[codex] evidence provenance fabric #10
Merged
…verned change
Adversarial review found a confirmed cross-SDK divergence: the governed-change occurredAt was parsed three different ways for a timezone-naive timestamp (Python -> UTC, TypeScript -> host-LOCAL/non-deterministic, Go -> rejected). occurredAt is hashed evidence, so the same governed change recorded via different SDKs produced different hashes or a hard error.
- TypeScript (governed-change.ts): a timezone-naive ISO string is interpreted as UTC (append Z), never host-local; Date inputs unchanged.
- Go (governed_change.go): fall back to a naive layout parsed as UTC instead of rejecting offset-less timestamps.
- Python (governed_change.py): raise the same typed "occurredAt must be a valid date" error instead of leaking the stdlib ValueError text; update the test that pinned that leaky message.
All three now produce byte-identical output for naive / offset / Z inputs (... -> 2026-06-23T10:18:00.000Z) and the identical typed error for invalid input, verified by a 3-language reproduction.
Also import mongodb lazily in the storage live-databases test (the eager top-level import crashes bson under Bun), matching the fix already on the stacked PR so this branch's gate is green standalone.
bun run verify: green (TS/Python/Go SDKs, storage, adapters, server, cli).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
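The normalization rule the commit message above describes, as an added Python example (not the project's governed_change.py): naive, offset and Z inputs for the same instant collapse to one string before hashing, and invalid input raises only the typed message. The function names, the `changeId` field and the sorted-key JSON used as a stand-in for canonical JSON are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

TYPED_ERROR = "occurredAt must be a valid date"  # message quoted in the commit text


def normalize_occurred_at(value):
    """Return occurredAt as UTC, millisecond precision, trailing Z."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError(TYPED_ERROR)
    text = value.strip()
    if text[-1] in "zZ":  # older fromisoformat() versions reject a literal Z
        text = text[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(text)
        if parsed.tzinfo is None:
            # Naive input is defined as UTC, never the host's local zone.
            parsed = parsed.replace(tzinfo=timezone.utc)
        utc = parsed.astimezone(timezone.utc)
    except (ValueError, OverflowError):
        # Fail with the typed message only; do not leak stdlib parser text.
        raise ValueError(TYPED_ERROR) from None
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def evidence_hash(change_id, occurred_at):
    """Hash a constructed record; sorted compact JSON stands in for canonical JSON."""
    record = {"changeId": change_id, "occurredAt": normalize_occurred_at(occurred_at)}
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(payload.encode("utf-8")).hexdigest()


# Constructed inputs: the same instant written naive, with an offset, and with Z.
SAMPLES = ["2026-06-23T10:18:00", "2026-06-23T12:18:00+02:00", "2026-06-23T10:18:00Z"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", normalize_occurred_at(sample), evidence_hash("chg-1", sample))
```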
Summary
This PR implements the evidence provenance fabric slice in the OSS Veritio repo. The problem was that Veritio had strong audit records and graph edges, but no portable commit-level manifest tying heterogeneous evidence records into a verifiable batch, and the examples/workbench did not yet demonstrate governed changes end to end across SDKs, storage, browser UI, Docker examples, and hosted ingest/read proof.
The effect on users was a product gap: they could see isolated audit rows or graph edges, but not a clear proof path from a governed application change through SDK-generated evidence, local verification, example runtime behavior, and production hosted visibility. That made the proof of concept look like local seed data rather than a real application flow.
Root Cause
The root cause was that the protocol lacked an EvidenceCommit primitive and the examples were not wired as first-class evidence producers. Storage and Workbench code could verify event and edge chains, but could not record a stable commit manifest for a group of records. The browser examples also needed production-like smoke coverage so changes could be validated as an integrated user-visible workflow rather than only as unit tests.
Changes
This PR adds a language-neutral EvidenceCommit schema and conformance fixture, then implements matching create/hash/verify behavior in TypeScript, Python, and Go. The commit algorithm uses canonical JSON, sha256-qualified member hashes, ordered member indexes, duplicate rejection, commit hash-chain verification, and fail-closed behavior for malformed manifests.
It adds governed-change helpers across TypeScript, Python, and Go so examples can derive audit records, revision evidence, and graph relations from a declared change. It extends the file evidence store and local Workbench/server with batch recording, commit listing, commit verification, export support, HTTP routes, and MCP tools. The Workbench UI now exposes a denser evidence surface with events, changes, commits, graph summary, verification status, export files, and browser-tested responsive behavior.
It upgrades the Next.js, FastAPI, and Gin examples so CRUD and governed lifecycle scenarios generate real SDK evidence. The Docker examples now verify audit, edge, and commit chains after exercising their HTTP routes. Browser smoke scripts cover the Next.js governed-change flow and the local Workbench on desktop and mobile Chromium.
It also documents the split-repo routing and updates public OSS docs around architecture, AI integration, release checks, examples, and repository boundaries.
Validation
Verified locally after the commit with:
bun run verify:split
Earlier in the same rollout, the exact implemented tree was also verified with:
bun run verify
bun run verify:examples:browser
bun run verify:examples:docker
Production proof was run against https://console.getveritio.com after deploying veritio-cloud version 118f7a01-8b74-4e7d-9db2-6acfd67d35e3. Using real production scoped keys, I ingested evidence generated by the Dockerized FastAPI and Gin governed CRUD examples. Each example generated 11 audit records, 13 edge records, and 4 local EvidenceCommit records with all local verifiers returning ok: true; the hosted ingest accepted the generated audit and edge records, and the hosted read API/dashboard showed the resulting production evidence rows.
One hosted gap remains intentionally outside this OSS PR: Veritio Cloud currently ingests and displays audit records and graph edges, but does not yet expose EvidenceCommit ingest/list UI as a first-class hosted surface. The OSS protocol and local storage/workbench pieces are ready for that follow-up.
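The commit-manifest properties listed under Changes (sha256-qualified member hashes, ordered member indexes, duplicate rejection, hash-chain verification, fail-closed handling of malformed manifests), as an added Python example that is not Veritio's EvidenceCommit schema or SDK code. The field names `members`, `index`, `hash`, `previousCommitHash` and `commitHash` are hypothetical, and sorted-key compact JSON stands in for the project's canonical JSON.

```python
import hashlib
import json
import re

HASH_RE = re.compile(r"sha256:[0-9a-f]{64}")


def qualified_hash(obj):
    """sha256-qualified hash over sorted, compact JSON (stand-in canonical form)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return "sha256:" + hashlib.sha256(data.encode("utf-8")).hexdigest()


def create_commit(records, previous_hash=None):
    """Build a manifest with ordered member indexes; reject duplicate members."""
    hashes = [qualified_hash(r) for r in records]
    if len(set(hashes)) != len(hashes):
        raise ValueError("duplicate member record")
    body = {"previousCommitHash": previous_hash,
            "members": [{"index": i, "hash": h} for i, h in enumerate(hashes)]}
    return {**body, "commitHash": qualified_hash(body)}


def verify_chain(commits):
    """Return True only if every manifest is well formed and correctly linked."""
    previous = None
    try:
        for commit in commits:
            members = commit["members"]
            hashes = [m["hash"] for m in members]
            if [m["index"] for m in members] != list(range(len(members))):
                return False  # indexes must be 0..n-1 in order
            if not all(isinstance(h, str) and HASH_RE.fullmatch(h) for h in hashes):
                return False  # every member hash must be sha256-qualified
            if len(set(hashes)) != len(hashes):
                return False  # duplicate member
            if commit["previousCommitHash"] != previous:
                return False  # broken link to the preceding commit
            body = {"previousCommitHash": previous, "members": members}
            if commit["commitHash"] != qualified_hash(body):
                return False  # manifest contents do not match its hash
            previous = commit["commitHash"]
    except (KeyError, TypeError, ValueError):
        return False  # malformed manifest: fail closed
    return True


# Constructed sample records standing in for audit and edge evidence.
AUDIT = {"kind": "audit", "action": "update", "occurredAt": "2026-06-23T10:18:00.000Z"}
EDGE = {"kind": "edge", "from": "change:1", "to": "revision:2"}
```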