Skip to content

Add verifiable maintainer and evidence surfaces#3

Merged
ashishki merged 3 commits into
masterfrom
agent/maintainer-evidence-surface
Jul 13, 2026
Merged

Add verifiable maintainer and evidence surfaces#3
ashishki merged 3 commits into
masterfrom
agent/maintainer-evidence-surface

Conversation

@ashishki

@ashishki ashishki commented Jul 13, 2026

Copy link
Copy Markdown
Owner

What changed

  • add a bounded SECURITY policy with an available private email path and explicit supported scope
  • record that GitHub private vulnerability reporting is currently disabled; the issue picker routes to the policy instead of an unavailable advisory form
  • add a reproducible-defect issue form while disabling blank/generic roadmap intake
  • document the code/test-backed human approval path
  • add a readable SVG preview of Eval Lab v0.2.0's canonical failed gdev challenge
  • bind the renderer to the pinned manifest, raw-summary digests, content address, and candidate revision
  • show all five failed challenge thresholds one-for-one; keep the 32% reconciled pass rate explicitly separate as a diagnostic aggregate
  • link the new surfaces from README and the evidence index
  • add focused documentation/provenance contracts and a local verification receipt

Why

The portfolio audit calls for maintainer intake and component-native visuals without expanding gdev-agent into a hosted-product claim. The failed Eval result should be visible while retaining exact raw provenance and local/synthetic limitations.

Impact

This is a maintainer/documentation/evidence tranche. It does not change application behavior, relax eval thresholds, claim a new quality result, or claim production use. The SVG is historical negative evidence for gdev-agent revision 0e4c5f0fd50382bbf12ffd35cfca4632384fb0cc.

Validation

  • exact head: 5ca5e42936262dc8cfd44c56ee0c60c420b72741
  • GitHub Actions run 29268613714: success
  • Tests + Lint: success, including Ruff, format, full tests, and eval regression gate
  • Compose RLS + Demo: success
  • local full suite: 312 passed, 45 warnings
  • isolated local Compose proof passed role flags, 16-table FORCE RLS, tenant read isolation, and cross-tenant write rejection
  • deterministic health/auth/webhook/pending/approval/metrics demo completed
  • Eval preview renderer --check passed against the pinned v0.2.0 package
  • deliberately tampered challenge-run.json was rejected by its manifest digest
  • isolated Compose containers, volumes, and network were removed after verification

Independent review

Read-only exact-head review found two issues and both were fixed in separate commits:

  1. GitHub private vulnerability reporting is disabled, so the unavailable direct advisory path was replaced with the working policy/email path.
  2. The first SVG omitted the failed human-review-count threshold; the final SVG displays all five failed thresholds and labels the reconciled pass rate as a separate diagnostic aggregate.

Final reviewer verdict: no remaining blockers or actionable findings.

Residual limits: private intake depends on the published maintainer email; Eval Lab's annotated tag is unsigned but commit/hash/content-address pinned; challenge evidence is historical local/synthetic and self-authored rather than an independent blind holdout.

@ashishki ashishki marked this pull request as ready for review July 13, 2026 17:04
@ashishki ashishki merged commit f47068d into master Jul 13, 2026
3 checks passed
@ashishki ashishki deleted the agent/maintainer-evidence-surface branch July 13, 2026 17:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant