cid(review): PASS — SHA512 checksums verified against v0.2.0 tarballs

Author: CID Agent

.claude/context/handoff.md

@@ -1,29 +1,37 @@
-## 2026-03-08 — Add SHA512 checksums to vcpkg portfile
+## 2026-03-08 — Review of: Add SHA512 checksums to vcpkg portfile
 
-**Done:** Downloaded all 5 v0.2.0 FFI release tarballs from GitHub Releases, computed SHA512
-checksums for each, added `set(ISCC_SHA512 "...")` lines in each platform branch of
-`portfile.cmake`, and replaced `SKIP_SHA512` with `SHA512 "${ISCC_SHA512}"` in the
-`vcpkg_download_distfile` call.
+**Verdict:** PASS
 
-**Files changed:**
+**Summary:** The advance agent replaced `SKIP_SHA512` with per-platform SHA512 checksums in
+`packages/cpp/portfile.cmake`. All 5 checksums were independently verified by downloading the v0.2.0
+release tarballs and computing SHA512 sums — every hash matches. The change is minimal, correct, and
+within scope.
 
-- `packages/cpp/portfile.cmake`: Added per-platform SHA512 checksums (5 `set()` calls) and replaced
-    `SKIP_SHA512` with `SHA512 "${ISCC_SHA512}"` in the download call
+**Verification:**
 
-**Verification:** All 5 criteria pass:
+- [x] `SKIP_SHA512` removed from portfile — grep confirms absence
+- [x] `ISCC_SHA512` appears exactly 6 times (5 `set()` + 1 `SHA512` usage)
+- [x] `SHA512 "${ISCC_SHA512}"` pattern present in download call
+- [x] Each SHA512 hash is 128 lowercase hex characters — `grep -cP` returns 5
+- [x] CMake syntax valid — errors on vcpkg functions (expected), not on syntax
+- [x] All 15 pre-commit hooks pass (`mise run check`)
+- [x] All 5 checksums independently verified against actual downloaded tarballs
+- [x] `cargo clippy --workspace --all-targets -- -D warnings` clean
 
-- `SKIP_SHA512` no longer present in the file
-- `ISCC_SHA512` appears exactly 6 times (5 `set()` + 1 `SHA512` usage)
-- `SHA512 "${ISCC_SHA512}"` pattern present in download call
-- All 5 SHA512 hashes are 128 lowercase hex characters
-- CMake syntax is valid (errors on vcpkg functions as expected, not on syntax)
-- All 15 pre-commit hooks pass
+**Issues found:**
 
-**Next:** Only one `normal` priority issue remains: language logos in README/docs. After that, the
-CID loop should check issues.md for any remaining items or signal idle.
+- (none) — clean implementation
 
-**Notes:** The SHA512 checksums are pinned to the v0.2.0 release tarballs. Future releases will need
-these checksums updated — the next.md explicitly noted that release workflow automation for
-computing SHA512 on future releases is out of scope and should be a follow-up step. The Conan recipe
-(`conanfile.py`) also lacks SHA512 verification but that's a separate concern per the scope
-definition.
+**Codex review:** No actionable findings. Codex confirmed the change is limited to replacing
+`SKIP_SHA512` with per-platform SHA512 pins and introduces no correctness or compatibility
+regressions.
+
+**Next:** The only remaining `normal`-priority issue is "Add programming language logos to README
+and docs." After that, only `low`-priority items remain (Swift/Kotlin bindings) and the CID loop
+should signal idle.
+
+**Notes:** The resolved vcpkg SHA512 issue has been deleted from issues.md. The advance handoff
+correctly noted that future releases will need SHA512 checksums updated — this is not automated yet
+(explicitly out of scope per next.md). The Conan recipe (`conanfile.py`) also lacks SHA512
+verification but no issue is filed for it. State.md line 135-136 still references the open issue —
+update-state will pick this up next cycle.

.claude/context/issues.md

@@ -64,13 +64,6 @@ shared `crates/iscc-uniffi/` crate. Published to Maven Central as `io.iscc:iscc-
 5. **Documentation**: `docs/howto/kotlin.md` how-to guide, update README with Kotlin
     install/quickstart
 
-## vcpkg portfile skips SHA512 verification `normal` [human]
-
-`packages/cpp/portfile.cmake:42` uses `SKIP_SHA512` in `vcpkg_download_distfile`, so consumers
-download release tarballs without a pinned checksum. This weakens supply-chain integrity and
-reproducibility. Fix by computing and storing SHA512 checksums per release and passing them to
-`vcpkg_download_distfile`.
-
 ## Add programming language logos to README and docs `normal` [human]
 
 Add logos/icons for the supported programming languages (Rust, Python, etc.) to the README and

.claude/context/iterations.jsonl

@@ -944,3 +944,8 @@
 {"ts":"2026-03-08T10:13:41.963691+00:00","iteration":1,"role":"define-next","status":"OK","turns":19,"cost_usd":0.845636,"duration_s":224.5}
 {"ts":"2026-03-08T10:19:27.775881+00:00","iteration":1,"role":"advance","status":"OK","turns":28,"cost_usd":0.753171,"duration_s":345.8}
 {"ts":"2026-03-08T10:23:17.421946+00:00","iteration":1,"role":"review","status":"PASS","turns":0,"cost_usd":0.0,"duration_s":0}
+{"ts":"2026-03-08T10:25:48.438002+00:00","iteration":1,"role":"review","status":"OK","turns":1,"cost_usd":1.050798,"duration_s":380.7}
+{"ts":"2026-03-08T10:48:23.488174+00:00","iteration":2,"role":"update-state","status":"OK","turns":20,"cost_usd":0.734549,"duration_s":264.1}
+{"ts":"2026-03-08T10:51:05.776624+00:00","iteration":2,"role":"define-next","status":"OK","turns":21,"cost_usd":0.808569,"duration_s":162.3}
+{"ts":"2026-03-08T10:54:10.228417+00:00","iteration":2,"role":"advance","status":"OK","turns":22,"cost_usd":0.589685,"duration_s":184.4}
+{"ts":"2026-03-08T10:57:35.937127+00:00","iteration":2,"role":"review","status":"PASS","turns":1,"cost_usd":0.0,"duration_s":0}