
Commit 4e5f1fe

Update hardening report for RC verdict policy
1 parent eb7575a commit 4e5f1fe

2 files changed

Lines changed: 8 additions & 3 deletions


reports/public-selfhost-hardening/final-report.md

Lines changed: 6 additions & 1 deletion
@@ -2,7 +2,7 @@
22

33
Date: 2026-06-24
44

5-
Implementation commit hash: `bfd998abf5c3bfd2ff9b932e8bc3111f4dab1bb8`
5+
Implementation commit hash: `eb7575ad8963e93648d20e3a5fdcb97611733c21`
66

77
Branch: `next-phase`
88

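Review bot: The hash at new line 5 now pins `eb7575ad8963e93648d20e3a5fdcb97611733c21`, which matches this commit's parent, but the report still carries verification entries from the revision that pinned `bfd998abf5c3bfd2ff9b932e8bc3111f4dab1bb8`, so a reader cannot tell which results were produced against the pinned hash. Suggest recording the commit each verification entry ran against, or stating that only the entries marked "after aligning RC verdict docs with NO-GO policy" were re-run at the new hash. The `Date:` line is unchanged; confirm it still applies.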
@@ -11,6 +11,7 @@ Branch: `next-phase`
1111
- Added the public self-host release spec files under `docs/specs/` and the acceptance gate at `docs/acceptance/public-selfhost-release-gate.yaml`.
1212
- Created the pre-change implementation audit at `reports/public-selfhost-hardening/implementation-audit.md`.
1313
- Hardened the public self-host RC verifier so it emits only `GO` or `NO-GO`, rejects real-executor simulation env values, runs configured real executor gates by adapter, and fails the release gate when required real proofs are missing.
14+
- Removed stale active public-doc wording that said missing real executor proof reports `PARTIAL`; active RC docs now say missing/skipped/simulated/failed required real executor proof is `NO-GO`, and the public boundary checker rejects stale `reports PARTIAL` claims plus malformed hardening-report final verdict lines.
1415
- Confirmed the real Codex path invokes the configured Codex binary with `ALL_ADAPTERS_SIMULATION_MODE=0` and `CODEX_SIMULATION_MODE=0`.
1516
- Added `codencer run events`, `codencer run report`, `codencer run cancel`, and structured `codencer run resume` blocker behavior.
1617
- Added Gateway MCP async lifecycle tools: `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run`, `codencer.get_project_run_status`, `codencer.get_gateway_run_events`, true project-scoped `codencer.cancel_project_run`, and a structured `codencer.resume_project_run` capability blocker.
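Review bot: The bullet added at new line 14 folds three separate changes into one sentence (doc wording cleanup, rejection of stale `reports PARTIAL` claims, rejection of malformed final verdict lines) and names neither the checker nor the docs that changed. Suggest splitting it and naming `scripts/check_public_boundary.py`, as the audit table does, so each claim can be checked on its own. As worded, the stale-claim check is tied to the phrase `reports PARTIAL`; if that is a literal match, say so, since other phrasings of a `PARTIAL` verdict would not be caught.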
@@ -138,6 +139,10 @@ Branch: `next-phase`
138139
- `make verify-gateway-console` after adding Console human interrupt response panel - passed
139140
- `make verify-gateway-console-live` after adding Console human interrupt response panel - passed
140141
- `make verify-public-release` after adding Console human interrupt response panel - passed
142+
- `python3 -m py_compile scripts/check_public_boundary.py` after adding RC verdict-language boundary checks - passed
143+
- `python3 scripts/check_docs_links.py` after aligning RC verdict docs with NO-GO policy - passed
144+
- `python3 scripts/check_public_boundary.py` after aligning RC verdict docs with NO-GO policy - passed
145+
- `make verify-public-release` after aligning RC verdict docs with NO-GO policy - passed
141146
- `CODENCER_E2E_REAL_EXECUTORS=codex,claude CODENCER_E2E_CODEX_COMMAND=<codex-binary> CODENCER_E2E_CLAUDE_COMMAND=<claude-binary> make verify-public-selfhost-rc` - failed by design with `NO-GO` after Codex and Claude passed and Antigravity was missing
142147
- `cd web/gateway-console && CODENCER_E2E_BIN_DIR=../../bin CODENCER_E2E_EXECUTOR_ADAPTER=antigravity CODENCER_E2E_EXECUTOR_PROFILE=antigravity-default CODENCER_E2E_ANTIGRAVITY_INSTANCE_FILE=<temp-file> node tests/live/verify-live.mjs` - failed correctly; the provided Antigravity LS did not expose the isolated verifier repo workspace
143148
- `git diff --check` - passed
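Review bot: The four entries added at new lines 142-145 record only passing runs: `py_compile` shows the checker parses and a clean `python3 scripts/check_public_boundary.py` shows the current docs pass, but nothing here shows the checker failing on a stale `reports PARTIAL` claim or a malformed verdict line. Suggest adding a negative-case entry (a fixture containing the stale wording, expected to fail) so the rejection behaviour claimed in the summary is backed by a recorded result.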

reports/public-selfhost-hardening/implementation-audit.md

Lines changed: 2 additions & 2 deletions
@@ -43,15 +43,15 @@ the exact package was not available in the current attachment cache.
4343
| Run history/audit/console | Partially implemented | Gateway-observed run history/audit now includes scope, limit/offset pagination, server-side filters, and grouped lifecycle summaries; synced/local ingest transport remains incomplete. |
4444
| Redaction | Partially implemented | Gateway/sync sanitization exists and artifact-backed release verification now covers default human CLI output for init, config show, project init/status/scan, executor list, sync preview, submit, and run output; full explicit JSON/debug/path surface policy proof is still incomplete. |
4545
| Public/private boundary | Partially implemented | Docs/checks exist; public repo still contains cloud-control-plane packages that need boundary review against the new specs. |
46-
| Public RC verifier | Partially implemented | `make verify-public-selfhost-rc` emits only `GO`/`NO-GO`, requires configured real-proof coverage, and reports `NO-GO` when required proofs are missing; Antigravity remains unproven. |
46+
| Public RC verifier | Partially implemented | `make verify-public-selfhost-rc` emits only `GO`/`NO-GO`, requires configured real-proof coverage, reports `NO-GO` when required proofs are missing, and public boundary checks reject stale active docs claiming `PARTIAL` verdicts; Antigravity remains unproven. |
4747

4848
## Requirement Audit
4949

5050
### 00 - Public Self-host Release Gate
5151

5252
| Requirement | Status | Evidence |
5353
| --- | --- | --- |
54-
| Final verdicts only `GO` or `NO-GO` | Implemented | `scripts/verify_public_selfhost_rc.sh` emits `GO` or `NO-GO`; no `PARTIAL` branch remains. |
54+
| Final verdicts only `GO` or `NO-GO` | Implemented | `scripts/verify_public_selfhost_rc.sh` emits `GO` or `NO-GO`; no `PARTIAL` branch remains, active docs now describe missing real proof as `NO-GO`, and `scripts/check_public_boundary.py` rejects stale `reports PARTIAL` claims plus malformed final hardening-report verdict lines. |
5555
| Fake/simulation cannot satisfy GO | Implemented for current verifier | Real executor gates reject simulation text/metadata and missing required real proofs force `NO-GO`; Codex and Claude real gates passed with simulation disabled. |
5656
| Artifact-backed verifier | Implemented | `make verify-public-selfhost-rc` builds/unpacks artifacts through `scripts/verify_public_selfhost_rc.sh`. |
5757
| Codex, Claude Code, and Antigravity real proofs | Partially implemented | Codex passed current artifact-backed scoped proof in `reports/public-selfhost-rc/20260624T120012Z`; Codex and Claude Code passed earlier artifact-backed real gates in `reports/public-selfhost-rc/20260624T105654Z`; Antigravity remains missing. |
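Review bot: The evidence cell at new line 54 keeps the status `Implemented` while adding two behavioural claims about `scripts/check_public_boundary.py`, yet it cites no report path or run output, unlike the row at line 57, which points to `reports/public-selfhost-rc/20260624T120012Z`. Suggest citing where the rejection of stale `reports PARTIAL` claims and malformed verdict lines was exercised. The same boundary-check sentence is also repeated in the row at new line 46; keeping it in one place and cross-referencing would make later edits less likely to drift.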
