Skip to content

Commit b829a20

Browse files
V29 Gate 7: Close organization interface authority
Adds package-owned BTD organization/interface authority decisions with holdings, read-license usage, source visibility, and proof roots. Wires JSON-safe API/UAPI decisions, MCP required interface authority, ChatGPT App write admission, sandbox harness evidence, and Terminal Authority detail projection. Updates V29 spec/parity/docs, gate-quality CI, Gate 7 checker, lockfile, and focused BTD/API/MCP/ChatGPT/pipeline-host/UAPI coverage.
1 parent 347221b commit b829a20

43 files changed

Lines changed: 2264 additions & 37 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/bitcode-gate-quality.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,7 @@ jobs:
6868
node scripts/check-v29-gate4-reading-pipeline-observability.mjs --skip-branch-check
6969
node scripts/check-v29-gate5-assetpack-disclosure-rights.mjs --skip-branch-check
7070
node scripts/check-v29-gate6-settlement-reconciliation-repair.mjs --skip-branch-check
71+
node scripts/check-v29-gate7-organization-permission-authority.mjs --skip-branch-check
7172
7273
- name: Validate source casing and imports
7374
run: |
@@ -78,6 +79,8 @@ jobs:
7879
run: |
7980
pnpm --filter @bitcode/btd typecheck
8081
pnpm --filter @bitcode/api build
82+
pnpm --dir packages/executions-mcp/src/mcp-server run type-check
83+
pnpm --dir packages/chatgptapp exec tsc --noEmit --pretty false
8184
pnpm --filter @bitcode/pipeline-asset-pack typecheck
8285
pnpm --filter @bitcode/pipeline-hosts typecheck
8386
@@ -87,6 +90,8 @@ jobs:
8790
pnpm --filter @bitcode/btd test -- --runTestsByPath __tests__/btc-fee-operation.test.ts
8891
pnpm --filter @bitcode/btd test -- --runTestsByPath __tests__/btd.test.ts
8992
pnpm --filter @bitcode/api exec jest --config jest.config.cjs --runTestsByPath src/routes/__tests__/btd-crypto.test.ts --runInBand
93+
pnpm --dir packages/executions-mcp/src/mcp-server exec jest --config "${{ github.workspace }}/packages/executions-mcp/src/mcp-server/jest.config.mcp.js" --runTestsByPath src/__tests__/unit/auth.test.ts --runInBand
94+
pnpm --dir packages/chatgptapp exec jest --runTestsByPath src/__tests__/tools.test.ts --runInBand
9095
pnpm --filter @bitcode/pipeline-hosts exec jest --config jest.config.cjs --runTestsByPath src/__tests__/asset-pack-harness.test.ts --runInBand
9196
pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --passWithNoTests --forceExit
9297
pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --runTestsByPath src/__tests__/reading-pipeline-observability.test.ts src/__tests__/reading-pipeline-contract.test.ts --runInBand
@@ -104,7 +109,9 @@ jobs:
104109
tests/terminalTransactionReadModel.test.ts \
105110
tests/terminalWalletBtcOperation.test.ts \
106111
tests/terminalJournalReconciliation.test.ts \
112+
tests/terminalOrganizationAuthority.test.ts \
107113
tests/terminalTransactionDetailCards.test.tsx \
114+
tests/terminalTransactionDetailSnapshot.test.ts \
108115
tests/pipelineExecutionLogHeader.test.tsx \
109116
--runInBand
110117

BITCODE_SPEC_V29.md

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -369,6 +369,40 @@ Gate PRs into version branches must begin with the uppercase version and gate pr
369369
- Current validating commands and parity basis: wallet tests, access tests, API route tests, Terminal permission tests, and staging auth readback.
370370
- Current accepted boundaries: broad enterprise RBAC depth can expand inside V29 only when tied to Terminal transaction operation.
371371

