feat: AI session provenance — link Claude Code session logs to traceability chain

[avrabe]

Context

Claude Code already logs complete session data: full conversation, every tool call, model ID (claude-opus-4-6), Claude Code version, timestamps, git branch, token usage, hooks. The files sit at ~/.claude/projects/*/.

rivet already traces requirement → artifact → test → evidence. sigil signs the output. The missing link: connecting the AI session that produced a commit to the traceability chain.

Proposal

1. Commit hook that writes session metadata into git commit trailers:

   • Session ID
   • SHA-256 of the session .jsonl at time of commit
   • Model ID
   • Claude Code version

2. rivet artifact type ai-session that references:

   • Commit SHA
   • Session hash
   • Model ID + version
   • Link to the requirement(s) the session addressed

3. rivet audit subcommand (or extension of rivet validate) that checks:

   • Every AI-authored commit (Co-Authored-By header) has a corresponding ai-session artifact
   • Session hashes are present and consistent

What this is NOT

• Not reproducibility — same prompt, different day, different output. Same as a human developer. We never logged which Stack Overflow answer or conversation led to an implementation either.
• Not model internals — exact weights, sampling parameters, server-side updates are opaque. ISO 26262 tool qualification does not require verifying a compiler's source code. It requires verifying the output independently. The proofs handle that.

What this IS

Auditability. An assessor can see: this requirement was addressed in this session, by this model, producing this commit, verified by these proofs, signed by sigil.

Relates to

• AI code provenance tracking: AIBOM integration and AI-generated artifact audit trail #104 (AIBOM integration)
• EU AI Act compliance schema (schemas/eu-ai-act.yaml) — high-risk AI system documentation #99 (EU AI Act compliance)

[avrabe]

Partially addressed in v0.4.1: rivet stamp carries created-by / model / timestamp on every AI-authored artifact (#168 hardened the fields semantics; #175 made provenance round-trip through ReqIF). The Claude Code session-log linking (commit trailer with Session-Hash: + session-log ai-session artifact type) remains unshipped. PR #125's mark/apply hooks are half the story here — the session-hash trailer needs a separate follow-up once #125 lands.

[avrabe]

Triage: this is a multi-component proposal (commit hook + new artifact type + new audit subcommand) without an ## Acceptance section. There is also overlap with the in-flight #125 (provenance lifecycle) and the broader #104. Recommend one of:

1. Decompose into per-component issues, each with explicit acceptance bullets (commit-hook pure-work, schema for ai-session, rivet audit subcommand). One PR per issue is then trivial.
2. Or add a single ## Acceptance section here with bullets like:

## Acceptance
- [ ] PostCommit (or `prepare-commit-msg`) hook writes trailers `Claude-Session-Id`, `Claude-Session-Sha256`, `Claude-Model`, `Claude-Code-Version` when the session log is reachable
- [ ] New artifact type `ai-session` declared in a schema (likely `schemas/provenance.yaml`) with required fields: commit-sha, session-hash, model-id, version
- [ ] `rivet audit` (or `rivet validate --check ai-sessions`) errors when an AI-authored commit (Co-Authored-By header present) lacks an `ai-session` artifact
- [ ] Tests cover: hook writes correct trailers; missing artifact triggers audit error; hash mismatch triggers audit error
- [ ] Commit trailer `Implements: REQ-XXX` (whichever requirement covers AI provenance)

Confirm scope/decomposition and I'll pick it up.

---

Generated by Claude Code