feat(cacert): externalize CACert verification network (CEN-V) + offline verifier

[BrianCLong]

Motivation

• Provide an externally verifiable CACert surface so auditors/partners can validate admissibility without access to internal systems.
• Meet requirements for deterministic verification: signature validation, evidence-hash linkage, verdict check, replay/expiry detection, and tamper detection.
• Support offline/air-gapped verification workflows and a stable schema for portable trust artifacts.

Description

• Upgrade CACert model to an external 2.0 form with stable cert_id, signer identity (key_id), validity window, evidence manifest and canonicalization helpers in packages/cacert/src/cacert.ts.
• Add deterministic verification engine verifyCACert in packages/cacert/src/verification.ts that validates signatures (Ed25519), checks trust anchors/revocation, verifies evidence hashes and decision-trace linkage, and emits structured reason codes.
• Provide an offline CLI verifier cacert-verify at packages/cacert/tools/cacert-verify.mjs (CLI: --cert <path> --request <path> [--output <path>]) that returns non-zero on FAIL for air-gapped consumers.
• Add JSON Schemas for CACert and verification contracts at packages/cacert/schema/* and expose the verifier via package bin and verify script in packages/cacert/package.json.
• Add unit tests covering positive and attack/failure cases in packages/cacert/tests/cacert.test.ts (forged signature, tampered evidence, revoked key/replay, missing evidence, trace mismatch) and wire this surface into GA docs (docs/ga/CACERT_VERIFICATION_NETWORK.md) and docs/ga/verification-map.json.

Testing

• Ran pnpm --filter @summit/cacert test, which executed the package tests and passed (all tests OK: positive path + forged/tamper/replay/missing-evidence/trace mismatch cases).
• Ran node scripts/check-boundaries.cjs and it reported no parallelization/boundary violations.
• Ran make ga-verify (repo GA verification sweep), which surfaced unrelated GA fixture issues (a demo evidence keyword mismatch, malformed/merged agent-contract.json markers, and pilot doc token mismatch) and therefore the GA sweep failed; these failures are external to the CACert verification logic.
• pnpm --filter @summit/cacert build initially reported TypeScript / local environment type issues in this environment (missing local dev typings / node_modules setup), but tests run via tsx succeeded; build/CI in a normal dev environment with dependencies installed should succeed.

---

Codex Task

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@BrianCLong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 31 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 5 minutes and 31 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1237d36-c1d4-4029-ba59-47c7a48605a7

📥 Commits

Reviewing files that changed from the base of the PR and between ff4ddf6 and be0c272.

📒 Files selected for processing (12)

• docs/ga/CACERT_VERIFICATION_NETWORK.md
• docs/ga/MVP-4-GA-VERIFICATION.md
• docs/ga/verification-map.json
• packages/cacert/package.json
• packages/cacert/schema/cacert.schema.json
• packages/cacert/schema/verification_request.schema.json
• packages/cacert/schema/verification_response.schema.json
• packages/cacert/src/cacert.ts
• packages/cacert/src/index.ts
• packages/cacert/src/verification.ts
• packages/cacert/tests/cacert.test.ts
• packages/cacert/tools/cacert-verify.mjs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/externalize-cacert-into-verification-network

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be0c272eab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fail admissibility when cert is expired or not yet valid

The admissibility decision does not incorporate validity-window failures: EXPIRED_CERT_REPLAY and NOT_YET_VALID are recorded in reasons, but admissibility_status is still computed only from signature, evidence integrity, and cert.verdict. In practice, a correctly signed PASS cert outside its validity window can still return admissibility_status: "PASS", which defeats replay/expiry protection for consumers that key off status.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Compare validity timestamps as parsed dates, not strings

The validity checks use direct string comparison (cert.expires_at < request.now / cert.issued_at > request.now). RFC3339 date-time strings are not guaranteed to be lexicographically ordered across all valid representations (for example, timezone offsets), so this can misclassify expired or not-yet-valid certs. Parse both values to numeric instants before comparing to avoid false PASS/FAIL outcomes.

Useful? React with 👍 / 👎.