Skip to content

Commit 6e0972f

Browse files
Merge pull request #211 from engineeredsoftware/v45/gate-8-proof-readback-operational-boundaries
V45 Gate 8: Proof Readback Authority
2 parents 240fc4e + 515b159 commit 6e0972f

3 files changed

Lines changed: 231 additions & 0 deletions

File tree

BITCODE_SPEC_V45_NOTES.md

Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -548,6 +548,76 @@ entitlement, explicit non-final language for preview/quote/payment
548548
observation, authoritative readback for final settlement and rights transfer,
549549
and repository delivery visibility only for the entitled Reader boundary.
550550

551+
## V45 protocol atom 7: proof readback and operational authority
552+
553+
Audit classification: V44 establishes generated specification proof,
554+
ledgerized journaling, telemetry, database/storage synchronization, workflow
555+
checks, and source-safe repair posture. The remaining gap is evidence
556+
authority: which operational artifacts can advance protocol state, which are
557+
only observability, and what happens when proof, ledger, database, storage,
558+
telemetry, provider, or delivery evidence disagrees.
559+
560+
Protocol-law statement:
561+
562+
Bitcode state advances only by proof-backed readback. No UI row, conversation
563+
message, streamed telemetry item, route response, external provider event, or
564+
workflow log can alone advance AssetPack lifecycle, BTD rights, BTC settlement,
565+
source unlock, delivery, or contributor compensation. The advancing artifact
566+
must be paired with the required proof root and read back from the appropriate
567+
ledger, database, storage, wallet, provider, or repository boundary.
568+
569+
Canonical evidence authority is:
570+
571+
| Evidence class | Protocol authority | Limit |
572+
| --- | --- | --- |
573+
| canonical specification and generated proof appendix | defines protocol law, required proof families, and promotion-grade validation posture | not a live transaction, wallet, source, or delivery receipt |
574+
| execution/workflow receipt | proves a pipeline, PTRR agent, tool, route, workflow, or validation step ran with typed inputs/outputs and status | not economic finality and not source entitlement unless joined to settlement and rights readback |
575+
| ledger journal | records protocol-economic state transitions, BTD/BTC journals, repair states, and auditable event ordering | cannot override Bitcoin finality, protected storage, or repository delivery evidence |
576+
| database projection | serves queryable application state, interface read models, and reconciliation indexes | cannot be treated as final when it diverges from ledger, storage, wallet, or delivery roots |
577+
| object storage and protected-source roots | prove content custody, source-safe preview objects, source-bearing withheld pack objects, and delivery payload roots | cannot disclose source without entitlement, rights transfer, and delivery authority |
578+
| telemetry stream | makes running phases, agents, tools, prompts, outputs, timings, and errors observable | observability only; telemetry is not settlement, rights transfer, or source unlock |
579+
| wallet/provider receipt | supplies quote, PSBT, broadcast, observation, txid, block/finality, or network evidence | provider observation is not final settlement until reconciled with quote, wallet authority, and finality policy |
580+
| repository delivery receipt | proves pull request, branch, commit, patch, or delivery artifact reached the entitled repository boundary | not public source permission and not contributor compensation by itself |
581+
582+
Canonical readback requirements are:
583+
584+
| State advancement | Required readback before advancement |
585+
| --- | --- |
586+
| Depository admission | depositor approval root, source-safety proof, policy eligibility, protected-source storage root, Depository index root, ledger/database projection |
587+
| reviewed Need acceptance | Read Request root, Need synthesis receipt, user review/approval root, database read model, telemetry summary root |
588+
| Finding Fits selection | search receipt, candidate provenance roots, measurement/ranking roots, source-safe Fit set root, depository readback |
589+
| Need-Fit AssetPack synthesis | selected Fit set root, synthesis execution receipt, source-bearing withheld storage root, source-safe preview root, measurement/BTD posture root |
590+
| BTC quote issuance | reviewed Need root, selected Fit set root, Need-Fit AssetPack root, BTD volume/range roots, deterministic quote root, wallet/network policy root |
591+
| BTC payment observation | accepted quote root, wallet authority root, provider observation, txid/network/amount readback, mismatch classification if any |
592+
| BTC settlement finalization | payment observation, configured finality receipt, quote/payment conservation, ledger/database/storage agreement, repair-free settlement receipt |
593+
| BTD rights transfer | finalized settlement root, BTD range/rights receipt, entitled Reader boundary, ledger/database readback |
594+
| source unlock and repository delivery | rights transfer root, protected-source object readback, delivery payload root, repository PR/commit receipt, entitled repository boundary |
595+
| contributor compensation | finalized settlement root, source-to-shares allocation root, contributor roots, compensation statement, ledger/database reconciliation |
596+
597+
Operational repair law:
598+
599+
- If any required readback is missing, stale, contradictory, or outside the
600+
allowed actor/network/source boundary, the state must remain in or return to
601+
a source-safe repair state.
602+
- Repair state may expose failure class, blocker, retry command, proof root
603+
identifiers, and operator-safe telemetry, but not unpaid source, secrets,
604+
wallet private material, raw provider payloads, raw prompts, or raw model
605+
responses.
606+
- Computation hosts, sandbox executions, workflow runners, browser proofs, and
607+
API routes may produce receipts, but they do not own protocol truth. They
608+
must write/read through the canonical proof, ledger, database, storage,
609+
wallet, and repository boundaries.
610+
- If evidence classes conflict, Bitcode must prefer the stricter
611+
source-safety and economic-finality posture until reconciliation proves the
612+
correct state.
613+
614+
Acceptance for this atom: later V45 formal specification and implementation
615+
work may split the readback tables, but it must preserve proof-backed readback
616+
as the only state advancement mechanism, telemetry as observability rather
617+
than authority, Bitcoin finality as payment truth, storage and repository roots
618+
as delivery truth, database projections as reconciled read models, and
619+
fail-closed repair for every evidence mismatch.
620+
551621
## Non-goals during V45 opening
552622

