Audit Log

This file tracks spec-to-implementation audits.

2025-12-22 — ASL/1-CORE (`tier1/asl-1-core.md`)

Scope: ASL/1-CORE conformance for value semantics, encoding profiles, and reference derivation.
Findings: immutability enforcement gaps; EncodingProfileId layering leak; no central ASL ref-derivation API; amduat_octets_eq missing invalid-input guard.
Resolution: implemented fixes and added amduat_asl_ref_derive conformance test.
Tests: ctest --test-dir build (11 tests).

Scope: ASL/1-STORE conformance for store semantics, error mapping, and StoreConfig handling in ASL store implementations.
Findings: put could delete existing artifacts on fsync failure; non-integrity failures surfaced as integrity errors; malformed references treated as unsupported; StoreConfig not enforced at the wrapper boundary.
Resolution: gated unlink on new writes; introduced AMDUAT_ASL_STORE_ERR_IO and mapped I/O paths; treat malformed refs as ERR_INTEGRITY; added optional validate_config hook with minimal wrapper checks; added amduat_asl_store_ops_init helper to avoid uninitialized ops.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 11”).

Scope: canonical encoding/decoding for ArtifactBytes and ReferenceBytes in store-related paths.
Findings: Reference codec rejected unknown hash_id values; FS store requires digests >= 2 bytes (layout constraint).
Resolution: accept unknown hash_id values with framing, enforce digest length only when known; reject reserved hash_id = 0; documented FS store digest-length constraint in README.md.
Tests: not run.

Scope: registry behavior, reserved IDs, immutability, and streaming support.
Findings: reserved IDs treated as usable; 0x0000 reachable via registry enumeration; SHA-256 override allowed; no streaming API.
Resolution: reserved-ID guard + registry rows for 0x8002–0x80FF; removed 0x0000 from runtime list; block SHA-256 override; added streaming API and updated tgk mem-store test to use a non-reserved unsupported hash ID.
Tests: ctest --test-dir /home/niklas/build/amduat (pass, 11 tests).

Scope: core execution semantics, totality, and out-of-model failure handling.
Findings: OOM paths emitted core results; amduat_pel_exec_program_bytes returned false on invalid program bytes; decode OOM indistinguishable from invalid; kernel op OOM mapped to runtime failure.
Resolution: treat OOM as out-of-model throughout; add decode status API; make amduat_pel_exec_program_bytes return deterministic INVALID_* results; propagate kernel op OOM status to abort execution.
Tests: not run.

Scope: store-backed surface execution wiring, store error mapping, result artifact semantics, and params handling for DAG scheme.
Findings: params_ref resolved but not passed to scheme; store ERR_IO mapped to StoreFailure instead of environment failure; trace+result persistence and result TypeTag wiring needed alignment.
Resolution: pass global params into scheme execution; treat ERR_IO as environment failure (no surface result); ensure surface result TypeTag and diagnostics wiring; add conformance tests for params and store I/O behavior.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 11”).

Scope: Exec_DAG semantics, structural validity, canonical order, diagnostics, and scheme entrypoint correctness.
Findings: Exec_DAG accepted raw bytes without enforcing program TypeTag; diagnostics were empty for invalid program/input/runtime cases; OOM returned false with no ExecutionResultValue; CLI exec lacked diagnostics and could not accept tagged program artifacts.
Resolution: added artifact entrypoint with TypeTag enforcement; demoted raw bytes helper; deterministic diagnostics across validation and runtime; treat OOM as deterministic RUNTIME_FAILED; expose diagnostics in formatters and CLI; allow amduat-pel exec to accept artifact input via --program-format (defaulting to artifact when --input-format artifact is set); refined structural diagnostics for node output index errors.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 11”).

Scope: scheme descriptor Artifact layout, SchemeRef derivation, and DAG scheme binding behavior.
Findings: missing descriptor encode/decode implementation; no recognition path for TYPE_TAG_PEL_SCHEME_DESC_1; program interpretation ignored descriptor program_type_tag/program_enc_profile; scheme dispatch did not reject non-SchemeRef_DAG_1.
Resolution: added descriptor codec + round-trip tests; added canonical descriptor recognition helpers; wired validation in CLI; introduced binding accessor for program type/profile and used it across execution/CLI/seed; added scheme-aware exec path and CLI flag.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 12”).

Scope: ProgramBytes encoding/decoding, canonical order, and framing limits.
Findings: size overflow risk when allocating canonical node order and when computing roots byte size, leading to non-canonical encodes.
Resolution: added explicit overflow guards; added regression test for large count rejection.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 13”).

Scope: surface result encoding, inline ExecutionResultValue, and encoding invariants.
Findings: encoder did not enforce ExecutionStatus/summary invariants or store_failure ↔ status coupling; decoder accepted out-of-range status/kind.
Resolution: enforced invariants in encoder; added strict status/kind checks in decoder; added invariant regression tests.
Tests: command not provided — pass (user reported “100% tests passed, 0 tests failed out of 14”).