Conversation
- 4 architectural kill-switch CI gates
- property tests now mandatory
- Property 6: artifact_passthrough_integrity
- Property 7: diagnostics_read_only_surface
- diagnostics surface guaranteed read-only
- 104 tests passing
- Generate deterministic RUN_ID (YYYYMMDDTHHMMSSZ-<sha>) matching evidence/ naming convention
- Use EVIDENCE_DIR variable in failure output for accurate path reporting
- Aligns with evidence/run-<RUN_ID>/ directory structure
- docs/hooks/: hook configuration and .kiro.hook reference copies
- docs/steering/: steering reference copies (product, rules, structure, tech)
- docs/specs/pre-ci-discipline/: pre-CI discipline spec (requirements, design, tasks)
- docs/specs/phase13-trust-registry-propagation/: Phase 13 trust registry spec
- scripts/ci/test_pre_ci_discipline.sh: pre-CI discipline test script
- userspace/proofd/proptest-regressions/lib.txt: proptest regression seeds
…mization
- Add ci-kill-switch-phase13 target grouping all 13 Phase-13 kill-switch gates (proof integrity, distributed verification, observability isolation, reputation prohibition)
- Wire ci-kill-switch-phase13 into ci-freeze pipeline (was: implemented but not enforced)
- Add PRE_CI_MODE=1 support to ci-gate-boundary: skips kernel rebuild when existing artifact present, preventing local pre-ci timeout
- Update pre_ci_discipline.sh to pass PRE_CI_MODE=1 for boundary gate
Phase-13 kill-switch gates now enforced in CI. Local pre-ci discipline remains advisory (4 gates only).
Shell grep-per-symbol loop was O(n*m) process forks causing boundary gate timeout on macOS. Replace steps 2+3 with symbol_scan_match.py which compiles all patterns once and runs in-process. Before: timeout (>30s) After: 0.4s Evidence format and exit codes unchanged.
search() on anchored patterns (^...$) is functionally equivalent but fullmatch() correctly expresses the intent: exact symbol match, not substring. Consistent across both deny and allow steps.
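As an added illustration of the two commit messages above (this is not the project's own symbol_scan_match.py): a minimal in-process symbol scanner that compiles the deny and allow patterns once and then matches every symbol with fullmatch(), alongside a search()-based matcher for comparison. The pattern lists, the symbol names and the helper names are constructed for this example and are not taken from the repository.

```python
"""Added example: compile every deny/allow symbol pattern once and match each
symbol in-process with fullmatch(), so a pattern can only ever match a whole
symbol name. Assumptions (not from the page): the pattern lists, the symbol
dump and the helper names below are constructed for this example.
"""
import re
from typing import Iterable

# Constructed sample inputs: one pattern list per step, plus a symbol list of
# the kind a gate would extract from an `nm`-style dump.
DENY_PATTERNS = [
    r"__kernel_.*",   # kernel-private names must not leak into userspace
    r"malloc",        # exact name only; must not catch "xmalloc_wrap"
]
ALLOW_PATTERNS = [
    r"proofd_.*",
    r"main",
]
SYMBOLS = [
    "proofd_verify",
    "__kernel_page_map",
    "xmalloc_wrap",
    "malloc",
    "main",
    "helper_main",
]


def compile_patterns(patterns: Iterable[str]) -> list[re.Pattern[str]]:
    """Compile each pattern exactly once. The per-symbol loop below then does
    no re-parsing and, unlike a grep-per-symbol shell loop, no process forks."""
    return [re.compile(p) for p in patterns]


def matches_exact(compiled: list[re.Pattern[str]], symbol: str) -> bool:
    """fullmatch(): the pattern must cover the entire symbol name."""
    return any(p.fullmatch(symbol) for p in compiled)


def matches_substring(compiled: list[re.Pattern[str]], symbol: str) -> bool:
    """search(): shown for comparison only. It matches anywhere inside the
    name, so an unanchored 'malloc' also hits 'xmalloc_wrap'. With patterns
    anchored as ^...$ the two functions agree, but fullmatch() states the
    intent without relying on every pattern carrying its own anchors."""
    return any(p.search(symbol) for p in compiled)


def scan(symbols, deny, allow):
    """Return (denied, unallowed): symbols hit by a deny pattern, and symbols
    that no allow pattern covers. Both lists are reported to the gate."""
    deny_c = compile_patterns(deny)
    allow_c = compile_patterns(allow)
    denied = [s for s in symbols if matches_exact(deny_c, s)]
    unallowed = [s for s in symbols if not matches_exact(allow_c, s)]
    return denied, unallowed


def exit_code(denied, unallowed) -> int:
    """Fail closed: any denied or unallowed symbol is a gate failure (exit 1)."""
    return 1 if denied or unallowed else 0


if __name__ == "__main__":
    denied, unallowed = scan(SYMBOLS, DENY_PATTERNS, ALLOW_PATTERNS)
    print("denied:", denied)
    print("not in allow list:", unallowed)
    raise SystemExit(exit_code(denied, unallowed))
```

Run on the constructed symbol list, `matches_exact` leaves `xmalloc_wrap` alone while `matches_substring` with the same unanchored `malloc` pattern reports it; that difference is the intent fullmatch() makes explicit.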
…SS state (Constitutional Rule 7)
Phase status updates:
- Phase-10/11: OFFICIALLY CLOSED (remote CI run 22797401328)
- Phase-12: OFFICIALLY CLOSED (remote CI run 23099070483, PR #62, tag phase12-official-closure-confirmed)
- Phase-13: KILL_SWITCH_GATES_PASS (6/6 gates PASS, tag phase13-kill-switch-gates-pass at 0ec4bb5)
- CURRENT_PHASE=12 (formal transition at 0adb2a8)
Files updated:
- ARCHITECTURE_FREEZE.md: CI gate list updated to 23-gate chain, status section updated, version 1.4→1.5
- docs/roadmap/freeze-enforcement-workflow.md: Section 2.1 full gate list + execution order rationale + gate order change protocol; Section 2.3 gate order lock note
- docs/roadmap/README.md: Phase status and CURRENT_PHASE pointer corrected
- docs/development/PROJECT_STATUS_REPORT.md: Phase-12 CLOSED, Phase-13 kill-switch status, date updated
- docs/development/DOCUMENTATION_INDEX.md: CURRENT_PHASE=12, Phase-12/13 status corrected
- docs/steering/product.md: Current Status section updated with all phase closures and 23-gate count
- docs/steering/tech.md: Mandatory Gates section updated with full 23-gate ordered list
Refs: Constitutional Rule 7 (Documentation Synchronization)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 328a25b3f4
| echo "" | ||
| echo "Inspect evidence under:" | ||
| echo " ${EVIDENCE_ROOT:-out/evidence}/run-<RUN_ID>/reports/" | ||
| echo " ${EVIDENCE_DIR}/" |
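Review bot: the replacement line `echo " ${EVIDENCE_DIR}/"` drops the fallback that the removed line carried in `${EVIDENCE_ROOT:-out/evidence}`, so if `EVIDENCE_DIR` is unset when a gate fails the hint prints a bare ` /` (and under `set -u` the script aborts before printing anything). Give the new variable a default in the same style, for example `echo " ${EVIDENCE_DIR:-out/evidence/run-${RUN_ID}}/"`, and make sure the value printed here is the same one the gate commands were given, otherwise the path points at a directory the gates never wrote to.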
Report only evidence paths that match gate run IDs
The failure message now prints a concrete run-${RUN_ID} evidence directory, but this script-local RUN_ID is never exported or passed into the make gate commands, so each gate can write evidence under a different Makefile-generated run id; when a gate fails, users are directed to the wrong directory and cannot find the actual artifacts for debugging. This is reproducible by running the script with a mocked make and observing RUN_ID is unset in child invocations.
| case "\$1" in | ||
| ci-gate-abi) exit ${abi_exit} ;; | ||
| ci-gate-boundary) exit ${boundary_exit} ;; | ||
| ci-gate-hygiene) exit ${hygiene_exit} ;; |
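Review bot: the `case "\$1" in` dispatcher has no `*)` arm in the visible lines and keys only on the first argument, so an invocation whose first word is a variable assignment (`make PRE_CI_MODE=1 ci-gate-boundary`, as the boundary gate is now called) matches none of the `ci-gate-*` arms and falls through with whatever status the surrounding code happens to produce. Skip leading assignments before matching, e.g. `while [ "\${1#*=}" != "\$1" ]; do shift; done` ahead of the `case`, and add an explicit `*) echo "mock make: unknown target \$1" >&2; exit 2 ;;` arm so an unrecognised target fails loudly instead of silently passing.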
Match boundary target after make variable assignments
The mock make dispatcher keys only on $1, but the updated boundary invocation is make PRE_CI_MODE=1 ci-gate-boundary, where $1 is PRE_CI_MODE=1 and the target is $2; this prevents boundary failures from being simulated, so fail-closed assertions for the boundary step become invalid (e.g., bash scripts/ci/test_pre_ci_discipline.sh reports boundary checks failing for the wrong reason). The mock should skip leading VAR=... args before matching the gate target.
…snapshot.abdf in CI)
…aths field (phase13 additive)
…13 §4.1 spec
- GATE_REGISTRY.md: remove ci-gate-proof-bundle from verification artifact integrity supporting gates (consistent with Makefile change)
- PHASE13_KILL_SWITCH_GATES.md: same removal
- Add phase13-service-backed-verification-expansion spec: requirements.md, design.md, tasks.md
- design.md: add atomic manifest creation (O_CREAT|O_EXCL) design
- design.md: add path normalization flow (two-layer: segment safety + allowed set)
- design.md: add spec projection layer (FederationDiagnosticsProjection)
- design.md: add forbidden fields compile-time guard (PHASE13_FORBIDDEN_FIELDS const)
- design.md: add P9 path traversal normalization property test
- design.md: add 'diagnostics never influence verification result' kill-switch invariant
- design.md: update data models section with projection structs
- tasks.md: expand task 4 with path normalization sub-task (4.3)
- tasks.md: rewrite task 6 with projection struct sub-tasks (6.2-6.5)
- tasks.md: add P9 to task 7 (7.7)
- tasks.md: add task 8 (atomic manifest creation)
- tasks.md: add task 9 (spec projection layer isolation)
- tasks.md: add task 10 (forbidden fields serialize-level guard)
- requirements.md: already updated in previous session
Freeze PR Template

Gate Run
- (evidence/run-<id>/):

Gate Verdicts
- ci-gate-abi):
- ci-gate-boundary):
- ci-gate-tooling-isolation):
- ci-gate-constitutional):
- ci-gate-workspace):
- ci-gate-hygiene):
- ci-gate-performance):
- ci-summarize):

Tooling Isolation Guard
- yes/no
- kernel touch = 0: yes/no
- (evidence/run-<id>/gates/tooling-isolation/):

Contract Change
- yes/no
- RFC / Waiver:

Claim Check
If this PR claims Completed/Production-ready, all must be true:
- summary.json verdict is PASS

Notes