Skip to content

Tighten validation and provenance surfaces#6

Open
GsCommand wants to merge 3 commits intomainfrom
codex/update-validation-to-match-release-story
Open

Tighten validation and provenance surfaces#6
GsCommand wants to merge 3 commits intomainfrom
codex/update-validation-to-match-release-story

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented Mar 19, 2026

Motivation

  • Center the default validation and reviewer story on the current canonical release line (v1.1.0) rather than an undifferentiated whole-repo sweep.
  • Remove obvious legacy placeholder/template junk from committed JSON so the archive does not look fabricated.
  • Make governance, resolution, and provenance language sober and explicit so reviewers can interpret tradeoffs (not theater).
  • Explicitly answer the pgp_fingerprint question and document the provenance model decisions.

Description

  • Reworked validation to provide clear modes and reviewer commands by updating scripts/validate-cards.mjs to support --mode=current|legacy|all and splitting validation paths into validate:current, validate:legacy, validate:cards (all), and validate:release, and made npm run validate the release-facing alias for the current-line flow.
  • Updated package.json scripts accordingly (validatevalidate:release, added validate:current, validate:legacy, validate:cards) so reviewers run npm run validate to exercise the canonical gate.
  • Split CI into two explicit jobs in .github/workflows/validate.yml: validate-current-release (the reviewer/release gate) and validate-legacy-compatibility (archival/compat checks).
  • Removed placeholder schemas_mirror IPFS URLs from the five legacy commercial cards and added meta.notes entries documenting that mirrors were intentionally omitted because no canonical historical mirror binding exists, and regenerated checksums.txt.
  • Expanded and rewrote repository docs (README.md, COMPLIANCE.md, GOVERNANCE.md, RESOLUTION.md, SECURITY_PROVENANCE.md) to state legacy limitations, define the repository/manifest/checksum provenance model, and explicitly confirm that pgp_fingerprint was intentionally removed from the v1.1.0 card schema and replaced by release-surface anchors.

Testing

  • Ran npm run validate (which runs validate:current, checksum verification, and tsc) and it completed successfully.
  • Ran npm run validate:current and npm run validate:legacy and both completed successfully, with legacy validation rejecting placeholder/template content where present and legacy cards carrying preservation meta.notes.
  • Ran npm run validate:checksums (via generate-checksums.mjs --verify) and it reported checksums.txt matches the repository contents.
  • Searched the agents tree for common placeholder patterns (COMMERCIAL_SCHEMAS_CID, example.com, REPLACE_ME, TODO, TBD, etc.) and found none remaining in committed JSON files.

Codex Task

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand