diff --git a/.attest.json b/.attest.json new file mode 100644 index 0000000..ba4a063 --- /dev/null +++ b/.attest.json @@ -0,0 +1,4 @@ +{ + "requireAttestation": true, + "requireTestsPassed": true +} diff --git a/.augur.toml b/.augur.toml new file mode 100644 index 0000000..031b459 --- /dev/null +++ b/.augur.toml @@ -0,0 +1,3 @@ +[thresholds] +review = 35 +block = 65 diff --git a/.claude/commands/specsync/create-change.md b/.claude/commands/specsync/create-change.md new file mode 100644 index 0000000..04707cc --- /dev/null +++ b/.claude/commands/specsync/create-change.md @@ -0,0 +1,10 @@ +--- +description: Create and guide a verified spec-sync SDD change through its deterministic interview +argument-hint: +--- + +1. Run `specsync change new "$ARGUMENTS" --json`. +2. Read the returned `questions` array and interview the user one question at a time. +3. Record each answer with `specsync change answer --json`. +4. Continue until the question list is empty, then show the selected artifacts and next action. +5. Do not approve, implement, verify, accept, or archive until the corresponding human gate or work stage is reached. diff --git a/.claude/commands/specsync/create-spec.md b/.claude/commands/specsync/create-spec.md new file mode 100644 index 0000000..16cc07f --- /dev/null +++ b/.claude/commands/specsync/create-spec.md @@ -0,0 +1,39 @@ +--- +description: Scaffold a new spec-sync module spec from a module name or a natural-language feature description (full scaffold by default, or minimal with --minimal) +argument-hint: [--minimal] +--- + +Create a new spec-sync module spec. + +Arguments: `$ARGUMENTS` + +1. Remove `--minimal` if present, remember that minimal mode was requested, + and preserve the complete remaining input without choosing a module name yet. +2. Classify the complete remaining input. It will be one of: + - **A bare module name** — a short identifier like `auth-service` or + `billing`. Use it as-is. + - **A free-text feature description** — a sentence or phrase describing + what to build, e.g. `"I want a feature that lets users export their + data as CSV"`. In this case, invent a short, kebab-case module name that + captures the idea (e.g. `csv-export`). If the right name is ambiguous, + ask the user to confirm or rename it before continuing. Keep the full + description at hand — you'll use it in step 5. +3. If minimal mode was requested, run: + ``` + specsync new + ``` + This creates a minimal spec only (no companion files). +4. Otherwise (default), run: + ``` + specsync scaffold + ``` + This creates the spec, companion files (`tasks.md`, `requirements.md`, + `context.md`, `testing.md`, and `design.md` if `companions.design` is + enabled), a registry entry, and auto-detects related source files. +5. Open the newly created `specs//.spec.md` and fill + in the `Purpose`, `Invariants`, and `Public API` sections. If a free-text + description was given in step 2, use it directly to draft these sections — + ask clarifying questions if it's underspecified, but do not leave the + sections as unfilled placeholder text. Do the same for `requirements.md` + (acceptance criteria) and `tasks.md` (initial task breakdown), if present. +6. Run `specsync check` to confirm the new spec passes validation. diff --git a/.claude/skills/spec-sync/SKILL.md b/.claude/skills/spec-sync/SKILL.md new file mode 100644 index 0000000..311a220 --- /dev/null +++ b/.claude/skills/spec-sync/SKILL.md @@ -0,0 +1,75 @@ +--- +name: spec-sync +description: Keep markdown module specs in specs// synchronized with source code using spec-sync. Use this whenever creating, editing, or reviewing code in a module that has (or should have) a spec, or whenever the user mentions specs, spec-sync, companion files (tasks.md/requirements.md/context.md/testing.md/design.md), or asks to add/update a module's documentation. +--- + +# Spec-Sync Workflow + +This project uses [spec-sync](https://github.com/CorvidLabs/spec-sync) for bidirectional spec-to-code validation. Specs live in `specs//.spec.md`. + +## Verified SDD change lifecycle (5.0) + +For every meaningful source, test, public documentation, schema, or configuration change: + +1. Run `specsync change new "" --json` and conduct the returned interview with the user. +2. Use `specsync change answer --json` until no questions remain. +3. Complete the adaptively selected artifacts and semantic deltas. Requirements use stable + `REQ--` IDs, a normative SHALL statement, and acceptance criteria. +4. Ask the user for the definition approval, then run `specsync change approve `. +5. Run `specsync change start ` before editing implementation code. +6. Keep tasks and artifacts current, then run `specsync change verify `. +7. Present verification evidence and ask for closing approval. Only after explicit approval, + run `specsync change accept `; archive separately with `specsync change archive `. + +Never invent or self-grant either human approval. If an approved definition changes, its digest +becomes stale and must be approved again. `specsync check` validates canonical specs plus approved +active deltas, requirement-to-test evidence, change coverage, and CI gates. + +## Companion files + +Each canonical spec may have policy-selected companion files. Read and update the ones present; do not create empty companions only for ceremony: + +- **`tasks.md`** — Work items for this module. Check off tasks (`- [x]`) as you complete them. Add new tasks if you discover work needed. +- **`requirements.md`** — Acceptance criteria and user stories. These are permanent invariants, not tasks — do not check them off. Update if requirements change. +- **`context.md`** — Architectural decisions, key files, and current status. Update when you make design decisions or change what's in progress. +- **`testing.md`** — Test strategy: automated test locations, manual QA checklists, and edge cases/boundary conditions. +- **`design.md`** *(opt-in)* — Layout, component hierarchy, design tokens, and asset references. Present when `companions.design` is enabled in config. + +## Before modifying any module + +1. Read the relevant spec in `specs//.spec.md` +2. Read whichever companion files are present (`requirements.md`, `tasks.md`, `context.md`, `testing.md`, `design.md`, or project-defined files) +3. After changes, run `specsync check` to verify specs still pass + +## After completing work + +1. Mark completed items in `tasks.md` — check off finished tasks, add new ones discovered +2. Update `context.md` — record decisions made, update current status +3. If requirements changed, update `requirements.md` acceptance criteria +4. If test coverage changed, update `testing.md` with new test files or edge cases +5. If UI/layout changed, update `design.md` with revised layout, components, or tokens + +## Before creating a PR + +Run `specsync check --strict` — all specs must pass with zero warnings. + +## When adding new modules + +Run `specsync scaffold ` to create a spec, companion files, a registry +entry, and auto-detected source files — or `specsync new ` for a +minimal spec-only draft. Complete the spec before writing code. The +`/specsync:create-spec` command (or tool-equivalent) runs this for you, and +accepts either a bare module name or a natural-language feature description +(e.g. `/specsync:create-spec "I want a feature that lets users export their +data as CSV"`) — pass a description and it will pick a module name and use +the description to draft the spec's Purpose and Requirements. + +## Key commands + +- `specsync check` — validate all specs against source code +- `specsync check --json` — machine-readable validation output +- `specsync coverage` — show which modules lack specs +- `specsync score` — quality score for each spec (0-100) +- `specsync scaffold ` — full scaffold: spec + companions + registry entry + source detection +- `specsync new ` — quick-create a minimal spec (add `--full` for companions) +- `specsync resolve --remote` — verify cross-project dependencies diff --git a/.codex/skills/spec-sync/SKILL.md b/.codex/skills/spec-sync/SKILL.md new file mode 100644 index 0000000..311a220 --- /dev/null +++ b/.codex/skills/spec-sync/SKILL.md @@ -0,0 +1,75 @@ +--- +name: spec-sync +description: Keep markdown module specs in specs// synchronized with source code using spec-sync. Use this whenever creating, editing, or reviewing code in a module that has (or should have) a spec, or whenever the user mentions specs, spec-sync, companion files (tasks.md/requirements.md/context.md/testing.md/design.md), or asks to add/update a module's documentation. +--- + +# Spec-Sync Workflow + +This project uses [spec-sync](https://github.com/CorvidLabs/spec-sync) for bidirectional spec-to-code validation. Specs live in `specs//.spec.md`. + +## Verified SDD change lifecycle (5.0) + +For every meaningful source, test, public documentation, schema, or configuration change: + +1. Run `specsync change new "" --json` and conduct the returned interview with the user. +2. Use `specsync change answer --json` until no questions remain. +3. Complete the adaptively selected artifacts and semantic deltas. Requirements use stable + `REQ--` IDs, a normative SHALL statement, and acceptance criteria. +4. Ask the user for the definition approval, then run `specsync change approve `. +5. Run `specsync change start ` before editing implementation code. +6. Keep tasks and artifacts current, then run `specsync change verify `. +7. Present verification evidence and ask for closing approval. Only after explicit approval, + run `specsync change accept `; archive separately with `specsync change archive `. + +Never invent or self-grant either human approval. If an approved definition changes, its digest +becomes stale and must be approved again. `specsync check` validates canonical specs plus approved +active deltas, requirement-to-test evidence, change coverage, and CI gates. + +## Companion files + +Each canonical spec may have policy-selected companion files. Read and update the ones present; do not create empty companions only for ceremony: + +- **`tasks.md`** — Work items for this module. Check off tasks (`- [x]`) as you complete them. Add new tasks if you discover work needed. +- **`requirements.md`** — Acceptance criteria and user stories. These are permanent invariants, not tasks — do not check them off. Update if requirements change. +- **`context.md`** — Architectural decisions, key files, and current status. Update when you make design decisions or change what's in progress. +- **`testing.md`** — Test strategy: automated test locations, manual QA checklists, and edge cases/boundary conditions. +- **`design.md`** *(opt-in)* — Layout, component hierarchy, design tokens, and asset references. Present when `companions.design` is enabled in config. + +## Before modifying any module + +1. Read the relevant spec in `specs//.spec.md` +2. Read whichever companion files are present (`requirements.md`, `tasks.md`, `context.md`, `testing.md`, `design.md`, or project-defined files) +3. After changes, run `specsync check` to verify specs still pass + +## After completing work + +1. Mark completed items in `tasks.md` — check off finished tasks, add new ones discovered +2. Update `context.md` — record decisions made, update current status +3. If requirements changed, update `requirements.md` acceptance criteria +4. If test coverage changed, update `testing.md` with new test files or edge cases +5. If UI/layout changed, update `design.md` with revised layout, components, or tokens + +## Before creating a PR + +Run `specsync check --strict` — all specs must pass with zero warnings. + +## When adding new modules + +Run `specsync scaffold ` to create a spec, companion files, a registry +entry, and auto-detected source files — or `specsync new ` for a +minimal spec-only draft. Complete the spec before writing code. The +`/specsync:create-spec` command (or tool-equivalent) runs this for you, and +accepts either a bare module name or a natural-language feature description +(e.g. `/specsync:create-spec "I want a feature that lets users export their +data as CSV"`) — pass a description and it will pick a module name and use +the description to draft the spec's Purpose and Requirements. + +## Key commands + +- `specsync check` — validate all specs against source code +- `specsync check --json` — machine-readable validation output +- `specsync coverage` — show which modules lack specs +- `specsync score` — quality score for each spec (0-100) +- `specsync scaffold ` — full scaffold: spec + companions + registry entry + source detection +- `specsync new ` — quick-create a minimal spec (add `--full` for companions) +- `specsync resolve --remote` — verify cross-project dependencies diff --git a/.cursor/commands/specsync-create-change.md b/.cursor/commands/specsync-create-change.md new file mode 100644 index 0000000..49402f3 --- /dev/null +++ b/.cursor/commands/specsync-create-change.md @@ -0,0 +1,9 @@ +Create a verified spec-sync SDD change. + +Arguments: $ARGUMENTS + +1. Run `specsync change new "$ARGUMENTS" --json`. +2. Read the returned `questions` array and interview the user one question at a time. +3. Record each answer with `specsync change answer --json`. +4. Continue until the question list is empty, then show the selected artifacts and next action. +5. Do not approve, implement, verify, accept, or archive until the corresponding human gate or work stage is reached. diff --git a/.cursor/commands/specsync-create-spec.md b/.cursor/commands/specsync-create-spec.md new file mode 100644 index 0000000..9af4a46 --- /dev/null +++ b/.cursor/commands/specsync-create-spec.md @@ -0,0 +1,34 @@ +Create a new spec-sync module spec. + +Arguments: $ARGUMENTS + +1. Remove `--minimal` if present, remember that minimal mode was requested, + and preserve the complete remaining input without choosing a module name yet. +2. Classify the complete remaining input. It will be one of: + - **A bare module name** — a short identifier like `auth-service` or + `billing`. Use it as-is. + - **A free-text feature description** — a sentence or phrase describing + what to build, e.g. `"I want a feature that lets users export their + data as CSV"`. In this case, invent a short, kebab-case module name that + captures the idea (e.g. `csv-export`). If the right name is ambiguous, + ask the user to confirm or rename it before continuing. Keep the full + description at hand — you'll use it in step 5. +3. If minimal mode was requested, run: + ``` + specsync new + ``` + This creates a minimal spec only (no companion files). +4. Otherwise (default), run: + ``` + specsync scaffold + ``` + This creates the spec, companion files (`tasks.md`, `requirements.md`, + `context.md`, `testing.md`, and `design.md` if `companions.design` is + enabled), a registry entry, and auto-detects related source files. +5. Open the newly created `specs//.spec.md` and fill + in the `Purpose`, `Invariants`, and `Public API` sections. If a free-text + description was given in step 2, use it directly to draft these sections — + ask clarifying questions if it's underspecified, but do not leave the + sections as unfilled placeholder text. Do the same for `requirements.md` + (acceptance criteria) and `tasks.md` (initial task breakdown), if present. +6. Run `specsync check` to confirm the new spec passes validation. diff --git a/.cursor/skills/spec-sync/SKILL.md b/.cursor/skills/spec-sync/SKILL.md new file mode 100644 index 0000000..311a220 --- /dev/null +++ b/.cursor/skills/spec-sync/SKILL.md @@ -0,0 +1,75 @@ +--- +name: spec-sync +description: Keep markdown module specs in specs// synchronized with source code using spec-sync. Use this whenever creating, editing, or reviewing code in a module that has (or should have) a spec, or whenever the user mentions specs, spec-sync, companion files (tasks.md/requirements.md/context.md/testing.md/design.md), or asks to add/update a module's documentation. +--- + +# Spec-Sync Workflow + +This project uses [spec-sync](https://github.com/CorvidLabs/spec-sync) for bidirectional spec-to-code validation. Specs live in `specs//.spec.md`. + +## Verified SDD change lifecycle (5.0) + +For every meaningful source, test, public documentation, schema, or configuration change: + +1. Run `specsync change new "" --json` and conduct the returned interview with the user. +2. Use `specsync change answer --json` until no questions remain. +3. Complete the adaptively selected artifacts and semantic deltas. Requirements use stable + `REQ--` IDs, a normative SHALL statement, and acceptance criteria. +4. Ask the user for the definition approval, then run `specsync change approve `. +5. Run `specsync change start ` before editing implementation code. +6. Keep tasks and artifacts current, then run `specsync change verify `. +7. Present verification evidence and ask for closing approval. Only after explicit approval, + run `specsync change accept `; archive separately with `specsync change archive `. + +Never invent or self-grant either human approval. If an approved definition changes, its digest +becomes stale and must be approved again. `specsync check` validates canonical specs plus approved +active deltas, requirement-to-test evidence, change coverage, and CI gates. + +## Companion files + +Each canonical spec may have policy-selected companion files. Read and update the ones present; do not create empty companions only for ceremony: + +- **`tasks.md`** — Work items for this module. Check off tasks (`- [x]`) as you complete them. Add new tasks if you discover work needed. +- **`requirements.md`** — Acceptance criteria and user stories. These are permanent invariants, not tasks — do not check them off. Update if requirements change. +- **`context.md`** — Architectural decisions, key files, and current status. Update when you make design decisions or change what's in progress. +- **`testing.md`** — Test strategy: automated test locations, manual QA checklists, and edge cases/boundary conditions. +- **`design.md`** *(opt-in)* — Layout, component hierarchy, design tokens, and asset references. Present when `companions.design` is enabled in config. + +## Before modifying any module + +1. Read the relevant spec in `specs//.spec.md` +2. Read whichever companion files are present (`requirements.md`, `tasks.md`, `context.md`, `testing.md`, `design.md`, or project-defined files) +3. After changes, run `specsync check` to verify specs still pass + +## After completing work + +1. Mark completed items in `tasks.md` — check off finished tasks, add new ones discovered +2. Update `context.md` — record decisions made, update current status +3. If requirements changed, update `requirements.md` acceptance criteria +4. If test coverage changed, update `testing.md` with new test files or edge cases +5. If UI/layout changed, update `design.md` with revised layout, components, or tokens + +## Before creating a PR + +Run `specsync check --strict` — all specs must pass with zero warnings. + +## When adding new modules + +Run `specsync scaffold ` to create a spec, companion files, a registry +entry, and auto-detected source files — or `specsync new ` for a +minimal spec-only draft. Complete the spec before writing code. The +`/specsync:create-spec` command (or tool-equivalent) runs this for you, and +accepts either a bare module name or a natural-language feature description +(e.g. `/specsync:create-spec "I want a feature that lets users export their +data as CSV"`) — pass a description and it will pick a module name and use +the description to draft the spec's Purpose and Requirements. + +## Key commands + +- `specsync check` — validate all specs against source code +- `specsync check --json` — machine-readable validation output +- `specsync coverage` — show which modules lack specs +- `specsync score` — quality score for each spec (0-100) +- `specsync scaffold ` — full scaffold: spec + companions + registry entry + source detection +- `specsync new ` — quick-create a minimal spec (add `--full` for companions) +- `specsync resolve --remote` — verify cross-project dependencies diff --git a/.gemini/commands/specsync/create-change.toml b/.gemini/commands/specsync/create-change.toml new file mode 100644 index 0000000..f46c572 --- /dev/null +++ b/.gemini/commands/specsync/create-change.toml @@ -0,0 +1,11 @@ +description = "Create and guide a verified spec-sync SDD change through its deterministic interview" + +prompt = """ +Arguments: {{args}} + +1. Treat the arguments shown above as the user's raw description, shell-escape them exactly once, and run `specsync change new --json`. +2. Read the returned `questions` array and interview the user one question at a time. +3. Record each answer with `specsync change answer --json`. +4. Continue until the question list is empty, then show the selected artifacts and next action. +5. Do not approve, implement, verify, accept, or archive until the corresponding human gate or work stage is reached. +""" diff --git a/.gemini/commands/specsync/create-spec.toml b/.gemini/commands/specsync/create-spec.toml new file mode 100644 index 0000000..c61dc4f --- /dev/null +++ b/.gemini/commands/specsync/create-spec.toml @@ -0,0 +1,34 @@ +description = "Scaffold a new spec-sync module spec from a module name or a natural-language feature description (full scaffold by default, or minimal with --minimal)" + +prompt = """ +Create a new spec-sync module spec. + +Arguments: {{args}} + +1. Remove --minimal if present, remember that minimal mode was requested, and + preserve the complete remaining input without choosing a module name yet. +2. Classify the complete remaining input. It will be one of: + - A bare module name - a short identifier like auth-service or billing. + Use it as-is. + - A free-text feature description - a sentence or phrase describing what + to build, e.g. "I want a feature that lets users export their data as + CSV". In this case, invent a short, kebab-case module name that captures + the idea (e.g. csv-export). If the right name is ambiguous, ask the user + to confirm or rename it before continuing. Keep the full description at + hand - you'll use it in step 5. +3. If minimal mode was requested, run: + specsync new + This creates a minimal spec only (no companion files). +4. Otherwise (default), run: + specsync scaffold + This creates the spec, companion files (tasks.md, requirements.md, + context.md, testing.md, and design.md if companions.design is enabled), + a registry entry, and auto-detects related source files. +5. Open the newly created specs//.spec.md and fill + in the Purpose, Invariants, and Public API sections. If a free-text + description was given in step 2, use it directly to draft these sections - + ask clarifying questions if it's underspecified, but do not leave the + sections as unfilled placeholder text. Do the same for requirements.md + (acceptance criteria) and tasks.md (initial task breakdown), if present. +6. Run specsync check to confirm the new spec passes validation. +""" diff --git a/.gemini/skills/spec-sync/SKILL.md b/.gemini/skills/spec-sync/SKILL.md new file mode 100644 index 0000000..311a220 --- /dev/null +++ b/.gemini/skills/spec-sync/SKILL.md @@ -0,0 +1,75 @@ +--- +name: spec-sync +description: Keep markdown module specs in specs// synchronized with source code using spec-sync. Use this whenever creating, editing, or reviewing code in a module that has (or should have) a spec, or whenever the user mentions specs, spec-sync, companion files (tasks.md/requirements.md/context.md/testing.md/design.md), or asks to add/update a module's documentation. +--- + +# Spec-Sync Workflow + +This project uses [spec-sync](https://github.com/CorvidLabs/spec-sync) for bidirectional spec-to-code validation. Specs live in `specs//.spec.md`. + +## Verified SDD change lifecycle (5.0) + +For every meaningful source, test, public documentation, schema, or configuration change: + +1. Run `specsync change new "" --json` and conduct the returned interview with the user. +2. Use `specsync change answer --json` until no questions remain. +3. Complete the adaptively selected artifacts and semantic deltas. Requirements use stable + `REQ--` IDs, a normative SHALL statement, and acceptance criteria. +4. Ask the user for the definition approval, then run `specsync change approve `. +5. Run `specsync change start ` before editing implementation code. +6. Keep tasks and artifacts current, then run `specsync change verify `. +7. Present verification evidence and ask for closing approval. Only after explicit approval, + run `specsync change accept `; archive separately with `specsync change archive `. + +Never invent or self-grant either human approval. If an approved definition changes, its digest +becomes stale and must be approved again. `specsync check` validates canonical specs plus approved +active deltas, requirement-to-test evidence, change coverage, and CI gates. + +## Companion files + +Each canonical spec may have policy-selected companion files. Read and update the ones present; do not create empty companions only for ceremony: + +- **`tasks.md`** — Work items for this module. Check off tasks (`- [x]`) as you complete them. Add new tasks if you discover work needed. +- **`requirements.md`** — Acceptance criteria and user stories. These are permanent invariants, not tasks — do not check them off. Update if requirements change. +- **`context.md`** — Architectural decisions, key files, and current status. Update when you make design decisions or change what's in progress. +- **`testing.md`** — Test strategy: automated test locations, manual QA checklists, and edge cases/boundary conditions. +- **`design.md`** *(opt-in)* — Layout, component hierarchy, design tokens, and asset references. Present when `companions.design` is enabled in config. + +## Before modifying any module + +1. Read the relevant spec in `specs//.spec.md` +2. Read whichever companion files are present (`requirements.md`, `tasks.md`, `context.md`, `testing.md`, `design.md`, or project-defined files) +3. After changes, run `specsync check` to verify specs still pass + +## After completing work + +1. Mark completed items in `tasks.md` — check off finished tasks, add new ones discovered +2. Update `context.md` — record decisions made, update current status +3. If requirements changed, update `requirements.md` acceptance criteria +4. If test coverage changed, update `testing.md` with new test files or edge cases +5. If UI/layout changed, update `design.md` with revised layout, components, or tokens + +## Before creating a PR + +Run `specsync check --strict` — all specs must pass with zero warnings. + +## When adding new modules + +Run `specsync scaffold ` to create a spec, companion files, a registry +entry, and auto-detected source files — or `specsync new ` for a +minimal spec-only draft. Complete the spec before writing code. The +`/specsync:create-spec` command (or tool-equivalent) runs this for you, and +accepts either a bare module name or a natural-language feature description +(e.g. `/specsync:create-spec "I want a feature that lets users export their +data as CSV"`) — pass a description and it will pick a module name and use +the description to draft the spec's Purpose and Requirements. + +## Key commands + +- `specsync check` — validate all specs against source code +- `specsync check --json` — machine-readable validation output +- `specsync coverage` — show which modules lack specs +- `specsync score` — quality score for each spec (0-100) +- `specsync scaffold ` — full scaffold: spec + companions + registry entry + source detection +- `specsync new ` — quick-create a minimal spec (add `--full` for companions) +- `specsync resolve --remote` — verify cross-project dependencies diff --git a/.github/workflows/trust.yml b/.github/workflows/trust.yml new file mode 100644 index 0000000..53b1f93 --- /dev/null +++ b/.github/workflows/trust.yml @@ -0,0 +1,23 @@ +name: trust + +on: + pull_request: + push: + branches: [main] + +permissions: + contents: read + +jobs: + trust: + runs-on: ubuntu-latest + timeout-minutes: 20 + steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 + - name: Install ShellCheck + run: sudo apt-get install -y shellcheck + - name: CorvidLabs Trust gate + id: trust + uses: CorvidLabs/trust@9d32b5786d2e9e4d39fc581c0091c721ee3d4226 # v1.0.0 diff --git a/.specsync/.gitignore b/.specsync/.gitignore new file mode 100644 index 0000000..a655086 --- /dev/null +++ b/.specsync/.gitignore @@ -0,0 +1,3 @@ +backup-3x/ +config.local.toml +hashes.json diff --git a/.specsync/adoption-report.json b/.specsync/adoption-report.json new file mode 100644 index 0000000..dc7fb5b --- /dev/null +++ b/.specsync/adoption-report.json @@ -0,0 +1,9 @@ +{ + "bootstrap_policy": { + "base_commit": "e18318d0d12e1cf4d3f85dcab343b3ea6f1bfb8d", + "digest": "2f696488563fdab00793ed51018de70841e6cbf81d4d8d0e9a868b1435d52161", + "path": ".specsync/sdd.json" + }, + "generated_at": 1783878181, + "requirements_needing_ids": [] +} diff --git a/.specsync/change-sequence.json b/.specsync/change-sequence.json new file mode 100644 index 0000000..445cb10 --- /dev/null +++ b/.specsync/change-sequence.json @@ -0,0 +1,6 @@ +{ + "schema_version": 1, + "sequence": 3, + "id": "CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug", + "acknowledged_collisions": [] +} diff --git a/.specsync/change.lock b/.specsync/change.lock new file mode 100644 index 0000000..e69de29 diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/approvals.json b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/approvals.json new file mode 100644 index 0000000..e9b8ad9 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/approvals.json @@ -0,0 +1,192 @@ +{ + "approvals": [ + { + "gate": "definition", + "actor": "user:0xLeif", + "timestamp": 1783953990, + "digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "note": "Definition approved after artifact, review-correction, and preliminary native-verification audit." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783954149, + "digest": "31cb117ed6c4f5b644d5280f779bca7260bea297de71e290f3df775d7190d214", + "note": "Closing approval recorded after successful committed-head native verification with explicit requirement evidence." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983796, + "digest": "623eccbe4b4c65d710c9481284f1f759adb290df0310a31d5206c3e88eab85bd", + "note": "Fresh native verification passed with CHG-0002 present; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983883, + "digest": "781e21aca23beb8e11821f7e3affcbce9704a5e16ddff03ae46ad56cf237f26d", + "note": "Fresh native verification passed with truthful extensionless Bash coverage; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983984, + "digest": "623eccbe4b4c65d710c9481284f1f759adb290df0310a31d5206c3e88eab85bd", + "note": "Fresh native verification passed after removing the unsupported coverage experiment; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1784057091, + "digest": "5da156f776cc90e5afc15c06dcac97a79fefe65fe1c70720f6427cd272cffc57", + "note": "Closing approval recorded after the complete native Fledge lane passed on the current extensionless-coverage tree; authenticated GitHub operations and hosted Trust success are not claimed." + } + ], + "reopenings": [ + { + "schema_version": 1, + "change_id": "CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "actor": "user:0xLeif", + "reason": "CHG-0002 corrected governed agent instructions and SDD policy inputs after the prior acceptance evidence.", + "timestamp": 1783983795, + "from_state": "accepted", + "to_state": "verifying", + "superseded_approval": { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783954149, + "digest": "31cb117ed6c4f5b644d5280f779bca7260bea297de71e290f3df775d7190d214", + "note": "Closing approval recorded after successful committed-head native verification with explicit requirement evidence." + }, + "prior_verification": { + "timestamp": 1783954064, + "commit": "22483b4cfcbde9b5843a0dd2311e72ef05d5c5eb", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "0242b72d92533496a2fa83c21ba90e4ecfccb3d896c0d442ca7a1e4e79074c9b", + "acceptance_input_digest": "8675764ba3587505ddf18cf92a4a1582223ee13dce09a7b44df276366a89de3b", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] + }, + "stale_acceptance_input_digest": "8675764ba3587505ddf18cf92a4a1582223ee13dce09a7b44df276366a89de3b", + "current_acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f" + }, + { + "schema_version": 1, + "change_id": "CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "actor": "user:0xLeif", + "reason": "CHG-0003 changed the shared SpecSync coverage configuration after the prior acceptance evidence.", + "timestamp": 1783983882, + "from_state": "accepted", + "to_state": "verifying", + "superseded_approval": { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983796, + "digest": "623eccbe4b4c65d710c9481284f1f759adb290df0310a31d5206c3e88eab85bd", + "note": "Fresh native verification passed with CHG-0002 present; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + "prior_verification": { + "timestamp": 1783983796, + "commit": "f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "9f1ab2d01962c882e002a59bb96377aca157fbf6c6e7bcc9857c12a1ec5e910e", + "acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] + }, + "stale_acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f", + "current_acceptance_input_digest": "0492a1c19434be9efa67a9af401aa475c5b026d6baee34033573ed670f9b8223" + }, + { + "schema_version": 1, + "change_id": "CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "actor": "user:0xLeif", + "reason": "The unsupported extensionless coverage experiment was removed, restoring the governed SpecSync configuration after the prior evidence.", + "timestamp": 1783983983, + "from_state": "accepted", + "to_state": "verifying", + "superseded_approval": { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983883, + "digest": "781e21aca23beb8e11821f7e3affcbce9704a5e16ddff03ae46ad56cf237f26d", + "note": "Fresh native verification passed with truthful extensionless Bash coverage; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + "prior_verification": { + "timestamp": 1783983883, + "commit": "f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "8a4cc53039e85aee6baa47a81e2cd247fe546256f3c6ecf3835b5d8021a5384e", + "acceptance_input_digest": "0492a1c19434be9efa67a9af401aa475c5b026d6baee34033573ed670f9b8223", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] + }, + "stale_acceptance_input_digest": "0492a1c19434be9efa67a9af401aa475c5b026d6baee34033573ed670f9b8223", + "current_acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f" + }, + { + "schema_version": 1, + "change_id": "CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "actor": "user:0xLeif", + "reason": "Truthful extensionless coverage and corrected meaningful-path policy change the verified delivery inputs; refresh native verification and portable closing approval.", + "timestamp": 1784057022, + "from_state": "accepted", + "to_state": "verifying", + "superseded_approval": { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983984, + "digest": "623eccbe4b4c65d710c9481284f1f759adb290df0310a31d5206c3e88eab85bd", + "note": "Fresh native verification passed after removing the unsupported coverage experiment; the prior canonical delta was not replayed. Hosted CI remains required before promotion." + }, + "prior_verification": { + "timestamp": 1783983984, + "commit": "f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "9f1ab2d01962c882e002a59bb96377aca157fbf6c6e7bcc9857c12a1ec5e910e", + "acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] + }, + "stale_acceptance_input_digest": "395e28afb84dcedea44ff2973f2c2b3de91b47e973157ef025b861fdd071764f", + "current_acceptance_input_digest": "81619f9dd84045e38dc56281015f1af74938738bf1cd72415345290c707d670e" + } + ] +} diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/change.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/change.md new file mode 100644 index 0000000..409a460 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/change.md @@ -0,0 +1,25 @@ +--- +id: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +state: accepted +type: migration +base_commit: e18318d0d12e1cf4d3f85dcab343b3ea6f1bfb8d +--- + +# Adopt SpecSync 5.0.1 and Trust 1.0.0 governance for the GitHub Fledge plugin + +## Intent + +Adopt SpecSync 5.0.1 and Trust 1.0.0 governance for the GitHub Fledge plugin + +## Affected Canonical Specs + +- `github` + +## Acceptance Criteria + +- SpecSync strict check passes at explicit advisory threshold 0; all four integrations report installed; Trust doctor and verification pass. +- ShellCheck, Bash syntax, and help for every GitHub plugin executable remain green; live GitHub mutations remain independently authorized. + +## No-spec Rationale + +Not applicable diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/context.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/context.md new file mode 100644 index 0000000..db4ea1f --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/context.md @@ -0,0 +1,8 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: context +--- + +# Context + +The shell plugin exposes authenticated GitHub reads and mutations plus managed workspace operations. Migration validation must remain offline and must preserve workspace deletion safety and explicit mutation commands. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/deltas/github.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/deltas/github.md new file mode 100644 index 0000000..5e96756 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/deltas/github.md @@ -0,0 +1,9 @@ +## MODIFIED + +### REQUIREMENT REQ-github-001 + +The plugin SHALL provide the documented PR, issue, repository, checks, and poll subcommands through authenticated `gh`. + +Acceptance Criteria +- Offline help succeeds for every `bin/fledge-github*` executable without creating external state. +- Authenticated GitHub reads and mutations remain separately authorized. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/design.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/design.md new file mode 100644 index 0000000..75862d7 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/design.md @@ -0,0 +1,8 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: design +--- + +# Design + +Use one active companion, standard Trust, blocking risk, progressive provenance, and Atlas disabled. Add immutable Ubuntu Trust with ShellCheck while preserving native CI and Pages. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/docs.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/docs.md new file mode 100644 index 0000000..a88b665 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/docs.md @@ -0,0 +1,8 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: docs +--- + +# Docs + +The companion documents all command groups, cross-repo/JSON behavior, explicit mutations, AI confirmation, workspace boundaries, polling schema, errors, and stable requirements. README behavior is unchanged. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/plan.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/plan.md new file mode 100644 index 0000000..54c6f7e --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/plan.md @@ -0,0 +1,12 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: plan +--- + +# Plan + +1. Document PR, issue, repo, checks, poll, and workspace contracts. +2. Capture safety and confirmation invariants. +3. Enable SDD and install integrations. +4. Add offline lint/syntax/help Trust verification. +5. Keep live GitHub reads/mutations independently authorized. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/research.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/research.md new file mode 100644 index 0000000..7608ab2 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/research.md @@ -0,0 +1,8 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: research +--- + +# Research + +SpecSync cannot measure extensionless Bash executables, so advisory threshold 0 is explicit. ShellCheck, Bash syntax, and dispatcher help are deterministic; live GitHub/API operations remain independently authorized. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/state.json b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/state.json new file mode 100644 index 0000000..03e36b4 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/state.json @@ -0,0 +1,44 @@ +{ + "schema_version": 1, + "id": "CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "slug": "adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin", + "title": "Adopt SpecSync 5.0.1 and Trust 1.0.0 governance for the GitHub Fledge plugin", + "description": "Adopt SpecSync 5.0.1 and Trust 1.0.0 governance for the GitHub Fledge plugin", + "kind": "migration", + "state": "accepted", + "canonical_applied": true, + "base_commit": "e18318d0d12e1cf4d3f85dcab343b3ea6f1bfb8d", + "created_at": 1783878225, + "updated_at": 1784057091, + "affected_specs": [ + "github" + ], + "affected_paths": [ + "bin/", + ".github/", + ".specsync/", + "specs/", + ".trust.toml", + "fledge.toml" + ], + "no_spec_change": false, + "no_spec_change_rationale": null, + "acceptance_criteria": [ + "SpecSync strict check passes at explicit advisory threshold 0; all four integrations report installed; Trust doctor and verification pass.", + "ShellCheck, Bash syntax, and help for every GitHub plugin executable remain green; live GitHub mutations remain independently authorized." + ], + "selected_artifacts": [ + "context", + "research", + "design", + "plan", + "tasks", + "testing", + "docs" + ], + "dependencies": [], + "answers": { + "architecture_risk": "yes", + "public_contract": "no" + } +} diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/tasks.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/tasks.md new file mode 100644 index 0000000..1566df7 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/tasks.md @@ -0,0 +1,15 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: tasks +--- + +# Tasks + +- [x] Create the active GitHub companion. +- [x] Add stable safety requirements. +- [x] Install all four integrations. +- [x] Add offline lifecycle and Trust policy. +- [x] Pass ShellCheck, Bash syntax, and help smoke. +- [x] Document the owner-gated definition and closing approval boundaries. +- [x] Configure hosted Trust alongside the existing CI checks without claiming their result. +- [x] Document authenticated integration as a separately authorized operation. diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/testing.md b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/testing.md new file mode 100644 index 0000000..65e1559 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/testing.md @@ -0,0 +1,14 @@ +--- +change: CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin +artifact: testing +--- + +# Testing + +- `shellcheck --severity=warning bin/*` +- `bash -n bin/*` +- Help for every `bin/fledge-github*` executable +- `REQ-github-001` evidence is the offline all-executable help smoke; authenticated behavior remains separately authorized. +- `specsync check --strict --force` at advisory threshold 0 +- `fledge trust doctor` and `fledge trust verify` +- Authenticated GitHub integration remains independently controlled diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification-attempts.json b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification-attempts.json new file mode 100644 index 0000000..b57d501 --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification-attempts.json @@ -0,0 +1,22 @@ +{ + "schema_version": 1, + "attempts": [ + { + "timestamp": 1784057049, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] + } + ] +} diff --git a/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification.json b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification.json new file mode 100644 index 0000000..3ad15cd --- /dev/null +++ b/.specsync/changes/CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin/verification.json @@ -0,0 +1,18 @@ +{ + "timestamp": 1784057049, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "44e6d71c807000c9c06c4e8d98c6665fc83f1438febf890fad737ad075bbd5c9", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "acceptance_input_digest": "81619f9dd84045e38dc56281015f1af74938738bf1cd72415345290c707d670e", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [ + "REQ-github-001" + ] +} diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/approvals.json b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/approvals.json new file mode 100644 index 0000000..a7d0186 --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/approvals.json @@ -0,0 +1,61 @@ +{ + "approvals": [ + { + "gate": "definition", + "actor": "user:0xLeif", + "timestamp": 1783983774, + "digest": "70afa89294d7825e1f34f6f3ebd17e7f5ad1469288b20d0e6e4ca027a6079263", + "note": "Approved portable definition for non-semantic governance and agent-instruction corrections." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983795, + "digest": "d37e1755770d65ecf23944c48cc151d13c47c4038ab35792e96735ba8d28c31a", + "note": "Native Fledge verification passed for the non-semantic governance corrections; hosted CI remains required before promotion and is not claimed here." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1784057092, + "digest": "7514164b1b7afaf7916df26ae80102f23c9b0e3ad0bc30b609a903776d3c3f7f", + "note": "Closing approval recorded after the complete native Fledge lane passed on the current extensionless-coverage tree; authenticated GitHub operations and hosted Trust success are not claimed." + } + ], + "reopenings": [ + { + "schema_version": 1, + "change_id": "CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage", + "actor": "user:0xLeif", + "reason": "Truthful extensionless coverage and corrected meaningful-path policy change the verified delivery inputs; refresh native verification and portable closing approval.", + "timestamp": 1784057022, + "from_state": "accepted", + "to_state": "verifying", + "superseded_approval": { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1783983795, + "digest": "d37e1755770d65ecf23944c48cc151d13c47c4038ab35792e96735ba8d28c31a", + "note": "Native Fledge verification passed for the non-semantic governance corrections; hosted CI remains required before promotion and is not claimed here." + }, + "prior_verification": { + "timestamp": 1783983794, + "commit": "f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c", + "contract_digest": "70afa89294d7825e1f34f6f3ebd17e7f5ad1469288b20d0e6e4ca027a6079263", + "workspace_digest": "9f1ab2d01962c882e002a59bb96377aca157fbf6c6e7bcc9857c12a1ec5e910e", + "acceptance_input_digest": "c29b09eff794e454f04ada62b1c3a7557b77ea439f953ae78b14d207585f7de9", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [] + }, + "stale_acceptance_input_digest": "c29b09eff794e454f04ada62b1c3a7557b77ea439f953ae78b14d207585f7de9", + "current_acceptance_input_digest": "690842db8bc829e4362781a1721032577ecf3a67c7393bf0236a451bfc489489" + } + ] +} diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/change.md b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/change.md new file mode 100644 index 0000000..f91a70c --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/change.md @@ -0,0 +1,31 @@ +--- +id: CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage +state: accepted +type: documentation +base_commit: f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c +--- + +# Correct SpecSync agent guidance and governance path coverage + +## Intent + +Correct SpecSync agent guidance and governance path coverage + +## Affected Canonical Specs + +- None + +## Acceptance Criteria + +- Claude +- Cursor +- and Gemini classify the complete remaining create-spec input before choosing a module name; Gemini create-change shell-escapes the displayed raw arguments exactly once; the SDD policy covers Trust +- Fledge +- Augur +- Attest +- documentation +- and plugin manifests; the canonical changelog row has a valid version; native verification and strict SpecSync 100% coverage pass. + +## No-spec Rationale + +Correct generated agent instructions, SDD meaningful-path coverage, and canonical changelog formatting without changing GitHub plugin