553623
- Do not implement V45 gate behavior before the V45 intent discussion is

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -393,6 +393,7 @@
393393
"check:v45-gate5": "node scripts/check-v45-gate5-btc-settlement-state-machine.mjs",
394394
"check:v45-gate6": "node scripts/check-v45-gate6-spec-consolidation-sequencing.mjs",
395395
"check:v45-gate7": "node scripts/check-v45-gate7-interface-authority-disclosure-boundaries.mjs",
396+
"check:v45-gate8": "node scripts/check-v45-gate8-proof-readback-operational-boundaries.mjs",
396397
"generate:v38-inference-surface-inventory": "node scripts/generate-v38-inference-surface-inventory.mjs",
397398
"check:v38-inference-surface-inventory": "node scripts/generate-v38-inference-surface-inventory.mjs --check",
398399
"check:v38-gate2": "node scripts/check-v38-gate2-inference-surface-inventory.mjs",
Lines changed: 160 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,160 @@
1+
#!/usr/bin/env node
2+
3+
import { execFileSync } from 'node:child_process';
4+
import { existsSync, readFileSync } from 'node:fs';
5+
import path from 'node:path';
6+
import { fileURLToPath } from 'node:url';
7+
8+
const __filename = fileURLToPath(import.meta.url);
9+
const __dirname = path.dirname(__filename);
10+
const defaultRepoRoot = path.resolve(__dirname, '..');
11+
12+
function read(root, relativePath) {
13+
return readFileSync(path.join(root, relativePath), 'utf8');
14+
}
15+
16+
function exists(root, relativePath) {
17+
return existsSync(path.join(root, relativePath));
18+
}
19+
20+
function git(root, args) {
21+
return execFileSync('git', args, { cwd: root, encoding: 'utf8' }).trim();
22+
}
23+
24+
function assertCheck(failures, condition, message) {
25+
if (!condition) failures.push(message);
26+
}
27+
28+
function normalize(content) {
29+
return content.replace(/\s+/gu, ' ').trim();
30+
}
31+
32+
function parseArgs(argv) {
33+
const args = { repoRoot: defaultRepoRoot, skipBranchCheck: false };
34+
for (let index = 0; index < argv.length; index += 1) {
35+
const arg = argv[index];
36+
if (arg === '--repo-root') args.repoRoot = path.resolve(argv[++index]);
37+
else if (arg === '--skip-branch-check') args.skipBranchCheck = true;
38+
else if (arg === '--help' || arg === '-h') args.help = true;
39+
else throw new Error(`Unknown argument ${arg}`);
40+
}
41+
return args;
42+
}
43+
44+
function printHelp() {
45+
process.stdout.write(
46+
[
47+
'Usage: node scripts/check-v45-gate8-proof-readback-operational-boundaries.mjs [--skip-branch-check] [--repo-root <path>]',
48+
'',
49+
'Checks the V45 proof readback and operational authority atom.',
50+
].join('\n'),
51+
);
52+
process.stdout.write('\n');
53+
}
54+
55+
function main() {
56+
const args = parseArgs(process.argv.slice(2));
57+
if (args.help) {
58+
printHelp();
59+
return;
60+
}
61+
62+
const root = args.repoRoot;
63+
const failures = [];
64+
const pointer = read(root, 'BITCODE_SPEC.txt').trim();
65+
66+
assertCheck(failures, pointer === 'V44', `BITCODE_SPEC.txt must remain V44 during V45 atom work. Observed ${pointer || 'empty'}.`);
67+
68+
if (!args.skipBranchCheck) {
69+
const branch = git(root, ['branch', '--show-current']);
70+
assertCheck(
71+
failures,
72+
branch === 'version/v45' || /^v45\/gate-\d+-[a-z0-9][a-z0-9-]*$/u.test(branch),
73+
`V45 work must occur on version/v45 or v45/gate-N-* branches. Observed ${branch || 'detached HEAD'}.`,
74+
);
75+
}
76+
77+
for (const relativePath of [
78+
'BITCODE_SPEC_V45_NOTES.md',
79+
'BITCODE_SPEC_V44.md',
80+
'BITCODE_SPEC.txt',
81+
'package.json',
82+
'scripts/check-v45-gate7-interface-authority-disclosure-boundaries.mjs',
83+
]) {
84+
assertCheck(failures, exists(root, relativePath), `Missing required V45 Gate 8 file: ${relativePath}`);
85+
}
86+
87+
const notes = read(root, 'BITCODE_SPEC_V45_NOTES.md');
88+
const normalizedNotes = normalize(notes);
89+
const packageJson = read(root, 'package.json');
90+
91+
for (const phrase of [
92+
'V45 protocol atom 7: proof readback and operational authority',
93+
'The remaining gap is evidence authority',
94+
'which operational artifacts can advance protocol state',
95+
'Bitcode state advances only by proof-backed readback',
96+
'No UI row, conversation message, streamed telemetry item, route response, external provider event, or workflow log can alone advance AssetPack lifecycle',
97+
'The advancing artifact must be paired with the required proof root and read back from the appropriate ledger, database, storage, wallet, provider, or repository boundary',
98+
'Canonical evidence authority is',
99+
'canonical specification and generated proof appendix',
100+
'execution/workflow receipt',
101+
'ledger journal',
102+
'database projection',
103+
'object storage and protected-source roots',
104+
'telemetry stream',
105+
'observability only; telemetry is not settlement, rights transfer, or source unlock',
106+
'wallet/provider receipt',
107+
'provider observation is not final settlement',
108+
'repository delivery receipt',
109+
'not public source permission and not contributor compensation by itself',
110+
'Canonical readback requirements are',
111+
'Depository admission',
112+
'reviewed Need acceptance',
113+
'Finding Fits selection',
114+
'Need-Fit AssetPack synthesis',
115+
'BTC quote issuance',
116+
'BTC payment observation',
117+
'BTC settlement finalization',
118+
'BTD rights transfer',
119+
'source unlock and repository delivery',
120+
'contributor compensation',
121+
'Operational repair law',
122+
'source-safe repair state',
123+
'failure class, blocker, retry command, proof root identifiers, and operator-safe telemetry',
124+
'Computation hosts, sandbox executions, workflow runners, browser proofs, and API routes may produce receipts',
125+
'they do not own protocol truth',
126+
'prefer the stricter source-safety and economic-finality posture',
127+
'Acceptance for this atom',
128+
'proof-backed readback as the only state advancement mechanism',
129+
'telemetry as observability rather than authority',
130+
'Bitcoin finality as payment truth',
131+
'storage and repository roots as delivery truth',
132+
'database projections as reconciled read models',
133+
'fail-closed repair for every evidence mismatch',
134+
]) {
135+
assertCheck(failures, normalizedNotes.includes(phrase), `V45 Gate 8 notes must include phrase: ${phrase}`);
136+
}
137+
138+
assertCheck(
139+
failures,
140+
packageJson.includes('"check:v45-gate8": "node scripts/check-v45-gate8-proof-readback-operational-boundaries.mjs"'),
141+
'package.json must expose check:v45-gate8.',
142+
);
143+
144+
if (failures.length > 0) {
145+
process.stderr.write('V45 Gate 8 proof readback and operational authority check failed:\n');
146+
for (const failure of failures) process.stderr.write(`- ${failure}\n`);
147+
process.exitCode = 1;
148+
return;
149+
}
150+
151+
process.stdout.write('V45 Gate 8 proof readback and operational authority check passed.\n');
152+
}
153+
154+
try {
155+
main();
156+
} catch (error) {
157+
const detail = error instanceof Error ? error.message : String(error);
158+
process.stderr.write(`${detail}\n`);
159+
process.exitCode = 1;
160+
}

0 commit comments

Comments
 (0)