npm - @maintainabilityai/research-runner - Versions diffs - 0.1.41 → 0.1.43 - Mend

@maintainabilityai/research-runner 0.1.41 → 0.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/runner/skills.js +68 -10
package/package.json +1 -1

package/dist/runner/skills.js CHANGED Viewed

@@ -1881,6 +1881,12 @@ const handleAuditVerifyChain = async (input) => {
     // Track signature state across the whole chain.
     let signedCount = 0;
     let workflowUnsignedCount = 0; // post-agent workflow-emitted events, unsigned by-design
+    // P9 (Bug-P / Codex audit): revise-agent unsigned events get their own
+    // bucket so we can decide legitimacy chain-by-chain — legacy chains
+    // (no per-epoch signing anywhere) keep the old allowance; per-epoch
+    // chains (any event with `signer_epoch`) require revise-agent to sign.
+    let reviseAgentUnsignedCount = 0;
+    let chainUsesPerEpochSigning = false;
     let prev = null;
     for (let i = 0; i < lines.length; i++) {
         let event;
@@ -1911,23 +1917,52 @@ const handleAuditVerifyChain = async (input) => {
         if (recordedHash !== recomputed) {
             return { ok: false, reason: `forged-hash-line-${i + 1}: recorded=${recordedHash.slice(0, 16)}… recomputed=${recomputed.slice(0, 16)}…` };
         }
-        // Bug K + N (cert-run-5): post-agent events (payload.emitted_by in
-        // {'workflow', 'revise-agent'}) carry signature: '' by design — the
-        // post-agent context can't sign because the ephemeral private key is
-        // gone. Count them separately so they don't trip partial-tampering
-        // detection or signature verification. Both attributions are
-        // legitimate-unsigned.
+        // Bug K + N (cert-run-5): post-agent events emitted by the workflow
+        // (e.g. the synthetic self_review backfill that runs AFTER the agent
+        // session ended) genuinely cannot sign — the ephemeral private key
+        // is gone by then. `payload.emitted_by: 'workflow'` is the legitimate
+        // unsigned attribution.
+        //
+        // P9 (Bug-P / Codex audit) — `revise-agent` used to share the same
+        // legitimate-unsigned bucket because Bug N landed BEFORE Bug O. With
+        // per-epoch signing (Bug O), a revise-agent session DOES have an
+        // ephemeral key and DOES sign its events. So an unsigned revise-agent
+        // event is now only legitimate on LEGACY chains — chains where no
+        // event carries `signer_epoch`. Tracking that requires a chain-level
+        // verdict, so we count unsigned revise-agent events into a separate
+        // bucket and decide legitimacy after the loop sees whether the chain
+        // uses per-epoch signing at all.
         const eventPayload = event.payload;
         const emittedBy = eventPayload?.emitted_by;
-        const isUnsignedByDesign = emittedBy === 'workflow' || emittedBy === 'revise-agent';
+        const isWorkflowUnsigned = emittedBy === 'workflow';
+        const isReviseAgentUnsigned = emittedBy === 'revise-agent';
+        if (typeof event.signer_epoch === 'number') {
+            chainUsesPerEpochSigning = true;
+        }
         if (recordedSignature !== null && recordedSignature !== '') {
             signedCount++;
         }
-        else if (isUnsignedByDesign) {
+        else if (isWorkflowUnsigned) {
             workflowUnsignedCount++;
         }
+        else if (isReviseAgentUnsigned) {
+            reviseAgentUnsignedCount++;
+        }
         prev = recordedHash;
     }
+    // P9: legacy chains (pre-Bug-O — no signer_epoch on any event) keep
+    // the broad allowance. New chains (any event carries signer_epoch)
+    // require revise-agent events to be signed; an unsigned revise-agent
+    // event on a per-epoch chain is now a real chain-integrity failure.
+    if (chainUsesPerEpochSigning && reviseAgentUnsignedCount > 0) {
+        return {
+            ok: false,
+            reason: `revise-agent-unsigned-on-per-epoch-chain: ${reviseAgentUnsignedCount} revise-agent events without signatures; per-epoch chains require revise-agent to sign with its own epoch key (Bug O contract)`,
+        };
+    }
+    // Legacy chains: roll revise-agent unsigned into the workflow-unsigned
+    // bucket so the downstream "agent_event_count" math still excludes them.
+    workflowUnsignedCount += reviseAgentUnsignedCount;
     // Knight's Seal verification: every AGENT-emitted event must be signed
     // by its declared signer_epoch's pub key. Workflow-unsigned events are
     // excluded from the denominator (their emitted_by: 'workflow' marker
@@ -1935,6 +1970,24 @@ const handleAuditVerifyChain = async (input) => {
     const sealed = signedCount > 0;
     const agentEventCount = lines.length - workflowUnsignedCount;
     let sealVerified = false;
+    // Bug-Q / Q3 (Codex audit round 2) — a chain that USES per-epoch
+    // signing (any event carries `signer_epoch`) MUST be sealed AND seal-
+    // verified. Without this guard, an attacker could hand-craft a chain
+    // where event 1 is signed (forcing `chainUsesPerEpochSigning=true`)
+    // but every subsequent event is unsigned — `signedCount > 0` would
+    // be true and the per-event check below would pass each unsigned
+    // event as `legitimateUnsigned` if attribution were faked. Equally,
+    // a chain where the runner reports `sealed=true` but the legacy
+    // `chainUsesPerEpochSigning=false` path runs is the gold-product
+    // promise we make to the marketing page. Legacy chains (no event
+    // carries signer_epoch) keep the prior allowance — they predate
+    // Bug O and a user audit-replaying them is intentionally tolerant.
+    if (chainUsesPerEpochSigning && !sealed) {
+        return {
+            ok: false,
+            reason: `per-epoch-chain-not-sealed: chain references signer_epoch (per-epoch signing contract) but no events carry signatures; gold-product contract requires per-epoch chains to be fully sealed`,
+        };
+    }
     if (sealed) {
         if (signedCount !== agentEventCount) {
             return { ok: false, reason: `partial-signatures: ${signedCount}/${agentEventCount} agent-emitted events signed (chain tampered; ${workflowUnsignedCount} workflow-emitted unsigned by-design)` };
@@ -1945,9 +1998,14 @@ const handleAuditVerifyChain = async (input) => {
         for (let i = 0; i < lines.length; i++) {
             const event = JSON.parse(lines[i]);
             const emittedBy = event.payload?.emitted_by;
-            const isLegacyUnsigned = (emittedBy === 'workflow' || emittedBy === 'revise-agent')
+            // P9: workflow-emitted unsigned events are always legitimate
+            // (the post-agent context genuinely has no private key). For
+            // revise-agent unsigned events, the loop above already returned
+            // an error if we're on a per-epoch chain, so reaching this point
+            // means we're on a legacy chain where the looser bucket applies.
+            const isLegitimateUnsigned = (emittedBy === 'workflow' || emittedBy === 'revise-agent')
                 && (!event.signature || event.signature === '');
-            if (isLegacyUnsigned) {
+            if (isLegitimateUnsigned) {
                 continue;
             }
             // Bug O (Task #72) — per-epoch verification. Events default to

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@maintainabilityai/research-runner",
-  "version": "0.1.41",
+  "version": "0.1.43",
   "description": "Research + PRD agent runner — orchestrates the Archeologist and PRD pipelines for the MaintainabilityAI governance mesh",
   "license": "MIT",
   "author": "MaintainabilityAI",