diff --git a/CHANGELOG.md b/CHANGELOG.md
index 523eb81..aa92845 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ All notable changes to vouch are documented here. Format follows ## [Unreleased]
+### Added
+- `examples/community/vouch-issue-tracker-audit/`: a community example KB
+ (issue #338) auditing vouchdev/vouch's own open-issue tracker for
+ staleness — which open issues are already fixed upstream and which are
+ genuinely open, plus one live security bug (#168) and one bug in `vouch
+ source add --url` found while building the KB.
+
 ## [1.1.0] — 2026-07-03 ### Added
diff --git a/docs/img/examples/community/audit-log.svg b/docs/img/examples/community/audit-log.svg
new file mode 100644
index 0000000..8ae5363
--- /dev/null
+++ b/docs/img/examples/community/audit-log.svg
@@ -0,0 +1,20 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch audit --tail 10 +$ vouch audit --tail 10 +2026-07-04T06:17:24.668152+00:00 proposal.page.approve by jonathanchang31 objects=['20260704-061640-20537c0f', 'vouchdev-vouch-open-issue-tracker-audit-2026-07-04'] +2026-07-04T06:17:37.109152+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:22:08.321798+00:00 source.add by claude-code-audit objects=['14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd'] +2026-07-04T06:22:09.353069+00:00 proposal.claim.create by claude-code-audit objects=['20260704-062209-21e9b7a4'] +2026-07-04T06:22:11.611776+00:00 proposal.claim.approve by jonathanchang31 objects=['20260704-062209-21e9b7a4', 'vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-'] +2026-07-04T06:22:47.109098+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:22:51.574949+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:24:48.022905+00:00 proposal.page.create by claude-code-audit objects=['20260704-062448-4d9f894f'] +2026-07-04T06:24:49.072776+00:00 proposal.page.approve by jonathanchang31 objects=['20260704-062448-4d9f894f', 'vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-'] +2026-07-04T06:24:59.488805+00:00 source.verify by vouch-verify objects=[] + diff --git a/docs/img/examples/community/audit-search.svg b/docs/img/examples/community/audit-search.svg new file mode 100644 index 0000000..f74c3b9 --- /dev/null +++ b/docs/img/examples/community/audit-search.svg 
@@ -0,0 +1,13 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch search cross-agent +$ vouch search cross-agent +claim/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro …agent transport allows «cross-agent» approval) is still unfixed on both main and test: kb.approve… (fts5) +page/vouchdev-vouch-open-issue-tracker-audit-2026-07-04 vouchdev/vouch open-issue tracker audit — 2026-07-04 (fts5) +page/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) (fts5) + diff --git a/docs/img/examples/community/audit-show.svg b/docs/img/examples/community/audit-show.svg new file mode 100644 index 0000000..5f8c7d7 --- /dev/null +++ b/docs/img/examples/community/audit-show.svg 
@@ -0,0 +1,42 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch show (issue #168 finding) +$ vouch show 20260704-061515-0e132b51 +id: 20260704-061515-0e132b51 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:15.581538Z' +payload: + id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval) + is still unfixed on both main and test: kb.approve/kb.reject are registered on + the JSONL transport with no expose_decision_tools trust gate, and the only check + is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a + maintainer requested changes: remove the duplicated handle_request guard whose + broad except-Exception swallows real errors, and document or remove the undocumented + approver_role: trusted-agent bypass.' + type: fact + confidence: 0.95 + evidence: + - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc + entities: [] + tags: + - live-bug + - codebase-audit + - security + - needs-pr +rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged + security gap, with the maintainer''s exact acceptance criteria already on record + in PR #169.' +status: approved +decided_at: '2026-07-04T06:15:29.902048Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' + diff --git a/docs/img/examples/community/audit-status.svg b/docs/img/examples/community/audit-status.svg new file mode 100644 index 0000000..2f04aaa --- /dev/null +++ b/docs/img/examples/community/audit-status.svg @@ -0,0 +1,14 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch status +$ vouch status +KB at /your/project/.vouch + durable: 15 claims • 3 pages • 15 sources • 0 entities • 0 relations + pending: 0 proposals + audit: 92 events • index: present + 
diff --git a/examples/README.md b/examples/README.md
index a70d7fa..2b00d93 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -57,6 +57,17 @@ The snapshot KBs ship with everything already in `claims/`, `pages/`, etc. — they're "post-approval" snapshots. There are no `proposed/` entries because proposals are local-only by nature.
+## Community examples
+
+Real vouch KBs from real use, submitted per [issue #338](https://github.com/vouchdev/vouch/issues/338).
+Unlike the shipped snapshots above, these aren't required to be
+byte-for-byte re-renderable — just honest: every claim traceable through
+`audit.log.jsonl` to an actual `propose → approve` decision.
+
+| Example | Topic | Size |
+|---|---|---|
+| [community/vouch-issue-tracker-audit/](community/vouch-issue-tracker-audit/) | A codebase-hygiene audit of vouchdev/vouch's own open-issue tracker — which open issues are already fixed upstream, which are genuinely open, and one live security bug found along the way | 15 claims, 3 pages, 15 sources |
+
 ## Runnable flows Each of these is a script that builds a throwaway KB in `$(mktemp -d)`,
diff --git a/examples/community/vouch-issue-tracker-audit/README.md b/examples/community/vouch-issue-tracker-audit/README.md
new file mode 100644
index 0000000..c4f3352
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/README.md
@@ -0,0 +1,69 @@
+# vouch-issue-tracker-audit/
+
+A real `vouch` knowledge base built while auditing `vouchdev/vouch`'s own
+GitHub issue tracker for staleness. It's a "codebase-audit" style KB
+(findings → claims, cited to evidence) rather than a project's living
+documentation, submitted for issue [#338](https://github.com/vouchdev/vouch/issues/338).
+
+- **Host:** Claude Code, driving the real `vouch` CLI (v1.1.0) directly —
+ `vouch init`, `vouch source add`, `vouch propose-claim`, `vouch approve`,
+ `vouch propose-page`, `vouch reindex`, `vouch doctor`.
+- **What it's used for:** every open issue on `vouchdev/vouch` not already
+ linked from another in-flight open PR (61 of 93 open issues at audit time)
+ was checked against `git log --grep` on `upstream/main` and `upstream/test`
+ for a commit resolving it, then spot-checked by reading the relevant source
+ directly. 13 of the resulting findings are proposed claims,
+ each cited to a source file containing the real evidence (a `git log`
+ transcript, a code excerpt, or an actual maintainer PR-review comment
+ copied from GitHub). A 14th finding — a real bug in `vouch source add
+ --url` — surfaced while building this very KB and is included too.
+
+## What to look at first
+
+1. [vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md](vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md) —
+ the findings table and method, current revision.
+2. [vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml](vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml) —
+ the one still-unfixed, security-relevant finding, with a maintainer's
+ review notes on record from a prior closed PR.
+3. [vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml](vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml) —
+ the self-found bug in the tool used to build this KB.
+4. [vouch/audit.log.jsonl](vouch/audit.log.jsonl) — the full trail: 13
+ claims proposed, all 13 first rejected (wrong `--type` value), all 13
+ resubmitted correctly and approved, a summary page approved, a 14th claim
+ added, and a revised page approved. Nothing here was hand-written into
+ `claims/` or `decided/` directly — every artifact went through
+ `propose-* → approve`/`reject`.
+
+## See it in action
+
+After `cp -r examples/community/vouch-issue-tracker-audit/vouch ./.vouch &&
+vouch reindex`, here's what the CLI shows against this KB:
+
+`vouch status` — artifact counts and the audit-event total:
+
+vouch status on the issue-tracker-audit example
+
+`vouch search cross-agent` — retrieval surfacing the live #168 finding:
+
+vouch search cross-agent on the issue-tracker-audit example
+
+`vouch show` on the #168 finding's decided proposal — full citation,
+rationale, and decision metadata:
+
+vouch show on the issue-tracker-audit example
+
+`vouch audit --tail 10` — the reject-then-rework and page-revision trail:
+
+vouch audit tail on the issue-tracker-audit example
+
+## What this example is *not*
+
+- Not a teaching fixture — every claim, source, and audit event here is the
+ byproduct of a real `vouch` session, not hand-authored YAML.
+- Not exhaustive — the audit covered issues without an in-flight open PR;
+ issues already claimed by another contributor's PR were excluded up front
+ rather than re-checked.
+- Not a fix for #168 or the `source add --url` bug — this KB documents them
+ as findings with enough evidence for someone (possibly the same
+ contributor, in a follow-up PR) to act on. Bundling a code fix into this
+ PR would violate `CONTRIBUTING.md`'s "one concern per PR."
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl b/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl
new file mode 100644
index 0000000..cc9ee73
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl 
@@ -0,0 +1,92 @@ +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:26.405000Z","data":{},"dry_run":false,"event":"kb.init","hash":"b8bbc2b761816d327972d943cbadf0a1e1819f02b16e7b5ef76cf6defa1c0296","id":"951ac530a5074be59a2a7e85dafbcb69","object_ids":[],"prev_hash":"0000000000000000000000000000000000000000000000000000000000000000","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:27.588515Z","data":{},"dry_run":false,"event":"source.add","hash":"95dc23fa58665e4bdb30c877b49b415eaf84baa6c05a17adbba91d5a6675602e","id":"33007d67b1af472a91b36855bc5af1d9","object_ids":["31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98"],"prev_hash":"b8bbc2b761816d327972d943cbadf0a1e1819f02b16e7b5ef76cf6defa1c0296","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:29.356029Z","data":{"slug_hint":"vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"},"dry_run":false,"event":"proposal.claim.create","hash":"043690072bf9d5dc34412f0a4d5b2193ab4b284444e26adb09ac4d2dbc2560da","id":"faaa97cae1ef4a5c9a88e8cbf02b72b3","object_ids":["20260704-061029-8ae22018"],"prev_hash":"95dc23fa58665e4bdb30c877b49b415eaf84baa6c05a17adbba91d5a6675602e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:31.114382Z","data":{},"dry_run":false,"event":"source.add","hash":"32d15ff7f3ea7242376d3ae3092340495af395deed92fd4639ded690f39a6c9e","id":"339803f4c4ab45f38bb5b711882058f0","object_ids":["2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025"],"prev_hash":"043690072bf9d5dc34412f0a4d5b2193ab4b284444e26adb09ac4d2dbc2560da","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:32.994225Z","data":{"slug_hint":"vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"},"dry_run":false,"event":"proposal.claim.create","hash":"1afbaa718b75c271384025665219c626667ff6d81218ba4bc553f5e71a11e4e4","id":"2f6d7033ed044201b1a810f8eda83c5b","object_ids":["20260704-061032-e2c77208"],"prev_hash":"32d15ff7f3ea7242376d3ae3092340495af395deed92fd4639ded690f39a6c9e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:34.313940Z","data":{},"dry_run":false,"event":"source.add","hash":"ad340dbdcc5c4ea46c971f122359c95e906e08f10df6c9ee71015c845d431b94","id":"a80eecaff4f843d9b65d7228c300c61a","object_ids":["efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27"],"prev_hash":"1afbaa718b75c271384025665219c626667ff6d81218ba4bc553f5e71a11e4e4","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:36.488266Z","data":{"slug_hint":"vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"},"dry_run":false,"event":"proposal.claim.create","hash":"edc480cc066f668931c4221e23d1500eec27c9ffb05110b71512488d091bc807","id":"5afd4793f0bf4a9e85ad4e0f84bc3f7b","object_ids":["20260704-061036-8e0faea0"],"prev_hash":"ad340dbdcc5c4ea46c971f122359c95e906e08f10df6c9ee71015c845d431b94","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:39.008445Z","data":{},"dry_run":false,"event":"source.add","hash":"547683f98dc8793c4d819a011e7588724abf659fc81658f0d0969062668509dd","id":"ac3df4f49aac4cd4b525b00ef7402329","object_ids":["c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424"],"prev_hash":"edc480cc066f668931c4221e23d1500eec27c9ffb05110b71512488d091bc807","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:40.684027Z","data":{"slug_hint":"vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"},"dry_run":false,"event":"proposal.claim.create","hash":"16e8c885fc905fc0c4666a77229f96ee4b2252dc2c356c89dce711e4b66cb784","id":"cd61626590e04b39b4b25b69df5f7d0c","object_ids":["20260704-061040-ef56c928"],"prev_hash":"547683f98dc8793c4d819a011e7588724abf659fc81658f0d0969062668509dd","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:41.813621Z","data":{},"dry_run":false,"event":"source.add","hash":"35262a78dfb6d8ae7bde061aca3993585bab625957377675869602c2521364dd","id":"6f487c9c00874b359bb8e47fb061ccff","object_ids":["4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a"],"prev_hash":"16e8c885fc905fc0c4666a77229f96ee4b2252dc2c356c89dce711e4b66cb784","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:43.446546Z","data":{"slug_hint":"vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"},"dry_run":false,"event":"proposal.claim.create","hash":"f0cd63d41d4f379c515e05970e4b50e84125e5884c31d884a15cff3cee8216cb","id":"45f466aa0b9c48778fe8bfc93fb44782","object_ids":["20260704-061043-57bfb8a4"],"prev_hash":"35262a78dfb6d8ae7bde061aca3993585bab625957377675869602c2521364dd","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:44.989326Z","data":{},"dry_run":false,"event":"source.add","hash":"a2d1c764c8c4937ebb25b6f5e7c264fb6741a5c11b3823ecf25ece117fade104","id":"0afa344be06d401fb153aa8d80100ded","object_ids":["e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d"],"prev_hash":"f0cd63d41d4f379c515e05970e4b50e84125e5884c31d884a15cff3cee8216cb","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:47.342473Z","data":{"slug_hint":"vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"},"dry_run":false,"event":"proposal.claim.create","hash":"313a66e460091cfd5ebb8de2e4751a8dd35ee792dc5aa75340a92500bc7e6f87","id":"1e36601fa3a048a9a9dac05e52ed393c","object_ids":["20260704-061047-bf405cfc"],"prev_hash":"a2d1c764c8c4937ebb25b6f5e7c264fb6741a5c11b3823ecf25ece117fade104","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:50.558071Z","data":{},"dry_run":false,"event":"source.add","hash":"2002f84d6ca606d255de765a66a2970eaf68c17f2d0d364bd474a5cdd4c58381","id":"6f2b68fe89444d05991cf8d12374c890","object_ids":["f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068"],"prev_hash":"313a66e460091cfd5ebb8de2e4751a8dd35ee792dc5aa75340a92500bc7e6f87","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:52.709880Z","data":{"slug_hint":"vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"},"dry_run":false,"event":"proposal.claim.create","hash":"8fd0c0da9b01d9a3bfd9c14827a87ae174f05e4ef7939535196153155ac0d99d","id":"e723b927cb624a97b36ee64085d90433","object_ids":["20260704-061052-7c202c7a"],"prev_hash":"2002f84d6ca606d255de765a66a2970eaf68c17f2d0d364bd474a5cdd4c58381","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:55.402108Z","data":{},"dry_run":false,"event":"source.add","hash":"78e0d2f3a6428d5be087227b8c3a11da4223fb3629d49e2a1882ad76fa587257","id":"99ffa5cea58b4c4ea7091de0520c1284","object_ids":["c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7"],"prev_hash":"8fd0c0da9b01d9a3bfd9c14827a87ae174f05e4ef7939535196153155ac0d99d","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:56.784241Z","data":{"slug_hint":"vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"},"dry_run":false,"event":"proposal.claim.create","hash":"afff73cfdba306fb923abc84deee39b3adfcd19f0843957e4f3fcbe467afb9b7","id":"db00944112be4eff930e0071dbb999a6","object_ids":["20260704-061056-e8724ce8"],"prev_hash":"78e0d2f3a6428d5be087227b8c3a11da4223fb3629d49e2a1882ad76fa587257","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:58.616023Z","data":{},"dry_run":false,"event":"source.add","hash":"1440693032b7396acd6cc237bd97023af7dba179bfda0907b8a074f7ee2aa430","id":"9746bcdfba5c43e5a5789a556b45f690","object_ids":["f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3"],"prev_hash":"afff73cfdba306fb923abc84deee39b3adfcd19f0843957e4f3fcbe467afb9b7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:00.261101Z","data":{"slug_hint":"vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"},"dry_run":false,"event":"proposal.claim.create","hash":"ff87cac9c872972f1d6bd537ecf8c27d40392f6af91ee844861b7ffbc2d3132e","id":"62f7cbb71e1d425e817ba4b0eb01c83f","object_ids":["20260704-061100-29c5dca4"],"prev_hash":"1440693032b7396acd6cc237bd97023af7dba179bfda0907b8a074f7ee2aa430","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:03.374095Z","data":{},"dry_run":false,"event":"source.add","hash":"3e96f1d523f392b0d97db0a7d58740caefb766d3bd62e8c9a3e0059343728be3","id":"98bd1532562e49a6bcac4107d8e9c23d","object_ids":["f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7"],"prev_hash":"ff87cac9c872972f1d6bd537ecf8c27d40392f6af91ee844861b7ffbc2d3132e","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:06.635277Z","data":{"slug_hint":"vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"},"dry_run":false,"event":"proposal.claim.create","hash":"3e01aaecebc6f2eeac4ab7d395b38544b61a70192fe4550fccf068bf8c8a34b2","id":"6b69f77a09f043c4a0372bbec78a0f8b","object_ids":["20260704-061106-eb27e9fd"],"prev_hash":"3e96f1d523f392b0d97db0a7d58740caefb766d3bd62e8c9a3e0059343728be3","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:08.823689Z","data":{},"dry_run":false,"event":"source.add","hash":"773218999807905c3d4c5a4d898c43f786c7aeb0b8cd06070bbea584e0119266","id":"47dcacc9ac39409e9fd23efb5b518171","object_ids":["dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50"],"prev_hash":"3e01aaecebc6f2eeac4ab7d395b38544b61a70192fe4550fccf068bf8c8a34b2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:10.739916Z","data":{"slug_hint":"vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"},"dry_run":false,"event":"proposal.claim.create","hash":"28ccacb499593642d0c6acaa2e4937a47796af158b45a4b60e0d8a2c9cefc220","id":"40a2a99880bf4ec199970ded12816ca6","object_ids":["20260704-061110-f4c09773"],"prev_hash":"773218999807905c3d4c5a4d898c43f786c7aeb0b8cd06070bbea584e0119266","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:12.422080Z","data":{},"dry_run":false,"event":"source.add","hash":"bb6d88d0b714d24ef19034e6291e06721baf13a6da20c067b5800e405a46c5f9","id":"0b5e1152dce7466593009e1ab4ce6a9f","object_ids":["9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292"],"prev_hash":"28ccacb499593642d0c6acaa2e4937a47796af158b45a4b60e0d8a2c9cefc220","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:16.776400Z","data":{"slug_hint":"vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"},"dry_run":false,"event":"proposal.claim.create","hash":"bbd554bec88049c4298c3667355fb66ba9bce5af2503606f11c6267e3b9b7e5e","id":"54d9642af95f405bb64a3797ac63cce2","object_ids":["20260704-061116-082830a4"],"prev_hash":"bb6d88d0b714d24ef19034e6291e06721baf13a6da20c067b5800e405a46c5f9","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:18.603758Z","data":{},"dry_run":false,"event":"source.add","hash":"f20be39873659bcf1ec0bdb0abcaaabcb1961a892887aaeca134635512727e35","id":"55bdfaf6269b4be29403b5cd202a57b6","object_ids":["77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc"],"prev_hash":"bbd554bec88049c4298c3667355fb66ba9bce5af2503606f11c6267e3b9b7e5e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:19.905456Z","data":{"slug_hint":"vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"},"dry_run":false,"event":"proposal.claim.create","hash":"0ee8a00ad2b5887f0ef56eb0f8271af909e38aedd1cb808c022b240a8e0969d4","id":"75c7ac60c79e4bd484ff4b51a868bd4b","object_ids":["20260704-061119-0680e882"],"prev_hash":"f20be39873659bcf1ec0bdb0abcaaabcb1961a892887aaeca134635512727e35","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:13:22.349152Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"370d69b9e6a6f29870aa5de83d7edce212181c1b899209456fe0c414369f702d","id":"3ffe027eebee41d6a58389e01a48bae9","object_ids":[],"prev_hash":"0ee8a00ad2b5887f0ef56eb0f8271af909e38aedd1cb808c022b240a8e0969d4","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:36.870162Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"5b813593610123435f4904fe36b6d6409516e51cb9266d508e7d075423b2b4d8","id":"89ab8895490d4de680e34d653ea968ef","object_ids":["20260704-061029-8ae22018"],"prev_hash":"370d69b9e6a6f29870aa5de83d7edce212181c1b899209456fe0c414369f702d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:39.254544Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"1903385b00639ebe41591b33d5faf1c3860b7e47f6ea6c28529074ae311364ac","id":"9b0b07376eed49c1979fee8bc5290e51","object_ids":["20260704-061032-e2c77208"],"prev_hash":"5b813593610123435f4904fe36b6d6409516e51cb9266d508e7d075423b2b4d8","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:41.225199Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"f9b758c5f4823c3a4776ccae5770cd1009878b67a87eb804983c3ed1247f44bd","id":"e67b0d8175204449b4b7e2917def14db","object_ids":["20260704-061036-8e0faea0"],"prev_hash":"1903385b00639ebe41591b33d5faf1c3860b7e47f6ea6c28529074ae311364ac","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:43.258889Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"a5ff272032ea9e2fe8440e86912991cfb2244f46599382b873a3cba2a8931db0","id":"6a43e5b009534df481da94c0c3639191","object_ids":["20260704-061040-ef56c928"],"prev_hash":"f9b758c5f4823c3a4776ccae5770cd1009878b67a87eb804983c3ed1247f44bd","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:47.426509Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"a517dab28078fba46b43061ce0b290c05958967628b5e9a08b8f03fa9bd6b1ac","id":"c8ce7931885642a4b042f63074a9c436","object_ids":["20260704-061043-57bfb8a4"],"prev_hash":"a5ff272032ea9e2fe8440e86912991cfb2244f46599382b873a3cba2a8931db0","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:49.354601Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"c7a90a6b0d608239639137d4ef56be5e7cf35a0966d1ee95045919ca38d802cc","id":"2aa795612c1b4e68a03fe913629c4136","object_ids":["20260704-061047-bf405cfc"],"prev_hash":"a517dab28078fba46b43061ce0b290c05958967628b5e9a08b8f03fa9bd6b1ac","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:51.531122Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"b109bb1de2f949e4279bf567a5e67507e04cb5376f69455aa6d9cf995a7f5c35","id":"8de11251fb174211acb1df54b7d28c65","object_ids":["20260704-061052-7c202c7a"],"prev_hash":"c7a90a6b0d608239639137d4ef56be5e7cf35a0966d1ee95045919ca38d802cc","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:54.782183Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"3766a46d5f7f08302ea85c2d0de3ca7f98e0ac2d20b6291eb46f00ecdcc9d26e","id":"24f6e0b3df4c4657b77655f77e0608c1","object_ids":["20260704-061056-e8724ce8"],"prev_hash":"b109bb1de2f949e4279bf567a5e67507e04cb5376f69455aa6d9cf995a7f5c35","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:56.153822Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"998b6c95cd89a39e98a58670f0619cc3bf693705948c8fa52adae1f8bdff505b","id":"4e5dac05cb9e42efa9806945f7396989","object_ids":["20260704-061100-29c5dca4"],"prev_hash":"3766a46d5f7f08302ea85c2d0de3ca7f98e0ac2d20b6291eb46f00ecdcc9d26e","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:57.835241Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"21a1af42a32c1797a859244be21cff2968e67b568c388d66c052778207445ba7","id":"48361fc436b941a8bce2d5327eeb095e","object_ids":["20260704-061106-eb27e9fd"],"prev_hash":"998b6c95cd89a39e98a58670f0619cc3bf693705948c8fa52adae1f8bdff505b","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:59.275784Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"f27d43af42d8c57cfa9161e00edca8479b22796de8242aaa59919c4917155d5b","id":"33fac97a0c06410a8d39de19fb226301","object_ids":["20260704-061110-f4c09773"],"prev_hash":"21a1af42a32c1797a859244be21cff2968e67b568c388d66c052778207445ba7","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:14:00.539359Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"5c148bb0abc150a8f247526eb5bc2a44821692df9f6796810247859a46b9ce8a","id":"5cb5c73fa100426f95bfdcb3f76b334d","object_ids":["20260704-061116-082830a4"],"prev_hash":"f27d43af42d8c57cfa9161e00edca8479b22796de8242aaa59919c4917155d5b","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:14:03.459488Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"b0afdf0345de8cde89adffad7aa7be87dcd88e6b83f9075e48f0d611419480f2","id":"3cb08009cc9643f5896fe8d67f38f348","object_ids":["20260704-061119-0680e882"],"prev_hash":"5c148bb0abc150a8f247526eb5bc2a44821692df9f6796810247859a46b9ce8a","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:23.935075Z","data":{},"dry_run":false,"event":"source.add","hash":"64616f5fad1acb891bd4f2bd4cc5cb32e0c182479a6f7d780d268702080429e7","id":"cf601044418840b884795c0ecf8c255b","object_ids":["31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98"],"prev_hash":"b0afdf0345de8cde89adffad7aa7be87dcd88e6b83f9075e48f0d611419480f2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:25.466827Z","data":{"slug_hint":"vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"},"dry_run":false,"event":"proposal.claim.create","hash":"aef8e5ada61c7fb9ef6fcd1f85bb7a8d2c7c06654a9b24513b3723334a63f4ab","id":"648d74408cda415088971d99beb4b45e","object_ids":["20260704-061425-808652d7"],"prev_hash":"64616f5fad1acb891bd4f2bd4cc5cb32e0c182479a6f7d780d268702080429e7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:27.118930Z","data":{},"dry_run":false,"event":"source.add","hash":"36a48b5a1ebaa99936bf5c4c6cdf1b449f39c03125017bc7566228b08cd9b434","id":"407796ca73384ca1a57b2b54412a6c1b","object_ids":["2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025"],"prev_hash":"aef8e5ada61c7fb9ef6fcd1f85bb7a8d2c7c06654a9b24513b3723334a63f4ab","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:28.602331Z","data":{"slug_hint":"vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"},"dry_run":false,"event":"proposal.claim.create","hash":"32828b61f01a010f5c7a8db276590d7c8d8247e34f30add02148eac9e6cb4a94","id":"b9f93de115d44922b3e660742bcbb19c","object_ids":["20260704-061428-2ecdb562"],"prev_hash":"36a48b5a1ebaa99936bf5c4c6cdf1b449f39c03125017bc7566228b08cd9b434","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:30.744628Z","data":{},"dry_run":false,"event":"source.add","hash":"42a5f51af9d8341607450f10e6f794a01139e0e40e55e800e3467cce36b85e85","id":"abd776b17b0a4257aae5c9a838009e02","object_ids":["efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27"],"prev_hash":"32828b61f01a010f5c7a8db276590d7c8d8247e34f30add02148eac9e6cb4a94","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:32.026090Z","data":{"slug_hint":"vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"},"dry_run":false,"event":"proposal.claim.create","hash":"9829debb05a365616961e2b9fa9e96b1905556c30009e80bc06223c5348f32bf","id":"846c0260c86642558561b86fc10ddb18","object_ids":["20260704-061432-51a7ca63"],"prev_hash":"42a5f51af9d8341607450f10e6f794a01139e0e40e55e800e3467cce36b85e85","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:33.849146Z","data":{},"dry_run":false,"event":"source.add","hash":"9f077d6053bd4e145b776f9c4fd1a4ea478676e84878404214adbe8eb9c99795","id":"81b93e32f77d4f71800cbe89f1948ede","object_ids":["c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424"],"prev_hash":"9829debb05a365616961e2b9fa9e96b1905556c30009e80bc06223c5348f32bf","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:35.642111Z","data":{"slug_hint":"vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"},"dry_run":false,"event":"proposal.claim.create","hash":"aee933072468fe8f54059305e76fe81bc07d866c7994603cafa6c8d3cca66e81","id":"0e3edbe6362642599376d692cb93d67a","object_ids":["20260704-061435-44efb4a8"],"prev_hash":"9f077d6053bd4e145b776f9c4fd1a4ea478676e84878404214adbe8eb9c99795","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:36.947969Z","data":{},"dry_run":false,"event":"source.add","hash":"4aac94a67d2de37fd628a79ba2d0e8e987aecf3e878df120f8b79eac77713cce","id":"9367bf35d8f04c4e9aa0abcccffbf621","object_ids":["4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a"],"prev_hash":"aee933072468fe8f54059305e76fe81bc07d866c7994603cafa6c8d3cca66e81","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:39.010849Z","data":{"slug_hint":"vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"},"dry_run":false,"event":"proposal.claim.create","hash":"41e80291d0e467746819b3ee084c3007212e5788be2b7a14591d135c99ccf89f","id":"31e46fba653a40468756ea21602f51eb","object_ids":["20260704-061438-7249c426"],"prev_hash":"4aac94a67d2de37fd628a79ba2d0e8e987aecf3e878df120f8b79eac77713cce","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:40.578585Z","data":{},"dry_run":false,"event":"source.add","hash":"4f415f0ab7c82fba6ee1cfc57616d4e8b34272fde4b621929f53b563618fdd90","id":"13064878a2a143b3b7e9c69b6449d0c9","object_ids":["e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d"],"prev_hash":"41e80291d0e467746819b3ee084c3007212e5788be2b7a14591d135c99ccf89f","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:41.556127Z","data":{"slug_hint":"vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"},"dry_run":false,"event":"proposal.claim.create","hash":"a257af7f791d2e931624e217e03e5f7a21a584a8302f054cfafdea3e352ecfae","id":"21d7f992ef8347c796745582522e8495","object_ids":["20260704-061441-f33ed406"],"prev_hash":"4f415f0ab7c82fba6ee1cfc57616d4e8b34272fde4b621929f53b563618fdd90","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:43.798681Z","data":{},"dry_run":false,"event":"source.add","hash":"fcea1d2f2a3229cf10e015b34ae21f5100067007ec9f96924a5c31eeba951ab2","id":"6294eae97b5f4d4fb262be23191ab75e","object_ids":["f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068"],"prev_hash":"a257af7f791d2e931624e217e03e5f7a21a584a8302f054cfafdea3e352ecfae","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:45.034262Z","data":{"slug_hint":"vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"},"dry_run":false,"event":"proposal.claim.create","hash":"d849c19ae40bd2a003387539bb819bfd5e351af3747a43d423911acb52fcf700","id":"ee6c22afb0904cd29ded898747facfb2","object_ids":["20260704-061445-267a62ab"],"prev_hash":"fcea1d2f2a3229cf10e015b34ae21f5100067007ec9f96924a5c31eeba951ab2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:46.634616Z","data":{},"dry_run":false,"event":"source.add","hash":"1262b757734be05619fc7c4cfa27bb49e1645df83757276e844013bfd271fe3c","id":"9070e4204c71474d8f758a49fe10c320","object_ids":["c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7"],"prev_hash":"d849c19ae40bd2a003387539bb819bfd5e351af3747a43d423911acb52fcf700","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:48.651175Z","data":{"slug_hint":"vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"},"dry_run":false,"event":"proposal.claim.create","hash":"b507e77958bce843574da4d5aee0f878e8e5af048980ea9f5016764d1bcdc9bc","id":"ab15879045c048d5987b85521e5047c0","object_ids":["20260704-061448-9e9bb439"],"prev_hash":"1262b757734be05619fc7c4cfa27bb49e1645df83757276e844013bfd271fe3c","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:51.640084Z","data":{},"dry_run":false,"event":"source.add","hash":"764b10af5baab65d1379439995b16ebc5894b964d4e817e3ce05de0182bd3e75","id":"60250bc7fb72434d89e97faebe604f73","object_ids":["f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3"],"prev_hash":"b507e77958bce843574da4d5aee0f878e8e5af048980ea9f5016764d1bcdc9bc","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:54.153111Z","data":{"slug_hint":"vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"},"dry_run":false,"event":"proposal.claim.create","hash":"5392f68990e3e432d27e38e07f3474876dc89d4df64ce6e9c3765a37cab6a8b0","id":"ff861e4d527b421eb7f02fd8e4d28ffc","object_ids":["20260704-061454-49cfcfc0"],"prev_hash":"764b10af5baab65d1379439995b16ebc5894b964d4e817e3ce05de0182bd3e75","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:56.184033Z","data":{},"dry_run":false,"event":"source.add","hash":"2242c1e4cc1401b0d8a018d4b4a54c77fce532f9e89521e89781225c7d2eb996","id":"47403fb63cf2479685ef6d1f51aecde7","object_ids":["f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7"],"prev_hash":"5392f68990e3e432d27e38e07f3474876dc89d4df64ce6e9c3765a37cab6a8b0","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:00.145460Z","data":{"slug_hint":"vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"},"dry_run":false,"event":"proposal.claim.create","hash":"cf4e6cc04edcd88349bf465e59ffc3562f1bf383118261343da434b78f55098a","id":"2b2fb67ad8044633af494d6b544b0668","object_ids":["20260704-061500-9c95a168"],"prev_hash":"2242c1e4cc1401b0d8a018d4b4a54c77fce532f9e89521e89781225c7d2eb996","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:03.670614Z","data":{},"dry_run":false,"event":"source.add","hash":"48805f9a4d51b9fcb4c784360fe98819f0b823a9733c6650249782c4ebada7e7","id":"3e3cba3b792045d2bf564e6d9fafcf2d","object_ids":["dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50"],"prev_hash":"cf4e6cc04edcd88349bf465e59ffc3562f1bf383118261343da434b78f55098a","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:05.479935Z","data":{"slug_hint":"vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"},"dry_run":false,"event":"proposal.claim.create","hash":"b29a45abf416ee2e05ebed6e5ac4926af77017f8fdd22ff1479f09e565fb02e6","id":"224c763047054e77ab5980c9b6581a77","object_ids":["20260704-061505-a91c3897"],"prev_hash":"48805f9a4d51b9fcb4c784360fe98819f0b823a9733c6650249782c4ebada7e7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:08.877391Z","data":{},"dry_run":false,"event":"source.add","hash":"4adf603a43e6040bbbaf54b4a0b4790f0df5375e5333bee446dc7857b44cea26","id":"898dd819bd6b426689fea1f20119be41","object_ids":["9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292"],"prev_hash":"b29a45abf416ee2e05ebed6e5ac4926af77017f8fdd22ff1479f09e565fb02e6","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:11.451225Z","data":{"slug_hint":"vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"},"dry_run":false,"event":"proposal.claim.create","hash":"92d35d948bbf696da7ee846d7c7e39cea891b8463817b4c6ec0cac264b1a3241","id":"81772f0da6374560a529bba8eb5d694d","object_ids":["20260704-061511-995c6f4d"],"prev_hash":"4adf603a43e6040bbbaf54b4a0b4790f0df5375e5333bee446dc7857b44cea26","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:13.978408Z","data":{},"dry_run":false,"event":"source.add","hash":"3672bc556b591814770134474e2d8d38772be962976e684dfcac226d90719243","id":"413d352ebc5547b1826a4a4b9cc3cb8b","object_ids":["77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc"],"prev_hash":"92d35d948bbf696da7ee846d7c7e39cea891b8463817b4c6ec0cac264b1a3241","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:15.592921Z","data":{"slug_hint":"vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"},"dry_run":false,"event":"proposal.claim.create","hash":"560f450f5f1bcb071f877bf12b2c4c1ee3e7deb5193112728587d67493109dc9","id":"bdbbc5a8bfb743f1973756fdc1b6d484","object_ids":["20260704-061515-0e132b51"],"prev_hash":"3672bc556b591814770134474e2d8d38772be962976e684dfcac226d90719243","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.046458Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"39eb73fef7854e2aca08f418b3ad3b56d122ae5b0d8bec30657034eca4c34b13","id":"b8138ef88c6f4c87a5d50188b4429cd5","object_ids":["20260704-061425-808652d7","vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"],"prev_hash":"560f450f5f1bcb071f877bf12b2c4c1ee3e7deb5193112728587d67493109dc9","reversible":true} 
+{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.146232Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"263c78b62b6617b5c532ad8e123c18a6d19e733240817c5904f82e8c1971ef90","id":"ad4f588eee754b78b13928a6d538b665","object_ids":["20260704-061428-2ecdb562","vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"],"prev_hash":"39eb73fef7854e2aca08f418b3ad3b56d122ae5b0d8bec30657034eca4c34b13","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.372870Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"92e493e7c2538cdc8aa209a7f585b3180e68d623428e19a2e3afe2c5995b2624","id":"b75436a551814a80966971afc79713c6","object_ids":["20260704-061432-51a7ca63","vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"],"prev_hash":"263c78b62b6617b5c532ad8e123c18a6d19e733240817c5904f82e8c1971ef90","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.459241Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"d720213a72448b01eb144881d9d156f578e88738014eac450d61985d9c4c7ea9","id":"00da9530674e425eab434b368c3b3f22","object_ids":["20260704-061435-44efb4a8","vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"],"prev_hash":"92e493e7c2538cdc8aa209a7f585b3180e68d623428e19a2e3afe2c5995b2624","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.559829Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit 
for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"ff3a79e231a8072b20f2fb10179383e717eb1cdef696462ef899f4da376ea453","id":"4c0019e725f94eb58f66f516b1f1c203","object_ids":["20260704-061438-7249c426","vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"],"prev_hash":"d720213a72448b01eb144881d9d156f578e88738014eac450d61985d9c4c7ea9","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.780791Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"221593ac9257bbbb35ab7d5207d6ffd804d61154f83ff8b5beba394256123fab","id":"a17f547abbf94b0da333dc76ae24a356","object_ids":["20260704-061441-f33ed406","vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"],"prev_hash":"ff3a79e231a8072b20f2fb10179383e717eb1cdef696462ef899f4da376ea453","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.991364Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"e994277a9ecc0ba69d57e498d819c3d8cfd9b4d901d1346ab17255119352fad2","id":"b43a7171e2fe448686f56f426d6836f0","object_ids":["20260704-061445-267a62ab","vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"],"prev_hash":"221593ac9257bbbb35ab7d5207d6ffd804d61154f83ff8b5beba394256123fab","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.055189Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue 
#338."},"dry_run":false,"event":"proposal.claim.approve","hash":"ac3605bbc2ffa8ecebfa0bc82afb85d1024466550594ae3b370be084e1c14dbb","id":"7f0c454d052a42b3a4a3a1ed48242de5","object_ids":["20260704-061448-9e9bb439","vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"],"prev_hash":"e994277a9ecc0ba69d57e498d819c3d8cfd9b4d901d1346ab17255119352fad2","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.242300Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"e466dca53de1e873f2e1eb6b663c894e4029ee925ebc3a6c0b5d04778883b684","id":"dac1e500cb6748838c89704ca0c91257","object_ids":["20260704-061454-49cfcfc0","vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"],"prev_hash":"ac3605bbc2ffa8ecebfa0bc82afb85d1024466550594ae3b370be084e1c14dbb","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.306841Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"101293af2c15c699061948e6cc3dc164f4ac76a738a58022511d72887dc1a607","id":"cf3e1553987640be95abb44627e5171a","object_ids":["20260704-061500-9c95a168","vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"],"prev_hash":"e466dca53de1e873f2e1eb6b663c894e4029ee925ebc3a6c0b5d04778883b684","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.597947Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue 
#338."},"dry_run":false,"event":"proposal.claim.approve","hash":"8903928b139b8ce9aa9a147ae27826c70644720bdcdaee819b9bce5e78a579e8","id":"7c404b084c08440e96634217de8a27c4","object_ids":["20260704-061505-a91c3897","vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"],"prev_hash":"101293af2c15c699061948e6cc3dc164f4ac76a738a58022511d72887dc1a607","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.832285Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"2220df33737968ba699d1257db1a6ced0caa6c2fbb2bf93c750d91d6763a9c68","id":"673fa44bb0d240b9b1682af0d9af5738","object_ids":["20260704-061511-995c6f4d","vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"],"prev_hash":"8903928b139b8ce9aa9a147ae27826c70644720bdcdaee819b9bce5e78a579e8","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.939458Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"f3f5a6a4aa8ab65648e9e2259b860b804f133c42b4bb39f90e76f3cb84ecd5d3","id":"e263b81a7ca24b65b2222f6c9f80c73b","object_ids":["20260704-061515-0e132b51","vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"],"prev_hash":"2220df33737968ba699d1257db1a6ced0caa6c2fbb2bf93c750d91d6763a9c68","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:15:37.648373Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"6ede78de55ec1072a660a01fb0216cde2c7fab20818fdd8d83e2f839fc61459d","id":"33cf219e5d164f3190719674f8fa0980","object_ids":[],"prev_hash":"f3f5a6a4aa8ab65648e9e2259b860b804f133c42b4bb39f90e76f3cb84ecd5d3","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:16:40.201861Z","data":{"slug_hint":"vouchdev-vouch-open-issue-tracker-audit-2026-07-04"},"dry_run":false,"event":"proposal.page.create","hash":"6f0742a86b3a0820d830c838fc54a4182885bd99b4e4b458dc8cc30a7f7c21f9","id":"58ddec0885b343c5ac05886e0bf7e992","object_ids":["20260704-061640-20537c0f"],"prev_hash":"6ede78de55ec1072a660a01fb0216cde2c7fab20818fdd8d83e2f839fc61459d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:17:24.668152Z","data":{"reason":"Summary page for the codebase-audit community example (issue #338)."},"dry_run":false,"event":"proposal.page.approve","hash":"f503347795b9b2a190d1f1cc02b5fbded29239faef2a58bff3b3dc5d2cd84887","id":"d71652422f554ca69e21b7a3f7232ac5","object_ids":["20260704-061640-20537c0f","vouchdev-vouch-open-issue-tracker-audit-2026-07-04"],"prev_hash":"6f0742a86b3a0820d830c838fc54a4182885bd99b4e4b458dc8cc30a7f7c21f9","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:17:37.109152Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"17d1c207d0b3681e704c575afc446fbfb49171934de61df1655f41b3fb285c91","id":"2405312af1e24e678b130b4f84f31245","object_ids":[],"prev_hash":"f503347795b9b2a190d1f1cc02b5fbded29239faef2a58bff3b3dc5d2cd84887","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:22:08.321798Z","data":{},"dry_run":false,"event":"source.add","hash":"b40a72699c9127cad7a07fc96e52192778b1d597b774e13caf6b6263d905d77d","id":"48e2f15fbf644fd9a8f755d8ef633ab1","object_ids":["14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd"],"prev_hash":"17d1c207d0b3681e704c575afc446fbfb49171934de61df1655f41b3fb285c91","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:22:09.353069Z","data":{"slug_hint":"vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-"},"dry_run":false,"event":"proposal.claim.create","hash":"29413a3105c06b7d3a122de31a5b3c02fc1f6f4aed6e4044bef8b491a9e8cd3b","id":"ffba4906b0854f2399866f21cb2e5d75","object_ids":["20260704-062209-21e9b7a4"],"prev_hash":"b40a72699c9127cad7a07fc96e52192778b1d597b774e13caf6b6263d905d77d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:22:11.611776Z","data":{"reason":"Confirmed by reading cli.py::source_add and storage.py::put_source directly; reproduced against this KB's own source-add calls."},"dry_run":false,"event":"proposal.claim.approve","hash":"f50166586674f4359a63e6935a5d7833c2532f89bb6dd87b2919c9c332d56314","id":"3d41b7591ea949c395f8b43edba3f70b","object_ids":["20260704-062209-21e9b7a4","vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-"],"prev_hash":"29413a3105c06b7d3a122de31a5b3c02fc1f6f4aed6e4044bef8b491a9e8cd3b","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:22:47.109098Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"cf30e60730f1faad74d20ca488907a5dad998291a1b1dc13f3c43bba69fac33d","id":"d5137938c758495fa4020fe15882cbca","object_ids":[],"prev_hash":"f50166586674f4359a63e6935a5d7833c2532f89bb6dd87b2919c9c332d56314","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:22:51.574949Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"fe8ae5996eafaefc250c7732dd5106d6fea4d618c64d3387e3a965e3457de434","id":"557fbbc966134dbe845bd4f99760f6db","object_ids":[],"prev_hash":"cf30e60730f1faad74d20ca488907a5dad998291a1b1dc13f3c43bba69fac33d","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:24:48.022905Z","data":{"slug_hint":"vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-"},"dry_run":false,"event":"proposal.page.create","hash":"f858c01f8a3d8d1af9b49936c2abb780d9cce9d48b6982672dae5db9ad0d09b0","id":"2fa76979fef8458fb1058a0040210453","object_ids":["20260704-062448-4d9f894f"],"prev_hash":"fe8ae5996eafaefc250c7732dd5106d6fea4d618c64d3387e3a965e3457de434","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:24:49.072776Z","data":{"reason":"Revision 2: adds the self-found vouch source add --url bug as a 14th finding."},"dry_run":false,"event":"proposal.page.approve","hash":"8aeb0ee84334a65c396b4e6a240abd93f206b98287c4ff835c465a0e5a674584","id":"357415db77674bfe818ddd76e2507661","object_ids":["20260704-062448-4d9f894f","vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-"],"prev_hash":"f858c01f8a3d8d1af9b49936c2abb780d9cce9d48b6982672dae5db9ad0d09b0","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:24:59.488805Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"52716fba06b892105e400f48266546b50e9948951e3ee0612b78d57fd1a8e60e","id":"f7fd78e2f49e43b4920093f2d387dacb","object_ids":[],"prev_hash":"8aeb0ee84334a65c396b4e6a240abd93f206b98287c4ff835c465a0e5a674584","reversible":true} diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml new file mode 100644 index 0000000..f011738 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml 
@@ -0,0 +1,23 @@
+id: vouch-starter-reviewed-knowledge
+text: Vouch stores reviewed, cited knowledge in the repository so future agent sessions
+ can retrieve agreed project context.
+type: workflow
+status: actionable
+confidence: 0.95
+evidence:
+- be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- vouch
+- onboarding
+created_at: '2026-07-04T06:10:25.981307Z'
+updated_at: '2026-07-04T06:10:25.981314Z'
+last_confirmed_at: null
+approved_by: claude-code-audit
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml
new file mode 100644
index 0000000..015f248
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml
@@ -0,0 +1,26 @@
+id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-
+text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is resolved
+ on main only in the narrow sense that commit 0dba232 added the VEP-0005 proposal
+ document. The actual (visibility, project, agent) scoping feature it describes is
+ tracked separately as issue #189, which has no matching commit on main or test as
+ of this audit.'
+type: fact
+status: working
+confidence: 0.85
+evidence:
+- f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- codebase-audit
+- vep-tracking
+created_at: '2026-07-04T06:15:29.270915Z'
+updated_at: '2026-07-04T06:15:29.270922Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
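Review bot: The last line of vouch-starter-reviewed-knowledge.yaml, `approved_by: claude-code-audit`, names the agent actor as approver. Every other claim in this example is approved by jonathanchang31, and the audit log in this commit shows claude-code-audit as the actor on the `proposal.claim.create` and `source.add` events. This may simply be how the tool seeds its starter claim, but in an example meant to show a human review gate, an `actionable` claim at `confidence: 0.95` approved by the proposing actor undercuts the demonstration. Either have the human reviewer re-approve it so the line reads `approved_by: jonathanchang31`, or state in the example's documentation that the starter claim is tool-seeded and not human-reviewed.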
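Review bot: The `text:` of the issue-100 claim identifies the fix only as `commit 0dba232`, a seven-character abbreviation that can become ambiguous as the repository grows. The `evidence:` hash names a stored source, so it does not visibly pin the commit. For a claim that later sessions will retrieve as agreed fact, cite the full object id, e.g. `commit <full-40-char-sha> (0dba232)`. The same applies to the abbreviated ids in the claims for #166 (6d53c99), #54 (a5f074f), #76 (cdf72ab), #78 (0708c74), #80 (f558fd0), #81 (ab54194), #92 (fb4b326), #93 (e7df047) and #94 (2827a74).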
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml
new file mode 100644
index 0000000..edc76e9
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml
@@ -0,0 +1,26 @@
+id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud
+text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is fixed
+ and merged into both main and test via PR #183 (merge commit 6d53c99), after an
+ earlier attempt (PR #167) was closed for being retargeted to the wrong base branch.
+ The GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+- security
+created_at: '2026-07-04T06:15:29.739373Z'
+updated_at: '2026-07-04T06:15:29.739380Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml
new file mode 100644
index 0000000..c2b694d
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml
@@ -0,0 +1,30 @@
+id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro
+text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval)
+ is still unfixed on both main and test: kb.approve/kb.reject are registered on the
+ JSONL transport with no expose_decision_tools trust gate, and the only check is
+ same-agent self-approval. A prior fix (PR #169) was closed unmerged after a maintainer
+ requested changes: remove the duplicated handle_request guard whose broad except-Exception
+ swallows real errors, and document or remove the undocumented approver_role: trusted-agent
+ bypass.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- live-bug
+- codebase-audit
+- security
+- needs-pr
+created_at: '2026-07-04T06:15:29.862831Z'
+updated_at: '2026-07-04T06:15:29.862838Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml
new file mode 100644
index 0000000..f57ea1c
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml
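Review bot: The `text:` of the issue-168 claim says the bug "is still unfixed on both main and test" with no date or commit bound, unlike the #100 and #189 claims, which end with "as of this audit". With `confidence: 0.95` and `last_confirmed_at: null`, a later session retrieving this claim has nothing in the text to warn that the statement may have gone stale once a fix lands, and for an approval-gate weakness a stale status misleads triage either way. Bound it in the text, e.g. `is still unfixed on both main and test as of 2026-07-04:`, and record the audited branch heads (`<main-head-sha>`, `<test-head-sha>`) next to it. The "fixed … but the GitHub issue is still open" wording in the claims for #54, #166, #76, #78, #80, #81, #92, #93 and #94 is unbounded in the same way.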
@@ -0,0 +1,24 @@
+id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v
+text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is genuinely
+ open and unclaimed: no commit on main or test references #189, and no open PR body
+ contains a Closes/Fixes/Resolves #189 link, as of this audit.'
+type: fact
+status: working
+confidence: 0.85
+evidence:
+- dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- codebase-audit
+- open-opportunity
+created_at: '2026-07-04T06:15:29.321641Z'
+updated_at: '2026-07-04T06:15:29.321648Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml
new file mode 100644
index 0000000..5a8d67f
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml
@@ -0,0 +1,25 @@
+id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-
+text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out of
+ the box) is still open on GitHub, but its CLI-output track landed on main via commit
+ a5f074f ''feat(cli): colourise output, add --json to lint/search, progress on long
+ ops (#54)''.'
+type: fact
+status: working
+confidence: 0.9
+evidence:
+- 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:27.916862Z'
+updated_at: '2026-07-04T06:15:27.916869Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml
new file mode 100644
index 0000000..a240a23
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml
@@ -0,0 +1,26 @@
+id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate
+text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding
+ agent-controlled markdown verbatim into a durable page) is fixed on main by commit
+ cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page (#76)'',
+ but the GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+- security
+created_at: '2026-07-04T06:15:28.090165Z'
+updated_at: '2026-07-04T06:15:28.090172Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml
new file mode 100644
index 0000000..163161a
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml
@@ -0,0 +1,25 @@
+id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed
+text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because
+ lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74,
+ which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but the
+ GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:28.297524Z'
+updated_at: '2026-07-04T06:15:28.297530Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml
new file mode 100644
index 0000000..3ee2c57
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml
@@ -0,0 +1,24 @@
+id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m
+text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists
+ files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub
+ issue is still open.'
+type: fact
+status: working
+confidence: 0.9
+evidence:
+- c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:28.384912Z'
+updated_at: '2026-07-04T06:15:28.384921Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml
new file mode 100644
index 0000000..9695038
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml
@@ -0,0 +1,25 @@
+id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali
+text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited
+ claims could land via bundle import, put_claim, or update_claim) is fixed on main
+ by commit ab54194, which moved the validator onto the Claim model itself, but the
+ GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.9
+evidence:
+- 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:28.493622Z'
+updated_at: '2026-07-04T06:15:28.493629Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml
new file mode 100644
index 0000000..4fab713
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml
@@ -0,0 +1,25 @@
+id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-
+text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and hardcodes
+ embeddings-primary) is fixed on main by commit fb4b326, which added _configured_backend()
+ honoring retrieval.backend (with a legacy retrieval.backends fallback), but the
+ GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:28.712091Z'
+updated_at: '2026-07-04T06:15:28.712097Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml
new file mode 100644
index 0000000..821deb9
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml
@@ -0,0 +1,25 @@
+id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta
+text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk approval)
+ is fixed on main by commit e7df047, which lets `vouch approve` take multiple proposal
+ ids with all-or-nothing or --keep-going semantics, but the GitHub issue is still
+ open.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:28.917620Z'
+updated_at: '2026-07-04T06:15:28.917627Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml
new file mode 100644
index 0000000..d2ca876
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml
@@ -0,0 +1,24 @@
+id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-
+text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP])
+ is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch serve
+ --transport http (#94)'', but the GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.85
+evidence:
+- c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:29.020028Z'
+updated_at: '2026-07-04T06:15:29.020035Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
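Review bot: The #94 claim records that a network transport shipped and stops there; it does not say which tools `vouch serve --transport http` registers or what it requires of a caller. That matters in this KB because the #168 record states that kb.approve/kb.reject are registered on the JSONL transport with no expose_decision_tools trust gate, and the rationale on the #94 decided record notes the feature shipped without the design proposal its [VEP] tag implied. I have not seen the serve code, so this may already be handled; a follow-up claim stating whether the HTTP transport exposes the decision tools would settle it. Separately, `is fixed` reads oddly for a feature request; `landed on main via commit 2827a74` would match the wording the #54 record uses.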
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml
new file mode 100644
index 0000000..d007133
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml
@@ -0,0 +1,23 @@
+id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when
+text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/ KB
+ is present) is fixed on main by commit 1af9521, but the GitHub issue is still open.'
+type: fact
+status: working
+confidence: 0.9
+evidence:
+- f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- stale-issue
+- codebase-audit
+created_at: '2026-07-04T06:15:29.198053Z'
+updated_at: '2026-07-04T06:15:29.198061Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml
new file mode 100644
index 0000000..dcf0cea
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml
@@ -0,0 +1,29 @@
+id: vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-
+text: 'vouchdev/vouch''s CLI: ''vouch source add PATH --url URL'' silently drops --url.
+ cli.py::source_add always passes an explicit locator=str(Path(path).resolve()) into
+ store.put_source(), and storage.py''s locator=locator or url or title or sid never
+ falls through to url as a result. Found while building this very KB: every source
+ below had to have its locator hand-corrected post-hoc from a local scratch path
+ to its real GitHub URL.'
+type: fact
+status: working
+confidence: 0.95
+evidence:
+- 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd
+entities: []
+supersedes: []
+superseded_by: null
+contradicts: []
+scope:
+ visibility: project
+ project: null
+ agent: null
+tags:
+- live-bug
+- codebase-audit
+- dogfooding
+- needs-pr
+created_at: '2026-07-04T06:22:11.419605Z'
+updated_at: '2026-07-04T06:22:11.419611Z'
+last_confirmed_at: null
+approved_by: jonathanchang31
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/config.yaml b/examples/community/vouch-issue-tracker-audit/vouch/config.yaml
new file mode 100644
index 0000000..ad59bcc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/config.yaml
@@ -0,0 +1,19 @@
+version: 1
+review:
+ require_human_approval: true
+ expire_pending_after_days: 90
+capture:
+ enabled: true
+ min_observations: 3
+recall:
+ enabled: true
+ max_chars: 12000
+retrieval:
+ backend: auto
+ default_limit: 10
+agents:
+ recommended_loop:
+ - kb.search before writing
+ - kb.propose_* with citations
+ - human review via vouch pending/show/approve
+page_kinds: {}
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml
new file mode 100644
index 0000000..a70472d
--- /dev/null
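Review bot: The source-add claim says `every source below had to have its locator hand-corrected post-hoc`, which records that the source locators in this KB were edited by hand after `source add`; a claim record also has no "below" for the phrase to point at. Locators are the provenance a reader follows to check the evidence hashes, and nothing in the records visible here shows how or by whom those edits were made. I would reword to `every source in this KB had its locator corrected by hand from a local scratch path to its real GitHub URL` and state in the example's README how the correction was done, so the hand edit is itself on record.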
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061029-8ae22018
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:29.345915Z'
+payload:
+ id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-
+ text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out
+ of the box) is still open on GitHub, but its CLI-output track landed on main via
+ commit a5f074f ''feat(cli): colourise output, add --json to lint/search, progress
+ on long ops (#54)''.'
+ type: finding
+ confidence: 0.9
+ evidence:
+ - 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Epic issues can be partially resolved by one commit while other tracks
+ remain open; the epic itself should stay open, but a reader following the issue
+ link alone would not know part of it already shipped.
+status: rejected
+decided_at: '2026-07-04T06:13:36.860473Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml
new file mode 100644
index 0000000..549dbcc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061032-e2c77208
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:32.990020Z'
+payload:
+ id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate
+ text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding
+ agent-controlled markdown verbatim into a durable page) is fixed on main by commit
+ cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page
+ (#76)'', but the GitHub issue is still open.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+ - security
+rationale: Verified both by commit-message grep and by reading src/vouch/context.py-adjacent
+ session code for the described guard.
+status: rejected
+decided_at: '2026-07-04T06:13:39.248445Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml
new file mode 100644
index 0000000..138556b
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml
@@ -0,0 +1,25 @@
+id: 20260704-061036-8e0faea0
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:36.475356Z'
+payload:
+ id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed
+ text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because
+ lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74,
+ which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but
+ the GitHub issue is still open.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Confirmed by reading the live filter constant and its guarding comment
+ directly in src/vouch/context.py on main.
+status: rejected
+decided_at: '2026-07-04T06:13:41.218116Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml
new file mode 100644
index 0000000..d934a2c
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml
@@ -0,0 +1,23 @@
+id: 20260704-061040-ef56c928
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:40.681510Z'
+payload:
+ id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m
+ text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists
+ files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub
+ issue is still open.'
+ type: finding
+ confidence: 0.9
+ evidence:
+ - c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Verified by commit-message grep against upstream/main.
+status: rejected
+decided_at: '2026-07-04T06:13:43.255963Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml
new file mode 100644
index 0000000..ee432c7
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml
@@ -0,0 +1,25 @@
+id: 20260704-061043-57bfb8a4
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:43.439208Z'
+payload:
+ id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali
+ text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited
+ claims could land via bundle import, put_claim, or update_claim) is fixed on main
+ by commit ab54194, which moved the validator onto the Claim model itself, but
+ the GitHub issue is still open.'
+ type: finding
+ confidence: 0.9
+ evidence:
+ - 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Model-layer validation is stronger than a single call-site check because
+ it covers every write path; worth flagging as resolved-and-improved, not just resolved.
+status: rejected
+decided_at: '2026-07-04T06:13:47.408161Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml
new file mode 100644
index 0000000..1b3638e
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061047-bf405cfc
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:47.333282Z'
+payload:
+ id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-
+ text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and
+ hardcodes embeddings-primary) is fixed on main by commit fb4b326, which added
+ _configured_backend() honoring retrieval.backend (with a legacy retrieval.backends
+ fallback), but the GitHub issue is still open.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: 'Confirmed directly by reading src/vouch/context.py: _configured_backend()
+ and _retrieve() implement exactly the auto/embedding/fts5/substring behavior the
+ issue asked for.'
+status: rejected
+decided_at: '2026-07-04T06:13:49.265732Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml
new file mode 100644
index 0000000..c5f75d1
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml
@@ -0,0 +1,25 @@
+id: 20260704-061052-7c202c7a
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:52.696144Z'
+payload:
+ id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta
+ text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk
+ approval) is fixed on main by commit e7df047, which lets `vouch approve` take
+ multiple proposal ids with all-or-nothing or --keep-going semantics, but the GitHub
+ issue is still open.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Confirmed against the installed CLI's own --help text, not just the commit
+ log.
+status: rejected
+decided_at: '2026-07-04T06:13:51.525885Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml
new file mode 100644
index 0000000..e82fc1b
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml
@@ -0,0 +1,24 @@
+id: 20260704-061056-e8724ce8
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:10:56.781019Z'
+payload:
+ id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-
+ text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP])
+ is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch
+ serve --transport http (#94)'', but the GitHub issue is still open.'
+ type: finding
+ confidence: 0.85
+ evidence:
+ - c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: The [VEP] tag suggested this needed a design proposal first; it shipped
+ anyway, so either the VEP happened informally or the tag was aspirational.
+status: rejected
+decided_at: '2026-07-04T06:13:54.771085Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml
new file mode 100644
index 0000000..344f425
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml
@@ -0,0 +1,23 @@
+id: 20260704-061100-29c5dca4
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:11:00.256945Z'
+payload:
+ id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when
+ text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/
+ KB is present) is fixed on main by commit 1af9521, but the GitHub issue is still
+ open.'
+ type: finding
+ confidence: 0.9
+ evidence:
+ - f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Small, well-scoped UX fix; a clean example of a fast-turnaround merge.
+status: rejected
+decided_at: '2026-07-04T06:13:56.149229Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml
new file mode 100644
index 0000000..85cb90e
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml
@@ -0,0 +1,27 @@
+id: 20260704-061106-eb27e9fd
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:11:06.629083Z'
+payload:
+ id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-
+ text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is
+ resolved on main only in the narrow sense that commit 0dba232 added the VEP-0005
+ proposal document. The actual (visibility, project, agent) scoping feature it
+ describes is tracked separately as issue #189, which has no matching commit on
+ main or test as of this audit.'
+ type: finding
+ confidence: 0.85
+ evidence:
+ - f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7
+ entities: []
+ tags:
+ - codebase-audit
+ - vep-tracking
+rationale: 'Distinguishing ''the VEP was written'' from ''the feature was built''
+ avoids a false-positive stale-issue call on #100 and correctly leaves #189 flagged
+ as genuinely open.'
+status: rejected
+decided_at: '2026-07-04T06:13:57.831270Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml
new file mode 100644
index 0000000..d1cada8
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml
@@ -0,0 +1,25 @@
+id: 20260704-061110-f4c09773
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:11:10.737117Z'
+payload:
+ id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v
+ text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is
+ genuinely open and unclaimed: no commit on main or test references #189, and no
+ open PR body contains a Closes/Fixes/Resolves #189 link, as of this audit.'
+ type: finding
+ confidence: 0.85
+ evidence:
+ - dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50
+ entities: []
+ tags:
+ - codebase-audit
+ - open-opportunity
+rationale: A negative result (checked and found nothing) is worth recording with the
+ same rigor as a positive one, so a future contributor doesn't have to redo the same
+ search.
+status: rejected
+decided_at: '2026-07-04T06:13:59.258091Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml
new file mode 100644
index 0000000..2f06036
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061116-082830a4
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:11:16.762109Z'
+payload:
+ id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud
+ text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is
+ fixed and merged into both main and test via PR #183 (merge commit 6d53c99), after
+ an earlier attempt (PR #167) was closed for being retargeted to the wrong base
+ branch. The GitHub issue is still open.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+ - security
+rationale: Confirmed by reading FORBIDDEN_SAFETY_FLAGS and the audit.log.jsonl rejection
+ path directly in src/vouch/bundle.py on both main and test.
+status: rejected
+decided_at: '2026-07-04T06:14:00.536174Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml
new file mode 100644
index 0000000..130e4c1
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml
@@ -0,0 +1,31 @@
+id: 20260704-061119-0680e882
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:11:19.902283Z'
+payload:
+ id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro
+ text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval)
+ is still unfixed on both main and test: kb.approve/kb.reject are registered on
+ the JSONL transport with no expose_decision_tools trust gate, and the only check
+ is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a
+ maintainer requested changes: remove the duplicated handle_request guard whose
+ broad except-Exception swallows real errors, and document or remove the undocumented
+ approver_role: trusted-agent bypass.'
+ type: finding
+ confidence: 0.95
+ evidence:
+ - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+ entities: []
+ tags:
+ - live-bug
+ - codebase-audit
+ - security
+ - needs-pr
+rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged
+ security gap, with the maintainer''s exact acceptance criteria already on record
+ in PR #169.'
+status: rejected
+decided_at: '2026-07-04T06:14:03.452118Z'
+decided_by: jonathanchang31
+decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml
new file mode 100644
index 0000000..12b6eb7
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml
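Review bot: The #168 text states the bug `is still unfixed on both main and test` with no date or commit pin, whereas the #189 record qualifies its negative result with `as of this audit`. A claim that a critical approval gap is live will be read long after it stops being true, so I would close that clause with `as of this audit (2026-07-04)`. The text also bundles three separate assertions (the unfixed state, what the transport checks, and what the maintainer asked for on PR #169) behind one evidence hash at `confidence: 0.95`; splitting them would let each be re-confirmed or retracted on its own. This is the rejected `type: finding` submission, so the same edit belongs in the approved resubmission, which is not in view here.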
@@ -0,0 +1,27 @@
+id: 20260704-061425-808652d7
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:25.460547Z'
+payload:
+ id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-
+ text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out
+ of the box) is still open on GitHub, but its CLI-output track landed on main via
+ commit a5f074f ''feat(cli): colourise output, add --json to lint/search, progress
+ on long ops (#54)''.'
+ type: fact
+ confidence: 0.9
+ evidence:
+ - 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Epic issues can be partially resolved by one commit while other tracks
+ remain open; the epic itself should stay open, but a reader following the issue
+ link alone would not know part of it already shipped.
+status: approved
+decided_at: '2026-07-04T06:15:28.008120Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml
new file mode 100644
index 0000000..530122a
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml
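Review bot: The eight approved records from 20260704-061425-808652d7 through 20260704-061448-9e9bb439 carry one identical `decision_reason` and `decided_at` values between 06:15:28.008 and 06:15:29.051, so they read as a single bulk approval rather than eight reviews. The shared reason lists `git log, direct source reads, GitHub API` for every claim, although the proposer's rationales differ in how much was actually checked. Since config.yaml in this example sets `require_human_approval: true` and the directory exists to show the review gate at work, I would have each `decision_reason` say what was checked for that claim, or state in the example's README that the approvals were batched.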
@@ -0,0 +1,27 @@
+id: 20260704-061428-2ecdb562
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:28.598912Z'
+payload:
+ id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate
+ text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding
+ agent-controlled markdown verbatim into a durable page) is fixed on main by commit
+ cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page
+ (#76)'', but the GitHub issue is still open.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+ - security
+rationale: Verified both by commit-message grep and by reading src/vouch/context.py-adjacent
+ session code for the described guard.
+status: approved
+decided_at: '2026-07-04T06:15:28.128750Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml
new file mode 100644
index 0000000..77f16ab
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061432-51a7ca63
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:32.022224Z'
+payload:
+ id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed
+ text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because
+ lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74,
+ which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but
+ the GitHub issue is still open.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Confirmed by reading the live filter constant and its guarding comment
+ directly in src/vouch/context.py on main.
+status: approved
+decided_at: '2026-07-04T06:15:28.369425Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml
new file mode 100644
index 0000000..aaa50b1
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml
@@ -0,0 +1,24 @@
+id: 20260704-061435-44efb4a8
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:35.638307Z'
+payload:
+ id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m
+ text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists
+ files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub
+ issue is still open.'
+ type: fact
+ confidence: 0.9
+ evidence:
+ - c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Verified by commit-message grep against upstream/main.
+status: approved
+decided_at: '2026-07-04T06:15:28.444731Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml
new file mode 100644
index 0000000..79a3474
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061438-7249c426
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:38.986504Z'
+payload:
+ id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali
+ text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited
+ claims could land via bundle import, put_claim, or update_claim) is fixed on main
+ by commit ab54194, which moved the validator onto the Claim model itself, but
+ the GitHub issue is still open.'
+ type: fact
+ confidence: 0.9
+ evidence:
+ - 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Model-layer validation is stronger than a single call-site check because
+ it covers every write path; worth flagging as resolved-and-improved, not just resolved.
+status: approved
+decided_at: '2026-07-04T06:15:28.536829Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml
new file mode 100644
index 0000000..91aadc4
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml
@@ -0,0 +1,27 @@
+id: 20260704-061441-f33ed406
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:41.553108Z'
+payload:
+ id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-
+ text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and
+ hardcodes embeddings-primary) is fixed on main by commit fb4b326, which added
+ _configured_backend() honoring retrieval.backend (with a legacy retrieval.backends
+ fallback), but the GitHub issue is still open.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: 'Confirmed directly by reading src/vouch/context.py: _configured_backend()
+ and _retrieve() implement exactly the auto/embedding/fts5/substring behavior the
+ issue asked for.'
+status: approved
+decided_at: '2026-07-04T06:15:28.769924Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml
new file mode 100644
index 0000000..8f5e86a
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061445-267a62ab
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:45.031547Z'
+payload:
+ id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta
+ text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk
+ approval) is fixed on main by commit e7df047, which lets `vouch approve` take
+ multiple proposal ids with all-or-nothing or --keep-going semantics, but the GitHub
+ issue is still open.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Confirmed against the installed CLI's own --help text, not just the commit
+ log.
+status: approved
+decided_at: '2026-07-04T06:15:28.985388Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml
new file mode 100644
index 0000000..ca9f319
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml
@@ -0,0 +1,25 @@
+id: 20260704-061448-9e9bb439
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:48.645208Z'
+payload:
+ id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-
+ text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP])
+ is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch
+ serve --transport http (#94)'', but the GitHub issue is still open.'
+ type: fact
+ confidence: 0.85
+ evidence:
+ - c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: The [VEP] tag suggested this needed a design proposal first; it shipped
+ anyway, so either the VEP happened informally or the tag was aspirational.
+status: approved
+decided_at: '2026-07-04T06:15:29.051850Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml
new file mode 100644
index 0000000..e9ff9fe
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml
@@ -0,0 +1,24 @@
+id: 20260704-061454-49cfcfc0
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:14:54.138750Z'
+payload:
+ id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when
+ text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/
+ KB is present) is fixed on main by commit 1af9521, but the GitHub issue is still
+ open.'
+ type: fact
+ confidence: 0.9
+ evidence:
+ - f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+rationale: Small, well-scoped UX fix; a clean example of a fast-turnaround merge.
+status: approved
+decided_at: '2026-07-04T06:15:29.234611Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml
new file mode 100644
index 0000000..226601a
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml
@@ -0,0 +1,28 @@
+id: 20260704-061500-9c95a168
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:15:00.108536Z'
+payload:
+ id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-
+ text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is
+ resolved on main only in the narrow sense that commit 0dba232 added the VEP-0005
+ proposal document. The actual (visibility, project, agent) scoping feature it
+ describes is tracked separately as issue #189, which has no matching commit on
+ main or test as of this audit.'
+ type: fact
+ confidence: 0.85
+ evidence:
+ - f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7
+ entities: []
+ tags:
+ - codebase-audit
+ - vep-tracking
+rationale: 'Distinguishing ''the VEP was written'' from ''the feature was built''
+ avoids a false-positive stale-issue call on #100 and correctly leaves #189 flagged
+ as genuinely open.'
+status: approved
+decided_at: '2026-07-04T06:15:29.296336Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml
new file mode 100644
index 0000000..d1d1b92
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml
@@ -0,0 +1,26 @@
+id: 20260704-061505-a91c3897
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:15:05.316438Z'
+payload:
+ id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v
+ text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is
+ genuinely open and unclaimed: no commit on main or test references #189, and no
+ open PR body contains a Closes/Fixes/Resolves #189 link, as of this audit.'
+ type: fact
+ confidence: 0.85
+ evidence:
+ - dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50
+ entities: []
+ tags:
+ - codebase-audit
+ - open-opportunity
+rationale: A negative result (checked and found nothing) is worth recording with the
+ same rigor as a positive one, so a future contributor doesn't have to redo the same
+ search.
+status: approved
+decided_at: '2026-07-04T06:15:29.542760Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml
new file mode 100644
index 0000000..9057753
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml
@@ -0,0 +1,27 @@
+id: 20260704-061511-995c6f4d
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:15:11.447796Z'
+payload:
+ id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud
+ text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is
+ fixed and merged into both main and test via PR #183 (merge commit 6d53c99), after
+ an earlier attempt (PR #167) was closed for being retargeted to the wrong base
+ branch. The GitHub issue is still open.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292
+ entities: []
+ tags:
+ - stale-issue
+ - codebase-audit
+ - security
+rationale: Confirmed by reading FORBIDDEN_SAFETY_FLAGS and the audit.log.jsonl rejection
+ path directly in src/vouch/bundle.py on both main and test.
+status: approved
+decided_at: '2026-07-04T06:15:29.829495Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml
new file mode 100644
index 0000000..6b7507e
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml
@@ -0,0 +1,32 @@
+id: 20260704-061515-0e132b51
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:15:15.581538Z'
+payload:
+ id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro
+ text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval)
+ is still unfixed on both main and test: kb.approve/kb.reject are registered on
+ the JSONL transport with no expose_decision_tools trust gate, and the only check
+ is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a
+ maintainer requested changes: remove the duplicated handle_request guard whose
+ broad except-Exception swallows real errors, and document or remove the undocumented
+ approver_role: trusted-agent bypass.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+ entities: []
+ tags:
+ - live-bug
+ - codebase-audit
+ - security
+ - needs-pr
+rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged
+ security gap, with the maintainer''s exact acceptance criteria already on record
+ in PR #169.'
+status: approved
+decided_at: '2026-07-04T06:15:29.902048Z'
+decided_by: jonathanchang31
+decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct
+ source reads, GitHub API) during a codebase-hygiene audit for issue #338.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml
new file mode 100644
index 0000000..54b0004
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml
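Review bot: The `payload.text` of this claim states that #168 is "still unfixed on both main and test" with no date and no branch revision, so this approved fact turns false, and cannot be re-checked, as soon as a fix merges; the #189 record at least qualifies itself with "as of this audit". Pin the statement in the text, e.g. `is still unfixed on both main (<main-sha>) and test (<test-sha>) as of 2026-07-04:`, filling the two placeholders from the checkouts that were audited. Because this is a `security`-tagged statement shipped under `examples/`, it also needs a tracked follow-up to supersede the claim once the trust gate lands, so the example does not keep describing an approval bypass that is no longer present.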
@@ -0,0 +1,134 @@ +id: 20260704-061640-20537c0f +kind: page +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:16:40.192605Z' +payload: + id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04 + title: vouchdev/vouch open-issue tracker audit — 2026-07-04 + body: '## Method + + + All open issues in `vouchdev/vouch` not already linked from an in-flight + + open PR (61 of 93 open issues at audit time) were cross-referenced against + + `git log --grep` on `upstream/main` and `upstream/test` for a commit + + mentioning that issue number, then spot-checked by reading the relevant + + source file directly (not just trusting the commit message). Issues already + + tied to another open PR were excluded up front, since those aren''t stale — + + they''re just not merged yet. + + + ## Findings + + + | Issue | Title | Status found | + + |---|---|---| + + | [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier + | partially fixed (CLI-output track), open | + + | [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review + gate | fixed, open | + + | [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded + claims | fixed, open | + + | [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles + missing manifest files | fixed, open | + + | [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence + validator | fixed, open | + + | [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends + config | fixed, open | + + | [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | + fixed, open | + + | [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch + serve | fixed, open | + + | [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly + with no KB | fixed, open | + + | [#100](https://github.com/vouchdev/vouch/issues/100) | 
richer scopes VEP | VEP + drafted only, open | + + | [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation + | genuinely open, unclaimed | + + | [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite + audit log | fixed + merged (PR #183), open | + + | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval + bypass | **still unfixed**, security-relevant | + + + 9 of these 13 issues describe bugs or features that are already resolved in + + code but left open on GitHub — likely because merges to non-default branches + + (or squash-merge commits) don''t trigger GitHub''s auto-close. Two more are + + only partially addressed: #54''s epic has one track (CLI output) shipped but + + its other tracks are still open, and #100''s VEP-0005 document was drafted + + but the (visibility, project, agent) scoping feature it describes was never + + built. One (#189) is a genuinely open, unclaimed implementation gap — the + + tracking issue for that same undelivered VEP-0005 feature. One (#168) is a + + real, unfixed, security-relevant bug with a maintainer review already on + + record (from a prior closed PR) describing exactly what a correct fix needs + + to do. + + + ## Why this matters for contributors + + + Before picking an open issue to work on in this repo, check whether it''s + + already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" + + upstream/main upstream/test` takes seconds and avoids a wasted or duplicate + + PR. This KB is the evidence trail for one pass of that check; see each + + claim''s citation for the exact commit, code, or review comment behind it. 
+ + ' + type: report + claims: + - vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + - vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + - vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + - vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + - vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + - vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + - vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + - vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + - vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + - vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + - vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + - vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + - vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + entities: [] + sources: [] + tags: [] + metadata: {} +rationale: null +status: approved +decided_at: '2026-07-04T06:17:24.561601Z' +decided_by: jonathanchang31 +decision_reason: 'Summary page for the codebase-audit community example (issue #338).' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml new file mode 100644 index 0000000..c44f15b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml 
@@ -0,0 +1,30 @@
+id: 20260704-062209-21e9b7a4
+kind: claim
+proposed_by: claude-code-audit
+session_id: null
+proposed_at: '2026-07-04T06:22:09.345234Z'
+payload:
+ id: vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-
+ text: 'vouchdev/vouch''s CLI: ''vouch source add PATH --url URL'' silently drops
+ --url. cli.py::source_add always passes an explicit locator=str(Path(path).resolve())
+ into store.put_source(), and storage.py''s locator=locator or url or title or
+ sid never falls through to url as a result. Found while building this very KB:
+ every source below had to have its locator hand-corrected post-hoc from a local
+ scratch path to its real GitHub URL.'
+ type: fact
+ confidence: 0.95
+ evidence:
+ - 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd
+ entities: []
+ tags:
+ - live-bug
+ - codebase-audit
+ - dogfooding
+ - needs-pr
+rationale: 'Self-referential finding: this is a real bug in the exact tool used to
+ build this example, discovered by using it for its intended purpose.'
+status: approved
+decided_at: '2026-07-04T06:22:11.587493Z'
+decided_by: jonathanchang31
+decision_reason: Confirmed by reading cli.py::source_add and storage.py::put_source
+ directly; reproduced against this KB's own source-add calls.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml
new file mode 100644
index 0000000..1b6bbbc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml
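Review bot: "every source below" in `payload.text` has no referent inside a standalone claim record; the page body words the same sentence as "Every source citation in this KB", and the claim should match it: `every source in this KB had to have its locator hand-corrected post-hoc from a local`. The sentence also records that source locators were edited by hand outside the tool. The record does not say whether those edits went through a proposal or left an audit event, and for a KB presented as an evidence trail that should be stated, here or in the example's README.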
@@ -0,0 +1,166 @@ +id: 20260704-062448-4d9f894f +kind: page +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:24:48.012409Z' +payload: + id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- + title: vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) + body: '## Method + + + All open issues in `vouchdev/vouch` not already linked from an in-flight + + open PR (61 of 93 open issues at audit time) were cross-referenced against + + `git log --grep` on `upstream/main` and `upstream/test` for a commit + + mentioning that issue number, then spot-checked by reading the relevant + + source file directly (not just trusting the commit message). Issues already + + tied to another open PR were excluded up front, since those aren''t stale — + + they''re just not merged yet. + + + ## Findings + + + | Issue | Title | Status found | + + |---|---|---| + + | [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier + | partially fixed (CLI-output track), open | + + | [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review + gate | fixed, open | + + | [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded + claims | fixed, open | + + | [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles + missing manifest files | fixed, open | + + | [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence + validator | fixed, open | + + | [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends + config | fixed, open | + + | [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | + fixed, open | + + | [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch + serve | fixed, open | + + | [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly + with no KB | fixed, open | + + | 
[#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP + drafted only, open | + + | [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation + | genuinely open, unclaimed | + + | [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite + audit log | fixed + merged (PR #183), open | + + | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval + bypass | **still unfixed**, security-relevant | + + | — | `vouch source add --url` is a no-op | **self-found bug**, see below | + + + 9 of these 13 issues describe bugs or features that are already resolved in + + code but left open on GitHub — likely because merges to non-default branches + + (or squash-merge commits) don''t trigger GitHub''s auto-close. Two more are + + only partially addressed: #54''s epic has one track (CLI output) shipped but + + its other tracks are still open, and #100''s VEP-0005 document was drafted + + but the (visibility, project, agent) scoping feature it describes was never + + built. One (#189) is a genuinely open, unclaimed implementation gap — the + + tracking issue for that same undelivered VEP-0005 feature. One (#168) is a + + real, unfixed, security-relevant bug with a maintainer review already on + + record (from a prior closed PR) describing exactly what a correct fix needs + + to do. + + + ## A 14th finding, found by dogfooding + + + Building this KB surfaced a bug in the tool itself: `vouch source add PATH + + --url URL` silently drops `--url`. `cli.py::source_add` always passes an + + explicit `locator=str(Path(path).resolve())` into `store.put_source()`, and + + `storage.py`''s `locator=locator or url or title or sid` never falls through + + to `url` as a result. Every source citation in this KB had to have its + + `locator` corrected by hand, from a local scratch path to its real GitHub + + URL, after the fact — see the `vouchdev-vouch-s-cli-...` claim for the full + + repro. 
This page is a revision: an earlier page proposed earlier in this KB''s + + audit trail (`vouch audit`) covered only the 13 issue-tracker findings, before + + this 14th one came up during the write-up. `vouch supersede` only applies to + + claims, not pages, so both page revisions remain in this KB''s history rather + + than one replacing the other in the object model. + + + ## Why this matters for contributors + + + Before picking an open issue to work on in this repo, check whether it''s + + already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" + + upstream/main upstream/test` takes seconds and avoids a wasted or duplicate + + PR. This KB is the evidence trail for one pass of that check; see each + + claim''s citation for the exact commit, code, or review comment behind it. + + ' + type: report + claims: + - vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + - vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + - vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + - vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + - vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + - vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + - vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + - vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + - vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + - vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + - vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + - vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + - vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + - vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- + entities: [] + sources: [] + tags: [] + metadata: {} +rationale: null +status: approved +decided_at: '2026-07-04T06:24:49.061207Z' +decided_by: jonathanchang31 +decision_reason: 'Revision 2: adds the self-found vouch source add --url bug as a + 14th 
finding.'
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md
new file mode 100644
index 0000000..16a5439
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md
@@ -0,0 +1,36 @@
+---
+id: edit-in-obsidian
+title: Edit in Obsidian
+type: workflow
+status: active
+claims:
+- vouch-starter-reviewed-knowledge
+entities: []
+sources:
+- be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2
+tags:
+- vouch
+- onboarding
+- obsidian
+metadata: {}
+created_at: '2026-07-04T06:10:25.983339Z'
+updated_at: '2026-07-04T06:10:25.983344Z'
+---
+# Edit in Obsidian
+
+Vouch's pages are plain markdown with YAML frontmatter -- your knowledge
+base is already an Obsidian-compatible vault. To edit pages in your own
+Obsidian vault:
+
+1. Run `vouch sync --vault ~/Obsidian/YourVault` once to mirror approved
+ pages and claims under `/vouch/`.
+2. Open `/vouch/pages/.md` in Obsidian and edit it.
+3. Re-run `vouch sync --vault ~/Obsidian/YourVault` to file your edits as
+ page-edit proposals in `.vouch/proposed/`.
+4. Review and approve with `vouch approve `. The next sync mirrors the
+ approved version back into the vault.
+
+Claims appear as stub markdown files under `/vouch/claims/`; pages
+that cite them are linked via Obsidian `[[wikilink]]` syntax so the graph
+view connects them. Use `--watch` to keep a polling loop alive while you
+edit.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md
new file mode 100644
index 0000000..0f84fc7
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md
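Review bot: In `decided/20260704-062448-4d9f894f.yaml`, the paragraph of `payload.body` that follows the Findings table still opens with "9 of these 13 issues", although the table above it now has fourteen rows, the last being the self-found `vouch source add --url` entry that has no issue number. Reword the opener so the count refers only to tracker issues, e.g. `9 of the 13 tracker issues above describe bugs or features that are already resolved in`. The rev 1 page record (`20260704-061640-20537c0f.yaml`) also stays `status: approved` with empty `tags` and `metadata`, so nothing machine-readable marks it as replaced by rev 2; the body explains this in prose, but a reader who lands on rev 1 first never sees that explanation.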
@@ -0,0 +1,90 @@ +--- +id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- +title: vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) +type: report +status: draft +claims: +- vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- +- vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud +- vouchdev-vouch-issue-168-critical-agent-transport-allows-cro +- vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v +- vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- +- vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate +- vouchdev-vouch-issue-78-kb-context-returns-archived-supersed +- vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m +- vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali +- vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- +- vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta +- vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- +- vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when +- vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- +entities: [] +sources: [] +tags: [] +metadata: {} +created_at: '2026-07-04T06:24:49.036278Z' +updated_at: '2026-07-04T06:24:49.036285Z' +--- +## Method + +All open issues in `vouchdev/vouch` not already linked from an in-flight +open PR (61 of 93 open issues at audit time) were cross-referenced against +`git log --grep` on `upstream/main` and `upstream/test` for a commit +mentioning that issue number, then spot-checked by reading the relevant +source file directly (not just trusting the commit message). Issues already +tied to another open PR were excluded up front, since those aren't stale — +they're just not merged yet. 
+ +## Findings + +| Issue | Title | Status found | +|---|---|---| +| [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier | partially fixed (CLI-output track), open | +| [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review gate | fixed, open | +| [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded claims | fixed, open | +| [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles missing manifest files | fixed, open | +| [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence validator | fixed, open | +| [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends config | fixed, open | +| [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | fixed, open | +| [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch serve | fixed, open | +| [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly with no KB | fixed, open | +| [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP drafted only, open | +| [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation | genuinely open, unclaimed | +| [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite audit log | fixed + merged (PR #183), open | +| [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant | +| — | `vouch source add --url` is a no-op | **self-found bug**, see below | + +9 of these 13 issues describe bugs or features that are already resolved in +code but left open on GitHub — likely because merges to non-default branches +(or squash-merge commits) don't trigger GitHub's auto-close. 
Two more are +only partially addressed: #54's epic has one track (CLI output) shipped but +its other tracks are still open, and #100's VEP-0005 document was drafted +but the (visibility, project, agent) scoping feature it describes was never +built. One (#189) is a genuinely open, unclaimed implementation gap — the +tracking issue for that same undelivered VEP-0005 feature. One (#168) is a +real, unfixed, security-relevant bug with a maintainer review already on +record (from a prior closed PR) describing exactly what a correct fix needs +to do. + +## A 14th finding, found by dogfooding + +Building this KB surfaced a bug in the tool itself: `vouch source add PATH +--url URL` silently drops `--url`. `cli.py::source_add` always passes an +explicit `locator=str(Path(path).resolve())` into `store.put_source()`, and +`storage.py`'s `locator=locator or url or title or sid` never falls through +to `url` as a result. Every source citation in this KB had to have its +`locator` corrected by hand, from a local scratch path to its real GitHub +URL, after the fact — see the `vouchdev-vouch-s-cli-...` claim for the full +repro. This page is a revision: an earlier page proposed earlier in this KB's +audit trail (`vouch audit`) covered only the 13 issue-tracker findings, before +this 14th one came up during the write-up. `vouch supersede` only applies to +claims, not pages, so both page revisions remain in this KB's history rather +than one replacing the other in the object model. + +## Why this matters for contributors + +Before picking an open issue to work on in this repo, check whether it's +already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" +upstream/main upstream/test` takes seconds and avoids a wasted or duplicate +PR. This KB is the evidence trail for one pass of that check; see each +claim's citation for the exact commit, code, or review comment behind it. 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md
new file mode 100644
index 0000000..d29868f
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md
@@ -0,0 +1,73 @@
+---
+id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04
+title: vouchdev/vouch open-issue tracker audit — 2026-07-04
+type: report
+status: draft
+claims:
+- vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-
+- vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud
+- vouchdev-vouch-issue-168-critical-agent-transport-allows-cro
+- vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v
+- vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-
+- vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate
+- vouchdev-vouch-issue-78-kb-context-returns-archived-supersed
+- vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m
+- vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali
+- vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-
+- vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta
+- vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-
+- vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when
+entities: []
+sources: []
+tags: []
+metadata: {}
+created_at: '2026-07-04T06:17:24.368089Z'
+updated_at: '2026-07-04T06:17:24.368096Z'
+---
+## Method
+
+All open issues in `vouchdev/vouch` not already linked from an in-flight
+open PR (61 of 93 open issues at audit time) were cross-referenced against
+`git log --grep` on `upstream/main` and `upstream/test` for a commit
+mentioning that issue number, then spot-checked by reading the relevant
+source file directly (not just trusting the commit message). Issues already
+tied to another open PR were excluded up front, since those aren't stale —
+they're just not merged yet.
+
+## Findings
+
+| Issue | Title | Status found |
+|---|---|---|
+| [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier | partially fixed (CLI-output track), open |
+| [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review gate | fixed, open |
+| [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded claims | fixed, open |
+| [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles missing manifest files | fixed, open |
+| [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence validator | fixed, open |
+| [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends config | fixed, open |
+| [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | fixed, open |
+| [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch serve | fixed, open |
+| [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly with no KB | fixed, open |
+| [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP drafted only, open |
+| [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation | genuinely open, unclaimed |
+| [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite audit log | fixed + merged (PR #183), open |
+| [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant |
+
+9 of these 13 issues describe bugs or features that are already resolved in
+code but left open on GitHub — likely because merges to non-default branches
+(or squash-merge commits) don't trigger GitHub's auto-close. Two more are
+only partially addressed: #54's epic has one track (CLI output) shipped but
+its other tracks are still open, and #100's VEP-0005 document was drafted
+but the (visibility, project, agent) scoping feature it describes was never
+built. One (#189) is a genuinely open, unclaimed implementation gap — the
+tracking issue for that same undelivered VEP-0005 feature. One (#168) is a
+real, unfixed, security-relevant bug with a maintainer review already on
+record (from a prior closed PR) describing exactly what a correct fix needs
+to do.
+
+## Why this matters for contributors
+
+Before picking an open issue to work on in this repo, check whether it's
+already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)"
+upstream/main upstream/test` takes seconds and avoids a wasted or duplicate
+PR. This KB is the evidence trail for one pass of that check; see each
+claim's citation for the exact commit, code, or review comment behind it.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/schema_version b/examples/community/vouch-issue-tracker-audit/vouch/schema_version
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/schema_version
@@ -0,0 +1 @@
+0.1.0
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content
new file mode 100644
index 0000000..ec3ae92
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content
@@ -0,0 +1,53 @@
+# vouchdev/vouch: `vouch source add --url` is a no-op (found while building this KB)
+
+Not a filed GitHub issue — a bug surfaced by dogfooding vouch to build this
+very example.
+
+## What happened
+
+`vouch source add PATH --url URL` accepts `--url`, but the value is
+discarded. In `src/vouch/cli.py`, `source_add()` always calls:
+
+ src = store.put_source(
+ data,
+ title=title or Path(path).name,
+ url=url,
+ locator=str(Path(path).resolve()), # <-- always non-None
+ source_type=source_type,
+ )
+
+and in `src/vouch/storage.py`, `KBStore.put_source()` resolves the stored
+`locator` field as:
+
+ locator=locator or url or title or sid,
+
+Because the CLI always passes a concrete `locator` (the resolved local
+file path), the `locator or url` fallback never reaches `url` — the CLI
+has no way to make `--url` observable in the stored Source's `locator`
+field, no matter what a caller passes.
+
+## Reproduction (this exact KB)
+
+ $ vouch source add evidence/issue-168.md \
+ --title "vouchdev/vouch issue #168 + closed PR #169 (unmerged)" \
+ --url "https://github.com/vouchdev/vouch/issues/168"
+ 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+
+ $ cat .vouch/sources/77cf.../meta.yaml
+ locator: /tmp/.../evidence/issue-168.md # the --url value is nowhere in this file
+
+## Impact
+
+Low severity, but real: any workflow that registers a source from a local
+file while also wanting to record its canonical URL (exactly the "cite the
+GitHub issue this file was copied from" pattern this community example
+needed) silently loses that URL. `store.put_source` does still accept a
+`url` kwarg — a library caller bypassing the CLI can set it — so the gap is
+specifically in `source_add()`'s CLI wiring, not the storage layer.
+
+## Suggested fix
+
+`src/vouch/cli.py::source_add` should pass `locator=locator_override or url
+or str(Path(path).resolve())` — i.e., prefer an explicit `--url` when given,
+falling back to the resolved path only when no URL was supplied. Today
+there's no `--locator` override either, so the resolved path always wins.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml
new file mode 100644
index 0000000..f39bf14
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml
@@ -0,0 +1,15 @@
+id: 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd
+type: commit
+locator: 'vouchdev/vouch@main: src/vouch/cli.py::source_add + src/vouch/storage.py::put_source'
+title: 'vouchdev/vouch: vouch source add --url is a no-op (self-found)'
+hash: 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 2121
+media_type: text/plain
+created_at: '2026-07-04T06:22:08.308903Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content
new file mode 100644
index 0000000..714f48b
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content
@@ -0,0 +1,20 @@
+# vouchdev/vouch issue #76
+
+Title: bug: crystallize writes a durable Page bypassing the review gate;
+ body embeds agent-controlled markdown verbatim
+Author: galuis116
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+cdf72ab5940d366775f7a83fe078bc5db8733fb4 2026-05-25
+fix(sessions): close crystallize review-gate bypass via summary page (#76)
+
+Verified with:
+ $ git log --oneline -E --grep="#76([^0-9]|$)" upstream/main
+ cdf72ab fix(sessions): close crystallize review-gate bypass via summary page (#76)
+
+Conclusion: the review-gate bypass described in the issue (session.crystallize
+promoting agent-supplied task/note text into a durable page without going
+through propose_page + approve) is fixed on main. The GitHub issue is still
+open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml
new file mode 100644
index 0000000..2aa0053
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml
@@ -0,0 +1,15 @@
+id: 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/76
+title: 'vouchdev/vouch issue #76 + fix commit cdf72ab'
+hash: 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 775
+media_type: text/plain
+created_at: '2026-07-04T06:10:31.107297Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content
new file mode 100644
index 0000000..5ab68fc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content
@@ -0,0 +1,19 @@
+# vouchdev/vouch issue #54
+
+Title: epic: make vouch friendlier and more useful out of the box
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+a5f074f754a2005c0eca8db636a00943ccb823d1 2026-05-26
+feat(cli): colourise output, add --json to lint/search, progress on long ops (#54)
+
+Verified with:
+ $ git log --oneline -E --grep="#54([^0-9]|$)" upstream/main
+ a5f074f feat(cli): colourise output, add --json to lint/search, progress on long ops (#54)
+
+Conclusion: Track 2 (Friendlier CLI output) of this epic landed on main.
+The issue references a multi-track epic body; only the CLI-output track's
+commit was checked for this claim (see the "still open" caveat in the claim
+rationale).
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml
new file mode 100644
index 0000000..258dcb0
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml
@@ -0,0 +1,15 @@
+id: 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/54
+title: 'vouchdev/vouch issue #54 + fix commit a5f074f'
+hash: 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 748
+media_type: text/plain
+created_at: '2026-07-04T06:10:27.584136Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content
new file mode 100644
index 0000000..9855a95
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content
@@ -0,0 +1,19 @@
+# vouchdev/vouch issue #81
+
+Title: bug: Claim model has no min-evidence validator — uncited claims land
+ via bundle import, put_claim, update_claim
+Author: galuis116
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+ab54194f280b93a8bf69ab5d871291ac4ce9e95d 2026-05-25
+fix(models): require Claim.evidence to be non-empty at the model layer (#81)
+
+Verified with:
+ $ git log --oneline -E --grep="#81([^0-9]|$)" upstream/main
+ ab54194 fix(models): require Claim.evidence to be non-empty at the model layer (#81)
+
+Conclusion: fixed on main — the validator now lives on the Claim model
+itself, so every write path is covered, not just the CLI/MCP entry points.
+The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml
new file mode 100644
index 0000000..6d97e81
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml
@@ -0,0 +1,15 @@
+id: 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/81
+title: 'vouchdev/vouch issue #81 + fix commit ab54194'
+hash: 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 725
+media_type: text/plain
+created_at: '2026-07-04T06:10:41.809515Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content
new file mode 100644
index 0000000..b5037a1
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content
@@ -0,0 +1,42 @@
+# vouchdev/vouch issue #168
+
+Title: critical: Agent transport allows cross-agent approval
+Author: jonathanchang31
+State on GitHub at audit time: OPEN
+
+## No fix on main or test
+
+ $ git log --oneline -E --grep="#168([^0-9]|$)" upstream/main upstream/test
+ (no output)
+
+Direct code check, upstream/main src/vouch/jsonl_server.py:
+ "kb.approve": _h_approve,
+ "kb.reject": _h_reject,
+registered with no `expose_decision_tools` / trust gate. src/vouch/proposals.py
+`_approval_block_reason()` only checks `approved_by == proposal.proposed_by`
+(same-agent self-approval), so a second agent identity can approve another
+agent's proposal through the JSONL/MCP transport, landing a durable claim
+without any human CLI review. Confirmed identical on upstream/test.
+
+## Prior attempt: PR #169 (closed, unmerged)
+
+PR #169 implemented an `expose_decision_tools` config gate. Maintainer
+review (plind-junior, COLLABORATOR) on 2026-06-09 requested changes:
+
+> **[blocking]** the guard in `handle_request` duplicates the one already
+> inside `_h_approve`/`_h_reject`... the `except Exception` fallback inside
+> the new block silently swallows *any* unexpected error ... and returns
+> `method_not_found` instead of `internal_error`, hiding the real cause.
+
+> **[non-blocking]** `decision_tools_enabled` returns `True` for two
+> independent conditions: `expose_decision_tools: true` **or**
+> `approver_role: trusted-agent`. The `approver_role` path is not mentioned
+> in the updated docs... If vestigial, removing it avoids a hidden unlock
+> path.
+
+The PR was closed on 2026-06-09 without those changes being made.
+
+Conclusion: genuinely open, unfixed, and security-relevant. A resubmission
+should implement a single non-duplicated gate check and either document or
+remove the `approver_role: trusted-agent` bypass, per the maintainer's own
+review notes above.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml
new file mode 100644
index 0000000..0f45647
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml
@@ -0,0 +1,15 @@
+id: 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/168
+title: 'vouchdev/vouch issue #168 + closed PR #169 (unmerged)'
+hash: 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 1846
+media_type: text/plain
+created_at: '2026-07-04T06:11:18.592619Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content
new file mode 100644
index 0000000..31ae07b
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content
@@ -0,0 +1,29 @@
+# vouchdev/vouch issue #166
+
+Title: [Bug] Bundle import can overwrite the audit log
+Author: jonathanchang31
+State on GitHub at audit time: OPEN
+
+## Fix merged via PR #183
+
+PR #167 (closed, unmerged — GitHub does not allow re-targeting a closed PR's
+base branch) was replaced by PR #183, "fix:bundle import can overwrite the
+audit log", merged 2026-06-09.
+
+Merge commit found on upstream/main and upstream/test:
+6d53c9989ec42f199cb3735ddd82caf3122b6267
+Merge pull request #183 from jonathanchang31/fix/bundle-import-overwrite-audit-log
+
+Verified with:
+ $ git show upstream/main:src/vouch/bundle.py | grep -n "FORBIDDEN_SAFETY_FLAGS\|has_audit_log"
+ 49:FORBIDDEN_SAFETY_FLAGS = {
+ 52: "has_audit_log": "audit.log.jsonl",
+ 113: "has_audit_log": False,
+ 164: if name == "audit.log.jsonl":
+ ...
+ (identical result against upstream/test)
+
+Conclusion: fixed and merged into both main and test. The GitHub issue is
+still open — the merge did not auto-close it (likely because the merge
+landed via a squash/merge-pull-request commit rather than a linked
+"Fixes #166" commit message on the default branch at merge time).
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml
new file mode 100644
index 0000000..9ca2818
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml
@@ -0,0 +1,15 @@
+id: 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/166
+title: 'vouchdev/vouch issue #166 + merged PR #183'
+hash: 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 1139
+media_type: text/plain
+created_at: '2026-07-04T06:11:12.413960Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content
new file mode 100644
index 0000000..19c3acc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content
@@ -0,0 +1,7 @@
+# Vouch starter source
+
+This starter source is created by `vouch init` so new users can see how a
+reviewed claim cites durable evidence.
+
+Keep facts small, cite their sources, and approve only the knowledge you want
+future agents to retrieve.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml
new file mode 100644
index 0000000..ced8fb8
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml
@@ -0,0 +1,17 @@
+id: be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2
+type: message
+locator: vouch:init
+title: Vouch starter source
+hash: be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 243
+media_type: text/markdown
+created_at: '2026-07-04T06:10:25.977586Z'
+metadata: {}
+tags:
+- vouch
+- onboarding
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content
new file mode 100644
index 0000000..763b30f
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content
@@ -0,0 +1,18 @@
+# vouchdev/vouch issue #80
+
+Title: bug: import_check accepts bundles whose manifest lists files missing
+ from the tarball (no issue raised)
+Author: galuis116
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+f558fd0fdc5fb071cca34f941be7ee522b03104f 2026-05-25
+fix(bundle): reject import of bundles whose manifest lists files missing
+from tarball (#80)
+
+Verified with:
+ $ git log --oneline -E --grep="#80([^0-9]|$)" upstream/main
+ f558fd0 fix(bundle): reject import of bundles whose manifest lists files missing from tarball (#80)
+
+Conclusion: fixed on main. The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml
new file mode 100644
index 0000000..143e703
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml
@@ -0,0 +1,15 @@
+id: c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/80
+title: 'vouchdev/vouch issue #80 + fix commit f558fd0'
+hash: c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 624
+media_type: text/plain
+created_at: '2026-07-04T06:10:39.004547Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content
new file mode 100644
index 0000000..5ca6d5f
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content
@@ -0,0 +1,18 @@
+# vouchdev/vouch issue #94
+
+Title: feat: HTTP transport for `vouch serve` (`--transport http`) [VEP]
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+2827a7491a7816a1b1f2e325478237d0ef99df28 2026-05-28
+feat(serve): add HTTP transport for vouch serve --transport http (#94)
+
+Verified with:
+ $ git log --oneline -E --grep="#94([^0-9]|$)" upstream/main
+ 2827a74 feat(serve): add HTTP transport for vouch serve --transport http (#94)
+
+Conclusion: fixed on main, despite the [VEP] tag in the issue title (a VEP
+was apparently handled inline rather than blocking). The GitHub issue is
+still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml
new file mode 100644
index 0000000..9663b9c
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml
@@ -0,0 +1,15 @@
+id: c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/94
+title: 'vouchdev/vouch issue #94 + fix commit 2827a74'
+hash: c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 656
+media_type: text/plain
+created_at: '2026-07-04T06:10:55.377988Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content
new file mode 100644
index 0000000..cda2943
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content
@@ -0,0 +1,21 @@
+# vouchdev/vouch issue #189
+
+Title: Richer scopes on Claim/Source: (visibility, project, agent) retrieval
+ filtering (VEP-0005)
+Author: jsdevninja
+State on GitHub at audit time: OPEN
+
+## No matching commit
+
+ $ git log --oneline -E --grep="#189([^0-9]|$)" upstream/main upstream/test
+ (no output)
+
+Related: issue #100 asked for the VEP-0005 *proposal document*, which was
+written (commit 0dba232, see issue-100.md in this KB). This issue (#189) is
+the separate tracking issue for the actual (visibility, project, agent)
+scoping *implementation*. No open PR currently references "Closes #189" /
+"Fixes #189" / "Resolves #189" either (checked against all open PR bodies
+on vouchdev/vouch at audit time).
+
+Conclusion: genuinely open and unclaimed — the VEP was drafted but the
+feature it describes has not been implemented.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml
new file mode 100644
index 0000000..b48f515
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml
@@ -0,0 +1,15 @@
+id: dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/189
+title: 'vouchdev/vouch issue #189 (no fix found) + contrast with issue #100'
+hash: dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 830
+media_type: text/plain
+created_at: '2026-07-04T06:11:08.819493Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content
new file mode 100644
index 0000000..3d93236
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content
@@ -0,0 +1,22 @@
+# vouchdev/vouch issue #92
+
+Title: bug: `_retrieve` ignores `retrieval.backends` config and hardcodes
+ embeddings-primary
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+fb4b326254694645e255bc9884a877f42f287cfd 2026-05-26
+fix(context): honor retrieval.backend config instead of hardcoding
+embeddings (#92)
+
+Verified with:
+ $ git log --oneline -E --grep="#92([^0-9]|$)" upstream/main
+ fb4b326 fix(context): honor retrieval.backend config instead of hardcoding embeddings (#92)
+
+Corroborated by reading src/vouch/context.py directly: `_configured_backend()`
+reads `retrieval.backend` (with a legacy `retrieval.backends` list fallback)
+and `_retrieve()` branches on `auto|embedding|fts5|substring`.
+
+Conclusion: fixed on main. The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml
new file mode 100644
index 0000000..933d89a
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml
@@ -0,0 +1,15 @@
+id: e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/92
+title: 'vouchdev/vouch issue #92 + fix commit fb4b326'
+hash: e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 828
+media_type: text/plain
+created_at: '2026-07-04T06:10:44.961349Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content
new file mode 100644
index 0000000..8df3202
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content
@@ -0,0 +1,23 @@
+# vouchdev/vouch issue #78
+
+Title: bug: kb.context returns archived/superseded claims; lifecycle
+ mutations never re-index FTS5 status
+Author: galuis116
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+0708c743ea2aacea1e820c8be60ceac0fd563dc7 2026-05-25
+fix(context,storage): exclude retracted claims from kb.context and reindex
+FTS5 on update (#78)
+
+Verified with:
+ $ git log --oneline -E --grep="#78([^0-9]|$)" upstream/main
+ 0708c74 fix(context,storage): exclude retracted claims from kb.context and reindex FTS5 on update (#78)
+
+Corroborated by reading src/vouch/context.py directly: `_RETRACTED_CLAIM_STATUSES`
+(ARCHIVED, SUPERSEDED, REDACTED) is defined and referenced as a filter, with a
+comment: "Any retrieval surface that hands knowledge back to an agent must
+exclude these — otherwise the archive/supersede/redact controls are decorative."
+
+Conclusion: fixed on main. The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml
new file mode 100644
index 0000000..0013e98
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml
@@ -0,0 +1,15 @@
+id: efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/78
+title: 'vouchdev/vouch issue #78 + fix commit 0708c74'
+hash: efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 948
+media_type: text/plain
+created_at: '2026-07-04T06:10:34.304171Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content
new file mode 100644
index 0000000..8ad14be
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content
@@ -0,0 +1,21 @@
+# vouchdev/vouch issue #93
+
+Title: feat: `vouch approve --batch` for scriptable bulk approval
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+e7df0475328cdecf4918983cec6c127e4553b7e3 2026-05-26
+feat(cli): vouch approve accepts multiple ids for scriptable bulk approval (#93)
+
+Verified with:
+ $ git log --oneline -E --grep="#93([^0-9]|$)" upstream/main
+ e7df047 feat(cli): vouch approve accepts multiple ids for scriptable bulk approval (#93)
+
+Corroborated by `vouch approve --help` on the installed 1.1.0 CLI:
+"Pass several ids to approve a batch in one call ... One audit event is
+recorded per approved artifact." Both --keep-going (best-effort) and the
+default all-or-nothing precheck are implemented.
+
+Conclusion: fixed on main. The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml
new file mode 100644
index 0000000..15ce6fc
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml
@@ -0,0 +1,15 @@
+id: f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/93
+title: 'vouchdev/vouch issue #93 + fix commit e7df047'
+hash: f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 830
+media_type: text/plain
+created_at: '2026-07-04T06:10:50.554665Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content
new file mode 100644
index 0000000..381c136
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content
@@ -0,0 +1,24 @@
+# vouchdev/vouch issue #100
+
+Title: feat: richer scopes on Claim/Source — `(visibility, project, agent)` [VEP]
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Commit found on upstream/main
+
+0dba23287f6d9f8fb5a036a7c344793734f5bd92 2026-05-26
+docs(proposals): add VEP-0005 richer scopes on Claim/Source (draft) (#100)
+
+Verified with:
+ $ git log --oneline -E --grep="#100([^0-9]|$)" upstream/main
+ 0dba232 docs(proposals): add VEP-0005 richer scopes on Claim/Source (draft) (#100)
+
+Important nuance (see issue #189 in this same KB): this commit only adds the
+VEP-0005 *proposal document*. It is not an implementation. Issue #189
+("Richer scopes on Claim/Source ... (VEP-0005)") is the tracking issue for
+the actual feature and, as of this audit, has no matching commit on main or
+test.
+
+Conclusion: #100 (write the VEP) is done; the underlying feature (#189) is
+not. Both issues are open on GitHub, which is technically correct for #189
+but misleading for #100.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml
new file mode 100644
index 0000000..78b64d0
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml
@@ -0,0 +1,15 @@
+id: f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/100
+title: 'vouchdev/vouch issue #100 + commit 0dba232, contrast with issue #189'
+hash: f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 993
+media_type: text/plain
+created_at: '2026-07-04T06:11:03.368195Z'
+metadata: {}
+tags: []
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content
new file mode 100644
index 0000000..fbcd76f
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content
@@ -0,0 +1,16 @@
+# vouchdev/vouch issue #95
+
+Title: ux: `vouch serve` should fail clearly when no `.vouch/` KB is present
+Author: plind-junior (COLLABORATOR)
+State on GitHub at audit time: OPEN
+
+## Fix commit found on upstream/main
+
+1af95216f86cf2473045f2a633167a4b13f5f581 2026-05-29
+fix: vouch serve fails fast with clear hint when no KB is present (#95)
+
+Verified with:
+ $ git log --oneline -E --grep="#95([^0-9]|$)" upstream/main
+ 1af9521 fix: vouch serve fails fast with clear hint when no KB is present (#95)
+
+Conclusion: fixed on main. The GitHub issue is still open.
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml
new file mode 100644
index 0000000..767e9b1
--- /dev/null
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml
@@ -0,0 +1,15 @@
+id: f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3
+type: issue
+locator: https://github.com/vouchdev/vouch/issues/95
+title: 'vouchdev/vouch issue #95 + fix commit 1af9521'
+hash: f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3
+immutable: true
+scope:
+ visibility: project
+ project: null
+ agent: null
+byte_size: 561
+media_type: text/plain
+created_at: '2026-07-04T06:10:58.611868Z'
+metadata: {}
+tags: []