feat(suite): supply_chain end-to-end proof + flip to proven (H-next-5a)

[Rul1an]

H-next-5a — supply_chain end-to-end, proven against released Assay v3.28.0

Flips the supply_chain carrier row from declared (gap no_released_binary_emitter) to end_to_end: proven, using the one-shot supply-chain emitter released in Assay v3.28.0. The consumer (carrier supply-chain), the matrix row, the recipe-provenance schema, and the proven-needs-evidence gate already existed; this PR adds the committed fixture, the hermetic recipe, and the proof.

What it proves (and what it does not)

The released v3.28.0 binary emits a valid assay.supply_chain_conformance.v0 carrier from a committed descriptor, and Harness validly consumes/classifies it via carrier supply-chain. The v1 emitter (none/unsupported provenance) yields policy_result: incomplete, so the gate exits 6 (valid, not-clean) — positive evidence that Harness recognizes the carrier, reads the producer statuses, and refuses to read incomplete as clean.

The proof establishes producer→consumer compatibility + incomplete-never-clean, NOT a clean carrier. Non-claims (frozen): emitted/consumed ≠ safe · verified checksum ≠ policy approval · carrier emitted ≠ clean · row proven ≠ category complete. No Sigstore/Rekor verification, no policy approval, no review.

How

• Fixture harness/fixtures/suite-compatibility/supply-chain/input.example.json — the committed input descriptor (input intent).
• Recipe assay-supply-chain-recipe (dispatch-only, harness-ci.yml) — downloads + checksum-verifies the released x86_64-unknown-linux-gnu asset, emits the carrier --offline, consumes it, and writes a suite.recipe_provenance.v0 sidecar. Accepts consumer exit {0,6} with a valid report; fails on {2,3,7}.
• Proof (hosted run 27724742076) folded into the row, with four distinct digest kinds kept separate: release-asset (tarball), binary (executable), emitted-carrier (artifact_digest), and fixture (descriptor). result records recipe-execution success (0/success) per the Evidence Pack verifier; the not-clean verdict lives in the carrier (policy_result) and the row note.

Tests

Full suite green (453 pass, 1 skip). e2e_proven_count 2→3; a new test locks the supply_chain proof: proven, bound to v3.28.0, fixture-scoped (ambient_scan: false), and honestly not-clean.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• CI / New Features

  • Added an offline, dispatch-only supply-chain conformance job that downloads and verifies an Assay tarball (with checksum validation), runs conformance against a committed fixture, and publishes provenance artifacts.

• Bug Fixes / Compatibility

  • Updated suite compatibility and canonical manifest digest to align with newer proof metadata and revised end-to-end expectations.

• Tests

  • Expanded suite compatibility validations to assert full hermetic end-to-end proof details and updated expected result counts.

• Chores

  • Refreshed the fixture example used by conformance scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b02b0e75-c0fa-4e81-acbd-4e60d1da269f

📥 Commits

Reviewing files that changed from the base of the PR and between 1d5a5c7 and ac4699a.

📒 Files selected for processing (1)

• harness/suite-compatibility.json

---

📝 Walkthrough

Walkthrough

A new dispatch-only assay-supply-chain-recipe CI job is added that downloads and verifies an Assay release binary, runs offline supply-chain carrier emission from a new committed input fixture, consumes the carrier via the Harness CLI, and emits a suite.recipe_provenance.v0 JSON. The suite-compatibility.json proof record for assay.supply_chain_conformance.v0 is promoted from declared to proven with full hermetic metadata, and test assertions are updated accordingly.

Changes

Supply-chain conformance E2E proof

Layer / File(s)	Summary
Input fixture and compatibility matrix proof update harness/fixtures/suite-compatibility/supply-chain/input.example.json, harness/suite-compatibility.json	Adds the committed assay.supply_chain_conformance.input.v0 fixture JSON with subject identity, digest, provenance, and policy, bumps min_version to v3.28.0, replaces the prior declared proof stub with a fully specified hermetic E2E record (digests, command, runner OS, note), removes the end_to_end_gap block, adds proof_scope with runner/hosted/ambient metadata, and updates the top-level manifest digest.
CI recipe job: binary resolution, emission, consumption, provenance, and artifact upload .github/workflows/harness-ci.yml	Adds the dispatch-only assay-supply-chain-recipe job: resolves and downloads the Assay binary (enforcing v3.28.0 minimum) with tarball checksum verification, emits a supply-chain carrier offline from the committed fixture, validates carrier schema and policy_result=incomplete, computes digests for fixture/carrier/tarball, consumes the carrier via Harness CLI (accepting exit codes {0,6}), validates the consumer JSON report, emits and shape-validates suite.recipe_provenance.v0, then uploads carrier, report, and provenance as workflow artifacts.
Test assertion updates for proven supply-chain and declared render-safety rows harness/test/suite_compatibility.test.mjs	Adjusts golden matrix count expectations from 2/4 to 3/3 proven/declared, adds assertions for assay.render_safety_conformance.v0 declared state and its end_to_end_gap fields (reason_code, owner), and expands assay.supply_chain_conformance.v0 checks to a full proven scenario with hermetic proof field completeness, absence of gap data, proof scoping validation (hosted true, ambient_scan false), and a regex check on proof.note for incompleteness.

