| Field | Value |
|---|---|
| Decision ID | ADR-019 |
| Initiative | unsorry Phase 3 — soundness hardening (issue #190) |
| Proposed By | unsorry maintainers (findings: external review, issue #190) |
| Date | 2026-06-12 |
| Status | Accepted |
In the context of a repository whose whole trust story is “two CI gates, no human review”, which makes the gates’ own execution environment — the workflow files, the audit tooling, and the third-party actions they invoke — part of the trusted computing base,
facing issue #190’s remaining findings: HIGH, a same-repo PR runs the PR head’s copy of gate-a.yml and can neuter it (continue-on-error, dropped steps) with no ownership over .github/workflows/, tools/gate_a/, or AxiomAudit/; MEDIUM, third-party actions referenced by mutable tags (@v1, @v4) are a supply-chain surface (a compromised tag rewrites the gate’s runtime); LOW, the audit’s acceptance corpus never covers opaque declarations,
we decided for a three-part hardening: (1) every action pinned to a commit SHA (@<sha> # vX.Y.Z) at the latest stable release of its current major, across all five workflows; (2) CODEOWNERS over the trust-bearing paths (.github/, tools/gate_a/, tools/gate_b/, AxiomAudit/, AuditFixtures/, swarm/, lakefile, toolchain) plus docs/security-checklist.md recording the repository settings half (require-codeowner-review, force-push blocks, tag protection) with the honest solo-maintainer trade-off and the explicit recommendation to flip the review requirement before opening to untrusted contributors; and (3) an Opaque.lean fixture pinning that opaque constants (sound — the kernel demands an Inhabited witness) neither trip nor crash the audit,
and neglected bumping actions across majors while hardening (a behaviour change is the wrong passenger on a security PR; §11 currency is satisfied at the latest stable of each major in use), an in-repo workflow-hash self-check (a PR that can edit the workflow can edit the self-check — only platform settings sit outside the PR’s reach), and enabling require-codeowner-review immediately (GitHub does not count self-approval, so under the current solo flow it blocks the maintainer’s own tooling PRs for zero adversary benefit today),
to achieve a gate runtime that cannot be silently swapped from inside a PR or from a compromised upstream tag, with the residual platform-settings work visible as a checklist instead of assumed,
accepting that pinned SHAs need periodic manual refresh (the comment carries the version for auditability), CODEOWNERS is inert until the corresponding setting is enabled (recorded, with the enablement condition stated), and the settings half remains unverifiable from the tree.
Completes the #190 fixes alongside ADR-018. The review’s framing is kept: the HIGH item is a deployment configuration gap, not a code defect — so its fix is split honestly into what git can carry (CODEOWNERS, pins) and what only the repository admin can flip (the checklist).
Pros: everything reviewable is in-tree; the unreviewable remainder is named, owned, and dated; zero behaviour change to the swarm’s auto-merge flow. Cons: checklist discipline required; pins go stale without refresh.
pull_request_target so PRs run the base ref’s workflow (Rejected)Closes the neuter vector but hands the PR head’s code a token with write scope — a worse hole than the one closed (the pr-labels workflow uses it safely only because it never executes PR-head code).
Kills the project’s premise (autonomous merge on gate-green). Ownership is scoped to the trusted computing base precisely so the swarm’s surfaces stay autonomous.
| Relationship | ADR ID | Title | Notes | |————–|——–|——-|——-| | Relates To | ADR-018 | Goal-Statement Immutability | The other #190 fix; this ADR protects the layer that runs it | | Amends | ADR-006 | Gate A Soundness Enforcement | The gate’s runtime joins the trusted computing base explicitly |
| Reference ID | Title | Type | Location | |————–|——-|——|———-| | REF-1 | SPEC-019-A — Supply-chain hardening | Specification | specs/SPEC-019-A-CI-Supply-Chain-Protection.md | | REF-2 | External review | Issue | https://github.com/agenticsnz/unsorry/issues/190 | | REF-3 | Settings checklist | Documentation | ../security-checklist.md |
| Status | Approver | Date | |——–|———-|——| | Proposed | unsorry maintainers | 2026-06-12 | | Accepted | unsorry maintainers | 2026-06-12 |