spdd batch 4: promote guard-policies spec, add safeguards/norms to manifest and alias specs, create MCP access-control compliance fixtures #43245

Draft
pelikhan with Copilot wants to merge 3 commits into main from copilot/spdd-daily-spec-work-plan-2026-07-03

Copilot AI commented Jul 3, 2026

Five specs reviewed in batch 4 of the daily SPDD rotation had gaps in Safeguards, Sync Notes, Norms, and compliance test coverage. Addresses all nine checklist items.

scratchpad/guard-policies-specification.md

  • ## Entities — normative definitions for GitHubReposScope, GitHubIntegrityLevel, GitHubToolConfig guard-policy fields, and a formal deprecation block for the legacy repos alias (migration via gh aw fix, removal target v2.0.0)
  • ## Safeguards — five MUST requirements (GP-S001–GP-S005): empty-allowlist rejection, lockdown supremacy, allowed-repos+min-integrity co-requirement, legacy-field isolation, absent-policy-is-not-permissive
  • ## Sync Notes — maps spec sections to pkg/workflow/mcp_github_config.go, tools_validation_github.go, tools_types.go, and safeoutputs_guard_policy_test.go

docs/src/content/docs/specs/repository-package-manifest-specification.md

  • §4.8 — MUST NOT path-traversal rule: files entries containing ../ or resolving outside the package root must be rejected
  • §5.1 / §5.3 — cross-references to §10 Safeguards (R-PKG-003/004/006/007) added inline to the install and remove lifecycle paragraphs
  • §11.1 norms table — new row for the path-traversal prohibition

docs/src/content/docs/specs/model-alias-specification.md

  • §13.1 — alias chain overflow now names error code V-MAF-008 and test case T-MAF-055 (model_alias_validation_test.go); informative error-message format added
  • §15.2 — R-MAF-S001 norm updated to reference V-MAF-008
  • §15 intro — explicit RFC 2119 / RFC 8174 keyword statement added

scratchpad/github-mcp-access-control-specification.md + specs/github-mcp-access-control-compliance/

  • New §11.4 links five YAML compliance fixture stubs covering the core access-control decision matrix:

| Fixture | Scenarios | Test IDs |
|---|---|---|
| exact-match-allow.yaml | exact pattern allow + deny | T-GH-11, T-GH-12 |
| wildcard-deny.yaml | owner-wildcard allow + cross-owner deny | T-GH-13, T-GH-14 |
| role-deny.yaml | role match allow + insufficient role deny | T-GH-19, T-GH-20, T-GH-23 |
| private-repo-block.yaml | private-repos: false blocks private, passes public | T-GH-024–026 |
| integrity-level-block.yaml | min-integrity threshold enforcement + no-policy pass-through | T-GH-51, T-GH-52, T-GH-54, T-GH-59 |
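
The §4.8 path-traversal rule from the description above (reject `files` entries that contain `../` or resolve outside the package root), sketched as an added Go example; it is not code from this pull request or from the project. The names `checkFilesEntry` and `ErrOutsideRoot` are hypothetical, and treating `\` as a separator, following symlinks, and failing closed on entries that cannot be resolved are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("files entry escapes the package root")

// checkFilesEntry (hypothetical helper) returns the resolved path of entry under root.
func checkFilesEntry(root, entry string) (string, error) {
	// Treat "\" as a separator too, so "..\x" is caught on every platform.
	norm := strings.ReplaceAll(entry, `\`, "/")
	if norm == "" || strings.HasPrefix(norm, "/") || filepath.IsAbs(entry) {
		return "", ErrOutsideRoot
	}
	for _, seg := range strings.Split(norm, "/") {
		if seg == ".." {
			return "", ErrOutsideRoot
		}
	}
	// A lexically clean entry can still leave the root through a symlink: resolve both sides.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, filepath.FromSlash(norm)))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func main() {
	root, _ := os.MkdirTemp("", "pkg") // constructed sample package root
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "agent.md"), []byte("ok"), 0o644)
	for _, e := range []string{"agent.md", "../etc/passwd", "a/../../x", "/etc/passwd"} {
		_, err := checkFilesEntry(root, e)
		fmt.Printf("%q -> %v\n", e, err)
	}
}
```

An entry such as `sub/../agent.md` is rejected even though it would resolve inside the root, because the rule as described prohibits any entry containing `../`.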

Copilot AI linked an issue Jul 3, 2026 that may be closed by this pull request
10 tasks
Copilot AI and others added 2 commits July 3, 2026 16:44
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update draft specs based on review feedback spdd batch 4: promote guard-policies spec, add safeguards/norms to manifest and alias specs, create MCP access-control compliance fixtures Jul 3, 2026
Copilot AI requested a review from pelikhan July 3, 2026 16:46
github-actions Bot commented Jul 3, 2026

Hey @Copilot 👋 — great work on SPDD batch 4! The guard-policies safeguards block (GP-S001–GP-S005), the path-traversal prohibition in the package manifest spec, and the five MCP access-control compliance fixtures with their full decision-matrix coverage (T-GH-11 through T-GH-59) are all well-structured and clearly documented.

The PR description is thorough, each change is traceable to a named requirement or test ID, and the RFC 2119 keyword statement added to the model-alias spec is a nice normative clarity touch. This looks ready for review. 🚀

Generated by ✅ Contribution Check · 131.6 AIC · ⌖ 12.8 AIC · ⊞ 6.3K ·

github-actions Bot commented Jul 3, 2026

PR Triage

| Field | Value |
|---|---|
| Category | docs (SPDD spec batch) |
| Risk | Low |
| Score | 28 (impact 14 + urgency 6 + quality 8) |
| Action | defer |

Breakdown: SPDD batch 4 — adds safeguards/norms/sync-notes to spec files and MCP access-control compliance fixtures. 583 add / 4 del. Draft. Docs/spec-only changes, no production code impact. Low urgency.

Next: Queue for human spec review when batch-4 SPDD sprint is scheduled.

Generated by 🔧 PR Triage Agent · 86.6 AIC · ⌖ 10.9 AIC · ⊞ 5.5K ·

Development

Successfully merging this pull request may close these issues.

[spdd] Daily spec work plan - 2026-07-03