372+
#### V29 organization interface authority canon
373+
374+
Organization permission authority is a BTD primitive, not a per-interface convention.
375+
The canonical decision is `BtdOrganizationInterfaceAuthorityDecision`.
376+
It binds actor id, organization id, organization role, organization permission grants, interface surface, action, wallet binding, registry read-access decision, settlement state, explicit confirmation state, repair approval state, target anchor, source visibility, and proof roots.
377+
378+
Gate 7 defines the current action set:
379+
380+
- `read_transaction`
381+
- `request_read`
382+
- `review_need`
383+
- `request_finding_fits`
384+
- `review_asset_pack_preview`
385+
- `pay_btc_fee`
386+
- `unlock_asset_pack_source`
387+
- `deliver_asset_pack`
388+
- `repair_projection`
389+
- `administer_organization`
390+
391+
Each action has a minimum organization role, optional explicit permission grants, wallet-binding requirement, registry read-access requirement, settled-payment requirement, explicit-confirmation requirement, repair-approval requirement, and source-visibility result.
392+
Protected-source actions fail closed unless role/grant, wallet binding, owner-read or licensed-read registry access, settlement, and interface admission all agree.
393+
Source-safe preview actions may remain visible without protected source.
394+
395+
The same authority primitive must be used by:
396+
397+
- Terminal, as the ordinary permission explainer for selected activity detail;
398+
- API routes, as the JSON-safe route decision for interface owners;
399+
- MCP, as organization-scoped action authority over read-license and delivery operations;
400+
- ChatGPT App, as connected-interface write admission over confirmed delivery writes;
401+
- the sandbox harness, as emitted evidence for live Reading/AssetPack completion readback.
402+
403+
Authority proof roots include role root, permission root, read-access root, interface root, and aggregate authority root.
404+
Terminal renders those roots with blockers and decision rows so operators can understand why a transaction can or cannot pay, unlock, deliver, repair, or administer without opening network logs.
405+
372406
### Disclosure and projection
373407

374408
- Current canonical objects and emitted artifacts: disclosure policy, projection policy, redaction decision, preview metadata, owner-read/licensed-read/denied state.

BITCODE_SPEC_V29_DELTA.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -154,6 +154,17 @@ Closure acceptance:
154154

155155
Gate 7 owns organization holdings, roles, read-license usage, registry-derived permission decisions, MCP/ChatGPT action authority alignment, and Terminal permission explainers.
156156

157+
Closure acceptance:
158+
159+
- `packages/btd/src/authority.ts` defines the shared organization/interface authority primitive, action requirements, registry holdings/read-license summary, source visibility, and proof roots.
160+
- BTD tests prove organization holdings, active/expired/revoked read-license usage, paid delivery admission, unpaid unlock denial, and unsupported ChatGPT administration denial.
161+
- `packages/api/src/routes/btd-crypto.ts` exposes JSON-safe organization authority decisions and `uapi/app/api/btd/organization-interface-authority/route.ts` binds the route.
162+
- MCP auth can require interface authority after registry-derived owner-read or licensed-read evidence.
163+
- ChatGPT App connected-interface write carriers require explicit confirmation, registry read-access evidence, and organization authority evidence before write execution.
164+
- The sandbox harness emits `organizationAuthority` evidence alongside settlement unlock and ledger/database reconciliation.
165+
- Terminal adds an Authority detail section rendering decision rows, blockers, and proof roots from the same payload.
166+
- `pnpm run check:v29-gate7` passes with focused BTD, API, MCP, ChatGPT App, pipeline-hosts, and UAPI tests.
167+
157168
### Gate 8: Demonstration-Origin Commercial Formalization
158169

159170
Gate 8 owns cleanup of freshly ported demonstration-origin internals into package-native APIs, no demonstration runtime imports, durable package tests, and updated internal/public documentation.

BITCODE_SPEC_V29_NOTES.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,26 @@ Operator notes:
168168
- Terminal journal detail is the ordinary repair cockpit for this gate: drift classes, blockers, repair actions, proof roots, journal entries, and repair receipts must be visible without opening network logs.
169169
- Raw payload remains audit material, not the primary operator interface.
170170

171+
## Gate 7 working notes
172+
173+
Gate 7 makes organization authority package-owned and interface-shared.
174+
175+
Accepted Gate 7 posture:
176+
177+
- BTD authority evaluates Terminal, API, MCP, and ChatGPT App surfaces against the same action requirement table.
178+
- Registry-derived organization holdings and read-license usage are summarized as authority evidence, not aggregate spendable balance.
179+
- Protected-source actions require owner-read or licensed-read access plus settled payment where the action crosses the source boundary.
180+
- ChatGPT App writes remain impossible without explicit user confirmation, read-access evidence, and organization authority evidence.
181+
- MCP can request interface authority after its existing permission and read-access checks.
182+
- Terminal exposes authority as a normal selected-activity detail section with collapsed metrics, blockers, decision rows, proof roots, and raw payload.
183+
- Sandbox harness output carries `organizationAuthority` so staging-testnet Reading runs can be debugged from Terminal.
184+
185+
Gate 7 completion condition:
186+
187+
- `pnpm run check:v29-gate7` passes.
188+
- Focused BTD, API, MCP, ChatGPT App, pipeline-hosts, and UAPI tests cover the authority primitive and interface surfaces.
189+
- Spec, delta, notes, parity, Terminal README, package scripts, and gate-quality workflow name the Gate 7 closure surface.
190+
171191
## Later-version boundaries
172192

173193
- V30 remains reserved for Protocol/BTD hardening that is not necessary to close Terminal transaction depth.

BITCODE_SPEC_V29_PARITY_MATRIX.md

Lines changed: 33 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ No `_legacy/` source is active source truth.
5454
| Reading pipeline observability | Gate 4 | `packages/pipelines/asset-pack/src/reading-pipeline-observability.ts`, `packages/pipeline-hosts/src/asset-pack-harness.ts`, Terminal stream components, Gate 4 checker | drafted | Pipeline/phase/PTRR/ThricifiedGeneration/tool/prompt/raw-output/parsed-output telemetry is contract-projected, complete, and readable. |
5555
| AssetPack disclosure rights | Gate 5 | `asset-pack-disclosure.ts`, AssetPack postprocess, sandbox harness, BTD access tests, Terminal disclosure review UI, Gate 5 checker | drafted | Source-safe preview and paid unlock are proven without protected-source leakage. |
5656
| Settlement reconciliation repair | Gate 6 | BTD journal/reconciliation, Supabase readback, sandbox harness settlement evidence, Terminal repair UI, Gate 6 checker | drafted | Ledger, database, and metaphysical state drift is classified, proof-rooted, repair-actioned, and visible. |
57-
| Organization permission authority | Gate 7 | access policy, org holdings, MCP/ChatGPT gates, Terminal permission UI | pending | Registry-derived roles, holdings, and read-license authority govern actions. |
57+
| Organization permission authority | Gate 7 | `packages/btd/src/authority.ts`, BTD/API/MCP/ChatGPT App tests, sandbox harness authority evidence, Terminal Authority section, Gate 7 checker | drafted | Registry-derived roles, holdings, read-license authority, settlement, confirmation, and interface admission govern actions. |
5858
| Commercial formalization | Gate 8 | packages/protocol, package tests, import scans, docs | pending | Demonstration-origin commercial internals are package-native and no runtime demo imports remain. |
5959
| Terminal UX quality | Gate 9 | Playwright/Jest/a11y/responsive/browser QA | pending | Complete transaction cockpit is usable by default and inspectable in detail. |
6060
| Promotion readiness | Gate 10 | promotion workflow, `.bitcode/v29-*`, `BITCODE_SPEC_V29_PROVEN.md` | pending | `version/v29` can promote to `main` only after all V29 checks pass. |
@@ -71,7 +71,8 @@ No `_legacy/` source is active source truth.
7171
| Gate 3 wallet/BTC operation | `pnpm run check:v29-gate3` proves quote lifecycle, signer recovery, blocked readiness, API posture, and Terminal Wallet/BTC detail | drafted |
7272
| Gate 4 Reading observability | `pnpm run check:v29-gate4` proves contract-aware Reading stream telemetry and Terminal rendering | drafted |
7373
| Gate 5 AssetPack disclosure | `pnpm run check:v29-gate5` proves source-safe disclosure review, leakage detection, Terminal preview rendering, and PR title enforcement | drafted |
74-
| Product implementation gates | Gates 6-9 close remaining Terminal transaction depth with tests and docs | pending |
74+
| Gate 7 organization authority | `pnpm run check:v29-gate7` proves shared org/interface authority across BTD, API, MCP, ChatGPT App, harness, and Terminal | drafted |
75+
| Product implementation gates | Gates 8-9 close remaining Terminal transaction depth with tests and docs | pending |
7576
| Promotion gate | Gate 10 closes generated proof and promotion automation | pending |
7677

