[spdd] Daily spec work plan - 2026-05-11 #31544

Description

@github-actions

Summary

This run reviewed 5 specification files from the specs/ directory (rotation index 0–4, first run — cache initialized). The specs cover: AW Harness engine design, AWF config canonical sources, compiler threat detection, security architecture summary, and security architecture validation.

Key findings: the AW Harness spec is still a Working Draft and its implementation status vs. the spec is unclear; the AWF config sources spec lacks an automated drift detection workflow inside gh-aw; the security architecture validation has a pending re-run task after v1.0.2/1.0.3 changes; and several specs lack explicit Sync Follow-up sections.

Priority Work Queue

| Priority | Task | Spec | SPDD Stage |
|---|---|---|---|
| P0 | Verify aw_harness.cjs exists and matches Section 5 invocation contract | specs/aw-harness.md | /spdd-analysis |
| P0 | Re-run security architecture validation after v1.0.2–1.0.3 changes | specs/security-architecture-spec-validation.md | /spdd-sync |
| P1 | Add automated AWF config drift detection workflow to gh-aw | specs/awf-config-sources-spec.md | /spdd-generate |
| P1 | Add compliance tests skeleton for AW Harness Section 12 | specs/aw-harness.md | /spdd-generate |
| P1 | Harden Section 4.4 (Automation) of AWF config sources spec with concrete GHA workflow reference | specs/awf-config-sources-spec.md | /spdd-sync |
| P2 | Add Safeguards (S) section to AWF config sources spec | specs/awf-config-sources-spec.md | /spdd-reasons-canvas |
| P2 | Add Sync Follow-up notes to security-architecture-spec-summary.md maintenance table | specs/security-architecture-spec-summary.md | /spdd-sync |
| P2 | Clarify AW Harness Extension 1-6 normative requirements with done-conditions | specs/aw-harness.md | /spdd-reasons-canvas |
| P2 | Verify compiler threat detection spec CTR-012 is reflected in implementation | specs/compiler-threat-detection-spec.md | /spdd-sync |

SPDD Checklist

  • /spdd-analysis Confirm actions/setup/js/aw_harness.cjs file exists and read its entry-point; compare against Section 5 of specs/aw-harness.md
  • /spdd-analysis Identify which AW Harness Pi Extensions (1–6) are implemented vs. spec-only
  • /spdd-reasons-canvas Add missing Safeguards section to specs/awf-config-sources-spec.md describing what gh-aw does when drift is detected (e.g., fail CI, open issue)
  • /spdd-reasons-canvas Audit Operations coverage in specs/aw-harness.md Section 7 for missing edge cases (session timeout, budget exceeded, extension registration failure)
  • /spdd-generate Draft a GitHub Actions workflow file github/gh-aw/.github/workflows/awf-config-drift.yml that implements Section 4.3 drift detection procedure from specs/awf-config-sources-spec.md
  • /spdd-generate Add compliance test stubs for specs/aw-harness.md Section 12 to pkg/cli/ or a new tests/aw-harness/ directory
  • /spdd-sync Re-run validation script (or agent) against updated .lock.yml files and update specs/security-architecture-spec-validation.md to cover v1.0.2 pre_activation pattern and v1.0.3 threat detection changes
  • /spdd-sync Update maintenance table in specs/security-architecture-spec-summary.md: mark "Rerun validation report" as ✅ Done once above re-run completes
  • /spdd-sync Verify specs/compiler-threat-detection-spec.md CTR-012 requirement is tested in pkg/workflow/ tests; add test if missing
  • /spdd-sync Add a "Spec Maintenance" section to specs/awf-config-sources-spec.md tracking when canonical sources were last checked

Per-Spec Findings

specs/aw-harness.md — AW Harness Specification

Status: Working Draft | SPDD Grade: C (incomplete implementation coverage)

  • Requirements (R): ✅ RFC 2119 used throughout; normative MUST/SHALL requirements present
  • Entities (E): ✅ Section 3 Terminology defines key types (AgentSession, ExtensionAPI, cli-proxy, etc.)
  • Approach (A): ✅ Architecture diagram in Section 4.1
  • Structure (S): ✅ Well-organized 14-section ToC
  • Operations (O): ⚠️ Section 7 (Single-Session Execution Model) exists but edge cases (timeout, budget exhaustion, extension failure recovery) need explicit normative language
  • Norms (N): ✅ RFC 2119 conformance table in Section 2
  • Safeguards (Sg): ⚠️ Section 11 (Security Considerations) present but not verified for completeness in this read

Key gap: Working Draft status with no clear implementation-vs-spec traceability. aw_harness.cjs file path not confirmed.


specs/awf-config-sources-spec.md — AWF Config Canonical Sources

Status: Working Draft v0.1.0 | SPDD Grade: B (good norms, missing safeguards + automation)

  • Requirements (R): ✅ CR-01 to CR-05 clearly stated
  • Entities (E): ⚠️ No entity model for config property categories (CLI-mapped vs. config-only vs. env-only)
  • Approach (A): ✅ Clear cross-repo reference model
  • Structure (S): ✅ Concise and well-structured
  • Operations (O): ✅ Section 4.2 Step-by-Step drift procedure is concrete
  • Norms (N): ✅ RFC 2119 present
  • Safeguards (Sg): ❌ Missing — no normative language on what gh-aw does when drift is detected (CI failure threshold, issue creation, PR blocking)

Key gap: Section 4.4 references a scheduled GHA workflow but none exists in the repo.


specs/compiler-threat-detection-spec.md — Compiler Threat Detection

Status: Candidate Recommendation v1.0.3 | SPDD Grade: B+ (mature spec, sync needed for recent changes)

  • Requirements (R): ✅ Comprehensive with CTR-NNN identifiers
  • Entities (E): ✅ Threat categories defined
  • Approach (A): ✅ Detection rules architecture documented
  • Structure (S): ✅ Formal W3C-style layout
  • Operations (O): ✅ Detection procedures specified
  • Norms (N): ✅ RFC 2119 throughout
  • Safeguards (Sg): ✅ Present (remediation procedures)

Key gap: CTR-012 (referenced in summary doc as recent v1.0.2 work) needs sync verification with pkg/workflow/safe_jobs.go.


specs/security-architecture-spec-summary.md — Security Architecture Summary

Status: Summary/Tracker | SPDD Grade: A- (well-maintained tracker, one pending item)

  • All maintenance tasks tracked in table
  • Pending item: "Rerun validation report after Appendix A update" — still marked ⏳
  • Next Steps section has stale references to v1.0.0 tasks that are now done

specs/security-architecture-spec-validation.md — Validation Report

Status: Validation doc | SPDD Grade: B (accurate at time of writing, stale now)

  • Validates v1.0.0 implementation against spec
  • Does NOT cover pre_activation pattern added in v1.0.2 (PM-10a–PM-10d)
  • Does NOT cover CTR-012 threat detection changes in v1.0.3
  • Missing sections: No validation of Appendix G (lock file checklist) or Appendix H (security best practices)

Sync Follow-ups

  • After aw_harness.cjs is verified/implemented: update specs/aw-harness.md status from Working Draft → Last Call
  • After drift workflow is created: add its workflow run URL pattern to Section 4.4 of specs/awf-config-sources-spec.md
  • After validation re-run: close pending item in specs/security-architecture-spec-summary.md maintenance table
  • Consider adding a specs/README.md index listing all spec files with their status and last-validated date

Context

  • Files reviewed (rotation index 0–4, first run):
    • specs/aw-harness.md
    • specs/awf-config-sources-spec.md
    • specs/compiler-threat-detection-spec.md
    • specs/security-architecture-spec-summary.md
    • specs/security-architecture-spec-validation.md
  • Next run will start at index 5 (specs/security-architecture-spec.md) and continue through docs/src/content/docs/reference/ and scratchpad/ specs
  • Workflow run: §25683867756

Generated by Daily SPDD Spec Planner · ● 7.6M ·

  • expires on May 14, 2026, 4:49 PM UTC
