Skip to content

Commit 2a23829

Browse files
committed
docs(specs): flag 058↔057 statelessness conflict + make roadmap.yaml authoritative
Cross-spec contradiction audit (2026-07-01) of merged-but-unimplemented specs. Key finding: specs/README.md badges (tasks.md checkbox %) are systematically stale — most 'drafted/0%' specs are actually shipped. The one genuine design contradiction is Spec 058 (MCP 2026-07-28 upgrade, BLOCKED) vs SHIPPED Spec 057 (in-proxy profiles): 058 FR-012 forbids per-connection */list variation, but 057 selects the toolset by URL path /mcp/p/<slug>. 028 agent-token scoping is already compatible (header-carried identity). - specs/058: add a Cross-Spec Reconciliation note (Option A/B + a plan.md action); 058 already had US3/FR-011-014 for the token case, this adds the 057 URL case. - specs/README.md: point to roadmap.yaml/ROADMAP.md as the AUTHORITATIVE status source; badges are a stale checkbox heuristic (roadmap.yaml wins on disagreement). - roadmap.yaml: record the genuinely merged-but-unimplemented specs as epics — 058 (blocked, with the conflict note), 054 Tracks C/D, 065 discovery-eval half. Docs/spec-only; no code touched. Related: Spec 058 (specs/058-mcp-2026-upgrade)
1 parent 5b0cfbe commit 2a23829

4 files changed

Lines changed: 47 additions & 2 deletions

File tree

ROADMAP.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -92,6 +92,9 @@ graph TD
9292
paid_tier["Paid-tier MVP (billing / seats / license)<br/>MCP-40"]
9393
sdk_v1_migration["SDK v1 migration"]
9494
sso["SSO (server edition)"]
95+
mcp_2026_upgrade["MCP protocol upgrade to 2026-07-28 revision"]
96+
security_gateway_cd["Security gateway Tracks C/D (per-arg least-privilege + signature provenance)"]
97+
discovery_eval_harness["Discovery-quality eval harness (Spec 065 second half)"]
9598
9699
profiles_v2_indexes --> profiles_v2_set_profile
97100
profiles_v2_set_profile --> profiles_v2_profile_pin
@@ -127,7 +130,8 @@ graph TD
127130
class profiles_v2,profiles_v2_indexes,profiles_v2_set_profile,profiles_v2_profile_pin,profiles_v2_tray_switcher,sandbox_isolation,sandbox_spike,sandbox_mode_config,sandbox_launcher,sandbox_scanner_parity,sandbox_snap_docker_it,ts_code_exec_ga,ts_code_exec_cookbook,scanner_v2,scanner_v2_foundation,scanner_v2_hard_checks,scanner_v2_soft_checks,scanner_v2_consensus,scanner_v2_eval_gate,scanner_v2_docs done;
128131
class scanner_simplification in_progress;
129132
class windows_tray,windows_tray_window in_review;
130-
class ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,registries_official_protocol,scanner_simpl_baseline,scanner_simpl_unified_report,scanner_simpl_deep_optin,scanner_simpl_notifications todo;
133+
class mcp_2026_upgrade blocked;
134+
class ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,registries_official_protocol,scanner_simpl_baseline,scanner_simpl_unified_report,scanner_simpl_deep_optin,scanner_simpl_notifications,security_gateway_cd,discovery_eval_harness todo;
131135
class marketplace,siem,paid_tier,sdk_v1_migration,sso parked;
132136
```
133137

@@ -137,10 +141,13 @@ graph TD
137141
| --- | --- | --- | --- | --- | --- | --- |
138142
| Scanner simplification (deterministic default, opt-in deep scan) | In progress | unassigned | P1 | 0/42 (0%) | [077-scanner-simplification](./specs/077-scanner-simplification/) | |
139143
| Windows native tray app `MCP-43` | In review | BackendEngineer | P2 | 25/60 (42%) | [002-windows-installer](./specs/002-windows-installer/) | |
144+
| MCP protocol upgrade to 2026-07-28 revision | Blocked | | P3 || [058-mcp-2026-upgrade](./specs/058-mcp-2026-upgrade/) | |
140145
| Web UI + macOS app UX audit | Todo | unassigned | P0 || [064-glass-cockpit](./specs/064-glass-cockpit/) | |
141146
| Action log / transparency — info at a glance | Todo | unassigned | P0 | 63/66 (95%) | [024-expand-activity-log](./specs/024-expand-activity-log/) | |
142147
| Analytics dashboard as default page | Todo | unassigned | P1 | 16/26 (62%) | [069-observability-usage-graphs](./specs/069-observability-usage-graphs/) | |
143148
| Registries — easier search + add-server | Todo | unassigned | P1 | 3/24 (12%) | [070-registry-easy-upstream-add](./specs/070-registry-easy-upstream-add/) | |
149+
| Security gateway Tracks C/D (per-arg least-privilege + signature provenance) | Todo | | P3 || [054-mcp-security-gateway](./specs/054-mcp-security-gateway/) | |
150+
| Discovery-quality eval harness (Spec 065 second half) | Todo | | P3 || [065-evaluation-foundation](./specs/065-evaluation-foundation/) | |
144151
| Server marketplace `MCP-37` | Todo (parked) | | P3 | 3/24 (12%) | [070-registry-easy-upstream-add](./specs/070-registry-easy-upstream-add/) | |
145152
| Audit SIEM integration `MCP-39` | Todo (parked) | | P3 || | |
146153
| Paid-tier MVP (billing / seats / license) `MCP-40` | Todo (parked) | | P3 || | |

roadmap.yaml

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -356,3 +356,29 @@ epics:
356356
priority: P3
357357
depends_on: []
358358
note: "PARKED. Single sign-on for the multi-user server edition."
359+
360+
# ── MERGED-BUT-UNIMPLEMENTED specs (cross-spec audit 2026-07-01) ───────────
361+
# These specs are checked into specs/ but materially absent from code. Most
362+
# "drafted/0%" specs are actually SHIPPED (stale tasks.md checkboxes) — these
363+
# are the genuinely-unbuilt ones. See docs/personal-edition-polish.md audit.
364+
- id: mcp-2026-upgrade
365+
title: MCP protocol upgrade to 2026-07-28 revision
366+
status: blocked
367+
priority: P3
368+
spec: specs/058-mcp-2026-upgrade
369+
depends_on: []
370+
note: "BLOCKED on mcp-go shipping 2026-07-28 (pinned v0.54.0 = 2025-11-25 only). CROSS-SPEC CONFLICT: FR-012 forbids per-connection */list variation; SHIPPED Spec 057 selects toolset by URL path /mcp/p/<slug>. Must reconcile at plan time (058 spec now carries a Cross-Spec Reconciliation note). 028 agent-token scoping is already compatible (header-carried)."
371+
- id: security-gateway-cd
372+
title: Security gateway Tracks C/D (per-arg least-privilege + signature provenance)
373+
status: todo
374+
priority: P3
375+
spec: specs/054-mcp-security-gateway
376+
depends_on: []
377+
note: "Track A→Spec 056, Track B→Spec 059 (both shipped). UNBUILT: Track C per-ARGUMENT allow-listing (per-tool scope exists in mcp_direct_scope.go); Track D provenance + human-readable signature diff (SHA-256 pinning exists via Spec 032). Build ON 032/028, don't re-implement; honor the rug-pull re-quarantine interaction rule vs 032 auto-approve."
378+
- id: discovery-eval-harness
379+
title: Discovery-quality eval harness (Spec 065 second half)
380+
status: todo
381+
priority: P3
382+
spec: specs/065-evaluation-foundation
383+
depends_on: []
384+
note: "Security recall/FP half SHIPPED (cmd/scan-eval, backs Spec 076/077 gate). UNBUILT: the discovery-quality (retrieve_tools recall) eval harness."

specs/058-mcp-2026-upgrade/spec.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,16 @@
99

1010
This feature **cannot begin implementation** until the upstream MCP client/server library (`github.com/mark3labs/mcp-go`) ships support for protocol revision `2026-07-28`. As of 2026-05-28 the pinned library (v0.54.0) and the latest published release (v0.54.1) both target only `2025-11-25`; no `2026-07-28` constant exists in the library. This spec captures the full upgrade scope now so execution can start immediately once the gate clears. A scheduled tracking agent watches the library and the spec's RC→final status and notifies the maintainer when the gate opens.
1111

12+
## Cross-Spec Reconciliation *(read at plan time)*
13+
14+
> **Flagged 2026-07-01 (cross-spec contradiction audit).** FR-012 forbids per-connection variation of `*/list` results; identity-scoped views must be driven by request-carried identity (token / headers / `_meta`), **not connection state**. US3 + FR-013 already reconcile **Spec 028 agent-token scoping** — token identity travels in the `Authorization` header, so it is request-carried and compatible.
15+
>
16+
> **The unresolved case is Spec 057 (In-Proxy Profiles), which is SHIPPED on main.** Spec 057 selects a filtered per-profile toolset by **URL path** (`/mcp/p/<slug>`), not by `_meta`/header identity. Under FR-012 this MUST be classified before implementation:
17+
> - **Option A — treat the profile URL path as request-carried identity.** Each request line carries the slug, so arguably it is *not* connection state. But a client that opens a stream to `/mcp/p/<slug>` binds the profile to that endpoint, which is closer to connection state than to `_meta` identity, and FR-014 forbids relying on a long-lived GET stream — so profile routing must remain correct in a purely stateless, request-scoped model.
18+
> - **Option B — move profile selection into `_meta`/a header** (e.g. a `profile` field in per-request `_meta`), demoting or deprecating the `/mcp/p/<slug>` path form for `2026-07-28` clients while keeping it for `2025-11-25` clients during the deprecation window.
19+
>
20+
> **Action for plan.md:** pick A or B explicitly, add an acceptance scenario proving per-profile filtering (Spec 057) works under the stateless model without per-connection list variation, and confirm `GET`/`DELETE` on `/mcp/p/<slug>` follow FR-014. Do not implement 058 without resolving this — building FR-012 naively would break shipped per-profile routing. (028 needs no change; 057 does.)
21+
1222
## User Scenarios & Testing *(mandatory)*
1323

1424
### User Story 1 - Connecting clients negotiate the new protocol without breakage (Priority: P1)

specs/README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
# Specs Index
22

3-
Every numbered directory under `specs/` is a feature specification produced with [GitHub spec-kit](https://github.com/github/spec-kit). This page is the canonical list; badges reflect `tasks.md` checklist progress and are a quick heuristic — not a guarantee. When ambiguous, cross-check `git log --grep='<spec-number>'` and the spec's `plan.md`.
3+
Every numbered directory under `specs/` is a feature specification produced with [GitHub spec-kit](https://github.com/github/spec-kit).
4+
5+
> **Authoritative status lives in [`../roadmap.yaml`](../roadmap.yaml)** (rendered to [`../ROADMAP.md`](../ROADMAP.md)), **not in the badges below.** The badges on this page are derived purely from `tasks.md` checkbox counts and are known to be **systematically stale** — many specs shown as `drafted`/`0%` are in fact shipped (the checkboxes were never ticked after implementation). `roadmap.yaml` carries an explicit `status` field (`todo`/`in_progress`/`in_review`/`blocked`/`done`) per epic that does not depend on checkbox hygiene. Treat the table below as a spec *directory*, and `roadmap.yaml`/`ROADMAP.md` as the source of truth for **what is actually built**. When a badge and `roadmap.yaml` disagree, `roadmap.yaml` wins; confirm against code (`git log --grep='<spec-number>'`, or grep for the spec's key symbols) rather than the badge.
46
57
**Status legend**
68

0 commit comments

Comments
 (0)