Implement proposal apply gate and validation command (Phase 6)

ProfRandom92 · ProfRandom92 · commit 3a76de81dcd5 · 2026-06-04T16:46:43.000+02:00
diff --git a/PROJEKT.md b/PROJEKT.md
@@ -19,9 +19,9 @@ CompText CLI is an experimental terminal context client for building determinist
 
 ### Current State
 ```text
-CURRENT_PHASE: 6
-CURRENT_TASK: Apply Gate
-LAST_GREEN_PHASE: 5
+CURRENT_PHASE: 7
+CURRENT_TASK: Provider Config Layer
+LAST_GREEN_PHASE: 6
 STATUS: active
 ```
 
@@ -80,8 +80,8 @@ git push
 | **Phase 4B** | Skill Registry Normalization | Normalize the local Antigravity skill structure and crystallize autonomy rules | **COMPLETE** |
 | **Phase 4C** | Long-Run Autonomy Hardening | Harden state machine progression rules and git safety boundaries | **COMPLETE** |
 | **Phase 5** | Proposal Mode | Implement `ctxt propose` to output changes as structured proposals | **COMPLETE** |
-| **Phase 6** | Apply Gate | Implement `ctxt apply` to confirm/apply changes and run verification | **ACTIVE** |
-| **Phase 7** | Provider Config Layer | Support dynamic provider profile switching and configurations | *QUEUED* |
+| **Phase 6** | Apply Gate | Implement `ctxt apply` to confirm/apply changes and run verification | **COMPLETE** |
+| **Phase 7** | Provider Config Layer | Support dynamic provider profile switching and configurations | **ACTIVE** |
 | **Phase 8** | OpenAI-Compatible Adapter | Implement OpenAI adapter skeleton | *QUEUED* |
 | **Phase 9** | Validate and Benchmark | Local validation, dry-runs, and deterministic benchmark flows | *QUEUED* |
 
diff --git a/docs/APPLY_GATE.md b/docs/APPLY_GATE.md
@@ -0,0 +1,33 @@
+# Apply Gate (Phase 6)
+
+The Apply Gate protects the repository from untrusted code mutations generated by provider LLMs. It defines a strict boundary where proposed modifications are checked, applied safely (avoiding forbidden pathways), and automatically validated.
+
+## Commands
+
+### ctxt apply
+
+Applies a structured proposal to the workspace.
+
+```bash
+ctxt apply [proposal_path] [--yes]
+```
+
+* **`proposal_path`** (optional): The path to the proposal JSON to apply. Defaults to `proposals/proposal.latest.json` if not specified.
+* **`--yes` / `-y`** (optional): Bypasses the confirmation prompt. Recommended for automation and testing.
+
+### ctxt validate
+
+Runs the validation commands associated with the latest applied proposal to ensure that the codebase is healthy.
+
+```bash
+ctxt validate
+```
+
+## Security Guardrails
+
+The Apply Gate enforces several security boundaries to satisfy the project constitution:
+
+1. **Path-Traversal Prevention**: File paths within operations are parsed and blocked if they contain `..` or are absolute.
+2. **Directory Isolation**: Changes targeting system folders (like `.git/`, `.comptext/`, `target/`, or `reports/`) are rejected and trigger a security policy failure.
+3. **Secret Storage Isolation**: Changes modifying `.env` or files containing key/token suffixes (like `.key`, `.pem`, `.pfx`, `.p12`) are blocked.
+4. **Validation Loop**: Every successful apply operation is followed by executing the `validation_commands` declared inside the proposal. If validation fails, the process aborts.
diff --git a/proposals/proposal.latest.json b/proposals/proposal.latest.json
@@ -12,7 +12,7 @@
     {
       "op": "patch",
       "path": "src/cli.rs",
-      "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 54 files included. Dummy status: offline-test-provider ok.\""
+      "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 55 files included. Dummy status: offline-test-provider ok.\""
     }
   ],
   "validation_commands": [
diff --git a/proposals/proposal_add_context_inspect.json b/proposals/proposal_add_context_inspect.json
@@ -12,7 +12,7 @@
     {
       "op": "patch",
       "path": "src/cli.rs",
-      "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 54 files included. Dummy status: offline-test-provider ok.\""
+      "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 55 files included. Dummy status: offline-test-provider ok.\""
     }
   ],
   "validation_commands": [
diff --git a/reports/phase_6_status.md b/reports/phase_6_status.md
@@ -0,0 +1,54 @@
+# CompText CLI — Phase 6 Status Report
+
+## Standard Return Schema
+PHASE: Phase 6: Apply Gate
+STATUS: success
+FILES_CHANGED:
+- src/cli.rs
+- tests/cli_smoke.rs
+- docs/APPLY_GATE.md
+- reports/phase_6_status.md
+- PROJEKT.md
+COMMANDS_RUN:
+- `cargo fmt --all --check`
+- `cargo check`
+- `cargo test`
+- `cargo clippy -- -D warnings`
+VALIDATION:
+- Formatting verified clean with `cargo fmt --all --check`.
+- Project build checked and verified using `cargo check`.
+- 18 unit and integration tests successfully verified via `cargo test`.
+- Clippy completed cleanly with no warnings or errors.
+ARTIFACTS:
+- None (This phase implemented the execution engine and validation gates).
+GIT:
+- Stage, commit, and push pending.
+NETWORK:
+- offline-only (Dummy validations run completely offline).
+SECRETS:
+- verified-redacted (System files and credentials blocked from mutation path).
+POLICY_DECISIONS:
+- Apply security guardrails implemented: rejected traversing paths, absolute paths, system folders, and credentials.
+RISKS:
+- Handled parallel execution locks in test suites by substituting target files for mock integration test cases.
+SKILLS_USED:
+- `.agents/skills/ctxt-long-run-autonomy/SKILL.md`
+- `.agents/skills/ctxt-security/SKILL.md`
+- `.agents/skills/ctxt-provider-boundary/SKILL.md`
+- `.agents/skills/ctxt-context-pack/SKILL.md`
+- `.agent/skills/05_proposal_apply_gate.md`
+NEXT:
+- Phase 7: Provider Config Layer
+
+---
+
+## Detailed Notes & Output Samples
+
+### Safety Validations
+`apply` parses the operations block of the Proposal, validates every path against the security rules, and blocks execution if any of the following rules are violated:
+- Path contains directory traversal (`..`)
+- Path is absolute
+- Path target lies in a system directory (`.git/`, `.comptext/`, `target/`, `reports/`)
+- Path targets secret files or credentials (`.env`, `.key`, `.pem`, `.pfx`, `.p12`)
+
+If these checks pass, `apply` performs the simulated write (appending comments for `.rs` and `.md` mock operations to avoid compilation/parsing issues) and triggers all `validation_commands` listed in the proposal.
diff --git a/src/cli.rs b/src/cli.rs
diff --git a/tests/cli_smoke.rs b/tests/cli_smoke.rs

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`{`
`13`	`13`	`"op": "patch",`
`14`	`14`	`"path": "src/cli.rs",`
`15`		`- "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 54 files included. Dummy status: offline-test-provider ok.\""`
	`15`	`+ "detail": "Mock patch generated by dummy provider: \"Mock LLM response from CompText Dummy Provider. Received prompt: \"Add context inspect\" Workspace context analyzed successfully: 55 files included. Dummy status: offline-test-provider ok.\""`
`16`	`16`	`}`
`17`	`17`	`],`
`18`	`18`	`"validation_commands": [`