feat(skill): add dependency-advisory-graph skill (Frantic Bounty #29)#115
Open
codeboost-tr wants to merge 710 commits into
Open
feat(skill): add dependency-advisory-graph skill (Frantic Bounty #29)#115codeboost-tr wants to merge 710 commits into
codeboost-tr wants to merge 710 commits into
Conversation
Apply graph-declared wrap_as and named emit envelopes to Rust agent-step and tool step outputs so downstream graph context paths resolve during issue-to-pr authoring. Validated with runtime skill-run, catalog adapter, issue-to-pr harness tests, issue-to-pr graph vitest, cargo build, and diff checks.
Allow draft PR packaging when code changes include a test/spec file but scafld reports no validation count, while still blocking unvalidated code-only changes. Validated with outbox PR tests, issue-to-pr graph tests, runtime tests, cargo build, and diff checks.
Stop refreshing closed unmerged pull requests by branch match during GitHub outbox publication. New issue-to-PR runs now create a fresh PR instead of silently reopening a human-closed gate. Validated with thread push outbox tests, issue-to-pr graph tests, outbox PR tests, runtime tests, cargo build, and diff checks.
Expose declared agent-step outputs and deterministic skill/tool claim fields to graph context edges while preserving transition-gate protection for skill claims. Update issue-to-pr to consume normalized spec contents from the direct packet data path.
Add pure agent tool-ref admission predicate in runx-core::policy, route all agent allowed_tools through it at parser and runtime boundaries, require operator-carried provider grant id (no invented fallback), and add receipt-signing env child-process regression tests. Spec runx-capability-admission-spine-v1 completed via scafld review (pass, no blocking findings) and archived.
- Remove the tautological rail_proof.proof_ref self-comparison in supervisor verification; the claim/evidence binding is enforced by validate_supervisor_evidence. - Verify the sealed evidence_digest before rebinding a supervisor proof to a re-sealed receipt, so evidence tampered after issuance fails closed instead of being re-blessed. - Enforce max_per_period_units at runtime as a run-level clamp on the spend ledger (min of run and period caps); previously a period-only authority satisfied the aggregate-cap admission rule while the runtime reserved nothing. - Record terminally failed step runs in the execution run list so the run record agrees with the journal's StepFailed event. - Document both behaviors in docs/security-authority-proof.md.
max_per_period_units with a declared period (daily/weekly/monthly) is now reserved against a calendar-window ledger in the effect state file, bounding total spend across runs inside one UTC window. Unrecognized period values fail closed at admission. The run-level clamp remains as defense in depth for deployments without a configured state path. Window math uses Hinnant civil_from_days; no new time dependency. The new period_spend_ledger field is serde-defaulted so existing state files load unchanged.
Groups stored receipts into lineage trees and re-verifies canonical digests, content addresses, tree integrity, and (when the operator supplies RUNX_RECEIPT_VERIFY_* keys) production Ed25519 signatures, all offline. Broken parent chains and unreadable files fail closed with a non-zero exit. First Tier 1 slice; per-effect grant-id receipt evidence remains follow-up work.
Receipts-prove-governance contract: per-effect grant evidence in sealed receipts, scope-adherence verification in runx verify, period ledger retention, and runx doctor authority diagnostics. Approved and ready for the scafld build loop.
Single-receipt stdin/file verify with stable JSON verdict and a conformance fixture corpus; the dependency root the hosted notary embeds so the binary stays the only verifier across surfaces.
Bind grant evidence into privileged effects, verify scope adherence, and retain durable payment state across pruned windows.
Improve registry human output, add registry doctor diagnostics, and share cache-root resolution across the CLI resolver.
Archive completed scafld readiness specs, wire CI to enforce readiness/demo dogfood gates, repair release-script Windows package-manager spawning, and clean Rust clippy/style issues found by the release gates.
Consolidate parser, CLI, runtime, and payment helpers while preserving registry and payment authority behavior. Validate native registry publish/install/search paths, payment finality adapters, and Rust style gates.
Preserve active and previous period spend state while keeping legacy state files loadable.
Factor file-backed effect state operations through store-oriented helpers so hosted implementations can share the same persistence semantics.
Move rail packet and recovery-state derivation into the shared effect-state persistence helper so file and hosted stores follow the same path.
Show direct registry run commands after URL indexing and registry installs, surface doctor repair next actions, and make unresolved skill errors point to search and direct registry refs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds the dependency-advisory-graph skill as requested for Frantic Bounty #29. It composes existing runx vulnerability and research skills to produce an advisory packet for dependency manifests without false positives. Included harness cases for sealed and clean scenarios.