Sequence Diagram

sequenceDiagram
  participant Runner as GitHub Actions Runner
  participant GHRelease as GitHub Releases
  participant AssayBin as Assay Binary (v3.28.0)
  participant HarnessCLI as Harness CLI

  Runner->>GHRelease: resolve & download tarball (default v3.28.0)
  GHRelease-->>Runner: tarball + checksum
  Runner->>Runner: verify checksum, export ASSAY_BIN
  Runner->>AssayBin: emit carrier offline (input.example.json)
  AssayBin-->>Runner: supply-chain carrier JSON
  Runner->>Runner: assert schema + policy_result=incomplete, compute digests
  Runner->>HarnessCLI: consume carrier
  HarnessCLI-->>Runner: consumer report JSON (exit 0 or 6)
  Runner->>Runner: validate consumer report JSON
  Runner->>Runner: emit + validate suite.recipe_provenance.v0
  Runner->>Runner: upload carrier, report, provenance artifacts

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Rul1an/Assay-Harness#115: Modifies the same Assay release-resolution and download logic in .github/workflows/harness-ci.yml for the binary fallback version.
• Rul1an/Assay-Harness#124: Updates the same suite-compatibility.json and suite_compatibility.test.mjs contracts for assay.supply_chain_conformance.v0 proof/end-to-end matrix expectations.
• Rul1an/Assay-Harness#128: Adds release_asset { path, digest } with sha256:<64-hex> validation to the same suite.recipe_provenance.v0 emission flow that this PR's new CI job exercises.

Poem

🐇 Hop, hop — the supply chain is sealed,
A fixture committed, a digest revealed.
The binary fetched, the carrier emits,
Provenance proven in hermetic bits.
From declared to proven, the matrix gleams bright —
The rabbit stamps "E2E: verified right!" 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: transitioning supply_chain carrier to end-to-end proven status using Assay v3.28.0. It is specific, concise, and directly reflects the primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/a5a2-supply-chain-proof

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

harness/test/suite_compatibility.test.mjs (1)

122-131: ⚡ Quick win

Add explicit row-existence assertions before property access.

These tests currently rely on implicit TypeErrors when .find(...) misses. Explicit existence checks make CI failures much faster to diagnose.

♻️ Suggested refactor

   const inv = m.carrier_rows.find((r) => r.carrier === "assay.mcp_server_inventory.v0");
+  assert.ok(inv, "missing assay.mcp_server_inventory.v0 row");
   assert.equal(inv.proof.end_to_end, "proven");
@@
   const rs = m.carrier_rows.find((r) => r.carrier === "assay.render_safety_conformance.v0");
+  assert.ok(rs, "missing assay.render_safety_conformance.v0 row");
   assert.equal(rs.proof.end_to_end, "declared");
@@
   const sc = m.carrier_rows.find((r) => r.carrier === "assay.supply_chain_conformance.v0");
+  assert.ok(sc, "missing assay.supply_chain_conformance.v0 row");
   assert.equal(sc.proof.end_to_end, "proven");

Also applies to: 136-151

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@harness/test/suite_compatibility.test.mjs` around lines 122 - 131, The test
code uses `.find()` to locate carrier rows and directly accesses their
properties without verifying the find operation returned a result, which can
lead to implicit TypeErrors that are hard to diagnose. Add explicit
`assert.ok()` checks immediately after each `.find()` call: one after the find
for carrier "assay.mcp_server_inventory.v0" (assigned to inv) and another after
the find for carrier "assay.render_safety_conformance.v0" (assigned to rs),
ensuring each row exists before accessing its proof and end_to_end_gap
properties on the following lines.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/harness-ci.yml:
- Around line 749-756: The test currently accepts both exit codes 0 and 6 as
valid consumption outcomes regardless of the policy_result value, which can mask
regressions where incomplete policies are incorrectly treated as clean. Modify
the case statement that checks consume_rc to only accept exit code 0 when the
policy_result is not "incomplete", or restrict acceptable exit codes based on
the policy_result value. Ensure that when policy_result equals "incomplete",
only exit code 6 (not 0) is treated as valid to properly enforce the stated
proof claim.
- Around line 675-683: The hardcoded fallback version in the assay_version
initialization block creates a mismatch: the script falls back to v3.28.0, but
the shared workflow_dispatch input defaults to v3.27.0, which violates the
min_version requirement of v3.28.0. Update the fallback assignment in the line
assay_version="${ASSAY_VERSION_INPUT:-}" by changing the hardcoded default
version from v3.28.0 to align with both the actual workflow_dispatch input
default and the minimum version requirement to ensure the job cannot silently
run with an incorrect version.

---

Nitpick comments:
In `@harness/test/suite_compatibility.test.mjs`:
- Around line 122-131: The test code uses `.find()` to locate carrier rows and
directly accesses their properties without verifying the find operation returned
a result, which can lead to implicit TypeErrors that are hard to diagnose. Add
explicit `assert.ok()` checks immediately after each `.find()` call: one after
the find for carrier "assay.mcp_server_inventory.v0" (assigned to inv) and
another after the find for carrier "assay.render_safety_conformance.v0"
(assigned to rs), ensuring each row exists before accessing its proof and
end_to_end_gap properties on the following lines.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: cc02ce62-e64d-4a96-a263-82cb0ce7a10d

📥 Commits

Reviewing files that changed from the base of the PR and between cd4b3f0 and a79b375.

📒 Files selected for processing (4)

• .github/workflows/harness-ci.yml
• harness/fixtures/suite-compatibility/supply-chain/input.example.json
• harness/suite-compatibility.json
• harness/test/suite_compatibility.test.mjs

[Rul1an]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.