Skip to content

feat(tally): add resilient truth-layer integration#28

Open
lamemustafa wants to merge 17 commits into
masterfrom
tapish-codex/feat/tally-truth-layer
Open

feat(tally): add resilient truth-layer integration#28
lamemustafa wants to merge 17 commits into
masterfrom
tapish-codex/feat/tally-truth-layer

Conversation

@lamemustafa

@lamemustafa lamemustafa commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Functional summary

Bridge now has a local-first Tally Truth Layer with explicit capability truth states, company-bound read authority, encrypted mirror storage, adaptive/resumable Core Accounting snapshots, reconciliation proofs and gap maps, incremental policy foundations, a privacy-reduced operator console, portable read/runtime/protocol crates, synthetic qualification, and fail-closed compatibility claims.

The implementation is intentionally honest about current evidence: all 11 compatibility cells remain unknown; no live write behavior or unsupported product/profile claim is inferred without reviewed authority.

Review closure

All 25 Codex inline findings are fixed, replied to, and resolved. The final multi-agent authority audit is also clean after f1fe337, which adds:

  • durable, replayable clock-rollback evidence for attempt begin/abandon/complete and run completion;
  • additive migration 12 with exact column/trigger admission checks;
  • a deterministic 100,000-record aggregate reconciliation budget before hydration;
  • compact hash-bound CommitPending proof recovery for already-committed lost acknowledgments;
  • fail-closed compatibility behavior where live execution emits no Unsupported claim and fabricated Unsupported receipts cannot seal;
  • method-routed connector test servers so GET health probes cannot shift POST XML fixtures;
  • stack-bounded pending proof storage without changing serialized proof/checksum semantics.

Validation

Final local Windows evidence for commit f1fe337e3b73dc9c223ff0141c9010d6c057dc02:

  • cargo fmt --all -- --check
  • cargo test --locked --workspace: 196/196 root tests plus every workspace integration and doc test passed
  • cargo clippy --locked --workspace --all-targets -- -D warnings
  • pnpm run build: 3/3 frontend transition tests, TypeScript, and Vite production build passed
  • pnpm run tally:live-read-boundary: sealed across 122 normal packages
  • pnpm run license:all: 5 frontend and 369 Rust locked components reconciled
  • compatibility gate: unknown_claims=11:evidenced_claims=0
  • support-matrix markdown verification passed
  • committed-archive compatibility gate passed after Git LF normalization
  • final compatibility surface: 3af3def7be6ebf2c34c081fd7c8b886db7c65d6bee6b4de219fb6192a989f212

Final-head GitHub Windows/macOS CI and dependency review are monitored below; merge remains blocked until required checks and the requested Codex review are clean.

Migration and rollback impact

  • Database migrations are additive and transactional through schema version 12; migration 12 adds one nullable, allowlisted terminal clock-evidence column and two integrity triggers.
  • Snapshot recovery remains fail-closed. More than 100,000 aggregate staged records terminalizes without checkpoint advance or unbounded hydration.
  • Existing legacy pending rows without exact compact proof are never allowed to overwrite committed authority.
  • No destructive migration is introduced.
  • Rollback: restore the prior application version and retain the encrypted database for forward recovery; do not delete mirror/proof state. Migration 12's additive column/triggers do not rewrite source or customer records.

Security impact

  • Tally remains loopback-only, proxy-free, bounded, serialised, company-scoped, and read-only in compatibility qualification.
  • SQLCipher/keyring storage, immutable receipts, exact checkpoint CAS, redacted safe reason codes, and bounded response/record handling remain enforced.
  • Generic Tally STATUS=0, fixture/context/sentinel/parser/malformed-response, and transport failures remain Failed; they cannot become product incompatibility claims.
  • No secrets, raw source records, customer data, local usernames, or developer-specific paths are added.
  • DSC/credential behavior is unchanged by the final review-fix commit.

Completed review checklist

Copy link
Copy Markdown
Owner Author

@codex review

Please review this Tally/DSC change set with special attention to credential zeroization, endpoint validation, durable snapshot recovery, exact proof/count binding, migration compatibility, and truthful live-support claims.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 208273e762

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/crates/bridge-tally-canonical/src/lib.rs Outdated
Comment thread src-tauri/src/sync/snapshot.rs
Comment thread src-tauri/src/db/encrypted.rs Outdated
Comment thread src-tauri/src/sync/snapshot.rs
Comment thread src-tauri/src/tally/connector.rs Outdated
Comment thread src-tauri/src/db/tally_mirror.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6d1e4271e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/main.tsx
Comment thread src-tauri/crates/bridge-tally-qualification/src/main.rs Outdated
Comment thread src-tauri/src/sync/snapshot.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7324b0e7d3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/src/tally/connector.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1ee600aa8a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/src/tally/connector.rs Outdated
Comment thread src-tauri/crates/bridge-tally-protocol/src/lib.rs Outdated

Copy link
Copy Markdown
Owner Author

@codex review

Please review latest head 969027b after all twelve prior findings were fixed and resolved. Focus especially on Core canary eligibility with derived-but-bound entry IDs, GUID case canonicalization at company and record levels, lease/process-lock recovery, proof/count commitments, and whether any truthful-support or restart path remains blocked.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 969027bda7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/src/tally/connector.rs Outdated
Comment thread src-tauri/src/tally/connector.rs
Comment thread src-tauri/src/tally/connector.rs Outdated
Comment thread src-tauri/src/sync/snapshot.rs Outdated

Copy link
Copy Markdown
Owner Author

@codex review

Latest head is now f03dbf7. The only change after 969027b is a repository LF policy plus compatibility hashes resealed from committed LF bytes; an extracted core.autocrlf=false archive passes the executable gate. Please treat this as the final latest-head review.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f03dbf7b33

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/main.tsx Outdated

Copy link
Copy Markdown
Owner Author

@codex review

Please review exact head 2d3572327b3390ebd64a51cc081e48dcb3dad01b. All seventeen prior findings have implementation replies and are resolved. Focus especially on the stable Unknown + Observed + sealed_profile_executed Core start predicate across command/engine boundaries, post-start canary re-fetching, checkpoint CAS-loss terminalization and restart behavior, case-insensitive GUID scope binding, and automatic probe-drop cleanup of every company-scoped UI/request state. Report only concrete remaining correctness, security, reliability, or truth-claim defects.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d3572327b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/main.tsx Outdated
Comment thread src-tauri/src/tally/connector.rs
Comment thread src-tauri/src/db/tally_mirror.rs
Comment thread src-tauri/src/sync/snapshot.rs Outdated

Copy link
Copy Markdown
Owner Author

@codex review

Please review exact head fd820b90b8b3ce41d9781f24fd66a804dcc3973b. All twenty-one prior Codex findings are resolved with evidence; two additional adversarial-audit gaps were also fixed before this push. Focus on cross-flow lifecycle authority: ordered old-scope cleanup before installing fresh review state, uncached snapshot probes that preserve setup-review cache, company discovery after that single-use cache is consumed, exact sealed Core restart evidence, and exactly-one live GUID validation before any canary export plus the engine TOCTOU recheck. Report only concrete remaining P0-P2 correctness, security, reliability, or truth-claim defects.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd820b90b8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/src/tally/connector.rs

Copy link
Copy Markdown
Owner Author

@codex review

Please review exact head d61ee20. All twenty-two prior Codex findings are resolved with implementation evidence. The only change since the last reviewed head preserves company_identity_not_found and company_identity_ambiguous through durable state/proof/receipt mapping while retaining generic redaction for unknown source-supplied codes. Re-check the full lifecycle authority flow and report only concrete remaining P0-P2 correctness, security, reliability, or truth-claim defects.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d61ee20f78

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src-tauri/src/sync/snapshot.rs
Comment thread src-tauri/src/sync/snapshot.rs
Comment thread src-tauri/crates/bridge-tally-compatibility/src/lib.rs Outdated

Copy link
Copy Markdown
Owner Author

@codex review

Please review exact head f1fe337e3b73dc9c223ff0141c9010d6c057dc02. All prior inline threads are resolved. Focus especially on migration-12 clock evidence replay, aggregate pre-hydration bounds/committed lost-ack recovery, and the intentionally unavailable Unsupported compatibility authority.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f1fe337e3b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +2361 to +2362
terminal_safe_reason_code = CASE WHEN started_at_unix_ms > ?1 \
THEN 'local_clock_moved_backwards' ELSE NULL END \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Replay rollback evidence before sealing terminal proof

When attempt creation succeeds but the durable state-ref save is lost, and the wall clock subsequently moves behind the attempt start while remaining after the overall run start, an early restart exit such as cancellation or a capability failure builds its terminal proof before this update discovers the rollback. The update persists local_clock_moved_backwards, but commit_batch returns no such evidence to the already-built proof, and the now-terminal state is never resumed to replay it, so the proof incorrectly omits the clock-integrity gap. Recover or abandon owner-bound open attempts before preparing any terminal decision, or otherwise incorporate this detected reason into the proof being committed.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant