
integrate: cumulative x.klickd supply-chain (PRs #115-#120) #121

Merged: Davincc77 merged 15 commits into main from integration/supply-chain-cumulative on Jun 2, 2026

Conversation

@Davincc77
Owner

Summary

Cumulative integration branch bringing the six independent supply-chain PRs together on one branch for review. Draft — not for merge to main. No release, publish, tag, DOI, external action, or approval is requested or performed.

Integrates (all base main, all merged here with --no-ff, zero conflicts — file sets were disjoint):

Added on this branch

  • .internal-skills/supply-chain/README.md — integration index mapping the four real, tool-backed stages (audit/determinism, logical diff, source/license, threat model) vs planned stages (candidate generation, promotion gate, full PII/secrets scanner, runtime enforcement).
  • MASTER_BRIEF.md — in-repo protocol doc so future agents are not dependent on a missing workspace path. Restates anti-mirage rules, public v4.1 vs internal v4.2 boundary, no-claims / no-external-action rules, and the loaded-skill gate (artifact_loaded and sha256_matches_manifest).

Real vs planned stages

Real (shipped + tested): audit/determinism · logical diff · source/license · threat model.
Planned (specified, not built): candidate generation (runner) · promotion gate · full PII/secrets scanner · runtime enforcement.

Anti-mirage / boundary

  • A pack is "loaded" only when artifact_loaded = true and sha256_matches_manifest = true. Stubs/catalog entries are not loaded skills.
  • Public version claims unchanged: .klickd v4.0.0 GA, x.klickd artefacts as v4.1 candidates. v4.2 is internal-only.
  • Davincc77/klickd-ai untouched.

Test plan

  • New supply-chain tests (#116 "feat(supply-chain): tool-backed audit-trail index + determinism record" through #120 "feat: deterministic supply-chain threat-model generator (v0.1)"): pytest tests/test_supply_chain_audit.py tests/test_supply_chain_diff.py tests/test_supply_chain_sources.py tests/test_supply_chain_threat_model.py → 63 passed.
  • Full tests/: 244 passed (was 181 on main; +63 new).
  • python scripts/verify_xklickd_skill_packs.py → OK (42 packs verified, hash-match manifest).
  • python scripts/validate_v4_1_candidate_mapping.py → OK (49 rows, 42 artefacts).
  • python scripts/validate_v4_schemas.py → all strict-schema validations passed.
  • Forbidden public-v4.2 / codename greps over changed files → clean.
  • Baseline note: nested packages/ / benchmarks/ / examples/ / integrations/ test modules fail collection under root pytest due to pre-existing import-path issues unrelated to this work; scope to tests/ for a clean signal.

Next step

Not public release. Next: build the runner candidate generator + promotion gate (the two highest-leverage planned stages).


🤖 Generated by Computer

klickd agent and others added 14 commits June 2, 2026 11:14
Consolidate the x.klickd skill-pack build process into a single
NON-NORMATIVE spec + operator quickstart. No release, no automation
claim beyond the per-stage tool/manual/planned labels.

- docs/rfcs/chimera/SUPPLY_CHAIN.md: 18-stage pipeline, version
  lineage, rollback/deprecation/approval-revocation, determinism +
  reproducibility, anti-mirage protocol, audit-trail index. Explicit
  claim boundary (no universal standard, no automatic GDPR/EU-AI-Act
  compliance, no proven benchmark superiority; 70-80% is a design
  target, not a guarantee).
- docs/rfcs/chimera/packs/QUICKSTART.md: human-or-agent build/audit
  loop, multi-agent role split, shipped verification commands,
  truth-boundary warning (artifact_loaded + sha256_matches_manifest).
- Pointer links added in RFC-009 §12, chimera/README §6, packs/README §7.

Docs-only. No schema/SDK/package/CI change. No existing claim altered.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ecord

First real automation stage of the x.klickd supply-chain protocol. Adds a
stdlib-only, offline generator that collects the 42 verifiable v4.1 candidate
skill packs (+ manifest), enforces the loaded+sha256_matches_manifest gate, and
writes two re-checkable artefacts:

- .internal-skills/supply-chain/audit/audit_trail_index.json
- .internal-skills/supply-chain/audit/determinism_record.json

deterministic_run_id is derived only from inputs (timestamps quarantined in a
non_deterministic_zone, excluded from every hash), so identical inputs yield an
identical id across runs and hosts. A `check` subcommand verifies on-disk
artefacts are in sync and exits non-zero on drift or on banned-claim/secret
content. validation_results is left empty by design: the generator records but
does not run the validation commands, so it asserts no outcomes it did not
observe (anti-mirage).

Only stages labelled `tool` are automated; everything else stays `planned` /
`partial` / `manual` per the stage_automation map. Not a v4.1 GA release. No
publish/deploy/merge/tag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
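
The loaded-skill gate and the input-only run id described in the PR summary and in the commit message above, as an added Python sketch that is not the project's generator. The pack file names, the manifest layout (file name mapped to sha256), and the rule that a stub is a manifest entry with no bytes on disk are assumptions; the sample packs and timestamps are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate(pack_dir: Path, name: str, expected_sha256: str) -> dict:
    """Both flags must be true before a pack counts as loaded."""
    path = pack_dir / name
    loaded = path.is_file() and path.stat().st_size > 0  # assumption: stub = no bytes on disk
    matches = loaded and sha256_bytes(path.read_bytes()) == expected_sha256
    return {"artifact_loaded": loaded, "sha256_matches_manifest": matches}


def build_record(pack_dir: Path, manifest: dict, generated_at: str) -> dict:
    """Gate every manifest entry, then derive the run id from input-derived fields only."""
    packs = {n: gate(pack_dir, n, manifest[n]) for n in sorted(manifest)}
    hashed = {"manifest": manifest, "packs": packs}
    canonical = json.dumps(hashed, sort_keys=True, separators=(",", ":"))
    return {
        **hashed,
        "deterministic_run_id": sha256_bytes(canonical.encode("utf-8")),
        # Quarantined: the timestamp is never fed into the hash above.
        "non_deterministic_zone": {"generated_at": generated_at},
    }


def demo() -> tuple:
    """Constructed sample: one intact pack, one edited after the manifest, one stub."""
    with tempfile.TemporaryDirectory() as tmp:
        pack_dir = Path(tmp)
        good = b'{"skill": "alpha"}'
        (pack_dir / "alpha.json").write_bytes(good)
        (pack_dir / "beta.json").write_bytes(b'{"skill": "beta", "edited": true}')
        manifest = {
            "alpha.json": sha256_bytes(good),
            "beta.json": sha256_bytes(b'{"skill": "beta"}'),
            "gamma.json": sha256_bytes(b'{"skill": "gamma"}'),  # catalog entry, no file
        }
        first = build_record(pack_dir, manifest, "2026-06-02T11:14:00Z")
        second = build_record(pack_dir, manifest, "2026-06-02T12:23:00Z")
    return first, second


if __name__ == "__main__":
    a, b = demo()
    print(json.dumps(a["packs"], indent=2))
    print("same run id:", a["deterministic_run_id"] == b["deterministic_run_id"])
```

Only `alpha.json` passes both flags; the edited pack and the catalog-only entry are reported as not loaded, and the run id is unchanged between the two timestamps.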
…ndidates

Add the logical-diff stage of the x.klickd skill/pack supply chain: a
deterministic, offline CLI that compares a previous candidate (--before)
against a new one (--after) and classifies governance/guardrail/memory/
evidence/claim/public-boundary changes rather than raw JSON lines.

Hard-fails (exit 1) on guardrail lowering, claim-boundary violations, or
public/private-boundary violations; exit 0 when no blocking finding. The
deterministic_diff_id is a sha256 over input hashes + sorted findings, clock-
and host-independent. Stdlib only, no network.

Adds 10 before/after fixtures and 17 tests covering each blocking and
non-blocking class plus determinism and CLI exit codes. Operator README under
.internal-skills/supply-chain/diff/.

No claim of full end-to-end automation; downstream stages remain planned.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
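
A logical diff of the kind the commit message above describes, as an added Python sketch that is not the project's CLI. The `guardrails` map, its level names and strictness order, and the finding class names are hypothetical; the candidates are constructed, and the inputs are hashed as canonical JSON rather than as files on disk.

```python
import hashlib
import json

# Assumed strictness order for a hypothetical "guardrails" map (not the project's schema).
STRICTNESS = {"off": 0, "warn": 1, "human_approval": 2, "deny": 3}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def classify(before: dict, after: dict) -> list:
    """Compare guardrail levels by meaning; removal or an unknown level fails closed."""
    old, new = before.get("guardrails", {}), after.get("guardrails", {})
    findings = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o == n:
            continue
        lowered = n not in STRICTNESS or (o in STRICTNESS and STRICTNESS[n] < STRICTNESS[o])
        findings.append({"class": "guardrail_lowered" if lowered else "guardrail_raised",
                         "field": name, "before": o, "after": n, "blocking": lowered})
    return findings


def logical_diff(before: dict, after: dict) -> dict:
    """Diff id covers input hashes plus sorted findings: no clock, no host data."""
    findings = sorted(classify(before, after), key=canonical)
    id_input = {"before_sha256": hashlib.sha256(canonical(before)).hexdigest(),
                "after_sha256": hashlib.sha256(canonical(after)).hexdigest(),
                "findings": findings}
    return {"findings": findings,
            "deterministic_diff_id": hashlib.sha256(canonical(id_input)).hexdigest(),
            "exit_code": 1 if any(f["blocking"] for f in findings) else 0}


# Constructed candidates: AFTER weakens one guardrail and tightens another.
BEFORE = {"id": "pack-a", "guardrails": {"external_action": "human_approval", "memory_write": "warn"}}
AFTER = {"id": "pack-a", "guardrails": {"external_action": "warn", "memory_write": "deny"}}
# Same content as BEFORE with different key order: a raw line diff would differ.
REORDERED = {"guardrails": {"memory_write": "warn", "external_action": "human_approval"}, "id": "pack-a"}

if __name__ == "__main__":
    report = logical_diff(BEFORE, AFTER)
    print(json.dumps(report, indent=2))
    raise SystemExit(report["exit_code"])
```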
Implements pipeline steps 11 (license check) and 12 (source freshness)
as a real, stdlib-only, offline CLI that triages skill/candidate source
manifests. Classifies licenses (allowed/review/blocked/unknown) and
freshness (fresh/review/stale/missing_date) for internal review, verifies
local-file hashes, flags missing/non-https URLs, and emits a deterministic
JSON report. Exits non-zero on blocking findings.

Internal triage only: no legal advice, no compliance claim, no network I/O,
no candidate generation. Independent of PRs #115/#116/#117.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…blic)

Internal documentation only, ahead of internal production. Adds
docs/internal/INTERNAL_SKILL_V4_2_MAPPING.md + README capturing the
validated v4.2 mapping corrections:

- governance_system detailed and symmetric with memory_system
- supply_chain renamed conceptually to skill_lifecycle (no completeness claim)
- output_contract wired to context_graph via graph_bindings
- harmonised competency/domain naming (primary/secondary_domain_competencies,
  domain_risk_profile, domain_output_requirements, competency_core)
- explicit interactions layer + canonical end-to-end flow

Non-normative, no release. Public .klickd stays v4.0.0 GA; the 42 x.klickd
artefacts remain v4.1 candidates. No tag/DOI/package/schema/SDK change, no
public v4.2 claim, no artefact modified. Internal track name kept out of
public surfaces.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add scripts/generate_supply_chain_threat_model.py: an offline, stdlib-only,
deterministic static analyser for x.klickd candidate manifests. Classifies
declared threats across 11 categories (authority_escalation, human_veto_bypass,
tool_boundary_violation, memory_poisoning, private_public_leak,
evidence_weakening, unsourced_claim, unsafe_external_action,
irreversible_action, compliance_overclaim,
stale_or_unlicensed_source_dependency), emits required mitigations, and blocks
(exit 1) on unmitigated high/critical findings.

Adds 7 candidate fixtures, a 14-case pytest suite, and an internal/draft doc.
NON-NORMATIVE: not a security certification, no GDPR/EU AI Act compliance
claim, no benchmark/universal-standard claim, no release. Public artefacts
remain v4.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… gate (v0.1)

Adds the next two tool-backed supply-chain stages on top of the cumulative
integration branch, both NON-NORMATIVE and internal-only:

- scripts/generate_supply_chain_candidate.py: config-only build_request ->
  candidate skill in the internal v4.2 target shape. Deterministic ids derived
  only from input bytes; missing domain info -> requires_human_premium_pass
  (never hallucinated); sources only from build_request/source_manifest.
- scripts/run_supply_chain_promotion_gate.py: orchestrates threat-model,
  source/license, logical-diff, candidate-shape, and forbidden-claim /
  public-private boundary tripwires. Classifies ACCEPT / ACCEPT_WITH_REVIEW /
  BLOCK (exit 0/0/1, 2 usage). Reports — never runs — the premium pass;
  not_run checks recorded honestly.

Tests: 39 new (deterministic repeatability, anti-mirage premium-pass, blocked
candidate, clean accept, forbidden-claim/leak/over-claim blocks). Full suite
283 passed. Example candidate + gate report checked in. ACTION_LOG added;
README integration index updated (stages moved planned -> tool-backed with
literal scope notes).

No release/tag/DOI/publish/deploy. No merge to main. Public stays v4.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
feat(supply-chain): candidate generator + combined promotion gate (v0.1)
Davincc77 marked this pull request as ready for review June 2, 2026 12:23
Davincc77 merged commit 47d244c into main Jun 2, 2026
3 checks passed
Davincc77 added a commit that referenced this pull request Jun 2, 2026
…gration-merge

chore(internal): log #121/#122 integration merge in supply-chain ACTION_LOG