
Complete witness receipts and plurality law hardening#552

Merged
flyingrobots merged 14 commits into main from hardening/witness-receipts-sealed-capabilities
Jun 17, 2026

Conversation

flyingrobots (Owner) commented Jun 17, 2026

Summary

Completes the remaining braids/strands hardening roadmap slices for Goalposts 4 and 5.

  • Adds typed witness receipt boundaries, compatibility rules, simulator fixtures, and sealed membership presentation vocabulary.
  • Extends braid shell audit/replay facts with disclosure budgets, typed self-witness receipts, named plurality law refs, and witnessed law readings.
  • Adds named plurality law machinery: law refs, law families, Law Cards, deterministic registry, reading identity, authorization evidence, and unsupported/unauthorized obstruction evidence.
  • Checks off GP4-S1 through GP5-S5 in the roadmap and updates the Goalpost 4/5 design packets plus changelog.

Self-Review Fixes Included

  • Self-witness simulator now rejects non-E1 compatibility requests with WitnessError::UnsupportedCompatibility instead of minting stable public identity for scaffolding evidence.
  • PluralityLawRef::new(...) rejects all-zero law names and zero versions before registration.

Validation

  • cargo test -p warp-core --lib
  • cargo test -p warp-core --test witness_public_api_tests
  • cargo test -p warp-core --test plurality_law_public_api_tests
  • cargo fmt --all -- --check
  • cargo clippy -p warp-core --lib -- -D warnings
  • cargo clippy -p warp-core --test witness_public_api_tests -- -D warnings
  • cargo clippy -p warp-core --test plurality_law_public_api_tests -- -D warnings
  • pnpm exec markdownlint-cli2 CHANGELOG.md docs/design/braids-and-strands-roadmap.md docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md
  • scripts/check_spdx.sh
  • scripts/check-no-app-nouns-in-core.sh
  • git diff --check origin/main...HEAD
  • Drift scan for stale GP4/GP5 planned markers, unchecked slices, and self-witness overclaim wording

Summary by CodeRabbit

  • New Features
    • Added typed witness receipts with deterministic simulator support and stricter compatibility/attestation rules.
    • Added purpose-bound sealed membership presentations that carry disclosure budgets.
    • Introduced a named plurality law registry with typed cards/authorizations and typed law reading/obstruction evidence.
    • Extended braid shell replay/audit to include law references/readings, witness receipts, and per-member disclosure-budget labeling.
  • Bug Fixes
    • Reject empty policy identifiers and detect incoherent collapse policy identity during validation.
  • Documentation
    • Marked Goals 4–5 as implemented; expanded design details and updated roadmap wording.
  • Tests
    • Added public API, determinism, and rejection/identity-mismatch coverage for witness and plurality-law flows.

coderabbitai Bot (Contributor) commented Jun 17, 2026
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 78e6bd64-f639-4702-b413-ce4fbb3253b8

📥 Commits

Reviewing files that changed from the base of the PR and between 9da73d6 and ba972f6.

📒 Files selected for processing (1)
  • crates/warp-core/tests/witness_public_api_tests.rs

Walkthrough

Implements Goalposts 4 and 5 of the braids/strands hardening roadmap. Adds three new warp-core modules: witness (typed receipts, deterministic simulator backend), sealed_membership (disclosure budget, presentation vocabulary), and plurality_law (named law registry, machine-readable cards, authorization/obstruction). All types are re-exported from the crate root. BraidShellReplay and BraidShellAudit are extended with law_ref, law_reading, witness_receipt, and disclosure_budget fields wired through the replay/audit constructors. Policy validation rejects all-zero policy ids.

Changes

GP4 + GP5: Witness Receipts, Sealed Membership, and Named Plurality Laws

Layer (file(s)): Summary

  • Witness receipt types and deterministic simulator backend (crates/warp-core/src/witness.rs): Defines WitnessKind with canonical tag, WitnessAttestation (IntegrityOnly/IndependentAttestation), WitnessCompatibilityRule (StableV1/E1Scaffold/migration), WitnessReceipt with self-witness validation (E1Scaffold + IntegrityOnly only) and deterministic digest, WitnessRequest with explicit and self_witness constructors, WitnessRejectionCode, WitnessError with typed variants, WitnessBackend trait, and WitnessBackendSimulator with fixture-driven verify().
  • Sealed membership presentation vocabulary (crates/warp-core/src/sealed_membership.rs): Adds DisclosureBudget enum, PresentationPurpose with const fn accessors, SealedMembershipPresentationError with typed mismatch variants, and SealedMembershipPresentation bundling coordinate/authority/commitment/receipt/budget with fallible constructor validating witness subject/evidence digests.
  • Named plurality law registry, cards, readings, and obstruction evidence (crates/warp-core/src/plurality_law.rs): Introduces PluralityLawName, PluralityLawFamily (AdapterProvided with authority digest), PluralityLawRef validating non-all-zero name and non-zero version, machine-readable card components, PluralityLawCard with sorted+deduped vectors and canonical digest, PluralityLawRegistry with authorize() enforcing authority-domain digest matching, typed PluralityLawObstruction, and PluralityLawReading deriving evidence posture from witness receipt with disclosure-budget-tagged digest.
  • Module declarations and public re-exports (crates/warp-core/src/lib.rs): Declares mod plurality_law, mod sealed_membership, mod witness and adds pub use blocks exposing all new types at crate root.
  • BraidShell policy validation (crates/warp-core/src/braid_shell.rs): Adds BraidShellError::EmptyPolicyId; introduces check_policy_id and check_collapse_policy_identity helpers; wires validation into both assemble_with_proof and validate; rejects all-zero policy ids and ensures collapse policy matches shell policy id.
  • BraidShellReplay/Audit struct extensions (crates/warp-core/src/braid_shell.rs): Adds law_ref: PluralityLawRef to BraidShellReplay, disclosure_budget: DisclosureBudget to BraidShellMemberAuditFact, and law_reading: PluralityLawReading plus witness_receipt: WitnessReceipt to BraidShellAudit.
  • BraidShell constructor logic (crates/warp-core/src/braid_shell.rs): Updates replay_braid_shell to derive law_ref from policy; extends audit_braid_shell to construct witness_receipt via self_witness, derive law_ref, compute shell/member disclosure budgets (AuthorityScoped if any sealed member), and build PluralityLawReading with witness receipt.
  • BraidShell tests (crates/warp-core/src/braid_shell.rs): Updates replay/audit assertions to validate law_ref, law_reading (evidence posture, disclosure budget), witness_receipt; extends member facts with disclosure_budget; adds sealed-member test and empty-policy rejection test; verifies Collapse family in collapse scenarios; validates collapse-policy-identity mismatch rejection.
  • Witness receipt public API tests (crates/warp-core/tests/witness_public_api_tests.rs): Tests unsupported backend/compatibility/attestation errors, deterministic receipt generation and digest stability, rejection handling, E1Scaffold-only enforcement for self-witness, receipt digest binding to compatibility, and SealedMembershipPresentation field retention and witness subject validation.
  • Plurality law public API tests (crates/warp-core/tests/plurality_law_public_api_tests.rs): Tests registry registration and duplicate rejection, ref validation (EmptyName/ZeroVersion), reading digest binding to version, integrity-only evidence posture, witness subject mismatch rejection, adapter-provided law authorization with authority-domain matching, and unsupported law obstruction.
  • Design documentation and roadmap (docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md, goalpost-05-named-plurality-laws.md, braids-and-strands-roadmap.md, CHANGELOG.md): Updates Goalpost 4 and 5 status to implemented with full Implementation Design sections covering receipt identity, witness backend boundary, sealed membership validation, law registry, reading digests, and BraidShellAudit/Replay linkage. Marks Goalpost 4 checklist complete; updates witness compatibility enum name; adds changelog entries.

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant WitnessBackendSimulator
  participant WitnessReceipt
  participant PluralityLawReading
  participant BraidShellAudit

  Caller->>WitnessBackendSimulator: verify(WitnessRequest::self_witness(subject, evidence))
  WitnessBackendSimulator->>WitnessReceipt: self_witness(subject_digest, evidence_digest)
  WitnessReceipt-->>WitnessBackendSimulator: receipt(IntegrityOnly, E1Scaffold)
  WitnessBackendSimulator-->>Caller: Ok(WitnessReceipt)

  Caller->>PluralityLawReading: new(law_ref, shell_digest, witness_receipt, disclosure_budget)
  Note over PluralityLawReading: infers EvidencePosture from WitnessKind::SelfWitness + IntegrityOnly
  PluralityLawReading-->>Caller: reading with disclosure-budget-tagged digest

  Caller->>BraidShellAudit: audit_braid_shell(shell, witness_digest)
  Note over BraidShellAudit: computes member DisclosureBudget (Public vs AuthorityScoped)<br/>constructs WitnessReceipt::self_witness<br/>builds PluralityLawReading
  BraidShellAudit-->>Caller: BraidShellAudit { law_reading, witness_receipt, member_facts[disclosure_budget] }

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • flyingrobots/echo#551: Directly extends the same BraidShellAudit/audit_braid_shell surface in braid_shell.rs that this PR builds on for GP4/GP5 law reading and witness receipt fields.
  • flyingrobots/echo#539: Modifies braid_shell.rs around retained shell policy/policy-id handling that this PR extends with plurality-law and witness-receipt derivation.
  • flyingrobots/echo#545: Modifies BraidShellReplay/BraidShellAudit data structures in braid_shell.rs that this PR extends with law_ref, law_reading, and witness_receipt fields.

Poem

🧵 A braid gets audited, a law gets named,
The receipt is hashed, the witness is framed.
All-zero names? Rejected outright.
E1Scaffold only—self-witness rite.
The registry speaks in deterministic bytes,
And no StableV1 slips through the pipe. ⚙️

🚥 Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Complete witness receipts and plurality law hardening' accurately summarizes the main change—completing two major hardening roadmap goalposts (GP4 and GP5) with typed witness receipts and named plurality law machinery.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/warp-core/src/braid_shell.rs`:
- Around line 1716-1740: The test
replay_audit_labels_sealed_member_disclosure_budget currently only asserts the
member-level disclosure budget via audit.member_facts[0].disclosure_budget but
missing validation of the shell-level disclosure budget. Add an assertion to
check audit.law_reading.disclosure_budget() to ensure the shell-level disclosure
budget is validated and prevent regressions in shell_disclosure_budget function.
The assertion should verify that the shell-level disclosure budget matches the
expected DisclosureBudget value (likely DisclosureBudget::AuthorityScoped).

In `@crates/warp-core/src/plurality_law.rs`:
- Around line 375-399: The digest method of PluralityLawCard calls hash_tag_vec
three times with self.requires, self.emits, and self.conceals, and each call
allocates a temporary Vec<u8> in the hash_tag_vec helper function. To eliminate
these hot-path allocations, refactor the hash_tag_vec helper to accept a Hasher
reference and update it directly without creating intermediate Vec allocations,
then modify all three calls in the digest method to pass the hasher and iterator
directly to the refactored helper instead of having the helper create and return
a Vec.
- Around line 148-154: The settlement_policy function directly constructs a
PluralityLawRef struct instead of using the proper constructor validation
method, which bypasses the non-zero-name guard that exists in the new()
constructor at line 133. This creates an inconsistency where settlement_policy
can create invalid instances (such as with an all-zero policy_id) that would be
rejected by new(). Refactor settlement_policy to use the proper constructor
validation logic instead of directly constructing the struct, ensuring all
invariants are consistently enforced regardless of which function creates the
PluralityLawRef.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a38d0ed6-cb79-4852-93ca-8e49a860a31c

📥 Commits

Reviewing files that changed from the base of the PR and between be00416 and 0ca9eb2.

📒 Files selected for processing (11)
  • CHANGELOG.md
  • crates/warp-core/src/braid_shell.rs
  • crates/warp-core/src/lib.rs
  • crates/warp-core/src/plurality_law.rs
  • crates/warp-core/src/sealed_membership.rs
  • crates/warp-core/src/witness.rs
  • crates/warp-core/tests/plurality_law_public_api_tests.rs
  • crates/warp-core/tests/witness_public_api_tests.rs
  • docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md
  • docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md
  • docs/design/braids-and-strands-roadmap.md


chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0ca9eb2c1c

flyingrobots (Owner, Author) left a comment

  • Severity: P2
    Source: Self-audit, extension of existing Codex sealed-presentation thread
    File: crates/warp-core/src/sealed_membership.rs
    Lines: 54-66
    Issue: SealedMembershipPresentation fields are public, so constructor validation alone would still allow callers to mutate a validated presentation into an unbound receipt/field pairing. @codex please sanity-check this closure condition.
    Planned handling: Make the presentation fields private, expose read-only accessors, and validate witness subject/evidence digests in the constructor.

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0ca9eb2c1c

flyingrobots (Owner, Author) left a comment

Activity Summary

# | Severity | Source | Area | Commit | Outcome
1 | P2 | PR | witness.rs self-witness overclaims | 3390bb5e | Rejected stable/independent self-witness receipts; fields made read-only.
2 | P2 | PR | plurality_law.rs evidence posture | 57e47dcc | Law readings derive posture from attestation strength.
3 | P2 | PR + Self | sealed_membership.rs presentation binding | 7c995864 | Presentations are immutable and validate receipt subject/evidence digests.
4 | P2 | PR | plurality_law.rs / braid_shell.rs empty policy refs | 89ec42dc | Settlement policy refs and braid shell policy ids reject all-zero law names.
5 | P2 | PR | braid_shell.rs collapse law family | d67b25cd | Collapse-derived shells report collapse policy ids as collapse laws.
6 | P5 | PR | braid_shell.rs disclosure-budget test coverage | 116e491a | Sealed-member audit test now asserts shell-level disclosure budget.
7 | P3 | PR | plurality_law.rs Law Card digest allocation | aa04326c | hash_tag_vec streams exact-size iterators without temporary Vec allocation.
8 | P2 | PR | plurality_law.rs law reading support binding | bd18b984 | PluralityLawReading::new is fallible and rejects receipt/support digest mismatches.

Resolved review threads: all 12 thread IDs currently returned by GraphQL are isResolved: true.

Local validation after the final commit:

  • cargo test -p warp-core --lib
  • cargo test -p warp-core --test witness_public_api_tests
  • cargo test -p warp-core --test plurality_law_public_api_tests
  • cargo fmt --all -- --check
  • cargo clippy -p warp-core --lib -- -D warnings
  • cargo clippy -p warp-core --test witness_public_api_tests -- -D warnings
  • cargo clippy -p warp-core --test plurality_law_public_api_tests -- -D warnings
  • pnpm exec markdownlint-cli2 CHANGELOG.md docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md
  • git diff --check origin/main...HEAD
  • scripts/check_spdx.sh
  • scripts/check-no-app-nouns-in-core.sh

Pre-push hooks also reran the configured exact Rust slices and markdown formatting successfully.
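The pattern behind items 3, 4 and 8 of the summary above, as an added example written for this page rather than taken from warp-core: constructor-validated law refs, and a presentation type whose fields are private so that a validated value cannot later be edited into an unbound receipt/field pairing. The type and error names echo the thread's vocabulary, but their shapes (32-byte digests, a `u32` version, a two-digest self-witness receipt) are assumptions, and `UnsealedPresentation` is a deliberately weak counterpart that models the pre-fix public-field gap, not a type the project has.

```rust
// Added example written for this page: a standalone model of constructor
// validation plus private fields. Not warp-core code; the names echo the PR
// thread, the shapes (32-byte digests, u32 version) are assumptions.

pub type Hash = [u8; 32];

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PluralityLawRefError { EmptyName, ZeroVersion }

/// Named law reference. Both fields are private, so outside this module the
/// only way to obtain one is `new`, which enforces both invariants.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct PluralityLawRef { name: Hash, version: u32 }

impl PluralityLawRef {
    /// # Errors
    /// `EmptyName` for an all-zero law name, `ZeroVersion` for version 0.
    pub fn new(name: Hash, version: u32) -> Result<Self, PluralityLawRefError> {
        if name.iter().all(|b| *b == 0) { return Err(PluralityLawRefError::EmptyName); }
        if version == 0 { return Err(PluralityLawRefError::ZeroVersion); }
        Ok(Self { name, version })
    }
    pub const fn version(&self) -> u32 { self.version }
}

/// Minimal self-witness receipt: binds a subject digest to an evidence digest.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct WitnessReceipt { subject_digest: Hash, evidence_digest: Hash }

impl WitnessReceipt {
    pub const fn self_witness(subject_digest: Hash, evidence_digest: Hash) -> Self {
        Self { subject_digest, evidence_digest }
    }
    pub const fn subject_digest(&self) -> Hash { self.subject_digest }
    pub const fn evidence_digest(&self) -> Hash { self.evidence_digest }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SealedMembershipPresentationError { WitnessSubjectMismatch, WitnessEvidenceMismatch }

/// Binding rule shared by both presentation types below: the receipt must name
/// the presented commitment as its subject and the presented evidence as its evidence.
fn check_binding(commitment: Hash, evidence: Hash, receipt: &WitnessReceipt)
    -> Result<(), SealedMembershipPresentationError>
{
    if receipt.subject_digest() != commitment {
        return Err(SealedMembershipPresentationError::WitnessSubjectMismatch);
    }
    if receipt.evidence_digest() != evidence {
        return Err(SealedMembershipPresentationError::WitnessEvidenceMismatch);
    }
    Ok(())
}

/// Hardened form: private fields, read-only accessors, binding checked once in
/// `new`. Nothing outside this module can alter the receipt/field pairing later.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SealedMembershipPresentation { commitment: Hash, evidence: Hash, receipt: WitnessReceipt }

impl SealedMembershipPresentation {
    pub fn new(commitment: Hash, evidence: Hash, receipt: WitnessReceipt)
        -> Result<Self, SealedMembershipPresentationError>
    {
        check_binding(commitment, evidence, &receipt)?;
        Ok(Self { commitment, evidence, receipt })
    }
    pub const fn commitment(&self) -> Hash { self.commitment }
    pub const fn receipt(&self) -> WitnessReceipt { self.receipt }
    /// Re-checks the binding; always true for a value built through `new`.
    pub fn is_bound(&self) -> bool {
        check_binding(self.commitment, self.evidence, &self.receipt).is_ok()
    }
}

/// Weak counterpart modelling the pre-fix gap the thread describes: the same
/// constructor check, but public fields let a caller rewrite a validated value.
#[derive(Clone, Copy, Debug)]
pub struct UnsealedPresentation { pub commitment: Hash, pub evidence: Hash, pub receipt: WitnessReceipt }

impl UnsealedPresentation {
    pub fn new(commitment: Hash, evidence: Hash, receipt: WitnessReceipt)
        -> Result<Self, SealedMembershipPresentationError>
    {
        check_binding(commitment, evidence, &receipt)?;
        Ok(Self { commitment, evidence, receipt })
    }
}

/// Shows the bypass: a validated `UnsealedPresentation` is edited into an
/// unbound pairing with no constructor involved. Returns true when the binding
/// no longer holds; the private-field form cannot be pushed into this state.
pub fn public_fields_allow_unbinding() -> bool {
    let (commitment, evidence) = ([0x11; 32], [0x22; 32]); // constructed sample digests
    let receipt = WitnessReceipt::self_witness(commitment, evidence);
    let mut p = UnsealedPresentation::new(commitment, evidence, receipt).expect("valid pairing");
    p.receipt = WitnessReceipt::self_witness([0x33; 32], evidence); // compiles: field is pub
    check_binding(p.commitment, p.evidence, &p.receipt).is_err()
}
```

The same assignment against a `SealedMembershipPresentation` fails to compile outside its module, which is the whole point of the fix: the invariant is enforced by the type system rather than by the discipline of every caller. Keeping `Copy` on the sealed type is harmless, since a copy carries the already-validated pairing with it.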

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
CHANGELOG.md (1)

42-52: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Incomplete: GP4 CHANGELOG entry omits the known sealed-membership field-visibility gap.

The entry describes the validation that sealed presentations perform at construction time, which is accurate. However, it does not mention that the P2 severity issue remains unresolved: SealedMembershipPresentation fields are public and can be mutated after construction, circumventing the validation. The design doc (lines 92–94 of goalpost-04) incorrectly claims fields are read-only post-construction.

Consider adding a note like "Remediation of field-visibility constraints is planned as a follow-up" to signal that the implementation is incomplete on the security boundary, or leave this to the design doc to state more clearly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` around lines 42 - 52, The CHANGELOG entry for the warp-core
fourth goalpost describes the sealed membership presentation validation but
omits mention of the known P2 severity security gap where
SealedMembershipPresentation fields are public and can be mutated after
construction, circumventing the validation. Add a note to the CHANGELOG entry
acknowledging this known issue and indicating that remediation of
field-visibility constraints is planned as follow-up work to signal that the
security boundary implementation is incomplete.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/warp-core/src/braid_shell.rs`:
- Around line 758-763: The check_policy_id function only validates the main
policy_id parameter but ignores the collapse_policy field in Derived outcomes,
allowing shells with invalid (all-zeros) collapse_policy values to pass
assembly-time validation and fail only during replay. Extend the
check_outcome_law function to validate the collapse_policy field when it is
present in a Derived outcome, ensuring it is not all zeros similar to how
check_policy_id validates the main policy_id, so that invalid shells fail fast
at assembly time rather than during replay/audit operations.

In `@crates/warp-core/tests/witness_public_api_tests.rs`:
- Around line 160-190: The current test
public_sealed_membership_presentation_rejects_unbound_receipts only exercises
the WitnessSubjectMismatch error path of SealedMembershipPresentation::new. Add
a new dedicated test function that creates a WitnessReceipt with a correct
subject digest but an incorrect evidence digest (pass a different value than
evidence_digest() to the self_witness call), then verify that
SealedMembershipPresentation::new returns the
SealedMembershipPresentationError::WitnessEvidenceMismatch variant to ensure
complete error-path coverage.

In
`@docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md`:
- Around line 92-94: The design document claims that fields in
SealedMembershipPresentation are read-only after construction, but this is
factually incorrect since the current implementation exposes all fields as pub
in sealed_membership.rs, allowing direct mutation after construction. Either
update the document to accurately describe the current implementation state
(public mutable fields with a validation closure gap) or explicitly reference
the planned remediation work that will address this security issue through
private fields and read-only accessors. Do not assert read-only semantics that
do not currently exist in the code.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f75943ab-8448-4d5e-93a1-cc29fe36f0ac

📥 Commits

Reviewing files that changed from the base of the PR and between 0ca9eb2 and aa04326.

📒 Files selected for processing (10)
  • CHANGELOG.md
  • crates/warp-core/src/braid_shell.rs
  • crates/warp-core/src/lib.rs
  • crates/warp-core/src/plurality_law.rs
  • crates/warp-core/src/sealed_membership.rs
  • crates/warp-core/src/witness.rs
  • crates/warp-core/tests/plurality_law_public_api_tests.rs
  • crates/warp-core/tests/witness_public_api_tests.rs
  • docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md
  • docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md

flyingrobots (Owner, Author) left a comment

Self-Code Review Findings

@codex please confirm these findings against bd18b984.

  • Severity: P1 High
    File: crates/warp-core/src/braid_shell.rs
    Lines: 521-605, 800-819, 1163-1171
    Infraction: Collapse-derived shells can carry two different policy identities.
    Evidence: BraidShell::assemble_with_proof accepts top-level policy_id and BraidShellOutcome::Derived { collapse_policy: Some(...) } independently. check_outcome_member_coherence only checks that collapse fields are all present or absent, not that collapse_policy == policy_id. The new shell_law_ref then reports the nested collapse_policy as the law ref while BraidShellReplay/BraidShellAudit still expose the top-level policy_id, so a validated shell can claim policy A at the shell level and policy B as the named law. The current test at lines 2048-2059 already constructs such a mismatch: top-level [0x5E; 32] with nested [0x77; 32], and cargo test -p warp-core --lib braid_shell::tests::collapse_lineage_requires_a_retained_plural_parent passes.
    Recommended agent prompt: Add a deterministic regression test that assembles a collapse-derived shell with mismatched top-level policy_id and nested collapse_policy and expects a typed error. Introduce a BraidShellError variant for incoherent collapse policy identity, reject the mismatch in both assembly and validation, and update existing tests to use matching identities unless intentionally exercising the error path.
  • Severity: P5 Nit
    File: crates/warp-core/src/plurality_law.rs
    Lines: 123-139
    Infraction: Rustdoc # Errors contract is incomplete.
    Evidence: PluralityLawRef::new returns PluralityLawRefError::EmptyName at lines 133-135 and ZeroVersion at lines 136-138, but its # Errors docs only mention ZeroVersion at line 127. This is a public constructor in a newly exported API; incomplete error docs are drift.
    Recommended agent prompt: Update the PluralityLawRef::new Rustdoc # Errors section to list both EmptyName for all-zero law names and ZeroVersion for version 0.

Checks run during review:

  • git status --porcelain clean before review
  • git fetch origin
  • git diff --check origin/main...HEAD
  • cargo fmt --all -- --check
  • pnpm exec markdownlint-cli2 CHANGELOG.md docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md docs/design/braids-and-strands-roadmap.md
  • scripts/check_spdx.sh
  • scripts/check-no-app-nouns-in-core.sh
  • cargo test -p warp-core --lib braid_shell::tests::collapse_lineage_requires_a_retained_plural_parent
  • cargo clippy -p warp-core --lib -- -D warnings
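The P1 finding above, as an added example written for this page and not taken from warp-core: a shell model that runs the all-zero policy id guard and the collapse-policy identity check in both assembly and validation, and derives the named law from the shell's own policy id so the two identities can no longer diverge. `BraidShell`, `BraidShellOutcome`, `ShellLawRef` and the family derivation (Collapse when a collapse policy is present, Settlement otherwise) are simplified assumptions; the mismatched [0x5E; 32] / [0x77; 32] identities exercised in the test are the ones named in the finding.

```rust
// Added example written for this page: a standalone model of the collapse-policy
// identity check described in the P1 finding. Not warp-core code; the shell shape
// (policy id plus outcome) and the law-family derivation are assumptions.

pub type Hash = [u8; 32];

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum BraidShellOutcome {
    /// Shell was retained; its named law is the settlement policy.
    Retained,
    /// Shell was derived by collapse, optionally naming the collapse policy.
    Derived { collapse_policy: Option<Hash> },
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum BraidShellError {
    /// Policy id was all zeros.
    EmptyPolicyId,
    /// Top-level policy id and nested collapse policy disagree.
    IncoherentCollapsePolicyIdentity { policy_id: Hash, collapse_policy: Hash },
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PluralityLawFamily { Settlement, Collapse }

/// Law reference a shell reports: the family plus the policy id it names.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ShellLawRef { pub family: PluralityLawFamily, pub policy_id: Hash }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BraidShell { policy_id: Hash, outcome: BraidShellOutcome }

fn check_policy_id(policy_id: &Hash) -> Result<(), BraidShellError> {
    if policy_id.iter().all(|b| *b == 0) { return Err(BraidShellError::EmptyPolicyId); }
    Ok(())
}

/// Coherence rule: a derived shell that names a collapse policy must name the
/// same identity as the shell itself. Because `check_policy_id` already ran,
/// an equal collapse_policy is non-zero too, so the all-zero collapse_policy
/// case is covered by this one comparison.
fn check_collapse_policy_identity(
    policy_id: &Hash,
    outcome: &BraidShellOutcome,
) -> Result<(), BraidShellError> {
    if let BraidShellOutcome::Derived { collapse_policy: Some(cp) } = outcome {
        if cp != policy_id {
            return Err(BraidShellError::IncoherentCollapsePolicyIdentity {
                policy_id: *policy_id,
                collapse_policy: *cp,
            });
        }
    }
    Ok(())
}

impl BraidShell {
    /// Assembly-time validation: both guards run before a shell value exists.
    pub fn assemble(policy_id: Hash, outcome: BraidShellOutcome) -> Result<Self, BraidShellError> {
        check_policy_id(&policy_id)?;
        check_collapse_policy_identity(&policy_id, &outcome)?;
        Ok(Self { policy_id, outcome })
    }

    /// The same guards re-run on an existing shell (for example one read back
    /// from storage), so replay and audit never see an incoherent shell.
    pub fn validate(&self) -> Result<(), BraidShellError> {
        check_policy_id(&self.policy_id)?;
        check_collapse_policy_identity(&self.policy_id, &self.outcome)
    }

    /// Named law the shell reports. With the coherence check in place the law
    /// ref can only ever name the shell's own policy id, under either family.
    pub fn law_ref(&self) -> ShellLawRef {
        let family = match self.outcome {
            BraidShellOutcome::Derived { collapse_policy: Some(_) } => PluralityLawFamily::Collapse,
            _ => PluralityLawFamily::Settlement,
        };
        ShellLawRef { family, policy_id: self.policy_id }
    }
}
```

Running the guard in both `assemble` and `validate` is what closes the "fails only during replay" window: a shell decoded from an untrusted source gets the same rejection as one assembled in process, and the audit surface derives its law ref from a single identity rather than from whichever of two fields happens to be read.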

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd18b984cb


coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
crates/warp-core/src/plurality_law.rs (1)

521-530: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

PluralityLawAuthorization public fields allow bypassing registry validation.

External code can construct this directly without calling registry.authorize(), creating forged authorization evidence. Same pattern as the P2 issue flagged for SealedMembershipPresentation in this PR.

If the remediation plan (private fields + read-only accessors) applies here too, consider bundling it.

Proposed encapsulation
 /// Successful law authorization evidence.
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub struct PluralityLawAuthorization {
-    /// Authorized law reference.
-    pub law_ref: PluralityLawRef,
-    /// Digest of the registered Law Card.
-    pub card_digest: Hash,
-    /// Authority that authorized execution, if any.
-    pub authorized_by: Option<AuthorityDomainRef>,
+    law_ref: PluralityLawRef,
+    card_digest: Hash,
+    authorized_by: Option<AuthorityDomainRef>,
+}
+
+impl PluralityLawAuthorization {
+    pub const fn law_ref(&self) -> PluralityLawRef { self.law_ref }
+    pub const fn card_digest(&self) -> Hash { self.card_digest }
+    pub const fn authorized_by(&self) -> Option<AuthorityDomainRef> { self.authorized_by }
 }
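Review bot: The accessor block drops the field documentation: the three `///` doc comments removed on the `-` lines are not carried over to `law_ref()`, `card_digest()` and `authorized_by()`, so the public surface loses its docs; move each comment onto the matching accessor. Making the fields private still lets code inside `plurality_law.rs` (where `registry.authorize()` lives) build the value, but any field-literal construction in `crates/warp-core/tests/plurality_law_public_api_tests.rs` would stop compiling and has to go through the registry, which is the intended effect and worth a note in the PR.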
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/warp-core/src/plurality_law.rs` around lines 521 - 530, The public
fields on the PluralityLawAuthorization struct (law_ref, card_digest, and
authorized_by) allow external code to construct valid-looking authorization
evidence without going through the registry authorization process. Make these
three fields private instead of public, and add public getter methods for each
field that return the same types they currently expose. This ensures the struct
can only be properly instantiated through the intended registry.authorize() code
path, preventing forged authorization evidence from being created by external
callers.


📥 Commits

Reviewing files that changed from the base of the PR and between aa04326 and 9da73d6.

📒 Files selected for processing (5)
  • CHANGELOG.md
  • crates/warp-core/src/braid_shell.rs
  • crates/warp-core/src/lib.rs
  • crates/warp-core/src/plurality_law.rs
  • crates/warp-core/tests/plurality_law_public_api_tests.rs

@flyingrobots

Owner Author

Activity Summary

@codex review-thread remediation complete against ba972f6f.

| # | Severity | Source | File | Thread / lines | Commit | Outcome |
|---|---|---|---|---|---|---|
| 1 | P1 | PR / Codex | crates/warp-core/src/braid_shell.rs | discussion_r3427674226, L1196-L1200 | 9da73d6c | Rejected collapse-derived shells whose nested collapse_policy differs from the shell policy_id; regression covers the incoherent pair. |
| 2 | P3 | PR / Codex | crates/warp-core/src/plurality_law.rs | discussion_r3427674228, L130 | 9da73d6c | Documented both EmptyName and ZeroVersion in PluralityLawRef::new public error contract. |
| 3 | P4 | PR / CodeRabbit | crates/warp-core/tests/witness_public_api_tests.rs | discussion_r3427283025, L160-L190 | ba972f6f | Added explicit sealed-presentation WitnessEvidenceMismatch regression coverage. |
| 4 | P2 | PR / CodeRabbit | docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md / crates/warp-core/src/sealed_membership.rs | discussion_r3427283071, L92-L94 | 7c995864 | Confirmed the documentation now matches implementation: presentation fields are private after construction and exposed only via read-only accessors. |

Review-thread state: all four remaining threads resolved via GraphQL; a fresh thread inventory returns 0 unresolved threads.

Verification:

| Command | Result |
|---|---|
| `git status --porcelain` | clean before audit and clean after push |
| `git fetch origin` | refs refreshed |
| `git diff origin/main...HEAD` | audited; no additional self-discovered issues after the queued findings |
| `cargo test -p warp-core --test witness_public_api_tests public_sealed_membership_presentation_rejects_wrong_evidence_digest -- --exact --list` | RED presence witness failed before the test existed; passes after ba972f6f |
| `cargo test -p warp-core --test witness_public_api_tests public_sealed_membership_presentation_rejects_wrong_evidence_digest -- --exact` | passed |
| `cargo test -p warp-core --test witness_public_api_tests` | passed, 9 tests |
| `cargo test -p warp-core --lib` | passed, 565 tests |
| `cargo fmt --all -- --check` | passed |
| `cargo clippy -p warp-core --lib --test witness_public_api_tests -- -D warnings` | passed |
| `cargo check -p warp-core --quiet` | passed |
| `pnpm exec markdownlint-cli2 CHANGELOG.md docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md docs/design/braids-and-strands-roadmap.md` | passed |
| `scripts/check_spdx.sh` | passed |
| `scripts/check-no-app-nouns-in-core.sh` | passed |
| pre-commit hook | passed |
| pre-push hook | passed |

@chatgpt-codex-connector


Summary

Testing / Checks

  • pwd && find .. -name AGENTS.md -print && git status --porcelain && git log -n 5 --oneline
  • sed -n '1,220p' docs/BEARING.md
  • sed -n '1,220p' METHOD.md
  • ⚠️ find backlog/asap -maxdepth 2 -type f -print | sort | head -50 — warning: backlog/asap does not exist in this repo state.
  • git diff -- pnpm-lock.yaml | sed -n '1,220p'
  • git checkout -- pnpm-lock.yaml && git status --porcelain && git log -n 1 --oneline
  • nl -ba crates/warp-core/tests/witness_public_api_tests.rs | sed -n '150,220p'
  • nl -ba crates/warp-core/src/braid_shell.rs | sed -n '780,835p;1185,1215p'
  • nl -ba crates/warp-core/src/plurality_law.rs | sed -n '120,155p'
  • git status --porcelain
  • nl -ba crates/warp-core/tests/witness_public_api_tests.rs | sed -n '217,240p'


@flyingrobots

Owner Author

Activity Summary

Code Lawyer re-audit complete against ba972f6f.

| # | Severity | Source | File | Commit | Outcome |
|---|---|---|---|---|---|
| 1 | N/A | PR threads | N/A | N/A | Full GraphQL review-thread inventory found 0 unresolved threads across 17 review threads. No PR-originated issue remains open. |
| 2 | N/A | Self-audit | origin/main...HEAD | N/A | Deep diff audit found no new logic, determinism, architecture, typing, docs, or style issues requiring changes. No RED/GREEN loop entered and no commit was created. |

Review inventory:

| Surface | Count | Pagination |
|---|---|---|
| Global comments | 6 | complete |
| Reviews | 6 | complete |
| Inline review comments | 17 | complete |
| Review threads | 17 | complete |
| Unresolved review threads | 0 | complete |
| Changes Requested reviews | 0 | complete |
| Approvals | 0 | complete |

Verification:

| Command | Result |
|---|---|
| `git status --porcelain` | clean |
| `git fetch origin` | passed |
| `gh auth status` | authenticated as flyingrobots |
| `git diff origin/main...HEAD` | audited, no new findings |
| `cargo test -p warp-core --test witness_public_api_tests` | passed, 9 tests |
| `cargo test -p warp-core --test plurality_law_public_api_tests` | passed, 7 tests |
| `cargo test -p warp-core --lib` | passed, 565 tests |
| `cargo fmt --all -- --check` | passed |
| `cargo clippy -p warp-core --lib --test witness_public_api_tests --test plurality_law_public_api_tests -- -D warnings` | passed |
| `cargo check -p warp-core --quiet` | passed |
| `git diff --check origin/main...HEAD` | passed |
| `pnpm exec markdownlint-cli2 CHANGELOG.md docs/design/braids-and-strands-hardening/goalpost-04-witness-receipts-and-sealed-capabilities.md docs/design/braids-and-strands-hardening/goalpost-05-named-plurality-laws.md docs/design/braids-and-strands-roadmap.md` | passed |
| `scripts/check_spdx.sh` | passed |
| `scripts/check-no-app-nouns-in-core.sh` | passed |

@flyingrobots flyingrobots merged commit 4056d05 into main Jun 17, 2026
36 checks passed
@flyingrobots flyingrobots deleted the hardening/witness-receipts-sealed-capabilities branch June 17, 2026 13:17