fix(g19): close PR14 P2 review-thread gaps#15
Merged
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
G-19 v2 static/dynamic trust-boundary hardening
Authority token:
CEO_GO_VTOOLS_PR15_STATIC_DYNAMIC_TRUST_BOUNDARY_HARDENING_02This PR remains Draft. It does not authorize ready-for-review, merge, release, tag, package publish, deploy, signing, branch deletion, public-release readiness, CISO/NASA clean-close, enterprise-ready, SLSA/provenance claims, or PR #14 review-thread resolution.
Base / head
9b7e8456e96771f9285b728aa104a5ed985e8f2b79cc81d93a7c86a0cb31c2427c11889dd338f3b6ec8708d68aa018c186af7789201960d94b7d9382Static/dynamic trust model
tests/g19-v2-structural-check.shGIT_*env keys, includingGIT_PAGER; block/inlineworkflow_dispatch; protected-file writers including indirect path variables; trusted git path rewrites; prefixed git mutation; and sentinel side effects.tests/run-gates.shGIT_*exists, git substrate is untrusted, object store is poisoned, checkout SHA drifts, or executed bytes differ from committed blobs..github/workflows/ci.ymlGIT_*env before first git use, materializes the merge checkout, verifies proof-bound blobs, and recomputes the proof from committed material.Static PASS is not treated as proof of dynamic execution. Dynamic proof is emitted only after substrate, object-store, checkout, and disk/blob checks pass.
Hardening applied
GIT_*variables are rejected before proof-critical git use; this coversGIT_NAMESPACE,GIT_CEILING_DIRECTORIES, andGIT_PAGER(P2-01 red-team residual), not only the earlier list. A blanketGIT_*class scan is intentionally not used because Windows Git Bash exports harmless vars such asGIT_SEQUENCE_EDITORandGIT_EDITOR./usr/local/bin/gitwas removed from the trusted dynamic git path set.TARGET=tests/run-gates.sh; printf ... > "$TARGET".workflow_dispatchin block sequence form underon:.Proof-bound pins @
ec8708dRUN_GATES:d1ec3239d04d0cd3e716a2a6054befb76723146396f2de25550b194c36ff234bSTRUCTURAL:4863e581cfa202621ca8a1529c0fca44faa348b4df30e1eb31e84addc1432716WORKSPACE_HELPER:e105de0bca00c509bfff6923515cccb9ab416013a20f17ff90a7159c52890a06VERIFY_PY:abedd126eac0227dddad9267d8863d1b3b4921ef0bdc69301f59b9c9d708683bVERIFY_SH:65694b5e0abe95f3322c45ab7c69b597d83121ec14001bdbba8e6e83f2224192FIXTURE_MANIFEST:ed002608e565b853c03f868097e684361e43b49db6ae75f3567b8ef75dfea8edChanged files (25)
.github/workflows/ci.ymltests/g19-v2-structural-check.shtests/lib/verify-tracked-workspace.shtests/run-gates.shtests/fixtures/g19-v2/mutant-gate-inline-git-checkout-before-run.ymltests/fixtures/g19-v2/mutant-job-env-git-ceiling-directories.ymltests/fixtures/g19-v2/mutant-job-env-git-pager.ymltests/fixtures/g19-v2/mutant-job-env-git-work-tree.ymltests/fixtures/g19-v2/mutant-prestep-colon-redir-run-gates.ymltests/fixtures/g19-v2/mutant-prestep-command-git-checkout-head-drift.ymltests/fixtures/g19-v2/mutant-prestep-env-git-checkout-head-drift.ymltests/fixtures/g19-v2/mutant-prestep-git-C-checkout-head-drift.ymltests/fixtures/g19-v2/mutant-prestep-tee-run-gates.ymltests/fixtures/g19-v2/mutant-prestep-truncate-run-gates.ymltests/fixtures/g19-v2/mutant-prestep-usrbin-git-checkout-head-drift.ymltests/fixtures/g19-v2/mutant-prestep-var-run-gates-writer.ymltests/fixtures/g19-v2/mutant-prestep-write-trusted-git.ymltests/fixtures/g19-v2/mutant-sentinel-builtin-printf-side-effect.ymltests/fixtures/g19-v2/mutant-sentinel-exec-printf-side-effect.ymltests/fixtures/g19-v2/mutant-sentinel-printf-redirect-side-effect.ymltests/fixtures/g19-v2/mutant-step-env-git-object-directory.ymltests/fixtures/g19-v2/mutant-workflow-dispatch-block-sequence.ymltests/fixtures/g19-v2/mutant-workflow-dispatch-flow-sequence.ymltests/fixtures/g19-v2/mutant-workflow-env-git-dir.ymltests/fixtures/g19-v2/mutant-workflow-env-git-namespace.ymlLocal gates
Local gate shell:
C:\Program Files\Git\bin\bash.exewithGIT_PAGERunset. The default Cygwin-stylebashenvironment is not used as authority because it exportsGIT_PAGER=cat, which the hardened gate correctly treats as proof-criticalGIT_*contamination.git diff --check: PASSbash -n tests/run-gates.sh: PASSbash -n tests/g19-v2-structural-check.sh: PASSbash tests/g19-v2-structural-check.sh .github/workflows/ci.yml:G-19 STRUCTURAL CHECK PASSbash tests/run-gates.sh:ALL GATES PASSb9c9f974c033b7fde21c4253445d1c74de028a9453ea15ac0c872d36780c031bFocused adversarial probes @
ec8708dGIT_PAGER=cat: exit2, proof count0, diagnosticSETUP FAIL: proof-critical git environment variable is set (GIT_PAGER).GIT_NAMESPACE=poison: exit2, proof count0, diagnosticSETUP FAIL: proof-critical git environment variable is set (GIT_NAMESPACE).GIT_CEILING_DIRECTORIES=/: exit2, proof count0, diagnosticSETUP FAIL: proof-critical git environment variable is set (GIT_CEILING_DIRECTORIES).mutant-job-env-git-pager.yml: structural checker exits1.workflow_dispatch: structural checker exits1.TARGET=tests/run-gates.sh: structural checker exits1./usr/local/bin/git: structural checker exits1.2, proof count0, diagnosticSETUP FAIL: git executable resolves outside trusted system paths.2, proof count0, diagnosticSETUP FAIL: VT_G19_CHECKOUT_SHA does not match executed worktree HEAD.tests/run-gates.shand fixtures.Remote CI
ec8708d:28894080030gates (ubuntu-latest): PASS, job85714054039, 37sgates (windows-latest): PASS, job85714053990, 3m21s0ec8708d68aa018c186af7789201960d94b7d93829b7e8456e96771f9285b728aa104a5ed985e8f2bc1ec457730c7e75260fe476f4d333d3f45e906e2dc514a8cf3e8fd252f5fe646d0fab7eb5f7781b0f3fc93e044a11769d28a540eReview-thread boundary
06unresolved / not outdated, intentionally not resolved until PR fix(g19): close PR14 P2 review-thread gaps #15 is merged and postverified under a separate CEO token.Explicit boundaries
NO_RELEASE_NO_TAG_NO_PACKAGE_PUBLISH_NO_DEPLOY_NO_SIGNINGNO_PUBLIC_RELEASE_READYNO_CISO_NASA_CLEAN_DECLAREDNO_ENTERPRISE_READY_CLAIMNO_SLSA_PROVENANCE_CLAIMNO_PRODUCTION_READY_CLAIMPR14_THREADS_NOT_RESOLVED_UNTIL_PR15_POSTVERIFYCLEAN_ESTATE_NOT_DECLARED