Evidence Attribution¶
Declared obligation is not satisfied obligation.
Satisfied obligation requires attributable evidence.
Human review evidence must identify reviewer authority.
Attestation primitives should be mapped rather than reinvented.
Declared vs satisfied¶
A manifest declares required review and evidence.
A validator or enforcement layer checks whether declared requirements are satisfied.
A declared requirement is not satisfied merely because it appears in the manifest; it is satisfied only when the validator finds an evidence artifact that it can attribute and that meets the requirement.
Minimum v0 rule¶
For v0, evidence offered as satisfying a requirement SHOULD identify:
- evidence kind;
- source artifact or system;
- producing actor or system;
- timestamp or run identifier when available;
- related surface;
- related role;
- related review requirement;
- reviewer authority when the evidence satisfies human review.
Human review attribution¶
Evidence that satisfies a human review requirement MUST be attributable to a human reviewer with the required reviewer authority.
AI-generated summaries, comments, or review notes MAY support a human reviewer. They MUST NOT satisfy the human review requirement.
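As an added example (not part of this page or of the project's own code), the following Python validator applies the declared-versus-satisfied check, the v0 attribution rule, and the human review attribution rule above: a requirement that appears only in the manifest stays "declared", an artifact missing v0 fields is "unattributed", an AI-generated note offered against a human review requirement is rejected, and a human reviewer without the required authority is "unauthorized". The manifest shape, the evidence field names (including `actor_type` and `reviewer_authority`), and the `AUTHORITIES` registry are assumptions made for illustration; the sample manifest and evidence records are constructed.

```python
from dataclasses import dataclass
from typing import Iterable

# Ordered stages an evidence artifact can reach against a requirement; later is better.
# They mirror the distinctions a validator must be able to make: declaration only,
# artifact present but unattributed, attributed but unrelated/wrong kind/unauthorized, satisfied.
STAGES = ("no_artifact", "unattributed", "wrong_role", "wrong_kind", "unauthorized", "satisfied")

# v0 attribution fields. timestamp/run_id is "when available", so it is not required here.
# Field names are an assumption of this example, not a format the page defines.
V0_FIELDS = ("kind", "source", "actor", "surface", "role", "requirement")


@dataclass(frozen=True)
class Verdict:
    stage: str               # furthest stage any candidate artifact reached
    notes: tuple[str, ...]   # one line per candidate artifact explaining its stage


def assess(ev: dict, req: dict, authorities: dict[str, set[str]]) -> tuple[str, str]:
    """Stage reached by one evidence record against one declared requirement."""
    missing = [f for f in V0_FIELDS if not ev.get(f)]
    if req["kind"] == "human_review" and not ev.get("reviewer_authority"):
        missing.append("reviewer_authority")   # required when evidence claims to satisfy human review
    if missing:
        return "unattributed", f"{ev.get('source') or '<unknown>'}: missing {', '.join(missing)}"
    src = ev["source"]
    if ev["role"] != req["role"]:
        return "wrong_role", f"{src}: role {ev['role']!r} does not satisfy {req['role']!r}"
    if req["kind"] == "human_review":
        # AI-generated notes MAY support a reviewer but MUST NOT satisfy human review.
        if ev["kind"] != "human_review" or ev.get("actor_type") != "human":
            return "wrong_kind", f"{src}: {ev['kind']} by {ev.get('actor_type')} actor cannot satisfy human review"
        held = authorities.get(ev["actor"], set())   # assumed registry: actor -> authorities held
        if req["authority"] not in held or ev["reviewer_authority"] != req["authority"]:
            return "unauthorized", f"{src}: {ev['actor']} lacks authority {req['authority']!r} (holds {sorted(held)})"
    elif ev["kind"] != req["kind"]:
        return "wrong_kind", f"{src}: kind {ev['kind']!r} does not satisfy {req['kind']!r}"
    return "satisfied", f"{src}: {ev['kind']} by {ev['actor']}"


def check_requirement(surface: str, req: dict, evidence: Iterable[dict],
                      authorities: dict[str, set[str]]) -> Verdict:
    """Declared vs satisfied for one requirement: only artifacts bound to this surface count."""
    candidates = [e for e in evidence
                  if e.get("surface") == surface and e.get("requirement") == req["id"]]
    if not candidates:
        return Verdict("no_artifact", (f"{surface}/{req['id']}: declared in manifest, no artifact references it",))
    results = [assess(e, req, authorities) for e in candidates]
    best = max(results, key=lambda r: STAGES.index(r[0]))
    return Verdict(best[0], tuple(note for _, note in results))


def validate(manifest: dict, evidence: list[dict], authorities: dict[str, set[str]]) -> dict[str, Verdict]:
    """Map 'surface/requirement-id' -> Verdict for every requirement the manifest declares."""
    out = {}
    for s in manifest["surfaces"]:
        for req in s["requirements"]:
            out[f"{s['surface']}/{req['id']}"] = check_requirement(s["surface"], req, evidence, authorities)
    return out


# Constructed sample manifest: two surfaces, each declaring required review/evidence.
MANIFEST = {"surfaces": [
    {"surface": "payments-api", "requirements": [
        {"id": "human-review", "kind": "human_review", "role": "security-reviewer", "authority": "security-reviewer"},
        {"id": "ci-tests", "kind": "ci_run", "role": "ci"},
    ]},
    {"surface": "billing-ui", "requirements": [
        {"id": "human-review", "kind": "human_review", "role": "ui-owner", "authority": "ui-owner"},
    ]},
]}

# Constructed authority registry (in practice derived from e.g. team membership or CODEOWNERS).
AUTHORITIES = {"alice": {"maintainer"}, "bob": {"maintainer", "security-reviewer"}}

# Constructed evidence records in the assumed v0 shape.
EVIDENCE = [
    {"kind": "ai_review_note", "source": "pr/88#comment-1", "actor": "review-bot", "actor_type": "ai",
     "timestamp": "2024-05-01T10:00:00Z", "surface": "payments-api", "role": "security-reviewer",
     "requirement": "human-review", "reviewer_authority": "security-reviewer"},
    {"kind": "human_review", "source": "pr/88#review-2", "actor": "alice", "actor_type": "human",
     "timestamp": "2024-05-01T11:00:00Z", "surface": "payments-api", "role": "security-reviewer",
     "requirement": "human-review", "reviewer_authority": "security-reviewer"},
    {"kind": "human_review", "source": "pr/88#review-3", "actor": "bob", "actor_type": "human",
     "timestamp": "2024-05-01T12:00:00Z", "surface": "payments-api", "role": "security-reviewer",
     "requirement": "human-review", "reviewer_authority": "security-reviewer"},
    {"kind": "ci_run", "source": "ci/run/4711", "actor": "ci-system", "actor_type": "system",
     "run_id": "4711", "surface": "payments-api", "role": "ci", "requirement": "ci-tests"},
    {"kind": "human_review", "source": "pr/91#review-1", "actor": "", "actor_type": "human",
     "surface": "billing-ui", "role": "ui-owner", "requirement": "human-review", "reviewer_authority": "ui-owner"},
]

if __name__ == "__main__":
    for key, verdict in validate(MANIFEST, EVIDENCE, AUTHORITIES).items():
        print(key, "->", verdict.stage)
        for note in verdict.notes:
            print("    ", note)
```

Run as written, `payments-api/human-review` reaches "satisfied" only through bob's review; the AI note and alice's review are reported alongside it with the stage each reached, so a reader of the output can see that the requirement was not met by the artifacts that merely referenced it. `billing-ui/human-review` stays "unattributed" because the artifact names no actor, which is exactly the case the v0 rule exists to surface.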
External attestation primitives¶
The accountable surface ecosystem SHOULD map to existing attestation and provenance mechanisms rather than inventing a parallel attribution system.
Potential mapping targets include:
- GitHub review metadata;
- CI run metadata;
- SLSA provenance;
- in-toto attestations;
- Sigstore-backed signing and verification.
Evidence integrity¶
Evidence must be inspectable enough to distinguish:
- the declaration that evidence is required;
- the existence of an evidence artifact;
- the attribution of that artifact;
- the authority of the reviewer or system that produced it;
- the surface and role the evidence satisfies.