Skip to content

Commit 1d6246e

Browse files
V29 Gate 5: Guard AssetPack disclosure rights
Define package-owned AssetPackDisclosureReview, leakage checks, and source-safe preview persistence for postprocess and sandbox harness evidence. Render disclosure review in Terminal, extend BTD access boundary coverage, document Gate 5 parity, and enforce version/gate-prefixed PR titles in gate CI.
1 parent 845dc71 commit 1d6246e

23 files changed

Lines changed: 999 additions & 2 deletions

.github/pull_request_template.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
## Title
2+
3+
Use the version and gate prefix for gate PRs: `V29 Gate N: Concise Topical Title`.
4+
Use the version and promotion prefix for version promotion PRs: `V29: Promote Canon`.
5+
6+
## Closure
7+
8+
- Gate:
9+
- Acceptance criteria closed:
10+
- Tests/checks run:
11+
- Accepted boundaries:

.github/workflows/bitcode-gate-quality.yml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,23 @@ jobs:
3838
- name: Install dependencies
3939
run: pnpm install --frozen-lockfile
4040

41+
- name: Validate gate pull request title
42+
if: github.event_name == 'pull_request'
43+
env:
44+
PR_BASE_REF: ${{ github.base_ref }}
45+
PR_HEAD_REF: ${{ github.head_ref }}
46+
PR_TITLE: ${{ github.event.pull_request.title }}
47+
run: |
48+
if [[ "$PR_BASE_REF" == version/* && "$PR_HEAD_REF" =~ ^v([0-9]+)/gate-([0-9]+)- ]]; then
49+
expected_version="V${BASH_REMATCH[1]}"
50+
expected_gate="${BASH_REMATCH[2]}"
51+
if [[ ! "$PR_TITLE" =~ ^${expected_version}[[:space:]]+Gate[[:space:]]+${expected_gate}:[[:space:]].+ ]]; then
52+
echo "Gate pull request titles must begin with: ${expected_version} Gate ${expected_gate}:"
53+
echo "Observed: ${PR_TITLE}"
54+
exit 1
55+
fi
56+
fi
57+
4158
- name: Validate draft canon posture
4259
run: |
4360
test "$(cat BITCODE_SPEC.txt)" = "V28"
@@ -49,6 +66,7 @@ jobs:
4966
node scripts/check-v29-gate2-terminal-transaction-read-models.mjs --skip-branch-check
5067
node scripts/check-v29-gate3-wallet-signer-btc-operations.mjs --skip-branch-check
5168
node scripts/check-v29-gate4-reading-pipeline-observability.mjs --skip-branch-check
69+
node scripts/check-v29-gate5-assetpack-disclosure-rights.mjs --skip-branch-check
5270
5371
- name: Validate source casing and imports
5472
run: |
@@ -65,8 +83,10 @@ jobs:
6583
run: |
6684
pnpm --filter @bitcode/btd test
6785
pnpm --filter @bitcode/btd test -- --runTestsByPath __tests__/btc-fee-operation.test.ts
86+
pnpm --filter @bitcode/btd test -- --runTestsByPath __tests__/btd.test.ts
6887
pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --passWithNoTests --forceExit
6988
pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --runTestsByPath src/__tests__/reading-pipeline-observability.test.ts src/__tests__/reading-pipeline-contract.test.ts --runInBand
89+
pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --runTestsByPath src/__tests__/asset-pack-disclosure.test.ts src/__tests__/postprocess.test.ts src/__tests__/read-need.test.ts --runInBand
7090
pnpm --filter @bitcode/pipeline-hosts exec jest --config jest.config.cjs --passWithNoTests --forceExit
7191
7292
- name: Test staged Reading route and Terminal harness contracts

AGENTS.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
- Do not consider any legacy code. All legacy code is located under `_legacy/`.
66
- Highest caliber software engineering crafstmanship (maintainibility, abstractions, architectures, naming, patterns, comments, documentation, structures, algorithmic and data flow designs, UI/UX, etc.), correctness (specification and implementation precision, reliability, completeness, boundaried, scoped, encapsulated, etc.), and auditable (totalistic proofs systems from static code, build time, runtime, etc. etc. as is Bitcode, tests from unit, integration, E2E, linting and building, etc.).
77
- Do not push work directly to `main`. Create a version base branch for each draft target, such as `version/v28`, then create scoped gate branches from that version branch. Gate branches must be prefixed with the gate number, such as `v28/gate-3-read-fit-workflow` or `v28/gate-8-promotion-proof`. Pull-request each closed gate back into the version branch. Pull-request the version branch into `main` only when all gates are closed and the version is formally promoted as canon. The default branch is protected by the `Bitcode Core Contributions` ruleset and requires pull requests plus verified signatures.
8+
- Gate pull request titles must begin with the uppercase version and gate prefix, followed by a concise topical title, for example `V29 Gate 5: AssetPack Disclosure Rights And Preview Depth`. Version-promotion pull requests must begin with the uppercase version and name canonical promotion.
89
- Once implementation starts on a gate branch, do not stop at partial progress unless blocked by missing external input or explicit user pause. A gate branch is ready to stop only when the gate's acceptance criteria are implemented, specified, tested, documented, committed, pushed, and pull-requested for closure into the version branch.
910
- Treat gate and promotion workflow health as part of gate closure. Gate pull requests into version branches must be green through the maintained gate-quality checks, and repository-wide canon-quality checks must remain greenable during draft work. Version pull requests into `main` must pass the version promotion workflow, which performs promotion-grade validations and commits the standalone `BITCODE_SPEC.txt` pointer change only after those validations pass.
1011
- Keep CI greenable rather than ceremonial. Required application CI uses root pnpm workspace installation and maintained uapi lint/typecheck/build/Jest coverage. Heavy legacy scans such as full DB/browser E2E, Storybook build, super-linter, and advanced CodeQL are opt-in by repository variables until their backing catalogs and service assumptions are maintained for required branch protection.

BITCODE_SPEC_V29.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -301,6 +301,27 @@ Failure to observe prompt, raw-output, parsed-output, or tool telemetry in a run
301301
- Current validating commands and parity basis: synthesis tests, source-leakage tests, route tests, PR delivery mocks/live checks, and V29 gate checks.
302302
- Current accepted boundaries: full mainnet value delivery remains approval-gated.
303303

304+
#### V29 AssetPack disclosure rights canon
305+
306+
AssetPack disclosure is a first-class review object, not an incidental UI summary.
307+
The preview before payment may show Need measurements, Finding Fits measurements, candidate ids, roots, score band, fee quote, range projection, access policy hash, and delivery target.
308+
It must not show protected source content, the full patch, source-bearing manifest entries, or licensed read payload before the paid unlock is proven.
309+
310+
The disclosure review contract carries:
311+
312+
- `AssetPackSourceSafePreview`, which remains the source-safe preview envelope;
313+
- `AssetPackDisclosureReview`, which binds preview id, AssetPack id, read-right state, source visibility, reader action, policy fields, range projection, roots, and protected-source leakage findings;
314+
- owner-read, licensed-read, denied, and pending-settlement distinctions from BTD access primitives;
315+
- paid unlock state from settlement readback;
316+
- leakage review that fails closed when patch markers, source-code markers, or forbidden source-bearing fields appear in preview metadata.
317+
318+
Terminal must render disclosure review as an ordinary Reading stage surface.
319+
Collapsed view shows visibility, reader action, policy root, review root, visible/withheld counts, leakage state, and source unlock state.
320+
Expanded views may show the review metadata and roots, but they still may not reveal protected source before settlement.
321+
322+
Gate pull request titles are part of the same operator-quality posture.
323+
Gate PRs into version branches must begin with the uppercase version and gate prefix, for example `V29 Gate 5: AssetPack Disclosure Rights And Preview Depth`, so gate history stays auditable from GitHub alone.
324+
304325
### Identity, authorization, and sensitive flow
305326

306327
- Current canonical objects and emitted artifacts: wallet identity, signer session, GitHub connection, organization role, read-license, access-policy decision, permission proof.

BITCODE_SPEC_V29_DELTA.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -126,6 +126,16 @@ Closure acceptance:
126126

127127
Gate 5 owns AssetPack range detail, owner-read/licensed-read/denied-state flows, source-safe preview, disclosure policy review, paid unlock state, and protected-source leakage tests.
128128

129+
Closure acceptance:
130+
131+
- `@bitcode/pipeline-asset-pack` exposes `AssetPackDisclosureReview` as the first-class review object between source-safe preview and paid source unlock.
132+
- The disclosure review binds preview id, AssetPack id, BTD read-right state, source visibility, reader action, policy fields, range projection, proof roots, fee quote root, and protected-source leakage review.
133+
- Protected source leakage detection fails closed for source-bearing field names, patch markers, and source-code markers inside pre-settlement preview metadata.
134+
- AssetPack postprocessing and the Vercel Sandbox harness store `assetPackDisclosureReview`, `asset-pack/preview.disclosureReview`, and `asset-pack/preview.disclosureReviewRoot` alongside source-safe preview evidence.
135+
- BTD tests cover owner-read, licensed-read, and denied-state boundaries so paid unlock cannot blur ownership, license, and denial semantics.
136+
- Terminal renders disclosure review as part of the source-safe preview surface with visibility, reader action, policy root, review root, visible/withheld counts, leakage state, and source unlock state before raw evidence.
137+
- Gate-quality CI enforces focused disclosure tests and gate PR titles beginning with the uppercase version and gate prefix, such as `V29 Gate 5: AssetPack Disclosure Rights And Preview Depth`.
138+
129139
### Gate 6: Settlement Reconciliation And Repair
130140

131141
Gate 6 owns ledger/database/metaphysical separation, journal diffing, reconciliation repair actions, proof-root surfacing, settlement conservation drift handling, and delivery recovery.

BITCODE_SPEC_V29_NOTES.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -134,6 +134,23 @@ Accepted Gate 4 posture:
134134
- Terminal's live harness stream shows pipeline, phase id, PTRR agent, PTRR step, ThricifiedGeneration, prompt, tool, output schema, raw output posture, and parsed typed output posture through the shared execution log components.
135135
- Gate 4 does not implement disclosure-depth unlock, settlement repair, organization authority, or full browser proof; later gates own those slices.
136136

137+
## Gate 5 working notes
138+
139+
Gate 5 makes AssetPack disclosure a package-owned contract instead of a Terminal-only summary.
140+
The Reading pipeline may synthesize the AssetPack and compute its measurements before payment, but protected source remains withheld until the BTD read-right state and settlement unlock prove that the reader owns or is licensed to read the AssetPack source.
141+
142+
Accepted Gate 5 posture:
143+
144+
- `AssetPackSourceSafePreview` remains the pre-payment preview envelope.
145+
- `AssetPackDisclosureReview` binds source visibility, reader action, policy roots, range projection, fee quote root, and protected-source leakage review to that preview.
146+
- Source visibility has distinct `withheld_before_settlement`, `available_after_settlement`, and `denied` states.
147+
- Reader action has distinct `pay_to_unlock`, `read_as_owner`, `read_as_licensee`, and `blocked` states.
148+
- Leakage review scans preview metadata for source-bearing field names, patch markers, and source-code markers and fails closed before the preview is shown.
149+
- Postprocessing and the sandbox harness store disclosure review evidence next to source-safe preview evidence so database/ledger readback can explain paid unlock state without exposing protected source.
150+
- Terminal renders disclosure review as the ordinary Reading preview surface and keeps expandable raw metadata behind the same source-safe boundary.
151+
- Gate pull request titles must carry the uppercase version and gate prefix so gate closure can be audited from GitHub history.
152+
- Gate 5 does not implement reconciliation repair, organization authority, full settlement UI depth, or browser proof; later V29 gates own those slices.
153+
137154
## Later-version boundaries
138155

139156
- V30 remains reserved for Protocol/BTD hardening that is not necessary to close Terminal transaction depth.

