Skip to content

[spdd] Daily spec work plan - 2026-07-08 #44357

Description

@github-actions

Summary

This run reviewed 5 specification files (rotation index 10–14/29), focusing on model alias resolution, repository package management, safe output gateway, GitHub MCP access control, and guard policies. All five specifications are in Draft status and carry concrete implementation gaps, open sync items, and ambiguous safeguard conditions suitable for today's work queue.


Priority Work Queue

P0 — Missing/broken safeguards or requirements

  • safe-outputs-specification.md §7 sync follow-up: handler definitions lack exact function-name cross-references for 15+ output types (explicitly marked [Open]).
  • safe-outputs-specification.md §8.3: MCE1–MCE5 MCP Server Constraint Enforcement requirements are not yet mapped to implementation calls (explicitly marked [Open]).
  • guard-policies-specification.md GP-11: cross-field consistency rule (allowed-repos non-all requires min-integrity) is specified but Sync Notes do not confirm a test covering this combination.

P1 — Weak or missing REASONS canvas sections

  • model-alias-specification.md: No Operations section describing the runtime resolution lifecycle step-by-step (§8 is algorithm pseudocode but lacks normative operation ordering for callers).
  • repository-package-manifest-specification.md: §5.3 Remove lifecycle lacks a README.md removal policy — R-PKG-R001 through R-PKG-R004 say nothing about whether the package-installed README.md is also removed.
  • github-mcp-access-control-specification.md (scratchpad): §11 Compliance Testing section exists but no compliance fixture directory is referenced (compare: specs/github-mcp-access-control-compliance/ exists — connection to spec is undocumented).

P2 — Maintenance and norms improvements

  • guard-policies-specification.md: repos deprecation removal target is "tentatively v2.0.0" with no tracking issue or timeline — needs a concrete milestone or issue reference.
  • model-alias-specification.md §14 Sync Notes: "last verified 2026-06-01" — over a month stale; needs a re-verification pass against current implementation files.
  • repository-package-manifest-specification.md §12 Sync Notes: §5 Install ordering sub-section is listed but pkg/cli/add_command.go download-compile-write sequence is not verified against R-PKG-003 rollback requirement.

SPDD Checklist

  • /spdd-sync safe-outputs §7: Add exact function-name cross-references for all 15+ safe output type handlers from actions/setup/js/safe_outputs_handlers.cjs into docs/src/content/docs/specs/safe-outputs-specification.md §7 handler table. Done when: every handler row names the implementing function.
  • /spdd-sync safe-outputs §8.3: Map MCE1–MCE5 MCP Server Constraint Enforcement requirements to specific validation call sites in actions/setup/js/safe_outputs_mcp_server.cjs and add references in the §8 Sync Notes table. Done when: MCE1–MCE5 all have an Implementation File(s) entry.
  • /spdd-analysis guard-policies GP-11 test coverage: Verify pkg/workflow/tools_validation_github.go has a test asserting a compilation error when allowed-repos is non-"all" and min-integrity is absent. Add test if missing. Done when: go test ./pkg/workflow/... passes with a GP-11 cross-field test.
  • /spdd-generate model-alias Operations section: Draft a normative §16 (Operations) for docs/src/content/docs/specs/model-alias-specification.md describing the caller-facing runtime resolution lifecycle (invoke, depth counter, visited set, result or error). Done when: section exists with at least 4 normative steps.
  • /spdd-generate repo-manifest Remove + README: Clarify §5.3 of docs/src/content/docs/specs/repository-package-manifest-specification.md to state whether a package-installed README.md is deleted on remove (R-PKG-R001 scope). Done when: a normative statement covers README.md removal behaviour.
  • /spdd-sync MCP access-control compliance fixtures: Add a reference in scratchpad/github-mcp-access-control-specification.md §11 Compliance Testing to specs/github-mcp-access-control-compliance/ directory. Done when: spec section links to or names the fixture directory.
  • /spdd-sync guard-policies repos deprecation milestone: Replace "tentatively v2.0.0" in scratchpad/guard-policies-specification.md with a concrete tracking issue or milestone reference. Done when: a GitHub issue number or milestone label appears in the deprecation note.
  • /spdd-sync model-alias Sync Notes re-verify: Re-verify §14 implementation-file mapping in docs/src/content/docs/specs/model-alias-specification.md against current pkg/workflow/model_alias_validation.go, pkg/workflow/model_aliases.go. Update "last verified" date. Done when: date is ≤ 30 days old and any stale file paths are corrected.
  • /spdd-sync repo-manifest R-PKG-003 rollback test: Confirm pkg/cli/add_command.go write-failure rollback path is tested in pkg/cli/ test files; add a test if absent. Done when: a test exercises the rollback branch and go test ./pkg/cli/... passes.

Per-Spec Findings

📄 model-alias-specification.md (v1.2.0 Draft)

Analysis

  • Strong W3C-style spec with complete ABNF grammar, REASONS canvas, compliance test suite, and change log.
  • §14 Sync Notes are functional but stale (last verified 2026-06-01).
  • No normative Operations section for callers — §8 is an algorithm but it is written for implementors, not workflow authors.

REASONS Canvas gaps

  • ✅ Requirements — comprehensive, V-MAF-* IDs
  • ✅ Entities — Alias Map, Model Identifier, etc.
  • ⚠️ Approach — §8 is detailed but no plain-language overview for workflow authors
  • ✅ Structure — ABNF grammar, §4
  • ⚠️ Operations — runtime resolution lifecycle not exposed as normative caller contract
  • ✅ Norms — §15 reference table complete
  • ✅ Safeguards — §13 R-MAF-S001 through R-MAF-S007

Concrete tasks: sync notes re-verify, add Operations section

📄 repository-package-manifest-specification.md (v0.2.0 Draft)

Analysis

  • Well-structured; strong §10 Safeguards and §11 Norms; §12 Sync Notes present with verified implementation mappings.
  • §5.3 Remove lifecycle underspecified for README.md: R-PKG-R001 says "only package-installed files" but README.md handling is unaddressed.
  • §12 Sync Notes list install ordering but do not confirm rollback test coverage for R-PKG-003.

REASONS Canvas gaps

  • ✅ Requirements — full R-PKG-* table
  • ✅ Entities — manifest fields §4
  • ⚠️ Approach — install/update/remove coverage complete; rollback test parity unverified
  • ✅ Structure — YAML manifest table
  • ✅ Operations — §5.1, §5.2, §5.3 lifecycle steps
  • ✅ Norms — §11
  • ⚠️ Safeguards — R-PKG-003 rollback implementation unverified via test

Concrete tasks: clarify README removal in §5.3, add/verify rollback test

📄 safe-outputs-specification.md (v1.24.0 Working Draft)

Analysis

  • Most mature spec in this batch. Extensive §7 handler catalog, §9 sanitization pipeline, §11 Cache Memory Integrity.
  • Two explicitly open sync items: §7 handler function-name cross-references and §8.3 MCE1–MCE5 mapping.
  • No Last verified timestamp on Sync Notes — staleness is unknown.

REASONS Canvas gaps

  • ✅ Requirements — P1–P4 principles, SP* properties
  • ✅ Entities — MCP Gateway, Safe Output Type, Handler, etc.
  • ✅ Approach — §3 Security Architecture
  • ✅ Structure — §4 Structural Components
  • ⚠️ Operations — §8.3 MCE1–MCE5 not mapped to implementation
  • ✅ Norms — implicit throughout (formal norms section absent — minor gap)
  • ✅ Safeguards — §9, §10, §11

Concrete tasks: add §7 function references, map §8.3 MCE requirements

📄 scratchpad/github-mcp-access-control-specification.md (v1.1.0 Draft)

Analysis

  • Detailed access control spec with two conformance levels, a three-layer architecture diagram, configuration flow, and §11 Compliance Testing.
  • specs/github-mcp-access-control-compliance/ directory exists in the repo but is not referenced in the spec.
  • Scratchpad location suggests it may need promotion to docs/src/content/docs/specs/.

REASONS Canvas gaps

  • ✅ Requirements — Level 1 and Level 2 conformance classes
  • ✅ Entities — allowed-repos, roles, min-integrity, blocked-users, etc.
  • ✅ Approach — §3 Architecture diagram
  • ✅ Structure — §4 Configuration Format
  • ✅ Operations — §8 Integrity Level Management
  • ⚠️ Norms — normative IDs absent (requirements written as prose MUST/SHOULD without short IDs)
  • ⚠️ Safeguards — compliance fixture directory not linked

Concrete tasks: link compliance fixture directory in §11, add normative IDs

📄 scratchpad/guard-policies-specification.md (v0.1.0 Draft)

Analysis

  • Comprehensive for a 0.1.0 draft: GP-01 through GP-11 requirements, GP-S001 through GP-S005 safeguards, and Sync Notes with last verified 2026-07-03.
  • repos deprecation removal target is vague ("tentatively v2.0.0").
  • GP-11 cross-field consistency rule has no corresponding test entry in Sync Notes.

REASONS Canvas gaps

  • ✅ Requirements — GP-01 through GP-11
  • ✅ Entities — GitHubReposScope, GitHubIntegrityLevel, GitHubToolConfig
  • ✅ Approach — §4 derivation rules
  • ✅ Structure — type hierarchy diagram
  • ✅ Operations — GP-05 through GP-08 derivation steps
  • ✅ Norms — GP requirements inline
  • ⚠️ Safeguards — GP-S003 implementation test not confirmed in Sync Notes

Concrete tasks: confirm GP-11/GP-S003 test, set concrete deprecation milestone


Sync Follow-ups

  1. safe-outputs §7 handler cross-references — Open item in spec; assign to next engineering sprint that touches actions/setup/js/safe_outputs_handlers.cjs.
  2. safe-outputs §8.3 MCE mapping — Open item; pair with any refactor of actions/setup/js/safe_outputs_mcp_server.cjs.
  3. guard-policies repos removal milestone — Track in a GitHub issue or project milestone; update spec once milestone is set.
  4. github-mcp-access-control promotion from scratchpad — Evaluate moving to docs/src/content/docs/specs/ once compliance fixtures are linked and normative IDs are added.
  5. model-alias §14 last-verified refresh — Schedule for any PR touching pkg/workflow/model_alias*.go.

Context

Item Value
Files reviewed model-alias-specification.md, repository-package-manifest-specification.md, safe-outputs-specification.md, scratchpad/github-mcp-access-control-specification.md, scratchpad/guard-policies-specification.md
Rotation index 10–14 of 29 total spec files
Previous run 2026-07-07 (index 5–9)
Workflow run §28958345719

References:

Generated by 📋 Daily SPDD Spec Planner · 61.8 AIC · ⌖ 8.77 AIC · ⊞ 4.8K ·

  • expires on Jul 11, 2026, 8:33 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions