Phase 1: Ground-truth revocation oracle #67

Merged
erikinkinen merged 3 commits from 1-ground-truth-revocation-oracle into main 2026-03-05 10:30:01 +01:00
Owner

Closes #27


Summary

This PR introduces a Phase 1 ground-truth post-revocation oracle that evaluates revocation correctness independently of revocation strategy implementation.

It defines a canonical core API for computing:

  • targeted edge set,
  • removed edge set,
  • post-step residue (Residual_t),
  • over-removal (Over_t),

and classifies completeness/soundness deterministically under direct-edge semantics.

It also adds canonical test graphs with known outcomes to lock expected behavior for correct, incomplete, over-removing, and mixed-failure cases.


Scope

Included

  • New core revocation oracle interface and report type
  • Deterministic oracle implementation with strict selector validation
  • Residue/over-removal detection logic from pre/post snapshots
  • Canonical revocation graph tests with explicit expected outcomes
  • Phase 1 documentation updates describing oracle semantics

Explicitly excluded

  • Revocation strategy policy changes
  • Transitive/provenance reachability semantics
  • Runtime enforcement/remediation behavior
  • Metrics/export schema changes

Design intent

The intent is to establish a strategy-independent correctness reference for revocation in Phase 1.

The oracle computes correctness directly from authoritative pre/post snapshots and selector inputs, so it can validate any revocation strategy implementation against the same ground truth.

This preserves determinism and keeps correctness checks aligned with Phase 1’s direct-edge model.


Phase discipline

This is a Phase 1 change.

It does not weaken Phase 0 invariants and does not alter event-log/replay foundations.
It adds semantic validation logic on top of the existing deterministic graph substrate.


Verification

  • cmake --build _build --target aes_revocation_oracle_tests
  • ctest --test-dir _build --output-on-failure -R aes_revocation_oracle_tests
  • ctest --test-dir _build --output-on-failure -R "aes_apply_event_tests|aes_engine_tests|aes_reachability_tests|aes_residual_authority_tests"

Notes

Review focus:

  • Set-operation correctness (removed, residual, over_removed)
  • Error semantics for invalid/missing selector edges
  • Deterministic ordering guarantees in oracle outputs
  • Canonical graph expected outcomes matching Phase 1 definitions
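The set semantics the description lists (removed, `Residual_t`, `Over_t`, strict selector validation, deterministic ordering), as an added example that is not code from this PR; it assumes the project is C++ and the type and function names are hypothetical, as are the constructed graphs.

```cpp
#include <algorithm>
#include <iterator>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical names: the PR's actual interface and report type are not shown on the page.
using Edge = std::pair<std::string, std::string>;  // direct edge (from, to); no transitive closure
using EdgeSet = std::set<Edge>;                     // ordered set => deterministic report ordering

struct OracleReport {
    EdgeSet targeted;      // selector edges the strategy was asked to revoke
    EdgeSet removed;       // pre \ post
    EdgeSet residual;      // targeted ∩ post   (Residual_t): incomplete revocation
    EdgeSet over_removed;  // removed \ targeted (Over_t): unsound revocation
    bool complete = false; // residual is empty
    bool sound = false;    // over_removed is empty
};

// Ground truth comes only from the pre/post snapshots and the selector, never from the strategy.
// Strict validation: a selector edge absent from `pre` is an error, not "already removed".
OracleReport evaluate_revocation(const EdgeSet& pre, const EdgeSet& post, const EdgeSet& targeted) {
    for (const Edge& e : targeted) {
        if (pre.count(e) == 0) {
            throw std::invalid_argument("selector edge not in pre snapshot: " + e.first + "->" + e.second);
        }
    }
    OracleReport r;
    r.targeted = targeted;
    std::set_difference(pre.begin(), pre.end(), post.begin(), post.end(),
                        std::inserter(r.removed, r.removed.end()));
    std::set_intersection(targeted.begin(), targeted.end(), post.begin(), post.end(),
                          std::inserter(r.residual, r.residual.end()));
    std::set_difference(r.removed.begin(), r.removed.end(), targeted.begin(), targeted.end(),
                        std::inserter(r.over_removed, r.over_removed.end()));
    r.complete = r.residual.empty();
    r.sound = r.over_removed.empty();
    return r;
}

// Constructed canonical pre-snapshot and selector (not the PR's own test graphs).
EdgeSet canonical_pre() { return {{"A", "B"}, {"A", "C"}, {"B", "C"}, {"C", "D"}}; }
EdgeSet canonical_selector() { return {{"A", "B"}, {"A", "C"}}; }

// Returns true when the oracle rejects a selector edge that never existed in `pre`.
bool rejects_missing_selector() {
    EdgeSet bogus{{"X", "Y"}};
    try { evaluate_revocation(canonical_pre(), canonical_pre(), bogus); }
    catch (const std::invalid_argument&) { return true; }
    return false;
}
```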
erikinkinen added this to the Phase 1 milestone 2026-03-05 10:05:29 +01:00
Phase 1: Add canonical test graphs with known outcomes (#27)
All checks were successful
ci / smoke (push) Successful in 16s
clang-format / check-format (push) Successful in 9s
markdownlint / markdown-lint (push) Successful in 10s
ci / smoke (pull_request) Successful in 16s
clang-format / check-format (pull_request) Successful in 9s
markdownlint / markdown-lint (pull_request) Successful in 9s
e161e23f1b
Reference
erikinkinen/AES!67