diff --git a/README.md b/README.md index e73cb3b..2433e30 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ TriageCore is an early research workbench for AI-assisted software work that kee - bounded Qwen Cloud escalation for external-safe packets only **Planned / future-facing** -- public release polish such as release tagging and GitHub metadata +- public release polish such as release metadata upkeep and GitHub metadata - deeper environmental-edge packaging around Clear Lake Watch style workflows **Research framing** @@ -115,7 +115,7 @@ Current in-repo proof markers: Proof markers that still depend on GitHub/release state rather than repository files: -- first release tag +- release metadata upkeep - GitHub About description - GitHub topics diff --git a/docs/change/change_log.md b/docs/change/change_log.md index 560c2d7..8abdf76 100644 --- a/docs/change/change_log.md +++ b/docs/change/change_log.md @@ -5,6 +5,7 @@ This file provides a chronological, human-readable record of applied codebase an *Note: For operational task and run history, consult `.triagecore/ledger.jsonl`.* ## [Unreleased] +- Implemented CR-035 (Backlog and Status Alignment Pass): Update current backlog and README status markers after CR-034, keeping runtime integrity enforcement and identity signing expansion out of scope. - Implemented CR-034 (Repository Consistency and Secrets Hygiene): Align Python metadata with supported syntax, consolidate package metadata in `pyproject.toml`, expand CI's Python matrix, require environment-only Qwen API keys, reject secret-bearing persistent keys, sanitize backend HTTP errors, and add `SECURITY.md`. - Implemented CR-033 (Model Manifest Check CLI): Add `tc model check --manifest ` to validate documented route-manifest fields without probing live backends or enforcing routing yet. - Implemented CR-032 (Model Route Manifest Schema): Define the canonical route-manifest artifact shape, required provenance fields, and example manifests before any runtime model-integrity enforcement work. diff --git a/docs/change/requests/CR-035-backlog-status-alignment-pass.md b/docs/change/requests/CR-035-backlog-status-alignment-pass.md new file mode 100644 index 0000000..c1e5fbc --- /dev/null +++ b/docs/change/requests/CR-035-backlog-status-alignment-pass.md @@ -0,0 +1,46 @@ +# CR-035: Backlog and Status Alignment Pass + +## Status + +Implemented + +## Scope + +Update documentation so the public project status matches the merged state +after CR-034. + +This change: + +- updates `docs/current_backlog.md` to reflect the post-CR-034 state +- adds CR-034 to the completed safety spine +- distinguishes active identity lifecycle work, model/runtime integrity work, + and completed repository hygiene work +- checks README proof markers for stale release/status language +- records the change in the changelog + +## Non-Scope + +- Do not implement runtime integrity enforcement. +- Do not expand signing beyond `route_audit`. +- Do not change packaging or security behavior. +- Do not add new runtime code. + +## Acceptance Criteria + +- [x] `docs/current_backlog.md` reflects the post-CR-034 state. +- [x] Completed safety spine includes CR-034. +- [x] Current recommendation distinguishes three lanes: + - identity lifecycle work remains under Issue #4 + - model/runtime integrity builds on CR-031 through CR-033 + - repository hygiene baseline from CR-034 is complete +- [x] README has no stale claim that the first release tag is still pending. +- [x] No runtime code changes. +- [x] Full test suite still passes. + +## Validation + +```powershell +python -m pytest -q +git diff --check +git status --short +``` diff --git a/docs/current_backlog.md b/docs/current_backlog.md index eabd495..f776af0 100644 --- a/docs/current_backlog.md +++ b/docs/current_backlog.md @@ -2,7 +2,7 @@ ## Status -This document summarizes the active TriageCore backlog after CR-021 through CR-024. +This document summarizes the active TriageCore backlog after CR-034. ## Active GitHub Backlog @@ -41,23 +41,22 @@ This document summarizes the active TriageCore backlog after CR-021 through CR-0 - CR-031: Runtime Integrity and Model Provenance Policy - CR-032: Model Route Manifest Schema - CR-033: Model Manifest Check CLI +- CR-034: Repository Consistency and Secrets Hygiene ## Current Recommendation -Keep Issue #4 open and pause signing expansion beyond `route_audit`. -Private-key permission and consistency checks plus metadata-only signed smoke -evidence plus identity revocation are now implemented, and rotation/recovery -policy is now documented. Runtime rotation behavior still needs a separate -implementation slice before adding signed event types. - -Treat CR-031 as the policy baseline for any future `tc model check`, route -manifest, or backend provenance work. Runtime integrity enforcement should stay -separate from convenience-adapter support. - -Treat CR-032 as the artifact contract for future runtime validation. `CR-033` -should validate manifests against this schema instead of inventing provenance -rules ad hoc in code. - -Future runtime-integrity work should build on CR-033 by adding richer -manifests, route discovery, or backend-aware checks without collapsing policy, -artifact shape, and live enforcement into one step. +Keep three work lanes distinct: + +- Identity lifecycle work remains under Issue #4. Pause signing expansion beyond + `route_audit`; runtime rotation behavior still needs a separate + implementation slice before adding signed event types. +- Model and runtime integrity work should build on CR-031 through CR-033. Keep + policy baseline, route-manifest artifact shape, manifest validation, and live + enforcement as separate reviewable slices. +- Repository consistency and secrets hygiene from CR-034 is complete. Future + hygiene work should be limited to stale documented claims or a separately + proposed repo-consistency checker. + +The next feature-sized slice can be a runtime model-manifest enforcement +preview, but it should not collapse policy, artifact shape, manifest validation, +and backend probing into one change.