| 1 | +# Roadmap v0.2 — Proof Pack adversarial inspection targets |
| 2 | + |
| 3 | +This document records the inspection result for Proof Pack v0.1 and the |
| 4 | +candidate next proof-surface targets for v0.2. It is a custody artefact, |
| 5 | +not a marketing document. |
| 6 | + |
| 7 | +## 1. Current v0.1 boundary |
| 8 | + |
| 9 | +Proof Pack v0.1 is bounded to: |
| 10 | + |
| 11 | +- a path-local Python harness driving the existing CommitGate kernel |
| 12 | +- a synthetic signature verifier (accepts records where |
| 13 | + `signature == "sig_valid"`) |
| 14 | +- an in-memory nonce ledger |
| 15 | +- a fixed clock pinned to `2026-04-27T05:01:00Z` |
| 16 | +- a single mutation callback |
| 17 | +- reproducible JSON fixtures and content-addressed receipts |
| 18 | + |
| 19 | +## 2. What v0.1 proves |
| 20 | + |
| 21 | +On the demonstrated path, with the harness above: |
| 22 | + |
| 23 | +- a DENY decision prevents the `mutation_callback` from executing |
| 24 | +- receipts record both ALLOW and DENY outcomes |
| 25 | +- each DENY receipt emits a `no_execution_marker` |
| 26 | +- the four fixture cases and their receipts are byte-for-byte replayable |
| 27 | + |
| 28 | +## 3. What v0.1 does not prove |
| 29 | + |
| 30 | +v0.1 does not prove: |
| 31 | + |
| 32 | +- real cryptographic signature verification (the verifier is synthetic) |
| 33 | +- persistent nonce custody across process restarts |
| 34 | +- cross-process replay resistance |
| 35 | +- concurrent safety under simultaneous `execute()` calls |
| 36 | +- distributed side-effect control beyond the in-process callback |
| 37 | +- production readiness |
| 38 | + |
| 39 | +## 4. v0.2 candidate targets |
| 40 | + |
| 41 | +The following are candidate proof surfaces, each scoped to remain |
| 42 | +inspectable without expanding the public claim: |
| 43 | + |
| 44 | +- Ed25519 or ECDSA signature verification against a fixed public key, |
| 45 | + with a malformed-signature fixture |
| 46 | +- a persistent nonce ledger (file- or sqlite-backed) with a restart- |
| 47 | + replay fixture |
| 48 | +- a cross-process replay test that consumes a nonce in one process and |
| 49 | + asserts refusal in a second |
| 50 | +- a concurrent `execute()` test under a shared nonce ledger, asserting |
| 51 | + that at most one mutation occurs per nonce |
| 52 | +- malformed-JSON and parser-boundary fixtures (truncated input, wrong |
| 53 | + types, extra fields) with matching DENY receipts |
| 54 | + |
| 55 | +## 5. Claim boundary |
| 56 | + |
| 57 | +- This roadmap does not claim production infrastructure, certification, |
| 58 | + adoption, or universal runtime governance. |
| 59 | +- It records the next bounded proof surfaces for authority-before- |
| 60 | + mutation inspection. |
| 61 | +- v0.2 targets remain candidate work until implemented, tested, and |
| 62 | + reviewed. |
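Review bot: the Ed25519/ECDSA target in section 4 lists only a malformed-signature fixture, which exercises the signature parser rather than the verifier; add a well-formed signature made under a different key and a valid signature over a payload that was modified after signing (including a field-reordering case, so the canonicalisation rule is pinned down), each with its own DENY receipt, and choose one algorithm rather than "Ed25519 or ECDSA" so the fixed public key and fixture format are unambiguous. For the persistent and concurrent nonce-ledger targets, state that the nonce check and consume must be a single atomic step (for example an INSERT under a UNIQUE constraint, or an exclusive file lock around check-and-write); without that requirement the "at most one mutation occurs per nonce" assertion can pass by scheduling luck on one run and fail on the next. Since v0.1 pins the clock to `2026-04-27T05:01:00Z`, the v0.2 list could also carry an expired-timestamp and a future-timestamp fixture, otherwise the replay surface is tested only through the nonce ledger. Finally, "content-addressed receipts" in section 1 should name the hash used, or the byte-for-byte replay claim in section 2 cannot be independently checked.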