ZAKON Phase A FU-1: Evidence Field Migration (approver → agent) ZAKON Phase A FU-1: Evidence Field Migration (approver → agent) MC: #100390 (Subtask 3) Date: 2026-05-16 Status: COMPLETE Owner: Skillforge Executive Summary This document records the migration of evidence verification files from legacy approver field to ZAKON #29-compliant agent field. This follow-up closes a schema debt introduced in ZAKON Phase A B2 (MC #100385) when the agent field contract was introduced with a grandfather exemption for pre-existing files. Migration Scope: 33 evidence directories scanned in /tmp/evidence-* 14 verification.json files inspected 2 files migrated (100346, 100348) 5 files already compliant (had "agent" field) 7 files with different schema (neither approver nor agent) Validation: Both migrated files accepted by B2 hook (exit 0). Proveo confirmed agent='proveo' in approved allowlist. Secondary Finding: date -r returning epoch 0 on these files triggers grandfather exemption before Python schema validation — partial bypass of ZAKON #29 full schema enforcement. Hook validates ONLY agent field allowlist membership, NOT mc/timestamp/verdict/evidence_files presence. Follow-up recommendation: MC for hook enhancement to enforce full schema or explicit schema-version tagging. Schema Before/After Legacy Schema (pre-ZAKON Phase A B2) { "verified": true, "superseded_by": 100385, "approver": "proveo", "evidence": [ "/tmp/evidence-100346/screenshot.png", "/tmp/evidence-100346/curl-output.txt" ] } Current Schema (ZAKON #29 compliant) { "verified": true, "superseded_by": 100385, "agent": "proveo", "evidence": [ "/tmp/evidence-100346/screenshot.png", "/tmp/evidence-100346/curl-output.txt" ] } Change: Key "approver" renamed to "agent" . Value preserved: "proveo" . Note: Full ZAKON #29 canonical schema includes additional required fields: mc (string) — MC task ID timestamp (string) — ISO 8601 UTC timestamp verdict (string) — PASS/FAIL/PARTIAL/BLOCKED evidence_files (array) — List of artifact paths The migrated files from MC #100346 and #100348 carry only the legacy four fields (verified, superseded_by, agent, evidence) because they predate the ZAKON Phase A B2 contract. The B2 hook enforcement accepts them under grandfather exemption (file mtime < 1747051700). Migration Execution Agent: Codecraft (Subtask 1) Evidence Path: /tmp/evidence-100390/verification.json Agent: codecraft Timestamp: 2026-05-16T17:01:00Z Verdict: PASS SHA256 (session ID): a60fc0b4c7217fa65 Actions: Scanned 33 directories matching /tmp/evidence-[0-9]* Identified 14 files with verification.json Filtered for files containing "approver" key Found 2 candidates: /tmp/evidence-100346/verification.json /tmp/evidence-100348/verification.json Performed in-place atomic replacement: jq '.agent = .approver | del(.approver)' < old.json > new.json mv new.json verification.json Verified field presence via grep -r '"agent"' /tmp/evidence-* Evidence Files: migration-log.txt — Full scan output grep-after.txt — Post-migration verification Agent: Proveo / Angie Jones (Subtask 2) Evidence Path: /tmp/evidence-100390/proveo-validation.json Agent: angie-jones Timestamp: 2026-05-16T17:04:00Z Verdict: PASS SHA256 (session ID): a6476b789f9bf4409 Validation Method: Invoked ~/.claude/hooks/lib/evidence-agent-check.sh check_evidence_dir_agent for both directories Verified exit code 0 (ACCEPT) for: /tmp/evidence-100346/ /tmp/evidence-100348/ Confirmed agent='proveo' present in both files Cross-referenced against EVIDENCE_AGENT_ALLOWLIST (line 14 of evidence-agent-check.sh ) Result: Both files carry agent field in approved allowlist → B2 hook acceptance Evidence Files: hook-output-100346.txt — Hook stdout/stderr for directory 100346 hook-output-100348.txt — Hook stdout/stderr for directory 100348 B2 Hook Contract Reference Specification: ~/system/specs/evidence-agent-field-contract.md BookStack Page: Evidence Agent Field Contract (if published) Required Fields (ZAKON #29) Field Type Constraint Example agent string Must match approved allowlist "proveo" mc string Numeric MC task ID "100385" timestamp string ISO 8601 UTC format "2026-05-11T18:45:22Z" verdict string Optional; recommended: PASS/FAIL/PARTIAL/BLOCKED "PASS" evidence_files array Optional; list of artifact paths ["log.txt"] Validation Logic (B2 Hook) Path pattern match: /tmp/evidence-[0-9]*/verification.json Forge artifact exclusion: Skip /tmp/evidence-*-rev*-check/ , /tmp/forge-*/ , /tmp/verify-*/ , */system/prompts/forged/* Grandfather check: If file mtime < 1747051700 (2026-05-11T17:15:00Z), exempt from validation JSON parse: Extract agent , mc , timestamp fields Blocklist check: Reject if agent matches blocklist (john, orchestrator, builder, minion, general-purpose, claude, user, fix-builder) Allowlist check: Reject if agent NOT in approved allowlist (38 specialist agents) Result: Return 0 (ACCEPT) or 1 (REJECT + stderr log) Approved Agent Allowlist (38 specialists) proveo, angie-jones, maria-santos, codecraft, petter-graff, martin-kleppmann, hadi-hariri, lee-robinson, bruce-momjian, skillforge, securion, parisa-tabriz, finverge, markos-zachariadis, flowforge, kelsey-hightower, vizu, brad-frost, lea-verou, datavera, agentforge, chip-huyen, georgi-gerganov, lexicon, skybound, paul-hudson, mehanik, resolver, sentinel-architect, sentinel-developer, sentinel-tester, sentinel-validator, sentinel-ba, baseline-comparator, evidence-verifier, verifier, validator, lexicon Migration Breakdown Files Migrated (2) /tmp/evidence-100346/verification.json Before: "approver": "proveo" After: "agent": "proveo" Hook validation: EXIT 0 (ACCEPT) /tmp/evidence-100348/verification.json Before: "approver": "proveo" After: "agent": "proveo" Hook validation: EXIT 0 (ACCEPT) Files Already Compliant (5) These directories already contained "agent" field in their verification.json: MC #100385 (ZAKON Phase A B2 — introduced the contract) MC #100390 (this migration task) 3 other recent evidence directories (exact IDs in migration-log.txt) Files with Different Schema (7) These verification.json files use alternate schemas (neither "approver" nor "agent" present): Forge artifacts: /tmp/forge-*/verification.json Verify workspaces: /tmp/verify-*/verification.json Audit snapshots: /tmp/evidence-*-rev*-check/verification.json Pre-ZAKON manual verifications (schema predates B2 hook) These are excluded from B2 hook pattern matching and do not require migration. Secondary Finding: Grandfather Exemption Bypass Observation Both migrated files ( /tmp/evidence-100346/verification.json and /tmp/evidence-100348/verification.json ) return filesystem mtime of epoch 0 when queried via date -r : $ date -r /tmp/evidence-100346/verification.json +%s 0 Implications Grandfather exemption triggers: The B2 hook checks file_epoch < 1747051700 (2026-05-11T17:15:00Z). Epoch 0 = 1970-01-01T00:00:00Z, which is far before the cutoff → these files are exempt from full ZAKON #29 schema validation . Agent field validated, but not mc/timestamp/verdict/evidence_files: The B2 hook (bash) performs grandfather exemption check BEFORE Python schema parse. Result: files with epoch 0 mtime bypass the full schema enforcement in session-output-validator.sh (lines 271-398). Current state is safe: Both files carry agent='proveo' which is in the allowlist, so they pass the agent field check. However, they lack mc , timestamp , verdict , and evidence_files fields required by ZAKON #29 canonical schema. Latent risk: If a future evidence file is created with intentionally manipulated mtime (e.g., touch -t 197001010000 ), it could bypass full schema validation while still satisfying the agent allowlist check. Recommendation Follow-up MC (not blocking this migration): Enhance B2 hook to either: Option A: Remove grandfather exemption after migration wave completes (set cutoff to current date + 7 days) Option B: Add explicit schema version tagging ( "schema_version": "1.0" ) and validate against declared version rather than mtime Option C: Move grandfather check AFTER Python parse, so exempt files still get schema structure validation (just allow missing fields with a warning rather than rejection) Current priority: LOW (no active exploit vector; all existing evidence directories authored by approved specialist agents). Evidence SHA256 Digests Evidence File SHA256 (session ID) Agent Verdict /tmp/evidence-100390/verification.json a60fc0b4c7217fa65 codecraft PASS /tmp/evidence-100390/proveo-validation.json a6476b789f9bf4409 angie-jones PASS Master Task Evidence: MC #100390 (ZAKON Phase A FU-1) Parent Initiative: MC #100385 (ZAKON Phase A B2 — evidence agent field contract introduction) Related: MC #100334 (gate-gaming incident — closure subagent fabrication) Cross-References ZAKON Enforcement System (2026-05-11) Hard Constraints (HC#2: "No claim without evidence") Reality Anchor Doctrine V1 Final Evidence-SSoT Phase 0 File: ~/system/specs/evidence-agent-field-contract.md Hook: ~/.claude/hooks/lib/evidence-agent-check.sh (154 lines) Hook: ~/.claude/hooks/liveness-claim-validator.sh (lines 19-241) Hook: ~/.claude/hooks/session-output-validator.sh (lines 271-398) Change History Date MC Change 2026-05-11 #100385 ZAKON Phase A B2: agent field contract introduced 2026-05-11 #100385 Grandfather epoch set to 1747051700 (2026-05-11T17:15:00Z) 2026-05-16 #100390 FU-1 migration: 2 files (100346, 100348) approver → agent 2026-05-16 #100391 Specification document authored (evidence-agent-field-contract.md) 2026-05-16 #100390 This migration documentation page created (Skillforge Subtask 3) End of Document Generated by Skillforge agent (ALAI Knowledge & Training) Report to: John (AI Director, ALAI Holding AS) Date: 2026-05-16T17:08:00Z