gardesk/garcard / 6adfbf7

Browse files

Update sprint 08 interactive parity evidence

Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
6adfbf7bc29d4c185885ad09e645132004711be4
Parents
b5da957
Tree
a3def66

2 changed files

StatusFile+-
M examples/sprint-08-parity-matrix.md 8 7
M examples/sprint-08-validation-report-2026-02-26.md 18 8
examples/sprint-08-parity-matrix.mdmodified
@@ -9,23 +9,24 @@ Use this matrix to certify behavior against mature desktop PolicyKit agents.
9
 ## Matrix
9
 ## Matrix
10
 | Scenario | Procedure | Expected Result | Status | Evidence |
10
 | Scenario | Procedure | Expected Result | Status | Evidence |
11
 | --- | --- | --- | --- | --- |
11
 | --- | --- | --- | --- | --- |
12
-| Success path | Trigger `pkcheck --allow-user-interaction --process $$ --action-id com.mesonbuild.install.run` and enter correct password | Prompt completes, auth is authorized, no failure flash | Pending | daemon log + `garcardctl auth-summary` |
12
+| Success path | Trigger `pkcheck --allow-user-interaction --process $$ --action-id com.mesonbuild.install.run` and enter correct password | Prompt completes, auth is authorized, no failure flash | PASS (interactive) | `target/sprint-08-parity-evidence.md` (`cycle 1/2`, `last_outcome: success`) |
13
 | Failure path | Trigger same `pkcheck` and enter wrong password | Prompt flashes error, reprompts in place, `auth-summary.last_outcome=failure` before retry | Pending | daemon log + `garcardctl auth-summary` |
13
 | Failure path | Trigger same `pkcheck` and enter wrong password | Prompt flashes error, reprompts in place, `auth-summary.last_outcome=failure` before retry | Pending | daemon log + `garcardctl auth-summary` |
14
-| Cancel path | Trigger `pkcheck`, cancel prompt | Request exits cleanly, `auth-summary.last_outcome=canceled` | Pending | daemon log + `garcardctl auth-summary` |
14
+| Cancel path | Trigger `pkcheck`, cancel prompt | Request exits cleanly, `auth-summary.last_outcome=canceled` | PASS (interactive) | `target/sprint-08-parity-evidence.md` (`cycle 3`, `last_outcome: canceled`) |
15
 | Timeout path | Set short timeout (`GARCARD_PROMPT_TIMEOUT_SECS=2`), trigger auth, do not respond | Request times out, `auth-summary.last_outcome=timeout` | Pending | daemon log + `garcardctl auth-summary` |
15
 | Timeout path | Set short timeout (`GARCARD_PROMPT_TIMEOUT_SECS=2`), trigger auth, do not respond | Request times out, `auth-summary.last_outcome=timeout` | Pending | daemon log + `garcardctl auth-summary` |
16
 | Multi-identity flow | Trigger policy requiring identity choice | Identity list rendered, selected identity is honored | Pending | prompt capture + daemon log |
16
 | Multi-identity flow | Trigger policy requiring identity choice | Identity list rendered, selected identity is honored | Pending | prompt capture + daemon log |
17
 | Retention choice flow | Trigger policy exposing retention options | Retention choice accepted and recorded in `auth-summary` | Pending | `garcardctl auth-summary` |
17
 | Retention choice flow | Trigger policy exposing retention options | Retention choice accepted and recorded in `auth-summary` | Pending | `garcardctl auth-summary` |
18
-| Temp auth introspection | Run `garcardctl temp-list` after successful retained auth | Active temporary authorization entries are listed | PASS (baseline) | `target/sprint-08-parity-evidence.md` (`authorizations: []` in non-interactive baseline) |
18
+| Temp auth introspection | Run `garcardctl temp-list` after successful retained auth | Active temporary authorization entries are listed | PASS (interactive) | `target/sprint-08-parity-evidence.md` (`tmpauthz0/tmpauthz1` listed) |
19
 | Temp auth revoke single | Run `garcardctl temp-revoke <id>` | Target authorization removed | Pending interactive retained auth | `temp-list` before/after |
19
 | Temp auth revoke single | Run `garcardctl temp-revoke <id>` | Target authorization removed | Pending interactive retained auth | `temp-list` before/after |
20
-| Temp auth revoke all | Run `garcardctl temp-revoke-all` | All temporary authorizations removed | PASS (baseline) | `target/sprint-08-parity-evidence.md` (`revoked_count: 0` baseline) |
20
+| Temp auth revoke all | Run `garcardctl temp-revoke-all` | All temporary authorizations removed | PASS (interactive) | `target/sprint-08-parity-evidence.md` (`revoked_count: 1` after cycle 1/2) |
21
 | Daemon restart during lifecycle | Restart daemon and rerun status/diag/temp commands | Control plane recovers without stale socket state | PASS (baseline) | `target/sprint-08-parity-evidence.md` (`validate-sprint-07.sh` section) |
21
 | Daemon restart during lifecycle | Restart daemon and rerun status/diag/temp commands | Control plane recovers without stale socket state | PASS (baseline) | `target/sprint-08-parity-evidence.md` (`validate-sprint-07.sh` section) |
22
-| Polkit restart recovery | Restart polkit and relaunch daemon | Diagnostics recover, control commands remain responsive | Pending | script output + daemon log |
22
+| Polkit restart recovery | Restart polkit and relaunch daemon | Diagnostics recover, control commands remain responsive | PASS (manual) | 2026-02-26 manual `sudo systemctl restart polkit` + post-check `validate-sprint-07.sh` (`polkit` backend healthy) |
23
23
24
 ## Signoff
24
 ## Signoff
25
 1. Date: 2026-02-26 (baseline run)
25
 1. Date: 2026-02-26 (baseline run)
26
 2. Operator: mfwolffe/codex
26
 2. Operator: mfwolffe/codex
27
 3. Result (`PASS`/`FAIL`): IN PROGRESS
27
 3. Result (`PASS`/`FAIL`): IN PROGRESS
28
 4. Blocking gaps:
28
 4. Blocking gaps:
29
-   - interactive `pkcheck` matrix rows (success/failure/cancel/timeout)
29
+   - failure-path parity (`last_outcome: failure`) on explicit wrong-password flow
30
+   - timeout-path parity (`last_outcome: timeout`) under interactive challenge
30
    - multi-identity and retention-choice scenarios on policies that expose those options
31
    - multi-identity and retention-choice scenarios on policies that expose those options
31
-   - polkit restart recovery check with privileged restart command
32
+   - temp-revoke single-id scenario
examples/sprint-08-validation-report-2026-02-26.mdmodified
@@ -22,17 +22,27 @@ 
22
    - previous `InvalidArgs` (`(sa{sv})` vs `((sa{sv}))`) no longer appears
22
    - previous `InvalidArgs` (`(sa{sv})` vs `((sa{sv}))`) no longer appears
23
    - `temp-list` and `temp-revoke-all` return clean baseline results
23
    - `temp-list` and `temp-revoke-all` return clean baseline results
24
 4. Workspace tests pass after lifecycle-call marshaling fix.
24
 4. Workspace tests pass after lifecycle-call marshaling fix.
25
+5. Interactive parity loop executed via `GARCARD_SPRINT08_RUN_INTERACTIVE=1 ./examples/validate-sprint-08-parity.sh`:
26
+   - successful auth path observed (`last_outcome: success`)
27
+   - canceled auth path observed (`last_outcome: canceled`)
28
+   - temporary authorizations created and revoked in-loop (`revoked_count: 1`)
29
+6. Privileged polkit-restart recovery executed manually on 2026-02-26:
30
+   - operator ran `sudo systemctl restart polkit`
31
+   - post-restart lifecycle verification on `polkit` backend passed (`validate-sprint-07.sh`)
25
 
32
 
26
 ## Matrix Status
33
 ## Matrix Status
27
 1. Baseline non-interactive rows updated in `examples/sprint-08-parity-matrix.md`.
34
 1. Baseline non-interactive rows updated in `examples/sprint-08-parity-matrix.md`.
28
-2. Remaining rows are interactive/policy-dependent and still pending:
35
+2. Interactive/passive coverage now includes:
29
-   - success/failure/cancel/timeout prompt-path parity via `pkcheck`
36
+   - success and canceled prompt paths
37
+   - temp-list and temp-revoke-all with concrete temporary authorization ids
38
+   - manual privileged polkit-restart recovery
39
+3. Remaining rows are policy/path specific and still pending:
40
+   - explicit wrong-password failure path (`last_outcome: failure`)
41
+   - timeout path under live challenge (`last_outcome: timeout`)
30
    - multi-identity and retention-choice scenarios
42
    - multi-identity and retention-choice scenarios
31
-   - privileged polkit restart recovery path
43
+   - temp-revoke single-id scenario
32
 
44
 
33
 ## Next Actions
45
 ## Next Actions
34
-1. Run interactive parity pass:
46
+1. Run one focused wrong-password parity capture (`failure` outcome) with debug logs.
35
-   - `GARCARD_SPRINT08_RUN_INTERACTIVE=1 ./examples/validate-sprint-08-parity.sh`
47
+2. Run one focused timeout capture using short prompt timeout on `polkit` backend.
36
-2. Execute privileged recovery check:
48
+3. Add one targeted single-id revoke capture (`temp-revoke <authorization-id>`) and finalize matrix signoff.
37
-   - `GARCARD_SPRINT07_POLKIT_RESTART_CMD='sudo systemctl restart polkit' ./examples/validate-sprint-07.sh`
38
-3. Mark remaining matrix rows PASS/FAIL with log pointers.