Skip to content

ADR-0008: Unsigned Release Exception (Pre-Publication Engagement)

Status

Accepted

Context

The end-of-phase commit gate at CLAUDE.md §6 CM-13C declares GPG-signed commits a hard requirement at the highest seriousness tier (publication / release). The active engagement (the production-hardening campaign that authors the canonical surfaces, the validators, the migration tooling, and the publication scaffolding) has not yet declared release-tier seriousness — every prior phase has run at the pre-publication tier, where the validators are still being authored and the publication chain (Phase 09A onward) has not been entered. Probing git config --get user.signingkey in the working tree at Phase 06A entry returned empty, and the operator's prior ratification at Phase 05A close-out (recorded in PROGRESS.md) was Unsigned commit. Three options were available at Phase 06A.2: configure the signing key now, defer publication until configured, or proceed unsigned with this documented exception.

The constraints shaping the option space:

  • The publication chain (Phase 09A onward) is the natural surface where signing-key configuration becomes load-bearing — every release tag will need to be signed.
  • Halting the engagement on a publication-time prerequisite would block six more phases (06B through 10C) on a single decision that belongs at the publication boundary instead.
  • The operator's prior Unsigned commit ratification at Phase 05A close-out establishes the engagement's pre-publication signing posture.
  • A reversible exception (configure key + re-sign at publication) preserves both momentum and final-release integrity.

Decision

The active production-hardening engagement proceeds with unsigned commits through Phase 08D. The signing-key configuration becomes a Phase 09A pre-publication ratification — the operator configures the GPG key (or amends this ADR to defer further) at the entry to the publication chain, and every commit from Phase 09A onward is signed. Tags emitted at Phase 09B are signed per CM-13C release-tier discipline.

This decision is reversible: the engagement may switch to signed commits at any prior phase boundary by configuring the key and amending the active commit cadence; this ADR's Status line is updated to Superseded by ADR-MMMM if a later phase ratifies a different posture.

Consequences

Easier:

  • Phase 06B through 08D proceed without operator intervention on signing-key material; the dispatch chain runs continuously per the CM-16 SHARED+ continuous-execution discipline.
  • The publication chain entry at Phase 09A becomes the single canonical surface where signing-key material is gathered, ratified, and verified — no scattered partial decisions across the engagement.

Harder:

  • Audit trails for the pre-publication commits cannot be cryptographically verified by downstream consumers; commits between Phase 06A and Phase 09A are authenticated by the operator's git identity (name + email) only.
  • Re-signing already-pushed commits requires a force-push, which is forbidden against protected branches per CM-13 safety protocol; the engagement therefore keeps the local working tree the sole ground truth for unsigned commits until publication.

New obligations:

  • Phase 09A's pre-publication AskUserQuestion batch MUST include a signing-key ratification gate; if the operator declines to configure at that point, this ADR is superseded by a successor ADR documenting the publication-time exception (or the publication is deferred per the original Phase 06A.2 second option).
  • The Phase 06A ratification record at .audit/phase-06a-ratifications.yml cross-references this ADR's path so the audit chain is traceable.

Alternatives Considered

  • Configure the signing key now (Phase 06A.2 option 2). Rejected because the engagement has not declared release-tier seriousness; configuring at this phase would require operator-supplied key material out-of-band before any value is delivered (the signing key applies to commits going forward, not retroactively to the 90+ prior unsigned commits in the engagement).
  • Defer publication until configured (Phase 06A.2 option 3). Rejected because halting six more phases (06B through 10C) on a single publication-time decision is premature; the deferred path to Phase 09A preserves momentum without sacrificing final-release integrity.