diff --git a/CHANGELOG.md b/CHANGELOG.md index bf39090..1c05146 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,9 +5,50 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased] — v0.1.0 (alpha) +## [Unreleased] -The stdlib-only core, built test-first (TDD) per `docs/PLAN.md`. +### Added — OKF adapter (v0.2, stream 1) + +An OKF (Google Open Knowledge Format v0.1) adapter *on top of* the +format-agnostic core (`llm_ingestion_guard.okf`). The core stays `text -> +findings`; the adapter knows OKF structure and routes scannable regions into the +existing machinery. All TDD (failing test first), +61 tests. Verified against the +OKF `SPEC.md` (2026-07-06). See `docs/OKF-INGESTION-BRIEF.md` §8. + +- `parse_frontmatter` — strict, reject-by-default frontmatter loader; refuses + anchors, aliases, explicit tags, merge keys, block scalars and flow collections + by construction, so YAML anchor/alias DoS and `!!python/object` coercion cannot + occur (not a general YAML parser, by design). (T2) +- `scan_concept` — whole-concept scan surface: frontmatter values (incl. + `description`, read first under progressive disclosure), `resource` and body all + go through `scan_output`. (T1) +- `validate_concept_path` — path / reserved-name gate: rejects `..` traversal, + absolute paths and `index.md` / `log.md` shadowing; returns the concept-ID. (T4) +- `validate_resource_url` — `resource` https allowlist: rejects non-https before + commit (reject, not defang — the format imposes no scheme constraint itself). (T3) +- `stamp_concept` / `format_log_entry` — provenance stamping: origin × channel → + trust × disposition per concept, emitted as `log.md` lines. Trust follows the + origin, never the insertion channel. (T6) +- `import_bundle` — received-bundle iterator (mode b): validates each concept + (path, frontmatter, resource, scan, stamp) independently; one bad concept is + rejected fail-secure while the rest are still checked; the aggregate disposition + is the most severe. (T7) +- `link_graph` / `resolve_link` / `extract_link_targets` — in-import cross-link + graph: resolves `.md` links (bundle-absolute or relative) to concept-IDs, flags + dangling links (the §7.2 dormant-injection signal) and rejects dangerous-scheme + or bundle-escaping targets. (T5a) + +### Deferred + +- Cross-run persisted link graph (T5b) — catching a link planted in one run whose + poisoned target is written in a *later* run (§7.2) needs durable graph state + whose storage/ownership depends on the consuming pipeline. Deferred to the + consumer-wiring stream; cross-run dormant links remain a documented residual + risk (README honest-limitations). + +## [0.1.0] — 2026-07-06 (alpha) + +The stdlib-only core, built test-first (TDD) per `docs/PLAN.md`. Tagged `v0.1.0`. ### Added diff --git a/README.md b/README.md index 1a73dbc..a6e7676 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ ![Version](https://img.shields.io/badge/version-0.1.0-blue) ![Status](https://img.shields.io/badge/status-alpha-orange) ![Python](https://img.shields.io/badge/python-3.10%2B-purple) -![Tests](https://img.shields.io/badge/tests-214_passing-green) +![Tests](https://img.shields.io/badge/tests-275_passing-green) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A reusable, minimal, dependency-light defensive layer for **LLM ingestion