From bead581317fdf3a61a25cf66ca0ea3506fd0cdc4 Mon Sep 17 00:00:00 2001 From: Haining Yin Date: Fri, 3 Jul 2026 09:54:32 +0200 Subject: [PATCH] feat(compliance): add batch_manifest_hash to RolloutProvenance Wire batch_manifest_hash through buildRolloutRecord() so individual rollout records can reference their parent EvidenceManifest's content hash, enabling EU AI Act Art. 19 verifiable evidence chains. Closes #2 Co-Authored-By: Claude Opus 4.6 --- apps/worker/src/trajectoryExport.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apps/worker/src/trajectoryExport.ts b/apps/worker/src/trajectoryExport.ts index 981652c..faf6a65 100644 --- a/apps/worker/src/trajectoryExport.ts +++ b/apps/worker/src/trajectoryExport.ts @@ -53,6 +53,8 @@ export interface RolloutProvenance { schema_version: "rollout-wire/v1"; evidence_source: "client_reported"; redaction_version: "bscode/pii-redact/v1"; + /** SHA-256 of the full redacted JSONL batch (from EvidenceManifest.content_hash). */ + batch_manifest_hash?: string; } // ── AEP re-exports (for consumers that import from trajectoryExport) ────────── @@ -107,6 +109,7 @@ export function buildRolloutRecord(opts: { buildResult: BuildResultSnapshot | null; toolCallSequence?: ToolCallEvent[]; finalAnswer?: string; + batchManifestHash?: string; }): RolloutWireRecord { const { jobId, @@ -116,6 +119,7 @@ export function buildRolloutRecord(opts: { buildResult, toolCallSequence = [], finalAnswer = "", + batchManifestHash, } = opts; // Strict binary encoding: 'success' → 1, any failure → 0, no-build → 0 with status=unknown. @@ -146,6 +150,7 @@ export function buildRolloutRecord(opts: { schema_version: "rollout-wire/v1", evidence_source: "client_reported", redaction_version: "bscode/pii-redact/v1", + ...(batchManifestHash ? { batch_manifest_hash: batchManifestHash } : {}), }, }; validateRolloutRecord(record);