Status
BATCH A AUDIT INVENTORY ITEM / PARTIALLY REMEDIATED
Scope
Batch A covers:
- Riverbraid-Core
- Riverbraid-Evaluation-Kit
- Riverbraid-Verification-Suite
- Riverbraid-Documentation
- Riverbraid-Golds
Confirmed public entry strengths
- The organization profile routes first-time readers to Evaluation Kit, Documentation, Core, Golds, Safety Example, and Gold V2.
- Evaluation Kit is presented as the public entry and reproduction path.
- Documentation points readers to Evaluation Kit and Phase 4 scaffold surfaces, including remediation and review-pass addenda.
- Core states its authority boundary and non-claims.
- Verification Suite and Golds link back to Evaluation Kit or Documentation.
Current finding state
- Evaluation Kit registry is a pinned snapshot and does not include the later Refusal Gold fail-closed patch. Still tracked separately as Riverbraid-Evaluation-Kit#10.
- Evaluation Kit registry verification commands have uneven verification strength. Classified but not upgraded in Riverbraid-Evaluation-Kit#11 and docs/VERIFICATION_DEPTH_CLASSIFICATION.md.
- Core workflow clones sibling repositories from mutable default branch state. Still tracked as Riverbraid-Core#6.
- Evaluation Kit Docker base image remains tag-pinned and the environment lock marks the digest as UNPINNED. Still tracked as Riverbraid-Evaluation-Kit#9.
- Evaluation Kit verifier dispatch was patched to use a bounded command allowlist. Still tracked as Riverbraid-Evaluation-Kit#8 because execution evidence is required.
- Verification Suite workflow and target were remediated with a bounded scaffold check and secretless workflow path, but execution evidence is still required.
- Riverbraid-Golds no longer prints External Alignment: Verified (Simulated); it now prints External Alignment: SIMULATED_NOT_EVIDENCE.
- Central community health coverage now exists in .github for SECURITY.md, CONTRIBUTING.md, and SUPPORT.md. Per-repo root coverage and root LICENSE coverage remain policy decisions and audit items.
Search-limited non-findings
Search did not return visible hits in Batch A for common private key markers, GitHub token markers, AWS secret markers, npm token markers, pull_request_target, permissions: write-all, secrets.GITHUB_TOKEN, or pipe-to-shell patterns.
This is search-limited and does not prove absence across history, settings, artifacts, dependencies, or unindexed surfaces.
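Example of the marker sweep this non-finding summarises, added here as illustration; it is not the search that was run and not Riverbraid tooling. The regexes are my approximations of the markers named above, and the lines it scans are constructed, with placeholder token-like values.

```python
"""Marker sweep over text lines for the patterns named in the non-findings.

Added illustration; not Riverbraid tooling. Regexes approximate the markers
listed in the audit item. SAMPLE is constructed and its values are placeholders."""
import re
from typing import Iterable, List, Tuple

MARKERS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    # GitHub PAT/OAuth/app token prefixes; length bound is approximate.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # AWS access key id prefixes plus an explicit secret-key assignment.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(r"aws_secret_access_key\s*[=:]", re.I),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "pull_request_target": re.compile(r"\bpull_request_target\b"),
    "permissions_write_all": re.compile(r"permissions:\s*write-all"),
    "github_token_ref": re.compile(r"secrets\.GITHUB_TOKEN"),
    # curl/wget piped into a shell, optionally via sudo.
    "pipe_to_shell": re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
}


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, marker_name) for every marker hit, in line order."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for name, rx in MARKERS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


# Constructed corpus lines; token values are placeholders, not real credentials.
SAMPLE = [
    "# constructed corpus lines for the sweep",
    "on: [push, pull_request_target]",
    "permissions: write-all",
    "  token: ${{ secrets.GITHUB_TOKEN }}",
    "run: curl -sSL https://example.invalid/install.sh | sudo bash",
    "GITHUB_PAT=ghp_" + "A" * 36,
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "//registry.npmjs.org/:_authToken=npm_" + "b" * 36,
    "permissions:",
    "  contents: read",
]


if __name__ == "__main__":
    for n, name in scan(SAMPLE):
        print(f"line {n}: {name}")
```

Run over a checked-out tree this covers only the current revision; feeding it `git log -p --all` output extends coverage to indexed history, but it still says nothing about repository settings, build artifacts, dependency contents or unindexed surfaces, which is exactly the limit stated above.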
Required follow-up
- Run execution evidence for patched workflow and verifier paths.
- Keep registry freshness locked until an explicit gate exists.
- Verify Refusal Gold patched behavior before any registry refresh.
- Resolve Docker digest evidence before Dockerfile pinning.
- Decide central-only versus per-repo community health and license surfaces.
- Populate readiness matrix with evidence.
Boundary
This issue records audit inventory only.
It does not claim Batch A is secure, complete, production ready, externally audited, or free of defects.
It does not mutate registry, verifier behavior, protocol, hash, seal, manifest, tag, or release state.