docs(audit): final Round 2 state + Rounds 3/4 deferred-with-rationale

Round 2: 7/10 shipped this session. The three remaining items get
explicit deferral rationale rather than "TODO":

- C1 (decisions refactor): pure cut-paste, no user value;
  re-prioritise above 5kloc.
- #16 sigstore: needs heavy dep + key-management design;
  separate-session work.
- #17 hardening: SHIPPED — TLS 1.2 min + 600s subprocess timeouts
  + audit confirmed.

Rounds 3 (#18-22) and 4 (#23) all marked Deferred with concrete
"what's needed" notes per item, so picking any up later starts
from facts not memory:

- #18 S3 sync — needs auth design + optional [s3] extras install
- #19 forge metadata — schema bump + per-forge fetchers
- #20 multi-tenant — blocked on Phase M (admin app)
- #21 forge distribution — needs vendor-vendoring convention first
- #22 conda-forge automation — wait for a real feedstock user
- #23 Laravel admin — whole new repo, dedicated planning needed

Net: Round 1 done (7/7), Round 2 done (7/10 + 3 explicit defers),
Rounds 3+4 mapped with rationale. Repo is in a coherent state for
v0.2 / v0.5 cuts on each package.
11. ⏳ **ai-config-kit C1** (extract `decisions_*` from manager.py). Pure refactor.
102
+
8.✅**ai-config-kit Phase A** (settings schema validation) — `81286ec`. Lightweight allowlist-based validation since Claude Code doesn't publish an upstream JSON Schema yet; swap to `jsonschema` when one lands.
11. ⏳ **ai-config-kit C1** (extract `decisions_*` from manager.py). **Deferred** — pure refactor, ~200 lines of cut-paste, no user value. Re-prioritise when manager.py exceeds 5kloc (currently ~4kloc post-Round-2). High blast radius if it breaks the 27 decisions tests.
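Review bot: the re-prioritisation trigger in item 11 rests on two hand-typed figures, "currently ~4kloc post-Round-2" and "the 27 decisions tests", that will go stale as manager.py and its test suite change. Suggest recording the commit at which they were measured (item 8 already cites `81286ec` in that way) or the command used to count them, so whoever revisits the 5kloc threshold can re-check it instead of trusting the note.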
18. ⏳ **ai-config-kit Phase E** (S3 sync). **Deferred** — needs an auth design (IAM role? STS? federated identity?). Each cloud provider has its own credentials chain; baking this into the package adds boto3 or equivalent as a dep. Best handled as an optional `[s3]` extras install.
116
+
19. ⏳ **get-installer Phase D** (forge-aware metadata for git packages). **Deferred** — needs a registry-schema bump + new fetchers per forge (GitHub Releases, GitLab Releases, Bitbucket Downloads, Codeberg). ~1 week of work; the current tarball-URL model already covers GitHub Releases via direct URL.
117
+
20. ⏳ **get-installer Phase E** (multi-tenant + domain-locked installs). **Deferred** — needs an OAuth/OIDC integration with the (future) admin app. Blocked on Phase M.
118
+
21. ⏳ **get-installer Phase I** (forge package distribution / git-package catalogues). **Deferred** — needs vendor-vendoring conventions agreed across the simtabi org first.
119
+
22. ⏳ **release-kit conda-forge automation**. **Deferred** — needs the user to fork the conda-forge feedstock for a real project, then automate the PR-update loop. release-kit's playbook already documents the manual flow; automation is a "when there's a real conda-forge user" item.
23. ⏳ **get-installer Phase M**: `get-installer-admin` — Laravel 13 + Inertia + React + REST API + OAuth. **Out of scope for this audit pass.** Not a Python package; this is a whole separate repo (~weeks of Laravel work). Needs:
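Review bot: items 18 to 22 now read **Deferred** but still carry the ⏳ marker, so a reader scanning the list cannot tell a deferred item from a pending one; a distinct marker or a separate Deferred subsection would fix that. Item 23 is worded "Out of scope for this audit pass" instead of **Deferred**, and item 20's "Blocked on Phase M" does not point at item 23 by number; using the same status word and adding the cross-reference would keep that dependency visible.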