agentic-proofkit 0.1.91

package/proofkit/receipt-producer-policy.json

@@ -0,0 +1,48 @@
+{
+  "schemaVersion": 1,
+  "policyId": "proofkit.receipt-producer-policy",
+  "receiptKinds": [
+    "proofkit.package-gate"
+  ],
+  "environmentClasses": [
+    "local-go"
+  ],
+  "producers": [
+    {
+      "producerId": "github.actions.package",
+      "owner": "proofkit.package-boundary",
+      "admissionLevel": "merge_satisfying",
+      "receiptKinds": [
+        "proofkit.package-gate"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ],
+      "evidenceRefs": [
+        ".github/workflows/ci.yml"
+      ],
+      "nonClaim": "GitHub Actions producer admission does not authenticate the runner inside Proofkit or compute receipt freshness."
+    },
+    {
+      "producerId": "local.developer",
+      "owner": "proofkit.package-boundary",
+      "admissionLevel": "advisory",
+      "receiptKinds": [
+        "proofkit.package-gate"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ],
+      "evidenceRefs": [
+        "AGENTS.md"
+      ],
+      "nonClaim": "Local developer receipts are advisory and do not satisfy merge obligations."
+    }
+  ],
+  "receipts": [],
+  "nonClaims": [
+    "Receipt producer policy does not approve package release or consumer rollout.",
+    "Receipt producer policy does not authenticate GitHub Actions.",
+    "Receipt producer policy does not compute receipt freshness."
+  ]
+}

package/proofkit/requirement-bindings.json

@@ -0,0 +1,520 @@
+{
+  "schemaVersion": 1,
+  "bindingId": "proofkit.package-boundary.requirement-bindings",
+  "requirements": [
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-001",
+      "ownerId": "proofkit.package-boundary",
+      "specPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim consumer adoption, registry publication, rollout approval, or production readiness."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-002",
+      "ownerId": "proofkit.package-boundary",
+      "specPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim native witness execution, producer authentication, proof freshness, or merge approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-003",
+      "ownerId": "proofkit.package-boundary",
+      "specPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim registry publication, registry consumer installation, execution for non-native platform binaries, or rollout readiness."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-004",
+      "ownerId": "proofkit.package-boundary",
+      "specPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not authenticate GitHub Actions, compute proof freshness, approve merge, approve release, or make local advisory receipts merge-satisfying evidence."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-005",
+      "ownerId": "proofkit.package-boundary",
+      "specPath": "docs/specs/proofkit-package-boundary/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim semantic completeness, release approval, registry publication, consumer rollout, or production readiness."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-001",
+      "ownerId": "proofkit.spec-proof-core",
+      "specPath": "docs/specs/proofkit-spec-proof-core/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim product requirement meaning, proof freshness, native witness execution, or overview prose authority."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-002",
+      "ownerId": "proofkit.spec-proof-core",
+      "specPath": "docs/specs/proofkit-spec-proof-core/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim native witness pass evidence, proof freshness, receipt authenticity, or merge approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-003",
+      "ownerId": "proofkit.spec-proof-core",
+      "specPath": "docs/specs/proofkit-spec-proof-core/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim command execution, CI scheduling authority, credential approval, or repository-specific command policy."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-004",
+      "ownerId": "proofkit.spec-proof-core",
+      "specPath": "docs/specs/proofkit-spec-proof-core/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim changed-path completeness, command success, receipt authenticity, proof freshness, or approval to skip caller-owned gates."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-005",
+      "ownerId": "proofkit.spec-proof-core",
+      "specPath": "docs/specs/proofkit-spec-proof-core/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim generated view authority, full graph context emission, proof freshness, or agent edit approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-001",
+      "ownerId": "proofkit.receipt-authority",
+      "specPath": "docs/specs/proofkit-receipt-authority/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, native command execution, command result correctness, current-obligation matching, or merge approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-002",
+      "ownerId": "proofkit.receipt-authority",
+      "specPath": "docs/specs/proofkit-receipt-authority/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, command execution, command result correctness, CI log authority, or merge approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-003",
+      "ownerId": "proofkit.receipt-authority",
+      "specPath": "docs/specs/proofkit-receipt-authority/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim producer authentication, receipt freshness, policy digest provenance, policy-diff discovery, migration exception approval, or merge approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-004",
+      "ownerId": "proofkit.receipt-authority",
+      "specPath": "docs/specs/proofkit-receipt-authority/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim native witness execution, producer authentication, proof freshness, command result correctness, merge approval, release approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-001",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim file deletion, parity authenticity, native witness execution, proof freshness, merge approval, release approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-002",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim package resolution, manifest reads, lockfile reads, registry authentication, package-manager authority, native execution, proof freshness, merge approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-003",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim script execution, lockfile generation, lockfile freshness, registry authentication, package-manager behavior, CI scheduling, merge approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-004",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim repository scanning, tracked-file freshness, command execution, native proof coverage, CI readiness, merge approval, release approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-005",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim scenario appropriateness, repository scanning, command execution, receipt authentication, proof freshness, merge approval, release approval, or rollout approval."
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-006",
+      "ownerId": "proofkit.consumer-infra-retirement",
+      "specPath": "docs/specs/proofkit-consumer-infra-retirement/requirements.v1.json",
+      "claimLevel": "blocking",
+      "proofState": "witness_backed",
+      "nonClaims": [
+        "This requirement does not claim parity authenticity, digest computation, native witness execution, proof freshness, semantic correctness, proof coverage adequacy, old-owner deletion approval, merge approval, release approval, or rollout approval."
+      ]
+    }
+  ],
+  "bindings": [
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-001",
+      "scenarioId": "proofkit.package-boundary.root-export-and-deep-import-denial",
+      "witnessId": "proofkit.package-artifact.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/tools/packageverify/main.go",
+      "commandIds": [
+        "proofkit.go-test",
+        "proofkit.package-artifact"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-002",
+      "scenarioId": "proofkit.package-boundary.cli-deterministic-report-boundary",
+      "witnessId": "proofkit.cli.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/cli_contract_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-003",
+      "scenarioId": "proofkit.package-boundary.outside-consumer-artifact",
+      "witnessId": "proofkit.package-artifact.outside-consumer",
+      "witnessKind": "contract",
+      "witnessPath": "internal/tools/packageverify/main.go",
+      "commandIds": [
+        "proofkit.package-artifact"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-004",
+      "scenarioId": "proofkit.package-boundary.ci-receipt-anchor",
+      "witnessId": "proofkit.ci.receipt-anchor",
+      "witnessKind": "contract",
+      "witnessPath": ".github/workflows/ci.yml",
+      "commandIds": [
+        "proofkit.ci-receipt-anchor",
+        "proofkit.package-gate"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-PACKAGE-005",
+      "scenarioId": "proofkit.package-boundary.go-format-static-vet-and-vulnerability-clean",
+      "witnessId": "proofkit.go.quality-gate",
+      "witnessKind": "contract",
+      "witnessPath": "cmd internal scripts",
+      "commandIds": [
+        "proofkit.go-fmt",
+        "proofkit.go-staticcheck",
+        "proofkit.go-vet",
+        "proofkit.go-vulncheck"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-001",
+      "scenarioId": "proofkit.spec-proof-core.requirement-source-admission",
+      "witnessId": "proofkit.requirement-source-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-002",
+      "scenarioId": "proofkit.spec-proof-core.requirement-proof-binding-reporting",
+      "witnessId": "proofkit.requirement-proof-binding.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-003",
+      "scenarioId": "proofkit.spec-proof-core.witness-planning-boundary",
+      "witnessId": "proofkit.witness-planning.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-004",
+      "scenarioId": "proofkit.spec-proof-core.selective-planning-and-evidence",
+      "witnessId": "proofkit.selective-proof.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-SPEC-005",
+      "scenarioId": "proofkit.spec-proof-core.rendered-view-and-agent-envelope-non-authority",
+      "witnessId": "proofkit.rendered-proof-view.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-001",
+      "scenarioId": "proofkit.receipt-authority.proof-receipt-admission",
+      "witnessId": "proofkit.proof-receipt-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-002",
+      "scenarioId": "proofkit.receipt-authority.receipt-producer-admission",
+      "witnessId": "proofkit.receipt-producer-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-003",
+      "scenarioId": "proofkit.receipt-authority.producer-policy-self-proof",
+      "witnessId": "proofkit.producer-policy-self-proof.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RECEIPT-004",
+      "scenarioId": "proofkit.receipt-authority.spec-proof-bundle-linkage",
+      "witnessId": "proofkit.spec-proof-bundle-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-001",
+      "scenarioId": "proofkit.consumer-infra-retirement.migration-plan-retirement-gates",
+      "witnessId": "proofkit.migration-plan.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-002",
+      "scenarioId": "proofkit.consumer-infra-retirement.package-runtime-dependency-admission",
+      "witnessId": "proofkit.package-runtime-dependency-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-003",
+      "scenarioId": "proofkit.consumer-infra-retirement.workspace-registry-admission",
+      "witnessId": "proofkit.workspace-registry-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-004",
+      "scenarioId": "proofkit.consumer-infra-retirement.repo-profile-admission",
+      "witnessId": "proofkit.repo-profile-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-005",
+      "scenarioId": "proofkit.consumer-infra-retirement.adoption-workflow-routing",
+      "witnessId": "proofkit.adoption-workflow-plan.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    },
+    {
+      "requirementId": "REQ-PROOFKIT-RETIRE-006",
+      "scenarioId": "proofkit.consumer-infra-retirement.migration-parity-admission",
+      "witnessId": "proofkit.migration-parity-admission.boundary",
+      "witnessKind": "contract",
+      "witnessPath": "internal/app/self_hosting_semantics_test.go",
+      "commandIds": [
+        "proofkit.go-test"
+      ],
+      "environmentClasses": [
+        "local-go"
+      ]
+    }
+  ],
+  "witnessCommands": [
+    {
+      "commandId": "proofkit.ci-receipt-anchor",
+      "command": "npm run self:receipt",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.go-fmt",
+      "command": "npm run go:fmt",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.go-staticcheck",
+      "command": "npm run go:staticcheck",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.go-test",
+      "command": "go test ./...",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.go-vet",
+      "command": "go vet ./...",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.go-vulncheck",
+      "command": "npm run go:vulncheck",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.package-artifact",
+      "command": "npm run package:artifact",
+      "environmentClass": "local-go"
+    },
+    {
+      "commandId": "proofkit.package-gate",
+      "command": "npm run check",
+      "environmentClass": "local-go"
+    }
+  ],
+  "nonClaims": [
+    "Requirement proof bindings do not execute native witnesses.",
+    "Requirement proof bindings do not authenticate receipt producers or decide proof freshness.",
+    "Requirement proof bindings do not approve package release or consumer rollout."
+  ]
+}