| 1 | +# Repo Standards Gap Analysis |
| 2 | + |
| 3 | +Date: 2026-02-01 |
| 4 | +Owner: Codex |
| 5 | + |
| 6 | +## Scope and Impact |
| 7 | + |
| 8 | +Impacted (planned changes): `docs/reports/2026-02-01-repo-standards-gap-analysis.md`, `docs/plans/2026-02-01-repo-standards-gap-analysis.md`. |
| 9 | +Reviewed (no changes): repo configuration, CI/CD workflows, hooks, docs, and `skills/**/SKILL.md` for trigger decisions. |
| 10 | +Unimpacted: runtime code and deployable components (no application code changes). |
| 11 | + |
| 12 | +## Summary |
| 13 | + |
| 14 | +- 15 skills would have triggered during repo population based on front matter and `When to Use`. |
| 15 | +- Most repo standards are enforced via hooks and CI for documentation quality and commit conventions. |
| 16 | +- Key gaps: no automated guardrail to block commits on `main`, no CI enforcement for secret scanning, and limited CI/CD traceability controls (no tag-based release/deploy pipelines). |
| 17 | + |
| 18 | +## Findings and Recommendations |
| 19 | + |
| 20 | +- Add a `pre-commit` or `pre-push` guardrail to block commits or pushes to `main`, and document required branch protection settings (status checks, no direct pushes, no merge commits). |
| 21 | +- Add a CI job for `npm run secretlint` to make security scanning reproducible and enforceable. |
| 22 | +- Document CI/CD scope exceptions explicitly (no release/deploy pipelines) or add tag-based release/deploy workflows if required by operating context. |
| 23 | + |
| 24 | +## Triggered Skills and Gaps |
| 25 | + |
| 26 | +| Skill | Trigger rationale (from front matter + When to Use) | Required standards | Repo evidence | Gap status | Notes | |
| 27 | +| --- | --- | --- | --- | --- | --- | |
| 28 | +| repository-foundation-bootstrap | Bootstrapping a new repository or migrating a repo to this library's standards. | Baseline documented, brownfield path planned, ADRs for tooling/structure, zero-warning verification. | `docs/plans/2026-01-02-brownfield-standards-migration.md`, `docs/reports/2026-01-02-brownfield-impact.md`, `docs/adr/006-commit-message-validation-and-secret-scanning.md`, `npm run verify` in `README.md`. | Pass | Baseline and migration evidence are present. | |
| 29 | +| documentation-scaffold | Starting a new repository or migrating a repo missing/inconsistent docs. | `AGENTS.md` present, README setup/verification, ADRs for decisions, doc checks pass. | `AGENTS.md`, `README.md` (Development/Contributing), `docs/adr/*.md`, `npm run verify` in `README.md`. | Pass | Meets minimum doc scaffold expectations. | |
| 30 | +| documentation-as-code | Creating/updating README, plans, ADRs, or SKILL docs. | Linting and spell checks enforced, docs treated as code with CI gate. | `.markdownlint-cli2.yaml`, `.markdownlint.json`, `cspell.json`, `package.json` scripts, `.github/workflows/docs-quality.yml`, `.husky/pre-commit`. | Pass | Automated checks are in place for docs. | |
| 31 | +| writing-skills | Creating or modifying any `SKILL.md` during repo population. | Use skill template and enforce front matter constraints. | `skills/writing-skills/templates/skill_template.md`, `README.md` Contributing section. | Pass | Template and guidance exist; enforcement is manual. | |
| 32 | +| writing-plans | Producing multi-step plans in `docs/plans/`. | Plan template used and stored in `docs/plans/`. | `skills/writing-plans/templates/plan_template.md`, `docs/plans/2026-01-02-brownfield-standards-migration.md`. | Pass | Plans follow template and are stored in repo. | |
| 33 | +| incremental-change-impact | Any change set (docs/config/tooling) during repo setup. | Impact analysis documented with impacted/unimpacted set. | `docs/reports/2026-01-02-brownfield-impact.md`. | Pass | Explicit impact report exists. | |
| 34 | +| automated-standards-enforcement | Establishing tooling, linting, and quality gates for standards. | Prefer automated enforcement via hooks/CI over manual review. | `.husky/pre-commit`, `.husky/commit-msg`, `package.json` lint-staged config, `.github/workflows/docs-quality.yml`, `.github/workflows/commitlint.yml`. | Pass | Automated gates exist for docs and commits. | |
| 35 | +| local-dev-experience | Introducing hooks, linting, formatting, and staged-only checks. | Husky + lint-staged for staged-only checks; local verification commands. | `.husky/pre-commit`, `package.json` lint-staged config, `npm run verify` in `README.md`. | Pass | Staged-only hooks and local verify are configured. | |
| 36 | +| runtime-tooling-validation | Introducing/validating Node/tooling versions and policy. | LTS version pinned and enforced. | `.nvmrc`, `package.json` engines, `volta` node pin. | Pass | Runtime policy is explicit and consistent. | |
| 37 | +| static-analysis-security | Introducing or modifying security linting (e.g., secret scanning). | Security scans run and are reproducible; evidence recorded. | `.secretlintrc.json`, `.secretlintignore`, `package.json` `secretlint` script, lint-staged `secretlint`. | Gap | No CI job runs `secretlint`; enforcement is local only. | |
| 38 | +| ci-cd-conformance | Creating/modifying CI workflows to meet monorepo standards. | Incremental execution, quality gates, immutable releases, tag-based deployments. | `.github/workflows/docs-quality.yml` uses path filters; `commitlint.yml` enforces commit conventions. | Partial | Quality gates exist; no release/deploy pipelines or tag-based deployment evidence (scope may be N/A). | |
| 39 | +| branching-strategy-and-conventions | Defining branching strategy and commit conventions. | No direct commits to `main`, commitlint enforced, branch protection, pre-commit guardrail for default branch. | `.husky/commit-msg`, `.github/workflows/commitlint.yml`, `README.md` branch protection note. | Gap | No automated guardrail to block commits on `main`; branch protection enforcement not verifiable in repo. | |
| 40 | +| quality-gate-enforcement | Ensuring checks run and block before merge/tag/deploy. | Required checks block merges and releases with zero warnings. | `.github/workflows/docs-quality.yml`, `.github/workflows/commitlint.yml`, `npm run verify`. | Partial | Secret scanning not enforced in CI; quality gates limited to docs/commit linting. | |
| 41 | +| best-practice-introduction | Introducing new standards/tooling with safe rollout. | Incremental rollout plan and ADRs for tooling decisions. | `docs/plans/2026-01-02-brownfield-standards-migration.md`, `docs/adr/006-commit-message-validation-and-secret-scanning.md`. | Pass | Rollout plan and ADRs exist. | |
| 42 | +| using-git-worktrees | Multi-step work or need for isolation during repo setup. | Worktree location is defined and ignored; usage documented. | `.gitignore` includes `.worktrees/`, `AGENTS.md` step 5. | Pass | Worktree policy is documented and supported. | |
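Review bot: The `main` guardrail recommended at line 20 and required in the branching-strategy row (line 39) is a local hook, which a developer can skip with `git commit --no-verify` or by pushing from a machine without Husky installed, so it should be described as a convenience check rather than the control that closes the gap; the finding should name server-side branch protection (required status checks, no direct pushes) as the enforcing control and say how its configuration was verified, since the row itself admits it is "not verifiable in repo". Related, the `secretlint` CI job proposed at line 21 should not copy the path filters that `docs-quality.yml` uses (line 38), and should run over the full working tree on every pull request rather than only staged files as lint-staged does, otherwise a secret already committed before the hook existed stays undetected and the "Gap" in the static-analysis-security row (line 37) is only partly closed.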