Skip to content

Reconcile evidence allowlist loaders (GP2/GP4) with the GP1 identityPattern/source schema #1505

Description

@njhensley

Summary

The evidence-corroboration allowlist has three divergent schema definitions. The committed allowlist file and the GP1 schema package use identityPattern/source, but the GP2 producer loader and the GP4 consumer loader each hand-roll an outdated issuer+identity schema. As a result neither loader can parse the real recipes/evidence/allowlist.yaml, and docs/contributor/evidence-ingest.md documents the stale shape.

Current state

Surface Schema Status
recipes/evidence/allowlist.yaml (source of truth) issuer + identityPattern (first-party), issuer + source slug (community) authoritative
pkg/evidence/allowlist (GP1 schema pkg) Entry{Label, Issuer, Source, IdentityPattern} — exactly one of Source/IdentityPattern matches the file
pkg/evidence/project/classify.go (GP2 producer loader) hand-rolled AllowlistEntry{Issuer, Identity} stale
pkg/corroborate/classify.go (GP4 consumer loader) hand-rolled AllowlistEntry{Issuer, Identity} stale
docs/contributor/evidence-ingest.md (classification section) documents issuer+identity stale (matches the loaders, not the file)

Impact

  • Running either loader against the real allowlist fails closed: the unknown identityPattern/source fields are ignored, leaving Identity empty, and validation rejects it with allowlist <class> entry has empty identity. Confirmed by running corroborate -allowlist recipes/evidence/allowlist.yaml.
  • Community entries keyed by source slug can never classify through the stale loaders (no source field), so a legitimately-allowlisted community signer would be mislabeled community/allowlisted=false.
  • The GP5 Pages publish workflow (GP5 — GitHub Pages publish CI (merge-to-main cadence) #1405) had to drop -allowlist and rely on the class baked into meta.json at ingest as a workaround.
  • docs/contributor/evidence-ingest.md (the "Classification" schema block) is inaccurate relative to the actual file.

Proposed fix

Retire the two hand-rolled loaders and have both GP2 (pkg/evidence/project) and GP4 (pkg/corroborate) consume the shared pkg/evidence/allowlist package (or its schema), so file + code + docs converge on one definition.

Then:

  • Update pkg/corroborate/testdata/allowlist.yaml (currently written in the old identity schema) and the classify_test.go expectations in both packages.
  • Update docs/contributor/evidence-ingest.md to the identityPattern/source schema.
  • Re-enable -allowlist recipes/evidence/allowlist.yaml in .github/workflows/evidence-dashboard-publish.yaml and drop the deferral note in docs/contributor/evidence-dashboard-publish.md.

Acceptance

  • corroborate -allowlist recipes/evidence/allowlist.yaml succeeds and classifies first-party (identityPattern) and community (source) signers correctly.
  • One allowlist schema definition is used across GP1/GP2/GP4 (no duplicate hand-rolled structs).
  • evidence-ingest.md and evidence-dashboard-publish.md describe the same, correct schema.
  • Anti-sybil invariants (disjoint classes, no over-broad patterns, source-slug uniqueness) remain enforced by the shared package.

Affected files

  • pkg/evidence/project/classify.go, pkg/corroborate/classify.go
  • pkg/evidence/allowlist/ (target shared schema)
  • pkg/corroborate/testdata/allowlist.yaml, *_test.go in both packages
  • docs/contributor/evidence-ingest.md, docs/contributor/evidence-dashboard-publish.md
  • .github/workflows/evidence-dashboard-publish.yaml

Related

Epic #1400 · GP1 (allowlist schema) · GP2 #1402 · GP4 #1404 · GP5 #1405 (workaround in PR #1504) · surfaced while reviewing PR #1504.

Metadata

Metadata

Assignees

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions