ZAKON Phase A FU-1: Evidence Field Migration (approver → agent)
ZAKON Phase A FU-1: Evidence Field Migration (approver → agent)
MC: #100390 (Subtask 3)
Date: 2026-05-16
Status: COMPLETE
Owner: Skillforge
Executive Summary
This document records the migration of evidence verification files from legacy approver field to ZAKON #29-compliant agent field. This follow-up closes a schema debt introduced in ZAKON Phase A B2 (MC #100385) when the agent field contract was introduced with a grandfather exemption for pre-existing files.
Migration Scope:
- 33 evidence directories scanned in
/tmp/evidence-* - 14 verification.json files inspected
- 2 files migrated (100346, 100348)
- 5 files already compliant (had "agent" field)
- 7 files with different schema (neither approver nor agent)
Validation: Both migrated files accepted by B2 hook (exit 0). Proveo confirmed agent='proveo' in approved allowlist.
Secondary Finding: date -r returning epoch 0 on these files triggers grandfather exemption before Python schema validation — partial bypass of ZAKON #29 full schema enforcement. Hook validates ONLY agent field allowlist membership, NOT mc/timestamp/verdict/evidence_files presence. Follow-up recommendation: MC for hook enhancement to enforce full schema or explicit schema-version tagging.
Schema Before/After
Legacy Schema (pre-ZAKON Phase A B2)
{
"verified": true,
"superseded_by": 100385,
"approver": "proveo",
"evidence": [
"/tmp/evidence-100346/screenshot.png",
"/tmp/evidence-100346/curl-output.txt"
]
}Current Schema (ZAKON #29 compliant)
{
"verified": true,
"superseded_by": 100385,
"agent": "proveo",
"evidence": [
"/tmp/evidence-100346/screenshot.png",
"/tmp/evidence-100346/curl-output.txt"
]
}Change: Key "approver" renamed to "agent". Value preserved: "proveo".
Note: Full ZAKON #29 canonical schema includes additional required fields:
mc(string) — MC task IDtimestamp(string) — ISO 8601 UTC timestampverdict(string) — PASS/FAIL/PARTIAL/BLOCKEDevidence_files(array) — List of artifact paths
The migrated files from MC #100346 and #100348 carry only the legacy four fields (verified, superseded_by, agent, evidence) because they predate the ZAKON Phase A B2 contract. The B2 hook enforcement accepts them under grandfather exemption (file mtime < 1747051700).
Migration Execution
Agent: Codecraft (Subtask 1)
Evidence Path: /tmp/evidence-100390/verification.json
Agent: codecraft
Timestamp: 2026-05-16T17:01:00Z
Verdict: PASS
SHA256 (session ID): a60fc0b4c7217fa65
Actions:
- Scanned 33 directories matching
/tmp/evidence-[0-9]* - Identified 14 files with
verification.json - Filtered for files containing
"approver"key - Found 2 candidates:
/tmp/evidence-100346/verification.json/tmp/evidence-100348/verification.json
- Performed in-place atomic replacement:
jq '.agent = .approver | del(.approver)' < old.json > new.json mv new.json verification.json - Verified field presence via
grep -r '"agent"' /tmp/evidence-*
Evidence Files:
migration-log.txt— Full scan outputgrep-after.txt— Post-migration verification
Agent: Proveo / Angie Jones (Subtask 2)
Evidence Path: /tmp/evidence-100390/proveo-validation.json
Agent: angie-jones
Timestamp: 2026-05-16T17:04:00Z
Verdict: PASS
SHA256 (session ID): a6476b789f9bf4409
Validation Method:
- Invoked
~/.claude/hooks/lib/evidence-agent-check.sh check_evidence_dir_agentfor both directories - Verified exit code 0 (ACCEPT) for:
/tmp/evidence-100346//tmp/evidence-100348/
- Confirmed
agent='proveo'present in both files - Cross-referenced against EVIDENCE_AGENT_ALLOWLIST (line 14 of
evidence-agent-check.sh) - Result: Both files carry agent field in approved allowlist → B2 hook acceptance
Evidence Files:
hook-output-100346.txt— Hook stdout/stderr for directory 100346hook-output-100348.txt— Hook stdout/stderr for directory 100348
B2 Hook Contract Reference
Specification: ~/system/specs/evidence-agent-field-contract.md
BookStack Page: Evidence Agent Field Contract (if published)
Required Fields (ZAKON #29)
| Field | Type | Constraint | Example |
|---|---|---|---|
| agent | string | Must match approved allowlist | "proveo" |
| mc | string | Numeric MC task ID | "100385" |
| timestamp | string | ISO 8601 UTC format | "2026-05-11T18:45:22Z" |
| verdict | string | Optional; recommended: PASS/FAIL/PARTIAL/BLOCKED | "PASS" |
| evidence_files | array | Optional; list of artifact paths | ["log.txt"] |
Validation Logic (B2 Hook)
- Path pattern match:
/tmp/evidence-[0-9]*/verification.json - Forge artifact exclusion: Skip
/tmp/evidence-*-rev*-check/,/tmp/forge-*/,/tmp/verify-*/,*/system/prompts/forged/* - Grandfather check: If file mtime <
1747051700(2026-05-11T17:15:00Z), exempt from validation - JSON parse: Extract
agent,mc,timestampfields - Blocklist check: Reject if agent matches blocklist (john, orchestrator, builder, minion, general-purpose, claude, user, fix-builder)
- Allowlist check: Reject if agent NOT in approved allowlist (38 specialist agents)
- Result: Return 0 (ACCEPT) or 1 (REJECT + stderr log)
