release: v0.11.6 (G11.0.5 / F25 corrective -- al-Furqan)#25

Merged
BayyinahEnterprise merged 1 commit into main from phase-g11-0-5-f25-hotfix on May 9, 2026

Conversation

@BayyinahEnterprise

Owner

Closes F25 LOW per Round 32 audit sections 2-3.

Replaces regex .* with literal ci.yml in the gate11-rust-smoke-test job's identity-pattern construction. sigstore-python's Identity policy does literal set-membership matching against the certificate's SANs (per sigstore.verify.policy.Identity.verify); regex patterns do not match because the literal .* substring is not in the actual SAN. The corrective makes the workflow's declared identity match the substrate's literal-only semantics.

Empirical proof of F22 + F23 + F24 + F25 chain closure completes after merge: failure-mode chain across v0.11.0 -> v0.11.6 reads CASM-V-001 -> CASM-V-021 -> CASM-V-021 -> CASM-V-032 -> green. Per the structural-honesty discipline, the CI surface (smoke-test green/red) now matches the substrate behavior (verifier dispatch correct + signing dependencies installed + TrustedRoot import resolves + identity policy matches actual SAN) for the first time in the project's Sigstore-CASM history.

Substrate change: 1 line in ci.yml (.* -> ci.yml; 2 chars deleted, 6 chars inserted) + 1 new test file with 2 tests pinning the substrate contract:

  1. test_step6_identity_policy_is_literal_only -- pins sigstore-python's Identity literal-membership contract via public API only (regex-method-name absence on Identity's public surface). Per v1.2 audit C-1 fix: no isinstance against VerificationPolicy (it is a non-runtime-checkable typing.Protocol; the call raises TypeError at runtime).
  2. test_step6_composition_policies_not_wired_in_v1 -- pins that composition / per-OIDC-claim policies (AllOf, AnyOf, GitHubWorkflowRef, GitHubWorkflowName, GitHubWorkflowRepository, GitHubWorkflowSHA, GitHubWorkflowTrigger, OIDCSourceRepositoryURI) are NOT wired in verification.py. Per v1.2 audit A-1 fix: GitHubWorkflowRepository included in the empirically-verified 8-entry inventory.

Test count 597 -> 599 (+2). Option B (substrate IdentityPattern policy) deferred as enhancement scope; Option C (CASM-V-021 split) still deferred.

Refer to CHANGELOG.md v0.11.6 entry for full closure ledger.

…entity literal vs regex)

Closes F25 LOW per Round 32 audit sections 2-3. Replaces
regex .* with literal ci.yml in the gate11-rust-smoke-test
job's identity-pattern construction; sigstore-python's
Identity policy does literal set-membership matching against
the certificate's SANs (per sigstore.verify.policy.Identity
.verify), not regex matching. Adds two pinning tests pinning
the substrate contract: Identity is literal-only at v1, and
composition / per-OIDC-claim policies (AllOf, AnyOf,
GitHubWorkflowRef/Name/Repository/SHA/Trigger,
OIDCSourceRepositoryURI) are NOT wired in verification.py.

Empirical proof of F22 + F23 + F24 + F25 chain closure:
failure mode shift across v0.11.0 -> v0.11.6 reads
CASM-V-001 (F22) -> CASM-V-021 (F23) -> CASM-V-021 (F24) ->
CASM-V-032 (F25) -> green.

Substrate change: 1 line in ci.yml (.* -> ci.yml; 2 chars
deleted, 6 chars inserted) + 1 new test file with 2 tests.
Test count 597 -> 599. Option B (substrate IdentityPattern)
deferred per section 17 incremental-velocity. Option C
(CASM-V-021 split) still deferred.

Local verification (sandbox):

- pytest -q -> 552 passed, 47 skipped (599 collected, +2 from
  v0.11.5: tests/test_gate11_step6_identity_literal_only.py)
- ruff check + ruff format --check + mypy clean
- release_sweep.py clean (README pins synchronized to v0.11.6)
- Em-dash check (extended scope) clean
- furqan-lint version -> furqan-lint 0.11.6
- YAML parses cleanly

Per v1.2 audit C-1 fix: pinning test 1 uses public-API only
(no isinstance against non-runtime-checkable Protocol).
Per v1.2 audit A-1 fix: pinning test 2's forbidden list
includes 8 empirically-verified policy classes including
GitHubWorkflowRepository.
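Added illustration (not code from this repository or from sigstore-python): a minimal Python model of the literal set-membership contract the corrective relies on. The certificate SAN, owner/repo names and issuer are constructed placeholders; `regex_identity_matches` models only what the old `.*` identity implicitly assumed, which sigstore-python's `Identity` does not provide.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertIdentity:
    """Identity fields read from a Fulcio-issued cert (constructed model, not
    sigstore-python's type): URI SAN values plus the OIDC issuer."""
    sans: frozenset
    issuer: str


GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def workflow_identity(owner: str, repo: str, workflow_file: str, ref: str) -> str:
    """Identity string of the same shape the smoke-test job constructs
    (owner/repo here are placeholders)."""
    return f"https://github.com/{owner}/{repo}/.github/workflows/{workflow_file}@{ref}"


def literal_identity_matches(cert: CertIdentity, identity: str, issuer: str) -> bool:
    """Literal set-membership contract: the declared identity must equal one SAN
    exactly and the issuer must match; no pattern interpretation happens."""
    return cert.issuer == issuer and identity in cert.sans


def regex_identity_matches(cert: CertIdentity, pattern: str, issuer: str) -> bool:
    """What the old `.*` identity implicitly assumed. sigstore-python's Identity
    does NOT do this; it is here only for contrast."""
    return cert.issuer == issuer and any(re.fullmatch(pattern, san) for san in cert.sans)


# Constructed sample: the SAN Fulcio would issue for the ci.yml workflow on main.
SAMPLE_CERT = CertIdentity(
    sans=frozenset({workflow_identity("example-org", "example-repo", "ci.yml", "refs/heads/main")}),
    issuer=GITHUB_OIDC_ISSUER,
)


def compare_policies() -> dict:
    """Evaluate the pre-fix (`.*`) and post-fix (`ci.yml`) identities against the sample."""
    before = workflow_identity("example-org", "example-repo", ".*", "refs/heads/main")
    after = workflow_identity("example-org", "example-repo", "ci.yml", "refs/heads/main")
    return {
        "dot_star_under_literal_policy": literal_identity_matches(SAMPLE_CERT, before, GITHUB_OIDC_ISSUER),
        "dot_star_if_regex_were_supported": regex_identity_matches(SAMPLE_CERT, before, GITHUB_OIDC_ISSUER),
        "ci_yml_under_literal_policy": literal_identity_matches(SAMPLE_CERT, after, GITHUB_OIDC_ISSUER),
    }
```

Under the literal policy the `.*` identity is simply a string that is not in the SAN set, which is why the job stayed red until the literal `ci.yml` was declared.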
@BayyinahEnterprise BayyinahEnterprise merged commit 6ad921f into main May 9, 2026
17 checks passed
@BayyinahEnterprise BayyinahEnterprise deleted the phase-g11-0-5-f25-hotfix branch May 9, 2026 03:52