[GENERAL-TRACE] ## LAW 4: ANTI-AUTHORITARIAN ### Law 4.1: Collaborative Framing **Status:** UND... #69
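name: Sovereign Trace Audit Verify

# Runs on every label applied to an issue; each job below selects the one
# label it owns, so one event never starts both jobs.
on:
  issues:
    types: [labeled]

# No workflow-level token permissions: every job declares exactly what it needs.
permissions: {}

jobs:
  # ═══════════════════════════════════════════════════════════════════
  # JOB 1 — STRIPE PAYMENT VERIFICATION
  # Fires when audit-request label is applied (set by issue template).
  # Single trigger — no double-fire, no race condition.
  #
  # Trust boundary: the issue body is written by whoever filed the issue.
  # It reaches scripts only through `env:` (never interpolated into shell or
  # JavaScript source), and the only value extracted from it that is sent to
  # Stripe is a regex-constrained payment id.
  # ═══════════════════════════════════════════════════════════════════
  verify-payment:
    if: github.event.label.name == 'audit-request'
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - name: Extract and verify Stripe payment
        id: stripe
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
          STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
        run: |
          python3 - <<'PYEOF'
          import os, re, json, urllib.request, urllib.error, base64

          body = os.environ['ISSUE_BODY']
          stripe_key = os.environ['STRIPE_SECRET_KEY']

          # Drop the template footer (the '---' / protocol banner and anything
          # after it) so boilerplate text never satisfies the id, tier or
          # email patterns below.
          clean_body = re.split(r'---\s*\n.*Sovereign Trace Protocol', body, flags=re.DOTALL)[0]

          def normalize(s):
              """Fold em/en dashes to '-' so tier lines written with either dash match."""
              return s.replace('\u2014', '-').replace('\u2013', '-')

          def output_safe(value):
              """Flatten a value to one line before writing it to GITHUB_OUTPUT.

              A newline inside a value would start a new `key=value` output, so
              every value written below goes through this first.
              """
              return str(value).replace('\r', ' ').replace('\n', ' ')

          # The id is constrained to [A-Za-z0-9] by the pattern, which is what
          # makes it safe to place in the Stripe URL path and in step outputs.
          id_match = re.search(r'(pi_[A-Za-z0-9]{20,}|ch_[A-Za-z0-9]{20,})', clean_body)
          payment_id = id_match.group(0) if id_match else ""
          id_type = "payment_intents" if payment_id.startswith("pi_") else "charges"

          # Prices in USD cents. Tiers are tested in dict order and the first
          # whole-word hit wins, so a tier name that also occurs as an
          # ordinary word elsewhere in the template would shadow later tiers.
          # NOTE(review): confirm the issue template does not use these words
          # outside the tier field.
          tier_prices = {
              'Snapshot': 250000,
              'Standard': 500000,
              'Extended': 750000,
              'Full': 1250000,
              'Enterprise': 2500000,
          }
          EXPECTED_CURRENCY = "usd"

          tier_name = "UNKNOWN"
          expected_amount = 0
          norm_body = normalize(clean_body)
          for name, amount in tier_prices.items():
              # Whole-word match so e.g. "Standardized" does not select "Standard".
              if re.search(rf'\b{re.escape(name)}\b', norm_body):
                  tier_name = name
                  expected_amount = amount
                  break

          # First email-like token in the (submitter-controlled) body. Because
          # the submitter writes it, agreement with the Stripe receipt email is
          # an advisory signal only, never proof of ownership.
          email_match = re.search(
              r'[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}',
              clean_body
          )
          submitter_email = email_match.group(0) if email_match else ""

          def verify_with_stripe(id_type, payment_id, expected_amount):
              """Fetch the payment object from Stripe and judge it.

              Returns (result, status, actual_amount, charge_email). Only a
              succeeded, non-refunded payment in EXPECTED_CURRENCY whose amount
              equals the tier price is confirmed; every other outcome is a
              failure with a result code naming the reason.
              """
              credentials = base64.b64encode(f"{stripe_key}:".encode()).decode()
              req = urllib.request.Request(
                  f"https://api.stripe.com/v1/{id_type}/{payment_id}",
                  headers={"Authorization": f"Basic {credentials}"}
              )
              try:
                  # Bounded wait: an unreachable API must fail the step, not hang it.
                  with urllib.request.urlopen(req, timeout=30) as resp:
                      data = json.loads(resp.read())
              except urllib.error.HTTPError as e:
                  return f"STRIPE_API_ERROR_{e.code}", "failed", 0, ""
              except urllib.error.URLError:
                  return "STRIPE_API_ERROR_NETWORK", "failed", 0, ""

              actual_amount = data.get("amount", 0)
              charge_email = data.get("receipt_email") or ""
              if id_type == "payment_intents":
                  succeeded = data.get("status", "") == "succeeded"
              else:
                  # A refunded charge still reports paid=True; do not accept it.
                  succeeded = bool(data.get("paid", False)) and not data.get("refunded", False)

              if not succeeded:
                  return "PAYMENT_NOT_SUCCEEDED", "failed", actual_amount, charge_email
              # Amounts are in the smallest unit of *their* currency, so the
              # amount check is meaningless unless the currency is pinned too.
              if (data.get("currency") or "").lower() != EXPECTED_CURRENCY:
                  return "CURRENCY_MISMATCH", "failed", actual_amount, charge_email
              if actual_amount != expected_amount:
                  return "AMOUNT_MISMATCH", "failed", actual_amount, charge_email
              return "PAYMENT_CONFIRMED", "confirmed", actual_amount, charge_email

          if not payment_id:
              result, status, actual_amount, charge_email = "NO_PAYMENT_ID", "failed", 0, ""
          elif tier_name == "UNKNOWN":
              result, status, actual_amount, charge_email = "TIER_NOT_DETECTED", "failed", 0, ""
          else:
              # NOTE(review): nothing here stops one payment id from being
              # submitted on several issues; recording confirmed ids and
              # rejecting repeats would close that gap.
              result, status, actual_amount, charge_email = verify_with_stripe(
                  id_type, payment_id, expected_amount
              )

          email_match_flag = (
              submitter_email.lower() == charge_email.lower()
              if submitter_email and charge_email else False
          )

          outputs = {
              "result": result,
              "status": status,
              "payment_id": payment_id,
              "tier_name": tier_name,
              "actual_amount": actual_amount,
              "expected_amount": expected_amount,
              "charge_email": charge_email,
              "email_match": 'true' if email_match_flag else 'false',
          }
          with open(os.environ['GITHUB_OUTPUT'], 'a') as gh_out:
              for key, value in outputs.items():
                  gh_out.write(f"{key}={output_safe(value)}\n")
          # The receipt email is intentionally absent from the job log.
          print(f"Result: {result} | Tier: {tier_name} | Amount: {actual_amount} / {expected_amount}")
          PYEOF

      - name: Post payment confirmed comment
        if: steps.stripe.outputs.status == 'confirmed'
        uses: actions/github-script@v7
        env:
          PAYMENT_ID: ${{ steps.stripe.outputs.payment_id }}
          TIER_NAME: ${{ steps.stripe.outputs.tier_name }}
          ACTUAL_AMOUNT: ${{ steps.stripe.outputs.actual_amount }}
          EMAIL_MATCH: ${{ steps.stripe.outputs.email_match }}
        with:
          script: |
            // Step outputs arrive via process.env instead of being interpolated
            // into this source, so a quote or backtick in a value is just data.
            const { PAYMENT_ID: payment_id, TIER_NAME: tier_name, EMAIL_MATCH: email_match } = process.env;
            const actual_amount = Number.parseInt(process.env.ACTUAL_AMOUNT, 10);
            const formatted = (actual_amount / 100).toLocaleString('en-US', {
              style: 'currency', currency: 'USD'
            });
            // This comment is public. The payer's Stripe receipt email is
            // deliberately not echoed: anyone holding a payment id could
            // otherwise use this bot to learn who paid.
            const email_note = email_match === 'true'
              ? '✅ Submitter email matches Stripe charge email.'
              : '⚠ Email advisory: the Stripe charge email does not match the issue submitter email. Manual check recommended.';
            const body = [
              `## ✅ PAYMENT CONFIRMED — ${tier_name} Audit Request`,
              '',
              '```',
              `Payment ID: ${payment_id}`,
              `Amount: ${formatted}`,
              `Tier: ${tier_name}`,
              `Status: PAYMENT_CONFIRMED`,
              '```',
              '',
              email_note,
              '',
              '**What happens next:**',
              'Your request is queued. The Architect will review your submission and',
              'deliver your report on the following weekend per the standard schedule.',
              '',
              '---',
              '*Sovereign Trace Protocol · FROZEN-2.0 · Sheldon K. Salmon*'
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });

      - name: Label payment confirmed
        if: steps.stripe.outputs.status == 'confirmed'
        uses: actions/github-script@v7
        with:
          script: |
            // The pending label may already be gone; only a 404 is tolerated.
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              name: 'pending-payment-verification'
            }).catch((err) => {
              if (err.status !== 404) throw err;
            });
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['payment-confirmed']
            });

      - name: Post payment failed comment
        if: steps.stripe.outputs.status == 'failed'
        uses: actions/github-script@v7
        env:
          RESULT: ${{ steps.stripe.outputs.result }}
          PAYMENT_ID: ${{ steps.stripe.outputs.payment_id }}
          TIER_NAME: ${{ steps.stripe.outputs.tier_name }}
          ACTUAL_AMOUNT: ${{ steps.stripe.outputs.actual_amount }}
          EXPECTED_AMOUNT: ${{ steps.stripe.outputs.expected_amount }}
        with:
          script: |
            // Outputs are read from process.env, never interpolated into source.
            const { RESULT: result, PAYMENT_ID: payment_id, TIER_NAME: tier_name } = process.env;
            const actual_amount = Number.parseInt(process.env.ACTUAL_AMOUNT, 10);
            const expected = Number.parseInt(process.env.EXPECTED_AMOUNT, 10);
            const money = (cents) => `$${(cents / 100).toFixed(2)}`;
            const reasons = {
              NO_PAYMENT_ID: 'No Stripe payment ID found. Include your `pi_` or `ch_` ID in the transaction code field.',
              TIER_NOT_DETECTED: 'Tier could not be read from your submission. Ensure the dropdown was selected before submitting.',
              PAYMENT_NOT_SUCCEEDED: 'Payment found but not completed. Ensure payment succeeded in Stripe before filing.',
              CURRENCY_MISMATCH: 'Payment was not made in USD. Audit tiers are priced in USD only.',
              AMOUNT_MISMATCH: `Amount mismatch. Expected ${money(expected)} for ${tier_name}. Found ${money(actual_amount)}.`,
            };
            // Own-property lookup so an unexpected code never resolves to a prototype member.
            const reason = Object.hasOwn(reasons, result)
              ? reasons[result]
              : `Stripe error: ${result}. Contact aionsystem2026@gmail.com.`;
            const body = [
              '## ⚠ PAYMENT VERIFICATION FAILED',
              '',
              '```',
              `Payment ID: ${payment_id || 'NOT PROVIDED'}`,
              `Result: ${result}`,
              `Tier: ${tier_name}`,
              '```',
              '',
              `**Reason:** ${reason}`,
              '',
              'This submission is closed. File a new `10-audit-request.yml` to retry.',
              '',
              '---',
              '*Sovereign Trace Protocol · FROZEN-2.0 · Sheldon K. Salmon*'
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });

      - name: Label and close payment failed
        if: steps.stripe.outputs.status == 'failed'
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['payment-failed']
            });
            await github.rest.issues.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              state: 'closed'
            });

  # ═══════════════════════════════════════════════════════════════════
  # JOB 2 — AUDITOR BADGE VERIFICATION
  # Fires only on pending-verification label. Unchanged logic.
  #
  # This job pushes to the repository, so runs are serialised (see
  # `concurrency`) to keep two ledger commits from racing each other.
  # ═══════════════════════════════════════════════════════════════════
  verify-auditor:
    if: github.event.label.name == 'pending-verification'
    runs-on: ubuntu-latest
    permissions:
      issues: write
      contents: write
    concurrency:
      group: audit-ledger
      cancel-in-progress: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Extract issue data and verify badge
        id: verify
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          ISSUE_USER: ${{ github.event.issue.user.login }}
        run: |
          python3 - <<'PYEOF'
          import os, json, re

          body = os.environ['ISSUE_BODY']
          number = os.environ['ISSUE_NUMBER']
          user = os.environ['ISSUE_USER']

          def output_safe(value):
              """Flatten a value to one line so it cannot inject extra GITHUB_OUTPUT entries."""
              return str(value).replace('\r', ' ').replace('\n', ' ')

          # The badge pattern is fixed-shape, so the extracted value is safe to
          # echo in later outputs and comments.
          badge_match = re.search(r'STP-AUDITOR-\d{4}', body)
          badge = badge_match.group(0) if badge_match else ""

          # Registry lives in the checked-out repository; a missing file means
          # nobody is verified rather than an error.
          try:
              with open('.github/verified-auditors.json') as f:
                  registry = json.load(f)
          except FileNotFoundError:
              registry = {}

          auditor = registry.get(badge) if badge else None
          if isinstance(auditor, dict):
              verified = True
              auditor_name = auditor.get('name', 'Unknown')
              auditor_linkedin = auditor.get('linkedin', '')
          else:
              verified = False
              auditor_name = "UNVERIFIED"
              auditor_linkedin = ""
              badge = badge if badge else "NONE_PROVIDED"

          outputs = {
              "verified": 'true' if verified else 'false',
              "badge": badge,
              "auditor_name": auditor_name,
              "auditor_linkedin": auditor_linkedin,
              "issue_number": number,
              "issue_user": user,
          }
          with open(os.environ['GITHUB_OUTPUT'], 'a') as gh_out:
              for key, value in outputs.items():
                  gh_out.write(f"{key}={output_safe(value)}\n")
          print(f"Badge: {badge} | Verified: {verified}")
          PYEOF

      - name: Run FROZEN-2.0 stamp
        id: stamp
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_BODY: ${{ github.event.issue.body }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          ISSUE_USER: ${{ github.event.issue.user.login }}
          ISSUE_URL: ${{ github.event.issue.html_url }}
          VERIFIED: ${{ steps.verify.outputs.verified }}
          BADGE: ${{ steps.verify.outputs.badge }}
          AUDITOR_NAME: ${{ steps.verify.outputs.auditor_name }}
        run: |
          python3 - <<'PYEOF'
          import os, json, datetime, sys

          # `stamp` and `to_dict` come from the repository's stamp/ directory.
          sys.path.insert(0, 'stamp')
          from sovereign_trace_stamp import stamp, to_dict

          title = os.environ['ISSUE_TITLE']
          body = os.environ['ISSUE_BODY']
          number = os.environ['ISSUE_NUMBER']
          user = os.environ['ISSUE_USER']
          url = os.environ['ISSUE_URL']
          verified = os.environ['VERIFIED'] == 'true'
          badge = os.environ['BADGE']
          auditor_name = os.environ['AUDITOR_NAME']

          def output_safe(value):
              """Flatten a value to one line so it cannot inject extra GITHUB_OUTPUT entries."""
              return str(value).replace('\r', ' ').replace('\n', ' ')

          status_tag = "CERTIFIED" if verified else "AUDITOR_UNVERIFIED"
          # Everything that identifies the submission is folded into the sealed
          # content, so the seal commits to the badge, status and full body.
          seal_content = (
              f"STP-AUDIT-COMPLETION | Issue #{number} | {user} | "
              f"Badge: {badge} | Status: {status_tag} | {title}\n\n{body}"
          )
          ts = stamp(seal_content)
          ts_dict = to_dict(ts)

          # Timezone-aware UTC; utcnow() is deprecated from Python 3.12.
          date_str = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d')
          # The id is built only from the date and the zero-padded issue
          # number, which is what makes it safe to use as a file name.
          ledger_id = f"STP-AUDIT-COMPLETION-{date_str}-{number.zfill(6)}"
          entry = {
              "ledger_id": ledger_id,
              "template_type": "audit-completion",
              "issue_number": int(number),
              "issue_url": url,
              "submitter": user,
              "title": title,
              "auditor": {
                  "badge": badge,
                  "name": auditor_name,
                  "verified": verified,
                  "status": status_tag
              },
              "seal": {
                  "sha256": ts_dict["seal"],
                  "gregorian": ts_dict["gregorian"],
                  "hebrew": ts_dict["hebrew"],
                  "dreamspell": ts_dict["dreamspell"],
                  "unix_utc": ts_dict["unix_utc"],
                  "frozen_version": "FROZEN-2.0"
              },
              "status": status_tag
          }

          os.makedirs('ledger', exist_ok=True)
          ledger_path = f"ledger/{ledger_id}.json"
          # NOTE(review): re-applying the label on the same day reuses this
          # path and overwrites the earlier seal; if entries are meant to be
          # immutable, refuse to write when the file already exists.
          with open(ledger_path, 'w') as f:
              json.dump(entry, f, indent=2)

          outputs = {
              "ledger_id": ledger_id,
              "sha256": ts_dict['seal'],
              "gregorian": ts_dict['gregorian'],
              "hebrew": ts_dict['hebrew'],
              "dreamspell": ts_dict['dreamspell'],
          }
          with open(os.environ['GITHUB_OUTPUT'], 'a') as gh_out:
              for key, value in outputs.items():
                  gh_out.write(f"{key}={output_safe(value)}\n")
          print(f"Sealed: {ledger_id} | {status_tag}")
          PYEOF

      - name: Commit ledger entry
        env:
          # Passed through the environment so the value is never spliced into
          # the shell command line.
          LEDGER_ID: ${{ steps.stamp.outputs.ledger_id }}
        run: |
          git config user.name "Sovereign Trace Protocol"
          git config user.email "aionsystem2026@gmail.com"
          git add ledger/
          git diff --cached --quiet && echo "Nothing to commit" && exit 0
          git commit -m "AUDIT-SEAL: ${LEDGER_ID}"
          git push

      - name: Post verified receipt
        if: steps.verify.outputs.verified == 'true'
        uses: actions/github-script@v7
        env:
          LEDGER_ID: ${{ steps.stamp.outputs.ledger_id }}
          SHA256: ${{ steps.stamp.outputs.sha256 }}
          GREGORIAN: ${{ steps.stamp.outputs.gregorian }}
          HEBREW: ${{ steps.stamp.outputs.hebrew }}
          DREAMSPELL: ${{ steps.stamp.outputs.dreamspell }}
          BADGE: ${{ steps.verify.outputs.badge }}
          AUDITOR_NAME: ${{ steps.verify.outputs.auditor_name }}
          AUDITOR_LINKEDIN: ${{ steps.verify.outputs.auditor_linkedin }}
        with:
          script: |
            // Outputs are read from process.env, never interpolated into source.
            const {
              LEDGER_ID: ledger_id,
              SHA256: sha256,
              GREGORIAN: gregorian,
              HEBREW: hebrew,
              DREAMSPELL: dreamspell,
              BADGE: badge,
              AUDITOR_NAME: auditor_name,
              AUDITOR_LINKEDIN: auditor_linkedin,
            } = process.env;
            const body = [
              '## ✅ SOVEREIGN TRACE AUDIT SEAL — CERTIFIED',
              '',
              '```',
              `Ledger ID: ${ledger_id}`,
              `SHA-256: ${sha256}`,
              `Status: CERTIFIED`,
              '```',
              '',
              '**Auditor:**',
              `🏅 Badge: ${badge}`,
              `👤 Name: ${auditor_name}`,
              `🔗 LinkedIn: ${auditor_linkedin}`,
              '',
              '**Triple-Time Stamp:**',
              `📅 Gregorian: ${gregorian}`,
              `🌑 Hebrew: ${hebrew}`,
              `🌀 Dreamspell: ${dreamspell}`,
              '',
              '**Status:** `CERTIFIED` — This audit record is permanently sealed.',
              '',
              '---',
              '*Sovereign Trace Protocol · FROZEN-2.0 · Sheldon K. Salmon*'
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });

      - name: Label verified
        if: steps.verify.outputs.verified == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            // The pending label may already be gone; only a 404 is tolerated.
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              name: 'pending-verification'
            }).catch((err) => {
              if (err.status !== 404) throw err;
            });
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['audit-complete']
            });

      - name: Post unverified warning
        if: steps.verify.outputs.verified == 'false'
        uses: actions/github-script@v7
        env:
          LEDGER_ID: ${{ steps.stamp.outputs.ledger_id }}
          SHA256: ${{ steps.stamp.outputs.sha256 }}
          BADGE: ${{ steps.verify.outputs.badge }}
        with:
          script: |
            // Outputs are read from process.env, never interpolated into source.
            const { LEDGER_ID: ledger_id, SHA256: sha256, BADGE: badge } = process.env;
            const body = [
              '## ⚠ UNVERIFIED AUDITOR SUBMISSION',
              '',
              '```',
              `Ledger ID: ${ledger_id}`,
              `SHA-256: ${sha256}`,
              `Status: AUDITOR_UNVERIFIED`,
              `Badge Filed: ${badge}`,
              '```',
              '',
              'This audit completion was submitted without a valid STP Auditor badge number.',
              'The badge provided was not found in the verified auditor registry.',
              '',
              'This record has been **permanently sealed** in the ledger with status `AUDITOR_UNVERIFIED`.',
              'It cannot be removed, altered, or hidden.',
              '',
              'If you are a certified STP Auditor and believe this is an error,',
              'contact aionsystem2026@gmail.com with your badge number and LinkedIn.',
              '',
              '---',
              '*Sovereign Trace Protocol · FROZEN-2.0 · Sheldon K. Salmon*'
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });

      - name: Label unverified
        if: steps.verify.outputs.verified == 'false'
        uses: actions/github-script@v7
        with:
          script: |
            // The pending label may already be gone; only a 404 is tolerated.
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              name: 'pending-verification'
            }).catch((err) => {
              if (err.status !== 404) throw err;
            });
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['unverified-auditor-attempt']
            });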