From 9aae74b1d2c0beac6f01c92022eec892a36af367 Mon Sep 17 00:00:00 2001 
From: Jonathanchang31 <55106972+jonathanchang31@users.noreply.github.com>
Date: Sat, 4 Jul 2026 08:33:01 +0200
Subject: [PATCH 1/2] docs(examples): community example — vouchdev/vouch issue-tracker audit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds examples/community/vouch-issue-tracker-audit/, a real vouch KB built by cross-referencing every open issue on vouchdev/vouch against upstream/main and upstream/test for a resolving commit.

13 of the 93 open issues checked turned out to be already fixed but left open on GitHub, or genuinely open and unclaimed; one (#168, cross-agent approval bypassing the review gate) is still unfixed and security-relevant, with a prior maintainer review on record describing exactly what a correct fix needs. A 14th finding, a real bug in `vouch source add --url`, surfaced while building the KB itself.

Every claim is proposed and approved through the real CLI and cited to a source file containing the actual evidence (git log output, direct code reads, or a maintainer's PR review comment) — no hand-authored artifacts.

Closes #338.
--- CHANGELOG.md | 7 + docs/img/examples/community/audit-log.svg | 20 +++ docs/img/examples/community/audit-search.svg | 13 ++ docs/img/examples/community/audit-show.svg | 42 +++++ docs/img/examples/community/audit-status.svg | 14 ++ examples/README.md | 11 ++ .../vouch-issue-tracker-audit/README.md | 68 ++++++++ .../vouch/audit.log.jsonl | 92 +++++++++++ .../vouch-starter-reviewed-knowledge.yaml | 23 +++ ...0-feat-richer-scopes-on-claim-source-.yaml | 26 +++ ...6-bundle-import-can-overwrite-the-aud.yaml | 26 +++ ...8-critical-agent-transport-allows-cro.yaml | 30 ++++ ...9-richer-scopes-on-claim-source-per-v.yaml | 24 +++ ...-epic-make-vouch-friendlier-and-more-.yaml | 25 +++ ...-crystallize-bypasses-the-review-gate.yaml | 26 +++ ...-kb-context-returns-archived-supersed.yaml | 25 +++ ...-import-check-accepts-bundles-whose-m.yaml | 24 +++ ...-claim-model-has-no-min-evidence-vali.yaml | 25 +++ ...-retrieve-ignores-retrieval-backends-.yaml | 25 +++ ...-feat-vouch-approve-batch-for-scripta.yaml | 25 +++ ...-feat-http-transport-for-vouch-serve-.yaml | 24 +++ ...-vouch-serve-should-fail-clearly-when.yaml | 23 +++ ...uch-source-add-path-url-url-silently-.yaml | 29 ++++ .../vouch/config.yaml | 19 +++ .../decided/20260704-061029-8ae22018.yaml | 26 +++ .../decided/20260704-061032-e2c77208.yaml | 26 +++ .../decided/20260704-061036-8e0faea0.yaml | 25 +++ .../decided/20260704-061040-ef56c928.yaml | 23 +++ .../decided/20260704-061043-57bfb8a4.yaml | 25 +++ .../decided/20260704-061047-bf405cfc.yaml | 26 +++ .../decided/20260704-061052-7c202c7a.yaml | 25 +++ .../decided/20260704-061056-e8724ce8.yaml | 24 +++ .../decided/20260704-061100-29c5dca4.yaml | 23 +++ .../decided/20260704-061106-eb27e9fd.yaml | 27 +++ .../decided/20260704-061110-f4c09773.yaml | 25 +++ .../decided/20260704-061116-082830a4.yaml | 26 +++ .../decided/20260704-061119-0680e882.yaml | 31 ++++ .../decided/20260704-061425-808652d7.yaml | 27 +++ .../decided/20260704-061428-2ecdb562.yaml | 27 +++ 
.../decided/20260704-061432-51a7ca63.yaml | 26 +++ .../decided/20260704-061435-44efb4a8.yaml | 24 +++ .../decided/20260704-061438-7249c426.yaml | 26 +++ .../decided/20260704-061441-f33ed406.yaml | 27 +++ .../decided/20260704-061445-267a62ab.yaml | 26 +++ .../decided/20260704-061448-9e9bb439.yaml | 25 +++ .../decided/20260704-061454-49cfcfc0.yaml | 24 +++ .../decided/20260704-061500-9c95a168.yaml | 28 ++++ .../decided/20260704-061505-a91c3897.yaml | 26 +++ .../decided/20260704-061511-995c6f4d.yaml | 27 +++ .../decided/20260704-061515-0e132b51.yaml | 32 ++++ .../decided/20260704-061640-20537c0f.yaml | 124 ++++++++++++++ .../decided/20260704-062209-21e9b7a4.yaml | 30 ++++ .../decided/20260704-062448-4d9f894f.yaml | 156 ++++++++++++++++++ .../vouch/pages/edit-in-obsidian.md | 36 ++++ ...ssue-tracker-audit-2026-07-04-rev-2-14-.md | 85 ++++++++++ ...uch-open-issue-tracker-audit-2026-07-04.md | 68 ++++++++ .../vouch/schema_version | 1 + .../content | 53 ++++++ .../meta.yaml | 15 ++ .../content | 20 +++ .../meta.yaml | 15 ++ .../content | 19 +++ .../meta.yaml | 15 ++ .../content | 19 +++ .../meta.yaml | 15 ++ .../content | 42 +++++ .../meta.yaml | 15 ++ .../content | 29 ++++ .../meta.yaml | 15 ++ .../content | 7 + .../meta.yaml | 17 ++ .../content | 18 ++ .../meta.yaml | 15 ++ .../content | 18 ++ .../meta.yaml | 15 ++ .../content | 21 +++ .../meta.yaml | 15 ++ .../content | 22 +++ .../meta.yaml | 15 ++ .../content | 23 +++ .../meta.yaml | 15 ++ .../content | 21 +++ .../meta.yaml | 15 ++ .../content | 24 +++ .../meta.yaml | 15 ++ .../content | 16 ++ .../meta.yaml | 15 ++ 87 files changed, 2422 insertions(+) create mode 100644 docs/img/examples/community/audit-log.svg create mode 100644 docs/img/examples/community/audit-search.svg create mode 100644 docs/img/examples/community/audit-show.svg create mode 100644 docs/img/examples/community/audit-status.svg create mode 100644 examples/community/vouch-issue-tracker-audit/README.md create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/config.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/schema_version create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml create mode 100644 
examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content create mode 100644 examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 523eb81..aa92845 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,13 @@ All notable changes to vouch are documented here. Format follows ## [Unreleased] +### Added +- `examples/community/vouch-issue-tracker-audit/`: a community example KB + (issue #338) auditing vouchdev/vouch's own open-issue tracker for + staleness — which open issues are already fixed upstream and which are + genuinely open, plus one live security bug (#168) and one bug in `vouch + source add --url` found while building the KB. + ## [1.1.0] — 2026-07-03 ### Added diff --git a/docs/img/examples/community/audit-log.svg b/docs/img/examples/community/audit-log.svg new file mode 100644 index 0000000..8ae5363 --- /dev/null +++ b/docs/img/examples/community/audit-log.svg 
@@ -0,0 +1,20 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch audit --tail 10 +$ vouch audit --tail 10 +2026-07-04T06:17:24.668152+00:00 proposal.page.approve by jonathanchang31 objects=['20260704-061640-20537c0f', 'vouchdev-vouch-open-issue-tracker-audit-2026-07-04'] +2026-07-04T06:17:37.109152+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:22:08.321798+00:00 source.add by claude-code-audit objects=['14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd'] +2026-07-04T06:22:09.353069+00:00 proposal.claim.create by claude-code-audit objects=['20260704-062209-21e9b7a4'] +2026-07-04T06:22:11.611776+00:00 proposal.claim.approve by jonathanchang31 objects=['20260704-062209-21e9b7a4', 'vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-'] +2026-07-04T06:22:47.109098+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:22:51.574949+00:00 source.verify by vouch-verify objects=[] +2026-07-04T06:24:48.022905+00:00 proposal.page.create by claude-code-audit objects=['20260704-062448-4d9f894f'] +2026-07-04T06:24:49.072776+00:00 proposal.page.approve by jonathanchang31 objects=['20260704-062448-4d9f894f', 'vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-'] +2026-07-04T06:24:59.488805+00:00 source.verify by vouch-verify objects=[] + diff --git a/docs/img/examples/community/audit-search.svg b/docs/img/examples/community/audit-search.svg new file mode 100644 index 0000000..f74c3b9 --- /dev/null +++ b/docs/img/examples/community/audit-search.svg 
@@ -0,0 +1,13 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch search cross-agent +$ vouch search cross-agent +claim/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro …agent transport allows «cross-agent» approval) is still unfixed on both main and test: kb.approve… (fts5) +page/vouchdev-vouch-open-issue-tracker-audit-2026-07-04 vouchdev/vouch open-issue tracker audit — 2026-07-04 (fts5) +page/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) (fts5) + diff --git a/docs/img/examples/community/audit-show.svg b/docs/img/examples/community/audit-show.svg new file mode 100644 index 0000000..5f8c7d7 --- /dev/null +++ b/docs/img/examples/community/audit-show.svg 
@@ -0,0 +1,42 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch show (issue #168 finding) +$ vouch show 20260704-061515-0e132b51 +id: 20260704-061515-0e132b51 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:15.581538Z' +payload: + id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval) + is still unfixed on both main and test: kb.approve/kb.reject are registered on + the JSONL transport with no expose_decision_tools trust gate, and the only check + is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a + maintainer requested changes: remove the duplicated handle_request guard whose + broad except-Exception swallows real errors, and document or remove the undocumented + approver_role: trusted-agent bypass.' + type: fact + confidence: 0.95 + evidence: + - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc + entities: [] + tags: + - live-bug + - codebase-audit + - security + - needs-pr +rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged + security gap, with the maintainer''s exact acceptance criteria already on record + in PR #169.' +status: approved +decided_at: '2026-07-04T06:15:29.902048Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' + diff --git a/docs/img/examples/community/audit-status.svg b/docs/img/examples/community/audit-status.svg new file mode 100644 index 0000000..2f04aaa --- /dev/null +++ b/docs/img/examples/community/audit-status.svg @@ -0,0 +1,14 @@ + + + + + + + +vouch-issue-tracker-audit/ — vouch status +$ vouch status +KB at /your/project/.vouch + durable: 15 claims • 3 pages • 15 sources • 0 entities • 0 relations + pending: 0 proposals + audit: 92 events • index: present + 
diff --git a/examples/README.md b/examples/README.md index a70d7fa..2b00d93 100644 --- a/examples/README.md +++ b/examples/README.md @@ -57,6 +57,17 @@ The snapshot KBs ship with everything already in `claims/`, `pages/`, etc. — they're "post-approval" snapshots. There are no `proposed/` entries because proposals are local-only by nature. +## Community examples + +Real vouch KBs from real use, submitted per [issue #338](https://github.com/vouchdev/vouch/issues/338). +Unlike the shipped snapshots above, these aren't required to be +byte-for-byte re-renderable — just honest: every claim traceable through +`audit.log.jsonl` to an actual `propose → approve` decision. + +| Example | Topic | Size | +|---|---|---| +| [community/vouch-issue-tracker-audit/](community/vouch-issue-tracker-audit/) | A codebase-hygiene audit of vouchdev/vouch's own open-issue tracker — which open issues are already fixed upstream, which are genuinely open, and one live security bug found along the way | 15 claims, 3 pages, 15 sources | + ## Runnable flows Each of these is a script that builds a throwaway KB in `$(mktemp -d)`, diff --git a/examples/community/vouch-issue-tracker-audit/README.md b/examples/community/vouch-issue-tracker-audit/README.md new file mode 100644 index 0000000..b90a94d --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/README.md 
@@ -0,0 +1,68 @@ +# vouch-issue-tracker-audit/ + +A real `vouch` knowledge base built while auditing `vouchdev/vouch`'s own +GitHub issue tracker for staleness. It's a "codebase-audit" style KB +(findings → claims, cited to evidence) rather than a project's living +documentation, submitted for issue [#338](https://github.com/vouchdev/vouch/issues/338). + +- **Host:** Claude Code, driving the real `vouch` CLI (v1.1.0) directly — + `vouch init`, `vouch source add`, `vouch propose-claim`, `vouch approve`, + `vouch propose-page`, `vouch reindex`, `vouch doctor`. +- **What it's used for:** every open issue on `vouchdev/vouch` (93 at audit + time) was checked against `git log --grep` on `upstream/main` and + `upstream/test` for a commit resolving it, then spot-checked by reading the + relevant source directly. 13 of the resulting findings are proposed claims, + each cited to a source file containing the real evidence (a `git log` + transcript, a code excerpt, or an actual maintainer PR-review comment + copied from GitHub). A 14th finding — a real bug in `vouch source add + --url` — surfaced while building this very KB and is included too. + +## What to look at first + +1. [vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md](vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md) — + the findings table and method, current revision. +2. [vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml](vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml) — + the one still-unfixed, security-relevant finding, with a maintainer's + review notes on record from a prior closed PR. +3. [vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml](vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml) — + the self-found bug in the tool used to build this KB. +4. 
[vouch/audit.log.jsonl](vouch/audit.log.jsonl) — the full trail: 13 + claims proposed, all 13 first rejected (wrong `--type` value), all 13 + resubmitted correctly and approved, a summary page approved, a 14th claim + added, and a revised page approved. Nothing here was hand-written into + `claims/` or `decided/` directly — every artifact went through + `propose-* → approve`/`reject`. + +## See it in action + +After `cp -r examples/community/vouch-issue-tracker-audit/vouch ./.vouch && +vouch reindex`, here's what the CLI shows against this KB: + +`vouch status` — artifact counts and the audit-event total: + +vouch status on the issue-tracker-audit example + +`vouch search cross-agent` — retrieval surfacing the live #168 finding: + +vouch search cross-agent on the issue-tracker-audit example + +`vouch show` on the #168 finding's decided proposal — full citation, +rationale, and decision metadata: + +vouch show on the issue-tracker-audit example + +`vouch audit --tail 10` — the reject-then-rework and page-revision trail: + +vouch audit tail on the issue-tracker-audit example + +## What this example is *not* + +- Not a teaching fixture — every claim, source, and audit event here is the + byproduct of a real `vouch` session, not hand-authored YAML. +- Not exhaustive — the audit covered issues without an in-flight open PR; + issues already claimed by another contributor's PR were excluded up front + rather than re-checked. +- Not a fix for #168 or the `source add --url` bug — this KB documents them + as findings with enough evidence for someone (possibly the same + contributor, in a follow-up PR) to act on. Bundling a code fix into this + PR would violate `CONTRIBUTING.md`'s "one concern per PR." diff --git a/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl b/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl new file mode 100644 index 0000000..cc9ee73 --- /dev/null 
+++ b/examples/community/vouch-issue-tracker-audit/vouch/audit.log.jsonl 
@@ -0,0 +1,92 @@ +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:26.405000Z","data":{},"dry_run":false,"event":"kb.init","hash":"b8bbc2b761816d327972d943cbadf0a1e1819f02b16e7b5ef76cf6defa1c0296","id":"951ac530a5074be59a2a7e85dafbcb69","object_ids":[],"prev_hash":"0000000000000000000000000000000000000000000000000000000000000000","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:27.588515Z","data":{},"dry_run":false,"event":"source.add","hash":"95dc23fa58665e4bdb30c877b49b415eaf84baa6c05a17adbba91d5a6675602e","id":"33007d67b1af472a91b36855bc5af1d9","object_ids":["31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98"],"prev_hash":"b8bbc2b761816d327972d943cbadf0a1e1819f02b16e7b5ef76cf6defa1c0296","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:29.356029Z","data":{"slug_hint":"vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"},"dry_run":false,"event":"proposal.claim.create","hash":"043690072bf9d5dc34412f0a4d5b2193ab4b284444e26adb09ac4d2dbc2560da","id":"faaa97cae1ef4a5c9a88e8cbf02b72b3","object_ids":["20260704-061029-8ae22018"],"prev_hash":"95dc23fa58665e4bdb30c877b49b415eaf84baa6c05a17adbba91d5a6675602e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:31.114382Z","data":{},"dry_run":false,"event":"source.add","hash":"32d15ff7f3ea7242376d3ae3092340495af395deed92fd4639ded690f39a6c9e","id":"339803f4c4ab45f38bb5b711882058f0","object_ids":["2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025"],"prev_hash":"043690072bf9d5dc34412f0a4d5b2193ab4b284444e26adb09ac4d2dbc2560da","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:32.994225Z","data":{"slug_hint":"vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"},"dry_run":false,"event":"proposal.claim.create","hash":"1afbaa718b75c271384025665219c626667ff6d81218ba4bc553f5e71a11e4e4","id":"2f6d7033ed044201b1a810f8eda83c5b","object_ids":["20260704-061032-e2c77208"],"prev_hash":"32d15ff7f3ea7242376d3ae3092340495af395deed92fd4639ded690f39a6c9e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:34.313940Z","data":{},"dry_run":false,"event":"source.add","hash":"ad340dbdcc5c4ea46c971f122359c95e906e08f10df6c9ee71015c845d431b94","id":"a80eecaff4f843d9b65d7228c300c61a","object_ids":["efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27"],"prev_hash":"1afbaa718b75c271384025665219c626667ff6d81218ba4bc553f5e71a11e4e4","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:36.488266Z","data":{"slug_hint":"vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"},"dry_run":false,"event":"proposal.claim.create","hash":"edc480cc066f668931c4221e23d1500eec27c9ffb05110b71512488d091bc807","id":"5afd4793f0bf4a9e85ad4e0f84bc3f7b","object_ids":["20260704-061036-8e0faea0"],"prev_hash":"ad340dbdcc5c4ea46c971f122359c95e906e08f10df6c9ee71015c845d431b94","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:39.008445Z","data":{},"dry_run":false,"event":"source.add","hash":"547683f98dc8793c4d819a011e7588724abf659fc81658f0d0969062668509dd","id":"ac3df4f49aac4cd4b525b00ef7402329","object_ids":["c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424"],"prev_hash":"edc480cc066f668931c4221e23d1500eec27c9ffb05110b71512488d091bc807","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:40.684027Z","data":{"slug_hint":"vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"},"dry_run":false,"event":"proposal.claim.create","hash":"16e8c885fc905fc0c4666a77229f96ee4b2252dc2c356c89dce711e4b66cb784","id":"cd61626590e04b39b4b25b69df5f7d0c","object_ids":["20260704-061040-ef56c928"],"prev_hash":"547683f98dc8793c4d819a011e7588724abf659fc81658f0d0969062668509dd","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:41.813621Z","data":{},"dry_run":false,"event":"source.add","hash":"35262a78dfb6d8ae7bde061aca3993585bab625957377675869602c2521364dd","id":"6f487c9c00874b359bb8e47fb061ccff","object_ids":["4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a"],"prev_hash":"16e8c885fc905fc0c4666a77229f96ee4b2252dc2c356c89dce711e4b66cb784","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:43.446546Z","data":{"slug_hint":"vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"},"dry_run":false,"event":"proposal.claim.create","hash":"f0cd63d41d4f379c515e05970e4b50e84125e5884c31d884a15cff3cee8216cb","id":"45f466aa0b9c48778fe8bfc93fb44782","object_ids":["20260704-061043-57bfb8a4"],"prev_hash":"35262a78dfb6d8ae7bde061aca3993585bab625957377675869602c2521364dd","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:44.989326Z","data":{},"dry_run":false,"event":"source.add","hash":"a2d1c764c8c4937ebb25b6f5e7c264fb6741a5c11b3823ecf25ece117fade104","id":"0afa344be06d401fb153aa8d80100ded","object_ids":["e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d"],"prev_hash":"f0cd63d41d4f379c515e05970e4b50e84125e5884c31d884a15cff3cee8216cb","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:47.342473Z","data":{"slug_hint":"vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"},"dry_run":false,"event":"proposal.claim.create","hash":"313a66e460091cfd5ebb8de2e4751a8dd35ee792dc5aa75340a92500bc7e6f87","id":"1e36601fa3a048a9a9dac05e52ed393c","object_ids":["20260704-061047-bf405cfc"],"prev_hash":"a2d1c764c8c4937ebb25b6f5e7c264fb6741a5c11b3823ecf25ece117fade104","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:50.558071Z","data":{},"dry_run":false,"event":"source.add","hash":"2002f84d6ca606d255de765a66a2970eaf68c17f2d0d364bd474a5cdd4c58381","id":"6f2b68fe89444d05991cf8d12374c890","object_ids":["f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068"],"prev_hash":"313a66e460091cfd5ebb8de2e4751a8dd35ee792dc5aa75340a92500bc7e6f87","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:52.709880Z","data":{"slug_hint":"vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"},"dry_run":false,"event":"proposal.claim.create","hash":"8fd0c0da9b01d9a3bfd9c14827a87ae174f05e4ef7939535196153155ac0d99d","id":"e723b927cb624a97b36ee64085d90433","object_ids":["20260704-061052-7c202c7a"],"prev_hash":"2002f84d6ca606d255de765a66a2970eaf68c17f2d0d364bd474a5cdd4c58381","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:55.402108Z","data":{},"dry_run":false,"event":"source.add","hash":"78e0d2f3a6428d5be087227b8c3a11da4223fb3629d49e2a1882ad76fa587257","id":"99ffa5cea58b4c4ea7091de0520c1284","object_ids":["c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7"],"prev_hash":"8fd0c0da9b01d9a3bfd9c14827a87ae174f05e4ef7939535196153155ac0d99d","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:56.784241Z","data":{"slug_hint":"vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"},"dry_run":false,"event":"proposal.claim.create","hash":"afff73cfdba306fb923abc84deee39b3adfcd19f0843957e4f3fcbe467afb9b7","id":"db00944112be4eff930e0071dbb999a6","object_ids":["20260704-061056-e8724ce8"],"prev_hash":"78e0d2f3a6428d5be087227b8c3a11da4223fb3629d49e2a1882ad76fa587257","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:10:58.616023Z","data":{},"dry_run":false,"event":"source.add","hash":"1440693032b7396acd6cc237bd97023af7dba179bfda0907b8a074f7ee2aa430","id":"9746bcdfba5c43e5a5789a556b45f690","object_ids":["f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3"],"prev_hash":"afff73cfdba306fb923abc84deee39b3adfcd19f0843957e4f3fcbe467afb9b7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:00.261101Z","data":{"slug_hint":"vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"},"dry_run":false,"event":"proposal.claim.create","hash":"ff87cac9c872972f1d6bd537ecf8c27d40392f6af91ee844861b7ffbc2d3132e","id":"62f7cbb71e1d425e817ba4b0eb01c83f","object_ids":["20260704-061100-29c5dca4"],"prev_hash":"1440693032b7396acd6cc237bd97023af7dba179bfda0907b8a074f7ee2aa430","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:03.374095Z","data":{},"dry_run":false,"event":"source.add","hash":"3e96f1d523f392b0d97db0a7d58740caefb766d3bd62e8c9a3e0059343728be3","id":"98bd1532562e49a6bcac4107d8e9c23d","object_ids":["f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7"],"prev_hash":"ff87cac9c872972f1d6bd537ecf8c27d40392f6af91ee844861b7ffbc2d3132e","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:06.635277Z","data":{"slug_hint":"vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"},"dry_run":false,"event":"proposal.claim.create","hash":"3e01aaecebc6f2eeac4ab7d395b38544b61a70192fe4550fccf068bf8c8a34b2","id":"6b69f77a09f043c4a0372bbec78a0f8b","object_ids":["20260704-061106-eb27e9fd"],"prev_hash":"3e96f1d523f392b0d97db0a7d58740caefb766d3bd62e8c9a3e0059343728be3","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:08.823689Z","data":{},"dry_run":false,"event":"source.add","hash":"773218999807905c3d4c5a4d898c43f786c7aeb0b8cd06070bbea584e0119266","id":"47dcacc9ac39409e9fd23efb5b518171","object_ids":["dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50"],"prev_hash":"3e01aaecebc6f2eeac4ab7d395b38544b61a70192fe4550fccf068bf8c8a34b2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:10.739916Z","data":{"slug_hint":"vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"},"dry_run":false,"event":"proposal.claim.create","hash":"28ccacb499593642d0c6acaa2e4937a47796af158b45a4b60e0d8a2c9cefc220","id":"40a2a99880bf4ec199970ded12816ca6","object_ids":["20260704-061110-f4c09773"],"prev_hash":"773218999807905c3d4c5a4d898c43f786c7aeb0b8cd06070bbea584e0119266","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:12.422080Z","data":{},"dry_run":false,"event":"source.add","hash":"bb6d88d0b714d24ef19034e6291e06721baf13a6da20c067b5800e405a46c5f9","id":"0b5e1152dce7466593009e1ab4ce6a9f","object_ids":["9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292"],"prev_hash":"28ccacb499593642d0c6acaa2e4937a47796af158b45a4b60e0d8a2c9cefc220","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:16.776400Z","data":{"slug_hint":"vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"},"dry_run":false,"event":"proposal.claim.create","hash":"bbd554bec88049c4298c3667355fb66ba9bce5af2503606f11c6267e3b9b7e5e","id":"54d9642af95f405bb64a3797ac63cce2","object_ids":["20260704-061116-082830a4"],"prev_hash":"bb6d88d0b714d24ef19034e6291e06721baf13a6da20c067b5800e405a46c5f9","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:18.603758Z","data":{},"dry_run":false,"event":"source.add","hash":"f20be39873659bcf1ec0bdb0abcaaabcb1961a892887aaeca134635512727e35","id":"55bdfaf6269b4be29403b5cd202a57b6","object_ids":["77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc"],"prev_hash":"bbd554bec88049c4298c3667355fb66ba9bce5af2503606f11c6267e3b9b7e5e","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:11:19.905456Z","data":{"slug_hint":"vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"},"dry_run":false,"event":"proposal.claim.create","hash":"0ee8a00ad2b5887f0ef56eb0f8271af909e38aedd1cb808c022b240a8e0969d4","id":"75c7ac60c79e4bd484ff4b51a868bd4b","object_ids":["20260704-061119-0680e882"],"prev_hash":"f20be39873659bcf1ec0bdb0abcaaabcb1961a892887aaeca134635512727e35","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:13:22.349152Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"370d69b9e6a6f29870aa5de83d7edce212181c1b899209456fe0c414369f702d","id":"3ffe027eebee41d6a58389e01a48bae9","object_ids":[],"prev_hash":"0ee8a00ad2b5887f0ef56eb0f8271af909e38aedd1cb808c022b240a8e0969d4","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:36.870162Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"5b813593610123435f4904fe36b6d6409516e51cb9266d508e7d075423b2b4d8","id":"89ab8895490d4de680e34d653ea968ef","object_ids":["20260704-061029-8ae22018"],"prev_hash":"370d69b9e6a6f29870aa5de83d7edce212181c1b899209456fe0c414369f702d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:39.254544Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"1903385b00639ebe41591b33d5faf1c3860b7e47f6ea6c28529074ae311364ac","id":"9b0b07376eed49c1979fee8bc5290e51","object_ids":["20260704-061032-e2c77208"],"prev_hash":"5b813593610123435f4904fe36b6d6409516e51cb9266d508e7d075423b2b4d8","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:41.225199Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"f9b758c5f4823c3a4776ccae5770cd1009878b67a87eb804983c3ed1247f44bd","id":"e67b0d8175204449b4b7e2917def14db","object_ids":["20260704-061036-8e0faea0"],"prev_hash":"1903385b00639ebe41591b33d5faf1c3860b7e47f6ea6c28529074ae311364ac","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:43.258889Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"a5ff272032ea9e2fe8440e86912991cfb2244f46599382b873a3cba2a8931db0","id":"6a43e5b009534df481da94c0c3639191","object_ids":["20260704-061040-ef56c928"],"prev_hash":"f9b758c5f4823c3a4776ccae5770cd1009878b67a87eb804983c3ed1247f44bd","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:47.426509Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"a517dab28078fba46b43061ce0b290c05958967628b5e9a08b8f03fa9bd6b1ac","id":"c8ce7931885642a4b042f63074a9c436","object_ids":["20260704-061043-57bfb8a4"],"prev_hash":"a5ff272032ea9e2fe8440e86912991cfb2244f46599382b873a3cba2a8931db0","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:49.354601Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"c7a90a6b0d608239639137d4ef56be5e7cf35a0966d1ee95045919ca38d802cc","id":"2aa795612c1b4e68a03fe913629c4136","object_ids":["20260704-061047-bf405cfc"],"prev_hash":"a517dab28078fba46b43061ce0b290c05958967628b5e9a08b8f03fa9bd6b1ac","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:51.531122Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"b109bb1de2f949e4279bf567a5e67507e04cb5376f69455aa6d9cf995a7f5c35","id":"8de11251fb174211acb1df54b7d28c65","object_ids":["20260704-061052-7c202c7a"],"prev_hash":"c7a90a6b0d608239639137d4ef56be5e7cf35a0966d1ee95045919ca38d802cc","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:54.782183Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"3766a46d5f7f08302ea85c2d0de3ca7f98e0ac2d20b6291eb46f00ecdcc9d26e","id":"24f6e0b3df4c4657b77655f77e0608c1","object_ids":["20260704-061056-e8724ce8"],"prev_hash":"b109bb1de2f949e4279bf567a5e67507e04cb5376f69455aa6d9cf995a7f5c35","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:56.153822Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"998b6c95cd89a39e98a58670f0619cc3bf693705948c8fa52adae1f8bdff505b","id":"4e5dac05cb9e42efa9806945f7396989","object_ids":["20260704-061100-29c5dca4"],"prev_hash":"3766a46d5f7f08302ea85c2d0de3ca7f98e0ac2d20b6291eb46f00ecdcc9d26e","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:57.835241Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"21a1af42a32c1797a859244be21cff2968e67b568c388d66c052778207445ba7","id":"48361fc436b941a8bce2d5327eeb095e","object_ids":["20260704-061106-eb27e9fd"],"prev_hash":"998b6c95cd89a39e98a58670f0619cc3bf693705948c8fa52adae1f8bdff505b","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:13:59.275784Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"f27d43af42d8c57cfa9161e00edca8479b22796de8242aaa59919c4917155d5b","id":"33fac97a0c06410a8d39de19fb226301","object_ids":["20260704-061110-f4c09773"],"prev_hash":"21a1af42a32c1797a859244be21cff2968e67b568c388d66c052778207445ba7","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:14:00.539359Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"5c148bb0abc150a8f247526eb5bc2a44821692df9f6796810247859a46b9ce8a","id":"5cb5c73fa100426f95bfdcb3f76b334d","object_ids":["20260704-061116-082830a4"],"prev_hash":"f27d43af42d8c57cfa9161e00edca8479b22796de8242aaa59919c4917155d5b","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:14:03.459488Z","data":{"reason":"invalid claim type 'finding' - resubmitting with valid type 
'fact'"},"dry_run":false,"event":"proposal.claim.reject","hash":"b0afdf0345de8cde89adffad7aa7be87dcd88e6b83f9075e48f0d611419480f2","id":"3cb08009cc9643f5896fe8d67f38f348","object_ids":["20260704-061119-0680e882"],"prev_hash":"5c148bb0abc150a8f247526eb5bc2a44821692df9f6796810247859a46b9ce8a","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:23.935075Z","data":{},"dry_run":false,"event":"source.add","hash":"64616f5fad1acb891bd4f2bd4cc5cb32e0c182479a6f7d780d268702080429e7","id":"cf601044418840b884795c0ecf8c255b","object_ids":["31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98"],"prev_hash":"b0afdf0345de8cde89adffad7aa7be87dcd88e6b83f9075e48f0d611419480f2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:25.466827Z","data":{"slug_hint":"vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"},"dry_run":false,"event":"proposal.claim.create","hash":"aef8e5ada61c7fb9ef6fcd1f85bb7a8d2c7c06654a9b24513b3723334a63f4ab","id":"648d74408cda415088971d99beb4b45e","object_ids":["20260704-061425-808652d7"],"prev_hash":"64616f5fad1acb891bd4f2bd4cc5cb32e0c182479a6f7d780d268702080429e7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:27.118930Z","data":{},"dry_run":false,"event":"source.add","hash":"36a48b5a1ebaa99936bf5c4c6cdf1b449f39c03125017bc7566228b08cd9b434","id":"407796ca73384ca1a57b2b54412a6c1b","object_ids":["2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025"],"prev_hash":"aef8e5ada61c7fb9ef6fcd1f85bb7a8d2c7c06654a9b24513b3723334a63f4ab","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:28.602331Z","data":{"slug_hint":"vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"},"dry_run":false,"event":"proposal.claim.create","hash":"32828b61f01a010f5c7a8db276590d7c8d8247e34f30add02148eac9e6cb4a94","id":"b9f93de115d44922b3e660742bcbb19c","object_ids":["20260704-061428-2ecdb562"],"prev_hash":"36a48b5a1ebaa99936bf5c4c6cdf1b449f39c03125017bc7566228b08cd9b434","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:30.744628Z","data":{},"dry_run":false,"event":"source.add","hash":"42a5f51af9d8341607450f10e6f794a01139e0e40e55e800e3467cce36b85e85","id":"abd776b17b0a4257aae5c9a838009e02","object_ids":["efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27"],"prev_hash":"32828b61f01a010f5c7a8db276590d7c8d8247e34f30add02148eac9e6cb4a94","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:32.026090Z","data":{"slug_hint":"vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"},"dry_run":false,"event":"proposal.claim.create","hash":"9829debb05a365616961e2b9fa9e96b1905556c30009e80bc06223c5348f32bf","id":"846c0260c86642558561b86fc10ddb18","object_ids":["20260704-061432-51a7ca63"],"prev_hash":"42a5f51af9d8341607450f10e6f794a01139e0e40e55e800e3467cce36b85e85","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:33.849146Z","data":{},"dry_run":false,"event":"source.add","hash":"9f077d6053bd4e145b776f9c4fd1a4ea478676e84878404214adbe8eb9c99795","id":"81b93e32f77d4f71800cbe89f1948ede","object_ids":["c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424"],"prev_hash":"9829debb05a365616961e2b9fa9e96b1905556c30009e80bc06223c5348f32bf","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:35.642111Z","data":{"slug_hint":"vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"},"dry_run":false,"event":"proposal.claim.create","hash":"aee933072468fe8f54059305e76fe81bc07d866c7994603cafa6c8d3cca66e81","id":"0e3edbe6362642599376d692cb93d67a","object_ids":["20260704-061435-44efb4a8"],"prev_hash":"9f077d6053bd4e145b776f9c4fd1a4ea478676e84878404214adbe8eb9c99795","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:36.947969Z","data":{},"dry_run":false,"event":"source.add","hash":"4aac94a67d2de37fd628a79ba2d0e8e987aecf3e878df120f8b79eac77713cce","id":"9367bf35d8f04c4e9aa0abcccffbf621","object_ids":["4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a"],"prev_hash":"aee933072468fe8f54059305e76fe81bc07d866c7994603cafa6c8d3cca66e81","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:39.010849Z","data":{"slug_hint":"vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"},"dry_run":false,"event":"proposal.claim.create","hash":"41e80291d0e467746819b3ee084c3007212e5788be2b7a14591d135c99ccf89f","id":"31e46fba653a40468756ea21602f51eb","object_ids":["20260704-061438-7249c426"],"prev_hash":"4aac94a67d2de37fd628a79ba2d0e8e987aecf3e878df120f8b79eac77713cce","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:40.578585Z","data":{},"dry_run":false,"event":"source.add","hash":"4f415f0ab7c82fba6ee1cfc57616d4e8b34272fde4b621929f53b563618fdd90","id":"13064878a2a143b3b7e9c69b6449d0c9","object_ids":["e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d"],"prev_hash":"41e80291d0e467746819b3ee084c3007212e5788be2b7a14591d135c99ccf89f","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:41.556127Z","data":{"slug_hint":"vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"},"dry_run":false,"event":"proposal.claim.create","hash":"a257af7f791d2e931624e217e03e5f7a21a584a8302f054cfafdea3e352ecfae","id":"21d7f992ef8347c796745582522e8495","object_ids":["20260704-061441-f33ed406"],"prev_hash":"4f415f0ab7c82fba6ee1cfc57616d4e8b34272fde4b621929f53b563618fdd90","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:43.798681Z","data":{},"dry_run":false,"event":"source.add","hash":"fcea1d2f2a3229cf10e015b34ae21f5100067007ec9f96924a5c31eeba951ab2","id":"6294eae97b5f4d4fb262be23191ab75e","object_ids":["f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068"],"prev_hash":"a257af7f791d2e931624e217e03e5f7a21a584a8302f054cfafdea3e352ecfae","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:45.034262Z","data":{"slug_hint":"vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"},"dry_run":false,"event":"proposal.claim.create","hash":"d849c19ae40bd2a003387539bb819bfd5e351af3747a43d423911acb52fcf700","id":"ee6c22afb0904cd29ded898747facfb2","object_ids":["20260704-061445-267a62ab"],"prev_hash":"fcea1d2f2a3229cf10e015b34ae21f5100067007ec9f96924a5c31eeba951ab2","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:46.634616Z","data":{},"dry_run":false,"event":"source.add","hash":"1262b757734be05619fc7c4cfa27bb49e1645df83757276e844013bfd271fe3c","id":"9070e4204c71474d8f758a49fe10c320","object_ids":["c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7"],"prev_hash":"d849c19ae40bd2a003387539bb819bfd5e351af3747a43d423911acb52fcf700","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:48.651175Z","data":{"slug_hint":"vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"},"dry_run":false,"event":"proposal.claim.create","hash":"b507e77958bce843574da4d5aee0f878e8e5af048980ea9f5016764d1bcdc9bc","id":"ab15879045c048d5987b85521e5047c0","object_ids":["20260704-061448-9e9bb439"],"prev_hash":"1262b757734be05619fc7c4cfa27bb49e1645df83757276e844013bfd271fe3c","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:51.640084Z","data":{},"dry_run":false,"event":"source.add","hash":"764b10af5baab65d1379439995b16ebc5894b964d4e817e3ce05de0182bd3e75","id":"60250bc7fb72434d89e97faebe604f73","object_ids":["f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3"],"prev_hash":"b507e77958bce843574da4d5aee0f878e8e5af048980ea9f5016764d1bcdc9bc","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:54.153111Z","data":{"slug_hint":"vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"},"dry_run":false,"event":"proposal.claim.create","hash":"5392f68990e3e432d27e38e07f3474876dc89d4df64ce6e9c3765a37cab6a8b0","id":"ff861e4d527b421eb7f02fd8e4d28ffc","object_ids":["20260704-061454-49cfcfc0"],"prev_hash":"764b10af5baab65d1379439995b16ebc5894b964d4e817e3ce05de0182bd3e75","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:14:56.184033Z","data":{},"dry_run":false,"event":"source.add","hash":"2242c1e4cc1401b0d8a018d4b4a54c77fce532f9e89521e89781225c7d2eb996","id":"47403fb63cf2479685ef6d1f51aecde7","object_ids":["f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7"],"prev_hash":"5392f68990e3e432d27e38e07f3474876dc89d4df64ce6e9c3765a37cab6a8b0","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:00.145460Z","data":{"slug_hint":"vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"},"dry_run":false,"event":"proposal.claim.create","hash":"cf4e6cc04edcd88349bf465e59ffc3562f1bf383118261343da434b78f55098a","id":"2b2fb67ad8044633af494d6b544b0668","object_ids":["20260704-061500-9c95a168"],"prev_hash":"2242c1e4cc1401b0d8a018d4b4a54c77fce532f9e89521e89781225c7d2eb996","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:03.670614Z","data":{},"dry_run":false,"event":"source.add","hash":"48805f9a4d51b9fcb4c784360fe98819f0b823a9733c6650249782c4ebada7e7","id":"3e3cba3b792045d2bf564e6d9fafcf2d","object_ids":["dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50"],"prev_hash":"cf4e6cc04edcd88349bf465e59ffc3562f1bf383118261343da434b78f55098a","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:05.479935Z","data":{"slug_hint":"vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"},"dry_run":false,"event":"proposal.claim.create","hash":"b29a45abf416ee2e05ebed6e5ac4926af77017f8fdd22ff1479f09e565fb02e6","id":"224c763047054e77ab5980c9b6581a77","object_ids":["20260704-061505-a91c3897"],"prev_hash":"48805f9a4d51b9fcb4c784360fe98819f0b823a9733c6650249782c4ebada7e7","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:08.877391Z","data":{},"dry_run":false,"event":"source.add","hash":"4adf603a43e6040bbbaf54b4a0b4790f0df5375e5333bee446dc7857b44cea26","id":"898dd819bd6b426689fea1f20119be41","object_ids":["9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292"],"prev_hash":"b29a45abf416ee2e05ebed6e5ac4926af77017f8fdd22ff1479f09e565fb02e6","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:11.451225Z","data":{"slug_hint":"vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"},"dry_run":false,"event":"proposal.claim.create","hash":"92d35d948bbf696da7ee846d7c7e39cea891b8463817b4c6ec0cac264b1a3241","id":"81772f0da6374560a529bba8eb5d694d","object_ids":["20260704-061511-995c6f4d"],"prev_hash":"4adf603a43e6040bbbaf54b4a0b4790f0df5375e5333bee446dc7857b44cea26","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:13.978408Z","data":{},"dry_run":false,"event":"source.add","hash":"3672bc556b591814770134474e2d8d38772be962976e684dfcac226d90719243","id":"413d352ebc5547b1826a4a4b9cc3cb8b","object_ids":["77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc"],"prev_hash":"92d35d948bbf696da7ee846d7c7e39cea891b8463817b4c6ec0cac264b1a3241","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:15:15.592921Z","data":{"slug_hint":"vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"},"dry_run":false,"event":"proposal.claim.create","hash":"560f450f5f1bcb071f877bf12b2c4c1ee3e7deb5193112728587d67493109dc9","id":"bdbbc5a8bfb743f1973756fdc1b6d484","object_ids":["20260704-061515-0e132b51"],"prev_hash":"3672bc556b591814770134474e2d8d38772be962976e684dfcac226d90719243","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.046458Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"39eb73fef7854e2aca08f418b3ad3b56d122ae5b0d8bec30657034eca4c34b13","id":"b8138ef88c6f4c87a5d50188b4429cd5","object_ids":["20260704-061425-808652d7","vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-"],"prev_hash":"560f450f5f1bcb071f877bf12b2c4c1ee3e7deb5193112728587d67493109dc9","reversible":true} 
+{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.146232Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"263c78b62b6617b5c532ad8e123c18a6d19e733240817c5904f82e8c1971ef90","id":"ad4f588eee754b78b13928a6d538b665","object_ids":["20260704-061428-2ecdb562","vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate"],"prev_hash":"39eb73fef7854e2aca08f418b3ad3b56d122ae5b0d8bec30657034eca4c34b13","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.372870Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"92e493e7c2538cdc8aa209a7f585b3180e68d623428e19a2e3afe2c5995b2624","id":"b75436a551814a80966971afc79713c6","object_ids":["20260704-061432-51a7ca63","vouchdev-vouch-issue-78-kb-context-returns-archived-supersed"],"prev_hash":"263c78b62b6617b5c532ad8e123c18a6d19e733240817c5904f82e8c1971ef90","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.459241Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"d720213a72448b01eb144881d9d156f578e88738014eac450d61985d9c4c7ea9","id":"00da9530674e425eab434b368c3b3f22","object_ids":["20260704-061435-44efb4a8","vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m"],"prev_hash":"92e493e7c2538cdc8aa209a7f585b3180e68d623428e19a2e3afe2c5995b2624","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.559829Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit 
for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"ff3a79e231a8072b20f2fb10179383e717eb1cdef696462ef899f4da376ea453","id":"4c0019e725f94eb58f66f516b1f1c203","object_ids":["20260704-061438-7249c426","vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali"],"prev_hash":"d720213a72448b01eb144881d9d156f578e88738014eac450d61985d9c4c7ea9","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.780791Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"221593ac9257bbbb35ab7d5207d6ffd804d61154f83ff8b5beba394256123fab","id":"a17f547abbf94b0da333dc76ae24a356","object_ids":["20260704-061441-f33ed406","vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-"],"prev_hash":"ff3a79e231a8072b20f2fb10179383e717eb1cdef696462ef899f4da376ea453","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:28.991364Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"e994277a9ecc0ba69d57e498d819c3d8cfd9b4d901d1346ab17255119352fad2","id":"b43a7171e2fe448686f56f426d6836f0","object_ids":["20260704-061445-267a62ab","vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta"],"prev_hash":"221593ac9257bbbb35ab7d5207d6ffd804d61154f83ff8b5beba394256123fab","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.055189Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue 
#338."},"dry_run":false,"event":"proposal.claim.approve","hash":"ac3605bbc2ffa8ecebfa0bc82afb85d1024466550594ae3b370be084e1c14dbb","id":"7f0c454d052a42b3a4a3a1ed48242de5","object_ids":["20260704-061448-9e9bb439","vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-"],"prev_hash":"e994277a9ecc0ba69d57e498d819c3d8cfd9b4d901d1346ab17255119352fad2","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.242300Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"e466dca53de1e873f2e1eb6b663c894e4029ee925ebc3a6c0b5d04778883b684","id":"dac1e500cb6748838c89704ca0c91257","object_ids":["20260704-061454-49cfcfc0","vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when"],"prev_hash":"ac3605bbc2ffa8ecebfa0bc82afb85d1024466550594ae3b370be084e1c14dbb","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.306841Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"101293af2c15c699061948e6cc3dc164f4ac76a738a58022511d72887dc1a607","id":"cf3e1553987640be95abb44627e5171a","object_ids":["20260704-061500-9c95a168","vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-"],"prev_hash":"e466dca53de1e873f2e1eb6b663c894e4029ee925ebc3a6c0b5d04778883b684","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.597947Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue 
#338."},"dry_run":false,"event":"proposal.claim.approve","hash":"8903928b139b8ce9aa9a147ae27826c70644720bdcdaee819b9bce5e78a579e8","id":"7c404b084c08440e96634217de8a27c4","object_ids":["20260704-061505-a91c3897","vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v"],"prev_hash":"101293af2c15c699061948e6cc3dc164f4ac76a738a58022511d72887dc1a607","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.832285Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"2220df33737968ba699d1257db1a6ced0caa6c2fbb2bf93c750d91d6763a9c68","id":"673fa44bb0d240b9b1682af0d9af5738","object_ids":["20260704-061511-995c6f4d","vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud"],"prev_hash":"8903928b139b8ce9aa9a147ae27826c70644720bdcdaee819b9bce5e78a579e8","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:15:29.939458Z","data":{"reason":"Verified against live vouchdev/vouch repo state (git log, direct source reads, GitHub API) during a codebase-hygiene audit for issue #338."},"dry_run":false,"event":"proposal.claim.approve","hash":"f3f5a6a4aa8ab65648e9e2259b860b804f133c42b4bb39f90e76f3cb84ecd5d3","id":"e263b81a7ca24b65b2222f6c9f80c73b","object_ids":["20260704-061515-0e132b51","vouchdev-vouch-issue-168-critical-agent-transport-allows-cro"],"prev_hash":"2220df33737968ba699d1257db1a6ced0caa6c2fbb2bf93c750d91d6763a9c68","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:15:37.648373Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"6ede78de55ec1072a660a01fb0216cde2c7fab20818fdd8d83e2f839fc61459d","id":"33cf219e5d164f3190719674f8fa0980","object_ids":[],"prev_hash":"f3f5a6a4aa8ab65648e9e2259b860b804f133c42b4bb39f90e76f3cb84ecd5d3","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:16:40.201861Z","data":{"slug_hint":"vouchdev-vouch-open-issue-tracker-audit-2026-07-04"},"dry_run":false,"event":"proposal.page.create","hash":"6f0742a86b3a0820d830c838fc54a4182885bd99b4e4b458dc8cc30a7f7c21f9","id":"58ddec0885b343c5ac05886e0bf7e992","object_ids":["20260704-061640-20537c0f"],"prev_hash":"6ede78de55ec1072a660a01fb0216cde2c7fab20818fdd8d83e2f839fc61459d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:17:24.668152Z","data":{"reason":"Summary page for the codebase-audit community example (issue #338)."},"dry_run":false,"event":"proposal.page.approve","hash":"f503347795b9b2a190d1f1cc02b5fbded29239faef2a58bff3b3dc5d2cd84887","id":"d71652422f554ca69e21b7a3f7232ac5","object_ids":["20260704-061640-20537c0f","vouchdev-vouch-open-issue-tracker-audit-2026-07-04"],"prev_hash":"6f0742a86b3a0820d830c838fc54a4182885bd99b4e4b458dc8cc30a7f7c21f9","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:17:37.109152Z","data":{"checked":14,"failed":0},"dry_run":false,"event":"source.verify","hash":"17d1c207d0b3681e704c575afc446fbfb49171934de61df1655f41b3fb285c91","id":"2405312af1e24e678b130b4f84f31245","object_ids":[],"prev_hash":"f503347795b9b2a190d1f1cc02b5fbded29239faef2a58bff3b3dc5d2cd84887","reversible":true} +{"actor":"claude-code-audit","created_at":"2026-07-04T06:22:08.321798Z","data":{},"dry_run":false,"event":"source.add","hash":"b40a72699c9127cad7a07fc96e52192778b1d597b774e13caf6b6263d905d77d","id":"48e2f15fbf644fd9a8f755d8ef633ab1","object_ids":["14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd"],"prev_hash":"17d1c207d0b3681e704c575afc446fbfb49171934de61df1655f41b3fb285c91","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:22:09.353069Z","data":{"slug_hint":"vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-"},"dry_run":false,"event":"proposal.claim.create","hash":"29413a3105c06b7d3a122de31a5b3c02fc1f6f4aed6e4044bef8b491a9e8cd3b","id":"ffba4906b0854f2399866f21cb2e5d75","object_ids":["20260704-062209-21e9b7a4"],"prev_hash":"b40a72699c9127cad7a07fc96e52192778b1d597b774e13caf6b6263d905d77d","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:22:11.611776Z","data":{"reason":"Confirmed by reading cli.py::source_add and storage.py::put_source directly; reproduced against this KB's own source-add calls."},"dry_run":false,"event":"proposal.claim.approve","hash":"f50166586674f4359a63e6935a5d7833c2532f89bb6dd87b2919c9c332d56314","id":"3d41b7591ea949c395f8b43edba3f70b","object_ids":["20260704-062209-21e9b7a4","vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-"],"prev_hash":"29413a3105c06b7d3a122de31a5b3c02fc1f6f4aed6e4044bef8b491a9e8cd3b","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:22:47.109098Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"cf30e60730f1faad74d20ca488907a5dad998291a1b1dc13f3c43bba69fac33d","id":"d5137938c758495fa4020fe15882cbca","object_ids":[],"prev_hash":"f50166586674f4359a63e6935a5d7833c2532f89bb6dd87b2919c9c332d56314","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:22:51.574949Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"fe8ae5996eafaefc250c7732dd5106d6fea4d618c64d3387e3a965e3457de434","id":"557fbbc966134dbe845bd4f99760f6db","object_ids":[],"prev_hash":"cf30e60730f1faad74d20ca488907a5dad998291a1b1dc13f3c43bba69fac33d","reversible":true} 
+{"actor":"claude-code-audit","created_at":"2026-07-04T06:24:48.022905Z","data":{"slug_hint":"vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-"},"dry_run":false,"event":"proposal.page.create","hash":"f858c01f8a3d8d1af9b49936c2abb780d9cce9d48b6982672dae5db9ad0d09b0","id":"2fa76979fef8458fb1058a0040210453","object_ids":["20260704-062448-4d9f894f"],"prev_hash":"fe8ae5996eafaefc250c7732dd5106d6fea4d618c64d3387e3a965e3457de434","reversible":true} +{"actor":"jonathanchang31","created_at":"2026-07-04T06:24:49.072776Z","data":{"reason":"Revision 2: adds the self-found vouch source add --url bug as a 14th finding."},"dry_run":false,"event":"proposal.page.approve","hash":"8aeb0ee84334a65c396b4e6a240abd93f206b98287c4ff835c465a0e5a674584","id":"357415db77674bfe818ddd76e2507661","object_ids":["20260704-062448-4d9f894f","vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-"],"prev_hash":"f858c01f8a3d8d1af9b49936c2abb780d9cce9d48b6982672dae5db9ad0d09b0","reversible":true} +{"actor":"vouch-verify","created_at":"2026-07-04T06:24:59.488805Z","data":{"checked":15,"failed":0},"dry_run":false,"event":"source.verify","hash":"52716fba06b892105e400f48266546b50e9948951e3ee0612b78d57fd1a8e60e","id":"f7fd78e2f49e43b4920093f2d387dacb","object_ids":[],"prev_hash":"8aeb0ee84334a65c396b4e6a240abd93f206b98287c4ff835c465a0e5a674584","reversible":true} diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml new file mode 100644 index 0000000..f011738 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouch-starter-reviewed-knowledge.yaml 
@@ -0,0 +1,23 @@ +id: vouch-starter-reviewed-knowledge +text: Vouch stores reviewed, cited knowledge in the repository so future agent sessions + can retrieve agreed project context. +type: workflow +status: actionable +confidence: 0.95 +evidence: +- be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- vouch +- onboarding +created_at: '2026-07-04T06:10:25.981307Z' +updated_at: '2026-07-04T06:10:25.981314Z' +last_confirmed_at: null +approved_by: claude-code-audit diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml new file mode 100644 index 0000000..015f248 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source-.yaml @@ -0,0 +1,26 @@ +id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- +text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is resolved + on main only in the narrow sense that commit 0dba232 added the VEP-0005 proposal + document. The actual (visibility, project, agent) scoping feature it describes is + tracked separately as issue #189, which has no matching commit on main or test as + of this audit.' +type: fact +status: working +confidence: 0.85 +evidence: +- f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- codebase-audit +- vep-tracking +created_at: '2026-07-04T06:15:29.270915Z' +updated_at: '2026-07-04T06:15:29.270922Z' +last_confirmed_at: null +approved_by: jonathanchang31 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml new file mode 100644 index 0000000..edc76e9 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud.yaml @@ -0,0 +1,26 @@ +id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud +text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is fixed + and merged into both main and test via PR #183 (merge commit 6d53c99), after an + earlier attempt (PR #167) was closed for being retargeted to the wrong base branch. + The GitHub issue is still open.' +type: fact +status: working +confidence: 0.95 +evidence: +- 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +- security +created_at: '2026-07-04T06:15:29.739373Z' +updated_at: '2026-07-04T06:15:29.739380Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml new file mode 100644 index 0000000..c2b694d --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-168-critical-agent-transport-allows-cro.yaml 
@@ -0,0 +1,30 @@ +id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro +text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval) + is still unfixed on both main and test: kb.approve/kb.reject are registered on the + JSONL transport with no expose_decision_tools trust gate, and the only check is + same-agent self-approval. A prior fix (PR #169) was closed unmerged after a maintainer + requested changes: remove the duplicated handle_request guard whose broad except-Exception + swallows real errors, and document or remove the undocumented approver_role: trusted-agent + bypass.' +type: fact +status: working +confidence: 0.95 +evidence: +- 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- live-bug +- codebase-audit +- security +- needs-pr +created_at: '2026-07-04T06:15:29.862831Z' +updated_at: '2026-07-04T06:15:29.862838Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml new file mode 100644 index 0000000..f57ea1c --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v.yaml 
@@ -0,0 +1,24 @@ +id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v +text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is genuinely + open and unclaimed: no commit on main or test references #189, and no open PR body + contains a Closes/Fixes/Resolves #189 link, as of this audit.' +type: fact +status: working +confidence: 0.85 +evidence: +- dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- codebase-audit +- open-opportunity +created_at: '2026-07-04T06:15:29.321641Z' +updated_at: '2026-07-04T06:15:29.321648Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml new file mode 100644 index 0000000..5a8d67f --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more-.yaml 
@@ -0,0 +1,25 @@ +id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- +text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out of + the box) is still open on GitHub, but its CLI-output track landed on main via commit + a5f074f ''feat(cli): colourise output, add --json to lint/search, progress on long + ops (#54)''.' +type: fact +status: working +confidence: 0.9 +evidence: +- 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:27.916862Z' +updated_at: '2026-07-04T06:15:27.916869Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml new file mode 100644 index 0000000..a240a23 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate.yaml 
@@ -0,0 +1,26 @@ +id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate +text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding + agent-controlled markdown verbatim into a durable page) is fixed on main by commit + cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page (#76)'', + but the GitHub issue is still open.' +type: fact +status: working +confidence: 0.95 +evidence: +- 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +- security +created_at: '2026-07-04T06:15:28.090165Z' +updated_at: '2026-07-04T06:15:28.090172Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml new file mode 100644 index 0000000..163161a --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-78-kb-context-returns-archived-supersed.yaml 
@@ -0,0 +1,25 @@ +id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed +text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because + lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74, + which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but the + GitHub issue is still open.' +type: fact +status: working +confidence: 0.95 +evidence: +- efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:28.297524Z' +updated_at: '2026-07-04T06:15:28.297530Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml new file mode 100644 index 0000000..3ee2c57 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m.yaml @@ -0,0 +1,24 @@ +id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m +text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists + files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub + issue is still open.' +type: fact +status: working +confidence: 0.9 +evidence: +- c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:28.384912Z' +updated_at: '2026-07-04T06:15:28.384921Z' +last_confirmed_at: null +approved_by: jonathanchang31 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml new file mode 100644 index 0000000..9695038 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali.yaml @@ -0,0 +1,25 @@ +id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali +text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited + claims could land via bundle import, put_claim, or update_claim) is fixed on main + by commit ab54194, which moved the validator onto the Claim model itself, but the + GitHub issue is still open.' +type: fact +status: working +confidence: 0.9 +evidence: +- 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:28.493622Z' +updated_at: '2026-07-04T06:15:28.493629Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml new file mode 100644 index 0000000..4fab713 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends-.yaml 
@@ -0,0 +1,25 @@ +id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- +text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and hardcodes + embeddings-primary) is fixed on main by commit fb4b326, which added _configured_backend() + honoring retrieval.backend (with a legacy retrieval.backends fallback), but the + GitHub issue is still open.' +type: fact +status: working +confidence: 0.95 +evidence: +- e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:28.712091Z' +updated_at: '2026-07-04T06:15:28.712097Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml new file mode 100644 index 0000000..821deb9 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta.yaml 
@@ -0,0 +1,25 @@ +id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta +text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk approval) + is fixed on main by commit e7df047, which lets `vouch approve` take multiple proposal + ids with all-or-nothing or --keep-going semantics, but the GitHub issue is still + open.' +type: fact +status: working +confidence: 0.95 +evidence: +- f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:28.917620Z' +updated_at: '2026-07-04T06:15:28.917627Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml new file mode 100644 index 0000000..d2ca876 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve-.yaml @@ -0,0 +1,24 @@ +id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- +text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP]) + is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch serve + --transport http (#94)'', but the GitHub issue is still open.' +type: fact +status: working +confidence: 0.85 +evidence: +- c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:29.020028Z' +updated_at: '2026-07-04T06:15:29.020035Z' +last_confirmed_at: null +approved_by: jonathanchang31 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml new file mode 100644 index 0000000..d007133 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when.yaml @@ -0,0 +1,23 @@ +id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when +text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/ KB + is present) is fixed on main by commit 1af9521, but the GitHub issue is still open.' +type: fact +status: working +confidence: 0.9 +evidence: +- f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3 +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- stale-issue +- codebase-audit +created_at: '2026-07-04T06:15:29.198053Z' +updated_at: '2026-07-04T06:15:29.198061Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml new file mode 100644 index 0000000..dcf0cea --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/claims/vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently-.yaml 
@@ -0,0 +1,29 @@ +id: vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- +text: 'vouchdev/vouch''s CLI: ''vouch source add PATH --url URL'' silently drops --url. + cli.py::source_add always passes an explicit locator=str(Path(path).resolve()) into + store.put_source(), and storage.py''s locator=locator or url or title or sid never + falls through to url as a result. Found while building this very KB: every source + below had to have its locator hand-corrected post-hoc from a local scratch path + to its real GitHub URL.' +type: fact +status: working +confidence: 0.95 +evidence: +- 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd +entities: [] +supersedes: [] +superseded_by: null +contradicts: [] +scope: + visibility: project + project: null + agent: null +tags: +- live-bug +- codebase-audit +- dogfooding +- needs-pr +created_at: '2026-07-04T06:22:11.419605Z' +updated_at: '2026-07-04T06:22:11.419611Z' +last_confirmed_at: null +approved_by: jonathanchang31 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/config.yaml b/examples/community/vouch-issue-tracker-audit/vouch/config.yaml new file mode 100644 index 0000000..ad59bcc --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/config.yaml @@ -0,0 +1,19 @@ +version: 1 +review: + require_human_approval: true + expire_pending_after_days: 90 +capture: + enabled: true + min_observations: 3 +recall: + enabled: true + max_chars: 12000 +retrieval: + backend: auto + default_limit: 10 +agents: + recommended_loop: + - kb.search before writing + - kb.propose_* with citations + - human review via vouch pending/show/approve +page_kinds: {} diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml new file mode 100644 index 0000000..a70472d --- /dev/null 
+++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061029-8ae22018.yaml @@ -0,0 +1,26 @@ +id: 20260704-061029-8ae22018 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:29.345915Z' +payload: + id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out + of the box) is still open on GitHub, but its CLI-output track landed on main via + commit a5f074f ''feat(cli): colourise output, add --json to lint/search, progress + on long ops (#54)''.' + type: finding + confidence: 0.9 + evidence: + - 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Epic issues can be partially resolved by one commit while other tracks + remain open; the epic itself should stay open, but a reader following the issue + link alone would not know part of it already shipped. +status: rejected +decided_at: '2026-07-04T06:13:36.860473Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml new file mode 100644 index 0000000..549dbcc --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061032-e2c77208.yaml 
@@ -0,0 +1,26 @@ +id: 20260704-061032-e2c77208 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:32.990020Z' +payload: + id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding + agent-controlled markdown verbatim into a durable page) is fixed on main by commit + cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page + (#76)'', but the GitHub issue is still open.' + type: finding + confidence: 0.95 + evidence: + - 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025 + entities: [] + tags: + - stale-issue + - codebase-audit + - security +rationale: Verified both by commit-message grep and by reading src/vouch/context.py-adjacent + session code for the described guard. +status: rejected +decided_at: '2026-07-04T06:13:39.248445Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml new file mode 100644 index 0000000..138556b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061036-8e0faea0.yaml 
@@ -0,0 +1,25 @@ +id: 20260704-061036-8e0faea0 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:36.475356Z' +payload: + id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because + lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74, + which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but + the GitHub issue is still open.' + type: finding + confidence: 0.95 + evidence: + - efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Confirmed by reading the live filter constant and its guarding comment + directly in src/vouch/context.py on main. +status: rejected +decided_at: '2026-07-04T06:13:41.218116Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml new file mode 100644 index 0000000..d934a2c --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061040-ef56c928.yaml 
@@ -0,0 +1,23 @@ +id: 20260704-061040-ef56c928 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:40.681510Z' +payload: + id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists + files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub + issue is still open.' + type: finding + confidence: 0.9 + evidence: + - c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Verified by commit-message grep against upstream/main. +status: rejected +decided_at: '2026-07-04T06:13:43.255963Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml new file mode 100644 index 0000000..ee432c7 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061043-57bfb8a4.yaml 
@@ -0,0 +1,25 @@ +id: 20260704-061043-57bfb8a4 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:43.439208Z' +payload: + id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited + claims could land via bundle import, put_claim, or update_claim) is fixed on main + by commit ab54194, which moved the validator onto the Claim model itself, but + the GitHub issue is still open.' + type: finding + confidence: 0.9 + evidence: + - 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Model-layer validation is stronger than a single call-site check because + it covers every write path; worth flagging as resolved-and-improved, not just resolved. +status: rejected +decided_at: '2026-07-04T06:13:47.408161Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml new file mode 100644 index 0000000..1b3638e --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061047-bf405cfc.yaml 
@@ -0,0 +1,26 @@ +id: 20260704-061047-bf405cfc +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:47.333282Z' +payload: + id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and + hardcodes embeddings-primary) is fixed on main by commit fb4b326, which added + _configured_backend() honoring retrieval.backend (with a legacy retrieval.backends + fallback), but the GitHub issue is still open.' + type: finding + confidence: 0.95 + evidence: + - e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: 'Confirmed directly by reading src/vouch/context.py: _configured_backend() + and _retrieve() implement exactly the auto/embedding/fts5/substring behavior the + issue asked for.' +status: rejected +decided_at: '2026-07-04T06:13:49.265732Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml new file mode 100644 index 0000000..c5f75d1 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061052-7c202c7a.yaml 
@@ -0,0 +1,25 @@ +id: 20260704-061052-7c202c7a +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:52.696144Z' +payload: + id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk + approval) is fixed on main by commit e7df047, which lets `vouch approve` take + multiple proposal ids with all-or-nothing or --keep-going semantics, but the GitHub + issue is still open.' + type: finding + confidence: 0.95 + evidence: + - f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Confirmed against the installed CLI's own --help text, not just the commit + log. +status: rejected +decided_at: '2026-07-04T06:13:51.525885Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml new file mode 100644 index 0000000..e82fc1b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061056-e8724ce8.yaml 
@@ -0,0 +1,24 @@ +id: 20260704-061056-e8724ce8 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:10:56.781019Z' +payload: + id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP]) + is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch + serve --transport http (#94)'', but the GitHub issue is still open.' + type: finding + confidence: 0.85 + evidence: + - c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: The [VEP] tag suggested this needed a design proposal first; it shipped + anyway, so either the VEP happened informally or the tag was aspirational. +status: rejected +decided_at: '2026-07-04T06:13:54.771085Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml new file mode 100644 index 0000000..344f425 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061100-29c5dca4.yaml 
@@ -0,0 +1,23 @@ +id: 20260704-061100-29c5dca4 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:11:00.256945Z' +payload: + id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/ + KB is present) is fixed on main by commit 1af9521, but the GitHub issue is still + open.' + type: finding + confidence: 0.9 + evidence: + - f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Small, well-scoped UX fix; a clean example of a fast-turnaround merge. +status: rejected +decided_at: '2026-07-04T06:13:56.149229Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml new file mode 100644 index 0000000..85cb90e --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061106-eb27e9fd.yaml 
@@ -0,0 +1,27 @@ +id: 20260704-061106-eb27e9fd +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:11:06.629083Z' +payload: + id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is + resolved on main only in the narrow sense that commit 0dba232 added the VEP-0005 + proposal document. The actual (visibility, project, agent) scoping feature it + describes is tracked separately as issue #189, which has no matching commit on + main or test as of this audit.' + type: finding + confidence: 0.85 + evidence: + - f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7 + entities: [] + tags: + - codebase-audit + - vep-tracking +rationale: 'Distinguishing ''the VEP was written'' from ''the feature was built'' + avoids a false-positive stale-issue call on #100 and correctly leaves #189 flagged + as genuinely open.' +status: rejected +decided_at: '2026-07-04T06:13:57.831270Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml new file mode 100644 index 0000000..d1cada8 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061110-f4c09773.yaml 
@@ -0,0 +1,25 @@ +id: 20260704-061110-f4c09773 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:11:10.737117Z' +payload: + id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is + genuinely open and unclaimed: no commit on main or test references #189, and no + open PR body contains a Closes/Fixes/Resolves #189 link, as of this audit.' + type: finding + confidence: 0.85 + evidence: + - dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50 + entities: [] + tags: + - codebase-audit + - open-opportunity +rationale: A negative result (checked and found nothing) is worth recording with the + same rigor as a positive one, so a future contributor doesn't have to redo the same + search. +status: rejected +decided_at: '2026-07-04T06:13:59.258091Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml new file mode 100644 index 0000000..2f06036 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061116-082830a4.yaml 
@@ -0,0 +1,26 @@ +id: 20260704-061116-082830a4 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:11:16.762109Z' +payload: + id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is + fixed and merged into both main and test via PR #183 (merge commit 6d53c99), after + an earlier attempt (PR #167) was closed for being retargeted to the wrong base + branch. The GitHub issue is still open.' + type: finding + confidence: 0.95 + evidence: + - 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292 + entities: [] + tags: + - stale-issue + - codebase-audit + - security +rationale: Confirmed by reading FORBIDDEN_SAFETY_FLAGS and the audit.log.jsonl rejection + path directly in src/vouch/bundle.py on both main and test. +status: rejected +decided_at: '2026-07-04T06:14:00.536174Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml new file mode 100644 index 0000000..130e4c1 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061119-0680e882.yaml 
@@ -0,0 +1,31 @@ +id: 20260704-061119-0680e882 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:11:19.902283Z' +payload: + id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval) + is still unfixed on both main and test: kb.approve/kb.reject are registered on + the JSONL transport with no expose_decision_tools trust gate, and the only check + is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a + maintainer requested changes: remove the duplicated handle_request guard whose + broad except-Exception swallows real errors, and document or remove the undocumented + approver_role: trusted-agent bypass.' + type: finding + confidence: 0.95 + evidence: + - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc + entities: [] + tags: + - live-bug + - codebase-audit + - security + - needs-pr +rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged + security gap, with the maintainer''s exact acceptance criteria already on record + in PR #169.' +status: rejected +decided_at: '2026-07-04T06:14:03.452118Z' +decided_by: jonathanchang31 +decision_reason: invalid claim type 'finding' - resubmitting with valid type 'fact' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml new file mode 100644 index 0000000..12b6eb7 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061425-808652d7.yaml 
@@ -0,0 +1,27 @@ +id: 20260704-061425-808652d7 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:25.460547Z' +payload: + id: vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + text: 'vouchdev/vouch issue #54 (epic: make vouch friendlier and more useful out + of the box) is still open on GitHub, but its CLI-output track landed on main via + commit a5f074f ''feat(cli): colourise output, add --json to lint/search, progress + on long ops (#54)''.' + type: fact + confidence: 0.9 + evidence: + - 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Epic issues can be partially resolved by one commit while other tracks + remain open; the epic itself should stay open, but a reader following the issue + link alone would not know part of it already shipped. +status: approved +decided_at: '2026-07-04T06:15:28.008120Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml new file mode 100644 index 0000000..530122a --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061428-2ecdb562.yaml 
@@ -0,0 +1,27 @@ +id: 20260704-061428-2ecdb562 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:28.598912Z' +payload: + id: vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + text: 'vouchdev/vouch issue #76 (crystallize bypasses the review gate by embedding + agent-controlled markdown verbatim into a durable page) is fixed on main by commit + cdf72ab ''fix(sessions): close crystallize review-gate bypass via summary page + (#76)'', but the GitHub issue is still open.' + type: fact + confidence: 0.95 + evidence: + - 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025 + entities: [] + tags: + - stale-issue + - codebase-audit + - security +rationale: Verified both by commit-message grep and by reading src/vouch/context.py-adjacent + session code for the described guard. +status: approved +decided_at: '2026-07-04T06:15:28.128750Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml new file mode 100644 index 0000000..77f16ab --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061432-51a7ca63.yaml 
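Review bot: in decided/20260704-061428-2ecdb562.yaml, the `rationale` cites "src/vouch/context.py-adjacent session code", which does not name a file a reader can open. This claim is tagged `security` and carries `confidence: 0.95`, so name the module and the guard that was actually read, the way the #166 claim names `FORBIDDEN_SAFETY_FLAGS` in src/vouch/bundle.py.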
@@ -0,0 +1,26 @@ +id: 20260704-061432-51a7ca63 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:32.022224Z' +payload: + id: vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + text: 'vouchdev/vouch issue #78 (kb.context returns archived/superseded claims because + lifecycle mutations never re-index FTS5 status) is fixed on main by commit 0708c74, + which added `_RETRACTED_CLAIM_STATUSES` filtering in src/vouch/context.py, but + the GitHub issue is still open.' + type: fact + confidence: 0.95 + evidence: + - efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Confirmed by reading the live filter constant and its guarding comment + directly in src/vouch/context.py on main. +status: approved +decided_at: '2026-07-04T06:15:28.369425Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml new file mode 100644 index 0000000..aaa50b1 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061435-44efb4a8.yaml 
@@ -0,0 +1,24 @@ +id: 20260704-061435-44efb4a8 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:35.638307Z' +payload: + id: vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + text: 'vouchdev/vouch issue #80 (import_check accepts bundles whose manifest lists + files missing from the tarball) is fixed on main by commit f558fd0, but the GitHub + issue is still open.' + type: fact + confidence: 0.9 + evidence: + - c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Verified by commit-message grep against upstream/main. +status: approved +decided_at: '2026-07-04T06:15:28.444731Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml new file mode 100644 index 0000000..79a3474 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061438-7249c426.yaml 
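Review bot: in decided/20260704-061435-44efb4a8.yaml, the `rationale` is "Verified by commit-message grep against upstream/main", yet the `decision_reason` lists "direct source reads" and the summary page's Method section says each finding was spot-checked in the source file rather than trusting the commit message. Either read the `import_check` code for commit f558fd0 and say so in the rationale, or lower the 0.9 confidence and reword the decision reason so it matches what was actually checked.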
@@ -0,0 +1,26 @@ +id: 20260704-061438-7249c426 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:38.986504Z' +payload: + id: vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + text: 'vouchdev/vouch issue #81 (Claim model has no min-evidence validator, so uncited + claims could land via bundle import, put_claim, or update_claim) is fixed on main + by commit ab54194, which moved the validator onto the Claim model itself, but + the GitHub issue is still open.' + type: fact + confidence: 0.9 + evidence: + - 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Model-layer validation is stronger than a single call-site check because + it covers every write path; worth flagging as resolved-and-improved, not just resolved. +status: approved +decided_at: '2026-07-04T06:15:28.536829Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml new file mode 100644 index 0000000..91aadc4 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061441-f33ed406.yaml 
@@ -0,0 +1,27 @@ +id: 20260704-061441-f33ed406 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:41.553108Z' +payload: + id: vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + text: 'vouchdev/vouch issue #92 (_retrieve ignores retrieval.backends config and + hardcodes embeddings-primary) is fixed on main by commit fb4b326, which added + _configured_backend() honoring retrieval.backend (with a legacy retrieval.backends + fallback), but the GitHub issue is still open.' + type: fact + confidence: 0.95 + evidence: + - e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: 'Confirmed directly by reading src/vouch/context.py: _configured_backend() + and _retrieve() implement exactly the auto/embedding/fts5/substring behavior the + issue asked for.' +status: approved +decided_at: '2026-07-04T06:15:28.769924Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml new file mode 100644 index 0000000..8f5e86a --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061445-267a62ab.yaml 
@@ -0,0 +1,26 @@ +id: 20260704-061445-267a62ab +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:45.031547Z' +payload: + id: vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + text: 'vouchdev/vouch issue #93 (feat: vouch approve --batch for scriptable bulk + approval) is fixed on main by commit e7df047, which lets `vouch approve` take + multiple proposal ids with all-or-nothing or --keep-going semantics, but the GitHub + issue is still open.' + type: fact + confidence: 0.95 + evidence: + - f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Confirmed against the installed CLI's own --help text, not just the commit + log. +status: approved +decided_at: '2026-07-04T06:15:28.985388Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml new file mode 100644 index 0000000..ca9f319 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061448-9e9bb439.yaml 
@@ -0,0 +1,25 @@ +id: 20260704-061448-9e9bb439 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:48.645208Z' +payload: + id: vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + text: 'vouchdev/vouch issue #94 (feat: HTTP transport for vouch serve, tagged [VEP]) + is fixed on main by commit 2827a74 ''feat(serve): add HTTP transport for vouch + serve --transport http (#94)'', but the GitHub issue is still open.' + type: fact + confidence: 0.85 + evidence: + - c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: The [VEP] tag suggested this needed a design proposal first; it shipped + anyway, so either the VEP happened informally or the tag was aspirational. +status: approved +decided_at: '2026-07-04T06:15:29.051850Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml new file mode 100644 index 0000000..e9ff9fe --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061454-49cfcfc0.yaml 
@@ -0,0 +1,24 @@ +id: 20260704-061454-49cfcfc0 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:14:54.138750Z' +payload: + id: vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + text: 'vouchdev/vouch issue #95 (vouch serve should fail clearly when no .vouch/ + KB is present) is fixed on main by commit 1af9521, but the GitHub issue is still + open.' + type: fact + confidence: 0.9 + evidence: + - f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3 + entities: [] + tags: + - stale-issue + - codebase-audit +rationale: Small, well-scoped UX fix; a clean example of a fast-turnaround merge. +status: approved +decided_at: '2026-07-04T06:15:29.234611Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml new file mode 100644 index 0000000..226601a --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061500-9c95a168.yaml 
@@ -0,0 +1,28 @@ +id: 20260704-061500-9c95a168 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:00.108536Z' +payload: + id: vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + text: 'vouchdev/vouch issue #100 (feat: richer scopes on Claim/Source [VEP]) is + resolved on main only in the narrow sense that commit 0dba232 added the VEP-0005 + proposal document. The actual (visibility, project, agent) scoping feature it + describes is tracked separately as issue #189, which has no matching commit on + main or test as of this audit.' + type: fact + confidence: 0.85 + evidence: + - f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7 + entities: [] + tags: + - codebase-audit + - vep-tracking +rationale: 'Distinguishing ''the VEP was written'' from ''the feature was built'' + avoids a false-positive stale-issue call on #100 and correctly leaves #189 flagged + as genuinely open.' +status: approved +decided_at: '2026-07-04T06:15:29.296336Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml new file mode 100644 index 0000000..d1d1b92 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061505-a91c3897.yaml 
@@ -0,0 +1,26 @@ +id: 20260704-061505-a91c3897 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:05.316438Z' +payload: + id: vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + text: 'vouchdev/vouch issue #189 (richer scopes on Claim/Source per VEP-0005) is + genuinely open and unclaimed: no commit on main or test references #189, and no + open PR body contains a Closes/Fixes/Resolves #189 link, as of this audit.' + type: fact + confidence: 0.85 + evidence: + - dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50 + entities: [] + tags: + - codebase-audit + - open-opportunity +rationale: A negative result (checked and found nothing) is worth recording with the + same rigor as a positive one, so a future contributor doesn't have to redo the same + search. +status: approved +decided_at: '2026-07-04T06:15:29.542760Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml new file mode 100644 index 0000000..9057753 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061511-995c6f4d.yaml 
@@ -0,0 +1,27 @@ +id: 20260704-061511-995c6f4d +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:11.447796Z' +payload: + id: vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + text: 'vouchdev/vouch issue #166 (bundle import can overwrite the audit log) is + fixed and merged into both main and test via PR #183 (merge commit 6d53c99), after + an earlier attempt (PR #167) was closed for being retargeted to the wrong base + branch. The GitHub issue is still open.' + type: fact + confidence: 0.95 + evidence: + - 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292 + entities: [] + tags: + - stale-issue + - codebase-audit + - security +rationale: Confirmed by reading FORBIDDEN_SAFETY_FLAGS and the audit.log.jsonl rejection + path directly in src/vouch/bundle.py on both main and test. +status: approved +decided_at: '2026-07-04T06:15:29.829495Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml new file mode 100644 index 0000000..6b7507e --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061515-0e132b51.yaml 
@@ -0,0 +1,32 @@ +id: 20260704-061515-0e132b51 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:15:15.581538Z' +payload: + id: vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + text: 'vouchdev/vouch issue #168 (critical: agent transport allows cross-agent approval) + is still unfixed on both main and test: kb.approve/kb.reject are registered on + the JSONL transport with no expose_decision_tools trust gate, and the only check + is same-agent self-approval. A prior fix (PR #169) was closed unmerged after a + maintainer requested changes: remove the duplicated handle_request guard whose + broad except-Exception swallows real errors, and document or remove the undocumented + approver_role: trusted-agent bypass.' + type: fact + confidence: 0.95 + evidence: + - 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc + entities: [] + tags: + - live-bug + - codebase-audit + - security + - needs-pr +rationale: 'The single actionable item in this audit: a real, reviewed-but-unmerged + security gap, with the maintainer''s exact acceptance criteria already on record + in PR #169.' +status: approved +decided_at: '2026-07-04T06:15:29.902048Z' +decided_by: jonathanchang31 +decision_reason: 'Verified against live vouchdev/vouch repo state (git log, direct + source reads, GitHub API) during a codebase-hygiene audit for issue #338.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml new file mode 100644 index 0000000..80abb02 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml 
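Review bot: in decided/20260704-061515-0e132b51.yaml, the `text` says #168 is "still unfixed on both main and test" but records no branch head for either ref, so the statement cannot be re-checked once the branches move. Add the audited commit ids of upstream/main and upstream/test to the claim or its cited source, and name the file where `kb.approve`/`kb.reject` are registered, since this is the one claim tagged both `live-bug` and `security`.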
@@ -0,0 +1,124 @@ +id: 20260704-061640-20537c0f +kind: page +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:16:40.192605Z' +payload: + id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04 + title: vouchdev/vouch open-issue tracker audit — 2026-07-04 + body: '## Method + + + Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced + + against `git log --grep` on `upstream/main` and `upstream/test` for a commit + + mentioning that issue number, then spot-checked by reading the relevant + + source file directly (not just trusting the commit message). Issues already + + linked from an in-flight open PR were excluded up front, since those aren''t + + stale — they''re just not merged yet. + + + ## Findings + + + | Issue | Title | Status found | + + |---|---|---| + + | [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier + | partially fixed (CLI-output track), open | + + | [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review + gate | fixed, open | + + | [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded + claims | fixed, open | + + | [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles + missing manifest files | fixed, open | + + | [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence + validator | fixed, open | + + | [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends + config | fixed, open | + + | [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | + fixed, open | + + | [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch + serve | fixed, open | + + | [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly + with no KB | fixed, open | + + | [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP + drafted only, open | + + | 
[#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation + | genuinely open, unclaimed | + + | [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite + audit log | fixed + merged (PR #183), open | + + | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval + bypass | **still unfixed**, security-relevant | + + + 11 of these 13 issues describe bugs or features that are already resolved in + + code but left open on GitHub — likely because merges to non-default branches + + (or squash-merge commits) don''t trigger GitHub''s auto-close. One (#189) is a + + genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) + + is a real, unfixed, security-relevant bug with a maintainer review already on + + record (from a prior closed PR) describing exactly what a correct fix needs + + to do. + + + ## Why this matters for contributors + + + Before picking an open issue to work on in this repo, check whether it''s + + already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" + + upstream/main upstream/test` takes seconds and avoids a wasted or duplicate + + PR. This KB is the evidence trail for one pass of that check; see each + + claim''s citation for the exact commit, code, or review comment behind it. 
+ + ' + type: report + claims: + - vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + - vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + - vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + - vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + - vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + - vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + - vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + - vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + - vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + - vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + - vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + - vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + - vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + entities: [] + sources: [] + tags: [] + metadata: {} +rationale: null +status: approved +decided_at: '2026-07-04T06:17:24.561601Z' +decided_by: jonathanchang31 +decision_reason: 'Summary page for the codebase-audit community example (issue #338).' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml new file mode 100644 index 0000000..c44f15b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062209-21e9b7a4.yaml 
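Review bot: in the `body` of decided/20260704-061640-20537c0f.yaml, the command under "Why this matters for contributors" reads `--grep="#([^0-9]|$)"` with no issue number, so as written it matches a `#` followed by a non-digit or end of line rather than a reference to one specific issue. Put an explicit placeholder for the issue number before the group. Separately, "11 of these 13 issues describe bugs or features that are already resolved in code" counts #54 and #100, which the table above it lists as "partially fixed" and "VEP drafted only"; reword the sentence or the count so the two agree.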
@@ -0,0 +1,30 @@ +id: 20260704-062209-21e9b7a4 +kind: claim +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:22:09.345234Z' +payload: + id: vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- + text: 'vouchdev/vouch''s CLI: ''vouch source add PATH --url URL'' silently drops + --url. cli.py::source_add always passes an explicit locator=str(Path(path).resolve()) + into store.put_source(), and storage.py''s locator=locator or url or title or + sid never falls through to url as a result. Found while building this very KB: + every source below had to have its locator hand-corrected post-hoc from a local + scratch path to its real GitHub URL.' + type: fact + confidence: 0.95 + evidence: + - 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd + entities: [] + tags: + - live-bug + - codebase-audit + - dogfooding + - needs-pr +rationale: 'Self-referential finding: this is a real bug in the exact tool used to + build this example, discovered by using it for its intended purpose.' +status: approved +decided_at: '2026-07-04T06:22:11.587493Z' +decided_by: jonathanchang31 +decision_reason: Confirmed by reading cli.py::source_add and storage.py::put_source + directly; reproduced against this KB's own source-add calls. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml new file mode 100644 index 0000000..6ea0912 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml 
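Review bot: in decided/20260704-062209-21e9b7a4.yaml, the `text` says every source's locator was "hand-corrected post-hoc", while the commit message for this patch says the example contains "no hand-authored artifacts". State in the example README which source files were edited outside the CLI so the two statements do not conflict. Also drop "every source below" from the claim text, since a claim read on its own has no "below".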
@@ -0,0 +1,156 @@ +id: 20260704-062448-4d9f894f +kind: page +proposed_by: claude-code-audit +session_id: null +proposed_at: '2026-07-04T06:24:48.012409Z' +payload: + id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- + title: vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) + body: '## Method + + + Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced + + against `git log --grep` on `upstream/main` and `upstream/test` for a commit + + mentioning that issue number, then spot-checked by reading the relevant + + source file directly (not just trusting the commit message). Issues already + + linked from an in-flight open PR were excluded up front, since those aren''t + + stale — they''re just not merged yet. + + + ## Findings + + + | Issue | Title | Status found | + + |---|---|---| + + | [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier + | partially fixed (CLI-output track), open | + + | [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review + gate | fixed, open | + + | [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded + claims | fixed, open | + + | [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles + missing manifest files | fixed, open | + + | [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence + validator | fixed, open | + + | [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends + config | fixed, open | + + | [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | + fixed, open | + + | [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch + serve | fixed, open | + + | [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly + with no KB | fixed, open | + + | [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP + 
drafted only, open | + + | [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation + | genuinely open, unclaimed | + + | [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite + audit log | fixed + merged (PR #183), open | + + | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval + bypass | **still unfixed**, security-relevant | + + | — | `vouch source add --url` is a no-op | **self-found bug**, see below | + + + 11 of these 13 issues describe bugs or features that are already resolved in + + code but left open on GitHub — likely because merges to non-default branches + + (or squash-merge commits) don''t trigger GitHub''s auto-close. One (#189) is a + + genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) + + is a real, unfixed, security-relevant bug with a maintainer review already on + + record (from a prior closed PR) describing exactly what a correct fix needs + + to do. + + + ## A 14th finding, found by dogfooding + + + Building this KB surfaced a bug in the tool itself: `vouch source add PATH + + --url URL` silently drops `--url`. `cli.py::source_add` always passes an + + explicit `locator=str(Path(path).resolve())` into `store.put_source()`, and + + `storage.py`''s `locator=locator or url or title or sid` never falls through + + to `url` as a result. Every source citation in this KB had to have its + + `locator` corrected by hand, from a local scratch path to its real GitHub + + URL, after the fact — see the `vouchdev-vouch-s-cli-...` claim for the full + + repro. This page is a revision: an earlier page proposed earlier in this KB''s + + audit trail (`vouch audit`) covered only the 13 issue-tracker findings, before + + this 14th one came up during the write-up. `vouch supersede` only applies to + + claims, not pages, so both page revisions remain in this KB''s history rather + + than one replacing the other in the object model. 
+ + + ## Why this matters for contributors + + + Before picking an open issue to work on in this repo, check whether it''s + + already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" + + upstream/main upstream/test` takes seconds and avoids a wasted or duplicate + + PR. This KB is the evidence trail for one pass of that check; see each + + claim''s citation for the exact commit, code, or review comment behind it. + + ' + type: report + claims: + - vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- + - vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud + - vouchdev-vouch-issue-168-critical-agent-transport-allows-cro + - vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v + - vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- + - vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate + - vouchdev-vouch-issue-78-kb-context-returns-archived-supersed + - vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m + - vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali + - vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- + - vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta + - vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- + - vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when + - vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- + entities: [] + sources: [] + tags: [] + metadata: {} +rationale: null +status: approved +decided_at: '2026-07-04T06:24:49.061207Z' +decided_by: jonathanchang31 +decision_reason: 'Revision 2: adds the self-found vouch source add --url bug as a + 14th finding.' diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md new file mode 100644 index 0000000..16a5439 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/edit-in-obsidian.md 
@@ -0,0 +1,36 @@ +--- +id: edit-in-obsidian +title: Edit in Obsidian +type: workflow +status: active +claims: +- vouch-starter-reviewed-knowledge +entities: [] +sources: +- be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2 +tags: +- vouch +- onboarding +- obsidian +metadata: {} +created_at: '2026-07-04T06:10:25.983339Z' +updated_at: '2026-07-04T06:10:25.983344Z' +--- +# Edit in Obsidian + +Vouch's pages are plain markdown with YAML frontmatter -- your knowledge +base is already an Obsidian-compatible vault. To edit pages in your own +Obsidian vault: + +1. Run `vouch sync --vault ~/Obsidian/YourVault` once to mirror approved + pages and claims under `/vouch/`. +2. Open `/vouch/pages/.md` in Obsidian and edit it. +3. Re-run `vouch sync --vault ~/Obsidian/YourVault` to file your edits as + page-edit proposals in `.vouch/proposed/`. +4. Review and approve with `vouch approve `. The next sync mirrors the + approved version back into the vault. + +Claims appear as stub markdown files under `/vouch/claims/`; pages +that cite them are linked via Obsidian `[[wikilink]]` syntax so the graph +view connects them. Use `--watch` to keep a polling loop alive while you +edit. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md new file mode 100644 index 0000000..e50108b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md 
@@ -0,0 +1,85 @@ +--- +id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14- +title: vouchdev/vouch open-issue tracker audit — 2026-07-04 (rev 2, 14 findings) +type: report +status: draft +claims: +- vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- +- vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud +- vouchdev-vouch-issue-168-critical-agent-transport-allows-cro +- vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v +- vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- +- vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate +- vouchdev-vouch-issue-78-kb-context-returns-archived-supersed +- vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m +- vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali +- vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- +- vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta +- vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- +- vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when +- vouchdev-vouch-s-cli-vouch-source-add-path-url-url-silently- +entities: [] +sources: [] +tags: [] +metadata: {} +created_at: '2026-07-04T06:24:49.036278Z' +updated_at: '2026-07-04T06:24:49.036285Z' +--- +## Method + +Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced +against `git log --grep` on `upstream/main` and `upstream/test` for a commit +mentioning that issue number, then spot-checked by reading the relevant +source file directly (not just trusting the commit message). Issues already +linked from an in-flight open PR were excluded up front, since those aren't +stale — they're just not merged yet. 
+ +## Findings + +| Issue | Title | Status found | +|---|---|---| +| [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier | partially fixed (CLI-output track), open | +| [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review gate | fixed, open | +| [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded claims | fixed, open | +| [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles missing manifest files | fixed, open | +| [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence validator | fixed, open | +| [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends config | fixed, open | +| [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | fixed, open | +| [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch serve | fixed, open | +| [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly with no KB | fixed, open | +| [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP drafted only, open | +| [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation | genuinely open, unclaimed | +| [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite audit log | fixed + merged (PR #183), open | +| [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant | +| — | `vouch source add --url` is a no-op | **self-found bug**, see below | + +11 of these 13 issues describe bugs or features that are already resolved in +code but left open on GitHub — likely because merges to non-default branches +(or squash-merge commits) don't trigger GitHub's auto-close. One (#189) is a +genuinely open, unclaimed implementation gap behind a drafted VEP. 
One (#168) +is a real, unfixed, security-relevant bug with a maintainer review already on +record (from a prior closed PR) describing exactly what a correct fix needs +to do. + +## A 14th finding, found by dogfooding + +Building this KB surfaced a bug in the tool itself: `vouch source add PATH +--url URL` silently drops `--url`. `cli.py::source_add` always passes an +explicit `locator=str(Path(path).resolve())` into `store.put_source()`, and +`storage.py`'s `locator=locator or url or title or sid` never falls through +to `url` as a result. Every source citation in this KB had to have its +`locator` corrected by hand, from a local scratch path to its real GitHub +URL, after the fact — see the `vouchdev-vouch-s-cli-...` claim for the full +repro. This page is a revision: an earlier page proposed earlier in this KB's +audit trail (`vouch audit`) covered only the 13 issue-tracker findings, before +this 14th one came up during the write-up. `vouch supersede` only applies to +claims, not pages, so both page revisions remain in this KB's history rather +than one replacing the other in the object model. + +## Why this matters for contributors + +Before picking an open issue to work on in this repo, check whether it's +already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" +upstream/main upstream/test` takes seconds and avoids a wasted or duplicate +PR. This KB is the evidence trail for one pass of that check; see each +claim's citation for the exact commit, code, or review comment behind it. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md new file mode 100644 index 0000000..18e3b2b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md 
@@ -0,0 +1,68 @@ +--- +id: vouchdev-vouch-open-issue-tracker-audit-2026-07-04 +title: vouchdev/vouch open-issue tracker audit — 2026-07-04 +type: report +status: draft +claims: +- vouchdev-vouch-issue-100-feat-richer-scopes-on-claim-source- +- vouchdev-vouch-issue-166-bundle-import-can-overwrite-the-aud +- vouchdev-vouch-issue-168-critical-agent-transport-allows-cro +- vouchdev-vouch-issue-189-richer-scopes-on-claim-source-per-v +- vouchdev-vouch-issue-54-epic-make-vouch-friendlier-and-more- +- vouchdev-vouch-issue-76-crystallize-bypasses-the-review-gate +- vouchdev-vouch-issue-78-kb-context-returns-archived-supersed +- vouchdev-vouch-issue-80-import-check-accepts-bundles-whose-m +- vouchdev-vouch-issue-81-claim-model-has-no-min-evidence-vali +- vouchdev-vouch-issue-92-retrieve-ignores-retrieval-backends- +- vouchdev-vouch-issue-93-feat-vouch-approve-batch-for-scripta +- vouchdev-vouch-issue-94-feat-http-transport-for-vouch-serve- +- vouchdev-vouch-issue-95-vouch-serve-should-fail-clearly-when +entities: [] +sources: [] +tags: [] +metadata: {} +created_at: '2026-07-04T06:17:24.368089Z' +updated_at: '2026-07-04T06:17:24.368096Z' +--- +## Method + +Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced +against `git log --grep` on `upstream/main` and `upstream/test` for a commit +mentioning that issue number, then spot-checked by reading the relevant +source file directly (not just trusting the commit message). Issues already +linked from an in-flight open PR were excluded up front, since those aren't +stale — they're just not merged yet. 
+ +## Findings + +| Issue | Title | Status found | +|---|---|---| +| [#54](https://github.com/vouchdev/vouch/issues/54) | epic: make vouch friendlier | partially fixed (CLI-output track), open | +| [#76](https://github.com/vouchdev/vouch/issues/76) | crystallize bypasses review gate | fixed, open | +| [#78](https://github.com/vouchdev/vouch/issues/78) | kb.context returns archived/superseded claims | fixed, open | +| [#80](https://github.com/vouchdev/vouch/issues/80) | import_check accepts bundles missing manifest files | fixed, open | +| [#81](https://github.com/vouchdev/vouch/issues/81) | Claim model has no min-evidence validator | fixed, open | +| [#92](https://github.com/vouchdev/vouch/issues/92) | _retrieve ignores retrieval.backends config | fixed, open | +| [#93](https://github.com/vouchdev/vouch/issues/93) | vouch approve --batch | fixed, open | +| [#94](https://github.com/vouchdev/vouch/issues/94) | HTTP transport for vouch serve | fixed, open | +| [#95](https://github.com/vouchdev/vouch/issues/95) | vouch serve fails unclearly with no KB | fixed, open | +| [#100](https://github.com/vouchdev/vouch/issues/100) | richer scopes VEP | VEP drafted only, open | +| [#189](https://github.com/vouchdev/vouch/issues/189) | richer scopes implementation | genuinely open, unclaimed | +| [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite audit log | fixed + merged (PR #183), open | +| [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant | + +11 of these 13 issues describe bugs or features that are already resolved in +code but left open on GitHub — likely because merges to non-default branches +(or squash-merge commits) don't trigger GitHub's auto-close. One (#189) is a +genuinely open, unclaimed implementation gap behind a drafted VEP. 
One (#168) +is a real, unfixed, security-relevant bug with a maintainer review already on +record (from a prior closed PR) describing exactly what a correct fix needs +to do. + +## Why this matters for contributors + +Before picking an open issue to work on in this repo, check whether it's +already fixed upstream — `git log --oneline -E --grep="#([^0-9]|$)" +upstream/main upstream/test` takes seconds and avoids a wasted or duplicate +PR. This KB is the evidence trail for one pass of that check; see each +claim's citation for the exact commit, code, or review comment behind it. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/schema_version b/examples/community/vouch-issue-tracker-audit/vouch/schema_version new file mode 100644 index 0000000..6e8bf73 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/schema_version @@ -0,0 +1 @@ +0.1.0 diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content new file mode 100644 index 0000000..ec3ae92 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/content 
@@ -0,0 +1,53 @@ +# vouchdev/vouch: `vouch source add --url` is a no-op (found while building this KB) + +Not a filed GitHub issue — a bug surfaced by dogfooding vouch to build this +very example. + +## What happened + +`vouch source add PATH --url URL` accepts `--url`, but the value is +discarded. In `src/vouch/cli.py`, `source_add()` always calls: + + src = store.put_source( + data, + title=title or Path(path).name, + url=url, + locator=str(Path(path).resolve()), # <-- always non-None + source_type=source_type, + ) + +and in `src/vouch/storage.py`, `KBStore.put_source()` resolves the stored +`locator` field as: + + locator=locator or url or title or sid, + +Because the CLI always passes a concrete `locator` (the resolved local +file path), the `locator or url` fallback never reaches `url` — the CLI +has no way to make `--url` observable in the stored Source's `locator` +field, no matter what a caller passes. + +## Reproduction (this exact KB) + + $ vouch source add evidence/issue-168.md \ + --title "vouchdev/vouch issue #168 + closed PR #169 (unmerged)" \ + --url "https://github.com/vouchdev/vouch/issues/168" + 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc + + $ cat .vouch/sources/77cf.../meta.yaml + locator: /tmp/.../evidence/issue-168.md # the --url value is nowhere in this file + +## Impact + +Low severity, but real: any workflow that registers a source from a local +file while also wanting to record its canonical URL (exactly the "cite the +GitHub issue this file was copied from" pattern this community example +needed) silently loses that URL. `store.put_source` does still accept a +`url` kwarg — a library caller bypassing the CLI can set it — so the gap is +specifically in `source_add()`'s CLI wiring, not the storage layer. 
+ +## Suggested fix + +`src/vouch/cli.py::source_add` should pass `locator=locator_override or url +or str(Path(path).resolve())` — i.e., prefer an explicit `--url` when given, +falling back to the resolved path only when no URL was supplied. Today +there's no `--locator` override either, so the resolved path always wins. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml new file mode 100644 index 0000000..f39bf14 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd/meta.yaml @@ -0,0 +1,15 @@ +id: 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd +type: commit +locator: 'vouchdev/vouch@main: src/vouch/cli.py::source_add + src/vouch/storage.py::put_source' +title: 'vouchdev/vouch: vouch source add --url is a no-op (self-found)' +hash: 14ec6e206005e19431aec8e26d7f44935c4e031c535c9848c80ff9e88df13ecd +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 2121 +media_type: text/plain +created_at: '2026-07-04T06:22:08.308903Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content new file mode 100644 index 0000000..714f48b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/content 
@@ -0,0 +1,20 @@ +# vouchdev/vouch issue #76 + +Title: bug: crystallize writes a durable Page bypassing the review gate; + body embeds agent-controlled markdown verbatim +Author: galuis116 +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +cdf72ab5940d366775f7a83fe078bc5db8733fb4 2026-05-25 +fix(sessions): close crystallize review-gate bypass via summary page (#76) + +Verified with: + $ git log --oneline -E --grep="#76([^0-9]|$)" upstream/main + cdf72ab fix(sessions): close crystallize review-gate bypass via summary page (#76) + +Conclusion: the review-gate bypass described in the issue (session.crystallize +promoting agent-supplied task/note text into a durable page without going +through propose_page + approve) is fixed on main. The GitHub issue is still +open. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml new file mode 100644 index 0000000..2aa0053 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025/meta.yaml @@ -0,0 +1,15 @@ +id: 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025 +type: issue +locator: https://github.com/vouchdev/vouch/issues/76 +title: 'vouchdev/vouch issue #76 + fix commit cdf72ab' +hash: 2bea22cff37e6643e7da2782beb45db5dbe3b7a696343304f40a4485143b2025 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 775 +media_type: text/plain +created_at: '2026-07-04T06:10:31.107297Z' +metadata: {} +tags: [] 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content new file mode 100644 index 0000000..5ab68fc --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/content @@ -0,0 +1,19 @@ +# vouchdev/vouch issue #54 + +Title: epic: make vouch friendlier and more useful out of the box +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +a5f074f754a2005c0eca8db636a00943ccb823d1 2026-05-26 +feat(cli): colourise output, add --json to lint/search, progress on long ops (#54) + +Verified with: + $ git log --oneline -E --grep="#54([^0-9]|$)" upstream/main + a5f074f feat(cli): colourise output, add --json to lint/search, progress on long ops (#54) + +Conclusion: Track 2 (Friendlier CLI output) of this epic landed on main. +The issue references a multi-track epic body; only the CLI-output track's +commit was checked for this claim (see the "still open" caveat in the claim +rationale). diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml new file mode 100644 index 0000000..258dcb0 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98/meta.yaml 
@@ -0,0 +1,15 @@ +id: 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98 +type: issue +locator: https://github.com/vouchdev/vouch/issues/54 +title: 'vouchdev/vouch issue #54 + fix commit a5f074f' +hash: 31b58bbcf6f59d6531522d2cdcd9ef5432454c657f0e4ec18ca6160ff8384a98 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 748 +media_type: text/plain +created_at: '2026-07-04T06:10:27.584136Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content new file mode 100644 index 0000000..9855a95 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/content @@ -0,0 +1,19 @@ +# vouchdev/vouch issue #81 + +Title: bug: Claim model has no min-evidence validator — uncited claims land + via bundle import, put_claim, update_claim +Author: galuis116 +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +ab54194f280b93a8bf69ab5d871291ac4ce9e95d 2026-05-25 +fix(models): require Claim.evidence to be non-empty at the model layer (#81) + +Verified with: + $ git log --oneline -E --grep="#81([^0-9]|$)" upstream/main + ab54194 fix(models): require Claim.evidence to be non-empty at the model layer (#81) + +Conclusion: fixed on main — the validator now lives on the Claim model +itself, so every write path is covered, not just the CLI/MCP entry points. +The GitHub issue is still open. 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml new file mode 100644 index 0000000..6d97e81 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a/meta.yaml @@ -0,0 +1,15 @@ +id: 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a +type: issue +locator: https://github.com/vouchdev/vouch/issues/81 +title: 'vouchdev/vouch issue #81 + fix commit ab54194' +hash: 4a3d84936c35017a12be0b04d8b80c5d4927d76639a75ff1dfa54dc29d66297a +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 725 +media_type: text/plain +created_at: '2026-07-04T06:10:41.809515Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content new file mode 100644 index 0000000..b5037a1 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/content 
@@ -0,0 +1,42 @@ +# vouchdev/vouch issue #168 + +Title: critical: Agent transport allows cross-agent approval +Author: jonathanchang31 +State on GitHub at audit time: OPEN + +## No fix on main or test + + $ git log --oneline -E --grep="#168([^0-9]|$)" upstream/main upstream/test + (no output) + +Direct code check, upstream/main src/vouch/jsonl_server.py: + "kb.approve": _h_approve, + "kb.reject": _h_reject, +registered with no `expose_decision_tools` / trust gate. src/vouch/proposals.py +`_approval_block_reason()` only checks `approved_by == proposal.proposed_by` +(same-agent self-approval), so a second agent identity can approve another +agent's proposal through the JSONL/MCP transport, landing a durable claim +without any human CLI review. Confirmed identical on upstream/test. + +## Prior attempt: PR #169 (closed, unmerged) + +PR #169 implemented an `expose_decision_tools` config gate. Maintainer +review (plind-junior, COLLABORATOR) on 2026-06-09 requested changes: + +> **[blocking]** the guard in `handle_request` duplicates the one already +> inside `_h_approve`/`_h_reject`... the `except Exception` fallback inside +> the new block silently swallows *any* unexpected error ... and returns +> `method_not_found` instead of `internal_error`, hiding the real cause. + +> **[non-blocking]** `decision_tools_enabled` returns `True` for two +> independent conditions: `expose_decision_tools: true` **or** +> `approver_role: trusted-agent`. The `approver_role` path is not mentioned +> in the updated docs... If vestigial, removing it avoids a hidden unlock +> path. + +The PR was closed on 2026-06-09 without those changes being made. + +Conclusion: genuinely open, unfixed, and security-relevant. A resubmission +should implement a single non-duplicated gate check and either document or +remove the `approver_role: trusted-agent` bypass, per the maintainer's own +review notes above. 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml new file mode 100644 index 0000000..0f45647 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc/meta.yaml @@ -0,0 +1,15 @@ +id: 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc +type: issue +locator: https://github.com/vouchdev/vouch/issues/168 +title: 'vouchdev/vouch issue #168 + closed PR #169 (unmerged)' +hash: 77cf22c12729473bdd16015f273b9b7159500a6529a43e9f61910615e9fcc5dc +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 1846 +media_type: text/plain +created_at: '2026-07-04T06:11:18.592619Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content new file mode 100644 index 0000000..31ae07b --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/content 
@@ -0,0 +1,29 @@ +# vouchdev/vouch issue #166 + +Title: [Bug] Bundle import can overwrite the audit log +Author: jonathanchang31 +State on GitHub at audit time: OPEN + +## Fix merged via PR #183 + +PR #167 (closed, unmerged — GitHub does not allow re-targeting a closed PR's +base branch) was replaced by PR #183, "fix:bundle import can overwrite the +audit log", merged 2026-06-09. + +Merge commit found on upstream/main and upstream/test: +6d53c9989ec42f199cb3735ddd82caf3122b6267 +Merge pull request #183 from jonathanchang31/fix/bundle-import-overwrite-audit-log + +Verified with: + $ git show upstream/main:src/vouch/bundle.py | grep -n "FORBIDDEN_SAFETY_FLAGS\|has_audit_log" + 49:FORBIDDEN_SAFETY_FLAGS = { + 52: "has_audit_log": "audit.log.jsonl", + 113: "has_audit_log": False, + 164: if name == "audit.log.jsonl": + ... + (identical result against upstream/test) + +Conclusion: fixed and merged into both main and test. The GitHub issue is +still open — the merge did not auto-close it (likely because the merge +landed via a squash/merge-pull-request commit rather than a linked +"Fixes #166" commit message on the default branch at merge time). diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml new file mode 100644 index 0000000..9ca2818 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292/meta.yaml 
@@ -0,0 +1,15 @@ +id: 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292 +type: issue +locator: https://github.com/vouchdev/vouch/issues/166 +title: 'vouchdev/vouch issue #166 + merged PR #183' +hash: 9e25d14157633c926abbd0cafd1cfff119d21ad266152b7b7e49d7288b77b292 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 1139 +media_type: text/plain +created_at: '2026-07-04T06:11:12.413960Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content new file mode 100644 index 0000000..19c3acc --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/content @@ -0,0 +1,7 @@ +# Vouch starter source + +This starter source is created by `vouch init` so new users can see how a +reviewed claim cites durable evidence. + +Keep facts small, cite their sources, and approve only the knowledge you want +future agents to retrieve. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml new file mode 100644 index 0000000..ced8fb8 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2/meta.yaml 
@@ -0,0 +1,17 @@ +id: be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2 +type: message +locator: vouch:init +title: Vouch starter source +hash: be7aec64b0fc803a33cb3d610f67ae95e636877db20231ef72440a7cbe6b69d2 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 243 +media_type: text/markdown +created_at: '2026-07-04T06:10:25.977586Z' +metadata: {} +tags: +- vouch +- onboarding diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content new file mode 100644 index 0000000..763b30f --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/content @@ -0,0 +1,18 @@ +# vouchdev/vouch issue #80 + +Title: bug: import_check accepts bundles whose manifest lists files missing + from the tarball (no issue raised) +Author: galuis116 +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +f558fd0fdc5fb071cca34f941be7ee522b03104f 2026-05-25 +fix(bundle): reject import of bundles whose manifest lists files missing +from tarball (#80) + +Verified with: + $ git log --oneline -E --grep="#80([^0-9]|$)" upstream/main + f558fd0 fix(bundle): reject import of bundles whose manifest lists files missing from tarball (#80) + +Conclusion: fixed on main. The GitHub issue is still open. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml new file mode 100644 index 0000000..143e703 --- /dev/null 
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424/meta.yaml @@ -0,0 +1,15 @@ +id: c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424 +type: issue +locator: https://github.com/vouchdev/vouch/issues/80 +title: 'vouchdev/vouch issue #80 + fix commit f558fd0' +hash: c295fcf5b9d4f52a91667e3b65f9fd242b760401df36fb88b0a6ba9fb7a0e424 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 624 +media_type: text/plain +created_at: '2026-07-04T06:10:39.004547Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content new file mode 100644 index 0000000..5ca6d5f --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/content @@ -0,0 +1,18 @@ +# vouchdev/vouch issue #94 + +Title: feat: HTTP transport for `vouch serve` (`--transport http`) [VEP] +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +2827a7491a7816a1b1f2e325478237d0ef99df28 2026-05-28 +feat(serve): add HTTP transport for vouch serve --transport http (#94) + +Verified with: + $ git log --oneline -E --grep="#94([^0-9]|$)" upstream/main + 2827a74 feat(serve): add HTTP transport for vouch serve --transport http (#94) + +Conclusion: fixed on main, despite the [VEP] tag in the issue title (a VEP +was apparently handled inline rather than blocking). The GitHub issue is +still open. 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml new file mode 100644 index 0000000..9663b9c --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7/meta.yaml @@ -0,0 +1,15 @@ +id: c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7 +type: issue +locator: https://github.com/vouchdev/vouch/issues/94 +title: 'vouchdev/vouch issue #94 + fix commit 2827a74' +hash: c59241dc3b461093c45b9d45f9aaea8ee8914f621d0fcd6cb744583fd486c0c7 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 656 +media_type: text/plain +created_at: '2026-07-04T06:10:55.377988Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content new file mode 100644 index 0000000..cda2943 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/content 
@@ -0,0 +1,21 @@ +# vouchdev/vouch issue #189 + +Title: Richer scopes on Claim/Source: (visibility, project, agent) retrieval + filtering (VEP-0005) +Author: jsdevninja +State on GitHub at audit time: OPEN + +## No matching commit + + $ git log --oneline -E --grep="#189([^0-9]|$)" upstream/main upstream/test + (no output) + +Related: issue #100 asked for the VEP-0005 *proposal document*, which was +written (commit 0dba232, see issue-100.md in this KB). This issue (#189) is +the separate tracking issue for the actual (visibility, project, agent) +scoping *implementation*. No open PR currently references "Closes #189" / +"Fixes #189" / "Resolves #189" either (checked against all open PR bodies +on vouchdev/vouch at audit time). + +Conclusion: genuinely open and unclaimed — the VEP was drafted but the +feature it describes has not been implemented. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml new file mode 100644 index 0000000..b48f515 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50/meta.yaml @@ -0,0 +1,15 @@ +id: dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50 +type: issue +locator: https://github.com/vouchdev/vouch/issues/189 +title: 'vouchdev/vouch issue #189 (no fix found) + contrast with issue #100' +hash: dc52816569f0823843ea7f60a3ae8fdaf64fdc0c7fe66c0d892ca388a8470b50 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 830 +media_type: text/plain +created_at: '2026-07-04T06:11:08.819493Z' +metadata: {} +tags: [] 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content new file mode 100644 index 0000000..3d93236 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/content @@ -0,0 +1,22 @@ +# vouchdev/vouch issue #92 + +Title: bug: `_retrieve` ignores `retrieval.backends` config and hardcodes + embeddings-primary +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +fb4b326254694645e255bc9884a877f42f287cfd 2026-05-26 +fix(context): honor retrieval.backend config instead of hardcoding +embeddings (#92) + +Verified with: + $ git log --oneline -E --grep="#92([^0-9]|$)" upstream/main + fb4b326 fix(context): honor retrieval.backend config instead of hardcoding embeddings (#92) + +Corroborated by reading src/vouch/context.py directly: `_configured_backend()` +reads `retrieval.backend` (with a legacy `retrieval.backends` list fallback) +and `_retrieve()` branches on `auto|embedding|fts5|substring`. + +Conclusion: fixed on main. The GitHub issue is still open. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml new file mode 100644 index 0000000..933d89a --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d/meta.yaml 
@@ -0,0 +1,15 @@ +id: e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d +type: issue +locator: https://github.com/vouchdev/vouch/issues/92 +title: 'vouchdev/vouch issue #92 + fix commit fb4b326' +hash: e55c1e956d0b08b2244e59290f01e29d2b51b8873a328bf4d5475873fb3e326d +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 828 +media_type: text/plain +created_at: '2026-07-04T06:10:44.961349Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content new file mode 100644 index 0000000..8df3202 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/content @@ -0,0 +1,23 @@ +# vouchdev/vouch issue #78 + +Title: bug: kb.context returns archived/superseded claims; lifecycle + mutations never re-index FTS5 status +Author: galuis116 +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +0708c743ea2aacea1e820c8be60ceac0fd563dc7 2026-05-25 +fix(context,storage): exclude retracted claims from kb.context and reindex +FTS5 on update (#78) + +Verified with: + $ git log --oneline -E --grep="#78([^0-9]|$)" upstream/main + 0708c74 fix(context,storage): exclude retracted claims from kb.context and reindex FTS5 on update (#78) + +Corroborated by reading src/vouch/context.py directly: `_RETRACTED_CLAIM_STATUSES` +(ARCHIVED, SUPERSEDED, REDACTED) is defined and referenced as a filter, with a +comment: "Any retrieval surface that hands knowledge back to an agent must +exclude these — otherwise the archive/supersede/redact controls are decorative." + +Conclusion: fixed on main. The GitHub issue is still open. 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml new file mode 100644 index 0000000..0013e98 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27/meta.yaml @@ -0,0 +1,15 @@ +id: efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27 +type: issue +locator: https://github.com/vouchdev/vouch/issues/78 +title: 'vouchdev/vouch issue #78 + fix commit 0708c74' +hash: efb2f2cf4f7a0e2f98ef9fb6fc1734833ec1348be50bcb81a81bc8b677a11e27 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 948 +media_type: text/plain +created_at: '2026-07-04T06:10:34.304171Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content new file mode 100644 index 0000000..8ad14be --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/content 
@@ -0,0 +1,21 @@ +# vouchdev/vouch issue #93 + +Title: feat: `vouch approve --batch` for scriptable bulk approval +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +e7df0475328cdecf4918983cec6c127e4553b7e3 2026-05-26 +feat(cli): vouch approve accepts multiple ids for scriptable bulk approval (#93) + +Verified with: + $ git log --oneline -E --grep="#93([^0-9]|$)" upstream/main + e7df047 feat(cli): vouch approve accepts multiple ids for scriptable bulk approval (#93) + +Corroborated by `vouch approve --help` on the installed 1.1.0 CLI: +"Pass several ids to approve a batch in one call ... One audit event is +recorded per approved artifact." Both --keep-going (best-effort) and the +default all-or-nothing precheck are implemented. + +Conclusion: fixed on main. The GitHub issue is still open. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml new file mode 100644 index 0000000..15ce6fc --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068/meta.yaml @@ -0,0 +1,15 @@ +id: f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068 +type: issue +locator: https://github.com/vouchdev/vouch/issues/93 +title: 'vouchdev/vouch issue #93 + fix commit e7df047' +hash: f1d74de94468e031b9eb88b781d69d16c71797a64b7da1bf39fd43e30aab2068 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 830 +media_type: text/plain +created_at: '2026-07-04T06:10:50.554665Z' +metadata: {} +tags: [] 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content new file mode 100644 index 0000000..381c136 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/content @@ -0,0 +1,24 @@ +# vouchdev/vouch issue #100 + +Title: feat: richer scopes on Claim/Source — `(visibility, project, agent)` [VEP] +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Commit found on upstream/main + +0dba23287f6d9f8fb5a036a7c344793734f5bd92 2026-05-26 +docs(proposals): add VEP-0005 richer scopes on Claim/Source (draft) (#100) + +Verified with: + $ git log --oneline -E --grep="#100([^0-9]|$)" upstream/main + 0dba232 docs(proposals): add VEP-0005 richer scopes on Claim/Source (draft) (#100) + +Important nuance (see issue #189 in this same KB): this commit only adds the +VEP-0005 *proposal document*. It is not an implementation. Issue #189 +("Richer scopes on Claim/Source ... (VEP-0005)") is the tracking issue for +the actual feature and, as of this audit, has no matching commit on main or +test. + +Conclusion: #100 (write the VEP) is done; the underlying feature (#189) is +not. Both issues are open on GitHub, which is technically correct for #189 +but misleading for #100. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml new file mode 100644 index 0000000..78b64d0 --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7/meta.yaml 
@@ -0,0 +1,15 @@ +id: f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7 +type: issue +locator: https://github.com/vouchdev/vouch/issues/100 +title: 'vouchdev/vouch issue #100 + commit 0dba232, contrast with issue #189' +hash: f549fefbc32557f0f4b55ba774968ba5e4f4296022d49ac0fd2974467d2605c7 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 993 +media_type: text/plain +created_at: '2026-07-04T06:11:03.368195Z' +metadata: {} +tags: [] diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content new file mode 100644 index 0000000..fbcd76f --- /dev/null +++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/content @@ -0,0 +1,16 @@ +# vouchdev/vouch issue #95 + +Title: ux: `vouch serve` should fail clearly when no `.vouch/` KB is present +Author: plind-junior (COLLABORATOR) +State on GitHub at audit time: OPEN + +## Fix commit found on upstream/main + +1af95216f86cf2473045f2a633167a4b13f5f581 2026-05-29 +fix: vouch serve fails fast with clear hint when no KB is present (#95) + +Verified with: + $ git log --oneline -E --grep="#95([^0-9]|$)" upstream/main + 1af9521 fix: vouch serve fails fast with clear hint when no KB is present (#95) + +Conclusion: fixed on main. The GitHub issue is still open. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml new file mode 100644 index 0000000..767e9b1 --- /dev/null 
+++ b/examples/community/vouch-issue-tracker-audit/vouch/sources/f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3/meta.yaml @@ -0,0 +1,15 @@ +id: f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3 +type: issue +locator: https://github.com/vouchdev/vouch/issues/95 +title: 'vouchdev/vouch issue #95 + fix commit 1af9521' +hash: f92712389e056618ad749331fc6ad4bf756fc2a53918af2ea8de1d6754c03eb3 +immutable: true +scope: + visibility: project + project: null + agent: null +byte_size: 561 +media_type: text/plain +created_at: '2026-07-04T06:10:58.611868Z' +metadata: {} +tags: [] From 86c09707948423c8d73fae3205afa127d897ae24 Mon Sep 17 00:00:00 2001 
From: Jonathanchang31 <55106972+jonathanchang31@users.noreply.github.com> Date: Sat, 4 Jul 2026 11:27:50 +0200 Subject: [PATCH 2/2] docs(examples): fix scope wording and issue-count summary per PR review Addresses CodeRabbit's review on PR #358: - The README and both audit pages said "every open issue" was checked, which contradicted the very next sentence excluding issues already tied to another open PR. Reworded to state the actual in-scope set: 61 of 93 open issues, i.e. all except those already claimed by an in-flight PR. - The "11 of these 13 issues ... already resolved" summary double-counted #54 and #100 as fully fixed. #54's epic only shipped one of several tracks, and #100 only drafted a VEP document without building the feature it describes. Corrected to "9 of these 13", with #54 and #100 now called out explicitly as partial, alongside the already-separate #189 (open) and #168 (unfixed) callouts. The corresponding decided/ proposal records are updated to match the corrected page text, so the audit trail stays internally consistent (payload.body in decided/ mirrors the durable pages/*.md content, per `vouch doctor`/`fsck`). --- .../vouch-issue-tracker-audit/README.md | 9 ++++--- .../decided/20260704-061640-20537c0f.yaml | 26 +++++++++++++------ .../decided/20260704-062448-4d9f894f.yaml | 26 +++++++++++++------ ...ssue-tracker-audit-2026-07-04-rev-2-14-.md | 21 +++++++++------ ...uch-open-issue-tracker-audit-2026-07-04.md | 21 +++++++++------ 5 files changed, 67 insertions(+), 36 deletions(-) diff --git a/examples/community/vouch-issue-tracker-audit/README.md b/examples/community/vouch-issue-tracker-audit/README.md index b90a94d..c4f3352 100644 --- a/examples/community/vouch-issue-tracker-audit/README.md +++ b/examples/community/vouch-issue-tracker-audit/README.md 
@@ -8,10 +8,11 @@ documentation, submitted for issue [#338](https://github.com/vouchdev/vouch/issu - **Host:** Claude Code, driving the real `vouch` CLI (v1.1.0) directly — `vouch init`, `vouch source add`, `vouch propose-claim`, `vouch approve`, `vouch propose-page`, `vouch reindex`, `vouch doctor`. -- **What it's used for:** every open issue on `vouchdev/vouch` (93 at audit - time) was checked against `git log --grep` on `upstream/main` and - `upstream/test` for a commit resolving it, then spot-checked by reading the - relevant source directly. 13 of the resulting findings are proposed claims, +- **What it's used for:** every open issue on `vouchdev/vouch` not already + linked from another in-flight open PR (61 of 93 open issues at audit time) + was checked against `git log --grep` on `upstream/main` and `upstream/test` + for a commit resolving it, then spot-checked by reading the relevant source + directly. 13 of the resulting findings are proposed claims, each cited to a source file containing the real evidence (a `git log` transcript, a code excerpt, or an actual maintainer PR-review comment copied from GitHub). A 14th finding — a real bug in `vouch source add diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml index 80abb02..54b0004 100644 --- a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-061640-20537c0f.yaml 
@@ -9,17 +9,19 @@ payload: body: '## Method - Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced + All open issues in `vouchdev/vouch` not already linked from an in-flight - against `git log --grep` on `upstream/main` and `upstream/test` for a commit + open PR (61 of 93 open issues at audit time) were cross-referenced against + + `git log --grep` on `upstream/main` and `upstream/test` for a commit mentioning that issue number, then spot-checked by reading the relevant source file directly (not just trusting the commit message). Issues already - linked from an in-flight open PR were excluded up front, since those aren''t + tied to another open PR were excluded up front, since those aren''t stale — - stale — they''re just not merged yet. + they''re just not merged yet. ## Findings @@ -69,15 +71,23 @@ payload: bypass | **still unfixed**, security-relevant | - 11 of these 13 issues describe bugs or features that are already resolved in + 9 of these 13 issues describe bugs or features that are already resolved in code but left open on GitHub — likely because merges to non-default branches - (or squash-merge commits) don''t trigger GitHub''s auto-close. One (#189) is a + (or squash-merge commits) don''t trigger GitHub''s auto-close. Two more are + + only partially addressed: #54''s epic has one track (CLI output) shipped but + + its other tracks are still open, and #100''s VEP-0005 document was drafted + + but the (visibility, project, agent) scoping feature it describes was never + + built. One (#189) is a genuinely open, unclaimed implementation gap — the - genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) + tracking issue for that same undelivered VEP-0005 feature. One (#168) is a - is a real, unfixed, security-relevant bug with a maintainer review already on + real, unfixed, security-relevant bug with a maintainer review already on record (from a prior closed PR) describing exactly what a correct fix needs 
diff --git a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml index 6ea0912..1b6bbbc 100644 --- a/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml +++ b/examples/community/vouch-issue-tracker-audit/vouch/decided/20260704-062448-4d9f894f.yaml @@ -9,17 +9,19 @@ payload: body: '## Method - Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced + All open issues in `vouchdev/vouch` not already linked from an in-flight - against `git log --grep` on `upstream/main` and `upstream/test` for a commit + open PR (61 of 93 open issues at audit time) were cross-referenced against + + `git log --grep` on `upstream/main` and `upstream/test` for a commit mentioning that issue number, then spot-checked by reading the relevant source file directly (not just trusting the commit message). Issues already - linked from an in-flight open PR were excluded up front, since those aren''t + tied to another open PR were excluded up front, since those aren''t stale — - stale — they''re just not merged yet. + they''re just not merged yet. ## Findings 
@@ -71,15 +73,23 @@ payload: | — | `vouch source add --url` is a no-op | **self-found bug**, see below | - 11 of these 13 issues describe bugs or features that are already resolved in + 9 of these 13 issues describe bugs or features that are already resolved in code but left open on GitHub — likely because merges to non-default branches - (or squash-merge commits) don''t trigger GitHub''s auto-close. One (#189) is a + (or squash-merge commits) don''t trigger GitHub''s auto-close. Two more are + + only partially addressed: #54''s epic has one track (CLI output) shipped but + + its other tracks are still open, and #100''s VEP-0005 document was drafted + + but the (visibility, project, agent) scoping feature it describes was never + + built. One (#189) is a genuinely open, unclaimed implementation gap — the - genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) + tracking issue for that same undelivered VEP-0005 feature. One (#168) is a - is a real, unfixed, security-relevant bug with a maintainer review already on + real, unfixed, security-relevant bug with a maintainer review already on record (from a prior closed PR) describing exactly what a correct fix needs diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md index e50108b..0f84fc7 100644 --- a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md +++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04-rev-2-14-.md 
@@ -27,12 +27,13 @@ updated_at: '2026-07-04T06:24:49.036285Z' --- ## Method -Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced -against `git log --grep` on `upstream/main` and `upstream/test` for a commit +All open issues in `vouchdev/vouch` not already linked from an in-flight +open PR (61 of 93 open issues at audit time) were cross-referenced against +`git log --grep` on `upstream/main` and `upstream/test` for a commit mentioning that issue number, then spot-checked by reading the relevant source file directly (not just trusting the commit message). Issues already -linked from an in-flight open PR were excluded up front, since those aren't -stale — they're just not merged yet. +tied to another open PR were excluded up front, since those aren't stale — +they're just not merged yet. ## Findings 
@@ -53,11 +54,15 @@ stale — they're just not merged yet. | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant | | — | `vouch source add --url` is a no-op | **self-found bug**, see below | -11 of these 13 issues describe bugs or features that are already resolved in +9 of these 13 issues describe bugs or features that are already resolved in code but left open on GitHub — likely because merges to non-default branches -(or squash-merge commits) don't trigger GitHub's auto-close. One (#189) is a -genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) -is a real, unfixed, security-relevant bug with a maintainer review already on +(or squash-merge commits) don't trigger GitHub's auto-close. Two more are +only partially addressed: #54's epic has one track (CLI output) shipped but +its other tracks are still open, and #100's VEP-0005 document was drafted +but the (visibility, project, agent) scoping feature it describes was never +built. One (#189) is a genuinely open, unclaimed implementation gap — the +tracking issue for that same undelivered VEP-0005 feature. One (#168) is a +real, unfixed, security-relevant bug with a maintainer review already on record (from a prior closed PR) describing exactly what a correct fix needs to do. diff --git a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md index 18e3b2b..d29868f 100644 --- a/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md +++ b/examples/community/vouch-issue-tracker-audit/vouch/pages/vouchdev-vouch-open-issue-tracker-audit-2026-07-04.md 
@@ -26,12 +26,13 @@ updated_at: '2026-07-04T06:17:24.368096Z' --- ## Method -Every open issue in `vouchdev/vouch` (93 at audit time) was cross-referenced -against `git log --grep` on `upstream/main` and `upstream/test` for a commit +All open issues in `vouchdev/vouch` not already linked from an in-flight +open PR (61 of 93 open issues at audit time) were cross-referenced against +`git log --grep` on `upstream/main` and `upstream/test` for a commit mentioning that issue number, then spot-checked by reading the relevant source file directly (not just trusting the commit message). Issues already -linked from an in-flight open PR were excluded up front, since those aren't -stale — they're just not merged yet. +tied to another open PR were excluded up front, since those aren't stale — +they're just not merged yet. ## Findings 
@@ -51,11 +52,15 @@ stale — they're just not merged yet. | [#166](https://github.com/vouchdev/vouch/issues/166) | bundle import can overwrite audit log | fixed + merged (PR #183), open | | [#168](https://github.com/vouchdev/vouch/issues/168) | cross-agent approval bypass | **still unfixed**, security-relevant | -11 of these 13 issues describe bugs or features that are already resolved in +9 of these 13 issues describe bugs or features that are already resolved in code but left open on GitHub — likely because merges to non-default branches -(or squash-merge commits) don't trigger GitHub's auto-close. One (#189) is a -genuinely open, unclaimed implementation gap behind a drafted VEP. One (#168) -is a real, unfixed, security-relevant bug with a maintainer review already on +(or squash-merge commits) don't trigger GitHub's auto-close. Two more are +only partially addressed: #54's epic has one track (CLI output) shipped but +its other tracks are still open, and #100's VEP-0005 document was drafted +but the (visibility, project, agent) scoping feature it describes was never +built. One (#189) is a genuinely open, unclaimed implementation gap — the +tracking issue for that same undelivered VEP-0005 feature. One (#168) is a +real, unfixed, security-relevant bug with a maintainer review already on record (from a prior closed PR) describing exactly what a correct fix needs to do.
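Review bot: In the new content file for issue #166 (PATCH 1/2), the "Verified with" transcript only proves that the names FORBIDDEN_SAFETY_FLAGS and has_audit_log occur in src/vouch/bundle.py. It is cut with "..." right after line 164 (`if name == "audit.log.jsonl":`), so the reader never sees what the import path does when that branch is taken, and the upstream/test result is asserted in a parenthesis rather than shown. For a fix whose purpose is to protect the audit log, include the body of that branch or the name of the regression test from PR #183, plus the real upstream/test output. The closing guess about why GitHub did not auto-close the issue is hedged with "likely" but lives in a source whose meta.yaml says immutable: true; keep only what was observed in the evidence file.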
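Review bot: The issue #80 content file (PATCH 1/2), and the issue #95 one, which has the same shape, rest entirely on a `git log --grep` match against the commit subject, while the Method text in this series says findings were spot-checked by reading the source, "not just trusting the commit message". Either add a "Corroborated by reading ..." paragraph like the ones in the #92 and #78 sources, or state in the Conclusion that this finding was verified by commit message only. The transcript also queries upstream/main alone, although the README describes the check as covering upstream/main and upstream/test.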
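Review bot: In the issue #94 content file (PATCH 1/2), the Conclusion's parenthetical "(a VEP was apparently handled inline rather than blocking)" is inference stored as evidence, and the section is headed "Fix commit found" although the commit is a feat. There is also no code read behind it. Because this commit adds a network transport to `vouch serve`, a short excerpt showing what actually shipped would be worth more here than on the bug-fix findings; otherwise drop the parenthetical and rename the heading to "Commit found", as the #100 source already does.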
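Review bot: The issue #189 content file (PATCH 1/2) points the reader to "issue-100.md in this KB", but the sources in this patch are stored as `content` files under content-hash directories and no file of that name appears in the visible hunks, so the reference cannot be followed. Cite the #100 source by its id or locator instead. The statement that no open PR body references "Closes #189" / "Fixes #189" / "Resolves #189" carries the "genuinely open and unclaimed" conclusion but has no transcript; add the query that produced it, as was done for the `git log` check above it.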
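Review bot: In the issue #78 content file (PATCH 1/2), the corroboration covers only half of the issue title. It shows that `_RETRACTED_CLAIM_STATUSES` is used as a filter in src/vouch/context.py, which addresses "kb.context returns archived/superseded claims", but nothing is shown for "lifecycle mutations never re-index FTS5 status" beyond the words "reindex FTS5 on update" in the commit subject. Add the storage-side excerpt or narrow the Conclusion to the part that was actually read.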
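Review bot: The corroboration in the issue #93 content file (PATCH 1/2) quotes `vouch approve --help` from "the installed 1.1.0 CLI", which is a different artifact from the upstream/main tree the Conclusion speaks about, and the quote is elided with "...". Say how the installed 1.1.0 build relates to upstream/main, or take the help text from the branch itself, and quote it in full so the --keep-going and all-or-nothing claims can be checked against it.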
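Review bot: The reworded bullet in README.md (PATCH 2/2) now gives 61 of 93 as the in-scope set but does not say how the 32 excluded issues were identified, nor what the outcome was for the 48 checked issues that are not among the 13 findings. A one-line pointer to the query or source that produced the exclusion list, and a sentence on the remaining 48, would make the scope claim checkable. The reflow also leaves "directly. 13 of the resulting findings are proposed claims," as a short orphaned line; rewrap the bullet.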
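Review bot: Editing payload.body inside decided/20260704-061640-20537c0f.yaml, and making the same edit in decided/20260704-062448-4d9f894f.yaml (PATCH 2/2), changes what those records say was approved after the decision was taken, and the diffstat for this commit lists no change to audit.log.jsonl, so the trail holds no event for the correction. That sits badly with the first commit's statement that every claim was proposed and approved through the real CLI with no hand-authored artifacts. Prefer re-proposing the corrected page with `vouch propose-page` and approving it, so that a new decided record and audit event are written and the original records stay as they were decided.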
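Review bot: In both pages/*.md files (PATCH 2/2) the front-matter context line `updated_at` is left untouched, at 06:24:49Z for the rev-2 page and 06:17:24Z for the original, while the Method and Findings text beneath it changes in a commit dated 11:27 +0200. A reader comparing the page with its timestamp will take the "9 of these 13" wording as the text approved at that time. Either bump `updated_at` together with the body, or publish the correction as a new revision and leave these two pages as they were.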