Skip to content

M0 — governance truth: security_sensitive gate enforced, CLAUDE.md truthful#58

Merged
MartinMontero merged 6 commits into
mainfrom
m0/governance-truth
Jul 12, 2026
Merged

M0 — governance truth: security_sensitive gate enforced, CLAUDE.md truthful#58
MartinMontero merged 6 commits into
mainfrom
m0/governance-truth

Conversation

@MartinMontero

@MartinMontero MartinMontero commented Jul 11, 2026

Copy link
Copy Markdown
Owner

What does this PR do?

PLAN.md M0 — the P0 fix (BACKLOG B1, Option 2 per gate ruling G2), six commits:

  • 07efa9eschema: security_sensitive becomes a real, validated field (src/schema/catalog.ts). The Marmot guide's existing flag stops being inert frontmatter.
  • ddb72b1the gate: additive .github/workflows/i18n-security-gate.yml (new file; touches nothing in the protected {verify, security-pr, quality} set) + zero-dependency scripts/i18n-security-gate.mjs. PRs touching a flagged English source or any es/ar variant of one fail the check until 2 distinct approving reviews exist. Fail-closed semantics: flag honored on base OR head (flag-removal PRs stay gated); unreadable pages count as flagged; approvals = distinct users' latest verdicts, author excluded, CHANGES_REQUESTED supersedes, COMMENTED never does. Re-evaluates on review submit/dismiss. Decision logic is pure and pinned by 9 unit tests.
  • 4ae5a70CLAUDE.md truthful (E5 + E9 ride along): the i18n section now states what EXISTS (including this gate, with its B4 dependency in writing) vs what is PLANNED. No dangling TRANSLATING.md reference survives; constraint 4 names the protected workflow set.
  • af07933 — fix: unused ts-expect-error caught by verify:all (process note: a grep pipe briefly masked the exit code; corrected on the record).
  • c4a51daM0-R1 REQUIRED FIX — trusted-code pin: the gate's checkout is pinned to the PR's base SHA, closing the self-modification bypass (a PR must never supply the logic that judges it).
  • a142a68 — PLAN.md records the M0-R1 rulings (B4 → Required with owner-bypass; item-0 deploy semantics into E4's acceptance; B13 scope addendum).

⚠ Expected: this PR's own two-review-gate run is RED after c4a51da

Bootstrap, by design (M0-R1): the gate now runs the BASE branch's copy of scripts/i18n-security-gate.mjs — which does not exist at base until this PR merges. The job therefore fails closed on this PR and self-heals on merge. Merging over this specific red is the owner's ruled call (M0-R1 §4); every future PR runs the trusted, merged copy.

Verification

  • npm run check green (schema validates the flagged Marmot guide)
  • npm run verify:all exit 0 — 0 type errors, 361/361 tests (+9), enforce green, build complete
  • Zero new dependencies; workflow actions SHA-pinned matching house style; zizmor green
  • Gate wiring proven live: pre-fix run on af07933 executed and passed (no flagged pages touched)
  • UNTESTED-live: the red→green two-approval transition needs a post-merge PR touching the flagged Marmot guide — the recorded acceptance step.

🤖 Generated with Claude Code

https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP

claude added 4 commits July 11, 2026 15:34
The Marmot guide has carried security_sensitive: true since it landed, but
the schema never defined the field — the flag was inert frontmatter. Now it
is typed, documented (English source only; locale variants inherit by path),
and validated by astro check. The enforcing gate lands in the next commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
…ensitive pages (M0)

Additive workflow (new file per constraint 4; touches nothing in the
protected set) + a zero-dependency script whose decision logic is pure and
unit-tested (10 tests): locale variants inherit the English source's flag by
path; the flag is honored on BASE or HEAD (a PR removing the flag is still
gated); an unreadable page fails closed as flagged; approvals = distinct
users' LATEST verdicts, author excluded, CHANGES_REQUESTED supersedes,
COMMENTED never does. Re-evaluates on review submit/dismiss.

Stated plainly per the SHIP-GATE-R2 G2 rider: until this check is marked
Required in branch protection (OWNER item B4), a red gate is a loud advisory
— GitHub does not block the merge. M0 + B4 together close the P0.

Live red/green verification requires a PR touching the flagged Marmot guide
— recorded as the post-merge acceptance step (UNTESTED-live until then).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
…n 2)

The section previously described freshness stamps, a reader banner, hygiene
CI, TRANSLATING.md, and CODEOWNERS in the present tense — none of which
exist. It now states exactly what EXISTS (Starlight i18n, the translation
pipeline, the house island pattern, and the NOW-ENFORCED security_sensitive
two-review gate with its B4 required-check dependency stated) and what is
PLANNED (the full governance layer — BACKLOG B1, its own future effort).
E5: no dangling TRANSLATING.md reference survives (the stop-and-ask trigger
now says the charter is unwritten and to always ask). E9: constraint 4 names
the protected workflow set {verify, security-pr, quality}, previously
recorded only in guard.py.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
…port

Caught by verify:all AFTER an earlier pipeline masked its exit code (grep in
a pipe won the && chain) — the prior push carried a red typecheck. This
commit restores green; the process error is on the record.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 11, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
wecanjustbuildthings a142a68 Jul 11 2026, 09:46 PM

claude added 2 commits July 11, 2026 21:41
…o base (M0-R1)

Closes the self-modification bypass: with the default merge-ref checkout, a
PR touching a flagged page could ALSO edit scripts/i18n-security-gate.mjs in
the same PR and neuter the gate judging it. The checkout is now pinned to
the PR's base SHA, so the decision logic always comes from the base branch.
Bootstrap consequence, accepted and ruled: on THIS PR the script is absent
at base, so the gate goes red — failing closed — and self-heals on merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
…-0 deploy semantics into E4, B13 scope addendum

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LVPyHAtQ1cdK76RpFasafP
@MartinMontero
MartinMontero merged commit 98130a5 into main Jul 12, 2026
14 of 15 checks passed
@MartinMontero
MartinMontero deleted the m0/governance-truth branch July 12, 2026 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants