fix(workflow): non-forgeable irrecoverable auth, merger consumer, exact-scope cleanup (#709)

Address formal review 434 REQUEST_CHANGES on PR #710:
- F1: replace caller operator_authorized with server-side HMAC auth artifacts
- F2: implement fail-closed merger consumption for prior-provenance only
- F3: enforce remote/org/repo/head on cross-profile load and clear

Co-Authored-By: Grok 4.5 (xAI) <[email protected]>
This commit is contained in:
2026-07-14 01:36:39 -04:00
co-authored by Grok 4.5
parent ec5cf67771
commit 9cb12ee0f4
6 changed files with 2730 additions and 336 deletions
+56 -30
View File
@@ -570,13 +570,52 @@ def build_irrecoverable_provenance_record(
actor_username: str | None,
profile_name: str | None,
reason: str,
incident_ref: str | None,
operator_authorized: bool,
incident_ref: str | None = None,
# Deprecated kwargs retained only so stale call sites fail closed:
operator_authorized: bool | None = None,
# Required for merger-acceptable records (#709 F1):
authorization: dict[str, Any] | None = None,
incident_issue: int | None = None,
incident_comment_id: int | None = None,
destroyed_subject: str | None = None,
historical_provenance_subject: str | None = None,
) -> dict[str, Any]:
"""Truthful absence-of-proof record (#709 AC5). Never sets applied=True."""
"""Truthful absence-of-proof record (#709 AC5). Never sets applied=True.
Caller-supplied ``operator_authorized`` is **ignored** as authorization
evidence (review 434 F1). Prefer
:func:`irrecoverable_provenance.build_irrecoverable_provenance_record`
with a verified server-side authorization artifact.
"""
# Explicitly ignore deprecated self-assertable Boolean.
_ = operator_authorized
if authorization is not None and incident_issue is not None and incident_comment_id is not None:
from irrecoverable_provenance import (
build_irrecoverable_provenance_record as _build,
)
return _build(
pr_number=int(pr_number),
head_sha=str(head_sha or ""),
remote=str(remote or ""),
org=str(org or ""),
repo=str(repo or ""),
actor_username=actor_username,
profile_name=profile_name,
reason=reason,
incident_issue=int(incident_issue),
incident_comment_id=int(incident_comment_id),
authorization=authorization,
destroyed_subject=destroyed_subject,
historical_provenance_subject=historical_provenance_subject
or destroyed_subject,
)
# Fail-closed skeleton when no server authorization is supplied: never
# sets merger_may_accept True (even if operator_authorized was True).
return {
"event": "irrecoverable_decision_lock_provenance",
"status": "provenance_irrecoverable",
"record_type": "irrecoverable_decision_provenance",
"operator_recovery_required": True,
"issue_ref": "#709",
"recovery_critical": True,
@@ -592,40 +631,27 @@ def build_irrecoverable_provenance_record(
"profile_name": profile_name,
"reason": reason,
"incident_ref": incident_ref,
"operator_authorized": bool(operator_authorized),
"merger_may_accept": bool(operator_authorized),
"incident_issue": incident_issue,
"incident_comment_id": incident_comment_id,
"authorization_verified": False,
"merger_may_accept": False,
"acceptance_rule": (
"Merger may accept this record only when operator_authorized=true, "
"repository/PR/head match the live target, the record is durable "
"and read back, and no conflicting terminal lock remains for a "
"different PR/head. This does not prove historical cleanup."
"Merger may accept this record only when a server-side "
"authorization artifact verifies for remote/org/repo/PR/exact "
"head/incident, the record is durable and read back, and normal "
"merge gates still pass. Caller Booleans never authorize. This "
"does not prove historical cleanup."
),
}
def format_irrecoverable_audit_comment(record: dict[str, Any]) -> str:
"""Markdown body for irrecoverable provenance audit (no applied=true claim)."""
lines = [
"## Irrecoverable decision-lock provenance (#709)",
"",
"Status: **PROVENANCE_IRRECOVERABLE** (not applied cleanup)",
"",
f"- actor: `{record.get('actor_username')}`",
f"- profile: `{record.get('profile_name')}`",
f"- timestamp: `{record.get('timestamp')}`",
f"- PR: `#{record.get('pr_number')}`",
f"- head_sha: `{record.get('head_sha')}`",
f"- incident_ref: `{record.get('incident_ref')}`",
f"- operator_authorized: `{record.get('operator_authorized')}`",
f"- historical_cleanup_proven: `{record.get('historical_cleanup_proven')}`",
f"- applied: `{record.get('applied')}` (must remain false)",
"",
f"Reason: {record.get('reason')}",
"",
"This record documents **absence of proof**, not successful cleanup.",
"It must not be reused for a different PR or head (#709 AC6).",
]
return "\n".join(lines)
from irrecoverable_provenance import (
format_irrecoverable_audit_comment as _fmt,
)
return _fmt(record)
def format_post_merge_recovery_comment(record: dict[str, Any]) -> str: