site-deploy: make the RFC 9110 probe opt-in (skip if no config)#42
Merged
Conversation
A reusable workflow shouldn't force every site to ship contract/http-probe.json. Skip the probe (with a notice) when the config file is absent; sites enable it by adding the config. Lets bounded.tools derive the pipeline without a probe contract it doesn't have. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe
added a commit
to bounded-systems/site
that referenced
this pull request
Jun 29, 2026
…al gate) (#98) * deploy: derive bounded.tools from the canonical reusable pipeline (adds gate) Mirror robertdelanghe.dev: replace the straight build->deploy job with a call to the canonical reusable workflow (bounded-systems/.github). This ADDS the preview -> deterministic preview-URL verify -> required-reviewers promote gate that bounded.tools didn't have. Also re-vendors the FIXED standalone verifier (package.json + lockfile + the X509 SAN extraction), which is portable (identity derived from served provenance). site-promote Environment created with bdelanghe as required reviewer. Pinned to the opt-in-probe branch until bounded-systems/.github#42 merges, then -> @sha. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * deploy: pin canonical reusable workflow to merged .github SHA (was opt-in-probe branch) --------- Co-authored-by: Robert DeLanghe <oink_monocle_7d@icloud.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe
added a commit
to bounded-systems/site
that referenced
this pull request
Jun 29, 2026
* deploy: derive bounded.tools from the canonical reusable pipeline (adds gate) Mirror robertdelanghe.dev: replace the straight build->deploy job with a call to the canonical reusable workflow (bounded-systems/.github). This ADDS the preview -> deterministic preview-URL verify -> required-reviewers promote gate that bounded.tools didn't have. Also re-vendors the FIXED standalone verifier (package.json + lockfile + the X509 SAN extraction), which is portable (identity derived from served provenance). site-promote Environment created with bdelanghe as required reviewer. Pinned to the opt-in-probe branch until bounded-systems/.github#42 merges, then -> @sha. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs(conformance): spec — agents against the not-assessed rows Defines how agents attack the 15 not-assessed criteria, with a hard invariant: an agent run NEVER sets a row to met. Three parts: - Part A: 5 static rows reachable by fail-closed gates (vuln scan, commonmark, vnu, slsa-provenance, baseline) — real met gains, independent PRs. - Part B: human-gated rows (WCAG 2.2 AA manual, ASVS L2, COGA) get agent PRE-verification only — structured non-gating artifact + readiness report; rows stay not-assessed pending the named human/external verifier. - Part C: guest-room trial-runner sketch — capability-scoped sandbox that makes "agents never gate" structural (no door to the evidence file / to met). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Robert DeLanghe <oink_monocle_7d@icloud.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe
added a commit
to bounded-systems/site
that referenced
this pull request
Jun 29, 2026
…42 merged) (#109) bounded-systems/.github#42 (make the RFC 9110 probe opt-in) merged 2026-06-29; per #98's plan, move the promote pin off the temporary @fix/optional-http-probe branch to its merge commit c46a1dc on .github main, restoring the repo's SHA-pin posture. Also re-triggers a fresh deploy run (the prior one wedged in pending). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A reusable workflow shouldn't mandate a per-site
contract/http-probe.json. Skip the probe (with a notice) when the config is absent — sites opt in by shipping the config. Unblocks the bounded.tools mirror (it has no probe contract yet). Tiny, self-contained.🤖 Generated with Claude Code