Skip to content

docs: add W3C-style usage specification#537

Open
davidslater wants to merge 1 commit into
mainfrom
ace/01KXGX3B80ZEQM93DRHE486BHM
Open

docs: add W3C-style usage specification#537
davidslater wants to merge 1 commit into
mainfrom
ace/01KXGX3B80ZEQM93DRHE486BHM

Conversation

@davidslater

Copy link
Copy Markdown
Collaborator

Created by GitHub Ace · View Session

Summary

Adds specs/usage-spec.md — a W3C-style usage specification to simplify integration with the threat-detect CLI. Updates the README to reference both specs.

Closes #383

What's in the spec

The usage specification (63 normative requirements, US-01 through US-63) covers:

Section Topics
§2 Binary Distribution Release assets, checksums, semver tags, promotion model
§3 CLI Invocation Synopsis, flags, environment variables
§4 Artifacts Directory Required/optional file layout, graceful handling
§5 Result Output JSON contract (4 fields), output destination
§6 Exit Codes 0/1/2 mapping
§7 Status Reporting THREAT_DETECTION_STATUS: line, reason values, wrapper guidance
§8 report-result In-session verdict recording, flags, validation, idempotency, atomic writes, tool provisioning
§9 conclude Host-side job-output evaluation, step outputs, env exports, warn mode, failure semantics
§10 Self-Correction Retry Retry bounds, correction prompt, exhaustion handling
§11 Integration Patterns Direct invocation, orchestrated (gh-aw) invocation, replay
§12 Security Sink file permissions, transcript isolation, file-based verdict transport

Relationship to existing spec

The companion threat-detection-spec.md covers detection behavior (threat categories, engine config, custom prompts). This new spec covers usage — how to install, invoke, and integrate with the detector. Cross-references are included in both directions.

Add specs/usage-spec.md covering binary distribution, CLI invocation,
artifact input contract, result output contract, exit codes, status
reporting, report-result subcommand, conclude subcommand, self-correction
retry, integration patterns, and security considerations.

Update README.md to reference both specifications.

Closes #383

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: David Slater <12449447+davidslater@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 21:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new W3C-style Usage Specification for integrating with the threat-detect CLI (installation, invocation, artifacts layout, result output, subcommands, and integration patterns), and updates the README to link to it alongside the existing behavior-focused spec.

Changes:

  • Add specs/usage-spec.md defining the CLI usage/integration contract (US-01 through US-63).
  • Update README.md to reference both the Threat Detection spec (behavior) and the new Usage spec (integration/operations).
Show a summary per file
File Description
specs/usage-spec.md New usage/integration specification for threat-detect, including subcommand contracts (report-result, conclude) and status/output semantics.
README.md Adds links/descriptions for both W3C-style specs (behavior + usage).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 6
  • Review effort level: Low

Comment thread specs/usage-spec.md
| `--prompt-injection` | bool | Yes | Whether prompt injection was detected |
| `--secret-leak` | bool | Yes | Whether secret leaks were detected |
| `--malicious-patch` | bool | Yes | Whether malicious patches were detected |
| `--reason` | string | Repeatable | Reason for a detected threat (one per flag) |
Comment thread specs/usage-spec.md
|------|---------|
| 0 | Result successfully recorded (or already recorded) |
| 2 | Invalid or missing required flags, or logic violation |
| 3 | Configuration error (`THREAT_DETECTION_RESULT_FILE` unset) |
Comment thread specs/usage-spec.md
Comment on lines +206 to +207
**US-21**: When any threat field is `true`, the `reasons` array MUST contain
at least one entry explaining the finding.
Comment thread specs/usage-spec.md
Comment on lines +332 to +337
**US-37**: On successful recording, the subcommand MUST print to stdout:

```
THREAT_DETECTION_RESULT_RECORDED: analysis complete; stop now and produce no further output.
```

Comment thread specs/usage-spec.md
Comment on lines +338 to +344
**US-38**: On validation or write errors, the subcommand MUST print to both
stdout and stderr:

```
THREAT_DETECTION_RESULT_ERROR: <reason>. Re-run threat_detection_result with corrected values.
```

Comment thread specs/usage-spec.md
Comment on lines +214 to +216
**US-23**: When `--output <path>` is specified, the result JSON MUST be
written to the given file path with permissions `0600`. No output MUST be
written to stdout in this case.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Usage specification

2 participants