Skip to content

Commit e147132

Browse files
Merge pull request #52 from engineeredsoftware/v31/gate-9-auxillaries-telemetry-proof-recovery-runs
V31 Gate 9: Auxillaries Telemetry Proof And Recovery Runs
2 parents 6d80106 + 43b897d commit e147132

18 files changed

Lines changed: 830 additions & 16 deletions

.github/workflows/bitcode-gate-quality.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -103,6 +103,7 @@ jobs:
103103
node scripts/check-v31-gate6-organization-team-role-policy-authority.mjs --skip-branch-check
104104
node scripts/check-v31-gate7-interfaces-pane-admission-cross-surface-contracts.mjs --skip-branch-check
105105
node scripts/check-v31-gate8-auxillaries-ux-accessibility-responsive-proof.mjs --skip-branch-check
106+
node scripts/check-v31-gate9-auxillaries-telemetry-proof-recovery-runs.mjs --skip-branch-check
106107
else
107108
echo "Unexpected BITCODE_SPEC.txt pointer: $POINTER" >&2
108109
exit 1

BITCODE_SPEC_V31.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -288,6 +288,8 @@ Gate 9 telemetry/recovery precision:
288288
- Auxillaries telemetry subjects are profile, account, provider connection, interface admission, wallet, BTD pane, organization authority, policy decision, readiness diagnostic, and recovery run.
289289
- Proof hooks bind theorem id, replay step id, evidence root, telemetry root, source-safety class, and blocker/repair outcome.
290290
- Recovery runs are executions; they may call tools, but the stored evidence must be source-safe and secret-free.
291+
- `AuxillariesTelemetryProofHook` is the package-owned readback object for that proof. It carries subject, subject id, pane, theorem id, replay step id, evidence root, telemetry root, blocker id, repair outcome, source-safety class, and proof root, and is emitted beside the route contract rather than derived by the UI.
292+
- Externals may render compact telemetry proof-hook rows for operator diagnosis, but only theorem/replay/evidence/telemetry roots and classified outcomes may be visible. Raw provider credentials, service keys, wallet secrets, private prompts, and protected source remain prohibited.
291293

292294
V30 Protocol/BTD carryforward precision:
293295

@@ -455,6 +457,7 @@ The canonical diagnostic and recovery model is produced from:
455457
- wallet/BTD facts: signer posture, no-custody posture, BTD range/read-right/treasury summary, and settlement-readiness blockers;
456458
- organization facts: organization, team, role, grant set, policy id/hash, wallet binding requirement, decision, denial reason, and recovery route;
457459
- source-safe telemetry facts: execution id, before/after readiness roots, evidence root, blocker, repair outcome, and retry policy.
460+
- proof-hook facts: telemetry subject, theorem id, replay step id, evidence root, telemetry root, source-safety class, blocker id, repair outcome, and proof root.
458461

459462
Readiness is classified before repair:
460463

@@ -484,6 +487,7 @@ Repair actions are canonical and auditable:
484487

485488
The readiness state is one of ready, incomplete, retryable, repairable, approval-required, denied, or blocked.
486489
Recovery runs are executions and must store source-safe before/after evidence.
490+
They also carry evidence roots and telemetry roots so recovery readback can be joined to `AuxillariesTelemetryProofHook` without replaying private route internals.
487491
They must never store service-role JWTs, Supabase secret keys, OpenAI keys, database passwords, wallet secrets, provider tokens, private prompts, or protected AssetPack source in tracked code, telemetry, UI metadata, or persisted proof payloads.
488492

489493
## V31 canonical subsystem surfaces

BITCODE_SPEC_V31_DELTA.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,12 @@ Closure acceptance:
215215
- proof hooks bind theorem id, replay step id, evidence root, telemetry root, source-safety class, and blocker/repair outcome;
216216
- recovery runs are executions with source-safe before/after evidence and route/UI readback.
217217

