From 2c6db44ffbc1918d9822515dd9b155811f8d59cb Mon Sep 17 00:00:00 2001 
From: LubuSeb <187313664+LubuSeb@users.noreply.github.com> Date: Tue, 23 Jun 2026 06:35:08 +0200 Subject: [PATCH 1/5] Add access request review skill --- skills/access-request-review/SKILL.md | 69 +++ skills/access-request-review/X.yaml | 181 ++++++++ .../evidence/dogfood-output.json | 408 ++++++++++++++++++ .../evidence/dogfood-output.stderr.txt | 0 .../evidence/dogfood-receipts-linux.tgz | Bin 0 -> 1504 bytes .../evidence/local-harness-receipts-linux.tgz | Bin 0 -> 2397 bytes .../evidence/local-harness-verification.json | 29 ++ .../local-harness-verification.stderr.txt | 0 .../evidence/local-harness.json | 17 + .../evidence/local-harness.stderr.txt | 0 .../evidence/runx-version.txt | 1 + .../evidence/verification.json | 15 + .../evidence/verification.stderr.txt | 0 .../fixtures/deny-request.json | 41 ++ .../fixtures/grant-request.json | 47 ++ skills/access-request-review/run.mjs | 334 ++++++++++++++ 16 files changed, 1142 insertions(+) create mode 100644 skills/access-request-review/SKILL.md create mode 100644 skills/access-request-review/X.yaml create mode 100644 skills/access-request-review/evidence/dogfood-output.json create mode 100644 skills/access-request-review/evidence/dogfood-output.stderr.txt create mode 100644 skills/access-request-review/evidence/dogfood-receipts-linux.tgz create mode 100644 skills/access-request-review/evidence/local-harness-receipts-linux.tgz create mode 100644 skills/access-request-review/evidence/local-harness-verification.json create mode 100644 skills/access-request-review/evidence/local-harness-verification.stderr.txt create mode 100644 skills/access-request-review/evidence/local-harness.json create mode 100644 skills/access-request-review/evidence/local-harness.stderr.txt create mode 100644 skills/access-request-review/evidence/runx-version.txt create mode 100644 skills/access-request-review/evidence/verification.json create mode 100644 skills/access-request-review/evidence/verification.stderr.txt create mode 100644 
skills/access-request-review/fixtures/deny-request.json create mode 100644 skills/access-request-review/fixtures/grant-request.json create mode 100644 skills/access-request-review/run.mjs diff --git a/skills/access-request-review/SKILL.md b/skills/access-request-review/SKILL.md new file mode 100644 index 00000000..5e73361b --- /dev/null +++ b/skills/access-request-review/SKILL.md 
@@ -0,0 +1,69 @@
+---
+name: access-request-review
+description: Review a bounded access request against policy and emit a least-privilege grant proposal or denial.
+source:
+ type: cli-tool
+ command: node
+ args:
+ - run.mjs
+ input_mode: stdin
+ cwd: .
+ timeout_seconds: 30
+inputs:
+ access_request:
+ type: json
+ required: true
+ description: Request packet with requester, requested resource, requested action, business justification, and optional ticket metadata.
+ policy:
+ type: json
+ required: true
+ description: Access policy with allowed roles, resources, actions, TTL caps, approval rules, and escalation rules.
+ current_entitlements:
+ type: json
+ required: true
+ description: Current role and grant state for the requester.
+ objective:
+ type: string
+ required: false
+ description: Optional operator intent for the review.
+runx:
+ category: security
+ input_resolution:
+ required:
+ - access_request
+ - policy
+ - current_entitlements
+---
+
+# access-request-review
+
+Use this skill when an operator needs a bounded access decision before a
+human-approved one-time grant. The skill compares a request, the governing
+policy, and current entitlements, then returns `grant`, `deny`, or
+`needs_human_review`.
+
+The skill never creates access, calls identity providers, sends approval
+messages, stores credentials, or widens authority outside the supplied policy.
+When access is allowed it emits a least-privilege grant proposal with a bounded
+TTL, exact scope, approval gate, and evidence citations.
+
+## Inputs
+
+- `access_request`: requester id, role, action, resource, requested scope,
+ justification, ticket id, and optional requested TTL.
+- `policy`: allowed roles, resources, actions, maximum TTL, denied resources,
+ sensitive resources, required approvals, and break-glass rules.
+- `current_entitlements`: current grants and group/role state for the requester.
+- `objective`: optional operator intent.
+
+## Output
+
+The runner returns JSON with:
+
+- `decision_packet`: typed decision packet.
+- `grant_proposal`: one-time proposal when the decision is `grant`.
+- `evidence_json`: compact review evidence for external verification.
+- `report`: human-readable review summary.
+
+Decisions are deterministic and fail closed when request, policy, or entitlement facts are missing.
diff --git a/skills/access-request-review/X.yaml b/skills/access-request-review/X.yaml
new file mode 100644
index 00000000..c86c8a45
--- /dev/null
+++ b/skills/access-request-review/X.yaml
@@ -0,0 +1,181 @@
+skill: access-request-review
+version: "0.1.0"
+
+catalog:
+ kind: skill
+ audience: public
+ visibility: public
+ role: canonical
+
+policy:
+ side_effects: none
+ grant_mutation: denied
+ network_during_run: denied
+ secrets_required: false
+ filesystem:
+ read: []
+ write: []
+
+harness:
+ cases:
+ - name: least-privilege-grant-proposal
+ runner: default
+ inputs:
+ objective: "Review a temporary production log access request for incident response."
+ access_request:
+ request_id: req-2026-06-23-001
+ requester:
+ id: user-17
+ role: oncall_engineer
+ team: payments
+ action: read
+ resource: prod/payments/logs/service-a
+ requested_scope: logs.read:prod/payments/service-a/*
+ justification: "Investigate incident INC-2042 elevated payment retries."
+ ticket_id: INC-2042
+ requested_ttl_minutes: 120
+ policy:
+ policy_id: access-policy-demo-v1
+ max_ttl_minutes: 240
+ allowed_roles:
+ oncall_engineer:
+ actions: [read]
+ resources:
+ - prod/payments/logs/*
+ scope_prefixes:
+ - logs.read:prod/payments/
+ denied_resources:
+ - prod/payments/secrets
+ sensitive_resources:
+ - prod/payments/logs/*
+ required_approvals:
+ sensitive_resource: human_approval
+ grant_defaults:
+ approval_gate: human_approval_required
+ current_entitlements:
+ subject_id: user-17
+ roles: [oncall_engineer]
+ current_grants:
+ - grant_id: grant-staging-logs
+ scope: logs.read:staging/payments/*
+ expires_at: "2026-06-23T12:00:00Z"
+ expect:
+ status: sealed
+ receipt:
+ schema: runx.receipt.v1
+ state: sealed
+ disposition: closed
+ reason_code: process_closed
+
+ - name: deny-for-disallowed-resource
+ runner: default
+ inputs:
+ objective: "Reject direct secret access."
+ access_request:
+ request_id: req-2026-06-23-002
+ requester:
+ id: user-21
+ role: oncall_engineer
+ team: payments
+ action: read
+ resource: prod/payments/secrets
+ requested_scope: secrets.read:prod/payments/*
+ justification: "Need to check API keys."
+ ticket_id: INC-2043
+ requested_ttl_minutes: 60
+ policy:
+ policy_id: access-policy-demo-v1
+ max_ttl_minutes: 240
+ allowed_roles:
+ oncall_engineer:
+ actions: [read]
+ resources:
+ - prod/payments/logs/*
+ scope_prefixes:
+ - logs.read:prod/payments/
+ denied_resources:
+ - prod/payments/secrets
+ sensitive_resources:
+ - prod/payments/logs/*
+ required_approvals:
+ sensitive_resource: human_approval
+ grant_defaults:
+ approval_gate: human_approval_required
+ current_entitlements:
+ subject_id: user-21
+ roles: [oncall_engineer]
+ current_grants: []
+ expect:
+ status: sealed
+ receipt:
+ schema: runx.receipt.v1
+ state: sealed
+ disposition: closed
+ reason_code: process_closed
+
+ - name: missing-justification-fails-closed
+ runner: default
+ inputs:
+ objective: "Reject incomplete access requests."
+ access_request:
+ request_id: req-2026-06-23-003
+ requester:
+ id: user-22
+ role: support_agent
+ action: read
+ resource: prod/support/tickets
+ requested_scope: tickets.read:prod/support/*
+ requested_ttl_minutes: 30
+ policy:
+ policy_id: access-policy-demo-v1
+ max_ttl_minutes: 60
+ allowed_roles:
+ support_agent:
+ actions: [read]
+ resources:
+ - prod/support/tickets
+ scope_prefixes:
+ - tickets.read:prod/support/
+ denied_resources: []
+ sensitive_resources: []
+ required_approvals: {}
+ current_entitlements:
+ subject_id: user-22
+ roles: [support_agent]
+ current_grants: []
+ expect:
+ status: failure
+
+runners:
+ default:
+ default: true
+ type: cli-tool
+ command: node
+ input_mode: stdin
+ args:
+ - run.mjs
+ outputs:
+ decision_packet: object
+ grant_proposal: object
+ evidence_json: object
+ report: string
+ artifacts:
+ wrap_as: access_request_review_packet
+ packet: runx.security.access_request_review.v1
+ inputs:
+ access_request:
+ type: json
+ required: true
+ description: Bounded access request packet.
+ policy:
+ type: json
+ required: true
+ description: Governing access policy.
+ current_entitlements:
+ type: json
+ required: true
+ description: Current role and grant state for the requester.
+ objective:
+ type: string
+ required: false
+ description: Operator intent for the review.
diff --git a/skills/access-request-review/evidence/dogfood-output.json b/skills/access-request-review/evidence/dogfood-output.json
new file mode 100644
index 00000000..f141f2c6
--- /dev/null
+++ b/skills/access-request-review/evidence/dogfood-output.json
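Review bot: The `expect` block of `deny-for-disallowed-resource` asserts only the receipt (`status: sealed`, `reason_code: process_closed`), which is identical to the grant case's expectation, so the harness cannot distinguish a deny from a grant and a regression that approved `prod/payments/secrets` would still pass. If the harness supports asserting on runner outputs, pin the decision under `expect` with something like `outputs:` / `decision_packet:` / `decision: deny` (and `decision: grant` for the first case); if it does not, a comment such as `# NOTE: receipt-only expectation; the decision value itself is not verified by this case` should make the gap explicit. Separately, the policy fixtures set `required_approvals.sensitive_resource: human_approval` while `grant_defaults.approval_gate` is `human_approval_required`; run.mjs uses the `sensitive_resource` value verbatim as the approval gate for resources matching `sensitive_resources`, and `prod/payments/logs/*` is listed there, so the first case would emit the gate token `human_approval`, which differs from the token the dogfood evidence and the rest of the skill use. Aligning both to `human_approval_required` avoids a downstream approval consumer matching on the wrong string.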
@@ -0,0 +1,408 @@ +{ + "closure": { + "closed_at": "2026-06-23T04:33:57.734Z", + "disposition": "closed", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "execution": { + "exit_code": 0, + "skill_claim": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no 
access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ }, + "stderr": "", + "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": \"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n 
\"policy_id\": \"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", + "structured_output": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + 
"evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", + 
"ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ } + }, + "payload": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": 
"logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ }, + "receipt": { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-06-23T04:33:57.734Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-06-23T04:33:57.734Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": 
"sha256:e23e5164c906d73bb1383d24f14eba0aeed003232677627740150a444fb43df7", + "id": "sha256:fc425c86f5c9340c8e2fa38bac0c5ad88ccb01489a5cb9cf7cfafcc88ccbff0e", + "idempotency": { + "content_hash": "sha256:run_default_8e438e086dc8-default-content", + "intent_key": "sha256:run_default_8e438e086dc8-default-intent", + "trigger_fingerprint": "sha256:run_default_8e438e086dc8-default-trigger" + }, + "issuer": { + "kid": "local:bountybar-frantic-runx-22-20260618192655", + "public_key_sha256": "sha256:afae74faf1b1b104b27d788bee2dd0982052af89a1ae30b3282f1a14b0707871", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-06-23T04:33:57.734Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + "last_observed_at": "2026-06-23T04:33:57.734Z", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:IPrUVe8iFzP-IXATGMrUFdDzcc0qPFnVougfSw53RGrSsDS3IlTkOOKbIDtwNFy6752Pi5kWhDwjWuv6BPxZBg" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_run_default_8e438e086dc8_default" + } + } + }, + "receipt_id": "sha256:fc425c86f5c9340c8e2fa38bac0c5ad88ccb01489a5cb9cf7cfafcc88ccbff0e", + "run_id": "run_default_8e438e086dc8", + "schema": "runx.skill_run.v1", + "skill_name": "access-request-review", + "status": "sealed" +} diff --git a/skills/access-request-review/evidence/dogfood-output.stderr.txt b/skills/access-request-review/evidence/dogfood-output.stderr.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/skills/access-request-review/evidence/dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/dogfood-receipts-linux.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7d4131b9cefcdc838de204bd647f82c876a2562c GIT binary patch literal 1504 zcmV<61t0n!iwFP!000001MOGaZreBz&8G-@j#J$w`)RjGQv}=H2E8u2SO^p~vKh;y zN>WMOApgEYO1`y86BliYVl{q{MN%_oX3h*r+48Fqp%j!FN%+`;()he!a5*Z)v=XAk zR|>4r>dC=3iieWMv3dGw?DbFIj`wol$AO zuDfsk7nP$YM^AoxA^7wKe`30Kx#0PJ;spoJiywq%M^^clLg=rp zyKnv%6}d7a25@rRV9*s$vWt0}4A7x__(_&1klvbpo z)Q(q`2S?{h@SpAXAe}r${%!qx-d+7aj<7fE^#9O|9ys1(1mJ((|F2y|XRsjd#5Ghn z>XUtR;k$<}D{=TcRXwVs5{QN}CmPiTUXYBuWE6yNyl4`JlQ=y}!{~!qN4VgOlA3)Y znhE|nHtI*b2dGpF(w$tpdf5Q3n+b&$aAt0?*8;Un3ej@CEQlOcl5oxF$g(~NMh1kJ z_?bUO-o^M?(-t+O`5cyc=l3Q6q#}?;=#*dJ&x?v6Ez>M30D`jg##!LS0jbb`pFrpp zVUPutPyDFxQZLO?-@Q3>6`OLRTL}g-si&y@SsBE!KStXZq;8E51yPVhlhZT#_8nyG zbrQR;m>JK^s{JFQ+{#^I~y^0hjC9iG;2<}Y9VQJfy@%fC*R zNg4-dES|rg9bcZmZ!eOkXICGdP7R8ZO|i^3otlFxG!m>&&Q((~u4V*5GYmDPxZNj**f-%oas7PDuJcB6A zz{`@7W}|*^)P01?v}DsM$h=}4AC1I`J=FAH8y<-c#*C=h9t!%;Y`)s!9H=%f%^A1V zFlTj*x+PTGv?G#Z2gUJLGV?BZewUrqpwUmoV!`wRttof%&%ZcAT0IkzX&XjDwUGI) zDH9IL8d9%~88T1S!xPJSV_mZa7$Z|ddZWeKK&Pl^VC#KtGH>vZQ*F;^3`E=4;I-Qj zX~MZ#Z;|n~u5F|g=uSg7hL$zRMXw5YB_svos#PUL#cKF6H3sxZ&7lS@_-Okp6Y~-y zf?&3t0o^uR?;40K#pPzn&8qC`enknCDO6%!uh(z6?HBmAP7h{hCKxp_$9Qo=a^AEi zQP;h~ZL>s9L2m~{G>wqD<$aviaBEn*u#OW(qY(-_V_yO$K&>=GX#6D_clyXUT$JE! 
z5Y{kdI8IE}xi3uO9n5w!bKnYSYwS4vrVgc}XG~cIu1S~O@^gxL1j$H;4wI!~%lR#+k!A~%Xe6<`=-?f?w`Jp1 z%X^F%)8?*JyxQ?*lZ;EE98zM*8=s0Lx&@A{S7*~fZb{9x+rO-MiiELi;ELIpYus16 z(!xlvkrtwM%$#z1Z54)PX-nv1%dn2ziIy$gJT&L)G(EGfAoyEjut8a1x5VzP9tgh0 zh3*BeshHipzew?6Kig4fyP($4b{t29JDwX)m1yOT%1zO(`rYTW*&-IU3Z{?*tUr;M z35yjEHF%%NsUhc=&OHp?VXy9sk0XO8$_03PSz|Y1(h}VHI2r|4ynG)rA`i8FS zuQYw{uJplnYl}4}&<3_GYi953pJ48*zJM^c5!o>I9*LhTFtfi()BJnm zZtMR|LERz#vmqnY?pcBD`hmw84y53Oxt3%u!juw;U3jL9I@EIrahV^um@_UsS0L_5 zZW3g(&L~ThpDlL-6+DIg%lJp=ru z?FyaR*qsS(ZMMPynja|Y0UcL@^8F7#5_P&&oq0Kc3jUp*5g=`CLw20 z_!rB=G`Y?j$5v7^m}P}ft=>f|pN<8L8>SghfS%Km_b3G{JwGjyeCjjRmWm~L$lImY z6Vld9ARD{bBQ~Y*+PLtekoQl;v|q`+PymxmI3TpdKKw(LPn^JUU0(LpWj z@P&>i$FJV*lm2vQJNxViPm1?D+1J;{=k)Ls7F%D7?MV?I`yY11p?h{_?(TcL?}f8} zP{`d+gRM`|4iE6zPWJE5M}KBy>*bl|A_xZ%<_pP?FR*V}U_#4s9SU}{O^XuSaiqmS z&L9AZOxyDU+q1Fb1a<%k!@~~2lDM`kJw?RhG#3eQ%!km$#Y`BT5l7w|MU4_IfI zhFt3$^p$8QPsW8d)J2VOnJiNSkuNJG9gkC$7fG$BIlGaVi!j#{Xk(makQwU`&#z@jY7z+*~F$kfZ>8NY%X~P>}?eWkM=YkiSj!{qQA~5n{n3V`x+Fa$7 z-{)XQp+Z)12cDnhiiNd1YF(*t0(?o8#^Ga#@%YvnOe;pIcIvK%a8%oIR zGmpxOIA&^EIdLgq#r`;ANg|XnLw1FCSe*orXcjK411UsYY{>mwR*WK#O1m+ zpPOmB6a|=Hse=WVK4eSC-r1VW7cj6jfiW^HXYX%Jyjk~FuCp9abJng14jf*QTuYjz zg}Q=r5wx>>cinB491BuKn1K_7^@>Dyl)S>C2KF<3uATE+;nrhsvqpEz(&(}jLqP7o zD?9V<6%5t(Ghi|rL)tBet;G&FJ+a^!Pv8{b+fkSZHYg3uhhY@J6jvje zCcK(Je)byuF`=pdH1(f5?*AQZ3M2$I8KZ&em?AJKb&(`K4FVqt;s=(?eQIIfw2XzU z>OY5A?7VrM#RsqcIDCbj59j9bpIf_8_VRdplAPgDh6aC3@eztfJHdysv|qj0KO)g^ zgo~lGC-=7*i30n}*4by2dZRa<+Bz7#-db7z0SP2`i7#x&;tmTqwU9J9c08N9asj=P+ z|2s)ek`istSQ~4Jk>wB;D%NWyv0LURvb2<-&7NZ_PbFA;upoqlV)bBvQ z@l3~fPY0fY1lx_v&a5l4xc=TBrGC#Oz!_a|#&oTw#-76Qd{H^D2kXBc zv99AP|3VaRC%Kw_OaZ}Rm=Cu|TbN+M3`oHij%N8V%w#_`>C6?)UfoCC`VTZe(pd?_HO)&R`1q}glD3PWw zV5~>6@SF3WUkIMU{`a{5YaypO|9J{n`~2reqkf(Hzn{n9EOmOIH$sKrNktlmhWK)WRYNDLL44& z#}ei}?*E#?MuI!o<(U7#`Oiu;cRBxAiQo~=f0pSq=ReK)Pjmj$oc}cEKh6E$_3!_d zOQT=s{%^ffTl4op!-TN*3KWx(L_y4eMH^2XU61ZXi*Uw<( zDf*Sg%dOTxz=XWmzG25D*!75MBMa>2S&pMaG=bH(sIvYH(*ysAv|KhOEEW%kwRGvV zf1i4}xmvadxFESgwg { + if 
(!isObject(grant)) throw new Error(`current_entitlements.current_grants[${index}] must be an object`);
+ return {
+ grant_id: stringValue(grant.grant_id) || `grant-${index + 1}`,
+ scope: stringValue(grant.scope) || "",
+ expires_at: stringValue(grant.expires_at),
+ };
+ });
+
+ if (!requestId) throw new Error("access_request.request_id is required");
+ if (!subjectId) throw new Error("access_request.requester.id is required");
+ if (!requesterRole) throw new Error("access_request.requester.role is required");
+ if (!action) throw new Error("access_request.action is required");
+ if (!resource) throw new Error("access_request.resource is required");
+ if (!requestedScope) throw new Error("access_request.requested_scope is required");
+ if (!justification) throw new Error("access_request.justification is required");
+ if (!policyId) throw new Error("policy.policy_id is required");
+ if (!maxTtlMinutes || maxTtlMinutes < 1) throw new Error("policy.max_ttl_minutes must be a positive number");
+
+ return {
+ requestId,
+ subjectId,
+ requesterRole,
+ roles,
+ action,
+ resource,
+ requestedScope,
+ justification,
+ ticketId: stringValue(request.ticket_id),
+ requestedTtlMinutes: requestedTtlMinutes || maxTtlMinutes,
+ policyId,
+ maxTtlMinutes,
+ allowedRoles: isObject(policy.allowed_roles) ? policy.allowed_roles : {},
+ deniedResources: arrayValue(policy.denied_resources).map(String),
+ sensitiveResources: arrayValue(policy.sensitive_resources).map(String),
+ requiredApprovals: isObject(policy.required_approvals) ? policy.required_approvals : {},
+ grantDefaults: isObject(policy.grant_defaults) ? policy.grant_defaults : {},
+ currentGrants,
+ };
+}
+
+function decide(input) {
+ const evidenceRefs = [
+ `request:${input.requestId}`,
+ `policy:${input.policyId}`,
+ `entitlements:${input.subjectId}`,
+ ];
+ const reasons = [];
+
+ if (matchesAny(input.resource, input.deniedResources) || input.requestedScope.startsWith("secrets.")) {
+ return {
+ decision: "deny",
+ leastPrivilegeScope: null,
+ ttlMinutes: 0,
+ approvalGate: "not_applicable",
+ evidenceRefs,
+ reasons: ["requested resource or scope is explicitly denied by policy"],
+ };
+ }
+
+ const rolePolicy = firstRolePolicy(input.roles, input.allowedRoles);
+ if (!rolePolicy) {
+ return {
+ decision: "deny",
+ leastPrivilegeScope: null,
+ ttlMinutes: 0,
+ approvalGate: "not_applicable",
+ evidenceRefs,
+ reasons: ["requester has no role with access policy for this request"],
+ };
+ }
+
+ const allowedActions = arrayValue(rolePolicy.actions).map(String);
+ if (!allowedActions.includes(input.action)) {
+ return {
+ decision: "deny",
+ leastPrivilegeScope: null,
+ ttlMinutes: 0,
+ approvalGate: "not_applicable",
+ evidenceRefs,
+ reasons: [`action ${input.action} is not allowed for requester role`],
+ };
+ }
+
+ const allowedResources = arrayValue(rolePolicy.resources).map(String);
+ if (!matchesAny(input.resource, allowedResources)) {
+ return {
+ decision: "deny",
+ leastPrivilegeScope: null,
+ ttlMinutes: 0,
+ approvalGate: "not_applicable",
+ evidenceRefs,
+ reasons: ["requested resource does not match any allowed resource pattern"],
+ };
+ }
+
+ const allowedPrefixes = arrayValue(rolePolicy.scope_prefixes).map(String);
+ if (!allowedPrefixes.some((prefix) => input.requestedScope.startsWith(prefix))) {
+ return {
+ decision: "deny",
+ leastPrivilegeScope: null,
+ ttlMinutes: 0,
+ approvalGate: "not_applicable",
+ evidenceRefs,
+ reasons: ["requested scope is outside allowed scope prefixes"],
+ };
+ }
+
+ const leastPrivilegeScope = narrowScope(input.requestedScope, input.resource);
+ const ttlMinutes = Math.max(1, Math.min(input.requestedTtlMinutes, input.maxTtlMinutes));
+ const isSensitive = matchesAny(input.resource, input.sensitiveResources);
+ const approvalGate = isSensitive
+ ? stringValue(input.requiredApprovals.sensitive_resource) || "human_approval_required"
+ : stringValue(input.grantDefaults.approval_gate) || "human_approval_required";
+
+ if (input.currentGrants.some((grant) => grant.scope === leastPrivilegeScope)) {
+ reasons.push("matching entitlement already exists; proposal keeps scope unchanged and flags duplicate grant risk");
+ } else {
+ reasons.push("request matches allowed role, action, resource, and scope prefix");
+ }
+ reasons.push(`ttl bounded to ${ttlMinutes} minutes by policy max ${input.maxTtlMinutes}`);
+ reasons.push("proposal is gated; no access is issued by this skill");
+
+ return {
+ decision: "grant",
+ leastPrivilegeScope,
+ ttlMinutes,
+ approvalGate,
+ evidenceRefs,
+ reasons,
+ };
+}
+
+function buildGrantProposal(input, decision) {
+ return {
+ schema: "runx.security.one_time_grant_proposal.v1",
+ proposal_id: `grant-proposal-${input.requestId}`,
+ subject_id: input.subjectId,
+ action: input.action,
+ resource: input.resource,
+ scope: decision.leastPrivilegeScope,
+ ttl_minutes: decision.ttlMinutes,
+ approval_gate: decision.approvalGate,
+ ticket_id: input.ticketId,
+ justification: input.justification,
+ policy_id: input.policyId,
+ issued_by_skill: false,
+ execution_status: "proposal_only",
+ handoff: {
+ catalog_skill: "least-privilege-auditor",
+ requires_human_approval: true,
+ },
+ };
+}
+
+function firstRolePolicy(roles, allowedRoles) {
+ for (const role of roles) {
+ if (isObject(allowedRoles[role])) return allowedRoles[role];
+ }
+ return null;
+}
+
+function narrowScope(scope, resource) {
+ if (!scope.endsWith("*")) return scope;
+ if (scope.endsWith("/*")) return scope.slice(0, -2);
+ const [prefix] = scope.split("*");
+ const normalizedResource = resource.replace(/^\/+/, "");
+ if (prefix.endsWith("/") && normalizedResource.startsWith(prefix.split(":").slice(1).join(":"))) {
+ return `${prefix}${normalizedResource.split("/").pop()}`;
+ }
+ return `${prefix}${normalizedResource}`;
+}
+
+function matchesAny(value, patterns) {
+ return patterns.some((pattern) => matchesPattern(value, pattern));
+}
+
+function matchesPattern(value, pattern) {
+ if (!pattern) return false;
+ if (pattern === value) return true;
+ if (pattern.endsWith("*")) return value.startsWith(pattern.slice(0, -1));
+ return false;
+}
+
+function renderReport(packet, grantProposal) {
+ const lines = [
+ "# access-request-review report",
+ "",
+ `Request: ${packet.request_id}`,
+ `Subject: ${packet.subject_id}`,
+ `Policy: ${packet.policy_id}`,
+ `Decision: ${packet.decision}`,
+ `Resource: ${packet.resource}`,
+ `Requested scope: ${packet.requested_scope}`,
+ `Least-privilege scope: ${packet.least_privilege_scope || "none"}`,
+ `TTL: ${packet.ttl_minutes} minutes`,
+ `Approval gate: ${packet.approval_gate}`,
+ "",
+ "## Reasons",
+ ...packet.reasons.map((reason) => `- ${reason}`),
+ "",
+ grantProposal
+ ? `Grant proposal ${grantProposal.proposal_id} is proposal-only and requires ${grantProposal.approval_gate}.`
+ : "No grant proposal was emitted.",
+ "This skill does not mutate grants, move secrets, or call identity-provider APIs.",
+ ];
+ return lines.join("\n");
+}
+
+function readInputs() {
+ if (process.env.RUNX_INPUTS_PATH) {
+ return JSON.parse(fs.readFileSync(process.env.RUNX_INPUTS_PATH, "utf8"));
+ }
+ if (process.env.RUNX_INPUTS_JSON) {
+ return JSON.parse(process.env.RUNX_INPUTS_JSON);
+ }
+ if (!process.stdin.isTTY) {
+ const raw = fs.readFileSync(0, "utf8").trim();
+ if (raw) return JSON.parse(raw);
+ }
+ return {};
+}
+
+function requireObject(value, field) {
+ if (!isObject(value)) throw new Error(`${field} must be an object`);
+ return value;
+}
+
+function isObject(value) {
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+function arrayValue(value) {
+ return Array.isArray(value) ? value : [];
+}
+
+function stringValue(value) {
+ return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+
+function numberValue(value) {
+ return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+
+function sha256Json(value) {
+ return `sha256:${crypto.createHash("sha256").update(JSON.stringify(sortJson(value))).digest("hex")}`;
+}
+
+function sortJson(value) {
+ if (Array.isArray(value)) return value.map(sortJson);
+ if (isObject(value)) {
+ return Object.fromEntries(Object.keys(value).sort().map((key) => [key, sortJson(value[key])]));
+ }
+ return value;
+}
From ba78019e5befce597b1382ce60d016c665d91619 Mon Sep 17 00:00:00 2001
From: LubuSeb <187313664+LubuSeb@users.noreply.github.com> Date: Tue, 23 Jun 2026 06:37:19 +0200 Subject: [PATCH 2/5] Add access request review delivery evidence --- .../evidence/clean-install.json | 43 ++ .../evidence/clean-install.stderr.txt | 0 .../evidence/evidence.json | 81 ++++ .../evidence/hosted-dogfood-output.json | 419 ++++++++++++++++++ .../evidence/hosted-dogfood-output.stderr.txt | 0 .../hosted-dogfood-receipts-linux.tgz | Bin 0 -> 1509 bytes .../hosted-harness-receipts-linux.tgz | Bin 0 -> 2405 bytes .../evidence/hosted-harness-verification.json | 29 ++ .../hosted-harness-verification.stderr.txt | 0 .../evidence/hosted-harness.json | 17 + .../evidence/hosted-harness.stderr.txt | 0 .../evidence/hosted-verification.json | 15 + .../evidence/hosted-verification.stderr.txt | 0 .../evidence/registry-publish.json | 20 + .../evidence/registry-publish.stderr.txt | 0 .../evidence/registry-read.json | 50 +++ .../evidence/registry-read.stderr.txt | 0 .../access-request-review/evidence/report.md | 23 + 18 files changed, 697 insertions(+) create mode 100644 skills/access-request-review/evidence/clean-install.json create mode 100644 skills/access-request-review/evidence/clean-install.stderr.txt create mode 100644 skills/access-request-review/evidence/evidence.json create mode 100644 skills/access-request-review/evidence/hosted-dogfood-output.json create mode 100644 skills/access-request-review/evidence/hosted-dogfood-output.stderr.txt create mode 100644 skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz create mode 100644 skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz create mode 100644 skills/access-request-review/evidence/hosted-harness-verification.json create mode 100644 skills/access-request-review/evidence/hosted-harness-verification.stderr.txt create mode 100644 skills/access-request-review/evidence/hosted-harness.json create mode 100644 skills/access-request-review/evidence/hosted-harness.stderr.txt create mode 
100644 skills/access-request-review/evidence/hosted-verification.json create mode 100644 skills/access-request-review/evidence/hosted-verification.stderr.txt create mode 100644 skills/access-request-review/evidence/registry-publish.json create mode 100644 skills/access-request-review/evidence/registry-publish.stderr.txt create mode 100644 skills/access-request-review/evidence/registry-read.json create mode 100644 skills/access-request-review/evidence/registry-read.stderr.txt create mode 100644 skills/access-request-review/evidence/report.md diff --git a/skills/access-request-review/evidence/clean-install.json b/skills/access-request-review/evidence/clean-install.json new file mode 100644 index 00000000..501ec036 --- /dev/null +++ b/skills/access-request-review/evidence/clean-install.json 
@@ -0,0 +1,43 @@
+{
+ "status": "success",
+ "registry": {
+ "action": "install",
+ "source": "remote",
+ "ref": "lubuseb/access-request-review@sha-fefdaf21eb13",
+ "install": {
+ "status": "installed",
+ "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/SKILL.md",
+ "skill_name": "access-request-review",
+ "source": "runx-registry",
+ "source_label": "runx registry",
+ "skill_id": "lubuseb/access-request-review",
+ "version": "sha-fefdaf21eb13",
+ "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
+ "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5",
+ "profile_state_path": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/.runx/profile.json",
+ "runner_names": [
+ "default"
+ ],
+ "trust_tier": "community"
+ },
+ "receipt_metadata": {
+ "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/SKILL.md",
+ "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
+ "install_count": 1,
+ "package_digest": "fb9e74d2f776897866e5a6e431c5e94da782ede2ef0451d31a3e39494618c5cf",
+ "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5",
+ "publisher": {
+ "display_name": "LubuSeb",
+ "handle": "lubuseb",
+ "id": "user_53f00ae7ec2363e37ac6ff68",
+ "kind": "user"
+ },
+ "ref": "lubuseb/access-request-review@sha-fefdaf21eb13",
+ "skill_id": "lubuseb/access-request-review",
+ "source_label": "runx registry",
+ "status": "installed",
+ "trust_tier": "community",
+ "version": "sha-fefdaf21eb13"
+ }
+ }
+}
diff --git a/skills/access-request-review/evidence/clean-install.stderr.txt b/skills/access-request-review/evidence/clean-install.stderr.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/skills/access-request-review/evidence/evidence.json b/skills/access-request-review/evidence/evidence.json new file mode 100644 index 00000000..56dc3f98 --- /dev/null +++ b/skills/access-request-review/evidence/evidence.json 
@@ -0,0 +1,81 @@
+{
+ "schema": "frantic.delivery.evidence.v1",
+ "summary": "access-request-review was published as a hosted runx skill, clean-installed from the registry, harnessed from the installed package, dogfooded on a bounded least-privilege access request, and verified with a sealed production-mode runx receipt.",
+ "artifact": "access-request-review",
+ "package": {
+ "owner": "lubuseb",
+ "name": "access-request-review",
+ "version": "sha-fefdaf21eb13",
+ "registry_ref": "lubuseb/access-request-review@sha-fefdaf21eb13",
+ "public_url": "https://runx.ai/x/lubuseb/access-request-review@sha-fefdaf21eb13",
+ "digest": "64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
+ "profile_digest": "74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5"
+ },
+ "source": {
+ "pr_url": "https://github.com/runxhq/runx/pull/123",
+ "source_url": "https://github.com/LubuSeb/runx/tree/access-request-review-55",
+ "x_yaml": "https://raw.githubusercontent.com/LubuSeb/runx/access-request-review-55/skills/access-request-review/X.yaml",
+ "skill_md": "https://raw.githubusercontent.com/LubuSeb/runx/access-request-review-55/skills/access-request-review/SKILL.md"
+ },
+ "runtime": {
+ "runx_version": "runx-cli 0.6.13",
+ "receipt_ref": "runx:receipt:sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21",
+ "receipt_id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21",
+ "verify_verdict": "valid",
+ "signature_mode": "production"
+ },
+ "observations": [
+ {
+ "name": "published_registry_package",
+ "status": "passed",
+ "detail": "runx registry publish completed successfully for lubuseb/access-request-review@sha-fefdaf21eb13 on https://api.runx.ai.",
+ "evidence_ref": "registry-publish.json"
+ },
+ {
+ "name": "registry_read",
+ "status": "passed",
+ "detail": "runx registry read resolved the published package metadata.",
+ "evidence_ref": "registry-read.json"
+ },
+ {
+ "name": "clean_install",
+ "status": "passed",
+ "detail": "runx add installed lubuseb/access-request-review@sha-fefdaf21eb13 into a clean directory.",
+ "evidence_ref": "clean-install.json"
+ },
+ {
+ "name": "hosted_harness",
+ "status": "passed",
+ "detail": "The installed registry package passed least-privilege grant, deny, and fail-closed harness cases.",
+ "evidence_ref": "hosted-harness.json"
+ },
+ {
+ "name": "dogfood_run",
+ "status": "closed",
+ "detail": "Hosted dogfood emitted a grant proposal with a bounded TTL and human approval gate, without issuing access.",
+ "evidence_ref": "hosted-dogfood-output.json"
+ },
+ {
+ "name": "dogfood_receipt_verified",
+ "status": "passed",
+ "detail": "runx verify accepted receipt sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21 with no findings.",
+ "evidence_ref": "hosted-verification.json"
+ },
+ {
+ "name": "read_only_behavior",
+ "status": "passed",
+ "detail": "The runner reads JSON inputs, computes deterministically in memory, performs no provider calls, requires no secrets, and emits structured stdout only.",
+ "evidence_ref": "run.mjs"
+ }
+ ],
+ "commands": [
+ "npx --yes @runxhq/cli@latest --version",
+ "npx --yes @runxhq/cli@latest harness /mnt/f/BountyBar/repos/runx/skills/access-request-review --json",
+ "npx --yes @runxhq/cli@latest registry publish /mnt/f/BountyBar/repos/runx/skills/access-request-review/SKILL.md --registry https://api.runx.ai --json",
+ "npx --yes @runxhq/cli@latest registry read lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --json",
+ "npx --yes @runxhq/cli@latest add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --to /tmp/runx-access-request-review-clean-install --json",
+ "npx --yes @runxhq/cli@latest harness /tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/ --json",
+ "npx --yes @runxhq/cli@latest skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json",
+ "npx --yes @runxhq/cli@latest verify --receipt-dir /tmp/runx-access-request-review-hosted-dogfood-receipts --json"
+ ]
+}
diff --git a/skills/access-request-review/evidence/hosted-dogfood-output.json b/skills/access-request-review/evidence/hosted-dogfood-output.json
new file mode 100644
index 00000000..b9df5e6e
--- /dev/null
+++ b/skills/access-request-review/evidence/hosted-dogfood-output.json
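Review bot: The `dogfood_run` observation carries `"status": "closed"` while every other observation in the `observations` array uses `"passed"`, so any consumer that checks for `passed` will treat the dogfood run as a failed or unknown step even though the detail text and the verified receipt say it succeeded; `closed` looks like the receipt disposition leaking into the observation status, and the entry should read `"status": "passed",`. Separately, the recorded `skill` command in `commands` passes `--input-json access_request=`, `--input-json policy=` and `--input-json current_entitlements=` with empty values, which presumably means the input payloads were stripped when the command was copied; as written the dogfood run cannot be reproduced from this evidence file, so the command should either point at the fixture files or state that the inputs were the ones recorded in hosted-dogfood-output.json.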
@@ -0,0 +1,419 @@ +{ + "closure": { + "closed_at": "2026-06-23T04:37:01.209Z", + "disposition": "closed", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "execution": { + "exit_code": 0, + "skill_claim": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Hosted dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is 
gated; no access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ }, + "stderr": "", + "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": \"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Hosted dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n 
\"policy_id\": \"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", + "structured_output": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + 
"evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Hosted dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", 
+ "ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ } + }, + "payload": { + "decision_packet": { + "action": "read", + "approval_gate": "human_approval_required", + "decision": "grant", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "objective": "Hosted dogfood access request review for Frantic bounty 55.", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_id": "req-2026-06-23-001", + "requested_scope": "logs.read:prod/payments/service-a/*", + "resource": "prod/payments/logs/service-a", + "safeguards": { + "executes_grant": false, + "mutates_grants": false, + "read_only": true, + "requires_human_approval": true + }, + "schema": "runx.security.access_request_review.v1", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "evidence_json": { + "artifact": "access-request-review", + "observations": { + "action": "read", + "approval_gate": "human_approval_required", + "current_grant_count": 1, + "decision": "grant", + "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "evidence_refs": [ + "request:req-2026-06-23-001", + "policy:access-policy-demo-v1", + "entitlements:user-17" + ], + "least_privilege_scope": "logs.read:prod/payments/service-a", + "policy_digest": "sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c", + "policy_id": "access-policy-demo-v1", + "reasons": [ + "request matches allowed role, action, resource, and scope prefix", + "ttl bounded to 120 minutes by policy max 240", + "proposal is gated; no access is issued by this skill" + ], + "request_digest": "sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a", + "request_id": "req-2026-06-23-001", + "requested_scope": 
"logs.read:prod/payments/service-a/*", + "requester_roles": [ + "oncall_engineer" + ], + "resource": "prod/payments/logs/service-a", + "subject_id": "user-17", + "ttl_minutes": 120 + }, + "schema": "frantic.delivery.evidence.v1" + }, + "grant_proposal": { + "action": "read", + "approval_gate": "human_approval_required", + "execution_status": "proposal_only", + "handoff": { + "catalog_skill": "least-privilege-auditor", + "requires_human_approval": true + }, + "issued_by_skill": false, + "justification": "Investigate incident INC-2042 elevated payment retries.", + "policy_id": "access-policy-demo-v1", + "proposal_id": "grant-proposal-req-2026-06-23-001", + "resource": "prod/payments/logs/service-a", + "schema": "runx.security.one_time_grant_proposal.v1", + "scope": "logs.read:prod/payments/service-a", + "subject_id": "user-17", + "ticket_id": "INC-2042", + "ttl_minutes": 120 + }, + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
+ }, + "receipt": { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-06-23T04:37:01.209Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-06-23T04:37:01.209Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": 
"sha256:58c0f202dcc6040c2e8a6618c5da594a6b21171dcb9f100b5ebcc0fbc61d17f0", + "id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "idempotency": { + "content_hash": "sha256:run_default_470fa655fc09-default-content", + "intent_key": "sha256:run_default_470fa655fc09-default-intent", + "trigger_fingerprint": "sha256:run_default_470fa655fc09-default-trigger" + }, + "issuer": { + "kid": "local:bountybar-frantic-runx-22-20260618192655", + "public_key_sha256": "sha256:afae74faf1b1b104b27d788bee2dd0982052af89a1ae30b3282f1a14b0707871", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-06-23T04:37:01.209Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + "last_observed_at": "2026-06-23T04:37:01.209Z", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:NxHzjfLOg20GjhHWN-AJbOGX1ZYE8EfsCOfUH1TSqF9oS0Sd_cQrP2qMw5iuoihDRwRJc-S6H-4gAqcuKxbkAw" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_run_default_470fa655fc09_default" + } + } + }, + "receipt_id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "registry_provenance": { + "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83", + "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5", + "registry_key_id": "runx-registry-ed25519-v1", + "registry_source": "remote https://api.runx.ai", + "registry_source_fingerprint": "ba1ac16b631195fd", + "skill_id": "lubuseb/access-request-review", + "trust_state": "trusted", + "trust_tier": "community", + "version": "sha-fefdaf21eb13" + }, + "run_id": 
"run_default_470fa655fc09", + "schema": "runx.skill_run.v1", + "skill_name": "access-request-review", + "status": "sealed" +} diff --git a/skills/access-request-review/evidence/hosted-dogfood-output.stderr.txt b/skills/access-request-review/evidence/hosted-dogfood-output.stderr.txt new file mode 100644 index 00000000..e69de29b diff --git a/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz new file mode 100644 index 0000000000000000000000000000000000000000..220d77cfb02d3cebe2cca625adff528b73b8247e GIT binary patch literal 1509 zcmVr+n-i!S%WTXx}?Ll4ue2Zl+9Qc z6_QHg2KnzhQu14xG;z_UD5~=ZStND$+}(3WQnvNAM<``Vd6HeUOlf#ta(3lSh0?6> z3Na~#C}5N_-e~n=Z&yJeNfenUP9oGlu^sPa4@W+ZLlj45osV%4>^afSmOevTrHOQ$ zJ;m}*u6u0$JC%bM2QPj)7WL$q*R!u=!z4Hk!)3njK9Rri-;QG(C6NE)uY_kymid=L z=ufSCZ2mhHxqJPqDe zmwucEVUWfFBR)PjSEByb?*H)eEcrL}kI+N?KMJ8YZ1?{piNZYxJx2h3@cw_}DmrCz z;*MQIg@ZoJ2bb90cXqsqX zPD#Z-5Y0t>7aPT4-2+srWzrqrxO&krSl4kDW@Z+9B|ytK7j3N+0Ntuoa zCM-aC;HQ3x2@Z3Vpd?MOd%N!{KB2vMJYukgrcA{Mj@g;OGyk-p;1Ai zQApw(4rB=~Xg(@2LV3h;3SZxJv2P34_Qz5ywVI))w znQfag;h?-B)ykM5^LRBpwwyQCHJ>wMWMW8fv{)P96cr8Icwd>!8aU*Xn=={$(e^cX z<2FQ^aIV)|WOZ9rHd2b|PD3{amNk>}UKOiLAt^JiT2)e%ykZ}x#(?(Jj8#mF+S~lf z#Jqrr0GLf@m~NYmcg=__#MOGq?Xv8uenr73SD?ha-mKm-+b`g4l^)2>RB&oy4)LlD z$?K*yiMr_(Zki=>!t`c9MAHbV+q#d_3U0+#F0A4N(P)H%&e)fL2~aD|5EwrJ<4zwL zrxpcs)(9&$;V@22)w#ze@eX9WnL6y6(bm{;`c0h`j-GO56}To{cFWHw3iQ{4s4{8>X<&G$928IyC^YY7PsscZ{7oK6a8G;0c*LaKzaZM8E*B-k;yR!a<5t$-mH^xMU+DdD0$;kz5utFW9!vfcaVEhbK~|eOP&H@>>75> zZOk?7t6gb9B)F%As2nq=oL*ZAVOiJ`x@bAnkvrD1Ww%ew`6^9^))fGMZw%HbbLf`P zz10)Jx3JK?gf%6%yZ1*a-tT8S>TDL&3fh+AfN;xmz02+W zk^3JCr!p6S`!8v^7{IQlhnuQDD*Kr!gLg1a}9tk zNOIP7{iUWae2KKj#+uC8m(yyw{N(#7bd7JFv_S?LWRO7y8Dx+_1{q|KK?WIQkR9ZI Lf7kta04M+eXHn4k literal 0 HcmV?d00001 
diff --git a/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6bd1997fe99db22e375c57a81a70bec4e7ebe106 GIT binary patch literal 2405 zcmV-r37YmFiwFP!000001MOSuSKB%g=TGtGQ+o~xlKjqoS=!QDTIdtnOPAdoSso<@ z#}2X`pq&2icVs&cXn=$Q?LF7SBeA5+d&bf)i7Jw_HWvc2tgYarfGo$yaRjIBL7L?d zwg+4#)vSPMlxG`js}ezSZCgK5*CzENEyrtGqc)?CMI75^YlKm}Tr=#ICEbCFEa%EF z)-nigTzA|2-;_EVosIwOq)C4#N{$~$h7Pb}S(A8QeI#t|c{z^Zcg;0p=YjOOM3eZd zG|g{Xcia5ml+^0=pA9&(ovv-t!1Nsn+%*}oP2$_84>mV}G1s-h^g>&Dz$N&hq=C;Y z)3-b-Z02$%P0~5a(&Sg0|Bt7~h<{oCgk0DEZ3}zD<^JzFj=N@%$8f+uy#HUcGBJQ5 zZ*^Nb6*_g4J7d~fZ$%*v-&46GJE4GMM)i1(Y#Curn>cM|?h&hNq5!YsIo4Objwfjn z2_8q^cpjz6Row)&l3KwmD?qin7p?q!1h}rsS)4g8b&pfz(hbrg$+EVc(k3_r7 zddAvX3F1(X`V2D z=c_M1oql>1!$|Z5Y`qD^_-yp~4>NVcFX6jw{-XW%KpykcKeqpjw>M8n@ji@SF>lM= zr(l2E`LGH6xOj0k=6eVJcIc|-n_7!7>SLMDEDKCRgeN^4LemQZ2lrp#n-2Gd%UtQ( z%mNpr!yHEZ!1W~eL*@h|@I4AR5SbXA5Js7PO{q<5X1$)M&h(%~@5hbS#;b^rT69N|SiNL7@VZsa0Q zRqwJW?G6!*csv!Rles$`?v^>PrRUKQw2;0|dd;PjfkugR1asF@k-ZUaa^(C>j*ckm z8oX$YxYF*NtuHl8ia0Jkl|f!{sK!uo4r*Alf<&fDfHt*crBWHi@MCDS((UXRV#w2^ zJ^w20^AJ6P%FG)Bc`=&1&Vj2iJ)JH2J}JAnUJ-(bGGwAJFQ!+$vR~lUG&~rcK^h6| zbM#lDlROy}I#3ri!+Eh>^&y{kNIDv&Dld}SPg8Ycn3^#46MAEmX4o0)63`ARlpaFi z?@+i=d&Wr85R93IG4vxG=ep`zJ3899`F$^zZRMP4~gKbfgCov&+R-X}+RvyCKn_DM!% z#c;^gd6mSaftC8Bm?sG+W5Vo`?zlS%vC+&@SQk>9W@THg1aXCOv|iICI-5ma#e9L* zm}WyAXiQ=?uGCv^EsDm+BB^ympN_5z#m7t5%z|;sGlPd%^4g~09L)lwtXE^!K^BDO zqE%l^@)Q%MTmxrO>GK@#t5s>CC!%(qrm>;tGNa}u(Jkj?37r%X)={gQs{+0+8}n(H zwn|e_`Gr21X&GR*#O|FfseFM8TVq@!qw?y`CBsp}OO|U(v$Rl` zSk8)e((kUO&0Jz(tB5j8f~ek+=!sHS+|=MfrYCfA{%G8C>aEx8ZrK`rFU(=3GjXyU@?f|5N~lclk-GW zH;`YwM}J6a@Sg_%x!d_4gyVUVNLz;7rZye}34m`COOnv#p$vH7fwU}MJz#>` zp5+l{hE^aN{O5O|$B6&R_>W0U$7=AO$DpP0pPw!FrSKn08~kU2|Ga1E`CxCGrlZ&H z3(tJ{Z0{gA-rpsO>Fk=LcPELLJhRpAKD6Jx+C77lO%TtWy?7uz>Ac%b2491ZJ1?@c 
zeHM%TukqO3fAi(dv;HFdhx)eVg&`B1qFutK5(CP7n+Y`7aadrQzI20tdxE<+>eYRlq3^}epbe||e^@Sg_%x!d{QHv?jtp&NLNQ)b!RbqNbi;yK_GCIqv5 z%1sXh9uO@Dj}RsvFC07{aq2ldkPZIxJJ6%V|3>_W;vIut{rrz@(FXr{3|boh`Pp(` z2LJJ?)8Ic7{6{^1bt3oJC;nC(owQ#j&eu0@zrkrd<}aRo{v4&_bjvz>Z?ZqLb88SC zn6EAR%5;i-*9%qb?(;93!`C7>JJ{T{o`2YL+GktGFQ0u_g#QTc_=H+445Z2YkXo*Z z9&sd3X*9gm=JyEYG)y89IWppTU0?u~`ZKS;XKW z@Siz34gS;MKMnrV;6DxibLFTnId+7*9`toL>27RnSs*3*A$uGiE550k^BWZN~C=2~*(IhKwZ>iraKmp#mQ^0@x$GXLpR zm&X)MNtcnS=oYnjVSe?R&A`eNJe;SG`nw%yCStV_T5a-D7W@ZsMDw%yA&2$ud_G2Q@wb+I+n XP(uwh)KEhW{RZ?G9U*Kq08jt`79P>I literal 0 HcmV?d00001 diff --git a/skills/access-request-review/evidence/hosted-harness-verification.json b/skills/access-request-review/evidence/hosted-harness-verification.json new file mode 100644 index 00000000..842ac46e --- /dev/null +++ b/skills/access-request-review/evidence/hosted-harness-verification.json @@ -0,0 +1,29 @@ +{ + "receipt_dir": "/tmp/runx-access-request-review-hosted-harness-receipts", + "signature_mode": "production", + "trees": [ + { + "root_receipt_id": "sha256:531b396fea73205309539e5a3e22775e38d5f8eafe9df1b92439481c527a2f30", + "receipt_count": 1, + "parent_missing": null, + "valid": true, + "findings": [] + }, + { + "root_receipt_id": "sha256:93b033d7b82a1245a7702d3086e902cc2491a38ecf0d463393a11689aa186abf", + "receipt_count": 1, + "parent_missing": null, + "valid": true, + "findings": [] + }, + { + "root_receipt_id": "sha256:ec688f0f5fda515e220ee9504f0d7adfbab8ef510b22a3298e2c15848023d4bc", + "receipt_count": 1, + "parent_missing": null, + "valid": true, + "findings": [] + } + ], + "unreadable_files": [], + "valid": true +} diff --git a/skills/access-request-review/evidence/hosted-harness-verification.stderr.txt b/skills/access-request-review/evidence/hosted-harness-verification.stderr.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/skills/access-request-review/evidence/hosted-harness.json b/skills/access-request-review/evidence/hosted-harness.json
new file mode 100644
index 00000000..29822110
--- /dev/null
+++ b/skills/access-request-review/evidence/hosted-harness.json
@@ -0,0 +1,17 @@
+{
+ "status": "passed",
+ "case_count": 3,
+ "assertion_error_count": 0,
+ "assertion_errors": [],
+ "case_names": [
+ "least-privilege-grant-proposal",
+ "deny-for-disallowed-resource",
+ "missing-justification-fails-closed"
+ ],
+ "receipt_ids": [
+ "sha256:ec688f0f5fda515e220ee9504f0d7adfbab8ef510b22a3298e2c15848023d4bc",
+ "sha256:531b396fea73205309539e5a3e22775e38d5f8eafe9df1b92439481c527a2f30",
+ "sha256:93b033d7b82a1245a7702d3086e902cc2491a38ecf0d463393a11689aa186abf"
+ ],
+ "graph_case_count": 0
+}
diff --git a/skills/access-request-review/evidence/hosted-harness.stderr.txt b/skills/access-request-review/evidence/hosted-harness.stderr.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/skills/access-request-review/evidence/hosted-verification.json b/skills/access-request-review/evidence/hosted-verification.json
new file mode 100644
index 00000000..7b8fbc3a
--- /dev/null
+++ b/skills/access-request-review/evidence/hosted-verification.json
@@ -0,0 +1,15 @@
+{
+ "receipt_dir": "/tmp/runx-access-request-review-hosted-dogfood-receipts",
+ "signature_mode": "production",
+ "trees": [
+ {
+ "root_receipt_id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21",
+ "receipt_count": 1,
+ "parent_missing": null,
+ "valid": true,
+ "findings": []
+ }
+ ],
+ "unreadable_files": [],
+ "valid": true
+}
diff --git a/skills/access-request-review/evidence/hosted-verification.stderr.txt b/skills/access-request-review/evidence/hosted-verification.stderr.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/skills/access-request-review/evidence/registry-publish.json b/skills/access-request-review/evidence/registry-publish.json
new file mode 100644
index 00000000..50126c23
--- /dev/null
+++ b/skills/access-request-review/evidence/registry-publish.json
@@ -0,0 +1,20 @@
+{
+ "status": "success",
+ "registry": {
+ "action": "publish",
+ "publish": {
+ "target": "hosted",
+ "status": "published",
+ "skill_id": "lubuseb/access-request-review",
+ "owner": "lubuseb",
+ "name": "access-request-review",
+ "version": "sha-fefdaf21eb13",
+ "digest": "64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
+ "profile_digest": "74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5",
+ "trust_tier": "community",
+ "install_command": "runx add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai",
+ "run_command": "runx skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai",
+ "public_url": "https://runx.ai/x/lubuseb/access-request-review"
+ }
+ }
+}
diff --git a/skills/access-request-review/evidence/registry-publish.stderr.txt b/skills/access-request-review/evidence/registry-publish.stderr.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/skills/access-request-review/evidence/registry-read.json b/skills/access-request-review/evidence/registry-read.json
new file mode 100644
index 00000000..885708ba
--- /dev/null
+++ b/skills/access-request-review/evidence/registry-read.json
@@ -0,0 +1,50 @@ +{ + "status": "success", + "registry": { + "action": "read", + "source": "remote", + "ref": "lubuseb/access-request-review@sha-fefdaf21eb13", + "skill": { + "skill_id": "lubuseb/access-request-review", + "owner": "lubuseb", + "name": "access-request-review", + "description": "Review a bounded access request against policy and emit a least-privilege grant proposal or denial.", + "category": "security", + "version": "sha-fefdaf21eb13", + "digest": "64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83", + "markdown": "---\nname: access-request-review\ndescription: Review a bounded access request against policy and emit a least-privilege grant proposal or denial.\nsource:\n type: cli-tool\n command: node\n args:\n - run.mjs\n input_mode: stdin\n cwd: .\n timeout_seconds: 30\ninputs:\n access_request:\n type: json\n required: true\n description: Request packet with requester, requested resource, requested action, business justification, and optional ticket metadata.\n policy:\n type: json\n required: true\n description: Access policy with allowed roles, resources, actions, TTL caps, approval rules, and escalation rules.\n current_entitlements:\n type: json\n required: true\n description: Current role and grant state for the requester.\n objective:\n type: string\n required: false\n description: Optional operator intent for the review.\nrunx:\n category: security\n input_resolution:\n required:\n - access_request\n - policy\n - current_entitlements\n---\n\n# access-request-review\n\nUse this skill when an operator needs a bounded access decision before a\nhuman-approved one-time grant. 
The skill compares a request, the governing\npolicy, and current entitlements, then returns `grant`, `deny`, or\n`needs_human_review`.\n\nThe skill never creates access, calls identity providers, sends approval\nmessages, stores credentials, or widens authority outside the supplied policy.\nWhen access is allowed it emits a least-privilege grant proposal with a bounded\nTTL, exact scope, approval gate, and evidence citations.\n\n## Inputs\n\n- `access_request`: requester id, role, action, resource, requested scope,\n justification, ticket id, and optional requested TTL.\n- `policy`: allowed roles, resources, actions, maximum TTL, denied resources,\n sensitive resources, required approvals, and break-glass rules.\n- `current_entitlements`: current grants and group/role state for the requester.\n- `objective`: optional operator intent.\n\n## Output\n\nThe runner returns JSON with:\n\n- `decision_packet`: typed decision packet.\n- `grant_proposal`: one-time proposal when the decision is `grant`.\n- `evidence_json`: compact review evidence for external verification.\n- `report`: human-readable review summary.\n\nDecisions are deterministic and fail closed when request, policy, or entitlement\nfacts are missing.", + "profile_digest": "74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5", + "runner_names": [ + "default" + ], + "source_type": "cli-tool", + "trust_tier": "community", + "required_scopes": [], + "tags": [], + "publisher": { + "kind": "user", + "id": "user_53f00ae7ec2363e37ac6ff68", + "handle": "lubuseb", + "display_name": "LubuSeb" + }, + "attestations": [ + { + "kind": "publisher", + "id": "publisher:user_53f00ae7ec2363e37ac6ff68", + "status": "declared", + "summary": "LubuSeb", + "issued_at": "2026-06-23T04:36:54.410Z", + "metadata": { + "publisher_display_name": "LubuSeb", + "publisher_handle": "lubuseb", + "publisher_id": "user_53f00ae7ec2363e37ac6ff68", + "publisher_kind": "user", + "trust_tier": "community" + } + } + ], + 
"install_command": "runx add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai", + "run_command": "runx skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai" + } + } +} diff --git a/skills/access-request-review/evidence/registry-read.stderr.txt b/skills/access-request-review/evidence/registry-read.stderr.txt new file mode 100644 index 00000000..e69de29b diff --git a/skills/access-request-review/evidence/report.md b/skills/access-request-review/evidence/report.md new file mode 100644 index 00000000..7971e964 --- /dev/null +++ b/skills/access-request-review/evidence/report.md 
@@ -0,0 +1,23 @@
+# access-request-review delivery report
+
+- Package: `lubuseb/access-request-review@sha-fefdaf21eb13`.
+- Public registry URL: `https://runx.ai/x/lubuseb/access-request-review@sha-fefdaf21eb13`.
+- Source PR: `https://github.com/runxhq/runx/pull/123`.
+- `runx-cli 0.6.13` was used for publish, registry read, clean install, harness, dogfood, and receipt verification.
+- Local harness passed three cases: `least-privilege-grant-proposal`, `deny-for-disallowed-resource`, and `missing-justification-fails-closed`.
+- Hosted clean install succeeded with `runx add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai`.
+- Harness from the clean installed package passed the same three cases and all hosted harness receipts verified.
+- Hosted dogfood produced sealed receipt `runx:receipt:sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21`.
+- `runx verify` returned `valid=true` and no findings for the dogfood receipt.
+- The runner emits a bounded `one_time_grant_proposal` only when the request matches role, action, resource, scope prefix, TTL, and approval-gate policy.
+- The implementation is read-only: it reads the provided JSON request, policy, and entitlements, computes deterministically in memory, requires no credentials, performs no network/provider calls, and emits structured stdout.
+
+Reproduce:
+
+```bash
+runx add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai
+runx registry read lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --json
+runx harness ./access-request-review --json
+runx skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --input-json access_request='' --input-json policy='' --input-json current_entitlements='' --json
+runx verify --receipt-dir /tmp/runx-access-request-review-hosted-dogfood-receipts --json
+```
From 37964fbf195946335e3c039ce6c3251c326d8045 Mon Sep 17 00:00:00 2001
From: LubuSeb <187313664+LubuSeb@users.noreply.github.com>
Date: Tue, 23 Jun 2026 06:41:03 +0200
Subject: [PATCH 3/5] Add dogfood summary to access request evidence
---
.../access-request-review/evidence/evidence.json | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/skills/access-request-review/evidence/evidence.json b/skills/access-request-review/evidence/evidence.json
index 56dc3f98..6bc2c567 100644
--- a/skills/access-request-review/evidence/evidence.json
+++ b/skills/access-request-review/evidence/evidence.json
@@ -24,6 +24,22 @@
 "verify_verdict": "valid",
 "signature_mode": "production"
 },
+ "dogfood": {
+ "command": "runx skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json",
+ "receipt_ref": "runx:receipt:sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21",
+ "verification_json": "hosted-verification.json",
+ "decision": "grant",
+ "least_privilege_scope": "logs.read:prod/payments/service-a",
+ "ttl_minutes": 120,
+ "approval_gate": "human_approval_required",
+ "execution_status": "proposal_only",
+ "safeguards": [
+ "does not issue access",
+ "does not call identity providers",
+ "does not move secrets",
+ "requires human approval for the one-time grant proposal"
+ ]
+ },
 "observations": [
 {
 "name": "published_registry_package",
From 9a83cb881250d42f28e62588aaedf24f58c67d74 Mon Sep 17 00:00:00 2001
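Review bot: The recorded dogfood `command` carries empty input values (`--input-json access_request= --input-json policy= --input-json current_entitlements=`), so this evidence block cannot reproduce the `grant` decision or tie the cited `receipt_ref` back to what was actually reviewed. The runner's own output already exposes `request_digest`, `policy_digest` and `entitlement_digest` under `evidence_json.observations` (see the dogfood-output hunks in this series), so record those next to the receipt, e.g. `"input_digests": { "request": "sha256:42e9ee73…", "policy": "sha256:fed71a99…", "entitlements": "sha256:39f79314…" }`, or reference the fixture documents that were fed in. Without that, a verifier can confirm the receipt signature via `hosted-verification.json` but not that the sealed decision was computed from the inputs the safeguards list claims were reviewed.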
From: LubuSeb <187313664+LubuSeb@users.noreply.github.com>
Date: Tue, 23 Jun 2026 06:57:24 +0200
Subject: [PATCH 4/5] Fix access request review delivery evidence
---
skills/access-request-review/SKILL.md | 3 +-
skills/access-request-review/X.yaml | 1 +
.../evidence/clean-install.json | 24 ++---
.../evidence/dogfood-output.json | 83 +++++++++++++---
.../evidence/dogfood-receipts-linux.tgz | Bin 1504 -> 1501 bytes
.../evidence/evidence.json | 79 ++++++++++++----
.../evidence/hosted-dogfood-output.json | 89 ++++++++++++++----
.../hosted-dogfood-receipts-linux.tgz | Bin 1509 -> 1508 bytes
.../hosted-harness-receipts-linux.tgz | Bin 2405 -> 2405 bytes
.../evidence/hosted-harness-verification.json | 6 +-
.../evidence/hosted-harness.json | 6 +-
.../evidence/hosted-verification.json | 2 +-
.../evidence/local-harness-receipts-linux.tgz | Bin 2397 -> 2396 bytes
.../evidence/local-harness-verification.json | 6 +-
.../evidence/local-harness.json | 6 +-
.../evidence/registry-publish.json | 10 +-
.../evidence/registry-read.json | 16 ++--
.../access-request-review/evidence/report.md | 14 +--
.../evidence/verification.json | 2 +-
skills/access-request-review/run.mjs | 24 ++++-
20 files changed, 278 insertions(+), 93 deletions(-)
diff --git a/skills/access-request-review/SKILL.md b/skills/access-request-review/SKILL.md
index 5e73361b..e57b38ce 100644
--- a/skills/access-request-review/SKILL.md
+++ b/skills/access-request-review/SKILL.md
@@ -45,7 +45,7 @@ policy, and current entitlements, then returns `grant`, `deny`, or
 The skill never creates access, calls identity providers, sends approval
 messages, stores credentials, or widens authority outside the supplied policy.
 When access is allowed it emits a least-privilege grant proposal with a bounded
-TTL, exact scope, approval gate, and evidence citations.
+TTL, exact scope, approval gate, escalation lane, and evidence citations.
 ## Inputs
@@ -62,6 +62,7 @@ The runner returns JSON with:
 - `decision_packet`: typed decision packet.
 - `grant_proposal`: one-time proposal when the decision is `grant`.
+- `escalation`: human approval or denial escalation lane for the request.
 - `evidence_json`: compact review evidence for external verification.
 - `report`: human-readable review summary.
diff --git a/skills/access-request-review/X.yaml b/skills/access-request-review/X.yaml
index c86c8a45..ae50dad3 100644
--- a/skills/access-request-review/X.yaml
+++ b/skills/access-request-review/X.yaml
@@ -157,6 +157,7 @@ runners:
 outputs:
 decision_packet: object
 grant_proposal: object
+ escalation: object
 evidence_json: object
 report: string
 artifacts:
diff --git a/skills/access-request-review/evidence/clean-install.json b/skills/access-request-review/evidence/clean-install.json
index 501ec036..59dcfda1 100644
--- a/skills/access-request-review/evidence/clean-install.json
+++ b/skills/access-request-review/evidence/clean-install.json
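Review bot: `escalation: object` is declared as an unconditional runner output, but every piece of evidence in this series shows it populated only on the `grant` path (dogfood decision `grant`, lane `human_approval_required`); whether the `run.mjs` change listed in the diffstat (not visible here) emits it for `deny` and `needs_human_review` is not established. SKILL.md describes the field as the "human approval or denial escalation lane", so the `deny-for-disallowed-resource` and `missing-justification-fails-closed` harness cases should assert on `escalation.required` and `escalation.lane` rather than only on `decision`, otherwise a missing lane on the denial path is silently consumed as an absent key while the declared schema still says `object`. If the field is intentionally omitted for some decisions, say so at the declaration, e.g. `escalation: object  # which decisions populate this — confirm against run.mjs`.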
@@ -3,41 +3,41 @@
 "registry": {
 "action": "install",
 "source": "remote",
- "ref": "lubuseb/access-request-review@sha-fefdaf21eb13",
+ "ref": "lubuseb/access-request-review@sha-844f75658a9f",
 "install": {
 "status": "installed",
- "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/SKILL.md",
+ "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/SKILL.md",
 "skill_name": "access-request-review",
 "source": "runx-registry",
 "source_label": "runx registry",
 "skill_id": "lubuseb/access-request-review",
- "version": "sha-fefdaf21eb13",
- "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
- "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5",
- "profile_state_path": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/.runx/profile.json",
+ "version": "sha-844f75658a9f",
+ "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59",
+ "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e",
+ "profile_state_path": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/.runx/profile.json",
 "runner_names": [
 "default"
 ],
 "trust_tier": "community"
 },
 "receipt_metadata": {
- "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-fefdaf21eb13/SKILL.md",
- "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83",
+ "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/SKILL.md",
+ "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59",
 "install_count": 1,
- "package_digest": "fb9e74d2f776897866e5a6e431c5e94da782ede2ef0451d31a3e39494618c5cf",
- "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5",
+ "package_digest": "4dadabe78e9b528dd7b256eaf9bbefb7a272e4c0e1edc401ec6de2f9758d858a",
+ "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e",
 "publisher": {
 "display_name": "LubuSeb",
 "handle": "lubuseb",
 "id": "user_53f00ae7ec2363e37ac6ff68",
 "kind": "user"
 },
- "ref": "lubuseb/access-request-review@sha-fefdaf21eb13",
+ "ref": "lubuseb/access-request-review@sha-844f75658a9f",
 "skill_id": "lubuseb/access-request-review",
 "source_label": "runx registry",
 "status": "installed",
 "trust_tier": "community",
- "version": "sha-fefdaf21eb13"
+ "version": "sha-844f75658a9f"
 }
 }
 }
diff --git a/skills/access-request-review/evidence/dogfood-output.json b/skills/access-request-review/evidence/dogfood-output.json
index f141f2c6..c3398c46 100644
--- a/skills/access-request-review/evidence/dogfood-output.json
+++ b/skills/access-request-review/evidence/dogfood-output.json
@@ -1,6 +1,6 @@
 {
 "closure": {
- "closed_at": "2026-06-23T04:33:57.734Z",
+ "closed_at": "2026-06-23T04:56:31.382Z",
 "disposition": "closed",
 "reason_code": "process_closed",
 "summary": "cli-tool default completed"
@@ -12,6 +12,12 @@
 "action": "read",
 "approval_gate": "human_approval_required",
 "decision": "grant",
+ "escalation": {
+ "lane": "human_approval_required",
+ "reason": "one-time grant proposal requires human approval before any access is issued",
+ "required": true,
+ "ticket_id": "INC-2042"
+ },
 "evidence_refs": [
 "request:req-2026-06-23-001",
 "policy:access-policy-demo-v1",
@@ -38,6 +44,12 @@
 "subject_id": "user-17",
 "ttl_minutes": 120
 },
+ "escalation": {
+ "lane": "human_approval_required",
+ "reason": "one-time grant proposal requires human approval before any access is issued",
+ "required": true,
+ "ticket_id": "INC-2042"
+ },
 "evidence_json": {
 "artifact": "access-request-review",
 "observations": {
@@ -46,6 +58,13 @@
 "current_grant_count": 1,
 "decision": "grant",
 "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7",
+ "escalation": {
+ "lane": "human_approval_required",
+ "reason": "one-time grant proposal requires human approval before any access is issued",
+ "required": true,
+ "ticket_id": "INC-2042"
+ },
+ "escalation_path": "human_approval_required",
 "evidence_refs": [
 "request:req-2026-06-23-001",
 "policy:access-policy-demo-v1",
@@ -90,15 +109,21 @@
 "ticket_id": "INC-2042",
 "ttl_minutes": 120
 },
- "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs."
+ "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs."
}, "stderr": "", - "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": \"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n \"policy_id\": 
\"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", + "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": 
\"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires human approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires human 
approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires human approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"escalation_path\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: human_approval_required\\nEscalation: 
human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", "structured_output": { "decision_packet": { "action": "read", "approval_gate": "human_approval_required", "decision": "grant", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", @@ -125,6 +150,12 @@ "subject_id": "user-17", "ttl_minutes": 120 }, + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_json": { "artifact": "access-request-review", "observations": { @@ -133,6 +164,13 @@ "current_grant_count": 1, "decision": "grant", "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, + "escalation_path": "human_approval_required", "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -177,7 +215,7 @@ "ticket_id": "INC-2042", "ttl_minutes": 120 }, - "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." } }, "payload": { @@ -185,6 +223,12 @@ "action": "read", "approval_gate": "human_approval_required", "decision": "grant", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -211,6 +255,12 @@ "subject_id": "user-17", "ttl_minutes": 120 }, + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_json": { "artifact": "access-request-review", "observations": { @@ -219,6 +269,13 @@ "current_grant_count": 1, "decision": "grant", "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, + "escalation_path": "human_approval_required", "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -263,14 +320,14 @@ "ticket_id": "INC-2042", "ttl_minutes": 120 }, - "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." }, "receipt": { "acts": [ { "artifact_refs": [], "closure": { - "closed_at": "2026-06-23T04:33:57.734Z", + "closed_at": "2026-06-23T04:56:31.382Z", "disposition": "closed", "reason_code": "process_exit", "summary": "cli-tool exited successfully" 
@@ -325,7 +382,7 @@ "terms": [] }, "canonicalization": "runx.receipt.c14n.v1", - "created_at": "2026-06-23T04:33:57.734Z", + "created_at": "2026-06-23T04:56:31.382Z", "decisions": [ { "artifact_refs": [], @@ -353,8 +410,8 @@ "selected_harness_ref": null } ], - "digest": "sha256:e23e5164c906d73bb1383d24f14eba0aeed003232677627740150a444fb43df7", - "id": "sha256:fc425c86f5c9340c8e2fa38bac0c5ad88ccb01489a5cb9cf7cfafcc88ccbff0e", + "digest": "sha256:cc90a797df2cb4fe9be28fd25690f3e9e1a43b4740f1840272c8a79d501dba71", + "id": "sha256:a4ba985040f3e89d93c2ac2b11ffc5f916d172fb878ec34d3484270958df7428", "idempotency": { "content_hash": "sha256:run_default_8e438e086dc8-default-content", "intent_key": "sha256:run_default_8e438e086dc8-default-intent", @@ -371,7 +428,7 @@ }, "schema": "runx.receipt.v1", "seal": { - "closed_at": "2026-06-23T04:33:57.734Z", + "closed_at": "2026-06-23T04:56:31.382Z", "criteria": [ { "criterion_id": "process_exit", @@ -382,14 +439,14 @@ } ], "disposition": "closed", - "last_observed_at": "2026-06-23T04:33:57.734Z", + "last_observed_at": "2026-06-23T04:56:31.382Z", "reason_code": "process_closed", "summary": "cli-tool default completed" }, "signals": [], "signature": { "alg": "Ed25519", - "value": "base64:IPrUVe8iFzP-IXATGMrUFdDzcc0qPFnVougfSw53RGrSsDS3IlTkOOKbIDtwNFy6752Pi5kWhDwjWuv6BPxZBg" + "value": "base64:izf_-fgxEdZpLGTEt0tzYgpHC0rXLPvCxpHtbs0IEomzxV4p9uBBEuojIWFhIggqk9Oe6QaPxZur0ytM5S3gCw" }, "subject": { "commitments": [], @@ -400,7 +457,7 @@ } } }, - "receipt_id": "sha256:fc425c86f5c9340c8e2fa38bac0c5ad88ccb01489a5cb9cf7cfafcc88ccbff0e", + "receipt_id": "sha256:a4ba985040f3e89d93c2ac2b11ffc5f916d172fb878ec34d3484270958df7428", "run_id": "run_default_8e438e086dc8", "schema": "runx.skill_run.v1", "skill_name": "access-request-review", 
diff --git a/skills/access-request-review/evidence/dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/dogfood-receipts-linux.tgz index 7d4131b9cefcdc838de204bd647f82c876a2562c..0cd291213ab9764474bbf723781b3264185e837b 100644 GIT binary patch literal 1501 zcmV<31tR(%iwFP!000001MOFBZ`(Ey&QB5aIZi2Aul_W&$kqZG+I7WVIt&6uon$t$ zsFGA-C&+)_k&@riq=}0*MKN7~$Req`=kA_6lCo=-6UrDUHIeYK1EukK!QpaJh^iE# zz*h#m)#};N7Yad%!_YjvI3&Z^{Afa=i9dZuf*Bf^dMDGwe{a^&Ml_t! znqN`PMROY)^MYmos8k2ion5{Y{oV;cNg)nOT6#JDks$ZuB2JPVz%L4tCO!#$S|%y= zC`?H{^%KAJs2AiUCUFvb?#;2Qc-2tdNidLUU7_~V!Vg0)McWs&?u-vPRS*R;epP0Z zvRa-N@7uFq-koZqul}yumoJF?>+H?Ni)H&#=Zd^K6^pCoA3>XT&!3-m;=`*yf1bap zs*mUCYlwcMZh0amBa5?o(|#4BO80WnAM8{?sOnTPqmztbmeswayXjhdd^Oo6ufp44iV0Pw$GZS-+S7S)tw4F)R z^`LOqER_}L-GGR;6;gN25T^~?8a6I$;)Ky?g~HA_lz<6PC(RHVe~reSAu>)Q3UIav zYp6JmQ&V;BnMu5Z*>2|!EP-{#jx%iPP&j(dl~v%HblELGW0*&foc8FD`ASR52RfQq zNq&L2N+}itL3~U|QRdh!v3sjWg70vl zdx2|8Zg=lbQhYqj_SD%es139|#}VP4=f+bdI=QEETeRzbcbhgl#KKm=6_S7tClWJZ zvErcy?=u-QjD7-AAh&DY0Ih6-*__t}ZgGQ>Rm1uXuI%=e)RnmyTWMOApgEYO1`y86BliYVl{q{MN%_oX3h*r+48Fqp%j!FN%+`;()he!a5*Z)v=XAk zR|>4r>dC=3iieWMv3dGw?DbFIj`wol$AO zuDfsk7nP$YM^AoxA^7wKe`30Kx#0PJ;spoJiywq%M^^clLg=rp zyKnv%6}d7a25@rRV9*s$vWt0}4A7x__(_&1klvbpo z)Q(q`2S?{h@SpAXAe}r${%!qx-d+7aj<7fE^#9O|9ys1(1mJ((|F2y|XRsjd#5Ghn z>XUtR;k$<}D{=TcRXwVs5{QN}CmPiTUXYBuWE6yNyl4`JlQ=y}!{~!qN4VgOlA3)Y znhE|nHtI*b2dGpF(w$tpdf5Q3n+b&$aAt0?*8;Un3ej@CEQlOcl5oxF$g(~NMh1kJ z_?bUO-o^M?(-t+O`5cyc=l3Q6q#}?;=#*dJ&x?v6Ez>M30D`jg##!LS0jbb`pFrpp zVUPutPyDFxQZLO?-@Q3>6`OLRTL}g-si&y@SsBE!KStXZq;8E51yPVhlhZT#_8nyG zbrQR;m>JK^s{JFQ+{#^I~y^0hjC9iG;2<}Y9VQJfy@%fC*R zNg4-dES|rg9bcZmZ!eOkXICGdP7R8ZO|i^3otlFxG!m>&&Q((~u4V*5GYmDPxZNj**f-%oas7PDuJcB6A zz{`@7W}|*^)P01?v}DsM$h=}4AC1I`J=FAH8y<-c#*C=h9t!%;Y`)s!9H=%f%^A1V zFlTj*x+PTGv?G#Z2gUJLGV?BZewUrqpwUmoV!`wRttof%&%ZcAT0IkzX&XjDwUGI) zDH9IL8d9%~88T1S!xPJSV_mZa7$Z|ddZWeKK&Pl^VC#KtGH>vZQ*F;^3`E=4;I-Qj zX~MZ#Z;|n~u5F|g=uSg7hL$zRMXw5YB_svos#PUL#cKF6H3sxZ&7lS@_-Okp6Y~-y 
zf?&3t0o^uR?;40K#pPzn&8qC`enknCDO6%!uh(z6?HBmAP7h{hCKxp_$9Qo=a^AEi zQP;h~ZL>s9L2m~{G>wqD<$aviaBEn*u#OW(qY(-_V_yO$K&>=GX#6D_clyXUT$JE! z5Y{kdI8IE}xi3uO9n5w!bKnYSYwS4vrVgc}XG~cIu1S~O@^gxL1j$H;4wI!~%lR#+k!A~%Xe6<`=-?f?w`Jp1 z%X^F%)8?*JyxQ?*lZ;EE98zM*8=s0Lx&@A{S7*~fZb{9x+rO-MiiELi;ELIpYus16 z(!xlvkrtwM%$#z1Z54)PX-nv1%dn2ziIy$gJT&L)G(EGfAoyEjut8a1x5VzP9tgh0 zh3*BeshHipzew?6Kig4fyP($4b{t29JDwX)m1yOT%1zO(`rYTW*&-IU3Z{?*tUr;M z35yjEHF%%NsUhc=&OHp?VXy9sk0XO8$_03PSz|Y1(h}VHI2r|4ynG)rA`i8FS zuQYw --input-json policy= --input-json current_entitlements= --json", - "receipt_ref": "runx:receipt:sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "command": "runx skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json", + "package": "lubuseb/access-request-review@sha-844f75658a9f", + "input": "fixtures/grant-request.json", + "receipt_ref": "runx:receipt:sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", "verification_json": "hosted-verification.json", + "verify_verdict": "valid", + "harness_cases": [ + { + "name": "least-privilege-grant-proposal", + "status": "sealed" + }, + { + "name": "deny-for-disallowed-resource", + "status": "sealed" + }, + { + "name": "missing-justification-fails-closed", + "status": "refused" + } + ], "decision": "grant", "least_privilege_scope": "logs.read:prod/payments/service-a", "ttl_minutes": 120, "approval_gate": "human_approval_required", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "execution_status": "proposal_only", "safeguards": [ "does not issue access", 
@@ -41,10 +64,16 @@
 ]
 },
 "observations": [
+ {
+ "name": "runx_version",
+ "status": "passed",
+ "detail": "npx --yes @runxhq/cli@latest --version returned: runx-cli 0.6.13",
+ "evidence_ref": "runx-version.txt"
+ },
 {
 "name": "published_registry_package",
 "status": "passed",
- "detail": "runx registry publish completed successfully for lubuseb/access-request-review@sha-fefdaf21eb13 on https://api.runx.ai.",
+ "detail": "runx registry publish completed successfully for lubuseb/access-request-review@sha-844f75658a9f on https://api.runx.ai.",
 "evidence_ref": "registry-publish.json"
 },
 {
@@ -56,13 +85,19 @@
 {
 "name": "clean_install",
 "status": "passed",
- "detail": "runx add installed lubuseb/access-request-review@sha-fefdaf21eb13 into a clean directory.",
+ "detail": "runx add installed lubuseb/access-request-review@sha-844f75658a9f into a clean directory.",
 "evidence_ref": "clean-install.json"
 },
 {
 "name": "hosted_harness",
 "status": "passed",
- "detail": "The installed registry package passed least-privilege grant, deny, and fail-closed harness cases.",
+ "detail": "The installed registry package passed least-privilege grant, deny, and fail-closed harness cases: least-privilege-grant-proposal=sealed, deny-for-disallowed-resource=sealed, missing-justification-fails-closed=refused.",
+ "evidence_ref": "hosted-harness.json"
+ },
+ {
+ "name": "harness_case_names",
+ "status": "passed",
+ "detail": "Harness cases: least-privilege-grant-proposal=sealed; deny-for-disallowed-resource=sealed; missing-justification-fails-closed=refused.",
 "evidence_ref": "hosted-harness.json"
 },
 {
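Review bot: The new `harness_case_names` observation in the second hunk restates the case list that the updated `hosted_harness` detail already carries, against the same `hosted-harness.json` evidence ref, so the record now states the same fact twice in free text; the structured `harness_cases` array added near the top of this file already holds the same name/status pairs and is the form a consumer should read. The same duplication appears in the next hunk, where `receipt_id` repeats the digest already in `dogfood_receipt_verified`. Dropping the two free-text duplicates, or pointing them at the structured fields, would keep one source of truth for each claim. Giving a bare identifier observation `"status": "passed"` also reads as a check that was performed; if the observation is kept, a detail that says what was checked (e.g. that the id matches `receipt_ref`) would make the status meaningful.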
@@ -71,10 +106,22 @@
 "detail": "Hosted dogfood emitted a grant proposal with a bounded TTL and human approval gate, without issuing access.",
 "evidence_ref": "hosted-dogfood-output.json"
 },
+ {
+ "name": "escalation_path",
+ "status": "passed",
+ "detail": "Dogfood grant proposal escalates to human_approval_required and remains proposal-only; the skill never issues live access.",
+ "evidence_ref": "hosted-dogfood-output.json"
+ },
 {
 "name": "dogfood_receipt_verified",
 "status": "passed",
- "detail": "runx verify accepted receipt sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21 with no findings.",
+ "detail": "runx verify accepted receipt sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458 with no findings.",
+ "evidence_ref": "hosted-verification.json"
+ },
+ {
+ "name": "receipt_id",
+ "status": "passed",
+ "detail": "Post-publish dogfood receipt id: sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458.",
 "evidence_ref": "hosted-verification.json"
 },
 {
@@ -88,10 +135,10 @@
 "npx --yes @runxhq/cli@latest --version",
 "npx --yes @runxhq/cli@latest harness /mnt/f/BountyBar/repos/runx/skills/access-request-review --json",
 "npx --yes @runxhq/cli@latest registry publish /mnt/f/BountyBar/repos/runx/skills/access-request-review/SKILL.md --registry https://api.runx.ai --json",
- "npx --yes @runxhq/cli@latest registry read lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --json",
- "npx --yes @runxhq/cli@latest add lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --to /tmp/runx-access-request-review-clean-install --json",
+ "npx --yes @runxhq/cli@latest registry read lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --json",
+ "npx --yes @runxhq/cli@latest add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --to /tmp/runx-access-request-review-clean-install --json",
 "npx --yes @runxhq/cli@latest harness /tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/ --json",
- "npx --yes @runxhq/cli@latest skill lubuseb/access-request-review@sha-fefdaf21eb13 --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json",
+ "npx --yes @runxhq/cli@latest skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json",
 "npx --yes @runxhq/cli@latest verify --receipt-dir /tmp/runx-access-request-review-hosted-dogfood-receipts --json"
 ]
 }
diff --git a/skills/access-request-review/evidence/hosted-dogfood-output.json b/skills/access-request-review/evidence/hosted-dogfood-output.json
index b9df5e6e..ff6e5417 100644
--- a/skills/access-request-review/evidence/hosted-dogfood-output.json
+++ b/skills/access-request-review/evidence/hosted-dogfood-output.json
@@ -1,6 +1,6 @@ { "closure": { - "closed_at": "2026-06-23T04:37:01.209Z", + "closed_at": "2026-06-23T04:56:46.586Z", "disposition": "closed", "reason_code": "process_closed", "summary": "cli-tool default completed" @@ -12,6 +12,12 @@ "action": "read", "approval_gate": "human_approval_required", "decision": "grant", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", @@ -38,6 +44,12 @@ "subject_id": "user-17", "ttl_minutes": 120 }, + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_json": { "artifact": "access-request-review", "observations": { @@ -46,6 +58,13 @@ "current_grant_count": 1, "decision": "grant", "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, + "escalation_path": "human_approval_required", "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -90,15 +109,21 @@ "ticket_id": "INC-2042", "ttl_minutes": 120 }, - "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." 
}, "stderr": "", - "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": \"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Hosted dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n 
\"policy_id\": \"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", + "stdout": "{\n \"decision_packet\": {\n \"schema\": \"runx.security.access_request_review.v1\",\n \"decision\": \"grant\",\n \"request_id\": 
\"req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"objective\": \"Hosted dogfood access request review for Frantic bounty 55.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"action\": \"read\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires human approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ],\n \"safeguards\": {\n \"read_only\": true,\n \"mutates_grants\": false,\n \"executes_grant\": false,\n \"requires_human_approval\": true\n }\n },\n \"grant_proposal\": {\n \"schema\": \"runx.security.one_time_grant_proposal.v1\",\n \"proposal_id\": \"grant-proposal-req-2026-06-23-001\",\n \"subject_id\": \"user-17\",\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"ticket_id\": \"INC-2042\",\n \"justification\": \"Investigate incident INC-2042 elevated payment retries.\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"issued_by_skill\": false,\n \"execution_status\": \"proposal_only\",\n \"handoff\": {\n \"catalog_skill\": \"least-privilege-auditor\",\n \"requires_human_approval\": true\n }\n },\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires 
human approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"evidence_json\": {\n \"schema\": \"frantic.delivery.evidence.v1\",\n \"artifact\": \"access-request-review\",\n \"observations\": {\n \"request_id\": \"req-2026-06-23-001\",\n \"policy_id\": \"access-policy-demo-v1\",\n \"policy_digest\": \"sha256:fed71a99fc94be00827e5a8fc8678ee5d07b3ff9fb2830bc3b718cff29bb8a9c\",\n \"request_digest\": \"sha256:42e9ee73c27845ed1fea00efce5f1d509b9bb97322d8c891ed74a78a14681d5a\",\n \"entitlement_digest\": \"sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7\",\n \"subject_id\": \"user-17\",\n \"requester_roles\": [\n \"oncall_engineer\"\n ],\n \"action\": \"read\",\n \"resource\": \"prod/payments/logs/service-a\",\n \"requested_scope\": \"logs.read:prod/payments/service-a/*\",\n \"decision\": \"grant\",\n \"least_privilege_scope\": \"logs.read:prod/payments/service-a\",\n \"ttl_minutes\": 120,\n \"approval_gate\": \"human_approval_required\",\n \"escalation\": {\n \"required\": true,\n \"lane\": \"human_approval_required\",\n \"reason\": \"one-time grant proposal requires human approval before any access is issued\",\n \"ticket_id\": \"INC-2042\"\n },\n \"escalation_path\": \"human_approval_required\",\n \"current_grant_count\": 1,\n \"reasons\": [\n \"request matches allowed role, action, resource, and scope prefix\",\n \"ttl bounded to 120 minutes by policy max 240\",\n \"proposal is gated; no access is issued by this skill\"\n ],\n \"evidence_refs\": [\n \"request:req-2026-06-23-001\",\n \"policy:access-policy-demo-v1\",\n \"entitlements:user-17\"\n ]\n }\n },\n \"report\": \"# access-request-review report\\n\\nRequest: req-2026-06-23-001\\nSubject: user-17\\nPolicy: access-policy-demo-v1\\nDecision: grant\\nResource: prod/payments/logs/service-a\\nRequested scope: logs.read:prod/payments/service-a/*\\nLeast-privilege scope: logs.read:prod/payments/service-a\\nTTL: 120 minutes\\nApproval gate: 
human_approval_required\\nEscalation: human_approval_required\\n\\n## Reasons\\n- request matches allowed role, action, resource, and scope prefix\\n- ttl bounded to 120 minutes by policy max 240\\n- proposal is gated; no access is issued by this skill\\n\\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\\nThis skill does not mutate grants, move secrets, or call identity-provider APIs.\"\n}\n", "structured_output": { "decision_packet": { "action": "read", "approval_gate": "human_approval_required", "decision": "grant", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", @@ -125,6 +150,12 @@ "subject_id": "user-17", "ttl_minutes": 120 }, + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_json": { "artifact": "access-request-review", "observations": { @@ -133,6 +164,13 @@ "current_grant_count": 1, "decision": "grant", "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, + "escalation_path": "human_approval_required", "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -177,7 +215,7 @@ "ticket_id": "INC-2042", "ttl_minutes": 120 }, - "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." } }, "payload": { @@ -185,6 +223,12 @@ "action": "read", "approval_gate": "human_approval_required", "decision": "grant", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -211,6 +255,12 @@ "subject_id": "user-17", "ttl_minutes": 120 }, + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, "evidence_json": { "artifact": "access-request-review", "observations": { @@ -219,6 +269,13 @@ "current_grant_count": 1, "decision": "grant", "entitlement_digest": "sha256:39f793146c7d0523fe0a0267640093d3a124f3efa49ce2bd128075a7056fc4e7", + "escalation": { + "lane": "human_approval_required", + "reason": "one-time grant proposal requires human approval before any access is issued", + "required": true, + "ticket_id": "INC-2042" + }, + "escalation_path": "human_approval_required", "evidence_refs": [ "request:req-2026-06-23-001", "policy:access-policy-demo-v1", 
@@ -263,14 +320,14 @@ "ticket_id": "INC-2042", "ttl_minutes": 120 }, - "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." + "report": "# access-request-review report\n\nRequest: req-2026-06-23-001\nSubject: user-17\nPolicy: access-policy-demo-v1\nDecision: grant\nResource: prod/payments/logs/service-a\nRequested scope: logs.read:prod/payments/service-a/*\nLeast-privilege scope: logs.read:prod/payments/service-a\nTTL: 120 minutes\nApproval gate: human_approval_required\nEscalation: human_approval_required\n\n## Reasons\n- request matches allowed role, action, resource, and scope prefix\n- ttl bounded to 120 minutes by policy max 240\n- proposal is gated; no access is issued by this skill\n\nGrant proposal grant-proposal-req-2026-06-23-001 is proposal-only and requires human_approval_required.\nThis skill does not mutate grants, move secrets, or call identity-provider APIs." }, "receipt": { "acts": [ { "artifact_refs": [], "closure": { - "closed_at": "2026-06-23T04:37:01.209Z", + "closed_at": "2026-06-23T04:56:46.586Z", "disposition": "closed", "reason_code": "process_exit", "summary": "cli-tool exited successfully" 
@@ -325,7 +382,7 @@ "terms": [] }, "canonicalization": "runx.receipt.c14n.v1", - "created_at": "2026-06-23T04:37:01.209Z", + "created_at": "2026-06-23T04:56:46.586Z", "decisions": [ { "artifact_refs": [], @@ -353,8 +410,8 @@ "selected_harness_ref": null } ], - "digest": "sha256:58c0f202dcc6040c2e8a6618c5da594a6b21171dcb9f100b5ebcc0fbc61d17f0", - "id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "digest": "sha256:ac95917e67807fcaa370290ec498059f41ea1e4ad958b7f510793cbd9e7ce085", + "id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", "idempotency": { "content_hash": "sha256:run_default_470fa655fc09-default-content", "intent_key": "sha256:run_default_470fa655fc09-default-intent", @@ -371,7 +428,7 @@ }, "schema": "runx.receipt.v1", "seal": { - "closed_at": "2026-06-23T04:37:01.209Z", + "closed_at": "2026-06-23T04:56:46.586Z", "criteria": [ { "criterion_id": "process_exit", @@ -382,14 +439,14 @@ } ], "disposition": "closed", - "last_observed_at": "2026-06-23T04:37:01.209Z", + "last_observed_at": "2026-06-23T04:56:46.586Z", "reason_code": "process_closed", "summary": "cli-tool default completed" }, "signals": [], "signature": { "alg": "Ed25519", - "value": "base64:NxHzjfLOg20GjhHWN-AJbOGX1ZYE8EfsCOfUH1TSqF9oS0Sd_cQrP2qMw5iuoihDRwRJc-S6H-4gAqcuKxbkAw" + "value": "base64:9ERFD8dHGVW_qh1jxQJGUBCYh_pnBYkfryOBv75TVEPrHsRCc8ghpxEgfqKn_4tJa0bgJubmSY6E1PCegit6Bg" }, "subject": { "commitments": [], 
@@ -400,17 +457,17 @@ } } }, - "receipt_id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "receipt_id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", "registry_provenance": { - "digest": "sha256:64dd95e8a5f5fd2e34a07710f9256596468e3d0399efc97ffb61286b37c5dc83", - "profile_digest": "sha256:74de3a7ad9c53687034e0751b415adf4039a4234fb954898c1d2fb1c9c31d3f5", + "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59", + "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e", "registry_key_id": "runx-registry-ed25519-v1", "registry_source": "remote https://api.runx.ai", "registry_source_fingerprint": "ba1ac16b631195fd", "skill_id": "lubuseb/access-request-review", "trust_state": "trusted", "trust_tier": "community", - "version": "sha-fefdaf21eb13" + "version": "sha-844f75658a9f" }, "run_id": "run_default_470fa655fc09", "schema": "runx.skill_run.v1", 
diff --git a/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz index 220d77cfb02d3cebe2cca625adff528b73b8247e..3d987c904e70b81dc6432015c5799dd3e537e6db 100644 GIT binary patch delta 1504 zcmV<61t0q53*-xs7Jp7jS+D*yq{~`#0lH;fhi(`IilSsDGO3bO8ZXFy-;t8v(xi!t zHbqgLKgc4fyXWqnJCdpsR}(@h(|V%V`;KV?&r8leOy*J>R!&M;S5lTRN*QmBes-|0 zAdn=A>=P#u8lKpV4|0H`0LLN52*(E~z!)b7UbMHR&yY?VqJKQ^K(peL>mHi_PUYy? z(X*dUrKnH2xcEvoY=Yx3T;==r69rrU-8jZkGClB4zY?AuS><0zX+E{?q51Dr)c*Ca z=Ol>YSzM(>SyGC_X^LqaqJYvVN|QJ!rqe17D=6uR#4L$|Bnz?-6*ys8#0p$OrAO(} zxt8KvyZ^(>Q-9>&)jvY__5Ub@-mu&MlNg5w9(sxZ{NVln+Shc>7Q~G-fZ6~B@dU+_VEP7yGcXXwM^PI8ZPyVY1*fFp{}IEbxQz`k zhykG19aH}7+BeIV!MdKaFmvIsHxjhW3fT#>EQp#^ihl^h>BO-<2qqQ;igAjwAdVvV ztnG@1)BJ)h^WN`G07ykx5>}+b1^iH01WB2sX~9@fmMBXD6a}P8GlB`5qGB4PL4^qp z3zVQFO|XA+=xbgJVmievWYW~2{iF<{2xnmXk~E$5p&**Y;Ve5j`{n1feEH(-U-|nv zKEL|?)qjgWkDtGr=dCz?cTuV3>*LELdh_<=H}z7VJ*R0sZ?8`3>iw@G56vrriuzSo zEdF>GpWxq~vznXuxV9)tUPGC0c}BA+gKWh~ijs;FGEGpBAx6V2MNw9Tm=VlEQf5(F zBvph_l1*t*W-Or$rIBL_TeQ+JL6_DwF5s`RVSn6Mftcqdt4P;AR zuHAY!jHpt6*etnOm0dHeC>iA%l-Sqn^?zIL`USkL(*xO=OHOUfAzs3gT(q4{)b*fn z+bmHvGur`?Z7Y@O#1N-7+=i`PSjP#X(Mk=SaVP;BpibE#F#Z~hdqZSAAxq|M5H_}| z`GVN0^G|K!J;-)D_t+Jqowef)n>s5!Gw0eV@NK%>mY-9|BU7C8=z#g!D8dIi+J9In zehIiLB^Luhdk<_Er=|~@{j-6zo*!yrJ0|C_+42fH`-)MzTP%oL_9S)=_VC+=2*H%M zQnrH~PA4Tanhk|*AvIFFw%Qva3hY>1>m`=W)bu&O12xcWVG|7`R+l}zL;tR9oONQr z2r+H%OU2oaH=AU9Alf4(l)Uw+Sbu_B%yaeXZ92#usk!!tmlaQeFm4UI;x6U}_SL?$ zAQF6Hq-;Dpr@cX21z}mb5_;cps3U)7RL5=}oAY&=PMj+M{>~U|P!`ZFp?m8`g709V ze+g?U?so5wQhYef_SD%fs5P`5#{uDv=hjm#JGG;7Q?#pocbhg_#DZ4AHGhzR4<`~k z;jqG?1}-u=wdDNRxyQjf9MnB0cgmd2b)m~ZPzV(6dWKu(I)SU z<}v5G{TTfOqyTO=Trg6*1k*WhO4#BCB}+m34dh#&(Z8mA#{CaUn_ca5dw<~mhr&3z zb^n`Uc#QYICy;yYf4PQ}Ct1t;RJ*HI&0s^`T;Fh#1~`MX#!(h$VVWX)g@G+dan^VJ zm8LIziFC(CK^E-GX?0wF^!*gN#NKd~L}We-O_jzbhjW}T055bQb8&XztyTBV6}oPRyV@=vaNZ2miygBJ%c zemWNQj$K2AgFed#m)PBR 
zc>%*;sN6vvm5czRGNM7PkNns}vF8WxP&f{fF~SEv8of8`NG)nkNyR@9%|(3|8^vMW z15~PI(jDKpdeJag*KrnRW)^!TK+8B6ZLJqMkzOfDt$#W7EbD#WGayimQ#|s4dGJ}& z<`t*ej4iUx?{xr3Nmvq=q{KP=P?-Bkk)&zPm|qlVl=>+0NtuoaCM-aC;HQ3x2@Z3V zpd?MOd%N!{KBzy zA9>;AvYVSij(ftY6nD@j}FEKE>IAmSxOBd;Iy zx{pAamV7c{GAnrvk4D184r=R12AHn=;{`ydl-f zn13Pjcr`q>oHy1rpEF}*Vn}baSR3FJ6%E^XUzyArIOLR@Ga3TX_BD9pHbk0muGd>+ zbz4<7Qi|zLLpKJNHIwsR6{|}jDKoBGRZ^6^Vjri*fcDgkRZNT8+x*JJynu)Rm`!Jx zZkvsF&4?_-)q2V8vh1pUMZqXnpv1i1tbg7z+b`g4l^)2>RB&oy4)LlD$?K*yiMr_( zZki=>!t`c9MAHbV+q#d_3U0+#F0A4N(P)H%&e)fL2~aD|5EwrJ<4zwLrxpcs)(9&$ z;V@22)w#ze@eX9WnL6y6(bm{;`c0h`j-GO56}To{cFWHwLHo2l+{eh+G(+1w-=NGvZqc>C^s**I)IU3zsHyHH(UE!>z?*Y{3&wr!p6S`!8v^7{IQlhnuQDD*Kr!gLg1a}9tkNOIP7 z{iUWae2KKj#+uC8m(yyw{N(#7bd7JFv_S?LWRO7y8Dx+_1{q|KK?WIQkR9ZIf7kta H04M+eLow3) 
diff --git a/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz index 6bd1997fe99db22e375c57a81a70bec4e7ebe106..b9d3b1ec74c24479fa6757f076f656e033c4b3f0 100644 GIT binary patch literal 2405 zcmV-r37YmFiwFP!000001MOVvQ`o<~ZYwfkw7 z3*PQCom8`tP{TaiTw9e8kmoq&8G8<@pK&=}(;9XNb}7aP(=|jew!JmWSy|FOsK|1r zEo&_k;jQcLn*WQ^#^%Q6zxLClx37}ZN0MOz>{2?3_tj@a=3bZM7(1T5X6-+cK9^_` zf1RfJZR_ru|BI4dz5cU4BaYh8&MdcGS9A|nS=KMbj~sqmR&hn%v| zCNAQB=y2jil-MlVILXrFSDXL0r>BU2S^o&#)c+j{z2S2I_dM*ZS?DPo@Hg-O7p*Mn ziveqOS|$}X>L_oFaBID#I1E2fxdXdM3kDh0WjU}Vh`4R!wu${7(GCcpbc0amt69gA zG*JA>r4y)asE)q^sh3vKAYBXGHJ0!D0j9oiU&9Ltcq z)T0bRS#m*bhhk(4MmX{@w>gtS+Kl>Trij5X%|#N8jcF=@m$`A{ObYnC%Y|e`oOf;E zA`yAmk8sqk2iw(~fLX3puP1a@ssx^f8YWg?Q@`8fQCg|dXIXy*2KC#@copG^h;n1n zsY=RfI8|{BytRc_($nrpz;Ao%UYfP{1--8k@r)r^3shg z%2VCFEXueeQbQI`g_&gTOouyV&Kv2u8VDn#XOiAt{p{FRs_PlkmF)J4s3UM$l+ksk*V4nlSYfcw?Am&>8CzFb*oT z83N&NK)6+V#!6ByteJ+f=qVUyrs`VzCh!(Sd)T+cxrhoQ$Et7Yf?IiCWhH}_30HZ` z??wdaskh!*6peR9QtJpl9o`g*cbBZ01>=lm7UNLz#-?x#W(ljTS8LWm z7KG-aRbNc<6cVOfBhFRn^BnH0RcV1IR69@8*fMjORdbWzmT_4^-wFkF)avBA5I>fU z`7}&Br758NLLbbu453>>_s*77zJP_T5v-A_yn9~@@p?U5rOtdoO;x*OIB0mua${+h z7Wxv)Sy-hH`YPsdi>sN8 zlc>6Z{OUdWV^V|vH2BZ`&i_G(B8eRz4m+Gj<>}91RC<`eNj}7IhIb_Ag3%}n0zo{6 zIE8al==(O~9&YfT--4bZ{ww1@Ho}B9_|H?&()iEMmisdJ5B6z;|4i_o-C-F2`Qo!T z?z?;FL;J<+FR!}shYthC_ry0l86CC{B|M_&X#dE5zxQ@{^7d8mN}jcq9BpkMlHvK= zJ^T`nNb&va$I$`v4vX`}_z(6Zm)Lg#R|W`C#}?cT5hb<+>p~cpcIeqYSb+l;aV%Zt zhloo_;k-;mxH|sBP#{qdP{;9{pTK_>vRMWHS;*iK@Sk}(4gS;MKMnrV;6Dxi)8IeL z<3Hur==Z^Y>Ydt>_|Ift*Wf?D9X0q*ga6#`{O<&zONsAzI1B^FrHBY5DGow`F&z0M zvx&Yb7 z|FMzZ;6D@mr?-1}zH_GHkLO>v$lyH5+HwyaY`^PnN5PgI$>4OmyYv3F-RI=!XzNIQ z$-kZiJn^>d?#}Ckd~iO#+4i=){>xmt$UgiOe>t+ZdW-NMNrcb2^f4;|I={2nf`a29495)jngd>#q(8o=D0*1OJDkoj70R)0;cK|A}qKxq|=OFxKGz zPeC`}|J^K4wdhu%E}{0GNQ9oj_t^6Z4j`-)`XX^WzeM;2bS@>TQ~!k11AmB6!iEVO zh==1^=JL{?PyAS4Y}*5TL3V*{5ArShrN4W7lWh<1$KMNVdyxMivGm`S!wv9P7h6LO XHPlc;4K>uzZ$SSCoP$*K08jt`-&EMi 
literal 2405 zcmV-r37YmFiwFP!000001MOSuSKB%g=TGtGQ+o~xlKjqoS=!QDTIdtnOPAdoSso<@ z#}2X`pq&2icVs&cXn=$Q?LF7SBeA5+d&bf)i7Jw_HWvc2tgYarfGo$yaRjIBL7L?d zwg+4#)vSPMlxG`js}ezSZCgK5*CzENEyrtGqc)?CMI75^YlKm}Tr=#ICEbCFEa%EF z)-nigTzA|2-;_EVosIwOq)C4#N{$~$h7Pb}S(A8QeI#t|c{z^Zcg;0p=YjOOM3eZd zG|g{Xcia5ml+^0=pA9&(ovv-t!1Nsn+%*}oP2$_84>mV}G1s-h^g>&Dz$N&hq=C;Y z)3-b-Z02$%P0~5a(&Sg0|Bt7~h<{oCgk0DEZ3}zD<^JzFj=N@%$8f+uy#HUcGBJQ5 zZ*^Nb6*_g4J7d~fZ$%*v-&46GJE4GMM)i1(Y#Curn>cM|?h&hNq5!YsIo4Objwfjn z2_8q^cpjz6Row)&l3KwmD?qin7p?q!1h}rsS)4g8b&pfz(hbrg$+EVc(k3_r7 zddAvX3F1(X`V2D z=c_M1oql>1!$|Z5Y`qD^_-yp~4>NVcFX6jw{-XW%KpykcKeqpjw>M8n@ji@SF>lM= zr(l2E`LGH6xOj0k=6eVJcIc|-n_7!7>SLMDEDKCRgeN^4LemQZ2lrp#n-2Gd%UtQ( z%mNpr!yHEZ!1W~eL*@h|@I4AR5SbXA5Js7PO{q<5X1$)M&h(%~@5hbS#;b^rT69N|SiNL7@VZsa0Q zRqwJW?G6!*csv!Rles$`?v^>PrRUKQw2;0|dd;PjfkugR1asF@k-ZUaa^(C>j*ckm z8oX$YxYF*NtuHl8ia0Jkl|f!{sK!uo4r*Alf<&fDfHt*crBWHi@MCDS((UXRV#w2^ zJ^w20^AJ6P%FG)Bc`=&1&Vj2iJ)JH2J}JAnUJ-(bGGwAJFQ!+$vR~lUG&~rcK^h6| zbM#lDlROy}I#3ri!+Eh>^&y{kNIDv&Dld}SPg8Ycn3^#46MAEmX4o0)63`ARlpaFi z?@+i=d&Wr85R93IG4vxG=ep`zJ3899`F$^zZRMP4~gKbfgCov&+R-X}+RvyCKn_DM!% z#c;^gd6mSaftC8Bm?sG+W5Vo`?zlS%vC+&@SQk>9W@THg1aXCOv|iICI-5ma#e9L* zm}WyAXiQ=?uGCv^EsDm+BB^ympN_5z#m7t5%z|;sGlPd%^4g~09L)lwtXE^!K^BDO zqE%l^@)Q%MTmxrO>GK@#t5s>CC!%(qrm>;tGNa}u(Jkj?37r%X)={gQs{+0+8}n(H zwn|e_`Gr21X&GR*#O|FfseFM8TVq@!qw?y`CBsp}OO|U(v$Rl` zSk8)e((kUO&0Jz(tB5j8f~ek+=!sHS+|=MfrYCfA{%G8C>aEx8ZrK`rFU(=3GjXyU@?f|5N~lclk-GW zH;`YwM}J6a@Sg_%x!d_4gyVUVNLz;7rZye}34m`COOnv#p$vH7fwU}MJz#>` zp5+l{hE^aN{O5O|$B6&R_>W0U$7=AO$DpP0pPw!FrSKn08~kU2|Ga1E`CxCGrlZ&H z3(tJ{Z0{gA-rpsO>Fk=LcPELLJhRpAKD6Jx+C77lO%TtWy?7uz>Ac%b2491ZJ1?@c zeHM%TukqO3fAi(dv;HFdhx)eVg&`B1qFutK5(CP7n+Y`7aadrQzI20tdxE<+>eYRlq3^}epbe||e^@Sg_%x!d{QHv?jtp&NLNQ)b!RbqNbi;yK_GCIqv5 z%1sXh9uO@Dj}RsvFC07{aq2ldkPZIxJJ6%V|3>_W;vIut{rrz@(FXr{3|boh`Pp(` z2LJJ?)8Ic7{6{^1bt3oJC;nC(owQ#j&eu0@zrkrd<}aRo{v4&_bjvz>Z?ZqLb88SC zn6EAR%5;i-*9%qb?(;93!`C7>JJ{T{o`2YL+GktGFQ0u_g#QTc_=H+445Z2YkXo*Z 
z9&sd3X*9gm=JyEYG)y89IWppTU0?u~`ZKS;XKW z@Siz34gS;MKMnrV;6DxibLFTnId+7*9`toL>27RnSs*3*A$uGiE550k^BWZN~C=2~*(IhKwZ>iraKmp#mQ^0@x$GXLpR zm&X)MNtcnS=oYnjVSe?R&A`eNJe;SG`nw%yCStV_T5a-D7W@ZsMDw%yA&2$ud_G2Q@wb+I+n XP(uwh)KEhW{RZ?G9U*Kq08jt`79P>I diff --git a/skills/access-request-review/evidence/hosted-harness-verification.json b/skills/access-request-review/evidence/hosted-harness-verification.json index 842ac46e..784cafa4 100644 --- a/skills/access-request-review/evidence/hosted-harness-verification.json +++ b/skills/access-request-review/evidence/hosted-harness-verification.json @@ -3,21 +3,21 @@ "signature_mode": "production", "trees": [ { - "root_receipt_id": "sha256:531b396fea73205309539e5a3e22775e38d5f8eafe9df1b92439481c527a2f30", + "root_receipt_id": "sha256:59b6428571bb956402e0f419be113adfa326dcab6a13e103a7db5b3a3ab21e84", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:93b033d7b82a1245a7702d3086e902cc2491a38ecf0d463393a11689aa186abf", + "root_receipt_id": "sha256:9b0cf158e30ddc4f34e5a4f712216b12775fddea4cc99e27a0d4b10b883ad71c", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:ec688f0f5fda515e220ee9504f0d7adfbab8ef510b22a3298e2c15848023d4bc", + "root_receipt_id": "sha256:ef433a34265ae0b0794786be2fc5148bb4f34e8a53bd4ab3260d8b5d27c423ac", "receipt_count": 1, "parent_missing": null, "valid": true, diff --git a/skills/access-request-review/evidence/hosted-harness.json b/skills/access-request-review/evidence/hosted-harness.json index 29822110..25421de4 100644 --- a/skills/access-request-review/evidence/hosted-harness.json +++ b/skills/access-request-review/evidence/hosted-harness.json 
@@ -9,9 +9,9 @@ "missing-justification-fails-closed" ], "receipt_ids": [ - "sha256:ec688f0f5fda515e220ee9504f0d7adfbab8ef510b22a3298e2c15848023d4bc", - "sha256:531b396fea73205309539e5a3e22775e38d5f8eafe9df1b92439481c527a2f30", - "sha256:93b033d7b82a1245a7702d3086e902cc2491a38ecf0d463393a11689aa186abf" + "sha256:9b0cf158e30ddc4f34e5a4f712216b12775fddea4cc99e27a0d4b10b883ad71c", + "sha256:ef433a34265ae0b0794786be2fc5148bb4f34e8a53bd4ab3260d8b5d27c423ac", + "sha256:59b6428571bb956402e0f419be113adfa326dcab6a13e103a7db5b3a3ab21e84" ], "graph_case_count": 0 } diff --git a/skills/access-request-review/evidence/hosted-verification.json b/skills/access-request-review/evidence/hosted-verification.json index 7b8fbc3a..bf57c4f2 100644 --- a/skills/access-request-review/evidence/hosted-verification.json +++ b/skills/access-request-review/evidence/hosted-verification.json @@ -3,7 +3,7 @@ "signature_mode": "production", "trees": [ { - "root_receipt_id": "sha256:db7a0c11abce65a3b0561308d75b46db38b4e36598021534b6f268343863ea21", + "root_receipt_id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", "receipt_count": 1, "parent_missing": null, "valid": true, 
diff --git a/skills/access-request-review/evidence/local-harness-receipts-linux.tgz b/skills/access-request-review/evidence/local-harness-receipts-linux.tgz index b18b6936466b35bb71fa3eea6f6739892731ac8d..eb3456bb5a1ad9293f64a08f87bd8ef76ad8ecbf 100644 GIT binary patch literal 2396 zcmV-i38VHOiwFP!000001MM7ZSKB(0pW@A@_8dYa*|O~Hmo0tV+m@C-fEJcrA6b?Y zgJY+%ose?+-|xtFUNn@10_{E5LtDp^GVd8lBT-c(7i}(t%(AwUUkaJ!@Ek>Q-0pLg zRLw$0!#wM3-4YN0qf|dJqo{u3vb}~aObNCvj2MG)nAr?%8T7UUH-RF{xiXBcO!_|@ zcT@l06m~j0o&W5mNpCMo&hLqaHn443Q+r>1g1MJ{0by(-vSsYu6F*BZwZBT!{72(% z>i?U9+93Y3J}1=f`c~i&AwtW=jC157VOrFsf`k^q0b`6{(`LToTMU~fk7%*g4D6Gg!P zH516j4t9x6DST~M_;Dn>b2;%Ux#tStA(zYwd5C@ZL6%Qgz#PYyk^}*A9fBy~q2qGQ zrHOo#I3&azTRvh4RDoOHwp&@$OL$%=safW653oNE2&LEs+9MtpS_YqI(zd#9J_Srs zy63x=31L|9*N4Zuy)1wFj(<2gJUWa|qW8i6(O}F*J@3u=$>EE`{ny8B*?vXj3;cz? za*r+RfU>r2{&8dv+bP}s{PcL`<}3Q34-xt;RVO(76}LkQZ_8nbJm5Fzg5{ z+I3^Q`Vt_^Rn+TA<%LlKkD-E&4barz)_#;$Z1j27-vB}VwbEXNexa z>JZV8$1`HunY***Zt3%ydL9j=CeqVRud$RgKq!$8<-+@nq&I{`PPo{UgCdGL1}|Gf zuCzMm<4ewxB92QxmugU>l1Z2pLL2I`Mz~0ptDejk6_O5zsmhC_*3*pLSk6S4=?SzkOf$%gbqHt$6-qY&@qHj} z)S5ApG?2!e!&vqrXy-cWT6@~?23UL8H{^vBg{EWFle!FyydPyHf|fQ{Ipuo->?l>l zEAGJavt040c1Nu%6^($eP^E*~K`RM#78iM?H2q=D(yYIZiA9~9!DJhSklCjml@)^l zSCh(#O93nPhcQnQsf;PICEj6m58Ti50@Gd(Xw z0p?fgV9uov*%GpMwkGoh3~Y^HOc<53_je}Vu6rxjSq!KdYfFLyhf9)cNwc(2ODN|- zJI!}j-DbhDAXP*eI6+jeNOVWZD=cbYKjR7QoZkz#9(&t0x*L{8-%2qg(-(Ue{-@;ZXngi`ysG{axQv-12wVw~2O8n<*A0awOc6?i9haK6z}$8jsK5^y z3(SB~-*R0ZhB6eJ*MGR>xE3-4Kudn2{<9LzCiS0{2=1Z&vq-0@|1|ZVrvB5^f13Kw zm92irAtT&&qp!0`x6|nilDrdkcFP%mm#dDFV7QJ>k)1MiXPuRcT|HuFaF%sl_cSq# zC^R1ZYsp(5gRN9LHWE2Do-38AN2jd{lUHNfSsHJEzfP5X+IswNjrDr?|7miXlxVxg z+E`1BJcqDQ1HD#~FU$O7Ji0qwz@qH&jLu!5#i&cr4C|XTC}R04^>?7(c%);zs{>C# zg6#~-&a5M|LH*e~OZ~1%XqV7AXI$56YD{}62M^wf20H!z2wz+d?85r5ORTH7%6}n> zpC`GRyh{PWrzr0~|M;dte;r;u=MNy3x)`&rX7Dt53j<-tYm5lmfj=PlJrpBnp|fT& zvWb=^TK+E4a&s}d+&2E8Hhx2N%)0NWHeT;y*Q||C_q?~LjW-i!lLGz`DWEy1xi@Ie zf12~34eS4uNi#GhvV>(xPLaStXxWx7g9>RorY)R+!jHrPb7ESqD-fkVfx*akOs6^j 
z`HkQq?0<{AJ4D|NGm)Ci_2#X?byr-TMvuKddkNE${!ZZQITM?;+rt{hyb?%2Rrk z#mlW$Pr`&e-@aky5bPrAxDK`*moZ0g17HeLk*u=*6w@7VBFklC!Uyv1u$C^p_WtzS z_G;Pg;DY1|+3w`B_1bqYuaoT#e))HWY39S8l#gOfPb+9$iKm!dl&_DwXG|<2= OhQ9!9TMM!PPyhhK@w}7( literal 2397 zcmV-j38MBNiwFP!000001MM4YSKB(0pW@A@_8gK(vgJqi%eItKdg+UD7s|4mBg<0a z;72Okfm{y%eMh$QfQAw%(DqzUdq^zF^PZ73QdE(gw;AUm%i2nOEku^X=Oh$o?IBZ1 z)yzdW&a>{uJplnYl}4}&<3_GYi953pJ48*zJM^c5!o>I9*LhTFtfi()BJnm zZtMR|LERz#vmqnY?pcBD`hmw84y53Oxt3%u!juw;U3jL9I@EIrahV^um@_UsS0L_5 zZW3g(&L~ThpDlL-6+DIg%lJp=ru z?FyaR*qsS(ZMMPynja|Y0UcL@^8F7#5_P&&oq0Kc3jUp*5g=`CLw20 z_!rB=G`Y?j$5v7^m}P}ft=>f|pN<8L8>SghfS%Km_b3G{JwGjyeCjjRmWm~L$lImY z6Vld9ARD{bBQ~Y*+PLtekoQl;v|q`+PymxmI3TpdKKw(LPn^JUU0(LpWj z@P&>i$FJV*lm2vQJNxViPm1?D+1J;{=k)Ls7F%D7?MV?I`yY11p?h{_?(TcL?}f8} zP{`d+gRM`|4iE6zPWJE5M}KBy>*bl|A_xZ%<_pP?FR*V}U_#4s9SU}{O^XuSaiqmS z&L9AZOxyDU+q1Fb1a<%k!@~~2lDM`kJw?RhG#3eQ%!km$#Y`BT5l7w|MU4_IfI zhFt3$^p$8QPsW8d)J2VOnJiNSkuNJG9gkC$7fG$BIlGaVi!j#{Xk(makQwU`&#z@jY7z+*~F$kfZ>8NY%X~P>}?eWkM=YkiSj!{qQA~5n{n3V`x+Fa$7 z-{)XQp+Z)12cDnhiiNd1YF(*t0(?o8#^Ga#@%YvnOe;pIcIvK%a8%oIR zGmpxOIA&^EIdLgq#r`;ANg|XnLw1FCSe*orXcjK411UsYY{>mwR*WK#O1m+ zpPOmB6a|=Hse=WVK4eSC-r1VW7cj6jfiW^HXYX%Jyjk~FuCp9abJng14jf*QTuYjz zg}Q=r5wx>>cinB491BuKn1K_7^@>Dyl)S>C2KF<3uATE+;nrhsvqpEz(&(}jLqP7o zD?9V<6%5t(Ghi|rL)tBet;G&FJ+a^!Pv8{b+fkSZHYg3uhhY@J6jvje zCcK(Je)byuF`=pdH1(f5?*AQZ3M2$I8KZ&em?AJKb&(`K4FVqt;s=(?eQIIfw2XzU z>OY5A?7VrM#RsqcIDCbj59j9bpIf_8_VRdplAPgDh6aC3@eztfJHdysv|qj0KO)g^ zgo~lGC-=7*i30n}*4by2dZRa<+Bz7#-db7z0SP2`i7#x&;tmTqwU9J9c08N9asj=P+ z|2s)ek`istSQ~4Jk>wB;D%NWyv0LURvb2<-&7NZ_PbFA;upoqlV)bBvQ z@l3~fPY0fY1lx_v&a5l4xc=TBrGC#Oz!_a|#&oTw#-76Qd{H^D2kXBc zv99AP|3VaRC%Kw_OaZ}Rm=Cu|TbN+M3`oHij%N8V%w#_`>C6?)UfoCC`VTZe(pd?_HO)&R`1q}glD3PWw zV5~>6@SF3WUkIMU{`a{5YaypO|9J{n`~2reqkf(Hzn{n9EOmOIH$sKrNktlmhWK)WRYNDLL44& z#}ei}?*E#?MuI!o<(U7#`Oiu;cRBxAiQo~=f0pSq=ReK)Pjmj$oc}cEKh6E$_3!_d zOQT=s{%^ffTl4op!-TN*3KWx(L_y4eMH^2XU61ZXi*Uw<( zDf*Sg%dOTxz=XWmzG25D*!75MBMa>2S&pMaG=bH(sIvYH(*ysAv|KhOEEW%kwRGvV 
zf1i4}xmvadxFESgwg `- ${reason}`), From 211b03c57c12f2883f2ea2f90a3e0aabd84bbce6 Mon Sep 17 00:00:00 2001 From: LubuSeb <187313664+LubuSeb@users.noreply.github.com> Date: Tue, 23 Jun 2026 07:01:33 +0200 Subject: [PATCH 5/5] Clarify access request review evidence packet --- skills/access-request-review/SKILL.md | 11 ++--- .../evidence/clean-install.json | 18 ++++---- .../evidence/dogfood-output.json | 18 ++++---- .../evidence/dogfood-receipts-linux.tgz | Bin 1501 -> 1502 bytes .../evidence/evidence.json | 39 +++++++++++------- .../evidence/hosted-dogfood-output.json | 22 +++++----- .../hosted-dogfood-receipts-linux.tgz | Bin 1508 -> 1508 bytes .../hosted-harness-receipts-linux.tgz | Bin 2405 -> 2422 bytes .../evidence/hosted-harness-verification.json | 6 +-- .../evidence/hosted-harness.json | 6 +-- .../evidence/hosted-verification.json | 2 +- .../evidence/local-harness-receipts-linux.tgz | Bin 2396 -> 2389 bytes .../evidence/local-harness-verification.json | 6 +-- .../evidence/local-harness.json | 6 +-- .../evidence/registry-publish.json | 8 ++-- .../evidence/registry-read.json | 14 +++---- .../access-request-review/evidence/report.md | 14 +++---- .../evidence/verification.json | 2 +- 18 files changed, 90 insertions(+), 82 deletions(-) diff --git a/skills/access-request-review/SKILL.md b/skills/access-request-review/SKILL.md index e57b38ce..cd670310 100644 --- a/skills/access-request-review/SKILL.md +++ b/skills/access-request-review/SKILL.md 
@@ -60,11 +60,12 @@ TTL, exact scope, approval gate, escalation lane, and evidence citations.
 The runner returns JSON with:
-- `decision_packet`: typed decision packet.
-- `grant_proposal`: one-time proposal when the decision is `grant`.
-- `escalation`: human approval or denial escalation lane for the request.
-- `evidence_json`: compact review evidence for external verification.
-- `report`: human-readable review summary.
+- `decision_packet` object: typed decision packet.
+- `grant_proposal` object: one-time proposal when the decision is `grant`.
+- `escalation` object: `required`, `lane`, `reason`, and optional `ticket_id`
+ for human approval or denial escalation.
+- `evidence_json` object: compact review evidence for external verification.
+- `report` string: human-readable review summary.
 Decisions are deterministic and fail closed when request, policy, or
 entitlement facts are missing.
diff --git a/skills/access-request-review/evidence/clean-install.json b/skills/access-request-review/evidence/clean-install.json
index 59dcfda1..8683db5b 100644
--- a/skills/access-request-review/evidence/clean-install.json
+++ b/skills/access-request-review/evidence/clean-install.json
@@ -3,26 +3,26 @@ "registry": { "action": "install", "source": "remote", - "ref": "lubuseb/access-request-review@sha-844f75658a9f", + "ref": "lubuseb/access-request-review@sha-2100c1996336", "install": { "status": "installed", - "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/SKILL.md", + "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-2100c1996336/SKILL.md", "skill_name": "access-request-review", "source": "runx-registry", "source_label": "runx registry", "skill_id": "lubuseb/access-request-review", - "version": "sha-844f75658a9f", - "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59", + "version": "sha-2100c1996336", + "digest": "sha256:5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee", "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e", - "profile_state_path": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/.runx/profile.json", + "profile_state_path": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-2100c1996336/.runx/profile.json", "runner_names": [ "default" ], "trust_tier": "community" }, "receipt_metadata": { - "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-844f75658a9f/SKILL.md", - "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59", + "destination": "/tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/sha-2100c1996336/SKILL.md", + "digest": "sha256:5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee", "install_count": 1, "package_digest": "4dadabe78e9b528dd7b256eaf9bbefb7a272e4c0e1edc401ec6de2f9758d858a", "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e", 
@@ -32,12 +32,12 @@ "id": "user_53f00ae7ec2363e37ac6ff68", "kind": "user" }, - "ref": "lubuseb/access-request-review@sha-844f75658a9f", + "ref": "lubuseb/access-request-review@sha-2100c1996336", "skill_id": "lubuseb/access-request-review", "source_label": "runx registry", "status": "installed", "trust_tier": "community", - "version": "sha-844f75658a9f" + "version": "sha-2100c1996336" } } } diff --git a/skills/access-request-review/evidence/dogfood-output.json b/skills/access-request-review/evidence/dogfood-output.json index c3398c46..d3600097 100644 --- a/skills/access-request-review/evidence/dogfood-output.json +++ b/skills/access-request-review/evidence/dogfood-output.json @@ -1,6 +1,6 @@ { "closure": { - "closed_at": "2026-06-23T04:56:31.382Z", + "closed_at": "2026-06-23T05:01:03.689Z", "disposition": "closed", "reason_code": "process_closed", "summary": "cli-tool default completed" @@ -327,7 +327,7 @@ { "artifact_refs": [], "closure": { - "closed_at": "2026-06-23T04:56:31.382Z", + "closed_at": "2026-06-23T05:01:03.689Z", "disposition": "closed", "reason_code": "process_exit", "summary": "cli-tool exited successfully" @@ -382,7 +382,7 @@ "terms": [] }, "canonicalization": "runx.receipt.c14n.v1", - "created_at": "2026-06-23T04:56:31.382Z", + "created_at": "2026-06-23T05:01:03.689Z", "decisions": [ { "artifact_refs": [], @@ -410,8 +410,8 @@ "selected_harness_ref": null } ], - "digest": "sha256:cc90a797df2cb4fe9be28fd25690f3e9e1a43b4740f1840272c8a79d501dba71", - "id": "sha256:a4ba985040f3e89d93c2ac2b11ffc5f916d172fb878ec34d3484270958df7428", + "digest": "sha256:f17ca72b4a6a3c8c5d6498b655fa1adcb62b04b0dc30a5f291e6e1b8ae4cdbc1", + "id": "sha256:e7345fa793916faca7cad087176a959b36bbf794d35ed9e56a587eb2f9a1ac21", "idempotency": { "content_hash": "sha256:run_default_8e438e086dc8-default-content", "intent_key": "sha256:run_default_8e438e086dc8-default-intent", 
@@ -428,7 +428,7 @@ }, "schema": "runx.receipt.v1", "seal": { - "closed_at": "2026-06-23T04:56:31.382Z", + "closed_at": "2026-06-23T05:01:03.689Z", "criteria": [ { "criterion_id": "process_exit", @@ -439,14 +439,14 @@ } ], "disposition": "closed", - "last_observed_at": "2026-06-23T04:56:31.382Z", + "last_observed_at": "2026-06-23T05:01:03.689Z", "reason_code": "process_closed", "summary": "cli-tool default completed" }, "signals": [], "signature": { "alg": "Ed25519", - "value": "base64:izf_-fgxEdZpLGTEt0tzYgpHC0rXLPvCxpHtbs0IEomzxV4p9uBBEuojIWFhIggqk9Oe6QaPxZur0ytM5S3gCw" + "value": "base64:PtZ--prYv24pqqw_aqkHatYeAnfeqJxNjgG3r3_RTIs0DC_O3xS1qexsVlVpHCybiJuyN9t2CPA7x5P1YviVDA" }, "subject": { "commitments": [], @@ -457,7 +457,7 @@ } } }, - "receipt_id": "sha256:a4ba985040f3e89d93c2ac2b11ffc5f916d172fb878ec34d3484270958df7428", + "receipt_id": "sha256:e7345fa793916faca7cad087176a959b36bbf794d35ed9e56a587eb2f9a1ac21", "run_id": "run_default_8e438e086dc8", "schema": "runx.skill_run.v1", "skill_name": "access-request-review", 
diff --git a/skills/access-request-review/evidence/dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/dogfood-receipts-linux.tgz index 0cd291213ab9764474bbf723781b3264185e837b..cef953d849c7219dab21ad0e2f316490cf64949b 100644 GIT binary patch literal 1502 zcmV<41tIz$iwFP!000001MOGaZreBz&8G-@j#Aw(e%hifwp#?4r>eQT=3~RQaX*{3!uariq`J*uM;h=wvJ8rAx)A3JXB_`wG^nz-J?4bI{;`)t+`E;ys4 zX8#h+1iy`qdLbVGD%FCtC)c)KH-PJALZJnmnRnQ0fm$YoXt`b&L^_ouTr=u)toMD# zfN*0k^)f$>BK)jri<;4V4(q)4dlvvw5lF&{R9=BUH!S?5OwzOf@XON8Qs0eyQl-XS z2;3s@Q@`?v7Zz^fCKxCC=G0bf%870z7|5iaqV`v%A4Ohlf>S zy=m8PGwr{4_dHoe@4Qb-_VML&gQ8?pEc2abm4~@Z{30YV31~{AG7ht}z=%}nOi7E_ zFVJ7Nq=8GK%FjHA!7EY%AuS8qGX)ln(7@^1xW+jC)h3KPD;V>+;nW7eKXfY0h|84Rco4 zs9Qp{Pdg$xc2FE|B{T1m=l9v!3>y7ZEEY^J(3-L*fB%Ccq}4ManeM_!s1`CmG-bj; zSwrfrF+=9bc6icp-dNXc0mjJGkltwNY@kzAG_d!+HJLYf$f@>cGzOv_YVg`_h&18c zt?!WWwywKKDbT%!ehe*Zkc&YT@JdJu#??-h6cwxC%hVXqj+#RaT5xCoD--h)BZ6S| zodMl8d+!>EEXCDs$<3zh>S09*lqpnVUaz-rdDk!SZJQp<&P*_BVvh0RhUC0yO`@&` zh5KfSoPypDh-exib<2l1ZQ<6ibzvJPj7B3AcE+IuOn_QxhS2z*XxthiV{uV}wL@6L zl;JorRcD`@#9Nr{W@f<(Xlv|P!=?_UrDsfa3T%_EZp+Up<`E<#JvwB*(vq-&jwV); zEfH5G#bO|6?}6#!RQEwMe|C_z^FvMS$K(PxTUKFb-!MwGiv^MEp2VGlJ^ZF7oP)GB z$_}vO>7>L)v!k#nq*|!1t@eh9L^}r8c8Os#)qT$IK#eq8m_#Fq<+6u&YTuQO_bneV zVoaO+Qt|%4n_V)lh_XnDC2xEx*60>kUAE?b6mWKXng;pVY9-=^tR=L&+qGX^`91$Im9-s+LyTU=-_ zaZSa#-TR9apANGJnVcGOe(Buf;GGWY9yl7^bZ!9l{$t^6r|$qXG?|)Ar_uT(-g(pwQ`;2#2ttsG!yt}@6N$PtUo@j&ETz%ZYcTI_MJbgpo^*5Tn z^Chx7Hgd9n@29n+^rP>m*foB3(nc9&lu^{Afa=i9dZuf*Bf^dMDGwe{a^&Ml_t! 
znqN`PMROY)^MYmos8k2ion5{Y{oV;cNg)nOT6#JDks$ZuB2JPVz%L4tCO!#$S|%y= zC`?H{^%KAJs2AiUCUFvb?#;2Qc-2tdNidLUU7_~V!Vg0)McWs&?u-vPRS*R;epP0Z zvRa-N@7uFq-koZqul}yumoJF?>+H?Ni)H&#=Zd^K6^pCoA3>XT&!3-m;=`*yf1bap zs*mUCYlwcMZh0amBa5?o(|#4BO80WnAM8{?sOnTPqmztbmeswayXjhdd^Oo6ufp44iV0Pw$GZS-+S7S)tw4F)R z^`LOqER_}L-GGR;6;gN25T^~?8a6I$;)Ky?g~HA_lz<6PC(RHVe~reSAu>)Q3UIav zYp6JmQ&V;BnMu5Z*>2|!EP-{#jx%iPP&j(dl~v%HblELGW0*&foc8FD`ASR52RfQq zNq&L2N+}itL3~U|QRdh!v3sjWg70vl zdx2|8Zg=lbQhYqj_SD%es139|#}VP4=f+bdI=QEETeRzbcbhgl#KKm=6_S7tClWJZ zvErcy?=u-QjD7-AAh&DY0Ih6-*__t}ZgGQ>Rm1uXuI%=e)RnmyT --input-json policy= --input-json current_entitlements= --json", - "package": "lubuseb/access-request-review@sha-844f75658a9f", + "command": "runx skill lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json", + "package": "lubuseb/access-request-review@sha-2100c1996336", "input": "fixtures/grant-request.json", - "receipt_ref": "runx:receipt:sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", + "receipt_ref": "runx:receipt:sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba", "verification_json": "hosted-verification.json", "verify_verdict": "valid", "harness_cases": [ 
@@ -73,7 +74,13 @@ { "name": "published_registry_package", "status": "passed", - "detail": "runx registry publish completed successfully for lubuseb/access-request-review@sha-844f75658a9f on https://api.runx.ai.", + "detail": "runx registry publish completed successfully for lubuseb/access-request-review@sha-2100c1996336 on https://api.runx.ai.", + "evidence_ref": "registry-publish.json" + }, + { + "name": "public_url_binding", + "status": "passed", + "detail": "Submitted public_url is the version-pinned registry page https://runx.ai/x/lubuseb/access-request-review@sha-2100c1996336; registry-publish.json also reports the unversioned landing page https://runx.ai/x/lubuseb/access-request-review.", "evidence_ref": "registry-publish.json" }, { @@ -85,7 +92,7 @@ { "name": "clean_install", "status": "passed", - "detail": "runx add installed lubuseb/access-request-review@sha-844f75658a9f into a clean directory.", + "detail": "runx add installed lubuseb/access-request-review@sha-2100c1996336 into a clean directory.", "evidence_ref": "clean-install.json" }, { @@ -115,13 +122,13 @@ { "name": "dogfood_receipt_verified", "status": "passed", - "detail": "runx verify accepted receipt sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458 with no findings.", + "detail": "runx verify accepted receipt sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba with no findings.", "evidence_ref": "hosted-verification.json" }, { "name": "receipt_id", "status": "passed", - "detail": "Post-publish dogfood receipt id: sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458.", + "detail": "Post-publish dogfood receipt id: sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba.", "evidence_ref": "hosted-verification.json" }, { 
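Review bot: The new `public_url_binding` case in evidence.json binds the submission only to the version label `sha-2100c1996336`, not to the content digest that the other evidence files record for this release (`sha256:5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee` in clean-install.json and in the `registry_provenance` block of hosted-dogfood-output.json). A reader re-checking the packet can confirm the URL string matches but cannot tell from this case alone that the pinned page resolves to the same package whose receipts were verified. Consider carrying the digest into the case, e.g. `"digest": "sha256:5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee"`, or naming it in `detail` next to the URL; the adjacent `published_registry_package` case in the same hunk names only the version as well.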
@@ -135,10 +142,10 @@ "npx --yes @runxhq/cli@latest --version", "npx --yes @runxhq/cli@latest harness /mnt/f/BountyBar/repos/runx/skills/access-request-review --json", "npx --yes @runxhq/cli@latest registry publish /mnt/f/BountyBar/repos/runx/skills/access-request-review/SKILL.md --registry https://api.runx.ai --json", - "npx --yes @runxhq/cli@latest registry read lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --json", - "npx --yes @runxhq/cli@latest add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --to /tmp/runx-access-request-review-clean-install --json", + "npx --yes @runxhq/cli@latest registry read lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --json", + "npx --yes @runxhq/cli@latest add lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --to /tmp/runx-access-request-review-clean-install --json", "npx --yes @runxhq/cli@latest harness /tmp/runx-access-request-review-clean-install/lubuseb/access-request-review/ --json", - "npx --yes @runxhq/cli@latest skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json", + "npx --yes @runxhq/cli@latest skill lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --input-json access_request= --input-json policy= --input-json current_entitlements= --json", "npx --yes @runxhq/cli@latest verify --receipt-dir /tmp/runx-access-request-review-hosted-dogfood-receipts --json" ] } diff --git a/skills/access-request-review/evidence/hosted-dogfood-output.json b/skills/access-request-review/evidence/hosted-dogfood-output.json index ff6e5417..9080ce04 100644 --- a/skills/access-request-review/evidence/hosted-dogfood-output.json +++ b/skills/access-request-review/evidence/hosted-dogfood-output.json 
@@ -1,6 +1,6 @@ { "closure": { - "closed_at": "2026-06-23T04:56:46.586Z", + "closed_at": "2026-06-23T05:01:17.986Z", "disposition": "closed", "reason_code": "process_closed", "summary": "cli-tool default completed" @@ -327,7 +327,7 @@ { "artifact_refs": [], "closure": { - "closed_at": "2026-06-23T04:56:46.586Z", + "closed_at": "2026-06-23T05:01:17.986Z", "disposition": "closed", "reason_code": "process_exit", "summary": "cli-tool exited successfully" @@ -382,7 +382,7 @@ "terms": [] }, "canonicalization": "runx.receipt.c14n.v1", - "created_at": "2026-06-23T04:56:46.586Z", + "created_at": "2026-06-23T05:01:17.986Z", "decisions": [ { "artifact_refs": [], @@ -410,8 +410,8 @@ "selected_harness_ref": null } ], - "digest": "sha256:ac95917e67807fcaa370290ec498059f41ea1e4ad958b7f510793cbd9e7ce085", - "id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458", + "digest": "sha256:3dae333124cd272cca16d886a728ba88967b8c7c8c990bb338105b4339436915", + "id": "sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba", "idempotency": { "content_hash": "sha256:run_default_470fa655fc09-default-content", "intent_key": "sha256:run_default_470fa655fc09-default-intent", @@ -428,7 +428,7 @@ }, "schema": "runx.receipt.v1", "seal": { - "closed_at": "2026-06-23T04:56:46.586Z", + "closed_at": "2026-06-23T05:01:17.986Z", "criteria": [ { "criterion_id": "process_exit", @@ -439,14 +439,14 @@ } ], "disposition": "closed", - "last_observed_at": "2026-06-23T04:56:46.586Z", + "last_observed_at": "2026-06-23T05:01:17.986Z", "reason_code": "process_closed", "summary": "cli-tool default completed" }, "signals": [], "signature": { "alg": "Ed25519", - "value": "base64:9ERFD8dHGVW_qh1jxQJGUBCYh_pnBYkfryOBv75TVEPrHsRCc8ghpxEgfqKn_4tJa0bgJubmSY6E1PCegit6Bg" + "value": "base64:lyKf_YXHdammnW4HzXP2gHwm8rD4Mla3_x1ModRB1HX99RGC_TcNCk373gcP87Dzb0qe9jc6Dij4CfPDwLPpBg" }, "subject": { "commitments": [], 
@@ -457,9 +457,9 @@
 }
 }
 },
- "receipt_id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458",
+ "receipt_id": "sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba",
 "registry_provenance": {
- "digest": "sha256:b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59",
+ "digest": "sha256:5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee",
 "profile_digest": "sha256:865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e",
 "registry_key_id": "runx-registry-ed25519-v1",
 "registry_source": "remote https://api.runx.ai",
@@ -467,7 +467,7 @@
 "skill_id": "lubuseb/access-request-review",
 "trust_state": "trusted",
 "trust_tier": "community",
- "version": "sha-844f75658a9f"
+ "version": "sha-2100c1996336"
 },
 "run_id": "run_default_470fa655fc09",
 "schema": "runx.skill_run.v1",
diff --git a/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-dogfood-receipts-linux.tgz index 3d987c904e70b81dc6432015c5799dd3e537e6db..a08b090eb89a69e282852d50b25e29824eadcde7 100644 GIT binary patch literal 1508 zcmVX44RL#WdA?sSSA$H^KJ zJGC8Pi}>$1cCv323R|^QRWp3Z#&%|&nR#YxBYS=`!-P zR*Je3qJ&XGS*O*jgMGyVNutO+Q4)FM6WQ@m4p8KyI7BE6V4aVUA09Z--j=>VdZn>+ zoC8IR&#rrF{s)z#S4XdYITgGc4U=* zDTMyqx~JxUP?7uBzgl2Fisv}2$|yrsLI}#rB2L4A1Q9`%AC(0ylQ5+*Ez-&-rB{R~ zNxXzasEnyct0F1z(S;KHd%OSB%S+_n*1zXH*8igrdc#it58w|SINnPH;3x0@x2_@! z+G2O^8Y&!(Sw6Z#?xD*{82(D-4(f=c7#Njf4QhSQk7r&y^MiL@H22UPB}Z8r|6|r+ zE;u8&VIQ$(g5SqRP{>DsO7&E_^IKOhI|}Ot&ce*4#oh?eGA~5W^|HWnR!Ph?BQwi- z-=7%}UW`(d`EeA%XI)=3jO3SenGb$%1)#z-2`gNo0{*yzs?mB-=l4G!`f^t&j}U!#-vS$6*GoBSR5{p z(=1Mklq4i2S>_c*5TwY9iZBSWFo-i0S*Fmo6Pj|eG_ElYKeY+t#tOtdFKLDQM(1JT zRTv^(5igsKgR|iyP^KlTYbx`Kad>nRCiYM>er3}awfQ`wHHD6fPh)VOL@Nl~$eewrEsdZsREL$%;BNzT0}&6w6XvZ;{?&@go4gEmVgORFU=4b{}YTmV`LmI zO6qJ7Hne6ij!o6MrzY_ZWV>59^oEk&*m1^9otBPXFl80ECS7*R&k5v_N`?n?z)-&t zYcS_jIxA&6*x__iLZjJG*c4JDlx?enAuPd;!L?pu*i7`0^9N7^&03RaAhEm};2pXT zW#hc(BSwg6_gE^L-~j2d z()my{&pFra$LJRz1#r7zoZ{Lhm@HUR!WK6wS#mOLAm96p{w?JT?tf6)^k$#i`xEy+ zFN~vm|Nn!tXfWOXUP2zZ|K$o!o-`j)ZLeB2g$;RgeM3p=qs&W_B+EiS@I&7>CCcIS zO^2?(()5)tk@ncgaZA6RR?FpQ-%p`yeD9=9GRY*9OftzNlT0$nB$G@s$t08PA^!tK K(4?NEiGm~x zvJe$GVOhiqTtcNs>Cw5C;#<4_!^>0T-_<`t_x1lMgx;{*|C1Pp2OfHg0Q}(n|Jv7d z&KAU<`IZVtLza&&v480E5{AD}xq~{Y7y(A*#DLlW1@Q#MlVJJ=g)=Y^#z#>a|83V1 zAqA(T;r|iCrMQg^Fo*%5)*Vy+?AkZWmchE7voLevus0I4%nI2Fvn+_3REh}0>BO-< z2qqQ;igAjwAdVvVtnG@1)BJ)h^WN`G07ykx5>}+b1^iH01WB2sX~9@fmMBXD6a}P8 zGlB`5qGB4PL4^qp3zVQFO|XA+=xbgJVmievWYW~2{iF<{2xnmXk~E$5p&**Y;Ve5j z`{n1feEH(-U-|nvKEL|?)r&umpTC>utvG&nQK{wYCO;C^_M#C&c zQC5YR5zInTW>H!sRfJKJO=(ePETIggkz)#5w9+s^m)12d;IFY^+*pB_=OwF1*O)v^ zP(>i(6-C)(7@YJUfik0bT{D$eT)?AMFtLZ4;cLqy*~6FNsY@R`e3SDZ6ytVH;kxKe%LIzS(RNgtSA}f8kE@A>-Agi`USkL(*xO=OHOUfAzs3g zT(q4{)b*fn+bmHvGur`?Z7Y@O#1N-7+=i`PSjP#X(Mk=SaVP;BpibE#F#Z~hdqZSA 
zAxq|M5H_}|`GVN0^G|K!J;-)D_t+Jqowef)n>s5!Gw0eV@NK%>mY-9|BU7C8=z#g! zD8dIi+E^)m3AidH7Xv|i4{R5wrVpC^vw^gpA8KMdCg-r(@(Mcpicz{-EQnh6Bz6w= z@Y{w6!IZaBwu2o`CnYqR4TWtXHB!5_+8ZJY>{wjuC6>+9^f|u+HPCEf6AdI*mp!~g z|E_GDbz;B>F>UWl#o3NGn`C?-+9M^Dy!EMAf?LdU_3CXp$Q`M<_J@}hPk}IQ4ZGql z<_7lFzO*0`d}5?*JUgeoL0bi3S-KK>-*KoTe`Zw2ZXTQSb(&6`D**n^7;I1$&@G{R z>qmm`V4;5rYbx$`?~hV^IL!9c*)FIxv>nF*;g09lQ!P8SqjFQUtA2NzHe1AkR>3up zfDb1UJK?axp$0B8Ikn{c*ty5SI~>$Ka5TDcZZPQm`@&gI-vMaIp9h;!3vJgedlVcX zJ<%rbi{>%sy8Rga1f&3NH(W4My9CoYZ%WwW1|>^D`wiqF8wu 
diff --git a/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz b/skills/access-request-review/evidence/hosted-harness-receipts-linux.tgz index b9d3b1ec74c24479fa6757f076f656e033c4b3f0..904f713ae807e068e40ea5d7a91fb39d1f23374d 100644 GIT binary patch literal 2422 zcmV-+35oU}iwFP!000001MM7ZSKB(0pW@A@_8bx<*^=$-m+fuY+XB6`x3sh@yE(Ef zCkDq(WEn^~{qH-nod+~PLV@<4>uFCNOUk@wtQk2~MS9WZLdZOCD>*J?uHkwX%k%ai z%e4&K1Fq6)R>*jy^R10_0Rgy_nk#lGs;{^luVDjIf|-M{V>=s&z?E)TbZtuafFjpi zS=L4_gIm|#HUAfd&Q@pZUwc{F-;2}JN1|a2%p7NG@9S4Y7Cx8b7*p5Yu=XB_pDQr6 zzsfRw+q%2v|DvGQkNCP{7|j|6jIp zF_1&v>b8t4bZRSi&Twn96^AhVK;aJPgpwRQs>d~;C5W&#Vr^m{AlgN^i)qJq>5*B- z(=3ezPvWm!$60!vH-VkBW-!kSsaoC3mY$3xtgCz$W=>1qlMJwQgRDsPB;cwYDW2+B zv`eoiq-~f$413roj8gd8s0fl+^iJiZSIIqB0FStIorp&`fIr9yh#R_|7f4CM5P|TB z5*~Rz$6VSdu!%<^%&`+77rCB`Ti-TYdE8IAE|fGZ^P~^hw?jfH_JQ^pPYNSLz;nr* z?#I)YyX~{z`UhiI?~How-LI3_eY z6G(taB#1bYj5xk0-GCu%W9nhTg%jC!M8n80Jw*;jnU<-T7}4SsK5C=JITg@(FO(54 z65X>ULsGcd6IitC!FKf}K&DmP?@QH-;uJ0;1ruwaslRRfD67~Q@O-cag8FNvy^7#O z3T;F>jngt3PU9p2+)74^Zdc_<7%x<8?p4~miOzJ;;1}6&80#TW%Uj+5{1--ep$D0Y zb*V-!bf$V&Nf~vBc*K(#G2_hL*>Jb?c|%>tLurWgjnf+}B@GZtWFxt7KO@;2!6qkK zoYA0&qK?7K)`%;k&iVS1v$RN(Qd7Cq6^3dIC~K*PH7c1#nG({7TB1@}6esd~(-@}P z`Ke5#&eHbcw~Wq1&v#C`FtD5_5YwyX%$t0`6w! 
z0qYF1SQwpyzEb1l>8LP1|T%vgtj zQBa}G5D?!7;#RF0E6qY_%{feDKZbE`qOP@P3~zz8M*~YHWaRqb?U$Z5~ zn}x1yzJzOVv!O9GII%jb*xPI^v&NrATJs1x9o=M#Kd(qLH^w>7EgnM18<~O$h$XEu zUaffsSz?;YR(&(|Q*fAajl76UoojfmR-px&h}$~L63fixR*fwJwM@zo8W%CdQLC#} zA-}C^^O>2pOHqLNr8<~%89=s#?47U3d;tqvXRs!U%cu8uCf=-PE7w^Js2OWl1P2bU zNNyy}vqD`#IS<-tzPs)=3yuY;BF@1H;(AA7CQ4pmQv-!ePZ;O?UbxlR+pN*uu{HWu ziXkEQuglJCdI>|d{VaGGjUero%T{6soSx^pR|U-~`?~c!`U#u@d^?F#$@`^&#UM^X zc*NC6CaI_%AU}JL{+Q78f13W!{px?=qX2WnBZ4Ctcn|q|6v_O zoTmRX?f+a*y1lov&vK-bBKKb$@cmcW!T4oA_;--!`)uq{vAy@^w0K2&y=ZUv_Dg!0 zh|h<+!23Ab&ff*3_afKmgMN49xc&XZZ8>~-zO4V_`W{Dw1d$AVEPOk3A|e@%>>vzj zK#*`e;&_Po9z>`Ii?Ohsz-Jgmk!|~8{r(SkJl{cf$OI-o(EnMAW}W`eQUs6C|5>Ed z^naTEPt*Tt`aezo=US;BamWbwE%Z$`>27Up>EUSWmOZUVBv0W<14NT#D=C5k_H|oJ z*P4B9o51E(VBcr9%?#eo@Feg0{&8wqab!LF#}$u$4)#>pxs}RuYg?&IJv(kysCzZ) z&Xx5R`1I5u$F1l8G+1wj{~f2tX^FOLt&FwA$TftH8k+r-d{gEy>)F%lt4sXnGhUvO zG)7&5W|ZG%VUft4EaAPUc%OAJ(6HCt1+73GEU(=boFsP>pFX z;}9*KcxY1nZTOOMVHftAUE*BFRsIVZV>{Jq@-71ehp`@Pe|TG=zX`9|Uko8`yBND& z!{BlH2P}lL+Bzes1AjsAM`(P`!gR&PXA_xCWHyocePrI%WUtHNTYCO?MB;4vL3;kP z>U^c1|GbvJN6)|62sG)YNjDF^5oiv(8u$*H^S|c&@1F1fhRAk(=`iWrfydp*af!=9 z=7p5H+;J)4e&h)U3GRBt_iTcs4a)_?+!X<7&i{S|cnbU9$c^~6=r+?tN7iS;ac>f^Z{mOdd zbGbt9P)vQ7QV3H4|82HLztH>N)lO~I_rL3XUGx6;F9-Li{~)yG z#X8md9rYi!DZTdpKiF_>>c6Le8|uGa4m(fTt4v*%T73x*rXK~@Q;YgZDY!Z^5L+SzP$49lfP}=Alr`@$jfAVh%Vd8wf9Z3J;2Mq oOJsYHUl6SPUNL0*pB-!sG|)f;4K&a|1HSo<~ZYwfkw7 z3*PQCom8`tP{TaiTw9e8kmoq&8G8<@pK&=}(;9XNb}7aP(=|jew!JmWSy|FOsK|1r zEo&_k;jQcLn*WQ^#^%Q6zxLClx37}ZN0MOz>{2?3_tj@a=3bZM7(1T5X6-+cK9^_` zf1RfJZR_ru|BI4dz5cU4BaYh8&MdcGS9A|nS=KMbj~sqmR&hn%v| zCNAQB=y2jil-MlVILXrFSDXL0r>BU2S^o&#)c+j{z2S2I_dM*ZS?DPo@Hg-O7p*Mn ziveqOS|$}X>L_oFaBID#I1E2fxdXdM3kDh0WjU}Vh`4R!wu${7(GCcpbc0amt69gA zG*JA>r4y)asE)q^sh3vKAYBXGHJ0!D0j9oiU&9Ltcq z)T0bRS#m*bhhk(4MmX{@w>gtS+Kl>Trij5X%|#N8jcF=@m$`A{ObYnC%Y|e`oOf;E zA`yAmk8sqk2iw(~fLX3puP1a@ssx^f8YWg?Q@`8fQCg|dXIXy*2KC#@copG^h;n1n zsY=RfI8|{BytRc_($nrpz;Ao%UYfP{1--8k@r)r^3shg 
z%2VCFEXueeQbQI`g_&gTOouyV&Kv2u8VDn#XOiAt{p{FRs_PlkmF)J4s3UM$l+ksk*V4nlSYfcw?Am&>8CzFb*oT z83N&NK)6+V#!6ByteJ+f=qVUyrs`VzCh!(Sd)T+cxrhoQ$Et7Yf?IiCWhH}_30HZ` z??wdaskh!*6peR9QtJpl9o`g*cbBZ01>=lm7UNLz#-?x#W(ljTS8LWm z7KG-aRbNc<6cVOfBhFRn^BnH0RcV1IR69@8*fMjORdbWzmT_4^-wFkF)avBA5I>fU z`7}&Br758NLLbbu453>>_s*77zJP_T5v-A_yn9~@@p?U5rOtdoO;x*OIB0mua${+h z7Wxv)Sy-hH`YPsdi>sN8 zlc>6Z{OUdWV^V|vH2BZ`&i_G(B8eRz4m+Gj<>}91RC<`eNj}7IhIb_Ag3%}n0zo{6 zIE8al==(O~9&YfT--4bZ{ww1@Ho}B9_|H?&()iEMmisdJ5B6z;|4i_o-C-F2`Qo!T z?z?;FL;J<+FR!}shYthC_ry0l86CC{B|M_&X#dE5zxQ@{^7d8mN}jcq9BpkMlHvK= zJ^T`nNb&va$I$`v4vX`}_z(6Zm)Lg#R|W`C#}?cT5hb<+>p~cpcIeqYSb+l;aV%Zt zhloo_;k-;mxH|sBP#{qdP{;9{pTK_>vRMWHS;*iK@Sk}(4gS;MKMnrV;6Dxi)8IeL z<3Hur==Z^Y>Ydt>_|Ift*Wf?D9X0q*ga6#`{O<&zONsAzI1B^FrHBY5DGow`F&z0M zvx&Yb7 z|FMzZ;6D@mr?-1}zH_GHkLO>v$lyH5+HwyaY`^PnN5PgI$>4OmyYv3F-RI=!XzNIQ z$-kZiJn^>d?#}Ckd~iO#+4i=){>xmt$UgiOe>t+ZdW-NMNrcb2^f4;|I={2nf`a29495)jngd>#q(8o=D0*1OJDkoj70R)0;cK|A}qKxq|=OFxKGz zPeC`}|J^K4wdhu%E}{0GNQ9oj_t^6Z4j`-)`XX^WzeM;2bS@>TQ~!k11AmB6!iEVO zh==1^=JL{?PyAS4Y}*5TL3V*{5ArShrN4W7lWh<1$KMNVdyxMivGm`S!wv9P7h6LO XHPlc;4K>uzZ$SSCoP$*K08jt`-&EMi diff --git a/skills/access-request-review/evidence/hosted-harness-verification.json b/skills/access-request-review/evidence/hosted-harness-verification.json index 784cafa4..15f56422 100644 --- a/skills/access-request-review/evidence/hosted-harness-verification.json +++ b/skills/access-request-review/evidence/hosted-harness-verification.json 
@@ -3,21 +3,21 @@ "signature_mode": "production", "trees": [ { - "root_receipt_id": "sha256:59b6428571bb956402e0f419be113adfa326dcab6a13e103a7db5b3a3ab21e84", + "root_receipt_id": "sha256:0636c61c47e81f7eca6bf7a8f744503e3698289839cbcc11f1321cc758b10184", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:9b0cf158e30ddc4f34e5a4f712216b12775fddea4cc99e27a0d4b10b883ad71c", + "root_receipt_id": "sha256:0d0379e46e93b8a7f47276d68d557a4752a9f8c40ca78298320e3e46c61a7cb2", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:ef433a34265ae0b0794786be2fc5148bb4f34e8a53bd4ab3260d8b5d27c423ac", + "root_receipt_id": "sha256:c90b1a0af21feb8469dc3e5dd0b4ac5a01881fabd1e21c04c6a2230d680a504d", "receipt_count": 1, "parent_missing": null, "valid": true, diff --git a/skills/access-request-review/evidence/hosted-harness.json b/skills/access-request-review/evidence/hosted-harness.json index 25421de4..c8ef0579 100644 --- a/skills/access-request-review/evidence/hosted-harness.json +++ b/skills/access-request-review/evidence/hosted-harness.json @@ -9,9 +9,9 @@ "missing-justification-fails-closed" ], "receipt_ids": [ - "sha256:9b0cf158e30ddc4f34e5a4f712216b12775fddea4cc99e27a0d4b10b883ad71c", - "sha256:ef433a34265ae0b0794786be2fc5148bb4f34e8a53bd4ab3260d8b5d27c423ac", - "sha256:59b6428571bb956402e0f419be113adfa326dcab6a13e103a7db5b3a3ab21e84" + "sha256:0d0379e46e93b8a7f47276d68d557a4752a9f8c40ca78298320e3e46c61a7cb2", + "sha256:0636c61c47e81f7eca6bf7a8f744503e3698289839cbcc11f1321cc758b10184", + "sha256:c90b1a0af21feb8469dc3e5dd0b4ac5a01881fabd1e21c04c6a2230d680a504d" ], "graph_case_count": 0 } diff --git a/skills/access-request-review/evidence/hosted-verification.json b/skills/access-request-review/evidence/hosted-verification.json index bf57c4f2..7861c84d 100644 --- a/skills/access-request-review/evidence/hosted-verification.json 
+++ b/skills/access-request-review/evidence/hosted-verification.json
@@ -3,7 +3,7 @@
 "signature_mode": "production",
 "trees": [
 {
- "root_receipt_id": "sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458",
+ "root_receipt_id": "sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba",
 "receipt_count": 1,
 "parent_missing": null,
 "valid": true,
diff --git a/skills/access-request-review/evidence/local-harness-receipts-linux.tgz b/skills/access-request-review/evidence/local-harness-receipts-linux.tgz index eb3456bb5a1ad9293f64a08f87bd8ef76ad8ecbf..ee8cf5821f12f7fe917d4c491080c488be9de91f 100644 GIT binary patch literal 2389 zcmV-b399xViwFP!000001MOUEQ`lrv5Ux>wf9K!+@Nd!t1Q#s z8+Tv-A4+P4{LcrBP`4YnC~{d4QGr;17^BR`RCo@LDdHGm=0l4g5Z`t@O8kg(giN(##ZoPKyNr55 z+C~WEVjl;@r4&9kD#Aqa-np3cD!pe0U@-%AV;18O{vjtMUgY_HC+5OZvclJ0g_g0Or16NnvydSuR|syU)jO zcejg|#W5xHi;hk{oPXFp-#S#ghu-F!@lmlge)EZ(srbvw!|desap?a0pq-rWZoj3Y zPwhi?;*L(_aUpX$DPA9CyI~R2txF?CB>Rx&GtIE=**Ns=nBjoO*rp7KI1#AlFa~F<|*%1qSuUN`DpMnc&)}bS~2} z8_s2t0BCA1exnrD^v?waSi(eUTla47W6@T8T*^5>DV~kQ-1BtG-Uv21@qCX4Llkum zUbRL{8FS9Ymy)GLl9ZOpg|0YMZ7{PIYFM)pX`Cr8jH)FomBlg<-@3*K-OkTNB6OCv z=Raj^9)U$bn0aM{E=F_DS}+x5m$M;XuhTB6M?`|l9GIBLtLam(tQYV!bq{!FkV$TA z4)#h-kf)=*|_Kf2#@b+k6iLu~?na8RZbrD&5AoG$z%ebpt@_QWo zD3oNCbP)NuR!r96Xl$kA1;`bvY*+_qrGcs9TvtXjZ)PG*`|F&Tx5*hSwlapwejQPH zF&r{Ase-svuo8ciurw9Qx@LAmcG#UnP-tc$Y!WHS^0KT}6EOwz7`diHOf+*{`Fw%Y z5N1Q;Xb56;QHi(STI7wRBCTZvn~v^s#nBCIX3n@|xy2$#d81P}0kwox=BqWUAPZb` z)v6z^;}im>93#fEw7G_LwMs3pgly|9ODxluTQ#>B%rYrc=yM?Ij9yh`Ht#ZqWw_dZmXKVDeR6{`RUsarG z_X2@x|5>mYjiBt7!i}&yvTv09m2w9#N!M_a6n{)aRDbl&qJZ>QrlxV;=avY zPD9(HaTJRN|M`vRDg3`0{zDD^V-u&rf1ZMt#(#b`>+i>Z@J8S^_|Fvo`G|u|o*#|V z&G6NZ+SzFLH#Bb`QtiEQ!{?p(;tKR=`oDc_r8~Dt3j|(NX?^(w)KUEj`{DCwuSq zcRp-+laFT+8STG2{%ecB7hCjrGNBsTn@7R++3q|3F`H~Iy#K=}NQzu;Q_39Mbv)rv z-ysI%3z1ET9YOjs-zI_WG0!1EEbPb?PQ)m(d1<#*@gK(zAjKn>WAZcj&muM};XjKQ zJO=(VH&28AH26=0|1|hdga6z*>c-j$o*SqO|r|D^0vh7++b1gYC4QZi`Wk88G-D^~)QRr|CWn zgcGlILC^;LfZ~q;Mov>_Nied>mL^;Nlx$hzGNS)|Z2X?=n07zZ-AI3>yOI76W8=+& z*_434MG0trQS)fD3jPawdNKY1^!}dvf7qtC@n7uH=KG&dLU-W5y*Ks}o}$TJHOWWN;EsqdQ8179L6VWX4{#lvweLwf1^iC@-GQu z`2yV@Q-0pLg zRLw$0!#wM3-4YN0qf|dJqo{u3vb}~aObNCvj2MG)nAr?%8T7UUH-RF{xiXBcO!_|@ zcT@l06m~j0o&W5mNpCMo&hLqaHn443Q+r>1g1MJ{0by(-vSsYu6F*BZwZBT!{72(% z>i?U9+93Y3J}1=f`c~i&AwtW=jC157VOrFsf`k^q0b`6{(`LToTMU~fk7%*g4D6Gg!P 
zH516j4t9x6DST~M_;Dn>b2;%Ux#tStA(zYwd5C@ZL6%Qgz#PYyk^}*A9fBy~q2qGQ zrHOo#I3&azTRvh4RDoOHwp&@$OL$%=safW653oNE2&LEs+9MtpS_YqI(zd#9J_Srs zy63x=31L|9*N4Zuy)1wFj(<2gJUWa|qW8i6(O}F*J@3u=$>EE`{ny8B*?vXj3;cz? za*r+RfU>r2{&8dv+bP}s{PcL`<}3Q34-xt;RVO(76}LkQZ_8nbJm5Fzg5{ z+I3^Q`Vt_^Rn+TA<%LlKkD-E&4barz)_#;$Z1j27-vB}VwbEXNexa z>JZV8$1`HunY***Zt3%ydL9j=CeqVRud$RgKq!$8<-+@nq&I{`PPo{UgCdGL1}|Gf zuCzMm<4ewxB92QxmugU>l1Z2pLL2I`Mz~0ptDejk6_O5zsmhC_*3*pLSk6S4=?SzkOf$%gbqHt$6-qY&@qHj} z)S5ApG?2!e!&vqrXy-cWT6@~?23UL8H{^vBg{EWFle!FyydPyHf|fQ{Ipuo->?l>l zEAGJavt040c1Nu%6^($eP^E*~K`RM#78iM?H2q=D(yYIZiA9~9!DJhSklCjml@)^l zSCh(#O93nPhcQnQsf;PICEj6m58Ti50@Gd(Xw z0p?fgV9uov*%GpMwkGoh3~Y^HOc<53_je}Vu6rxjSq!KdYfFLyhf9)cNwc(2ODN|- zJI!}j-DbhDAXP*eI6+jeNOVWZD=cbYKjR7QoZkz#9(&t0x*L{8-%2qg(-(Ue{-@;ZXngi`ysG{axQv-12wVw~2O8n<*A0awOc6?i9haK6z}$8jsK5^y z3(SB~-*R0ZhB6eJ*MGR>xE3-4Kudn2{<9LzCiS0{2=1Z&vq-0@|1|ZVrvB5^f13Kw zm92irAtT&&qp!0`x6|nilDrdkcFP%mm#dDFV7QJ>k)1MiXPuRcT|HuFaF%sl_cSq# zC^R1ZYsp(5gRN9LHWE2Do-38AN2jd{lUHNfSsHJEzfP5X+IswNjrDr?|7miXlxVxg z+E`1BJcqDQ1HD#~FU$O7Ji0qwz@qH&jLu!5#i&cr4C|XTC}R04^>?7(c%);zs{>C# zg6#~-&a5M|LH*e~OZ~1%XqV7AXI$56YD{}62M^wf20H!z2wz+d?85r5ORTH7%6}n> zpC`GRyh{PWrzr0~|M;dte;r;u=MNy3x)`&rX7Dt53j<-tYm5lmfj=PlJrpBnp|fT& zvWb=^TK+E4a&s}d+&2E8Hhx2N%)0NWHeT;y*Q||C_q?~LjW-i!lLGz`DWEy1xi@Ie zf12~34eS4uNi#GhvV>(xPLaStXxWx7g9>RorY)R+!jHrPb7ESqD-fkVfx*akOs6^j z`HkQq?0<{AJ4D|NGm)Ci_2#X?byr-TMvuKddkNE${!ZZQITM?;+rt{hyb?%2Rrk z#mlW$Pr`&e-@aky5bPrAxDK`*moZ0g17HeLk*u=*6w@7VBFklC!Uyv1u$C^p_WtzS z_G;Pg;DY1|+3w`B_1bqYuaoT#e))HWY39S8l#gOfPb+9$iKm!dl&_DwXG|<2= OhQ9!9TMM!PPyhhK@w}7( diff --git a/skills/access-request-review/evidence/local-harness-verification.json b/skills/access-request-review/evidence/local-harness-verification.json index df115fe5..15605088 100644 --- a/skills/access-request-review/evidence/local-harness-verification.json +++ b/skills/access-request-review/evidence/local-harness-verification.json 
@@ -3,21 +3,21 @@ "signature_mode": "production", "trees": [ { - "root_receipt_id": "sha256:57e3f3e04c44ea50c1df464e2ddce6836c8d5d5de1c1a23499c055b24ea0b838", + "root_receipt_id": "sha256:80913055a7d490e01e3a27ca0dd6aa2ace475770b66537a1dc83c6c5b375fdfe", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:9d1e8498bd72ab90451b384da67ed5da9d0c153c6381a43152e712151b0fd089", + "root_receipt_id": "sha256:944b199698a86fb54d84d79443a85ee2ad3cd36005ee6e3e4b92f0d1c0bccf7c", "receipt_count": 1, "parent_missing": null, "valid": true, "findings": [] }, { - "root_receipt_id": "sha256:b4d82ccf4917aa090c34595c2f421d77721367b8b471332e5378769633bfbdac", + "root_receipt_id": "sha256:960d6a9d5e0a90aa5a815e74cf50c101a85a88928347528dcc08db7b10f90eaa", "receipt_count": 1, "parent_missing": null, "valid": true, diff --git a/skills/access-request-review/evidence/local-harness.json b/skills/access-request-review/evidence/local-harness.json index 754450c3..6942da98 100644 --- a/skills/access-request-review/evidence/local-harness.json +++ b/skills/access-request-review/evidence/local-harness.json @@ -9,9 +9,9 @@ "missing-justification-fails-closed" ], "receipt_ids": [ - "sha256:57e3f3e04c44ea50c1df464e2ddce6836c8d5d5de1c1a23499c055b24ea0b838", - "sha256:b4d82ccf4917aa090c34595c2f421d77721367b8b471332e5378769633bfbdac", - "sha256:9d1e8498bd72ab90451b384da67ed5da9d0c153c6381a43152e712151b0fd089" + "sha256:80913055a7d490e01e3a27ca0dd6aa2ace475770b66537a1dc83c6c5b375fdfe", + "sha256:960d6a9d5e0a90aa5a815e74cf50c101a85a88928347528dcc08db7b10f90eaa", + "sha256:944b199698a86fb54d84d79443a85ee2ad3cd36005ee6e3e4b92f0d1c0bccf7c" ], "graph_case_count": 0 } diff --git a/skills/access-request-review/evidence/registry-publish.json b/skills/access-request-review/evidence/registry-publish.json index 7ef735d5..16853d2c 100644 --- a/skills/access-request-review/evidence/registry-publish.json 
+++ b/skills/access-request-review/evidence/registry-publish.json
@@ -8,12 +8,12 @@
 "skill_id": "lubuseb/access-request-review",
 "owner": "lubuseb",
 "name": "access-request-review",
- "version": "sha-844f75658a9f",
- "digest": "b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59",
+ "version": "sha-2100c1996336",
+ "digest": "5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee",
 "profile_digest": "865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e",
 "trust_tier": "community",
- "install_command": "runx add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai",
- "run_command": "runx skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai",
+ "install_command": "runx add lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai",
+ "run_command": "runx skill lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai",
 "public_url": "https://runx.ai/x/lubuseb/access-request-review"
 }
 }
diff --git a/skills/access-request-review/evidence/registry-read.json b/skills/access-request-review/evidence/registry-read.json
index a4a96e64..9a8d4cd4 100644
--- a/skills/access-request-review/evidence/registry-read.json
+++ b/skills/access-request-review/evidence/registry-read.json
@@ -3,16 +3,16 @@ "registry": { "action": "read", "source": "remote", - "ref": "lubuseb/access-request-review@sha-844f75658a9f", + "ref": "lubuseb/access-request-review@sha-2100c1996336", "skill": { "skill_id": "lubuseb/access-request-review", "owner": "lubuseb", "name": "access-request-review", "description": "Review a bounded access request against policy and emit a least-privilege grant proposal or denial.", "category": "security", - "version": "sha-844f75658a9f", - "digest": "b1e8d2b79039ff87d8dcc34fbbeb2f2c5d51cee5e7df305770855c271b2ccf59", - "markdown": "---\nname: access-request-review\ndescription: Review a bounded access request against policy and emit a least-privilege grant proposal or denial.\nsource:\n type: cli-tool\n command: node\n args:\n - run.mjs\n input_mode: stdin\n cwd: .\n timeout_seconds: 30\ninputs:\n access_request:\n type: json\n required: true\n description: Request packet with requester, requested resource, requested action, business justification, and optional ticket metadata.\n policy:\n type: json\n required: true\n description: Access policy with allowed roles, resources, actions, TTL caps, approval rules, and escalation rules.\n current_entitlements:\n type: json\n required: true\n description: Current role and grant state for the requester.\n objective:\n type: string\n required: false\n description: Optional operator intent for the review.\nrunx:\n category: security\n input_resolution:\n required:\n - access_request\n - policy\n - current_entitlements\n---\n\n# access-request-review\n\nUse this skill when an operator needs a bounded access decision before a\nhuman-approved one-time grant. 
The skill compares a request, the governing\npolicy, and current entitlements, then returns `grant`, `deny`, or\n`needs_human_review`.\n\nThe skill never creates access, calls identity providers, sends approval\nmessages, stores credentials, or widens authority outside the supplied policy.\nWhen access is allowed it emits a least-privilege grant proposal with a bounded\nTTL, exact scope, approval gate, escalation lane, and evidence citations.\n\n## Inputs\n\n- `access_request`: requester id, role, action, resource, requested scope,\n justification, ticket id, and optional requested TTL.\n- `policy`: allowed roles, resources, actions, maximum TTL, denied resources,\n sensitive resources, required approvals, and break-glass rules.\n- `current_entitlements`: current grants and group/role state for the requester.\n- `objective`: optional operator intent.\n\n## Output\n\nThe runner returns JSON with:\n\n- `decision_packet`: typed decision packet.\n- `grant_proposal`: one-time proposal when the decision is `grant`.\n- `escalation`: human approval or denial escalation lane for the request.\n- `evidence_json`: compact review evidence for external verification.\n- `report`: human-readable review summary.\n\nDecisions are deterministic and fail closed when request, policy, or entitlement\nfacts are missing.", + "version": "sha-2100c1996336", + "digest": "5d7e4a0c2122f7f98d418827f0115f81c158004ac9a12f2236ba6eb212d60aee", + "markdown": "---\nname: access-request-review\ndescription: Review a bounded access request against policy and emit a least-privilege grant proposal or denial.\nsource:\n type: cli-tool\n command: node\n args:\n - run.mjs\n input_mode: stdin\n cwd: .\n timeout_seconds: 30\ninputs:\n access_request:\n type: json\n required: true\n description: Request packet with requester, requested resource, requested action, business justification, and optional ticket metadata.\n policy:\n type: json\n required: true\n description: Access policy with allowed roles, 
resources, actions, TTL caps, approval rules, and escalation rules.\n current_entitlements:\n type: json\n required: true\n description: Current role and grant state for the requester.\n objective:\n type: string\n required: false\n description: Optional operator intent for the review.\nrunx:\n category: security\n input_resolution:\n required:\n - access_request\n - policy\n - current_entitlements\n---\n\n# access-request-review\n\nUse this skill when an operator needs a bounded access decision before a\nhuman-approved one-time grant. The skill compares a request, the governing\npolicy, and current entitlements, then returns `grant`, `deny`, or\n`needs_human_review`.\n\nThe skill never creates access, calls identity providers, sends approval\nmessages, stores credentials, or widens authority outside the supplied policy.\nWhen access is allowed it emits a least-privilege grant proposal with a bounded\nTTL, exact scope, approval gate, escalation lane, and evidence citations.\n\n## Inputs\n\n- `access_request`: requester id, role, action, resource, requested scope,\n justification, ticket id, and optional requested TTL.\n- `policy`: allowed roles, resources, actions, maximum TTL, denied resources,\n sensitive resources, required approvals, and break-glass rules.\n- `current_entitlements`: current grants and group/role state for the requester.\n- `objective`: optional operator intent.\n\n## Output\n\nThe runner returns JSON with:\n\n- `decision_packet` object: typed decision packet.\n- `grant_proposal` object: one-time proposal when the decision is `grant`.\n- `escalation` object: `required`, `lane`, `reason`, and optional `ticket_id`\n for human approval or denial escalation.\n- `evidence_json` object: compact review evidence for external verification.\n- `report` string: human-readable review summary.\n\nDecisions are deterministic and fail closed when request, policy, or entitlement\nfacts are missing.", "profile_digest": 
"865d7c9c5be962b752080face77831ddbf4d110b6fae85ee40baba3dae6b436e", "runner_names": [ "default" @@ -33,7 +33,7 @@ "id": "publisher:user_53f00ae7ec2363e37ac6ff68", "status": "declared", "summary": "LubuSeb", - "issued_at": "2026-06-23T04:56:39.582Z", + "issued_at": "2026-06-23T05:01:11.882Z", "metadata": { "publisher_display_name": "LubuSeb", "publisher_handle": "lubuseb", @@ -43,8 +43,8 @@ } } ], - "install_command": "runx add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai", - "run_command": "runx skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai" + "install_command": "runx add lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai", + "run_command": "runx skill lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai" } } } diff --git a/skills/access-request-review/evidence/report.md b/skills/access-request-review/evidence/report.md index 0ad323d0..c474f9ab 100644 --- a/skills/access-request-review/evidence/report.md +++ b/skills/access-request-review/evidence/report.md 
@@ -1,13 +1,13 @@ # access-request-review delivery report -- Package: `lubuseb/access-request-review@sha-844f75658a9f`. -- Public registry URL: `https://runx.ai/x/lubuseb/access-request-review@sha-844f75658a9f`. +- Package: `lubuseb/access-request-review@sha-2100c1996336`. +- Public registry URL: `https://runx.ai/x/lubuseb/access-request-review@sha-2100c1996336`. - Source PR: `https://github.com/runxhq/runx/pull/123`. - `runx-cli 0.6.13` was used for publish, registry read, clean install, harness, dogfood, and receipt verification. - Local harness passed three cases: `least-privilege-grant-proposal`, `deny-for-disallowed-resource`, and `missing-justification-fails-closed`. -- Hosted clean install succeeded with `runx add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai`. +- Hosted clean install succeeded with `runx add lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai`. - Harness from the clean installed package passed the same three cases and all hosted harness receipts verified. -- Hosted dogfood produced sealed receipt `runx:receipt:sha256:6f8bddcc14381c6402cc308762b33f84f1525a6e752792940b17e95eb1d16458`. +- Hosted dogfood produced sealed receipt `runx:receipt:sha256:a4fd591f7cc19db6843c35c1f25dbed748e6eb8f2cd0b417707c51d6e0efb7ba`. - `runx verify` returned `valid=true` and no findings for the dogfood receipt. - The runner emits a bounded `one_time_grant_proposal` only when the request matches role, action, resource, scope prefix, TTL, and approval-gate policy. - The implementation is read-only: it reads the provided JSON request, policy, and entitlements, computes deterministically in memory, requires no credentials, performs no network/provider calls, and emits structured stdout. 
@@ -15,9 +15,9 @@ Reproduce: ```bash -runx add lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai -runx registry read lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --json +runx add lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai +runx registry read lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --json runx harness ./access-request-review --json -runx skill lubuseb/access-request-review@sha-844f75658a9f --registry https://api.runx.ai --input-json access_request='' --input-json policy='' --input-json current_entitlements='' --json +runx skill lubuseb/access-request-review@sha-2100c1996336 --registry https://api.runx.ai --input-json access_request='' --input-json policy='' --input-json current_entitlements='' --json runx verify --receipt-dir /tmp/runx-access-request-review-hosted-dogfood-receipts --json ``` diff --git a/skills/access-request-review/evidence/verification.json b/skills/access-request-review/evidence/verification.json index fca97de0..5940442e 100644 --- a/skills/access-request-review/evidence/verification.json +++ b/skills/access-request-review/evidence/verification.json @@ -3,7 +3,7 @@ "signature_mode": "production", "trees": [ { - "root_receipt_id": "sha256:a4ba985040f3e89d93c2ac2b11ffc5f916d172fb878ec34d3484270958df7428", + "root_receipt_id": "sha256:e7345fa793916faca7cad087176a959b36bbf794d35ed9e56a587eb2f9a1ac21", "receipt_count": 1, "parent_missing": null, "valid": true,