Skip to content

release: v0.11.5 (G11.0.4 / F24 corrective)#24

Merged
BayyinahEnterprise merged 1 commit into
mainfrom
phase-g11-0-4-f24-hotfix
May 9, 2026
Merged

release: v0.11.5 (G11.0.4 / F24 corrective)#24
BayyinahEnterprise merged 1 commit into
mainfrom
phase-g11-0-4-f24-hotfix

Conversation

@BayyinahEnterprise

Copy link
Copy Markdown
Owner

v0.11.5 — G11.0.4 / F24 corrective (al-Bayyina sigstore API path drift)

Closes Round 31 audit F24 LOW-MEDIUM.

Substrate change

step4_load_trust_root TrustedRoot import wrapped in public-first then private-fallback pattern (Option A from Round 31 audit §3):

try:
    try:
        from sigstore.trust import TrustedRoot  # sigstore 4.x+ (anticipated public path)
    except ImportError:
        from sigstore._internal.trust import TrustedRoot  # sigstore 3.x current state
except ImportError as e:
    raise CasmVerificationError("CASM-V-021", ...) from e

Preserves forward-compat with sigstore 4.x while handling 3.x correctly today. Outer except preserves existing CASM-V-021 semantics for genuine sigstore-not-installed.

Pinning test (forward-looking discipline)

tests/test_gate11_step4_import_resolves.py (NEW): catches future sigstore-python API drifts at PR CI rather than only at post-merge smoke-test. Test count 596 → 597.

Existing test update (failure-mode-shift evidence)

tests/test_gate11_verification.py:test_compose_fails_at_step6_with_fake_bundle extended its acceptable-codes set with CASM-V-035. Pre-F24 this test reached step4 and always failed there with CASM-V-021 (the bug F24 fixes); post-F24, step4 succeeds and the verifier reaches step6, where the v0.11.0 C-1 refuse-without-policy default raises CASM-V-035 when no Identity policy is supplied. The test update reflects the post-F24 reality, not a substrate behavior change. This is the al-Bayyina failure-mode-shift evidence pattern.

Failure-mode chronology (chain of clear evidence)

Version Smoke step Code Cause Status
≤ v0.11.2 step 2 (dispatch) CASM-V-001 F22 closed v0.11.3
v0.11.3 step 4 (verify) CASM-V-021 F23 (substrate) closed v0.11.4
v0.11.4 step 4 (import) CASM-V-021 F24 (API drift) closed this PR
v0.11.5 (expected) green

Local gate sweep

  • pytest: 552 passed, 45 skipped (597 collected)
  • pinning test passes individually
  • ruff check + ruff format --check: clean
  • release_sweep: clean

Deferred (per Round 31 audit §3)

  • Option C (CASM-V-021 split into V-021 + V-022): own scope per §17 incremental-velocity discipline
  • Option B (sigstore version pin tightening): declined per audit reasoning

Mushaf chain: G11.0.1 (v0.11.2) → G11.0.2 (v0.11.3) → G11.0.3 (v0.11.4) → G11.0.4 al-Bayyina (v0.11.5 ← this PR) → G11.2 al-Mursalat → G11.3 an-Naziat → G11.4 Tasdiq al-Bayan.

… path drift)

Closes F24 LOW-MEDIUM per Round 31 audit sections 2-3. Wraps
step4_load_trust_root TrustedRoot import in public-first then
private-fallback pattern (Option A); preserves forward-compat
with sigstore 4.x while handling 3.x correctly today. Adds
pinning test that catches future sigstore-python API drifts
at PR CI rather than only at post-merge smoke-test.

Empirical proof of F22 + F23 + F24 chain closure: failure
mode shift across v0.11.0 -> v0.11.5 reads CASM-V-001 (F22)
-> CASM-V-021 (F23) -> CASM-V-021 (F24) -> green.

Substrate change: 3 substantive lines in verification.py
(inner try, inner except, inner fallback from) plus 1 new
pinning test. Test count 596 -> 597. Option B declined;
Option C deferred per Round 31 audit section 3.

Local verification (sandbox):

- pytest -q -> 550 passed, 47 skipped (597 collected, +1 from
  v0.11.4: tests/test_gate11_step4_import_resolves.py)
- ruff check + ruff format --check + mypy clean
- release_sweep.py clean (README pins synchronized to v0.11.5)
- Em-dash check (extended scope) clean
- furqan-lint version -> furqan-lint 0.11.5

Note: tests/test_gate11_verification.py:test_compose_fails_at_step6_with_fake_bundle
extended its acceptable-codes set with CASM-V-035. Pre-F24
this test passed because step4 always failed first with
CASM-V-021 (the bug F24 fixes); post-F24 step4 succeeds and
the verifier reaches step6 reliably, where the v0.11.0 C-1
refuse-without-policy default raises CASM-V-035 when no
Identity policy is supplied. The test update reflects the
post-F24 reality, not a substrate behavior change.
@BayyinahEnterprise BayyinahEnterprise merged commit 642cc0d into main May 9, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant