
Add repository external reference pin guard#425

Open
KoiosSG wants to merge 14 commits into SCIBASE-AI:main from KoiosSG:repository-external-reference-pins-10

Conversation


KoiosSG commented May 28, 2026

/claim #10

Summary

Adds repository-external-reference-pin-guard/, a focused issue #10 Project Repository & Version Control slice.

The guard validates repository releases and export bundles that depend on Git submodules, linked datasets, API snapshots, model weights, or external code/data references. It blocks DOI publication/export when external references are floating, authenticated-only, stale, future-dated, missing verification evidence, malformed, or missing durable checksum/DOI/version evidence. It also stages metadata-only revision when immutable references still lack license or attribution metadata.

Hardening Updates

  • Blocks malformed top-level repository packets with MALFORMED_REPOSITORY_PACKET, stable unidentified-repository evidence, and repair_repository_packet:* remediation instead of crashing before reviewer packets are generated.
  • Blocks malformed object-shaped references manifests with MALFORMED_REFERENCE_MANIFEST and repair_reference_manifest:* instead of treating them as clean empty audits.
  • Blocks malformed external-reference entries with MALFORMED_REFERENCE_ENTRY and repair_reference_entry:* instead of crashing or dropping them from reviewer packets.
  • Blocks blank or missing reference IDs with MISSING_REFERENCE_ID, assigns stable unidentified-reference-* packet IDs, and emits assign_reference_id:* remediation instead of releasing ambiguous evidence.
  • Rejects invalid checksum placeholders such as pending, truncated checksums such as sha256:abcdef, invalid DOI placeholders, all-zero Git commit placeholders, floating version aliases, future-dated verification timestamps, and future-dated API snapshots.
  • Requires otherwise pinned references to carry verification timestamps before release.

Non-overlap

This is scoped to immutable external reference pins and exportable citation evidence for submodules, linked datasets, API sources, model weights, and external code/data pointers. It does not duplicate broad repository ledgers, release engines, structured diffs, provenance attestations, release embargo controls, notebook replay, schema migration, citation impact, API/export contract verification, merge queue governance, environment drift, access review, DOI tombstone handling, metadata readiness, branch hypothesis lineage, sensitive-artifact scanning, dependency-license checks, legal hold, component-owner approval, restore rehearsal, compute sandbox policy, or semantic version-tag governance.

Validation

  • Latest red regression failed before implementation with TypeError: Cannot read properties of null (reading 'policy') for assessExternalReferences(null).
  • npm test from repository-external-reference-pin-guard passed: 17 tests.
  • npm run demo regenerated 7 deterministic JSON packets plus Markdown/SVG evidence, including malformed-repository-packet.json.
  • npm run video regenerated reports/demo.mp4.
  • npm run check passed: JS syntax checks and Python compile check.
  • Parsed all 7 generated JSON packets successfully.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 180 frames, 82,218 bytes.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Staged diff was limited to repository-external-reference-pin-guard/.
  • Focused restricted-string scan returned no credential, payout, or token matches.

Demo Artifacts

  • repository-external-reference-pin-guard/reports/blocked-packet.json
  • repository-external-reference-pin-guard/reports/malformed-repository-packet.json
  • repository-external-reference-pin-guard/reports/malformed-manifest-packet.json
  • repository-external-reference-pin-guard/reports/malformed-packet.json
  • repository-external-reference-pin-guard/reports/missing-reference-id-packet.json
  • repository-external-reference-pin-guard/reports/clean-packet.json
  • repository-external-reference-pin-guard/reports/warning-packet.json
  • repository-external-reference-pin-guard/reports/external-reference-report.md
  • repository-external-reference-pin-guard/reports/summary.svg
  • repository-external-reference-pin-guard/reports/demo.mp4

Synthetic data only. No external repositories, live APIs, DOI registries, object stores, credentials, private research data, identity providers, payment systems, or private services are contacted.

AI-assisted with OpenAI Codex; I reviewed and locally verified the diff before submitting.


KoiosSG commented May 28, 2026

@algora-pbc /claim #10 #425

Claim indexing follow-up: PR #425 is open, non-draft, CLEAN, and has a top-level /claim #10 line in the PR body. It adds the distinct repository external reference pinning guard for submodules, linked datasets, API sources, model weights, and external code/data references before DOI/citation publication or export bundle release.


KoiosSG commented May 28, 2026

Hardening update pushed in 0445f37: floating version aliases such as latest, main, stable, and nightly no longer satisfy durable identifier requirements unless the reference also has checksum or DOI evidence. I added a regression that failed before the fix with release_repository_references == hold_repository_release and now passes. Validation refreshed locally: npm test (4 tests), npm run demo, npm run video, npm run check, ffprobe on demo.mp4, git diff --check, and sensitive-term scan returned no matches.


KoiosSG commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed:

  • Added a regression for future-dated external-reference verification evidence.
  • Treat lastVerifiedAt values later than the repository assessment time as stale verification evidence requiring refresh before DOI/export release.
  • Updated README and requirements map so the release contract explicitly covers future-dated verification evidence.

Why this matters:

Validation:

  • Confirmed the new regression failed before the implementation: future-dated verification evidence incorrectly produced release_repository_references instead of hold_repository_release.
  • npm test -> 5 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> generated blocked/clean/warning packets with expected statuses.
  • npm run video -> demo video generation passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; the only messages were Git line-ending normalization warnings on Windows.
  • Sensitive-term scan of the code/test/docs patch found no payout or credential strings.


KoiosSG commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 0026dde:

  • Added a regression for future-dated API snapshot evidence.
  • API source snapshots now only count as pinned evidence when the snapshot date is parseable and not later than the repository assessment time.
  • Updated README, acceptance notes, and requirements map so DOI/export readiness explicitly requires non-future API snapshot dates, not just non-empty snapshot strings.

Validation:

  • Confirmed the new regression failed before the implementation: the future API snapshot incorrectly produced release_repository_references instead of hold_repository_release.
  • npm test -> 6 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> generated blocked/clean/warning packets with expected statuses.
  • npm run video -> demo video generation passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan of the assistant returned no payout or credential strings.


KoiosSG commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 3c09dce:

  • Added a regression for an otherwise pinned linked dataset that has checksum, DOI, license, and attribution evidence but no verification timestamp.
  • Such references now block DOI/export release with STALE_REFERENCE_EVIDENCE until verification evidence is refreshed.
  • The missing-verification check avoids piling redundant findings onto references already blocked by floating/auth/durable-ID failures.
  • README, requirements map, and acceptance notes now explicitly cover present verification evidence, not just non-stale/non-future evidence.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 7 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.
  • GitHub PR merge state after push: CLEAN.


KoiosSG commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 99ff7a8:

  • Added a regression for Git references pinned to the all-zero null object SHA (0000000000000000000000000000000000000000).
  • The guard now rejects that placeholder as FLOATING_GIT_REFERENCE instead of treating it as immutable release evidence.
  • README, acceptance notes, and requirements map now document that null Git placeholders are not valid pins.

Why this matters:

  • A 40-character hex string is not enough for release-grade external reference pinning; the all-zero SHA is a sentinel/null value, not a concrete commit reviewers can reproduce.
  • This keeps the DOI/export release gate stricter without broadening PR #425 (Add repository external reference pin guard) beyond its existing external-reference pinning scope.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 8 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 7.5s.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.


KoiosSG commented May 29, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in c3d3811:

  • Added regressions for invalid checksum placeholders on linked datasets and API snapshots.
  • checksum: "pending" no longer counts as durable identifier evidence for datasets or pinned snapshot evidence for API sources.
  • The risky sample fixture now exercises the invalid-checksum path, and README/requirements/acceptance notes document parseable checksum evidence.

Why this matters:

Validation refreshed locally:

  • Confirmed the dataset regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 10 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check and git diff --cached --check passed; only Git line-ending normalization warnings appeared on Windows.
  • Sensitive-term scan returned no payout or credential strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.


KoiosSG commented May 30, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 5e54fa4:

  • Added a regression for truncated API snapshot checksum evidence such as sha256:abcdef.
  • Checksum validation now requires algorithm-specific hex lengths for sha256, sha384, and sha512, so short placeholder-like hashes no longer satisfy DOI/export release gates.
  • Clean synthetic fixtures now use full-length SHA evidence, and README, requirements map, and acceptance notes document the stricter checksum contract.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 11 repository external reference pin guard tests passed.
  • npm run check -> JS syntax checks and Python compile check passed.
  • npm run demo -> regenerated blocked/clean/warning packets with expected statuses.
  • npm run video -> regenerated demo.mp4.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 52,531 bytes.
  • git diff --check passed; only Windows line-ending normalization warnings appeared.
  • Sensitive-term scan returned no payout, credential, or token strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.


KoiosSG commented May 30, 2026

Follow-up competitive hardening pass for the repository external reference pin guard.

What changed in 00969a1:

  • Added a regression for linked datasets that use placeholder DOI text such as pending as their only durable identifier evidence.
  • DOI evidence now has to be parseable; placeholder strings no longer satisfy DOI/export release gates.
  • The risky synthetic fixture now exercises the invalid-DOI path, and README/requirements/acceptance notes document parseable DOI evidence.

Why this matters:

  • DOI evidence is part of the same release-grade integrity contract as checksums and immutable versions. A non-empty DOI field should not let a repository export or DOI publication proceed when it only contains placeholder text.
  • This keeps PR #425 (Add repository external reference pin guard) focused on external-reference pinning while tightening an evidence path competitors could leave soft.

Validation refreshed locally:

  • Confirmed the new regression failed before implementation with release_repository_references instead of hold_repository_release.
  • npm test -> 12 repository external reference pin guard tests passed.
  • npm run demo, npm run video, and npm run check passed.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 53,699 bytes.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Sensitive-term scan returned no payout, credential, or token strings.
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch.


KoiosSG commented May 30, 2026

Hardening update pushed in 601cbf0.

This closes a release-gate gap where malformed checksum or DOI fields could be ignored when another durable identifier was valid. The guard now emits explicit INVALID_CHECKSUM_EVIDENCE / INVALID_DOI_EVIDENCE blockers and repair_reference_evidence:* actions so poisoned integrity or citation metadata cannot ship in DOI/export packets.

Fresh validation from repository-external-reference-pin-guard/:

  • npm test passed: 13 tests, including the new red/green regression.
  • npm run check passed.
  • npm run demo regenerated JSON/Markdown/SVG reviewer artifacts; blocked packet now reports 7 findings with digest 0cb0a30094df....
  • npm run video regenerated reports/demo.mp4; ffprobe verified H.264, 1280x720, 24 fps, 7.5s, 53,699 bytes.
  • Parsed all report JSON successfully.
  • git diff --check and git diff --cached --check passed; only Windows line-ending normalization warnings appeared.
  • Restricted-term scan of the module returned no matches.

This remains non-overlapping with #407: #425 focuses on immutable external reference/citation evidence for release and export bundles, while #407 covers component-owner approval quorum.


KoiosSG commented May 30, 2026

Pushed an additional hardening commit: 30fb0dc.

What changed:

  • Malformed external-reference entries now produce MALFORMED_REFERENCE_ENTRY blockers and repair_reference_entry:* actions instead of crashing assessment or disappearing from reviewer packets.
  • The malformed-entry path forces conservative trust signals (immutablePins, exportable, attributionComplete, verificationFresh) to false until the reference entry is repaired.
  • Added reports/malformed-packet.json and updated generated Markdown/SVG/video/docs to cover this release-blocking path.

Fresh verification:

  • Latest regression failed before implementation with TypeError: Cannot read properties of null (reading 'checksum').
  • npm test passed: 14 tests.
  • npm run check, npm run demo, and npm run video passed.
  • All 4 generated JSON packets parsed successfully.
  • ffprobe verified reports/demo.mp4 as H.264, 1280x720, 24 fps, 7.5s, 59,343 bytes.
  • git diff --check / git diff --cached --check passed; sensitive-term scan found no matches.


KoiosSG commented May 31, 2026

Pushed a focused hardening commit for the reference manifest edge case: 287a41d now blocks object-shaped references manifests as MALFORMED_REFERENCE_MANIFEST instead of allowing them as an empty clean audit.

Fresh verification from repository-external-reference-pin-guard/: npm test (15 tests), npm run check, npm run demo, npm run video, JSON parse checks including malformed-manifest-packet.json, ffprobe on reports/demo.mp4 (H.264 1280x720, 24 fps, 7.5s), git diff --check, git diff --cached --check, allowlist staging, and restricted-string scan all passed.


KoiosSG commented Jun 1, 2026

Hardening update pushed in f100612: blank or missing external-reference IDs now block release with MISSING_REFERENCE_ID, use stable unidentified-reference-* packet IDs, and emit assign_reference_id:* remediation instead of releasing ambiguous reviewer evidence.

Validation refreshed locally:

  • red regression first reproduced release_repository_references instead of hold_repository_release
  • npm test -> repository-external-reference-pin-guard tests passed (16)
  • npm run check, npm run demo, and npm run video
  • parsed all 6 generated JSON packets, including missing-reference-id-packet.json
  • ffprobe verified reports/demo.mp4 as H.264 1280x720, 24fps, 7.5s, 76,258 bytes
  • git diff --check, git diff --cached --check, staged allowlist check, and focused restricted-string scan passed
  • GitHub PR merge state after push: CLEAN; no checks are reported for this branch


KoiosSG commented Jun 2, 2026

Pushed #425 hardening commit 2458f1c.

Fresh verified gap closed:

  • assessExternalReferences(null) now emits MALFORMED_REPOSITORY_PACKET, stable unidentified-repository evidence, repair_repository_packet:* remediation, and blocked release lanes instead of crashing at repository.policy before reviewer packets are generated.
  • Added focused regression coverage and regenerated reviewer evidence, including reports/malformed-repository-packet.json.

Verification: red test reproduced TypeError: Cannot read properties of null (reading 'policy'); npm test (17), npm run demo, npm run video, npm run check, 7 JSON parses, ffprobe H.264 1280x720 24fps 7.5s 180 frames 82,218 bytes, git diff --check, git diff --cached --check, staged allowlist check, and focused restricted-string scan all passed.
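The evidence checks described in the PR body and the follow-up comments (full-length checksum digests, parseable DOIs, the all-zero Git SHA, floating version aliases, missing or future-dated lastVerifiedAt, and malformed packets, manifests, entries and IDs), written out as an added JavaScript illustration that is not the project's code. The name assessExternalReferences, the fields checksum and lastVerifiedAt, and the finding codes quoted in the PR come from the page; the other field names (id, doi, commit, version, references, repository) and the codes FLOATING_VERSION_ALIAS and MISSING_DURABLE_IDENTIFIER are assumptions made for this example.

```javascript
// Added illustration of the pin checks described in PR #425; not the project's code.
// Fields other than checksum/lastVerifiedAt and the FLOATING_VERSION_ALIAS /
// MISSING_DURABLE_IDENTIFIER codes are assumptions made for this example.
const HEX_LEN = { sha256: 64, sha384: 96, sha512: 128 }; // hex digest lengths
const NULL_SHA = "0".repeat(40);                          // Git null object id
const FLOATING = new Set(["latest", "main", "stable", "nightly"]);

// "pending" and "sha256:abcdef" both fail: known algorithm, full-length hex digest.
function validChecksum(v) {
  const m = typeof v === "string" && /^(sha256|sha384|sha512):([0-9a-f]+)$/i.exec(v.trim());
  return Boolean(m) && m[2].length === HEX_LEN[m[1].toLowerCase()];
}
// Minimal DOI shape check, "10.<registrant>/<suffix>"; placeholder text fails.
function validDoi(v) {
  return typeof v === "string" && /^10\.\d{4,9}\/\S+$/.test(v.trim());
}
// A full 40-hex commit SHA that is not the all-zero sentinel.
function validCommit(v) {
  return typeof v === "string" && /^[0-9a-f]{40}$/i.test(v) && v.toLowerCase() !== NULL_SHA;
}
function parseTime(v) {
  const t = typeof v === "string" ? Date.parse(v) : NaN;
  return Number.isNaN(t) ? null : t;
}
function assessReference(ref, now, index) {
  const fallbackId = `unidentified-reference-${index + 1}`;
  if (ref === null || typeof ref !== "object" || Array.isArray(ref)) {
    return { id: fallbackId, findings: ["MALFORMED_REFERENCE_ENTRY"] };
  }
  const findings = [];
  const id = typeof ref.id === "string" && ref.id.trim() ? ref.id.trim() : fallbackId;
  if (id === fallbackId) findings.push("MISSING_REFERENCE_ID");
  // Present-but-unparseable evidence blocks even when another identifier is valid.
  const checksum = validChecksum(ref.checksum);
  const doi = validDoi(ref.doi);
  const commit = validCommit(ref.commit);
  if ("checksum" in ref && !checksum) findings.push("INVALID_CHECKSUM_EVIDENCE");
  if ("doi" in ref && !doi) findings.push("INVALID_DOI_EVIDENCE");
  if ("commit" in ref && !commit) findings.push("FLOATING_GIT_REFERENCE");
  const version = typeof ref.version === "string" ? ref.version.trim().toLowerCase() : "";
  // A floating alias only counts as pinned when checksum or DOI evidence backs it.
  if (FLOATING.has(version) && !checksum && !doi) findings.push("FLOATING_VERSION_ALIAS");
  else if (!checksum && !doi && !commit && !version) findings.push("MISSING_DURABLE_IDENTIFIER");
  // Verification freshness is checked only for otherwise pinned references, so a
  // reference already blocked above does not pile up redundant findings.
  if (findings.length === 0) {
    const verified = parseTime(ref.lastVerifiedAt);
    if (verified === null || verified > now) findings.push("STALE_REFERENCE_EVIDENCE");
  }
  return { id, findings };
}

// Top-level entry: malformed packets and manifests become blockers, never crashes.
function assessExternalReferences(packet, now = Date.now()) {
  const hold = (findings, repository) => ({ repository, decision: "hold_repository_release", findings, references: [] });
  if (packet === null || typeof packet !== "object" || Array.isArray(packet)) {
    return hold(["MALFORMED_REPOSITORY_PACKET"], "unidentified-repository");
  }
  if (!Array.isArray(packet.references)) {
    return hold(["MALFORMED_REFERENCE_MANIFEST"], packet.repository ?? "unidentified-repository");
  }
  const references = packet.references.map((r, i) => assessReference(r, now, i));
  const blocked = references.some((r) => r.findings.length > 0);
  return { repository: packet.repository, decision: blocked ? "hold_repository_release" : "release_repository_references", findings: [], references };
}
```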