requirements or runtime behavior. diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/context.md b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/context.md new file mode 100644 index 0000000..9f91c09 --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/context.md @@ -0,0 +1,10 @@ +--- +change: CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage +artifact: context +--- + +# Context + +The installed create-spec prompts chose the first token as a module name before deciding whether the complete input was a natural-language description. Gemini's create-change prompt also referenced a shell variable that is not provided by its template. Separately, the SDD policy did not classify the committed Trust, Fledge, Augur, Attest, documentation, manifest, or agent-integration files as meaningful. + +These are governance and instruction defects. The plugin's command behavior and canonical requirements remain unchanged. diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/design.md b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/design.md new file mode 100644 index 0000000..04f9f9c --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/design.md @@ -0,0 +1,10 @@ +--- +change: CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage +artifact: design +--- + +# Design + +Make all three create-spec integrations preserve and classify the complete remaining input before deriving a module name, and use the canonical `Invariants` section name. Make Gemini create-change consume the displayed raw arguments and require exactly one shell-escaping step. + +Extend `meaningful_paths` to cover the repository's committed governance, documentation, manifest, and integration surfaces. Correct only the malformed canonical changelog row and title capitalization; do not alter requirement semantics or plugin executables. diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/docs.md b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/docs.md new file mode 100644 index 0000000..66638f7 --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/docs.md @@ -0,0 +1,8 @@ +--- +change: CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage +artifact: docs +--- + +# Docs + +The changes are limited to installed agent instructions, SDD policy metadata, and canonical presentation. README and user-facing plugin command documentation do not require changes because the runtime interface is unchanged. diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/state.json b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/state.json new file mode 100644 index 0000000..5aa0e4a --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/state.json @@ -0,0 +1,45 @@ +{ + "schema_version": 1, + "id": "CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage", + "slug": "correct-specsync-agent-guidance-and-governance-path-coverage", + "title": "Correct SpecSync agent guidance and governance path coverage", + "description": "Correct SpecSync agent guidance and governance path coverage", + "kind": "documentation", + "state": "accepted", + "canonical_applied": true, + "base_commit": "f5ee59c46fc03e38cf2c3b183c6a139a9b79c46c", + "created_at": 1783983718, + "updated_at": 1784057092, + "affected_specs": [], + "affected_paths": [ + ".claude/commands/specsync/create-spec.md", + ".cursor/commands/specsync-create-spec.md", + ".gemini/commands/specsync/create-spec.toml", + ".gemini/commands/specsync/create-change.toml", + ".specsync/sdd.json", + "specs/github/github.spec.md" + ], + "no_spec_change": true, + "no_spec_change_rationale": "Correct generated agent instructions, SDD meaningful-path coverage, and canonical changelog formatting without changing GitHub plugin requirements or runtime behavior.", + "acceptance_criteria": [ + "Claude", + "Cursor", + "and Gemini classify the complete remaining create-spec input before choosing a module name; Gemini create-change shell-escapes the displayed raw arguments exactly once; the SDD policy covers Trust", + "Fledge", + "Augur", + "Attest", + "documentation", + "and plugin manifests; the canonical changelog row has a valid version; native verification and strict SpecSync 100% coverage pass." + ], + "selected_artifacts": [ + "context", + "docs", + "design", + "tasks" + ], + "dependencies": [], + "answers": { + "architecture_risk": "no", + "public_contract": "no" + } +} diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/tasks.md b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/tasks.md new file mode 100644 index 0000000..71045f9 --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/tasks.md @@ -0,0 +1,12 @@ +--- +change: CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage +artifact: tasks +--- + +# Tasks + +- [x] Correct Claude, Cursor, and Gemini create-spec input classification. +- [x] Correct Gemini create-change raw-argument handling. +- [x] Cover committed governance, documentation, manifest, and agent files in the SDD policy. +- [x] Correct the malformed canonical changelog row without changing requirement semantics. +- [x] Preserve the existing hosted Trust and CodeQL jobs as required post-push evidence before promotion. diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification-attempts.json b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification-attempts.json new file mode 100644 index 0000000..fd8ee4b --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification-attempts.json @@ -0,0 +1,20 @@ +{ + "schema_version": 1, + "attempts": [ + { + "timestamp": 1784057050, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "70afa89294d7825e1f34f6f3ebd17e7f5ad1469288b20d0e6e4ca027a6079263", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [] + } + ] +} diff --git a/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification.json b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification.json new file mode 100644 index 0000000..4ab24d6 --- /dev/null +++ b/.specsync/changes/CHG-0002-correct-specsync-agent-guidance-and-governance-path-coverage/verification.json @@ -0,0 +1,16 @@ +{ + "timestamp": 1784057050, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "70afa89294d7825e1f34f6f3ebd17e7f5ad1469288b20d0e6e4ca027a6079263", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "acceptance_input_digest": "690842db8bc829e4362781a1721032577ecf3a67c7393bf0236a451bfc489489", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [] +} diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/approvals.json b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/approvals.json new file mode 100644 index 0000000..57399ef --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/approvals.json @@ -0,0 +1,33 @@ +{ + "approvals": [ + { + "gate": "definition", + "actor": "user:0xLeif", + "timestamp": 1784056974, + "digest": "d6c16bcda308a94b8b7f4ca5c83c5d99191bb1836bb31cc2a53e7e62f56d022c", + "note": "Definition approved for governance-only extensionless coverage and omitted-path correction; no product behavior, authenticated GitHub operation, hosted success, or closing result is claimed." + }, + { + "gate": "definition", + "actor": "user:0xLeif", + "timestamp": 1784057056, + "digest": "5c003eb2988003e9567e9e96ac51c4fcdf75a9451a6ad12fa53c59ad97cff04b", + "note": "Definition reapproved after completing the planned governance artifacts; no product behavior or authenticated GitHub operation is changed or claimed." + }, + { + "gate": "definition", + "actor": "user:0xLeif", + "timestamp": 1784057082, + "digest": "73f075cd5d585504d38fe2bd719e61ceb110ee8105fc15ab75a1a840c982711b", + "note": "Definition reapproved after replacing circular verification tasks with truthful completed configuration and preparation tasks; no hosted or closing result is claimed early." + }, + { + "gate": "acceptance", + "actor": "user:0xLeif", + "timestamp": 1784057092, + "digest": "cef4e827329916bde6b4fac72c9086e9c98e6d20bf56b9c36a4f0faaef27303e", + "note": "Closing approval recorded after the complete native Fledge lane passed on the current extensionless-coverage tree; authenticated GitHub operations and hosted Trust success are not claimed." + } + ], + "reopenings": [] +} diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/change.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/change.md new file mode 100644 index 0000000..d3e0f06 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/change.md @@ -0,0 +1,24 @@ +--- +id: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +state: accepted +type: migration +base_commit: d429bd93845ee8ffc172778967bd7af4039476bb +--- + +# Complete truthful extensionless coverage and lifecycle scope for the GitHub plugin migration + +## Intent + +Complete truthful extensionless coverage and lifecycle scope for the GitHub plugin migration + +## Affected Canonical Specs + +- None + +## Acceptance Criteria + +- Current SpecSync main measures all six extensionless Bash executables at 100% file and LOC coverage; strict lifecycle validation covers every meaningful rollout file; all four agent integrations, the complete native Fledge lane, Trust doctor, and local Trust verification pass without authenticated GitHub operations. + +## No-spec Rationale + +This governance correction makes SpecSync measure the six existing extensionless Bash executables and accounts for rollout files omitted from lifecycle scope; it does not change plugin behavior or canonical requirement semantics. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/context.