BITCODE_SPEC_V29_PARITY_MATRIX.md

Lines changed: 28 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ No `_legacy/` source is active source truth.
5252
| Terminal transaction read models | Gate 2 | `uapi/app/terminal/terminal-transaction-read-model.ts`, `uapi/app/terminal/terminal-transaction-query.ts`, `TerminalTransactionWorkspace.tsx`, `TerminalTransactionDetailSurface.tsx`, UAPI tests, Gate 2 checker | drafted | Terminal transaction state is URL-addressable, recoverable, typed, low-detail by default, and expandable without raw JSON as the ordinary operator contract. |
5353
| Wallet signer/BTC operations | Gate 3 | `packages/btd/src/btc-fee-operation.ts`, BTC fee route, Terminal Wallet/BTC detail section, BTD and UAPI tests, Gate 3 checker | drafted | Signer session, PSBT, broadcast/finality/reorg/replacement/failure states are ordinary Terminal states. |
5454
| Reading pipeline observability | Gate 4 | `packages/pipelines/asset-pack/src/reading-pipeline-observability.ts`, `packages/pipeline-hosts/src/asset-pack-harness.ts`, Terminal stream components, Gate 4 checker | drafted | Pipeline/phase/PTRR/ThricifiedGeneration/tool/prompt/raw-output/parsed-output telemetry is contract-projected, complete, and readable. |
55-
| AssetPack disclosure rights | Gate 5 | BTD access primitives, AssetPack preview UI, disclosure policy tests | pending | Source-safe preview and paid unlock are proven without source leakage. |
55+
| AssetPack disclosure rights | Gate 5 | `asset-pack-disclosure.ts`, AssetPack postprocess, sandbox harness, BTD access tests, Terminal disclosure review UI, Gate 5 checker | drafted | Source-safe preview and paid unlock are proven without protected-source leakage. |
5656
| Settlement reconciliation repair | Gate 6 | BTD journal/reconciliation, Supabase readback, Terminal repair UI | pending | Ledger, database, and metaphysical state drift is visible and repairable. |
5757
| Organization permission authority | Gate 7 | access policy, org holdings, MCP/ChatGPT gates, Terminal permission UI | pending | Registry-derived roles, holdings, and read-license authority govern actions. |
5858
| Commercial formalization | Gate 8 | packages/protocol, package tests, import scans, docs | pending | Demonstration-origin commercial internals are package-native and no runtime demo imports remain. |
@@ -70,7 +70,8 @@ No `_legacy/` source is active source truth.
7070
| Gate 2 read model | `pnpm run check:v29-gate2` proves typed route-owned Terminal transaction reading | drafted |
7171
| Gate 3 wallet/BTC operation | `pnpm run check:v29-gate3` proves quote lifecycle, signer recovery, blocked readiness, API posture, and Terminal Wallet/BTC detail | drafted |
7272
| Gate 4 Reading observability | `pnpm run check:v29-gate4` proves contract-aware Reading stream telemetry and Terminal rendering | drafted |
73-
| Product implementation gates | Gates 3-9 close remaining Terminal transaction depth with tests and docs | pending |
73+
| Gate 5 AssetPack disclosure | `pnpm run check:v29-gate5` proves source-safe disclosure review, leakage detection, Terminal preview rendering, and PR title enforcement | drafted |
74+
| Product implementation gates | Gates 6-9 close remaining Terminal transaction depth with tests and docs | pending |
7475
| Promotion gate | Gate 10 closes generated proof and promotion automation | pending |
7576

7677
## Gate 1 Parity
@@ -163,3 +164,28 @@ Gate 3 is complete when package primitives model BTC quotes, signer recovery, op
163164
## Gate 4 completion condition
164165

