feat(#189): empirical substrate-independence proof — non-CSV transport_table + real ProposalSink parity + Part 11 gate-totality note #196
Merged
…ansport_table + real ProposalSink parity (#189 P0)

The ADR-019/027 substrate-independence claim was unfalsified: port_tests' proposal_sink_conformance was an empty `// TODO` stub and no parity suite existed, so "git/Dolt interchangeable behind the gate" had never run.

- port_tests: fill proposal_sink_conformance with real contract assertions (submit→well-formed ProposalRef, status round-trip, exhaustive status).
- port_tests: add proposal_sink_parity (ADR-027 Tier 3), re-scoped per the spike #189 distributed-data review to *post-merge state equivalence on cleanly-applying inputs* + accept/reject agreement — full-trace parity is unachievable across git line-merge vs relational cell-merge.
- crates/transport_table: a deliberately non-CSV in-memory ProposalSink (relational row map), the parity partner. Building it surfaced 3 CSV/git leaks in the "substrate-neutral" contract: mandatory ProposalRef.url, HeaderChange.file = "registry.csv", and row→container routing absent from the Diff. All documented inline + on #189.
- parity test: real GithubPrProposalSink (recording HTTP fake) vs TableSink agree on a clean add/bind/void corpus AND on rejecting a registry delete.

Result: substrate-independence now empirically demonstrated, not asserted. Full workspace `cargo test` green.

Refs #189
…rtify (Part 11/ALCOA/IEC 62366)

Distills the spike's compliance review: 'validate the gate, not the tool' is true for output integrity but cannot cover e-signature meaning/binding (§11.50/70/200), ALCOA contemporaneousness of offline edits (gate sees merge-time only), or valid-but-wrong/use-error (IEC 62366). Each gap gets a concrete control; reframes the slogan so gate-totality isn't oversold to an auditor.

Refs #189
…+ column-clear

Two fresh-agent reviews of the shipped proof found the corpus dodged two genuine divergence points:

- leak #3 (row→container routing absent from Diff): a print-log-shaped row routes to print_log.csv in the CSV adapter but to the single table in TableSink. Added a test asserting this *known* substrate-visible divergence (kept out of proposal_sink_parity, which would correctly reject it). Follow-up: routing belongs in the Diff, not classify_row.
- empty-'after' column-clear: substrates differ byte-wise (remove vs empty cell) but must agree at the logical level — now pinned.

Refs #189
Closes the P0 of the #189 architecture spike, and dogfoods the gate it's about.
What & why
ADR-019/027 assert the proposal gate is substrate-independent (git today, Dolt later, behind one `ProposalSink` contract). On inspection the proof was a `// TODO`: `port_tests::proposal_sink_conformance` was an empty stub and no parity suite existed, so the claim had never run. In a Part 11 context where "we validated the gate" is the load-bearing sentence, that's the most expensive untested assumption in the repo.

Changes

- `crates/port_tests`: real `proposal_sink_conformance` assertions; new `proposal_sink_parity` (ADR-027 Tier 3), re-scoped to post-merge state equivalence on cleanly-applying inputs + accept/reject agreement (full-trace parity is unachievable across git line-merge vs relational cell-merge — to be ratified in ADR-027 via Ratify ADR-027 Tier-3 parity re-scope + fill Tier-2/Tier-4 stubs (#189 follow-up) #190).
- `crates/transport_table` (new): a deliberately non-CSV in-memory `ProposalSink` (relational row map). Building it surfaced 3 contract leaks (mandatory `ProposalRef.url`; `HeaderChange.file = "registry.csv"`; row→container routing absent from `Diff`), documented inline + in Contract leaks: container routing into the Diff + optional ProposalRef.url (#189 follow-up) #192.
- `GithubPrProposalSink` (recording HTTP fake) vs `TableSink` agree on a clean add/bind/void/clear corpus and on rejecting an illegal delete; a dedicated test documents leak #3 as a known substrate-visible divergence.
- `decisions/NOTE-189-…`: Part 11 / ALCOA / IEC 62366 liability fence — what the gate structurally cannot certify, with concrete controls (Part 11 / ALCOA / GAMP 5 controls per NOTE-189 (#189 follow-up) #195).

Reviews
Two rounds of fresh-agent review (5 design + 2 code). The code reviewers confirmed the proof is genuine (real submit path, independently-written apply logic, faithful fake) — not theater. Their findings (routing-leak blind spot, column-clear gap) are actioned in 639ff44.

Verdicts

Full workspace `cargo test` green.

🤖 Generated with Claude Code
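
The re-scoped parity check described in this PR (same accept/reject verdict per operation, same post-merge logical state, with a cleared column kept as an empty cell in one substrate and removed in the other), as an added Rust example that is not code from this repository. `Op`, `CellSink`, `RowSink` and `parity` are hypothetical names, and the two toy sinks stand in for the real adapters; the corpus in `main` is constructed.

```rust
use std::collections::BTreeMap;
// Hypothetical names throughout; this is not the project's ProposalSink API.
enum Op {
    Set(&'static str, &'static str, &'static str), // (row, column, after); "" clears
    Delete(&'static str),
}
type Logical = BTreeMap<String, BTreeMap<String, String>>;
#[derive(Default)] struct CellSink(Vec<(String, String, String)>); // cleared cell stays ""
#[derive(Default)] struct RowSink(Logical); // cleared column is removed from the row

impl CellSink {
    fn apply(&mut self, op: &Op) -> Result<(), String> {
        let Op::Set(id, col, after) = op else { return Err("delete rejected".into()) };
        self.0.retain(|(i, c, _)| !(i.as_str() == *id && c.as_str() == *col));
        self.0.push((id.to_string(), col.to_string(), after.to_string()));
        Ok(())
    }
    fn logical(&self) -> Logical {
        let mut out = Logical::new();
        for (i, c, v) in self.0.iter().filter(|(_, _, v)| !v.is_empty()) {
            out.entry(i.clone()).or_default().insert(c.clone(), v.clone());
        }
        out
    }
}
impl RowSink {
    fn apply(&mut self, op: &Op) -> Result<(), String> {
        let Op::Set(id, col, after) = op else { return Err("delete rejected".into()) };
        let row = self.0.entry(id.to_string()).or_default();
        if after.is_empty() { row.remove(*col); } else { row.insert(col.to_string(), after.to_string()); }
        Ok(())
    }
    fn logical(&self) -> Logical {
        self.0.iter().filter(|(_, r)| !r.is_empty()).map(|(k, r)| (k.clone(), r.clone())).collect()
    }
}

// Parity as scoped in the description: same verdict per op, same logical end state.
fn parity(corpus: &[Op]) -> Result<Logical, String> {
    let (mut a, mut b) = (CellSink::default(), RowSink::default());
    for (n, op) in corpus.iter().enumerate() {
        if a.apply(op).is_ok() != b.apply(op).is_ok() { return Err(format!("op {n}: verdicts differ")); }
    }
    if a.logical() != b.logical() { return Err("post-merge state diverged".into()); }
    Ok(a.logical())
}
fn main() {
    let corpus = [Op::Set("R1", "owner", "lab-a"), Op::Set("R1", "note", "x"), Op::Set("R1", "note", ""), Op::Delete("R1")];
    println!("{:?}", parity(&corpus));
}
```

Comparing the raw `CellSink` and `RowSink` contents directly would fail on the cleared `note` column, which is why the comparison runs on the normalized logical view.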