218+
Implementation center:
219+
220+
- `packages/api/src/routes/auxillaries-contract.ts` owns `AuxillariesTelemetrySubject`, `AuxillariesTelemetryProofHook`, `buildAuxillariesTelemetryProofHooks`, and recovery-run evidence/telemetry roots.
221+
- `/api/auxillaries/data`, `useUserData`, and the Externals pane surface the same source-safe hook records for route and UI readback.
222+
- Gate tests assert subject coverage, theorem/replay/evidence/telemetry root binding, recovery-run hook generation, and secret/protected-source exclusion.
223+
218224
### Gate 10: V31 Promotion Readiness
219225

220226
Gate 10 owns final local/staging proof, generated artifacts, and V31 promotion workflow support.

BITCODE_SPEC_V31_NOTES.md

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,3 +122,17 @@ Exchange and Conversations may appear as source-safe hooks, but their market and
122122
Gate 8 is closed only when Auxillaries UX is usable before audit expansion and provable after expansion.
123123
The contained support plane must expose a named main landmark, keyboard skip link, named pane navigation, active-pane state announcement, readable loading/ready posture, and expandable audit detail for every pane without raw JSON.
124124
The panel controls must be keyboard-native, focus-visible, labelled, and state-described, and route-scoped CSS must prove responsive mobile/desktop layout, no horizontal overflow pressure, contrast-preserving readiness chips, and reduced-motion posture.
125+
126+
## Gate 9 closure note
127+
128+
Gate 9 is closed only when Auxillaries telemetry is a package-owned proof
129+
surface rather than an ad hoc console trace.
130+
`AuxillariesTelemetryProofHook` must cover profile, account, provider
131+
connection, interface admission, wallet, BTD pane, organization authority,
132+
policy decision, readiness diagnostic, and recovery run subjects.
133+
Each hook binds theorem id, replay step id, evidence root, telemetry root,
134+
source-safety class, blocker id, repair outcome, and proof root.
135+
Recovery runs must carry source-safe before/after readiness roots plus
136+
evidence/telemetry roots and must be readable through the API route, shared
137+
client hook, and Externals UI without exposing credentials, prompts, wallet
138+
secrets, service keys, database credentials, or protected AssetPack source.

BITCODE_SPEC_V31_PARITY_MATRIX.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -62,9 +62,9 @@ No `_legacy/` source is active source truth.
6262
| Connects provider readiness and recovery | Gate 4 | Provider packages, connection routes, readiness/recovery tests | drafted | Provider readiness names credential posture without secrets, scopes class, readback status, blocker, repair action, and before/after roots. |
6363
| Wallet and BTD pane readiness | Gate 5 | `packages/btd`, Wallet/BTD panes, settlement/read-right tests | drafted | Wallet and BTD panes consume V30 no-custody, signer, read-right, treasury, and settlement-readiness primitives. |
6464
| Organization team role policy authority | Gate 6 | `packages/btd/src/authority.ts`, `packages/api/src/routes/auxillaries-contract.ts`, `uapi/app/auxillaries/components/AuxillariesProfilePane.tsx`, `uapi/app/terminal/terminal-organization-authority.ts`, focused BTD/API/UI tests | drafted | Organization, team, role, grants, multi-sig readiness, policy decisions, denials, and recovery routes are typed and fail closed. |
65-
| Interfaces pane admission and cross-surface contracts | Gate 7 | Interfaces pane, API/MCP/ChatGPT App interface records, tests | pending | Interface admission records name auth mode, supported actions, policy constraints, source-safety class, blockers, and readiness. |
66-
| Auxillaries UX accessibility and responsive proof | Gate 8 | Auxillaries components, focused Jest/Playwright/a11y evidence | pending | Guided low-detail and expandable audit UX works across Profile, Connects, Interfaces, Wallet/BTD, and organization panes. |
67-
| Auxillaries telemetry proof and recovery runs | Gate 9 | Telemetry/proof packages, recovery routes, readback tests | pending | Profile, connection, interface, wallet, BTD, organization, policy, readiness, and recovery events emit source-safe proof hooks. |
65+
| Interfaces pane admission and cross-surface contracts | Gate 7 | Interfaces pane, API/MCP/ChatGPT App interface records, tests | closed | Interface admission records name auth mode, supported actions, policy constraints, source-safety class, blockers, and readiness. |
66+
| Auxillaries UX accessibility and responsive proof | Gate 8 | Auxillaries components, focused Jest/Playwright/a11y evidence | closed | Guided low-detail and expandable audit UX works across Profile, Connects, Interfaces, Wallet/BTD, and organization panes. |
67+
| Auxillaries telemetry proof and recovery runs | Gate 9 | `packages/api/src/routes/auxillaries-contract.ts`, `/api/auxillaries/data`, `useUserData`, Externals UI, route/API/UI tests, Gate 9 checker | closed | Profile, connection, interface, wallet, BTD, organization, policy, readiness, and recovery events emit source-safe proof hooks. |
6868
| Promotion readiness | Gate 10 | V31 promotion workflow, generated `.bitcode/v31-*`, `BITCODE_SPEC_V31_PROVEN.md` | pending | `version/v31` can promote to `main` only after all V31 gates pass and promotion automation commits generated canon. |
6969

