feat(aspice): v0.36 — full ASPICE SWE tier migration, rivet validate PASSES (#303) #311
Merged
…0.36) Drives rivet validate errors 77→39 (oracle-gated with the #570-fixed rivet) on three clearly-correct STPA-hygiene classes — no trace-model judgment:
- rfc46-hazards.yaml: UCAs carried an undeclared `type:` field with off-vocabulary values; rename to the schema's required `uca-type:` and remap to the allowed set [not-providing, providing, too-early-too-late] (providing-causes-hazard→providing; too-early/too-late→too-early-too-late). Clears 12 missing-uca-type errors.
- control-structure.yaml: model the 3 host/runtime controllers the UCAs issue from — "CM Runtime (embedded)", "Fiber Manager (host intrinsic)", "host-wit-bindgen" — so the `issued-by` links resolve. Clears 24 errors (12 dangling issued-by + 12 missing-controller-link).
- loss-scenarios.yaml: status `fixed` is not in the lifecycle enum → LS-M-5 `verified` (cites regression test ls_m_5_*), LS-W-1 `implemented` (fix landed, no cited test). Clears 2 errors.
Remaining 39 (GitHub-provenance links + 4 dangling caused-by-uca) follow.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 1 of the full ASPICE SWE tier migration (maintainer-chosen scope for v0.36). Authors the upstream tier the sw-req migration requires:
- ADR-5: the migration plan — target tier (stakeholder-req→system-req→sw-req→sw-verification), the 44-SR→11-system-req map, and the phased, oracle-gated execution order.
- system-requirements.yaml: STK-1/2 (stakeholder needs: functional equivalence; functional-safety fitness) + SYS-1..11 (system reqs grouping the SRs by pipeline stage), each deriving from a stakeholder-req.
Additive — oracle (the #570-fixed rivet) holds at 39 errors, 0 from the new tier (+13 expected sys2-has-verification warnings).
Phase 2 (flip 44 SRs requirement→sw-req + derived-from SYS-n + cited-source for #N provenance) and Phase 3 (typed sw-verification layer) follow.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e (ADR-5)
Phase 2 of the ASPICE SWE tier migration. Drives rivet validate 38→4 errors
(only the 4 caused-by-uca STPA danglers remain). Per ADR-5 + the maintainer's
"keep granular STPA trace on sw-reqs" decision:
- All 44 SRs: type requirement → sw-req; each gains derived-from → SYS-n
(the system-req from system-requirements.yaml) per the ADR map.
- STPA links reclassified to schema-valid types, preserving every
requirement's exact safety motivation:
derives-from CC-*/SC-* → addresses-constraint (declared, meld-local)
derives-from LS-* → mitigates (existing)
derives-from SR-* → depends-on (existing)
- GitHub-issue provenance (derives-from/tracked-by "#N") → cited-source
(kind: github) — issues are not trace-graph artifacts.
- schemas/meld-local.yaml: declares addresses-constraint + supersedes-default-of
link types; registered in rivet.yaml.
Verified with the #570-fixed rivet (4 errors, 121 warnings; the 44
swe1-has-verification warnings are Phase 3 — the typed sw-verification layer).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…hase 3) Closes the right side of the V — the enforcement payload of v0.36. Authors 44 typed sw-verification (SWE.6) artifacts, one per sw-req, each carrying its required `verifies` backlink and the concrete tests/proofs that discharge it (from traceability.yaml's verification-status block; 40 generated from that data, 4 stragglers — SR-18/42/43/44 — grounded in their actual tests: test_304_identity_direct_adapter_is_inlined, the resource_floats_opaque runtime oracle, the adapter-path runtime suite, and rivet validate itself for the governance req).
requirement→verification is now a typed, mechanically-enforced trace, not a rendered matrix.
Oracle (the #570-fixed rivet): 4 errors (only the caused-by-uca STPA danglers remain), 0 swe1-has-verification warnings — every sw-req verified.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The last 4 caused-by-uca danglers: loss scenarios LS-A-9, LS-A-17/18, LS-CP-5 referenced UCAs that were never authored. Authored them in their correct controller groups, grounded in the scenario content:
- UCA-F-2 (adapter-ucas / CTRL-ADAPTER, not-providing): resource-graph build drops resource handling — definer-purge/terminal-exporter skip an (iface,rn) pair; [resource-drop] imports dropped for non-pure-consumers. [H-3, H-1]
- UCA-F-3 (adapter-ucas, not-providing): async-callback trampoline doesn't dispatch the host poll for a guest POLL return code. [H-3]
- UCA-CP-1 (wrapper-ucas / CTRL-WRAPPER, not-providing): composition export dropped or mis-typed when assembling the fused multi-component output. [H-1, H-3]
With this, `rivet validate` PASSES (0 errors) on the #570-fixed rivet — the v0.36 traceability graph is clean and gate-able.
Remaining 80 warnings are higher-tier V-closure (11 system-reqs need sys-verification; a few inverts-uca notes) — out of v0.36's software scope.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
LS-N verification gate ✅ 57/57 approved LS entries verified
Approved. Failed LS entries: (none). Missing regression tests: (none). Updated automatically by |
The release-time compliance report pinned rivet v0.15.0, which predates both the #570 YAML-parser fix and the aspice@0.2.0 schema — it could neither parse meld's STPA YAML cleanly nor understand the new sw-req/sw-verification tier. rivet v0.19.0 (released 2026-06-24) includes the #570 fix (commit 74aa830 is an ancestor) and ships aspice@0.2.0, so the compliance action + binary are bumped together to v0.19.0.
Completes the v0.36 enforcement story: the release pipeline now validates/exports the migrated ASPICE artifacts. Release-only workflow (on: release published) — does not affect PR CI.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes the system tier of the V to complete the full ASPICE migration: 11 typed sys-verification (SYS.5) artifacts, one per system-req (SYS-1..11), each carrying its `verifies` backlink and grounded in meld's system-level test evidence — primarily the behavioural-equivalence golden harness (golden_e2e.rs, #213) plus the per-domain e2e/runtime suites (multi_memory, dwarf_*, p3_*, cross_component_call, component_provenance, proptest_fusion), and `rivet validate` itself for the governance req.
With this, BOTH tiers are verified: 0 requirement-verification gaps (sw + sys). Oracle (rivet v0.19.0): PASS, 69 warnings (down from 80) — the remainder are unrelated advisory coverage (orphan/prose-mention/EU-AI-Act-risk notes), not requirement→verification gaps. The V-model is closed end to end.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Migrates meld's requirement model to the full ASPICE SWE tier (the maintainer-chosen scope for v0.36 enforced traceability, #303), driving `rivet validate` from 77 errors → 0 (PASS). This is the enforcement half of #303/SR-44: requirement→verification is now a typed, mechanically-enforced trace, not just the rendered matrix (#308).
Phases (per ADR-5, each oracle-gated)
- 1a52863: UCA `uca-type` vocab + 3 host controllers + status-enum fixes (77→39).
- 2194f11: ADR-5 + `system-requirements.yaml` — STK-1/2 stakeholder needs + SYS-1..11 system reqs.
- 60d552e: all 44 SRs `requirement`→`sw-req`, each `derived-from` its system-req; STPA trace preserved per the chosen Option A (LS-*→`mitigates`, CC-*/SC-*→declared `addresses-constraint`, issue refs→`cited-source`); `meld-local` schema for the link types (39→4).
- dca1469: 44 typed `sw-verification` (SWE.6) artifacts, one per sw-req, carrying the `verifies` backlink + concrete tests/proofs — closes the V's right side, every sw-req verified.
- e6571db: authored UCA-F-2/UCA-F-3/UCA-CP-1 (the loss scenarios referenced never-authored UCAs) → 0 errors, PASS.
Result
`rivet validate` → PASS (80 warnings, 0 errors). The 80 warnings are higher-tier V-closure (11 system-reqs would need `sys-verification`; a few `inverts-uca` notes on the new UCAs) — out of v0.36's software scope.
Review note
These are safety-case artifacts — the STPA×ASPICE integration (Option A: granular STPA trace kept on the sw-reqs) and the system-req hierarchy (ADR-5) warrant a maintainer look before merge. Not auto-merging.
Refs #303. ADR-5.
🤖 Generated with Claude Code
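As an added example (not meld's YAML and not rivet's implementation), a small checker that performs the `type:`→`uca-type:` remap from the first commit and reports the error classes the commits above describe: missing-uca-type, dangling `issued-by`, an off-enum loss-scenario status, dangling `caused-by-uca`, and the swe1-has-verification gap. The lifecycle enum, artifact ids and the sample model are assumptions constructed for the example.

```python
# Added example, not rivet's or meld's code: a minimal checker for the error
# classes the commits describe. All data and the LS status enum are constructed.
UCA_TYPES = {"not-providing", "providing", "too-early-too-late"}
LS_STATUS = {"open", "implemented", "verified"}  # assumed lifecycle enum
UCA_TYPE_REMAP = {"providing-causes-hazard": "providing",   # remap from the commit
                  "too-early": "too-early-too-late", "too-late": "too-early-too-late"}

def migrate_uca(uca):
    """Rename the undeclared `type:` to `uca-type:` and remap it to the vocabulary."""
    out = dict(uca)
    legacy = out.pop("type", None)
    if legacy is not None and "uca-type" not in out:
        out["uca-type"] = UCA_TYPE_REMAP.get(legacy, legacy)
    return out

def validate(model):
    """Return sorted (check, artifact-id) errors: vocab, enum and dangling links."""
    errors = []
    controllers = {c["id"] for c in model["controllers"]}
    ucas = {u["id"] for u in model["ucas"]}
    for u in model["ucas"]:
        if u.get("uca-type") not in UCA_TYPES:
            errors.append(("missing-uca-type", u["id"]))
        if u.get("issued-by") not in controllers:       # must resolve to a controller
            errors.append(("dangling-issued-by", u["id"]))
    for ls in model["loss_scenarios"]:
        if ls.get("status") not in LS_STATUS:
            errors.append(("invalid-status", ls["id"]))
        for ref in ls.get("caused-by-uca", []):
            if ref not in ucas:                          # UCA referenced but never authored
                errors.append(("dangling-caused-by-uca", ls["id"]))
    return sorted(errors)

def verification_gaps(model):
    """sw-reqs with no sw-verification `verifies` backlink (a warning, not an error)."""
    verified = {v["verifies"] for v in model["sw_verifications"]}
    return [r["id"] for r in model["sw_reqs"] if r["id"] not in verified]

SAMPLE = {  # constructed pre-migration model mirroring the commits' defect classes
    "controllers": [{"id": "CTRL-ADAPTER"}],
    "ucas": [{"id": "UCA-X-1", "type": "providing-causes-hazard", "issued-by": "CTRL-ADAPTER"},
             {"id": "UCA-X-2", "type": "too-late", "issued-by": "CM Runtime (embedded)"}],
    "loss_scenarios": [{"id": "LS-X-1", "status": "fixed", "caused-by-uca": ["UCA-X-1", "UCA-X-9"]}],
    "sw_reqs": [{"id": "SR-1"}, {"id": "SR-2"}],
    "sw_verifications": [{"id": "SV-1", "verifies": "SR-1"}],
}

def validate_migrated(model):
    """Apply the uca-type migration, then re-validate: only the link/enum errors remain."""
    return validate(dict(model, ucas=[migrate_uca(u) for u in model["ucas"]]))
```

Running `validate(SAMPLE)` before the remap reports five errors; after `validate_migrated` only the dangling controller, the off-enum status and the never-authored UCA remain, which is the same split the commits work through.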