19 commits
c860cc9
vectors: add golden canonicalization tools (Py/Rust/Go) and entry vec…
flyingrobots Nov 3, 2025
957e499
cbor: add canonical tools (Py/Go) + CI; C step for blake3 over canoni…
flyingrobots Nov 3, 2025
b76047b
Update gitignore to include 'tmp/'
flyingrobots Nov 4, 2025
167dfe1
docs/spec: add FS↔M anchors + mapping table; model: add M‑x anchors
flyingrobots Nov 4, 2025
10f89cd
chore: remove accidental tmp/junit.xml and ignore tmp/
flyingrobots Nov 4, 2025
5b84d3d
merge: incorporate chore/mantine-v7 into docs/release-wasm-fs-m-ancho…
flyingrobots Nov 4, 2025
3b64ea8
docs+ci: merge chore/mantine-v7 stashed changes (README badges/notes,…
flyingrobots Nov 4, 2025
6478464
Update gitignore
flyingrobots Nov 4, 2025
8ecb871
tests(feedback): add checks for FEEDBACK.md items (WASM panic handler…
flyingrobots Nov 4, 2025
1b2d6c4
fix(wasm-demo): add #[panic_handler] for no_std and adjust panic hand…
flyingrobots Nov 4, 2025
521f848
feedback: mark WASM panic handler as Resolved with build evidence
flyingrobots Nov 4, 2025
08e6b7a
ci(release): tighten tag trigger to semver, add tag guard if:, add di…
flyingrobots Nov 4, 2025
6b12b04
docs(compliance): fix broken links to spec/model, reconstruct error t…
flyingrobots Nov 4, 2025
9d4468a
wasm-demo: enable size opts (strip=true, panic=abort); Makefile: remo…
flyingrobots Nov 4, 2025
d4fff2c
tests(feedback): stabilize wasm Makefile check in generator; all feed…
flyingrobots Nov 4, 2025
e95d20f
feedback: mark remaining items as Resolved/Already Fixed with evidenc…
flyingrobots Nov 4, 2025
0775342
tests(feedback): add remaining checks; fixes across docs/ci/harness; …
flyingrobots Nov 4, 2025
c580459
chore: remove FEEDBACK.md from branch (gitignored; kept tests and fix…
flyingrobots Nov 5, 2025
5c869e8
chore(wasm-demo): remove committed build artifacts; ignore target/ an…
flyingrobots Nov 5, 2025
41 changes: 41 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,41 @@
name: Release Artifacts

on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
Comment on lines +3 to +6

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify GitHub Actions glob pattern for semantic version tags.

Line 6's pattern - 'v[0-9]+.[0-9]+.[0-9]+' uses glob syntax (not regex). In GitHub Actions glob patterns, [0-9] is a character class (matches single digit), but + is literal (not a quantifier as in regex). This means the pattern matches v0.0.+ literally, not v1.2.3.

For semantic versioning (v1.2.3), the correct glob pattern should be:

  • - 'v[0-9]*.[0-9]*.[0-9]*' (wildcard for any digit sequence), or
  • - 'v[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*' (if stricter), or
  • Use regex syntax if GitHub Actions supports it in this context.

Verify the tag pattern behavior:

Or test locally by creating a tag matching your pattern and verifying the workflow triggers.


🌐 Web query:

GitHub Actions workflow tag filtering glob patterns semantic version

💡 Result:

Short answer: GitHub Actions uses glob patterns (not regular expressions) to match tag names in on.push.tags / tags-ignore, so you cannot strictly express full semver with regex quantifiers (like +). Use globs to approximate semver and, if you need exact semver validation, combine a permissive tag-glob with an in-workflow regex check.

Key points and examples

  • Docs: tags use shell-style globbing (*, **, ?, [chars], ! for negation). Exact doc reference. [1]
  • Globs you can use:
    • Match any v-prefixed semver-ish tag: tags: [ 'v*' ] — matches v1, v1.2.3, v1.2.3-alpha, etc. [1]
    • Match major only or major.minor: tags: [ 'v1.' ] or [ 'v1..*' ] — approximates numeric components but does not enforce digits. [1]
    • Use character classes to require digits at a specific position (single digit only): tags: [ 'v[0-9].[0-9].[0-9]' ] — but this only matches single digits and cannot express "one or more" digits. [1][2]
  • What you cannot do: express regex-like quantifiers (e.g., + for one-or-more digits) or full semver rules inside the tags glob — globs lack that expressiveness. Many people mistakenly try regex (e.g., ^v[0-9]+.[0-9]+.[0-9]+) and it won't work. [2][3]

Recommended pattern (practical)

  • Trigger on a permissive glob, then validate inside the job:
    • on:
      push:
      tags: [ 'v*' ]
    • In the first job step, check github.ref (or github.ref_name) with a proper regex (bash, node, or an action). If it doesn't match your semver regex (for example ^v[0-9]+.[0-9]+.[0-9]+(-[0-9A-Za-z.-]+)?$), exit/skip the rest. This gives exact semver enforcement while keeping the trigger reliable. [1][2][3]

References

  • GitHub Actions workflow syntax (tags/globs). [1]
  • Stack Overflow examples & explanation that tags use globs (not regex) and common pitfalls. [2][3]

Fix the tag glob pattern—it will not trigger on semantic version releases.

GitHub Actions uses shell-style globbing (not regex) for tags, so quantifiers like + are treated as literal characters, not as "one or more" operators. The pattern 'v[0-9]+.[0-9]+.[0-9]+' is fundamentally broken: it won't match v1.2.3 at all; it will only match tags containing literal + characters.

Use a permissive glob like v* and validate the exact semver format with a regex check inside the workflow. Alternatively, if a stricter glob is preferred: 'v[0-9]*.[0-9]*.[0-9]*' (though this still lacks strict digit-only enforcement).

Current line 6:

      - 'v[0-9]+.[0-9]+.[0-9]+'

Change to:

      - 'v*'

Then add a validation step early in your job to enforce exact semver matching.

🤖 Prompt for AI Agents
.github/workflows/release.yml lines 3-6: the tag pattern uses regex-like
quantifiers so it won't match semantic version tags (e.g., v1.2.3); replace the
trigger with a permissive glob such as 'v*' and add an early workflow step in
the job to validate the tag against a proper semver regex, failing the job if it
does not match (alternatively use a stricter glob like 'v[0-9]*.[0-9]*.[0-9]*'
if you want some bounding but still perform exact validation in the workflow).


permissions:
contents: write

jobs:
release:
if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Prepare assets
run: |
set -euo pipefail
for dir in schemas tests/vectors scripts/vectors; do
if [ ! -d "$dir" ]; then
echo "ERROR: Required directory '$dir' not found" >&2
exit 1
fi
done
mkdir -p dist
zip -r dist/schemas.zip schemas
zip -r dist/vectors.zip tests/vectors scripts/vectors
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
files: |
dist/schemas.zip
dist/vectors.zip
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
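Review bot: `uses: softprops/action-gh-release@v2` and `uses: actions/checkout@v4` are referenced by mutable tags in a workflow that grants `contents: write` at the top level, so whatever those tags point to at release time runs with a token that can write to the repository and create releases. Pin both actions to a full commit SHA (keep the version in a trailing comment) and move `permissions: contents: write` from the workflow level down to the `release` job, so any job added later starts read-only. The `if:` guard only checks `startsWith(github.ref, 'refs/tags/v')`, which is looser than the tag filter; if it is meant as a second check, it should validate the full version shape.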
35 changes: 35 additions & 0 deletions .github/workflows/vectors-cbor.yml
@@ -0,0 +1,35 @@
name: CBOR Vectors (Python/Go)

on:
push:
branches: [ main ]
pull_request:

Comment on lines +3 to +7

🧹 Nitpick | 🔵 Trivial

Fix YAML formatting for consistency.

Static analysis flags several style issues: bracket/brace spacing, truthy values, extra blank lines.

Apply these formatting fixes:

 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:

And at line 24:

-        with: { go-version: '1.21.x' }
+        with: {go-version: '1.21.x'}

And remove the trailing blank line at the end of the file.

Based on static analysis.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 3-3: truthy value should be one of [false, true]

(truthy)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 5-5: too many spaces inside brackets

(brackets)

🤖 Prompt for AI Agents
In .github/workflows/vectors-cbor.yml around lines 3-7 and at line 24, the YAML
has inconsistent formatting (bracket/brace spacing), improper truthy values,
extra blank lines and a trailing blank line at EOF; fix by normalizing lists to
block style (e.g. replace inline brackets with a dash list for branches), ensure
boolean-like values are proper lowercase true/false or omitted per GitHub
Actions schema, remove unintended extra blank lines (including the trailing
blank line at end of file), and correct spacing around braces/brackets to match
repo style so the file passes static analysis.

jobs:
cbor-vectors:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Python cbor id
id: py
run: |
python -m pip install --upgrade pip cbor2 blake3
python scripts/vectors/python/cbor_canon.py tests/vectors/core/entry_canonical.json > py_cbor_id.txt
echo "id=$(cat py_cbor_id.txt)" >> $GITHUB_OUTPUT
- name: Go cbor id
id: go
uses: actions/setup-go@v5
with: { go-version: '1.21.x' }
- run: |
cd scripts/vectors/go-cbor && go build -o ../../bin_lk_cbor_go .
scripts/bin_lk_cbor_go tests/vectors/core/entry_canonical.json > go_cbor_id.txt
echo "id=$(cat go_cbor_id.txt)" >> $GITHUB_OUTPUT
- name: Compare CBOR IDs
run: |
echo "Python CBOR: ${{ steps.py.outputs.id }}"
echo "Go CBOR: ${{ steps.go.outputs.id }}"
test "${{ steps.py.outputs.id }}" = "${{ steps.go.outputs.id }}"
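Review bot: `id: go` sits on the `uses: actions/setup-go@v5` step, while the unnamed `- run:` step after it is the one that writes `id=...` to `$GITHUB_OUTPUT`, so `steps.go.outputs.id` in "Compare CBOR IDs" never receives the Go tool's value. Give the `run` step its own `name` and `id: go` and drop the `id` from the setup step, the way vectors-matrix.yml separates "Set up Go" from "Go compute id". Two smaller points in the same hunk: there is no Python setup step before `python -m pip install`, and `cbor2 blake3` are installed without version pins, which is at odds with a job whose purpose is to prove byte-for-byte reproducible identifiers.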
68 changes: 68 additions & 0 deletions .github/workflows/vectors-matrix.yml
@@ -0,0 +1,68 @@
name: Canonicalization Vectors (Python/Rust/Go)

on:
push:
branches: [ main ]
pull_request:
Comment on lines +3 to +6

🧹 Nitpick | 🔵 Trivial

Fix YAML formatting for consistency.

Static analysis flags style issues with brackets and truthy values (same as vectors-cbor.yml).

Apply these formatting fixes:

 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:

And at lines 17, 40 for braces spacing.

Based on static analysis.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 3-3: truthy value should be one of [false, true]

(truthy)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 5-5: too many spaces inside brackets

(brackets)

🤖 Prompt for AI Agents
In .github/workflows/vectors-matrix.yml around lines 3 to 6, change the inline
array and empty key style to the repository convention: replace "branches: [
main ]" with a block style "branches:" followed by "- main", and replace the
bare "pull_request:" with an explicit empty mapping "pull_request: {}". Also at
lines 17 and 40 fix brace spacing to match project style by adding a single
space after '{' and before '}' (e.g. "{ value }" not "{value}").


jobs:
vectors:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with: { python-version: '3.x' }
- name: Install python deps
run: python -m pip install --upgrade pip blake3
- name: Python compute id
id: py
run: |

⚠️ Potential issue | 🟡 Minor

Unquoted variable expansions: Quote $GITHUB_OUTPUT to satisfy ShellCheck SC2086.

Lines 22, 34, 46 expand $GITHUB_OUTPUT without quotes. Although unlikely in GitHub Actions (where the path is controlled and safe), ShellCheck SC2086 flags this as a best practice violation. Apply quotes defensively:

-          echo "id=$(cat py_id.txt)" >> $GITHUB_OUTPUT
+          echo "id=$(cat py_id.txt)" >> "$GITHUB_OUTPUT"

Apply the same fix on lines 34 and 46.

Also applies to: 34-34, 46-46

🧰 Tools
🪛 actionlint (1.7.8)

22-22: shellcheck reported issue in this script: SC2086:info:2:31: Double quote to prevent globbing and word splitting

(shellcheck)

🤖 Prompt for AI Agents
.github/workflows/vectors-matrix.yml lines 22, 34, 46: ShellCheck SC2086 flags
unquoted expansions of $GITHUB_OUTPUT; update each occurrence to quote the
variable (use "$GITHUB_OUTPUT" wherever currently using $GITHUB_OUTPUT) to
prevent word-splitting/expansion issues, and apply the same change to all three
lines.

python scripts/vectors/python/canon.py tests/vectors/core/entry_canonical.json > py_id.txt
echo "id=$(cat py_id.txt)" >> $GITHUB_OUTPUT
- name: Set up Rust
uses: dtolnay/rust-toolchain@stable
- name: Build Rust tool
run: |
cd scripts/vectors/rust
cargo build --release
- name: Rust compute id
id: rs
run: |
scripts/vectors/rust/target/release/lk_canon_rust tests/vectors/core/entry_canonical.json > rs_id.txt
echo "id=$(cat rs_id.txt)" >> $GITHUB_OUTPUT
- name: Set up Go
uses: actions/setup-go@v5
with: { go-version: '1.21.x' }
- name: Build Go tool
run: |
cd scripts/vectors/go && go build -o ../../bin_lk_canon_go .
- name: Go compute id
id: go
run: |
scripts/bin_lk_canon_go tests/vectors/core/entry_canonical.json > go_id.txt
echo "id=$(cat go_id.txt)" >> $GITHUB_OUTPUT
- name: Compare IDs
run: |
echo "Python: ${{ steps.py.outputs.id }}"
echo "Rust: ${{ steps.rs.outputs.id }}"
echo "Go: ${{ steps.go.outputs.id }}"
test "${{ steps.py.outputs.id }}" = "${{ steps.rs.outputs.id }}"
test "${{ steps.rs.outputs.id }}" = "${{ steps.go.outputs.id }}"
- name: C (blake3) check over canonical bytes
run: |
sudo apt-get update && sudo apt-get install -y libblake3-dev
echo -n "${{ steps.py.outputs.id }}" > py_id_hex
# Compute canonical bytes via Python tool
python scripts/vectors/python/canon.py tests/vectors/core/entry_canonical.json > can.txt
# Compile the C tool and pipe canonical bytes into it
gcc -O2 -lblake3 -o c_b3sum scripts/vectors/c/blake3_id.c
./c_b3sum < can.txt > c_id.txt
echo "C: $(cat c_id.txt)"
test "$(cat c_id.txt)" = "${{ steps.py.outputs.id }}"
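Review bot: In the "C (blake3) check over canonical bytes" step, `python scripts/vectors/python/canon.py tests/vectors/core/entry_canonical.json > can.txt` is the same command the `py` step runs to produce `py_id.txt`, yet here its output is treated as canonical bytes and hashed again by `c_b3sum`. One of the two readings has to be wrong: either `can.txt` holds the id, and hashing it cannot reproduce `steps.py.outputs.id`, or the earlier steps compare canonical text rather than ids. Make the tool's two outputs explicit and feed the C check the bytes, not the id. Also put `-lblake3` after `scripts/vectors/c/blake3_id.c` on the `gcc` line, since a library listed before the object that needs it can be dropped by the linker.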
Comment on lines +58 to +68

⚠️ Potential issue | 🟡 Minor

Dead variable: Remove unused py_id_hex assignment (line 61).

Line 61 writes the Python ID hexadecimal output to a file but never references py_id_hex afterward:

echo -n "${{ steps.py.outputs.id }}" > py_id_hex

The file is created and immediately discarded. Remove this line or justify its use if it serves a debugging purpose.

🤖 Prompt for AI Agents
In .github/workflows/vectors-matrix.yml around lines 58 to 68 the workflow
writes the step output to a temporary file with `echo -n "${{
steps.py.outputs.id }}" > py_id_hex` but that file is never used; remove that
line to eliminate the dead variable, or if it was intended for debugging,
document its purpose and reference the file later (or gate it behind a
conditional/step that only runs in debug mode).

4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -67,3 +67,7 @@ fastlane/test_output
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/*.code-snippets
# Temp artifacts
tmp/

FEEDBACK.md
Comment on lines +70 to +73

🧹 Nitpick | 🔵 Trivial

Trailing blank line after new section.

Lines 72-73 contain a blank line after FEEDBACK.md. While not technically harmful, this introduces a trailing blank line that diverges from the structure of prior sections (e.g., lines 59-60 after fastlane section). For consistency and minimal git diffs, remove the extra blank line.

~# Temp artifacts
~tmp/
~
~FEEDBACK.md
+# Temp artifacts
+tmp/
+
+FEEDBACK.md

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .gitignore around lines 70 to 73, there's an extra trailing blank line after
the new "FEEDBACK.md" entry; remove the blank line so the section ends
immediately after "FEEDBACK.md" to match the formatting of prior sections and
minimize diffs.

13 changes: 13 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,13 @@
# Changelog

## v0.1.0 (proposed)

- Spec spine: Model (M‑1..M‑9), Formal Spec (FS‑1..FS‑14)
- Wire Format: JSON canonical profile (+ optional CBOR profile), BLAKE3‑256 id, domain‑separated signing input
- Compliance: levels (Core/Policy/WASM), checks C‑1..C‑5, report schema
- Schemas: entry, attestation, policy_result, compliance_report (+ aliases)
- Vectors: Python/Rust/Go canonicalization tools; JSON golden vector; CI matrix that fails on divergence
- Orchestrator: minimal TOML‑driven runner that emits compliance.json and validates against schema
- WASM Policy ABI: deterministic host interface and constraints
- Implementers Guide and CLI harness docs

88 changes: 64 additions & 24 deletions README.md
@@ -1,6 +1,9 @@
# Ledger-Kernel

[![Docs (VitePress)](https://github.com/flyingrobots/ledger-kernel/actions/workflows/docs.yml/badge.svg)](https://flyingrobots.github.io/ledger-kernel/) [![Site](https://img.shields.io/badge/docs-site-blue?logo=github)](https://flyingrobots.github.io/ledger-kernel/)
> [!IMPORTANT]\
> This project is under construction.

[![Docs](https://img.shields.io/badge/docs-website-0b7285?logo=readthedocs)](https://flyingrobots.github.io/ledger-kernel/) [![Docs Build](https://github.com/flyingrobots/ledger-kernel/actions/workflows/docs.yml/badge.svg)](https://github.com/flyingrobots/ledger-kernel/actions/workflows/docs.yml) [![Spec Version](https://img.shields.io/github/v/tag/flyingrobots/ledger-kernel?label=spec%20version)](https://github.com/flyingrobots/ledger-kernel/tags)

**Git-native, cryptographically verifiable, append-only ledgers with policy enforcement.**

Expand All @@ -12,15 +15,15 @@

**Ledger-Kernel** is a formal specification and reference implementation ([`libgitledger`](https://github.com/flyingrobots/libgitledger)) for building verifiable, append-only ledgers directly on top of Git’s object model.

Unlike blockchains or SaaS audit logs, **Ledger-Kernel is just Git**.
Unlike blockchains or SaaS audit logs, **Ledger-Kernel is just Git**.\
It adds deterministic replay, cryptographic attestation, and programmable policy enforcement without introducing new infrastructure.

It uses existing `.git` storage, requiring no daemons or databases. It enforces fast-forward-only semantics to ensure history is immutable and guarantees deterministic replay, where identical input always yields identical state. Every entry is attested for non-repudiable authorship, and the system supports WASM-based policies for validation.

✅ **It's _just_ Git!** No custom storage, no daemons, just `.git`.
✅ Enforces fast-forward-only semantics. History is immutable by design.
✅ Provides deterministic replay. Same entries = same state, always.
✅ Cryptographically attests every entry. Non-repudiable authorship.
✅ **It's _just_ Git!** No custom storage, no daemons, just `.git`.\
✅ Enforces fast-forward-only semantics. History is immutable by design.\
✅ Provides deterministic replay. Same entries = same state, always.\
✅ Cryptographically attests every entry. Non-repudiable authorship.\
✅ Supports programmable policies. WASM-based rules for entry validation.

### Why Use It?
Expand Down Expand Up @@ -77,7 +80,8 @@ The architecture is layered. The Kernel Spec defines the formal model and invari

## Core Invariants

Every compliant implementation **MUST** enforce:
Every compliant implementation **MUST** enforce:\

| Invariant | Meaning |
|---|---|
| Append-Only | Entries cannot be modified or deleted |
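Review bot: The trailing backslash added to `Every compliant implementation **MUST** enforce:\` is followed by a blank line, so there is no next line in the paragraph for it to break to, and Markdown renders a backslash at the end of a paragraph literally. Drop the `\` on this line and keep the blank line before the table.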
Expand Down Expand Up @@ -126,25 +130,60 @@ Documentation
- How to run the harness (user‑facing): `docs/cli/harness.md`.
- Implementers Guide (repo setup, CLI contract, CI snippets): `docs/implementation/implementers.md`.

## Documentation Quick Links

Spec
- Overview: `docs/spec/overview.md`
- Model (hybrid with M‑x call‑outs): `docs/spec/model.md`
- Formal Spec (FS‑1..FS‑14): `docs/spec/formal-spec.md`
- Wire Format (JSON canonical profile + optional CBOR): `docs/spec/wire-format.md`
- Compliance (levels, checks C‑1..C‑5, report schema): `docs/spec/compliance.md`
- Deterministic WASM Policy ABI (FS‑9): `docs/spec/policy-wasm.md`
- Versioning & Releases: `docs/spec/versioning.md`

CLI / DX
- Running the Compliance Harness: `docs/cli/harness.md`
- Implementers Guide: `docs/implementation/implementers.md`

Schemas & Vectors
- Compliance Report Schema: `schemas/compliance_report.schema.json`
- Entry / Attestation / PolicyResult Schemas: `schemas/entry.schema.json`, `schemas/attestation.schema.json`, `schemas/policy_result.schema.json`
- Schema aliases (for convenience): `schemas/entry.json`, `schemas/attest.json`, `schemas/policy.json`
- Golden vector (JSON): `tests/vectors/core/entry_canonical.json`
- Canonicalization tools: Python `scripts/vectors/python/canon.py`, Rust `scripts/vectors/rust`, Go `scripts/vectors/go`, C blake3 `scripts/vectors/c/blake3_id.c`
- CBOR tools: Python `scripts/vectors/python/cbor_canon.py`, Go `scripts/vectors/go-cbor`

Orchestrator & Linter
- Polyglot orchestrator (TOML → compliance.json): `scripts/harness/run.sh` (see `scripts/harness/README.md`)
- Sample config: `scripts/harness/config.sample.toml`
- Spec linter (id/signing/schema): `scripts/lint/spec_lint.py`

CI
- JSON matrix (fail on divergence): `.github/workflows/vectors-matrix.yml`
- CBOR matrix: `.github/workflows/vectors-cbor.yml`

Reference implementation
- Portable C reference: https://github.com/flyingrobots/libgitledger

## Quick Start

1. **Install libgitledger**

```bash
git clone https://github.com/flyingrobots/ledger-kernel
cd ledger-kernel && make && sudo make install
```

2. **Initialize a Ledger**

```bash
git init my-ledger
cd my-ledger
git ledger init --namespace prod/deploys
```

3. **Append an Entry**

```bash
git ledger append \
  --ref refs/_ledger/prod/deploys \
Expand All @@ -153,6 +192,7 @@ Reference implementation
```

4. **Replay & Verify**

```bash
git ledger replay  --ref refs/_ledger/prod/deploys
git ledger verify  --ref refs/_ledger/prod/deploys
Expand Down Expand Up @@ -201,10 +241,10 @@ git mind query "show me all TODO items"

## Security Model

**Traceability**: Every entry is cryptographically signed.
**Non-Repudiation**: Compliance proofs are emitted per operation.
**Monotonic Atomicity**: Ledger refs advance only by fast-forward.
**Programmable Authorization**: WASM policies act as rule gates.
**Traceability**: Every entry is cryptographically signed.\
**Non-Repudiation**: Compliance proofs are emitted per operation.\
**Monotonic Atomicity**: Ledger refs advance only by fast-forward.\
**Programmable Authorization**: WASM policies act as rule gates.\
**Offline Verifiability**: Anyone with read access can replay history.

---
Expand All @@ -227,23 +267,23 @@ Compliance levels progress from Core (eight mandatory invariants) to Verified (i

---

## Project Status
## Project Status

### v0.1.0 (Draft Specification)

The specification is finalized (✅).
The [`libgitledger`](https://github.com/flyingrobots/libgitledger) reference implementation and the compliance test suite are both in progress (🚧).
The specification is finalized (✅).\
The [`libgitledger`](https://github.com/flyingrobots/libgitledger) reference implementation and the compliance test suite are both in progress (🚧).\
[Shiplog](https://github.com/flyingrobots/shiplog) integration using libgitledger and the WASM policy engine are planned for the future (🔜).

---

## Acknowledgments

This project acknowledges
This project acknowledges

Git ([Linus Torvalds](https://github.com/torvalds)) for the content-addressed DAG
[Certificate Transparency](https://certificate.transparency.dev/) for append-only logs
[Sigstore](https://www.sigstore.dev/) for supply-chain attestations
Git ([Linus Torvalds](https://github.com/torvalds)) for the content-addressed DAG\
[Certificate Transparency](https://certificate.transparency.dev/) for append-only logs\
[Sigstore](https://www.sigstore.dev/) for supply-chain attestations\
and [Nix](https://nixos.org/) for deterministic builds.

---
Expand Down Expand Up @@ -276,8 +316,7 @@ Shiplog captures stdout, stderr, exit code, timestamp, author, and reason - the

<img alt="wesley" src="https://github.com/user-attachments/assets/23e9810c-3f45-4696-8b78-2467f059f83b" width="200" align="right" />


Stop describing your data model six times in six different files.
Stop describing your data model six times in six different files.\
Everyone else generates GraphQL from databases. Wesley flips the stack and generates databases from GraphQL.

From one schema, Wesley compiles your entire backend:
Expand All @@ -289,7 +328,7 @@ From one schema, Wesley compiles your entire backend:
- pgTAP tests
- A SHA-locked "Shipme" certification file for zero-downtime deployments

Your schema is the source of truth. Everything else is a compilation target.
Your schema is the source of truth. Everything else is a compilation target.\
Banish drift. Never think about migrations again. Describe your shapes once and let Wesley handle the rest.

_Go on, deploy on a Friday._
Expand All @@ -302,6 +341,7 @@ _Go on, deploy on a Friday._
git mind ingest notes/
git mind query "show me all TODO items"
```

> _Version your thoughts. Branch your ideas. Merge understanding._

`git-mind` is an open-source protocol and toolkit that turns Git into a database-less, version-controlled semantic knowledge graph — a tool for distributed cognition, evolving interpretation, and human–AI co-thought.
Expand All @@ -310,15 +350,15 @@ git mind query "show me all TODO items"

## Contact

**Author**: _J. Kirby Ross_
**Email**: [james@flyingrobots.dev](mailto:james@flyingrobots.dev)
**Author**: _J. Kirby Ross_\
**Email**: [james@flyingrobots.dev](mailto:james@flyingrobots.dev)\
**GitHub**: [flyingrobots](https://github.com/flyingrobots)

---

## License

MIT License (_with Ethical Use Clause_) · **© 2025 J. Kirby Ross**
MIT License (_with Ethical Use Clause_) · **© 2025 J. Kirby Ross**\
_See [`LICENSE`](./LICENSE) and [`NOTICE`](./NOTICE.md) for terms._

> _“Provenance without clutter. Policy as infrastructure. Zero SaaS, zero guesswork.”_
4 changes: 4 additions & 0 deletions docs/.vitepress/config.ts
Expand Up @@ -8,6 +8,10 @@ export default withMermaid(defineConfig({
// Keep while we reshuffle content into the new IA
ignoreDeadLinks: true,
themeConfig: {
footer: {
message: 'Spec docs built with VitePress · Latest version: see GitHub tags',
copyright: '© 2025 Ledger‑Kernel authors'
},
nav: [
{ text: 'Spec', link: '/spec/', activeMatch: '^/spec/' },
{ text: 'Reference Implementation', link: '/implementation/', activeMatch: '^/implementation/' },