docs: pin DPI safeguards mapping to framework version 2.0 and add O2 row (#187)
The framework site now publishes version 2.0; the page cited principle IDs against an unversioned link, so the mapping could drift silently. Pin the version in the claim scope (matching the standards register entry) and link the canonical framework page instead of /assessments. Add an Evolve with evidence (O2) row to the principle alignment table, pointing at the ITB/SEMIC evidence, security self-assessment, and OpenSSF release-trust pages, which already exist as reviewable evidence but were not surfaced in this mapping.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>

…s page

The page expanded DCAT, CPSV-AP, SHACL, and OIDC on first use but left PDP, SD-JWT VC, and OID4VCI bare, and dropped holder binding and did:jwk unexplained; the stated reader is a DPI reviewer, not a credentials engineer. Expand each on first use, gloss holder binding inline, and replace the untraceable 'bundle digests' phrase with the package and configuration-bundle digests the code actually publishes. Link the pdp.* denial codes to the errors reference and the disclosure modes to their explanation page so table claims are checkable in one click.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Second commit adds the prose-quality pass discussed in review: first-use expansions for Policy Decision Point (PDP), Selective Disclosure JWT Verifiable Credentials (SD-JWT VC), and OpenID for Verifiable Credential Issuance (OID4VCI); an inline gloss for holder binding via did:jwk; 'bundle digests' replaced with the traceable 'package and configuration-bundle digests'; and the pdp.* denial codes and disclosure modes now link to their reference/explanation pages. Gates re-run clean (frontmatter, markdownlint, Vale 0 errors, build 198 pages, banned-pattern grep empty, all new link targets present in dist).
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5dc1846551
Tier-C maintainer sign-off: reviewed the trust and security claims against the RS-* specs and the code evidence listed in the PR body. Approved for merge.

Review findings on #187: holder_binding.mode defaults to none per credential profile, so state that binding applies when the profile enables it rather than implying every credential is bound. Remove the 'CI-gated tests and conformance fixtures' clause from the O2 row; it had no evidence link, and the three linked evidence pages carry the claim.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
What

Two edits to explanation/dpi-safeguards-alignment.mdx, from a full review of the page against the MOSIP DPI Safeguards Report 2025 and the Mifos DPI safeguards blog as models:

- Pin the claim scope to framework version 2.0 and link the canonical framework page (…/framework) instead of /assessments. The standards register already records Universal DPI Safeguards Framework version 2.0; the page body previously cited principle IDs (F1-F9, O1-O9) with no version, so a framework revision could silently invalidate the mapping. Verified against dpi-safeguards.org (2026-07-02): 18 principles, 13 risks, five life-cycle stages, and the F/O principle names on the page all match version 2.0.
- Add an Evolve with evidence (O2) row to the principle alignment table, pointing at the ITB/SEMIC evidence, security self-assessment, and OpenSSF release-trust pages.

Also bumps last_reviewed to 2026-07-02 to reflect the review below.

Review notes (security-sensitive / Tier-C)
This page carries trust and security claims, so per docs review policy it needs maintainer source-pack sign-off against the RS-* specs. Evidence gathered during the review, all claims re-verified against source at c595e84:
- pdp.* stable denial codes and purpose/context fail-closed gates: crates/registry-platform-pdp/src/lib.rs, wired in crates/registry-relay/src/api/governed.rs
- value/predicate/redacted disclosure modes: crates/registry-notary-core/src/model.rs
- did:jwk holder binding: crates/registry-notary-core/src/sd_jwt.rs, crates/registry-notary-server/src/api.rs
- FederationConfig in crates/registry-notary-core/src/config.rs; /federation/v1/evaluations: crates/registry-notary-server/tests/target_matching_contract_test.rs
- crates/registry-relay/src/api/admin.rs, main.rs
- registry-manifest-core
- standards_referenced matches src/data/standards.yaml; universal-dpi-safeguards stays compares_against and the page language stays within that claim level

Verification

- npm run generate clean; npm run check:content, check:markdown 0 errors; check:style Vale summary 0 errors
- npm test passes; npm run build completes (198 pages)