feat: enforce manifest inventory and safety boundaries

.planning/ROADMAP.md

@@ -30,7 +30,7 @@ CAS Workstation v1 progresses from a functional seed to a trustworthy desired-st
 3. Versioned schemas exist for all planned product contracts, with positive and negative fixtures.
 4. Architecture decision and requirement traceability conventions are documented and tested.
 
-### Phase 2: Manifest, Inventory, and Safety Boundaries
+### Phase 2: Manifest, Inventory, and Safety Boundaries (Complete: 2026-06-11)
 
 **Goal:** CAS can safely resolve desired state, inventory actual state, and prove ownership and path safety before mutation.
 

.planning/STATE.md

@@ -3,14 +3,13 @@ gsd_state_version: 1.0
 milestone: v1.0
 milestone_name: milestone
 status: ready_to_plan
-last_updated: 2026-06-11T10:36:59.864Z
+last_updated: "2026-06-11T19:11:00.000Z"
 progress:
   total_phases: 7
-  completed_phases: 1
-  total_plans: 3
-  completed_plans: 3
-  percent: 14
-stopped_at: Phase 1 complete (3/3) — ready to discuss Phase 2
+  completed_phases: 2
+  total_plans: 6
+  completed_plans: 6
+  percent: 29
 ---
 
 # Project State
@@ -19,22 +18,22 @@ stopped_at: Phase 1 complete (3/3) — ready to discuss Phase 2
 
 See: `.planning/PROJECT.md` (updated 2026-06-11)
 
-**Core value:** An AI developer can run one safe, repeatable workflow and receive a complete, working workstation without manually discovering or reconciling prerequisites.  
-**Current focus:** Phase 2 — manifest, inventory, and safety boundaries
+**Core value:** An AI developer can run one safe, repeatable workflow and receive a complete, working workstation without manually discovering or reconciling prerequisites.
+**Current focus:** Phase 3 - transactional plan and apply engine
 
 ## Current Position
 
-Phase: 2
+Phase: 3
 Plan: Not started
 
 - Project initialization: complete
 - Research: complete
 - Requirements: 35 v1 requirements, all mapped
 - Roadmap: 7 phases
-- Completed phase: Phase 1 — Governance and Quality Foundation
-- Active phase: Phase 2 — Manifest, Inventory, and Safety Boundaries
-- Phase 1 plans: 3/3 complete
-- Implementation: Phase 1 verified
+- Completed phases: Phase 1 and Phase 2
+- Active phase: Phase 3 - Transactional Plan and Apply Engine
+- Phase 2 plans: 3/3 complete
+- Implementation: Phase 2 verified
 
 ## Workflow
 
@@ -48,7 +47,7 @@ Plan: Not started
 
 ## Next Action
 
-Run `$gsd-discuss-phase 2` before planning Manifest, Inventory, and Safety Boundaries.
+Run `$gsd-discuss-phase 3` before planning Transactional Plan and Apply Engine.
 
 ## Decisions and Risks
 

.planning/phases/02-manifest-inventory-and-safety-boundaries/02-01-PLAN.md

@@ -0,0 +1,84 @@
+---
+phase: 02-manifest-inventory-and-safety-boundaries
+plan: 01
+type: execute
+wave: 1
+depends_on: []
+files_modified:
+  - stack.manifest.json
+  - schemas/manifest.schema.json
+  - tests/fixtures/contracts/manifest.valid.json
+  - tests/fixtures/contracts/manifest.invalid.json
+  - scripts/Cas.Workstation.psm1
+  - tests/Manifest.Tests.ps1
+autonomous: true
+requirements:
+  - MAN-01
+  - MAN-02
+  - MAN-03
+  - MAN-04
+  - MAN-05
+must_haves:
+  truths:
+    - "D-01 D-02 D-03: Invalid, ambiguous, or unallowlisted manifest content fails before operational external process execution."
+    - "D-04: Profile resolution and desired-state digest are deterministic and inspectable."
+    - "D-05 D-06: Compatibility and inventory findings are structured and never claim pre-existing resources."
+  artifacts:
+    - path: "scripts/Cas.Workstation.psm1"
+      provides: "Validated manifest resolution, digest, and compatibility inventory"
+      contains: "Resolve-CasDesiredState"
+    - path: "tests/Manifest.Tests.ps1"
+      provides: "Manifest, allowlist, determinism, and compatibility regression coverage"
+      contains: "Describe"
+  key_links:
+    - from: "scripts/Cas.Workstation.psm1"
+      to: "schemas/manifest.schema.json"
+      via: "strict manifest contract and semantic validation"
+      pattern: "Test-CasManifest"
+---
+
+<objective>
+Establish strict declarative manifest resolution and structured compatibility inventory.
+
+Purpose: No later planner or mutation path may consume ambiguous or untrusted desired state.
+Output: Strengthened manifest contract, semantic validator, normalized resolved state, deterministic digest, compatibility findings, and tests.
+</objective>
+
+<context>
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-CONTEXT.md
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-RESEARCH.md
+@stack.manifest.json
+@scripts/Cas.Workstation.psm1
+</context>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Strengthen manifest contract and fail-closed semantic validation</name>
+  <files>stack.manifest.json, schemas/manifest.schema.json, tests/fixtures/contracts/manifest.*.json, scripts/Cas.Workstation.psm1, tests/Manifest.Tests.ps1</files>
+  <action>Make profile categories explicitly required/optional, add declarative services, skills, and workspaces, tighten installer/repository/command/target contracts, and implement semantic checks for unique IDs, trusted identities, and resolvable references. Ensure Get-CasManifest validates before returning content.</action>
+  <verify>Invoke-Pester tests/Manifest.Tests.ps1</verify>
+  <done>Malformed and unallowlisted content fails with actionable errors before operational process execution.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Resolve deterministic desired state and compatibility findings</name>
+  <files>scripts/Cas.Workstation.psm1, tests/Manifest.Tests.ps1</files>
+  <action>Implement normalized profile resolution across all categories, canonical JSON plus SHA-256 digest, and structured host/tool compatibility findings. Preserve observed-only semantics for resources that already exist.</action>
+  <verify>Invoke-Pester tests/Manifest.Tests.ps1</verify>
+  <done>Equivalent manifests resolve identically and required unsupported or unknown compatibility is surfaced fail closed.</done>
+</task>
+
+</tasks>
+
+<verification>
+- [ ] Manifest tests pass.
+- [ ] Contract fixtures pass.
+- [ ] Desired-state digest is deterministic.
+</verification>
+
+<success_criteria>
+- MAN-01 through MAN-05 are satisfied.
+</success_criteria>
+
+<output>Create `02-01-SUMMARY.md` after execution.</output>

.planning/phases/02-manifest-inventory-and-safety-boundaries/02-01-SUMMARY.md

@@ -0,0 +1,34 @@
+---
+phase: 02-manifest-inventory-and-safety-boundaries
+plan: 01
+subsystem: manifest
+tags: [powershell, json-schema, desired-state, compatibility]
+requires: [01-governance-and-quality-foundation]
+provides: [validated-manifest, deterministic-desired-state, compatibility-inventory]
+affects: [02-02, 02-03, phase-3]
+key-files:
+  created: [tests/Manifest.Tests.ps1]
+  modified: [stack.manifest.json, schemas/manifest.schema.json, scripts/Cas.Workstation.psm1]
+key-decisions:
+  - "Semantic validation enforces deny-by-default operational identities before manifest use."
+  - "Desired-state digest is SHA-256 over canonical normalized JSON."
+requirements-completed: [MAN-01, MAN-02, MAN-03, MAN-04, MAN-05]
+completed: 2026-06-11
+---
+
+# Phase 2 Plan 1: Manifest Resolution Summary
+
+Strict declarative profiles now resolve all six resource categories into deterministic desired state with fail-closed allowlist and compatibility evidence.
+
+## Verification
+
+- Manifest Pester tests: 7/7 passed.
+- Full Pester regression: 18/18 passed.
+- JSON schema fixtures: passed.
+- `git diff --check`: passed.
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Self-Check: PASSED

.planning/phases/02-manifest-inventory-and-safety-boundaries/02-02-PLAN.md

@@ -0,0 +1,82 @@
+---
+phase: 02-manifest-inventory-and-safety-boundaries
+plan: 02
+type: execute
+wave: 2
+depends_on:
+  - "02-01"
+files_modified:
+  - schemas/managed-state.schema.json
+  - tests/fixtures/contracts/managed-state.valid.json
+  - tests/fixtures/contracts/managed-state.invalid.json
+  - scripts/Cas.Workstation.psm1
+  - tests/Safety.Tests.ps1
+autonomous: true
+requirements:
+  - SAFE-01
+  - SAFE-02
+  - SAFE-04
+  - SAFE-05
+must_haves:
+  truths:
+    - "D-07: Mutation targets outside approved boundaries, at forbidden roots, or behind reparse points are rejected."
+    - "D-08 D-06: The versioned ledger distinguishes created, modified, and observed resources without claiming pre-existing state."
+    - "D-09: Existing user-owned files are backed up and replaced atomically only after validation."
+  artifacts:
+    - path: "scripts/Cas.Workstation.psm1"
+      provides: "Canonical path policy, ownership ledger, and atomic JSON writes"
+      contains: "Test-CasPathBoundary"
+    - path: "tests/Safety.Tests.ps1"
+      provides: "Filesystem and ownership failure-path coverage"
+      contains: "Describe"
+  key_links:
+    - from: "scripts/Cas.Workstation.psm1"
+      to: "schemas/managed-state.schema.json"
+      via: "ledger serialization contract"
+      pattern: "Write-CasManagedState"
+---
+
+<objective>
+Establish reusable filesystem boundary, ownership-ledger, and atomic-write safety primitives.
+
+Purpose: Every later mutation and removal must be constrained by current path evidence and explicit ownership.
+Output: Strict managed-state contract, path policy, atomic state/file helpers, and failure-path tests.
+</objective>
+
+<context>
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-CONTEXT.md
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-RESEARCH.md
+@schemas/managed-state.schema.json
+@scripts/Cas.Workstation.psm1
+</context>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Implement canonical path and forbidden-root policy</name>
+  <files>scripts/Cas.Workstation.psm1, tests/Safety.Tests.ps1</files>
+  <action>Implement PowerShell 5.1-compatible canonicalization and boundary checks that require strict containment, reject drive/profile/system roots and traversal, and reject existing reparse-point targets or ancestors. Add isolated failure-path tests.</action>
+  <verify>Invoke-Pester tests/Safety.Tests.ps1</verify>
+  <done>Unsafe paths fail before mutation with actionable errors.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Strengthen ledger and atomic backup-aware writes</name>
+  <files>schemas/managed-state.schema.json, tests/fixtures/contracts/managed-state.*.json, scripts/Cas.Workstation.psm1, tests/Safety.Tests.ps1</files>
+  <action>Add explicit resource ownership and backup metadata, implement ledger validation/read/write helpers, prevent created ownership for pre-existing targets, and implement validated sibling-temp atomic JSON/file replacement with recoverable backup evidence.</action>
+  <verify>Invoke-Pester tests/Safety.Tests.ps1; .\scripts\Test-CasJsonSchema.ps1 -AllFixtures</verify>
+  <done>Ledger and file writes are atomic, validated, and cannot claim unrelated pre-existing resources.</done>
+</task>
+
+</tasks>
+
+<verification>
+- [ ] Safety tests pass without touching real workstation paths.
+- [ ] Managed-state schema fixtures pass.
+</verification>
+
+<success_criteria>
+- SAFE-01, SAFE-02, SAFE-04, and SAFE-05 are satisfied.
+</success_criteria>
+
+<output>Create `02-02-SUMMARY.md` after execution.</output>

.planning/phases/02-manifest-inventory-and-safety-boundaries/02-02-SUMMARY.md

@@ -0,0 +1,34 @@
+---
+phase: 02-manifest-inventory-and-safety-boundaries
+plan: 02
+subsystem: safety
+tags: [powershell, filesystem, ownership, atomic-write]
+requires: [02-01]
+provides: [canonical-path-policy, ownership-ledger, atomic-json-write]
+affects: [02-03, phase-3, phase-4]
+key-files:
+  created: [tests/Safety.Tests.ps1]
+  modified: [schemas/managed-state.schema.json, scripts/Cas.Workstation.psm1]
+key-decisions:
+  - "Every mutation target is revalidated against approved roots and reparse-point policy."
+  - "Created ownership requires explicit evidence that the resource did not previously exist."
+requirements-completed: [SAFE-01, SAFE-02, SAFE-04, SAFE-05]
+completed: 2026-06-11
+---
+
+# Phase 2 Plan 2: Safety Boundary Summary
+
+Canonical filesystem policy, explicit ownership evidence, and backup-aware atomic managed-state writes now constrain later mutation paths.
+
+## Verification
+
+- Safety Pester tests: 8/8 passed.
+- Full Pester regression: 26/26 passed.
+- Managed-state schema fixtures: passed.
+- PSScriptAnalyzer: zero error findings.
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Self-Check: PASSED

.planning/phases/02-manifest-inventory-and-safety-boundaries/02-03-PLAN.md

@@ -0,0 +1,84 @@
+---
+phase: 02-manifest-inventory-and-safety-boundaries
+plan: 03
+type: execute
+wave: 3
+depends_on:
+  - "02-01"
+  - "02-02"
+files_modified:
+  - uninstall.ps1
+  - scripts/Cas.Workstation.psm1
+  - tests/Uninstall.Tests.ps1
+  - docs/traceability.json
+  - README.md
+autonomous: true
+requirements:
+  - SAFE-03
+must_haves:
+  truths:
+    - "D-10: Uninstall defaults to preview and requires explicit apply intent."
+    - "D-10 D-11: Uninstall acts only on ledger-owned resources that pass current path policy."
+    - "D-11: Missing, malformed, observed-only, or unsafe evidence blocks removal without touching user state."
+  artifacts:
+    - path: "uninstall.ps1"
+      provides: "Preview-first explicit uninstall entry point"
+      contains: "Apply"
+    - path: "tests/Uninstall.Tests.ps1"
+      provides: "Ledger-only uninstall preview and apply coverage"
+      contains: "Describe"
+    - path: "docs/traceability.json"
+      provides: "Phase 2 requirement evidence"
+      contains: "SAFE-03"
+  key_links:
+    - from: "uninstall.ps1"
+      to: "scripts/Cas.Workstation.psm1"
+      via: "ledger-only uninstall domain functions"
+      pattern: "Get-CasUninstallPreview"
+---
+
+<objective>
+Replace arbitrary recursive uninstall with a preview-first ledger-only workflow and complete Phase 2 evidence.
+
+Purpose: A user must be able to inspect removal intent and trust that unrelated state cannot enter removal scope.
+Output: Safe uninstall functions and entry point, failure-path tests, documentation, and traceability evidence.
+</objective>
+
+<context>
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-CONTEXT.md
+@.planning/phases/02-manifest-inventory-and-safety-boundaries/02-RESEARCH.md
+@uninstall.ps1
+@scripts/Cas.Workstation.psm1
+</context>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Implement ledger-only uninstall preview and explicit apply</name>
+  <files>uninstall.ps1, scripts/Cas.Workstation.psm1, tests/Uninstall.Tests.ps1</files>
+  <action>Make preview the default, require an explicit Apply switch for mutation, load and validate the ownership ledger, reject observed or unsafe resources, revalidate path policy immediately before apply, restore modified resources only from recorded backups, and remove created resources in safe child-before-parent order.</action>
+  <verify>Invoke-Pester tests/Uninstall.Tests.ps1</verify>
+  <done>Uninstall cannot remove arbitrary roots or unrelated resources and fails closed on unsafe evidence.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Complete Phase 2 documentation and evidence</name>
+  <files>README.md, docs/traceability.json</files>
+  <action>Document desired-state inspection, safety boundaries, managed-state location, and preview/apply uninstall usage. Mark all Phase 2 requirements verified in traceability with direct tests and evidence commands.</action>
+  <verify>.\Invoke-Quality.ps1</verify>
+  <done>Phase 2 behavior is documented, traceable, and enforced by the full quality gate.</done>
+</task>
+
+</tasks>
+
+<verification>
+- [ ] Uninstall tests prove preview default, explicit apply, ledger-only scope, and fail-closed behavior.
+- [ ] Full quality gate passes.
+- [ ] `git diff --check` passes.
+</verification>
+
+<success_criteria>
+- SAFE-03 is satisfied and all Phase 2 requirements have executable evidence.
+</success_criteria>
+
+<output>Create `02-03-SUMMARY.md` after execution.</output>