Skip to content

Witnessed journal: chained RFC 3161 release manifests for thesis-facts appends#92

Merged
MaxGhenis merged 2 commits into
codex/thesis-ledger-factsfrom
witnessed-journal
Jul 11, 2026
Merged

Witnessed journal: chained RFC 3161 release manifests for thesis-facts appends#92
MaxGhenis merged 2 commits into
codex/thesis-ledger-factsfrom
witnessed-journal

Conversation

@MaxGhenis

Copy link
Copy Markdown
Contributor

Implements the witnessing layer from the 2026-07-10 architecture review (finding 1, critical: "accepted fact history has no immutable, externally witnessed publication boundary"), in place on this branch per the decision to keep the ledger in the PolicyEngine org.

What this adds

  • Chained release manifests (thesis_ledger_release_v1, under releases/manifests/): each append proposal must carry the next manifest — contiguous index, filename bound to exact file bytes, previousManifestSha256 over the prior manifest file, state bound to the exact JSONL byte prefix + immutable_prefix.json bytes, append block binding the row delta and exact appended byte suffix.
  • Dual RFC 3161 witnessing: FreeTSA + DigiCert receipts over each manifest's bytes, verified fully offline against committed anchors with code-pinned PEM bytes, pinned policy OIDs, and pinned leaf signer certificate + SPKI. Anchors verified against brier's independently pinned SPKI hashes.
  • Gate enforcement (check_thesis_facts_append.py): base release files are byte- and mode-immutable; post-genesis, a ledger append requires exactly the next manifest triple; release-only proposals are refused; the base chain is fully re-verified from materialized base bytes before trusting its head. Pre-genesis proposals without release files stay valid, so nothing in flight breaks before this merges.
  • Push-time detection: ci.yml runs verify_release_chain.py --full on every push to this branch — an unwitnessed or inconsistent direct-push state turns the branch red.
  • Genesis (second commit): witnessed release 0 over the current 143-row state, receipts from both TSAs at 2026-07-11T14:13:40Z. This PR itself passes the new gate's genesis rule.

What this does and does not prove

Third parties can clone and run python3 scripts/verify_release_chain.py --full (Python + OpenSSL only, no network) to verify an append-only witnessed history. Acceptance-time claims become refutable: a row absent from every witnessed state before its first inclusion cannot claim earlier acceptance. This is tamper evidence, not multi-party authorization — see releases/README.md for the full limits (admin bypass detectability, receipt replacement, verifier-in-repo circularity, the need for an external head-manifest checkpoint). Cross-institution governance remains an open institutional decision.

Verification

  • tests/test_release_chain.py (22 cases) + hardened test_thesis_append_adversarial.py: 70 passed, 5 xfail markers documenting deliberate scope limits. Receipt fixtures use a locally minted OpenSSL test TSA; production paths enforce the real pins.
  • Live TSA round-trip validated end to end before this PR (dry run + this genesis).
  • Note: tests/test_arch_bundle.py fails identically on the untouched base tip (stale hardcoded counts, not in CI's whitelist) — pre-existing, tracked separately.

Follow-up (brier side, shipping next): the resolver's append proposals will emit the manifest + receipts, the consumer pin will refuse to advance past an unwitnessed state, and receipt bytes get archived into brier's own witnessed records.

🤖 Generated with Claude Code

MaxGhenis and others added 2 commits July 11, 2026 10:14
Every proposal that appends to ledger/official_observations.jsonl must now
carry the next thesis_ledger_release_v1 manifest and two independently
anchored RFC 3161 receipts (FreeTSA and DigiCert) witnessing the proposed
state. Manifests form an append-only hash chain: contiguous indices,
filename bound to exact file bytes, previousManifestSha256 over the prior
manifest file, state bound to the exact JSONL byte prefix and
immutable_prefix bytes, and an append block binding the row delta and the
exact appended byte suffix. The append gate verifies the whole chain —
including base-chain validity, base release-file byte and mode
immutability, receipt cryptography against committed anchors with
code-pinned PEM bytes, policy OIDs, and leaf signer certificate and SPKI
pins, and genTime chronology — before any merge; CI re-verifies the full
chain on every push to the branch so an unwitnessed direct-push state
turns the branch red. Verification is fully offline
(scripts/verify_release_chain.py --full). Pre-genesis proposals without
release files remain valid until genesis merges.

scripts/cut_release_manifest.py builds the next canonical manifest and
requests both receipts (DigiCert's documented RFC 3161 endpoint is plain
HTTP; tokens are self-authenticating signatures verified against pinned
anchors). Tests mint a local OpenSSL test TSA so receipt verification runs
offline; production anchors were verified against brier's independently
pinned SPKI hashes. releases/README.md documents the schema, the offline
verification procedure, and the security limits honestly: this provides
tamper evidence and third-party verifiable append-only history, not
multi-party authorization — retain an external checkpoint of the head
manifest digest.

Implemented by GPT-5.6 Sol per its own architecture-review finding 1
(minimal fix), reviewed line by line. 70 tests pass (5 xfail markers
document deliberate scope limits).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Cut with scripts/cut_release_manifest.py at 2026-07-11T14:13:39Z; FreeTSA
and DigiCert receipts both attest 2026-07-11T14:13:40Z over the manifest
bytes. verify_release_chain --full passes with production pins.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@MaxGhenis MaxGhenis merged commit 08d1001 into codex/thesis-ledger-facts Jul 11, 2026
3 checks passed
@MaxGhenis MaxGhenis deleted the witnessed-journal branch July 11, 2026 14:18
MaxGhenis added a commit to MaxGhenis/brier that referenced this pull request Jul 11, 2026
The upstream ledger (PolicyEngine/ledger#92) now witnesses every append
with chained RFC 3161 release manifests. This wires brier in as both
producer and verifying consumer.

Proposer: propose_ledger_append builds the next canonical manifest from
the exact trusted base state, requests FreeTSA and DigiCert receipts,
and full-verifies the staged candidate with the vendored production
verifier before any remote ref or PR exists. The base is fetched by
nonrecursive git-object traversal with recomputed tree and blob OIDs;
the proposal is created as an unreferenced commit first; the merge binds
the exact proposal SHA, rechecks the base after the append gate, and
full-verifies the returned merge commit. Any TSA or verification failure
aborts with no visible partial state. Pre-genesis bases propose without
release files (moot now that genesis is merged upstream).

Pin: pin_ledger refuses to advance across any post-genesis commit whose
release inventory is not an immutable prefix of the final chain or whose
head manifest does not witness that same commit's exact JSONL and
immutable-prefix bytes, walking parent SHAs as a linear chain. The final
state runs the full vendored verification with production pins, and the
committed pin gains an additive releaseHead checkpoint (index, manifest
digest, both genTimes). Legacy pins migrate on the next refresh,
including a same-SHA refresh.

Acceptance windows: the availability index now records, per row, the
first witnessed release including it and the last witnessed release
excluding it, with both TSA genTimes copied exactly. A claimed
acceptedAtUtc earlier than the last excluding receipt genTime (minus
skew) fails the refresh — witnessed non-membership makes backdated
acceptance claims refutable. Inclusion receipt times deliberately do NOT
upper-bound acceptance; the fields are named to prevent that misreading.

Witness custody: witness_upstream_ledger archives the exact manifest and
DER receipt bytes with recomputed git OIDs into the TSA-witnessed
custody chain, closing the upstream residual that receipts are not
manifest-hashed and could be silently replaced. verify_witnessed_pin
binds the witnessed bundle to the committed pin, and resolve-and-rebuild
validates that binding before commit and again after rebase.

scripts/ledger_release_chain.py is vendored byte-for-byte from the
upstream verifier (guard: tail -n +3 | cmp). Branch protection on the
upstream thesis-facts branch now also requires strictly up-to-date
branches, closing the residual base-advance window behind the gate.

Implemented by GPT-5.6 Sol (three adversarial self-review passes),
reviewed line by line. 219 tests pass across the pin, resolver,
registration, publication, and witness suites; offline receipt fixtures
mint a local test TSA rather than checking in opaque DER blobs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant