From bc70c46731734e66d7c561e3da0e1bc9b54e6330 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 14 May 2026 14:28:38 +0100
Subject: [PATCH] fix(validate-a2ml): recognise contractile-shape A2ML files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The script's identity / version check assumed every `.a2ml` file uses TOML `key = value` form. Contractile-shape files (Trustfile.a2ml, Intentfile.a2ml, Mustfile.a2ml, Adjustfile.a2ml, …) use `@directive:` syntax instead — their identity lives in `@trust-level`, `@intent`, `@abstract` etc., not in `name = "..."` / `version = "..."`. As a result every contractile file in a consumer repo failed validation ("Missing required identity field"), blocking Dependabot PRs across the fleet. Detect contractile shape by the presence of any of: @abstract, @trust-level, @trust-boundary, @trust-actions, @trust-deny, @intent, @must, @adjust, @end in the file body, then skip the manifest-style identity / version checks (parallel to the existing `*AI-MANIFEST*` special-case for markdown-style manifests). Attestation-block and section-heading checks (Checks 3 and 4) remain applied — they're shape-agnostic. Closes the validate-A2ML-manifest failures observed on every Dependabot PR across chimichanga, gitbot-fleet, idaptik, ambientops, and more (reported by hyperpolymath/hypatia#23 audit as `Validate A2ML manifests` class — 10 PRs blocked at audit time).
Co-Authored-By: Claude Opus 4.7
---
 validate-a2ml.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/validate-a2ml.sh b/validate-a2ml.sh
index 45ed0ab..c60b261 100755
--- a/validate-a2ml.sh
+++ b/validate-a2ml.sh
@@ -146,12 +146,25 @@ validate_a2ml() {
 is_manifest=true
 fi
- if [[ "$has_identity" == "false" && "$is_manifest" == "false" ]]; then
+ # Contractile-shape A2ML files use `@directive:` syntax instead of
+ # TOML `key = value`. Trustfile.a2ml, Intentfile.a2ml, Mustfile.a2ml,
+ # Adjustfile.a2ml etc. are policy / trust / intent / abstract files
+ # whose identity is implicit in their @-prefixed directives
+ # (`@trust-level`, `@intent`, ...) rather than a TOML name/version
+ # pair. Treating them as manifest-shape produces 100% false positives —
+ # they're a different A2ML doc type. Detected by the presence of any
+ # contractile directive in the file body.
+ local is_contractile_shape=false
+ if grep -qE '^@(abstract|trust-level|trust-boundary|trust-actions|trust-deny|intent|must|adjust|end)([[:space:]]*:|$)' "$file"; then
+ is_contractile_shape=true
+ fi
+
+ if [[ "$has_identity" == "false" && "$is_manifest" == "false" && "$is_contractile_shape" == "false" ]]; then
 report_issue "error" "$file" 1 \
 "Missing required identity field (agent-id, name, or project)"
 fi
- if [[ "$has_version" == "false" && "$is_manifest" == "false" ]]; then
+ if [[ "$has_version" == "false" && "$is_manifest" == "false" && "$is_contractile_shape" == "false" ]]; then
 report_issue "warning" "$file" 1 \
 "Missing version or schema_version field"
 fi
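Review bot: The new `is_contractile_shape` test fails open. One line starting with any listed directive, anywhere in the file, switches off both the identity error and the version warning, so a TOML-style manifest that merely contains a bare `@end` or `@must` line (inside a multi-line string, say) now passes a gate that CI relies on. `@end` looks like a block terminator rather than a shape marker, and the `|$` alternative accepts directives with no colon at all. Consider tightening the match to `grep -qE '^@(abstract|trust-level|trust-boundary|trust-actions|trust-deny|intent|must|adjust)[[:space:]]*:' -- "$file"`, or additionally requiring one of the known contractile filenames. The `--` also stops a path beginning with `-` from being parsed as a grep option. `validate_a2ml` starts and ends outside this hunk, so how `has_identity` and `has_version` are computed, and whether a mixed-shape file is possible in practice, cannot be confirmed from here.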