@kungfu-tech/kfd 1.0.0-alpha.3 → 1.0.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -115,13 +115,26 @@ e.g. `https://kfd.libkungfu.dev/1`). This repository publishes
115
115
 
116
116
  Machine consumers that need KFD-owned standard identity should read
117
117
  `standards.json`. It is the versioned metadata surface for stable standard
118
- keys, document routes, schema IDs, and KFD-owned concept names. In Node or
119
- TypeScript projects, import it as:
118
+ keys, document routes and SHA-256 digests, schema IDs, KFD-owned concept names,
119
+ and machine-interface contract versions. In Node or TypeScript projects, import
120
+ it as:
120
121
 
121
122
  ```js
122
123
  import standards from "@kungfu-tech/kfd/standards.json" with { type: "json" };
123
124
  ```
124
125
 
126
+ KFD package semver is only the distribution version. KFD-owned machine
127
+ interfaces carry their own `schemaVersion` and `contract` fields. Compatible
128
+ additions may keep the same interface version; semantic changes, required-field
129
+ changes, verification meaning changes, or responsibility-boundary changes must
130
+ use a new interface version or contract.
131
+
132
+ KFD-2 publishes release-claims and release-trust-passport schemas under
133
+ `schemas/kfd-2/`. These schemas let Buildchain and other release systems audit
134
+ whether public release claims are bound to source facts, evidence, hashes,
135
+ audit boundaries, residual risk, and responsibility state. See
136
+ [`docs/kfd-2-release-trust.md`](docs/kfd-2-release-trust.md).
137
+
125
138
  KFD-3 also publishes a general collaboration-interface schema and witness
126
139
  schema under `schemas/kfd-3/`. These schemas are for participant-facing product
127
140
  interfaces, not only agent APIs. A product such as Kungfu may implement an
@@ -158,6 +171,8 @@ standards.json machine-readable KFD standard metadata (schemaVersion 1,
158
171
  contract kfd-standards-metadata)
159
172
  schemas/ JSON schemas for package metadata and KFD-owned schema IDs
160
173
  site/ machine-readable site bundle for kfd.libkungfu.dev renderers
174
+ buildchain.release-propagation.json
175
+ Buildchain release propagation graph for KFD -> site consumers
161
176
  release-impact.json
162
177
  Buildchain surface-aware impact ledger for production release passports
163
178
  scripts/ conformance check: registry and documents must agree
@@ -165,7 +180,8 @@ scripts/ conformance check: registry and documents must agree
165
180
 
166
181
  `node scripts/check.mjs` (also `pnpm run check`) verifies numbering
167
182
  uniqueness, registry/document agreement, standards metadata/schema agreement,
168
- status validity, and the release impact ledger required by Buildchain
183
+ status validity, decision document SHA-256 bindings, interface contract
184
+ version bindings, and the release impact ledger required by Buildchain
169
185
  production release passports. Releases are governed by Buildchain; this package
170
186
  versions itself under KFD-1's own rules: the outer package line remains `v1.0`,
171
187
  while patch and prerelease numbers are advanced by Buildchain release
@@ -0,0 +1,32 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kungfu-buildchain-release-propagation-graph",
4
+ "nodes": [
5
+ {
6
+ "id": "kfd",
7
+ "repository": "kungfu-systems/kfd",
8
+ "package": "@kungfu-tech/kfd"
9
+ },
10
+ {
11
+ "id": "site-libkungfu-dev",
12
+ "repository": "kungfu-systems/site-libkungfu-dev",
13
+ "lockPath": "buildchain.upstreams/kfd.release.json",
14
+ "baseRef": "main"
15
+ }
16
+ ],
17
+ "edges": [
18
+ {
19
+ "id": "kfd-to-site-libkungfu-dev",
20
+ "from": "kfd",
21
+ "to": "site-libkungfu-dev",
22
+ "channelPolicy": "preserve",
23
+ "consumes": [
24
+ "@kungfu-tech/kfd",
25
+ "site/kfd-site.json",
26
+ "registry.json",
27
+ "standards.json",
28
+ "decisions/*.md"
29
+ ]
30
+ }
31
+ ]
32
+ }
package/docs/MAP.md CHANGED
@@ -12,6 +12,7 @@
12
12
  | What does a specific decision say? | [`../decisions/`](../decisions) (index: [`../registry.json`](../registry.json)) |
13
13
  | What machine metadata should Buildchain or another consumer import for KFD standard identity and schema IDs? | [`../standards.json`](../standards.json) |
14
14
  | What schema validates the standards metadata surface? | [`../schemas/kfd-standards.schema.json`](../schemas/kfd-standards.schema.json) |
15
+ | What schema should release systems use for KFD-2 release claims and trust passports? | [`kfd-2-release-trust.md`](kfd-2-release-trust.md) |
15
16
  | How do I cite a decision? | [`../README.md`](../README.md) — cite by number, e.g. `KFD-1` |
16
17
  | How do decisions change over time? | [`../CONTRIBUTING.md`](../CONTRIBUTING.md) — append-only; explicit supersession mints a new number |
17
18
  | How is this package versioned and released? | [KFD-1](../decisions/kfd-1.md) applied to itself; Buildchain governs releases |
@@ -0,0 +1,46 @@
1
+ # KFD-2 Release Trust Metadata
2
+
3
+ KFD-2 says that trust must start from inspectable facts and responsibility
4
+ state. For releases, that means a product must not ask users or agents to trust
5
+ release claims only because they appear in prose, changelogs, or repository
6
+ history.
