# code/.governance/wo-adr001-zero-deps-v2.ncl — revision of wo-adr001-zero-deps # per §7.6 (iteration across Work Order instances, never within one run). # Born from falsación finding F0: v1's C1 check (`! grep …` on a relative # path) passed VACUOUSLY from any cwd not containing crates/ — grep exit 2 # inverted to 0. This revision hardens the check fail-closed (file must # exist) and the witness now pins check cwd to the governed repo root. { id = "wo-adr001-zero-deps-v2", objective = "Verify ontoref-ontology declares zero stratumiops dependencies (ADR-001), with a fail-closed check that cannot pass vacuously, and receipts hygiene per the mode's own §7.2 mandate.", predecessor_wo = "wo-adr001-zero-deps", existing_mechanisms_searched = [ "v1's own C1 check — exists but vacuous-passes from a wrong cwd; hardened here, not duplicated", "scripts/witness.nu cwd handling — no prior cwd pinning existed; added to the witness engine (structural), not per-SOW workarounds", ".governance/receipts/.gitignore — already exists from WO#0's intake; C2 verifies its allowlist rather than recreating it", ], contracts = [ { id = "C1-ontology-crate-zero-stratumiops-deps", kind = 'static, why = "ADR-001: ontoref-ontology must stay buildable with zero stratumiops path deps — it is the protocol's minimal adoption surface. v2: the file's existence is asserted first, so a wrong cwd or a renamed crate fails instead of vacuously passing.", check = "test -f crates/ontoref-ontology/Cargo.toml && ! grep -n stratum crates/ontoref-ontology/Cargo.toml", scope = ["crates/ontoref-ontology/Cargo.toml"], }, { id = "C2-receipts-gitignore-allowlist", kind = 'runtime, why = "§7.2: routine verification runs are untracked logs; only named wo-*.jsonl receipts (and their signatures) are milestone claims worth committing. The allowlist is the gate — its absence would either flood the repo or silently untrack accredited receipts.", check = "test -f .governance/receipts/.gitignore && grep -Fxq '*' .governance/receipts/.gitignore && grep -Fxq '!wo-*.jsonl' .governance/receipts/.gitignore && grep -Fxq '!wo-*.jsonl.minisig' .governance/receipts/.gitignore", scope = [".governance/receipts/.gitignore"], }, ], }