Skip to content

test(eval): cover audit-chain integrity and decoder dispatch in the CI gate#142

Merged
xunholy merged 1 commit into
mainfrom
test/eval-audit-decoder-coverage
Jun 27, 2026
Merged

test(eval): cover audit-chain integrity and decoder dispatch in the CI gate#142
xunholy merged 1 commit into
mainfrom
test/eval-audit-decoder-coverage

Conversation

@xunholy

@xunholy xunholy commented Jun 27, 2026

Copy link
Copy Markdown
Owner

Summary

The golden eval suite is the CI regression gate for top-level agent flows, but two recently-shipped capabilities reached it only through unit tests: the tamper-evidence audit hash chain (v0.761/0.762) and the new decoder tools (WebAuthn / COSE / CWT). A regression in the agent dispatch path for either would have slipped past task eval. Two scenarios close that gap.

  • audit_chain_intact_after_agent_run — drives Low-risk tools through agent.RunTool (the real RunToolRecordCtx path), verifies the resulting hash chain is intact with the expected row count, then anchors the state out-of-band, grows the chain, and confirms VerifyChainAgainst still validates the protected prefix. Guards the agent → audit → chain → anchor integration the unit tests (which call Record directly) don't exercise.
  • decoder_dispatches_through_agent — dispatches cwt_decode (RFC 8392 example claims) through agent.RunTool and checks the decoded issuer claim; a stand-in protecting the decoder family's agent-path dispatch.

Suite grows 15 → 17 scenarios.

Verification

  • task ci green (lint 0 / vet / build / test:full 0 fail / govulncheck clean); task eval 17/17.

Test-only, no production change — no release on its own; rides the next feature release.

…I gate

The golden eval suite is the CI regression gate for top-level agent flows,
but two recently-shipped capabilities reached it only through unit tests:
the tamper-evidence audit hash chain (v0.761/0.762) and the new decoder
tools (WebAuthn / COSE / CWT). A regression in the agent dispatch path for
either would have slipped past `task eval`. Two scenarios close that.

- audit_chain_intact_after_agent_run: drives Low-risk tools through
  agent.RunTool (the real RunTool -> RecordCtx path), verifies the resulting
  hash chain is intact with the expected row count, then anchors the state
  out-of-band, grows the chain, and confirms VerifyChainAgainst still
  validates the protected prefix. Guards the agent -> audit -> chain -> anchor
  integration the unit tests (which call Record directly) don't exercise.
- decoder_dispatches_through_agent: dispatches cwt_decode (RFC 8392 example
  claims) through agent.RunTool and checks the decoded issuer claim — a
  stand-in protecting the decoder family's agent-path dispatch.

Suite grows 15 -> 17 scenarios. Test-only; no production change.

Verified: task ci green (lint 0 / vet / build / test:full 0 fail /
govulncheck clean); task eval 17/17.
@xunholy
xunholy merged commit fbf6789 into main Jun 27, 2026
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant