Summary
This run reviewed 5 specification files from the specs/ directory (rotation index 0–4, first run — cache initialized). The specs cover: AW Harness engine design, AWF config canonical sources, compiler threat detection, security architecture summary, and security architecture validation.
Key findings: the AW Harness spec is still a Working Draft and its implementation status vs. the spec is unclear; the AWF config sources spec lacks an automated drift detection workflow inside gh-aw; the security architecture validation has a pending re-run task after v1.0.2/1.0.3 changes; and several specs lack explicit Sync Follow-up sections.
Priority Work Queue
| Priority |
Task |
Spec |
SPDD Stage |
| P0 |
Verify aw_harness.cjs exists and matches Section 5 invocation contract |
specs/aw-harness.md |
/spdd-analysis |
| P0 |
Re-run security architecture validation after v1.0.2–1.0.3 changes |
specs/security-architecture-spec-validation.md |
/spdd-sync |
| P1 |
Add automated AWF config drift detection workflow to gh-aw |
specs/awf-config-sources-spec.md |
/spdd-generate |
| P1 |
Add compliance tests skeleton for AW Harness Section 12 |
specs/aw-harness.md |
/spdd-generate |
| P1 |
Harden Section 4.4 (Automation) of AWF config sources spec with concrete GHA workflow reference |
specs/awf-config-sources-spec.md |
/spdd-sync |
| P2 |
Add Safeguards (S) section to AWF config sources spec |
specs/awf-config-sources-spec.md |
/spdd-reasons-canvas |
| P2 |
Add Sync Follow-up notes to security-architecture-spec-summary.md maintenance table |
specs/security-architecture-spec-summary.md |
/spdd-sync |
| P2 |
Clarify AW Harness Extension 1-6 normative requirements with done-conditions |
specs/aw-harness.md |
/spdd-reasons-canvas |
| P2 |
Verify compiler threat detection spec CTR-012 is reflected in implementation |
specs/compiler-threat-detection-spec.md |
/spdd-sync |
SPDD Checklist
Per-Spec Findings
specs/aw-harness.md — AW Harness Specification
Status: Working Draft | SPDD Grade: C (incomplete implementation coverage)
- Requirements (R): ✅ RFC 2119 used throughout; normative
MUST/SHALL requirements present
- Entities (E): ✅ Section 3 Terminology defines key types (AgentSession, ExtensionAPI, cli-proxy, etc.)
- Approach (A): ✅ Architecture diagram in Section 4.1
- Structure (S): ✅ Well-organized 14-section ToC
- Operations (O): ⚠️ Section 7 (Single-Session Execution Model) exists but edge cases (timeout, budget exhaustion, extension failure recovery) need explicit normative language
- Norms (N): ✅ RFC 2119 conformance table in Section 2
- Safeguards (Sg): ⚠️ Section 11 (Security Considerations) present but not verified for completeness in this read
Key gap: Working Draft status with no clear implementation-vs-spec traceability. aw_harness.cjs file path not confirmed.
specs/awf-config-sources-spec.md — AWF Config Canonical Sources
Status: Working Draft v0.1.0 | SPDD Grade: B (good norms, missing safeguards + automation)
- Requirements (R): ✅ CR-01 to CR-05 clearly stated
- Entities (E): ⚠️ No entity model for config property categories (CLI-mapped vs. config-only vs. env-only)
- Approach (A): ✅ Clear cross-repo reference model
- Structure (S): ✅ Concise and well-structured
- Operations (O): ✅ Section 4.2 Step-by-Step drift procedure is concrete
- Norms (N): ✅ RFC 2119 present
- Safeguards (Sg): ❌ Missing — no normative language on what gh-aw does when drift is detected (CI failure threshold, issue creation, PR blocking)
Key gap: Section 4.4 references a scheduled GHA workflow but none exists in the repo.
specs/compiler-threat-detection-spec.md — Compiler Threat Detection
Status: Candidate Recommendation v1.0.3 | SPDD Grade: B+ (mature spec, sync needed for recent changes)
- Requirements (R): ✅ Comprehensive with CTR-NNN identifiers
- Entities (E): ✅ Threat categories defined
- Approach (A): ✅ Detection rules architecture documented
- Structure (S): ✅ Formal W3C-style layout
- Operations (O): ✅ Detection procedures specified
- Norms (N): ✅ RFC 2119 throughout
- Safeguards (Sg): ✅ Present (remediation procedures)
Key gap: CTR-012 (referenced in summary doc as recent v1.0.2 work) needs sync verification with pkg/workflow/safe_jobs.go.
