docs(vcr): bootstrap tool-qualification top-of-V (#242)#284
Merged
Conversation
…egen program (#242) bootstrap-verification seed for the VCR program (verified selector + SSA allocator). The codegen STPA front-end already existed (L-CODE / H-CODE / SC-CODE); what was missing was the top-of-V tool-qualification ROOT and the upward wiring from the VCR cure to the hazards it eliminates. Adds artifacts/vcr-tool-qualification.yaml: - VCR-TQ-001 (system-req, req-type: safety) — tool classification across all four target standards: DO-178C §12.2/DO-330 (Criteria-1 code generator), ISO 26262-8 §11 (TI2/TD3 -> TCL3), IEC 61508-3 §7.4.4 (class T3), EN 50128 §6.5.4/Table A.6 (class T3). Uniform conclusion: synth-as-shipped needs product evidence, not trust. Derives from BR-001 "Safety-critical qualification"; mitigates H-CODE-1 / H-CODE-3. - VCR-TQ-002 (sw-req) — the three evidence pillars that discharge it: (1) formal lowering proof (VCR-SEL-001 + ISA-001 + WASM-001) = DO-330 verified-tool / IEC 61508 Route 2s; (2) coverage-guided differential oracle (VCR-ORACLE-001) = ISO 26262 TD measure / validation-by-testing; (3) frozen- fixture result-identity gate = configuration-controlled behavioral baseline. Wires VCR-RA-001 (SSA allocator + spilling) -> constraint-satisfies SC-CODE-1 (exclude reserved regs) + SC-CODE-2 (spill, don't wrap) — the two STPA code-generation constraints the single-pass allocator violates by construction. Oracle: rivet validate — 0 broken cross-refs, 0 net-new errors (36 -> 36, all pre-existing); the +3 warnings are expected coverage notes on `proposed` backlog items. All new trace links resolve. Tool friction (separate follow-up): the four safety standards are not separately loadable schemas in this rivet install (loaded: common/stpa/aspice/ ai-provenance), so the multi-standard targeting is captured as content rather than four rivet.yaml presets. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
Author
|
Tool-friction follow-up filed: pulseengine/rivet#510 — schema presets for DO-178C / ISO 26262 / IEC 61508 / EN 50128 are not declarable in |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
…ips arc) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
bootstrap-verification for the VCR verified-codegen program. The codegen STPA front-end already existed (
L-CODE-*→H-CODE-*→SC-CODE-*); the missing piece was the top-of-V tool-qualification root and the upward wiring from the VCR cure to the hazards it eliminates by construction.New:
artifacts/vcr-tool-qualification.yamlVCR-TQ-001 (
system-req,req-type: safety) — synth's tool classification across all four target standards, with the uniform conclusion that a code generator whose output isn't independently verified needs product evidence, not trust:Derives from BR-001 "Safety-critical qualification";
mitigatesH-CODE-1 / H-CODE-3.VCR-TQ-002 (
sw-req) — the three evidence pillars that discharge it: (1) formal lowering proof (VCR-SEL-001 + ISA-001 + WASM-001) = DO-330 verified-tool / IEC 61508 Route 2s; (2) coverage-guided differential oracle (VCR-ORACLE-001) = ISO 26262 TD measure; (3) frozen-fixture result-identity gate = configuration-controlled baseline.Wired: VCR-RA-001 → the constraints it satisfies
The SSA allocator + spilling now
constraint-satisfiesSC-CODE-1 (exclude reserved regs) and SC-CODE-2 (spill, don't wrap) — the two STPA constraints the single-pass allocator violates by construction (H-CODE-1). The structural cure now traces to the hazard it removes.Oracle
rivet validate: 0 broken cross-refs, 0 net-new errors (36 → 36, all pre-existing). All new trace links resolve. The +3 warnings are the expected coverage notes onproposedbacklog items (same as the existing VCR roadmap).Tool friction (separate follow-up)
The four safety standards are not separately loadable schemas in this rivet install (loaded: common/stpa/aspice/ai-provenance), so multi-standard targeting is captured as content rather than four
rivet.yamlpresets. Worth a rivet feature request — happy to file via report-tool-friction.Falsification
This bootstrap is wrong if an assessor for any of the four standards rejects the qualification argument as process-only with no cited product evidence — that means VCR-TQ-002's pillars are insufficient and must be strengthened (stated as VCR-TQ-001's kill-criterion).
🤖 Generated with Claude Code