7
+
8
+ This package defines two KFD-owned machine interfaces:
9
+
10
+ - `schemas/kfd-2/release-claims.schema.json`: the product's declared public
11
+ release claims.
12
+ - `schemas/kfd-2/release-trust-passport.schema.json`: the verifier's result
13
+ after auditing those claims against evidence.
14
+
15
+ The intended Buildchain flow is:
16
+
17
+ ```text
18
+ release claims -> evidence audit -> release trust passport -> release passport
19
+ ```
20
+
21
+ Each claim should declare the statement being made, the source of the claim,
22
+ machine-readable evidence, the audit boundary, residual risk, and responsibility
23
+ state. The trust passport should then record whether each claim is bound to
24
+ evidence, which evidence was checked, what the result was, and who owns the
25
+ release decision.
26
+
27
+ ## Interface Versioning
28
+
29
+ KFD package semver is only the distribution version. It is not the version of a
30
+ KFD-owned machine interface.
31
+
32
+ Every KFD-owned machine interface uses:
33
+
34
+ - `schemaVersion`: the interface version consumed by tools.
35
+ - `contract`: the stable contract name, such as `kfd-2-release-claims`.
36
+ - `$id`: the canonical schema URL for the current stable interface.
37
+
38
+ Compatible additions may keep `schemaVersion: 1`. A change that alters required
39
+ fields, field semantics, verification meaning, audit boundary semantics, or
40
+ responsibility semantics must not silently reuse the same interface contract.
41
+ It must introduce a new interface version or, when the standard itself changes,
42
+ a new KFD decision or amendment path.
43
+
44
+ The same rule applies to KFD-1 and KFD-3 schemas. Their current schemas already
45
+ carry `schemaVersion: 1` and a `contract` value; this document makes the
46
+ evolution rule explicit across the KFD package.
@@ -0,0 +1,13 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kfd-release-anchor",
4
+ "line": "v1.0",
5
+ "channel": "alpha",
6
+ "npmPackage": "@kungfu-tech/kfd",
7
+ "npmVersion": "1.0.0-alpha.5",
8
+ "source": {
9
+ "repository": "kungfu-systems/kfd",
10
+ "branch": "alpha/v1/v1.0"
11
+ },
12
+ "rationale": "KFD uses an anchored/manual Buildchain mode: the public package version is an explicit release fact, while the outer KFD line remains v1.0."
13
+ }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kungfu-tech/kfd",
3
- "version": "1.0.0-alpha.3",
3
+ "version": "1.0.0-alpha.5",
4
4
  "description": "Kung Fu Decisions (KFD): the kungfu-systems organization-wide decision registry, as a consumable artifact",
5
5
  "license": "Apache-2.0",
6
6
  "files": [
@@ -8,8 +8,12 @@
8
8
  "decisions",
9
9
  "registry.json",
10
10
  "standards.json",
11
+ "kfd.release.json",
11
12
  "schemas",
12
13
  "site",
14
+ "buildchain.release-propagation.json",
15
+ ".buildchain/kfd-1/contract-world.witness.json",
16
+ ".buildchain/kfd-3",
13
17
  "docs"
14
18
  ],
15
19
  "exports": {
@@ -17,14 +21,21 @@
17
21
  "./README.md": "./README.md",
18
22
  "./registry.json": "./registry.json",
19
23
  "./standards.json": "./standards.json",
24
+ "./kfd.release.json": "./kfd.release.json",
20
25
  "./site/kfd-site.json": "./site/kfd-site.json",
26
+ "./buildchain.release-propagation.json": "./buildchain.release-propagation.json",
27
+ "./buildchain/kfd-1/contract-world.witness.json": "./.buildchain/kfd-1/contract-world.witness.json",
28
+ "./buildchain/kfd-3/collaboration-interface.json": "./.buildchain/kfd-3/collaboration-interface.json",
