Repo Findings Checklist¶

Every claim in the Tutorial Pack is grounded in concrete repo evidence. This checklist maps each product claim to the exact file + symbol that implements or tests it.

Key: ✅ Fully implemented | 🔶 Partial / scaffold | ❌ Not implemented (roadmap)

1. Policy Enforcement (Tutorial 01)¶

Claim	Status	File	Symbol
Tool calls evaluated against OPA/Rego policy	✅	`runtime/server.go`	`handleTool`, `emitDecision`
Real OPA engine: `data.autonomy.allow` query	✅	`policy/evaluator.go`	`NewEvaluator()` (PreparedEvalQuery)
Rego compiled once at load, evaluated per call	✅	`policy/evaluator.go`	`rego.New(...).PrepareForEval()`
Fail-closed: compilation error → deny all	✅	`policy/evaluator.go`	`NewEvaluator()` returns error on bad Rego
Fail-closed: undefined allow rule → deny all	✅	`policy/evaluator_test.go`	`TestEval_NoAllowRule_FailClosed`
input.kind + input.params wired to Rego	✅	`policy/evaluator.go`	`Eval()` input map
input.params visible in Rego (test)	✅	`policy/evaluator_test.go`	`TestEval_ParamsVisibleToRego`
Multi-module disjunction (OR) (test)	✅	`policy/evaluator_test.go`	`TestEval_MultiModuleDisjunction`
`tool.echo` → allow	✅	`runtime/tools.go`	`echoTool`
`tool.shell` → deny (always)	✅	`runtime/tools.go`	`executeTool` (shell case)
`tool.http_get` → endpoint-key allowlist (`params.endpoint`)	✅	`runtime/tools.go`	`httpGetTool`, `resolveAllowedEndpoint`, `ErrDomainNotAllowed`
Deny cannot be overridden by adapter	✅	`runtime/server_test.go`	`TestInterceptorDenyCannotBeOverridden`
Fail-closed: no policy → deny all	✅	`cmd/autonomy/commands/runtime.go`	`denyAllEvaluator{}`
Strict mode: deny all regardless of policy	✅	`cmd/autonomy/commands/runtime.go`	`AUTONOMY_STRICT_MODE`
`/health` reports mode (normal/strict)	✅	`runtime/server.go`	`handleHealth`

2. Supply Chain Verification (Tutorial 01)¶

Claim	Status	File	Symbol
Step 1: cosign signature validation	✅	`oci/sign/verify.go`	`Verify()`, `ErrNotSigned`
Step 2: agent binary digest match	✅	`oci/sign/verify.go`	`ErrDigestMismatch`
Step 3: BLAKE3 behavioral fingerprint match	✅	`lock/fingerprint.go`	`ComputeFingerprint()`, `VerifyFingerprint()`
Step 4: semver compatibility check	✅	`oci/sign/verify.go`	`ErrSemverIncompat`
Tampered digest rejected (integration test)	✅	`oci/sign/verify_tamper_test.go`	`TestVerify_TamperedAgentDigest`
Tampered fingerprint rejected	✅	`oci/sign/verify_tamper_test.go`	`TestVerify_TamperedFingerprint`
Unsigned sidecar rejected	✅	`oci/sign/verify_tamper_test.go`	`TestVerify_UnsignedLockSidecar`
Policy bundle versioning	✅	`policy/builder.go`	`BundleManifest.Validate()`
Lock JSON BLAKE3 fingerprint stability	✅	`lock/fingerprint_test.go`	`TestFingerprintGolden` (CI gate)
Canonical bytes key-order independent	✅	`lock/fingerprint_test.go`	`TestCanonicalBytesKeyOrderIndependent`

3. OCI Artifact Attachment (Tutorial 01)¶

Claim	Status	File	Symbol
Lock sidecar attached as OCI referrer	✅	`oci/attach.go`	`AttachLock()`
Policy bundle attached as OCI referrer	✅	`oci/attach.go`	`AttachPolicyBundle()`
Pull lock from registry (by tag or referrer)	✅	`oci/oras.go`	`pullFileByTag`, `pullFileByReferrers`
Registry capability probe (referrers API)	✅	`oci/probe.go`	`SupportsReferrers()`
Plain HTTP for localhost (no TLS required)	✅	`oci/oras.go`	`repo.PlainHTTP = isLocalHost(...)`

4. Release Polling (Tutorial 02)¶

Claim	Status	File	Symbol
Poll loop queries `GET /v1/releases/latest`	✅	`runtime/poller.go`	`Poller.poll()`
Emits `polled` lifecycle event each interval	✅	`runtime/poller.go`	`emitLifecycle("polled",...)`
Emits `candidate_detected` on fingerprint diff	✅	`runtime/poller.go`	`emitLifecycle("candidate_detected",...)`
Emits `verify_started`, `verify_passed/failed`	✅	`runtime/poller.go`	phases 5–6
Emits `activated` / `activate_failed` after verify_passed	✅	`runtime/poller.go`	`PolicyActivator` + phases 7–8
Hot-swap interceptor without restart	✅	`runtime/server.go`	`ReloadPolicy()`, `activeState()`
Active lock fingerprint persisted across restarts	✅	`cmd/autonomy/commands/runtime.go`	`active-lock.json`, `readActiveLockFP()`
404 → no error, just `polled` event	✅	`runtime/poller_test.go`	`TestPoller_NoReleases`
Control-plane `GET /v1/releases/latest`	✅	`orchestrator/server.go`	`handleLatestRelease`
Control-plane `POST /v1/releases`	✅	`orchestrator/server.go`	`handlePublishRelease`
Control-plane `GET /v1/events` query	✅	`orchestrator/server.go`	`handleQueryEvents`

5. Edge Relay (Tutorial 02)¶

Claim	Status	File	Symbol
Segment ingest over mTLS (offer → data → ACK)	✅	`edge/cmd/edged/main.go`	`handleRelayConn`
DB-driven pull model (no buffered channel)	✅	`edge/relay/executor.go`	`drainPending()`, GAP-5
CAS claim (workers race, no double-relay)	✅	`edge/relay/boltledger.go`	`TryTransitionInflight()`
Bounded retries → Deadletter (INV-12)	✅	`edge/relay/executor.go`	`failRelay()`, `TransitionFailed`
`one_peer` / `all_peers` success condition	✅	`edge/relay/executor.go`	`checkSuccessCondition()`
ACK after atomic store commit (GAP-7)	✅	`edge/cmd/edged/main.go`	`conn.SendAck()` after `store.Write()`
Crash recovery: abandon inflight on startup	✅	`edge/relay/recovery.go`	`ReconcileOnStartup()`
Relay operator status surface exposes queue depth + bandwidth counters	✅	`edge/cmd/edgectl/deadletter.go`	`relayStatusCmd()`
Relay bandwidth can be hot-updated at runtime with audit emission	✅	`edge/cmd/edgectl/deadletter.go`	`relayConfigSetBandwidthCmd()`, `emitCLIRecord()`
Deadletter operator workflow is implemented: list / inspect / retry / purge	✅	`edge/cmd/edgectl/deadletter.go`	`deadletterListCmd()`, `deadletterInspectCmd()`, `deadletterRetryCmd()`, `deadletterPurgeCmd()`
Multi-peer e2e test	✅	`edge/relay/e2e_test.go`	`TestRelayE2E_MultiPeer`
edged wired to Docker Compose demo	✅	`demo/docker-compose.yml`	`edged-node-a`, `edged-node-b` services (`--profile edge`)

6. WAL Durability (Tutorial 03)¶

Claim	Status	File	Symbol
Length-prefixed binary frame format (4B + JSON)	✅	`telemetry/wal.go`	`Frame` struct, `Append()`
fsync before returning from Append	✅	`telemetry/wal.go`	`Append()`
`telemetry.safe_seq` 8-byte LE uint64	✅	`telemetry/wal.go`	`safeSeqFileName`
Recovery truncates to safe-point boundary	✅	`telemetry/wal.go`	`OpenWAL()`
Fail-hard on missing safe_seq (non-first-run)	✅	`telemetry/wal.go`	`causeSafeSeqNotFound`
Fail-hard on sequence gap	✅	`telemetry/wal.go`	`causeSeqGap`
Fail-hard on invalid JSON frame	✅	`telemetry/wal.go`	`causeWALCorruptInvalidJSON`
Drain does NOT delete events on failure	✅	`cmd/autonomy/commands/telemetry.go`	`telemetryDrainCmd()` (`LoadPos` / `SavePos`)
Events drained in priority order	✅	`telemetry/priority_drain.go`	`PriorityDrainer.Drain()`
WAL survives collector outage (test)	✅	`telemetry/buffer_test.go`	`TestWALSurvivesCollectorDown`
Legacy upgrade env var (escape hatch)	✅	`telemetry/wal.go`	`legacyUpgradeEnvVar`
Operator reset env var (disaster recovery)	✅	`telemetry/wal.go`	`operatorResetEnvVar`

7. OTel Pipeline (Tutorial 03)¶

Claim	Status	File	Symbol
WAL → OTLP/HTTP → OTel Collector	✅	`telemetry/otlp_sender.go`	`HTTPSender`, `toOTLPLogs()`
OTel Collector → Jaeger + bridge	✅	`demo/otel/collector.yaml`	Pipeline config
Bridge → control-plane `/v1/events`	✅	`telemetry/bridge.go`	`RunBridge()`
`kindToEventType()` maps full event kinds	✅	`telemetry/bridge.go`	`kindToEventType()` (bug fixed)
`ai.policy.decision` event type routing	✅	`telemetry/bridge.go`	`"autonomy.decision"` case
`ai.deployment.lifecycle` event type routing	✅	`telemetry/bridge.go`	`"autonomy.lifecycle"` case

8. OS Fingerprint + Reconstruction (Tutorial 04)¶

Claim	Status	File	Symbol
BLAKE3 fingerprint over os-release + uname	✅	`edge/bootstrap/osfingerprint.go`	`CaptureOSFingerprint()`
Kernel-only change triggers reconstruction	✅	`edge/bootstrap/bootstrap_test.go`	`TestFingerprintChange_KernelOnly_TriggersReconstruction`
Fingerprint saved atomically (tmp → rename)	✅	`edge/bootstrap/bootstrap.go`	`SaveFingerprint()`
BootEpoch increments per reconstruction	✅	`edge/cmd/edged/main.go`	`runPrecheck()`
Ed25519 manifest signature verification	✅	`edge/bootstrap/install.go`	`VerifyManifestSignature()`
TOCTOU closed: execute same bytes verified	✅	`edge/bootstrap/bootstrap.go`	`RunReconstruction()` doc comment
GAP-9: typed ops only (no shell exec)	✅	`edge/bootstrap/install.go`	`ValidateInstallOperation()`, `shellMetachars`
Shell metachar rejection in paths	✅	`edge/bootstrap/install.go`	`shellMetachars` const
copy_binary BLAKE3 hash check	✅	`edge/bootstrap/install.go`	`executeCopyBinary()`
Exit 0: clean / first-run / reconstructed	✅	`edge/cmd/edged/main.go`	`runPrecheck()`
Exit 1: config invalid	✅	`edge/cmd/edged/main.go`	`runPrecheck()`
Exit 2: StateRoot invalid	✅	`edge/cmd/edged/main.go`	`runPrecheck()`
Exit 3: mTLS cert expires within 7 days	✅	`edge/cmd/edged/main.go`	`checkCerts()`, `certExpiryWarnDays`
Exit 5: reconstruction failed (fail closed)	✅	`edge/cmd/edged/main.go`	`runPrecheck()`
Epoch evidence written after reconstruction	✅	`edge/epoch/epoch.go`	`RotateEpoch()`
Epoch crash-safe (tmp → rename)	✅	`edge/epoch/epoch.go`	`RotateEpoch()` sequence
Epoch rotate failure is non-fatal	✅	`edge/cmd/edged/precheck_test.go`	`TestPrecheck_EpochRotateFailure_NonFatal`
StateRoot ephemeral FS rejection	✅	`edge/stateroot/stateroot.go`	`CheckMount()`, `EphemeralFSTypes`
overlayfs allowed (container compat)	✅	`edge/stateroot/stateroot.go`	Comment: NIT-C
OS update simulation unit test	✅	`edge/bootstrap/osupdate_test.go`	`TestOSUpdateSimulation` (7 assertions)

9. Portability (Tutorial 05)¶

Claim	Status	File	Symbol
amd64 / arm64 / riscv64 in test matrix	✅	`Makefile`	`PORTABILITY_ARCHES`
ext4 + xfs in test matrix	✅	`Makefile`	`PORTABILITY_FS`
Zero CGO in edge module	✅	`edge/go.mod`	No `#cgo` directives
Randomised crash harness (seeded)	✅	`telemetry/crash_harness_test.go`	`TestCrashHarness_Randomized`
WAL frame format cross-arch verification	✅	`scripts/portability/wal_verify.py`	Python frame parser
Atomic rename check per cell	✅	`scripts/portability/core_matrix.sh`	Step 4
Non-native arches via QEMU Docker	✅	`scripts/portability/lib_portability.sh`	`qemu_available()`
CI gate (strict, exit-1)	✅	`Makefile`	`portability-ci-gate`
Reproducible runs (–seed flag)	✅	`Makefile`	`portability-crash-harness SEED=N`
Mission-layer import ban (INV-10)	✅	`edge/ci/scan_prohibited/main.go`	Import scanner
Container images (multi-arch manifests)	❌	Roadmap	Not in repo
Native riscv64 hardware CI	❌	Roadmap	QEMU only

10. Python Adapter (Tutorial 01)¶

Claim	Status	File	Symbol
`@runtime_guard` decorator — fn body never called on deny	✅	`adapters/python/autonomyops/generic/runtime_guard.py`	Invariant test
`RuntimeTool(BaseTool)` deny propagation	✅	`adapters/python/autonomyops/langchain/runtime_tool.py`	`_run()`
`RuntimeClient` — stdlib only, no requests	✅	`adapters/python/autonomyops/runtime_client.py`	urllib usage
Unique `audit_id` per call (UUID v4)	✅	`adapters/python/autonomyops/runtime_client.py`	`uuid.uuid4()`
Demo agent: echo allow, shell deny, exit 0	✅	`demo/agent_py/agent.py`	main() assertions

11. mTLS Cert Rotation (Tutorial 04)¶

Claim	Status	File	Symbol
`certrotation` package — stdlib only, no shell exec	✅	`edge/certrotation/rotate.go`	`Rotate()`, `NeedsRotation()`, `CheckKeypair()`
ECDSA P-256 leaf cert signed by existing CA	✅	`edge/certrotation/rotate.go`	`Rotate()`
Atomic write: `.new` → fsync → rename → fsync parent	✅	`edge/certrotation/rotate.go`	`writeAndSync()`, `fsyncDir()`
Lifecycle slog markers: rotation_started / rotation_succeeded / rotation_failed	✅	`edge/certrotation/rotate.go`	`Rotate()` defer
CA cert unchanged after leaf rotation	✅	`edge/certrotation/rotate_test.go`	`TestRotate_PreservesCAStability`
No partial .new files on write failure	✅	`edge/certrotation/rotate_test.go`	`TestRotate_AtomicWrite_NoPartialState`
Keypair consistency check in precheck (detects crash-partial state)	✅	`edge/cmd/edged/main.go`	`checkCerts()` + `certrotation.CheckKeypair()`
Auto-rotate in precheck when cert expiring + ca_key_file set	✅	`edge/cmd/edged/main.go`	`checkCerts()` auto-rotation block
Force-rotate flag: `edged precheck --rotate-certs`	✅	`edge/cmd/edged/main.go`	`precheckCmd()` `--rotate-certs` flag
Standalone `edged rotate` subcommand	✅	`edge/cmd/edged/main.go`	`rotateCmd()`
`ca_key_file` optional field in `TransportConfig`	✅	`edge/config/config.go`	`TransportConfig.CAKeyFile`
Demo TOML files wired with `ca_key_file`	✅	`demo/edge/node-a.toml`, `demo/edge/node-b.toml`	`ca_key_file` field
Demo end-to-end: rotate → verify transport → precheck auto-rotate	✅	`demo/scripts/09_cert_rotation.sh`	full demo

12. Fleet Rollouts (Workplan)¶

Claim	Status	File	Symbol
Rollout plan domain model + validation	✅	`rollout/plan.go`	`RolloutPlan`, `Validate()`, `StageByID()`
Plan integrity + fingerprint + signature verification	✅	`rollout/integrity.go`	`ComputePlanFingerprint()`, `SignPlan()`, `VerifyPlanIntegrity()`
Deterministic slot allocation	✅	`rollout/slot.go`	`ComputeSlotRank()`, `ComputeCutoffRank()`
Edge rollout cache and evaluator wiring	✅	`rollout/cache.go`, `rollout/evaluator.go`	`PlanCache`, `EvaluateNodeFromCache()`
Runtime rollout activator callback model	✅	`runtime/activator.go`	`Activator`, `ActivatorCallbacks`
Control-plane rollout persistence + API surface	✅	`orchestrator/rollout/store.go`, `orchestrator/rollout/server.go`	`RolloutStore`, `/v1/rollouts/*` handlers
Batch promotion evaluator (correctness fallback)	✅	`orchestrator/rollout/promoter_batch.go`	`BatchPromoter.RunOnce()`
OPA rollout activation policy gates	✅	`policy/rollout.rego`	`allow_rollout_activation`, `os_reconstruction_precondition_failed`
Event bus for streaming promotion pipeline	✅	`orchestrator/rollout/eventbus.go`	`EventBus`, `Subscribe()`, `Publish()`
Streaming promoter with rolling-window evaluation	✅	`orchestrator/rollout/promoter_streaming.go`, `orchestrator/rollout/window.go`	`StreamingPromoter`, `RollingWindowCache`
Fleet health gate condition evaluation	✅	`orchestrator/rollout/gates.go`	`EvaluateGate()`, `EvaluateGates()`
Statistical promotion conditions + baseline cache	✅	`orchestrator/rollout/stats.go`, `orchestrator/rollout/baseline.go`	statistical tests, `BaselineCache`
Rollout observability + mission telemetry bridge	✅	`orchestrator/rollout/observability.go`, `telemetry/bridge.go`	`RolloutObserver`, `RunBridgeWithConfig()`
Mesh propagation source resolution (cache → peer → registry)	✅	`rollout/mesh.go`, `runtime/source_resolver.go`	`ArtifactSource`, `(*SourceResolver).Resolve()`
Edge relay mesh propagation + deadletter callback isolation	✅	`edge/relay/mesh_propagator.go`, `edge/relay/executor.go`	`MeshPropagator`, `SetDeadletterNotifier()`
OS reconstruction activation path	✅	`runtime/os_reconstruction.go`	`NewOSReconstructionCallback()`
HA leader lease with renewal lifecycle	✅	`orchestrator/rollout/evaluator.go`	`DBLeaderElector.Start()/Stop()/Campaign()`

13. Control Plane HA + Replicated Datastore (Workplan)¶

Claim	Status	File	Symbol
PostgreSQL replicated backend is implemented (not scaffold-only)	✅	`orchestrator/pgstore/store.go`, `orchestrator/pgstore/schema.go`	`Open()`, `ApplySchema()`, `schemaSQL`
Two-layer leader authority (advisory lock + durable epoch)	✅	`orchestrator/pgstore/elector.go`	`PGLeaderElector.Campaign()`
Stale-leader fenced writes fail closed	✅	`orchestrator/pgstore/elector.go`	`EpochFence()`, `ErrEpochMismatch`
Protected/best-effort/audit write classes are explicitly separated	✅	`orchestrator/pgstore/txwrite.go`	`ProtectedTx()`, `BestEffortTx()`, `AuditTx()`
Append-only promotion evidence and decisions	✅	`orchestrator/pgstore/promote.go`, `orchestrator/pgstore/schema.go`	`Promote()`, `evidence_snapshots`, `promotion_decisions`
Startup replay uses durable ingest order, not outbox join	✅	`orchestrator/pgstore/recovery.go`	`RecoverFromEvents()`
Insufficient-history deferrals recorded as class-3 audit writes	✅	`orchestrator/pgstore/recovery.go`	`RecordInsufficientHistoryDecisions()`
Split readiness endpoints expose read/write/audit/quorum states	✅	`orchestrator/pgstore/health_server.go`	`RegisterRoutes()`, `handleReadReady()`, `handleWriteReady()`, `handleAudit()`, `handleQuorum()`
HA health endpoints are wired into control-plane HTTP server	✅	`orchestrator/server.go`	`RegisterPGHealth()`
Split-brain detection and recovery endpoints are implemented	✅	`orchestrator/pgstore/health_server.go`	`handleHASplitBrain()`, `handleHASplitBrainRecover()`
HA backup create / list / restore endpoints are implemented	✅	`orchestrator/pgstore/health_server.go`	`handleBackupCreate()`, `handleBackupList()`, `handleBackupRestore()`
CLI split-brain operator surface is wired with RBAC guard + typed JSON/text output	✅	`cmd/autonomy/commands/ha_split_brain.go`	`haSplitBrainDetectCmd()`, `haSplitBrainRecoverCmd()`
CLI HA backup operator surface is wired for create / list / destructive restore	✅	`cmd/autonomy/commands/ha_backup.go`	`haBackupCreateCmd()`, `haBackupListCmd()`, `haBackupRestoreCmd()`
Migration path from SQLite to PostgreSQL with dry-run/validate modes	✅	`orchestrator/pgstore/migrate.go`, `cmd/autonomy/commands/orchestrator_client.go`	`Migrate()`, `configMigrateCmd()`
Audit diagnostics are read-only and query append-only history	✅	`orchestrator/pgstore/audit_query.go`	`QueryLeaderState()`, `QueryLeaderHistory()`, `QueryPromotionHistory()`, `QueryEvidenceSnapshot()`
PostgreSQL audit emitter upgrades file-only audit to DB-backed multi-emitter	✅	`orchestrator/pgstore/audit_emit.go`, `orchestrator/pgstore/store.go`	`InitPGAuditEmitter()`, `initPGAuditEmitter()`
Legacy provenance surfaced in rollout status (no import cycle)	✅	`orchestrator/rollout/auditprovider.go`, `orchestrator/rollout/server.go`, `orchestrator/pgstore/audittracker.go`	`LegacyProvenanceChecker`, `WithLegacyProvenanceProvider()`, `HasLegacyProvenance()`

14. Proof Report Generators (VAL25-VAL29)¶

Claim	Status	File	Symbol
Fleet proof report aggregates VAL07-VAL11 into text + JSON artifacts	✅	`scripts/labs/run_fleet_rollout_proof_report_val25.sh`	`load_report()`, `chk()`, `json_report`
Fleet proof report degrades missing/malformed slice inputs to `MISSING` instead of aborting	✅	`scripts/labs/run_fleet_rollout_proof_report_val25.sh`	`load_report()`, `validate_report()`, `slice_status()`
Fleet readiness requires coherent evidence timestamps across VAL07-VAL11	✅	`scripts/labs/run_fleet_rollout_proof_report_val25.sh`	`evidence_window_ok`, `evidence_window_detail`
Fleet N=100 target is keyed to the exact VAL08 scenario check, not aggregate error count	✅	`scripts/labs/run_fleet_rollout_proof_report_val25.sh`	`report_check_pass()`, `chk("VAL25-07", ...)`
HA proof report aggregates VAL13-VAL17 into text + JSON artifacts	✅	`scripts/labs/run_ha_proof_report_val26.sh`	`load_report()`, `chk()`, `json_report`
HA proof report validates per-slice schemas before aggregation	✅	`scripts/labs/run_ha_proof_report_val26.sh`	`require()`, `validate_report()`
HA quorum-loss readiness requires detection, timing bound, and write-block proof	✅	`scripts/labs/run_ha_proof_report_val26.sh`	`check_pass()`, `chk("VAL26-09", ...)`
Relay proof report auto-discovers latest standalone VAL19-VAL24 evidence directories	✅	`scripts/labs/run_relay_proof_report_val27.sh`	`find_latest_dir()`
Relay proof report enforces a coherent 7-day validation campaign before readiness	✅	`scripts/labs/run_relay_proof_report_val27.sh`	`evidence_campaign_ok`, `evidence_campaign_detail`
Relay GA readiness is gated on direct VAL24 soak Gate D proof	✅	`scripts/labs/run_relay_proof_report_val27.sh`	`soak_gate_d`, `ga_ready`
Cross-cutting proof report parses text-only VAL01/VAL02 plus JSON VAL03-VAL06	✅	`scripts/labs/run_crosscut_proof_report_val28.sh`	`parse_val01()`, `parse_val02()`, `load_json()`
Cross-cutting RBAC proof requires full 14-check accounting plus allow/deny evidence	✅	`scripts/labs/run_crosscut_proof_report_val28.sh`	`val03_rbac_ok()`
Cross-cutting audit coverage requires exact `25/25` wired event types	✅	`scripts/labs/run_crosscut_proof_report_val28.sh`	`chk("VAL28-08", ...)`
Cross-cutting GA / Public Production are intentionally not evaluated by VAL28 scope	✅	`scripts/labs/run_crosscut_proof_report_val28.sh`	`ga_ready = False`, `public_prod = False`
Public-claim evidence matrix aggregates VAL25-VAL28 proof-report JSON artifacts	✅	`scripts/labs/run_evidence_matrix_val29.sh`	`load_json()`, `row()`, `evaluated`
Design-partner matrix readiness requires a coherent 7-day proof-report campaign	✅	`scripts/labs/run_evidence_matrix_val29.sh`	`report_ts()`, `evidence_campaign_ok`, `dp_ok`
Design-partner matrix readiness requires a machine-readable disclosure artifact with all required beta disclosures	✅	`scripts/labs/run_evidence_matrix_val29.sh`	`required_disclosures`, `disclosures_ok`, `design_partner_disclosures`
Relay soak claim in the matrix is keyed to direct VAL24 Gate D evidence, not broader relay GA	✅	`scripts/labs/run_evidence_matrix_val29.sh`	`row("RL-SOAK-01", ...)`, `rpt27["soak_val24"]["gate_d_overall"]`
Evidence matrix emits machine-readable readiness + campaign + disclosure state	✅	`scripts/labs/run_evidence_matrix_val29.sh`	`json_report["readiness"]`, `json_report["evidence_campaign"]`, `json_report["design_partner_disclosures"]`

