Skip to content

docs(#1772): document dual test-result architecture and trust chain#1773

Open
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/1772-doc-dual-test-arch
Open

docs(#1772): document dual test-result architecture and trust chain#1773
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/1772-doc-dual-test-arch

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown

Add documentation to AGENTS.md covering the dual-path test validation architecture introduced in PR #1770:

  • Architecture section: describes the parallel test validation paths
    (policy/release/test/ for pipeline task results vs
    policy/release/test_attestation/ for in-toto attestations) and their
    feature parity requirement.

  • Architecture section: documents the trust verification chain in
    policy/lib/intoto/trust.rego and its fail-closed behavior.

  • Common Change Patterns table: adds rows for test result validation
    changes and attestation trust verification modifications.

  • Key Conventions: adds note about Sigstore/OCI mock patterns needed
    for test_attestation tests.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com


Closes #1772

Post-script verification

  • Branch is not main/master (agent/1772-doc-dual-test-arch)
  • Secret scan passed (gitleaks — da5071a1d8a1e594609cd3c4c3ad6c640f85f6cf..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

Add documentation to AGENTS.md covering the dual-path test validation
architecture introduced in PR #1770:

- Architecture section: describes the parallel test validation paths
  (policy/release/test/ for pipeline task results vs
  policy/release/test_attestation/ for in-toto attestations) and their
  feature parity requirement.

- Architecture section: documents the trust verification chain in
  policy/lib/intoto/trust.rego and its fail-closed behavior.

- Common Change Patterns table: adds rows for test result validation
  changes and attestation trust verification modifications.

- Key Conventions: adds note about Sigstore/OCI mock patterns needed
  for test_attestation tests.

Closes #1772

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:13 PM UTC · Completed 8:21 PM UTC
Commit: 87c4a29 · View workflow run →

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unit-tests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fullsend-ai-review

Copy link
Copy Markdown

Review — approve

PR: #1773 — docs(#1772): document dual test-result architecture and trust chain
Scope: 1 file changed (AGENTS.md), +21/−0

Summary

Clean documentation-only PR that adds architectural context about the dual test-result validation paths and trust verification chain to AGENTS.md. All changes trace directly to issue #1772 with no scope creep.

Dimensions reviewed

Dimension Result
Correctness ✅ All 7 technical claims verified against source code
Security ✅ No secrets, injection patterns, or Unicode attacks
Intent & coherence ✅ Scope exactly matches issue #1772; no scope creep
Style & conventions ✅ Formatting, tone, and backtick usage consistent with existing AGENTS.md
Documentation currency ✅ All referenced file paths and identifiers verified as existing
Cross-repo contracts ⏭ Skipped — no exported interfaces modified

Technical accuracy verification

Every claim in the documentation was cross-checked against the actual source files:

  • policy/release/test_attestation/ — exists, validates in-toto test-result attestations via intoto.verified_statements_by_predicate
  • policy/release/test/ — exists, validates pipeline task results consuming TEST_OUTPUT from SLSA provenance ✓
  • policy/lib/intoto/trust.rego — exists, couples lib.intoto, lib.sigstore, lib.tekton, and OCI builtins. Header comment (lines 19–20) confirms the coupling ✓
  • Fail-closed behaviorverified_statements (line 51) uses Rego comprehension semantics; failed conditions silently exclude statements. Tests (test_malformed_blob, test_unrecognized_statement_type) confirm this behavior ✓
  • Test files — both test_attestation_test.rego and trust_test.rego exist and contain Sigstore/OCI mock infrastructure ✓
  • Consumer deny rulestest_attestation.rego contains multiple deny rules operating on _test_attestations sourced from verified_statements

No findings

No issues identified at any severity level. The documentation is technically accurate, well-placed within the existing document structure, and appropriately scoped to the linked issue.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • AGENTS.md

Labels: PR adds documentation to AGENTS.md

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment documentation Improvements or additions to documentation labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation requires-manual-review Review requires human judgment size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Document dual test-result architecture and trust chain in AGENTS.md

0 participants