
Spec: merge gate for signed code block consensus protocol #13

@koad


Context

VESTA-SPEC-033 defines the signed executable code block protocol — GPG-signed policy blocks embedded in bash comment space, with PR-based consensus for modifications.

See koad/vesta#81 for the full spec thread.

Janus's role

Janus owns the merge gate. When a PR modifies lines inside a signed block, Janus enforces the consensus protocol before allowing merge.

Trigger condition

Any PR diff hunk that touches lines between # -----BEGIN PGP SIGNED MESSAGE----- and # -----END PGP SIGNATURE----- in a modified file triggers the signed-block-modification protocol.
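The trigger check above, as an added example (not code from koad/vesta, the VESTA-SPEC-033 thread, or Janus): it walks a unified diff, locates the signed-block line ranges in the base and head copies of each modified file, and reports every changed line that falls inside one. Assumptions made here: the gate has the base and head trees as `{path: [lines]}`; only changed (`+`/`-`) lines count as touching a block, unchanged context does not; the file `policy.sh`, its contents and both diffs are constructed sample input.

```python
"""Added example, not code from koad/vesta or Janus: the trigger condition as a
unified-diff walk.  Assumed: base and head trees are available as {path: [lines]},
and only changed (+/-) lines count as touching a block, not unchanged context."""
import re

BEGIN_BLOCK = "# -----BEGIN PGP SIGNED MESSAGE-----"
END_BLOCK = "# -----END PGP SIGNATURE-----"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def signed_block_ranges(lines):
    """1-based inclusive (start, end) line ranges of signed blocks in one file.
    An opening marker with no closing marker yields no range."""
    ranges, start = [], None
    for n, line in enumerate(lines, 1):
        if line.rstrip() == BEGIN_BLOCK and start is None:
            start = n
        elif line.rstrip() == END_BLOCK and start is not None:
            ranges.append((start, n))
            start = None
    return ranges


def signed_block_hits(diff_text, base, head):
    """(path, side, line) for every +/- diff line inside a signed block: additions
    are checked against the head tree, removals against the base tree.  ---/+++
    headers are honoured only outside hunks, so a removed line that happens to
    start with '--' is not mistaken for a file header."""
    hits, path, in_hunk, old_n, new_n = [], None, False, 0, 0
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False
        elif not in_hunk and line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:].split("\t")[0])
        elif (m := HUNK_RE.match(line)):
            in_hunk, old_n, new_n = True, int(m.group(1)), int(m.group(2))
        elif in_hunk and path is not None:
            tag = line[:1] or " "                  # some tools emit "" for blank context
            n, tree, side = (new_n, head, "head") if tag == "+" else (old_n, base, "base")
            if tag in "+-" and any(a <= n <= b for a, b in signed_block_ranges(tree.get(path, []))):
                hits.append((path, side, n))
            old_n += tag in " -"                   # "\ No newline at end of file" moves neither
            new_n += tag in " +"
    return hits


def needs_consensus(diff_text, base, head):
    """Step 2 (flag): True when the PR must go through the consensus protocol."""
    return bool(signed_block_hits(diff_text, base, head))


# ---- constructed sample: a PR that flips a policy line inside the signed block ----
BASE = {"policy.sh": ["#!/usr/bin/env bash", BEGIN_BLOCK, "# Hash: SHA256", "#",
                      "# policy: deny-by-default", "# threshold: 2",
                      "# -----BEGIN PGP SIGNATURE-----", "# iQEzBAEBCAAd...", END_BLOCK,
                      "echo running"]}
HEAD = {"policy.sh": BASE["policy.sh"][:4] + ["# policy: allow-all"] + BASE["policy.sh"][5:]}
IN_BLOCK_DIFF = """diff --git a/policy.sh b/policy.sh
--- a/policy.sh
+++ b/policy.sh
@@ -4,3 +4,3 @@
 #
-# policy: deny-by-default
+# policy: allow-all
 # threshold: 2
"""
# Same file, change on line 10 outside the block: must not trigger the protocol.
HEAD_OUTSIDE = {"policy.sh": BASE["policy.sh"][:9] + ["echo running --verbose"]}
OUTSIDE_DIFF = """diff --git a/policy.sh b/policy.sh
--- a/policy.sh
+++ b/policy.sh
@@ -9,2 +9,2 @@
 # -----END PGP SIGNATURE-----
-echo running
+echo running --verbose
"""
```

`signed_block_hits(IN_BLOCK_DIFF, BASE, HEAD)` reports line 5 on both sides, so the PR is flagged; `OUTSIDE_DIFF` reports nothing and merges without a vote. Checking removals against the base tree matters: a PR that deletes the whole block, including its markers, leaves no range in the head copy to match against.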

Gate behavior

  1. Detect — scan diff for signed block line ranges
  2. Flag — mark PR as requiring consensus (block merge)
  3. Collect votes — watch for votes/<entity>.sig files committed to the branch, or GPG-signed PR review comments
  4. Verify — validate each vote signature against the trust registry
  5. Check threshold — default: a majority of the signer's trust ring plus a re-sign by the proposer; a threshold: field in the block overrides the default count
  6. Check vetoes — a dissenting signature from the original publisher is a veto (overridable only by a unanimous override plus koad approval); koad's key is a universal veto in all rings
  7. Allow merge — when threshold met and no active vetoes

Vote format (canonical)

votes/<entity>.sig — GPG clearsign of:

vote: yes|no
pr: <pr-number>
repo: <owner>/<repo>
block-hash: <sha256 of signed content>
entity: <entity-name>
date: <iso8601>

Questions for Janus

  • Does this run as a GitHub Actions check, a webhook, or a daemon watcher?
  • How does Janus access the trust registry to validate voter identities?
  • What is the UX when a veto is filed — comment on PR? Label? Status check?
  • Does Janus need its own GPG key to sign status reports?

References

Metadata

Assignees

No one assigned

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests