Skip to content

IntelIP/Tabellio

Repository files navigation

Tabellio

Tabellio product overview

OpenSSF Scorecard Node.js GitHub Actions JSON Schema SARIF Graphite Entire Code Storage License

Evidence-backed pull request governance for agentic development.

Tabellio is an open-source experiment in what Git review should capture when agents write code: not just the diff, but the task, reason, commands, checks, artifacts, and protected side effects behind the change.

What It Adds

Tabellio attaches a structured evidence packet to a pull request. The packet is small enough to inspect in review and strict enough to validate in CI.

Area Evidence
Task Source request, issue, ticket, or manual prompt summary
Git Repository, base branch, head branch, commit SHA, and PR metadata
Runtime Human, CI, or agent runtime that produced the change
Diff Changed files
Validation Commands run and check results
Approvals Required, granted, denied, or skipped approvals
Side effects Deployment, migration, infra, billing, secret, provider, and destructive-action policy
Artifacts Evidence files generated by the run

Review Questions

AI-assisted pull requests should not depend on reviewer trust alone. Tabellio gives reviewers a repeatable answer to:

  • What changed?
  • Why did it change?
  • What commands ran?
  • What failed or was skipped?
  • Did the workflow try to deploy, migrate, read secrets, touch billing, or mutate infrastructure?
  • Where is the machine-readable audit packet?

Workflow Stack

Layer Tooling Role
Runtime Node.js 20+ Runs the local writer and validators
CI GitHub Actions Hosts the reusable pull request evidence workflow
Evidence contract JSON Schema Validates the evidence envelope and external-action policy
Security signal OpenSSF Scorecard Publishes a non-gating public repository health signal
Code scanning output SARIF Carries Scorecard output into GitHub code scanning
Review surface GitHub Pull Requests Shows checks, artifacts, and reviewer context
Stacked review Graphite Intended companion for small dependent PR stacks
Checkpoint ledger Entire and Entire CLI Intended companion for agent session and checkpoint context
Git substrate GitHub today; Code Storage compatible direction Stores repositories, branches, commits, patches, and machine-created code state
Agent review OpenAI Codex Optional review layer when configured
Prior art SLSA and in-toto Inspiration for provenance and supply-chain evidence, without a compliance claim

The startup/tool tags describe the workflow ecosystem. Tabellio v0.1.0 does not call vendor APIs for Code Storage, Entire, Graphite, or Codex.

Core Files

Path Purpose
.github/workflows/tabellio-evidence.yml Reusable evidence workflow for pull requests
.github/workflows/scorecard.yml Non-gating OpenSSF Scorecard scan
schemas/ Evidence and external-action JSON schemas
scripts/ Dependency-free writer and validators
examples/ Minimal valid evidence fixture and consumer workflow example
templates/ Pull request checklist for evidence-backed review
docs/ Setup, schema, workflow model, Codex review, tooling stack, and research grounding

Quick Start

Add Tabellio to another repository:

name: Tabellio Evidence

on:
  pull_request:

permissions:
  contents: read
  actions: read

jobs:
  evidence:
    uses: IntelIP/Tabellio/.github/workflows/tabellio-evidence.yml@v0.1.0
    with:
      # Replace with the repository's normal validation command.
      validation_command: npm test
      toolkit_ref: v0.1.0

toolkit_ref is required when the consumer repository does not vendor the Tabellio scripts. In consumer repositories, setting it forces the workflow to use the pinned Tabellio toolkit instead of PR-controlled local scripts. Pin it to the same release tag or SHA as the reusable workflow. Before the first release tag exists, use main instead of v0.1.0.

Validate the bundled fixture:

node scripts/check-tabellio-evidence-envelope.mjs --evidence examples/tabellio-evidence/minimal-evidence.json
node scripts/check-tabellio-external-actions.mjs --evidence examples/tabellio-evidence/minimal-evidence.json

Generate evidence from the current Git state:

node scripts/write-tabellio-evidence-envelope.mjs --out tabellio-pr-evidence.json
node scripts/check-tabellio-evidence-envelope.mjs --evidence tabellio-pr-evidence.json
node scripts/check-tabellio-external-actions.mjs --evidence tabellio-pr-evidence.json

Package scripts:

npm run check
npm run tabellio:evidence:write
npm run tabellio:evidence:check
npm run tabellio:external-actions:check

Protected Action Classes

These actions require explicit approval before attempted execution:

  • deployment
  • database migration
  • infrastructure change
  • DNS or hosting change
  • billing or live-money action
  • credentialed provider read
  • secret-value read
  • destructive workspace action

The external-action checker fails when an action is marked attempted: true without approved: true.

Docs

License

Apache-2.0. See LICENSE and NOTICE.

Packages

 
 
 

Contributors