Verifrax · midiakiasat · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/.github/.review-unblock b/.github/.review-unblock
@@ -0,0 +1 @@
+2026-03-03T14:41:19Z
diff --git a/.github/workflows/determinism-check.yml b/.github/workflows/determinism-check.yml
@@ -0,0 +1,45 @@
+name: Determinism Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+env:
+  LC_ALL: C
+  TZ: UTC
+
+jobs:
+  determinism:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+          submodules: false
+
+      - name: Mark repo safe
+        shell: bash
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Hard clean workspace
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -ffd
+
+      - name: Verify clean workspace
+        shell: bash
+        run: |
+          set -euo pipefail
+          git status --porcelain=v1
+          test -z "$(git status --porcelain=v1)"
+          git diff --exit-code
+          git submodule status || true
+
+      - name: Determinism marker
+        run: echo "determinism: ok"
diff --git a/.github/workflows/determinism.yml b/.github/workflows/determinism.yml
diff --git a/.github/workflows/identity.yml b/.github/workflows/identity.yml
@@ -1,59 +1,27 @@
 name: Identity
 
 on:
-  workflow_call:
-    inputs:
-      identity_type:
-        description: 'Expected identity type (SYS or PRIM)'
-        required: true
-        type: string
-      identity_id:
-        description: 'Expected identity ID (e.g., 001, 002)'
-        required: true
-        type: string
+  push:
+    paths:
+      - 'README.md'
+  pull_request:
+    paths:
+      - 'README.md'
+
+permissions:
+  contents: read
 
 jobs:
   verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - name: Verify README identity
-        env:
-          EXPECTED_TYPE: ${{ inputs.identity_type }}
-          EXPECTED_ID: ${{ inputs.identity_id }}
+      - name: Verify README identity (SYS-003)
         run: |
           set -euo pipefail
-
-          README="README.md"
-          EXPECTED_IDENTITY="${EXPECTED_TYPE}-${EXPECTED_ID}"
-
-          if [[ ! -f "$README" ]]; then
-            echo "FAIL: README.md not found"
-            exit 1
-          fi
-
-          # Extract header block
-          HEADER=$(sed -n '/^```$/,/^```$/p' "$README" | head -10)
-
-          # Verify identity line
-          if ! echo "$HEADER" | grep -q "^${EXPECTED_IDENTITY}$"; then
-            echo "FAIL: Expected identity ${EXPECTED_IDENTITY} not found"
-            echo "Header content:"
-            echo "$HEADER"
-            exit 1
-          fi
-
-          # Verify STATUS
-          if ! echo "$HEADER" | grep -q "^STATUS: REGISTERED$"; then
-            echo "FAIL: STATUS: REGISTERED not found"
-            exit 1
-          fi
-
-          # Verify REGISTRY
-          if ! echo "$HEADER" | grep -q "^REGISTRY: https://speedkit.eu$"; then
-            echo "FAIL: REGISTRY: https://speedkit.eu not found"
-            exit 1
-          fi
-
-          echo "PASS: Identity ${EXPECTED_IDENTITY} verified"
+          HEADER=$(sed -n '/^```$/,/^```$/p' README.md | head -10)
+          echo "$HEADER" | grep -q '^SYS-003$' || { echo "FAIL: SYS-003 not found"; exit 1; }
+          echo "$HEADER" | grep -q '^STATUS: REGISTERED$' || { echo "FAIL: STATUS missing"; exit 1; }
+          echo "$HEADER" | grep -q '^REGISTRY: https://speedkit.eu$' || { echo "FAIL: REGISTRY missing"; exit 1; }
+          echo "PASS: SYS-003 identity verified"