invariant-systems-ai
diff --git a/‎.github/ISSUE_TEMPLATE/config.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/config.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 1 addition & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/SECURITY.md‎
Lines changed: 136 additions & 0 deletions b/‎.github/SECURITY.md‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎.markdownlint.yaml‎
Lines changed: 4 additions & 42 deletions b/‎.markdownlint.yaml‎
Lines changed: 4 additions & 42 deletions
diff --git a/‎ARCHITECTURE.md‎
Lines changed: 1 addition & 1 deletion b/‎ARCHITECTURE.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 22 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 1 addition & 1 deletion b/‎CONTRIBUTING.md‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: Apache-2.0
+blank_issues_enabled: true
+contact_links:
+  - name: Security Vulnerability
+    url: https://github.com/invariant-systems-ai/aiir/security/policy
+    about: Please report security vulnerabilities via our security policy — do NOT open a public issue.
+  - name: Discussions
+    url: https://github.com/invariant-systems-ai/aiir/discussions
+    about: Ask questions, share ideas, or discuss AIIR usage.
@@ -1,3 +1,4 @@
+<!-- markdownlint-disable MD041 -->
 ## Description
 
 <!-- What does this PR do? Why? -->
 
@@ -0,0 +1,136 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 1.2.x   | ✅ Active (current) |
+| 1.1.x   | ✅ Security fixes |
+| 1.0.x   | ✅ Security fixes |
+| < 1.0.0 | ❌ Unsupported — upgrade to 1.2.x |
+
+## Reporting a Vulnerability
+
+**This is a security-critical tool.** We take every report seriously.
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Instead, report vulnerabilities via:
+
+- **Email**: [noah@invariantsystems.io](mailto:noah@invariantsystems.io)
+- **Subject prefix**: `[VULN] aiir: <brief description>`
+
+### What to include
+
+1. Description of the vulnerability
+2. Steps to reproduce
+3. Affected versions
+4. Severity assessment (if known)
+5. Suggested fix (if any)
+
+### Response timeline
+
+| Stage | Target |
+|-------|--------|
+| Acknowledgment | 24 hours |
+| Initial triage | 48 hours |
+| Fix for Critical/High | 7 days |
+| Fix for Medium/Low | 30 days |
+| Public disclosure | After fix is released |
+
+### Scope
+
+The following are in scope:
+
+- **aiir/cli.py** — public API shell and CLI entry point
+- **aiir/_core.py** — constants, encoding helpers, git operations, hashing
+- **aiir/_detect.py** — AI signal detection and commit metadata parsing
+- **aiir/_receipt.py** — receipt building, generation, formatting, writing
+- **aiir/_verify.py** — receipt content-addressed integrity verification
+- **aiir/_sign.py** — Sigstore signing and verification
+- **aiir/_ledger.py** — append-only JSONL ledger with auto-index
+- **aiir/_stats.py** — badge, stats dashboard, policy checks
+- **aiir/_github.py** — GitHub Actions integration
+- **aiir/mcp_server.py** — MCP server for AI assistants (path-restricted, error-sanitized)
+- **action.yml** — GitHub Actions composite action
+- **Receipt integrity** — content-addressed hashing chain
+- **Output injection** — GitHub Actions output/summary manipulation
+- **Supply chain** — dependency pinning and integrity
+
+### Out of scope
+
+- AI detection bypass (this is a known limitation of heuristic detection — see README)
+- Issues in upstream dependencies (`actions/setup-python`, `actions/upload-artifact`, etc.)
+- Denial of service via extremely large repositories (mitigated by `--max-count` limit)
+
+## Security Design
+
+### Threat model
+
+This tool processes untrusted input from:
+1. **Git commit metadata** — author names, emails, subjects, message bodies
+2. **GitHub Actions inputs** — `commit-range`, `ai-only`, `output-dir`
+3. **Diff content** — full diffs are hashed but not stored in receipts
+
+### Security properties
+
+- **Content-addressed receipts**: The `receipt_id` and `content_hash` are derived from SHA-256 of the canonical JSON receipt core. Modifying any field invalidates both.