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/context.md new file mode 100644 index 0000000..1a7383c --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/context.md @@ -0,0 +1,16 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: context +--- + +# Context + +The accepted migration and review-correction changes omitted eight introduced +governance files from their affected paths. SpecSync 5.0.1 therefore rejects +the hosted merge tree even though the native Fledge lane passes. + +The repository also contains six extensionless Bash executables under `bin/`. +SpecSync 5.0.1 cannot discover extensionless sources, so the committed +threshold of zero is vacuous. Current SpecSync main adds explicit +`include_extensionless` discovery and can measure the existing canonical +file list without changing runtime code. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/design.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/design.md new file mode 100644 index 0000000..d6c5121 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/design.md @@ -0,0 +1,16 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: design +--- + +# Design + +Enable extensionless source discovery in the existing `bin/` source root and +raise the local contract threshold from zero to 100. Keep the six canonical +file entries unchanged. + +Replace generic meaningful-path defaults with the repository's actual delivery +surfaces, including all four agent integrations and canonical specs. Record the +eight omitted rollout files in this change's affected paths. Preserve the +immutable Trust and SpecSync consumer pins; the hosted 5.0.1 limitation remains +an explicit release-order blocker rather than being hidden by weaker policy. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/docs.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/docs.md new file mode 100644 index 0000000..98178c8 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/docs.md @@ -0,0 +1,14 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: docs +--- + +# Docs + +No user-facing command documentation changes are required. The canonical spec +already describes the observed plugin surface and distinguishes offline help +from separately authorized authenticated operations. + +The governance configuration now records truthful extensionless coverage. The +pull request must continue to disclose that hosted Trust remains pinned to +SpecSync 5.0.1 until the coordinated consumer-pin update. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/plan.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/plan.md new file mode 100644 index 0000000..6fb37e0 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/plan.md @@ -0,0 +1,14 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: plan +--- + +# Plan + +1. Audit all canonical requirements against the six existing executables. +2. Enable explicit extensionless discovery and require 100% measured coverage. +3. Correct meaningful paths and cover the eight omitted rollout files. +4. Run strict SpecSync main validation, all agent status checks, the complete + native Fledge lane, Trust doctor, and local Trust verification. +5. Preserve the pinned 5.0.1 consumer action and report it as the remaining + hosted blocker until the coordinated pin update is authorized. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/research.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/research.md new file mode 100644 index 0000000..17bf344 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/research.md @@ -0,0 +1,21 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: research +--- + +# Research + +The hosted Trust log identifies exactly eight uncovered meaningful paths: +`.attest.json`, `.augur.toml`, the Claude and Cursor create-change commands +and skills, the Gemini skill, and `AGENTS.md`. These are rollout files already +present in the pull request, not new product behavior. + +All six tracked files in `bin/` are extensionless Bash executables and all six +are named by `specs/github/github.spec.md`. Their help surfaces run without +authentication or external mutation. Live GitHub reads and writes cannot be +claimed by this migration because they require separate network credentials +and authorization. + +SpecSync main at `a9422aedbe12a3c50787c1fcc074749232f25dfe` +supports explicit extensionless discovery. The consumer action remains pinned +to SpecSync 5.0.1 until an organization-wide pin update is authorized. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/state.json b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/state.json new file mode 100644 index 0000000..fe82b6f --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/state.json @@ -0,0 +1,48 @@ +{ + "schema_version": 1, + "id": "CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug", + "slug": "complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug", + "title": "Complete truthful extensionless coverage and lifecycle scope for the GitHub plugin migration", + "description": "Complete truthful extensionless coverage and lifecycle scope for the GitHub plugin migration", + "kind": "migration", + "state": "accepted", + "canonical_applied": true, + "base_commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "created_at": 1784056907, + "updated_at": 1784057092, + "affected_specs": [], + "affected_paths": [ + ".specsync/config.toml", + ".specsync/sdd.json", + ".trust.toml", + ".attest.json", + ".augur.toml", + ".claude/commands/specsync/create-change.md", + ".claude/skills/spec-sync/SKILL.md", + ".cursor/commands/specsync-create-change.md", + ".cursor/skills/spec-sync/SKILL.md", + ".gemini/skills/spec-sync/SKILL.md", + ".codex/skills/spec-sync/SKILL.md", + "AGENTS.md", + ".specsync/change-sequence.json" + ], + "no_spec_change": true, + "no_spec_change_rationale": "This governance correction makes SpecSync measure the six existing extensionless Bash executables and accounts for rollout files omitted from lifecycle scope; it does not change plugin behavior or canonical requirement semantics.", + "acceptance_criteria": [ + "Current SpecSync main measures all six extensionless Bash executables at 100% file and LOC coverage; strict lifecycle validation covers every meaningful rollout file; all four agent integrations, the complete native Fledge lane, Trust doctor, and local Trust verification pass without authenticated GitHub operations." + ], + "selected_artifacts": [ + "context", + "research", + "design", + "plan", + "tasks", + "testing", + "docs" + ], + "dependencies": [], + "answers": { + "architecture_risk": "no", + "public_contract": "no" + } +} diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/tasks.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/tasks.md new file mode 100644 index 0000000..417385e --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/tasks.md @@ -0,0 +1,14 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: tasks +--- + +# Tasks + +- [x] Reproduce the exact hosted lifecycle-scope failure. +- [x] Audit all review threads and the canonical GitHub contract. +- [x] Confirm every tracked `bin/fledge-github*` executable is canonical. +- [x] Enable explicit extensionless discovery and 100% local coverage. +- [x] Correct meaningful paths and cover all omitted governance files. +- [x] Configure the complete offline native and governance verification commands. +- [x] Record portable definition approval for the finalized governance scope. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/testing.md b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/testing.md new file mode 100644 index 0000000..44886a8 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/testing.md @@ -0,0 +1,18 @@ +--- +change: CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug +artifact: testing +--- + +# Testing + +Run ShellCheck at warning severity, Bash syntax validation, and offline +`--help` for all six executables through `fledge lanes run verify`. + +Run current SpecSync main with strict forced validation at 100% coverage and +confirm six of six files and all executable LOC are measured. Confirm Claude, +Cursor, Codex, and Gemini integrations are installed. Run `fledge trust +doctor` and local `fledge trust verify` with current SpecSync main first on +`PATH`. + +Do not execute or claim authenticated GitHub reads, comments, reviews, merges, +workspace pushes, or other external mutations. diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification-attempts.json b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification-attempts.json new file mode 100644 index 0000000..f0c5fc0 --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification-attempts.json @@ -0,0 +1,20 @@ +{ + "schema_version": 1, + "attempts": [ + { + "timestamp": 1784057083, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "73f075cd5d585504d38fe2bd719e61ceb110ee8105fc15ab75a1a840c982711b", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [] + } + ] +} diff --git a/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification.json b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification.json new file mode 100644 index 0000000..89d1c1d --- /dev/null +++ b/.specsync/changes/CHG-0003-complete-truthful-extensionless-coverage-and-lifecycle-scope-for-the-github-plug/verification.json @@ -0,0 +1,16 @@ +{ + "timestamp": 1784057083, + "commit": "d429bd93845ee8ffc172778967bd7af4039476bb", + "contract_digest": "73f075cd5d585504d38fe2bd719e61ceb110ee8105fc15ab75a1a840c982711b", + "workspace_digest": "4baa0369869aa10c17d1f303ed442a2ffd5e959e1b708c64d871bf34d390a063", + "acceptance_input_digest": "853d9c6ffec54365b43881e709b8de9993a43b5dea2336b1b559c67672ebe90c", + "passed": true, + "commands": [ + { + "command": "fledge lanes run verify", + "success": true, + "exit_code": 0 + } + ], + "requirement_ids": [] +} diff --git a/.specsync/config.toml b/.specsync/config.toml new file mode 100644 index 0000000..4f51cfe --- /dev/null +++ b/.specsync/config.toml @@ -0,0 +1,13 @@ +# SpecSync 5 configuration +# Docs: https://github.com/CorvidLabs/spec-sync + +specs_dir = "specs" +source_dirs = ["bin"] +include_extensionless = true +exclude_dirs = [] +exclude_patterns = [] +required_sections = ["Purpose", "Public API", "Invariants", "Behavioral Examples", "Error Cases", "Dependencies", "Change Log"] +enforcement = "strict" + +[lifecycle] +track_history = false diff --git a/.specsync/registry.toml b/.specsync/registry.toml new file mode 100644 index 0000000..1601f12 --- /dev/null +++ b/.specsync/registry.toml @@ -0,0 +1,5 @@ +[registry] +name = "fledge-plugin-github-trust-wave4" + +[specs] +github = "specs/github/github.spec.md" diff --git a/.specsync/sdd.json b/.specsync/sdd.json new file mode 100644 index 0000000..3fde2da --- /dev/null +++ b/.specsync/sdd.json @@ -0,0 +1,29 @@ +{ + "version": 1, + "enabled": true, + "require_change_for_meaningful_files": true, + "meaningful_paths": [ + "bin/", + "specs/", + ".claude/", + ".codex/", + ".cursor/", + ".gemini/", + ".github/", + ".attest.json", + ".augur.toml", + ".trust.toml", + "README.md", + "AGENTS.md", + "plugin.toml", + "fledge.toml" + ], + "ignored_paths": [ + ".specsync/" + ], + "verification_commands": [ + "fledge lanes run verify" + ], + "custom_artifacts": {}, + "principles_file": null +} diff --git a/.specsync/version b/.specsync/version new file mode 100644 index 0000000..6b244dc --- /dev/null +++ b/.specsync/version @@ -0,0 +1 @@ +5.0.1 diff --git a/.trust.toml b/.trust.toml new file mode 100644 index 0000000..12e0013 --- /dev/null +++ b/.trust.toml @@ -0,0 +1,22 @@ +schema_version = 1 +profile = "standard" + +[lifecycle] +command = ["fledge", "lanes", "run", "verify"] + +[contract] +enabled = true +require_coverage = 100 +skip_reason = "" + +[risk] +threshold = "block" + +[provenance] +mode = "soft" +policy = ".attest.json" +skip_reason = "" + +[atlas] +enabled = false +skip_reason = "Standalone Pages publication remains independently managed" diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..3da08a2 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,12 @@ + +## CorvidLabs trust toolchain + +This repository uses one trust gate. Every session must use it and must not bypass or weaken it. + +- Run `fledge trust verify` before calling a change complete. +- Keep module specs synchronized with implementation changes. +- Treat an Augur block verdict as a hard stop that must be surfaced and de-risked. +- Record and verify provenance with Attest after the repository's verification lane passes. +- Keep generated trust configuration and this managed block in place. + + diff --git a/fledge.toml b/fledge.toml new file mode 100644 index 0000000..01c0d67 --- /dev/null +++ b/fledge.toml @@ -0,0 +1,9 @@ +# fledge.toml: project task definitions +[tasks] +lint = "shellcheck --severity=warning bin/*" +syntax = "bash -n bin/*" +smoke = "for executable in bin/fledge-github*; do \"$executable\" --help >/dev/null; done" + +[lanes.verify] +description = "Lint, syntax-check, and smoke-test every GitHub plugin executable" +steps = ["lint", "syntax", "smoke"] diff --git a/specs/github/context.md b/specs/github/context.md new file mode 100644 index 0000000..85ec984 --- /dev/null +++ b/specs/github/context.md @@ -0,0 +1,19 @@ +--- +spec: github.spec.md +--- + +## Context + +This plugin keeps forge-specific functionality outside fledge core while supporting humans and agents through a consistent nested command surface. + +## Related Modules + +- GitHub CLI and API +- Git managed workspaces +- Merlin daemon event schema + +## Design Decisions + +- Delegate authentication and API compatibility to `gh`. +- Bound destructive workspace cleanup by validated roots. +- Keep mutation commands explicit and read commands composable. diff --git a/specs/github/github.spec.md b/specs/github/github.spec.md new file mode 100644 index 0000000..92df282 --- /dev/null +++ b/specs/github/github.spec.md @@ -0,0 +1,75 @@ +--- +module: github +version: 2 +status: active +files: + - bin/fledge-github + - bin/fledge-github-checks + - bin/fledge-github-issues + - bin/fledge-github-poll + - bin/fledge-github-prs + - bin/fledge-github-repo + +db_tables: [] +depends_on: [] +--- + +# GitHub + +## Purpose + +Provide a nested fledge GitHub surface over authenticated `gh` and Git: pull request and issue operations, check status, repository reads/clones, safety-scoped managed workspaces, and structured event polling. + +## Public API + +| Surface | Behavior | +|---------|----------| +| pull requests | List/view/create/comment/review/merge/close/reopen, including cross-repository targeting and JSON. | +| issues | List/view/create/comment/close/reopen, including labels, assignees, comments, cross-repository targeting, and JSON. | +| repository | View metadata, read files/directories at refs, clone, and manage bounded workspaces. | +| checks | Read check-run status for a branch or target repository. | +| poll | Emit structured issue/PR events for daemon consumers. | +| dispatcher | Route nested commands and provide stable help/usage. | + +## Invariants + +1. Cross-repository `-R` targeting is forwarded consistently to supported subcommands. +2. Read-only JSON modes preserve raw/structured API data without human formatting. +3. Mutating PR/issue/review/merge operations require explicit subcommands and arguments. +4. AI-assisted PR creation requires user confirmation/edit/abort before opening a PR. +5. Workspace cleanup refuses paths outside the configured workspace root or recognized legacy prefix. +6. Workspace push operates only inside a validated managed workspace and reports its branch/repository/path. +7. File reads decode files and list directories without writing repository state. +8. Poll output retains the daemon event schema and deterministic ordering/cursor semantics. + +## Behavioral Examples + +``` +Given a managed workspace path outside the configured workspace root +When workspace-clean is requested +Then the command refuses deletion and exits non-zero +``` + +## Error Cases + +| Error | When | Behavior | +|-------|------|----------| +| Missing gh/authentication | A GitHub API command runs without usable `gh` auth | Surface the `gh` failure and exit non-zero. | +| Invalid subcommand/options | CLI input does not match the selected surface | Print scoped usage and exit non-zero. | +| Missing mutation body/title | Create/comment/review requires absent content | Reject before calling GitHub. | +| Unsafe workspace path | Push/clean path is not recognized as managed | Refuse the operation. | +| Missing repository/ref/path | API lookup cannot resolve input | Surface the GitHub response without local mutation. | +| Failed checks | Read check status contains failures | Report aggregate failed state while preserving individual results. | + +## Dependencies + +- authenticated GitHub CLI and Git +- Bash, Python 3, awk, and base64 +- fledge AI command only for explicitly selected AI-assisted PR creation + +## Change Log + +| Version | Date | Changes | +|---------|------|---------| +| 1 | 2026-07-12 | Document existing GitHub command and workspace safety behavior for SpecSync 5 adoption. | +| 2 | 2026-07-13 | CHG-0001-adopt-specsync-5-0-1-and-trust-1-0-0-governance-for-the-github-fledge-plugin: Adopt SpecSync 5.0.1 and Trust 1.0.0 governance for the GitHub Fledge plugin | diff --git a/specs/github/requirements.md b/specs/github/requirements.md new file mode 100644 index 0000000..ed6e9f3 --- /dev/null +++ b/specs/github/requirements.md @@ -0,0 +1,42 @@ +--- +spec: github.spec.md +--- + +## User Stories + +- As a developer, I want GitHub PR, issue, repository, and check operations under one fledge namespace. +- As an agent, I want bounded workspaces and structured JSON/event output for safe automation. + +## Acceptance Criteria + +### REQ-github-001 + +The plugin SHALL provide the documented PR, issue, repository, checks, and poll subcommands through authenticated `gh`. + +Acceptance Criteria +- Offline help succeeds for every `bin/fledge-github*` executable without creating external state. +- Authenticated GitHub reads and mutations remain separately authorized. + +### REQ-github-002 + +Supported operations SHALL accept explicit cross-repository targeting and JSON output. + +### REQ-github-003 + +Workspace push and cleanup SHALL reject paths outside recognized managed workspace roots. + +### REQ-github-004 + +AI-assisted PR creation SHALL require confirmation, editing, or abort before creating external state. + +### REQ-github-005 + +Poll output SHALL preserve structured daemon event fields and cursor filtering. + +## Constraints + +- Requires authenticated `gh`, Git, Bash, and network access for live operations. + +## Out of Scope + +- Non-GitHub forges and automatic mutation without explicit command/arguments. diff --git a/specs/github/tasks.md b/specs/github/tasks.md new file mode 100644 index 0000000..764a0a7 --- /dev/null +++ b/specs/github/tasks.md @@ -0,0 +1,8 @@ +--- +spec: github.spec.md +--- + +## Tasks + +- [x] Document command and workspace safety behavior. +- [x] Preserve ShellCheck, Bash syntax, and help smokes without live GitHub mutation. diff --git a/specs/github/testing.md b/specs/github/testing.md new file mode 100644 index 0000000..2c1c088 --- /dev/null +++ b/specs/github/testing.md @@ -0,0 +1,12 @@ +--- +spec: github.spec.md +--- + +## Test Plan + +### Integration Tests + +- `shellcheck --severity=warning bin/*` +- `bash -n bin/*` +- Run `--help` on every executable. +- Authenticated live reads/mutations remain independently authorized.