Skip to content

feat: export and import mutation genomes with redacted evidence and origin attestations#44

Merged
karngyan merged 1 commit into
mainfrom
feat/team-genome
Jul 18, 2026
Merged

feat: export and import mutation genomes with redacted evidence and origin attestations#44
karngyan merged 1 commit into
mainfrom
feat/team-genome

Conversation

@karngyan

Copy link
Copy Markdown
Contributor

Claim

A verified mutation can now travel between machines. autophagy genome export
writes a self-contained, redaction-gated genome/0.1 bundle; autophagy genome import ingests it as a fresh review-only candidate. Trust is never
transplanted: lifecycle state does not travel, the origin's replay/shadow
reports arrive as display-only attestations, and the receiver must re-run
challenge → replay → shadow against its own evidence to advance the candidate.
Local-first and offline — export writes a file, import reads one, no network I/O.

What's here

  • autophagy-genome crate — the bundle format only (build, parse,
    content-id integrity check, attestation hashing). Depends solely on events,
    mutations, and redaction; does no storage or network I/O. New crate as a
    genuine vertical slice.
  • Redaction — new public PrivacyPolicy::scrub_value / scrub_string over
    arbitrary JSON, reusing the built-in secret rules (documented, unit-tested).
  • Store — migration 0004_mutation_attestations (STRICT, display-only, no
    lifecycle read path consults it), register_attestation + retrieval, and an
    additive attestations field on MutationDetails.
  • CLIgenome export <id> --out PATH [--force], genome import PATH [--dry-run], a mutations show attestations section, and a mutations list
    (imported) marker. Wording is blunt: attestations are origin-claimed, not
    locally verified
    .
  • Contractdocs/specs/genome/0.1 (schema + valid/invalid fixtures,
    exercised by tests) and ADR 0016.

Why the bundle carries events

Two store facts force it: register_mutation fails unless every cited
event_id already exists locally (the evidence FK wall), and replay/shadow
reports are content-hash-locked on their exact source_event_ids. So the bundle
carries the original events, redacted — rewriting ids would break the hashes.

How the redaction gate works

  • At export, every event runs through PrivacyPolicy (built-in secret rules
    • configured import.exclude_paths). A path-excluded event aborts the
      export naming the event — silently dropping it would break the reports that
      cite it. The mutation's reviewable text is scrubbed with the same rules.
  • At import, the receiver re-runs its own policy over every event before
    storing it (never trusting the sender), and a path-excluded event aborts.
  • Attestation integrity: each report carries a SHA-256 content_hash;
    import recomputes it and records hash_verified — a transit-integrity check,
    never a re-verification.

Evidence

Round-trip integration test (genome_export_import_round_trip_...): drives a
mutation to shadow_passed, exports it, imports into a fresh DB — the candidate
lands as candidate with both attestations stored (hash_verified, but
lifecycle unchanged), --dry-run writes nothing, and re-import is idempotent.
Plus genome-crate unit tests (schema conformance, tamper detection via
genome_id and attestation hash, path-excluded abort, package-text scrubbing)
and a store test (attestations are display-only and idempotent).

Real-data check — exported a real repeated_command_failure candidate from a
copy of the development database (schema v2, upgraded in place to v4 on open)
under an isolated AUTOPHAGY_CONFIG_DIR; the user's real DB and config were
never touched. The bundle carried 28 redacted evidence events; a secret-pattern
scan (sk-, ghp_, AKIA, Bearer …, api_key=…) found no matches, and
no residual [REDACTED] markers (the source was already clean). A sample event:

{
  "event_id": "evt_pi_01bcfb9a…",
  "source": "pi",
  "type": "tool.completed",
  "project": "/Users/karn/code/zuzoto/zuzoto",
  "tool": { "name": "bash", "input": { "command": "cd /Users/karn/code/zuzoto/zuzoto && go build ./... 2>&1" }, "exit_code": 0 }
}

Importing into a fresh empty DB:

$ autophagy genome import real.genome.json --dry-run
mut_a87b7c83…  from path:df3d…  would register as a fresh candidate (dry run)
  evidence: 28 new · 0 already present

$ autophagy genome import real.genome.json
mut_a87b7c83…  from path:df3d…  registered as a fresh candidate
  evidence: 28 new · 0 already present

$ autophagy mutations show mut_a87b7c83   # in the fresh DB
state         candidate
hypothesis    The recurring `cd $PROJECT && go build ./... 2>&1` failure is caused …
evidence      3 events · 25 counterexamples

The candidate lands as candidate — verification did not travel.

mise run check is fully green (ci + docs + fmt + lint + test).

Privacy implications

A genome contains redacted event content — the exact AEP events the mutation
cites, run through the redaction policy at export and again at import.
Exporting is an explicit user act that writes a local file the user then
chooses whether and how to share; Autophagy performs no network I/O at any
point. Attestation reports are deterministic, model-free evaluation summaries
(event ids, normalized selectors, integer counts, outcome enums) with no raw
payloads. Path-excluded evidence aborts rather than leaks, at both ends. Absolute
project paths travel unless import.exclude_paths removes them — they are
governed by the same policy that gates ingestion, and a [genome] policy
override is noted as future work in ADR 0016.

🤖 Generated with Claude Code

…rigin attestations

Add a file-based, offline team genome (genome/0.1): one developer exports a
verified mutation as a self-contained, redaction-gated bundle and another
imports it as a fresh review-only candidate carrying the origin's verification
reports as display-only attestations. Trust is never transplanted — lifecycle
state does not travel, and the receiver must re-verify locally.

- New autophagy-genome crate: bundle build/parse, content-id integrity, and
  attestation hashing (depends only on events, mutations, redaction).
- Redaction: public PrivacyPolicy::scrub_value / scrub_string over arbitrary
  JSON, reusing the built-in secret rules.
- Store: migration 0004 mutation_attestations (STRICT, display-only), plus
  registration/retrieval and the attestations field on MutationDetails.
- CLI: genome export/import (with --dry-run and --force), a mutations show
  attestations section, and a mutations list imported marker.
- Spec docs/specs/genome/0.1 (schema + valid/invalid fixtures) and ADR 0016.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@karngyan
karngyan merged commit 4a400a2 into main Jul 18, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant