FEAT-050 (v3.0): tool-qualification dossier (DO-330 TQL-5 / ISO 26262-8 §11)#89
Merged
Conversation
…-8 §11) The G-005 capstone (CA-011). docs/qualification-dossier-v1.md maps every DO-330 TQL-5 objective and every ISO 26262-8 §11 (TCL) objective to a concrete scry artifact — a mechanized proof, a runnable test, a CI gate, or an explicit scope statement. Honesty-first (the roadmap audit's mandate): - The mechanized-soundness inventory (§4) names all 17 admit-free Rocq proofs + the semantic Verus join proof, each re-checked by bazel test in CI. Evidence that is test-/γ-sweep-validated but NOT machine-proven (MC/DC, the value-level transfers, float rounding) is labelled as such, never as mechanized. - The scope/limitation statement (§5) is fed by the FEAT-040 gap report (the per-artifact conservative-site oracle) plus the known precision limits of each domain. - §6 honesty notes record the deltas: REQ-002 is now literally true for i32.add (WrapAdd.v) but NOT tool-wide; float rounding is γ-sweep not Rocq; the Verus join proof's false-then-repaired history is recorded, not hidden. - ISO 26262-8: derives TCL1 (TI2 × TD1) with the proof + MC/DC + per-release falsification-statement argument for TD1. Depends on the substance having landed (FEAT-045/046/048 shipped). Doc + roadmap status only; rivet validate PASS. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
An adversarial overclaim-audit of the dossier flagged (core §4 proof basis verified honest): - 'Rocq 9.0.1' -> 'Rocq 9.0' (MODULE.bazel pins 9.0, not 9.0.1). - 'sigil-signed release artifacts' -> cosign (sigstore keyless OIDC) + SLSA-v1 build-provenance attestation (release.yml actually uses cosign, not sigil). - 'rivet coverage (CI gate)' -> rivet coverage is an assessor-run entry point (§8), NOT wired into CI; only rivet validate is a gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📐 rivet artifact deltaPR: #89 Base SHA: Validationhead — `rivet validate` resultbase — `rivet validate` result (for comparison)Artifact stats
full stats — headDiff (base → head)AADL model — headPosted by the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The G-005 capstone (CA-011).
docs/qualification-dossier-v1.mdmaps everyDO-330 TQL-5 objective and every ISO 26262-8:2018 §11 (TCL) objective to a
concrete scry artifact — a mechanized proof, a runnable test, a CI gate, or an
explicit scope statement.
Honesty-first (the roadmap audit's mandate)
Verus join proof, each re-checked by
bazel testin CI. Evidence that istest-/γ-sweep-validated but not machine-proven (MC/DC, the value-level
transfers, float rounding) is labelled as such — never as mechanized.
conservative-site oracle) + each domain's known precision limits.
i32.add(WrapAdd.v) but not tool-wide; float rounding is γ-sweep notRocq; the Verus join proof's false-then-repaired history is recorded.
per-release falsification-statement argument for TD1.
Depends on the substance (FEAT-045/046/048) having shipped — it has. Doc +
roadmap status only;
rivet validatePASS.🤖 Generated with Claude Code