Skip to content

audit-impl: Add hash-bound closure authority and independently verified requirements reports #4241

Description

@Trecek

audit-impl: Add hash-bound closure authority and independently verified requirements reports

Problem

audit-impl cannot activate a caller-selected frozen requirement inventory, bind it to an
independently supplied expected hash, or persist a requirement-level report whose verdict can be
independently reconstructed. Its sole runtime inventory is mutable and append-only across plan
provenance changes, and all six consuming recipes route directly on the raw LLM verdict.

The concrete #4233 closure authority has four plans and exactly REQ-001..REQ-072, but production
uses a five-plan mutable inventory containing REQ-001..REQ-083. The first 72 rows match and the
additional 11 are unauthorized. A four-plan invocation does not reset or subtract them. Therefore,
a reported GO cannot prove that #4233's exact frozen authority was audited, blocking REQ-043.

Reproduction

At #4233 feature commit ec3b9894e39e55673f3897b5309c1caf1ff724b6:

  1. Compare the frozen inventory (72 rows, four plans, SHA-256
    1a2981773ab01706d15a0cf753521e64e203fa301de0c3c13a63ff8eac29df5f) with the shared mutable
    inventory (83 rows, five plans, SHA-256
    a0e113849eeef1edae27e8a3232608f1fed44ba491c19db44656494e08d888ae).
  2. The first 72 canonical rows are equal; the mutable file adds REQ-073..REQ-083.
  3. Inspect src/autoskillit/skills_extended/audit-impl/SKILL.md: it accepts no frozen-authority
    input, always reads requirements_inventory.json, and extends it on provenance mismatch.
  4. Inspect implementation, implementation-groups, remediation, merge-prs, research, and
    research-implement: each routes on the raw audit skill verdict without independent report
    verification.

Acceptance Criteria

  1. Optional closure mode requires both an absolute authority path and independently supplied
    lowercase SHA-256; XOR, malformed, absent, or mismatched input fails closed.
  2. Authority, inventory, plans, diff inputs, report root, reports, and remediation artifacts are
    securely opened with containment, owner/mode, symlink/hardlink, size, and pre/post metadata
    checks.
  3. Strict schemas bind the authority hash, ordered plan hashes, inventory/row hashes,
    base/diff/target SHAs, canonical diff hash, and exact requirement IDs.
  4. Closure mode consumes only the authorized inventory and never creates, extends, or consults the
    shared mutable requirements_inventory.json.
  5. Audit produces a canonical persisted report with exactly one assessment per authorized row,
    hash-bound evidence, blocking extra findings, request hash, verdict, and remediation metadata.
  6. An independent Python verifier reconstructs the request and verdict. No recipe routes on the raw
    skill verdict.
  7. Valid NO GO retains a verified remediation artifact and existing remediation behavior;
    malformed or unverifiable output fails as execution error.
  8. All six audit-consuming recipes support optional closure activation and verified routing;
    ordinary non-closure behavior is unchanged.
  9. Tests cover the 72-versus-83 occurrence, hash/schema/path attacks, ref/diff drift,
    missing/duplicate/reordered rows, forged GO, report-root escape, and valid GO/NO GO routes.
  10. pre-commit run --all-files, task test-check, and task test-all pass.

Scope Exclusions

Dependencies

#4177 / PR #4178 is already on develop. This issue must merge into develop before #4233 can
publish and implement its final writer authority. #4185 remains parallel and matters only if a
verified closing result is NO GO and autonomous remediation must continue.

Execution Reset - 2026-07-13

The previous Driver-owned attempt is invalid and must not be resumed. It incorrectly inserted
out-of-recipe plan validators after successful dry_walkthrough steps, removed valid stamps based
on those external opinions, and repeatedly reran the same step instead of following the remediation
route to implementation. No implementation worktree, source edit, commit, or PR was produced.

The attempt's branch, clone, reports, plans, and local driver artifacts have been retired. Start one
fresh whole remediation recipe at investigate; do not reuse or reconstruct any investigation,
rectification plan, dry-walkthrough output, validator finding, or session result from that attempt.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugExisting behavior is brokenrecipe:remediationRoute: investigate/decompose before implementationstagedImplementation staged and waiting for promotion to main

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions