@kungfu-tech/kfd 1.0.0-alpha.19 → 1.0.0-alpha.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/.buildchain/kfd-1/contract-world.witness.json +579 -91
  2. package/.buildchain/kfd-2/kfd-foundation.trust-assessment.json +238 -0
  3. package/.buildchain/kfd-2/kfd-foundation.trust-claims.json +225 -0
  4. package/.buildchain/kfd-2/public-release-trust.claim.json +30 -18
  5. package/.buildchain/kfd-3/collaboration-interface.artifact.json +242 -57
  6. package/.buildchain/kfd-3/collaboration-interface.json +99 -1
  7. package/.buildchain/kfd-3/collaboration-interface.prebuild.json +261 -32
  8. package/README.md +18 -13
  9. package/buildchain.contract-lock.json +5 -5
  10. package/decisions/{kfd-1.md → KFD-1.md} +40 -12
  11. package/decisions/{kfd-2.md → KFD-2.md} +37 -4
  12. package/decisions/{kfd-3.md → KFD-3.md} +17 -1
  13. package/docs/KFD-1-usage.md +37 -0
  14. package/docs/KFD-2-usage.md +123 -0
  15. package/docs/{kfd-3-collaboration-interface.md → KFD-3-usage.md} +21 -0
  16. package/docs/KFD-4-usage.md +31 -0
  17. package/docs/MAP.md +13 -7
  18. package/kfd.release.json +1 -1
  19. package/package.json +3 -1
  20. package/registry.json +4 -4
  21. package/release-impact.json +41 -5
  22. package/schemas/kfd-1/contract-world.schema.json +67 -4
  23. package/schemas/kfd-1/witness.schema.json +113 -0
  24. package/schemas/kfd-2/trust-assessment.schema.json +313 -0
  25. package/schemas/kfd-2/trust-claims.schema.json +334 -0
  26. package/schemas/kfd-3/collaboration-interface.schema.json +60 -0
  27. package/schemas/kfd-3/witness.schema.json +8 -0
  28. package/schemas/kfd-standards.schema.json +124 -0
  29. package/scripts/check.mjs +256 -12
  30. package/scripts/update-kfd-1-witness.mjs +17 -6
  31. package/scripts/update-kfd-2-claim.mjs +226 -5
  32. package/scripts/update-kfd-3-witness.mjs +35 -3
  33. package/scripts/update-site-bundle.mjs +32 -2
  34. package/site/kfd-site.json +67 -4
  35. package/standards.json +634 -11
  36. package/docs/kfd-2-release-trust.md +0 -78
  37. /package/decisions/{kfd-4.md → KFD-4.md} +0 -0
@@ -1,78 +0,0 @@
1
- # KFD-2 Release Trust Metadata
2
-
3
- KFD-2 says that trust must start from inspectable facts and responsibility
4
- state. For releases, that means a product must not ask users or agents to trust
5
- release claims only because they appear in prose, changelogs, or repository
6
- history.
7
-
8
- This package defines two KFD-owned machine interfaces:
9
-
10
- - `schemas/kfd-2/trust-taxonomy.schema.json`: the KFD-owned taxonomy for
11
- residual-risk types, trust impact, machine provability, agent actions, and
12
- downgrade reasons.
13
- - `schemas/kfd-2/release-claims.schema.json`: the product's declared public
14
- release claims.
15
- - `schemas/kfd-2/release-trust-passport.schema.json`: the verifier's result
16
- after auditing those claims against evidence.
17
-
18
- The intended Buildchain flow is:
19
-
20
- ```text
21
- release claims -> evidence audit -> release trust passport -> release passport
22
- ```
23
-
24
- Each claim should declare the statement being made, the source of the claim,
25
- machine-readable evidence, the audit boundary, residual risk, and responsibility
26
- state. The trust passport should then record whether each claim is bound to
27
- evidence, which evidence was checked, what the result was, and who owns the
28
- release decision.
29
-
30
- ## Trust Taxonomy
31
-
32
- KFD-2 owns the vocabulary for residual risks and trust downgrades. A product,
33
- release tool, or agent must not invent new residual-risk values locally and
34
- still claim KFD-2 conformance. Unknown values fail schema validation.
35
-
36
- The current taxonomy is published in
37
- `schemas/kfd-2/trust-taxonomy.schema.json`. It defines:
38
-
39
- - `riskType`: what kind of trust gap remains;
40
- - `trustImpact`: whether the gap is informational, downgraded, failing, or
41
- unverifiable;
42
- - `machineProvability`: whether the gap can be fully proved by machine;
43
- - `agentAction`: what an agent should do next;
44
- - `downgradeReason`: how a verifier maps residual risk into a release trust
45
- result.
46
-
47
- If an agent needs a KFD-2 value that is not present, the standard extension
48
- path is to open an issue in the KFD repository:
49
-
50
- ```text
51
- https://github.com/kungfu-systems/kfd/issues/new?title=KFD-2%20trust%20taxonomy%20extension%20request
52
- ```
53
-
54
- The issue should state the missing value, the field it belongs to, the product
55
- or release scenario that needs it, and why existing values cannot express the
56
- case. Until KFD accepts the new value into the taxonomy schema, consumers
57
- should treat the value as invalid rather than as a soft warning.
58
-
59
- ## Interface Versioning
60
-
61
- KFD package semver is only the distribution version. It is not the version of a
62
- KFD-owned machine interface.
63
-
64
- Every KFD-owned machine interface uses:
65
-
66
- - `schemaVersion`: the interface version consumed by tools.
67
- - `contract`: the stable contract name, such as `kfd-2-release-claims`.
68
- - `$id`: the canonical schema URL for the current stable interface.
69
-
70
- Compatible additions may keep `schemaVersion: 1`. A change that alters required
71
- fields, field semantics, verification meaning, audit boundary semantics, or
72
- responsibility semantics must not silently reuse the same interface contract.
73
- It must introduce a new interface version or, when the standard itself changes,
74
- a new KFD decision or amendment path.
75
-
76
- The same rule applies to KFD-1 and KFD-3 schemas. Their current schemas already
77
- carry `schemaVersion: 1` and a `contract` value; this document makes the
78
- evolution rule explicit across the KFD package.
File without changes