verify: fail closed patch remains execution-unverified

[Riverbraid]

Status

PATCHED_UNVERIFIED

Original finding

verify.mjs previously computed an ok value and wrote a status of either VERIFIED or FILES_PRESENT_UNVERIFIED, but exited with success in both cases:

process.exit(ok ? 0 : 0);

Patch applied

The file now exits fail closed:

process.exit(ok ? 0 : 1);

The repository verification workflow also now declares read-only permissions:

permissions:
  contents: read

Evidence check performed

The current main commit checked during Phase 4 remediation was:

5e7687bbb1bcae84685f50a49b97deabd3d83a3c

Tool check results:

• fetch_commit_workflow_runs returned no workflow runs for that commit.
• get_commit_combined_status returned no statuses for that commit.

Remaining verification requirement

This issue should remain open until an execution surface confirms the verifier behavior after the patch.

Required evidence before closure:

• verifier execution on the patched commit
• evidence that a failed or unverified state exits nonzero
• workflow or local command output attached or cited

Boundary

This issue records a patched but unverified verification integrity finding.
It does not claim the repository is secure, hardened, audited, defect free, or externally reviewed.
It does not change registry, workflow, protocol, hash, seal, manifest, tag, or release state.

Evidence surface

Repository file: Riverbraid-Refusal-Gold/verify.mjs
Current state: patched in file, execution not yet evidenced
Claim boundary: PATCHED_UNVERIFIED, not resolved

[Riverbraid]

Patch committed on main: verify.mjs now exits fail closed with process.exit(ok ? 0 : 1);.

Boundary: this records patch application only. No workflow run or combined status was returned for the patch commit during connector check, so this remains PATCHED_UNVERIFIED until an execution surface confirms the verifier path.