ontoref-code/.governance/wo-adr001-zero-deps-v2.ncl
2026-07-10 01:44:59 +01:00

35 lines
2.3 KiB
Text

# code/.governance/wo-adr001-zero-deps-v2.ncl — revision of wo-adr001-zero-deps
# per §7.6 (iteration across Work Order instances, never within one run).
# Born from falsación finding F0: v1's C1 check (`! grep …` on a relative
# path) passed VACUOUSLY from any cwd not containing crates/ — grep exit 2
# inverted to 0. This revision hardens the check fail-closed (file must
# exist) and the witness now pins check cwd to the governed repo root.
{
id = "wo-adr001-zero-deps-v2",
objective = "Verify ontoref-ontology declares zero stratumiops dependencies (ADR-001), with a fail-closed check that cannot pass vacuously, and receipts hygiene per the mode's own §7.2 mandate.",
predecessor_wo = "wo-adr001-zero-deps",
existing_mechanisms_searched = [
"v1's own C1 check — exists but vacuous-passes from a wrong cwd; hardened here, not duplicated",
"scripts/witness.nu cwd handling — no prior cwd pinning existed; added to the witness engine (structural), not per-SOW workarounds",
".governance/receipts/.gitignore — already exists from WO#0's intake; C2 verifies its allowlist rather than recreating it",
],
contracts = [
{
id = "C1-ontology-crate-zero-stratumiops-deps",
kind = 'static,
why = "ADR-001: ontoref-ontology must stay buildable with zero stratumiops path deps — it is the protocol's minimal adoption surface. v2: the file's existence is asserted first, so a wrong cwd or a renamed crate fails instead of vacuously passing.",
check = "test -f crates/ontoref-ontology/Cargo.toml && ! grep -n stratum crates/ontoref-ontology/Cargo.toml",
scope = ["crates/ontoref-ontology/Cargo.toml"],
},
{
id = "C2-receipts-gitignore-allowlist",
kind = 'runtime,
why = "§7.2: routine verification runs are untracked logs; only named wo-*.jsonl receipts (and their signatures) are milestone claims worth committing. The allowlist is the gate — its absence would either flood the repo or silently untrack accredited receipts.",
check = "test -f .governance/receipts/.gitignore && grep -Fxq '*' .governance/receipts/.gitignore && grep -Fxq '!wo-*.jsonl' .governance/receipts/.gitignore && grep -Fxq '!wo-*.jsonl.minisig' .governance/receipts/.gitignore",
scope = [".governance/receipts/.gitignore"],
},
],
}