+- **Sigstore keyless signing** (optional): Receipts can be cryptographically signed using Sigstore, providing non-repudiation and a public transparency log entry (Rekor). Uses OIDC keyless signing — no key management required. In GitHub Actions, ambient credentials are used automatically when `id-token: write` is set.
+- **NUL-byte delimited parsing**: Git metadata fields are parsed using `%x00` delimiters to prevent field injection via pipes or other characters in author names.
+- **Ref validation**: All user-provided git refs are validated to reject option-like strings (e.g., `--all`), preventing git argument injection.
+- **Heredoc output pattern**: GitHub Actions outputs use the heredoc delimiter pattern to prevent output injection via multiline values.
+- **Pinned dependencies**: All action dependencies are pinned to full commit SHAs, not mutable version tags.
+- **Markdown sanitization**: Commit subjects in step summaries are sanitized to prevent image beacon, phishing link, and HTML injection.
+- **Zero dependencies**: Only Python standard library. No supply chain attack surface from pip packages.
+- **PEP 740 digital attestations**: Every wheel and sdist published to PyPI includes in-toto-style digital attestations (SLSA provenance + PyPI Publish predicates), cryptographically signed via short-lived OIDC identities from Trusted Publishing. No static keys to compromise.
+- **SLSA provenance**: GitHub Actions `attest-build-provenance` generates SLSA provenance attestations for both wheel and sdist, binding each artifact to the specific build invocation.
+- **PyPI Integrity API verification**: Post-publish CI verifies that attestations are retrievable via PyPI's Integrity API (`GET /integrity/aiir/<version>/<file>/provenance`). A standalone verification script (`scripts/verify-pypi-provenance.py`) is provided for consumers.
+- **Trusted Publishing (OIDC)**: PyPI uploads use GitHub's OIDC identity provider — short-lived, scoped tokens instead of long-lived API tokens. No `PYPI_TOKEN` secret to rotate or leak.
+
+### Verifying AIIR release provenance
+
+Consumers can verify that any AIIR release was built by the official CI pipeline:
+
+```bash
+# Verify the latest release attestations (zero dependencies)
+python scripts/verify-pypi-provenance.py
+
+# Verify a specific version
+python scripts/verify-pypi-provenance.py 1.2.2
+
+# Strict mode — fail if any artifact lacks attestations
+python scripts/verify-pypi-provenance.py --strict
+```
+
+Alternatively, query the PyPI Integrity API directly:
+
+```bash
+# Fetch attestations for a specific file
+curl -s https://pypi.org/integrity/aiir/1.2.2/aiir-1.2.2-py3-none-any.whl/provenance | python3 -m json.tool
+```
+
+## Secret rotation
+
+The AIIR project minimises long-lived secrets through OIDC Trusted Publishing
+(PyPI), Sigstore keyless signing, and the automatic `GITHUB_TOKEN`. Three
+repository-level secrets remain:
+
+| Secret | Type | Scope | Rotation cadence |
+|--------|------|-------|------------------|
+| `GITLAB_TOKEN` | GitLab PAT | `write_repository` on the GitLab mirror | 90 days |
+| `NPM_TOKEN` | npm granular token | `publish` on `@invariantsystems/aiir` | 90 days |
+| `WEBSITE_DISPATCH_TOKEN` | GitHub fine-grained PAT | `contents:read` on `invariantsystems.io` | 90 days |
+
+**Rotation procedure:**
+1. Generate a new token with the scopes listed above.
+2. Update the secret in **Settings → Secrets and variables → Actions**.
+3. Trigger a test workflow run to verify the new token works.
+4. Revoke the old token immediately after confirming the new one.
+
+**Design intent:** If any secret expires or is revoked, the failure mode is
+graceful — GitLab sync, npm publish, and website dispatch all have fallback
+paths (CI mirror cron, manual publish, 6-hour self-heal schedule).
+
+## Acknowledgments
+
+We gratefully acknowledge security researchers who report vulnerabilities responsibly.
@@ -2,6 +2,10 @@
 # https://github.com/DavidAnson/markdownlint
 #
 # SPDX-License-Identifier: Apache-2.0
+#
+# All rules enforced. File-level and line-level exceptions use
+# inline markdownlint-disable comments where structurally necessary
+# (frontmatter, PR templates, UI navigation paths, formula syntax).
 
 # Allow long lines — markdown prose is not code.
 MD013: false
@@ -23,45 +27,3 @@ MD003:
 
 # Allow inline HTML for shields.io badges
 no-inline-html: false
-
-# ── Relaxations for docs/contrib content ─────────────────────────────
-# These rules fire frequently on intentional patterns in our docs.
-
-# Fenced code blocks without language (sometimes intentional for plain text)
-MD040: false
-
-# Blanks around lists (frequently violated in contrib posts and docs)
-MD032: false
-
-# Bare URLs (common in contrib launch posts, Show HN drafts, etc.)
-MD034: false
-
-# Blanks around fences (contrib posts use compact formatting)
-MD031: false
-
-# Emphasis as heading (docs use bold for UI navigation paths)
-MD036: false
-
-# First line must be a heading (PR template starts with ## Description)
-MD041: false
-
-# Blank lines inside blockquotes
-MD028: false
-
-# Emphasis style consistency (contrib uses both * and _)
-MD049: false
-
-# Heading spacing
-MD022: false
-
-# No multiple blank lines (can happen in formatted docs)
-MD012: false
-
-# Single top-level heading (contrib posts have frontmatter + heading)
-MD025: false
-
-# Ordered list prefix
-MD029: false
-
-# Link fragments
-MD056: false
@@ -4,7 +4,7 @@
 
 ## Current Architecture (v1.0.x)
 
-```
+```text
 ┌─────────────────────────────────────────────────────────────┐
 │  CLI / GitHub Action / MCP Server                           │
 │  (aiir/cli.py, action.yml, mcp_server.py)                   │
 
@@ -4,15 +4,35 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/), and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [1.2.3] — 2026-03-11
+
+### Added
+
+- **Markdown lint enforcement**: Fixed all 78 markdown lint violations across 20 files and re-enabled all suppressed rules in `.markdownlint.yaml`. CI now enforces the full rule set.
+- **Verification pipeline documentation**: New "How It Works — The Verification Pipeline" section in README with ASCII architecture diagram showing `git commit → receipt → Sigstore → policy → VSA → CI gate`.
+- **Example gallery** (`examples/README.md`): Real receipt JSON, verification output, CI check mockup, policy evaluation example, and badge usage guide.
+- **GitHub community profile**: Added `.github/SECURITY.md` for detection and `.github/ISSUE_TEMPLATE/config.yml` with security policy redirect and discussions link.
+- **CI badge**: Added CI status badge to README badge row.
+
+### Changed
+
+- **README messaging**: Tagline updated from consumer-style to infra-grade positioning. Test count updated to 1600+. Audience-specific bullets for developers, security teams, and auditors.
+
 ## [1.2.2] — 2026-03-10
 
 ### Added
 
+- **DAG binding hardening** (`commit_receipt.v2`): Receipt core now includes `tree_sha` (directory state) and `parent_shas` (graph position) in the hashed `commit` object. Closes the theoretical "receipt laundering" vector identified in red-team review — a receipt is now cryptographically bound to the commit's exact position in the DAG, not just its content hash. Backwards-compatible: v1 receipts still verify. JSON Schema: `schemas/commit_receipt.v2.schema.json`. New controls: R24-DAG-01, R24-DAG-02.
 - **P0: GitHub Check Run** (`create_check_run()`): AIIR verification now posts a visible `aiir/verify` check run on every PR when running as a GitHub Action. Enforceable via branch protection rules. Requires `checks: write` permission.
 - **P1: Review Receipts** (`build_review_receipt()`, `--review`): New receipt type (`aiir/review_receipt.v1`) for human review attestations. Content-addressed, schema-validated, appended to the same ledger. Supports `--review-outcome` (approved/rejected/commented) and `--review-comment`. JSON Schema: `schemas/review_receipt.v1.schema.json`.
 - **P2: Project Init** (`--init`): Scaffold a `.aiir/` directory with `receipts.jsonl`, `index.json`, `config.json`, `.gitignore`, and optional `policy.json`. Path-traversal guarded. Idempotent (safe to re-run).
 - **P3: PR Comment** (`post_pr_comment()`): Automatic receipt summary comment on every PR in GitHub Actions mode. Idempotent (updates existing comment via hidden HTML marker). Requires `pull-requests: write` permission.
 - **P4: Commit Trailers** (`format_commit_trailer()`, `--trailer`): Print `AIIR-Receipt`, `AIIR-Type`, `AIIR-AI`, `AIIR-Verified` trailer lines suitable for `git interpret-trailers`. Terminal-escape sanitized, capped at 10 trailers.
+- **Transport-level agent attestation** (`extensions.agent_attestation`): 3-tier confidence model for AI authorship evidence:
+  - `"declared"` — self-reported via `--agent-tool`/`--agent-model`/`--agent-context` CLI flags (existing).
+  - `"transport"` — **NEW**: MCP server auto-populates `confidence: "transport"` because the MCP protocol itself guarantees an AI client invoked the tool. Generator stamped as `aiir.mcp`.
+  - `"environment"` — **NEW**: CI auto-detection reads `GITHUB_ACTOR` / `GITLAB_USER_LOGIN` and auto-populates attestation when the actor matches known AI/bot patterns (e.g., `copilot`, `dependabot[bot]`, `gitlab-duo`). Explicit `--agent-*` flags always take precedence.
+  - Review receipts (`build_review_receipt`) now accept and propagate `agent_attestation`.
 - **PEP 740 digital attestations**: Publish workflow now explicitly enables `attestations: true` on `pypa/gh-action-pypi-publish`. Every wheel and sdist uploaded to PyPI includes in-toto-style digital attestations (SLSA provenance + PyPI Publish predicates), cryptographically signed via short-lived OIDC identities from Trusted Publishing.
 - **SLSA provenance for sdist**: `actions/attest-build-provenance` now covers both `.whl` and `.tar.gz` artifacts (was wheel-only).
 - **PyPI Integrity API verification**: Post-publish CI step queries `GET /integrity/aiir/<version>/<file>/provenance` for every release artifact and reports attestation coverage.
@@ -28,6 +48,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
 
 ### Fixed
 
+- **MCP server generator identity**: MCP server called `generate_receipt()`/`generate_receipts_for_range()` without `generator` or `agent_attestation` — receipts from MCP were indistinguishable from CLI receipts. Now stamps `generator: "aiir.mcp"` and `agent_attestation.confidence: "transport"` on all 3 call sites (`_handle_aiir_receipt` single + range, `_handle_aiir_gitlab_summary`).
+- **Review receipt attestation gap**: `build_review_receipt()` did not accept `agent_attestation`. Now propagates `--agent-*` flags and CI auto-detection to review receipts.
 - **PR comment markdown injection**: `_format_pr_comment()` now uses `_sanitize_md()` instead of `_strip_terminal_escapes()` — neutralises markdown metacharacters (`|`, `` ` ``, `<`) in user-controlled fields rendered in GitHub PR comment tables.
 - **`--init` path traversal**: Replaced `startswith()` with `relative_to()` to prevent prefix-collision attacks (`/repo` vs `/repo_evil`).
 - **`--review` ref resolution**: CLI now resolves symbolic refs (e.g., `HEAD`) to full hex SHAs via `git rev-parse` before building review receipts. Previously, `--review HEAD` produced a receipt with `reviewed_commit.sha = "HEAD"`, which violated the JSON Schema.
 
@@ -38,7 +38,7 @@ python -m pytest tests/ -q  # 1030+ tests, ~2 min
 All contributions must include a `Signed-off-by` line certifying the
 [Developer Certificate of Origin v1.1](https://developercertificate.org/):
 
-```
+```text
 Signed-off-by: Your Name <your@email.com>
 ```
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+<!-- markdownlint-disable MD041 -->`
`1`	`2`	`## Description`
`2`	`3`
`3`	`4`	`<!-- What does this PR do? Why? -->`