Allow intentional blank governance SHA exceptions in validation #58

Merged
CAM-Initiative merged 4 commits into main from codex/fix-governance-validation-pipeline-for-missing-shas
May 11, 2026

@CAM-Initiative
Owner

Motivation

  • Step 2 of the governance rebuild was failing because strict validation treated every blank latest ledger SHA/JSON HASH as a hard error, which rejected intentionally blank/externally-anchored instruments.
  • The change introduces an explicit allowlist so those known intentional blanks are tolerated while preserving strict failure behaviour for all other missing/malformed SHAs.

Description

  • Added a single shared allowlist helper at .github/scripts/lib/ledger_sha_exceptions.py exposing ALLOWED_BLANK_SHA_IDS and allows_blank_sha(doc_id) containing CAM-BS2025-AEON-006-SCH-01 and CAM-BS2025-AEON-006-SCH-03.
  • Updated lint_amendment_ledger.py to import allows_blank_sha and treat an allowlisted document with an empty latest ledger SHA as an allowed exception that emits the warning Allowed blank SHA: <ID> instead of failing in strict mode.
  • Updated verify-ledger-sha-coverage.py to import allows_blank_sha and apply the same allowlist for both latest ledger SHA checks and JSON HASH blank checks, emitting Allowed blank SHA: <ID> and skipping failure for allowlisted entries.
  • Added tests to .github/scripts/tests/test_lint_amendment_ledger_sha_policy.py and .github/scripts/tests/test_verify_ledger_sha_coverage.py asserting that allowlisted blank latest SHAs pass strict validation and log the explicit message; no SHAs are populated or backfilled and validation logic is not globally weakened.

Files modified:

  • Added: .github/scripts/lib/ledger_sha_exceptions.py
  • Modified: .github/scripts/lint_amendment_ledger.py, .github/scripts/verify-ledger-sha-coverage.py, .github/scripts/tests/test_lint_amendment_ledger_sha_policy.py, and .github/scripts/tests/test_verify_ledger_sha_coverage.py.

Exact reason Step 2 was failing:

  • The strict-latest validation branch treated a blank latest ledger SHA as a hard error for all instruments, so intentionally blank entries were indistinguishable from unintended/missing SHAs and caused the step to fail.

Confirmation about other failures:

  • Non-allowlisted missing or malformed SHA/HASH values continue to fail validation in both the lint and coverage stages (failure branches remain unchanged when allows_blank_sha(doc_id) is false).

Testing

  • Ran the repository tests: pytest -q .github/scripts/tests/test_lint_amendment_ledger_sha_policy.py .github/scripts/tests/test_verify_ledger_sha_coverage.py which returned 15 passed (all tests passed).
  • Verified that an allowlisted instrument with an empty latest ledger SHA passes strict validation and that the log contains Allowed blank SHA: CAM-BS2025-AEON-006-SCH-01.
  • Verified that non-allowlisted blank or malformed historical/latest SHAs still cause failures under strict checks, preserving strictness and idempotency of the pipeline.

Codex Task

@CAM-Initiative CAM-Initiative merged commit ce8cbec into main May 11, 2026
@CAM-Initiative CAM-Initiative deleted the codex/fix-governance-validation-pipeline-for-missing-shas branch May 11, 2026 14:54
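
The allowlist pattern described in the pull request, as an added sketch that is not the repository's own code. ALLOWED_BLANK_SHA_IDS, allows_blank_sha and the "Allowed blank SHA" message come from the description; the hex SHA-256 format, the error strings, the CAM-EXAMPLE IDs and the stale_allowlist_ids check (which goes beyond what the PR describes) are assumptions.

```python
import re

# The two IDs named in the PR description.
ALLOWED_BLANK_SHA_IDS = frozenset({
    "CAM-BS2025-AEON-006-SCH-01",
    "CAM-BS2025-AEON-006-SCH-03",
})
SHA256_RE = re.compile(r"[0-9a-f]{64}")  # assumption: SHAs are hex SHA-256


def allows_blank_sha(doc_id: str) -> bool:
    # Exact match only: no prefix, case-folding or whitespace tolerance.
    return doc_id in ALLOWED_BLANK_SHA_IDS


def validate_latest_shas(entries):
    """Strict check over (doc_id, latest_sha) pairs; returns (errors, warnings)."""
    errors, warnings = [], []
    for doc_id, sha in entries:
        sha = (sha or "").strip()
        if not sha:
            if allows_blank_sha(doc_id):
                warnings.append(f"Allowed blank SHA: {doc_id}")
            else:
                errors.append(f"Missing latest ledger SHA: {doc_id}")  # hypothetical text
        elif not SHA256_RE.fullmatch(sha):
            # The exception covers blank values only; malformed always fails.
            errors.append(f"Malformed latest ledger SHA: {doc_id}")  # hypothetical text
    return errors, warnings


def stale_allowlist_ids(entries):
    """Allowlisted IDs with no blank entry left: candidates for removal."""
    blank = {doc_id for doc_id, sha in entries if not (sha or "").strip()}
    return sorted(ALLOWED_BLANK_SHA_IDS - blank)


# Constructed sample ledger rows (not real ledger data).
SAMPLE = [
    ("CAM-BS2025-AEON-006-SCH-01", ""),           # allowlisted, blank
    ("CAM-BS2025-AEON-006-SCH-03", "not-a-sha"),  # allowlisted, malformed
    ("CAM-EXAMPLE-0001", ""),                     # hypothetical ID, blank
    ("CAM-EXAMPLE-0002", "ab" * 32),              # hypothetical ID, well-formed
]

if __name__ == "__main__":
    print(validate_latest_shas(SAMPLE))
    print(stale_allowlist_ids(SAMPLE))
```

Reporting stale allowlist entries keeps the exception list from outliving the instruments it was written for.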