Summary
This run reviewed 5 specification files (rotation index 10–14/29), focusing on model alias resolution, repository package management, safe output gateway, GitHub MCP access control, and guard policies. All five specifications are in Draft status and carry concrete implementation gaps, open sync items, and ambiguous safeguard conditions suitable for today's work queue.
Priority Work Queue
P0 — Missing/broken safeguards or requirements
safe-outputs-specification.md §7 sync follow-up: handler definitions lack exact function-name cross-references for 15+ output types (explicitly marked [Open]).
safe-outputs-specification.md §8.3: MCE1–MCE5 MCP Server Constraint Enforcement requirements are not yet mapped to implementation calls (explicitly marked [Open]).
guard-policies-specification.md GP-11: cross-field consistency rule (allowed-repos non-all requires min-integrity) is specified but Sync Notes do not confirm a test covering this combination.
P1 — Weak or missing REASONS canvas sections
model-alias-specification.md: No Operations section describing the runtime resolution lifecycle step-by-step (§8 is algorithm pseudocode but lacks normative operation ordering for callers).
repository-package-manifest-specification.md: §5.3 Remove lifecycle lacks a README.md removal policy — R-PKG-R001 through R-PKG-R004 say nothing about whether the package-installed README.md is also removed.
github-mcp-access-control-specification.md (scratchpad): §11 Compliance Testing section exists but no compliance fixture directory is referenced (compare: specs/github-mcp-access-control-compliance/ exists — connection to spec is undocumented).
P2 — Maintenance and norms improvements
guard-policies-specification.md: repos deprecation removal target is "tentatively v2.0.0" with no tracking issue or timeline — needs a concrete milestone or issue reference.
model-alias-specification.md §14 Sync Notes: "last verified 2026-06-01" — over a month stale; needs a re-verification pass against current implementation files.
repository-package-manifest-specification.md §12 Sync Notes: §5 Install ordering sub-section is listed but pkg/cli/add_command.go download-compile-write sequence is not verified against R-PKG-003 rollback requirement.
SPDD Checklist
Per-Spec Findings
📄 model-alias-specification.md (v1.2.0 Draft)
Analysis
- Strong W3C-style spec with complete ABNF grammar, REASONS canvas, compliance test suite, and change log.
- §14 Sync Notes are functional but stale (last verified 2026-06-01).
- No normative Operations section for callers — §8 is an algorithm but it is written for implementors, not workflow authors.
REASONS Canvas gaps
- ✅ Requirements — comprehensive, V-MAF-* IDs
- ✅ Entities — Alias Map, Model Identifier, etc.
- ⚠️ Approach — §8 is detailed but no plain-language overview for workflow authors
- ✅ Structure — ABNF grammar, §4
- ⚠️ Operations — runtime resolution lifecycle not exposed as normative caller contract
- ✅ Norms — §15 reference table complete
- ✅ Safeguards — §13 R-MAF-S001 through R-MAF-S007
Concrete tasks: sync notes re-verify, add Operations section
📄 repository-package-manifest-specification.md (v0.2.0 Draft)
Analysis
- Well-structured; strong §10 Safeguards and §11 Norms; §12 Sync Notes present with verified implementation mappings.
- §5.3 Remove lifecycle underspecified for
README.md: R-PKG-R001 says "only package-installed files" but README.md handling is unaddressed.
- §12 Sync Notes list install ordering but do not confirm rollback test coverage for R-PKG-003.
REASONS Canvas gaps
- ✅ Requirements — full R-PKG-* table
- ✅ Entities — manifest fields §4
- ⚠️ Approach — install/update/remove coverage complete; rollback test parity unverified
- ✅ Structure — YAML manifest table
- ✅ Operations — §5.1, §5.2, §5.3 lifecycle steps
- ✅ Norms — §11
- ⚠️ Safeguards — R-PKG-003 rollback implementation unverified via test
Concrete tasks: clarify README removal in §5.3, add/verify rollback test
📄 safe-outputs-specification.md (v1.24.0 Working Draft)
Analysis
- Most mature spec in this batch. Extensive §7 handler catalog, §9 sanitization pipeline, §11 Cache Memory Integrity.
- Two explicitly open sync items: §7 handler function-name cross-references and §8.3 MCE1–MCE5 mapping.
- No
Last verified timestamp on Sync Notes — staleness is unknown.
REASONS Canvas gaps
- ✅ Requirements — P1–P4 principles, SP* properties
- ✅ Entities — MCP Gateway, Safe Output Type, Handler, etc.
- ✅ Approach — §3 Security Architecture
- ✅ Structure — §4 Structural Components
- ⚠️ Operations — §8.3 MCE1–MCE5 not mapped to implementation
- ✅ Norms — implicit throughout (formal norms section absent — minor gap)
- ✅ Safeguards — §9, §10, §11
Concrete tasks: add §7 function references, map §8.3 MCE requirements
📄 scratchpad/github-mcp-access-control-specification.md (v1.1.0 Draft)
Analysis
- Detailed access control spec with two conformance levels, a three-layer architecture diagram, configuration flow, and §11 Compliance Testing.
specs/github-mcp-access-control-compliance/ directory exists in the repo but is not referenced in the spec.
- Scratchpad location suggests it may need promotion to
docs/src/content/docs/specs/.
REASONS Canvas gaps
- ✅ Requirements — Level 1 and Level 2 conformance classes
- ✅ Entities —
allowed-repos, roles, min-integrity, blocked-users, etc.
- ✅ Approach — §3 Architecture diagram
- ✅ Structure — §4 Configuration Format
- ✅ Operations — §8 Integrity Level Management
- ⚠️ Norms — normative IDs absent (requirements written as prose MUST/SHOULD without short IDs)
- ⚠️ Safeguards — compliance fixture directory not linked
Concrete tasks: link compliance fixture directory in §11, add normative IDs
📄 scratchpad/guard-policies-specification.md (v0.1.0 Draft)
Analysis
- Comprehensive for a 0.1.0 draft: GP-01 through GP-11 requirements, GP-S001 through GP-S005 safeguards, and Sync Notes with last verified 2026-07-03.
repos deprecation removal target is vague ("tentatively v2.0.0").
- GP-11 cross-field consistency rule has no corresponding test entry in Sync Notes.
REASONS Canvas gaps
- ✅ Requirements — GP-01 through GP-11
- ✅ Entities —
GitHubReposScope, GitHubIntegrityLevel, GitHubToolConfig
- ✅ Approach — §4 derivation rules
- ✅ Structure — type hierarchy diagram
- ✅ Operations — GP-05 through GP-08 derivation steps
- ✅ Norms — GP requirements inline
- ⚠️ Safeguards — GP-S003 implementation test not confirmed in Sync Notes
Concrete tasks: confirm GP-11/GP-S003 test, set concrete deprecation milestone
Sync Follow-ups
- safe-outputs §7 handler cross-references — Open item in spec; assign to next engineering sprint that touches
actions/setup/js/safe_outputs_handlers.cjs.
- safe-outputs §8.3 MCE mapping — Open item; pair with any refactor of
actions/setup/js/safe_outputs_mcp_server.cjs.
- guard-policies
repos removal milestone — Track in a GitHub issue or project milestone; update spec once milestone is set.
- github-mcp-access-control promotion from scratchpad — Evaluate moving to
docs/src/content/docs/specs/ once compliance fixtures are linked and normative IDs are added.
- model-alias §14 last-verified refresh — Schedule for any PR touching
pkg/workflow/model_alias*.go.
Context
| Item |
Value |
| Files reviewed |
model-alias-specification.md, repository-package-manifest-specification.md, safe-outputs-specification.md, scratchpad/github-mcp-access-control-specification.md, scratchpad/guard-policies-specification.md |
| Rotation index |
10–14 of 29 total spec files |
| Previous run |
2026-07-07 (index 5–9) |
| Workflow run |
§28958345719 |
References:
Generated by 📋 Daily SPDD Spec Planner · 61.8 AIC · ⌖ 8.77 AIC · ⊞ 4.8K · ◷
Summary
This run reviewed 5 specification files (rotation index 10–14/29), focusing on model alias resolution, repository package management, safe output gateway, GitHub MCP access control, and guard policies. All five specifications are in Draft status and carry concrete implementation gaps, open sync items, and ambiguous safeguard conditions suitable for today's work queue.
