Skip to content

Add enforcement-grade verification for MGTP determinism and DecisionRecord surface isolation#8

Draft
Copilot wants to merge 3 commits intofeat/mgtp-scaffold-v0.1from
copilot/add-enforcement-grade-verification
Draft

Add enforcement-grade verification for MGTP determinism and DecisionRecord surface isolation#8
Copilot wants to merge 3 commits intofeat/mgtp-scaffold-v0.1from
copilot/add-enforcement-grade-verification

Conversation

Copy link
Contributor

Copilot AI commented Feb 28, 2026
edited
Loading

Adds verification layer for MGTP: golden determinism fixtures, fail-closed guard enforcement, cross-run stability, and surface isolation checks ensuring MGTP consumes—not redefines—authority contracts. Also adds a CI drift guard preventing modification of forbidden files in PRs.

mgtp/types.pyDecisionRecord artefact

New frozen dataclass with deterministic serialisation:

record = DecisionRecord(
    transition_id="txn-001",
    verdict=TransitionOutcome.APPROVED,
    reasons=("evidence_sufficient",),
    decision_time="2026-01-01T00:00:00Z",
    authority_basis="OWNER",
)
record.canonical_bytes()  # UTF-8 JSON, sorted keys, no whitespace
record.decision_hash      # SHA-256 hex of canonical_bytes()

mgtp/evaluator.py — Fail-closed verdict resolver

Consumes AuthorityGate directly; does not shadow it. Two hard refusals:

  • provided_evidence is NoneREFUSED / reason: missing_evidence
  • decision_time outside [request.timestamp, +1h]REFUSED / reason: decision_time_outside_authority_window

Irreversible or trust-boundary-crossing requests are always SUPERVISED.

tests/test_mgtp_enforcement.py — 17 enforcement tests

  • T1 Golden fixture: pre-computed base64 canonical bytes + SHA-256 hash asserted byte-exact
  • T2 Stability: 100-iteration loop on canonical_bytes() and decision_hash
  • T3 Fail-closed guards with explicit reason code assertions
  • T4 Surface isolation: authority_gate module not mutated post-import; mgtp carries no parallel Evidence/Decision/AuthorityGate definitions

.github/workflows/ci.yml — Forbidden-file drift guard

New forbidden-file-drift-guard job fails any PR that touches authority_gate.py, stop_machine.py, or commit_gate/**. Permissions scoped to contents: read.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits February 28, 2026 13:50
@LalaSkye
Initial plan
b2defc5 
Co-authored-by: LalaSkye <228581229+LalaSkye@users.noreply.github.com>
@LalaSkye
Add MGTP enforcement-grade verification: DecisionRecord, evaluator, t…
ed1d026 
…ests, CI drift guard

Co-authored-by: LalaSkye <228581229+LalaSkye@users.noreply.github.com>
Copilot AI changed the title [WIP] Add enforcement-grade verification and isolation checks for MGTP Add enforcement-grade verification for MGTP determinism and DecisionRecord surface isolation Feb 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@LalaSkye LalaSkye LalaSkye approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

Copilot code review Copilot

@LalaSkye LalaSkye

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@LalaSkye