feat: add AVOW tests, expand EXPLAINME, add CRG self-assessment

- Add ProvenResult_test.res with 8 tests covering fromJs/toJs
  conversion and round-trip integrity for the AVOW protocol
- Wire test task into avow-protocol/deno.json
- Expand EXPLAINME.adoc with architecture decisions, full evidence
  table covering all protocols/specs, usage guide, test coverage
  summary, and roadmap phases
- Add CRG-SELF-ASSESSMENT.adoc documenting current Grade C status,
  gap analysis for Grade B, and recommended actions for Grade A

https://claude.ai/code/session_01DR54srjfuMGcdAmo5LZFPT

Author: claude

CRG-SELF-ASSESSMENT.adoc

@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+
+= CRG Self-Assessment — standards
+:toc:
+:sectnums:
+
+== Current Grade: C
+
+Assessed: 2026-04-09
+
+== Category Checklist
+
+[cols="1,1,3", options="header"]
+|===
+| Category | Status | Evidence
+
+| Unit tests
+| Present
+| a2ml/bindings/rust (47), k9-svc/bindings/rust (45), mcp-repo-guardian (36), axel-protocol (14), groove-protocol (10), avow-protocol/src (8)
+
+| Smoke tests
+| Present
+| `just build` compiles all sub-projects; `just test` runs full suite
+
+| Property-based (P2P)
+| Present
+| proptest in a2ml + k9-svc Rust crates (parse/render roundtrip)
+
+| End-to-end reflexive
+| Present
+| Real manifest parsing + roundtrip stability in mcp-repo-guardian + a2ml
+
+| Contract (pre/post)
+| Present
+| a2ml + k9-svc pre/post-condition validation; avow-lib Idris2 dependent-type proofs
+
+| Aspect (security)
+| Present
+| TruffleHog secret scanning, Trivy vulnerability scanning, CodeQL, OpenSSF Scorecard
+
+| Benchmarks (baselined)
+| Present
+| criterion for a2ml + k9-svc; zig bench for groove-protocol grv6
+|===
+
+All 7 CRG categories are present. Grade C requirements satisfied.
+
+== Gap Analysis: C -> B
+
+Grade B requires all categories to be **robust** (not just present), with consistent pass rates and integration into CI.
+
+[cols="1,1,3", options="header"]
+|===
+| Requirement | Status | Gap
+
+| All tests run in CI
+| Partial
+| groove-protocol Zig tests and avow-lib Idris2 tests are not run in CI (toolchains missing from runners)
+
+| Avow protocol tests
+| New
+| ReScript unit tests for ProvenResult added (8 tests). Idris2 tests exist but are compile-time only. Need CI integration.
+
+| Test count > 200
+| Gap
+| Currently 160+. Need ~40 more tests across existing suites.
+
+| No `continue-on-error` on quality gates
+| Partial
+| Several CI steps still use `continue-on-error: true` (YAML lint, markdown lint, secrets scan). These should be enforced.
+
+| Benchmark regressions block CI
+| Gap
+| Benchmarks exist but are not gated — regressions do not fail the build.
+
+| Fuse3 blocker resolved
+| Gap
+| repo-guardian-fs cannot compile on Rust stable >= 1.80 due to fuse3 v0.7.3 incompatibility. Offline tests exist as workaround.
+
+| Self-referential dogfooding
+| Partial
+| hypatia-scan.yml workflow exists but is not regularly triggered. CRG self-assessment now exists (this file).
+|===
+
+== Recommended Actions for Grade B
+
+1. Add Zig and Idris2 to CI runners (or use Nix/Guix shells in workflows)
+2. Add AVOW protocol `deno task test` to Justfile test suite
+3. Write 40+ additional tests: expand axel-protocol coverage, add groove-protocol edge cases, add consent lifecycle tests for avow-lib
+4. Remove `continue-on-error` from YAML lint, markdown lint, and secrets scan CI steps
+5. Gate benchmark regressions in CI (fail on > 5% regression)
+6. Resolve fuse3 dependency (upgrade to v0.9.0 or replace with fuser crate)
+7. Schedule hypatia-scan to run weekly and enforce its output
+
+== Recommended Actions for Grade A
+
+Grade A requires **comprehensive** coverage, formal verification, and external audit readiness.
+
+1. All lol/ postulates proven (currently 4 of 9 are provable but unproven)
+2. ECHIDNA proof verification running in CI
+3. VeriSimDB populated and queryable
+4. PanLL compliance dashboard operational
+5. External security audit completed
+6. All downstream repos at CRG Grade C or above

EXPLAINME.adoc

@@ -15,30 +15,106 @@ See link:README.adoc[] for the full directory map and specification list.
 
 **Caveat:** Standards are prescriptive -- not every downstream repo is fully compliant yet. Enforcement is via CI workflows and Hypatia scanning, not manual audit.
 
+=== Architecture Decisions
+
+[cols="1,3", options="header"]
+|===
+| Decision | Rationale
+
+| AsciiDoc-first documentation
+| AsciiDoc supports semantic structure, cross-references, and conditional output better than Markdown. `.md` is only used for GitHub-required files (SECURITY.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md).
+
+| Justfile over Makefiles
+| `just` provides cross-platform recipes without implicit rules or tab sensitivity. Makefiles are banned org-wide.
+
+| Language policy (CCCP)
+| Limits ecosystem fragmentation. Primary: ReScript, Rust, Gleam, Deno. Banned: TypeScript, Go, Python, Java/Kotlin/Swift. Exceptions documented per-repo.
+
+| A2ML over YAML/JSON for metadata
+| Machine-readable, versionable, and carries semantic meaning. Each repo declares its state via `.machine_readable/STATE.a2ml`.
+
+| SHA-pinned GitHub Actions
+| Prevents supply-chain attacks from mutable tags. All workflows pin actions by commit SHA.
+
+| Guix-first package management
+| Reproducible builds. Nix flakes as fallback. No npm/node_modules in production.
+|===
+
 === Evidence
 
 [cols="2,3", options="header"]
 |===
 | Path | Proves
 
 | `a2ml/`
-| A2ML format specification -- the machine-readable metadata format used across all repos
+| A2ML format specification -- the machine-readable metadata format used across all repos (47 Rust tests)
 
-| `meta-a2ml/`
-| META.a2ml, STATE.a2ml, ECOSYSTEM.a2ml specs and IANA registration drafts
+| `meta-a2ml/`, `state-a2ml/`, `ecosystem-a2ml/`
+| META, STATE, ECOSYSTEM A2ML specs and IANA registration drafts
 
 | `agentic-a2ml/`
-| AGENTIC.a2ml spec -- AI agent interaction patterns
+| AGENTIC.a2ml spec -- AI agent interaction patterns with contractile enforcement
+
+| `neurosym-a2ml/`
+| NEUROSYM.a2ml spec -- neurosymbolic integration configuration with Nickel schemas
+
+| `playbook-a2ml/`, `anchor-a2ml/`
+| PLAYBOOK and ANCHOR A2ML specs -- operational runbooks and intervention protocols
 
 | `contractiles/`
 | Contractile system (must/trust/dust/intend/k9) -- policy enforcement primitives
 
+| `k9-svc/`
+| K9 self-validating component framework (45 Rust tests, CRG Grade B, deployed on 105+ repos)
+
+| `k9-coordination-protocol/`
+| AI agent coordination protocol (79 tests, Phase 1 complete)
+
 | `axel-protocol/`
-| Axel protocol specification -- cross-forge automation standard
+| Axel protocol specification -- age-gating and explicit enforcement (14 Deno tests, beta)
 
 | `groove-protocol/`
-| Groove universal plug-and-play protocol -- inter-service communication
+| Groove universal plug-and-play protocol -- inter-service communication (10+ Zig tests, 80% complete)
+
+| `avow-protocol/`
+| AVOW consent-attested messaging -- origin attribution and willingness verification (Idris2 + ReScript)
+
+| `consent-aware-http/`
+| Multi-protocol AI usage boundaries -- consent headers for HTTP interactions
 