7778
## Gate 1 Parity
@@ -207,10 +208,37 @@ Gate 6 completion condition:
207208

208209
- `pnpm run check:v29-gate6` passes.
209210
- Focused BTD, API, pipeline-hosts, and UAPI tests prove repair classification, conservation drift, proof roots, and Terminal repair visibility.
210-
- Gate 5 does not implement organization authority beyond read-right state distinctions; Gate 7 owns registry-derived roles and holdings.
211-
- Gate 5 does not add browser proof or full UX polish; Gate 9 owns that surface.
212-
- Gate 5 does not add versioned API routes or source identifiers.
213211

214212
## Gate 5 completion condition
215213

216214
Gate 5 is complete when AssetPack disclosure review is package-owned, postprocess and sandbox harness evidence include source-safe disclosure review roots, protected-source leakage tests fail closed, Terminal renders the disclosure review through the Reading preview surface, gate PR title enforcement is active, focused package and UAPI tests pass, `check:v29-gate5` passes, CI invokes the checker and tests, docs name the implemented source surfaces, and the gate branch is committed and pushed for review into `version/v29`.
215+
216+
## Gate 7 Parity
217+
218+
Gate 7 closes the organization authority slice by making action permission a shared BTD decision instead of interface-local convention.
219+
220+
Accepted surfaces:
221+
222+
- `packages/btd/src/authority.ts` is the canonical organization/interface authority primitive for role checks, explicit grants, wallet binding, registry read access, settlement, explicit confirmation, repair approval, source visibility, and authority proof roots.
223+
- `packages/api/src/routes/btd-crypto.ts` and `uapi/app/api/btd/organization-interface-authority/route.ts` expose JSON-safe authority decisions for application routes.
224+
- `packages/executions-mcp/src/mcp-server/src/auth/middleware.ts` can require interface authority after existing permission and BTD read-access checks.
225+
- `packages/chatgptapp/src/tools.ts` requires explicit confirmation, registry read-access evidence, and organization authority evidence before connected-interface writes.
226+
- `packages/pipeline-hosts/src/asset-pack-harness.ts` stores and emits `organizationAuthority` beside settlement unlock and reconciliation evidence.
227+
- `uapi/app/terminal/terminal-organization-authority.ts` and `TerminalTransactionOrganizationAuthorityCard.tsx` project the selected transaction into authority metrics, blockers, decision rows, proof roots, and raw payload.
228+
229+
Accepted failure states:
230+
231+
- Missing role, insufficient role, or missing explicit grant blocks authority.
232+
- Missing wallet binding blocks fee payment, source unlock, and delivery when those actions require Reader wallet proof.
233+
- Missing or denied registry read access blocks protected-source unlock and delivery.
234+
- Pending settlement blocks protected-source visibility even when role evidence exists.
235+
- Missing explicit confirmation blocks payment, delivery, repair, and administration actions that cross sensitive boundaries.
236+
- Interfaces may deny actions even when the organization role could authorize them elsewhere.
237+
238+
Gate 7 completion condition:
239+
240+
- `pnpm run check:v29-gate7` passes.
241+
- Focused BTD, API, MCP, ChatGPT App, pipeline-hosts, and UAPI tests prove organization holdings, active/expired/revoked license usage, paid delivery admission, unpaid denial, interface denial, connected-interface write gating, harness evidence, and Terminal visibility.
242+
- Gate-quality CI invokes the Gate 7 checker and focused tests.
243+
- Gate 7 does not add broad enterprise RBAC administration beyond Terminal transaction authority; later versions may deepen team policy authoring.
244+
- Gate 7 does not reveal protected source before settlement and does not add versioned API routes or source identifiers.

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,7 @@
5050
"check:v29-gate4": "node scripts/check-v29-gate4-reading-pipeline-observability.mjs",
5151
"check:v29-gate5": "node scripts/check-v29-gate5-assetpack-disclosure-rights.mjs",
5252
"check:v29-gate6": "node scripts/check-v29-gate6-settlement-reconciliation-repair.mjs",
53+
"check:v29-gate7": "node scripts/check-v29-gate7-organization-permission-authority.mjs",
5354
"check:spec-quality": "node scripts/run-bitcode-spec-quality.mjs --mode basic",
5455
"check:spec-quality:title": "node scripts/run-bitcode-spec-quality.mjs --mode strict-from-title",
5556
"check:spec-quality:v24": "node scripts/run-bitcode-spec-quality.mjs --mode strict-version --version V24",

0 commit comments

Comments
 (0)