165166
Gate 4 is complete when Reading pipeline observability is package-owned, stream events are contract-projected in the sandbox harness, Terminal renders the projection through shared execution components, focused package and UAPI tests pass, `check:v29-gate4` passes, CI invokes the checker and tests, docs name the implemented source surfaces, and the gate branch is committed and pushed for review into `version/v29`.
167+
168+
## Gate 5 Parity
169+
170+
| Requirement | Source evidence | Current V29 judgment |
171+
| --- | --- | --- |
172+
| AssetPack disclosure review is package-owned | `asset-pack-disclosure.ts`, package exports, disclosure tests | drafted |
173+
| Source visibility separates pending, paid, owner, licensee, and denied states | `buildAssetPackDisclosureReview`, BTD access tests | drafted |
174+
| Protected source leakage fails closed before preview display | `reviewAssetPackProtectedSourceLeakage`, `assertAssetPackDisclosureSourceSafe`, disclosure tests | drafted |
175+
| Postprocessing persists disclosure review and review root | `postprocess.ts`, postprocess tests | drafted |
176+
| Sandbox harness stores and exports disclosure review evidence | `packages/pipeline-hosts/src/asset-pack-harness.ts`, harness tests | drafted |
177+
| Terminal preview surface renders disclosure policy before raw evidence | `TerminalDepositReadWorkbench.tsx`, Terminal harness client tests | drafted |
178+
| Gate PR title enforcement is automated | `.github/workflows/bitcode-gate-quality.yml`, PR template, AGENTS/README instructions | drafted |
179+
| Gate 5 checker is wired to package scripts and CI | `scripts/check-v29-gate5-assetpack-disclosure-rights.mjs`, `package.json`, gate workflow | drafted |
180+
181+
## Gate 5 accepted boundaries
182+
183+
- Gate 5 does not reveal protected AssetPack source before settlement.
184+
- Gate 5 does not perform settlement reconciliation repair; Gate 6 owns ledger/database drift and repair.
185+
- Gate 5 does not implement organization authority beyond read-right state distinctions; Gate 7 owns registry-derived roles and holdings.
186+
- Gate 5 does not add browser proof or full UX polish; Gate 9 owns that surface.
187+
- Gate 5 does not add versioned API routes or source identifiers.
188+
189+
## Gate 5 completion condition
190+
191+
Gate 5 is complete when AssetPack disclosure review is package-owned, postprocess and sandbox harness evidence include source-safe disclosure review roots, protected-source leakage tests fail closed, Terminal renders the disclosure review through the Reading preview surface, gate PR title enforcement is active, focused package and UAPI tests pass, `check:v29-gate5` passes, CI invokes the checker and tests, docs name the implemented source surfaces, and the gate branch is committed and pushed for review into `version/v29`.

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,8 @@ Use a version branch and gate-numbered branches:
5151
implemented, specified, tested, documented, committed, pushed, and ready for
5252
closure review.
5353
5. Open pull requests from gate branches into the version branch as gates close.
54+
Title gate PRs with the uppercase version and gate prefix plus a topical
55+
title, for example `V29 Gate 5: AssetPack Disclosure Rights And Preview Depth`.
5456
6. Open the version branch back into `main` only after all gates close and the
5557
version is formally promoted as canon.
5658

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,7 @@
4848
"check:v29-gate2": "node scripts/check-v29-gate2-terminal-transaction-read-models.mjs",
4949
"check:v29-gate3": "node scripts/check-v29-gate3-wallet-signer-btc-operations.mjs",
5050
"check:v29-gate4": "node scripts/check-v29-gate4-reading-pipeline-observability.mjs",
51+
"check:v29-gate5": "node scripts/check-v29-gate5-assetpack-disclosure-rights.mjs",
5152
"check:spec-quality": "node scripts/run-bitcode-spec-quality.mjs --mode basic",
5253
"check:spec-quality:title": "node scripts/run-bitcode-spec-quality.mjs --mode strict-from-title",
5354
"check:spec-quality:v24": "node scripts/run-bitcode-spec-quality.mjs --mode strict-version --version V24",

0 commit comments

Comments
 (0)