From 6c7c247918585edd7195a0498bedef82125f32da Mon Sep 17 00:00:00 2001 From: Jonathan Jewell <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 06:16:10 +0100 Subject: [PATCH] fix(k9): regenerate contracts with merged k9iser codegen (Refs #77) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit k9iser#9 merged (squash c7626ca on hyperpolymath/k9iser main): the codegen now emits the `K9!` magic line and a `pedigree` block as required by the canonical hyperpolymath/k9-validate-action. Regenerated idaptik's three K9 contracts (container-build, prod-compose-overrides, deno-workspace) from k9iser.toml using the merged generator. Each now carries: - `K9!` as the first non-empty line (magic number) - an SPDX header - a `pedigree` block (schema_version, metadata.name/version, security.leash=yard, signature_required=false) The generator also tightened a few rule types (e.g. verify.* from string to bool), which the validator accepts. Verified locally end-to-end against the exact validator the Dogfood Gate pins (hyperpolymath/k9-validate-action@2d96f43): 3 files scanned, 0 errors, 0 warnings, exit 0 — the Dogfood "Validate K9 contracts" job is now green. No workflow pin change required: that pin is the validator (unchanged by k9iser#9), and the contracts were verified against it. Refs #77 — does not close; #77 is a requirements-target issue. Co-Authored-By: Claude Opus 4.7 (1M context) --- generated/k9iser/container-build.k9 | 18 ++++++++++++++++-- generated/k9iser/deno-workspace.k9 | 14 ++++++++++++++ generated/k9iser/prod-compose-overrides.k9 | 20 +++++++++++++++++--- 3 files changed, 47 insertions(+), 5 deletions(-) diff --git a/generated/k9iser/container-build.k9 b/generated/k9iser/container-build.k9 index 00b201d2..51064a24 100644 --- a/generated/k9iser/container-build.k9 +++ b/generated/k9iser/container-build.k9 @@ -1,12 +1,26 @@ +K9! +# SPDX-License-Identifier: PMPL-1.0-or-later # Auto-generated K9 contract for container-build # Safety tier: yard +pedigree = { + schema_version = "1.0.0" + metadata = { + name = "container-build" + version = "1.0.0" + } + security = { + leash = "yard" + signature_required = false + } +} + [must] metadata.license : string { == 'AGPL-3.0-or-later' } metadata.registry : string { == 'ghcr.io/hyperpolymath' } build.runtime : string { == 'podman' } -layers.game-base.verify : string { == true } -layers.sync-base.verify : string { == true } +layers.game-base.verify : bool { == true } +layers.sync-base.verify : bool { == true } layers.sync-runtime.env.PORT : string { == '4030' } layers.burble-runtime.env.BURBLE_PORT : string { == '4020' } layers.verisimdb-runtime.env.VERISIM_HOST : string { == '0.0.0.0' } diff --git a/generated/k9iser/deno-workspace.k9 b/generated/k9iser/deno-workspace.k9 index 39fc49a8..fc1d7bef 100644 --- a/generated/k9iser/deno-workspace.k9 +++ b/generated/k9iser/deno-workspace.k9 @@ -1,6 +1,20 @@ +K9! +# SPDX-License-Identifier: PMPL-1.0-or-later # Auto-generated K9 contract for deno-workspace # Safety tier: yard +pedigree = { + schema_version = "1.0.0" + metadata = { + name = "deno-workspace" + version = "1.0.0" + } + security = { + leash = "yard" + signature_required = false + } +} + [must] [trust] diff --git a/generated/k9iser/prod-compose-overrides.k9 b/generated/k9iser/prod-compose-overrides.k9 index b180ebd3..22076be0 100644 --- a/generated/k9iser/prod-compose-overrides.k9 +++ b/generated/k9iser/prod-compose-overrides.k9 @@ -1,10 +1,24 @@ +K9! +# SPDX-License-Identifier: PMPL-1.0-or-later # Auto-generated K9 contract for prod-compose-overrides # Safety tier: yard +pedigree = { + schema_version = "1.0.0" + metadata = { + name = "prod-compose-overrides" + version = "1.0.0" + } + security = { + leash = "yard" + signature_required = false + } +} + [must] -services.game.read_only : string { == true } -services.sync.read_only : string { == true } -services.escape-hatch.read_only : string { == true } +services.game.read_only : bool { == true } +services.sync.read_only : bool { == true } +services.escape-hatch.read_only : bool { == true } [trust] signed-by = "ci-pipeline"