29
+ "./buildchain/kfd-3/collaboration-interface.prebuild.json": "./.buildchain/kfd-3/collaboration-interface.prebuild.json",
30
+ "./buildchain/kfd-3/collaboration-interface.artifact.json": "./.buildchain/kfd-3/collaboration-interface.artifact.json",
21
31
  "./schemas/*.json": "./schemas/*.json",
22
32
  "./schemas/*/*.json": "./schemas/*/*.json",
23
33
  "./decisions/*.md": "./decisions/*.md",
24
34
  "./docs/*": "./docs/*"
25
35
  },
26
36
  "scripts": {
27
- "check": "node scripts/check.mjs"
37
+ "check": "node scripts/check.mjs",
38
+ "update:kfd-3-witness": "node scripts/update-kfd-3-witness.mjs"
28
39
  },
29
40
  "publishConfig": {
30
41
  "registry": "https://registry.npmjs.org/",
@@ -0,0 +1,332 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://kfd.libkungfu.dev/schemas/kfd-2/release-claims.schema.json",
4
+ "title": "KFD-2 release claims",
5
+ "type": "object",
6
+ "required": [
7
+ "schemaVersion",
8
+ "contract",
9
+ "standard",
10
+ "product",
11
+ "release",
12
+ "claims"
13
+ ],
14
+ "properties": {
15
+ "schemaVersion": {
16
+ "const": 1
17
+ },
18
+ "contract": {
19
+ "const": "kfd-2-release-claims"
20
+ },
21
+ "standard": {
22
+ "const": "kfd-2"
23
+ },
24
+ "product": {
25
+ "$ref": "#/$defs/product"
26
+ },
27
+ "release": {
28
+ "$ref": "#/$defs/release"
29
+ },
30
+ "claims": {
31
+ "type": "array",
32
+ "minItems": 1,
33
+ "items": {
34
+ "$ref": "#/$defs/claim"
35
+ }
36
+ },
37
+ "schemaEvolution": {
38
+ "$ref": "#/$defs/schemaEvolution"
39
+ }
40
+ },
41
+ "additionalProperties": true,
42
+ "$defs": {
43
+ "product": {
44
+ "type": "object",
45
+ "required": [
46
+ "name"
47
+ ],
48
+ "properties": {
49
+ "name": {
50
+ "type": "string",
51
+ "minLength": 1
52
+ },
53
+ "repository": {
54
+ "type": "string",
55
+ "minLength": 1
56
+ },
57
+ "package": {
58
+ "type": "string",
59
+ "minLength": 1
60
+ }
61
+ },
62
+ "additionalProperties": true
63
+ },
64
+ "release": {
65
+ "type": "object",
66
+ "required": [
67
+ "version",
68
+ "channel"
69
+ ],
70
+ "properties": {
71
+ "version": {
72
+ "type": "string",
73
+ "minLength": 1
74
+ },
75
+ "channel": {
76
+ "type": "string",
77
+ "minLength": 1
78
+ },
79
+ "tag": {
80
+ "type": "string",
81
+ "minLength": 1
82
+ },
83
+ "sourceSha": {
84
+ "type": "string",
85
+ "minLength": 1
86
+ }
87
+ },
88
+ "additionalProperties": true
89
+ },
90
+ "claim": {
91
+ "type": "object",
92
+ "required": [
93
+ "id",
94
+ "statement",
95
+ "source",
96
+ "evidence",
97
+ "auditBoundary",
98
+ "responsibility",
99
+ "status"
100
+ ],
101
+ "properties": {
102
+ "id": {
103
+ "type": "string",
104
+ "pattern": "^[a-z0-9]+(-[a-z0-9]+)*$"
105
+ },
106
+ "statement": {
107
+ "type": "string",
108
+ "minLength": 1
109
+ },
110
+ "category": {
111
+ "enum": [
112
+ "metadata",
113
+ "schema",
114
+ "package-export",
115
+ "artifact",
116
+ "site",
117
+ "release",
118
+ "kfd-1",
119
+ "kfd-2",
120
+ "kfd-3",
121
+ "other"
122
+ ]
123
+ },
124
+ "source": {
125
+ "$ref": "#/$defs/artifactPointer"
126
+ },
127
+ "evidence": {
128
+ "type": "array",
129
+ "minItems": 1,
130
+ "items": {
131
+ "$ref": "#/$defs/evidenceBinding"
132
+ }
133
+ },
134
+ "verification": {
135
+ "$ref": "#/$defs/verification"
136
+ },
137
+ "auditBoundary": {
138
+ "$ref": "#/$defs/auditBoundary"
139
+ },
140
+ "residualRisk": {
141
+ "type": "array",
142
+ "items": {
143
+ "type": "string",
144
+ "minLength": 1
145
+ }
146
+ },
147
+ "responsibility": {
148
+ "$ref": "#/$defs/responsibilityState"
149
+ },
150
+ "status": {
151
+ "enum": [
152
+ "declared",
153
+ "audited",
154
+ "enforced",
155
+ "not-applicable"
156
+ ]
157
+ }
158
+ },
159
+ "additionalProperties": true
160
+ },
161
+ "artifactPointer": {
162
+ "type": "object",
163
+ "required": [
164
+ "kind"
165
+ ],
166
+ "properties": {
167
+ "kind": {
168
+ "enum": [
169
+ "file",
170
+ "schema",
171
+ "package-export",
172
+ "artifact",
173
+ "command",
174
+ "witness",
175
+ "passport",
176
+ "url",
177
+ "other"
178
+ ]
179
+ },
180
+ "path": {
181
+ "type": "string",
182
+ "minLength": 1
183
+ },
184
+ "specifier": {
185
+ "type": "string",
186
+ "minLength": 1
187
+ },
188
+ "url": {
189
+ "type": "string",
190
+ "format": "uri"
191
+ },
192
+ "schemaId": {
193
+ "type": "string",
194
+ "format": "uri"
195
+ },
196
+ "sha256": {
197
+ "type": "string",
198
+ "pattern": "^[0-9a-f]{64}$"
199
+ },
200
+ "digest": {
201
+ "type": "string",
202
+ "minLength": 1
203
+ }
204
+ },
205
+ "additionalProperties": true
206
+ },
207
+ "evidenceBinding": {
208
+ "type": "object",
209
+ "required": [
210
+ "type"
211
+ ],
212
+ "properties": {
213
+ "type": {
214
+ "enum": [
215
+ "file",
216
+ "schema",
217
+ "package-export",
218
+ "artifact",
219
+ "hash",
220
+ "command-result",
221
+ "witness",
222
+ "passport-section",
223
+ "url",
224
+ "other"
225
+ ]
226
+ },
227
+ "pointer": {
228
+ "$ref": "#/$defs/artifactPointer"
229
+ },
230
+ "description": {
231
+ "type": "string",
232
+ "minLength": 1
233
+ }
234
+ },
235
+ "additionalProperties": true
236
+ },
237
+ "verification": {
238
+ "type": "object",
239
+ "properties": {
240
+ "resultRef": {
241
+ "$ref": "#/$defs/artifactPointer"
242
+ },
243
+ "command": {
244
+ "type": "string",
245
+ "minLength": 1
246
+ },
247
+ "expectedResult": {
248
+ "enum": [
249
+ "pass",
250
+ "fail",
251
+ "warning",
252
+ "unverifiable"
253
+ ]
254
+ }
255
+ },
256
+ "additionalProperties": true
257
+ },
258
+ "auditBoundary": {
259
+ "type": "object",
260
+ "required": [
261
+ "scope",
262
+ "enumerability"
263
+ ],
264
+ "properties": {
265
+ "scope": {
266
+ "type": "string",
267
+ "minLength": 1
268
+ },
269
+ "enumerability": {
270
+ "enum": [
271
+ "closed-world",
272
+ "declared-open",
273
+ "sampled",
274
+ "manual"
275
+ ]
276
+ },
277
+ "exclusions": {
278
+ "type": "array",
279
+ "items": {
280
+ "type": "string",
281
+ "minLength": 1
282
+ }
283
+ }
284
+ },
285
+ "additionalProperties": true
286
+ },
287
+ "responsibilityState": {
288
+ "type": "object",
289
+ "required": [
290
+ "sourceOwner",
291
+ "verificationOwner",
292
+ "releaseDecisionOwner"
293
+ ],
294
+ "properties": {
295
+ "sourceOwner": {
296
+ "type": "string",
297
+ "minLength": 1
298
+ },
299
+ "verificationOwner": {
300
+ "type": "string",
301
+ "minLength": 1
302
+ },
303
+ "releaseDecisionOwner": {
304
+ "type": "string",
305
+ "minLength": 1
306
+ },
307
+ "escalation": {
308
+ "type": "string",
309
+ "minLength": 1
310
+ }
311
+ },
312
+ "additionalProperties": true
313
+ },
314
+ "schemaEvolution": {
315
+ "type": "object",
316
+ "required": [
317
+ "interfaceVersion",
318
+ "compatibilityRule"
319
+ ],
320
+ "properties": {
321
+ "interfaceVersion": {
322
+ "const": 1
323
+ },
324
+ "compatibilityRule": {
325
+ "type": "string",
326
+ "minLength": 1
327
+ }
328
+ },
329
+ "additionalProperties": true
330
+ }
331
+ }
332
+ }