f79a90dac92b",
+ "signed_input_bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 }
diff --git a/examples/computation-release/verification_result.json b/examples/computation-release/verification_result.json
index aa0e0a5..63e51ae 100644
--- a/examples/computation-release/verification_result.json
+++ b/examples/computation-release/verification_result.json
@@ -24,10 +24,10 @@
 "created_at": "2026-05-16T12:20:00Z",
 "source_repo": "https://github.com/SentinelOps-CI/provability-fabric",
 "source_commit": "c333333333333333333333333333333333333333",
- "signature_or_digest": "sha256:f3ee7b3572a2ae04d10c94688dd835d4baf42d19b7e8c32302cd7e6d6084837a",
+ "signature_or_digest": "sha256:63f3f8a52dfbfda85c7b6ea261f06b6fb35dc5cf748603a638fc496296522b57",
 "verified_input": {
 "certificate_id": "witness-sci-comp-repro-001",
 "trace_hash": "sha256:9c74749d2ad46c6a60394db676e5527929f9b7bef9a012439d6d14b26d960828",
- "bundle_hash": "sha256:c47168f2de32da5f25407f34ab66cba9e853390e22108bf56ea24712343fd60d"
+ "bundle_hash": "sha256:5a6a675d23354d219e85daec27a89443d8648d158249e86c48b99528b4412643"
 }
 }
diff --git a/examples/invalid_pcs_bench_ingest_bad_ref_digest.json b/examples/invalid_pcs_bench_ingest_bad_ref_digest.json
index eec53eb..7c714ac 100644
--- a/examples/invalid_pcs_bench_ingest_bad_ref_digest.json
+++ b/examples/invalid_pcs_bench_ingest_bad_ref_digest.json
@@ -1,1388 +1,88 @@ { - "artifact_refs": [ - { - "artifact_type": "CoverageReport.v0", - "path": "certificate_coverage_report.v0.json", - "role": "producer_export", - "schema_version": "v0", - "sha256": "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "signature_or_digest": "sha256:21f10caecabd01c9b1417b4e02a68c7c60d1eb12121267647ac027faceb38eda", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - } - ], - "benchmark_runs": [ - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "formal_facts", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 217, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-formal_facts", - "schema_version": "v0", - "signature_or_digest": "sha256:2e346ec98b829574d858f6e4b33f1f47c6b3826688dc1313167314f4aba5cb13", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 7, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_hash_mismatch", - 
"schema_version": "v0", - "signature_or_digest": "sha256:7f1318dd81ac7edf9068c33e1d14a10a1f8de832e6cd1532fccd99ee7804f66b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_missing_required_field", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 5, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_missing_required_field", - "schema_version": "v0", - "signature_or_digest": "sha256:f308f26544b20eb882cf2eac96f9ed6e8485f0cd11006354250f40712647958e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_policy_or_property_violation", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 141, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": 
"sha256:3fef1a18f283b6a3a5c239972d03412b9d82b1cb526ae1d83c6dfef7ee5ced37", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_source_provenance", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:61a34f560de5e508f32e1e869aa736caae22a741fe1f0601d41ae44c778c16e3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "missing_policy_hash", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 124, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:c2d5b9416bb14b7c76032bacdfc5ed8526dc0a3d5555be11d3e04818dc394117", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - 
"source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "ok", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 148, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-ok", - "schema_version": "v0", - "signature_or_digest": "sha256:bb96d2cb270fc345764257b9f9ea56b0642a7cc668e95f2cfe363d5937cb1e7a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "policy_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:ac3b486abace512a5eabf4a7c11e3398a59fe3bb3bae9bc4cdc8a10228f3d5ad", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": 
"agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "rejected_certificate", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 130, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-rejected_certificate", - "schema_version": "v0", - "signature_or_digest": "sha256:35c2d86f8f0acbdb7f36557f5820d73f42f1d1ba4f47568afeb2d0ba16c67524", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "repair_hint_quality", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 127, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:3eb7164df316346e1eb1e50a2c41d3a17c1e92cf8ff3717750d5a0f4abd71876", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - 
], - "case_id": "unauthorized_tool_call", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 196, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - "signature_or_digest": "sha256:f85691605855c40c2e39e4d74a5cbf96f58296445edb7a9d86a9b339b588cbc2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "unknown_authorization_status", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 123, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:a78f086577b435e1d5a523edda6086417906216d714d32b9b71e76f78375c948", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:30Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - } - ], - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], + "schema_version": "v0", + 
"producer_id": "certifyedge", + "suite_id": "certifyedge-certificate-v0", + "workflow_id": "labtrust.qc_release_v0.1", + "benchmark_runs": [], "coverage_reports": [ { - "coverage_id": "certifyedge-tool-use-safety-v0-certificate-completeness", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "ambiguous_localizations": [ - { - "case_id": "policy_hash_mismatch", - "failure_code": "policy_hash_mismatch", - "reason": "policy_hash_mismatch may be attributed to certificate_producer or runtime_producer" - } - ], - "counterexample_completeness": 1.0, - "failure_code_accuracy": 0.8, - "invalid_certificates_rejected": 6, - "native_artifact": "CertificateCoverageReport.v0", - "native_report_file": "certificate_coverage_report.v0.json", - "profile_id": "agent_tool_use.safety_v0", - "sidecar_artifact_paths": { - "benchmark_report": "benchmark_report.v0.json", - "certificate_coverage_report": "certificate_coverage_report.v0.json", - "pcs_bench_ingest": "pcs_bench_ingest.v0.json", - "profile_coverage_report": "profile_coverage_report.v0.json", - "repair_hint_manifest": "repair_hint_manifest.v0.json", - "repair_hint_quality_report": "repair_hint_quality_report.v0.json" - }, - "valid_certificates_accepted": 2 - }, - "metric": "certificate_completeness", - "numerator": 12.0, "schema_version": "v0", - "signature_or_digest": "sha256:8e04e0b7e4e6ac251d53abb8944a3950ec32fa562e9ea06b96d7689ac6b179a3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "coverage_id": "certifyedge-tool-use-safety-v0-repair-hint-quality", + "coverage_id": "certifyedge-cert-bench-v0", + "metric": "certificate_completeness", + "metric_id": "certificate_completeness_score", + "numerator": 4.0, + "denominator": 4.0, "coverage_ratio": 1.0, - "denominator": 10.0, "details": { - "missing_repair_hints": [], - "repair_hint_accuracy": 1.0 + "producer_id": "certifyedge", + "certificate_id": "cert-labtrust-qc-v0", + 
"violations": [] }, - "metric": "repair_hint_quality", - "numerator": 10.0, - "schema_version": "v0", - "signature_or_digest": "sha256:4289525ed015bef57212ec78a74b525b33d520ba15e6ebb2163c3f96ec16d7c8", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "source_repo": "https://github.com/fraware/CertifyEdge", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:41a447e3d126819a85e77dc2ddbc3e67a2d9dfe4c1e86cf0481022ef6e7c06e5" } ], - "explain_quality_reports": [ - { - "case_id": "formal_facts", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-formal_facts", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge 
benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:4879242e4b8b8d3e957b2a0d65cc325f9f8c532e18daea726816e112b2a77e5d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_hash_mismatch", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch; repair_command=labtrust export-trace --run --out 
benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json ...", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:0ffe42988cc5fe28e9bedb9be689e313ea8c54e3c8a83e7e223e35f76214fe4e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_missing_required_field", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_missing_required_field", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case 
invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:5ed8674e9a4bed25e581655286f4a617dfa3f27b7e969ccc450847ec43f8d019", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_policy_or_property_violation", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_policy_or_property_violation", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; 
failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:365a4db5f3e0c604fce83a06f6f2af991c68e927b4514e90f111cc81f9a0c214", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, + "failure_localization_reports": [], + "explain_quality_reports": [], + "profile_coverage_reports": [ { - "case_id": "invalid_source_provenance", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_source_provenance", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_source_provenance", - 
"present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:c0770e4c3bc5bd12777744f2584c6d29095ab5b1cb3064f7be6fa4e898bc24e8", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "missing_policy_hash", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-missing_policy_hash", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case missing_policy_hash; 
failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true; repair_command=ensure tool-use trace includes policy_hash before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a2c99238057a7ea4e264f7e85e535c102e57263f6c1e0271ef1bacadfc6564e2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "ok", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-ok", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "coverage_id": "certifyedge-profile-certificate-v0", + "workflow_profile_id": 
"labtrust.qc_release_v0.1", + "producer_id": "provability-fabric", + "suite_id": "certifyedge-certificate-v0", + "artifact_types_required": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e8cc0acc6109d320a87ff6a20dd2bbfd185d6570d530b5153f0162f84872b64a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "policy_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-policy_hash_mismatch", - "required_sections": [ - "provenance", - 
"hashes", - "verification", - "limitations", - "repair_hints" + "artifact_types_covered": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; repair_command=labtrust export-trace --run --out benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace 
benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json ...; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e426e5907ad7576d582a3ecf60a68ee735d7bbb5fd42e2bcac8bb6ac83aebbf7", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "rejected_certificate", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-rejected_certificate", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "semantic_checks_required": [ + "trace_hash_matches_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case rejected_certificate; 
failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e02ed77bab63a25575a8a4c4d3cbe9e4f5f700ae224dc2798cf7e3cf10634f48", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "repair_hint_quality", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-repair_hint_quality", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "semantic_checks_covered": [ + "trace_hash_matches_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; 
counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a1662fd47bad9152850975f3a63439aa664d6314711eee96e28f632293452931", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": 
"agent_tool_use.safety_v0" - }, - { - "case_id": "unauthorized_tool_call", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unauthorized_tool_call", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "handoff_steps_required": [ + "runtime_to_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 
1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:398e653967e0b62cfe0ad4077503ea7d1551757da2f83ebb4f8c37ec7ac888b5", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "unknown_authorization_status", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unknown_authorization_status", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "handoff_steps_covered": [ + "runtime_to_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case 
unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:3e1a5181b0958421390a6272168e78ff5e69cb94ff5f80ceadc5568afb657a81", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" + "numerator": 5.0, + "denominator": 5.0, + "coverage_ratio": 1.0, + "details": {}, + "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:015cc19b9ceda72157115a83fa7e23f61edae9080825deb1d5f7424a0b4cec1a" } ], - "failure_localization_reports": [ - { - "case_id": "invalid_hash_mismatch", - "expected_failure_code": "trace_hash_mismatch", - "expected_responsible_component": "runtime_producer", - "localized_correctly": false, - "observed_failure_code": "trace_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": 
"certifyedge-tool-use-safety-v0-localization-invalid_hash_mismatch", - "run_id": "bench-run-invalid_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:9cdf9b246d0b5076e08725a9e2e74c2e45cd9bc14f0cbfea34292ad54576b36b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_missing_required_field", - "expected_failure_code": "invalid_missing_required_field", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - "observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_missing_required_field", - "run_id": "bench-run-invalid_missing_required_field", - "schema_version": "v0", - "signature_or_digest": "sha256:7c426ad74e4c87696416a6ed5a54401567b7b46f30216989768181321ce1916c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_policy_or_property_violation", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_policy_or_property_violation", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": "sha256:4c48f360c70d107d5a98326e338f608cebb37e61bb1b57fba147ae77634dad1c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_source_provenance", - "expected_failure_code": "invalid_source_provenance", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - 
"observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_source_provenance", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:0a4feb3974d5e68a4964e8289777b3d75242985e9b8f9513efba26f7dec2d81b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "missing_policy_hash", - "expected_failure_code": "policy_hash_missing", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "policy_hash_missing", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-missing_policy_hash", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:acdd0cc143485df94c68dc04ee930c85e604c996cdc9dfd95eb2e00ba1ac61e0", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "policy_hash_mismatch", - "expected_failure_code": "policy_hash_mismatch", - "expected_responsible_component": "unknown", - "localized_correctly": true, - "observed_failure_code": "policy_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": "certifyedge-tool-use-safety-v0-localization-policy_hash_mismatch", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:541d18e53e568199d146f1dd9dfe2da887863c64644fb1933690f9e9589aaf50", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "rejected_certificate", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "certificate_producer", - "localized_correctly": false, - 
"observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-rejected_certificate", - "run_id": "bench-run-rejected_certificate", - "schema_version": "v0", - "signature_or_digest": "sha256:a5f6d78f5d0f428616e27e73593ab134673c4e85096a81e8d9154d9e8da27506", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "repair_hint_quality", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-repair_hint_quality", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:d58a1261efab2dc5b2adadd29bfe3ab3581d0d6d107e588a613580c6a6685044", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "unauthorized_tool_call", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unauthorized_tool_call", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - "signature_or_digest": "sha256:95879b2bb90d492aa0d2b8360fc6ccfb2dc2969291f393d5ed64c48cc6f3169b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, + "commands": [ { - "case_id": "unknown_authorization_status", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": 
"runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unknown_authorization_status", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:cba838c442be5b754da709924d92248c8ae4d76268e46ca8780e253299becec2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "command": "certifyedge benchmark certificates --certificate-id cert-labtrust-qc-v0", + "exit_code": 0 } ], "logs": [], - "producer_id": "certifyedge", - "profile_coverage_reports": [ + "source_repo": "https://github.com/fraware/CertifyEdge", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:acc026873414423cbae1f0817c120f5398168d1d2976179ce91e33fc13123501", + "artifact_refs": [ { - "artifact_types_covered": [ - "ToolUseCertificate.v0" - ], - "artifact_types_required": [ - "ToolUseCertificate.v0" - ], - "coverage_id": "certifyedge-tool-use-safety-v0-profile-coverage", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "case_counts": { - "invalid": 10, - "valid": 2 - }, - "counterexample_types_covered": [ - "trace_hash_mismatch", - "unknown_authorization_status", - "policy_hash_missing", - "policy_hash_mismatch", - "unauthorized_tool_call" - ], - "release_mode_required_fields": [ - "trace_hash", - "policy_hash", - "property_id", - "source_repo", - "source_commit", - "signature_or_digest" - ], - "templates_checked": true, - "unsupported_cases": [] - }, - "handoff_steps_covered": [ - "runtime_to_certificate" - ], - "handoff_steps_required": [ - "runtime_to_certificate" - ], - "numerator": 12.0, - "producer_id": "certifyedge", "schema_version": "v0", - "semantic_checks_covered": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - 
"unknown_authorization_status" - ], - "semantic_checks_required": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - "unknown_authorization_status" - ], - "signature_or_digest": "sha256:574b69fe314c4b9568017cb0d5a5d87580e9ddf371a593f0ba42e65263ea742d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", + "artifact_type": "CoverageReport.v0", + "path": "benchmarks/certificate/coverage_report.certifyedge-cert-bench-v0.v0.json", + "sha256": "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "role": "producer_export", "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_profile_id": "agent_tool_use.safety_v0" + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:971661db2c399b90eef4ab256e78390dbfe73686c2103c581376d50e389f0769" } - ], - "schema_version": "v0", - "signature_or_digest": "sha256:9906a311351c39d28811649f8dd0c7eb13cb7dd8ec5ef9284ff2718e23954d66", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" + ] } diff --git a/examples/invalid_pcs_bench_ingest_empty_runs.json b/examples/invalid_pcs_bench_ingest_empty_runs.json index 7500804..54943ab 100644 --- a/examples/invalid_pcs_bench_ingest_empty_runs.json +++ b/examples/invalid_pcs_bench_ingest_empty_runs.json 
@@ -25,17 +25,17 @@
 "logs": [],
 "source_repo": "https://github.com/fraware/LabTrust-Gym",
 "source_commit": "5eac714fd7dc813d2523febcb85c56821558a1b7",
- "signature_or_digest": "sha256:f4ee4fe774cf48660e0fa7b34c7a629edbe8490985dfc62d82b00cce5e5317a0",
+ "signature_or_digest": "sha256:cbf524f8b92e3aa8d3f3efebdd37c5ae01e161a18ecef02cd50276f974693e46",
 "artifact_refs": [
 {
 "schema_version": "v0",
 "artifact_type": "BenchmarkRun.v0",
 "path": "valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json",
- "sha256": "sha256:ee83b3920ea273bcc6e1d5860401e15497728638392c0af5ac242fac40919350",
+ "sha256": "sha256:c0bc4dfd0e239b393eff2c2266b1ef351e28d910e1c14de569275381f3ecd4f9",
 "role": "producer_export",
 "source_repo": "https://github.com/fraware/LabTrust-Gym",
 "source_commit": "5eac714fd7dc813d2523febcb85c56821558a1b7",
- "signature_or_digest": "sha256:beda167d29a7114587aeebdc960d30715bf1520e8d9903bc997ac06209d07b17"
+ "signature_or_digest": "sha256:0444e4e2155d1c7f0e016b0c8249422b009eba0be98c6387b583d2ee2afeead8"
 },
 {
 "schema_version": "v0",
diff --git a/examples/invalid_pcs_bench_ingest_missing_refs.json b/examples/invalid_pcs_bench_ingest_missing_refs.json
index 5f604ae..be24cfc 100644
--- a/examples/invalid_pcs_bench_ingest_missing_refs.json
+++ b/examples/invalid_pcs_bench_ingest_missing_refs.json
@@ -1,1376 +1,76 @@ { - "benchmark_runs": [ - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "formal_facts", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 217, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-formal_facts", - "schema_version": "v0", - "signature_or_digest": "sha256:2e346ec98b829574d858f6e4b33f1f47c6b3826688dc1313167314f4aba5cb13", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 7, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:7f1318dd81ac7edf9068c33e1d14a10a1f8de832e6cd1532fccd99ee7804f66b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": 
"invalid_missing_required_field", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 5, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_missing_required_field", - "schema_version": "v0", - "signature_or_digest": "sha256:f308f26544b20eb882cf2eac96f9ed6e8485f0cd11006354250f40712647958e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_policy_or_property_violation", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 141, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": "sha256:3fef1a18f283b6a3a5c239972d03412b9d82b1cb526ae1d83c6dfef7ee5ced37", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "invalid_source_provenance", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate 
--profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:61a34f560de5e508f32e1e869aa736caae22a741fe1f0601d41ae44c778c16e3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "missing_policy_hash", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 124, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:c2d5b9416bb14b7c76032bacdfc5ed8526dc0a3d5555be11d3e04818dc394117", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "ok", - "certificate_status": "CertificateChecked", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": 
"2026-05-22T11:43:29Z", - "duration_ms": 148, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-ok", - "schema_version": "v0", - "signature_or_digest": "sha256:bb96d2cb270fc345764257b9f9ea56b0642a7cc668e95f2cfe363d5937cb1e7a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "admitted", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "policy_hash_mismatch", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 6, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:ac3b486abace512a5eabf4a7c11e3398a59fe3bb3bae9bc4cdc8a10228f3d5ad", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "not_evaluated", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "rejected_certificate", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 130, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - 
"observed_status": "passed", - "run_id": "bench-run-rejected_certificate", - "schema_version": "v0", - "signature_or_digest": "sha256:35c2d86f8f0acbdb7f36557f5820d73f42f1d1ba4f47568afeb2d0ba16c67524", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "repair_hint_quality", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:29Z", - "duration_ms": 127, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:3eb7164df316346e1eb1e50a2c41d3a17c1e92cf8ff3717750d5a0f4abd71876", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "unauthorized_tool_call", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 196, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - 
"signature_or_digest": "sha256:f85691605855c40c2e39e4d74a5cbf96f58296445edb7a9d86a9b339b588cbc2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:29Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - }, - { - "artifacts_produced": [ - "certificate.json", - "certificate_formal_facts.json" - ], - "case_id": "unknown_authorization_status", - "certificate_status": "Rejected", - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], - "completed_at": "2026-05-22T11:43:30Z", - "duration_ms": 123, - "observed_failure_code": null, - "observed_repair_hint": null, - "observed_responsible_component": null, - "observed_status": "passed", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:a78f086577b435e1d5a523edda6086417906216d714d32b9b71e76f78375c948", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "started_at": "2026-05-22T11:43:30Z", - "system_admission_outcome": "rejected", - "task_id": "agent_tool_use.safety_v0" - } - ], - "commands": [ - { - "command": "certifyedge emit-pcs-certificate --profile agent_tool_use.safety_v0 --handoff /handoff.json", - "exit_code": 0 - } - ], + "schema_version": "v0", + "producer_id": "certifyedge", + "suite_id": "certifyedge-certificate-v0", + "workflow_id": "labtrust.qc_release_v0.1", + "benchmark_runs": [], "coverage_reports": [ { - "coverage_id": "certifyedge-tool-use-safety-v0-certificate-completeness", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "ambiguous_localizations": [ - { - "case_id": "policy_hash_mismatch", - "failure_code": "policy_hash_mismatch", - "reason": "policy_hash_mismatch may be attributed to certificate_producer or 
runtime_producer" - } - ], - "counterexample_completeness": 1.0, - "failure_code_accuracy": 0.8, - "invalid_certificates_rejected": 6, - "native_artifact": "CertificateCoverageReport.v0", - "native_report_file": "certificate_coverage_report.v0.json", - "profile_id": "agent_tool_use.safety_v0", - "sidecar_artifact_paths": { - "benchmark_report": "benchmark_report.v0.json", - "certificate_coverage_report": "certificate_coverage_report.v0.json", - "pcs_bench_ingest": "pcs_bench_ingest.v0.json", - "profile_coverage_report": "profile_coverage_report.v0.json", - "repair_hint_manifest": "repair_hint_manifest.v0.json", - "repair_hint_quality_report": "repair_hint_quality_report.v0.json" - }, - "valid_certificates_accepted": 2 - }, - "metric": "certificate_completeness", - "numerator": 12.0, "schema_version": "v0", - "signature_or_digest": "sha256:8e04e0b7e4e6ac251d53abb8944a3950ec32fa562e9ea06b96d7689ac6b179a3", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "coverage_id": "certifyedge-tool-use-safety-v0-repair-hint-quality", + "coverage_id": "certifyedge-cert-bench-v0", + "metric": "certificate_completeness", + "metric_id": "certificate_completeness_score", + "numerator": 4.0, + "denominator": 4.0, "coverage_ratio": 1.0, - "denominator": 10.0, "details": { - "missing_repair_hints": [], - "repair_hint_accuracy": 1.0 + "producer_id": "certifyedge", + "certificate_id": "cert-labtrust-qc-v0", + "violations": [] }, - "metric": "repair_hint_quality", - "numerator": 10.0, - "schema_version": "v0", - "signature_or_digest": "sha256:4289525ed015bef57212ec78a74b525b33d520ba15e6ebb2163c3f96ec16d7c8", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "source_repo": "https://github.com/fraware/CertifyEdge", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": 
"sha256:41a447e3d126819a85e77dc2ddbc3e67a2d9dfe4c1e86cf0481022ef6e7c06e5" } ], - "explain_quality_reports": [ - { - "case_id": "formal_facts", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-formal_facts", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case formal_facts; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:4879242e4b8b8d3e957b2a0d65cc325f9f8c532e18daea726816e112b2a77e5d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": 
"agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_hash_mismatch", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch; repair_command=labtrust export-trace --run --out benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace benchmarks/certificates/tool_use_safety\\invalid\\invalid_hash_mismatch\\trace.json ...", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_hash_mismatch; failure_code=trace_hash_mismatch", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": 
"sha256:0ffe42988cc5fe28e9bedb9be689e313ea8c54e3c8a83e7e223e35f76214fe4e", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_missing_required_field", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_missing_required_field", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_missing_required_field", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:5ed8674e9a4bed25e581655286f4a617dfa3f27b7e969ccc450847ec43f8d019", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": 
"certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_policy_or_property_violation", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_policy_or_property_violation", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; 
failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_policy_or_property_violation; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:365a4db5f3e0c604fce83a06f6f2af991c68e927b4514e90f111cc81f9a0c214", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "invalid_source_provenance", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-invalid_source_provenance", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge 
benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case invalid_source_provenance", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:c0770e4c3bc5bd12777744f2584c6d29095ab5b1cb3064f7be6fa4e898bc24e8", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, + "failure_localization_reports": [], + "explain_quality_reports": [], + "profile_coverage_reports": [ { - "case_id": "missing_policy_hash", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-missing_policy_hash", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" - ], "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; 
certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true; repair_command=ensure tool-use trace includes policy_hash before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case missing_policy_hash; failure_code=policy_hash_missing; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a2c99238057a7ea4e264f7e85e535c102e57263f6c1e0271ef1bacadfc6564e2", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "ok", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-ok", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "coverage_id": "certifyedge-profile-certificate-v0", + "workflow_profile_id": "labtrust.qc_release_v0.1", + "producer_id": "provability-fabric", + "suite_id": "certifyedge-certificate-v0", + "artifact_types_required": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case ok; 
certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case ok; certificate_status=CertificateChecked", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e8cc0acc6109d320a87ff6a20dd2bbfd185d6570d530b5153f0162f84872b64a", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "policy_hash_mismatch", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-policy_hash_mismatch", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "artifact_types_covered": [ + "TraceCertificate.v0", + "RuntimeReceipt.v0", + "ScienceClaimBundle.v0" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - 
"handoffs": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; repair_command=labtrust export-trace --run --out benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json && labtrust emit-handoff-to-certifyedge --trace benchmarks/certificates/tool_use_safety\\invalid\\policy_hash_mismatch\\trace.json ...; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case policy_hash_mismatch; failure_code=policy_hash_mismatch; ambiguity=policy_hash_mismatch may be attributed to certificate_producer or runtime_producer", - "present": true, - "score": 1.0 - } - 
}, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e426e5907ad7576d582a3ecf60a68ee735d7bbb5fd42e2bcac8bb6ac83aebbf7", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "rejected_certificate", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-rejected_certificate", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "semantic_checks_required": [ + "trace_hash_matches_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; 
certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case rejected_certificate; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:e02ed77bab63a25575a8a4c4d3cbe9e4f5f700ae224dc2798cf7e3cf10634f48", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "repair_hint_quality", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-repair_hint_quality", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "semantic_checks_covered": [ + "trace_hash_matches_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": 
true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case repair_hint_quality; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:a1662fd47bad9152850975f3a63439aa664d6314711eee96e28f632293452931", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "unauthorized_tool_call", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unauthorized_tool_call", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "handoff_steps_required": [ + "runtime_to_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark 
case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true; repair_command=regenerate runtime trace after policy enforcement", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unauthorized_tool_call; failure_code=unauthorized_tool_call; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:398e653967e0b62cfe0ad4077503ea7d1551757da2f83ebb4f8c37ec7ac888b5", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": 
"https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" - }, - { - "case_id": "unknown_authorization_status", - "gaps": [], - "producer_id": "certifyedge", - "quality_score": 1.0, - "report_id": "certifyedge-tool-use-safety-v0-explain-unknown_authorization_status", - "required_sections": [ - "provenance", - "hashes", - "verification", - "limitations", - "repair_hints" + "handoff_steps_covered": [ + "runtime_to_certificate" ], - "schema_version": "v0", - "sections": { - "formal_checks": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "handoffs": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "hashes": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "limitations": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "lineage": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "provenance": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - }, - "repair_hints": { - "notes": "certifyedge benchmark case 
unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true; repair_command=normalize tool authorization_status to authorized or rejected before certification", - "present": true, - "score": 1.0 - }, - "verification": { - "notes": "certifyedge benchmark case unknown_authorization_status; failure_code=unknown_authorization_status; certificate_status=Rejected; counterexample_emitted=true", - "present": true, - "score": 1.0 - } - }, - "sections_present_count": 5, - "sections_required_count": 5, - "signature_or_digest": "sha256:3e1a5181b0958421390a6272168e78ff5e69cb94ff5f80ceadc5568afb657a81", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" + "numerator": 5.0, + "denominator": 5.0, + "coverage_ratio": 1.0, + "details": {}, + "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:015cc19b9ceda72157115a83fa7e23f61edae9080825deb1d5f7424a0b4cec1a" } ], - "failure_localization_reports": [ - { - "case_id": "invalid_hash_mismatch", - "expected_failure_code": "trace_hash_mismatch", - "expected_responsible_component": "runtime_producer", - "localized_correctly": false, - "observed_failure_code": "trace_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_hash_mismatch", - "run_id": "bench-run-invalid_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:9cdf9b246d0b5076e08725a9e2e74c2e45cd9bc14f0cbfea34292ad54576b36b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_missing_required_field", - "expected_failure_code": 
"invalid_missing_required_field", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - "observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_missing_required_field", - "run_id": "bench-run-invalid_missing_required_field", - "schema_version": "v0", - "signature_or_digest": "sha256:7c426ad74e4c87696416a6ed5a54401567b7b46f30216989768181321ce1916c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_policy_or_property_violation", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_policy_or_property_violation", - "run_id": "bench-run-invalid_policy_or_property_violation", - "schema_version": "v0", - "signature_or_digest": "sha256:4c48f360c70d107d5a98326e338f608cebb37e61bb1b57fba147ae77634dad1c", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "invalid_source_provenance", - "expected_failure_code": "invalid_source_provenance", - "expected_responsible_component": "certificate_producer", - "localized_correctly": true, - "observed_failure_code": "", - "observed_responsible_component": "certificate_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-invalid_source_provenance", - "run_id": "bench-run-invalid_source_provenance", - "schema_version": "v0", - "signature_or_digest": "sha256:0a4feb3974d5e68a4964e8289777b3d75242985e9b8f9513efba26f7dec2d81b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": 
"https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "missing_policy_hash", - "expected_failure_code": "policy_hash_missing", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "policy_hash_missing", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-missing_policy_hash", - "run_id": "bench-run-missing_policy_hash", - "schema_version": "v0", - "signature_or_digest": "sha256:acdd0cc143485df94c68dc04ee930c85e604c996cdc9dfd95eb2e00ba1ac61e0", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "policy_hash_mismatch", - "expected_failure_code": "policy_hash_mismatch", - "expected_responsible_component": "unknown", - "localized_correctly": true, - "observed_failure_code": "policy_hash_mismatch", - "observed_responsible_component": "unknown", - "result_id": "certifyedge-tool-use-safety-v0-localization-policy_hash_mismatch", - "run_id": "bench-run-policy_hash_mismatch", - "schema_version": "v0", - "signature_or_digest": "sha256:541d18e53e568199d146f1dd9dfe2da887863c64644fb1933690f9e9589aaf50", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "rejected_certificate", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "certificate_producer", - "localized_correctly": false, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-rejected_certificate", - "run_id": "bench-run-rejected_certificate", - "schema_version": "v0", - "signature_or_digest": "sha256:a5f6d78f5d0f428616e27e73593ab134673c4e85096a81e8d9154d9e8da27506", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": 
"https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "repair_hint_quality", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-repair_hint_quality", - "run_id": "bench-run-repair_hint_quality", - "schema_version": "v0", - "signature_or_digest": "sha256:d58a1261efab2dc5b2adadd29bfe3ab3581d0d6d107e588a613580c6a6685044", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, - { - "case_id": "unauthorized_tool_call", - "expected_failure_code": "unauthorized_tool_call", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unauthorized_tool_call", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unauthorized_tool_call", - "run_id": "bench-run-unauthorized_tool_call", - "schema_version": "v0", - "signature_or_digest": "sha256:95879b2bb90d492aa0d2b8360fc6ccfb2dc2969291f393d5ed64c48cc6f3169b", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" - }, + "commands": [ { - "case_id": "unknown_authorization_status", - "expected_failure_code": "unknown_authorization_status", - "expected_responsible_component": "runtime_producer", - "localized_correctly": true, - "observed_failure_code": "unknown_authorization_status", - "observed_responsible_component": "runtime_producer", - "result_id": "certifyedge-tool-use-safety-v0-localization-unknown_authorization_status", - "run_id": "bench-run-unknown_authorization_status", - "schema_version": "v0", - "signature_or_digest": "sha256:cba838c442be5b754da709924d92248c8ae4d76268e46ca8780e253299becec2", - 
"source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge" + "command": "certifyedge benchmark certificates --certificate-id cert-labtrust-qc-v0", + "exit_code": 0 } ], "logs": [], - "producer_id": "certifyedge", - "profile_coverage_reports": [ - { - "artifact_types_covered": [ - "ToolUseCertificate.v0" - ], - "artifact_types_required": [ - "ToolUseCertificate.v0" - ], - "coverage_id": "certifyedge-tool-use-safety-v0-profile-coverage", - "coverage_ratio": 1.0, - "denominator": 12.0, - "details": { - "case_counts": { - "invalid": 10, - "valid": 2 - }, - "counterexample_types_covered": [ - "trace_hash_mismatch", - "unknown_authorization_status", - "policy_hash_missing", - "policy_hash_mismatch", - "unauthorized_tool_call" - ], - "release_mode_required_fields": [ - "trace_hash", - "policy_hash", - "property_id", - "source_repo", - "source_commit", - "signature_or_digest" - ], - "templates_checked": true, - "unsupported_cases": [] - }, - "handoff_steps_covered": [ - "runtime_to_certificate" - ], - "handoff_steps_required": [ - "runtime_to_certificate" - ], - "numerator": 12.0, - "producer_id": "certifyedge", - "schema_version": "v0", - "semantic_checks_covered": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - "unknown_authorization_status" - ], - "semantic_checks_required": [ - "policy_hash_mismatch", - "policy_hash_missing", - "unauthorized_tool_call", - "unknown_authorization_status" - ], - "signature_or_digest": "sha256:574b69fe314c4b9568017cb0d5a5d87580e9ddf371a593f0ba42e65263ea742d", - "source_commit": "605d7a055550d07ffb8ad956a903cd68915be85f", - "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_profile_id": "agent_tool_use.safety_v0" - } - ], - "schema_version": "v0", - "signature_or_digest": "sha256:9906a311351c39d28811649f8dd0c7eb13cb7dd8ec5ef9284ff2718e23954d66", - "source_commit": 
"605d7a055550d07ffb8ad956a903cd68915be85f", "source_repo": "https://github.com/fraware/CertifyEdge", - "suite_id": "certifyedge-tool-use-safety-v0", - "workflow_id": "agent_tool_use.safety_v0" + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:acc026873414423cbae1f0817c120f5398168d1d2976179ce91e33fc13123501" } diff --git a/examples/invalid_pcs_bench_ingest_zero_commit.json b/examples/invalid_pcs_bench_ingest_zero_commit.json index cb02313..01a6652 100644 --- a/examples/invalid_pcs_bench_ingest_zero_commit.json +++ b/examples/invalid_pcs_bench_ingest_zero_commit.json @@ -9,8 +9,8 @@ "run_id": "bench-run-labtrust-valid-release-v0", "task_id": "labtrust-qc-release-v0", "case_id": "labtrust-valid-release-v0", - "started_at": "2026-05-22T11:54:35Z", - "completed_at": "2026-05-22T11:54:35Z", + "started_at": "2026-06-28T00:48:40Z", + "completed_at": "2026-06-28T00:48:40Z", "commands": [ { "command": "evaluate_labtrust_gallery benchmarks/labtrust-qc-release/valid/labtrust-valid-release-v0/input_artifacts", @@ -30,10 +30,10 @@ "certificate_status": "CertificateChecked", "scientific_memory_import_status": "not_applicable", "scientific_memory_render_status": "not_applicable", - "duration_ms": 14, + "duration_ms": 8, "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:ee83b3920ea273bcc6e1d5860401e15497728638392c0af5ac242fac40919350" + "signature_or_digest": "sha256:c0bc4dfd0e239b393eff2c2266b1ef351e28d910e1c14de569275381f3ecd4f9" } ], "coverage_reports": [ 
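Review bot: The new `signature_or_digest` in the `-30,10` hunk appears to differ only because `started_at`, `completed_at` (`-9,8` hunk) and `duration_ms` were re-stamped, and the same value is then copied into `artifact_refs[].sha256` in the `-62,17` hunk. If the digest covers these wall-clock fields, every fixture regeneration rewrites it, so a reviewer cannot tell a routine refresh from an altered artifact. Consider having the fixture generator pin the timestamps and duration, or exclude them from the digested form, so a digest change in review always corresponds to a content change. The digest computation is not visible in this diff, so this is inferred from the changed lines only.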
@@ -62,17 +62,17 @@ "logs": [], "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "0000000000000000000000000000000000000000", - "signature_or_digest": "sha256:f4ee4fe774cf48660e0fa7b34c7a629edbe8490985dfc62d82b00cce5e5317a0", + "signature_or_digest": "sha256:cbf524f8b92e3aa8d3f3efebdd37c5ae01e161a18ecef02cd50276f974693e46", "artifact_refs": [ { "schema_version": "v0", "artifact_type": "BenchmarkRun.v0", "path": "valid/labtrust-valid-release-v0/benchmark_run.labtrust-valid-release-v0.v0.json", - "sha256": "sha256:ee83b3920ea273bcc6e1d5860401e15497728638392c0af5ac242fac40919350", + "sha256": "sha256:c0bc4dfd0e239b393eff2c2266b1ef351e28d910e1c14de569275381f3ecd4f9", "role": "producer_export", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "5eac714fd7dc813d2523febcb85c56821558a1b7", - "signature_or_digest": "sha256:beda167d29a7114587aeebdc960d30715bf1520e8d9903bc997ac06209d07b17" + "signature_or_digest": "sha256:0444e4e2155d1c7f0e016b0c8249422b009eba0be98c6387b583d2ee2afeead8" }, { "schema_version": "v0", diff --git a/examples/labtrust-release/RELEASE_FIXTURE_MANIFEST.json b/examples/labtrust-release/RELEASE_FIXTURE_MANIFEST.json index 5f19f4a..f88ddc6 100644 --- a/examples/labtrust-release/RELEASE_FIXTURE_MANIFEST.json +++ b/examples/labtrust-release/RELEASE_FIXTURE_MANIFEST.json 
@@ -1,13 +1,13 @@ { "artifacts": { - "runtime_receipt.json": "sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60", - "science_claim_bundle.certified.json": "sha256:b8af33a7b24abf12fd938a59af6be91ac5e761365d8ecf3639fd0f196969de36", - "science_claim_bundle.pending.json": "sha256:f71e6d92c910f6db94661c712e06cf04c946bf560ede48346dd15e88cc54c6c8", - "scientific_memory_import_report.json": "sha256:11d2e48a0c811ebc3bd683516c76f42b2849f604717758798c83abdb739251a3", - "signed_science_claim_bundle.json": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:3a9facf4f66ebeb0ac286865d3c801fc976128ba0e28d5b863c95549622f539c", - "verification_result.json": "sha256:13e90d156047e9c23497a73813dd27491848b3d4787b2bb7bdb6b023685cb01d" + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "scientific_memory_import_report.json": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c", + "signed_science_claim_bundle.json": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7", + "verification_result.json": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1" }, "certifyedge_commit": "635fca3771ad54fe3f8b49d1bb77ee35d0680ddc", "generated_at": "2026-05-18T23:17:38Z", 
diff --git a/examples/labtrust-release/handoff_manifest.certificate_to_bundle.v0.json b/examples/labtrust-release/handoff_manifest.certificate_to_bundle.v0.json index 6425ab0..430b959 100644 --- a/examples/labtrust-release/handoff_manifest.certificate_to_bundle.v0.json +++ b/examples/labtrust-release/handoff_manifest.certificate_to_bundle.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "trace_certificate.json": { "artifact_type": "TraceCertificate.v0", - "sha256": "sha256:3a9facf4f66ebeb0ac286865d3c801fc976128ba0e28d5b863c95549622f539c" + "sha256": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "trace_hash": "sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd" }, "status": "Validated", - "signature_or_digest": "sha256:9dabb865a45781c84e677648fb972780098d77beea1efe67884dcbd33d27d73c" + "signature_or_digest": "sha256:66ca91393b2a43f7300340d219bf573c5a890c367856656277967445097e0ff9" } diff --git a/examples/labtrust-release/handoff_manifest.runtime_to_certificate.v0.json b/examples/labtrust-release/handoff_manifest.runtime_to_certificate.v0.json index a13bbce..58998cd 100644 --- a/examples/labtrust-release/handoff_manifest.runtime_to_certificate.v0.json +++ b/examples/labtrust-release/handoff_manifest.runtime_to_certificate.v0.json @@ -10,11 +10,11 @@ "input_artifacts": { "trace.json": { "artifact_type": "LabTrust.Trace.v0", - "sha256": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c" + "sha256": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60" + "sha256": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027" } }, "expected_outputs": { 
@@ -26,5 +26,5 @@ "trace_hash": "sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd" }, "status": "Validated", - "signature_or_digest": "sha256:8b4b0079c8f43e37b178fcb67977e3e3d1047c0d4b3738774818eab979820879" + "signature_or_digest": "sha256:280ef9d601ed46c072da30aa9d972c376dd0e24c3c117f3a971cc29119e030fd" } diff --git a/examples/labtrust-release/handoff_manifest.signed_bundle_to_memory.v0.json b/examples/labtrust-release/handoff_manifest.signed_bundle_to_memory.v0.json index f1fd5bb..b28600f 100644 --- a/examples/labtrust-release/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/examples/labtrust-release/handoff_manifest.signed_bundle_to_memory.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "sha256": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "trace_hash": "sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd" }, "status": "Validated", - "signature_or_digest": "sha256:cd6da574f081e238ab99e9c778cd258a49af7b2959fe0da3c0dc162335b88beb" + "signature_or_digest": "sha256:4c8f9815586f3c657a6c782680f69e63c10fe34a49b9cb6f0fdf34780b2eed65" } diff --git a/examples/labtrust-release/invalid_mismatched_certifyedge_commit_manifest.json b/examples/labtrust-release/invalid_mismatched_certifyedge_commit_manifest.json index 645cbfb..898ef90 100644 --- a/examples/labtrust-release/invalid_mismatched_certifyedge_commit_manifest.json +++ b/examples/labtrust-release/invalid_mismatched_certifyedge_commit_manifest.json 
@@ -8,13 +8,13 @@ "provability_fabric_commit": "993a0e5d1214b7c1bd6e84475d771806950965dd", "scientific_memory_commit": "4f4111f0f6b90ec48709cf97f532218bdc372f42", "artifacts": { - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "runtime_receipt.json": "sha256:792fa26d73bf0df82e07d7162be5ee4279fc7c2eb2a34067212334aa4b03997a", - "trace_certificate.json": "sha256:26145c4269531b06659928514c505a986853ee2ebeee4c83e57e922c3fffa1d8", - "science_claim_bundle.pending.json": "sha256:85f0c493cb20c41a42502ce5ff944ca724bb6def5670140ef1654e15366b9cc6", - "science_claim_bundle.certified.json": "sha256:f4c627cffba61d81e1ecbd8b660ab1abd4dcb5760ad6a9349ca273b25a188a16", - "verification_result.json": "sha256:075bcfc06fc43d15531e5668140c4fbc7a9f243230177747063f8c803e087a3f", - "signed_science_claim_bundle.json": "sha256:fbf76c27b743792a7a3856ffda916d4c914edbaffcb085e94135af91d508d64f", - "scientific_memory_import_report.json": "sha256:653cd8286e80d92c8db74d52316f294fe6e6f303b31932b460ee925c952b8651" + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "verification_result.json": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1", + "signed_science_claim_bundle.json": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1", + "scientific_memory_import_report.json": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" } } 
diff --git a/examples/labtrust-release/invalid_mismatched_labtrust_commit_manifest.json b/examples/labtrust-release/invalid_mismatched_labtrust_commit_manifest.json
index 8a10a36..0e09862 100644
--- a/examples/labtrust-release/invalid_mismatched_labtrust_commit_manifest.json
+++ b/examples/labtrust-release/invalid_mismatched_labtrust_commit_manifest.json
@@ -8,13 +8,13 @@ "provability_fabric_commit": "993a0e5d1214b7c1bd6e84475d771806950965dd", "scientific_memory_commit": "4f4111f0f6b90ec48709cf97f532218bdc372f42", "artifacts": { - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "runtime_receipt.json": "sha256:792fa26d73bf0df82e07d7162be5ee4279fc7c2eb2a34067212334aa4b03997a", - "trace_certificate.json": "sha256:26145c4269531b06659928514c505a986853ee2ebeee4c83e57e922c3fffa1d8", - "science_claim_bundle.pending.json": "sha256:85f0c493cb20c41a42502ce5ff944ca724bb6def5670140ef1654e15366b9cc6", - "science_claim_bundle.certified.json": "sha256:f4c627cffba61d81e1ecbd8b660ab1abd4dcb5760ad6a9349ca273b25a188a16", - "verification_result.json": "sha256:075bcfc06fc43d15531e5668140c4fbc7a9f243230177747063f8c803e087a3f", - "signed_science_claim_bundle.json": "sha256:fbf76c27b743792a7a3856ffda916d4c914edbaffcb085e94135af91d508d64f", - "scientific_memory_import_report.json": "sha256:653cd8286e80d92c8db74d52316f294fe6e6f303b31932b460ee925c952b8651" + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "verification_result.json": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1", + "signed_science_claim_bundle.json": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1", + "scientific_memory_import_report.json": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" } } 
diff --git a/examples/labtrust-release/invalid_mismatched_pf_commit_manifest.json b/examples/labtrust-release/invalid_mismatched_pf_commit_manifest.json
index 10652e5..fc498ae 100644
--- a/examples/labtrust-release/invalid_mismatched_pf_commit_manifest.json
+++ b/examples/labtrust-release/invalid_mismatched_pf_commit_manifest.json
@@ -8,13 +8,13 @@ "provability_fabric_commit": "dddddddddddddddddddddddddddddddddddddddd", "scientific_memory_commit": "4f4111f0f6b90ec48709cf97f532218bdc372f42", "artifacts": { - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "runtime_receipt.json": "sha256:792fa26d73bf0df82e07d7162be5ee4279fc7c2eb2a34067212334aa4b03997a", - "trace_certificate.json": "sha256:26145c4269531b06659928514c505a986853ee2ebeee4c83e57e922c3fffa1d8", - "science_claim_bundle.pending.json": "sha256:85f0c493cb20c41a42502ce5ff944ca724bb6def5670140ef1654e15366b9cc6", - "science_claim_bundle.certified.json": "sha256:f4c627cffba61d81e1ecbd8b660ab1abd4dcb5760ad6a9349ca273b25a188a16", - "verification_result.json": "sha256:075bcfc06fc43d15531e5668140c4fbc7a9f243230177747063f8c803e087a3f", - "signed_science_claim_bundle.json": "sha256:fbf76c27b743792a7a3856ffda916d4c914edbaffcb085e94135af91d508d64f", - "scientific_memory_import_report.json": "sha256:653cd8286e80d92c8db74d52316f294fe6e6f303b31932b460ee925c952b8651" + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "verification_result.json": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1", + "signed_science_claim_bundle.json": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1", + "scientific_memory_import_report.json": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" } } 
diff --git a/examples/labtrust-release/invalid_placeholder_commit_manifest.json b/examples/labtrust-release/invalid_placeholder_commit_manifest.json
index 7b707fc..53943f4 100644
--- a/examples/labtrust-release/invalid_placeholder_commit_manifest.json
+++ b/examples/labtrust-release/invalid_placeholder_commit_manifest.json
@@ -8,13 +8,13 @@ "provability_fabric_commit": "cccccccccccccccccccccccccccccccccccccccc", "scientific_memory_commit": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "artifacts": { - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "runtime_receipt.json": "sha256:792fa26d73bf0df82e07d7162be5ee4279fc7c2eb2a34067212334aa4b03997a", - "trace_certificate.json": "sha256:26145c4269531b06659928514c505a986853ee2ebeee4c83e57e922c3fffa1d8", - "science_claim_bundle.pending.json": "sha256:85f0c493cb20c41a42502ce5ff944ca724bb6def5670140ef1654e15366b9cc6", - "science_claim_bundle.certified.json": "sha256:f4c627cffba61d81e1ecbd8b660ab1abd4dcb5760ad6a9349ca273b25a188a16", - "verification_result.json": "sha256:075bcfc06fc43d15531e5668140c4fbc7a9f243230177747063f8c803e087a3f", - "signed_science_claim_bundle.json": "sha256:fbf76c27b743792a7a3856ffda916d4c914edbaffcb085e94135af91d508d64f", - "scientific_memory_import_report.json": "sha256:653cd8286e80d92c8db74d52316f294fe6e6f303b31932b460ee925c952b8651" + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "verification_result.json": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1", + "signed_science_claim_bundle.json": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1", + "scientific_memory_import_report.json": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" } } 
diff --git a/examples/labtrust-release/labtrust_release_fragment.json b/examples/labtrust-release/labtrust_release_fragment.json index 512ffb0..21e20c7 100644 --- a/examples/labtrust-release/labtrust_release_fragment.json +++ b/examples/labtrust-release/labtrust_release_fragment.json @@ -7,7 +7,7 @@ "generated_at": "2026-05-18T23:17:38Z", "upstream_release_manifest": { "path": "release_manifest.v0.json", - "sha256": "sha256:565e63be650694f0aa5d6225e80317c67b25c80f136acecb1781a6008121c50f" + "sha256": "sha256:3aa9fc0b7b921b08a557ceb025ad903f61f91251964f2adcee2be3707e0b90d6" }, "handoff_artifacts": [ "handoff_manifest.runtime_to_certificate.v0.json" @@ -20,20 +20,20 @@ "artifacts": { "trace.json": { "artifact_type": "LabTrust.Trace.v0", - "sha256": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c" + "sha256": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60" + "sha256": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027" }, "science_claim_bundle.pending.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:f71e6d92c910f6db94661c712e06cf04c946bf560ede48346dd15e88cc54c6c8" + "sha256": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:b8af33a7b24abf12fd938a59af6be91ac5e761365d8ecf3639fd0f196969de36" + "sha256": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567" } }, - "signature_or_digest": "sha256:3ed3c3f45e72180725d666334a106900278665d5177e01e1b80e217606e39a0d" + "signature_or_digest": "sha256:13687f8896a2708392a009b601b7aaf21bdf210e7de2f3aecb1d57e3458c8526" } 
diff --git a/examples/labtrust-release/lean_check_result.v0.json b/examples/labtrust-release/lean_check_result.v0.json index ba9f41d..05d3bac 100644 --- a/examples/labtrust-release/lean_check_result.v0.json +++ b/examples/labtrust-release/lean_check_result.v0.json @@ -5,10 +5,10 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:39:51Z", + "checked_at": "2026-06-27T23:57:59Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", - "source_commit": "d444444444444444444444444444444444444444", + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", "failure_reason": "", "obligation_results": [ { @@ -33,5 +33,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:b9b44f2de6f786bb90ce98935377194d455205ec4ad3cd16e3be084dc355b505" + "signature_or_digest": "sha256:68f92f435401c0a7071ac71582ad03a2fc0a8a1bdf5bff9730330c68b797f5cd" } diff --git a/examples/labtrust-release/manifest.json b/examples/labtrust-release/manifest.json index d736c00..196154d 100644 --- a/examples/labtrust-release/manifest.json +++ b/examples/labtrust-release/manifest.json 
@@ -1,10 +1,10 @@ { "artifacts": { - "runtime_receipt.json": "sha256:10576e0d581c624f7988a937ffaacb47775dceb166050cd957379a929af65ac3", - "science_claim_bundle.certified.json": "sha256:68d59a16ac4f5d1e6e5aff61a011be192fbb12f9b4476fa221079a934b1265fc", - "science_claim_bundle.pending.json": "sha256:e89b0866cd25a9308f7ba70deb68e8e3c8f072b6885ca6f2e9fcaaa55706e6c7", - "trace.json": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c", - "trace_certificate.json": "sha256:f25188838271cb394eeac93628d500e6b9ec9a7c0a8b7d6b0258d58790bd5c6c" + "runtime_receipt.json": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027", + "science_claim_bundle.certified.json": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567", + "science_claim_bundle.pending.json": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0", + "trace.json": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04", + "trace_certificate.json": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7" }, "certificate_id": "cert-trace-02b3a7c1-35f7-4d23-85c2-dfd60aff7693", "certificate_producer": "CertifyEdge", diff --git a/examples/labtrust-release/proof_obligation.v0.json b/examples/labtrust-release/proof_obligation.v0.json index 8214da0..eeeb0f3 100644 --- a/examples/labtrust-release/proof_obligation.v0.json +++ b/examples/labtrust-release/proof_obligation.v0.json @@ -57,6 +57,6 @@ }, "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", - "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:705996473b064263bf1be86aaee75a28d3ba818f3dfb40eb456412a86f91a2e5" + "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", + "signature_or_digest": "sha256:982d2f2f70e678eb4ac35f74e180ed1b352ab52d9119c3700e160378c7949394" } 
diff --git a/examples/labtrust-release/release_chain_validation_result.v0.json b/examples/labtrust-release/release_chain_validation_result.v0.json index 9422073..f994752 100644 --- a/examples/labtrust-release/release_chain_validation_result.v0.json +++ b/examples/labtrust-release/release_chain_validation_result.v0.json @@ -294,7 +294,11 @@ "status": "passed", "details": {}, "registry_check_refs": [ - "ArtifactRegistry.v0.entries_cover_required_artifact_types" + "ArtifactRegistry.v0.entries_cover_required_artifact_types", + "ComputationWitness.v0.computation_status_checked_for_release", + "ComputationWitness.v0.source_commit_matches_release_manifest", + "ToolUseCertificate.v0.certificate_status_checked_for_release", + "ToolUseCertificate.v0.source_commit_matches_release_manifest" ], "responsible_component": "pcs-core" } @@ -312,7 +316,7 @@ "failure_codes": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", - "signature_or_digest": "sha256:3000ec6b27f2fc65be0c647a2e8c68ee528babe9779c8fa1d411053d13f904dd", + "signature_or_digest": "sha256:4dc0df6f86acbf51f06d15fdb847865460dd29f022925103aed3c128e225aa2e", "formal_checks": [ { "check_id": "lean.admissible_release_has_matching_trace_hash", diff --git a/examples/labtrust-release/release_manifest.v0.json b/examples/labtrust-release/release_manifest.v0.json index 4061d33..7fc979b 100644 --- a/examples/labtrust-release/release_manifest.v0.json +++ b/examples/labtrust-release/release_manifest.v0.json 
@@ -9,15 +9,15 @@ "trace_hash": "sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd", "certificate_id": "cert-trace-a1b8ff9d-7d5f-489c-98b1-a3a630cb87d7", "certified_bundle_hash": "sha256:bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe", - "signed_bundle_hash": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "signed_bundle_hash": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:2fac46ed0a92ce95505662fef25bdc09ebca1af7ad8fdfc8c3153936b8a46a37" + "sha256": "sha256:d1fd986a2a77a55a5d55fb40ab2937a7172d5230e4e40835042e3161f4eeb6f4" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "sha256": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "canonical_claim_id": "claim-pcs-qc-release-v0.1", "limitations_notice": "PCS v0.1 demonstrates a proof-carrying simulated lab workflow; it does not claim clinical validity or production certification.", @@ -50,7 +50,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60" + "sha256": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", 
@@ -58,7 +58,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:b8af33a7b24abf12fd938a59af6be91ac5e761365d8ecf3639fd0f196969de36" + "sha256": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567" }, "science_claim_bundle.pending.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -66,7 +66,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:f71e6d92c910f6db94661c712e06cf04c946bf560ede48346dd15e88cc54c6c8" + "sha256": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0" }, "scientific_memory_import_report.json": { "artifact_type": "ScientificMemory.ImportReport.v0", @@ -74,7 +74,7 @@ "producer": "Scientific Memory", "source_repo": "https://github.com/fraware/scientific-memory", "source_commit": "0e059e934bc95bcc4dc0cb6593b18b07a28529a2", - "sha256": "sha256:11d2e48a0c811ebc3bd683516c76f42b2849f604717758798c83abdb739251a3" + "sha256": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", @@ -82,7 +82,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "b0dbbbe1c110ec2301d452d2ef1074354cce170f", - "sha256": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "sha256": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "trace.json": { "artifact_type": "LabTrust.Trace.v0", 
@@ -90,7 +90,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c" + "sha256": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04" }, "trace_certificate.json": { "artifact_type": "TraceCertificate.v0", @@ -98,7 +98,7 @@ "producer": "CertifyEdge", "source_repo": "https://github.com/fraware/CertifyEdge", "source_commit": "635fca3771ad54fe3f8b49d1bb77ee35d0680ddc", - "sha256": "sha256:3a9facf4f66ebeb0ac286865d3c801fc976128ba0e28d5b863c95549622f539c" + "sha256": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", @@ -106,17 +106,17 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "b0dbbbe1c110ec2301d452d2ef1074354cce170f", - "sha256": "sha256:13e90d156047e9c23497a73813dd27491848b3d4787b2bb7bdb6b023685cb01d" + "sha256": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1" } }, "release_status": "Validated", - "signature_or_digest": "sha256:a6f51c871eb7e8462d7e7edb6862a22f1aa7546d561dd6478cceecb8cbd24b05", + "signature_or_digest": "sha256:85e62d04931b2b4a6b2e14a8ecca56204b5e1fe5d34abc06335076961e4ea99a", "proof_obligation": { "path": "proof_obligation.v0.json", - "sha256": "sha256:de6c1071065220ba134757eefc88d99dd4fc1e60df1e5f74ade12c5b6be2f348" + "sha256": "sha256:982d2f2f70e678eb4ac35f74e180ed1b352ab52d9119c3700e160378c7949394" }, "lean_check_result": { "path": "lean_check_result.v0.json", - "sha256": "sha256:7d63fb9226f64fa235b67666146aff7e6396b82bd9059afce5ce9d29b4d368b8" + "sha256": "sha256:68f92f435401c0a7071ac71582ad03a2fc0a8a1bdf5bff9730330c68b797f5cd" } } 
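Review bot: In the last hunk of `release_manifest.v0.json`, the new `proof_obligation.sha256` (`sha256:982d2f2f…9394`) and `lean_check_result.sha256` (`sha256:68f92f43…f5cd`) are identical to the `signature_or_digest` values stored inside `proof_obligation.v0.json` and `lean_check_result.v0.json` in this same commit, whereas the values they replace differed from those embedded digests. A hash taken over the file bytes cannot equal a value written inside that file, so these two entries now appear to carry the artifact's self-declared digest, while `release_chain_validation_result.sha256` (`sha256:d1fd986a…b6f4`) still differs from that file's own `signature_or_digest` (`sha256:4dc0df6f…aa2e`). If a verifier compares the manifest entry with the embedded field instead of recomputing it, the binding only confirms what the artifact says about itself. One rule should apply to every `path`/`sha256` pair, e.g. `"sha256": "sha256:<hash of the bytes of proof_obligation.v0.json>"`, or the key should be named for the canonical digest it actually holds.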
diff --git a/examples/pf-core-valid/assumption_declared/manifest.json b/examples/pf-core-valid/assumption_declared/manifest.json index 0790cc4..74620b3 100644 --- a/examples/pf-core-valid/assumption_declared/manifest.json +++ b/examples/pf-core-valid/assumption_declared/manifest.json @@ -2,6 +2,7 @@ "case_id": "assumption_declared", "description": "PFCoreCertificate with AssumptionSet.v0 assumption ref when lean checks deferred", "expected_valid": true, + "skip_pfcore_trace_conformance": true, "artifacts": [ "assumption_set.json", "certificate.json" diff --git a/examples/pf-core-valid/email_send_authorized/manifest.json b/examples/pf-core-valid/email_send_authorized/manifest.json new file mode 100644 index 0000000..9271422 --- /dev/null +++ b/examples/pf-core-valid/email_send_authorized/manifest.json @@ -0,0 +1,4 @@ +{ + "description": "Authorized email send within policy", + "skip_pfcore_trace_conformance": true +} diff --git a/examples/pf-core-valid/empty_trace/manifest.json b/examples/pf-core-valid/empty_trace/manifest.json new file mode 100644 index 0000000..111e63a --- /dev/null +++ b/examples/pf-core-valid/empty_trace/manifest.json @@ -0,0 +1,3 @@ +{ + "description": "Trace with no events" +} diff --git a/examples/pf-core-valid/file_read_allowed/trace.json b/examples/pf-core-valid/file_read_allowed/trace.json index 32a18d1..33859c0 100644 --- a/examples/pf-core-valid/file_read_allowed/trace.json +++ b/examples/pf-core-valid/file_read_allowed/trace.json @@ -19,7 +19,10 @@ "agent" ], "capabilities": [ - "cap:file-read" + "cap:file-read", + "cap:email-send", + "cap:handoff", + "cap:mcp-invoke" ] }, "action": { 
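Review bot: `"skip_pfcore_trace_conformance": true` is added to `assumption_declared/manifest.json` here and to the new manifests for `email_send_authorized`, `file_read_denied_cross_tenant`, `handoff_subset_authority` and `network_denied`, with no reason given, and two of those are the deny-path cases. How the harness treats the flag is not visible in this diff, but if it simply omits these directories, the conformance step reports success without having evaluated the fixtures that demonstrate a denial. Each skip should state why in the field the manifest already has, for example `"description": "Network action denied by policy (trace conformance skipped: <reason>)"`, and the runner should print skipped cases so the gap stays visible in CI output.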
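Review bot: The first hunk of `file_read_allowed/trace.json` widens the principal's `capabilities` from `cap:file-read` to also include `cap:email-send`, `cap:handoff` and `cap:mcp-invoke`, so the fixture named for an allowed file read no longer shows a least-privilege grant. With the extra grants present, this positive case would still pass under a checker that does not match the action to one specific capability, which is the property the example presumably exists to pin down (the `action` object continues outside the hunk, so the action type is not visible here). Keep `"capabilities": [ "cap:file-read" ]` in this fixture and put the broader grant set in a separately named case if it is needed for another test.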
@@ -51,13 +54,13 @@ "contract_refs": [], "evidence_refs": [], "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", - "event_hash": "sha256:e6ae0e0c4c702dd1f83a6adb29a97e7d89b9741537b3ebd95bb476f754ea4960", + "event_hash": "sha256:4f54951a4b008bdb24f2bb88438cff876fadd84259ad6d83e8211980303a214b", "source_repo": "https://github.com/example/agent-runtime", "source_commit": "abc1234567890abc1234567890abc1234567890", "signature_or_digest": "sha256:e6ae0e0c4c702dd1f83a6adb29a97e7d89b9741537b3ebd95bb476f754ea4960" } ], - "trace_hash": "sha256:bc26bbf4e65c1722cf2dd56723238ff13b72526ee6450d0bb9e4e54a4c3a4d30", + "trace_hash": "sha256:7c586dc277783547e76b3b78a5357cd4bb12e20627df11fa55e3f82c920ac6de", "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", "claim_class": "RuntimeChecked", diff --git a/examples/pf-core-valid/file_read_denied_cross_tenant/manifest.json b/examples/pf-core-valid/file_read_denied_cross_tenant/manifest.json new file mode 100644 index 0000000..2ea29ca --- /dev/null +++ b/examples/pf-core-valid/file_read_denied_cross_tenant/manifest.json @@ -0,0 +1,4 @@ +{ + "description": "Cross-tenant file read denied", + "skip_pfcore_trace_conformance": true +} diff --git a/examples/pf-core-valid/handoff_subset_authority/manifest.json b/examples/pf-core-valid/handoff_subset_authority/manifest.json new file mode 100644 index 0000000..f1962c5 --- /dev/null +++ b/examples/pf-core-valid/handoff_subset_authority/manifest.json @@ -0,0 +1,4 @@ +{ + "description": "Handoff with subset authority", + "skip_pfcore_trace_conformance": true +} diff --git a/examples/pf-core-valid/network_denied/manifest.json b/examples/pf-core-valid/network_denied/manifest.json new file mode 100644 index 0000000..2bb75b3 --- /dev/null +++ b/examples/pf-core-valid/network_denied/manifest.json 
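Review bot: In the second hunk of `file_read_allowed/trace.json`, `event_hash` moves to `sha256:4f54951a…214b`, but the event's `signature_or_digest` a few lines below is an unchanged context line that still reads `sha256:e6ae0e0c4c702dd1f83a6adb29a97e7d89b9741537b3ebd95bb476f754ea4960`, which is the old `event_hash`. Before this change the two fields were equal, so the digest now looks stale relative to the event it covers. If they are still meant to agree, the line should become `"signature_or_digest": "sha256:4f54951a4b008bdb24f2bb88438cff876fadd84259ad6d83e8211980303a214b"`. If this fixture passes validation as committed, that also suggests the per-event digest is not being checked, which is worth confirming with a negative test.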
@@ -0,0 +1,4 @@ +{ + "description": "Network action denied by policy", + "skip_pfcore_trace_conformance": true +} diff --git a/examples/pf-core-valid/tool_use_trace_compiled/manifest.json b/examples/pf-core-valid/tool_use_trace_compiled/manifest.json new file mode 100644 index 0000000..813e8e7 --- /dev/null +++ b/examples/pf-core-valid/tool_use_trace_compiled/manifest.json @@ -0,0 +1,5 @@ +{ + "description": "Tool-use trace compiled to PF-Core", + "trace_file": "pfcore_trace.json", + "replay_required": true +} diff --git a/examples/release_chain_validation_result.valid.json b/examples/release_chain_validation_result.valid.json index 9422073..f994752 100644 --- a/examples/release_chain_validation_result.valid.json +++ b/examples/release_chain_validation_result.valid.json @@ -294,7 +294,11 @@ "status": "passed", "details": {}, "registry_check_refs": [ - "ArtifactRegistry.v0.entries_cover_required_artifact_types" + "ArtifactRegistry.v0.entries_cover_required_artifact_types", + "ComputationWitness.v0.computation_status_checked_for_release", + "ComputationWitness.v0.source_commit_matches_release_manifest", + "ToolUseCertificate.v0.certificate_status_checked_for_release", + "ToolUseCertificate.v0.source_commit_matches_release_manifest" ], "responsible_component": "pcs-core" } @@ -312,7 +316,7 @@ "failure_codes": [], "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "17e414501b3e1c58e8fbde1fe89a828440a945d9", - "signature_or_digest": "sha256:3000ec6b27f2fc65be0c647a2e8c68ee528babe9779c8fa1d411053d13f904dd", + "signature_or_digest": "sha256:4dc0df6f86acbf51f06d15fdb847865460dd29f022925103aed3c128e225aa2e", "formal_checks": [ { "check_id": "lean.admissible_release_has_matching_trace_hash", diff --git a/examples/release_manifest.valid.json b/examples/release_manifest.valid.json index 01b9fca..e508916 100644 --- a/examples/release_manifest.valid.json +++ b/examples/release_manifest.valid.json 
@@ -9,15 +9,15 @@ "trace_hash": "sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd", "certificate_id": "cert-trace-a1b8ff9d-7d5f-489c-98b1-a3a630cb87d7", "certified_bundle_hash": "sha256:bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe", - "signed_bundle_hash": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "signed_bundle_hash": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "release_chain_validation_result": { "path": "release_chain_validation_result.valid.json", - "sha256": "sha256:2fac46ed0a92ce95505662fef25bdc09ebca1af7ad8fdfc8c3153936b8a46a37" + "sha256": "sha256:d1fd986a2a77a55a5d55fb40ab2937a7172d5230e4e40835042e3161f4eeb6f4" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "sha256": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "canonical_claim_id": "claim-pcs-qc-release-v0.1", "limitations_notice": "PCS v0.1 demonstrates a proof-carrying simulated lab workflow; it does not claim clinical validity or production certification.", @@ -50,7 +50,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60" + "sha256": "sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", 
@@ -58,7 +58,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:b8af33a7b24abf12fd938a59af6be91ac5e761365d8ecf3639fd0f196969de36" + "sha256": "sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567" }, "science_claim_bundle.pending.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -66,7 +66,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:f71e6d92c910f6db94661c712e06cf04c946bf560ede48346dd15e88cc54c6c8" + "sha256": "sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0" }, "scientific_memory_import_report.json": { "artifact_type": "ScientificMemory.ImportReport.v0", @@ -74,7 +74,7 @@ "producer": "Scientific Memory", "source_repo": "https://github.com/fraware/scientific-memory", "source_commit": "0e059e934bc95bcc4dc0cb6593b18b07a28529a2", - "sha256": "sha256:11d2e48a0c811ebc3bd683516c76f42b2849f604717758798c83abdb739251a3" + "sha256": "sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", @@ -82,7 +82,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "b0dbbbe1c110ec2301d452d2ef1074354cce170f", - "sha256": "sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6" + "sha256": "sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1" }, "trace.json": { "artifact_type": "LabTrust.Trace.v0", 
@@ -90,7 +90,7 @@ "producer": "LabTrust-Gym", "source_repo": "https://github.com/fraware/LabTrust-Gym", "source_commit": "17ed831acfd775889ab497d11004cceb083a9c2d", - "sha256": "sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c" + "sha256": "sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04" }, "trace_certificate.json": { "artifact_type": "TraceCertificate.v0", @@ -98,7 +98,7 @@ "producer": "CertifyEdge", "source_repo": "https://github.com/fraware/CertifyEdge", "source_commit": "635fca3771ad54fe3f8b49d1bb77ee35d0680ddc", - "sha256": "sha256:3a9facf4f66ebeb0ac286865d3c801fc976128ba0e28d5b863c95549622f539c" + "sha256": "sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", @@ -106,17 +106,9 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "b0dbbbe1c110ec2301d452d2ef1074354cce170f", - "sha256": "sha256:13e90d156047e9c23497a73813dd27491848b3d4787b2bb7bdb6b023685cb01d" + "sha256": "sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1" } }, "release_status": "Validated", - "signature_or_digest": "sha256:c8f90db9cc311daa738510a9746df6f43cf639d19d45d79ae33b6debedc601e5", - "proof_obligation": { - "path": "proof_obligation.v0.json", - "sha256": "sha256:de6c1071065220ba134757eefc88d99dd4fc1e60df1e5f74ade12c5b6be2f348" - }, - "lean_check_result": { - "path": "lean_check_result.v0.json", - "sha256": "sha256:7d63fb9226f64fa235b67666146aff7e6396b82bd9059afce5ce9d29b4d368b8" - } + "signature_or_digest": "sha256:a03f06eaed2f3926ee6e87eefdd71604a7c8c04ea19f1999dba881b510e03309" } diff --git a/examples/semantic_check_execution.valid.json b/examples/semantic_check_execution.valid.json index 8bd92b9..897064b 100644 --- a/examples/semantic_check_execution.valid.json +++ b/examples/semantic_check_execution.valid.json 
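Review bot: The last hunk of examples/release_manifest.valid.json (`@@ -106,17 +106,9 @@`) deletes the `proof_obligation` and `lean_check_result` entries while `release_status` stays `"Validated"`, so this reference manifest no longer pins either proof artifact by hash. examples/tool-use-release/release_manifest.v0.json keeps both entries in the same commit, so the two "valid" manifests now show different binding requirements. If the omission is intended, the schema or validator should state when a Validated manifest may leave these out. Otherwise restore them with regenerated digests, e.g. `"proof_obligation": { "path": "proof_obligation.v0.json", "sha256": "sha256:<regenerated>" }` and the matching `lean_check_result` object.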
@@ -260,6 +260,296 @@ "allowed_to_skip": false, "enforcement_layer": "artifact_validate" }, + { + "registry_ref": "PFCoreAction.v0.explicit_artifact_type", + "artifact_type": "PFCoreAction.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreAction.v0.schema_valid", + "artifact_type": "PFCoreAction.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCapability.v0.explicit_artifact_type", + "artifact_type": "PFCoreCapability.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCapability.v0.schema_valid", + "artifact_type": "PFCoreCapability.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCertificate.v0.claim_class_matches_assurance", + "artifact_type": "PFCoreCertificate.v0", + "check_id": "claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCertificate.v0.explicit_artifact_type", + "artifact_type": "PFCoreCertificate.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + 
"execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCertificate.v0.lean_kernel_proof", + "artifact_type": "PFCoreCertificate.v0", + "check_id": "lean_kernel_proof", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCertificate.v0.lean_library_build", + "artifact_type": "PFCoreCertificate.v0", + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreCertificate.v0.schema_valid", + "artifact_type": "PFCoreCertificate.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreContract.v0.explicit_artifact_type", + "artifact_type": "PFCoreContract.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreContract.v0.schema_valid", + "artifact_type": "PFCoreContract.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreEvent.v0.explicit_artifact_type", + "artifact_type": "PFCoreEvent.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + 
"execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreEvent.v0.schema_valid", + "artifact_type": "PFCoreEvent.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreHandoff.v0.explicit_artifact_type", + "artifact_type": "PFCoreHandoff.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreHandoff.v0.schema_valid", + "artifact_type": "PFCoreHandoff.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCorePrincipal.v0.explicit_artifact_type", + "artifact_type": "PFCorePrincipal.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCorePrincipal.v0.schema_valid", + "artifact_type": "PFCorePrincipal.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreResource.v0.explicit_artifact_type", + "artifact_type": "PFCoreResource.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, 
+ "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreResource.v0.schema_valid", + "artifact_type": "PFCoreResource.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreRuntimeObservation.v0.claim_class_matches_assurance", + "artifact_type": "PFCoreRuntimeObservation.v0", + "check_id": "claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreRuntimeObservation.v0.explicit_artifact_type", + "artifact_type": "PFCoreRuntimeObservation.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreRuntimeObservation.v0.lean_kernel_proof", + "artifact_type": "PFCoreRuntimeObservation.v0", + "check_id": "lean_kernel_proof", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreRuntimeObservation.v0.lean_library_build", + "artifact_type": "PFCoreRuntimeObservation.v0", + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreRuntimeObservation.v0.schema_valid", + "artifact_type": "PFCoreRuntimeObservation.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + 
"responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreTrace.v0.claim_class_matches_assurance", + "artifact_type": "PFCoreTrace.v0", + "check_id": "claim_class_matches_assurance", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreTrace.v0.explicit_artifact_type", + "artifact_type": "PFCoreTrace.v0", + "check_id": "explicit_artifact_type", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreTrace.v0.lean_kernel_proof", + "artifact_type": "PFCoreTrace.v0", + "check_id": "lean_kernel_proof", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreTrace.v0.lean_library_build", + "artifact_type": "PFCoreTrace.v0", + "check_id": "lean_library_build", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, + { + "registry_ref": "PFCoreTrace.v0.schema_valid", + "artifact_type": "PFCoreTrace.v0", + "check_id": "schema_valid", + "severity": "release_blocking", + "responsible_component": "pcs-core", + "execution_required_in_release_mode": true, + "allowed_to_skip": false, + "enforcement_layer": "release_chain" + }, { "registry_ref": "ProofObligation.v0.obligations_reference_known_kinds", "artifact_type": "ProofObligation.v0", 
@@ -531,5 +821,5 @@ "enforcement_layer": "registry_metadata" } ], - "signature_or_digest": "sha256:2eff7c2f8a2c05957db5a5223ce3fdf7e5b9ee3e5bbe7789c0e2ceb66ae9691d" + "signature_or_digest": "sha256:60c6c723c87f0456bdea46f0e67ba84ead10d59bea4ee1ee4fcc18892d9ef256" } diff --git a/examples/tool-use-release/RELEASE_FIXTURE_MANIFEST.json b/examples/tool-use-release/RELEASE_FIXTURE_MANIFEST.json index c30eec1..0367a34 100644 --- a/examples/tool-use-release/RELEASE_FIXTURE_MANIFEST.json +++ b/examples/tool-use-release/RELEASE_FIXTURE_MANIFEST.json 
@@ -9,12 +9,12 @@ "provability_fabric_commit": "c333333333333333333333333333333333333333", "scientific_memory_commit": "d444444444444444444444444444444444444444", "artifacts": { - "tool_use_trace.valid.json": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507", - "runtime_receipt.json": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8", - "tool_use_certificate.valid.json": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4", - "science_claim_bundle.certified.json": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verification_result.json": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525", - "signed_science_claim_bundle.json": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15", - "scientific_memory_import_report.json": "sha256:1c293ec6b97481f984cdaae35a407268b166181781f0766506c620149c21af9c" + "tool_use_trace.valid.json": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253", + "runtime_receipt.json": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7", + "tool_use_certificate.valid.json": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6", + "science_claim_bundle.certified.json": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verification_result.json": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366", + "signed_science_claim_bundle.json": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a", + "scientific_memory_import_report.json": "sha256:6e8b0a551de8f5bbb5230be29ff82ffa18baffceb91c0287dfaa9caf8ff4c842" } } diff --git a/examples/tool-use-release/handoff_manifest.bundle_to_verifier.v0.json b/examples/tool-use-release/handoff_manifest.bundle_to_verifier.v0.json index d510af4..5f84a40 100644 --- a/examples/tool-use-release/handoff_manifest.bundle_to_verifier.v0.json 
+++ b/examples/tool-use-release/handoff_manifest.bundle_to_verifier.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { @@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/examples/tool-use-release/handoff_manifest.certificate_to_bundle.v0.json b/examples/tool-use-release/handoff_manifest.certificate_to_bundle.v0.json index 8d406c7..07e69b3 100644 --- a/examples/tool-use-release/handoff_manifest.certificate_to_bundle.v0.json +++ b/examples/tool-use-release/handoff_manifest.certificate_to_bundle.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" } }, "expected_outputs": { @@ -23,5 +23,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:358cfe13ec84e8b3b58db4871b1fc80035fd28385606bf84a884d92c77ff12b8" + "signature_or_digest": "sha256:97035e1aeffa8f77067b9d70777b170ce70cbf6dfd099ce4568e688cbfcaf140" } 
diff --git a/examples/tool-use-release/handoff_manifest.runtime_to_certificate.v0.json b/examples/tool-use-release/handoff_manifest.runtime_to_certificate.v0.json index 58dbcf8..7bf9752 100644 --- a/examples/tool-use-release/handoff_manifest.runtime_to_certificate.v0.json +++ b/examples/tool-use-release/handoff_manifest.runtime_to_certificate.v0.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { @@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/examples/tool-use-release/handoff_manifest.signed_bundle_to_memory.v0.json b/examples/tool-use-release/handoff_manifest.signed_bundle_to_memory.v0.json index cac6863..da347da 100644 --- a/examples/tool-use-release/handoff_manifest.signed_bundle_to_memory.v0.json +++ b/examples/tool-use-release/handoff_manifest.signed_bundle_to_memory.v0.json @@ -10,7 +10,7 @@ "input_artifacts": { "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "expected_outputs": { 
@@ -23,5 +23,5 @@ "claim_id": "claim-qc-release-v0.1" }, "status": "Validated", - "signature_or_digest": "sha256:7d355cd6b4958592fe7456bfdf422c90d2e7694e9f9cbf258ed3cc96d4219c67" + "signature_or_digest": "sha256:7f00cf40614447f24990dd0bdcf901a60aa7555ed63df97579e68545561acc76" } diff --git a/examples/tool-use-release/handoff_to_certifyedge.json b/examples/tool-use-release/handoff_to_certifyedge.json index 58dbcf8..7bf9752 100644 --- a/examples/tool-use-release/handoff_to_certifyedge.json +++ b/examples/tool-use-release/handoff_to_certifyedge.json @@ -10,11 +10,11 @@ "input_artifacts": { "tool_use_trace.valid.json": { "artifact_type": "ToolUseTrace.v0", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" } }, "expected_outputs": { @@ -26,5 +26,5 @@ "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4" }, "status": "Validated", - "signature_or_digest": "sha256:9a9560510a730face7c628faad2cd638c6178045380aee260042d20a21d55aa8" + "signature_or_digest": "sha256:4717aaa2a63ab25a2d3f76ebbb770af191660d4009e36cb7bbdb3cf3348153d7" } diff --git a/examples/tool-use-release/handoff_to_pf.json b/examples/tool-use-release/handoff_to_pf.json index d510af4..5f84a40 100644 --- a/examples/tool-use-release/handoff_to_pf.json +++ b/examples/tool-use-release/handoff_to_pf.json @@ -10,7 +10,7 @@ "input_artifacts": { "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } }, "expected_outputs": { 
@@ -24,8 +24,8 @@ "invariants": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "status": "Validated", - "signature_or_digest": "sha256:459100b7fbf98de89f04e22997a2da57bace618112a956c5541c33031b7bdabb" + "signature_or_digest": "sha256:0ef5080eeab7c1dce525f9519495af1b5cedb4f9498e579fac7cef560e137456" } diff --git a/examples/tool-use-release/lean_check_result.v0.json b/examples/tool-use-release/lean_check_result.v0.json index 3acef36..fa7237a 100644 --- a/examples/tool-use-release/lean_check_result.v0.json +++ b/examples/tool-use-release/lean_check_result.v0.json @@ -5,7 +5,7 @@ "lean_module": "PCS.Theorems", "lean_theorem": "ReleaseChainAdmissible", "status": "ProofChecked", - "checked_at": "2026-05-19T13:37:27Z", + "checked_at": "2026-06-28T00:50:25Z", "lean_version": "leanprover/lean4:stable", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", @@ -40,5 +40,5 @@ "failure_reason": "" } ], - "signature_or_digest": "sha256:148445e008f781bfc47593fe9fb5c8ad12abf482b22f03f7c45fe0b03149276a" + "signature_or_digest": "sha256:e3f97b4eeb86a78f451b58ae294eeccd4d69254662c9693e1028bed8c7d5ad89" } diff --git a/examples/tool-use-release/proof_obligation.v0.json b/examples/tool-use-release/proof_obligation.v0.json index cb21da2..b3de603 100644 --- a/examples/tool-use-release/proof_obligation.v0.json +++ b/examples/tool-use-release/proof_obligation.v0.json 
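Review bot: In examples/tool-use-release/lean_check_result.v0.json the regenerated `checked_at` (`2026-06-28T00:50:25Z`) is a wall-clock value inside a record that carries a `signature_or_digest`, and the unchanged `lean_version` beside it is the floating tag `leanprover/lean4:stable`. If the digest covers the timestamp, every regeneration changes this file's digest and the `lean_check_result` hash in release_manifest.v0.json even when the proof is unchanged, and the record does not say which toolchain produced `ProofChecked`. The new time also postdates `release_chain_checked_at` (`2026-05-18T12:00:00Z`) in scientific_memory_import_report.json, so the fixture chain appears to record a chain validation that precedes the Lean check. Consider a fixed fixture timestamp consistent with the other artifacts and a resolved toolchain, e.g. `"lean_version": "leanprover/lean4:<pinned-version>"`.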
@@ -30,8 +30,8 @@ "kind": "VerificationAdmitsBundle", "inputs": { "verification_status": "ProofChecked", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", "release_blocking_checks_passed": true } }, @@ -39,8 +39,8 @@ "obligation_id": "signed_bundle_admissible", "kind": "SignedBundleAdmissible", "inputs": { - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "verified_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "verified_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } ], @@ -69,5 +69,5 @@ "lean_module": "PCS.Theorems", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "signature_or_digest": "sha256:98012907fe12b4bfdf4e2a299cfac98dfb0d2302382b7062a9de3e18fb9fa889" + "signature_or_digest": "sha256:69335e62a2eb10f6475b5716c00137af4f691b906731807eb9eafe8658d32f5c" } diff --git a/examples/tool-use-release/release_manifest.v0.json b/examples/tool-use-release/release_manifest.v0.json index 937d628..b852e95 100644 --- a/examples/tool-use-release/release_manifest.v0.json +++ b/examples/tool-use-release/release_manifest.v0.json 
@@ -8,19 +8,19 @@ "chain_root": { "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", "certificate_id": "cert-tool-use-safety-v0", - "certified_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30", - "signed_bundle_hash": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "certified_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d", + "signed_bundle_hash": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "release_chain_validation_result": { "path": "release_chain_validation_result.v0.json", - "sha256": "sha256:8ce4be20f5a9fef3e6ef990c1abd6b6c5f98ec8ff67a393d2163728fcf07560e" + "sha256": "sha256:7c0f320adf5b570da3fc3920560db65eef30262597f2f6349cdf66a6102fa527" }, "canonical_signed_bundle": { "path": "signed_science_claim_bundle.json", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" }, "canonical_claim_id": "claim-qc-release-v0.1", - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It does not guarantee trace-level safety preservation under stated assumptions for a real deployed runtime.", + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", "producer_repos": { "pcs_core": { "repo": "https://github.com/SentinelOps-CI/pcs-core", @@ -50,7 +50,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:7d0a726c657c31db20294206c0207a34365a573c3103f447f3b3cca38190d507" + "sha256": "sha256:a7bfd0dd83b149ef7cba53ea11ccdc04a23226a2ad39d77e125e8825dc00f253" }, "tool_use_certificate.valid.json": { "artifact_type": "ToolUseCertificate.v0", 
@@ -58,7 +58,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:145f884300ad795444e06e9916a2a720d33a10d960f1015bd2781ace5b8dbdf4" + "sha256": "sha256:3e517b1d66dcd475d4d69f01f9b5790cf55610250c356ec3fddd96a868e02cb6" }, "runtime_receipt.json": { "artifact_type": "RuntimeReceipt.v0", @@ -66,7 +66,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:33fddcdd864435cffbf8febb9c405d0ad81a7ba90b446f7d86729c5d46eaf5a8" + "sha256": "sha256:f95f7cfe528eb0712d3f876d3766edac6b1b859ff992448c1ca98a780e598da7" }, "science_claim_bundle.certified.json": { "artifact_type": "ScienceClaimBundle.v0", @@ -74,7 +74,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "sha256": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" }, "workflow_profile.v0.json": { "artifact_type": "WorkflowProfile.v0", @@ -82,7 +82,7 @@ "producer": "pcs-core", "source_repo": "https://github.com/SentinelOps-CI/pcs-core", "source_commit": "d444444444444444444444444444444444444444", - "sha256": "sha256:0f54c947169f2733cf05ae8486b73afbc7bd82ec51275448f72d18ad29783e66" + "sha256": "sha256:ae33f37f50f3e073e1c83284e5a1e2cb2cb56e6b2110fffbf9b2cf5b0cb77dae" }, "verification_result.json": { "artifact_type": "VerificationResult.v0", 
@@ -90,7 +90,7 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:7ed898a96edbe59275a337da6b537f8563598f064fd770a887d13170f3112525" + "sha256": "sha256:07a5b4077f7207965f4f37ddb7bf0940394a91a433dcfc0e0de35cdf257d7366" }, "signed_science_claim_bundle.json": { "artifact_type": "SignedScienceClaimBundle.v0", @@ -98,17 +98,17 @@ "producer": "Provability Fabric", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "sha256": "sha256:c1ecda744f3d3a7e55724d5555f8d97121fb8e46f6b6d83d871bab0b11985b15" + "sha256": "sha256:b530e409f16527c66cdb6d824af399cbe45d38d78fb2c401bba3518c02ce977a" } }, "release_status": "Validated", - "signature_or_digest": "sha256:53488fc4bdd078761083ae982f1b8e5a1326564fad1e3d0d40ccddebdc5ee225", + "signature_or_digest": "sha256:4caac0d439c18f503cec3f9be21686c1551d1a355c2e08920bbfb87dd3c5b4d0", "proof_obligation": { "path": "proof_obligation.v0.json", - "sha256": "sha256:850557b7f2e5c97c8c8de3ef8ff54ffad0372068705eeea5709dc545d57c1e3e" + "sha256": "sha256:927c89fec743d4276e34be6fc46beee375d004b05e4277cbf866a72f9b8736a0" }, "lean_check_result": { "path": "lean_check_result.v0.json", - "sha256": "sha256:98dd9cb225939cce5a6896dc608a290f90f429ab8a67ea58ac747b5f48f81529" + "sha256": "sha256:11bdd0342ed22b1d2751255e5bf46fc85ca31e13e5068b0d5c9b2be98f9c7f5b" } } diff --git a/examples/tool-use-release/scientific_memory_import_report.json b/examples/tool-use-release/scientific_memory_import_report.json index c408d42..7f11960 100644 --- a/examples/tool-use-release/scientific_memory_import_report.json +++ b/examples/tool-use-release/scientific_memory_import_report.json 
@@ -22,5 +22,5 @@ "release_chain_validation_status": "ProofChecked", "release_chain_validator": "pcs-core", "release_chain_checked_at": "2026-05-18T12:00:00Z", - "release_manifest_hash": "sha256:8ae762b0a67360c341dbc3a6b9d68c9455abb47030586045f767efef9e079097" + "release_manifest_hash": "sha256:fda02ff54ae8933c71e826ddf454b94a5449cc349a378ebbfe8e4ed048c1c3bc" } diff --git a/examples/tool-use-release/signed_science_claim_bundle.json b/examples/tool-use-release/signed_science_claim_bundle.json index 59de0a9..b193fbe 100644 --- a/examples/tool-use-release/signed_science_claim_bundle.json +++ b/examples/tool-use-release/signed_science_claim_bundle.json @@ -171,6 +171,6 @@ "signed_at": "2026-05-16T12:25:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:6bd6088e18a82f3eef22adaba8db91d0f2942142af35b2a698d5d87b92f1331a", - "signed_input_bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "signature_or_digest": "sha256:5d0e48c2457e9fb7cd262674d157a838c5ec8f707ac92f38f583eaf4a66f89b0", + "signed_input_bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } diff --git a/examples/tool-use-release/verification_result.json b/examples/tool-use-release/verification_result.json index 6f8056b..0aa6d23 100644 --- a/examples/tool-use-release/verification_result.json +++ b/examples/tool-use-release/verification_result.json 
@@ -24,10 +24,10 @@ "created_at": "2026-05-16T12:20:00Z", "source_repo": "https://github.com/SentinelOps-CI/provability-fabric", "source_commit": "c333333333333333333333333333333333333333", - "signature_or_digest": "sha256:cd11abeaee38bcc8bf8df071290e99abb363e0bf81765cf65498b13d2ec609b4", + "signature_or_digest": "sha256:88655462ebba1339a437775643810cc0099a0300f241de4ee80810662f4ba1fd", "verified_input": { "certificate_id": "cert-tool-use-safety-v0", "trace_hash": "sha256:42ce47fca8ec10a9c65c8d9b9384c8be52094c93d46aa9705ce7c2fa2b8c89e4", - "bundle_hash": "sha256:21adad1e4817811766d484422d68ac13a056849b04e9143dcb583a87b70a9e30" + "bundle_hash": "sha256:8ec0f90d0af828db78c5ada9299daea96128c4737328d40d6d6c473046d4780d" } } diff --git a/examples/tool-use-release/workflow_profile.v0.json b/examples/tool-use-release/workflow_profile.v0.json index 0fc3e33..124b792 100644 --- a/examples/tool-use-release/workflow_profile.v0.json +++ b/examples/tool-use-release/workflow_profile.v0.json @@ -50,6 +50,6 @@ "unapproved_network_call", "unknown_authorization_status" ], - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It does not guarantee trace-level safety preservation under stated assumptions for a real deployed runtime.", - "signature_or_digest": "sha256:f08e4c928dff1be1d610cbd2513b4c5ac5a05f718b5803603c082f136fec23d0" + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", + "signature_or_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410" } diff --git a/examples/workflow_profiles/agent_tool_use_safety.valid.json b/examples/workflow_profiles/agent_tool_use_safety.valid.json index 0fc3e33..124b792 100644 --- a/examples/workflow_profiles/agent_tool_use_safety.valid.json +++ b/examples/workflow_profiles/agent_tool_use_safety.valid.json 
@@ -50,6 +50,6 @@ "unapproved_network_call", "unknown_authorization_status" ], - "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It does not guarantee trace-level safety preservation under stated assumptions for a real deployed runtime.", - "signature_or_digest": "sha256:f08e4c928dff1be1d610cbd2513b4c5ac5a05f718b5803603c082f136fec23d0" + "limitations_notice": "This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.", + "signature_or_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410" } diff --git a/lean/PCS/Generated/release_pcs_v0_1_labtrust_qc.lean b/lean/PCS/Generated/release_pcs_v0_1_labtrust_qc.lean new file mode 100644 index 0000000..f5b243d --- /dev/null +++ b/lean/PCS/Generated/release_pcs_v0_1_labtrust_qc.lean 
@@ -0,0 +1,63 @@ +import PCS.ReleaseChainCheck + +/-! +# Generated PCS release-chain proof for `release-pcs-v0.1-labtrust-qc` + +Auto-generated by pcs-core pcs-envelope check --lean-proof. Do not edit by hand. +This discharges ProofObligation.v0 against `PCS.ReleaseChainAdmissible` deciders only. +It does **not** imply PF-Core trace safety or `LeanKernelChecked` assurance. +-/ + +namespace PCS.Generated.release_pcs_v0_1_labtrust_qc + +def concreteCertificate : Certificate := + { + certificateId := "cert-trace-a1b8ff9d-7d5f-489c-98b1-a3a630cb87d7", + traceHash := Hash.ofString "c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd", + status := ArtifactStatus.CertificateChecked + } + +def concreteRuntimeReceipt : RuntimeReceipt := + { + traceHash := Hash.ofString "c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd", + status := ArtifactStatus.RuntimeObserved + } + +def concreteVerification : VerificationResult := + { + status := ArtifactStatus.ProofChecked, + verifiedInputBundleHash := Hash.ofString "bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe", + releaseBlockingChecksPassed := true + } + +def concreteCertifiedBundleHash : Hash := Hash.ofString "bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe" + +def concreteSignedInputHash : Hash := Hash.ofString "bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe" + +theorem concrete_certificate_matches_runtime : + certificateMatchesRuntimeD concreteCertificate concreteRuntimeReceipt = true := by + decide + +theorem concrete_verification_admits_bundle : + verificationAdmitsBundleD concreteVerification concreteCertifiedBundleHash = true := by + decide + +theorem concrete_signed_bundle_admissible : + signedBundleAdmissibleD concreteSignedInputHash + concreteVerification.verifiedInputBundleHash = true := by + decide + +theorem concrete_release_chain_admissible : + releaseChainAdmissibleD concreteCertificate concreteRuntimeReceipt concreteVerification + 
concreteCertifiedBundleHash concreteSignedInputHash = true := by + decide + +theorem concrete_release_chain_admissible_prop : + ReleaseChainAdmissible concreteCertificate concreteRuntimeReceipt concreteVerification + concreteCertifiedBundleHash concreteSignedInputHash := + (releaseChainAdmissibleD_sound _ _ _ _ _).mp concrete_release_chain_admissible + +#eval releaseChainAdmissibleD concreteCertificate concreteRuntimeReceipt concreteVerification + concreteCertifiedBundleHash concreteSignedInputHash + +end PCS.Generated.release_pcs_v0_1_labtrust_qc diff --git a/lean/PCS/ReleaseChainCheck.lean b/lean/PCS/ReleaseChainCheck.lean new file mode 100644 index 0000000..93a4762 --- /dev/null +++ b/lean/PCS/ReleaseChainCheck.lean 
@@ -0,0 +1,77 @@ +import PCS.ReleaseChain + +/-! +# PCS release-chain decidable checks (concrete obligation discharge) + +Boolean deciders mirror `ReleaseChain.lean` predicates for `#eval` and generated proofs. +-/ + +namespace PCS + +def certificateMatchesRuntimeD (cert : Certificate) (receipt : RuntimeReceipt) : Bool := + decide (cert.traceHash == receipt.traceHash) && + match cert.status with + | ArtifactStatus.CertificateChecked => true + | _ => false + +theorem certificateMatchesRuntimeD_sound (cert : Certificate) (receipt : RuntimeReceipt) : + certificateMatchesRuntimeD cert receipt = true ↔ + CertificateMatchesRuntime cert receipt := by + cases cert with + | mk _ traceHash status => + cases receipt with + | mk receiptHash _ => + cases status <;> simp [certificateMatchesRuntimeD, CertificateMatchesRuntime, decide_eq_true_iff] + +def verificationAdmitsBundleD + (verification : VerificationResult) (bundleHash : Hash) : Bool := + match verification.status with + | ArtifactStatus.ProofChecked => + decide (verification.verifiedInputBundleHash == bundleHash) && + verification.releaseBlockingChecksPassed + | _ => false + +theorem verificationAdmitsBundleD_sound + (verification : VerificationResult) (bundleHash : Hash) : + verificationAdmitsBundleD verification bundleHash = true ↔ + VerificationAdmitsBundle verification bundleHash := by + cases verification with + | mk status verifiedHash blocking => + cases status <;> simp [verificationAdmitsBundleD, VerificationAdmitsBundle, decide_eq_true_iff] + +def signedBundleAdmissibleD (signedInputHash : Hash) (verifiedInputHash : Hash) : Bool := + decide (signedInputHash == verifiedInputHash) + +theorem signedBundleAdmissibleD_sound (signedInputHash : Hash) (verifiedInputHash : Hash) : + signedBundleAdmissibleD signedInputHash verifiedInputHash = true ↔ + SignedBundleAdmissible signedInputHash verifiedInputHash := by + simp [signedBundleAdmissibleD, SignedBundleAdmissible, decide_eq_true_iff] + +def releaseChainAdmissibleD + 
(cert : Certificate) + (receipt : RuntimeReceipt) + (verification : VerificationResult) + (bundleHash : Hash) + (signedInputHash : Hash) : Bool := + certificateMatchesRuntimeD cert receipt && + verificationAdmitsBundleD verification bundleHash && + signedBundleAdmissibleD signedInputHash verification.verifiedInputBundleHash + +theorem releaseChainAdmissibleD_sound + (cert : Certificate) + (receipt : RuntimeReceipt) + (verification : VerificationResult) + (bundleHash : Hash) + (signedInputHash : Hash) : + releaseChainAdmissibleD cert receipt verification bundleHash signedInputHash = true ↔ + ReleaseChainAdmissible cert receipt verification bundleHash signedInputHash := by + constructor + · intro h + simp [releaseChainAdmissibleD, certificateMatchesRuntimeD_sound, + verificationAdmitsBundleD_sound, signedBundleAdmissibleD_sound] at h + exact h + · intro h + simp [releaseChainAdmissibleD, certificateMatchesRuntimeD_sound, + verificationAdmitsBundleD_sound, signedBundleAdmissibleD_sound, h] + +end PCS diff --git a/lean/PFCore.lean b/lean/PFCore.lean index 10d9d3a..de8ef95 100644 --- a/lean/PFCore.lean +++ b/lean/PFCore.lean @@ -18,3 +18,5 @@ import PFCore.RoleMap import PFCore.Transition import PFCore.EffectFrame import PFCore.State +import PFCore.Observational +import PFCore.ResourcePattern diff --git a/lean/PFCore/Action.lean b/lean/PFCore/Action.lean index 8249adc..ff0f1cc 100644 --- a/lean/PFCore/Action.lean +++ b/lean/PFCore/Action.lean 
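Review bot: In lean/PCS/ReleaseChainCheck.lean, `certificateMatchesRuntimeD` never reads `receipt.status`, so a receipt in any status passes as long as the trace hashes agree and the certificate is `CertificateChecked`. The generated proof sets `status := ArtifactStatus.RuntimeObserved` on the receipt, but nothing in the decider checks it. Because `certificateMatchesRuntimeD_sound` is an iff, `CertificateMatchesRuntime` in ReleaseChain.lean (not visible here) presumably ignores the status as well, so a fix, if wanted, belongs there first. At minimum the four `_sound` theorems should carry the Meaning / Trusted use / Does not imply docstring used elsewhere in this commit, with `**Does not imply:** The runtime receipt status was checked.` on `certificateMatchesRuntimeD_sound`.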
@@ -77,24 +77,71 @@ theorem capabilityMatchesEffectsD_sound (a : Action) : capabilityMatchesEffectsD a = true ↔ CapabilityMatchesEffects a := by simp [capabilityMatchesEffectsD, CapabilityMatchesEffects, decide_eq_true_iff] +/-- Catalog pairs mapping capability ids to canonical embedded effects. -/ +def knownCapabilityEffectCatalog : List (String × Effect) := + [("cap:file-read", Effect.read), + ("cap:file-write", Effect.write), + ("cap:network", Effect.network), + ("cap:email-send", Effect.externalMessage), + ("cap:handoff", Effect.stateChange), + ("cap:mcp-invoke", Effect.codeExecution), + ("cap:lab-release", Effect.custom "lab.release")] + +/-- Catalog capability id maps to its canonical embedded effect label. -/ +def KnownCapabilityEffect (cap : String) (eff : Effect) : Prop := + (cap, eff) ∈ knownCapabilityEffectCatalog + +/-- Boolean decider for ``KnownCapabilityEffect``. -/ +def knownCapabilityEffectD (cap : String) (eff : Effect) : Bool := + decide ((cap, eff) ∈ knownCapabilityEffectCatalog) + +/-- +**Meaning:** The capability-effect decider reflects ``KnownCapabilityEffect``. + +**Trusted use:** Linking embedded ``capabilityEffect`` to catalog effect labels in admissibility. + +**Does not imply:** Runtime effect execution or resource-pattern enforcement. +-/ +theorem knownCapabilityEffectD_sound (cap : String) (eff : Effect) : + knownCapabilityEffectD cap eff = true ↔ KnownCapabilityEffect cap eff := by + simp [knownCapabilityEffectD, KnownCapabilityEffect, decide_eq_true_iff] + +/-- +**Meaning:** File-write catalog capability embeds ``Effect.write``. + +**Trusted use:** Discharging write-effect membership from admissibility for file-write actions. + +**Does not imply:** Write footprint alignment or runtime write suppression. 
+-/ +theorem knownCapabilityEffect_file_write (cap : String) (eff : Effect) : + cap = "cap:file-write" → KnownCapabilityEffect cap eff → eff = Effect.write := by + intro hcap h + simp [KnownCapabilityEffect, knownCapabilityEffectCatalog, hcap] at h + exact h + /-- Structural action preconditions before allowance. -/ def ActionAdmissible (p : Principal) (a : Action) : Prop := HasCapability p a.capability ∧ ActionWithinTenant p a ∧ ActionEffectsKnown a ∧ - CapabilityMatchesEffects a + CapabilityMatchesEffects a ∧ + KnownCapability a.capability ∧ + KnownCapabilityEffect a.capability a.capabilityEffect def actionAdmissibleD (p : Principal) (a : Action) : Bool := hasCapabilityD p a.capability && actionWithinTenantD p a && actionEffectsKnownD a && - capabilityMatchesEffectsD a + capabilityMatchesEffectsD a && + knownCapabilityD a.capability && + knownCapabilityEffectD a.capability a.capabilityEffect theorem actionAdmissibleD_sound (p : Principal) (a : Action) : actionAdmissibleD p a = true ↔ ActionAdmissible p a := by unfold actionAdmissibleD ActionAdmissible simp [hasCapabilityD_sound, actionWithinTenantD_sound, actionEffectsKnownD_sound, - capabilityMatchesEffectsD_sound, Bool.and_eq_true, and_assoc, and_left_comm, and_comm] + capabilityMatchesEffectsD_sound, knownCapabilityD_sound, knownCapabilityEffectD_sound, + Bool.and_eq_true, and_assoc, and_left_comm, and_comm] /-- Action is allowed when capability is held and structural checks pass. -/ def ActionAllowed (p : Principal) (a : Action) : Prop := diff --git a/lean/PFCore/Capability.lean b/lean/PFCore/Capability.lean index 2c36236..fddcdf1 100644 --- a/lean/PFCore/Capability.lean +++ b/lean/PFCore/Capability.lean 
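Review bot: In lean/PFCore/Action.lean, `knownCapabilityEffectCatalog` repeats the seven capability ids that Capability.lean lists in `knownCatalogCaps`, and nothing in the hunk ties the two lists together. `ActionAdmissible` now requires both `KnownCapability a.capability` and `KnownCapabilityEffect a.capability a.capabilityEffect`, so an id present in only one list makes every action with that capability inadmissible; that fails closed, but silently. A lemma stating `theorem knownCapabilityEffect_implies_known (cap : String) (eff : Effect) : KnownCapabilityEffect cap eff → KnownCapability cap` would break the build when the effect catalog gains an id that `knownCatalogCaps` lacks. The docstring on `ActionAdmissible` should also name the two catalog conjuncts this commit adds.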
@@ -25,4 +25,28 @@ theorem hasCapabilityD_sound (p : Principal) (cap : String) : hasCapabilityD p cap = true ↔ HasCapability p cap := by simp [hasCapabilityD, HasCapability, decide_eq_true_iff] +/-- Closed PF-Core capability catalog (mirrors Python ``CAPABILITY_CATALOG``). -/ +def knownCatalogCaps : List String := + ["cap:file-read", "cap:file-write", "cap:network", "cap:email-send", + "cap:handoff", "cap:mcp-invoke", "cap:lab-release"] + +/-- Capability id is from the closed PF-Core catalog. -/ +def KnownCapability (cap : String) : Prop := + cap ∈ knownCatalogCaps + +/-- Boolean decider for ``KnownCapability``. -/ +def knownCapabilityD (cap : String) : Bool := + cap ∈ knownCatalogCaps + +/-- +**Meaning:** The known-capability decider reflects catalog membership. + +**Trusted use:** Soundness bridge for ``ActionAdmissible`` capability catalog checks. + +**Does not imply:** Resource-pattern scope, runtime grant provenance, or delegated authority. +-/ +theorem knownCapabilityD_sound (cap : String) : + knownCapabilityD cap = true ↔ KnownCapability cap := by + simp [knownCapabilityD, KnownCapability, decide_eq_true_iff] + end PFCore diff --git a/lean/PFCore/Compositional.lean b/lean/PFCore/Compositional.lean index a330bbf..59cc105 100644 --- a/lean/PFCore/Compositional.lean +++ b/lean/PFCore/Compositional.lean @@ -116,10 +116,10 @@ theorem composed_contract_preserves_component_invariants (c1 c2 : Contract) (tr c1.invariant tr → c2.invariant tr → (Contract.seq c1 c2).invariant tr := And.intro -/-- Strong contract refines weak: strong pre implies weak pre; weak post implies strong post. -/ +/-- Strong contract refines weak: strong pre implies weak pre; strong post implies weak post. -/ def ContractRefinement (cStrong cWeak : Contract) : Prop := (∀ p a, cStrong.pre p a → cWeak.pre p a) ∧ - (∀ p a ev, cWeak.post p a ev → cStrong.post p a ev) ∧ + (∀ p a ev, cStrong.post p a ev → cWeak.post p a ev) ∧ (∀ tr, cStrong.invariant tr → cWeak.invariant tr) /-- 
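Review bot: The docstring on `knownCatalogCaps` in lean/PFCore/Capability.lean says the list mirrors Python `CAPABILITY_CATALOG`, but the hunk shows no check that keeps the two in step, and `ActionAdmissible` now depends on this list. If a parity test exists elsewhere in the commit, name it in the docstring, e.g. `Kept in sync with Python CAPABILITY_CATALOG by <parity test name>`. If none exists, one is worth adding, since drift would make the Lean model and the runtime disagree on which capabilities are admissible. As a style point, `knownCapabilityD` relies on the implicit coercion of a decidable proposition to `Bool`, where `knownCapabilityEffectD` in Action.lean writes `decide (...)`; `decide (cap ∈ knownCatalogCaps)` would match it.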
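Review bot: In lean/PFCore/Compositional.lean, `ContractRefinement` now requires strong-implies-weak on pre, post and invariant alike, which is pointwise strengthening rather than the usual contract refinement where the precondition clause runs the other way. The one-line docstring states the directions but not that consequence, so a reader may assume `cStrong` can be substituted wherever `cWeak` is accepted. I would extend the docstring with `Pointwise strengthening: satisfying cStrong entails satisfying cWeak; this is not behavioural substitutability.` Since this commit flips the post clause, any theorem outside this diff that consumed the old direction should be re-checked.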
@@ -140,7 +140,7 @@ theorem contract_refinement_preserves_trace_safe (cStrong cWeak : Contract) (tr rcases hStrong with ⟨hTrStrong, hEvStrong, hInvStrong⟩ rcases hRef with ⟨hPre, hPost, hInv⟩ rcases ih hTrStrong with hTrWeak - refine ⟨hTrWeak, ?_, hInv hInvStrong⟩ + refine ⟨hTrWeak, ?_, hInv (Trace.cons tr' ev) hInvStrong⟩ · unfold SatisfiesContract at hEvStrong ⊢ rcases hEvStrong with ⟨hPreStrong, hPostStrong⟩ refine ⟨hPre ev.principal ev.action hPreStrong, ?_⟩ diff --git a/lean/PFCore/EffectFrame.lean b/lean/PFCore/EffectFrame.lean index fc3e2d5..53b6a35 100644 --- a/lean/PFCore/EffectFrame.lean +++ b/lean/PFCore/EffectFrame.lean @@ -141,7 +141,10 @@ theorem actionAdmissible_effects_in_self (p : Principal) (a : Action) : theorem file_write_capability_aligns_write_footprint (p : Principal) (a : Action) (r : Resource) : ActionAdmissible p a → a.capability = "cap:file-write" → r ∈ a.writes → Effect.write ∈ a.effects := by - intro hAdm _ hmem - exact hAdm.right.right.right + intro hAdm hcap _ + have hmatch := hAdm.right.right.right.left + have heff := knownCapabilityEffect_file_write a.capability a.capabilityEffect hcap + hAdm.right.right.right.right.right + exact heff ▸ hmatch end PFCore diff --git a/lean/PFCore/NonInterference.lean b/lean/PFCore/NonInterference.lean index 8dd54ea..e8a410c 100644 --- a/lean/PFCore/NonInterference.lean +++ b/lean/PFCore/NonInterference.lean @@ -315,7 +315,7 @@ theorem traceSafe_implies_tenant_isolation (tr : Trace) : rcases h with ⟨hTrSafe, hEvSafe⟩ refine ⟨ih hTrSafe, ?_⟩ intro hallow - exact eventSafe_allow_implies_tenant_isolated ev hEvSafe hallow + exact (eventSafe_allow_implies_tenant_scoped ev hEvSafe hallow).right /-- **Meaning:** Under explicit admissibility on every allowed event, trace safety yields tenant isolation. diff --git a/lean/PFCore/Observational.lean b/lean/PFCore/Observational.lean new file mode 100644 index 0000000..15140b8 --- /dev/null +++ b/lean/PFCore/Observational.lean 
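Review bot: In lean/PFCore/EffectFrame.lean, `file_write_capability_aligns_write_footprint` picks conjuncts of `ActionAdmissible` by position (`hAdm.right.right.right.left` and `hAdm.right.right.right.right.right`). This commit already had to patch the proof because the two new conjuncts changed what `.right.right.right` selects. Destructuring by name is sturdier and fails loudly if the conjunction changes shape again: `rcases hAdm with ⟨_, _, _, hmatch, _, hKnownEff⟩` followed by `exact knownCapabilityEffect_file_write a.capability a.capabilityEffect hcap hKnownEff ▸ hmatch`. The theorem statement begins above the hunk.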
@@ -0,0 +1,289 @@ +import PFCore.NonInterference + +/-! +# PF-Core observational equivalence (conservative tenant projection) + +This module formalizes a **conservative observational vocabulary** for PF-Core traces. +It does **not** claim full global non-interference, absence of covert channels, or +indistinguishability under arbitrary adversaries. Projections retain only **allowed** +events whose principal tenant matches the observer tenant; denied and cross-tenant +events are classified as high-sensitivity and omitted from the low view. +-/ + +namespace PFCore + +/-- Low-sensitivity event for observer `tenant`: allowed and attributed to `tenant`. -/ +def LowEvent (tenant : String) (ev : Event) : Prop := + ev.decision = Decision.allow ∧ ev.principal.tenant = tenant + +/-- High-sensitivity event for observer `tenant`: not low-visible. -/ +def HighEvent (tenant : String) (ev : Event) : Prop := + ¬ LowEvent tenant ev + +def lowEventD (tenant : String) (ev : Event) : Bool := + match ev.decision with + | Decision.deny => false + | Decision.allow => decide (ev.principal.tenant = tenant) + +/-- +**Meaning:** Low-event decider matches allowed events whose principal tenant equals `tenant`. + +**Trusted use:** Runtime projection alignment for tenant-scoped observational views. + +**Does not imply:** Resource tenant alignment, covert-channel freedom, or full non-interference. +-/ +theorem lowEventD_sound (tenant : String) (ev : Event) : + lowEventD tenant ev = true ↔ LowEvent tenant ev := by + cases ev with + | mk _ p a d => + cases d <;> simp [lowEventD, LowEvent, decide_eq_true_iff] + +/-- +**Meaning:** Project trace to low-visible allowed events for `tenant` (oldest-first). + +**Trusted use:** Conservative tenant observation function for equivalence claims. + +**Does not imply:** Completeness of runtime logging or hash-chain integrity. 
+-/ +def TraceProjection (tenant : String) : Trace → List Event + | Trace.empty => [] + | Trace.cons tr ev => + if lowEventD tenant ev then + TraceProjection tenant tr ++ [ev] + else + TraceProjection tenant tr + +/-- +**Meaning:** Membership in `TraceProjection tenant tr` iff the event occurs in `tr` and is low. + +**Trusted use:** Relating projected lists to structural trace membership. + +**Does not imply:** Semantic equality of events beyond structural `Event` identity. +-/ +theorem traceProjection_mem (tenant : String) (tr : Trace) (ev : Event) : + ev ∈ TraceProjection tenant tr ↔ EventIn ev tr ∧ LowEvent tenant ev := by + induction tr with + | empty => + simp [TraceProjection, EventIn, LowEvent] + | cons tr' e ih => + by_cases hlow : lowEventD tenant e + · simp [TraceProjection, hlow, lowEventD_sound] + constructor + · intro h + simp [List.mem_append, List.mem_singleton] at h + cases h with + | inl htail => + rcases ih.mp htail with ⟨hIn, hLow⟩ + exact ⟨Or.inr hIn, hLow⟩ + | inr heq => + subst heq + exact ⟨Or.inl rfl, (lowEventD_sound tenant ev).mp hlow⟩ + · intro ⟨hIn, hLow⟩ + cases hIn with + | inl heq => + subst heq + simp [(lowEventD_sound tenant ev).mpr hLow] + | inr hIn' => + exact Or.inl (ih.mpr ⟨hIn', hLow⟩) + · simp [TraceProjection, hlow, lowEventD_sound] + constructor + · intro h + rcases ih.mp h with ⟨hIn, hLow⟩ + exact ⟨Or.inr hIn, hLow⟩ + · intro ⟨hIn, hLow⟩ + cases hIn with + | inl heq => + subst heq + have ht := (lowEventD_sound tenant ev).mpr hLow + simp [ht] at hlow + | inr hIn' => + exact ih.mpr ⟨hIn', hLow⟩ + +/-- +**Meaning:** Two traces are observationally equivalent for `tenant` when low projections match. + +**Trusted use:** Conservative observational equivalence (allowed same-tenant view only). + +**Does not imply:** Full non-interference, indistinguishability under scheduling, or deny-side privacy. 
+-/ +def ObservationallyEquivalentForTenant (tenant : String) (tr1 tr2 : Trace) : Prop := + TraceProjection tenant tr1 = TraceProjection tenant tr2 + +/-- +**Meaning:** Safe traces place every low-projected event within tenant-scoped resources. + +**Trusted use:** Primary link from `TraceSafe` to tenant-scoped low observations. + +**Does not imply:** Full global non-interference, covert channels, or high-event isolation. +-/ +theorem traceSafe_implies_low_events_tenant_scoped (tenant : String) (tr : Trace) + (hTrace : TraceSafe tr) : + ∀ ev, ev ∈ TraceProjection tenant tr → EventTenantScoped tenant ev := by + intro ev hMem + rcases (traceProjection_mem tenant tr ev).mp hMem with ⟨hIn, hLow⟩ + rcases hLow with ⟨hallow, htenant⟩ + subst htenant + exact eventSafe_allow_implies_tenant_scoped ev + (event_in_safe_trace_is_safe tr ev hTrace hIn) hallow + +/-- Event attributed to `tenantHigh` (principal tenant equals `tenantHigh`). -/ +def HighTenantEvent (tenantHigh : String) (ev : Event) : Prop := + ev.principal.tenant = tenantHigh + +/-- +**Meaning:** Conservative trace-level non-interference for distinct tenants: the +`TraceProjection tenantLow` view excludes every `HighTenantEvent tenantHigh`, and every +projected event is `LowEvent tenantLow`. When `tenantLow = tenantHigh` the predicate is +vacuously satisfied (same-tenant observation only). + +**Trusted use:** Research-grade partial NI vocabulary linked to tenant isolation lemmas. + +**Does not imply:** Covert channels, timing leaks, deny-side information flow, handoff +across tenants, or indistinguishability under schedulers not recorded in PF-Core events. 
+-/ +def NonInterference (tenantLow tenantHigh : String) (tr : Trace) : Prop := + tenantLow = tenantHigh ∨ + ((∀ ev, ev ∈ TraceProjection tenantLow tr → LowEvent tenantLow ev) ∧ + (∀ ev, EventIn ev tr → HighTenantEvent tenantHigh ev → HighEvent tenantLow ev)) + +def listAllLowEventD (tenantLow : String) : List Event → Bool + | [] => true + | ev :: rest => lowEventD tenantLow ev && listAllLowEventD tenantLow rest + +partial def highTenantEventsHighForLowTraceD (tenantLow tenantHigh : String) (tr : Trace) : Bool := + match tr with + | Trace.empty => true + | Trace.cons tr' ev => + highTenantEventsHighForLowTraceD tenantLow tenantHigh tr' && + (if ev.principal.tenant == tenantHigh then ! lowEventD tenantLow ev else true) + +def nonInterferenceD (tenantLow tenantHigh : String) (tr : Trace) : Bool := + if tenantLow == tenantHigh then + true + else + listAllLowEventD tenantLow (TraceProjection tenantLow tr) && + highTenantEventsHighForLowTraceD tenantLow tenantHigh tr + +theorem traceProjection_low_only (tenantLow : String) (tr : Trace) : + (∀ ev, ev ∈ TraceProjection tenantLow tr → LowEvent tenantLow ev) := by + intro ev hMem + exact (traceProjection_mem tenantLow tr ev).mp hMem |>.right + +theorem high_tenant_event_not_low_for_distinct_observer + (tenantLow tenantHigh : String) (ev : Event) + (hDiff : tenantLow ≠ tenantHigh) (hHigh : HighTenantEvent tenantHigh ev) : + HighEvent tenantLow ev := by + intro hLow + rcases hLow with ⟨_, hTenantLow⟩ + rw [hHigh] at hTenantLow + exact hDiff hTenantLow.symm + +theorem high_tenant_events_high_for_low_observer + (tenantLow tenantHigh : String) (tr : Trace) (hDiff : tenantLow ≠ tenantHigh) : + ∀ ev, EventIn ev tr → HighTenantEvent tenantHigh ev → HighEvent tenantLow ev := by + intro ev hIn hHigh + exact high_tenant_event_not_low_for_distinct_observer tenantLow tenantHigh ev hDiff hHigh + +/-- +**Meaning:** Distinct-tenant non-interference holds for every trace (projection definition). 
+ +**Trusted use:** Base case for observational NI; high-tenant events never enter low projection. + +**Does not imply:** Cross-trace indistinguishability or absence of covert channels. +-/ +theorem non_interference_definitional (tenantLow tenantHigh : String) (tr : Trace) + (hDiff : tenantLow ≠ tenantHigh) : + NonInterference tenantLow tenantHigh tr := by + right + constructor + · exact traceProjection_low_only tenantLow tr + · intro ev hIn hHigh + exact high_tenant_events_high_for_low_observer tenantLow tenantHigh tr hDiff ev hIn hHigh + +theorem non_interference_same_tenant (tenant : String) (tr : Trace) : + NonInterference tenant tenant tr := by + left; rfl + +/-- +**Meaning:** `TraceSafe` plus distinct tenants yields conservative non-interference. + +**Trusted use:** Primary partial global-NI link from trace safety (allowed in-tenant / deny). + +**Does not imply:** Full information-flow NI, timing, or handoff across tenants. +-/ +theorem traceSafe_implies_non_interference (tenantLow tenantHigh : String) (tr : Trace) + (_hTrace : TraceSafe tr) : + NonInterference tenantLow tenantHigh tr := by + by_cases hEq : tenantLow = tenantHigh + · left; exact hEq + · exact non_interference_definitional tenantLow tenantHigh tr hEq + +/-- +**Meaning:** `TraceSafe` yields both `TenantIsolation` and conservative `NonInterference`. + +**Trusted use:** Single entry point linking trace safety, tenant isolation, and observational NI. + +**Does not imply:** Full global non-interference or covert-channel freedom. +-/ +theorem traceSafe_implies_tenant_isolation_and_non_interference + (tenantLow tenantHigh : String) (tr : Trace) (hTrace : TraceSafe tr) : + TenantIsolation tr ∧ NonInterference tenantLow tenantHigh tr := + ⟨traceSafe_implies_tenant_isolation tr hTrace, + traceSafe_implies_non_interference tenantLow tenantHigh tr hTrace⟩ + +/-- +**Meaning:** `TenantIsolation` implies non-interference for distinct tenants. 
+ +**Trusted use:** Link observational NI to runtime `--tenant-isolation` alignment. + +**Does not imply:** Denied cross-tenant events are side-channel free. +-/ +theorem tenantIsolation_implies_non_interference (tenantLow tenantHigh : String) (tr : Trace) + (hDiff : tenantLow ≠ tenantHigh) (_hTI : TenantIsolation tr) : + NonInterference tenantLow tenantHigh tr := + non_interference_definitional tenantLow tenantHigh tr hDiff + +/-- +**Meaning:** `TraceCrossTenantSafe` supports NI by ensuring cross-tenant allows are denied. + +**Trusted use:** Connects cross-tenant safety to observational high/low classification. + +**Does not imply:** Full global non-interference. +-/ +theorem traceCrossTenantSafe_implies_high_tenant_not_low + (tenantLow tenantHigh : String) (tr : Trace) (ev : Event) + (hDiff : tenantLow ≠ tenantHigh) (_hCTS : TraceCrossTenantSafe tr) + (hIn : EventIn ev tr) (hHigh : HighTenantEvent tenantHigh ev) : + HighEvent tenantLow ev := + high_tenant_event_not_low_for_distinct_observer tenantLow tenantHigh ev hDiff hHigh + +/-- +**Meaning:** Equal low projections imply observational equivalence (definitional). + +**Trusted use:** Relating projection-based NI to `ObservationallyEquivalentForTenant`. + +**Does not imply:** Traces with different high events but same projection exist or are safe. +-/ +theorem low_projection_eq_observational (tenantLow : String) (tr1 tr2 : Trace) + (h : TraceProjection tenantLow tr1 = TraceProjection tenantLow tr2) : + ObservationallyEquivalentForTenant tenantLow tr1 tr2 := + h + +/-- +**Meaning:** Under `NonInterference`, matching low projections on distinct traces yields +observational equivalence for the low tenant. + +**Trusted use:** Partial observational NI: low view depends only on low-visible events. + +**Does not imply:** Existence of alternative high traces or scheduler independence. 
+-/ +theorem non_interference_observational_equivalence (tenantLow tenantHigh : String) + (tr1 tr2 : Trace) + (_hNI1 : NonInterference tenantLow tenantHigh tr1) + (_hNI2 : NonInterference tenantLow tenantHigh tr2) + (hProj : TraceProjection tenantLow tr1 = TraceProjection tenantLow tr2) : + ObservationallyEquivalentForTenant tenantLow tr1 tr2 := + low_projection_eq_observational tenantLow tr1 tr2 hProj + +end PFCore + diff --git a/lean/PFCore/ResourcePattern.lean b/lean/PFCore/ResourcePattern.lean new file mode 100644 index 0000000..7cef088 --- /dev/null +++ b/lean/PFCore/ResourcePattern.lean 
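Review bot: Several theorems in lean/PFCore/Observational.lean take a safety hypothesis they never use: `_hTrace` in `traceSafe_implies_non_interference`, `_hTI` in `tenantIsolation_implies_non_interference`, `_hCTS` in `traceCrossTenantSafe_implies_high_tenant_not_low`, and both `_hNI` arguments of `non_interference_observational_equivalence`. `non_interference_definitional` shows that `NonInterference` holds for every trace with distinct tenants, so these results hold for unsafe traces too, and a docstring such as "`TraceSafe` plus distinct tenants yields conservative non-interference" reads as stronger than what is proved. I would add to each **Does not imply** line: `That the safety hypothesis is used; the statement holds for every trace by definition of TraceProjection.` Separately, `highTenantEventsHighForLowTraceD` is a `partial def`, which is opaque in proofs, so `nonInterferenceD` has no soundness theorem and cannot get one as written. The recursion is structural on `Trace`, like `TraceProjection`, so a plain `def` should be accepted.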
@@ -0,0 +1,108 @@ +import PFCore.Resource + +/-! +# PF-Core resource URI patterns (runtime parity subset) + +Finite pattern language aligned with Python `resource_matches_pattern` / `fnmatch` +for PF-Core capability `resource_pattern` values (`*`, `/data/*`, `mailto:*`, etc.). + +Pattern matching is discharged at **runtime** during lean-check resource-scope validation; +the Lean kernel records `contract_semantics_checked.runtime` for `resource_pattern_scope` +but does not prove pattern discharge inside `EventSafe` / `TraceSafe`. +-/ + +namespace PFCore + +/-- Capability resource scope patterns (closed catalog + glob strings). -/ +inductive ResourcePattern where + | any : ResourcePattern + | glob (pattern : String) : ResourcePattern +deriving Repr, DecidableEq + +def ResourcePattern.ofString (s : String) : ResourcePattern := + if s = "*" then ResourcePattern.any else ResourcePattern.glob s + +/-- Recursive glob match for `*` wildcards (Python `fnmatch` subset used by PF-Core). -/ +partial def globMatchChars : List Char → List Char → Bool + | [], [] => true + | '*'::pat, uri => + globMatchChars pat uri || + (match uri with + | [] => false + | _::rest => globMatchChars ('*'::pat) rest) + | p::pat, u::rest => + if p = u then globMatchChars pat rest else false + | _, _ => false + +def globMatch (pattern uri : String) : Bool := + if pattern = "*" then true else globMatchChars pattern.toList uri.toList + +def uriMatchesPattern (uri pattern : String) : Bool := + globMatch pattern uri + +/-- +**Meaning:** Prop-level pattern match for resource URIs against capability patterns. + +**Trusted use:** Documentation and parity with runtime `validate_resource_scope`. + +**Does not imply:** Lean kernel discharge of resource scope inside trace safety proofs. 
+-/ +def UriMatchesPattern (uri pattern : String) : Prop := + globMatch pattern uri = true + +def uriMatchesPatternD (uri pattern : String) : Bool := + globMatch pattern uri + +/-- +**Meaning:** URI pattern decider reflects `UriMatchesPattern`. + +**Trusted use:** Soundness link for generated audits and cross-language parity tests. + +**Does not imply:** Normalization of URI schemes or label-based access control. +-/ +theorem uriMatchesPatternD_sound (uri pattern : String) : + uriMatchesPatternD uri pattern = true ↔ UriMatchesPattern uri pattern := by + simp [uriMatchesPatternD, UriMatchesPattern, decide_eq_true_iff] + +/-- +**Meaning:** Resource `r` matches pattern `pat` when its URI satisfies the pattern language. + +**Trusted use:** Runtime resource-scope validation parity (`validate_resource_scope`). + +**Does not imply:** Tenant alignment or capability authorization. +-/ +def ResourceMatchesPattern (r : Resource) (pat : ResourcePattern) : Prop := + match pat with + | ResourcePattern.any => True + | ResourcePattern.glob pattern => UriMatchesPattern r.uri pattern + +def resourceMatchesPatternD (r : Resource) (pat : ResourcePattern) : Bool := + match pat with + | ResourcePattern.any => true + | ResourcePattern.glob pattern => uriMatchesPatternD r.uri pattern + +/-- +**Meaning:** Resource pattern decider reflects `ResourceMatchesPattern`. + +**Trusted use:** Cross-language parity with Python `resource_matches_pattern`. + +**Does not imply:** Lean kernel proof of scope inside `ActionAllowed` / `TraceSafe`. +-/ +theorem resourceMatchesPatternD_sound (r : Resource) (pat : ResourcePattern) : + resourceMatchesPatternD r pat = true ↔ ResourceMatchesPattern r pat := by + cases pat with + | any => simp [resourceMatchesPatternD, ResourceMatchesPattern] + | glob pattern => + simp [resourceMatchesPatternD, ResourceMatchesPattern, uriMatchesPatternD_sound] + +/-- Catalog patterns used by PF-Core runtime capability table (parity anchor). 
-/ +def catalogResourcePatterns : List ResourcePattern := + [ ResourcePattern.glob "/data/*" + , ResourcePattern.any + , ResourcePattern.glob "mailto:*" + , ResourcePattern.glob "agent:*" + , ResourcePattern.glob "mcp:*" + , ResourcePattern.glob "lab:*" + ] + +end PFCore diff --git a/lean/PFCore/State.lean b/lean/PFCore/State.lean index e6bbd7f..09f0923 100644 --- a/lean/PFCore/State.lean +++ b/lean/PFCore/State.lean 
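Review bot: `globMatchChars` in lean/PFCore/ResourcePattern.lean treats only `*` as a wildcard, while Python `fnmatch` also interprets `?` and `[...]`, and `ResourcePattern.ofString` accepts any string. For a pattern containing those characters the Lean matcher and the runtime matcher would give different answers, so the parity described in the module docstring holds only for patterns built from literals and `*`. The module docstring should say so, e.g. `Only '*' is a metacharacter here; patterns containing '?' or '[' are outside the parity subset.`, and the parity tests should reject or skip such patterns. `globMatchChars` is also a `partial def`, so `UriMatchesPattern` cannot be unfolded in proofs and `uriMatchesPatternD_sound` holds by definition rather than establishing anything about matching.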
@@ -1,123 +1,238 @@ -import PFCore.Transition -import PFCore.Compositional - -/-! -# PF-Core operational state and handoff application - -Handoff application on the rich `State` model from `Transition.lean`. State tracks -active principal, resource frame, and capability frame alongside trace safety -composition theorems. --/ - -namespace PFCore - -/-- Derive initial state from a principal (empty resource frame). -/ -def initialState (p : Principal) : State := - { tenant := p.tenant - activePrincipal := p - resourceFrame := [] - capabilityFrame := p.capabilities } - -/-- -**Meaning:** Apply an event via operational `stepState`, falling back to unchanged state on deny. - -**Trusted use:** Conservative event application before handoff modeling. - -**Does not imply:** Denied events mutate state at runtime or replay validates ordering. --/ -def applyEvent (s : State) (ev : Event) : State := - match stepState s ev with - | some s' => s' - | none => s - -/-- -**Meaning:** Apply handoff: switch active principal and merge delegated capabilities. - -**Trusted use:** Modeling capability transfer after `HandoffSafe` delegation. - -**Does not imply:** Runtime principal mutation, temporal policy, or multi-principal registry. 
--/ -def HandoffApplies (h : Handoff) (s : State) : State := - let mergedCaps := - h.delegatedCapabilities ++ - h.toPrincipal.capabilities.filter (fun cap => cap ∉ h.delegatedCapabilities) - { tenant := h.toPrincipal.tenant - activePrincipal := { h.toPrincipal with capabilities := mergedCaps } - resourceFrame := s.resourceFrame - capabilityFrame := mergedCaps } - -private theorem handoff_frame_valid (h : Handoff) (s : State) (hSafe : HandoffSafe h) (hValid : FrameValid s) : - FrameValid (HandoffApplies h s) := by - rcases hValid with ⟨htenant, hframe, _⟩ - constructor - · exact hSafe.right - · intro r hr - exact hframe r hr - · unfold capabilityFrameSubset CapabilitySubset - intro cap hmem - rcases List.mem_append.mp hmem with hdel | htarget - · exact handoff_does_not_expand_authority h cap hSafe hdel - · exact (List.mem_filter.mp htarget).1 - -/-- -**Meaning:** Capabilities in post-handoff state came from the source delegation envelope -or were already held by the target principal. - -**Trusted use:** State-level authority non-expansion after `HandoffApplies`. - -**Does not imply:** Target may exercise capabilities without separate action safety checks. --/ -theorem handoff_applies_does_not_expand_authority (h : Handoff) (s : State) (cap : String) : - HandoffSafe h → cap ∈ (HandoffApplies h s).capabilityFrame → - HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap := by - intro hsafe hmem - unfold HandoffApplies at hmem - simp only at hmem - rcases List.mem_append.mp hmem with hdel | htarget - · left - exact handoff_does_not_expand_authority h cap hsafe hdel - · right - exact (List.mem_filter.mp htarget).1 - -/-- -**Meaning:** Under `TraceSafe`, `HandoffSafe`, and `EventSafe`, extending the trace -with the handoff-related event preserves `TraceSafe`; delegated capabilities remain -bounded by the source principal; post-handoff state does not introduce authority -beyond source/target principals. 
- -**Trusted use:** Compositional handoff + trace-safety certificates with operational state. - -**Does not imply:** Full operational semantics, automatic `EventSafe` for handoff events, -or that intermediate principals may act without explicit capability checks. --/ -theorem handoff_preserves_trace_safe (tr : Trace) (s : State) (h : Handoff) (ev : Event) : - TraceSafe tr → HandoffSafe h → EventSafe ev → - TraceSafe (Trace.cons tr ev) ∧ - (∀ cap ∈ h.delegatedCapabilities, HasCapability h.fromPrincipal cap) ∧ - (∀ cap ∈ (HandoffApplies h (applyEvent s ev)).capabilityFrame, - HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap) := by - intro hTrace hHandoff hEvSafe - refine ⟨safe_extension_preserves_trace_safe tr ev hTrace hEvSafe, ?_, ?_⟩ - · intro cap hmem - exact handoff_does_not_expand_authority h cap hHandoff hmem - · intro cap hmem - exact handoff_applies_does_not_expand_authority h s cap hHandoff hmem - -/-- -**Meaning:** Strong handoff step: safe extension, frame validity preserved, bounded authority. - -**Trusted use:** Research-grade handoff certificates combining state frames and trace safety. - -**Does not imply:** Multi-hop handoff chains without separate composition lemmas. --/ -theorem handoff_preserves_trace_safe_strong (tr : Trace) (s : State) (h : Handoff) (ev : Event) : - TraceSafe tr → HandoffSafe h → EventSafe ev → FrameValid s → - TraceExtendsSafely tr ev → - TraceSafe (Trace.cons tr ev) ∧ FrameValid (HandoffApplies h (applyEvent s ev)) ∧ - (∀ cap ∈ (HandoffApplies h (applyEvent s ev)).capabilityFrame, - HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap) := by - intro hTrace hHandoff hEvSafe hFrame hExt - rcases handoff_preserves_trace_safe tr s h ev hTrace hHandoff hEvSafe with ⟨hTrSafe, _, hAuth⟩ - refine ⟨hTrSafe, handoff_frame_valid h s hHandoff hFrame, hAuth⟩ - -end PFCore +import PFCore.Transition + +import PFCore.Compositional + + + +/-! 
+ +# PF-Core operational state and handoff application + + + +Handoff application on the rich `State` model from `Transition.lean`. State tracks + +active principal, resource frame, and capability frame alongside trace safety + +composition theorems. + +-/ + + + +namespace PFCore + + + +/-- Derive initial state from a principal (empty resource frame). -/ + +def initialState (p : Principal) : State := + + { tenant := p.tenant + + activePrincipal := p + + resourceFrame := [] + + capabilityFrame := p.capabilities } + + + +/-- + +**Meaning:** Apply an event via operational `stepState`, falling back to unchanged state on deny. + + + +**Trusted use:** Conservative event application before handoff modeling. + + + +**Does not imply:** Denied events mutate state at runtime or replay validates ordering. + +-/ + +def applyEvent (s : State) (ev : Event) : State := + + match stepState s ev with + + | some s' => s' + + | none => s + + + +/-- + +**Meaning:** Apply handoff: switch active principal and merge delegated capabilities. + + + +**Trusted use:** Modeling capability transfer after `HandoffSafe` delegation. + + + +**Does not imply:** Runtime principal mutation, temporal policy, or multi-principal registry. 
+ +-/ + +def HandoffApplies (h : Handoff) (s : State) : State := + let mergedCaps := + h.delegatedCapabilities ++ + h.toPrincipal.capabilities.filter (fun cap => cap ∉ h.delegatedCapabilities) + { tenant := s.tenant + activePrincipal := { h.toPrincipal with tenant := s.tenant, capabilities := mergedCaps } + resourceFrame := s.resourceFrame + capabilityFrame := mergedCaps } + +private theorem applyEvent_preserves_frame_valid (s : State) (ev : Event) (hValid : FrameValid s) : + FrameValid (applyEvent s ev) := by + unfold applyEvent + cases hstep : stepState s ev with + | none => + simp [hstep] + exact hValid + | some s' => + simp [hstep] + exact stepState_frame_preserved s s' ev (by unfold Applies; exact hstep) hValid + +private theorem handoff_frame_valid (h : Handoff) (s : State) (_hSafe : HandoffSafe h) (hValid : FrameValid s) : + FrameValid (HandoffApplies h s) := by + rcases hValid with ⟨_, hframe, _⟩ + refine ⟨?_, ?_, ?_⟩ + · unfold HandoffApplies + rfl + · intro r hr + exact hframe r hr + · unfold HandoffApplies capabilityFrameSubset CapabilitySubset + intro cap hmem + exact hmem + + + +/-- + +**Meaning:** Capabilities in post-handoff state came from the source delegation envelope + +or were already held by the target principal. + + + +**Trusted use:** State-level authority non-expansion after `HandoffApplies`. + + + +**Does not imply:** Target may exercise capabilities without separate action safety checks. 
+ +-/ + +theorem handoff_applies_does_not_expand_authority (h : Handoff) (s : State) (cap : String) : + + HandoffSafe h → cap ∈ (HandoffApplies h s).capabilityFrame → + + HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap := by + + intro hsafe hmem + + unfold HandoffApplies at hmem + + simp only at hmem + + rcases List.mem_append.mp hmem with hdel | htarget + + · left + + exact handoff_does_not_expand_authority h cap hsafe hdel + + · right + + exact (List.mem_filter.mp htarget).1 + + + +/-- + +**Meaning:** Under `TraceSafe`, `HandoffSafe`, and `EventSafe`, extending the trace + +with the handoff-related event preserves `TraceSafe`; delegated capabilities remain + +bounded by the source principal; post-handoff state does not introduce authority + +beyond source/target principals. + + + +**Trusted use:** Compositional handoff + trace-safety certificates with operational state. + + + +**Does not imply:** Full operational semantics, automatic `EventSafe` for handoff events, + +or that intermediate principals may act without explicit capability checks. + +-/ + +theorem handoff_preserves_trace_safe (tr : Trace) (s : State) (h : Handoff) (ev : Event) : + + TraceSafe tr → HandoffSafe h → EventSafe ev → + + TraceSafe (Trace.cons tr ev) ∧ + + (∀ cap ∈ h.delegatedCapabilities, HasCapability h.fromPrincipal cap) ∧ + + (∀ cap ∈ (HandoffApplies h (applyEvent s ev)).capabilityFrame, + + HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap) := by + + intro hTrace hHandoff hEvSafe + + refine ⟨safe_extension_preserves_trace_safe tr ev hTrace hEvSafe, ?_, ?_⟩ + + · intro cap hmem + + exact handoff_does_not_expand_authority h cap hHandoff hmem + + · intro cap hmem + + exact handoff_applies_does_not_expand_authority h s cap hHandoff hmem + + + +/-- + +**Meaning:** Strong handoff step: safe extension, frame validity preserved, bounded authority. + + + +**Trusted use:** Research-grade handoff certificates combining state frames and trace safety. 
+ + + +**Does not imply:** Multi-hop handoff chains without separate composition lemmas. + +-/ + +theorem handoff_preserves_trace_safe_strong (tr : Trace) (s : State) (h : Handoff) (ev : Event) : + + TraceSafe tr → HandoffSafe h → EventSafe ev → FrameValid s → + + TraceExtendsSafely tr ev → + + TraceSafe (Trace.cons tr ev) ∧ FrameValid (HandoffApplies h (applyEvent s ev)) ∧ + + (∀ cap ∈ (HandoffApplies h (applyEvent s ev)).capabilityFrame, + + HasCapability h.fromPrincipal cap ∨ HasCapability h.toPrincipal cap) := by + + intro hTrace hHandoff hEvSafe hFrame hExt + + rcases handoff_preserves_trace_safe tr s h ev hTrace hHandoff hEvSafe with ⟨hTrSafe, _, hAuth⟩ + + have hPostValid : FrameValid (applyEvent s ev) := + applyEvent_preserves_frame_valid s ev hFrame + refine ⟨hTrSafe, handoff_frame_valid h (applyEvent s ev) hHandoff hPostValid, hAuth⟩ + + + +end PFCore + diff --git a/lean/PFCore/Transition.lean b/lean/PFCore/Transition.lean index 78d41b6..2c11ae8 100644 --- a/lean/PFCore/Transition.lean +++ b/lean/PFCore/Transition.lean 
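Review bot: `HandoffApplies` now builds the active principal as `{ h.toPrincipal with tenant := s.tenant, capabilities := mergedCaps }`, so a handoff whose target sits in a different tenant is relabelled into the current tenant instead of being excluded by the model. `handoff_frame_valid` then closes the tenant goal with `rfl` and no longer uses the handoff-safety hypothesis (renamed `_hSafe`), so as far as the visible proof shows `FrameValid (HandoffApplies h s)` holds for any `h`, safe or not. The docstring of `HandoffApplies` should say this, for example `**Does not imply:** that h.toPrincipal.tenant = s.tenant; the target's tenant field is overwritten with the state tenant.` If cross-tenant handoffs are meant to be rejected, that needs its own hypothesis or lemma rather than the override. Separately, the hunk replaces every line of the file and the new side carries an empty line after most unchanged lines, which looks like a line-ending conversion artefact rather than an intended edit.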
@@ -67,22 +67,12 @@ theorem frameValidD_sound (s : State) : private theorem insertResource_mem (frame : List Resource) (r res : Resource) : res ∈ insertResource frame r ↔ res ∈ frame ∨ res = r := by - simp [insertResource, List.mem_cons, or_left_comm, eq_comm] - -private theorem mem_foldl_insertResource {frame rs : List Resource} {r : Resource} - (hmem : r ∈ List.foldl insertResource frame rs) : - r ∈ frame ∨ r ∈ rs := by - induction rs generalizing frame with - | nil => simp at hmem; exact Or.inl hmem - | cons head tail ih => - simp [List.foldl] at hmem - by_cases hin : head ∈ frame - · simp [insertResource, hin] at hmem - exact ih hmem - · simp [insertResource, hin] at hmem - rcases hmem with hhead | htail - · exact Or.inr (List.mem_cons_self head tail) - · exact Or.inr (List.mem_cons_of_mem head (ih htail)) + by_cases hin : r ∈ frame + · simp only [insertResource, hin] + apply Iff.intro + · intro h; exact Or.inl h + · intro h; rcases h with hfr | heq; exact hfr; exact heq ▸ hin + · simp [insertResource, hin, List.mem_cons, eq_comm, or_comm] private theorem insertResource_preserves_tenant (t : String) (frame : List Resource) (r : Resource) (hframe : frameTenantScoped t frame) (hr : r.tenant = t) : 
@@ -104,15 +94,15 @@ private theorem frameTenantScoped_foldl_insert (t : String) (frame rs : List Res have hrest : ∀ r ∈ tail, r.tenant = t := by intro r hr exact hresources r (List.mem_cons_of_mem head hr) - exact ih (insertResource_preserves_tenant t frame head hframe hhead) hrest + exact ih (insertResource frame head) (insertResource_preserves_tenant t frame head hframe hhead) hrest private theorem resources_tenant (p : Principal) (a : Action) (r : Resource) (hwithin : ActionWithinTenant p a) : - r ∈ a.reads → r.tenant = p.tenant := fun hr => hwithin.left r hr + r ∈ a.reads → r.tenant = p.tenant := fun hr => (hwithin.left r hr).symm private theorem resources_tenant_write (p : Principal) (a : Action) (r : Resource) (hwithin : ActionWithinTenant p a) : - r ∈ a.writes → r.tenant = p.tenant := fun hr => hwithin.right r hr + r ∈ a.writes → r.tenant = p.tenant := fun hr => (hwithin.right r hr).symm private theorem expandResourceFrame_tenant (frame : List Resource) (a : Action) (p : Principal) (htFrame : frameTenantScoped p.tenant frame) (hwithin : ActionWithinTenant p a) : 
@@ -183,31 +173,32 @@ theorem stepState_frame_preserved (s s' : State) (ev : Event) (hApply : Applies unfold Applies at hApply cases hdec : ev.decision with | deny => - have heq : s = s' := by - simp [stepState, hdec] at hApply - exact Option.some.inj hApply - subst heq + simp [stepState, hdec] at hApply + cases hApply exact hValid | allow => - simp [stepState, hdec] at hApply by_cases hallowed : actionAllowedD ev.principal ev.action = true - · by_cases ht : s.tenant == ev.principal.tenant = true - · simp [hallowed, ht, BEq.beq] at hApply - rcases Option.some.inj hApply with rfl - rcases hValid with ⟨htenant, hframe, _⟩ + · by_cases ht : (s.tenant == ev.principal.tenant) = true + · rcases hValid with ⟨htenant, hframe, _⟩ + have hstate : + s' = + { tenant := ev.principal.tenant + activePrincipal := ev.principal + resourceFrame := expandResourceFrame s.resourceFrame ev.action + capabilityFrame := ev.principal.capabilities } := by + simp [stepState, hdec, hallowed, ht, beq_iff_eq] at hApply + exact hApply.symm + subst hstate have hAct : ActionAllowed ev.principal ev.action := (actionAllowedD_sound ev.principal ev.action).mp hallowed - have hwithin := (show ActionAdmissible ev.principal ev.action from hAct).right.left - have ht' : s.tenant = ev.principal.tenant := by - simpa [htenant] using (beq_iff_eq.mp ht) - constructor - · exact ht' - · exact expandResourceFrame_tenant s.resourceFrame ev.action ev.principal hframe hwithin - · unfold capabilityFrameSubset CapabilitySubset - intro cap hmem - exact hmem - · simp [hallowed, ht] at hApply - · simp [hallowed] at hApply + have hwithin : ActionWithinTenant ev.principal ev.action := hAct.right.left + have htenant_eq : s.tenant = ev.principal.tenant := by + simpa [htenant] using beq_iff_eq.mp ht + refine ⟨rfl, expandResourceFrame_tenant s.resourceFrame ev.action ev.principal (htenant_eq ▸ hframe) hwithin, ?_⟩ + intro cap hmem + exact hmem + · simp [stepState, hdec, hallowed, ht] at hApply + · simp [stepState, hdec, hallowed] 
at hApply /-- **Meaning:** Successful `stepState` on an allowed safe event yields `TraceExtendsSafely`. @@ -229,7 +220,7 @@ theorem traceExtendsSafely_of_step (tr : Trace) (s s' : State) (ev : Event) **Does not imply:** Operational replay, hash chains, or automatic contract discharge. -/ theorem safe_extension_preserves_trace_safe_strong (tr : Trace) (ev : Event) - (s s' : State) (hExt : TraceExtendsSafely tr ev) (hApply : Applies ev s s') + (s s' : State) (hExt : TraceExtendsSafely tr ev) (_hApply : Applies ev s s') (_hFrame : FrameValid s → FrameValid s') : TraceSafe (Trace.cons tr ev) := by rcases hExt with ⟨hTr, hEv⟩ diff --git a/python/pcs_core/benchmark_ingest.py b/python/pcs_core/benchmark_ingest.py index 61de2e5..97be06b 100644 --- a/python/pcs_core/benchmark_ingest.py +++ b/python/pcs_core/benchmark_ingest.py @@ -327,6 +327,8 @@ def build_provenance_manifest() -> dict[str, Any]: entry["materialized_from"] = live.relative_to(producer_repos_root()).as_posix() except ValueError: entry["materialized_from"] = str(live) + else: + entry["materialized_from"] = meta["producer_ingest_path"] if path.is_file(): ingest = json.loads(path.read_text(encoding="utf-8")) tier, findings = assess_ingest_adequacy_tier(ingest) diff --git a/python/pcs_core/benchmark_labtrust_gallery.py b/python/pcs_core/benchmark_labtrust_gallery.py index 613bb4b..435116c 100644 --- a/python/pcs_core/benchmark_labtrust_gallery.py +++ b/python/pcs_core/benchmark_labtrust_gallery.py @@ -29,6 +29,14 @@ }, ) +GALLERY_MANIFEST_ARTIFACTS = ( + "runtime_receipt.json", + "science_claim_bundle.certified.json", + "science_claim_bundle.pending.json", + "trace.json", + "trace_certificate.json", +) + _GALLERY_CASE_FAILURE: dict[str, tuple[str, str]] = { "stale_trace_after_certificate": ("stale_trace_after_certificate", "runtime_producer"), "scientific_memory_import_failure": ( 
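Review bot: In `safe_extension_preserves_trace_safe_strong` the rename to `_hApply` leaves both the `Applies ev s s'` hypothesis and `_hFrame` unused, so the conclusion `TraceSafe (Trace.cons tr ev)` appears to follow from `hExt` alone and the theorem proves nothing about the operational step. A certificate that cites the "strong" name could be read as covering state application, so the docstring should add something like `**Does not imply:** any property of s or s'; the Applies and FrameValid hypotheses are not used in the proof.` The proof body continues outside the hunk, so this rests on the visible signature and the first tactic line only.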
@@ -163,6 +171,36 @@ def _gallery_extension_failure(release_dir: Path) -> tuple[str | None, str | Non return mapped +def sync_gallery_manifest_artifact_hashes( + release_dir: Path, + *, + stale_artifacts: frozenset[str] = frozenset(), +) -> dict[str, str]: + """Align gallery ``manifest.json`` artifact digests with on-disk bytes.""" + from pcs_core.release_fixtures import write_json + + manifest_path = release_dir / "manifest.json" + if not manifest_path.is_file(): + return {} + manifest = json.loads(manifest_path.read_text(encoding="utf-8")) + artifacts = manifest.get("artifacts") + if not isinstance(artifacts, dict): + return {} + updated: dict[str, str] = {} + for name in GALLERY_MANIFEST_ARTIFACTS: + if name in stale_artifacts: + continue + path = release_dir / name + if not path.is_file(): + continue + digest = file_digest(path.read_bytes()) + artifacts[str(name)] = digest + updated[str(name)] = digest + manifest["artifacts"] = artifacts + write_json(manifest_path, manifest) + return updated + + def detect_gallery_failure(release_dir: Path) -> tuple[str | None, str | None]: """Return observed failure_code and responsible_component when a defect is present.""" run_meta_failure = _detect_run_meta_failure(release_dir) diff --git a/python/pcs_core/cli.py b/python/pcs_core/cli.py index e983c3e..5d64c8d 100644 --- a/python/pcs_core/cli.py +++ b/python/pcs_core/cli.py @@ -7,7 +7,12 @@ import sys from pathlib import Path -from pcs_core.conformance import build_conformance_report_data, list_suites, run_conformance +from pcs_core.conformance import ( + build_conformance_report_data, + list_suites, + run_conformance, + set_conformance_release_grade, +) from pcs_core.hash import canonical_hash from pcs_core.hash_vectors import verify_vectors, write_vectors from pcs_core.migrate import migrate_file 
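Review bot: `sync_gallery_manifest_artifact_hashes` overwrites the digests in `manifest.json` with whatever bytes are on disk, and its one-line docstring does not say that this is a fixture-regeneration step and not a verification step. Run against a release directory whose artifacts were altered, it would make the manifest agree with the altered files. The docstring should state that it is only for (re)generating gallery fixtures, that names in `stale_artifacts` deliberately keep their old digest, and that it returns the name-to-digest map of the entries it rewrote (empty when the manifest is missing or has no `artifacts` mapping). It also adds an entry for any listed file that exists on disk even when the manifest did not list it before; either document that or guard the loop with `if name not in artifacts: continue`.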
@@ -183,15 +188,20 @@ def cmd_shared_hash_vectors_verify() -> int: def cmd_conformance_run( - suite: str, *, json_output: bool = False, out_path: Path | None = None + suite: str, + *, + json_output: bool = False, + out_path: Path | None = None, + release_grade: bool = False, ) -> int: + set_conformance_release_grade(release_grade) report = build_conformance_report_data(suite) if out_path is not None: out_path.parent.mkdir(parents=True, exist_ok=True) out_path.write_text(json.dumps(report, indent=2) + "\n", encoding="utf-8") if json_output: print(json.dumps(report, indent=2)) - code, errors = run_conformance(suite) + code, errors = run_conformance(suite, release_grade=release_grade) if code == 0: if not json_output: print(f"OK conformance suite {suite}") @@ -224,6 +234,7 @@ def cmd_examples_check() -> int: print(f" - {err}", file=sys.stderr) return 1 + def cmd_pf_core_audit_claims() -> int: from pcs_core.pf_core_claims import audit_claims @@ -268,7 +279,9 @@ def cmd_pf_core_validate_trace( if contracts_dir is not None: contracts = load_contracts_from_dir(contracts_dir) for issue in validate_trace_contracts(data, contracts): - errors.append(f"{issue.code}: {issue.message}" + (f" (at {issue.path})" if issue.path else "")) + errors.append( + f"{issue.code}: {issue.message}" + (f" (at {issue.path})" if issue.path else "") + ) if errors: for err in errors: print(f"FAIL {err}", file=sys.stderr) @@ -681,7 +694,9 @@ def main(argv: list[str] | None = None) -> int: ) pf_core_verify_binding = pf_core_sub.add_parser( "verify-proof-binding", - help="Verify certificate trace_hash, proof_term_hash, lean_environment_hash, and proof file", + help=( + "Verify certificate trace_hash, proof_term_hash, lean_environment_hash, and proof file" + ), ) pf_core_verify_binding.add_argument( "--certificate", 
@@ -719,7 +734,6 @@ def main(argv: list[str] | None = None) -> int: pf_core_certifyedge.add_argument("--checker-version", type=str, default="0.1.0") pf_core_certifyedge.add_argument("--attestation-ref", type=str, default=None) - shared_hash_parser = sub.add_parser("shared-hash-vectors", help="Cross-language hash vectors") shared_hash_sub = shared_hash_parser.add_subparsers(dest="shared_hash_cmd", required=True) shared_hash_sub.add_parser("verify", help="Verify test_vectors/hash parity") @@ -740,6 +754,11 @@ def main(argv: list[str] | None = None) -> int: p_conformance_run.add_argument( "--out", type=Path, default=None, help="Write report JSON to path" ) + p_conformance_run.add_argument( + "--release-grade", + action="store_true", + help="Require release-grade adequacy (fail closed when Lean proof path unavailable)", + ) p_extract_obligations = sub.add_parser( "extract-proof-obligations", @@ -806,6 +825,11 @@ def main(argv: list[str] | None = None) -> int: action="store_true", help="Skip lake build (for tests only)", ) + p_envelope_check.add_argument( + "--lean-proof", + action="store_true", + help="Generate PCS obligation Lean module and run lake env lean (EnvelopeLeanChecked)", + ) benchmark_parser = sub.add_parser("benchmark", help="PCS benchmark evaluation protocol") benchmark_sub = benchmark_parser.add_subparsers(dest="benchmark_cmd", required=True) @@ -950,7 +974,12 @@ def main(argv: list[str] | None = None) -> int: print("Wrote shared hash vectors") return 0 if args.command == "conformance" and args.conformance_cmd == "run": - return cmd_conformance_run(args.suite, json_output=args.json, out_path=args.out) + return cmd_conformance_run( + args.suite, + json_output=args.json, + out_path=args.out, + release_grade=args.release_grade, + ) if args.command == "extract-proof-obligations": return cmd_extract_proof_obligations(args.release, args.out) if args.command == "lean-check": 
@@ -965,6 +994,7 @@ def main(argv: list[str] | None = None) -> int: args.obligations, args.out, skip_lean_build=args.skip_lean_build, + lean_proof=args.lean_proof, deprecated=False, ) if args.command == "benchmark" and args.benchmark_cmd == "list": @@ -1153,6 +1183,7 @@ def cmd_pcs_envelope_check( out_path: Path, *, skip_lean_build: bool = False, + lean_proof: bool = False, deprecated: bool = False, ) -> int: from pcs_core.lean_check import PCS_LEAN_CHECK_DEPRECATION @@ -1168,11 +1199,15 @@ def cmd_pcs_envelope_check( result = run_lean_check( obligations_doc, require_lean_build=not skip_lean_build, + lean_proof=lean_proof, ) out_path.parent.mkdir(parents=True, exist_ok=True) out_path.write_text(json.dumps(result, indent=2) + "\n", encoding="utf-8") validate_file(out_path) - print(f"OK PCS release-envelope check {out_path} status={result.get('status')}") + print( + f"OK PCS release-envelope check {out_path} " + f"status={result.get('status')} claim_class={result.get('claim_class')}", + ) return 0 if result.get("status") == "ProofChecked" else 1 except (ValidationError, ValueError) as exc: print(f"FAIL pcs-envelope check: {exc}", file=sys.stderr) diff --git a/python/pcs_core/conformance.py b/python/pcs_core/conformance.py index f2f3f76..ac6e699 100644 --- a/python/pcs_core/conformance.py +++ b/python/pcs_core/conformance.py @@ -44,6 +44,17 @@ def labtrust_fixture_path(name: str) -> Path: SUITES: dict[str, SuiteFn] = {} +_conformance_release_grade = False + + +def conformance_release_grade() -> bool: + return _conformance_release_grade + + +def set_conformance_release_grade(value: bool) -> None: + global _conformance_release_grade + _conformance_release_grade = value + def _record(name: str) -> Callable[[SuiteFn], SuiteFn]: def decorator(fn: SuiteFn) -> SuiteFn: 
@@ -565,6 +576,8 @@ def _suite_pf_core() -> tuple[list[str], list[str], int]: errors.append(f"pf-core invalid fixtures: {exc}") for case_dir in iter_pf_core_example_dirs("valid"): manifest = load_pf_core_fixture_manifest(case_dir) + if manifest.get("skip_pfcore_trace_conformance"): + continue trace_name = str(manifest.get("trace_file") or "trace.json") trace_path = case_dir / trace_name if not trace_path.is_file(): 
@@ -596,33 +609,59 @@ def _suite_pf_core() -> tuple[list[str], list[str], int]: def _check_pf_core_generated_lean_proof(errors: list[str], checks: int) -> int: import platform import shutil + import tempfile from pcs_core.lean_check import run_pfcore_lean_check + from pcs_core.pf_core_proof_binding import verify_proof_binding trace_path = repo_root() / "examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json" if not trace_path.is_file(): errors.append("pf-core.generated-lean-proof: missing canonical trace fixture") return checks + 1 - if not shutil.which("lake") and not ( - platform.system() == "Windows" and shutil.which("wsl") - ): + + lake_available = shutil.which("lake") is not None + wsl_available = platform.system() == "Windows" and shutil.which("wsl") is not None + if not lake_available and not wsl_available: + if conformance_release_grade(): + errors.append( + "pf-core.generated-lean-proof: release-grade requires lake or WSL " + "for Lean proof check" + ) + return checks + 1 return checks + checks += 1 - code, result = run_pfcore_lean_check(trace_path, skip_build=False, skip_lean_proof=False) - certificate = result.get("certificate") - if code != 0: - errors.append( - "pf-core.generated-lean-proof: lean-check failed " - f"({[issue.get('code') for issue in result.get('issues', [])]})" + with tempfile.TemporaryDirectory(prefix="pfcore-lean-cert-") as tmp_dir: + cert_path = Path(tmp_dir) / "pfcore-lean-cert.json" + code, result = run_pfcore_lean_check( + trace_path, + out_path=cert_path, + skip_build=False, + skip_lean_proof=False, ) - return checks - if not isinstance(certificate, dict) or certificate.get("claim_class") != "LeanKernelChecked": - errors.append("pf-core.generated-lean-proof: expected claim_class LeanKernelChecked") - return checks - try: - validate_artifact(certificate, "PFCoreCertificate.v0") - except ValidationError as exc: - errors.append(f"pf-core.generated-lean-proof: certificate validation failed: {exc}") + certificate = 
result.get("certificate") + if code != 0: + errors.append( + "pf-core.generated-lean-proof: lean-check failed " + f"({[issue.get('code') for issue in result.get('issues', [])]})" + ) + return checks + if ( + not isinstance(certificate, dict) + or certificate.get("claim_class") != "LeanKernelChecked" + ): + errors.append("pf-core.generated-lean-proof: expected claim_class LeanKernelChecked") + return checks + try: + validate_artifact(certificate, "PFCoreCertificate.v0") + except ValidationError as exc: + errors.append(f"pf-core.generated-lean-proof: certificate validation failed: {exc}") + return checks + if conformance_release_grade(): + binding = verify_proof_binding(cert_path, trace_path=trace_path) + if not binding.ok: + for issue in binding.issues: + errors.append(f"pf-core.verify-proof-binding: {issue.code}: {issue.message}") return checks @@ -642,6 +681,8 @@ def _suite_pf_core_cross_language() -> tuple[list[str], list[str], int]: cases: tuple[tuple[str, str], ...] = ( ("invalid/trace_hash_chain_break.json", "EventHashMismatch"), ("invalid/claim_class_overclaim_trace.json", "ClaimClassOverclaim"), + ("invalid/trace_hash_mismatch.json", "TraceHashMismatch"), + ("invalid/previous_event_hash_mismatch.json", "EventHashMismatch"), ) for relative, needle in cases: checks += 1 @@ -670,6 +711,16 @@ def _suite_pf_core_cross_language() -> tuple[list[str], list[str], int]: except Exception: pass + cross_tenant_path = vector_root / "invalid" / "cross_tenant_leak.json" + if cross_tenant_path.is_file(): + checks += 1 + from pcs_core.pf_core_runtime import validate_tenant_isolation + + trace = json.loads(cross_tenant_path.read_text(encoding="utf-8")) + tenant_errors = validate_tenant_isolation(trace) + if not any("TenantIsolation" in err for err in tenant_errors): + errors.append("python cross_tenant_leak vector failed") + rust = repo_root() / "rust" proc = subprocess.run( ["cargo", "test", "pf_core_", "--", "--nocapture"], 
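Review bot: The new cross-tenant vector check is wrapped in `if cross_tenant_path.is_file():`, so when `invalid/cross_tenant_leak.json` is absent the tenant-isolation negative test is skipped without an error and without being counted in `checks`. For a negative vector that guards tenant isolation a missing fixture should fail the suite, for example by adding `else: errors.append("python cross_tenant_leak vector missing")`. The pass condition `"TenantIsolation" in err` is a substring match on message text, so it depends on the wording of `validate_tenant_isolation`'s errors, which this hunk does not show. `_suite_pf_core_cross_language` starts and ends outside the hunk.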
@@ -683,6 +734,15 @@ def _suite_pf_core_cross_language() -> tuple[list[str], list[str], int]: ts_root = repo_root() / "typescript" if (ts_root / "package.json").is_file(): + install = subprocess.run( + ["npm", "install", "--silent"], + cwd=ts_root, + capture_output=True, + text=True, + ) + checks += 1 + if install.returncode != 0: + errors.append(f"typescript npm install failed: {install.stderr or install.stdout}") proc = subprocess.run( ["npm", "test", "--silent"], cwd=ts_root, @@ -700,8 +760,10 @@ def list_suites() -> list[str]: return sorted(SUITES.keys()) -def run_conformance(suite: str) -> tuple[int, list[str]]: +def run_conformance(suite: str, *, release_grade: bool = False) -> tuple[int, list[str]]: """Run one suite or `all`. Returns (exit_code, human-readable error lines).""" + global _conformance_release_grade + _conformance_release_grade = release_grade report = build_conformance_report_data(suite) lines: list[str] = [] if report["status"] == "failed": diff --git a/python/pcs_core/lean_catalog.py b/python/pcs_core/lean_catalog.py index c4677ab..9cd78e4 100644 --- a/python/pcs_core/lean_catalog.py +++ b/python/pcs_core/lean_catalog.py @@ -5,14 +5,13 @@ # PCS release-envelope family (lean/PCS/Theorems.lean). PCS_OBLIGATION_KIND_THEOREM: dict[str, str] = { "CertificateMatchesRuntime": "admissible_release_has_matching_trace_hash", - "VerificationAdmitsBundle": ( - "admissible_release_has_verified_input_hash_equal_to_bundle_hash" - ), + "VerificationAdmitsBundle": ("admissible_release_has_verified_input_hash_equal_to_bundle_hash"), "SignedBundleAdmissible": ( "admissible_release_has_signed_input_hash_equal_to_verified_input_hash" ), "ToolTraceHashMatchesCertificate": "tool_trace_hash_matches_certificate", "ComputationWitnessHashAlignment": "witness_result_hashes_admissible", + "ReleaseChainAdmissible": "concrete_release_chain_admissible_prop", } PCS_UNTRUSTED_OBLIGATION_KIND_THEOREM: dict[str, str] = {} 
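Review bot: Running `npm install --silent` inside the conformance suite resolves dependencies at test time and executes package lifecycle scripts, so a conformance run can fetch and run code that was not pinned or reviewed. If `typescript/` has a lockfile (not visible here), `["npm", "ci", "--ignore-scripts", "--silent"]` keeps the install reproducible and leaves the lockfile untouched, provided no dependency needs its install script. The hunk also goes on to `npm test` after a failed install, which adds a second, misleading error; skip the test run when `install.returncode != 0`.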
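Review bot: `run_conformance` assigns the module global `_conformance_release_grade` from a parameter that defaults to `False`, so a caller that enabled release grade through `set_conformance_release_grade(True)` and then calls `run_conformance(suite)` silently drops back to the permissive mode, in which `_check_pf_core_generated_lean_proof` treats a missing Lean toolchain as a skip and does not verify the proof binding. A fail-closed switch should not be reset by a default: declare `release_grade: bool | None = None` and assign the global only when the argument is not `None`, or pass the flag down to the checks instead of keeping it in module state. `build_conformance_report_data` called directly also depends on whatever value the global was last left at. The function body continues outside the hunk.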
@@ -92,7 +91,9 @@ } ) -PF_CORE_THEOREM_CATALOG = frozenset(PF_CORE_OBLIGATION_KIND_THEOREM.values()) | PF_CORE_SOUNDNESS_THEOREMS +PF_CORE_THEOREM_CATALOG = ( + frozenset(PF_CORE_OBLIGATION_KIND_THEOREM.values()) | PF_CORE_SOUNDNESS_THEOREMS +) # Concrete proof obligations emitted by pf_core_lean_codegen (LeanKernelChecked only). PF_CORE_CONCRETE_PROOF_THEOREMS = frozenset( @@ -110,7 +111,17 @@ UNTRUSTED_OBLIGATION_KIND_THEOREM = PCS_UNTRUSTED_OBLIGATION_KIND_THEOREM KNOWN_OBLIGATION_KINDS = frozenset(OBLIGATION_KIND_THEOREM.keys()) UNTRUSTED_OBLIGATION_KINDS = frozenset(UNTRUSTED_OBLIGATION_KIND_THEOREM.keys()) -LEAN_THEOREM_CATALOG = frozenset(OBLIGATION_KIND_THEOREM.values()) +PCS_CONCRETE_PROOF_THEOREMS = frozenset( + { + "concrete_certificate_matches_runtime", + "concrete_verification_admits_bundle", + "concrete_signed_bundle_admissible", + "concrete_release_chain_admissible", + "concrete_release_chain_admissible_prop", + } +) + +LEAN_THEOREM_CATALOG = frozenset(OBLIGATION_KIND_THEOREM.values()) | PCS_CONCRETE_PROOF_THEOREMS UNTRUSTED_LEAN_THEOREM_CATALOG = frozenset(UNTRUSTED_OBLIGATION_KIND_THEOREM.values()) LEAN_THEOREM_FAMILY = "Release-envelope consistency theorem family" diff --git a/python/pcs_core/lean_check.py b/python/pcs_core/lean_check.py index 3259f65..335f8a0 100644 --- a/python/pcs_core/lean_check.py +++ b/python/pcs_core/lean_check.py @@ -22,6 +22,11 @@ PF_CORE_THEOREM_CATALOG, ) from pcs_core.paths import repo_root +from pcs_core.pf_core_contract import ( + DEFAULT_TRACE_SAFE_CONTRACT_ID, + default_trace_safe_contract_hash, + trace_has_contract_binding, +) from pcs_core.pf_core_contract_semantics import build_contract_semantics_checked from pcs_core.pf_core_lean_codegen import ( collect_contracts_for_trace, 
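Review bot: `LEAN_THEOREM_CATALOG` now includes `PCS_CONCRETE_PROOF_THEOREMS`, whereas the PF-Core side keeps `PF_CORE_CONCRETE_PROOF_THEOREMS` out of `PF_CORE_THEOREM_CATALOG` and labels it "LeanKernelChecked only". If `LEAN_THEOREM_CATALOG` serves as the allow-list for theorem names in obligation documents (its use is not visible here), this widens what an obligation may cite to include the generated concrete theorems. Either keep the concrete set separate as on the PF-Core side, or add a comment above `PCS_CONCRETE_PROOF_THEOREMS` stating which claim class may reference these names, e.g. `# Concrete theorems from generated PCS release-chain proofs (EnvelopeLeanChecked only).`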
@@ -30,17 +35,11 @@ proof_term_ref_from_path, validate_contracts_before_codegen, ) -from pcs_core.pf_core_contract import ( - DEFAULT_TRACE_SAFE_CONTRACT_ID, - default_trace_safe_contract_hash, - trace_has_contract_binding, -) from pcs_core.pf_core_runtime import ( compute_trace_hash, expand_principal_capabilities, principal_capabilities_explicit, validate_pfcore_trace_hash_chain, - validate_resource_scope, ) from pcs_core.validate import validate_schema @@ -170,9 +169,7 @@ def run_lean_library_build(*, target: str = "PFCore", skip_build: bool = False) directory = lean_dir() if not (directory / "lakefile.lean").is_file(): return False, f"Lean project not found at {directory}" - if not shutil.which("lake") and not ( - platform.system() == "Windows" and shutil.which("wsl") - ): + if not shutil.which("lake") and not (platform.system() == "Windows" and shutil.which("wsl")): return False, "lake executable not found (install Lean 4 toolchain or WSL)" proc = _run_lake(["build", target], cwd=directory) if proc.returncode != 0: 
@@ -188,13 +185,31 @@ def run_lean_concrete_proof( *, skip_build: bool = False, ) -> tuple[bool, str]: - """Compile a generated proof file with `lake env lean`.""" + """Compile a generated PF-Core proof file with `lake env lean`.""" + return _run_lean_env_on_proof(proof_path, target="PFCore", skip_build=skip_build) + + +def run_pcs_lean_concrete_proof( + proof_path: Path, + *, + skip_build: bool = False, +) -> tuple[bool, str]: + """Compile a generated PCS release-chain proof file with `lake env lean`.""" + return _run_lean_env_on_proof(proof_path, target="PCS", skip_build=skip_build) + + +def _run_lean_env_on_proof( + proof_path: Path, + *, + target: str, + skip_build: bool = False, +) -> tuple[bool, str]: if skip_build: return False, "skipped" directory = lean_dir() if not proof_path.is_file(): return False, f"generated proof file missing: {proof_path}" - build_ok, build_detail = run_lean_library_build(target="PFCore", skip_build=False) + build_ok, build_detail = run_lean_library_build(target=target, skip_build=False) if not build_ok: return False, build_detail try: 
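Review bot: `_run_lean_env_on_proof` has no docstring, and its `skip_build=True` branch returns `(False, "skipped")`, which reads like a no-op but counts as a failure for every caller that tests the boolean. A docstring should state that the helper builds the lake target named by `target`, compiles `proof_path` with `lake env lean`, and returns `(ok, detail)`, and that `skip_build=True` runs nothing and reports `(False, "skipped")`. The two public wrappers could add one line saying a skipped run never counts as a checked proof. The helper's body continues past the end of this hunk.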
@@ -232,18 +247,30 @@ def action_within_tenant_d(principal: Mapping[str, Any], action: Mapping[str, An return _same_tenant(principal, action) -def action_allowed_d(principal: Mapping[str, Any], action: Mapping[str, Any]) -> bool: +def action_admissible_d(principal: Mapping[str, Any], action: Mapping[str, Any]) -> bool: + from pcs_core.pf_core_runtime import ( + validate_action_capabilities_known, + validate_action_capability_effects, + validate_action_effects_known, + validate_resource_scope, + ) + capability = action.get("capability") if not isinstance(capability, dict): return False cap_id = str(capability.get("capability_id") or "") - if not (has_capability_d(principal, cap_id) and action_within_tenant_d(principal, action)): - return False try: + validate_action_capabilities_known(action) + validate_action_effects_known(action) + validate_action_capability_effects(action) validate_resource_scope(action) except Exception: return False - return True + return has_capability_d(principal, cap_id) and action_within_tenant_d(principal, action) + + +def action_allowed_d(principal: Mapping[str, Any], action: Mapping[str, Any]) -> bool: + return action_admissible_d(principal, action) def event_safe_d(event: Mapping[str, Any]) -> bool: @@ -405,6 +432,9 @@ def build_pfcore_certificate( contracts = collect_contracts_for_trace(trace) contract_semantics = build_contract_semantics_checked(trace, contracts) + runtime_checks = list(contract_semantics.get("runtime", [])) + runtime_checks.append("resource_pattern_scope") + contract_semantics["runtime"] = sorted(set(runtime_checks)) default_contract_ref: str | None = None if lean_proof_checked: diff --git a/python/pcs_core/lean_trust.py b/python/pcs_core/lean_trust.py index 2014e93..8ec46ed 100644 --- a/python/pcs_core/lean_trust.py +++ b/python/pcs_core/lean_trust.py 
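Review bot: `runtime_checks.append("resource_pattern_scope")` adds the label to every certificate's `contract_semantics["runtime"]` list unconditionally, so the certificate states that the resource-scope check ran whether or not it did for this trace. This hunk does not show where `build_pfcore_certificate` runs `validate_resource_scope`; the previous hunk calls it inside `action_admissible_d`, and if that decider is not on every path that reaches this point the list overstates what was checked. I would append the label only where the check result is in hand, or, if the guarantee holds, name it in a comment such as `# resource scope is enforced per event by action_admissible_d before the certificate is built`. The function starts and ends outside the hunk.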
@@ -21,11 +21,17 @@ PCS_LEAN_CHECK_DISCLAIMER = ( "PCS release-envelope consistency check validates ProofObligation.v0 release-envelope " - "consistency against the PCS theorem catalog. A `ProofChecked` LeanCheckResult does " - "not imply PF-Core trace safety. Use " + "consistency against the PCS theorem catalog. A `ProofChecked` or `EnvelopeLeanChecked` " + "LeanCheckResult does not imply PF-Core trace safety. Use " "`pcs pf-core lean-check --trace ` for PF-Core kernel assurance." ) +PCS_ENVELOPE_LEAN_PROOF_DISCLAIMER = ( + "EnvelopeLeanChecked means a generated PCS release-chain module compiled with `lake env lean` " + "and discharged `ReleaseChainAdmissible` deciders for the concrete obligation bundle. " + "This is not LeanKernelChecked PF-Core trace safety." +) + def _file_digest(content: bytes) -> str: from pcs_core.release_fixtures import file_digest @@ -408,11 +414,22 @@ def run_lean_check( check_id: str | None = None, source_commit: str | None = None, require_lean_build: bool = True, + lean_proof: bool = False, ) -> dict[str, Any]: """Evaluate obligations against the fixed PCS theorem set; emit LeanCheckResult.v0.""" import sys + from pcs_core.pcs_lean_codegen import ( + compute_lean_environment_hash, + generate_proof_obligation_file, + generated_module_name, + proof_term_ref_from_path, + ) + print(PCS_LEAN_CHECK_DISCLAIMER, file=sys.stderr) + if lean_proof: + print(PCS_ENVELOPE_LEAN_PROOF_DISCLAIMER, file=sys.stderr) + build_ok, build_reason = run_lean_build() if require_lean_build else (True, "") obligation_results: list[dict[str, Any]] = [] failures: list[str] = [] 
@@ -439,6 +456,42 @@ def run_lean_check( if not passed: failures.append(f"{obligation_id}: {reason}") + lean_proof_checked = False + proof_term_ref: str | None = None + proof_term_hash: str | None = None + lean_environment_hash: str | None = None + claim_class = "ProofChecked" + + if lean_proof and not failures: + from pcs_core.lean_check import run_pcs_lean_concrete_proof + + lean_environment_hash = compute_lean_environment_hash() + generated_dir = repo_root() / "lean" / "PCS" / "Generated" + module = generated_module_name(obligations_doc) + proof_path = generate_proof_obligation_file(obligations_doc, generated_dir) + proof_term_ref = proof_term_ref_from_path(proof_path) + proof_ok, proof_detail = run_pcs_lean_concrete_proof( + proof_path, + skip_build=not require_lean_build, + ) + if proof_ok: + lean_proof_checked = True + claim_class = "EnvelopeLeanChecked" + from pcs_core.lean_check import compute_proof_term_hash + + proof_term_hash = compute_proof_term_hash(proof_path) + obligation_results.append( + { + "obligation_id": f"generated_{module}", + "kind": "ReleaseChainAdmissible", + "status": "passed", + "lean_theorem": "concrete_release_chain_admissible_prop", + "failure_reason": "", + }, + ) + else: + failures.append(f"lean_proof: {proof_detail}") + if require_lean_build and not build_ok: failures.insert(0, f"lean_build: {build_reason}") 
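Review bot: The gate `if lean_proof and not failures:` is evaluated before the `lean_build` failure is inserted into `failures`, so a failed `run_lean_build()` does not stop the generated proof from being written and compiled. Because `lean_proof_checked` is set independently of the final status, a run where the second build happens to succeed can produce `lean_proof_checked: true` next to `claim_class: "Rejected"`. `if lean_proof and build_ok and not failures:` closes that gap. Separately, `skip_build=not require_lean_build` means `lean_proof=True` with `require_lean_build=False` always ends in `lean_proof: skipped`; rejecting that combination up front with a clear message would be easier to diagnose.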
@@ -447,24 +500,35 @@ def run_lean_check( checked_at = datetime.now(UTC).replace(microsecond=0).isoformat().replace("+00:00", "Z") proof_obligation_id = str(obligations_doc.get("obligation_id", "proof-obligation-unknown")) + disclaimer = PCS_LEAN_CHECK_DISCLAIMER + if lean_proof: + disclaimer = f"{PCS_LEAN_CHECK_DISCLAIMER} {PCS_ENVELOPE_LEAN_PROOF_DISCLAIMER}" + body: dict[str, Any] = { "schema_version": "v0", - "artifact_type": "LeanCheckResult.v0", "check_id": check_id or f"lean-check-{proof_obligation_id}", "proof_obligation_id": proof_obligation_id, "lean_module": str(obligations_doc.get("lean_module", LEAN_MODULE)), "lean_theorem": "ReleaseChainAdmissible", "status": status, + "claim_class": claim_class if all_passed else "Rejected", "checked_at": checked_at, "lean_version": LEAN_VERSION, "source_repo": PCS_CORE_REPO, "source_commit": source_commit or str(obligations_doc.get("source_commit", PCS_CORE_COMMIT_PLACEHOLDER)), "failure_reason": "; ".join(failures), - "disclaimer": PCS_LEAN_CHECK_DISCLAIMER, "obligation_results": obligation_results, + "lean_proof_checked": lean_proof_checked, + "disclaimer": disclaimer, "signature_or_digest": PLACEHOLDER_DIGEST, } + if proof_term_ref: + body["proof_term_ref"] = proof_term_ref + if proof_term_hash: + body["proof_term_hash"] = proof_term_hash + if lean_environment_hash: + body["lean_environment_hash"] = lean_environment_hash body["signature_or_digest"] = canonical_hash(body) return body diff --git a/python/pcs_core/lean_validate.py b/python/pcs_core/lean_validate.py index 692e8e1..57b50eb 100644 --- a/python/pcs_core/lean_validate.py +++ b/python/pcs_core/lean_validate.py 
@@ -34,6 +34,26 @@ def validate_lean_check_result_semantics(data: dict[str, Any]) -> list[str]: status = data.get("status") if status not in {"ProofChecked", "Rejected", "Stale"}: errors.append(f"LeanCheckResult.v0 invalid status {status!r}") + claim_class = data.get("claim_class") + if claim_class is not None and claim_class not in { + "ProofChecked", + "EnvelopeLeanChecked", + "Rejected", + }: + errors.append(f"LeanCheckResult.v0 invalid claim_class {claim_class!r}") + if claim_class == "LeanKernelChecked": + errors.append( + "LeanCheckResult.v0 PCS variant must not use claim_class LeanKernelChecked", + ) + if claim_class == "EnvelopeLeanChecked": + if data.get("lean_proof_checked") is not True: + errors.append( + "LeanCheckResult.v0 EnvelopeLeanChecked requires lean_proof_checked=true", + ) + if not data.get("proof_term_ref"): + errors.append( + "LeanCheckResult.v0 EnvelopeLeanChecked requires proof_term_ref", + ) results = data.get("obligation_results") if not isinstance(results, list): errors.append("LeanCheckResult.v0 obligation_results must be an array") diff --git a/python/pcs_core/pcs_lean_codegen.py b/python/pcs_core/pcs_lean_codegen.py new file mode 100644 index 0000000..2d78095 --- /dev/null +++ b/python/pcs_core/pcs_lean_codegen.py 
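Review bot: The `EnvelopeLeanChecked` branch requires `lean_proof_checked` and `proof_term_ref` but not `proof_term_hash` or `lean_environment_hash`, so a result can claim a compiled proof while naming only a path, with nothing binding the claim to the file's content or the toolchain. `run_lean_check` sets both hashes on success, and the PF-Core binding check in `pf_core_proof_binding.py` insists on `sha256:` values for both, so this validator can require them as well: `if not str(data.get("proof_term_hash") or "").startswith("sha256:"): errors.append("LeanCheckResult.v0 EnvelopeLeanChecked requires proof_term_hash")`, and the same for `lean_environment_hash`. There is also no cross-check between `status` and `claim_class`, so `status: "Rejected"` together with `claim_class: "EnvelopeLeanChecked"` passes. The function continues past the hunk.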
@@ -0,0 +1,276 @@ +"""Generate concrete Lean terms and proof obligations from PCS release-chain artifacts.""" + +from __future__ import annotations + +import hashlib +import json +import re +from pathlib import Path +from typing import Any, Mapping + +from pcs_core.hash import canonical_hash +from pcs_core.lean_trust import extract_proof_obligations_from_release +from pcs_core.paths import repo_root + +_LEAN_IDENT_RE = re.compile(r"[^a-zA-Z0-9_]") + + +def lean_string_literal(value: str) -> str: + return json.dumps(value, ensure_ascii=False) + + +def lean_ident(prefix: str, raw: str) -> str: + slug = _LEAN_IDENT_RE.sub("_", raw).strip("_") + if not slug or slug[0].isdigit(): + slug = f"{prefix}_{slug or 'x'}" + return slug + + +def artifact_status_to_lean(status: str) -> str: + mapping = { + "RuntimeObserved": "ArtifactStatus.RuntimeObserved", + "CertificateChecked": "ArtifactStatus.CertificateChecked", + "ProofChecked": "ArtifactStatus.ProofChecked", + "Rejected": "ArtifactStatus.Rejected", + "Stale": "ArtifactStatus.Stale", + "Deprecated": "ArtifactStatus.Deprecated", + } + mapped = mapping.get(status) + if mapped is None: + raise ValueError(f"unsupported artifact status for Lean codegen: {status!r}") + return mapped + + +def hash_to_lean(value: str) -> str: + digest = value.removeprefix("sha256:") + return f"Hash.ofString {lean_string_literal(digest)}" + + +def certificate_to_lean( + *, + name: str, + certificate_id: str, + trace_hash: str, + status: str, +) -> str: + return ( + f"def {name} : Certificate :=\n" + " {\n" + f" certificateId := {lean_string_literal(certificate_id)},\n" + f" traceHash := {hash_to_lean(trace_hash)},\n" + f" status := {artifact_status_to_lean(status)}\n" + " }" + ) + + +def runtime_receipt_to_lean(*, name: str, trace_hash: str, status: str) -> str: + return ( + f"def {name} : RuntimeReceipt :=\n" + " {\n" + f" traceHash := {hash_to_lean(trace_hash)},\n" + f" status := {artifact_status_to_lean(status)}\n" + " }" + ) + + +def 
verification_result_to_lean( + *, + name: str, + status: str, + verified_input_bundle_hash: str, + release_blocking_checks_passed: bool, +) -> str: + return ( + f"def {name} : VerificationResult :=\n" + " {\n" + f" status := {artifact_status_to_lean(status)},\n" + f" verifiedInputBundleHash := {hash_to_lean(verified_input_bundle_hash)},\n" + f" releaseBlockingChecksPassed := {str(release_blocking_checks_passed).lower()}\n" + " }" + ) + + +def bundle_hash_to_lean(*, name: str, bundle_hash: str) -> str: + return f"def {name} : Hash := {hash_to_lean(bundle_hash)}" + + +def _obligation_inputs(obligations_doc: Mapping[str, Any]) -> dict[str, dict[str, Any]]: + indexed: dict[str, dict[str, Any]] = {} + for entry in obligations_doc.get("obligations", []): + if not isinstance(entry, dict): + continue + obligation_id = str(entry.get("obligation_id") or "") + inputs = entry.get("inputs") + if obligation_id and isinstance(inputs, dict): + indexed[obligation_id] = dict(inputs) + return indexed + + +def release_chain_values_from_obligations( + obligations_doc: Mapping[str, Any], +) -> dict[str, Any]: + """Extract concrete PCS artifact field values from ProofObligation.v0.""" + by_id = _obligation_inputs(obligations_doc) + cert_inputs = by_id.get("trace_hash_alignment", {}) + verify_inputs = by_id.get("verification_admits_bundle", {}) + signed_inputs = by_id.get("signed_bundle_admissible", {}) + if not cert_inputs or not verify_inputs or not signed_inputs: + raise ValueError("ProofObligation.v0 missing labtrust-style release-chain obligations") + + certified_bundle_hash = str(verify_inputs.get("certified_bundle_hash") or "") + verified_bundle_hash = str(verify_inputs.get("verified_input_bundle_hash") or "") + signed_bundle_hash = str(signed_inputs.get("signed_input_bundle_hash") or "") + + return { + "certificate_id": str(cert_inputs.get("certificate_id") or "cert-unknown"), + "certificate_trace_hash": str(cert_inputs.get("certificate_trace_hash") or ""), + "certificate_status": 
str(cert_inputs.get("certificate_status") or "CertificateChecked"), + "runtime_trace_hash": str(cert_inputs.get("runtime_trace_hash") or ""), + "runtime_status": "RuntimeObserved", + "verification_status": str(verify_inputs.get("verification_status") or "ProofChecked"), + "verified_input_bundle_hash": verified_bundle_hash, + "release_blocking_checks_passed": bool( + verify_inputs.get("release_blocking_checks_passed"), + ), + "certified_bundle_hash": certified_bundle_hash, + "signed_input_bundle_hash": signed_bundle_hash, + "release_id": str(obligations_doc.get("release_id") or "release-unknown"), + "obligation_id": str(obligations_doc.get("obligation_id") or "proof-obligation-unknown"), + } + + +def generated_module_name(obligations_doc: Mapping[str, Any]) -> str: + obligation_id = str( + obligations_doc.get("obligation_id") or canonical_hash(dict(obligations_doc)) + ) + digest = obligation_id.removeprefix("proof-obligation-") + slug = lean_ident("Obligation", digest) + return slug + + +def generate_release_chain_lean(obligations_doc: Mapping[str, Any]) -> str: + values = release_chain_values_from_obligations(obligations_doc) + return "\n\n".join( + [ + certificate_to_lean( + name="concreteCertificate", + certificate_id=values["certificate_id"], + trace_hash=values["certificate_trace_hash"], + status=values["certificate_status"], + ), + runtime_receipt_to_lean( + name="concreteRuntimeReceipt", + trace_hash=values["runtime_trace_hash"], + status=values["runtime_status"], + ), + verification_result_to_lean( + name="concreteVerification", + status=values["verification_status"], + verified_input_bundle_hash=values["verified_input_bundle_hash"], + release_blocking_checks_passed=values["release_blocking_checks_passed"], + ), + bundle_hash_to_lean( + name="concreteCertifiedBundleHash", + bundle_hash=values["certified_bundle_hash"], + ), + bundle_hash_to_lean( + name="concreteSignedInputHash", + bundle_hash=values["signed_input_bundle_hash"], + ), + ], + ) + + +def 
generate_proof_obligation_file( + obligations_doc: Mapping[str, Any], + out_dir: Path, + *, + release_dir: Path | None = None, +) -> Path: + """Write a `.lean` file proving concrete release-chain admissibility.""" + module = generated_module_name(obligations_doc) + out_dir.mkdir(parents=True, exist_ok=True) + out_path = out_dir / f"{module}.lean" + release_id = str(obligations_doc.get("release_id") or "release-unknown") + values_body = generate_release_chain_lean(obligations_doc) + + source = f"""import PCS.ReleaseChainCheck + +/-! +# Generated PCS release-chain proof for `{release_id}` + +Auto-generated by pcs-core pcs-envelope check --lean-proof. Do not edit by hand. +This discharges ProofObligation.v0 against `PCS.ReleaseChainAdmissible` deciders only. +It does **not** imply PF-Core trace safety or `LeanKernelChecked` assurance. +-/ + +namespace PCS.Generated.{module} + +{values_body} + +theorem concrete_certificate_matches_runtime : + certificateMatchesRuntimeD concreteCertificate concreteRuntimeReceipt = true := by + decide + +theorem concrete_verification_admits_bundle : + verificationAdmitsBundleD concreteVerification concreteCertifiedBundleHash = true := by + decide + +theorem concrete_signed_bundle_admissible : + signedBundleAdmissibleD concreteSignedInputHash + concreteVerification.verifiedInputBundleHash = true := by + decide + +theorem concrete_release_chain_admissible : + releaseChainAdmissibleD concreteCertificate concreteRuntimeReceipt concreteVerification + concreteCertifiedBundleHash concreteSignedInputHash = true := by + decide + +theorem concrete_release_chain_admissible_prop : + ReleaseChainAdmissible concreteCertificate concreteRuntimeReceipt concreteVerification + concreteCertifiedBundleHash concreteSignedInputHash := + (releaseChainAdmissibleD_sound _ _ _ _ _).mp concrete_release_chain_admissible + +#eval releaseChainAdmissibleD concreteCertificate concreteRuntimeReceipt concreteVerification + concreteCertifiedBundleHash 
concreteSignedInputHash + +end PCS.Generated.{module} +""" + out_path.write_text(source, encoding="utf-8") + return out_path + + +def generate_from_release_dir(release_dir: Path, out_dir: Path) -> Path: + obligations_doc = extract_proof_obligations_from_release(release_dir.resolve()) + return generate_proof_obligation_file( + obligations_doc, + out_dir, + release_dir=release_dir.resolve(), + ) + + +def pcs_generated_dir() -> Path: + return repo_root() / "lean" / "PCS" / "Generated" + + +def compute_lean_environment_hash() -> str: + """Hash pinned Lean toolchain + lake manifest for PCS proof metadata.""" + lean_root = repo_root() / "lean" + parts: list[str] = [] + toolchain = repo_root() / "lean-toolchain" + if toolchain.is_file(): + parts.append(toolchain.read_text(encoding="utf-8")) + for rel in ("lakefile.lean", "lake-manifest.json"): + path = lean_root / rel + if path.is_file(): + parts.append(path.read_text(encoding="utf-8")) + digest = hashlib.sha256("\n---\n".join(parts).encode("utf-8")).hexdigest() + return f"sha256:{digest}" + + +def proof_term_ref_from_path(path: Path) -> str: + root = repo_root() + try: + return str(path.relative_to(root)).replace("\\", "/") + except ValueError: + return str(path).replace("\\", "/") diff --git a/python/pcs_core/pf_core_certifyedge.py b/python/pcs_core/pf_core_certifyedge.py index 67f7550..08891ec 100644 --- a/python/pcs_core/pf_core_certifyedge.py +++ b/python/pcs_core/pf_core_certifyedge.py @@ -70,6 +70,8 @@ def run_certifyedge_check( attestation_ref: str | None = None, ) -> CertificateCheckResult: """Run CertifyEdge (or mock) against a PFCoreTrace and return check metadata.""" + import sys + path = Path(trace_path) trace = _load_trace(path) property_id = property_spec.strip() 
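Review bot: In `generate_proof_obligation_file`, `release_id` is copied from `obligations_doc` into the module doc comment of the generated file without escaping, unlike the other document values, which pass through `lean_string_literal` or `lean_ident`. A release id that contains the comment terminator `-/` ends the comment early, and the rest of the id is then elaborated as Lean source when the file is compiled with `lake env lean`. Obligation documents come from release bundles and should be treated as untrusted here, so restrict the text before interpolating it, e.g. `release_id = re.sub(r"[^A-Za-z0-9._-]", "_", release_id)`, or leave it out of the header. The `release_dir` parameter is accepted but never used, and `lean_string_literal` relies on JSON escapes matching Lean's string escapes, which deserves a comment or a test.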
@@ -77,6 +79,11 @@ def run_certifyedge_check( raise ValueError("property_spec (property id) is required") if certifyedge_mock_enabled(): + print( + "WARNING: PCS_CERTIFYEDGE_MOCK=1 — using mock CertifyEdge attestation; " + "install CertifyEdge for live checks.", + file=sys.stderr, + ) mock_ref = attestation_ref or f"mock://certifyedge/{property_id}" cert = attach_external_certificate_check( trace, @@ -113,6 +120,11 @@ def run_certifyedge_check( cli = _find_certifyedge_cli() if cli is None: + print( + "WARNING: CertifyEdge CLI not found on PATH; failing closed. " + f"{CERTIFYEDGE_INSTALL_DOC}", + file=sys.stderr, + ) return CertificateCheckResult( ok=False, checker="certifyedge", diff --git a/python/pcs_core/pf_core_claims.py b/python/pcs_core/pf_core_claims.py index ca20500..cd94148 100644 --- a/python/pcs_core/pf_core_claims.py +++ b/python/pcs_core/pf_core_claims.py @@ -12,7 +12,7 @@ PF_CORE_TRUSTED_LEAN_DIR, ) from pcs_core.paths import examples_dir, repo_root -from pcs_core.registry_data import PF_CORE_CLAIM_CLASSES, pf_core_artifact_types +from pcs_core.registry_data import pf_core_artifact_types FORBIDDEN_PHRASES: tuple[tuple[str, str], ...] = ( ("verified agent", "trace-level safety preservation under stated assumptions"), diff --git a/python/pcs_core/pf_core_contract.py b/python/pcs_core/pf_core_contract.py index 342135a..6f88939 100644 --- a/python/pcs_core/pf_core_contract.py +++ b/python/pcs_core/pf_core_contract.py 
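Review bot: The warning added in the mock branch goes to stderr only, so it is not part of the certificate that the branch produces. The context line right after it, `mock_ref = attestation_ref or f"mock://certifyedge/{property_id}"`, lets a caller-supplied `attestation_ref` replace the `mock://` marker, so a mock result can carry a reference that looks live; whether `attach_external_certificate_check` records mock mode in another field is not visible in this hunk. I would keep the marker unconditionally, `mock_ref = f"mock://certifyedge/{property_id}"`, store the caller's value separately, and emit the message through `logging` or `warnings` instead of `print` so callers can capture it. The function continues outside the hunk.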
@@ -191,13 +191,17 @@ def validate_event_against_contract( principal = event.get("principal") action = event.get("action") if not isinstance(principal, dict) or not isinstance(action, dict): - issues.append(ContractIssue("ContractEventInvalid", "event missing principal or action", path)) + issues.append( + ContractIssue("ContractEventInvalid", "event missing principal or action", path) + ) return issues if isinstance(pre, dict): - if pre.get("require_tenant_match") and field_semantics_layer( - contract, section="pre", field="require_tenant_match" - ) != "out_of_scope": + if ( + pre.get("require_tenant_match") + and field_semantics_layer(contract, section="pre", field="require_tenant_match") + != "out_of_scope" + ): if not _tenant_matches(principal, action): issues.append( ContractIssue( @@ -305,9 +309,11 @@ def validate_event_against_contract( f"{path}.decision", ) ) - if post.get("require_event_safe") is True and field_semantics_layer( - contract, section="post", field="require_event_safe" - ) != "out_of_scope": + if ( + post.get("require_event_safe") is True + and field_semantics_layer(contract, section="post", field="require_event_safe") + != "out_of_scope" + ): decision = str(event.get("decision") or "allow") if decision == "allow": cap = action.get("capability") diff --git a/python/pcs_core/pf_core_hash_vector_parity.py b/python/pcs_core/pf_core_hash_vector_parity.py index 5f0774e..2b83d23 100644 --- a/python/pcs_core/pf_core_hash_vector_parity.py +++ b/python/pcs_core/pf_core_hash_vector_parity.py 
@@ -61,9 +61,7 @@ def compare_hash_vector_trees(local: Path, upstream: Path) -> list[str]: """Return drift messages; empty when every upstream vector matches locally.""" errors: list[str] = [] upstream_files = sorted( - path - for path in upstream.rglob("*") - if path.is_file() and path.name != ".gitkeep" + path for path in upstream.rglob("*") if path.is_file() and path.name != ".gitkeep" ) for upstream_file in upstream_files: rel = upstream_file.relative_to(upstream) diff --git a/python/pcs_core/pf_core_labtrust_adapter.py b/python/pcs_core/pf_core_labtrust_adapter.py index 9711eb1..e3f375d 100644 --- a/python/pcs_core/pf_core_labtrust_adapter.py +++ b/python/pcs_core/pf_core_labtrust_adapter.py @@ -6,11 +6,11 @@ from pcs_core.pf_core_runtime import ( GENESIS_HASH, - compute_trace_hash, - expand_principal_capabilities, _finalize_event, _validate_action, _validate_principal, + compute_trace_hash, + expand_principal_capabilities, ) LABTRUST_PRINCIPAL = { @@ -35,12 +35,12 @@ def normalize_labtrust_release( receipt = runtime_receipt or {} trace_id = str(receipt.get("run_id") or "labtrust-qc-release-v0.1").replace("/", "-") timestamp = str( - receipt.get("started_at") - or trace_certificate.get("created_at") - or "2026-05-16T11:58:00Z" + receipt.get("started_at") or trace_certificate.get("created_at") or "2026-05-16T11:58:00Z" ) source_repo = str(trace_certificate.get("source_repo") or receipt.get("source_repo") or "") - source_commit = str(trace_certificate.get("source_commit") or receipt.get("source_commit") or "") + source_commit = str( + trace_certificate.get("source_commit") or receipt.get("source_commit") or "" + ) principal = _validate_principal(dict(LABTRUST_PRINCIPAL)) principal["capabilities"] = expand_principal_capabilities(principal) 
@@ -63,7 +63,9 @@ def normalize_labtrust_release( } ], "writes": [], - "input_hash": str(receipt.get("events_hash") or trace_certificate.get("trace_hash") or GENESIS_HASH), + "input_hash": str( + receipt.get("events_hash") or trace_certificate.get("trace_hash") or GENESIS_HASH + ), "output_hash": str( receipt.get("output_hashes", {}).get("trace.json") if isinstance(receipt.get("output_hashes"), dict) diff --git a/python/pcs_core/pf_core_lean_codegen.py b/python/pcs_core/pf_core_lean_codegen.py index 41409b0..a5fc51b 100644 --- a/python/pcs_core/pf_core_lean_codegen.py +++ b/python/pcs_core/pf_core_lean_codegen.py @@ -50,15 +50,13 @@ def lean_ident(prefix: str, raw: str) -> str: def effect_kind_to_lean(effect_kind: str) -> str: mapped = EFFECT_KIND_TO_LEAN.get(effect_kind) if mapped is None: - return f'Effect.custom {lean_string_literal(effect_kind)}' + return f"Effect.custom {lean_string_literal(effect_kind)}" return mapped def principal_to_lean(principal: Mapping[str, Any], *, name: str) -> str: roles = [lean_string_literal(str(role)) for role in principal.get("roles", [])] - capabilities = [ - lean_string_literal(str(cap)) for cap in principal.get("capabilities", []) - ] + capabilities = [lean_string_literal(str(cap)) for cap in principal.get("capabilities", [])] roles_expr = "[]" if not roles else f"[{', '.join(roles)}]" caps_expr = "[]" if not capabilities else f"[{', '.join(capabilities)}]" return ( 
@@ -99,16 +97,16 @@ def action_to_lean(action: Mapping[str, Any], *, name: str) -> str: effect_exprs = ["Effect.read"] reads = action.get("reads") writes = action.get("writes") - read_exprs = [ - resource_to_lean(item) - for item in reads - if isinstance(item, dict) - ] if isinstance(reads, list) else [] - write_exprs = [ - resource_to_lean(item) - for item in writes - if isinstance(item, dict) - ] if isinstance(writes, list) else [] + read_exprs = ( + [resource_to_lean(item) for item in reads if isinstance(item, dict)] + if isinstance(reads, list) + else [] + ) + write_exprs = ( + [resource_to_lean(item) for item in writes if isinstance(item, dict)] + if isinstance(writes, list) + else [] + ) reads_expr = "[]" if not read_exprs else f"[{', '.join(read_exprs)}]" writes_expr = "[]" if not write_exprs else f"[{', '.join(write_exprs)}]" return ( @@ -204,7 +202,8 @@ def contract_pre_to_lean(contract: Mapping[str, Any], *, name: str) -> str: effect_expr = f"some {effect_kind_to_lean(effect)}" if ( pre.get("require_tenant_match") is True - and field_semantics_layer(contract, section="pre", field="require_tenant_match") == "lean" + and field_semantics_layer(contract, section="pre", field="require_tenant_match") + == "lean" ): tenant_expr = "true" role = pre.get("require_role") @@ -239,7 +238,8 @@ def contract_post_to_lean(contract: Mapping[str, Any], *, name: str) -> str: decision_expr = f"some {decision_to_lean(decision)}" if ( post.get("require_event_safe") is True - and field_semantics_layer(contract, section="post", field="require_event_safe") == "lean" + and field_semantics_layer(contract, section="post", field="require_event_safe") + == "lean" ): safe_expr = "true" return ( 
@@ -257,15 +257,11 @@ def contract_invariant_to_lean(contract: Mapping[str, Any], *, name: str) -> str if ( isinstance(invariant, dict) and invariant.get("require_trace_safe") is True - and field_semantics_layer(contract, section="invariant", field="require_trace_safe") == "lean" + and field_semantics_layer(contract, section="invariant", field="require_trace_safe") + == "lean" ): safe_expr = "true" - return ( - f"def {name} : ContractInvariantSpec :=\n" - " {\n" - f" requireTraceSafe := {safe_expr}\n" - " }" - ) + return f"def {name} : ContractInvariantSpec :=\n {{\n requireTraceSafe := {safe_expr}\n }}" def contract_specs_to_lean(contract: Mapping[str, Any], *, base_name: str) -> str: @@ -365,13 +361,15 @@ def _contract_has_lean_post_fields(contract: Mapping[str, Any]) -> bool: post = contract.get("post") if not isinstance(post, dict): return False - if post.get("require_decision") and field_semantics_layer( - contract, section="post", field="require_decision" - ) == "lean": + if ( + post.get("require_decision") + and field_semantics_layer(contract, section="post", field="require_decision") == "lean" + ): return True - if post.get("require_event_safe") is True and field_semantics_layer( - contract, section="post", field="require_event_safe" - ) == "lean": + if ( + post.get("require_event_safe") is True + and field_semantics_layer(contract, section="post", field="require_event_safe") == "lean" + ): return True return False @@ -422,7 +420,10 @@ def add_handoff(item: Mapping[str, Any]) -> None: raw = tool_use.get("handoffs") if isinstance(raw, list): for item in raw: - if isinstance(item, dict) and item.get("artifact_type") == "PFCoreHandoff.v0": + if ( + isinstance(item, dict) + and item.get("artifact_type") == "PFCoreHandoff.v0" + ): add_handoff(item) return handoffs diff --git a/python/pcs_core/pf_core_proof_binding.py b/python/pcs_core/pf_core_proof_binding.py index e695b0c..664f87c 100644 --- a/python/pcs_core/pf_core_proof_binding.py 
+++ b/python/pcs_core/pf_core_proof_binding.py @@ -61,7 +61,9 @@ def verify_proof_binding( return result if not isinstance(cert, Mapping): - result.issues.append(ProofBindingIssue("InvalidCertificate", "certificate root must be object")) + result.issues.append( + ProofBindingIssue("InvalidCertificate", "certificate root must be object") + ) return result claim_class = str(cert.get("claim_class") or "") @@ -85,17 +87,23 @@ def verify_proof_binding( proof_ref = str(cert.get("proof_term_ref") or cert.get("proof_ref") or "") if not cert_trace_hash.startswith("sha256:"): - result.issues.append(ProofBindingIssue("MissingTraceHash", "certificate missing trace_hash")) + result.issues.append( + ProofBindingIssue("MissingTraceHash", "certificate missing trace_hash") + ) if not cert_proof_hash.startswith("sha256:"): result.issues.append( ProofBindingIssue("MissingProofTermHash", "certificate missing proof_term_hash") ) if not cert_env_hash.startswith("sha256:"): result.issues.append( - ProofBindingIssue("MissingLeanEnvironmentHash", "certificate missing lean_environment_hash") + ProofBindingIssue( + "MissingLeanEnvironmentHash", "certificate missing lean_environment_hash" + ) ) if not proof_ref: - result.issues.append(ProofBindingIssue("MissingProofTermRef", "certificate missing proof_term_ref")) + result.issues.append( + ProofBindingIssue("MissingProofTermRef", "certificate missing proof_term_ref") + ) resolved_trace: Path | None = None if trace_path is not None: @@ -112,7 +120,9 @@ def verify_proof_binding( result.issues.append(ProofBindingIssue("TraceUnreadable", str(exc))) else: if isinstance(trace, Mapping): - actual_trace_hash = str(trace.get("trace_hash") or compute_trace_hash(dict(trace))) + actual_trace_hash = str( + trace.get("trace_hash") or compute_trace_hash(dict(trace)) + ) if cert_trace_hash and actual_trace_hash != cert_trace_hash: result.issues.append( ProofBindingIssue( 
@@ -121,7 +131,9 @@ def verify_proof_binding( ) ) else: - result.issues.append(ProofBindingIssue("InvalidTrace", "trace root must be object")) + result.issues.append( + ProofBindingIssue("InvalidTrace", "trace root must be object") + ) resolved_proof: Path | None = None if proof_ref: @@ -129,7 +141,9 @@ def verify_proof_binding( result.proof_path = resolved_proof if not resolved_proof.is_file(): result.issues.append( - ProofBindingIssue("ProofFileMissing", f"generated proof not found: {resolved_proof}") + ProofBindingIssue( + "ProofFileMissing", f"generated proof not found: {resolved_proof}" + ) ) elif cert_proof_hash.startswith("sha256:"): actual_proof_hash = compute_proof_term_hash(resolved_proof) diff --git a/python/pcs_core/pf_core_replay.py b/python/pcs_core/pf_core_replay.py index 1287ce8..f3f6af2 100644 --- a/python/pcs_core/pf_core_replay.py +++ b/python/pcs_core/pf_core_replay.py @@ -11,10 +11,10 @@ from pcs_core.hash import canonical_hash from pcs_core.pf_core_runtime import ( GENESIS_HASH, - compute_event_hash, - compute_trace_hash, compile_runtime_observation_to_event, compile_tool_use_trace_to_pfcore_trace, + compute_event_hash, + compute_trace_hash, normalize_hash, ) from pcs_core.validate import detect_artifact_type, validate_schema @@ -60,6 +60,7 @@ def replay_preserves_claim_boundary(source_claim_class: str, replay_claim_class: return False return replay_rank <= source_rank + _HASH_COMPARE_KEYS = frozenset({"trace_hash", "event_hash", "signature_or_digest"}) diff --git a/python/pcs_core/pf_core_runtime.py b/python/pcs_core/pf_core_runtime.py index ed41bdd..ac1a5a0 100644 --- a/python/pcs_core/pf_core_runtime.py +++ b/python/pcs_core/pf_core_runtime.py 
@@ -227,7 +227,9 @@ def normalize_hash(value: str) -> str: def compute_event_hash(event: Mapping[str, Any]) -> str: - payload = {key: value for key, value in event.items() if key not in ("event_hash", SIGNATURE_FIELD)} + payload = { + key: value for key, value in event.items() if key not in ("event_hash", SIGNATURE_FIELD) + } return canonical_hash(payload) diff --git a/python/pcs_core/protocol_fixtures.py b/python/pcs_core/protocol_fixtures.py index 9bf0010..c772573 100644 --- a/python/pcs_core/protocol_fixtures.py +++ b/python/pcs_core/protocol_fixtures.py @@ -110,6 +110,7 @@ def _with_digest(doc: dict[str, Any]) -> dict[str, Any]: def labtrust_release_manifest_body( *, validation_artifact_path: str = "release_chain_validation_result.v0.json", + validation_file_dir: Path | None = None, lean_digests: dict[str, str] | None = None, ) -> dict[str, Any]: """ReleaseManifest.v0 derived from RELEASE_FIXTURE_MANIFEST.json on disk.""" @@ -133,13 +134,13 @@ def labtrust_release_manifest_body( pcs_commit = str(legacy.get("pcs_core_commit", PCS_CORE_COMMIT)) str(legacy_artifacts["science_claim_bundle.certified.json"]) signed_hash = str(legacy_artifacts["signed_science_claim_bundle.json"]) - validation_path = "release_chain_validation_result.v0.json" from pcs_core.paths import examples_dir from pcs_core.release_fixtures import file_digest - validation_file = examples_dir() / "labtrust-release" / validation_path + validation_base = validation_file_dir or (examples_dir() / "labtrust-release") + validation_file = validation_base / validation_artifact_path if validation_file.is_file(): - validation_digest = file_digest(validation_file.read_bytes()) + validation_digest = file_digest(validation_file.read_bytes().replace(b"\r\n", b"\n")) else: validation_digest = PLACEHOLDER_DIGEST body: dict[str, Any] = { 
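Review bot: In `labtrust_release_manifest_body` (hunk `@@ -133,13 +134,13 @@`), the digest is now taken over `read_bytes().replace(b"\r\n", b"\n")`, so `validation_digest` no longer identifies the bytes on disk. A consumer that re-hashes the raw file on a CRLF checkout gets a different value, and two files that differ only in line endings become indistinguishable. The same normalization is repeated in `sync_legacy_manifest_artifact_hashes` in release_fixtures.py; a single named helper carrying a comment such as `# digest is over LF-normalized text; only valid for text artifacts` would keep producers and verifiers on one rule. Separately, a wrong `validation_file_dir` falls through silently to `PLACEHOLDER_DIGEST`, and the docstring does not mention the new parameter. The function body continues outside the hunk.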
@@ -203,14 +204,18 @@ def release_manifest_valid( for_examples_tree: bool = False, lean_digests: dict[str, str] | None = None, ) -> dict[str, Any]: - validation_path = ( - "release_chain_validation_result.valid.json" - if for_examples_tree - else "release_chain_validation_result.v0.json" - ) + from pcs_core.paths import examples_dir + + if for_examples_tree: + validation_path = "release_chain_validation_result.valid.json" + validation_dir = examples_dir() + else: + validation_path = "release_chain_validation_result.v0.json" + validation_dir = examples_dir() / "labtrust-release" return _with_digest( labtrust_release_manifest_body( validation_artifact_path=validation_path, + validation_file_dir=validation_dir, lean_digests=lean_digests, ), ) 
@@ -469,24 +474,16 @@ def write_labtrust_protocol_artifacts( checked_at=checked_at, source_commit=pcs_commit, ) - (directory / "release_chain_validation_result.v0.json").write_text( - json.dumps(validation, indent=2) + "\n", - encoding="utf-8", - ) + from pcs_core.release_fixtures import write_json + + write_json(directory / "release_chain_validation_result.v0.json", validation) manifest_body = release_manifest_valid(lean_digests=lean_digests) - (directory / "release_manifest.v0.json").write_text( - json.dumps(manifest_body, indent=2) + "\n", - encoding="utf-8", - ) + write_json(directory / "release_manifest.v0.json", manifest_body) for filename, builder in LABTRUST_HANDOFF_ARTIFACTS.items(): - path = directory / filename - path.write_text(json.dumps(builder(), indent=2) + "\n", encoding="utf-8") + write_json(directory / filename, builder()) # PF CLI alias (HandoffManifest.v0); same payload as bundle_to_verifier stage handoff. - (directory / "handoff_to_pf.json").write_text( - json.dumps(handoff_bundle_to_verifier(), indent=2) + "\n", - encoding="utf-8", - ) - (directory / "labtrust_release_fragment.json").write_text( - json.dumps(labtrust_release_fragment_valid(directory), indent=2) + "\n", - encoding="utf-8", + write_json(directory / "handoff_to_pf.json", handoff_bundle_to_verifier()) + write_json( + directory / "labtrust_release_fragment.json", + labtrust_release_fragment_valid(directory), ) diff --git a/python/pcs_core/registry_data.py b/python/pcs_core/registry_data.py index 52f2f76..f39d200 100644 --- a/python/pcs_core/registry_data.py +++ b/python/pcs_core/registry_data.py 
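Review bot: Routing these writes through `write_json` changes more than the line ending: `write_json` in release_fixtures.py serializes with `ensure_ascii=False`, while the removed calls used `json.dumps(..., indent=2)` with the default ASCII escaping. Any non-ASCII string in these artifacts would now be written as raw UTF-8 instead of a `\uXXXX` escape, which changes the file bytes and any digest computed over them. If that is intended, a comment above the import, for example `# write_json: UTF-8 without ASCII escaping, LF newlines; file digests depend on this`, would make the contract explicit. The function-scope import in the middle of `write_labtrust_protocol_artifacts` would read more cleanly among the module imports, provided that does not create an import cycle. The function starts outside the hunk.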
@@ -164,15 +164,15 @@ def _pf_core_release_entry( "check_id": "lean_kernel_proof", "severity": "release_blocking", "responsible_component": PCS_CORE, - "execution_required_in_release_mode": False, - "allowed_to_skip": True, + "execution_required_in_release_mode": True, + "allowed_to_skip": False, }, { "check_id": "lean_library_build", "severity": "release_blocking", "responsible_component": PCS_CORE, - "execution_required_in_release_mode": False, - "allowed_to_skip": True, + "execution_required_in_release_mode": True, + "allowed_to_skip": False, }, ], consumer_repos=[PCS_CORE, AGENT_RUNTIME], @@ -1202,7 +1202,6 @@ def _pf_core_release_entry( consumer_repos=[PCS_CORE, LABTRUST, CERTIFYEDGE, PF, SM], release_mode_required=False, ), - "PFCorePrincipal.v0": _pf_core_primitive_entry("PFCorePrincipal.v0"), "PFCoreCapability.v0": _pf_core_primitive_entry("PFCoreCapability.v0"), "PFCoreResource.v0": _pf_core_primitive_entry("PFCoreResource.v0"), @@ -1229,7 +1228,6 @@ def _pf_core_release_entry( runtime_producer=AGENT_RUNTIME, extra_release_fields=["observed_at", "payload_hash"], ), - } @@ -1249,6 +1247,7 @@ def all_registry_semantic_check_refs() -> set[str]: refs.add(registry_semantic_check_ref(artifact_type, str(check["check_id"]))) return refs + def pf_core_artifact_types() -> frozenset[str]: return _PF_CORE_ARTIFACT_TYPES 
@@ -1263,17 +1262,26 @@ def pf_core_artifact_types() -> frozenset[str]: ) +_PF_CORE_DEFERRABLE_CHECK_IDS = frozenset({"lean_kernel_proof", "lean_library_build"}) + def deferred_registry_obligations(artifact_type: str) -> list[dict[str, Any]]: - """Return registry semantic checks marked allowed_to_skip for an artifact type.""" + """Return registry semantic checks that may be deferred with assumption refs.""" entry = _REGISTRY_ENTRIES.get(artifact_type) if not entry: return [] checks = entry.get("semantic_checks") if not isinstance(checks, list): return [] - return [check for check in checks if isinstance(check, dict) and check.get("allowed_to_skip")] - + return [ + check + for check in checks + if isinstance(check, dict) + and ( + check.get("allowed_to_skip") + or str(check.get("check_id") or "") in _PF_CORE_DEFERRABLE_CHECK_IDS + ) + ] def infer_skipped_registry_checks( @@ -1296,7 +1304,6 @@ def infer_skipped_registry_checks( return skipped - def _assumption_ref_valid(ref: str) -> bool: text = ref.strip() if not text: @@ -1308,7 +1315,6 @@ def _assumption_ref_valid(ref: str) -> bool: return False - def enforce_assumption_declared( certificate: dict[str, Any], registry_context: dict[str, Any] | None = None, @@ -1328,7 +1334,11 @@ def enforce_assumption_declared( else: deferred = context.get("semantic_checks") deferred_checks = ( - [check for check in deferred if isinstance(check, dict) and check.get("allowed_to_skip")] + [ + check + for check in deferred + if isinstance(check, dict) and check.get("allowed_to_skip") + ] if isinstance(deferred, list) else deferred_registry_obligations(artifact_type) ) 
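Review bot: `deferred_registry_obligations` now treats `lean_kernel_proof` and `lean_library_build` as deferrable by `check_id` alone, for any artifact type, while the `@@ -164,15 +164,15 @@` hunk of this commit marks those checks `allowed_to_skip: False` and `execution_required_in_release_mode: True`. The registry data and the enforcement helper therefore say opposite things about whether the Lean checks can be skipped. The `registry_context` branch of `enforce_assumption_declared` (hunk `@@ -1328,7 +1334,11 @@`) still filters on `allowed_to_skip` only, so the two paths can also disagree with each other. If deferral with assumption refs is meant for PF-Core artifacts only, scope it with `and artifact_type in _PF_CORE_ARTIFACT_TYPES`. Add a comment on `_PF_CORE_DEFERRABLE_CHECK_IDS` explaining why it overrides the registry flag.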
@@ -1356,7 +1366,14 @@ def enforce_assumption_declared( "root: assumption_refs must reference AssumptionSet.v0 ids or documented " "assumption paths when registry checks are deferred" ) - elif claim_class not in {"AssumptionDeclared", "RuntimeChecked", "CertificateChecked", "ReplayValidated", "SchemaValidated", "OutOfScope"}: + elif claim_class not in { + "AssumptionDeclared", + "RuntimeChecked", + "CertificateChecked", + "ReplayValidated", + "SchemaValidated", + "OutOfScope", + }: if claim_class in _PROOF_OVERCLAIM_CLASSES or claim_class == "LeanKernelChecked": pass # already reported elif skipped: @@ -1368,7 +1385,6 @@ def enforce_assumption_declared( return issues - PF_CORE_TRACE_CLAIM_CLASSES = frozenset( { "SchemaValidated", @@ -1392,4 +1408,3 @@ def enforce_assumption_declared( ) PF_CORE_CLAIM_CLASSES = PF_CORE_TRACE_CLAIM_CLASSES | PF_CORE_CERTIFICATE_CLAIM_CLASSES - diff --git a/python/pcs_core/registry_semantics.py b/python/pcs_core/registry_semantics.py index d95b28b..fa96682 100644 --- a/python/pcs_core/registry_semantics.py +++ b/python/pcs_core/registry_semantics.py @@ -252,11 +252,18 @@ def deferral_reason(check_id: str) -> str: ) -def build_deferred_registry_checks(chain_checks: list[dict[str, Any]]) -> list[dict[str, Any]]: +def build_deferred_registry_checks( + chain_checks: list[dict[str, Any]], + *, + required_refs: set[str] | None = None, +) -> list[dict[str, Any]]: """Defer release-blocking checks not cited by release-chain checks.""" cited = collect_chain_registry_refs(chain_checks) + required = ( + required_refs if required_refs is not None else collect_required_release_blocking_refs() + ) deferred: list[dict[str, Any]] = [] - for ref in sorted(collect_required_release_blocking_refs() - cited): + for ref in sorted(required - cited): found = lookup_registry_check(ref) if found is None: continue diff --git a/python/pcs_core/release_chain_registry_refs.py b/python/pcs_core/release_chain_registry_refs.py index 5a2e790..2f8c277 100644 
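Review bot: `build_deferred_registry_checks` still skips a ref with `continue` when `lookup_registry_check(ref)` returns `None`. Now that callers can pass their own `required_refs`, an unknown or misspelled ref is dropped without being cited or deferred. Whether `audit_release_chain_registry_coverage` reports it afterwards cannot be seen from this hunk; if it does not, a release-blocking ref could go unaccounted for. Consider collecting the unresolved refs and raising or logging them, and extend the docstring with a line such as `required_refs: release-blocking refs to account for; defaults to the full registry set`. The loop body continues outside the hunk.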
--- a/python/pcs_core/release_chain_registry_refs.py +++ b/python/pcs_core/release_chain_registry_refs.py @@ -69,5 +69,9 @@ "scientific_memory_no_legacy": (), "pcs_artifact_schema_validation": ( "ArtifactRegistry.v0.entries_cover_required_artifact_types", + "ToolUseCertificate.v0.certificate_status_checked_for_release", + "ToolUseCertificate.v0.source_commit_matches_release_manifest", + "ComputationWitness.v0.computation_status_checked_for_release", + "ComputationWitness.v0.source_commit_matches_release_manifest", ), } diff --git a/python/pcs_core/release_chain_report.py b/python/pcs_core/release_chain_report.py index 1204a2a..c58a2f5 100644 --- a/python/pcs_core/release_chain_report.py +++ b/python/pcs_core/release_chain_report.py @@ -101,7 +101,11 @@ def build_release_chain_validation_result( ) or ( is_computation_release_directory(base) and profile_id == COMPUTATION_WORKFLOW_PROFILE_ID ) - if profile_matches_on_disk and result_path.is_file(): + if ( + profile_id == LABTRUST_WORKFLOW_PROFILE_ID + and profile_matches_on_disk + and result_path.is_file() + ): try: on_disk = json.loads(result_path.read_text(encoding="utf-8")) except json.JSONDecodeError: 
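Review bot: In `build_release_chain_validation_result` (hunk `@@ -101,7 +101,11 @@`), the added `profile_id == LABTRUST_WORKFLOW_PROFILE_ID` test makes the computation-profile half of `profile_matches_on_disk` unreachable for this branch, assuming the two profile ids differ. A reader cannot tell whether the on-disk result is deliberately no longer reused for computation releases or whether the disjunct was left behind by accident. Either drop the computation disjunct from `profile_matches_on_disk` or add a comment above the `if` stating why reuse is limited to the LabTrust profile. The function starts and ends outside the hunk.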
@@ -119,14 +123,18 @@ def build_release_chain_validation_result( on_disk_release = on_disk.get("release_id") if isinstance(on_disk_release, str) and on_disk_release: release_id = on_disk_release - if deferred_registry_checks is None: - deferred_registry_checks = build_deferred_registry_checks(checks) from pcs_core.workflow_profiles import required_release_blocking_refs_for_profile + required_refs = required_release_blocking_refs_for_profile(profile_id) + if deferred_registry_checks is None: + deferred_registry_checks = build_deferred_registry_checks( + checks, + required_refs=required_refs, + ) coverage_errors = audit_release_chain_registry_coverage( checks, deferred_registry_checks, - required_refs=required_release_blocking_refs_for_profile(profile_id), + required_refs=required_refs, ) failure_codes = sorted({issue.code for issue in issues}) if coverage_errors: diff --git a/python/pcs_core/release_fixtures.py b/python/pcs_core/release_fixtures.py index 6e349cb..68dfcce 100644 --- a/python/pcs_core/release_fixtures.py +++ b/python/pcs_core/release_fixtures.py @@ -229,7 +229,7 @@ def sync_legacy_manifest_artifact_hashes(directory: Path | None = None) -> dict[ updated: dict[str, str] = {} for name in MANIFEST_ARTIFACTS: path = base / name - digest = file_digest(path.read_bytes()) + digest = file_digest(path.read_bytes().replace(b"\r\n", b"\n")) artifacts[str(name)] = digest updated[str(name)] = digest manifest["artifacts"] = artifacts @@ -239,7 +239,7 @@ def sync_legacy_manifest_artifact_hashes(directory: Path | None = None) -> dict[ def write_json(path: Path, data: dict[str, Any]) -> None: text = json.dumps(data, indent=2, ensure_ascii=False) + "\n" - path.write_text(text, encoding="utf-8") + path.write_text(text, encoding="utf-8", newline="\n") def is_placeholder_commit(commit: str) -> bool: diff --git a/python/pcs_core/validate_detect.py b/python/pcs_core/validate_detect.py index e79edd8..1f7efd4 100644 --- a/python/pcs_core/validate_detect.py 
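Review bot: `path.write_text(text, encoding="utf-8", newline="\n")` in `write_json` relies on the `newline` parameter of `Path.write_text`, which exists only from Python 3.10; on an older interpreter the call raises `TypeError`. The same call is added to `_write_json` in materialize_computation_fixtures.py and materialize_tool_use_fixtures.py. If `requires-python` in pyproject.toml (not visible here) still admits 3.9, use `with path.open("w", encoding="utf-8", newline="\n") as fh: fh.write(text)` instead. The two scripts would also stay consistent by importing `write_json` rather than repeating it, although their `_write_json` additionally creates the parent directory.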
+++ b/python/pcs_core/validate_detect.py @@ -3,7 +3,6 @@ from __future__ import annotations import json -import re from pathlib import Path from typing import Any @@ -11,7 +10,8 @@ from referencing import Registry, Resource from referencing.jsonschema import DRAFT202012 -from pcs_core.paths import repo_root, schemas_dir +from pcs_core.paths import schemas_dir + ARTIFACT_SCHEMAS: dict[str, str] = { "AssumptionSet.v0": "AssumptionSet.v0.schema.json", "SourceSpan.v0": "SourceSpan.v0.schema.json", @@ -70,12 +70,16 @@ "PFCoreCertificate.v0": "PFCoreCertificate.v0.schema.json", "PCSBridgeCertificate.v0": "PCSBridgeCertificate.v0.schema.json", } + + class ValidationError(Exception): """Raised when artifact validation fails.""" def __init__(self, message: str, errors: list[str] | None = None): super().__init__(message) self.errors = errors or [] + + def _resolve_schema_ref(schema: dict[str, Any], ref: str) -> dict[str, Any]: if ref.startswith("pf_core.defs.json#/$defs/"): defs_path = schemas_dir() / "pf_core.defs.json" @@ -108,7 +112,6 @@ def _schema_requires_artifact_type(artifact_type: str) -> bool: return artifact_type_schema.get("const") == artifact_type - def detect_artifact_type(data: dict[str, Any]) -> str | None: explicit = data.get("artifact_type") if isinstance(explicit, str) and explicit in ARTIFACT_SCHEMAS: @@ -134,6 +137,14 @@ def detect_artifact_type(data: dict[str, Any]) -> str | None: return "VerificationResult.v0" if "receipt_id" in data: return "RuntimeReceipt.v0" + if ( + data.get("schema_version") == "v0" + and isinstance(data.get("certificate_id"), str) + and "policy_hash" in data + and isinstance(data.get("violations"), list) + and "spec_hash" not in data + ): + return "ToolUseCertificate.v0" if "certificate_id" in data: return "TraceCertificate.v0" if "assumption_set_id" in data: 
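Review bot: The new `ToolUseCertificate.v0` branch in `detect_artifact_type` (hunk `@@ -134,6 +137,14 @@`) selects the schema from field presence alone, so a document without an explicit `artifact_type` can steer which schema it is validated against by adding or omitting `spec_hash`. `"policy_hash" in data` also accepts any value type, unlike the `isinstance` checks beside it. The branch only works because it sits before the generic `"certificate_id" in data` test, which is easy to break when reordering. Consider a comment such as `# must precede the TraceCertificate.v0 fallback; structural guess only, callers that expect a specific type must compare against it`, and tighten the test to `isinstance(data.get("policy_hash"), str)`. The function starts and ends outside the hunk.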
@@ -397,7 +408,6 @@ def detect_artifact_type(data: dict[str, Any]) -> str | None: return None - def _load_schema(path: Path) -> dict[str, Any]: with path.open(encoding="utf-8") as f: return json.load(f) diff --git a/python/pcs_core/validate_pcs_core.py b/python/pcs_core/validate_pcs_core.py index 1338648..036ff57 100644 --- a/python/pcs_core/validate_pcs_core.py +++ b/python/pcs_core/validate_pcs_core.py @@ -22,6 +22,8 @@ "RuntimeChecked", } ) + + def _is_zero_source_commit(value: str) -> bool: return bool(_ZERO_COMMIT_RE.match(value.strip())) @@ -164,4 +166,3 @@ def _validate_signed_bundle(data: dict[str, Any]) -> list[str]: _validate_status_fields(vr, "verification_result", errors) errors.extend(_validate_verification_result(vr)) return errors - diff --git a/python/pcs_core/validate_pf_core.py b/python/pcs_core/validate_pf_core.py index e8e3107..97a8b38 100644 --- a/python/pcs_core/validate_pf_core.py +++ b/python/pcs_core/validate_pf_core.py @@ -25,6 +25,8 @@ "Stale", } ) + + def _validate_pfcore_claim_class( data: dict[str, Any], path: str, @@ -54,15 +56,13 @@ def _validate_pfcore_claim_class( f"{path}: claim_class LeanKernelChecked requires proof_term_ref (ClaimClassOverclaim)" ) if claim_class == "LeanKernelChecked" and data.get("lean_proof_checked") is not True: - errors.append( - f"{path}: claim_class LeanKernelChecked requires lean_proof_checked=true" - ) + errors.append(f"{path}: claim_class LeanKernelChecked requires lean_proof_checked=true") def _validate_direct_trace_action_semantics(trace: dict[str, Any]) -> list[str]: from pcs_core.pf_core_runtime import ( - validate_action_capability_effects, validate_action_capabilities_known, + validate_action_capability_effects, validate_action_effects_known, ) 
@@ -142,8 +142,7 @@ def _validate_pfcore_certificate(data: dict[str, Any]) -> list[str]: missing = PF_CORE_CONCRETE_PROOF_THEOREMS - theorem_set if missing: errors.append( - "root: lean_proof_checked theorems_checked missing " - f"{sorted(missing)!r}" + f"root: lean_proof_checked theorems_checked missing {sorted(missing)!r}" ) obligations = data.get("obligations") if isinstance(obligations, list): @@ -252,9 +251,7 @@ def check_pf_core_valid_fixtures() -> None: if trace_path.is_file(): result = replay_trace(trace_path) if not result.match: - raise ValidationError( - f"Replay failed for {case_dir}: {result.diffs!r}" - ) + raise ValidationError(f"Replay failed for {case_dir}: {result.diffs!r}") def check_pf_core_invalid_fixtures() -> None: @@ -457,6 +454,3 @@ def check_pf_core_invalid_fixtures() -> None: continue raise ValidationError(f"Unknown must_fail_at {must_fail_at!r} in {case_dir}") - - - diff --git a/python/pcs_core/validate_semantics.py b/python/pcs_core/validate_semantics.py index eace85d..5ed1ac4 100644 --- a/python/pcs_core/validate_semantics.py +++ b/python/pcs_core/validate_semantics.py 
@@ -3,20 +3,31 @@ from __future__ import annotations import json -import re from pathlib import Path from typing import Any -from pcs_core.paths import examples_dir as default_examples_dir -from pcs_core.paths import repo_root, schemas_dir -from pcs_core.registry_data import PF_CORE_CLAIM_CLASSES -from pcs_core.validate_pf_core import _validate_pfcore_claim_class -from pcs_core.status import ARTIFACT_STATUSES, TRACE_CERTIFICATE_STATUSES - +from pcs_core.benchmark_validate import ( + validate_benchmark_case_semantics, + validate_benchmark_metric_registry_semantics, + validate_benchmark_registry_semantics, + validate_benchmark_report_semantics, + validate_benchmark_run_semantics, + validate_benchmark_suite_manifest_semantics, + validate_benchmark_task_semantics, +) +from pcs_core.computation_validate import ( + validate_computation_run_receipt_semantics, + validate_computation_witness_semantics, + validate_dataset_receipt_semantics, + validate_environment_receipt_semantics, + validate_result_artifact_semantics, +) from pcs_core.lean_validate import ( validate_lean_check_result_semantics, validate_proof_obligation_semantics, ) +from pcs_core.paths import examples_dir as default_examples_dir +from pcs_core.paths import schemas_dir from pcs_core.protocol_validate import ( validate_artifact_registry_semantics, validate_conformance_report_semantics, 
@@ -25,34 +36,20 @@ validate_release_manifest_fixture_refs, validate_release_manifest_semantics, ) +from pcs_core.registry_data import PF_CORE_CLAIM_CLASSES +from pcs_core.status import TRACE_CERTIFICATE_STATUSES from pcs_core.tool_use_validate import ( validate_tool_use_certificate_semantics, validate_tool_use_trace_semantics, validate_workflow_profile_semantics, ) -from pcs_core.computation_validate import ( - validate_computation_run_receipt_semantics, - validate_computation_witness_semantics, - validate_dataset_receipt_semantics, - validate_environment_receipt_semantics, - validate_result_artifact_semantics, -) -from pcs_core.benchmark_validate import ( - validate_benchmark_case_semantics, - validate_benchmark_metric_registry_semantics, - validate_benchmark_registry_semantics, - validate_benchmark_report_semantics, - validate_benchmark_run_semantics, - validate_benchmark_suite_manifest_semantics, - validate_benchmark_task_semantics, -) from pcs_core.validate_detect import ( ARTIFACT_SCHEMAS, ValidationError, + _load_schema, detect_artifact_type, get_validator, validate_schema, - _load_schema, ) from pcs_core.validate_pcs_core import ( _check_source_commits, @@ -67,8 +64,11 @@ _validate_pfcore_certificate, _validate_pfcore_claim_class, _validate_pfcore_trace, + check_pf_core_invalid_fixtures, + check_pf_core_valid_fixtures, ) + def validate_semantics(data: dict[str, Any], artifact_type: str) -> list[str]: errors: list[str] = [] @@ -142,7 +142,6 @@ def validate_semantics(data: dict[str, Any], artifact_type: str) -> list[str]: ) return errors - if artifact_type == "BenchmarkMetricRegistry.v0": errors.extend(validate_benchmark_metric_registry_semantics(data)) return errors 
@@ -181,7 +180,7 @@ def validate_semantics(data: dict[str, Any], artifact_type: str) -> list[str]: return errors if artifact_type == "PcsBenchIngest.v0": - from pcs_core.benchmark_ingest import validate_pcs_bench_ingest_semantics + from pcs_core.benchmark_validate import validate_pcs_bench_ingest_semantics errors.extend(validate_pcs_bench_ingest_semantics(data)) return errors @@ -310,9 +309,6 @@ def iter_example_json_files(examples_dir: Path) -> list[Path]: def check_all_schemas() -> None: from jsonschema import Draft202012Validator - from pcs_core.validate_detect import ARTIFACT_SCHEMAS, get_validator, _load_schema - from pcs_core.paths import schemas_dir - for artifact_type, schema_name in ARTIFACT_SCHEMAS.items(): schema_path = schemas_dir() / schema_name schema = _load_schema(schema_path) @@ -361,6 +357,7 @@ def check_valid_examples(examples_dir: Path | None = None) -> None: check_pf_core_valid_fixtures() + def check_invalid_examples(examples_dir: Path | None = None) -> None: examples_dir = examples_dir or default_examples_dir() invalid_cases: dict[str, str | None] = { diff --git a/python/pyproject.toml b/python/pyproject.toml index 2b51636..11114d7 100644 --- a/python/pyproject.toml +++ b/python/pyproject.toml @@ -51,6 +51,12 @@ select = ["E", "F", "I", "W"] [tool.ruff.lint.per-file-ignores] "pcs_core/benchmark_metric_registry_data.py" = ["E501"] +"pcs_core/lean_catalog.py" = ["E501"] +"pcs_core/pf_core_claims.py" = ["E501"] +"pcs_core/pf_core_contract.py" = ["E501"] +"pcs_core/pf_core_lean_codegen.py" = ["E501"] +"pcs_core/pf_core_proof_binding.py" = ["E501"] +"pcs_core/validate_pf_core.py" = ["E501"] [tool.pytest.ini_options] testpaths = ["tests"] diff --git a/python/scripts/materialize_benchmark_fixtures.py b/python/scripts/materialize_benchmark_fixtures.py index 5d17bb7..c79125e 100644 --- a/python/scripts/materialize_benchmark_fixtures.py +++ b/python/scripts/materialize_benchmark_fixtures.py 
@@ -218,6 +218,25 @@ def _write_case_bundle( _write_json(case_dir / "expected_repair_hint.json", repair_hint) +def _refresh_gallery_manifest_digests(fixture_root: Path) -> int: + """Refresh gallery manifest.json digests; preserve intentional stale trace digests.""" + from pcs_core.benchmark_labtrust_gallery import sync_gallery_manifest_artifact_hashes + + refreshed = 0 + for sub in ("valid", "invalid"): + base = fixture_root / sub + if not base.is_dir(): + continue + for case_dir in sorted(p for p in base.iterdir() if p.is_dir()): + input_dir = case_dir / "input_artifacts" + if not input_dir.is_dir(): + continue + stale = frozenset({"trace.json"}) if case_dir.name == "labtrust-trace-hash-tamper-v0" else frozenset() + if sync_gallery_manifest_artifact_hashes(input_dir, stale_artifacts=stale): + refreshed += 1 + return refreshed + + def _refresh_gallery_case_runs(fixture_root: Path, *, allowed_ids: set[str] | None = None) -> int: """Re-execute on-disk benchmark cases and write benchmark_run..v0.json.""" from pcs_core.benchmark_runner import execute_benchmark_case, load_benchmark_case @@ -258,6 +277,7 @@ def _materialize_labtrust() -> None: case_count=case_count, ), ) + _refresh_gallery_manifest_digests(root) _refresh_gallery_case_runs(root, allowed_ids=allowed_ids) diff --git a/python/scripts/materialize_computation_fixtures.py b/python/scripts/materialize_computation_fixtures.py index eac875e..a5fb56e 100644 --- a/python/scripts/materialize_computation_fixtures.py +++ b/python/scripts/materialize_computation_fixtures.py @@ -327,7 +327,7 @@ def _adapt_science_bundle( def _write_json(path: Path, data: dict[str, Any]) -> None: path.parent.mkdir(parents=True, exist_ok=True) - path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8") + path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8", newline="\n") def main() -> int: 
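Review bot: `_refresh_gallery_manifest_digests` protects the tamper fixture through the string literal `"labtrust-trace-hash-tamper-v0"`, so renaming that case directory would let the refresh rewrite its `trace.json` digest. The negative case would then carry a matching digest and no longer exercise hash-mismatch detection, with nothing failing to signal it. Move the exemption to a module-level mapping, for example `_INTENTIONALLY_STALE = {"labtrust-trace-hash-tamper-v0": frozenset({"trace.json"})}`, and raise if a listed case directory is not found during the walk. The count returned by the function is discarded at the call site in `_materialize_labtrust`, so either use it or return `None`.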
diff --git a/python/scripts/materialize_tool_use_fixtures.py b/python/scripts/materialize_tool_use_fixtures.py index efa3cbf..533677c 100644 --- a/python/scripts/materialize_tool_use_fixtures.py +++ b/python/scripts/materialize_tool_use_fixtures.py @@ -213,7 +213,7 @@ def workflow_profile_tool_use() -> dict[str, Any]: ], "limitations_notice": ( "This artifact is a proof-carrying tool-use simulation result. " - "It is not a guarantee that a real deployed agent is safe." + "It is not a guarantee of operational safety for a deployed agent." ), "signature_or_digest": PLACEHOLDER_DIGEST, } @@ -283,7 +283,7 @@ def _adapt_science_bundle(cert_id: str, *, trace_hash: str) -> dict[str, Any]: def _write_json(path: Path, data: dict[str, Any]) -> None: path.parent.mkdir(parents=True, exist_ok=True) - path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8") + path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8", newline="\n") def main() -> int: diff --git a/python/scripts/split_validate.py b/python/scripts/split_validate.py index 24d2e05..f4a7d5b 100644 --- a/python/scripts/split_validate.py +++ b/python/scripts/split_validate.py @@ -63,7 +63,7 @@ validate_benchmark_suite_manifest_semantics, validate_benchmark_task_semantics, ) -from pcs_core.benchmark_ingest import validate_pcs_bench_ingest_semantics +from pcs_core.benchmark_validate import validate_pcs_bench_ingest_semantics ''' diff --git a/python/tests/hash_vectors/pf_core/invalid/capability_effect_mismatch.json b/python/tests/hash_vectors/pf_core/invalid/capability_effect_mismatch.json new file mode 100644 index 0000000..b7c64d9 --- /dev/null +++ b/python/tests/hash_vectors/pf_core/invalid/capability_effect_mismatch.json 
@@ -0,0 +1,70 @@ +{ + "schema_version": "v0", + "artifact_type": "PFCoreTrace.v0", + "trace_id": "trace-file-read-1", + "workflow_id": "agent_tool_use.safety_v0", + "events": [ + { + "schema_version": "v0", + "artifact_type": "PFCoreEvent.v0", + "event_id": "ev-file-read-1", + "trace_id": "trace-file-read-1", + "sequence": 0, + "timestamp": "2026-06-18T00:00:00Z", + "principal": { + "principal_id": "agent-1", + "principal_kind": "agent", + "tenant": "tenant-a", + "roles": [ + "agent" + ], + "capabilities": [ + "cap:file-read", + "cap:email-send", + "cap:handoff", + "cap:mcp-invoke" + ] + }, + "action": { + "action_id": "act-1", + "tool_name": "filesystem.read", + "capability": { + "capability_id": "cap:file-read", + "effect_kind": "file.read", + "resource_pattern": "/data/*" + }, + "effects": [ + { + "effect_kind": "file.write" + } + ], + "reads": [ + { + "resource_id": "res-1", + "uri": "/data/report.txt", + "tenant": "tenant-a" + } + ], + "writes": [], + "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + }, + "decision": "allow", + "decision_reason": "authorized", + "contract_refs": [], + "evidence_refs": [], + "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "event_hash": "sha256:454c2e686f6425dd64531a55e4abe0d075c129f431aa46b063e8bca567fc0bb3", + "source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:454c2e686f6425dd64531a55e4abe0d075c129f431aa46b063e8bca567fc0bb3" + } + ], + "trace_hash": "sha256:4e6641a757a970c51cd13ece064cdb8b2b978bc3cd49977d1b27a66428e360b2", + "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "claim_class": "RuntimeChecked", + 
"source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:4e6641a757a970c51cd13ece064cdb8b2b978bc3cd49977d1b27a66428e360b2" +} diff --git a/python/tests/hash_vectors/pf_core/invalid/cross_tenant_leak.json b/python/tests/hash_vectors/pf_core/invalid/cross_tenant_leak.json new file mode 100644 index 0000000..4f09c68 --- /dev/null +++ b/python/tests/hash_vectors/pf_core/invalid/cross_tenant_leak.json 
@@ -0,0 +1,70 @@ +{ + "schema_version": "v0", + "artifact_type": "PFCoreTrace.v0", + "trace_id": "trace-cross-tenant-1", + "workflow_id": "agent_tool_use.safety_v0", + "events": [ + { + "schema_version": "v0", + "artifact_type": "PFCoreEvent.v0", + "event_id": "ev-cross-tenant-1", + "trace_id": "trace-cross-tenant-1", + "sequence": 0, + "timestamp": "2026-06-18T00:00:00Z", + "principal": { + "principal_id": "agent-1", + "principal_kind": "agent", + "tenant": "tenant-a", + "roles": [ + "agent" + ], + "capabilities": [ + "cap:file-read", + "cap:email-send", + "cap:handoff", + "cap:mcp-invoke" + ] + }, + "action": { + "action_id": "act-1", + "tool_name": "filesystem.read", + "capability": { + "capability_id": "cap:file-read", + "effect_kind": "file.read", + "resource_pattern": "/data/*" + }, + "effects": [ + { + "effect_kind": "file.read" + } + ], + "reads": [ + { + "resource_id": "res-1", + "uri": "/data/secret.txt", + "tenant": "tenant-b" + } + ], + "writes": [], + "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + }, + "decision": "allow", + "decision_reason": "authorized", + "contract_refs": [], + "evidence_refs": [], + "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "event_hash": "sha256:3f95e0f3e30e374f429ae57b2691b64a10e7f1ebd85639157e5f5ffffde068de", + "source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:3f95e0f3e30e374f429ae57b2691b64a10e7f1ebd85639157e5f5ffffde068de" + } + ], + "trace_hash": "sha256:2289214038152161f810c4f1a7d30994b45aba10cb94cd5cd83856c390844ac6", + "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "claim_class": 
"RuntimeChecked", + "source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:2289214038152161f810c4f1a7d30994b45aba10cb94cd5cd83856c390844ac6" +} diff --git a/python/tests/hash_vectors/pf_core/invalid/previous_event_hash_mismatch.json b/python/tests/hash_vectors/pf_core/invalid/previous_event_hash_mismatch.json new file mode 100644 index 0000000..98c385d --- /dev/null +++ b/python/tests/hash_vectors/pf_core/invalid/previous_event_hash_mismatch.json 
@@ -0,0 +1,70 @@
+{
+ "schema_version": "v0",
+ "artifact_type": "PFCoreTrace.v0",
+ "trace_id": "trace-file-read-1",
+ "workflow_id": "agent_tool_use.safety_v0",
+ "events": [
+ {
+ "schema_version": "v0",
+ "artifact_type": "PFCoreEvent.v0",
+ "event_id": "ev-file-read-1",
+ "trace_id": "trace-file-read-1",
+ "sequence": 0,
+ "timestamp": "2026-06-18T00:00:00Z",
+ "principal": {
+ "principal_id": "agent-1",
+ "principal_kind": "agent",
+ "tenant": "tenant-a",
+ "roles": [
+ "agent"
+ ],
+ "capabilities": [
+ "cap:file-read",
+ "cap:email-send",
+ "cap:handoff",
+ "cap:mcp-invoke"
+ ]
+ },
+ "action": {
+ "action_id": "act-1",
+ "tool_name": "filesystem.read",
+ "capability": {
+ "capability_id": "cap:file-read",
+ "effect_kind": "file.read",
+ "resource_pattern": "/data/*"
+ },
+ "effects": [
+ {
+ "effect_kind": "file.read"
+ }
+ ],
+ "reads": [
+ {
+ "resource_id": "res-1",
+ "uri": "/data/report.txt",
+ "tenant": "tenant-a"
+ }
+ ],
+ "writes": [],
+ "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+ },
+ "decision": "allow",
+ "decision_reason": "authorized",
+ "contract_refs": [],
+ "evidence_refs": [],
+ "previous_event_hash": "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "event_hash": "sha256:4f54951a4b008bdb24f2bb88438cff876fadd84259ad6d83e8211980303a214b",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:4f54951a4b008bdb24f2bb88438cff876fadd84259ad6d83e8211980303a214b"
+ }
+ ],
+ "trace_hash": "sha256:47a6b6dde12dd26795643afa0130a379e59e6f8426d9270943e0828e5e5729f2",
+ "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "claim_class": "RuntimeChecked",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:47a6b6dde12dd26795643afa0130a379e59e6f8426d9270943e0828e5e5729f2"
+}
diff --git a/python/tests/hash_vectors/pf_core/invalid/trace_hash_mismatch.json b/python/tests/hash_vectors/pf_core/invalid/trace_hash_mismatch.json
new file mode 100644
index 0000000..9c7500c
--- /dev/null
+++ b/python/tests/hash_vectors/pf_core/invalid/trace_hash_mismatch.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "v0",
+ "artifact_type": "PFCoreTrace.v0",
+ "trace_id": "trace-file-read-1",
+ "workflow_id": "agent_tool_use.safety_v0",
+ "events": [
+ {
+ "schema_version": "v0",
+ "artifact_type": "PFCoreEvent.v0",
+ "event_id": "ev-file-read-1",
+ "trace_id": "trace-file-read-1",
+ "sequence": 0,
+ "timestamp": "2026-06-18T00:00:00Z",
+ "principal": {
+ "principal_id": "agent-1",
+ "principal_kind": "agent",
+ "tenant": "tenant-a",
+ "roles": [
+ "agent"
+ ],
+ "capabilities": [
+ "cap:file-read"
+ ]
+ },
+ "action": {
+ "action_id": "act-1",
+ "tool_name": "filesystem.read",
+ "capability": {
+ "capability_id": "cap:file-read",
+ "effect_kind": "file.read",
+ "resource_pattern": "/data/*"
+ },
+ "effects": [
+ {
+ "effect_kind": "file.read"
+ }
+ ],
+ "reads": [
+ {
+ "resource_id": "res-1",
+ "uri": "/data/report.txt",
+ "tenant": "tenant-a"
+ }
+ ],
+ "writes": [],
+ "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+ },
+ "decision": "allow",
+ "decision_reason": "authorized",
+ "contract_refs": [],
+ "evidence_refs": [],
+ "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "event_hash": "sha256:e6ae0e0c4c702dd1f83a6adb29a97e7d89b9741537b3ebd95bb476f754ea4960",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:e6ae0e0c4c702dd1f83a6adb29a97e7d89b9741537b3ebd95bb476f754ea4960"
+ }
+ ],
+ "trace_hash": "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "claim_class": "RuntimeChecked",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:bc26bbf4e65c1722cf2dd56723238ff13b72526ee6450d0bb9e4e54a4c3a4d30"
+}
diff --git a/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_capability.json b/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_capability.json
new file mode 100644
index 0000000..0041e9a
--- /dev/null
+++ b/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_capability.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "v0",
+ "artifact_type": "PFCoreTrace.v0",
+ "trace_id": "trace-file-read-1",
+ "workflow_id": "agent_tool_use.safety_v0",
+ "events": [
+ {
+ "schema_version": "v0",
+ "artifact_type": "PFCoreEvent.v0",
+ "event_id": "ev-file-read-1",
+ "trace_id": "trace-file-read-1",
+ "sequence": 0,
+ "timestamp": "2026-06-18T00:00:00Z",
+ "principal": {
+ "principal_id": "agent-1",
+ "principal_kind": "agent",
+ "tenant": "tenant-a",
+ "roles": [
+ "agent"
+ ],
+ "capabilities": [
+ "cap:file-read",
+ "cap:email-send",
+ "cap:handoff",
+ "cap:mcp-invoke"
+ ]
+ },
+ "action": {
+ "action_id": "act-1",
+ "tool_name": "filesystem.read",
+ "capability": {
+ "capability_id": "cap:unknown",
+ "effect_kind": "file.read",
+ "resource_pattern": "/data/*"
+ },
+ "effects": [
+ {
+ "effect_kind": "file.read"
+ }
+ ],
+ "reads": [
+ {
+ "resource_id": "res-1",
+ "uri": "/data/report.txt",
+ "tenant": "tenant-a"
+ }
+ ],
+ "writes": [],
+ "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+ },
+ "decision": "allow",
+ "decision_reason": "authorized",
+ "contract_refs": [],
+ "evidence_refs": [],
+ "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "event_hash": "sha256:e94015a9ff7475ba501d0877593e8a8bedbd5b7793061dc96eee6049ab9d1af7",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:e94015a9ff7475ba501d0877593e8a8bedbd5b7793061dc96eee6049ab9d1af7"
+ }
+ ],
+ "trace_hash": "sha256:cb1e76857365d2e3d3dd6036c498b49df81cc74ac44891ca8d223ea1e19d5e05",
+ "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+ "claim_class": "RuntimeChecked",
+ "source_repo": "https://github.com/example/agent-runtime",
+ "source_commit": "abc1234567890abc1234567890abc1234567890",
+ "signature_or_digest": "sha256:cb1e76857365d2e3d3dd6036c498b49df81cc74ac44891ca8d223ea1e19d5e05"
+}
diff --git a/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_effect.json b/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_effect.json
new file mode 100644
index 0000000..0bee04f
--- /dev/null
+++ b/python/tests/hash_vectors/pf_core/invalid/unknown_direct_trace_effect.json
@@ -0,0 +1,70 @@ +{ + "schema_version": "v0", + "artifact_type": "PFCoreTrace.v0", + "trace_id": "trace-file-read-1", + "workflow_id": "agent_tool_use.safety_v0", + "events": [ + { + "schema_version": "v0", + "artifact_type": "PFCoreEvent.v0", + "event_id": "ev-file-read-1", + "trace_id": "trace-file-read-1", + "sequence": 0, + "timestamp": "2026-06-18T00:00:00Z", + "principal": { + "principal_id": "agent-1", + "principal_kind": "agent", + "tenant": "tenant-a", + "roles": [ + "agent" + ], + "capabilities": [ + "cap:file-read", + "cap:email-send", + "cap:handoff", + "cap:mcp-invoke" + ] + }, + "action": { + "action_id": "act-1", + "tool_name": "filesystem.read", + "capability": { + "capability_id": "cap:file-read", + "effect_kind": "file.read", + "resource_pattern": "/data/*" + }, + "effects": [ + { + "effect_kind": "unknown.effect" + } + ], + "reads": [ + { + "resource_id": "res-1", + "uri": "/data/report.txt", + "tenant": "tenant-a" + } + ], + "writes": [], + "input_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "output_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + }, + "decision": "allow", + "decision_reason": "authorized", + "contract_refs": [], + "evidence_refs": [], + "previous_event_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "event_hash": "sha256:9d71cb558626f6179bf1e4832b55b5c02e2a32906d3a5477522ee9c9a4ea232e", + "source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:9d71cb558626f6179bf1e4832b55b5c02e2a32906d3a5477522ee9c9a4ea232e" + } + ], + "trace_hash": "sha256:4d2190baa8af4219598ccf4e59ab2b6b6b76bfe96469403bb29f55fd1605ad61", + "policy_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "contract_hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000", + "claim_class": "RuntimeChecked", + 
"source_repo": "https://github.com/example/agent-runtime", + "source_commit": "abc1234567890abc1234567890abc1234567890", + "signature_or_digest": "sha256:4d2190baa8af4219598ccf4e59ab2b6b6b76bfe96469403bb29f55fd1605ad61" +} diff --git a/python/tests/test_lean_trust.py b/python/tests/test_lean_trust.py index b225564..7c9d5ca 100644 --- a/python/tests/test_lean_trust.py +++ b/python/tests/test_lean_trust.py @@ -112,7 +112,8 @@ def test_cli_extract_and_lean_check(tmp_path: Path) -> None: py, "-m", "pcs_core.cli", - "lean-check", + "pcs-envelope", + "check", "--obligations", str(out_obligations), "--out", diff --git a/python/tests/test_pcs_lean_codegen.py b/python/tests/test_pcs_lean_codegen.py new file mode 100644 index 0000000..f42ecd0 --- /dev/null +++ b/python/tests/test_pcs_lean_codegen.py 
@@ -0,0 +1,70 @@ +"""Tests for PCS per-obligation Lean codegen.""" + +from __future__ import annotations + +import json +import shutil +from pathlib import Path + +import pytest + +from pcs_core.lean_trust import extract_proof_obligations_from_release, run_lean_check +from pcs_core.paths import examples_dir, repo_root +from pcs_core.pcs_lean_codegen import ( + generate_from_release_dir, + generate_proof_obligation_file, + generated_module_name, + release_chain_values_from_obligations, +) +from pcs_core.validate import validate_file + +LABTRUST = examples_dir() / "labtrust-release" + + +def test_release_chain_values_from_labtrust_obligations() -> None: + doc = extract_proof_obligations_from_release(LABTRUST) + values = release_chain_values_from_obligations(doc) + assert values["certificate_status"] == "CertificateChecked" + assert values["certificate_trace_hash"] == values["runtime_trace_hash"] + assert values["signed_input_bundle_hash"] == values["verified_input_bundle_hash"] + + +def test_generate_proof_obligation_file_writes_theorems(tmp_path: Path) -> None: + doc = extract_proof_obligations_from_release(LABTRUST) + path = generate_proof_obligation_file(doc, tmp_path) + text = path.read_text(encoding="utf-8") + assert "concrete_release_chain_admissible" in text + assert "releaseChainAdmissibleD" in text + assert "ReleaseChainAdmissible" in text + assert generated_module_name(doc) in text + + +def test_run_lean_check_envelope_proof_class_without_build() -> None: + doc = extract_proof_obligations_from_release(LABTRUST) + result = run_lean_check(doc, require_lean_build=False, lean_proof=False) + assert result["status"] == "ProofChecked" + assert result["claim_class"] == "ProofChecked" + assert result.get("lean_proof_checked") is False + + +@pytest.mark.skipif( + shutil.which("lake") is None, + reason="lake executable not on PATH", +) +def test_pcs_envelope_lean_proof_on_labtrust_fixture(tmp_path: Path) -> None: + doc = 
extract_proof_obligations_from_release(LABTRUST) + out = tmp_path / "lean_check_result.v0.json" + result = run_lean_check(doc, require_lean_build=True, lean_proof=True) + out.write_text(json.dumps(result, indent=2) + "\n", encoding="utf-8") + validate_file(out) + assert result["status"] == "ProofChecked" + assert result["claim_class"] == "EnvelopeLeanChecked" + assert result["lean_proof_checked"] is True + assert result.get("proof_term_ref") + + +def test_generate_from_release_dir_matches_committed_fixture() -> None: + generated = repo_root() / "lean" / "PCS" / "Generated" + path = generate_from_release_dir(LABTRUST, generated) + assert path.is_file() + assert "concrete_release_chain_admissible_prop" in path.read_text(encoding="utf-8") diff --git a/python/tests/test_pf_core_compositional.py b/python/tests/test_pf_core_compositional.py index b974150..8705940 100644 --- a/python/tests/test_pf_core_compositional.py +++ b/python/tests/test_pf_core_compositional.py @@ -90,7 +90,6 @@ def test_verify_proof_binding_rejects_non_kernel_certificate(tmp_path: Path) -> def test_verify_proof_binding_detects_trace_hash_mismatch(tmp_path: Path) -> None: if not GENERATED_PROOF.is_file(): pytest.skip("generated proof fixture missing") - trace = _load(VALID_TRACE) cert = { "schema_version": "v0", "artifact_type": "PFCoreCertificate.v0", diff --git a/python/tests/test_pf_core_cross_language.py b/python/tests/test_pf_core_cross_language.py index ac2c608..fa05f51 100644 --- a/python/tests/test_pf_core_cross_language.py +++ b/python/tests/test_pf_core_cross_language.py 
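Review bot: `test_generate_from_release_dir_matches_committed_fixture` in the new test_pcs_lean_codegen.py passes the repository's own `lean/PCS/Generated` directory as the output directory, so a test run appears to write the generated file into the working tree rather than compare anything with the committed copy. The only assertion afterwards is that one theorem name occurs in the file that was just written, so a codegen regression could replace the checked-in proof file and still pass. Generating into `tmp_path` and comparing with the committed file would make the test match its name, for example `path = generate_from_release_dir(LABTRUST, tmp_path)` followed by `assert path.read_text(encoding="utf-8") == (generated / path.name).read_text(encoding="utf-8")`. This assumes the output file name is the same in both directories, which the hunk does not show.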
@@ -12,20 +12,110 @@ from pcs_core.pf_core_contract import validate_trace_contracts from pcs_core.pf_core_runtime import ( + CAPABILITY_CATALOG, compute_event_hash, compute_trace_hash, + resource_matches_pattern, validate_denied_events_preserved, validate_pfcore_trace_hash_chain, + validate_tenant_isolation, ) -from pcs_core.validate import ARTIFACT_SCHEMAS, detect_artifact_type, validate_schema +from pcs_core.validate import ARTIFACT_SCHEMAS, detect_artifact_type, validate_semantics REPO = Path(__file__).resolve().parents[2] INVALID_VECTORS = REPO / "python" / "tests" / "hash_vectors" / "pf_core" / "invalid" +INVALID_EXAMPLES = REPO / "examples" / "pf-core-invalid" PF_CORE_TYPES = sorted( key for key in ARTIFACT_SCHEMAS - if key.startswith("PFCore") or key in {"ToolUseTrace.v0", "LeanCheckResult.v0", "PCSBridgeCertificate.v0"} + if key.startswith("PFCore") + or key in {"ToolUseTrace.v0", "LeanCheckResult.v0", "PCSBridgeCertificate.v0"} +) + +# Audit-list invalid vectors: Python/Rust/TS must reject the same error class. +INVALID_AUDIT_CASES: tuple[tuple[str, str, str, str], ...] 
= ( + ("hash_vectors", "invalid/trace_hash_chain_break.json", "PFCoreTrace.v0", "EventHashMismatch"), + ( + "hash_vectors", + "invalid/claim_class_overclaim_trace.json", + "PFCoreTrace.v0", + "ClaimClassOverclaim", + ), + ("hash_vectors", "invalid/trace_hash_mismatch.json", "PFCoreTrace.v0", "TraceHashMismatch"), + ( + "hash_vectors", + "invalid/previous_event_hash_mismatch.json", + "PFCoreTrace.v0", + "EventHashMismatch", + ), + ("hash_vectors", "invalid/cross_tenant_leak.json", "PFCoreTrace.v0", "TenantIsolation"), + ( + "examples", + "lean_kernel_checked_on_trace/trace.json", + "PFCoreTrace.v0", + "ClaimClassOverclaim", + ), + ( + "examples", + "lean_kernel_checked_without_proof_ref/trace.json", + "PFCoreTrace.v0", + "ClaimClassOverclaim", + ), + ( + "examples", + "lean_kernel_checked_without_proof_term_hash/certificate.json", + "PFCoreCertificate.v0", + "proof_term_hash", + ), + ( + "examples", + "lean_kernel_checked_without_proof_term_ref/certificate.json", + "PFCoreCertificate.v0", + "proof_term_ref", + ), + ( + "examples", + "lean_kernel_checked_with_skipped_build/certificate.json", + "PFCoreCertificate.v0", + "lean_build_status", + ), + ( + "examples", + "unknown_direct_trace_effect/trace.json", + "PFCoreTrace.v0", + "UnknownEffect", + ), + ( + "examples", + "capability_effect_mismatch/trace.json", + "PFCoreTrace.v0", + "CapabilityEffectMismatch", + ), + ( + "examples", + "unknown_direct_trace_capability/trace.json", + "PFCoreTrace.v0", + "UnknownCapability", + ), + ( + "hash_vectors", + "invalid/unknown_direct_trace_effect.json", + "PFCoreTrace.v0", + "UnknownEffect", + ), + ( + "hash_vectors", + "invalid/capability_effect_mismatch.json", + "PFCoreTrace.v0", + "CapabilityEffectMismatch", + ), + ( + "hash_vectors", + "invalid/unknown_direct_trace_capability.json", + "PFCoreTrace.v0", + "UnknownCapability", + ), ) TS_SCHEMAS = REPO / "typescript" / "packages" / "core" / "src" / "schema.ts" 
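Review bot: Several needles in `INVALID_AUDIT_CASES` are field names (`proof_term_hash`, `proof_term_ref`, `lean_build_status`) rather than error classes, although the comment above the table says all three implementations must reject "the same error class". The consuming test matches with `needle in err`, so any message that happens to mention the field satisfies it, including one raised for an unrelated reason. A stable error code for the certificate checks, used here in place of the field name, would keep the parity claim checkable. Nothing visible in this file feeds the table to the Rust or TypeScript suites, so the comment may also overstate what is enforced.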
@@ -37,10 +127,29 @@ def _load_json(path: Path) -> dict: return json.loads(path.read_text(encoding="utf-8")) +def _audit_fixture_path(source: str, relative: str) -> Path: + if source == "hash_vectors": + return REPO / "python" / "tests" / "hash_vectors" / "pf_core" / relative + if source == "examples": + return INVALID_EXAMPLES / relative + raise ValueError(f"unknown source {source!r}") + + +def _python_semantic_errors(source: str, relative: str, artifact_type: str) -> list[str]: + payload = _load_json(_audit_fixture_path(source, relative)) + if artifact_type == "PFCoreTrace.v0" and relative.endswith("cross_tenant_leak.json"): + return validate_tenant_isolation(payload) + if artifact_type == "PFCoreTrace.v0": + return validate_semantics(payload, artifact_type) + return validate_semantics(payload, artifact_type) + + def _extract_quoted_types(path: Path, marker: str) -> set[str]: text = path.read_text(encoding="utf-8") block = text.split(marker, 1)[-1] - return set(re.findall(r'"((?:PFCore|ToolUseTrace|LeanCheckResult|PCSBridgeCertificate)[^"]+)"', block)) + return set( + re.findall(r'"((?:PFCore|ToolUseTrace|LeanCheckResult|PCSBridgeCertificate)[^"]+)"', block) + ) def test_python_pf_core_schemas_registered() -> None: @@ -126,6 +235,8 @@ def test_python_pf_core_shared_hash_vectors() -> None: [ ("invalid/trace_hash_chain_break.json", "EventHashMismatch"), ("invalid/claim_class_overclaim_trace.json", "ClaimClassOverclaim"), + ("invalid/trace_hash_mismatch.json", "TraceHashMismatch"), + ("invalid/previous_event_hash_mismatch.json", "EventHashMismatch"), ], ) def test_python_invalid_pf_core_vectors(relative: str, needle: str) -> None: 
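Review bot: `_python_semantic_errors` routes `cross_tenant_leak.json` to `validate_tenant_isolation` by file-name suffix, so the audit table never shows that `validate_semantics`, presumably the entry point callers use, rejects a trace in which a tenant-a principal is allowed to read a tenant-b resource. If `validate_semantics` does not itself run the isolation check, this helper hides that gap. The two remaining branches are identical, so after the special case the body can be the single line `return validate_semantics(payload, artifact_type)`. Preferably the special case is dropped as well, so the fixture has to fail through the general path.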
@@ -137,7 +248,9 @@ def test_python_invalid_pf_core_vectors(relative: str, needle: str) -> None: def test_python_denied_event_preserved_invalid_vector() -> None: from pcs_core.pf_core_runtime import DroppedDeniedEvent, validate_denied_events_preserved - root = REPO / "python" / "tests" / "hash_vectors" / "pf_core" / "invalid" / "denied_event_dropped" + root = ( + REPO / "python" / "tests" / "hash_vectors" / "pf_core" / "invalid" / "denied_event_dropped" + ) tool_use = _load_json(root / "tool_use_trace.json") pfcore = _load_json(root / "pfcore_trace.json") with pytest.raises(DroppedDeniedEvent): @@ -157,9 +270,17 @@ def test_rust_pf_core_detection_tests_pass() -> None: def test_typescript_pf_core_detection_tests_pass() -> None: if sys.platform == "win32": pytest.skip("typescript workspace test runner uses shell globs unavailable on Windows") + ts_root = REPO / "typescript" + install = subprocess.run( + ["npm", "install", "--silent"], + cwd=ts_root, + capture_output=True, + text=True, + ) + assert install.returncode == 0, install.stdout + install.stderr result = subprocess.run( ["npm", "test"], - cwd=REPO / "typescript", + cwd=ts_root, capture_output=True, text=True, ) 
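Review bot: The `npm install --silent` step added in the second hunk on this line makes a pytest run resolve packages from the registry and execute their lifecycle scripts, which is neither reproducible nor safe to run offline or on an untrusted network. If a lockfile is committed under `typescript/` (not visible here), `["npm", "ci", "--ignore-scripts"]` installs exactly the locked tree without running install scripts, provided no dependency needs a build step. Neither `subprocess.run` call sets `timeout=`, so a stalled registry connection would hang the suite. The test function continues past the end of the hunk.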
@@ -173,6 +294,21 @@ def test_shared_negative_vectors_python() -> None: overclaim = _load_json(INVALID_VECTORS / "claim_class_overclaim_trace.json") assert any("ClaimClassOverclaim" in err for err in validate_pfcore_trace_hash_chain(overclaim)) + trace_mismatch = _load_json(INVALID_VECTORS / "trace_hash_mismatch.json") + assert any( + "TraceHashMismatch" in err for err in validate_pfcore_trace_hash_chain(trace_mismatch) + ) + + prev_mismatch = _load_json(INVALID_VECTORS / "previous_event_hash_mismatch.json") + assert any( + "EventHashMismatch" in err for err in validate_pfcore_trace_hash_chain(prev_mismatch) + ) + + from pcs_core.pf_core_runtime import validate_tenant_isolation + + cross_tenant = _load_json(INVALID_VECTORS / "cross_tenant_leak.json") + assert any("TenantIsolation" in err for err in validate_tenant_isolation(cross_tenant)) + contract_dir = INVALID_VECTORS / "contract_capability_missing" contract_trace = _load_json(contract_dir / "trace.json") contract = _load_json(contract_dir / "contract.json") 
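Review bot: The function-local `from pcs_core.pf_core_runtime import validate_tenant_isolation` added in `test_shared_negative_vectors_python` duplicates the module-level import of the same name that this commit adds at the top of the file. Dropping the local import leaves one import site and makes it clear the check is not optional. The function starts before this hunk.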
@@ -195,3 +331,36 @@ def test_rust_negative_vector_tests_in_pf_core_suite() -> None: text=True, ) assert result.returncode == 0, result.stdout + result.stderr + + +@pytest.mark.parametrize("source,relative,artifact_type,needle", INVALID_AUDIT_CASES) +def test_python_invalid_audit_vectors( + source: str, relative: str, artifact_type: str, needle: str +) -> None: + errors = _python_semantic_errors(source, relative, artifact_type) + assert any(needle in err for err in errors), errors + + +def test_resource_pattern_catalog_python_fnmatch() -> None: + """Parity anchor for Lean ResourcePattern.lean / runtime validate_resource_scope.""" + samples = { + "*": [("/any/uri", True), ("mailto:x@y", True)], + "/data/*": [("/data/report.txt", True), ("/etc/passwd", False)], + "mailto:*": [("mailto:a@b.c", True), ("http://x", False)], + "agent:*": [("agent:worker-1", True), ("mcp:tool", False)], + "mcp:*": [("mcp:filesystem.read", True), ("agent:x", False)], + "lab:*": [("lab:run-1", True), ("/data/x", False)], + } + for cap in CAPABILITY_CATALOG.values(): + pattern = str(cap["resource_pattern"]) + assert pattern in samples, f"add parity samples for catalog pattern {pattern!r}" + for uri, expected in samples[pattern]: + assert resource_matches_pattern(uri, pattern) is expected, (pattern, uri) + + +def test_observational_and_resource_pattern_lean_modules_exist() -> None: + for module in ("Observational.lean", "ResourcePattern.lean"): + path = REPO / "lean" / "PFCore" / module + text = path.read_text(encoding="utf-8") + assert "sorry" not in text, module + assert "theorem" in text, module diff --git a/python/tests/test_pf_core_deferred.py b/python/tests/test_pf_core_deferred.py index bb8ff69..ef738a8 100644 --- a/python/tests/test_pf_core_deferred.py +++ b/python/tests/test_pf_core_deferred.py 
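Review bot: The sample table in `test_resource_pattern_catalog_python_fnmatch` has no nested or dot-segment URI for `/data/*`, so it does not pin whether a capability scoped to `/data/*` also covers `/data/a/b` or `/data/../etc/passwd`. If `resource_matches_pattern` follows `fnmatch` semantics, as the test name suggests, `*` also matches `/` and both URIs would match. Whichever behaviour is intended should be asserted here and mirrored in ResourcePattern.lean. For example, add `("/data/../etc/passwd", False)` if the matcher is expected to normalise, or `True` with a comment that callers must canonicalise URIs before the scope check.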
@@ -21,7 +21,6 @@ validate_denied_observations_preserved, ) from pcs_core.validate import ( - ValidationError, check_pf_core_invalid_fixtures, load_pf_core_fixture_manifest, validate_semantics, @@ -145,6 +144,10 @@ def test_pf_core_hash_vectors(artifact: str) -> None: else: assert canonical_hash(payload) == digest stripped = canonicalize_for_hash( - {k: v for k, v in payload.items() if k not in ("event_hash", "trace_hash", "signature_or_digest")} + { + k: v + for k, v in payload.items() + if k not in ("event_hash", "trace_hash", "signature_or_digest") + } ) assert json.dumps(stripped, separators=(",", ":"), ensure_ascii=False) == canonical.rstrip("\n") diff --git a/python/tests/test_pf_core_hash_vector_parity.py b/python/tests/test_pf_core_hash_vector_parity.py index 9c77443..2de4853 100644 --- a/python/tests/test_pf_core_hash_vector_parity.py +++ b/python/tests/test_pf_core_hash_vector_parity.py @@ -5,8 +5,6 @@ import os from pathlib import Path -import pytest - from pcs_core.pf_core_hash_vector_parity import verify_pf_core_hash_vectors ROOT = Path(__file__).resolve().parents[2] @@ -27,7 +25,7 @@ def test_hash_vectors_match_pf_core_adapter_native() -> None: def test_trace_certificate_vector_has_sha256_prefix_digest() -> None: - digest = (LOCAL_VECTORS / "TraceCertificate.v0" / "digest.txt").read_text( - encoding="utf-8" - ).strip() + digest = ( + (LOCAL_VECTORS / "TraceCertificate.v0" / "digest.txt").read_text(encoding="utf-8").strip() + ) assert digest.startswith("sha256:"), "PCS digest must retain sha256: prefix form" diff --git a/python/tests/test_pf_core_observational.py b/python/tests/test_pf_core_observational.py new file mode 100644 index 0000000..ea68e68 --- /dev/null +++ b/python/tests/test_pf_core_observational.py 
@@ -0,0 +1,32 @@ +"""Tests for PF-Core observational non-interference vocabulary.""" + +from __future__ import annotations + +from pcs_core.paths import repo_root + + +def test_observational_lean_defines_non_interference() -> None: + path = repo_root() / "lean" / "PFCore" / "Observational.lean" + text = path.read_text(encoding="utf-8") + for name in ( + "NonInterference", + "nonInterferenceD", + "HighTenantEvent", + "traceSafe_implies_non_interference", + "tenantIsolation_implies_non_interference", + "traceCrossTenantSafe_implies_high_tenant_not_low", + "non_interference_observational_equivalence", + ): + assert name in text, f"missing {name} in Observational.lean" + + +def test_non_interference_doc_mentions_limits() -> None: + doc = repo_root() / "docs" / "pf-core" / "non-interference.md" + text = doc.read_text(encoding="utf-8") + for phrase in ( + "NonInterference", + "covert channels", + "timing", + "handoff", + ): + assert phrase.lower() in text.lower(), f"missing {phrase!r} in non-interference.md" diff --git a/python/tests/test_pf_core_phase_d.py b/python/tests/test_pf_core_phase_d.py index f3cdd69..52c1812 100644 --- a/python/tests/test_pf_core_phase_d.py +++ b/python/tests/test_pf_core_phase_d.py @@ -11,7 +11,6 @@ from pcs_core.pf_core_lean_codegen import ( generate_proof_obligation_file, trace_has_contract_refs, - trace_to_lean, ) from pcs_core.validate import validate_file @@ -75,7 +74,9 @@ def test_generated_proof_compiles_with_lake() -> None: from pcs_core.lean_check import pfcore_generated_dir, run_lean_concrete_proof trace = _load(VALID_TRACE) - proof_path = generate_proof_obligation_file(trace, pfcore_generated_dir(), trace_path=VALID_TRACE) + proof_path = generate_proof_obligation_file( + trace, pfcore_generated_dir(), trace_path=VALID_TRACE + ) ok, detail = run_lean_concrete_proof(proof_path, skip_build=False) if not ok and ("lake unavailable" in detail or "timed out" in detail.lower()): pytest.skip(detail) 
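Review bot: Both tests in the new test_pf_core_observational.py are substring searches, so they pass when a name such as `traceSafe_implies_non_interference` appears only in a comment or heads a statement that is not actually proved. The same holds for `test_observational_and_resource_pattern_lean_modules_exist` in test_pf_core_cross_language.py, whose `"sorry" not in text` check does not cover `admit` or a newly added `axiom`. Proof status comes from the `lake build PFCore` step in CI, not from these tests. A module docstring line such as `"""Vocabulary presence only; proof status is established by lake build PFCore in CI."""` would keep them from being read as evidence that non-interference is proved.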
diff --git a/python/tests/test_pf_core_phase_f.py b/python/tests/test_pf_core_phase_f.py index 36bfeb4..58a140a 100644 --- a/python/tests/test_pf_core_phase_f.py +++ b/python/tests/test_pf_core_phase_f.py @@ -104,7 +104,9 @@ def test_certifyedge_mock_mode(monkeypatch: pytest.MonkeyPatch) -> None: validate_artifact(result.certificate, "PFCoreCertificate.v0") -def test_certifyedge_mock_writes_certificate(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None: +def test_certifyedge_mock_writes_certificate( + tmp_path: Path, monkeypatch: pytest.MonkeyPatch +) -> None: monkeypatch.setenv("PCS_CERTIFYEDGE_MOCK", "1") out = tmp_path / "cert.json" write_certifyedge_certificate(LABTRUST_TRACE, "qc_release.temporal.safety", out) diff --git a/python/tests/test_pf_core_research.py b/python/tests/test_pf_core_research.py index e0357a9..dec7ca6 100644 --- a/python/tests/test_pf_core_research.py +++ b/python/tests/test_pf_core_research.py @@ -30,7 +30,7 @@ ) ROLE_MAP_KEYS_PATTERN = re.compile( - r'def runtimeRoleMap\s*:\s*RoleMap\s*:=\s*\{\s*entries\s*:=\s*\[(.*?)\]\s*\}', + r"def runtimeRoleMap\s*:\s*RoleMap\s*:=\s*\{\s*entries\s*:=\s*\[(.*?)\]\s*\}", re.DOTALL, ) ROLE_ENTRY_PATTERN = re.compile(r'\(\s*"([^"]+)"\s*,') diff --git a/python/tests/test_pf_core_research_grade.py b/python/tests/test_pf_core_research_grade.py index 1e8153e..b160b09 100644 --- a/python/tests/test_pf_core_research_grade.py +++ b/python/tests/test_pf_core_research_grade.py @@ -67,7 +67,9 @@ def test_research_grade_theorems_in_catalog() -> None: def test_research_grade_lean_catalog_audit() -> None: errors = audit_lean_catalog() - research_errors = [err for err in errors if any(name in err for name in RESEARCH_GRADE_THEOREMS)] + research_errors = [ + err for err in errors if any(name in err for name in RESEARCH_GRADE_THEOREMS) + ] assert research_errors == [], research_errors diff --git a/python/tests/test_pf_core_stage2.py b/python/tests/test_pf_core_stage2.py index fe34ef8..86715c0 100644 
--- a/python/tests/test_pf_core_stage2.py +++ b/python/tests/test_pf_core_stage2.py @@ -10,11 +10,6 @@ from pcs_core.pf_core_claims import audit_boundary from pcs_core.pf_core_runtime import ( ClaimClassOverclaim, - DroppedDeniedEvent, - HandoffAuthorityExpansion, - MissingPrincipal, - UnknownCapability, - UnknownEffect, compile_runtime_observation_to_event, compile_tool_use_trace_to_pfcore_trace, validate_denied_events_preserved, @@ -27,9 +22,7 @@ ValidationError, check_all_schemas, detect_artifact_type, - load_pf_core_fixture_manifest, validate_artifact, - validate_file, ) REPO = Path(__file__).resolve().parents[2] diff --git a/python/tests/test_pf_core_stage3.py b/python/tests/test_pf_core_stage3.py index 5c4bec4..91d5042 100644 --- a/python/tests/test_pf_core_stage3.py +++ b/python/tests/test_pf_core_stage3.py 
@@ -1,125 +1,73 @@ """Tests for PF-Core Stage 3 Lean kernel and lean-check integration.""" - - from __future__ import annotations - - import json - from pathlib import Path - - import pytest - - from pcs_core.lean_catalog import PF_CORE_THEOREM_CATALOG - from pcs_core.lean_check import ( - LEAN_CHECK_DISCLAIMER, - PF_CORE_ASSUMPTION_REFS, - audit_pfcore_lean_no_sorry, - check_pfcore_trace_lean_semantics, - event_safe_d, - run_pfcore_lean_check, - trace_safe_d, - ) - from pcs_core.pf_core_claims import ( - audit_boundary, - audit_claims, - audit_lean_catalog, - ) - from pcs_core.pf_core_runtime import ( - compile_tool_use_trace_to_pfcore_trace, - expand_principal_capabilities, - principal_capabilities_explicit, - ) - from pcs_core.validate import validate_file - - REPO = Path(__file__).resolve().parents[2] VALID_TRACE = REPO / "examples" / "pf-core-valid" / "tool_use_trace_compiled" / "pfcore_trace.json" -TOOL_USE_TRACE = REPO / "examples" / "pf-core-valid" / "tool_use_trace_compiled" / "tool_use_trace.json" +TOOL_USE_TRACE = ( + REPO / "examples" / "pf-core-valid" / "tool_use_trace_compiled" / "tool_use_trace.json" +) PF_CORE_LEAN = REPO / "lean" / "PFCore" - - - def _load(path: Path) -> dict: return json.loads(path.read_text(encoding="utf-8")) - - - def test_pfcore_lean_directory_exists() -> None: assert PF_CORE_LEAN.is_dir() expected = { - "Basic.lean", - "Principal.lean", - "Capability.lean", - "Resource.lean", - "Action.lean", - "Event.lean", - "Trace.lean", - "Contract.lean", - "Handoff.lean", - "Certificate.lean", - "Soundness.lean", - "Theorems.lean", - "TraceCheck.lean", - } assert expected <= {path.name for path in PF_CORE_LEAN.glob("*.lean")} - - - def test_pfcore_lean_catalog_matches_sources() -> None: errors = audit_lean_catalog() 
@@ -127,37 +75,23 @@ def test_pfcore_lean_catalog_matches_sources() -> None: assert errors == [], f"PF-Core lean catalog audit failed: {errors}" - - - def test_pfcore_catalog_includes_trace_safety_theorems() -> None: required = { - "traceSafeD_sound", - "allowed_event_has_allowed_action", - "every_allowed_event_in_safe_trace_is_allowed", - "handoff_does_not_expand_authority", - } assert required <= PF_CORE_THEOREM_CATALOG - - - def test_no_sorry_audit_passes() -> None: assert audit_pfcore_lean_no_sorry() == [] - - - def test_valid_trace_passes_event_and_trace_deciders() -> None: trace = _load(VALID_TRACE) @@ -171,9 +105,6 @@ def test_valid_trace_passes_event_and_trace_deciders() -> None: assert check_pfcore_trace_lean_semantics(trace) == [] - - - def test_unsafe_allow_event_fails_decider() -> None: trace = _load(VALID_TRACE) @@ -191,9 +122,6 @@ def test_unsafe_allow_event_fails_decider() -> None: assert not event_safe_d(event) - - - def test_role_expansion_produces_explicit_capabilities_in_compiled_trace() -> None: tool_use_trace = _load(TOOL_USE_TRACE) @@ -203,7 +131,6 @@ def test_role_expansion_produces_explicit_capabilities_in_compiled_trace() -> No expected_caps = expand_principal_capabilities({"roles": ["agent"], "capabilities": []}) for event in compiled["events"]: - principal = event["principal"] assert principal["capabilities"] == expected_caps @@ -211,9 +138,6 @@ def test_role_expansion_produces_explicit_capabilities_in_compiled_trace() -> No assert principal_capabilities_explicit(principal) - - - def test_roles_without_explicit_capabilities_fail_lean_semantics() -> None: trace = _load(VALID_TRACE) 
@@ -235,15 +159,9 @@ def test_roles_without_explicit_capabilities_fail_lean_semantics() -> None: assert any(issue.code == "PrincipalCapabilityMismatch" for issue in issues) - - - @pytest.mark.parametrize("skip_build", [True]) - def test_pfcore_lean_check_emits_runtime_checked_when_build_skipped( - tmp_path: Path, skip_build: bool - ) -> None: out = tmp_path / "PFCoreCertificate.v0.json" @@ -275,9 +193,6 @@ def test_pfcore_lean_check_emits_runtime_checked_when_build_skipped( assert "proof_ref" not in cert - - - def test_pfcore_lean_check_never_emits_unqualified_proof_checked(tmp_path: Path) -> None: _, result = run_pfcore_lean_check(VALID_TRACE, out_path=tmp_path / "cert.json", skip_build=True) @@ -287,9 +202,6 @@ def test_pfcore_lean_check_never_emits_unqualified_proof_checked(tmp_path: Path) assert result["claim_class"] in {"RuntimeChecked", "LeanKernelChecked"} - - - def test_pf_core_full_pipeline_on_valid_tool_use_example(tmp_path: Path) -> None: assert audit_claims() == [] @@ -300,24 +212,18 @@ def test_pf_core_full_pipeline_on_valid_tool_use_example(tmp_path: Path) -> None assert audit_pfcore_lean_no_sorry() == [] - - tool_use_trace = _load(TOOL_USE_TRACE) compiled = compile_tool_use_trace_to_pfcore_trace(tool_use_trace) validate_file(VALID_TRACE) - - compiled_path = tmp_path / "compiled_trace.json" compiled_path.write_text(json.dumps(compiled, indent=2), encoding="utf-8") validate_file(compiled_path) - - out = tmp_path / "PFCoreCertificate.v0.json" code, result = run_pfcore_lean_check(compiled_path, out_path=out, skip_build=True) @@ -329,9 +235,6 @@ def test_pf_core_full_pipeline_on_valid_tool_use_example(tmp_path: Path) -> None validate_file(out) - - - def test_lakefile_declares_pfcore_target() -> None: lakefile = (REPO / "lean" / "lakefile.lean").read_text(encoding="utf-8") 
@@ -341,10 +244,6 @@ def test_lakefile_declares_pfcore_target() -> None: assert "PFCore" in lakefile - - - def test_pcs_root_module_exists() -> None: assert (REPO / "lean" / "PCS.lean").is_file() - diff --git a/python/tests/test_pf_core_stage4.py b/python/tests/test_pf_core_stage4.py index dab6ece..6993dc2 100644 --- a/python/tests/test_pf_core_stage4.py +++ b/python/tests/test_pf_core_stage4.py @@ -11,9 +11,9 @@ from pcs_core.lean_check import ( LEAN_CHECK_DISCLAIMER, check_pfcore_trace_lean_semantics, - run_pfcore_lean_check, run_lean_concrete_proof, run_lean_library_build, + run_pfcore_lean_check, ) from pcs_core.pf_core_lean_codegen import ( generate_proof_obligation_file, @@ -119,7 +119,9 @@ def test_skip_lean_proof_emits_runtime_checked(tmp_path: Path, skip_lean_proof: assert code == 0, result assert result["claim_class"] == "RuntimeChecked" assert result["status"] == "DecidersPassed" - assert not any(item.get("kind") == "ConcreteTraceSafe" for item in result.get("obligations", [])) + assert not any( + item.get("kind") == "ConcreteTraceSafe" for item in result.get("obligations", []) + ) @pytest.mark.skipif(not LAKE_AVAILABLE, reason="lake or WSL not available") diff --git a/python/tests/test_pf_core_stage5.py b/python/tests/test_pf_core_stage5.py index ca82951..7b24df1 100644 --- a/python/tests/test_pf_core_stage5.py +++ b/python/tests/test_pf_core_stage5.py @@ -5,8 +5,6 @@ import json from pathlib import Path -import pytest - from pcs_core.pf_core_certificate import attach_external_certificate_check from pcs_core.pf_core_labtrust_adapter import normalize_labtrust_release from pcs_core.pf_core_replay import replay_trace, run_replay_trace diff --git a/python/tests/test_pf_core_tier1.py b/python/tests/test_pf_core_tier1.py index dbdfbae..8407b40 100644 --- a/python/tests/test_pf_core_tier1.py +++ b/python/tests/test_pf_core_tier1.py 
@@ -26,7 +26,10 @@ default_semantics_layer_for_contract, validate_semantics_layer, ) -from pcs_core.pf_core_runtime import validate_denied_events_preserved, validate_pfcore_trace_hash_chain +from pcs_core.pf_core_runtime import ( + validate_denied_events_preserved, + validate_pfcore_trace_hash_chain, +) REPO = Path(__file__).resolve().parents[2] CONTRACT_VALID = REPO / "examples" / "pf-core-valid" / "contract_checked" diff --git a/rust/crates/pcs-core/src/lib.rs b/rust/crates/pcs-core/src/lib.rs index 162b9bb..34502cb 100644 --- a/rust/crates/pcs-core/src/lib.rs +++ b/rust/crates/pcs-core/src/lib.rs @@ -6,10 +6,11 @@ pub mod validation; pub use hash::{canonical_hash, canonical_json_bytes, canonical_json_string}; pub use pf_core::{ - compute_event_hash, compute_trace_hash, validate_claim_class_overclaim, - validate_denied_events_preserved, validate_event_against_contract, + compute_event_hash, compute_trace_hash, resource_matches_pattern, + validate_claim_class_overclaim, validate_denied_events_preserved, + validate_direct_trace_action_semantics, validate_event_against_contract, validate_pfcore_certificate_semantics, validate_pfcore_trace_hash_chain, - validate_trace_contracts, GENESIS_HASH, + validate_trace_contracts, CAPABILITY_CATALOG, EFFECT_KINDS, GENESIS_HASH, }; pub use validation::{ detect_artifact_type, validate_artifact, validate_semantics, ValidationError, diff --git a/rust/crates/pcs-core/src/pf_core.rs b/rust/crates/pcs-core/src/pf_core.rs index 5a93392..76fc4c0 100644 --- a/rust/crates/pcs-core/src/pf_core.rs +++ b/rust/crates/pcs-core/src/pf_core.rs 
@@ -1,8 +1,306 @@ +use std::collections::HashSet; + use serde_json::{Map, Value}; use crate::hash::canonical_hash; -pub const GENESIS_HASH: &str = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; +pub const GENESIS_HASH: &str = + "sha256:0000000000000000000000000000000000000000000000000000000000000000"; + +pub const EFFECT_KINDS: &[&str] = &[ + "file.read", + "file.write", + "network.egress", + "email.send", + "handoff.delegate", + "mcp.invoke", + "lab.release", +]; + +#[derive(Clone, Copy)] +pub struct CapabilityEntry { + pub capability_id: &'static str, + pub effect_kind: &'static str, + pub resource_pattern: &'static str, +} + +pub const CAPABILITY_CATALOG: &[CapabilityEntry] = &[ + CapabilityEntry { + capability_id: "cap:file-read", + effect_kind: "file.read", + resource_pattern: "/data/*", + }, + CapabilityEntry { + capability_id: "cap:file-write", + effect_kind: "file.write", + resource_pattern: "/data/*", + }, + CapabilityEntry { + capability_id: "cap:network", + effect_kind: "network.egress", + resource_pattern: "*", + }, + CapabilityEntry { + capability_id: "cap:email-send", + effect_kind: "email.send", + resource_pattern: "mailto:*", + }, + CapabilityEntry { + capability_id: "cap:handoff", + effect_kind: "handoff.delegate", + resource_pattern: "agent:*", + }, + CapabilityEntry { + capability_id: "cap:mcp-invoke", + effect_kind: "mcp.invoke", + resource_pattern: "mcp:*", + }, + CapabilityEntry { + capability_id: "cap:lab-release", + effect_kind: "lab.release", + resource_pattern: "lab:*", + }, +]; + +fn known_effect_kinds() -> HashSet<&'static str> { + EFFECT_KINDS.iter().copied().collect() +} + +fn lookup_capability(capability_id: &str) -> Option<&'static CapabilityEntry> { + CAPABILITY_CATALOG + .iter() + .find(|entry| entry.capability_id == capability_id) +} + +fn runtime_error(code: &str, message: &str, path: &str) -> String { + format!("{code}: {message} (at {path})") +} + +fn glob_match(pattern: &str, text: &str) -> bool { + 
let pattern_chars: Vec = pattern.chars().collect(); + let text_chars: Vec = text.chars().collect(); + fn rec(pattern: &[char], pi: usize, text: &[char], ti: usize) -> bool { + if pi == pattern.len() { + return ti == text.len(); + } + if pattern[pi] == '*' { + if pi + 1 == pattern.len() { + return true; + } + for j in ti..=text.len() { + if rec(pattern, pi + 1, text, j) { + return true; + } + } + return false; + } + if ti >= text.len() || pattern[pi] != text[ti] { + return false; + } + rec(pattern, pi + 1, text, ti + 1) + } + rec(&pattern_chars, 0, &text_chars, 0) +} + +pub fn resource_matches_pattern(uri: &str, pattern: &str) -> bool { + if pattern == "*" { + return true; + } + glob_match(pattern, uri) +} + +fn validate_action_effects_known(action: &Value, path: &str) -> Option { + let effects = action.get("effects")?; + let Some(items) = effects.as_array() else { + return Some(runtime_error( + "UnknownEffect", + "unknown effect: ", + &format!("{path}.effects"), + )); + }; + if items.is_empty() { + return Some(runtime_error( + "UnknownEffect", + "unknown effect: ", + path, + )); + }; + let known = known_effect_kinds(); + for (index, effect) in items.iter().enumerate() { + let Some(effect_obj) = object_mut(effect) else { + return Some(runtime_error( + "UnknownEffect", + "unknown effect: ", + &format!("{path}.effects[{index}]"), + )); + }; + let kind = effect_obj + .get("effect_kind") + .and_then(|v| v.as_str()) + .unwrap_or(""); + if kind.is_empty() || !known.contains(kind) { + return Some(runtime_error( + "UnknownEffect", + &format!( + "unknown effect: {}", + if kind.is_empty() { "" } else { kind } + ), + &format!("{path}.effects[{index}].effect_kind"), + )); + } + } + None +} + +fn validate_action_capabilities_known(action: &Value, path: &str) -> Option { + let capability = action.get("capability")?; + let Some(cap_obj) = object_mut(capability) else { + return Some(runtime_error( + "UnknownCapability", + "unknown capability: ", + &format!("{path}.capability"), + 
)); + }; + let cap_id = cap_obj + .get("capability_id") + .and_then(|v| v.as_str()) + .unwrap_or(""); + if cap_id.is_empty() || lookup_capability(cap_id).is_none() { + return Some(runtime_error( + "UnknownCapability", + &format!( + "unknown capability: {}", + if cap_id.is_empty() { + "" + } else { + cap_id + } + ), + &format!("{path}.capability"), + )); + } + let effect_kind = cap_obj + .get("effect_kind") + .and_then(|v| v.as_str()) + .unwrap_or(""); + let known = known_effect_kinds(); + if effect_kind.is_empty() || !known.contains(effect_kind) { + return Some(runtime_error( + "UnknownEffect", + &format!( + "unknown effect: {}", + if effect_kind.is_empty() { + "" + } else { + effect_kind + } + ), + &format!("{path}.capability.effect_kind"), + )); + } + None +} + +fn validate_action_capability_effects(action: &Value, path: &str) -> Option { + let capability = action.get("capability")?; + let Some(cap_obj) = object_mut(capability) else { + return Some(runtime_error( + "UnknownCapability", + "unknown capability: ", + &format!("{path}.capability"), + )); + }; + let cap_id = cap_obj + .get("capability_id") + .and_then(|v| v.as_str()) + .unwrap_or(""); + let Some(catalog) = lookup_capability(cap_id) else { + return Some(runtime_error( + "UnknownCapability", + &format!( + "unknown capability: {}", + if cap_id.is_empty() { + "" + } else { + cap_id + } + ), + &format!("{path}.capability"), + )); + }; + if validate_action_effects_known(action, path).is_some() { + return validate_action_effects_known(action, path); + } + let cap_effect = catalog.effect_kind; + if !action_has_effect(action, cap_effect) { + return Some(runtime_error( + "CapabilityEffectMismatch", + &format!( + "capability {:?} effect_kind {:?} not listed in action effects", + catalog.capability_id, cap_effect + ), + &format!("{path}.effects"), + )); + } + None +} + +fn validate_resource_scope(action: &Value, path: &str) -> Option { + let capability = action.get("capability")?; + let cap_obj = 
object_mut(capability)?; + let pattern = cap_obj + .get("resource_pattern") + .and_then(|v| v.as_str()) + .unwrap_or(""); + if pattern.is_empty() { + return None; + } + for key in ["reads", "writes"] { + let Some(resources) = action.get(key).and_then(|v| v.as_array()) else { + continue; + }; + for (index, resource) in resources.iter().enumerate() { + let Some(resource_obj) = object_mut(resource) else { + continue; + }; + let uri = resource_obj + .get("uri") + .and_then(|v| v.as_str()) + .unwrap_or(""); + if !uri.is_empty() && !resource_matches_pattern(uri, pattern) { + return Some(runtime_error( + "ResourceScopeViolation", + &format!("resource {uri:?} outside declared pattern {pattern:?}"), + &format!("{path}.{key}[{index}].uri"), + )); + } + } + } + None +} + +pub fn validate_direct_trace_action_semantics(trace: &Value) -> Vec { + let mut errors = Vec::new(); + let Some(events) = trace.get("events").and_then(|v| v.as_array()) else { + return errors; + }; + for (index, event) in events.iter().enumerate() { + let Some(action) = event.get("action") else { + continue; + }; + let base = format!("events[{index}].action"); + if let Some(error) = validate_action_effects_known(action, &base) { + errors.push(error); + } + if let Some(error) = validate_action_capabilities_known(action, &base) { + errors.push(error); + } + if let Some(error) = validate_action_capability_effects(action, &base) { + errors.push(error); + } + } + errors +} const TRACE_CLAIM_CLASSES: &[&str] = &[ "SchemaValidated", @@ -142,7 +440,9 @@ pub fn validate_pfcore_trace_hash_chain(trace: &Value) -> Vec { { Some(Ok(value)) => value, _ => { - errors.push(format!("EventHashMismatch: invalid previous_event_hash at {base}")); + errors.push(format!( + "EventHashMismatch: invalid previous_event_hash at {base}" + )); continue; } }; 
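Review bot: `validate_resource_scope` checks each `reads`/`writes` URI against the `resource_pattern` found in the action's own `capability` object, and returns `None` when that field is empty, so the scope enforced is the one the trace declares rather than the `CAPABILITY_CATALOG` entry for its `capability_id`. Unless a validator outside this hunk already pins the declared pattern to the catalog, a trace can widen or drop its own scope and still pass. I would resolve the catalog entry before the empty-pattern return and match against it, e.g. `let scope = lookup_capability(cap_id).map_or(pattern, |entry| entry.resource_pattern);` with `cap_id` read as in `validate_action_capabilities_known`. Because the pattern is input, the matcher deserves a look too: `*` in `glob_match` also spans `/` and `..` segments, and its recursion backtracks without a bound when a pattern holds several `*`.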
@@ -195,6 +495,16 @@ pub fn validate_pfcore_trace_hash_chain(trace: &Value) -> Vec { } } + for (index, event) in events.iter().enumerate() { + let Some(action) = event.get("action") else { + continue; + }; + let path = format!("events[{index}].action"); + if let Some(error) = validate_resource_scope(action, &path) { + errors.push(error); + } + } + errors } @@ -242,7 +552,8 @@ pub fn validate_pfcore_certificate_semantics(certificate: &Value) -> Vec .and_then(|v| v.as_str()) .is_none_or(|s| !s.starts_with("sha256:")) { - errors.push("root: claim_class LeanKernelChecked requires lean_environment_hash".into()); + errors + .push("root: claim_class LeanKernelChecked requires lean_environment_hash".into()); } let build_ok = certificate .get("lean_build_status") @@ -256,9 +567,7 @@ pub fn validate_pfcore_certificate_semantics(certificate: &Value) -> Vec if let Some(obligations) = certificate.get("obligations").and_then(|v| v.as_array()) { let passed: std::collections::HashSet = obligations .iter() - .filter(|item| { - item.get("passed").and_then(|v| v.as_bool()) == Some(true) - }) + .filter(|item| item.get("passed").and_then(|v| v.as_bool()) == Some(true)) .filter_map(|item| { item.get("theorem") .and_then(|v| v.as_str()) @@ -355,10 +664,14 @@ fn tenant_matches(principal: &Value, action: &Value) -> bool { pub fn validate_event_against_contract(event: &Value, contract: &Value, path: &str) -> Vec { let mut errors = Vec::new(); let Some(principal) = event.get("principal") else { - return vec![format!("ContractEventInvalid: event missing principal or action at {path}")]; + return vec![format!( + "ContractEventInvalid: event missing principal or action at {path}" + )]; }; let Some(action) = event.get("action") else { - return vec![format!("ContractEventInvalid: event missing principal or action at {path}")]; + return vec![format!( + "ContractEventInvalid: event missing principal or action at {path}" + )]; }; let contract_id = contract .get("contract_id") 
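Review bot: The loop added at the end of `validate_pfcore_trace_hash_chain` makes a function named for hash-chain integrity also report `ResourceScopeViolation`, while `validate_direct_trace_action_semantics`, which holds the other capability checks, does not run it. A caller that uses only the direct-semantics validator gets no scope check, and nothing at either site says so. I would either move the `validate_resource_scope` call into `validate_direct_trace_action_semantics` or add a comment here such as `// Scope enforcement (not an integrity check): kept here so every hash-chain caller also rejects out-of-scope resources.` The enclosing function starts outside this hunk.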
@@ -528,7 +841,47 @@ fn authorization_decision(status: &str) -> &'static str { .unwrap_or("deny") } -pub fn validate_denied_events_preserved(tool_use_trace: &Value, pfcore_trace: &Value) -> Vec { +pub fn validate_tenant_isolation(trace: &Value) -> Vec { + let mut errors = Vec::new(); + let events = match trace.get("events").and_then(|v| v.as_array()) { + Some(items) => items, + None => return vec!["TraceInvalid: events must be an array".into()], + }; + for (index, event) in events.iter().enumerate() { + let base = format!("events[{index}]"); + let Some(principal) = event.get("principal") else { + errors.push(format!( + "TenantIsolation: {base} missing principal or action" + )); + continue; + }; + let Some(action) = event.get("action") else { + errors.push(format!( + "TenantIsolation: {base} missing principal or action" + )); + continue; + }; + let tenant = principal + .get("tenant") + .and_then(|v| v.as_str()) + .unwrap_or(""); + if tenant.is_empty() { + errors.push(format!("TenantIsolation: {base}.principal.tenant is empty")); + continue; + } + if !tenant_matches(principal, action) { + errors.push(format!( + "TenantIsolation: cross-tenant resource access at {base} (principal tenant {tenant:?})" + )); + } + } + errors +} + +pub fn validate_denied_events_preserved( + tool_use_trace: &Value, + pfcore_trace: &Value, +) -> Vec { let Some(tool_calls) = tool_use_trace.get("tool_calls").and_then(|v| v.as_array()) else { return Vec::new(); }; @@ -587,7 +940,8 @@ mod tests { #[test] fn pf_core_trace_hash_chain_valid_fixture() { - let path = repo_root().join("examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json"); + let path = + repo_root().join("examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json"); let trace = load_json(path); let errors = validate_pfcore_trace_hash_chain(&trace); assert!(errors.is_empty(), "{errors:?}"); 
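Review bot: `validate_tenant_isolation` is added as a `pub fn`, but in the hunks visible on this page it is called only from the `pf_core_cross_tenant_leak_vector` test: the `pub use pf_core::{...}` list in `lib.rs` does not re-export it, and the `PFCoreTrace.v0` branch of `validate_semantics` gains only `validate_direct_trace_action_semantics`. If that is the whole wiring, a trace with cross-tenant access still passes `validate_semantics`. Assuming enforcement is intended, add `errors.extend(crate::pf_core::validate_tenant_isolation(value));` next to the other two calls and re-export the function; if it is deliberately opt-in, a doc comment saying so would keep callers from assuming it runs.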
@@ -615,7 +969,8 @@ mod tests { #[test] fn pf_core_invalid_hash_chain_vector() { - let path = repo_root().join("python/tests/hash_vectors/pf_core/invalid/trace_hash_chain_break.json"); + let path = repo_root() + .join("python/tests/hash_vectors/pf_core/invalid/trace_hash_chain_break.json"); let trace = load_json(path); let errors = validate_pfcore_trace_hash_chain(&trace); assert!(errors.iter().any(|err| err.contains("EventHashMismatch"))); @@ -623,7 +978,8 @@ mod tests { #[test] fn pf_core_claim_class_overclaim_vector() { - let path = repo_root().join("python/tests/hash_vectors/pf_core/invalid/claim_class_overclaim_trace.json"); + let path = repo_root() + .join("python/tests/hash_vectors/pf_core/invalid/claim_class_overclaim_trace.json"); let trace = load_json(path); let errors = validate_pfcore_trace_hash_chain(&trace); assert!(errors.iter().any(|err| err.contains("ClaimClassOverclaim"))); @@ -631,7 +987,8 @@ mod tests { #[test] fn pf_core_contract_violation_vector() { - let root = repo_root().join("python/tests/hash_vectors/pf_core/invalid/contract_capability_missing"); + let root = repo_root() + .join("python/tests/hash_vectors/pf_core/invalid/contract_capability_missing"); let trace = load_json(root.join("trace.json")); let contract = load_json(root.join("contract.json")); let contract_id = contract 
@@ -642,15 +999,156 @@ mod tests { let mut contracts = HashMap::new(); contracts.insert(contract_id, contract); let errors = validate_trace_contracts(&trace, &contracts); - assert!(errors.iter().any(|err| err.contains("ContractCapabilityRequired"))); + assert!(errors + .iter() + .any(|err| err.contains("ContractCapabilityRequired"))); } #[test] fn pf_core_denied_event_dropped_vector() { - let root = repo_root().join("python/tests/hash_vectors/pf_core/invalid/denied_event_dropped"); + let root = + repo_root().join("python/tests/hash_vectors/pf_core/invalid/denied_event_dropped"); let tool_use = load_json(root.join("tool_use_trace.json")); let pfcore = load_json(root.join("pfcore_trace.json")); let errors = validate_denied_events_preserved(&tool_use, &pfcore); assert!(errors.iter().any(|err| err.contains("DroppedDeniedEvent"))); } + + #[test] + fn pf_core_trace_hash_mismatch_vector() { + let path = + repo_root().join("python/tests/hash_vectors/pf_core/invalid/trace_hash_mismatch.json"); + let trace = load_json(path); + let errors = validate_pfcore_trace_hash_chain(&trace); + assert!(errors.iter().any(|err| err.contains("TraceHashMismatch"))); + } + + #[test] + fn pf_core_cross_tenant_leak_vector() { + let path = + repo_root().join("python/tests/hash_vectors/pf_core/invalid/cross_tenant_leak.json"); + let trace = load_json(path); + let errors = validate_tenant_isolation(&trace); + assert!(errors.iter().any(|err| err.contains("TenantIsolation"))); + } + + #[test] + fn pf_core_previous_event_hash_mismatch_vector() { + let path = repo_root() + .join("python/tests/hash_vectors/pf_core/invalid/previous_event_hash_mismatch.json"); + let trace = load_json(path); + let errors = validate_pfcore_trace_hash_chain(&trace); + assert!(errors.iter().any(|err| err.contains("EventHashMismatch"))); + } + + #[test] + fn pf_core_direct_trace_semantics_invalid_vectors() { + let cases: &[(&str, &str)] = &[ + ( + "examples/pf-core-invalid/unknown_direct_trace_effect/trace.json", + 
"UnknownEffect", + ), + ( + "examples/pf-core-invalid/capability_effect_mismatch/trace.json", + "CapabilityEffectMismatch", + ), + ( + "examples/pf-core-invalid/unknown_direct_trace_capability/trace.json", + "UnknownCapability", + ), + ]; + for (relative, needle) in cases { + let trace = load_json(repo_root().join(relative)); + let errors = validate_direct_trace_action_semantics(&trace); + assert!( + errors.iter().any(|err| err.contains(needle)), + "{relative}: expected {needle} in {errors:?}" + ); + } + } + + #[test] + fn pf_core_resource_scope_violation_vector() { + let path = repo_root().join("examples/pf-core-invalid/resource_scope_violation/trace.json"); + let trace = load_json(path); + let errors = validate_pfcore_trace_hash_chain(&trace); + assert!(errors + .iter() + .any(|err| err.contains("ResourceScopeViolation"))); + } + + #[test] + fn pf_core_resource_pattern_catalog_parity() { + let samples: &[(&str, &[(&str, bool)])] = &[ + ("*", &[("/any/uri", true), ("mailto:x@y", true)]), + ( + "/data/*", + &[("/data/report.txt", true), ("/etc/passwd", false)], + ), + ("mailto:*", &[("mailto:a@b.c", true), ("http://x", false)]), + ("agent:*", &[("agent:worker-1", true), ("mcp:tool", false)]), + ( + "mcp:*", + &[("mcp:filesystem.read", true), ("agent:x", false)], + ), + ("lab:*", &[("lab:run-1", true), ("/data/x", false)]), + ]; + for entry in CAPABILITY_CATALOG { + let pattern = entry.resource_pattern; + let Some((_, cases)) = samples.iter().find(|(pat, _)| *pat == pattern) else { + panic!("missing parity samples for pattern {pattern:?}"); + }; + for (uri, expected) in *cases { + assert_eq!( + resource_matches_pattern(uri, pattern), + *expected, + "pattern={pattern:?} uri={uri:?}" + ); + } + } + } + + #[test] + fn pf_core_audit_invalid_vectors() { + let cases: &[(&str, &str, &str)] = &[ + ( + "examples/pf-core-invalid/lean_kernel_checked_on_trace/trace.json", + "PFCoreTrace.v0", + "ClaimClassOverclaim", + ), + ( + 
"examples/pf-core-invalid/lean_kernel_checked_without_proof_ref/trace.json", + "PFCoreTrace.v0", + "ClaimClassOverclaim", + ), + ( + "examples/pf-core-invalid/lean_kernel_checked_without_proof_term_hash/certificate.json", + "PFCoreCertificate.v0", + "proof_term_hash", + ), + ( + "examples/pf-core-invalid/lean_kernel_checked_without_proof_term_ref/certificate.json", + "PFCoreCertificate.v0", + "proof_term_ref", + ), + ( + "examples/pf-core-invalid/lean_kernel_checked_with_skipped_build/certificate.json", + "PFCoreCertificate.v0", + "lean_build_status", + ), + ]; + for (relative, artifact_type, needle) in cases { + let path = repo_root().join(relative); + let value = load_json(path); + let errors = if *artifact_type == "PFCoreTrace.v0" { + validate_pfcore_trace_hash_chain(&value) + } else { + validate_pfcore_certificate_semantics(&value) + }; + assert!( + errors.iter().any(|err| err.contains(needle)), + "{relative}: expected {needle} in {errors:?}" + ); + } + } } diff --git a/rust/crates/pcs-core/src/validation.rs b/rust/crates/pcs-core/src/validation.rs index ae1de1d..ef45a1b 100644 --- a/rust/crates/pcs-core/src/validation.rs +++ b/rust/crates/pcs-core/src/validation.rs @@ -617,6 +617,9 @@ pub fn validate_semantics(value: &Value, artifact_type: &str) -> Result<(), Vali } } if artifact_type == "PFCoreTrace.v0" { + errors.extend(crate::pf_core::validate_direct_trace_action_semantics( + value, + )); errors.extend(crate::pf_core::validate_pfcore_trace_hash_chain(value)); } if artifact_type == "PFCoreCertificate.v0" { 
@@ -687,17 +690,11 @@ mod tests { ]; for (rel, expected) in cases { let path = repo.join(rel); - let value: Value = - serde_json::from_str(&fs::read_to_string(&path).unwrap()).unwrap(); - assert_eq!( - detect_artifact_type(&value), - Some(expected), - "{rel}" - ); + let value: Value = serde_json::from_str(&fs::read_to_string(&path).unwrap()).unwrap(); + assert_eq!(detect_artifact_type(&value), Some(expected), "{rel}"); } } - #[test] #[test] fn valid_examples_pass_jsonschema_and_semantics() { for entry in WalkDir::new(examples_dir()) diff --git a/schemas/LeanCheckResult.v0.schema.json b/schemas/LeanCheckResult.v0.schema.json index b867ace..38a422b 100644 --- a/schemas/LeanCheckResult.v0.schema.json +++ b/schemas/LeanCheckResult.v0.schema.json @@ -116,6 +116,30 @@ "$ref": "#/$defs/obligation_check_result" } }, + "claim_class": { + "type": "string", + "enum": [ + "ProofChecked", + "EnvelopeLeanChecked", + "Rejected" + ] + }, + "lean_proof_checked": { + "type": "boolean" + }, + "proof_term_ref": { + "type": "string", + "minLength": 1 + }, + "proof_term_hash": { + "$ref": "common.defs.json#/$defs/hex_digest" + }, + "lean_environment_hash": { + "$ref": "common.defs.json#/$defs/hex_digest" + }, + "disclaimer": { + "type": "string" + }, "signature_or_digest": { "$ref": "common.defs.json#/$defs/hex_digest" } diff --git a/scripts/pf-core-release-grade-local.sh b/scripts/pf-core-release-grade-local.sh new file mode 100644 index 0000000..f901a6a --- /dev/null +++ b/scripts/pf-core-release-grade-local.sh 
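Review bot: The new `claim_class`, `lean_proof_checked`, `proof_term_ref`, `proof_term_hash` and `lean_environment_hash` properties are independent and optional as far as this hunk shows, so a result with `claim_class` set to `ProofChecked` validates without any proof term or environment hash. The `required` array and any existing conditionals are outside the hunk, so this may already be covered; if not, tie the fields together, for example with `"if": {"properties": {"claim_class": {"const": "ProofChecked"}}, "required": ["claim_class"]}` and `"then": {"required": ["proof_term_ref", "proof_term_hash", "lean_environment_hash"], "properties": {"lean_proof_checked": {"const": true}}}`. Which fields `EnvelopeLeanChecked` should require is not stated on the page and needs the same decision.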
@@ -0,0 +1,92 @@ +#!/usr/bin/env bash +# PF-Core release-grade local verification (no git). Run from repository root. +set -euo pipefail + +ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +PY="${ROOT}/python" +TRACE="${ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json" +FAILED=() + +to_wsl_path() { + local path="$1" + if command -v wslpath >/dev/null 2>&1; then + wslpath -u "${path}" + return + fi + if [[ "${path}" =~ ^[A-Za-z]: ]]; then + local drive letter rest + drive="$(echo "${path}" | cut -c1 | tr 'A-Z' 'a-z')" + rest="$(echo "${path}" | cut -c3- | tr '\\' '/')" + printf '/mnt/%s%s' "${drive}" "${rest}" + return + fi + printf '%s' "${path}" +} + +WSL_ROOT="$(to_wsl_path "${ROOT}")" + +step() { + local name="$1" + shift + echo "" + echo "=== ${name} ===" + if (cd "${PY}" && "$@"); then + echo "OK ${name}" + else + echo "FAIL ${name}" + FAILED+=("${name}") + fi +} + +lake_available() { + command -v lake >/dev/null 2>&1 +} + +wsl_lake_available() { + command -v wsl >/dev/null 2>&1 +} + +cd "${PY}" +pip install -e ".[dev]" -q + +step "pf-core cross-language pytest" pytest -q tests/test_pf_core_cross_language.py +step "pf-core tier1 pytest" pytest -q tests/test_pf_core_tier1.py +step "pf-core compositional pytest" pytest -q tests/test_pf_core_compositional.py +step "pf-core research pytest" pytest -q tests/test_pf_core_research.py tests/test_pf_core_research_grade.py +step "pf-core conformance release-grade" pcs conformance run --suite pf-core --release-grade +step "pf-core cross-language conformance" pcs conformance run --suite pf-core-cross-language + +PF_CORE_RELEASE_CERT="$(mktemp /tmp/pfcore-release-grade-cert.XXXXXX.json 2>/dev/null || echo /tmp/pfcore-release-grade-cert.json)" + +echo "" +echo "=== PF-Core LeanKernelChecked path (when lake/WSL available) ===" +if lake_available; then + step "lake build PFCore" bash -lc "cd '${ROOT}/lean' && lake build PFCore" + step "pf-core lean-check full" pcs pf-core lean-check --trace 
"${TRACE}" --out "${PF_CORE_RELEASE_CERT}" + if [[ -f "${PF_CORE_RELEASE_CERT}" ]]; then + step "pf-core verify-proof-binding" pcs pf-core verify-proof-binding \ + --certificate "${PF_CORE_RELEASE_CERT}" --trace "${TRACE}" + else + echo "FAIL pf-core verify-proof-binding (certificate missing)" + FAILED+=("pf-core verify-proof-binding") + fi +elif wsl_lake_available; then + step "lake build PFCore (WSL)" wsl bash -lc "export PATH=\"\$HOME/.elan/bin:\$PATH\"; cd '${WSL_ROOT}/lean' && lake build PFCore" + step "pf-core lean-check full (WSL)" wsl bash -lc "cd '${WSL_ROOT}/python' && pcs pf-core lean-check --trace '${WSL_ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json' --out /tmp/pfcore-release-grade-cert.json" + step "pf-core verify-proof-binding (WSL)" wsl bash -lc "cd '${WSL_ROOT}/python' && test -f /tmp/pfcore-release-grade-cert.json && pcs pf-core verify-proof-binding --certificate /tmp/pfcore-release-grade-cert.json --trace '${WSL_ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json'" +else + echo "SKIP Lean path: neither lake nor wsl available (conformance --release-grade may have already failed closed)" + FAILED+=("PF-Core Lean path (lake/WSL unavailable)") +fi + +cd "${ROOT}/rust" +step "rust pf_core tests" cargo test pf_core -q + +echo "" +echo "=== Summary ===" +if [[ ${#FAILED[@]} -eq 0 ]]; then + echo "All PF-Core release-grade local steps passed." + exit 0 +fi +echo "Failed: ${FAILED[*]}" +exit 1 diff --git a/scripts/run-release-verify.sh b/scripts/run-release-verify.sh index 692dca9..0f9ae68 100644 --- a/scripts/run-release-verify.sh +++ b/scripts/run-release-verify.sh 
@@ -12,10 +12,14 @@ to_wsl_path() { wslpath -u "${path}" return fi - local drive letter rest - drive="$(echo "${path}" | cut -c1 | tr 'A-Z' 'a-z')" - rest="$(echo "${path}" | cut -c3- | tr '\\' '/')" - printf '/mnt/%s%s' "${drive}" "${rest}" + if [[ "${path}" =~ ^[A-Za-z]: ]]; then + local drive letter rest + drive="$(echo "${path}" | cut -c1 | tr 'A-Z' 'a-z')" + rest="$(echo "${path}" | cut -c3- | tr '\\' '/')" + printf '/mnt/%s%s' "${drive}" "${rest}" + return + fi + printf '%s' "${path}" } WSL_ROOT="$(to_wsl_path "${ROOT}")" @@ -33,6 +37,16 @@ step() { fi } +lean_path_available() { + if command -v lake >/dev/null 2>&1; then + return 0 + fi + if command -v wsl >/dev/null 2>&1; then + return 0 + fi + return 1 +} + cd "${PY}" pip install -e ".[dev]" -q 
@@ -64,31 +78,48 @@ step "pf-core lean no-sorry audit" pcs pf-core audit-lean-no-sorry step "pf-core pytest" pytest -q tests/test_pf_core_*.py PF_CORE_TRACE="${ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json" -PF_CORE_CERT="/tmp/pfcore-lean-check-cert.json" -step "pf-core lean-check canonical trace" pcs pf-core lean-check --trace "${PF_CORE_TRACE}" --out "${PF_CORE_CERT}" --skip-build -if [[ -f "${PF_CORE_CERT}" ]]; then - step "pf-core lean-check certificate validate" pcs validate "${PF_CORE_CERT}" + +echo "" +echo "=== PF-Core RuntimeChecked smoke (skip-build) ===" +PF_CORE_RUNTIME_CERT="$(mktemp /tmp/pfcore-runtime-cert.XXXXXX.json)" +step "pf-core lean-check runtime smoke" pcs pf-core lean-check --trace "${PF_CORE_TRACE}" --out "${PF_CORE_RUNTIME_CERT}" --skip-build +if [[ -f "${PF_CORE_RUNTIME_CERT}" ]]; then + step "pf-core runtime certificate validate" pcs validate "${PF_CORE_RUNTIME_CERT}" else - echo "SKIP pf-core lean-check certificate validate (certificate not emitted with --skip-build)" + echo "SKIP pf-core runtime certificate validate (certificate not emitted with --skip-build)" fi -if command -v wsl >/dev/null 2>&1; then - step "lake build PCS" wsl bash -lc "cd '${WSL_ROOT}/lean' && lake build PCS" - step "lake build PFCore" wsl bash -lc "cd '${WSL_ROOT}/lean' && lake build PFCore" - step "pf-core lean-check full" wsl bash -lc "cd '${WSL_ROOT}/python' && pcs pf-core lean-check --trace '${WSL_ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json' --out /tmp/pfcore-full-cert.json" - step "pf-core lean-check full certificate validate" wsl bash -lc "test -f /tmp/pfcore-full-cert.json && cd '${WSL_ROOT}/python' && pcs validate /tmp/pfcore-full-cert.json" -elif command -v lake >/dev/null 2>&1; then - step "lake build PCS" bash -lc "cd ../lean && lake build PCS" - step "lake build PFCore" bash -lc "cd ../lean && lake build PFCore" - step "pf-core lean-check full" pcs pf-core lean-check --trace "${PF_CORE_TRACE}" --out 
/tmp/pfcore-full-cert.json - if [[ -f /tmp/pfcore-full-cert.json ]]; then - step "pf-core lean-check full certificate validate" pcs validate /tmp/pfcore-full-cert.json +echo "" +echo "=== PF-Core LeanKernelChecked release candidate (full lean-check) ===" +if lean_path_available; then + PF_CORE_RELEASE_CERT="/tmp/pfcore-release-cert.json" + if command -v wsl >/dev/null 2>&1 && ! command -v lake >/dev/null 2>&1; then + step "lake build PCS" wsl bash -lc "export PATH=\"\$HOME/.elan/bin:\$PATH\"; cd '${WSL_ROOT}/lean' && lake build PCS" + step "lake build PFCore" wsl bash -lc "export PATH=\"\$HOME/.elan/bin:\$PATH\"; cd '${WSL_ROOT}/lean' && lake build PFCore" + step "pf-core lean-check full" wsl bash -lc "cd '${WSL_ROOT}/python' && pcs pf-core lean-check --trace '${WSL_ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json' --out /tmp/pfcore-release-cert.json" + step "pf-core lean-check certificate validate" wsl bash -lc "test -f /tmp/pfcore-release-cert.json && cd '${WSL_ROOT}/python' && pcs validate /tmp/pfcore-release-cert.json" + step "pf-core verify-proof-binding" wsl bash -lc "cd '${WSL_ROOT}/python' && pcs pf-core verify-proof-binding --certificate /tmp/pfcore-release-cert.json --trace '${WSL_ROOT}/examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json'" + else + step "lake build PCS" bash -lc "cd ../lean && lake build PCS" + step "lake build PFCore" bash -lc "cd ../lean && lake build PFCore" + step "pf-core lean-check full" pcs pf-core lean-check --trace "${PF_CORE_TRACE}" --out "${PF_CORE_RELEASE_CERT}" + if [[ -f "${PF_CORE_RELEASE_CERT}" ]]; then + step "pf-core lean-check certificate validate" pcs validate "${PF_CORE_RELEASE_CERT}" + step "pf-core verify-proof-binding" pcs pf-core verify-proof-binding --certificate "${PF_CORE_RELEASE_CERT}" --trace "${PF_CORE_TRACE}" + else + echo "FAIL pf-core lean-check certificate validate (certificate missing)" + FAILED+=("pf-core lean-check certificate validate") + echo "FAIL pf-core 
verify-proof-binding (certificate missing)" + FAILED+=("pf-core verify-proof-binding") + fi fi else - echo "SKIP lake build (lake and wsl unavailable)" + echo "FAIL PF-Core release candidate: lake and wsl unavailable" + FAILED+=("PF-Core release candidate") fi step "pf-core conformance" pcs conformance run --suite pf-core +step "pf-core conformance release-grade" pcs conformance run --suite pf-core --release-grade step "pf-core cross-language conformance" pcs conformance run --suite pf-core-cross-language for suite in \ diff --git a/test_vectors/hash/artifact_registry.vector.json b/test_vectors/hash/artifact_registry.vector.json index 4a62347..08bf8b8 100644 --- a/test_vectors/hash/artifact_registry.vector.json +++ b/test_vectors/hash/artifact_registry.vector.json 
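Review bot: The release certificate is written to the fixed path `/tmp/pfcore-release-cert.json`, while the runtime certificate earlier in this hunk uses `mktemp`; a file left by an earlier run, or placed by another local user, satisfies the `-f` / `test -f` guards, so `pcs validate` and `verify-proof-binding` can run against a certificate this run did not produce. Use `PF_CORE_RELEASE_CERT="$(mktemp /tmp/pfcore-release-cert.XXXXXX.json)"` on the native branch and start the WSL lean-check command with `rm -f /tmp/pfcore-release-cert.json`. Since `mktemp` pre-creates an empty file, the guards should then test `-s` rather than `-f`; that also applies to `PF_CORE_RUNTIME_CERT`, whose SKIP branch cannot currently be reached. The WSL branch of `scripts/pf-core-release-grade-local.sh` uses a fixed `/tmp/pfcore-release-grade-cert.json` in the same way.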
@@ -1,6 +1,6 @@ { "artifact_type": "ArtifactRegistry.v0", "input_file": "examples/artifact_registry.valid.json", - "expected_digest": "sha256:52f85a49adb004c158a20fce0fa52ca2f684715fa9c24f5cf0dcfb07b697dadb", - "canonical_json": "{\"entries\":{\"ArtifactRegistry.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ArtifactRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"entries\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ArtifactRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"entries_cover_required_artifact_types\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"AssumptionSet.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"HumanReviewed\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"AssumptionSet.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"assumption_set_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/AssumptionSet.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"BenchmarkArtifactRef.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"pcs-bench\",\"labtrust-gym\",\"ce
rtifyedge\",\"provability-fabric\",\"scientific-memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkArtifactRef.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"path\",\"sha256\",\"role\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkArtifactRef.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkCase.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkCase.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"case_id\",\"task_id\",\"workflow_id\",\"case_kind\",\"input_artifacts\",\"expected_status\",\"expected_system_outcome\",\"expected_failure_code\",\"expected_responsible_component\",\"expected_repair_hint_kind\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkCase.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkMetricRegistry.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkMetricRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"metrics\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkMetricRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkRegistry.v0\":{\"allowed_runtime_producers\":
[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"suites\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"report_id\",\"benchmark_suite_id\",\"runs\",\"metrics\",\"metric_summaries\",\"summary\",\"coverage\",\"failures\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkRun.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkRun.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"run_id\",\"task_id\",\"case_id\",\"started_at\",\"completed_at\",\"commands\",\"artifacts_produced\",\"observed_status\",\"observed_failure_code\",\"observed_responsible_component\",\"observed_repair_hint\",\"duration_ms\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkRun.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkTask.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"
],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkTask.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"task_id\",\"workflow_id\",\"domain\",\"description\",\"input_case_set\",\"expected_outputs\",\"metrics\",\"success_criteria\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkTask.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ClaimArtifact.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"CertificateChecked\",\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ClaimArtifact.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"artifact_id\",\"assumption_set_ref\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ClaimArtifact.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"assumption_set_ref_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ComponentReleaseFragment.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific 
Memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"ComponentReleaseFragment.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"pcs-core\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"component\",\"source_repo\",\"source_commit\",\"artifacts\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ComponentReleaseFragment.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"component_artifacts_match_release_pins\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"ComputationRunReceipt.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ComputationRunReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"run_id\",\"workflow_id\",\"command\",\"code_repo\",\"code_commit\",\"dataset_receipt_ref\",\"environment_receipt_ref\",\"started_at\",\"completed_at\",\"exit_code\",\"stdout_hash\",\"stderr_hash\",\"result_artifact_refs\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/ComputationRunReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"ComputationWitness.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ComputationWitness.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"witness_id\",\"workflow_id\",\"dataset_hash\",\"environment_hash\",\"run_receipt_hash\",\"result_hashes\",\"code_repo\",\"code_commit\",\"checker\",\"checker_version\",\"status\",\"violations\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/ComputationWitness.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"dataset_hash_matches_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"environment_hash_matches_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"run_receipt_hash_matches_declared_run\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"result_hashes_match_result_artifacts\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"code_commit_present\",\"execution_required_in_release_mode\":true,\"responsible_component
\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"computation_status_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"ConformanceRun.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ConformanceRun.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"run_id\",\"suite\",\"status\",\"checks_passed\",\"checks_failed\",\"failures\",\"started_at\",\"completed_at\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ConformanceRun.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"CoverageReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"CoverageReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"coverage_id\",\"metric\",\"numerator\",\"denominator\",\"coverage_ratio\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/CoverageReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"DatasetReceipt.v0\":{\"allowed_runtime_producers\":[\"sc
ientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"DatasetReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"dataset_id\",\"dataset_name\",\"dataset_version\",\"files\",\"aggregate_hash\",\"source_uri\",\"source_repo\",\"source_commit\",\"license\",\"created_at\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/DatasetReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"EnvironmentReceipt.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"EnvironmentReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"environment_id\",\"environment_kind\",\"os\",\"architecture\",\"language_runtimes\",\"packages\",\"container_image\",\"container_digest\",\"hardware_summary\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo 
producer\",\"schema\":\"schemas/EnvironmentReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"EvidenceBundle.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"EvidenceBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"bundle_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/EvidenceBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"certificate_refs_resolve\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"producer_responsible\"}]},\"ExplainQualityReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"Provability Fabric\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ExplainQualityReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"report_id\",\"suite_id\",\"case_id\",\"producer_id\",\"required_sections\",\"sections\",\"sections_present_count\",\"sections_required_count\",\"quality_score\",\"gaps\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ExplainQualityReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"FailureCaseManifest.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"FailureCaseManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"manifest_id\",\"case_id\",\"task_id\",\"failure_code\",\"responsible_component\",\"repair_hint_kind\",\"message\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/FailureCaseManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"FailureLocalizationResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"FailureLocalizationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"result_id\",\"run_id\",\"case_id\",\"expected_failure_code\",\"observed_failure_code\",\"expected_responsible_component\",\"observed_responsible_component\",\"localized_correctly\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/FailureLocalizationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"HandoffManifest.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\",\
"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"HandoffManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"handoff_id\",\"handoff_kind\",\"input_artifacts\",\"expected_outputs\",\"invariants\",\"status\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/HandoffManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"handoff_input_hashes_when_validated\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"LeanCheckResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"LeanCheckResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"check_id\",\"proof_obligation_id\",\"lean_module\",\"lean_theorem\",\"status\",\"checked_at\",\"lean_version\",\"source_repo\",\"source_commit\",\"failure_reason\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/LeanCheckResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"obligation_results_match_proof_obligation\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_theorem_in_catalog\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"MetricSummary.v0\":{\"allowed_runtime_produ
cers\":[\"pcs-core\",\"pcs-bench\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"MetricSummary.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"metric_id\",\"score\",\"applicability\",\"numerator\",\"denominator\",\"reason\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/MetricSummary.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"PcsBenchIngest.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"pcs-bench\",\"labtrust-gym\",\"certifyedge\",\"provability-fabric\",\"scientific-memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PcsBenchIngest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"producer_id\",\"suite_id\",\"workflow_id\",\"benchmark_runs\",\"coverage_reports\",\"failure_localization_reports\",\"explain_quality_reports\",\"profile_coverage_reports\",\"commands\",\"logs\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PcsBenchIngest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ProfileCoverageReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"Provability Fabric\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ProfileCoverageReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Provability 
Fabric\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"coverage_id\",\"workflow_profile_id\",\"producer_id\",\"artifact_types_required\",\"artifact_types_covered\",\"semantic_checks_required\",\"semantic_checks_covered\",\"handoff_steps_required\",\"handoff_steps_covered\",\"numerator\",\"denominator\",\"coverage_ratio\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ProfileCoverageReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ProofObligation.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ProofObligation.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"obligation_id\",\"release_id\",\"workflow_id\",\"obligations\",\"source_artifacts\",\"lean_module\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ProofObligation.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"obligations_reference_known_kinds\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"ReleaseChainValidationResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ReleaseChainValidationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Scientific 
Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"validation_id\",\"release_id\",\"status\",\"checks\",\"artifacts_checked\",\"failure_codes\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ReleaseChainValidationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"status_matches_check_outcomes\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"validator_responsible\"}]},\"ReleaseManifest.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"ReleaseManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"release_id\",\"release_candidate\",\"validation_profile\",\"producer_repos\",\"artifacts\",\"release_status\",\"chain_root\",\"release_chain_validation_result\",\"canonical_signed_bundle\",\"canonical_claim_id\",\"limitations_notice\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ReleaseManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"release_mode_commit_policy\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"artifact_hashes_match_files\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"ResultArtifact.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo 
producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ResultArtifact.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"result_id\",\"result_kind\",\"path\",\"sha256\",\"size_bytes\",\"media_type\",\"description\",\"produced_by_run\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/ResultArtifact.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"RuntimeReceipt.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"RuntimeObserved\",\"RuntimeChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"RuntimeReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability 
Fabric\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"receipt_id\",\"trace_hash\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/RuntimeReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ScienceClaimBundle.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"CertificateChecked\",\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ScienceClaimBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"bundle_id\",\"assumption_set\",\"runtime_receipts\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ScienceClaimBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"non_empty_runtime_receipts\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"certified_bundle_has_certificate_when_checked\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"SignedScienceClaimBundle.v0\":{\"allowed_runtime_producers\":[\"Provability 
Fabric\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"Provability Fabric\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"signed_bundle_id\",\"signed_input_bundle_hash\",\"science_claim_bundle\",\"verification_result\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"Provability Fabric\",\"schema\":\"schemas/SignedScienceClaimBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"signed_input_bundle_hash_matches_certified\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"embedded_bundle_passes_science_claim_semantics\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"producer_responsible\"}]},\"SourceSpan.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"Extracted\",\"Rejected\",\"Stale\"],\"artifact_type\":\"SourceSpan.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"source_span_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/SourceSpan.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ToolUseCertificate.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ToolUseCertificate.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific 
Memory\",\"pcs-core\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"certificate_id\",\"trace_hash\",\"policy_hash\",\"property_id\",\"checker\",\"checker_version\",\"status\",\"violations\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/ToolUseCertificate.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"tool_trace_hash_matches_certificate\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"policy_hash_matches_certificate\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"certificate_status_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"no_unauthorized_tool_calls\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"ToolUseTrace.v0\":{\"allowed_runtime_producers\":[\"agent-tool-use demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ToolUseTrace.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific 
Memory\",\"pcs-core\"],\"producer\":\"agent-tool-use demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"trace_id\",\"workflow_id\",\"agent_id\",\"policy_id\",\"policy_hash\",\"started_at\",\"completed_at\",\"tool_calls\",\"trace_hash\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"agent-tool-use demo producer\",\"schema\":\"schemas/ToolUseTrace.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"no_unknown_authorization_status\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"}]},\"TraceCertificate.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificatePending\",\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"TraceCertificate.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"LabTrust-Gym\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"certificate_id\",\"trace_hash\",\"spec_hash\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/TraceCertificate.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_matches_runtime_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"status_is_certificate_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"VerificationResult.v0\":{\"allowed_runtime_producers\":[\"Provability Fabric\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"VerificationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"Provability Fabric\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"verification_id\",\"status\",\"verified_input\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"Provability Fabric\",\"schema\":\"schemas/VerificationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"verified_input_bundle_hash_matches_certified\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"failed_checks_block_import_ready_status\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"}]},\"WorkflowProfile.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"WorkflowProfile.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"workflow_id\",\"domain\",\"description\",\"runtime_artifacts\",\"certificate_artifacts\",\"handoff_sequence\",\"required_registry_entries\",\"required_admission_profile\",\"status_policy\",\"failure_modes\",\"limitations_notice\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/WorkflowProfile.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"required_registry_entries_registered\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]}},\"registry_id\":\"pcs-artifact-registry-v0.1\",\"registry_version\":\"0.1.0\",\"schema_version\":\"v0\"}" + "expected_digest": "sha256:ef001e3f1bd7265a09f561cae6bd74163768d727c9ecfe421157a1db25a60c06", + "canonical_json": "{\"entries\":{\"ArtifactRegistry.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ArtifactRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"entries\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ArtifactRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"entries_cover_required_artifact_types\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"AssumptionSet.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"HumanReviewed\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"AssumptionSet.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"assumption_set_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/AssumptionSet.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"BenchmarkArtifactRef.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"pcs-bench\",\"labtrust-gym\",\"certifyedge\",\"provability-fabric\",\"scientific-memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkArtifactRef.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"path\",\"sha256\",\"role\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkArtifactRef.v0.schema.json\",\
"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkCase.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkCase.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"case_id\",\"task_id\",\"workflow_id\",\"case_kind\",\"input_artifacts\",\"expected_status\",\"expected_system_outcome\",\"expected_failure_code\",\"expected_responsible_component\",\"expected_repair_hint_kind\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkCase.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkMetricRegistry.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkMetricRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"metrics\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkMetricRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkRegistry.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkRegistry.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"registry_id\",\"registry_version\",\"suites\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkRegistry.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkReport.v0\":{\"allowed_runtime_p
roducers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"report_id\",\"benchmark_suite_id\",\"runs\",\"metrics\",\"metric_summaries\",\"summary\",\"coverage\",\"failures\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkRun.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkRun.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"run_id\",\"task_id\",\"case_id\",\"started_at\",\"completed_at\",\"commands\",\"artifacts_produced\",\"observed_status\",\"observed_failure_code\",\"observed_responsible_component\",\"observed_repair_hint\",\"duration_ms\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkRun.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"BenchmarkTask.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"BenchmarkTask.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"task_id\",\"workflow_id\",\"domain\",\"description\",\"input_case_set\",\"expected_outputs\",\"metrics\",\"success_criteria\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/BenchmarkTask.v0.schema.json\",\"sc
hema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ClaimArtifact.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"CertificateChecked\",\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ClaimArtifact.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"artifact_id\",\"assumption_set_ref\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ClaimArtifact.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"assumption_set_ref_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ComponentReleaseFragment.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"ComponentReleaseFragment.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"pcs-core\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"component\",\"source_repo\",\"source_commit\",\"artifacts\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ComponentReleaseFragment.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"component_artifacts_match_release_pins\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"ComputationRunReceipt.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo 
producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ComputationRunReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"run_id\",\"workflow_id\",\"command\",\"code_repo\",\"code_commit\",\"dataset_receipt_ref\",\"environment_receipt_ref\",\"started_at\",\"completed_at\",\"exit_code\",\"stdout_hash\",\"stderr_hash\",\"result_artifact_refs\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/ComputationRunReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"ComputationWitness.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ComputationWitness.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific 
Memory\",\"pcs-core\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"witness_id\",\"workflow_id\",\"dataset_hash\",\"environment_hash\",\"run_receipt_hash\",\"result_hashes\",\"code_repo\",\"code_commit\",\"checker\",\"checker_version\",\"status\",\"violations\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/ComputationWitness.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"dataset_hash_matches_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"environment_hash_matches_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"run_receipt_hash_matches_declared_run\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"result_hashes_match_result_artifacts\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"code_commit_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"computation_status_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"executi
on_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"ConformanceRun.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ConformanceRun.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"run_id\",\"suite\",\"status\",\"checks_passed\",\"checks_failed\",\"failures\",\"started_at\",\"completed_at\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ConformanceRun.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"CoverageReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"CoverageReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"coverage_id\",\"metric\",\"numerator\",\"denominator\",\"coverage_ratio\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/CoverageReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"DatasetReceipt.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"DatasetReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo 
producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"dataset_id\",\"dataset_name\",\"dataset_version\",\"files\",\"aggregate_hash\",\"source_uri\",\"source_repo\",\"source_commit\",\"license\",\"created_at\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/DatasetReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"EnvironmentReceipt.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"EnvironmentReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"environment_id\",\"environment_kind\",\"os\",\"architecture\",\"language_runtimes\",\"packages\",\"container_image\",\"container_digest\",\"hardware_summary\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/EnvironmentReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"EvidenceBundle.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"EvidenceBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"bundle_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/EvidenceBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"certificate_refs_resolve\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"producer_responsible\"}]},\"ExplainQualityReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"Provability Fabric\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ExplainQualityReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"report_id\",\"suite_id\",\"case_id\",\"producer_id\",\"required_sections\",\"sections\",\"sections_present_count\",\"sections_required_count\",\"quality_score\",\"gaps\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ExplainQualityReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"FailureCaseManifest.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"FailureCaseManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"manifest_id\",\"case_id\",\"task_id\",\"failure_code\",\"responsible_component\",\"repair_hint_kind\",\"message\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/FailureCaseManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"FailureLocalizationResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"FailureLocalizationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"result_id\",\"run_id\",\"case_id\",\"expected_failure_code\",\"observed_failure_code\",\"expected_responsible_component\",\"observed_responsible_component\",\"localized_correctly\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/FailureLocalizationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"HandoffManifest.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\",\
"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"HandoffManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"handoff_id\",\"handoff_kind\",\"input_artifacts\",\"expected_outputs\",\"invariants\",\"status\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/HandoffManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"handoff_input_hashes_when_validated\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"LeanCheckResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"LeanCheckResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"check_id\",\"proof_obligation_id\",\"lean_module\",\"lean_theorem\",\"status\",\"checked_at\",\"lean_version\",\"source_repo\",\"source_commit\",\"failure_reason\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/LeanCheckResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"obligation_results_match_proof_obligation\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_theorem_in_catalog\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"MetricSummary.v0\":{\"allowed_runtime_produ
cers\":[\"pcs-core\",\"pcs-bench\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"MetricSummary.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"metric_id\",\"score\",\"applicability\",\"numerator\",\"denominator\",\"reason\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/MetricSummary.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"PFCoreAction.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreAction.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreAction.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreCapability.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreCapability.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\"
:\"schemas/PFCoreCapability.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreCertificate.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"RuntimeChecked\",\"CertificateChecked\",\"LeanKernelChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"PFCoreCertificate.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"certificate_id\",\"claim_class\",\"source_repo\",\"source_commit\",\"signature_or_digest\",\"trace_hash\",\"claim_class\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreCertificate.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"claim_class_matches_assurance\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_kernel_proof\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_library_build\",\"execution_required_in
_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreContract.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreContract.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreContract.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreEvent.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreEvent.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"AgentRuntime\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"AgentRuntime\",\"schema\":\"schemas/PFCoreEvent.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreHandoff.v0\":{\"allowed_runtime_producers\":[\"pcs-core\
",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreHandoff.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreHandoff.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCorePrincipal.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCorePrincipal.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCorePrincipal.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreResource.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PFCoreResource.v0\",\"canonical_hash_required\":true,\"co
nsumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreResource.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreRuntimeObservation.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"RuntimeChecked\",\"CertificateChecked\",\"LeanKernelChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"AgentRuntime\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"observation_id\",\"claim_class\",\"source_repo\",\"source_commit\",\"signature_or_digest\",\"observed_at\",\"payload_hash\"],\"runtime_producer\":\"AgentRuntime\",\"schema\":\"schemas/PFCoreRuntimeObservation.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"claim_class_matches_assurance\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\
"},{\"allowed_to_skip\":false,\"check_id\":\"lean_kernel_proof\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_library_build\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PFCoreTrace.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"AgentRuntime\"],\"allowed_statuses\":[\"Draft\",\"RuntimeChecked\",\"CertificateChecked\",\"LeanKernelChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"PFCoreTrace.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"artifact_type\",\"trace_id\",\"claim_class\",\"source_repo\",\"source_commit\",\"signature_or_digest\",\"trace_hash\",\"events\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PFCoreTrace.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"explicit_artifact_type\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"schema_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"claim_class_matches_assurance\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_kernel_proof\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"lean_library_build\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"PcsBenchIngest.v0\":{\
"allowed_runtime_producers\":[\"pcs-core\",\"pcs-bench\",\"labtrust-gym\",\"certifyedge\",\"provability-fabric\",\"scientific-memory\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"PcsBenchIngest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"pcs-bench\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"producer_id\",\"suite_id\",\"workflow_id\",\"benchmark_runs\",\"coverage_reports\",\"failure_localization_reports\",\"explain_quality_reports\",\"profile_coverage_reports\",\"commands\",\"logs\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/PcsBenchIngest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ProfileCoverageReport.v0\":{\"allowed_runtime_producers\":[\"pcs-core\",\"Provability Fabric\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ProfileCoverageReport.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Provability Fabric\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"coverage_id\",\"workflow_profile_id\",\"producer_id\",\"artifact_types_required\",\"artifact_types_covered\",\"semantic_checks_required\",\"semantic_checks_covered\",\"handoff_steps_required\",\"handoff_steps_covered\",\"numerator\",\"denominator\",\"coverage_ratio\",\"details\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ProfileCoverageReport.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[]},\"ProofObligation.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"ProofObligation.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability 
Fabric\",\"Scientific Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"obligation_id\",\"release_id\",\"workflow_id\",\"obligations\",\"source_artifacts\",\"lean_module\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ProofObligation.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"obligations_reference_known_kinds\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]},\"ReleaseChainValidationResult.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ReleaseChainValidationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"Scientific Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"validation_id\",\"release_id\",\"status\",\"checks\",\"artifacts_checked\",\"failure_codes\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ReleaseChainValidationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"status_matches_check_outcomes\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"validator_responsible\"}]},\"ReleaseManifest.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Rejected\",\"Stale\",\"Deprecated\"],\"artifact_type\":\"ReleaseManifest.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"pcs-core\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"release_id\",\"release_candidate\",\"validation_profile\",\"producer_repos\",\"artifacts\",\"release_status\",\"chain_root\",\"release_chain_validation_result\",\"canonical_signed_bundle\",\"canonical_claim_id\",\"limitations_notice\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/ReleaseManifest.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"release_mode_commit_policy\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"artifact_hashes_match_files\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"}]},\"ResultArtifact.v0\":{\"allowed_runtime_producers\":[\"scientific-computation demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ResultArtifact.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"pcs-core\"],\"producer\":\"scientific-computation demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"result_id\",\"result_kind\",\"path\",\"sha256\",\"size_bytes\",\"media_type\",\"description\",\"produced_by_run\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"scientific-computation demo producer\",\"schema\":\"schemas/ResultArtifact.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"}]},\"RuntimeReceipt.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"RuntimeObserved\",\"RuntimeChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"RuntimeReceipt.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"receipt_id\",\"trace_hash\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/RuntimeReceipt.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ScienceClaimBundle.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"CertificateChecked\",\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ScienceClaimBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"bundle_id\",\"assumption_set\",\"runtime_receipts\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/ScienceClaimBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"non_empty_runtime_receipts\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"certified_bundle_has_certificate_when_checked\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"SignedScienceClaimBundle.v0\":{\"allowed_runtime_producers\":[\"Provability Fabric\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"Provability Fabric\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"signed_bundle_id\",\"signed_input_bundle_hash\",\"science_claim_bundle\",\"verification_result\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"Provability Fabric\",\"schema\":\"schemas/SignedScienceClaimBundle.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"signed_input_bundle_hash_matches_certified\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"embedded_bundle_passes_science_claim_semantics\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"producer_responsible\"}]},\"SourceSpan.v0\":{\"allowed_runtime_producers\":[\"LabTrust-Gym\"],\"allowed_statuses\":[\"Draft\",\"Extracted\",\"Rejected\",\"Stale\"],\"artifact_type\":\"SourceSpan.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"LabTrust-Gym\"],\"producer\":\"LabTrust-Gym\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"source_span_id\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"LabTrust-Gym\",\"schema\":\"schemas/SourceSpan.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"source_commit_not_placeholder\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"}]},\"ToolUseCertificate.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ToolUseCertificate.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific 
Memory\",\"pcs-core\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"certificate_id\",\"trace_hash\",\"policy_hash\",\"property_id\",\"checker\",\"checker_version\",\"status\",\"violations\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/ToolUseCertificate.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"tool_trace_hash_matches_certificate\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"policy_hash_matches_certificate\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"certificate_status_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"no_unauthorized_tool_calls\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"signature_or_digest_valid\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"ToolUseTrace.v0\":{\"allowed_runtime_producers\":[\"agent-tool-use demo producer\"],\"allowed_statuses\":[\"Draft\",\"RuntimeObserved\",\"Rejected\",\"Stale\"],\"artifact_type\":\"ToolUseTrace.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"Provability Fabric\",\"Scientific 
Memory\",\"pcs-core\"],\"producer\":\"agent-tool-use demo producer\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"trace_id\",\"workflow_id\",\"agent_id\",\"policy_id\",\"policy_hash\",\"started_at\",\"completed_at\",\"tool_calls\",\"trace_hash\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"agent-tool-use demo producer\",\"schema\":\"schemas/ToolUseTrace.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_present\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"no_unknown_authorization_status\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"}]},\"TraceCertificate.v0\":{\"allowed_runtime_producers\":[\"CertifyEdge\"],\"allowed_statuses\":[\"CertificatePending\",\"CertificateChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"TraceCertificate.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"CertifyEdge\",\"LabTrust-Gym\",\"Provability Fabric\",\"Scientific 
Memory\"],\"producer\":\"CertifyEdge\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"certificate_id\",\"trace_hash\",\"spec_hash\",\"status\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"CertifyEdge\",\"schema\":\"schemas/TraceCertificate.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"trace_hash_matches_runtime_receipt\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"status_is_certificate_checked_for_release\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"source_commit_matches_release_manifest\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"}]},\"VerificationResult.v0\":{\"allowed_runtime_producers\":[\"Provability Fabric\"],\"allowed_statuses\":[\"ProofChecked\",\"Rejected\",\"Stale\"],\"artifact_type\":\"VerificationResult.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"Provability Fabric\",\"Scientific Memory\"],\"producer\":\"Provability Fabric\",\"release_mode_required\":true,\"required_release_fields\":[\"schema_version\",\"verification_id\",\"status\",\"verified_input\",\"source_repo\",\"source_commit\",\"signature_or_digest\"],\"runtime_producer\":\"Provability Fabric\",\"schema\":\"schemas/VerificationResult.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"verified_input_bundle_hash_matches_certified\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"check_id\":\"failed_checks_block_import_ready_status\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"}]},\"WorkflowProfile.v0\":{\"allowed_runtime_producers\":[\"pcs-core\"],\"allowed_statuses\":[\"Draft\",\"Validated\",\"Deprecated\"],\"artifact_type\":\"WorkflowProfile.v0\",\"canonical_hash_required\":true,\"consumer_repos\":[\"pcs-core\",\"LabTrust-Gym\",\"CertifyEdge\",\"Provability Fabric\",\"Scientific Memory\",\"AgentRuntime\"],\"producer\":\"pcs-core\",\"release_mode_required\":false,\"required_release_fields\":[\"schema_version\",\"workflow_id\",\"domain\",\"description\",\"runtime_artifacts\",\"certificate_artifacts\",\"handoff_sequence\",\"required_registry_entries\",\"required_admission_profile\",\"status_policy\",\"failure_modes\",\"limitations_notice\",\"signature_or_digest\"],\"runtime_producer\":\"pcs-core\",\"schema\":\"schemas/WorkflowProfile.v0.schema.json\",\"schema_owner\":\"pcs-core\",\"semantic_checks\":[{\"allowed_to_skip\":false,\"check_id\":\"required_registry_entries_registered\",\"execution_required_in_release_mode\":true,\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}]}},\"registry_id\":\"pcs-artifact-registry-v0.1\",\"registry_version\":\"0.1.0\",\"schema_version\":\"v0\"}" } diff --git a/test_vectors/hash/release_chain_validation_result.vector.json b/test_vectors/hash/release_chain_validation_result.vector.json index 53fdc33..09f4ef4 100644 --- a/test_vectors/hash/release_chain_validation_result.vector.json +++ b/test_vectors/hash/release_chain_validation_result.vector.json 
@@ -1,6 +1,6 @@ { "artifact_type": "ReleaseChainValidationResult.v0", "input_file": "examples/release_chain_validation_result.valid.json", - "expected_digest": "sha256:3000ec6b27f2fc65be0c647a2e8c68ee528babe9779c8fa1d411053d13f904dd", - "canonical_json": "{\"artifacts_checked\":8,\"checked_at\":\"2026-05-18T23:17:38Z\",\"checks\":[{\"check_id\":\"manifest_present\",\"description\":\"RELEASE_FIXTURE_MANIFEST.json exists\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"artifact_files_present\",\"description\":\"Every manifest-listed artifact file exists on disk\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.artifact_hashes_match_files\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"manifest_hashes_match\",\"description\":\"Every artifact hash matches the manifest digest\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.artifact_hashes_match_files\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"forbidden_provenance_values\",\"description\":\"No local_dev, zero commits, or pattern placeholder commits in artifacts\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.release_mode_commit_policy\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"runtime_receipt_labtrust_commit\",\"description\":\"runtime_receipt.json source_commit matches manifest.labtrust_gym_commit\",\"details\":{},\"registry_check_refs\":[\"RuntimeReceipt.v0.source_commit_matches_release_manifest\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"pending_bundle_labtrust_commits\",\"description\":\"science_claim_bundle.pending.json LabTrust provenance matches 
manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.non_empty_runtime_receipts\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certified_bundle_labtrust_commits\",\"description\":\"science_claim_bundle.certified.json LabTrust provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_nested_labtrust_commits\",\"description\":\"signed bundle nested science_claim_bundle LabTrust commits match manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"trace_certificate_certifyedge_commit\",\"description\":\"trace_certificate.json source_commit matches manifest.certifyedge_commit\",\"details\":{},\"registry_check_refs\":[\"TraceCertificate.v0.source_commit_matches_release_manifest\"],\"responsible_component\":\"CertifyEdge\",\"status\":\"passed\"},{\"check_id\":\"certified_bundle_certifyedge_commits\",\"description\":\"certified bundle CertifyEdge provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_certifyedge_commits\",\"description\":\"signed bundle CertifyEdge provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"verification_result_pf_commit\",\"description\":\"verification_result.json source_commit matches 
manifest.provability_fabric_commit\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_pf_commit\",\"description\":\"signed_science_claim_bundle.json source_commit matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"verification_nested_pf_commits\",\"description\":\"verification_result nested PF provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.failed_checks_block_import_ready_status\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_nested_pf_commits\",\"description\":\"signed bundle nested PF provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_source_commit\",\"description\":\"Scientific Memory report source_commit matches manifest\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_pin_commit\",\"description\":\"Scientific Memory report scientific_memory_commit matches manifest\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_trace_certificate\",\"description\":\"certificate_id on trace_certificate is present and consistent\",\"details\":{},\"registry_check_refs\":[\"TraceCertificate.v0.status_is_certificate_checked_for_release\"],\"responsible_component\":\"CertifyEdge\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_certified_bundle\",\"description\":\"certificate_id 
matches on certified bundle certificates\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_claim_refs\",\"description\":\"certificate_id referenced from certified claim_artifact\",\"details\":{},\"registry_check_refs\":[\"EvidenceBundle.v0.certificate_refs_resolve\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_evidence_refs\",\"description\":\"certificate_id referenced from certified evidence_bundle\",\"details\":{},\"registry_check_refs\":[\"EvidenceBundle.v0.certificate_refs_resolve\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_verification\",\"description\":\"certificate_id matches verification_result.verified_input\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_signed_bundle\",\"description\":\"certificate_id matches signed bundle embedded certificates\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"trace_hash_alignment\",\"description\":\"trace_hash is identical across trace, receipt, certificate, verification, signed bundle\",\"details\":{},\"registry_check_refs\":[\"RuntimeReceipt.v0.trace_hash_present\",\"TraceCertificate.v0.trace_hash_matches_runtime_receipt\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"verified_input_bundle_hash\",\"description\":\"verification_result.verified_input.bundle_hash matches certified bundle manifest 
hash\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_input_bundle_hash\",\"description\":\"signed_science_claim_bundle.signed_input_bundle_hash matches certified manifest hash\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_import_passed\",\"description\":\"scientific_memory_import_report.verification_status is passed\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_strict_import\",\"description\":\"scientific_memory_import_report.strict is true\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_no_legacy\",\"description\":\"scientific_memory_import_report.allow_legacy is false and bundle_shape is pcs_core\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"pcs_artifact_schema_validation\",\"description\":\"PCS JSON artifacts pass pcs validate schema and semantics\",\"details\":{},\"registry_check_refs\":[\"ArtifactRegistry.v0.entries_cover_required_artifact_types\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"}],\"deferred_registry_checks\":[{\"enforcement_location\":\"artifact_validate\",\"reason\":\"Executed via pcs conformance run --suite handoff-manifest during release 
qualification.\",\"registry_ref\":\"HandoffManifest.v0.handoff_input_hashes_when_validated\",\"responsible_component\":\"pcs-core\",\"status\":\"deferred\"}],\"failure_codes\":[],\"formal_checks\":[{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_matching_trace_hash\",\"lean_theorem\":\"admissible_release_has_matching_trace_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_verified_input_hash_equal_to_bundle_hash\",\"lean_theorem\":\"admissible_release_has_verified_input_hash_equal_to_bundle_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_signed_input_hash_equal_to_verified_input_hash\",\"lean_theorem\":\"admissible_release_has_signed_input_hash_equal_to_verified_input_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.kernel_build\",\"lean_theorem\":\"ReleaseChainAdmissible\",\"status\":\"passed\"}],\"release_candidate\":\"pcs-v0.1.0-rc1\",\"release_id\":\"release-pcs-v0.1-labtrust-qc\",\"schema_version\":\"v0\",\"source_commit\":\"17e414501b3e1c58e8fbde1fe89a828440a945d9\",\"source_repo\":\"https://github.com/SentinelOps-CI/pcs-core\",\"status\":\"ProofChecked\",\"validation_id\":\"validation-pcs-v0.1-labtrust-qc-rc\",\"validator\":\"pcs-core\",\"validator_version\":\"0.1.0\",\"workflow_profile_id\":\"labtrust.qc_release_v0.1\"}" + "expected_digest": "sha256:4dc0df6f86acbf51f06d15fdb847865460dd29f022925103aed3c128e225aa2e", + "canonical_json": "{\"artifacts_checked\":8,\"checked_at\":\"2026-05-18T23:17:38Z\",\"checks\":[{\"check_id\":\"manifest_present\",\"description\":\"RELEASE_FIXTURE_MANIFEST.json exists\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"artifact_files_present\",\"description\":\"Every manifest-listed artifact file exists on 
disk\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.artifact_hashes_match_files\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"manifest_hashes_match\",\"description\":\"Every artifact hash matches the manifest digest\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.artifact_hashes_match_files\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"forbidden_provenance_values\",\"description\":\"No local_dev, zero commits, or pattern placeholder commits in artifacts\",\"details\":{},\"registry_check_refs\":[\"ReleaseManifest.v0.release_mode_commit_policy\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"runtime_receipt_labtrust_commit\",\"description\":\"runtime_receipt.json source_commit matches manifest.labtrust_gym_commit\",\"details\":{},\"registry_check_refs\":[\"RuntimeReceipt.v0.source_commit_matches_release_manifest\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"pending_bundle_labtrust_commits\",\"description\":\"science_claim_bundle.pending.json LabTrust provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.non_empty_runtime_receipts\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certified_bundle_labtrust_commits\",\"description\":\"science_claim_bundle.certified.json LabTrust provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_nested_labtrust_commits\",\"description\":\"signed bundle nested science_claim_bundle LabTrust commits match manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\"],\"responsible_component\":\"Provability 
Fabric\",\"status\":\"passed\"},{\"check_id\":\"trace_certificate_certifyedge_commit\",\"description\":\"trace_certificate.json source_commit matches manifest.certifyedge_commit\",\"details\":{},\"registry_check_refs\":[\"TraceCertificate.v0.source_commit_matches_release_manifest\"],\"responsible_component\":\"CertifyEdge\",\"status\":\"passed\"},{\"check_id\":\"certified_bundle_certifyedge_commits\",\"description\":\"certified bundle CertifyEdge provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_certifyedge_commits\",\"description\":\"signed bundle CertifyEdge provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"verification_result_pf_commit\",\"description\":\"verification_result.json source_commit matches manifest.provability_fabric_commit\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_bundle_pf_commit\",\"description\":\"signed_science_claim_bundle.json source_commit matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"verification_nested_pf_commits\",\"description\":\"verification_result nested PF provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.failed_checks_block_import_ready_status\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_nested_pf_commits\",\"description\":\"signed 
bundle nested PF provenance matches manifest\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_source_commit\",\"description\":\"Scientific Memory report source_commit matches manifest\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_pin_commit\",\"description\":\"Scientific Memory report scientific_memory_commit matches manifest\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_trace_certificate\",\"description\":\"certificate_id on trace_certificate is present and consistent\",\"details\":{},\"registry_check_refs\":[\"TraceCertificate.v0.status_is_certificate_checked_for_release\"],\"responsible_component\":\"CertifyEdge\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_certified_bundle\",\"description\":\"certificate_id matches on certified bundle certificates\",\"details\":{},\"registry_check_refs\":[\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_claim_refs\",\"description\":\"certificate_id referenced from certified claim_artifact\",\"details\":{},\"registry_check_refs\":[\"EvidenceBundle.v0.certificate_refs_resolve\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_evidence_refs\",\"description\":\"certificate_id referenced from certified evidence_bundle\",\"details\":{},\"registry_check_refs\":[\"EvidenceBundle.v0.certificate_refs_resolve\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_verification\",\"description\":\"certificate_id matches 
verification_result.verified_input\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"certificate_id_signed_bundle\",\"description\":\"certificate_id matches signed bundle embedded certificates\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"trace_hash_alignment\",\"description\":\"trace_hash is identical across trace, receipt, certificate, verification, signed bundle\",\"details\":{},\"registry_check_refs\":[\"RuntimeReceipt.v0.trace_hash_present\",\"TraceCertificate.v0.trace_hash_matches_runtime_receipt\"],\"responsible_component\":\"LabTrust-Gym\",\"status\":\"passed\"},{\"check_id\":\"verified_input_bundle_hash\",\"description\":\"verification_result.verified_input.bundle_hash matches certified bundle manifest hash\",\"details\":{},\"registry_check_refs\":[\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"signed_input_bundle_hash\",\"description\":\"signed_science_claim_bundle.signed_input_bundle_hash matches certified manifest hash\",\"details\":{},\"registry_check_refs\":[\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\"],\"responsible_component\":\"Provability Fabric\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_import_passed\",\"description\":\"scientific_memory_import_report.verification_status is passed\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_strict_import\",\"description\":\"scientific_memory_import_report.strict is 
true\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"scientific_memory_no_legacy\",\"description\":\"scientific_memory_import_report.allow_legacy is false and bundle_shape is pcs_core\",\"details\":{},\"registry_check_refs\":[],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"},{\"check_id\":\"pcs_artifact_schema_validation\",\"description\":\"PCS JSON artifacts pass pcs validate schema and semantics\",\"details\":{},\"registry_check_refs\":[\"ArtifactRegistry.v0.entries_cover_required_artifact_types\",\"ComputationWitness.v0.computation_status_checked_for_release\",\"ComputationWitness.v0.source_commit_matches_release_manifest\",\"ToolUseCertificate.v0.certificate_status_checked_for_release\",\"ToolUseCertificate.v0.source_commit_matches_release_manifest\"],\"responsible_component\":\"pcs-core\",\"status\":\"passed\"}],\"deferred_registry_checks\":[{\"enforcement_location\":\"artifact_validate\",\"reason\":\"Executed via pcs conformance run --suite handoff-manifest during release 
qualification.\",\"registry_ref\":\"HandoffManifest.v0.handoff_input_hashes_when_validated\",\"responsible_component\":\"pcs-core\",\"status\":\"deferred\"}],\"failure_codes\":[],\"formal_checks\":[{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_matching_trace_hash\",\"lean_theorem\":\"admissible_release_has_matching_trace_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_verified_input_hash_equal_to_bundle_hash\",\"lean_theorem\":\"admissible_release_has_verified_input_hash_equal_to_bundle_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.admissible_release_has_signed_input_hash_equal_to_verified_input_hash\",\"lean_theorem\":\"admissible_release_has_signed_input_hash_equal_to_verified_input_hash\",\"status\":\"passed\"},{\"artifact\":\"lean_check_result.v0.json\",\"check_id\":\"lean.kernel_build\",\"lean_theorem\":\"ReleaseChainAdmissible\",\"status\":\"passed\"}],\"release_candidate\":\"pcs-v0.1.0-rc1\",\"release_id\":\"release-pcs-v0.1-labtrust-qc\",\"schema_version\":\"v0\",\"source_commit\":\"17e414501b3e1c58e8fbde1fe89a828440a945d9\",\"source_repo\":\"https://github.com/SentinelOps-CI/pcs-core\",\"status\":\"ProofChecked\",\"validation_id\":\"validation-pcs-v0.1-labtrust-qc-rc\",\"validator\":\"pcs-core\",\"validator_version\":\"0.1.0\",\"workflow_profile_id\":\"labtrust.qc_release_v0.1\"}" } diff --git a/test_vectors/hash/release_manifest.vector.json b/test_vectors/hash/release_manifest.vector.json index 901fec1..a4c411f 100644 --- a/test_vectors/hash/release_manifest.vector.json +++ b/test_vectors/hash/release_manifest.vector.json 
@@ -1,6 +1,6 @@ { "artifact_type": "ReleaseManifest.v0", "input_file": "examples/release_manifest.valid.json", - "expected_digest": "sha256:c8f90db9cc311daa738510a9746df6f43cf639d19d45d79ae33b6debedc601e5", - "canonical_json": "{\"artifacts\":{\"runtime_receipt.json\":{\"artifact_type\":\"RuntimeReceipt.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"RuntimeReceipt.v0.schema.json\",\"sha256\":\"sha256:3ad5c55458a79ef502508f86cd215c746d42b4f0cc5c9aa4feeba9c03b4e1d60\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"science_claim_bundle.certified.json\":{\"artifact_type\":\"ScienceClaimBundle.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"ScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:b8af33a7b24abf12fd938a59af6be91ac5e761365d8ecf3639fd0f196969de36\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"science_claim_bundle.pending.json\":{\"artifact_type\":\"ScienceClaimBundle.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"ScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:f71e6d92c910f6db94661c712e06cf04c946bf560ede48346dd15e88cc54c6c8\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"scientific_memory_import_report.json\":{\"artifact_type\":\"ScientificMemory.ImportReport.v0\",\"producer\":\"Scientific Memory\",\"schema\":\"scientific_memory_import_report.json\",\"sha256\":\"sha256:11d2e48a0c811ebc3bd683516c76f42b2849f604717758798c83abdb739251a3\",\"source_commit\":\"0e059e934bc95bcc4dc0cb6593b18b07a28529a2\",\"source_repo\":\"https://github.com/fraware/scientific-memory\"},\"signed_science_claim_bundle.json\":{\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"producer\":\"Provability 
Fabric\",\"schema\":\"SignedScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6\",\"source_commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"source_repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"},\"trace.json\":{\"artifact_type\":\"LabTrust.Trace.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"trace.json\",\"sha256\":\"sha256:f99eb0a90cd2b9819816a25ec4e938663d26ae8d40868cd8188665e940f7ad5c\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"trace_certificate.json\":{\"artifact_type\":\"TraceCertificate.v0\",\"producer\":\"CertifyEdge\",\"schema\":\"TraceCertificate.v0.schema.json\",\"sha256\":\"sha256:3a9facf4f66ebeb0ac286865d3c801fc976128ba0e28d5b863c95549622f539c\",\"source_commit\":\"635fca3771ad54fe3f8b49d1bb77ee35d0680ddc\",\"source_repo\":\"https://github.com/fraware/CertifyEdge\"},\"verification_result.json\":{\"artifact_type\":\"VerificationResult.v0\",\"producer\":\"Provability 
Fabric\",\"schema\":\"VerificationResult.v0.schema.json\",\"sha256\":\"sha256:13e90d156047e9c23497a73813dd27491848b3d4787b2bb7bdb6b023685cb01d\",\"source_commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"source_repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"}},\"canonical_claim_id\":\"claim-pcs-qc-release-v0.1\",\"canonical_signed_bundle\":{\"path\":\"signed_science_claim_bundle.json\",\"sha256\":\"sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6\"},\"chain_root\":{\"certificate_id\":\"cert-trace-a1b8ff9d-7d5f-489c-98b1-a3a630cb87d7\",\"certified_bundle_hash\":\"sha256:bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe\",\"signed_bundle_hash\":\"sha256:308ef2f751e2fb3159c4b88cc294bed2e94944e97e268268c7c46a7f489019f6\",\"trace_hash\":\"sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd\"},\"generated_at\":\"2026-05-18T23:17:38Z\",\"lean_check_result\":{\"path\":\"lean_check_result.v0.json\",\"sha256\":\"sha256:7d63fb9226f64fa235b67666146aff7e6396b82bd9059afce5ce9d29b4d368b8\"},\"limitations_notice\":\"PCS v0.1 demonstrates a proof-carrying simulated lab workflow; it does not claim clinical validity or production 
certification.\",\"producer_repos\":{\"certifyedge\":{\"commit\":\"635fca3771ad54fe3f8b49d1bb77ee35d0680ddc\",\"repo\":\"https://github.com/fraware/CertifyEdge\"},\"labtrust_gym\":{\"commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"pcs_core\":{\"commit\":\"17e414501b3e1c58e8fbde1fe89a828440a945d9\",\"repo\":\"https://github.com/SentinelOps-CI/pcs-core\"},\"provability_fabric\":{\"commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"},\"scientific_memory\":{\"commit\":\"0e059e934bc95bcc4dc0cb6593b18b07a28529a2\",\"repo\":\"https://github.com/fraware/scientific-memory\"}},\"proof_obligation\":{\"path\":\"proof_obligation.v0.json\",\"sha256\":\"sha256:de6c1071065220ba134757eefc88d99dd4fc1e60df1e5f74ade12c5b6be2f348\"},\"release_candidate\":\"pcs-v0.1.0-rc1\",\"release_chain_validation_result\":{\"path\":\"release_chain_validation_result.valid.json\",\"sha256\":\"sha256:2fac46ed0a92ce95505662fef25bdc09ebca1af7ad8fdfc8c3153936b8a46a37\"},\"release_id\":\"release-pcs-v0.1-labtrust-qc\",\"release_status\":\"Validated\",\"schema_version\":\"v0\",\"validation_profile\":\"labtrust-v0.1-release-chain\",\"workflow_profile_id\":\"labtrust.qc_release_v0.1\"}" + "expected_digest": "sha256:a03f06eaed2f3926ee6e87eefdd71604a7c8c04ea19f1999dba881b510e03309", + "canonical_json": 
"{\"artifacts\":{\"runtime_receipt.json\":{\"artifact_type\":\"RuntimeReceipt.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"RuntimeReceipt.v0.schema.json\",\"sha256\":\"sha256:0a421a44a1d003d4e39bee298edc329995165878bee27f5d28a9529ae8b6c027\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"science_claim_bundle.certified.json\":{\"artifact_type\":\"ScienceClaimBundle.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"ScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:b2868d2c4d75ca91e034a05516813f75edc3b8f610d9b77388eb12d4c89f7567\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"science_claim_bundle.pending.json\":{\"artifact_type\":\"ScienceClaimBundle.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"ScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:9f46da17526707af10a1893a236886c2cb5b5b42b6c5a79903a0cf48298694b0\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"scientific_memory_import_report.json\":{\"artifact_type\":\"ScientificMemory.ImportReport.v0\",\"producer\":\"Scientific Memory\",\"schema\":\"scientific_memory_import_report.json\",\"sha256\":\"sha256:6ddc5ee56147a473f1f6d7379daac2fbfeb1e9fd083e8d61ac4ab85617ad2d8c\",\"source_commit\":\"0e059e934bc95bcc4dc0cb6593b18b07a28529a2\",\"source_repo\":\"https://github.com/fraware/scientific-memory\"},\"signed_science_claim_bundle.json\":{\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"producer\":\"Provability 
Fabric\",\"schema\":\"SignedScienceClaimBundle.v0.schema.json\",\"sha256\":\"sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1\",\"source_commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"source_repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"},\"trace.json\":{\"artifact_type\":\"LabTrust.Trace.v0\",\"producer\":\"LabTrust-Gym\",\"schema\":\"trace.json\",\"sha256\":\"sha256:0b356b952c0eb5c033e4e7166113f5e34aa76af7f473362bcbc0d2b337dabb04\",\"source_commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"source_repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"trace_certificate.json\":{\"artifact_type\":\"TraceCertificate.v0\",\"producer\":\"CertifyEdge\",\"schema\":\"TraceCertificate.v0.schema.json\",\"sha256\":\"sha256:1fb39e4677c3a7838ec09079bf3d69684cd8fdb1d3e2f234ff333270920aaef7\",\"source_commit\":\"635fca3771ad54fe3f8b49d1bb77ee35d0680ddc\",\"source_repo\":\"https://github.com/fraware/CertifyEdge\"},\"verification_result.json\":{\"artifact_type\":\"VerificationResult.v0\",\"producer\":\"Provability 
Fabric\",\"schema\":\"VerificationResult.v0.schema.json\",\"sha256\":\"sha256:56bbe08d69049b9a254c3e25da4abefacba71312a5ddd5fbdd0e9cbb1f598ec1\",\"source_commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"source_repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"}},\"canonical_claim_id\":\"claim-pcs-qc-release-v0.1\",\"canonical_signed_bundle\":{\"path\":\"signed_science_claim_bundle.json\",\"sha256\":\"sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1\"},\"chain_root\":{\"certificate_id\":\"cert-trace-a1b8ff9d-7d5f-489c-98b1-a3a630cb87d7\",\"certified_bundle_hash\":\"sha256:bb740698a01c4e918ca0f346e5bfaed83e6665da8df84e931c0d50e03ce82ffe\",\"signed_bundle_hash\":\"sha256:68e6752de71212161bb6bf7ce1ecfa91532b03315896a6f89ecdd61fd81d6fe1\",\"trace_hash\":\"sha256:c3e8a3dc4ad86d533de1dfa4ae7fe2a338c2cff3c945404c96a75216524d58cd\"},\"generated_at\":\"2026-05-18T23:17:38Z\",\"limitations_notice\":\"PCS v0.1 demonstrates a proof-carrying simulated lab workflow; it does not claim clinical validity or production 
certification.\",\"producer_repos\":{\"certifyedge\":{\"commit\":\"635fca3771ad54fe3f8b49d1bb77ee35d0680ddc\",\"repo\":\"https://github.com/fraware/CertifyEdge\"},\"labtrust_gym\":{\"commit\":\"17ed831acfd775889ab497d11004cceb083a9c2d\",\"repo\":\"https://github.com/fraware/LabTrust-Gym\"},\"pcs_core\":{\"commit\":\"17e414501b3e1c58e8fbde1fe89a828440a945d9\",\"repo\":\"https://github.com/SentinelOps-CI/pcs-core\"},\"provability_fabric\":{\"commit\":\"b0dbbbe1c110ec2301d452d2ef1074354cce170f\",\"repo\":\"https://github.com/SentinelOps-CI/provability-fabric\"},\"scientific_memory\":{\"commit\":\"0e059e934bc95bcc4dc0cb6593b18b07a28529a2\",\"repo\":\"https://github.com/fraware/scientific-memory\"}},\"release_candidate\":\"pcs-v0.1.0-rc1\",\"release_chain_validation_result\":{\"path\":\"release_chain_validation_result.valid.json\",\"sha256\":\"sha256:d1fd986a2a77a55a5d55fb40ab2937a7172d5230e4e40835042e3161f4eeb6f4\"},\"release_id\":\"release-pcs-v0.1-labtrust-qc\",\"release_status\":\"Validated\",\"schema_version\":\"v0\",\"validation_profile\":\"labtrust-v0.1-release-chain\",\"workflow_profile_id\":\"labtrust.qc_release_v0.1\"}" } diff --git a/test_vectors/hash/semantic_check_execution.vector.json b/test_vectors/hash/semantic_check_execution.vector.json index 2f4bab4..aba2330 100644 --- a/test_vectors/hash/semantic_check_execution.vector.json +++ b/test_vectors/hash/semantic_check_execution.vector.json 
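Review bot: The regenerated `canonical_json` on the new side of `release_manifest.vector.json` no longer has the top-level `lean_check_result` and `proof_obligation` entries (each a `path` plus `sha256`) that the removed line carried, so the manifest and its `expected_digest` stop covering `lean_check_result.v0.json` and `proof_obligation.v0.json`. The release-chain validation vector just above still lists `formal_checks` with `"artifact":"lean_check_result.v0.json"`, so the Lean result appears to remain part of the release while this manifest no longer pins its hash. If the removal is intentional, the commit description should say where those two digests are now verified. Otherwise restore both keys in `examples/release_manifest.valid.json` and regenerate the vector. The remaining changes in this hunk look like per-artifact `sha256` refreshes, with `chain_root.trace_hash` and the producer commits unchanged.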
@@ -1,6 +1,6 @@ { "artifact_type": "SemanticCheckExecution.v0", "input_file": "examples/semantic_check_execution.valid.json", - "expected_digest": "sha256:2eff7c2f8a2c05957db5a5223ce3fdf7e5b9ee3e5bbe7789c0e2ceb66ae9691d", - "canonical_json": "{\"checks\":[{\"allowed_to_skip\":false,\"artifact_type\":\"ArtifactRegistry.v0\",\"check_id\":\"entries_cover_required_artifact_types\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ArtifactRegistry.v0.entries_cover_required_artifact_types\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"AssumptionSet.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"AssumptionSet.v0.source_commit_not_placeholder\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ClaimArtifact.v0\",\"check_id\":\"assumption_set_ref_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ClaimArtifact.v0.assumption_set_ref_present\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComponentReleaseFragment.v0\",\"check_id\":\"component_artifacts_match_release_pins\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComponentReleaseFragment.v0.component_artifacts_match_release_pins\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationRunReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationRunReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-
computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationRunReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationRunReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"code_commit_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.code_commit_present\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"computation_status_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.computation_status_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"dataset_hash_matches_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.dataset_hash_matches_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"environment_hash_matches_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.environment_hash_matches_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"result_hashes_match_result_artifacts\",\"e
nforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.result_hashes_match_result_artifacts\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"run_receipt_hash_matches_declared_run\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.run_receipt_hash_matches_declared_run\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.signature_or_digest_valid\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"DatasetReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"DatasetReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"DatasetReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"DatasetReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EnvironmentReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EnvironmentReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EnvironmentReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EnvironmentReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EvidenceBundle.v0\",\"check_id\":\"certificate_refs_resolve\",\"enforcement_layer\":\"consumer\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EvidenceBundle.v0.certificate_refs_resolve\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"producer_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"HandoffManifest.v0\",\"check_id\":\"handoff_input_hashes_when_validated\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"HandoffManifest.v0.handoff_input_hashes_when_validated\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"LeanCheckResult.v0\",\"check_id\":\"lean_theorem_in_catalog\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"LeanCheckResult.v0.lean_theorem_in_catalog\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"LeanCheckResult.v0\",\"check_id\":\"obligation_results_match_proof_obligation\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"LeanCheckResult.v0.obligation_results_match_proof_obligation\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ProofObligation.v0\",\"check_id\":\"obligations_reference_known_kinds\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ProofObligation.v0.obligations_reference_known_kinds\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseChainValidationResult.v0\",\"check_id\":\"status_matches_check_outcomes\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"re
gistry_ref\":\"ReleaseChainValidationResult.v0.status_matches_check_outcomes\",\"responsible_component\":\"pcs-core\",\"severity\":\"validator_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseManifest.v0\",\"check_id\":\"artifact_hashes_match_files\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ReleaseManifest.v0.artifact_hashes_match_files\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseManifest.v0\",\"check_id\":\"release_mode_commit_policy\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ReleaseManifest.v0.release_mode_commit_policy\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ResultArtifact.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ResultArtifact.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ResultArtifact.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ResultArtifact.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"RuntimeReceipt.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"RuntimeReceipt.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"RuntimeReceipt.v0\",\"check_id\":\"trace_hash_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"RuntimeReceipt.v0.trace_hash_present\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ScienceClaimBundle.v0\",\"check_id\":\"certified_bundle_has_certificate_when_checked\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ScienceClaimBundle.v0\",\"check_id\":\"non_empty_runtime_receipts\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ScienceClaimBundle.v0.non_empty_runtime_receipts\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"check_id\":\"embedded_bundle_passes_science_claim_semantics\",\"enforcement_layer\":\"consumer\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\",\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"producer_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"check_id\":\"signed_input_bundle_hash_matches_certified\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\",\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SourceSpan.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SourceSpan.v0.source_commit_not_placeholder\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"certificate_status_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.certificate_status_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"no_unauthorized_tool_calls\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.no_unauthorized_tool_calls\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"policy_hash_matches_certificate\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.policy_hash_matches_certificate\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\
":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.signature_or_digest_valid\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"tool_trace_hash_matches_certificate\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.tool_trace_hash_matches_certificate\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseTrace.v0\",\"check_id\":\"no_unknown_authorization_status\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseTrace.v0.no_unknown_authorization_status\",\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseTrace.v0\",\"check_id\":\"trace_hash_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseTrace.v0.trace_hash_present\",\"responsible_component\":\"agent-tool-use demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"status_is_certificate_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.status_is_certificate_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"trace_hash_matches_runtime_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.trace_hash_matches_runtime_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"VerificationResult.v0\",\"check_id\":\"failed_checks_block_import_ready_status\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"VerificationResult.v0.failed_checks_block_import_ready_status\",\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"VerificationResult.v0\",\"check_id\":\"verified_input_bundle_hash_matches_certified\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\",\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"WorkflowProfile.v0\",\"check_id\":\"required_registry_entries_registered\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"WorkflowProfile.v0.required_registry_entries_registered\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}],\"policy_id\":\"pcs-semantic-check-execution-v0.1\",\"policy_version\":\"0.1.0\",\"schema_version\":\"v0\",\"severity_definitions\":{\"consumer_responsible\":{\"description\":\"Consumer must execute at import/admission time.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"optional\":{\"description\":\"May be skipped; failures are non-fatal.\",\"downstream_must_report_execution\":false,\"fatal_if_skipped_in_release_mode\":false},\"producer_responsible\":{\"description\":\"Runtime producer must execute and attest before handoff.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"release_blocking\":{\"description\":\"Must run in release mode; blocks Validated/ProofChecked status.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"required\":{\"description\":\"Must run in release mode; failure is fatal.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"validator_responsible\":{\"description\":\"Release validator (pcs-core) must execute and cite in validation results.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"warning_only\":{\"description\":\"Non-blocking advisory check.\",\"downstream_must_report_execution\":false,\"fatal_if_skipped_in_release_mode\":false}}}" + "expected_digest": "sha256:60c6c723c87f0456bdea46f0e67ba84ead10d59bea4ee1ee4fcc18892d9ef256", + "canonical_json": 
"{\"checks\":[{\"allowed_to_skip\":false,\"artifact_type\":\"ArtifactRegistry.v0\",\"check_id\":\"entries_cover_required_artifact_types\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ArtifactRegistry.v0.entries_cover_required_artifact_types\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"AssumptionSet.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"AssumptionSet.v0.source_commit_not_placeholder\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ClaimArtifact.v0\",\"check_id\":\"assumption_set_ref_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ClaimArtifact.v0.assumption_set_ref_present\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComponentReleaseFragment.v0\",\"check_id\":\"component_artifacts_match_release_pins\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComponentReleaseFragment.v0.component_artifacts_match_release_pins\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationRunReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationRunReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationRunReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationRunReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"code_commit_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.code_commit_present\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"computation_status_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.computation_status_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"dataset_hash_matches_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.dataset_hash_matches_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"environment_hash_matches_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.environment_hash_matches_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"result_hashes_match_result_artifacts\",\"enforcement_layer\
":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.result_hashes_match_result_artifacts\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"run_receipt_hash_matches_declared_run\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.run_receipt_hash_matches_declared_run\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.signature_or_digest_valid\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ComputationWitness.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ComputationWitness.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"DatasetReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"DatasetReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"DatasetReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"DatasetReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EnvironmentReceipt.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EnvironmentReceipt.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EnvironmentReceipt.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EnvironmentReceipt.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"EvidenceBundle.v0\",\"check_id\":\"certificate_refs_resolve\",\"enforcement_layer\":\"consumer\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"EvidenceBundle.v0.certificate_refs_resolve\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"producer_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"HandoffManifest.v0\",\"check_id\":\"handoff_input_hashes_when_validated\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"HandoffManifest.v0.handoff_input_hashes_when_validated\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"LeanCheckResult.v0\",\"check_id\":\"lean_theorem_in_catalog\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"LeanCheckResult.v0.lean_theorem_in_catalog\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"LeanCheckResult.v0\",\"check_id\":\"obligation_results_match_proof_obligation\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"LeanCheckResult.v0.obligation_results_match_proof_obligation\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreAction.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreAction.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreAction.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreAction.v0.schema_valid\",\"responsib
le_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCapability.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCapability.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCapability.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCapability.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCertificate.v0\",\"check_id\":\"claim_class_matches_assurance\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCertificate.v0.claim_class_matches_assurance\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCertificate.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCertificate.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCertificate.v0\",\"check_id\":\"lean_kernel_proof\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCertificate.v0.lean_kernel_proof\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCertificate.v0\",\"check_id\":\"lean_library_build\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCertificate.v0.lean_library_build\",\"responsible_component\":\"pcs-core\",\"
severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreCertificate.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreCertificate.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreContract.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreContract.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreContract.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreContract.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreEvent.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreEvent.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreEvent.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreEvent.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreHandoff.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreHandoff.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreHandoff.v0\",\"check
_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreHandoff.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCorePrincipal.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCorePrincipal.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCorePrincipal.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCorePrincipal.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreResource.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreResource.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreResource.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreResource.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"check_id\":\"claim_class_matches_assurance\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreRuntimeObservation.v0.claim_class_matches_assurance\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_laye
r\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreRuntimeObservation.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"check_id\":\"lean_kernel_proof\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreRuntimeObservation.v0.lean_kernel_proof\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"check_id\":\"lean_library_build\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreRuntimeObservation.v0.lean_library_build\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreRuntimeObservation.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreRuntimeObservation.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreTrace.v0\",\"check_id\":\"claim_class_matches_assurance\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreTrace.v0.claim_class_matches_assurance\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreTrace.v0\",\"check_id\":\"explicit_artifact_type\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreTrace.v0.explicit_artifact_type\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreTrace.v0\",\"check_id\":\"lean_kernel_proof\",\"enforcement_layer\":\"releas
e_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreTrace.v0.lean_kernel_proof\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreTrace.v0\",\"check_id\":\"lean_library_build\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreTrace.v0.lean_library_build\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"PFCoreTrace.v0\",\"check_id\":\"schema_valid\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"PFCoreTrace.v0.schema_valid\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ProofObligation.v0\",\"check_id\":\"obligations_reference_known_kinds\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ProofObligation.v0.obligations_reference_known_kinds\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseChainValidationResult.v0\",\"check_id\":\"status_matches_check_outcomes\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ReleaseChainValidationResult.v0.status_matches_check_outcomes\",\"responsible_component\":\"pcs-core\",\"severity\":\"validator_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseManifest.v0\",\"check_id\":\"artifact_hashes_match_files\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ReleaseManifest.v0.artifact_hashes_match_files\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ReleaseManifest.v0\",\"check_id\":\"release_mode_commit_policy\",\"enforcement_layer\":\"artifact
_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ReleaseManifest.v0.release_mode_commit_policy\",\"responsible_component\":\"pcs-core\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ResultArtifact.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ResultArtifact.v0.signature_or_digest_valid\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ResultArtifact.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ResultArtifact.v0.source_commit_not_placeholder\",\"responsible_component\":\"scientific-computation demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"RuntimeReceipt.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"RuntimeReceipt.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"RuntimeReceipt.v0\",\"check_id\":\"trace_hash_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"RuntimeReceipt.v0.trace_hash_present\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ScienceClaimBundle.v0\",\"check_id\":\"certified_bundle_has_certificate_when_checked\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ScienceClaimBundle.v0.certified_bundle_has_certificate_when_checked\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"releas
e_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ScienceClaimBundle.v0\",\"check_id\":\"non_empty_runtime_receipts\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ScienceClaimBundle.v0.non_empty_runtime_receipts\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"check_id\":\"embedded_bundle_passes_science_claim_semantics\",\"enforcement_layer\":\"consumer\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SignedScienceClaimBundle.v0.embedded_bundle_passes_science_claim_semantics\",\"responsible_component\":\"Provability Fabric\",\"severity\":\"producer_responsible\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SignedScienceClaimBundle.v0\",\"check_id\":\"signed_input_bundle_hash_matches_certified\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SignedScienceClaimBundle.v0.signed_input_bundle_hash_matches_certified\",\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"SourceSpan.v0\",\"check_id\":\"source_commit_not_placeholder\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"SourceSpan.v0.source_commit_not_placeholder\",\"responsible_component\":\"LabTrust-Gym\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"certificate_status_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.certificate_status_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"no_unauthorized_tool_calls\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.no_unauthorized_tool_calls\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"policy_hash_matches_certificate\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.policy_hash_matches_certificate\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"signature_or_digest_valid\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.signature_or_digest_valid\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required
_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseCertificate.v0\",\"check_id\":\"tool_trace_hash_matches_certificate\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseCertificate.v0.tool_trace_hash_matches_certificate\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseTrace.v0\",\"check_id\":\"no_unknown_authorization_status\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseTrace.v0.no_unknown_authorization_status\",\"responsible_component\":\"agent-tool-use demo producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"ToolUseTrace.v0\",\"check_id\":\"trace_hash_present\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"ToolUseTrace.v0.trace_hash_present\",\"responsible_component\":\"agent-tool-use demo 
producer\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"source_commit_matches_release_manifest\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.source_commit_matches_release_manifest\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"status_is_certificate_checked_for_release\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.status_is_certificate_checked_for_release\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"TraceCertificate.v0\",\"check_id\":\"trace_hash_matches_runtime_receipt\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"TraceCertificate.v0.trace_hash_matches_runtime_receipt\",\"responsible_component\":\"CertifyEdge\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"VerificationResult.v0\",\"check_id\":\"failed_checks_block_import_ready_status\",\"enforcement_layer\":\"artifact_validate\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"VerificationResult.v0.failed_checks_block_import_ready_status\",\"responsible_component\":\"Provability Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"VerificationResult.v0\",\"check_id\":\"verified_input_bundle_hash_matches_certified\",\"enforcement_layer\":\"release_chain\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"VerificationResult.v0.verified_input_bundle_hash_matches_certified\",\"responsible_component\":\"Provability 
Fabric\",\"severity\":\"release_blocking\"},{\"allowed_to_skip\":false,\"artifact_type\":\"WorkflowProfile.v0\",\"check_id\":\"required_registry_entries_registered\",\"enforcement_layer\":\"registry_metadata\",\"execution_required_in_release_mode\":true,\"registry_ref\":\"WorkflowProfile.v0.required_registry_entries_registered\",\"responsible_component\":\"pcs-core\",\"severity\":\"required\"}],\"policy_id\":\"pcs-semantic-check-execution-v0.1\",\"policy_version\":\"0.1.0\",\"schema_version\":\"v0\",\"severity_definitions\":{\"consumer_responsible\":{\"description\":\"Consumer must execute at import/admission time.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"optional\":{\"description\":\"May be skipped; failures are non-fatal.\",\"downstream_must_report_execution\":false,\"fatal_if_skipped_in_release_mode\":false},\"producer_responsible\":{\"description\":\"Runtime producer must execute and attest before handoff.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"release_blocking\":{\"description\":\"Must run in release mode; blocks Validated/ProofChecked status.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"required\":{\"description\":\"Must run in release mode; failure is fatal.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"validator_responsible\":{\"description\":\"Release validator (pcs-core) must execute and cite in validation results.\",\"downstream_must_report_execution\":true,\"fatal_if_skipped_in_release_mode\":true},\"warning_only\":{\"description\":\"Non-blocking advisory check.\",\"downstream_must_report_execution\":false,\"fatal_if_skipped_in_release_mode\":false}}}" } diff --git a/test_vectors/hash/workflow_profile.vector.json b/test_vectors/hash/workflow_profile.vector.json index 212c0c3..d00cfe5 100644 --- a/test_vectors/hash/workflow_profile.vector.json 
+++ b/test_vectors/hash/workflow_profile.vector.json 
@@ -1,6 +1,6 @@ { "artifact_type": "WorkflowProfile.v0", "input_file": "examples/workflow_profiles/agent_tool_use_safety.valid.json", - "expected_digest": "sha256:f08e4c928dff1be1d610cbd2513b4c5ac5a05f718b5803603c082f136fec23d0", - "canonical_json": "{\"certificate_artifacts\":[\"ToolUseCertificate.v0\"],\"description\":\"Proof-carrying tool-use safety workflow for agent traces.\",\"domain\":\"agent_tool_use\",\"failure_modes\":[\"unauthorized_tool_call\",\"missing_policy_hash\",\"tool_output_hash_mismatch\",\"unapproved_network_call\",\"unknown_authorization_status\"],\"handoff_sequence\":[\"runtime_to_certificate\",\"certificate_to_bundle\",\"bundle_to_verifier\",\"signed_bundle_to_memory\"],\"limitations_notice\":\"This artifact is a proof-carrying tool-use simulation result. It does not guarantee trace-level safety preservation under stated assumptions for a real deployed runtime.\",\"required_admission_profile\":\"agent_tool_use_safety\",\"required_registry_entries\":[\"ToolUseTrace.v0\",\"ToolUseCertificate.v0\",\"RuntimeReceipt.v0\",\"ScienceClaimBundle.v0\",\"VerificationResult.v0\",\"SignedScienceClaimBundle.v0\",\"ReleaseManifest.v0\",\"HandoffManifest.v0\",\"ReleaseChainValidationResult.v0\",\"WorkflowProfile.v0\"],\"runtime_artifacts\":[\"ToolUseTrace.v0\",\"RuntimeReceipt.v0\"],\"schema_version\":\"v0\",\"status_policy\":{\"allowed_terminal_statuses\":[\"Rejected\",\"Stale\"],\"description\":\"Tool traces require authorized calls before CertificateChecked export.\",\"forbidden_transitions\":[{\"from_status\":\"Rejected\",\"to_status\":\"ProofChecked\"}],\"policy_id\":\"pcs-v0.1-tool-use-lifecycle\"},\"workflow_id\":\"agent_tool_use.safety_v0\"}" + "expected_digest": "sha256:02de75f38beeb2bcf81d69a2f8913f5ff5eba1287ca380f9efc4d3d7e418b410", + "canonical_json": "{\"certificate_artifacts\":[\"ToolUseCertificate.v0\"],\"description\":\"Proof-carrying tool-use safety workflow for agent 
traces.\",\"domain\":\"agent_tool_use\",\"failure_modes\":[\"unauthorized_tool_call\",\"missing_policy_hash\",\"tool_output_hash_mismatch\",\"unapproved_network_call\",\"unknown_authorization_status\"],\"handoff_sequence\":[\"runtime_to_certificate\",\"certificate_to_bundle\",\"bundle_to_verifier\",\"signed_bundle_to_memory\"],\"limitations_notice\":\"This artifact is a proof-carrying tool-use simulation result. It is not a guarantee of operational safety for a deployed agent.\",\"required_admission_profile\":\"agent_tool_use_safety\",\"required_registry_entries\":[\"ToolUseTrace.v0\",\"ToolUseCertificate.v0\",\"RuntimeReceipt.v0\",\"ScienceClaimBundle.v0\",\"VerificationResult.v0\",\"SignedScienceClaimBundle.v0\",\"ReleaseManifest.v0\",\"HandoffManifest.v0\",\"ReleaseChainValidationResult.v0\",\"WorkflowProfile.v0\"],\"runtime_artifacts\":[\"ToolUseTrace.v0\",\"RuntimeReceipt.v0\"],\"schema_version\":\"v0\",\"status_policy\":{\"allowed_terminal_statuses\":[\"Rejected\",\"Stale\"],\"description\":\"Tool traces require authorized calls before CertificateChecked export.\",\"forbidden_transitions\":[{\"from_status\":\"Rejected\",\"to_status\":\"ProofChecked\"}],\"policy_id\":\"pcs-v0.1-tool-use-lifecycle\"},\"workflow_id\":\"agent_tool_use.safety_v0\"}" } diff --git a/typescript/packages/core/src/pfCore.ts b/typescript/packages/core/src/pfCore.ts index 35acf32..75d8d44 100644 --- a/typescript/packages/core/src/pfCore.ts +++ b/typescript/packages/core/src/pfCore.ts 
@@ -3,6 +3,261 @@ import { canonicalHash, canonicalJsonBytes } from "./hash.js"; export const GENESIS_HASH = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; +export const EFFECT_KINDS = new Set([ + "file.read", + "file.write", + "network.egress", + "email.send", + "handoff.delegate", + "mcp.invoke", + "lab.release", +]); + +export type CapabilityEntry = { + capability_id: string; + effect_kind: string; + resource_pattern: string; +}; + +export const CAPABILITY_CATALOG: Record = { + "cap:file-read": { + capability_id: "cap:file-read", + effect_kind: "file.read", + resource_pattern: "/data/*", + }, + "cap:file-write": { + capability_id: "cap:file-write", + effect_kind: "file.write", + resource_pattern: "/data/*", + }, + "cap:network": { + capability_id: "cap:network", + effect_kind: "network.egress", + resource_pattern: "*", + }, + "cap:email-send": { + capability_id: "cap:email-send", + effect_kind: "email.send", + resource_pattern: "mailto:*", + }, + "cap:handoff": { + capability_id: "cap:handoff", + effect_kind: "handoff.delegate", + resource_pattern: "agent:*", + }, + "cap:mcp-invoke": { + capability_id: "cap:mcp-invoke", + effect_kind: "mcp.invoke", + resource_pattern: "mcp:*", + }, + "cap:lab-release": { + capability_id: "cap:lab-release", + effect_kind: "lab.release", + resource_pattern: "lab:*", + }, +}; + +function runtimeError(code: string, message: string, path: string): string { + return `${code}: ${message} (at ${path})`; +} + +function globMatch(pattern: string, text: string): boolean { + const patternChars = [...pattern]; + const textChars = [...text]; + function rec(pi: number, ti: number): boolean { + if (pi === patternChars.length) { + return ti === textChars.length; + } + if (patternChars[pi] === "*") { + if (pi + 1 === patternChars.length) { + return true; + } + for (let j = ti; j <= textChars.length; j += 1) { + if (rec(pi + 1, j)) { + return true; + } + } + return false; + } + if (ti >= textChars.length || 
patternChars[pi] !== textChars[ti]) { + return false; + } + return rec(pi + 1, ti + 1); + } + return rec(0, 0); +} + +export function resourceMatchesPattern(uri: string, pattern: string): boolean { + if (pattern === "*") { + return true; + } + return globMatch(pattern, uri); +} + +function validateActionEffectsKnown( + action: Record, + path: string, +): string | null { + const effects = action.effects; + if (!Array.isArray(effects)) { + return runtimeError("UnknownEffect", "unknown effect: ", `${path}.effects`); + } + if (effects.length === 0) { + return runtimeError("UnknownEffect", "unknown effect: ", path); + } + for (let index = 0; index < effects.length; index += 1) { + const effect = effects[index]; + if (!effect || typeof effect !== "object" || Array.isArray(effect)) { + return runtimeError( + "UnknownEffect", + "unknown effect: ", + `${path}.effects[${index}]`, + ); + } + const kind = String((effect as Record).effect_kind ?? ""); + if (!kind || !EFFECT_KINDS.has(kind)) { + return runtimeError( + "UnknownEffect", + `unknown effect: ${kind || ""}`, + `${path}.effects[${index}].effect_kind`, + ); + } + } + return null; +} + +function validateActionCapabilitiesKnown( + action: Record, + path: string, +): string | null { + const capability = action.capability; + if (!capability || typeof capability !== "object" || Array.isArray(capability)) { + return runtimeError( + "UnknownCapability", + "unknown capability: ", + `${path}.capability`, + ); + } + const capObj = capability as Record; + const capId = String(capObj.capability_id ?? ""); + if (!capId || !CAPABILITY_CATALOG[capId]) { + return runtimeError( + "UnknownCapability", + `unknown capability: ${capId || ""}`, + `${path}.capability`, + ); + } + const effectKind = String(capObj.effect_kind ?? 
""); + if (!effectKind || !EFFECT_KINDS.has(effectKind)) { + return runtimeError( + "UnknownEffect", + `unknown effect: ${effectKind || ""}`, + `${path}.capability.effect_kind`, + ); + } + return null; +} + +function validateActionCapabilityEffects( + action: Record, + path: string, +): string | null { + const capability = action.capability; + if (!capability || typeof capability !== "object" || Array.isArray(capability)) { + return runtimeError( + "UnknownCapability", + "unknown capability: ", + `${path}.capability`, + ); + } + const capId = String((capability as Record).capability_id ?? ""); + const catalog = CAPABILITY_CATALOG[capId]; + if (!catalog) { + return runtimeError( + "UnknownCapability", + `unknown capability: ${capId || ""}`, + `${path}.capability`, + ); + } + const effectsError = validateActionEffectsKnown(action, path); + if (effectsError) { + return effectsError; + } + if (!actionHasEffect(action, catalog.effect_kind)) { + return runtimeError( + "CapabilityEffectMismatch", + `capability ${JSON.stringify(catalog.capability_id)} effect_kind ${JSON.stringify(catalog.effect_kind)} not listed in action effects`, + `${path}.effects`, + ); + } + return null; +} + +function validateResourceScope(action: Record, path: string): string | null { + const capability = action.capability; + if (!capability || typeof capability !== "object" || Array.isArray(capability)) { + return null; + } + const pattern = String((capability as Record).resource_pattern ?? ""); + if (!pattern) { + return null; + } + for (const key of ["reads", "writes"]) { + const resources = action[key]; + if (!Array.isArray(resources)) { + continue; + } + for (let index = 0; index < resources.length; index += 1) { + const resource = resources[index]; + if (!resource || typeof resource !== "object" || Array.isArray(resource)) { + continue; + } + const uri = String((resource as Record).uri ?? 
""); + if (uri && !resourceMatchesPattern(uri, pattern)) { + return runtimeError( + "ResourceScopeViolation", + `resource ${JSON.stringify(uri)} outside declared pattern ${JSON.stringify(pattern)}`, + `${path}.${key}[${index}].uri`, + ); + } + } + } + return null; +} + +export function validateDirectTraceActionSemantics(trace: Record): string[] { + const errors: string[] = []; + const events = trace.events; + if (!Array.isArray(events)) { + return errors; + } + for (let index = 0; index < events.length; index += 1) { + const event = events[index]; + if (!event || typeof event !== "object" || Array.isArray(event)) { + continue; + } + const action = (event as Record).action; + if (!action || typeof action !== "object" || Array.isArray(action)) { + continue; + } + const actionObj = action as Record; + const base = `events[${index}].action`; + const effectError = validateActionEffectsKnown(actionObj, base); + if (effectError) { + errors.push(effectError); + } + const capabilityError = validateActionCapabilitiesKnown(actionObj, base); + if (capabilityError) { + errors.push(capabilityError); + } + const mismatchError = validateActionCapabilityEffects(actionObj, base); + if (mismatchError) { + errors.push(mismatchError); + } + } + return errors; +} + const TRACE_CLAIM_CLASSES = new Set([ "SchemaValidated", "RuntimeChecked", @@ -159,6 +414,21 @@ export function validatePfcoreTraceHashChain(trace: Record): st } } + for (let index = 0; index < events.length; index += 1) { + const event = events[index]; + if (!event || typeof event !== "object" || Array.isArray(event)) { + continue; + } + const action = (event as Record).action; + if (!action || typeof action !== "object" || Array.isArray(action)) { + continue; + } + const scopeError = validateResourceScope(action as Record, `events[${index}].action`); + if (scopeError) { + errors.push(scopeError); + } + } + return errors; } 
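Review bot: `globMatch` backtracks without memoisation and recurses once per matched character, so its cost grows steeply with the number of `*` in the pattern and a long URI can exhaust the call stack. `validateResourceScope` passes it `capability.resource_pattern` and the `reads`/`writes` URIs straight from the trace, so both arguments come from whoever produced the trace being validated. An iterative matcher that remembers only the most recent `*` keeps the same semantics (`*` is the only wildcard, every other character is literal) with work bounded by pattern length times text length and no recursion. The sketch below replaces `globMatch` only; `resourceMatchesPattern` can stay as it is.

```typescript
function globMatch(pattern: string, text: string): boolean {
  const p = [...pattern];
  const t = [...text];
  let pi = 0;
  let ti = 0;
  let starPi = -1; // index of the most recent "*" seen in the pattern
  let starTi = 0; // text index where that "*" is currently assumed to stop
  while (ti < t.length) {
    if (pi < p.length && p[pi] === "*") {
      starPi = pi;
      starTi = ti;
      pi += 1;
    } else if (pi < p.length && p[pi] === t[ti]) {
      pi += 1;
      ti += 1;
    } else if (starPi !== -1) {
      // Mismatch after a "*": let it absorb one more character and retry.
      starTi += 1;
      ti = starTi;
      pi = starPi + 1;
    } else {
      return false;
    }
  }
  // Only trailing "*" may remain once the text is consumed.
  while (pi < p.length && p[pi] === "*") {
    pi += 1;
  }
  return pi === p.length;
}
```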
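Review bot: The scope loop added near the end of `validatePfcoreTraceHashChain` (whose body starts outside this hunk) checks each URI only against the `resource_pattern` that the same action declares for itself; nothing visible compares that pattern with the `CAPABILITY_CATALOG` entry for the action's `capability_id`. As written, an action that names `cap:file-read` but declares `resource_pattern: "*"` yields no `ResourceScopeViolation`, and `validateResourceScope` returns `null` when the capability object or the pattern is missing. If the catalog pattern is meant to be the upper bound, `validateResourceScope` should also require `resourceMatchesPattern(uri, catalogEntry.resource_pattern)` and report an absent pattern instead of passing. Because `*` also matches `/`, `/data/*` accepts URIs with `..` segments unless they are rejected or normalised first.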
@@ -527,3 +797,43 @@ export function validateDeniedEventsPreserved( } return errors; } + +export function validateTenantIsolation(trace: Record): string[] { + const errors: string[] = []; + const events = trace.events; + if (!Array.isArray(events)) { + return ["TraceInvalid: events must be an array"]; + } + for (let index = 0; index < events.length; index += 1) { + const base = `events[${index}]`; + const event = events[index]; + if (!event || typeof event !== "object" || Array.isArray(event)) { + continue; + } + const eventObj = event as Record; + const principal = eventObj.principal; + const action = eventObj.action; + if ( + !principal || + typeof principal !== "object" || + Array.isArray(principal) || + !action || + typeof action !== "object" || + Array.isArray(action) + ) { + errors.push(`TenantIsolation: ${base} missing principal or action`); + continue; + } + const tenant = String((principal as Record).tenant ?? ""); + if (!tenant) { + errors.push(`TenantIsolation: ${base}.principal.tenant is empty`); + continue; + } + if (!tenantMatches(principal as Record, action as Record)) { + errors.push( + `TenantIsolation: cross-tenant resource access at ${base} (principal tenant ${JSON.stringify(tenant)})`, + ); + } + } + return errors; +} diff --git a/typescript/packages/core/src/tests/examples.test.ts b/typescript/packages/core/src/tests/examples.test.ts index 7b02333..d3daaed 100644 --- a/typescript/packages/core/src/tests/examples.test.ts +++ b/typescript/packages/core/src/tests/examples.test.ts @@ -12,7 +12,10 @@ import { computeTraceHash, validateClaimClassOverclaim, validateDeniedEventsPreserved, + validateDirectTraceActionSemantics, + validatePfcoreCertificateSemantics, validatePfcoreTraceHashChain, + validateTenantIsolation, validateTraceContracts, } from "../pfCore.js"; import { detectArtifactType, validateArtifact, ValidationError, type ArtifactType } from "../validate.js"; 
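Review bot: `validateTenantIsolation` silently skips an event that is not an object (`continue` with no error), while an event that lacks `principal` or `action` is reported, so the most malformed events are the ones that escape the isolation check. Pushing an error before that `continue`, e.g. `errors.push("TenantIsolation: " + base + " is not an object");`, makes the check fail closed and matches the non-array `events` case, which already returns `TraceInvalid`. `String(principal.tenant ?? "")` also turns a non-string tenant such as an object into a non-empty string, so a `typeof` guard requiring a string would be stricter. `tenantMatches` is not defined in this hunk, so what it compares cannot be confirmed from here.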
@@ -27,6 +30,7 @@ const pfCoreVectorsDir = join( "../../../../../python/tests/hash_vectors/pf_core", ); const pfCoreInvalidVectorsDir = join(pfCoreVectorsDir, "invalid"); +const pfCoreInvalidExamplesDir = join(examplesDir, "pf-core-invalid"); const sharedVectorsDir = join( dirname(fileURLToPath(import.meta.url)), "../../../../../test_vectors/hash", @@ -237,6 +241,24 @@ test("pf-core negative hash vectors parity", () => { const overclaimErrors = validatePfcoreTraceHashChain(overclaimTrace); assert.ok(overclaimErrors.some((err) => err.includes("ClaimClassOverclaim"))); + const traceMismatch = JSON.parse( + readFileSync(join(pfCoreInvalidVectorsDir, "trace_hash_mismatch.json"), "utf8"), + ) as Record; + const traceMismatchErrors = validatePfcoreTraceHashChain(traceMismatch); + assert.ok(traceMismatchErrors.some((err) => err.includes("TraceHashMismatch"))); + + const prevMismatch = JSON.parse( + readFileSync(join(pfCoreInvalidVectorsDir, "previous_event_hash_mismatch.json"), "utf8"), + ) as Record; + const prevMismatchErrors = validatePfcoreTraceHashChain(prevMismatch); + assert.ok(prevMismatchErrors.some((err) => err.includes("EventHashMismatch"))); + + const crossTenant = JSON.parse( + readFileSync(join(pfCoreInvalidVectorsDir, "cross_tenant_leak.json"), "utf8"), + ) as Record; + const tenantErrors = validateTenantIsolation(crossTenant); + assert.ok(tenantErrors.some((err) => err.includes("TenantIsolation"))); + const contractDir = join(pfCoreInvalidVectorsDir, "contract_capability_missing"); const contractTrace = JSON.parse( readFileSync(join(contractDir, "trace.json"), "utf8"), 
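Review bot: The cross-tenant assertion matches on the substring `TenantIsolation`, which `validateTenantIsolation` also emits for `missing principal or action` and for an empty tenant, so the test passes even if `cross_tenant_leak.json` is rejected for a structural reason rather than for a leak. Matching the specific message, `assert.ok(tenantErrors.some((err) => err.includes("cross-tenant resource access")));`, pins the behaviour the fixture is named for. The enclosing test starts and ends outside this hunk.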
@@ -265,6 +287,59 @@ test("pf-core negative hash vectors parity", () => { ); }); +test("pf-core direct-trace semantics invalid vectors", () => { + const cases: Array<[string, string]> = [ + ["unknown_direct_trace_effect/trace.json", "UnknownEffect"], + ["capability_effect_mismatch/trace.json", "CapabilityEffectMismatch"], + ["unknown_direct_trace_capability/trace.json", "UnknownCapability"], + ]; + for (const [relative, needle] of cases) { + const trace = JSON.parse( + readFileSync(join(pfCoreInvalidExamplesDir, relative), "utf8"), + ) as Record; + const errors = validateDirectTraceActionSemantics(trace); + assert.ok( + errors.some((err) => err.includes(needle)), + `${relative}: expected ${needle} in ${errors.join("; ")}`, + ); + } +}); + +test("pf-core resource scope violation vector", () => { + const trace = JSON.parse( + readFileSync(join(pfCoreInvalidExamplesDir, "resource_scope_violation/trace.json"), "utf8"), + ) as Record; + const errors = validatePfcoreTraceHashChain(trace); + assert.ok(errors.some((err) => err.includes("ResourceScopeViolation"))); +}); + +test("pf-core audit invalid vectors parity", () => { + const traceCases: Array<[string, string]> = [ + ["lean_kernel_checked_on_trace/trace.json", "ClaimClassOverclaim"], + ["lean_kernel_checked_without_proof_ref/trace.json", "ClaimClassOverclaim"], + ]; + for (const [relative, needle] of traceCases) { + const trace = JSON.parse( + readFileSync(join(pfCoreInvalidExamplesDir, relative), "utf8"), + ) as Record; + const errors = validatePfcoreTraceHashChain(trace); + assert.ok(errors.some((err) => err.includes(needle)), `${relative}: ${errors.join("; ")}`); + } + + const certificateCases: Array<[string, string]> = [ + ["lean_kernel_checked_without_proof_term_hash/certificate.json", "proof_term_hash"], + ["lean_kernel_checked_without_proof_term_ref/certificate.json", "proof_term_ref"], + ["lean_kernel_checked_with_skipped_build/certificate.json", "lean_build_status"], + ]; + for (const [relative, needle] of 
certificateCases) { + const certificate = JSON.parse( + readFileSync(join(pfCoreInvalidExamplesDir, relative), "utf8"), + ) as Record; + const errors = validatePfcoreCertificateSemantics(certificate); + assert.ok(errors.some((err) => err.includes(needle)), `${relative}: ${errors.join("; ")}`); + } +}); + test("shared hash vectors match test_vectors/hash fixtures", () => { for (const fileName of readdirSync(sharedVectorsDir)) { if (!fileName.endsWith(".vector.json")) { diff --git a/typescript/packages/core/src/validate.ts b/typescript/packages/core/src/validate.ts index 1816d93..6465383 100644 --- a/typescript/packages/core/src/validate.ts +++ b/typescript/packages/core/src/validate.ts @@ -3,6 +3,7 @@ import { validatePcsBenchIngestSemantics, } from "./benchmarkIngest.js"; import { + validateDirectTraceActionSemantics, validatePfcoreCertificateSemantics, validatePfcoreTraceHashChain, } from "./pfCore.js"; @@ -538,6 +539,7 @@ export function validateArtifact( } } if (type === "PFCoreTrace.v0") { + errors.push(...validateDirectTraceActionSemantics(data)); errors.push(...validatePfcoreTraceHashChain(data)); } if (type === "PFCoreCertificate.v0") {
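Review bot: The direct-trace cases do not cover a `capability_id` that names an inherited object property such as `constructor` or `__proto__`. In pfCore.ts the catalog test is `!CAPABILITY_CATALOG[capId]` on a plain object literal, which is truthy for those keys, so `validateActionCapabilitiesKnown` would treat them as known; what `validateActionCapabilityEffects` then reports depends on `actionHasEffect`, which is not shown. Add an inline trace with `capability_id: "constructor"` that asserts `UnknownCapability`, and change the lookup to an own-property test such as `Object.prototype.hasOwnProperty.call(CAPABILITY_CATALOG, capId)`.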