Context
Launch-readiness item. The verify page is the trust centerpiece of the
public push, and its pieces have landed without one end-to-end validation
against real, freshly produced artifacts on the live domain: #37's
implementation merged via PR #43 (issue never closed), #34's CNAME
(coderepute.dev) is in the repo but registrar/redirect state is
unconfirmed, and #37 shipped while the verify URL was still the interim
grkanitz.github.io (the account has since been renamed to gkanitz, so
any stale constant is now doubly wrong).
Goal
Prove the full trust loop — CI run → attested artifacts → live verify page
→ honest pass/fail — and fix what falls out. Closing this issue (and #37,
#34 with it) is the launch gate for the verification story.
Checklist — agent-executable
- grkanitz and github.io remnants; the verifyURL constant in the report package must be https://coderepute.dev/verify/. Fix and test if stale.
- docs/verify/ unit tests green (npm test); Rekor fallback fixtures still pass.
- (workflow_dispatch) producing report.html + report.pdf + attestations.
- gh attestation verify passes for both artifacts, including the --signer-workflow canonical-identity check.
Checklist — owner (HITL, live surfaces)
- https://coderepute.dev/verify/ serves over HTTPS (Pages custom domain + Enforce HTTPS on).
- coderepute.com redirect: confirm registered/configured, or explicitly descope it in #34 (decide, don't leave ambiguous).
- report.html → verifies (attestation found, canonical workflow identity shown).
- report.pdf → verifies (XMP or URL-param path).
- ?repo=&subject= pre-filled.
- report.html fails with an honest message; a .json upload is cleanly rejected (#37's clean break); a report from a non-canonical fork shows the honest degradation path.
Acceptance criteria
Success: every box above checked; #37 and #34 closed with a comment
pointing here; any failure found is filed as a bug-labeled issue in this
milestone before this issue closes.
Failure — red flags: launch declared with unchecked live-surface boxes;
a negative test passing verification; stale grkanitz/github.io URLs
surviving anywhere in binary output, docs, or QR payloads.
Parallel-work contract
- docs/verify/ (fixes only), report-package URL constant, workflow dispatch runs.
- checks need #34's registrar state settled by the owner.
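One way to run the stale-URL check over binary output as well as text, as an added example (not code from this repository): a plain byte search misses a URL inside a Flate-compressed PDF stream, so the scanner also inflates each stream before matching. The function names and the sample PDF bytes are constructed for illustration; QR payloads inside images are not decoded here.

```python
import re
import zlib
from pathlib import Path

# Stale markers named in the issue. Matching is case-insensitive because
# host names are.
STALE = (b"grkanitz", b"github.io")
# PDF stream objects: the payload sits between "stream" and "endstream".
PDF_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def views(data: bytes):
    """Yield (label, bytes): the raw file, then each inflatable PDF stream."""
    yield "raw", data
    if not data.startswith(b"%PDF-"):
        return
    for i, m in enumerate(PDF_STREAM.finditer(data)):
        try:
            # decompressobj tolerates a trailing byte trimmed by the regex
            yield f"pdf-stream-{i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw view already covers it

def scan_bytes(data: bytes):
    """Return sorted (view, marker) pairs for every stale marker found."""
    hits = set()
    for label, blob in views(data):
        lowered = blob.lower()
        hits.update((label, m.decode()) for m in STALE if m in lowered)
    return sorted(hits)

def scan_tree(root):
    """Map relative path -> hits for every file under root (skipping .git)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and ".git" not in path.parts:
            hits = scan_bytes(path.read_bytes())
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def sample_pdf(url: bytes) -> bytes:
    """Constructed, minimal PDF-like bytes carrying `url` in a Flate stream."""
    body = zlib.compress((b"BT (" + url + b") Tj ET\n") * 3)
    return (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")
```

An empty result from `scan_tree` on the repository checkout plus the freshly produced report.html and report.pdf is the pass condition; any entry names the file and whether the hit was in raw bytes or an inflated stream.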