7070
## V31 implementation checklist
@@ -154,9 +154,9 @@ No `_legacy/` source is active source truth.
154154

155155
| Requirement | Source evidence | Current V31 judgment |
156156
| --- | --- | --- |
157-
| Auxillaries telemetry subjects are typed | telemetry/proof hook package and tests | pending |
158-
| Recovery runs are executions with source-safe before/after evidence | recovery route/UI readback tests | pending |
159-
| Proof hooks bind theorem, replay, evidence, telemetry, blocker, and repair outcome roots | proof-hook tests and generated artifact | pending |
157+
| Auxillaries telemetry subjects are typed | `AuxillariesTelemetrySubject` and `AuxillariesTelemetryProofHook` in `packages/api/src/routes/auxillaries-contract.ts`; `packages/api/src/routes/__tests__/auxillaries-contract.test.ts` asserts all required subjects | closed |
158+
| Recovery runs are executions with source-safe before/after evidence | `AuxillariesRecoveryRun` carries blocker id, retry policy, before/after roots, execution id, evidence root, telemetry root, outcome, and source-safety class; route/UI tests read those records | closed |
159+
| Proof hooks bind theorem, replay, evidence, telemetry, blocker, and repair outcome roots | `buildAuxillariesTelemetryProofHooks` derives hooks from profile, account, provider, interface, wallet, BTD, organization, policy, readiness, and recovery objects; Externals renders compact source-safe hook readback | closed |
160160

161161
## Gate 10 Parity
162162

SPECIFICATIONS_ROADMAP.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
- Current active canonical pointer: `BITCODE_SPEC.txt` -> `V30`
66
- Current active canon: `BITCODE_SPEC_V30.md`
77
- Current draft target: `BITCODE_SPEC_V31.md`
8-
- Current working gate: V31 Gate 8 Auxillaries UX Accessibility And Responsive Proof, which makes the Auxillaries support plane low-detail by default with a named main landmark, keyboard skip link, named pane navigation, active-pane state announcements, expandable audit detail, responsive mobile/desktop layout, focus/label/contrast posture, and reduced-motion proof.
8+
- Current working gate: V31 Gate 9 Auxillaries Telemetry Proof And Recovery Runs, which binds Profile, account, provider connection, interface admission, Wallet, BTD pane, organization authority, policy decision, readiness diagnostic, and recovery-run subjects to source-safe theorem/replay/evidence/telemetry proof hooks and UI readback.
99
- Purpose: concise running index of Bitcode/ENGI specification history, current work, and planned work.
1010

1111
This roadmap is not an active system specification.

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,7 @@
7272
"check:v31-gate6": "node scripts/check-v31-gate6-organization-team-role-policy-authority.mjs",
7373
"check:v31-gate7": "node scripts/check-v31-gate7-interfaces-pane-admission-cross-surface-contracts.mjs",
7474
"check:v31-gate8": "node scripts/check-v31-gate8-auxillaries-ux-accessibility-responsive-proof.mjs",
75+
"check:v31-gate9": "node scripts/check-v31-gate9-auxillaries-telemetry-proof-recovery-runs.mjs",
7576
"check:spec-quality": "node scripts/run-bitcode-spec-quality.mjs --mode basic",
7677
"check:spec-quality:title": "node scripts/run-bitcode-spec-quality.mjs --mode strict-from-title",
7778
"check:spec-quality:v24": "node scripts/run-bitcode-spec-quality.mjs --mode strict-version --version V24",

