security: T-4 decision-ledger hash chain + STRIDE claim/evidence CI gate#40
Merged
Conversation
…gate Follow-through on the verification audit (per maintainer: build T-4, add the claim<->test gate, keep the framework). T-4 — decision ledger now has a real tamper-evident chain: - Every LedgerEntry carries previousHash, chained from GENESIS; the head is bootstrapped from disk in initialize() so appends keep chaining across restarts. - New streaming verifyChain() (readline, no OOM) fails closed on content tampering, deletion, OR reordering, reporting the breaking index. - Legacy pre-chain entries (no previousHash) stay verifiable: their per-entry hash is still checked, the link check resumes from them. - STRIDE T-4 corrected ❌ → ✅ 2026-05-18 (now genuinely implemented). Claim/evidence gate (scripts/check-stride-claims.mjs, npm run check:stride, wired into security.yml): - Every STRIDE table finding must have a manifest entry. - A ✅ finding must be test-backed (attack-path test that references the id) or explicitly audit-attested with a code anchor. - A non-✅ finding must declare resolved:false — doc and manifest cannot silently diverge (the gate already caught one such drift on T-4). This structurally prevents the D-6 class of "marked done, not built". Full suite 126/126; gate PASS. https://claude.ai/code/session_01ArAvRMiZgCwF5oNj3r94Ap
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #39 (merged: STRIDE audit truth-up + E-5/T-5 fixes). That PR was merged before this final commit landed, so this PR carries the remaining two pieces the audit called for: build T-4 and add the claim/evidence CI gate. Single commit, clean on top of merged
main.T-4 — decision-ledger tamper-evident hash chain (was ❌ aspirational → now ✅)
The decision ledger previously had per-entry hashes only, so deleting or reordering entries was undetectable — a real hole in a non-repudiation/compliance-critical artifact.
LedgerEntrynow carriespreviousHash, chained fromGENESIS.verifyChain()(readline, no OOM — consistent with D-4) fails closed on content tampering, deletion, or reordering, reporting the breaking index.initialize()so appends keep chaining across restarts.previousHash) remain verifiable: per-entry hash still checked, chain resumes from them — no migration needed.docs/STRIDE.mdT-4 corrected ❌ → ✅ 2026-05-18.Structural fix — STRIDE claim/evidence CI gate
scripts/check-stride-claims.mjs(npm run check:stride, wired intosecurity.yml):✅finding must be test-backed (an attack-path test that references the id) or explicitly audit-attested with a code anchor.✅finding must declareresolved:false— the doc and the manifest cannot silently diverge.This is the durable fix for the D-6 class of "marked done, not built." It already caught a real drift during development (T-4 left ❌ in the doc after being implemented → gate failed until reconciled).
Test plan
npm test— 126/126, 10 suitesnpm run check:stride— PASS (29 findings: 4 test-backed, 19 audit-attested debt, 6 not-resolved)decision-ledger-chain— clean-verify, content tamper, deletion, reorder, legacy back-compatmain; typecheck clean (only the pre-existing stale non-testtests/security/model-guard.tserrors remain, untouched)