Add Phase 3 hardware validation harness #83

Open: jmcte wants to merge 3 commits into main from codex/issue-43-hardware-validation

@jmcte commented May 24, 2026

Summary

  • adds scripts/validate-phase3-hardware.sh for fail-closed notarized APW.app hardware validation
  • documents the Phase 3 validation procedure and adds a report template that avoids credential capture
  • requires operator-recorded cancel, denied, and timeout observations before writing the report
  • automatically exercises an unsupported-domain request via --unsupported-url
  • updates the native-only redesign and security posture docs to point to the hardware validation proof path

Related issue: #43.

The remaining acceptance criteria require running the script on a real notarized host, recording success plus cancel/denied/timeout/unsupported-domain error paths, and attaching the completed report.

Verification

  • bash -n scripts/validate-phase3-hardware.sh - passed
  • ./scripts/validate-phase3-hardware.sh --help - passed
  • bash scripts/ci/run-fast-checks.sh - passed
  • git diff --check - passed

Notes

  • The validation script intentionally does not persist returned usernames or passwords.
  • apw app install is run from the validated APW.app parent directory so the CLI installs the same bundle that passed codesign, Gatekeeper, staple, and entitlement checks.
  • The generated report now fails closed unless the operator supplies the manual error-path observations required by issue #43 (Roadmap: real-hardware verification of Phase 3 broker on notarized build).
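
The fail-closed report gate and the credential-free success record described in the notes above, as an added bash sketch that is not the PR's scripts/validate-phase3-hardware.sh. The function names, argument order and report fields are hypothetical, and all sample values are constructed.

```bash
#!/usr/bin/env bash
# Added illustration; NOT the PR's scripts/validate-phase3-hardware.sh.
# Function names, argument order and report fields are hypothetical.

# Reduce a returned credential to presence flags so the secret values
# never reach the report. $1 = username, $2 = password.
credential_summary() {
  local user_state=absent pass_state=absent
  if [ -n "$1" ]; then user_state=present; fi
  if [ -n "$2" ]; then pass_state=present; fi
  printf 'username=%s password=%s' "$user_state" "$pass_state"
}

# Usage: write_phase3_report <report> <success-summary> <cancel> <denied> <timeout>
# Fail closed: a missing or whitespace-only observation aborts before any
# file is created, so an incomplete run cannot yield a plausible report.
write_phase3_report() {
  local report="$1" success="$2" pair tmp
  for pair in "cancel:${3:-}" "denied:${4:-}" "timeout:${5:-}"; do
    if [ -z "$(printf '%s' "${pair#*:}" | tr -d '[:space:]')" ]; then
      echo "refusing to write report: no ${pair%%:*} observation" >&2
      return 1
    fi
  done
  # Write to a temp file and rename, so a crash leaves no partial report.
  tmp="$(mktemp "${report}.XXXXXX")" || return 1
  {
    printf 'success_path: %s\n' "$success"
    printf 'cancel: %s\n' "$3"
    printf 'denied: %s\n' "$4"
    printf 'timeout: %s\n' "$5"
  } >"$tmp" && mv "$tmp" "$report"
}

# Constructed demo: the "denied" observation is blank, so nothing is written.
demo_dir="$(mktemp -d)"
write_phase3_report "$demo_dir/report.md" \
  "$(credential_summary 'demo-user' 'demo-secret')" \
  "operator cancelled prompt; CLI reported an error" "" \
  "no response before timeout; CLI reported an error" \
  || echo "report withheld"
rm -rf "$demo_dir"
```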

@jmcte requested a review from pheidon as a code owner May 24, 2026 00:57
@athena-omt added labels May 24, 2026: area:infra (Infrastructure, CI, release, governance, scripts, or repo setup); lane:ares (Ares validation/test lane); review:athena (Athena review governance requested); risk:medium (Medium-risk change; normal care required); state:waiting-checks (Waiting for CI/check status to settle); status:needs-review (PR is ready for Athena review)
@jmcte removed the state:waiting-checks (Waiting for CI/check status to settle) label May 24, 2026

@pheidon left a comment

Approved from Pheidon sweep. Phase 3 hardware validation docs/script changes are scoped, secret/fast/Rust checks are green, and the native Swift job is intentionally skipped for this non-native path.