15. Standalone Relay Validation Extensions (VAL19-VAL24)¶

Claim	Status	File	Symbol
TCP impairment proxy exposes live mode switching, stats, and counter reset over HTTP	✅	`scripts/labs/relay_impairment_proxy.go`	`proxyMode`, `handleMode()`, `handleStats()`, `handleReset()`
Impairment proxy supports five transport modes: clean, latency, bandwidth, outage, cutoff	✅	`scripts/labs/relay_impairment_proxy.go`	`proxyMode.Type`, `forwardPrimary()`
Relay impairment setup seeds deterministic deadletter fixtures and writes isolated relay config	✅	`scripts/labs/edge_relay_impairment_setup.go`	`seedDeadletterRecord()`, `writeConfig()`
VAL19 harness proves outage retention before clean retry and cutoff retry convergence	✅	`scripts/labs/run_relay_impairment_val19_lab.sh`	`VAL19-02`, `VAL19-10`
Throughput setup seeds `PENDING` ledger entries for direct executor pickup (no failure simulation)	✅	`scripts/labs/edge_relay_throughput_setup.go`	`seedPendingRecord()`
VAL20 benchmark captures five workload tiers plus queue-depth/backpressure evidence	✅	`scripts/labs/run_relay_throughput_val20_lab.sh`	`VAL20-04`, `VAL20-10`
Overflow setup supports configurable ceiling, eviction threshold, and retry budget	✅	`scripts/labs/edge_relay_overflow_setup.go`	`main()` flags `--ceiling-bytes`, `--eviction-threshold`, `--max-retry-count`
VAL21 overflow harness proves eviction-specific `segment not found` failure and exact terminal accounting	✅	`scripts/labs/run_relay_overflow_val21_lab.sh`	`VAL21-05`, `VAL21-07`
VAL22 harness validates exact-ID deadletter list/inspect/retry/re-deadletter/restart/purge workflow	✅	`scripts/labs/run_relay_deadletter_val22_lab.sh`	`deadletter_ids_json()`, `audit_resource_ids_json()`, `VAL22-05`, `VAL22-10`
VAL23 harness isolates rate-only, quota-only, and hot-reload bandwidth behavior with exact delivery/deadletter accounting	✅	`scripts/labs/run_relay_bandwidth_val23_lab.sh`	`bw_field()`, `deadletter_ids_json()`, `VAL23-06`, `VAL23-07`, `VAL23-09`
Relay soak setup binary cleanly separates one-time init from per-round reseeding while edged is stopped	✅	`scripts/labs/edge_relay_soak_val24_setup.go`	`runInit()`, `runSeed()`
VAL24 soak framework installs cron-driven rounds and reports Gate D delivery / retry / loss / rounds criteria	✅	`scripts/labs/run_soak_val24_setup.sh`, `scripts/labs/run_soak_val24_round.sh`, `scripts/labs/run_soak_val24_report.sh`	`CRON_ENTRY`, `gate_d_pass`, `retry_recovery_rate`

16. Validation Traceability + Claims Governance¶

Claim	Status	File	Symbol
Edge FI shell runner emits machine-readable JSONL plus human-readable summary for every shell FI execution	✅	`edge/ci/tests/run_all.sh`	`emit_result()`, `SUMMARY_FILE`, `RESULTS_JSONL`
Root-required FI tests are explicitly represented as `not_run` when skipped	✅	`edge/ci/tests/run_all.sh`	`requires_root()`, `emit_result(..., "not_run", ...)`
FI traceability report merges Go FI and shell FI into a unified FI index	✅	`edge/ci/tests/gen_traceability_report.sh`	`fi_id_from_shell()`, `go_to_fi`, `fi_index`
FI traceability report emits combined pass/fail summary and preserved runner summaries	✅	`edge/ci/tests/gen_traceability_report.sh`	`overall_status`, `go_summary`, `shell_summary`
Public-claim messaging downgrade / upgrade policy is documented in-repo	✅	`docs/tutorials/public-claims-correction-package.md`	`## 2. Claims Correction Table`, `## 4. Red Flag Phrases to Ban`, `## 5. Claims Upgrade Map`
Audit completeness inventory explicitly distinguishes wired event types from deferred ones	✅	`docs/tutorials/audit-completeness-validation.md`	`## 3. Wired Event-Type Inventory`, `Deferred event types (excluded from VAL04)`
FI tutorial traceability from invariant to executed output is documented with real captured output	✅	`docs/tutorials/fi-traceability-invariant-map.md`	`## What you're proving`, `## Expected outputs (from real run)`

17. Operator Diagnostics + Bundle Evidence¶

Claim	Status	File	Symbol
Support-bundle CLI is implemented as a top-level operator surface	✅	`cmd/autonomy/commands/support_bundle.go`	`supportBundleCmd()`, `supportBundleGenerateCmd()`
Support bundle writes gzip+tar archive with manifest-driven collector outcomes	✅	`cmd/autonomy/commands/support_bundle.go`	`generateSupportBundle()`, `BundleManifest`, `CollectorResult`
Support bundle collectors are non-fatal and preserve partial-success evidence in manifest	✅	`cmd/autonomy/commands/support_bundle.go`	`collect()`, `skip()`
Support bundle redacts secrets from config material before archiving	✅	`cmd/autonomy/commands/support_bundle.go`	`collectConfig()`, `redactConfigBytes()`, `redactPostgresURL()`

Known Gaps / Honest Limitations¶

Gap	Details	Where documented
riscv64 native CI	Tested via QEMU; no bare-metal riscv64 in CI	Tutorial 05, Implementation Status table
30-day soak claims are framework-backed but not repo-checked runtime evidence	VAL12 / VAL18 / VAL24 provide generators and Gate D logic, but long-running soak outcomes depend on externally produced evidence directories rather than checked-in repo fixtures	`docs/tutorials/soak-validation.md`, `docs/tutorials/ha-soak-validation.md`, `docs/tutorials/relay-soak-validation.md`
Public-production readiness depends on external evidence not produced by current VAL suite	Third-party audits, compliance evidence, real network partition chaos, and production-hardware calibration are intentionally out of scope for the repo-local proof generators	`docs/tutorials/crosscut-proof-report-validation.md`, `docs/tutorials/evidence-matrix-validation.md`, `docs/tutorials/public-claims-correction-package.md`
Some proof/evidence generators depend on fresh runtime evidence rather than checked-in golden inputs	VAL25–VAL29 report generators are implemented in-repo, but complete outputs still require current upstream evidence directories and, for VAL29, the disclosure artifact	`docs/tutorials/fleet-rollout-proof-report-validation.md`, `docs/tutorials/ha-proof-report-validation.md`, `docs/tutorials/relay-proof-report-validation.md`, `docs/tutorials/crosscut-proof-report-validation.md`, `docs/tutorials/evidence-matrix-validation.md`