Add repository external reference pin guard#425

Open · KoiosSG wants to merge 12 commits into SCIBASE-AI:main from KoiosSG:repository-external-reference-pins-10

Conversation

KoiosSG commented May 28, 2026

/claim #10

## Summary

  • Adds repository-external-reference-pin-guard/, a focused issue #10 Project Repository & Version Control slice.
  • Validates repository releases and export bundles that depend on Git submodules, linked datasets, API snapshots, model weights, or external code/data references.
  • Blocks DOI publication/export when references are floating, authenticated-only, stale, future-dated, missing verification evidence, invalid placeholder checksum or DOI evidence, or missing checksum/parseable DOI/non-floating immutable version evidence.
  • Blocks malformed supplied checksum/DOI metadata even when another durable identifier is present, preventing poisoned integrity or citation fields from slipping into export packets.
  • Stages metadata-only revision when immutable references still lack license or attribution metadata.
  • Emits deterministic JSON, Markdown, SVG, and MP4 reviewer artifacts with SHA-256 audit digests.

## Hardening Updates

  • Malformed object-shaped references manifests now emit MALFORMED_REFERENCE_MANIFEST blockers plus repair_reference_manifest:* actions instead of being treated as clean empty audits.
  • Invalid checksum placeholders such as pending no longer count as durable identifier or API snapshot evidence.
  • Invalid DOI placeholders such as pending no longer count as durable identifier evidence for linked datasets or model weights.
  • Truncated SHA checksum values such as sha256:abcdef no longer count as API snapshot evidence; checksum validation now requires algorithm-specific hex lengths.
  • Malformed checksum/DOI fields now emit explicit evidence-repair blockers even when another durable identifier is valid.
  • All-zero Git commit placeholders are now rejected as unpinned Git references instead of being accepted as immutable release evidence.
  • Floating version aliases such as latest, main, stable, and nightly no longer satisfy durable identifier requirements unless the reference also has checksum or DOI evidence.
  • Future-dated verification timestamps are treated as stale evidence requiring refresh.
  • Future-dated API snapshots do not count as pinned snapshot evidence.
  • Otherwise pinned references without verification timestamps now block release until verification evidence is refreshed.

## Non-overlap

This is scoped to immutable external reference pins and exportable citation evidence for submodules, linked datasets, API sources, model weights, and external code/data pointers. It does not duplicate the broad repository ledger, release engine, structured diff/rollback, provenance attestation, release embargo, notebook replay, schema migration, citation impact, API/export verifier, merge queue, environment drift, access review, DOI tombstone, metadata readiness, branch hypothesis lineage, sensitive-artifact, dependency-license, legal-hold, component-owner approval, restore rehearsal, compute sandbox, or semantic version-tag slices.

## Validation

  • Wrote failing tests first. Latest red regression failed before implementation with release_repository_references instead of hold_repository_release for a packet carrying truncated checksum evidence and a placeholder DOI while other identifiers were valid.
  • Added explicit INVALID_CHECKSUM_EVIDENCE and INVALID_DOI_EVIDENCE blockers plus repair_reference_evidence:* actions.
  • npm test from repository-external-reference-pin-guard passed: 13 tests.
  • npm run check from repository-external-reference-pin-guard passed: JS syntax checks and Python compile check.
  • npm run demo regenerated deterministic JSON/Markdown/SVG reviewer artifacts with expected blocked/clean/warning statuses.
  • npm run video regenerated reports/demo.mp4.
  • ffprobe verified repository-external-reference-pin-guard/reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 53,699 bytes.
  • Parsed all JSON reviewer reports successfully; blocked/clean/warning packets reported 7/0/2 findings with SHA-256 audit digests.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Sensitive-term scan of repository-external-reference-pin-guard returned no matches.
  • GitHub PR merge state after push: CLEAN.
  • Added a red regression for object-shaped reference manifests; before the fix it returned release_repository_references instead of hold_repository_release.
  • npm test from repository-external-reference-pin-guard passed: 15 tests.
  • npm run check, npm run demo, and npm run video passed after the manifest hardening.
  • Parsed all JSON reviewer reports successfully; malformed-manifest-packet.json reports hold_repository_release, one MALFORMED_REFERENCE_MANIFEST finding, and digest cd76d8b327ff.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 68,232 bytes.
  • git diff --check, git diff --cached --check, allowlist staging, and restricted-string scan passed.

## Safety

Synthetic data only. No external repositories, live APIs, DOI registries, object stores, credentials, private research data, identity providers, payment systems, or private services are contacted. AI-assisted with OpenAI Codex; I reviewed and locally verified the diff before submitting.
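The release-gate rules listed in the PR summary above, and restated one at a time in the follow-up comments (truncated checksums, placeholder DOIs, the all-zero commit SHA, floating version aliases, missing or future-dated verification, malformed entries and object-shaped manifests), as one added JavaScript example. This is illustrative code written for this page, not the PR's module: the finding codes, decision strings and field names come from the PR text, while the helper names, the MISSING_DURABLE_IDENTIFIER code and the fixture are assumptions.

```javascript
// Added illustration, not the PR's module: the gate rules described in this PR applied to a
// constructed manifest. Codes/fields come from the PR text; MISSING_DURABLE_IDENTIFIER and helper names are assumed.
const HEX_LENGTHS = { sha256: 64, sha384: 96, sha512: 128 };
const FLOATING_ALIASES = new Set(["latest", "main", "stable", "nightly"]);
const NULL_SHA = "0".repeat(40); // Git's null object id: a sentinel, not a commit

// "sha256:abcdef" fails: the hex digest must have the algorithm's full length.
function validChecksum(value) {
  if (typeof value !== "string") return false;
  const m = /^(sha256|sha384|sha512):([0-9a-f]+)$/i.exec(value);
  return m !== null && m[2].length === HEX_LENGTHS[m[1].toLowerCase()];
}
// Placeholder text such as "pending" is not a parseable DOI (10.<prefix>/<suffix>).
function validDoi(value) {
  return typeof value === "string" && /^10\.\d{4,9}\/\S+$/.test(value);
}
function pinnedCommit(value) {
  return typeof value === "string" && /^[0-9a-f]{40}$/.test(value) && value !== NULL_SHA;
}

function assessReference(ref, assessedAt) {
  if (ref === null || typeof ref !== "object" || Array.isArray(ref)) {
    return { findings: ["MALFORMED_REFERENCE_ENTRY"] }; // neither crash nor vanish from the packet
  }
  const findings = [];
  // Supplied-but-malformed fields block even when other evidence is valid.
  if ("commit" in ref && !pinnedCommit(ref.commit)) findings.push("FLOATING_GIT_REFERENCE");
  if ("checksum" in ref && !validChecksum(ref.checksum)) findings.push("INVALID_CHECKSUM_EVIDENCE");
  if ("doi" in ref && !validDoi(ref.doi)) findings.push("INVALID_DOI_EVIDENCE");
  // A floating alias alone never satisfies the durable identifier requirement.
  const immutableVersion = typeof ref.version === "string" && ref.version !== "" &&
    !FLOATING_ALIASES.has(ref.version.toLowerCase());
  if (!(pinnedCommit(ref.commit) || validChecksum(ref.checksum) || validDoi(ref.doi) || immutableVersion)) {
    findings.push("MISSING_DURABLE_IDENTIFIER"); // assumed code name
  }
  // Freshness is checked only for otherwise pinned references; a missing or future-dated timestamp is stale.
  if (findings.length === 0) {
    const verified = Date.parse(ref.lastVerifiedAt);
    if (Number.isNaN(verified) || verified > assessedAt.getTime()) findings.push("STALE_REFERENCE_EVIDENCE");
  }
  return { id: ref.id, findings };
}
function assessManifest(manifest, assessedAt) {
  if (!Array.isArray(manifest)) { // an object-shaped manifest is not an empty clean audit
    return { decision: "hold_repository_release", findings: ["MALFORMED_REFERENCE_MANIFEST"], references: [] };
  }
  const references = manifest.map((ref) => assessReference(ref, assessedAt));
  const hold = references.some((r) => r.findings.length > 0);
  return { decision: hold ? "hold_repository_release" : "release_repository_references", references };
}

// Constructed fixture: clean, truncated checksum + placeholder DOI, null SHA, alias, future date, null entry.
const SAMPLE_MANIFEST = [
  { id: "dataset-a", checksum: "sha256:" + "ab".repeat(32), doi: "10.1234/example.1", lastVerifiedAt: "2026-05-20T00:00:00Z" },
  { id: "dataset-b", checksum: "sha256:abcdef", doi: "pending", version: "2.1.0", lastVerifiedAt: "2026-05-20T00:00:00Z" },
  { id: "submodule-c", commit: NULL_SHA, lastVerifiedAt: "2026-05-20T00:00:00Z" },
  { id: "weights-d", version: "latest", lastVerifiedAt: "2026-05-20T00:00:00Z" },
  { id: "api-e", checksum: "sha512:" + "0".repeat(128), lastVerifiedAt: "2027-01-01T00:00:00Z" },
  null,
];
console.log(JSON.stringify(assessManifest(SAMPLE_MANIFEST, new Date("2026-05-29T00:00:00Z")), null, 2));
```

Only dataset-a passes; dataset-b reproduces the PR's red regression (valid version, but truncated checksum and placeholder DOI still block), and the trailing null entry shows the malformed-entry path instead of a TypeError.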

KoiosSG (Author) commented May 28, 2026

@algora-pbc /claim #10 #425

Claim indexing follow-up: PR #425 is open, non-draft, CLEAN, and has a top-level /claim #10 line in the PR body. It adds the distinct repository external reference pinning guard for submodules, linked datasets, API sources, model weights, and external code/data references before DOI/citation publication or export bundle release.

KoiosSG (Author) commented May 28, 2026

Hardening update pushed in 0445f37: floating version aliases such as latest, main, stable, and nightly no longer satisfy durable identifier requirements unless the reference also has checksum or DOI evidence. I added a regression that failed before the fix with release_repository_references == hold_repository_release and now passes. Validation refreshed locally: npm test (4 tests), npm run demo, npm run video, npm run check, ffprobe on demo.mp4, git diff --check, and sensitive-term scan returned no matches.

KoiosSG (Author) commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed:

  • Added a regression for future-dated external-reference verification evidence.
  • Treat lastVerifiedAt values later than the repository assessment time as stale verification evidence requiring refresh before DOI/export release.
  • Updated README and requirements map so the release contract explicitly covers future-dated verification evidence.

Why this matters:

Validation:

  • Confirmed the new regression failed before the implementation: future-dated verification evidence incorrectly produced release_repository_references instead of hold_repository_release.
  • npm test -> 5 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> generated blocked/clean/warning packets with expected statuses.
  • npm run video -> demo video generation passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; the only messages were Git line-ending normalization warnings on Windows.
  • Sensitive-term scan of the code/test/docs patch found no payout or credential strings.

KoiosSG (Author) commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 0026dde:

  • Added a regression for future-dated API snapshot evidence.
  • API source snapshots now only count as pinned evidence when the snapshot date is parseable and not later than the repository assessment time.
  • Updated README, acceptance notes, and requirements map so DOI/export readiness explicitly requires non-future API snapshot dates, not just non-empty snapshot strings.

Validation:

  • Confirmed the new regression failed before the implementation: the future API snapshot incorrectly produced release_repository_references instead of hold_repository_release.
  • npm test -> 6 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> generated blocked/clean/warning packets with expected statuses.
  • npm run video -> demo video generation passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan of the assistant returned no payout or credential strings.

KoiosSG (Author) commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 3c09dce:

  • Added a regression for an otherwise pinned linked dataset that has checksum, DOI, license, and attribution evidence but no verification timestamp.
  • Such references now block DOI/export release with STALE_REFERENCE_EVIDENCE until verification evidence is refreshed.
  • The missing-verification check avoids piling redundant findings onto references already blocked by floating/auth/durable-ID failures.
  • README, requirements map, and acceptance notes now explicitly cover present verification evidence, not just non-stale/non-future evidence.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 7 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.
  • GitHub PR merge state after push: CLEAN.

KoiosSG (Author) commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 99ff7a8:

  • Added a regression for Git references pinned to the all-zero null object SHA (0000000000000000000000000000000000000000).
  • The guard now rejects that placeholder as FLOATING_GIT_REFERENCE instead of treating it as immutable release evidence.
  • README, acceptance notes, and requirements map now document that null Git placeholders are not valid pins.

Why this matters:

  • A 40-character hex string is not enough for release-grade external reference pinning; the all-zero SHA is a sentinel/null value, not a concrete commit reviewers can reproduce.
  • This keeps the DOI/export release gate stricter without broadening PR #425 (Add repository external reference pin guard) beyond its existing external-reference pinning scope.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 8 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 7.5s.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.

KoiosSG (Author) commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in c3d3811:

  • Added regressions for invalid checksum placeholders on linked datasets and API snapshots.
  • checksum: "pending" no longer counts as durable identifier evidence for datasets or pinned snapshot evidence for API sources.
  • The risky sample fixture now exercises the invalid-checksum path, and README/requirements/acceptance notes document parseable checksum evidence.

Why this matters:

Validation refreshed locally:

  • Confirmed the dataset regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 10 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

KoiosSG (Author) commented May 30, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 5e54fa4:

  • Added a regression for truncated API snapshot checksum evidence such as sha256:abcdef.
  • Checksum validation now requires algorithm-specific hex lengths for sha256, sha384, and sha512, so short placeholder-like hashes no longer satisfy DOI/export release gates.
  • Clean synthetic fixtures now use full-length SHA evidence, and README, requirements map, and acceptance notes document the stricter checksum contract.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 11 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check passed; only Windows line-ending normalization warnings appeared.
  • Sensitive-term scan returned no payout, credential, or token strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

KoiosSG (Author) commented May 30, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 00969a1:

  • Added a regression for linked datasets that use placeholder DOI text such as pending as their only durable identifier evidence.
  • DOI evidence now has to be parseable; placeholder strings no longer satisfy DOI/export release gates.
  • The risky synthetic fixture now exercises the invalid-DOI path, and README/requirements/acceptance notes document parseable DOI evidence.

Why this matters:

  • DOI evidence is part of the same release-grade integrity contract as checksums and immutable versions. A non-empty DOI field should not let a repository export or DOI publication proceed when it only contains placeholder text.
  • This keeps PR #425 (Add repository external reference pin guard) focused on external-reference pinning while tightening an evidence path competitors could leave soft.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 12 repository external reference pin guard tests passed.
  • npm run demo, npm run video, and npm run check passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 53,699 bytes.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Sensitive-term scan returned no payout, credential, or token strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.

KoiosSG (Author) commented May 30, 2026

Hardening update pushed in 601cbf0.

This closes a release-gate gap where malformed checksum or DOI fields could be ignored when another durable identifier was valid. The guard now emits explicit INVALID_CHECKSUM_EVIDENCE / INVALID_DOI_EVIDENCE blockers and repair_reference_evidence:* actions so poisoned integrity or citation metadata cannot ship in DOI/export packets.

Fresh validation from repository-external-reference-pin-guard/:

  • npm test passed: 13 tests, including the new red/green regression.
  • npm run check passed.
  • npm run demo regenerated JSON/Markdown/SVG reviewer artifacts; blocked packet now reports 7 findings with digest 0cb0a30094df....
  • npm run video regenerated reports/demo.mp4; ffprobe verified H.264, 1280x720, 24 fps, 7.5s, 53,699 bytes.
  • Parsed all report JSON successfully.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Restricted-term scan of the module returned no matches.

This remains non-overlapping with #407: #425 focuses on immutable external reference/citation evidence for release and export bundles, while #407 covers component-owner approval quorum.

KoiosSG (Author) commented May 30, 2026

Pushed an additional hardening commit: 30fb0dc.

What changed:

  • Malformed external-reference entries now produce MALFORMED_REFERENCE_ENTRY blockers and repair_reference_entry:* actions instead of crashing assessment or disappearing from reviewer packets.
  • The malformed-entry path forces conservative trust signals (immutablePins, exportable, attributionComplete, verificationFresh) to false until the reference entry is repaired.
  • Added reports/malformed-packet.json and updated generated Markdown/SVG/video/docs to cover this release-blocking path.

Fresh verification:

  • Latest regression failed before implementation with TypeError: Cannot read properties of null (reading 'checksum').
  • npm test passed: 14 tests.
  • npm run check, npm run demo, and npm run video passed.
  • All 4 generated JSON packets parsed successfully.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 59,343 bytes.
  • git diff --check / git diff --cached --check passed; sensitive-term scan found no matches.

KoiosSG (Author) commented May 31, 2026

Pushed a focused hardening commit for the reference manifest edge case: 287a41d now blocks object-shaped references manifests as MALFORMED_REFERENCE_MANIFEST instead of allowing them as an empty clean audit.

Fresh verification from repository-external-reference-pin-guard/: npm test (15 tests), npm run check, npm run demo, npm run video, JSON parse checks including malformed-manifest-packet.json, ffprobe on reports/demo.mp4 (H.264 1280x720, 24 fps, 7.5s), git diff --check, git diff --cached --check, allowlist staging, and restricted-string scan all passed.