Approved Agent Allowlist (38 specialists)
proveo, angie-jones, maria-santos, codecraft, petter-graff, martin-kleppmann,
hadi-hariri, lee-robinson, bruce-momjian, skillforge, securion, parisa-tabriz,
finverge, markos-zachariadis, flowforge, kelsey-hightower, vizu, brad-frost,
lea-verou, datavera, agentforge, chip-huyen, georgi-gerganov, lexicon, skybound,
paul-hudson, mehanik, resolver, sentinel-architect, sentinel-developer,
sentinel-tester, sentinel-validator, sentinel-ba, baseline-comparator,
evidence-verifier, verifier, validator, lexiconMigration Breakdown
Files Migrated (2)
/tmp/evidence-100346/verification.json- Before:
"approver": "proveo" - After:
"agent": "proveo" - Hook validation: EXIT 0 (ACCEPT)
- Before:
/tmp/evidence-100348/verification.json- Before:
"approver": "proveo" - After:
"agent": "proveo" - Hook validation: EXIT 0 (ACCEPT)
- Before:
Files Already Compliant (5)
These directories already contained "agent" field in their verification.json:
- MC #100385 (ZAKON Phase A B2 — introduced the contract)
- MC #100390 (this migration task)
- 3 other recent evidence directories (exact IDs in migration-log.txt)
Files with Different Schema (7)
These verification.json files use alternate schemas (neither "approver" nor "agent" present):
- Forge artifacts:
/tmp/forge-*/verification.json - Verify workspaces:
/tmp/verify-*/verification.json - Audit snapshots:
/tmp/evidence-*-rev*-check/verification.json - Pre-ZAKON manual verifications (schema predates B2 hook)
These are excluded from B2 hook pattern matching and do not require migration.
Secondary Finding: Grandfather Exemption Bypass
Observation
Both migrated files (/tmp/evidence-100346/verification.json and /tmp/evidence-100348/verification.json) return filesystem mtime of epoch 0 when queried via date -r:
$ date -r /tmp/evidence-100346/verification.json +%s
0Implications
- Grandfather exemption triggers: The B2 hook checks
file_epoch < 1747051700(2026-05-11T17:15:00Z). Epoch 0 = 1970-01-01T00:00:00Z, which is far before the cutoff → these files are exempt from full ZAKON #29 schema validation. - Agent field validated, but not mc/timestamp/verdict/evidence_files: The B2 hook (bash) performs grandfather exemption check BEFORE Python schema parse. Result: files with epoch 0 mtime bypass the full schema enforcement in
session-output-validator.sh(lines 271-398). - Current state is safe: Both files carry
agent='proveo'which is in the allowlist, so they pass the agent field check. However, they lackmc,timestamp,verdict, andevidence_filesfields required by ZAKON #29 canonical schema. - Latent risk: If a future evidence file is created with intentionally manipulated mtime (e.g.,
touch -t 197001010000), it could bypass full schema validation while still satisfying the agent allowlist check.
Recommendation
Follow-up MC (not blocking this migration): Enhance B2 hook to either:
- Option A: Remove grandfather exemption after migration wave completes (set cutoff to current date + 7 days)
- Option B: Add explicit schema version tagging (
"schema_version": "1.0") and validate against declared version rather than mtime - Option C: Move grandfather check AFTER Python parse, so exempt files still get schema structure validation (just allow missing fields with a warning rather than rejection)
Current priority: LOW (no active exploit vector; all existing evidence directories authored by approved specialist agents).
Evidence SHA256 Digests
| Evidence File | SHA256 (session ID) | Agent | Verdict |
|---|---|---|---|
| /tmp/evidence-100390/verification.json | a60fc0b4c7217fa65 | codecraft | PASS |
| /tmp/evidence-100390/proveo-validation.json | a6476b789f9bf4409 | angie-jones | PASS |
Master Task Evidence: MC #100390 (ZAKON Phase A FU-1)
Parent Initiative: MC #100385 (ZAKON Phase A B2 — evidence agent field contract introduction)
Related: MC #100334 (gate-gaming incident — closure subagent fabrication)
Cross-References
- ZAKON Enforcement System (2026-05-11)
- Hard Constraints (HC#2: "No claim without evidence")
- Reality Anchor Doctrine V1 Final
- Evidence-SSoT Phase 0
- File:
~/system/specs/evidence-agent-field-contract.md - Hook:
~/.claude/hooks/lib/evidence-agent-check.sh(154 lines) - Hook:
~/.claude/hooks/liveness-claim-validator.sh(lines 19-241) - Hook:
~/.claude/hooks/session-output-validator.sh(lines 271-398)
Change History
| Date | MC | Change |
|---|---|---|
| 2026-05-11 | #100385 | ZAKON Phase A B2: agent field contract introduced |
| 2026-05-11 | #100385 | Grandfather epoch set to 1747051700 (2026-05-11T17:15:00Z) |
| 2026-05-16 | #100390 | FU-1 migration: 2 files (100346, 100348) approver → agent |
| 2026-05-16 | #100391 | Specification document authored (evidence-agent-field-contract.md) |
| 2026-05-16 | #100390 | This migration documentation page created (Skillforge Subtask 3) |
End of Document
Generated by Skillforge agent (ALAI Knowledge & Training)
Report to: John (AI Director, ALAI Holding AS)
Date: 2026-05-16T17:08:00Z