You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Detection-job Appendix D + conclusion job docs pending
P2
replace-label-spec.md
No outcome-evaluation cross-reference in §9
P2
intent-attribution-agent-governance.md
intent-policy.json migration schema undefined
SPDD Checklist
[P0 /spdd-generate] Add replace_label to the implementation status table in specs/safe-output-outcome-evaluation.md and write its per-type evaluator section (pass/fail conditions, OTel attrs ghaw.outcome.label.removed/added). Done when type appears in both status table and conformance test table.
[P0 /spdd-generate] Add normative note in specs/security-architecture-spec.md (§8 or §9) tying role validation to pre_activation job; reference pre_activation→activation→agent→detection→safe_outputs→conclusion flow. Mark row ✅ in summary.
[P0 /spdd-generate] Audit trusted-users enforcement in specs/security-architecture-spec.md §§8–9. Add normative subsection or forward-reference to GitHub MCP access-control spec. Mark row ✅ in summary.
[P1 /spdd-generate] Add ## Norms section to specs/intent-attribution-agent-governance.md with RFC 2119 notation; convert resolution order, fail-closed rule, provenance requirement, unknown-is-not-zero to MUST/SHOULD language.
[P1 /spdd-generate] Write evaluator spec sections in specs/safe-output-outcome-evaluation.md for dispatch_workflow, update_project, update_release — each with evaluation table, API ref, and OTel attributes.
[P2 /spdd-generate] Add Appendix D example to specs/security-architecture-spec.md naming detection job as runtime threat-detection layer; document conclusion job as optional. Mark both rows ✅ in summary.
[P2 /spdd-generate] Add outcome-evaluation cross-reference in §9 of specs/replace-label-spec.md pointing to replace_label section once created.
[P2 /spdd-generate] Add draft intent-policy.json schema skeleton (version, labels map with dimension/value/weight, scoring, attribution) to specs/intent-attribution-agent-governance.md.
[/spdd-sync] After task 1: grep pkg/cli/outcome_eval.go for replace_label — add evalGenericSticky fallback or // TODO(spdd) placeholder if absent.
[/spdd-sync] After task 2: run make recompile to confirm no .lock.yml regressions.
[/spdd-sync] After task 5: file follow-up implementation issue tracking safestDefaultPolicy() wiring in the Orchestrator.
Goals: Deterministic intent layer (priority/domain/initiative/risk/root) for attribution+reporting and workflow governance.
Risks: Resolver covers only 0/1/multiple-closing-issues. Missing parent_issue, referenced_issue, project, milestone, suggestion paths. No conformance tests.
REASONS gaps: Norms ❌ (no RFC 2119), Safeguards ❌ (no config-absent or corrupted-state handling), Operations ⚠️ (Orchestrator integration point is pseudo-code only).
Goals: Atomic label swap via PUT /issues/{n}/labels. Eliminates race window in separate remove+add calls.
Risks: 55+ RL-* requirements, comprehensive 8-stage pipeline — but replace_label entirely absent from outcome evaluation spec. §9 test IDs not linked to implementation file.
REASONS gaps: Operations ⚠️ (no outcome evaluator anywhere for this type); staged-mode count semantics ambiguous to operators.
safe-output-outcome-evaluation.md v1.0.0 · Working Draft
Goals: Per-type outcome evaluation logic for all safe-output types.
Risks: 8 types not-started; replace_label completely absent. Audit NDJSON path defined but schema unspecified. Reconciliation process has no ownership.
Summary
Daily SPDD review for 2026-06-29 (rotation 3/3, files 7–11 of 14). Five specs reviewed: intent attribution & governance, OTel observability,
replace-labeltype, outcome evaluation, and security architecture summary. Top finding:replace_labelis entirely absent from the outcome evaluation spec; 4 pending security-summary maintenance tasks remain; intent-attribution spec lacks RFC 2119 norms and Safeguards.Priority Work Queue
safe-output-outcome-evaluation.mdreplace_labelabsent from status table and evaluator specsecurity-architecture-spec.mdpre_activationrole-validation note missing §§8–9; trusted-users unauditedintent-attribution-agent-governance.mdsafe-output-outcome-evaluation.mddispatch_workflow,update_project,update_releaselack evaluator specsecurity-architecture-spec-summary.mdconclusionjob docs pendingreplace-label-spec.mdintent-attribution-agent-governance.mdintent-policy.jsonmigration schema undefinedSPDD Checklist
replace_labelto the implementation status table inspecs/safe-output-outcome-evaluation.mdand write its per-type evaluator section (pass/fail conditions, OTel attrsghaw.outcome.label.removed/added). Done when type appears in both status table and conformance test table.specs/security-architecture-spec.md(§8 or §9) tying role validation topre_activationjob; referencepre_activation→activation→agent→detection→safe_outputs→conclusionflow. Mark row ✅ in summary.specs/security-architecture-spec.md§§8–9. Add normative subsection or forward-reference to GitHub MCP access-control spec. Mark row ✅ in summary.## Normssection tospecs/intent-attribution-agent-governance.mdwith RFC 2119 notation; convert resolution order, fail-closed rule, provenance requirement, unknown-is-not-zero to MUST/SHOULD language.## Safeguardssection tospecs/intent-attribution-agent-governance.md: (a) missing config →safestDefaultPolicy(); (b) corruptedIntentRecord→unlinked; (c) compile error → block + structured error.specs/safe-output-outcome-evaluation.mdfordispatch_workflow,update_project,update_release— each with evaluation table, API ref, and OTel attributes.specs/security-architecture-spec.mdnamingdetectionjob as runtime threat-detection layer; documentconclusionjob as optional. Mark both rows ✅ in summary.specs/replace-label-spec.mdpointing toreplace_labelsection once created.intent-policy.jsonschema skeleton (version, labels map with dimension/value/weight, scoring, attribution) tospecs/intent-attribution-agent-governance.md.pkg/cli/outcome_eval.goforreplace_label— addevalGenericStickyfallback or// TODO(spdd)placeholder if absent.make recompileto confirm no.lock.ymlregressions.safestDefaultPolicy()wiring in the Orchestrator.Per-Spec Findings
intent-attribution-agent-governance.md v2.0.0 · Partially Implemented
parent_issue,referenced_issue,project,milestone,suggestionpaths. No conformance tests.otel-observability-spec.md v0.4.0 · Working Draft
capture-content,mode,signalsreserved but unimplemented. Collector mode RECOMMENDED but no setup docs. No compliance test harness referenced.replace-label-spec.md v1.0.0 · Candidate Recommendation
PUT /issues/{n}/labels. Eliminates race window in separate remove+add calls.replace_labelentirely absent from outcome evaluation spec. §9 test IDs not linked to implementation file.safe-output-outcome-evaluation.md v1.0.0 · Working Draft
not-started;replace_labelcompletely absent. Audit NDJSON path defined but schema unspecified. Reconciliation process has no ownership.replace_labelmissing), Operationssecurity-architecture-spec-summary.md v1.0.0 · Candidate Recommendation
Sync Follow-ups
replace_labelevaluator spec: greppkg/cli/outcome_eval.goand add fallback/TODO if absent.make recompileto verify no.lock.ymldrift.IntentRecord,ExecutionPolicy) consistent with spec.// TODO(spdd-sync): implement dedicated evaluatorcomments inpkg/cli/outcome_eval.go.safestDefaultPolicy()Orchestrator fallback.Context
specs/intent-attribution-agent-governance.md,specs/otel-observability-spec.md,specs/replace-label-spec.md,specs/safe-output-outcome-evaluation.md,specs/security-architecture-spec-summary.mdlast_index: 11)scratchpad/safe-outputs-specification.md,specs/aw-harness.md,specs/awf-config-sources-spec.md,specs/compiler-threat-detection-spec.md,specs/forecast-compliance-fixtures/README.md