feat: supply-chain source freshness + license check stage #118
Merged
1 commit merged into Jun 2, 2026
Implements pipeline steps 11 (license check) and 12 (source freshness) as a real, stdlib-only, offline CLI that triages skill/candidate source manifests. Classifies licenses (allowed/review/blocked/unknown) and freshness (fresh/review/stale/missing_date) for internal review, verifies local-file hashes, flags missing/non-https URLs, and emits a deterministic JSON report. Exits non-zero on blocking findings. Internal triage only: no legal advice, no compliance claim, no network I/O, no candidate generation. Independent of PRs #115/#116/#117. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Implements a real source freshness + license compatibility check for skill/candidate input manifests — pipeline steps 11 (license check) and 12 (source freshness) of the documented supply chain. Independent PR on main; does not depend on or merge #115/#116/#117.

- scripts/check_supply_chain_sources.py — stdlib-only, offline CLI. Parses a source manifest, classifies each source's license (allowed/review/blocked/unknown) and freshness (fresh/review/stale/missing_date), flags missing/non-https URLs, verifies local-file sha256 when referenced, emits a deterministic JSON report. Exit 0 / 1 (blocking) / 2 (usage).
- .internal-skills/supply-chain/source-check/ — operator README + example manifest.
- tests/test_supply_chain_sources.py — 22 tests with fixtures.

Claim boundaries (preserved)
Internal triage only. No legal advice, no compliance claim, no network I/O, no candidate generation, no codename leak, no banned public claims. Sources without clear origin are flagged/blocked, never silently accepted (anti-mirage).
Determinism
deterministic_report_id = sha256 over manifest hash + sorted normalized findings. Same --manifest + --eval-date -> identical id, clock-independent; evaluated_at/age_days live in non_deterministic_zone, excluded from the id.

Testing

- pytest tests/test_supply_chain_sources.py — 22 passed
- verify_xklickd_skill_packs.py verify — 42 verified, exit 0
- validate_v4_1_candidate_mapping.py — 49 rows / 42 artefacts, exit 0

No merge / release / publish / deploy / tag / DOI / communication.
klickd-ai untouched. Agent does not approve PRs.
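The following is an added, stand-alone illustration of the triage and determinism scheme the PR describes (license and freshness classification against an explicit --eval-date, URL and local sha256 flags, and a report id computed as sha256 over the manifest hash plus the sorted, normalized findings with the non_deterministic_zone stripped). It is not scripts/check_supply_chain_sources.py, and the license tables, age thresholds, blocking rule, function names and sample manifest are all assumptions made for this example; the real script's values are not shown in the PR.

```python
import hashlib
import json
from datetime import date, datetime, timezone
from urllib.parse import urlparse

# Policy tables and thresholds are ASSUMPTIONS for this example only.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW_LICENSES = {"GPL-3.0-only", "LGPL-3.0-only", "MPL-2.0"}
BLOCKED_LICENSES = {"SSPL-1.0", "Proprietary"}
FRESH_MAX_DAYS = 365    # age <= this: fresh
REVIEW_MAX_DAYS = 730   # age <= this: review; older: stale


def classify_license(spdx):
    """allowed / review / blocked / unknown. Empty or unlisted ids are never 'allowed'."""
    if not spdx:
        return "unknown"
    if spdx in ALLOWED_LICENSES:
        return "allowed"
    if spdx in REVIEW_LICENSES:
        return "review"
    if spdx in BLOCKED_LICENSES:
        return "blocked"
    return "unknown"


def classify_freshness(last_updated, eval_date):
    """(label, age_days) computed against the explicit eval date, never the wall clock."""
    if not last_updated:
        return "missing_date", None
    age = (eval_date - date.fromisoformat(last_updated)).days
    if age <= FRESH_MAX_DAYS:
        return "fresh", age
    if age <= REVIEW_MAX_DAYS:
        return "review", age
    return "stale", age


def url_flag(url):
    if not url:
        return "missing_url"
    return None if urlparse(url).scheme == "https" else "non_https_url"


def local_hash_flag(entry, local_files):
    """Check a referenced local file against its declared sha256; local_files maps path -> bytes."""
    path = entry.get("local_path")
    if not path:
        return None
    data = local_files.get(path)
    if data is None:
        return "local_file_missing"
    return None if hashlib.sha256(data).hexdigest() == entry.get("sha256") else "sha256_mismatch"


def triage(manifest_bytes, eval_date_iso, local_files):
    manifest = json.loads(manifest_bytes)
    eval_date = date.fromisoformat(eval_date_iso)
    manifest_sha256 = hashlib.sha256(manifest_bytes).hexdigest()
    findings = []
    for src in manifest["sources"]:
        freshness, age = classify_freshness(src.get("last_updated"), eval_date)
        flags = sorted(f for f in (url_flag(src.get("url")), local_hash_flag(src, local_files)) if f)
        findings.append({
            "name": src["name"],
            "license": classify_license(src.get("license")),
            "freshness": freshness,
            "flags": flags,
            "non_deterministic_zone": {"age_days": age},  # excluded from the id
        })
    # Normalize: drop the non-deterministic zone, sort by name, canonical JSON encoding.
    normalized = sorted(
        ({k: v for k, v in f.items() if k != "non_deterministic_zone"} for f in findings),
        key=lambda f: f["name"],
    )
    h = hashlib.sha256()
    h.update(manifest_sha256.encode("ascii"))
    h.update(json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    # Blocking rule is an ASSUMPTION: blocked license, stale source, or any flag,
    # so a source without a clear origin is never silently accepted.
    blocking = any(f["license"] == "blocked" or f["freshness"] == "stale" or f["flags"] for f in findings)
    return {
        "deterministic_report_id": h.hexdigest(),
        "manifest_sha256": manifest_sha256,
        "findings": findings,
        "non_deterministic_zone": {"evaluated_at": datetime.now(timezone.utc).isoformat()},
        "exit_code": 1 if blocking else 0,
    }


# Constructed sample manifest and local file for this example (not real sources).
LOCAL_FILES = {"vendor/c.tar.gz": b"constructed archive bytes"}
SAMPLE_MANIFEST = json.dumps({"sources": [
    {"name": "pkg-a", "license": "MIT", "url": "https://example.org/a", "last_updated": "2026-01-15"},
    {"name": "pkg-b", "license": "SSPL-1.0", "url": "http://example.org/b", "last_updated": "2023-01-01"},
    {"name": "pkg-c", "license": None, "url": "https://example.org/c", "local_path": "vendor/c.tar.gz",
     "sha256": hashlib.sha256(LOCAL_FILES["vendor/c.tar.gz"]).hexdigest()},
]}, sort_keys=True).encode("utf-8")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, "2026-06-02", LOCAL_FILES), indent=2))
```

Running the block twice with the same manifest bytes and the same eval date yields the same deterministic_report_id even though evaluated_at differs, while changing the eval date so that a source crosses a freshness threshold changes the id, which is the property the Determinism section claims. Hashing the raw manifest bytes (rather than the parsed object) means any byte-level edit to the manifest, including whitespace, changes the id; that is the stricter choice for an audit artefact.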