Witnessed journal: chained RFC 3161 release manifests for thesis-facts appends#92
Merged
Merged
Conversation
Every proposal that appends to ledger/official_observations.jsonl must now carry the next thesis_ledger_release_v1 manifest and two independently anchored RFC 3161 receipts (FreeTSA and DigiCert) witnessing the proposed state. Manifests form an append-only hash chain: contiguous indices, filename bound to exact file bytes, previousManifestSha256 over the prior manifest file, state bound to the exact JSONL byte prefix and immutable_prefix bytes, and an append block binding the row delta and the exact appended byte suffix. The append gate verifies the whole chain — including base-chain validity, base release-file byte and mode immutability, receipt cryptography against committed anchors with code-pinned PEM bytes, policy OIDs, and leaf signer certificate and SPKI pins, and genTime chronology — before any merge; CI re-verifies the full chain on every push to the branch so an unwitnessed direct-push state turns the branch red. Verification is fully offline (scripts/verify_release_chain.py --full). Pre-genesis proposals without release files remain valid until genesis merges. scripts/cut_release_manifest.py builds the next canonical manifest and requests both receipts (DigiCert's documented RFC 3161 endpoint is plain HTTP; tokens are self-authenticating signatures verified against pinned anchors). Tests mint a local OpenSSL test TSA so receipt verification runs offline; production anchors were verified against brier's independently pinned SPKI hashes. releases/README.md documents the schema, the offline verification procedure, and the security limits honestly: this provides tamper evidence and third-party verifiable append-only history, not multi-party authorization — retain an external checkpoint of the head manifest digest. Implemented by GPT-5.6 Sol per its own architecture-review finding 1 (minimal fix), reviewed line by line. 70 tests pass (5 xfail markers document deliberate scope limits). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Cut with scripts/cut_release_manifest.py at 2026-07-11T14:13:39Z; FreeTSA and DigiCert receipts both attest 2026-07-11T14:13:40Z over the manifest bytes. verify_release_chain --full passes with production pins. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
MaxGhenis
added a commit
to MaxGhenis/brier
that referenced
this pull request
Jul 11, 2026
The upstream ledger (PolicyEngine/ledger#92) now witnesses every append with chained RFC 3161 release manifests. This wires brier in as both producer and verifying consumer. Proposer: propose_ledger_append builds the next canonical manifest from the exact trusted base state, requests FreeTSA and DigiCert receipts, and full-verifies the staged candidate with the vendored production verifier before any remote ref or PR exists. The base is fetched by nonrecursive git-object traversal with recomputed tree and blob OIDs; the proposal is created as an unreferenced commit first; the merge binds the exact proposal SHA, rechecks the base after the append gate, and full-verifies the returned merge commit. Any TSA or verification failure aborts with no visible partial state. Pre-genesis bases propose without release files (moot now that genesis is merged upstream). Pin: pin_ledger refuses to advance across any post-genesis commit whose release inventory is not an immutable prefix of the final chain or whose head manifest does not witness that same commit's exact JSONL and immutable-prefix bytes, walking parent SHAs as a linear chain. The final state runs the full vendored verification with production pins, and the committed pin gains an additive releaseHead checkpoint (index, manifest digest, both genTimes). Legacy pins migrate on the next refresh, including a same-SHA refresh. Acceptance windows: the availability index now records, per row, the first witnessed release including it and the last witnessed release excluding it, with both TSA genTimes copied exactly. A claimed acceptedAtUtc earlier than the last excluding receipt genTime (minus skew) fails the refresh — witnessed non-membership makes backdated acceptance claims refutable. Inclusion receipt times deliberately do NOT upper-bound acceptance; the fields are named to prevent that misreading. Witness custody: witness_upstream_ledger archives the exact manifest and DER receipt bytes with recomputed git OIDs into the TSA-witnessed custody chain, closing the upstream residual that receipts are not manifest-hashed and could be silently replaced. verify_witnessed_pin binds the witnessed bundle to the committed pin, and resolve-and-rebuild validates that binding before commit and again after rebase. scripts/ledger_release_chain.py is vendored byte-for-byte from the upstream verifier (guard: tail -n +3 | cmp). Branch protection on the upstream thesis-facts branch now also requires strictly up-to-date branches, closing the residual base-advance window behind the gate. Implemented by GPT-5.6 Sol (three adversarial self-review passes), reviewed line by line. 219 tests pass across the pin, resolver, registration, publication, and witness suites; offline receipt fixtures mint a local test TSA rather than checking in opaque DER blobs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the witnessing layer from the 2026-07-10 architecture review (finding 1, critical: "accepted fact history has no immutable, externally witnessed publication boundary"), in place on this branch per the decision to keep the ledger in the PolicyEngine org.
What this adds
thesis_ledger_release_v1, underreleases/manifests/): each append proposal must carry the next manifest — contiguous index, filename bound to exact file bytes,previousManifestSha256over the prior manifest file, state bound to the exact JSONL byte prefix +immutable_prefix.jsonbytes, append block binding the row delta and exact appended byte suffix.check_thesis_facts_append.py): base release files are byte- and mode-immutable; post-genesis, a ledger append requires exactly the next manifest triple; release-only proposals are refused; the base chain is fully re-verified from materialized base bytes before trusting its head. Pre-genesis proposals without release files stay valid, so nothing in flight breaks before this merges.ci.ymlrunsverify_release_chain.py --fullon every push to this branch — an unwitnessed or inconsistent direct-push state turns the branch red.What this does and does not prove
Third parties can clone and run
python3 scripts/verify_release_chain.py --full(Python + OpenSSL only, no network) to verify an append-only witnessed history. Acceptance-time claims become refutable: a row absent from every witnessed state before its first inclusion cannot claim earlier acceptance. This is tamper evidence, not multi-party authorization — seereleases/README.mdfor the full limits (admin bypass detectability, receipt replacement, verifier-in-repo circularity, the need for an external head-manifest checkpoint). Cross-institution governance remains an open institutional decision.Verification
tests/test_release_chain.py(22 cases) + hardenedtest_thesis_append_adversarial.py: 70 passed, 5 xfail markers documenting deliberate scope limits. Receipt fixtures use a locally minted OpenSSL test TSA; production paths enforce the real pins.tests/test_arch_bundle.pyfails identically on the untouched base tip (stale hardcoded counts, not in CI's whitelist) — pre-existing, tracked separately.Follow-up (brier side, shipping next): the resolver's append proposals will emit the manifest + receipts, the consumer pin will refuse to advance past an unwitnessed state, and receipt bytes get archived into brier's own witnessed records.
🤖 Generated with Claude Code