Skip to content

feat(supply-chain): candidate generator + combined promotion gate (v0.1)#122

Merged
Davincc77 merged 1 commit into
integration/supply-chain-cumulativefrom
feat/supply-chain-runner-gate
Jun 2, 2026
Merged

feat(supply-chain): candidate generator + combined promotion gate (v0.1)#122
Davincc77 merged 1 commit into
integration/supply-chain-cumulativefrom
feat/supply-chain-runner-gate

Conversation

@Davincc77
Copy link
Copy Markdown
Owner

@Davincc77 Davincc77 commented Jun 2, 2026

Summary

Stacked on integration/supply-chain-cumulative (PR #121). Implements the next two planned supply-chain stages as real, tool-backed, NON-NORMATIVE, internal-only automation:

  1. Candidate generatorscripts/generate_supply_chain_candidate.py

    • Input: config-only build_request JSON (inline sources and/or referenced source_manifest).
    • Output: candidate skill in the internal v4.2 target shape (all 13 layers: metadata, competency_architecture, memory_system, governance_system, memory_governance, runtime, context_graph, interactions, evidence, security, audit, skill_lifecycle, output_contract) → .internal-skills/supply-chain/candidates/ or --out.
    • 7 foundation + 12 transversal competency anchors; harmonized domain names; skill_lifecycle (not supply_chain); output_contract.graph_bindings; canonical interactions flow.
    • Deterministic: candidate_id/candidate_hash/run_id derived only from canonical input bytes. No clock in the hashed core.
    • Anti-mirage: missing domain info → requires_human_premium_pass with named gaps, never hallucinated. Sources come only from the build_request/source_manifest.

  2. Combined promotion gatescripts/run_supply_chain_promotion_gate.py

    • Orchestrates threat-model (always), source/license (--source-manifest), logical diff (--before), candidate shape checks, and forbidden-claim / public-private boundary tripwires.
    • Classifies ACCEPT / ACCEPT_WITH_REVIEW / BLOCK. Exit 0 acceptable, 1 BLOCK, 2 usage. deterministic_gate_id excludes the clock.
    • Reports whether a human premium pass is required — does not run it. not_run checks recorded with a reason, never as pass. No compliance/security/benchmark claim.

Example artefacts checked in: candidates/xklickd-research-reader.json, promotion-gate/xklickd-research-reader.gate.{json,md}. ACTION_LOG.md added; README integration index updated (stages moved planned → tool-backed with literal scope notes).

Claim boundaries (read literally)

  • Emitting the v4.2 shape is NOT a supply-chain completeness claim; a generated candidate is NOT a loaded executable skill (still requires artifact_loaded AND sha256_matches_manifest).
  • No universal standard, no automatic GDPR/EU AI Act compliance, no benchmark superiority.
  • Public artefacts remain v4.1; v4.2 is internal target only. No release/tag/DOI/publish/deploy. No merge to main. Davincc77/klickd-ai untouched.

Testing

  • pytest tests/test_supply_chain_candidate.py tests/test_supply_chain_promotion_gate.py → 39 passed
  • Full supply-chain suite (feat(supply-chain): tool-backed audit-trail index + determinism record #116feat: deterministic supply-chain threat-model generator (v0.1) #120 + new) → 102 passed
  • pytest tests/ → 283 passed (1 unrelated jsonschema DeprecationWarning), 0 failures
  • verify_xklickd_skill_packs.py verify, validate_v4_schemas.py, validate_v4_1_candidate_mapping.py → all rc 0
  • Forbidden-claims / codename grep over committed artefacts → CLEAN; internal track name only inside internal_target
  • Determinism: identical input → identical candidate_id/gate_id; gate_id stable across --eval-date
  • Block paths verified: forbidden claim, codename leak, private→public leak, public-v4.2 over-claim, missing v4.2 layer, completeness claim

🤖 Generated with Claude Code

@claude
feat(supply-chain): internal candidate generator + combined promotion…
c075037 
… gate (v0.1)

Adds the next two tool-backed supply-chain stages on top of the cumulative
integration branch, both NON-NORMATIVE and internal-only:

- scripts/generate_supply_chain_candidate.py: config-only build_request ->
  candidate skill in the internal v4.2 target shape. Deterministic ids derived
  only from input bytes; missing domain info -> requires_human_premium_pass
  (never hallucinated); sources only from build_request/source_manifest.
- scripts/run_supply_chain_promotion_gate.py: orchestrates threat-model,
  source/license, logical-diff, candidate-shape, and forbidden-claim /
  public-private boundary tripwires. Classifies ACCEPT / ACCEPT_WITH_REVIEW /
  BLOCK (exit 0/0/1, 2 usage). Reports — never runs — the premium pass;
  not_run checks recorded honestly.

Tests: 39 new (deterministic repeatability, anti-mirage premium-pass, blocked
candidate, clean accept, forbidden-claim/leak/over-claim blocks). Full suite
283 passed. Example candidate + gate report checked in. ACTION_LOG added;
README integration index updated (stages moved planned -> tool-backed with
literal scope notes).

No release/tag/DOI/publish/deploy. No merge to main. Public stays v4.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Davincc77 Davincc77 merged commit c6ac907 into integration/supply-chain-cumulative Jun 2, 2026
@Davincc77 Davincc77 mentioned this pull request Jun 2, 2026
Merged
Davincc77 added a commit that referenced this pull request Jun 2, 2026
@Davincc77
Merge pull request #123 from Davincc77/chore/internal-action-log-inte…
760db13 
…gration-merge

chore(internal): log #121/#122 integration merge in supply-chain ACTION_LOG
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Davincc77