Canonical-JSON (RFC 8785 / JCS) + content-addressed identity.
For our string-only payload, serde_json’s default output (sorted BTreeMap
keys, compact separators, raw non-ASCII, no /-escape) IS JCS — verified by
the golden vectors. Liveness arrays are sorted+deduped here so set-valued
fields are order-insensitive; grounds[] keeps authored order.
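
The canonical form described above, as an added example that is not the crate's own code (which, per the text, relies on serde_json): a std-only serializer for a flat string-only object. It goes slightly beyond the page's case by ordering keys by UTF-16 code units as RFC 8785 specifies, which matches BTreeMap's byte order whenever keys are ASCII. The Val type, the field names title and triggers, and the byte-order sort of set values are assumptions, and the hash step is left out because std has no SHA-2.

```rust
// Added illustration, std only; field names and sample values are constructed.
pub enum Val {
    Str(String),
    List(Vec<String>), // authored order is significant, like grounds[]
    Set(Vec<String>),  // set-valued: sorted + deduped before serializing
}
// RFC 8785 string escaping: short escapes, \u00xx for other controls; non-ASCII and '/' raw.
fn esc(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' | '\\' | '\n' | '\r' | '\t' => out.extend(c.escape_default()),
            '\u{08}' => out.push_str("\\b"),
            '\u{0C}' => out.push_str("\\f"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out + "\""
}

fn arr(items: &[String]) -> String {
    format!("[{}]", items.iter().map(|s| esc(s)).collect::<Vec<_>>().join(","))
}

// Canonical bytes for one flat object: what a content hash would be taken over.
pub fn canonical(fields: &[(&str, Val)]) -> String {
    let mut sorted: Vec<&(&str, Val)> = fields.iter().collect();
    // RFC 8785 orders property names by UTF-16 code units, not UTF-8 bytes.
    sorted.sort_by(|a, b| a.0.encode_utf16().cmp(b.0.encode_utf16()));
    let members: Vec<String> = sorted.iter().map(|f| {
        let value = match &f.1 {
            Val::Str(s) => esc(s),
            Val::List(v) => arr(v),
            Val::Set(v) => {
                let mut v = v.clone();
                v.sort(); // assumed order; the page only says "sorted"
                v.dedup();
                arr(&v)
            }
        };
        format!("{}:{}", esc(f.0), value)
    }).collect();
    format!("{{{}}}", members.join(","))
}

fn main() {
    let set = Val::Set(vec!["b".into(), "a".into(), "a".into()]);
    println!("{}", canonical(&[("title", Val::Str("é/x".into())), ("triggers", set)]));
}
```
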
The .evolving/config reader: one typed Config parsed once from the flat key = value
file. Defaults match DEFAULT_CONFIG. No TOML dependency — the file is ev-authored and
fixed-shape, so a whole-token line scan is enough.
ev correct — append a corrective CHILD tick that fixes a stale non-hashed tag (authority /
jurisdiction / provenance) on an existing decision, under ev’s append-only law.
A local, append-only events log (results/events.jsonl) — the decision-data instrumentation for
metrics. Gitignored, 0-network, best-effort (a write failure never fails the command).
ev guard "<selector>" <id> [<ground>] — attach an existing test to a ground as a
data check (after the fact). Because check is hashed, this writes a NEW CHILD.
Best-effort lexical lints over built-in, deterministic word lists.
R3: the subject of self-evolve/self-improve language must be a human, not the system.
R5: no auto-close / auto-prune / self-stop op language.
Honest limit: a re-wording evades these — they are heuristics, not semantic guarantees.
Event-driven liveness: has a triggering change landed since a check last ran?
Impure (shells git), mirroring staleness.rs. The verdict engine stays pure — this
produces a bool the caller passes into verdict_for.
Run-receipts: the non-hashed evidence that a bound test ran — one JSON object
per line in results/receipts/.jsonl. Deleting receipts never changes a
tick id (the hashed/cached split). Unsigned, trust-on-write for 0.1.0.
ev check --run: execute a bound test locally and produce a run-receipt. A THIN runner —
the production receipt-writer is CI / a supervisor hook; --run is for local verification.
exit == the configured green_exit_code => green, anything else => red (gray comes from
external writers, never from --run).
The external selected-list: which check refs the latest diff selected, and which declared
triggers it changed. An affinity tool / CI writes results/selected.json; ev READS it and
never recomputes affinity. Absent ⇒ L2 (silently-unbound) is not evaluated.
Resolve the staleness-reference sha per the configured policy. No network — live-origin
reads the last-fetched upstream tracking ref. Returns None when the reference can’t be
determined (“stale-unknown”), in which case sha-staleness is simply not evaluated.
The verdict-cache read contract: results/state/<tick_id>.json — a per-host, gitignored
snapshot of each tick’s per-ground verdicts that a consumer hook reads WITHOUT shelling
ev check. Facts, no scores; one row per ground.
The pure verdict engine: per Test-bound ground, the resurface precedence.
No I/O — receipts, the live-origin sha, and the selected-list are passed in. Facts,
not verdicts: every not-green state is a co-equal fact, never ranked or scored.