packages/api/README.md

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,8 +23,9 @@ objects must be built through `buildAuxillariesContractSnapshot` and
2323
`AuxillariesProfileState`, `AuxillariesConnectionReadiness`,
2424
`AuxillariesInterfaceAdmission`, `AuxillariesWalletBtdPaneState`,
2525
`OrganizationPolicyAuthority`, `AuxillariesReadinessDiagnostic`, and
26-
`AuxillariesRecoveryRun` values. They redact provider tokens, API keys, wallet
27-
secrets, private prompts, protected source, service keys, and database
26+
`AuxillariesRecoveryRun` values, plus source-safe
27+
`AuxillariesTelemetryProofHook` records. They redact provider tokens, API keys,
28+
wallet secrets, private prompts, protected source, service keys, and database
2829
credentials before UI, telemetry, or proof-hook consumption.
2930

3031
Profile/account state is also package-owned. `AuxillariesProfileState` binds
@@ -39,7 +40,11 @@ classifies provider id/name, installation state, credential posture, token
3940
presence, scopes, last readback, blocker, repair action, source-safe metadata,
4041
and a readiness root. Routes may validate credentials privately, but API
4142
responses, UI metadata, telemetry, and recovery proof hooks must only serialize
42-
classified readiness and `AuxillariesRecoveryRun` before/after roots.
43+
classified readiness and `AuxillariesRecoveryRun` before/after roots. Gate 9
44+
telemetry hooks bind each support subject to theorem id, replay step id,
45+
evidence root, telemetry root, source-safety class, blocker, and repair outcome
46+
so Auxillaries readback can be audited without exposing credentials or
47+
protected source.
4348

4449
Wallet/BTD support state is package-owned through `@bitcode/btd` and mapped
4550
here as `AuxillariesWalletBtdPaneState`. Route payloads may include wallet

packages/api/src/routes/__tests__/auxillaries-contract.test.ts

Lines changed: 78 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -322,6 +322,31 @@ describe('Auxillaries package route contracts', () => {
322322
expect(admission.interfaceAdmissionRoot).toMatch(/^[0-9a-f]{64}$/);
323323
expect(admission.policyConstraints).toEqual(admission.policyRequirements);
324324
}
325+
const telemetrySubjects = payload.telemetryProofHooks.map((hook) => hook.subject);
326+
expect(telemetrySubjects).toEqual(expect.arrayContaining([
327+
'profile',
328+
'account',
329+
'provider_connection',
330+
'interface_admission',
331+
'wallet',
332+
'btd_pane',
333+
'organization_authority',
334+
'policy_decision',
335+
'readiness_diagnostic',
336+
]));
337+
for (const hook of payload.telemetryProofHooks) {
338+
expect(hook).toMatchObject({
339+
kind: 'AuxillariesTelemetryProofHook',
340+
sourceSafetyClass: 'source_safe',
341+
});
342+
expect(hook.theoremId).toMatch(/^auxillaries\./);
343+
expect(hook.replayStepId.length).toBeGreaterThan(0);
344+
expect(hook.evidenceRoot.length).toBeGreaterThan(0);
345+
expect(hook.telemetryRoot).toMatch(/^[0-9a-f]{64}$/);
346+
expect(hook.proofRoot).toMatch(/^[0-9a-f]{64}$/);
347+
}
348+
expect(payload.auxillariesContract.telemetryProofHooks)
349+
.toEqual(payload.telemetryProofHooks);
325350
expect(payload.auxillariesContract.contractVersion).toBe(AUXILLARIES_CONTRACT_VERSION);
326351
expect(validateAuxillariesContractSnapshot(payload.auxillariesContract)).toEqual({
327352
valid: true,
@@ -334,6 +359,7 @@ describe('Auxillaries package route contracts', () => {
334359
expect(JSON.stringify(payload)).not.toContain('wallet-secret');
335360
expect(JSON.stringify(payload)).not.toContain('repository source');
336361
expect(JSON.stringify(payload)).not.toContain('private prompt body');
362+
expect(JSON.stringify(payload.telemetryProofHooks)).not.toContain('provider-token');
337363
expect(JSON.stringify(payload.walletBtdPaneState)).not.toContain('asset pack source');
338364
expect(JSON.stringify(payload.connectionReadiness[0].metadata)).not.toContain('provider-token');
339365
expect(assertAuxillariesJsonSafe(payload)).toBeUndefined();
@@ -398,10 +424,14 @@ describe('Auxillaries package route contracts', () => {
398424
const recoveryRun = buildAuxillariesRecoveryRun({
399425
targetPane: 'externals',
400426
repairAction: 'reauthorize_provider',
427+
blockerId: 'connects.github.reauthorize_provider',
401428
beforeReadinessRoot: 'before-root',
402429
afterReadinessRoot: 'after-root',
403430
executionId: 'execution-1',
404431
outcome: 'succeeded',
432+
retryPolicy: 'after_repair',
433+
startedAt: '2026-05-21T00:00:00.000Z',
434+
completedAt: '2026-05-21T00:01:00.000Z',
405435
});
406436
const payload = buildAuxillaryDataPayload({
407437
profile: { id: 'user-2', username: 'reviewer' },
@@ -414,15 +444,59 @@ describe('Auxillaries package route contracts', () => {
414444
btcFeeBalance: null,
415445
recentBtdAssetPacks: [],
416446
modelPreferences: null,
447+
recoveryRuns: [recoveryRun],
417448
onboardedSteps: ['profile'],
418449
});
419-
const snapshot = {
420-
...payload.auxillariesContract,
421-
recoveryRuns: [recoveryRun],
422-
};
450+
const snapshot = payload.auxillariesContract;
423451

424452
expect(parseAuxillariesContractSnapshot(snapshot).recoveryRuns[0].recoveryRoot)
425453
.toMatch(/^[0-9a-f]{64}$/);
454+
expect(snapshot.recoveryRuns[0]).toMatchObject({
455+
blockerId: 'connects.github.reauthorize_provider',
456+
retryPolicy: 'after_repair',
457+
sourceSafetyClass: 'source_safe',
458+
});
459+
expect(snapshot.recoveryRuns[0].evidenceRoot).toMatch(/^[0-9a-f]{64}$/);
460+
expect(snapshot.recoveryRuns[0].telemetryRoot).toMatch(/^[0-9a-f]{64}$/);
461+
expect(snapshot.telemetryProofHooks).toEqual(
462+
expect.arrayContaining([
463+
expect.objectContaining({
464+
subject: 'recovery_run',
465+
subjectId: 'execution-1',
466+
pane: 'externals',
467+
theoremId: 'auxillaries.recovery_run.execution_evidence',
468+
evidenceRoot: recoveryRun.evidenceRoot,
469+
telemetryRoot: recoveryRun.telemetryRoot,
470+
blockerId: 'connects.github.reauthorize_provider',
471+
repairOutcome: 'succeeded',
472+
sourceSafetyClass: 'source_safe',
473+
}),
474+
]),
475+
);
476+
expect(validateAuxillariesContractSnapshot({
477+
...snapshot,
478+
telemetryProofHooks: [
479+
{
480+
...snapshot.telemetryProofHooks[0],
481+
subject: 'unknown_subject',
482+
},
483+
],
484+
})).toMatchObject({
485+
valid: false,
486+
errors: expect.arrayContaining(['telemetryProofHooks[0].subject is invalid']),
487+
});
488+
expect(validateAuxillariesContractSnapshot({
489+
...snapshot,
490+
recoveryRuns: [
491+
{
492+
...snapshot.recoveryRuns[0],
493+
outcome: 'unknown_outcome',
494+
},
495+
],
496+
})).toMatchObject({
497+
valid: false,
498+
errors: expect.arrayContaining(['recoveryRuns[0].outcome is invalid']),
499+
});
426500
expect(JSON.stringify(snapshot.recoveryRuns)).not.toContain('access_token');
427501
expect(JSON.stringify(snapshot.recoveryRuns)).not.toContain('oauth_token');
428502
expect(validateAuxillariesContractSnapshot({ kind: 'wrong' })).toMatchObject({

0 commit comments

Comments
 (0)