specs/security-architecture-spec-summary.md — Security Architecture Summary
Status: Summary/Tracker | SPDD Grade: A- (well-maintained tracker, one pending item)
- All maintenance tasks tracked in table
- Pending item: "Rerun validation report after Appendix A update" — still marked ⏳
- Next Steps section has stale references to v1.0.0 tasks that are now done
specs/security-architecture-spec-validation.md — Validation Report
Status: Validation doc | SPDD Grade: B (accurate at time of writing, stale now)
- Validates v1.0.0 implementation against spec
- Does NOT cover pre_activation pattern added in v1.0.2 (PM-10a–PM-10d)
- Does NOT cover CTR-012 threat detection changes in v1.0.3
- Missing sections: No validation of Appendix G (lock file checklist) or Appendix H (security best practices)
Sync Follow-ups
- After
aw_harness.cjs is verified/implemented: update specs/aw-harness.md status from Working Draft → Last Call
- After drift workflow is created: add its workflow run URL pattern to Section 4.4 of
specs/awf-config-sources-spec.md
- After validation re-run: close pending item in
specs/security-architecture-spec-summary.md maintenance table
- Consider adding a
specs/README.md index listing all spec files with their status and last-validated date
Context
- Files reviewed (rotation index 0–4, first run):
specs/aw-harness.md
specs/awf-config-sources-spec.md
specs/compiler-threat-detection-spec.md
specs/security-architecture-spec-summary.md
specs/security-architecture-spec-validation.md
- Next run will start at index 5 (
specs/security-architecture-spec.md) and continue through docs/src/content/docs/reference/ and scratchpad/ specs
- Workflow run: §25683867756
References:
Generated by Daily SPDD Spec Planner · ● 7.6M · ◷
Summary
This run reviewed 5 specification files from the
specs/directory (rotation index 0–4, first run — cache initialized). The specs cover: AW Harness engine design, AWF config canonical sources, compiler threat detection, security architecture summary, and security architecture validation.Key findings: the AW Harness spec is still a Working Draft and its implementation status vs. the spec is unclear; the AWF config sources spec lacks an automated drift detection workflow inside
gh-aw; the security architecture validation has a pending re-run task after v1.0.2/1.0.3 changes; and several specs lack explicit Sync Follow-up sections.Priority Work Queue
aw_harness.cjsexists and matches Section 5 invocation contractspecs/aw-harness.mdspecs/security-architecture-spec-validation.mdgh-awspecs/awf-config-sources-spec.mdspecs/aw-harness.mdspecs/awf-config-sources-spec.mdspecs/awf-config-sources-spec.mdsecurity-architecture-spec-summary.mdmaintenance tablespecs/security-architecture-spec-summary.mdspecs/aw-harness.mdspecs/compiler-threat-detection-spec.mdSPDD Checklist
/spdd-analysisConfirmactions/setup/js/aw_harness.cjsfile exists and read its entry-point; compare against Section 5 ofspecs/aw-harness.md/spdd-analysisIdentify which AW Harness Pi Extensions (1–6) are implemented vs. spec-only/spdd-reasons-canvasAdd missing Safeguards section tospecs/awf-config-sources-spec.mddescribing what gh-aw does when drift is detected (e.g., fail CI, open issue)/spdd-reasons-canvasAudit Operations coverage inspecs/aw-harness.mdSection 7 for missing edge cases (session timeout, budget exceeded, extension registration failure)/spdd-generateDraft a GitHub Actions workflow filegithub/gh-aw/.github/workflows/awf-config-drift.ymlthat implements Section 4.3 drift detection procedure fromspecs/awf-config-sources-spec.md/spdd-generateAdd compliance test stubs forspecs/aw-harness.mdSection 12 topkg/cli/or a newtests/aw-harness/directory/spdd-syncRe-run validation script (or agent) against updated.lock.ymlfiles and updatespecs/security-architecture-spec-validation.mdto cover v1.0.2 pre_activation pattern and v1.0.3 threat detection changes/spdd-syncUpdate maintenance table inspecs/security-architecture-spec-summary.md: mark "Rerun validation report" as ✅ Done once above re-run completes/spdd-syncVerifyspecs/compiler-threat-detection-spec.mdCTR-012 requirement is tested inpkg/workflow/tests; add test if missing/spdd-syncAdd a "Spec Maintenance" section tospecs/awf-config-sources-spec.mdtracking when canonical sources were last checkedPer-Spec Findings
specs/aw-harness.md— AW Harness SpecificationStatus: Working Draft | SPDD Grade: C (incomplete implementation coverage)
MUST/SHALLrequirements presentKey gap: Working Draft status with no clear implementation-vs-spec traceability.
aw_harness.cjsfile path not confirmed.specs/awf-config-sources-spec.md— AWF Config Canonical SourcesStatus: Working Draft v0.1.0 | SPDD Grade: B (good norms, missing safeguards + automation)
Key gap: Section 4.4 references a scheduled GHA workflow but none exists in the repo.
specs/compiler-threat-detection-spec.md— Compiler Threat DetectionStatus: Candidate Recommendation v1.0.3 | SPDD Grade: B+ (mature spec, sync needed for recent changes)
Key gap: CTR-012 (referenced in summary doc as recent v1.0.2 work) needs sync verification with
pkg/workflow/safe_jobs.go.specs/security-architecture-spec-summary.md— Security Architecture SummaryStatus: Summary/Tracker | SPDD Grade: A- (well-maintained tracker, one pending item)
specs/security-architecture-spec-validation.md— Validation ReportStatus: Validation doc | SPDD Grade: B (accurate at time of writing, stale now)
Sync Follow-ups
aw_harness.cjsis verified/implemented: updatespecs/aw-harness.mdstatus from Working Draft → Last Callspecs/awf-config-sources-spec.mdspecs/security-architecture-spec-summary.mdmaintenance tablespecs/README.mdindex listing all spec files with their status and last-validated dateContext
specs/aw-harness.mdspecs/awf-config-sources-spec.mdspecs/compiler-threat-detection-spec.mdspecs/security-architecture-spec-summary.mdspecs/security-architecture-spec-validation.mdspecs/security-architecture-spec.md) and continue throughdocs/src/content/docs/reference/andscratchpad/specsReferences: