[codec][P1] Byte-identity must be a real CI gate + freeze golden vectors (D1)

[ignromanov]

Re-audit 2026-05-29 (PR #7). The perpetuity guarantee (Rust↔TS byte-identity, schema v1 immutable) is not enforced by CI.

• (a) cross-impl gate is a no-op by default: ts-rust-parity — the only job comparing Rust WASM output against the deployed vl/app TS reference — is gated behind vars.TS_RUST_PARITY_ENABLED (unset) at .github/workflows/ci.yml:63, and ci-gate scores skipped as PASS (ci.yml:143-145). So Rust↔TS byte-identity is verified by nothing in default CI; intra-repo jobs only prove self-consistency vs frozen vectors.
• (b) golden vectors are not frozen: scripts/generate-vectors.ts:56 overwrites the committed vectors/v4-codec.json with no diff/equality gate, and the generator source has forked from the committed JSON.

Decision D1: frozen golden vectors become the self-contained cross-impl oracle (captured from the canonical TS reference at a pinned vl/app SHA); add a CI freeze-gate (generator diffs vs committed JSON, fails on mismatch); both Rust and TS assert against them; demote live vl/app parity to opt-in advisory.

Pre-publish blocker (not a merge blocker). Source: 43-agent audit, dimensions ci-gate + perpetuity-parity.

[ignromanov]

Kai re-audit 2026-05-29 — root cause of (a): the live job is a non-runnable scaffold, not just an unset var

Flipping TS_RUST_PARITY_ENABLED=true + adding the secret would make CI red, not green. Verified against vl/app at the pinned SHA (e4926b7) and HEAD (0c17b5a):

B1 — target export does not exist. scripts/ts-rust-parity.ts:44 hard-requires mod.encodeInvoiceCanonical from vl-app/src/features/invoice-codec/lib/encode.ts and exit 1s otherwise. git grep encodeInvoiceCanonical -- src/ in vl/app returns zero hits — at the pin, at HEAD, anywhere. The real export is encodeInvoice(invoice, salt?): Promise<string> (full base62 URL, async) — not a sync (invoice) => Uint8Array canonical-bytes function. The script was written against an intended vl/app API that was never added.

B2 — import resolution can't work under the current checkout. encode.ts imports @/entities/invoice, @/shared/config + siblings (./og-preview, ./tlv-map, ./security, ./chain-dict, ./app-dict). The job's sparse-checkout (ci.yml:73-75) pulls only src/features/invoice-codec + src/shared/lib/tlv-codec — so @/entities/invoice and @/shared/config are absent, and plain tsx run from the codec repo has no @/→src/ path-alias mapping (that lives in vl/app's tsconfig).

B3 — vl/app deps not installed. CI runs pnpm install in the codec repo, not vl-app; any runtime dep in the import chain won't resolve.

Implication for D1

This reinforces D1's "demote live vl/app parity to opt-in advisory + make frozen golden vectors the cross-impl oracle." The freeze-gate (generator diff vs committed JSON) is the real, self-contained gate and has none of B1–B3. The live job, to ever be even advisory-green, needs one of:

• Variant A (preferred): add a narrow encodeInvoiceCanonical(invoice): Uint8Array export to vl/app (pre-compression canonical layer, matching Rust's export), + widen sparse-checkout to src/entities/invoice + src/shared/config (+ transitives) and run via vl/app's own tsconfig/tsx with path aliases. Keeps the boundary "codec verified against real vl/app."
• Variant B (faster, dirtier): adapt the script to call existing encodeInvoice, decode the URL back to canonical bytes before compare — but then it also verifies the Brotli/base62 layer and couples to async.

Token/security layer (Shade co-review before enabling)

VOIDPAY_READ_TOKEN reads a private repo from a different org (void-layer/codec → ignromanov/voidpay). Constraints: fine-grained PAT, pinned to the single repo, contents:read only, rotation scheduled, personal-token-on-org-repo bus-factor noted. Fork PRs already can't see it (the if: gate + needs-secret design handles that).

Recommendation: treat freeze-gate (D1 part b) as the actual Phase-3 byte-identity gate (Task 0 in plan-phase3.md); keep the live ts-rust-parity job disabled and reclassify it as opt-in advisory pending Variant A. Do not create the secret / flip the var until A lands, to avoid a half-configured red state.

[ignromanov]

Status after PR #7 merge (15ad9cf, 2026-05-29). Remains a pre-publish gate — merge did not resolve it. Verified on main: (a) ts-rust-parity still gated behind vars.TS_RUST_PARITY_ENABLED and reports skipping in CI; (b) generate-vectors.ts still overwrites vectors/v4-codec.json with no freeze-gate. Partial improvement: a ci-gate meta-job (commit 7c6778c3) now distinguishes a sanctioned opt-out skip from an unexpected skip, but byte-identity itself is still enforced by nothing. D1 (freeze-gate + cross-impl oracle) is the active Phase-3 Task-0.

[ignromanov]

Session 2026-05-30 (kai-cto) — A2 implemented (local branch 056-phase3-a2-freeze-oracle, 285dd4b+294ad78, not yet pushed).

D1 ratified + executed:

• Frozen golden vectors are now the self-contained cross-impl oracle; CI freeze-gate runs in default lint-and-build (no vl/app checkout) with teeth — negative test proves a 1-nibble mutation is caught.
• content_hash = sha256 over committed vectors (immutability checksum); both Rust cargo test + TS pnpm test assert against the frozen JSON.
• Live ts-rust-parity demoted to opt-in advisory; skipped no longer scores as PASS (ci-gate requires lint-and-build success).
• Byte-identity vs DEPLOYED vl/app c658fff PROVEN: 21/21 round-trippable encoder vectors byte-identical (via scripts/vlapp-provenance.test.ts). The 2 decode_unknown_odd_tag_* (roundtrip:false) fixtures are decode-only, excluded from encoder provenance by design.
• Provenance recorded immutably in vectors/PROVENANCE.md.

Reviews: Iris PASS 6/6 AC; Shade PASS (no P0; P1 provenance-record + 3×P2 all fixed).
Decision: 2026-05-29-codec-d1-frozen-vectors-oracle. Status: implementation-complete, awaiting push + PR to main.