 | `hooks/`
 | Pre-commit and CI hooks -- the enforcement layer that makes standards stick
+
+| `.github/workflows/`
+| 23 CI/CD workflows -- policy enforcement, quality gates, security scanning, deployment
 |===
+
+=== How to Use This Repo
+
+1. **New project?** Copy `.machine_readable/` templates into your repo and fill in the A2ML files.
+2. **CI enforcement?** Reference the shared workflows or copy the relevant `.github/workflows/` files.
+3. **Language question?** Check the CCCP language policy in `CLAUDE.md` or the `language-policy.yml` workflow.
+4. **Building?** Run `just build` (requires Rust, Zig, and Deno). Run `just test` for the full 158+ test suite.
+5. **Self-check?** Run `just doctor` to verify your local toolchain, `just heal` to auto-fix common issues.
+
+=== Test Coverage
+
+[cols="2,1,1", options="header"]
+|===
+| Suite | Technology | Tests
+
+| groove-protocol/reference/ipv6t | Zig | 10+
+| 0-ai-gatekeeper-protocol/mcp-repo-guardian | Deno | 36
+| axel-protocol | Deno | 14
+| a2ml/bindings/rust | Rust | 47
+| k9-svc/bindings/rust | Rust | 45
+| avow-protocol (ReScript) | Deno | 8
+| **Total** | | **160+**
+|===
+
+=== Roadmap Phases
+
+* **Phase A (Innervation):** Wire k9 coordination across all repos, replace static 6a2 files with derived STATE.
+* **Phase B (Evidence):** Formal proof verification via ECHIDNA, VeriSimDB population, lol/ postulate resolution.
+* **Phase C (Visibility):** PanLL dashboard panels, ecosystem health metrics, compliance heatmaps.
+* **Phase D (Maturity):** CRG Grade A self-assessment, full dogfooding, external audit readiness.

avow-protocol/deno.json

@@ -1,5 +1,6 @@
 {
   "tasks": {
+    "test": "deno run -A npm:rescript && deno test --allow-read src/*_test.bs.js",
     "build": "deno run -A npm:rescript",
     "clean": "deno run -A npm:rescript clean",
     "watch": "deno run -A npm:rescript -w",

avow-protocol/src/ProvenResult_test.res

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell
+
+@module("@std/assert") external assertEquals: ('a, 'a) => unit = "assertEquals"
+@module("@std/assert") external assertNotEquals: ('a, 'a) => unit = "assertNotEquals"
+
+@val @scope("Deno") external test: (string, unit => unit) => unit = "test"
+
+// --- fromJs tests ---
+
+let () = test("fromJs: ok result with value converts to Ok", () => {
+  let jsResult: ProvenResult.jsResult<string> = {
+    ok: true,
+    value: Some("hello"),
+    error: None,
+  }
+  let result = ProvenResult.fromJs(jsResult)
+  assertEquals(result, Ok("hello"))
+})
+
+let () = test("fromJs: ok result missing value converts to Error", () => {
+  let jsResult: ProvenResult.jsResult<string> = {
+    ok: true,
+    value: None,
+    error: None,
+  }
+  let result = ProvenResult.fromJs(jsResult)
+  assertEquals(result, Error("Ok result missing value"))
+})
+
+let () = test("fromJs: error result with message converts to Error", () => {
+  let jsResult: ProvenResult.jsResult<string> = {
+    ok: false,
+    value: None,
+    error: Some("parse failed"),
+  }
+  let result = ProvenResult.fromJs(jsResult)
+  assertEquals(result, Error("parse failed"))
+})
+
+let () = test("fromJs: error result without message converts to Unknown error", () => {
+  let jsResult: ProvenResult.jsResult<string> = {
+    ok: false,
+    value: None,
+    error: None,
+  }
+  let result = ProvenResult.fromJs(jsResult)
+  assertEquals(result, Error("Unknown error"))
+})
+
+// --- toJs tests ---
+
+let () = test("toJs: Ok value converts to jsResult with ok=true", () => {
+  let jsResult = ProvenResult.toJs(Ok("world"))
+  assertEquals(jsResult.ok, true)
+  assertEquals(jsResult.value, Some("world"))
+  assertEquals(jsResult.error, None)
+})
+
+let () = test("toJs: Error value converts to jsResult with ok=false", () => {
+  let jsResult = ProvenResult.toJs(Error("bad input"))
+  assertEquals(jsResult.ok, false)
+  assertEquals(jsResult.value, None)
+  assertEquals(jsResult.error, Some("bad input"))
+})
+
+// --- round-trip tests ---
+
+let () = test("round-trip: Ok -> toJs -> fromJs preserves value", () => {
+  let original: result<int, string> = Ok(42)
+  let roundTripped = original->ProvenResult.toJs->ProvenResult.fromJs
+  assertEquals(roundTripped, original)
+})
+
+let () = test("round-trip: Error -> toJs -> fromJs preserves error", () => {
+  let original: result<int, string> = Error("not found")
+  let roundTripped = original->ProvenResult.toJs->ProvenResult.fromJs
+  assertEquals(roundTripped, original)
+})