Commit graph

11 commits

Author SHA256 Message Date
Tyler J King
8ed9bf6413 feat(org-ops-core): add git_blob_hash utility, migrate test_evidence CID
Add git_hash module that computes SHA-1 blob hashes identical to
`git hash-object --stdin`. Includes BPF map key extraction that
handles both legacy sha256: and new gitsha1: CID formats.

Migrate TestRunResult::compute_cid() from custom SHA-256 to git
blob hash. New CID format: `gitsha1:{40 hex chars}`. File storage
path uses the full CID as filename (backward compatible for reads
since old files retain their sha256: names).

New dependency: sha1 0.10 (RustCrypto, same family as sha2).

See cid-reconciliation-audit.md Sites 1, 3.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 07:44:33 -04:00
Tyler J King
fdaf39eff2 refactor(ai_risk_analysis): migrate Chronicle emission to CloudEvents
Replace fake Forgejo push webhook for AI_RISK_ASSESSMENT with
structured CloudEvents 1.0. Event now carries confidence_score,
recommendation, test_results_analyzed, and diff_match as typed
fields instead of a flat message string.

Event rename: AI_RISK_ASSESSMENT -> GOV_AI_RISK_ASSESSMENT

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:54:31 -04:00
Tyler J King
8f2884d5fa refactor(apply_gate): migrate Chronicle emission to CloudEvents
Replace fake Forgejo push webhook for APPLY_AUTHORIZED with
structured CloudEvents 1.0. Event carries diff_hash and mfa_method
as typed fields.

Event rename: APPLY_AUTHORIZED -> GOV_APPLY_AUTHORIZED

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:53:56 -04:00
Tyler J King
869cc610b5 refactor(playbook_commands): migrate Chronicle emission to CloudEvents
Replace fake Forgejo push webhook construction with structured
CloudEvents 1.0 via ChronicleClient. All playbook governance events
now carry structured data fields (playbook name, corpus CID, exit
code, duration) instead of unstructured message strings.

Event renames:
- PLAYBOOK_STARTED -> GOV_PLAYBOOK_STARTED
- PLAYBOOK_COMPLETED -> GOV_PLAYBOOK_COMPLETED
- ACCORD_LOAD_FAILED -> GOV_ACCORD_LOAD_FAILED
- DIFF_MISMATCH_DETECTED -> GOV_DIFF_MISMATCH_DETECTED

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:53:26 -04:00
Tyler J King
92464b07c5 refactor(git_commands): migrate Chronicle emission to CloudEvents
Replace fake Forgejo push webhook construction with structured
CloudEvents 1.0 via ChronicleClient. Git commit SHAs are now used
as CloudEvent ids for COMMIT_CREATED and PUSH events, enabling
direct correlation between Chronicle entries and git history.

Event renames:
- REPO_CLONED -> GOV_REPO_CLONED
- COMMIT_CREATED -> GOV_COMMIT_CREATED
- GOVERNED_PUSH -> GOV_PUSH
- PR_CREATED -> GOV_PR_CREATED

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:51:42 -04:00
Tyler J King
cf744dd909 feat(org-ops-core): add ChronicleClient for CloudEvents emission
Replaces fake Forgejo push webhook pattern with structured
CloudEvents 1.0. Git-originated events use commit SHA as event id.
Non-git events use UUID v4.

No new dependencies — constructs CloudEvents JSON manually using
serde_json. Endpoint auto-derived from legacy webhook URL.

Ref: cid-reconciliation-audit.md Phase 1

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:45:19 -04:00
Tyler J King
d39fd692eb chore: remove dead reasoning_cid computation
The reasoning_cid was computed via SHA-256 but immediately discarded
(`let _ = reasoning_cid`). Remove the dead hash computation and the
now-unused sha2 import.

Ref: cid-reconciliation-audit.md Site 5

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-12 06:38:04 -04:00
Tyler J King
7107b2860a feat: wire GSAP into playbook runner — full AC→shell→CR loop
The governed playbook runner now:
1. Requests an AC from the GSAP broker before execution
2. Validates corpus CID + parameters CID + single-use
3. Executes the ansible playbook (unchanged)
4. Posts a Completion Receipt to the broker after execution

Environment variables:
  GSAP_BROKER_URL — Capstone broker endpoint
  GSAP_BEARER_TOKEN — JWT for broker auth
  GSAP_DRIVER_ID — identity driver (default: keycloak-guildhouse)
  GSAP_ACCORD_TEMPLATE — accord template (default: from GUILDHOUSE_ACCORD)
  GSAP_SESSION_DIR — local session state directory

Self-authorized mode:
  If GSAP_BROKER_URL not set, execution proceeds without AC/CR.
  Valid for development (GSAP §1.3). Not for production.

Error handling:
  ElevationRequired → shows activation instructions, aborts
  Denied → shows reason, aborts
  CorpusMismatch → shows CID diff, aborts
  CR delivery failure → stores locally, warns, does not abort

4/4 gsap_client unit tests passing.
Build clean with zero errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 13:15:54 -04:00
Tyler J King
aa5853d168 feat: GSAP client module — shell side of GSAP protocol
Implements the shell side of GCAP-SPEC-SHELLBOUND-BROKER-0001.
The broker (Capstone) issues ACs. This module consumes them.

GsapClient:
  authorize() — request AC, validate R-20/R-22/R-23/R-24
  complete() — post CR with 3x retry (R-29)

ConsumedContextRegistry:
  Filesystem-based replay prevention (R-22)

4/4 unit tests passing:
  test_corpus_mismatch, test_params_modified,
  test_replay_rejected, test_valid_ac

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 12:44:59 -04:00
Tyler J King
6912a46001 feat: bxnet-ops — BXNet governed shell
Fork of guildhouse/org-ops.
Binary: guildhouse-ops → bxnet-ops
DID: guildhouse.dev → bxnet.io
Upstream remote configured for sync.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 19:52:54 -04:00
242fb32180 Initial commit 2026-03-27 23:52:21 +00:00
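
The `gitsha1:` CID described in commit 8ed9bf6413, sketched as an added Python example (not code from this repository, which is Rust): the digest is SHA-1 over git's `blob <len>\0` header plus the content, and because the full CID is used as a filename, parsing accepts only a known prefix followed by an exact-length lowercase hex digest. The `parse_cid` name, the 64-character length for legacy `sha256:` CIDs and the lowercase-only rule are assumptions.

```python
import hashlib
import re

# Accepted CID shapes. 40 hex chars for "gitsha1" comes from the commit
# message; 64 hex chars for legacy "sha256" is an assumption (plain SHA-256).
_CID_RE = re.compile(r"(gitsha1):([0-9a-f]{40})|(sha256):([0-9a-f]{64})")


def git_blob_hash(content: bytes) -> str:
    """Return the hash `git hash-object --stdin` prints for `content`.

    Git does not hash the raw bytes: it prepends b"blob <decimal length>\\0",
    so the result differs from a plain SHA-1 of the same input.
    """
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def compute_cid(content: bytes) -> str:
    """New-format CID: 'gitsha1:' followed by 40 hex characters."""
    return "gitsha1:" + git_blob_hash(content)


def parse_cid(cid: str) -> tuple:
    """Split a CID into (scheme, hex_digest), rejecting anything malformed.

    fullmatch() means no path separators, whitespace or trailing newline
    can survive into a value that is later used as a filename.
    """
    m = _CID_RE.fullmatch(cid)
    if m is None:
        raise ValueError("malformed CID: %r" % cid)
    return (m.group(1) or m.group(3), m.group(2) or m.group(4))


if __name__ == "__main__":
    sample = b"hello\n"  # constructed sample input
    new_cid = compute_cid(sample)
    legacy_cid = "sha256:" + hashlib.sha256(sample).hexdigest()  # constructed
    for cid in (new_cid, legacy_cid, "gitsha1:../../etc/passwd"):
        try:
            print(cid, "->", parse_cid(cid))
        except ValueError as err:
            print("rejected:", err)
```
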