PLAN gate review · generated 2026-06-08

Tier 0 signed attestation becomes the boot floor.

The plan converts Constitutional Clause and Safety Rider obligations into a signed policy, signed runtime fingerprint, signed release attestation, and a verifier that stops customer runtime startup before dispatch, memory, package loading, or tenant workers.

  • 4 artifact families
  • 7 fail-closed classes
  • 18 planned paths
  • 0 break-glass paths

Artifact Relationship

The runtime is allowed to boot only when the release attestation binds the policy manifest hash and runtime manifest hash, and the verifier proves the release directory still matches both.

Policy Manifest

Derived from canonical governance sources and protected paths.

FORGE.md §12.2, FORGE.md §12.4, .forge/machines/*.yaml

Runtime Manifest

Fingerprints package set, verifier entry, boot hook, runtime files, and capability set.

release id, artifact root hash, hook chain

Release Attestation

Signs policy hash, runtime hash, release id, key set, revocation list, and panel receipts.

Grok mandatory, 2 non-author approvers

Verifier Contract

Defines trusted inputs, canonicalization, structured stderr, exit codes, revocation, quorum, and the absence of any break-glass path.

fail closed, structured stderr

Boot-Time Chain

The plan places verification ahead of every customer-runtime capability that can observe or mutate tenant state.

  • runtime starts: no capabilities yet.
  • tier0-boot-gate.sh: delegates only.
  • forge tier0 verify: same path as CI; loads manifests, validates schemas, verifies hashes, verifies signatures.
  • any mismatch, missing file, invalid signature, insufficient quorum, or revoked key exits non-zero.
  • only after a zero exit: dispatch / memory / packages / workers.

Seven Fail-Closed Classes

Policy Missing

TIER0_POLICY_MISSING covers absent policy, source entry, extract, key-set, or revocation input.

Policy Hash

TIER0_POLICY_HASH_MISMATCH catches weakened or substituted governance and FSM content.

Runtime Hash

TIER0_RUNTIME_HASH_MISMATCH catches altered runtime files, verifier, hook, package set, or capabilities.

Attestation Missing

TIER0_ATTESTATION_MISSING covers absent, unreadable, schema-invalid, or release-mismatched attestation.

Signature Invalid

TIER0_SIGNATURE_INVALID rejects payload, key, algorithm, or signature mismatch.

Quorum Insufficient

TIER0_QUORUM_INSUFFICIENT requires Grok plus at least two other valid non-author approvers.

Revoked Key

TIER0_REVOKED_KEY fails any signer key present in the effective revocation list.

Operator Signal

Every class maps to structured stderr and a non-zero exit. No warning-only mode is planned.
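The seven classes above, the boot-chain check order, and the author-exclusion rule from the review boundary, modelled as one fail-closed verification. This is an added example, not forge-core's planned verifier.ts or signature.ts: the names verifyRelease, makeFixture, exitCodeFor and stderrLine, the manifest and attestation shapes, and the use of Ed25519 over canonical JSON are assumptions, and the release fixture is constructed.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export type Tier0Class =
  | "TIER0_POLICY_MISSING" | "TIER0_POLICY_HASH_MISMATCH" | "TIER0_RUNTIME_HASH_MISMATCH"
  | "TIER0_ATTESTATION_MISSING" | "TIER0_SIGNATURE_INVALID" | "TIER0_QUORUM_INSUFFICIENT"
  | "TIER0_REVOKED_KEY";

// Canonical JSON (sorted keys, no whitespace) so signer and verifier hash identical bytes.
export function canonicalize(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}
export const sha256 = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

export interface Signature { signer: string; keyId: string; sig: string } // base64 Ed25519
export interface Attestation {
  releaseId: string; policyHash: string; runtimeHash: string; author: string;
  signatures: Signature[];
}
export interface Release {
  releaseId: string;
  policy?: unknown;                  // policy manifest as loaded from the release directory
  runtime?: unknown;                 // runtime manifest, likewise
  attestation?: Attestation;
  keys: Record<string, KeyObject>;   // trusted key set: keyId -> public key
  revoked: string[];                 // effective revocation list of keyIds
}
export interface Verdict { ok: boolean; class?: Tier0Class; detail: string }

// Checks run in a fixed order; the first failure decides the class and nothing after it runs.
export function verifyRelease(r: Release, mandatory = "grok", minOthers = 2): Verdict {
  const fail = (c: Tier0Class, detail: string): Verdict => ({ ok: false, class: c, detail });
  if (r.policy === undefined) return fail("TIER0_POLICY_MISSING", "policy manifest absent");
  const a = r.attestation;
  if (!a || a.releaseId !== r.releaseId)
    return fail("TIER0_ATTESTATION_MISSING", "attestation absent or bound to another release");
  if (sha256(canonicalize(r.policy)) !== a.policyHash)
    return fail("TIER0_POLICY_HASH_MISMATCH", "policy manifest differs from attested hash");
  if (r.runtime === undefined || sha256(canonicalize(r.runtime)) !== a.runtimeHash)
    return fail("TIER0_RUNTIME_HASH_MISMATCH", "runtime manifest differs from attested hash");
  const { signatures, ...payload } = a;            // signed bytes exclude the signature list
  const msg = Buffer.from(canonicalize(payload), "utf8");
  const approvers = new Set<string>();
  for (const s of signatures) {
    if (r.revoked.indexOf(s.keyId) !== -1)
      return fail("TIER0_REVOKED_KEY", "signer key " + s.keyId + " is revoked");
    const pub = r.keys[s.keyId];
    if (!pub || !verify(null, msg, pub, Buffer.from(s.sig, "base64")))
      return fail("TIER0_SIGNATURE_INVALID", "signature by " + s.signer + " does not verify");
    if (s.signer !== a.author) approvers.add(s.signer); // author provenance never counts as approval
  }
  const others = Array.from(approvers).filter((n) => n !== mandatory).length;
  if (!approvers.has(mandatory) || others < minOthers)
    return fail("TIER0_QUORUM_INSUFFICIENT", "need " + mandatory + " plus " + minOthers + " non-author approvers");
  return { ok: true, detail: "release " + r.releaseId + " verified" };
}

// Operator signal: one structured stderr line and a non-zero exit; there is no warning-only mode.
export const exitCodeFor = (v: Verdict): number => (v.ok ? 0 : 1);
export const stderrLine = (v: Verdict): string =>
  JSON.stringify({ level: "error", class: v.class, detail: v.detail });

// Constructed fixture: fresh Ed25519 keys stand in for the review panel; Codex signs as author only.
export function makeFixture(): Release {
  const panel = ["grok", "gemini", "deepseek", "codex"];
  const priv: Record<string, KeyObject> = {};
  const keys: Record<string, KeyObject> = {};
  for (const n of panel) {
    const kp = generateKeyPairSync("ed25519");
    priv[n] = kp.privateKey;
    keys[n + "-key-1"] = kp.publicKey;
  }
  const policy = { clauses: ["constitutional", "safety-rider"], version: 1 };
  const runtime = { packages: ["forge-core"], hook: "tier0-boot-gate.sh", capabilities: ["dispatch"] };
  const payload = { releaseId: "rel-0001", author: "codex",
    policyHash: sha256(canonicalize(policy)), runtimeHash: sha256(canonicalize(runtime)) };
  const msg = Buffer.from(canonicalize(payload), "utf8");
  const signatures = panel.map((n) =>
    ({ signer: n, keyId: n + "-key-1", sig: sign(null, msg, priv[n]).toString("base64") }));
  return { releaseId: "rel-0001", policy, runtime, attestation: { ...payload, signatures }, keys, revoked: [] };
}

// Stand-alone run: a clean fixture passes, a revoked panel key fails closed with its class on stderr.
const demo = makeFixture();
process.stdout.write(verifyRelease(demo).detail + "\n");
demo.revoked = ["gemini-key-1"];
process.stderr.write(stderrLine(verifyRelease(demo)) + "\n");
```

The signed payload is the attestation minus its signature list, hashed after canonicalization, so a reordered or re-indented attestation file still verifies while any changed field does not. Keys are generated on every run, so the fixture carries no real key material, and the quorum count ignores whoever the attestation names as author, which is the self-review exclusion applied mechanically rather than by reviewer discipline.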

Implementation Coverage Plan

New Modules

  • manifest-loader.ts validates schemas and safe paths.
  • signature.ts canonicalizes and verifies signed payloads.
  • verifier.ts orchestrates the fail-closed chain.

Tests

  • one direct unit test per public failure class.
  • synthetic valid release fixture.
  • hook and CLI failure propagation tests.

Coverage Targets

  • 90 percent line coverage on forge-core/src/tier0/.
  • 85 percent branch coverage on forge-core/src/tier0/.
  • scoped assertion against soft-fail shell idioms.

framework/tier0/policy/tier0-policy-manifest.v1.json
framework/tier0/policy/tier0-policy-manifest.schema.json
framework/tier0/runtime/tier0-runtime-manifest.v1.json
framework/tier0/runtime/tier0-runtime-manifest.schema.json
framework/tier0/release/tier0-release-attestation.v1.json
framework/tier0/release/tier0-release-attestation.schema.json
framework/tier0/contract/tier0-verifier-contract.v1.md
forge-core/src/tier0/manifest-loader.ts
forge-core/src/tier0/signature.ts
forge-core/src/tier0/verifier.ts
forge-core/src/cli/tier0-cli.ts
framework/hooks/tier0-boot-gate.sh
docs/tier0-operator-runbook.md
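The "scoped assertion against soft-fail shell idioms" from the coverage targets, as an added example that is not the project's own test code: a small lint for framework/hooks/tier0-boot-gate.sh that flags constructs which would turn a non-zero exit from forge tier0 verify into a silent boot. The function name findSoftFailIdioms, the pattern list, and both sample hooks are assumptions constructed for this example.

```typescript
export interface Finding { line: number; idiom: string }

// Idioms that swallow a non-zero exit status or hide the verifier's structured stderr.
const SOFT_FAIL: Array<[RegExp, string]> = [
  [/\|\|\s*(true|:)\b/, "'|| true' discards the verifier's exit status"],
  [/\|\|\s*(echo|printf)\b/, "'|| echo' logs the failure but keeps booting"],
  [/^\s*set\s+\+e\b/, "'set +e' re-enables continue-on-error"],
  [/2>\s*\/dev\/null/, "stderr redirected to /dev/null hides the structured error"],
  [/^\s*exit\s+0\b/, "unconditional 'exit 0' masks any earlier failure"],
  [/;\s*true\s*$/, "trailing '; true' forces a zero status"],
];

// Scoped to the boot hook: it delegates only, so the sole legitimate exit path is the
// verifier's own status. Line 0 marks a file-level finding.
export function findSoftFailIdioms(script: string): Finding[] {
  const lines = script.split("\n");
  const findings: Finding[] = [];
  const hasErrexit = lines.some(
    (l) => /^\s*set\s+-[a-zA-Z]*e/.test(l) || /^\s*set\s+-o\s+errexit\b/.test(l));
  if (!hasErrexit) findings.push({ line: 0, idiom: "no 'set -e' (or 'set -o errexit') before delegation" });
  lines.forEach((text, i) => {
    if (/^\s*#/.test(text)) return;                    // comments and the shebang never execute
    for (const [re, why] of SOFT_FAIL) {
      if (re.test(text)) findings.push({ line: i + 1, idiom: why });
    }
  });
  return findings;
}

// Constructed sample hooks. The first delegates with exec, so the verifier's exit status is the
// hook's exit status; the second looks busy but can never stop the boot.
export const GOOD_HOOK = `#!/usr/bin/env bash
set -euo pipefail
# tier0-boot-gate.sh delegates only; no policy logic lives here
exec forge tier0 verify "$@"
`;
export const BAD_HOOK = `#!/usr/bin/env bash
forge tier0 verify "$@" 2>/dev/null || true
echo "tier0 verify skipped, continuing"
exit 0
`;

// Stand-alone run: report every finding for the soft-fail hook.
for (const f of findSoftFailIdioms(BAD_HOOK)) {
  process.stdout.write("line " + f.line + ": " + f.idiom + "\n");
}
```

A regex lint is not a shell parser, which is why the check is scoped to one small hook rather than to arbitrary scripts; the hook stays short enough that every line is either the errexit opt-in, a comment, or the exec delegation, and anything else is a finding worth a reviewer's eyes.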

Review Boundary

Self-Review Exclusion

Codex authored this PLAN and is the canonical implementer for the security-hardening sprint. Codex may be recorded as author provenance, but it cannot be counted as an approving reviewer for this PLAN or authored sections.

The PLAN to DESIGN transition should require operator approval after visual review plus Grok-mandatory convergence evidence.

  • Grok 4.3: mandatory CTO
  • Gemini 3.1-pro-preview: required reviewer
  • deepseek-r1:32b: adversarial
  • Codex: author only

Plan Review Findings

Good

  • Preserves the architecture rule that customer runtimes carry derived policy rather than operator docs verbatim.
  • Separates schema, loader, signature, verifier, CLI, hook, and runbook concerns cleanly.
  • Names exact public failure classes and maps each to tests.

Bad

  • The PLAN intentionally defers hosted KMS and transparency logging; key lifecycle risk remains until dependent sprints land.
  • The current track checkpoint in the workspace names another sprint, so FSM transition must be handled carefully.

Ugly

  • Canonical fragment extraction can become brittle if heading text changes; the DESIGN should specify stable selectors and fallback behavior.
  • Attestation canonicalization is security-critical and should be kept small enough for reviewers to inspect line by line.

Questions Closed By Plan

  • Break-glass: none.
  • Boot failure: non-zero exit with structured stderr.
  • Review authority: Grok mandatory; Codex author does not approve authored sections.