Priority Work Queue
P0 — Missing/broken safeguards or requirements
safe-outputs-specification.md§7 sync follow-up: handler definitions lack exact function-name cross-references for 15+ output types (explicitly marked[Open]).safe-outputs-specification.md§8.3: MCE1–MCE5 MCP Server Constraint Enforcement requirements are not yet mapped to implementation calls (explicitly marked[Open]).guard-policies-specification.mdGP-11: cross-field consistency rule (allowed-reposnon-allrequiresmin-integrity) is specified but Sync Notes do not confirm a test covering this combination.P1 — Weak or missing REASONS canvas sections
model-alias-specification.md: No Operations section describing the runtime resolution lifecycle step-by-step (§8 is algorithm pseudocode but lacks normative operation ordering for callers).repository-package-manifest-specification.md: §5.3 Remove lifecycle lacks aREADME.mdremoval policy — R-PKG-R001 through R-PKG-R004 say nothing about whether the package-installedREADME.mdis also removed.github-mcp-access-control-specification.md(scratchpad): §11 Compliance Testing section exists but no compliance fixture directory is referenced (compare:specs/github-mcp-access-control-compliance/exists — connection to spec is undocumented).P2 — Maintenance and norms improvements
guard-policies-specification.md:reposdeprecation removal target is "tentatively v2.0.0" with no tracking issue or timeline — needs a concrete milestone or issue reference.model-alias-specification.md§14 Sync Notes: "last verified 2026-06-01" — over a month stale; needs a re-verification pass against current implementation files.repository-package-manifest-specification.md§12 Sync Notes: §5 Install ordering sub-section is listed butpkg/cli/add_command.godownload-compile-write sequence is not verified against R-PKG-003 rollback requirement.SPDD Checklist
/spdd-syncsafe-outputs §7: Add exact function-name cross-references for all 15+ safe output type handlers fromactions/setup/js/safe_outputs_handlers.cjsintodocs/src/content/docs/specs/safe-outputs-specification.md§7 handler table. Done when: every handler row names the implementing function./spdd-syncsafe-outputs §8.3: Map MCE1–MCE5 MCP Server Constraint Enforcement requirements to specific validation call sites inactions/setup/js/safe_outputs_mcp_server.cjsand add references in the §8 Sync Notes table. Done when: MCE1–MCE5 all have anImplementation File(s)entry./spdd-analysisguard-policies GP-11 test coverage: Verifypkg/workflow/tools_validation_github.gohas a test asserting a compilation error whenallowed-reposis non-"all"andmin-integrityis absent. Add test if missing. Done when:go test ./pkg/workflow/...passes with a GP-11 cross-field test./spdd-generatemodel-alias Operations section: Draft a normative §16 (Operations) fordocs/src/content/docs/specs/model-alias-specification.mddescribing the caller-facing runtime resolution lifecycle (invoke, depth counter, visited set, result or error). Done when: section exists with at least 4 normative steps./spdd-generaterepo-manifest Remove + README: Clarify §5.3 ofdocs/src/content/docs/specs/repository-package-manifest-specification.mdto state whether a package-installedREADME.mdis deleted on remove (R-PKG-R001 scope). Done when: a normative statement coversREADME.mdremoval behaviour./spdd-syncMCP access-control compliance fixtures: Add a reference inscratchpad/github-mcp-access-control-specification.md§11 Compliance Testing tospecs/github-mcp-access-control-compliance/directory. Done when: spec section links to or names the fixture directory./spdd-syncguard-policiesreposdeprecation milestone: Replace "tentatively v2.0.0" inscratchpad/guard-policies-specification.mdwith a concrete tracking issue or milestone reference. Done when: a GitHub issue number or milestone label appears in the deprecation note./spdd-syncmodel-alias Sync Notes re-verify: Re-verify §14 implementation-file mapping indocs/src/content/docs/specs/model-alias-specification.mdagainst currentpkg/workflow/model_alias_validation.go,pkg/workflow/model_aliases.go. Update "last verified" date. Done when: date is ≤ 30 days old and any stale file paths are corrected./spdd-syncrepo-manifest R-PKG-003 rollback test: Confirmpkg/cli/add_command.gowrite-failure rollback path is tested inpkg/cli/test files; add a test if absent. Done when: a test exercises the rollback branch andgo test ./pkg/cli/...passes.Per-Spec Findings
📄 model-alias-specification.md (v1.2.0 Draft)
Analysis
REASONS Canvas gaps
Concrete tasks: sync notes re-verify, add Operations section
📄 repository-package-manifest-specification.md (v0.2.0 Draft)
Analysis
README.md: R-PKG-R001 says "only package-installed files" butREADME.mdhandling is unaddressed.REASONS Canvas gaps
Concrete tasks: clarify README removal in §5.3, add/verify rollback test
📄 safe-outputs-specification.md (v1.24.0 Working Draft)
Analysis
Last verifiedtimestamp on Sync Notes — staleness is unknown.REASONS Canvas gaps
Concrete tasks: add §7 function references, map §8.3 MCE requirements
📄 scratchpad/github-mcp-access-control-specification.md (v1.1.0 Draft)
Analysis
specs/github-mcp-access-control-compliance/directory exists in the repo but is not referenced in the spec.docs/src/content/docs/specs/.REASONS Canvas gaps
allowed-repos,roles,min-integrity,blocked-users, etc.Concrete tasks: link compliance fixture directory in §11, add normative IDs
📄 scratchpad/guard-policies-specification.md (v0.1.0 Draft)
Analysis
reposdeprecation removal target is vague ("tentatively v2.0.0").REASONS Canvas gaps
GitHubReposScope,GitHubIntegrityLevel,GitHubToolConfigConcrete tasks: confirm GP-11/GP-S003 test, set concrete deprecation milestone
Sync Follow-ups
actions/setup/js/safe_outputs_handlers.cjs.actions/setup/js/safe_outputs_mcp_server.cjs.reposremoval milestone — Track in a GitHub issue or project milestone; update spec once milestone is set.docs/src/content/docs/specs/once compliance fixtures are linked and normative IDs are added.pkg/workflow/model_alias*.go.Context
model-alias-specification.md,repository-package-manifest-specification.md,safe-outputs-specification.md,scratchpad/github-mcp-access-control-specification.md,scratchpad/guard-policies-specification.mdReferences: