Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .brik/manifest.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"schema": "brik64.cli_project_manifest.v1",
"schemaVersion": "brik64.cli_project_manifest.v1",
"project": "brik64-cli",
"cliVersion": "0.1.0-beta.7",
"cliVersion": "0.1.0-beta.8",
"lane": "cli_0_1_beta",
"generationClaim": "assisted_generation_non_claim",
"preferred_engine": "auto",
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/release-train-dry-run.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,20 @@ on:
paths:
- "release/manifest.json"
- "scripts/release-*.js"
- "scripts/beta8-*.js"
- "scripts/beta8-*.sh"
- "scripts/build-beta8-package.sh"
- "scripts/beta7-*.js"
- "scripts/build-beta7-package.js"
- "scripts/beta6-l6-hetzner-generation-gate.js"
- ".github/workflows/release-train-dry-run.yml"
- "package.json"
- "CHANGELOG.md"
- "README.md"
- "docs/BETA8_RELEASE_PLAN.md"
- "docs/GITHUB_SIGNING_KEY_RUNBOOK.md"
- "pcd/**"
- "engines/l4plus-n5/**"
- "docs/BETA7_RELEASE_PLAN.md"
- "docs/BETA6_RELEASE_PLAN.md"
- "docs/BETA6_L6_HETZNER_GENERATION_ENDPOINT.md"
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/release-train-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,12 @@ jobs:
- name: Generate sync payload
run: npm run release:train:sync-surfaces

- name: Verify GitHub signed release commit
env:
GH_TOKEN: ${{ secrets.BRIK64_GITHUB_RELEASE_TOKEN }}
BRIK64_RELEASE_COMMIT: ${{ github.sha }}
run: npm run gate:beta8:github-verified-signature

- name: Prepare SDK publication workspaces
env:
BRIK64_GITHUB_RELEASE_TOKEN: ${{ secrets.BRIK64_GITHUB_RELEASE_TOKEN }}
Expand Down Expand Up @@ -175,5 +181,6 @@ jobs:
evidence/release-train-sync/changelog.md
evidence/release-train-sync/sync-payload.json
evidence/release-train-sync/report.json
evidence/beta8-github-verified-signature/report.json
evidence/release-train-publish-plan/report.json
evidence/release-train-publish-execute/report.json
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ node_modules/
*.log
.DS_Store
evidence/tmp/
evidence/beta8-github-verified-signature/
evidence/github-signing-key-preflight/
evidence/github-signing-key-registration/
evidence/beta5-package/stage/
runner-env.local.sh
*.secret
Expand Down
29 changes: 29 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,35 @@
All notable BRIK64 CLI changes are recorded here. This file is required for
every beta, release candidate, or public release train.

## 0.1.0-beta.8

### Added

- Adds bounded source-to-source PCD emission for executable TypeScript, Rust,
and Python programs.
- Adds generated target tests that execute emitted programs and check expected
behavior across supported target languages.
- Adds parser support for arithmetic expressions, comparisons, boolean
conditions, nested branches, and expression returns.
- Adds adversarial parser coverage for malformed input, binary data, oversized
PCD files, unsupported statements, and path traversal attempts.
- Adds a local package smoke check that extracts the beta8 tarball and runs the
packaged CLI outside the repository checkout.

### Changed

- Updates `brik64 emit` from static candidate output toward executable output
for the supported beta PCD syntax.
- Keeps unsupported syntax fail-closed with actionable parser errors.

### Compatibility

- macOS and Linux continue to use the portable Node.js CLI package and require
Node.js 20 or newer.
- Windows native executables are not published in this beta.
- This beta does not claim formal certification for arbitrary user code,
universal correctness, or independent toolchain closure.

## 0.1.0-beta.7

### Added
Expand Down
17 changes: 9 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ workflows. It helps developers initialize `.brik` metadata, work with PCD files,
create local candidate evidence, emit supported language targets, and prepare
artifacts for managed platform workflows.

Current public beta: `0.1.0-beta.7`
Current beta candidate: `0.1.0-beta.8`

## Install

Expand All @@ -24,10 +24,10 @@ brik64 help

The npm package namespace is reserved for SDK libraries, not CLI installation.

## Beta7 Command Surface
## Beta8 Command Surface

`0.1.0-beta.7` focuses on local/managed workflow parity and clearer terminal
behavior.
`0.1.0-beta.8` focuses on making PCD emission executable for the supported
beta syntax while keeping local/managed workflow boundaries intact.

- `brik64 init` creates `.brik/manifest.json` and does not create `AGENTS.md`.
- `brik64 doctor` prints a human-readable workspace summary.
Expand All @@ -40,7 +40,8 @@ behavior.
- `brik64 certify <file.pcd>` writes a local candidate certificate.
- `brik64 verify <file.pcd>` checks local certificate and AST/hash coherence.
- `brik64 emit <file.pcd> --target <ts|rust|python> --out <dir> --tests`
emits supported target files and generated tests.
emits executable target files and generated tests for supported beta PCD
expressions and branches.
- `brik64 polymerize <files.pcd...> --out polymer.pcd` combines compatible PCD
files into a deterministic local polymer candidate.
- `brik64 migrate <file.pcd>` converts supported legacy PCD syntax into the
Expand All @@ -67,9 +68,9 @@ SDKs are distributed separately from the CLI. Current beta SDK package
coordinates:

```sh
npm install @brik64/core@0.1.0-beta.7
pip install brik64==0.1.0b7
cargo add brik64-core@0.1.0-beta.7
npm install @brik64/core@0.1.0-beta.8
pip install brik64==0.1.0b8
cargo add brik64-core@0.1.0-beta.8
```

SDK packages are language libraries. They do not install the CLI, issue managed
Expand Down
160 changes: 160 additions & 0 deletions docs/GITHUB_SIGNING_KEY_RUNBOOK.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
# GitHub Signing Key Runbook

This runbook closes the beta8 release integrity blocker where GitHub sees the
release commit as SSH-signed but not verified.

Current blocker:

- PR: https://github.com/brik64/brik64-cli/pull/65
- State: approved, checks green, merge blocked
- GitHub verification reason: `unknown_key`
- Commit signing account: `carlosjperez`
- Public key fingerprint for this release lane:
`SHA256:Ua933KXYBhzgl5+852YF5GYMwOab/RGZwevZyImNfZ8`

Do not use admin merge override. The release train must pass with GitHub
recognizing the exact release commit as verified.

## Preflight

Run with the public key that belongs to the commit signing account:

```bash
npm run preflight:github-signing-key -- \
--public-key "$HOME/.ssh/brik64-carlosjperez-release-signing.pub"
```

Expected blocked state before authorization:

```text
decision=BLOCKED_GITHUB_SIGNING_KEY_PREFLIGHT
failures=github_token_missing_scope:admin:ssh_signing_key
```

The preflight must not read private keys or print secrets. It only checks the
public signing key fingerprint and GitHub API visibility.

## Authorize GitHub API Scopes

Run:

```bash
gh auth refresh -h github.com -s admin:ssh_signing_key -s admin:public_key
```

Complete the browser device-flow approval. After approval, verify scopes:

```bash
gh auth status -h github.com
```

The active account used to register the key must be the account that owns the
beta8 commit identity. A GitHub SSH signing key cannot be reused across
accounts. If the key is already registered to another account, create a
separate signing key for the actual committing account.

## Register The Public Signing Key

Never print or upload the private key. Register only the public key for the
committing account:

```bash
~/.ssh/brik64-carlosjperez-release-signing.pub
```

The public key fingerprint must match:

```text
SHA256:Ua933KXYBhzgl5+852YF5GYMwOab/RGZwevZyImNfZ8
```

Preferred repo command after scopes are authorized:

```bash
npm run release:github-signing-key:register -- \
--execute \
--public-key "$HOME/.ssh/brik64-carlosjperez-release-signing.pub" \
--title "BRIK64 beta8 release signing key carlosjperez"
```

The command is idempotent. It lists existing GitHub SSH signing keys, compares
public fingerprints, and only submits the public key when no matching key
exists.

Equivalent API path:

```bash
gh api user/ssh_signing_keys \
--method POST \
--field title="BRIK64 beta8 release signing key" \
--field key="$(cat ~/.ssh/brik64-carlosjperez-release-signing.pub)"
```

If GitHub reports the key already exists, continue to validation.

## Validate

Run:

```bash
npm run preflight:github-signing-key -- \
--public-key "$HOME/.ssh/brik64-carlosjperez-release-signing.pub"
```

Required result:

```text
decision=PASS_GITHUB_SIGNING_KEY_PREFLIGHT
```

Then regenerate the beta8 signature report for the exact PR head:

```bash
npm run gate:beta8:github-verified-signature
```

Required result:

```text
decision=PASS_BETA8_GITHUB_VERIFIED_SIGNATURE
publicReleaseAllowed=true
```

Finally verify PR #65:

```bash
gh pr view 65 --repo brik64/brik64-cli \
--json mergeStateStatus,reviewDecision,statusCheckRollup,headRefOid
```

Required release-ready state:

- `reviewDecision=APPROVED`
- every required check is `SUCCESS`
- `mergeStateStatus` is no longer blocked by signature verification

## Resume Release Train

Only after the verified-signature gate passes:

```bash
npm run release:train:publish-plan
```

Publication must still remain blocked while `release/manifest.json` is
`state=draft`. Moving beta8 from draft to public requires the full synchronized
release train: GitHub Release, curl/GCP installer, SDKs, docs, web, changelog,
skills, platform smoke and public-claim scan.

## Failure Handling

If the commit remains `verified=false`:

- `unknown_key`: the public key is not registered as a GitHub SSH signing key
for the relevant account.
- `no_user`: the commit identity is not associated with a GitHub user/email.
- `bad_email`: update commit author/committer email to a verified account
email and recreate the signed commit.

Do not bypass with admin override. Keep the failed reports as evidence and fix
the identity/signing configuration.
47 changes: 47 additions & 0 deletions evidence/beta8-adversarial/report.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
{
"schemaVersion": "brik64.cli_beta8_adversarial_gate.v1",
"generatedAt": "2026-06-07T10:08:18Z",
"iter_id": "BRIK64-CLI-BETA8-ADVERSARIAL-20260606-R1",
"lane": "cli_0_1_beta8",
"decision": "PASS_BRIK64_CLI_BETA8_ADVERSARIAL",
"rc": 0,
"cliVersion": "0.1.0-beta.8",
"cliSha256": "sha256:63f28a941626edb18cee7b794e9f3c05acdc29db94e8387e02809ed402a7f8ed",
"executableEdgeFixture": {
"path": "pcd/edge_precedence.pcd",
"sha256": "sha256:de6c384a4f4146f78e1ea040176206b49aed6725a35db10b447a8d42fe75bf63"
},
"passChecks": 9,
"failClosedChecks": 12,
"generatedTargetExecution": {
"typescript": true,
"rust": true,
"python": true
},
"failClosedSurface": [
"empty_pcd",
"binary_input",
"too_large_input",
"legacy_syntax",
"missing_fn",
"too_many_params",
"invalid_param",
"missing_return",
"unsupported_statement",
"unsupported_expression_token",
"malformed_expression",
"unclosed_block"
],
"claim_boundary": {
"public_claims_allowed": false,
"public_release_allowed": false,
"adversarial_gate_passed": true,
"compiler_functionality_scope": "supported_beta8_pcd_subset_only",
"fixpoint_claim_allowed": false,
"n5_formal_claim_allowed": false,
"rust_independence_claim_allowed": false
},
"blockers": [],
"warnings": [],
"next_action": "run beta8 package smoke and release-train sync gates"
}
Loading