CRG Self-Assessment — standards

1. Current Grade: C

Assessed: 2026-04-09

2. Category Checklist

| Category | Status | Evidence |
|---|---|---|
| Unit tests | Present | a2ml/bindings/rust (47), k9-svc/bindings/rust (45), mcp-repo-guardian (36), axel-protocol (14), groove-protocol (10), avow-protocol/src (8) |
| Smoke tests | Present | `just build` compiles all sub-projects; `just test` runs the full suite |
| Property-based (P2P) | Present | proptest in a2ml + k9-svc Rust crates (parse/render roundtrip) |
| End-to-end reflexive | Present | Real manifest parsing + roundtrip stability in mcp-repo-guardian + a2ml |
| Contract (pre/post) | Present | a2ml + k9-svc pre/post-condition validation; avow-lib Idris2 dependent-type proofs |
| Aspect (security) | Present | TruffleHog secret scanning, Trivy vulnerability scanning, CodeQL, OpenSSF Scorecard |
| Benchmarks (baselined) | Present | criterion for a2ml + k9-svc; zig bench for groove-protocol grv6 |

All 7 CRG categories are present. Grade C requirements satisfied.

3. Gap Analysis: C → B

Grade B requires all categories to be robust (not just present), with consistent pass rates and integration into CI.

| Requirement | Status | Gap |
|---|---|---|
| All tests run in CI | Partial | groove-protocol Zig tests and avow-lib Idris2 tests are not run in CI (toolchains missing from runners) |
| Avow protocol tests | New | ReScript unit tests for ProvenResult added (8 tests). Idris2 tests exist but are compile-time only. Need CI integration. |
| Test count > 200 | Gap | Currently 160+. Need ~40 more tests across existing suites. |
| No continue-on-error on quality gates | Partial | Several CI steps still use `continue-on-error: true` (YAML lint, markdown lint, secrets scan). These should be enforced. |
| Benchmark regressions block CI | Gap | Benchmarks exist but are not gated: regressions do not fail the build. |
| Fuse3 blocker resolved | Gap | repo-guardian-fs cannot compile on Rust stable >= 1.80 due to fuse3 v0.7.3 incompatibility. Offline tests exist as a workaround. |
| Self-referential dogfooding | Partial | `hypatia-scan.yml` workflow exists but is not regularly triggered. CRG self-assessment now exists (this file). |

  1. Add Zig and Idris2 to CI runners (or use Nix/Guix shells in workflows)

  2. Add the AVOW protocol `deno task test` to the Justfile test suite

  3. Write 40+ additional tests: expand axel-protocol coverage, add groove-protocol edge cases, add consent lifecycle tests for avow-lib

  4. Remove `continue-on-error` from the YAML lint, markdown lint, and secrets scan CI steps

  5. Gate benchmark regressions in CI (fail on > 5% regression)

  6. Resolve fuse3 dependency (upgrade to v0.9.0 or replace with fuser crate)

  7. Schedule hypatia-scan to run weekly and enforce its output

Grade A requires comprehensive coverage, formal verification, and external audit readiness.

  1. All `lol/` postulates proven (currently 4 of 9 are provable but unproven)

  2. ECHIDNA proof verification running in CI

  3. VeriSimDB populated and queryable

  4. PanLL compliance dashboard operational

  5. External security audit completed

  6. All downstream repos at CRG Grade C or above