docs(specs): flag 058↔057 statelessness conflict + make roadmap.yaml authoritative (#790)
Cross-spec contradiction audit (2026-07-01) of merged-but-unimplemented specs.
Key finding: specs/README.md badges (tasks.md checkbox %) are systematically
stale — most 'drafted/0%' specs are actually shipped. The one genuine design
contradiction is Spec 058 (MCP 2026-07-28 upgrade, BLOCKED) vs SHIPPED Spec 057
(in-proxy profiles): 058 FR-012 forbids per-connection */list variation, but 057
selects the toolset by URL path /mcp/p/<slug>. 028 agent-token scoping is already
compatible (header-carried identity).
- specs/058: add a Cross-Spec Reconciliation note (Option A/B + a plan.md action);
058 already had US3/FR-011-014 for the token case, this adds the 057 URL case.
- specs/README.md: point to roadmap.yaml/ROADMAP.md as the AUTHORITATIVE status
source; badges are a stale checkbox heuristic (roadmap.yaml wins on disagreement).
- roadmap.yaml: record the genuinely merged-but-unimplemented specs as epics —
058 (blocked, with the conflict note), 054 Tracks C/D, 065 discovery-eval half.
Docs/spec-only; no code touched.
Related: Spec 058 (specs/058-mcp-2026-upgrade)
class profiles_v2,profiles_v2_indexes,profiles_v2_set_profile,profiles_v2_profile_pin,profiles_v2_tray_switcher,sandbox_isolation,sandbox_spike,sandbox_mode_config,sandbox_launcher,sandbox_scanner_parity,sandbox_snap_docker_it,ts_code_exec_ga,ts_code_exec_cookbook,scanner_v2,scanner_v2_foundation,scanner_v2_hard_checks,scanner_v2_soft_checks,scanner_v2_consensus,scanner_v2_eval_gate,scanner_v2_docs,registries_official_protocol,scanner_simplification,scanner_simpl_baseline,scanner_simpl_unified_report,scanner_simpl_deep_optin,scanner_simpl_notifications,scanner_simpl_deepscan_fixes,upgrade_nudge_status_log,connect_trust_preview,connect_trust_backup_visibility,telemetry_machineid_client,hygiene_roadmap_github_check done;
168
171
class upgrade_nudge,connect_trust,telemetry_identity in_progress;
169
172
class windows_tray,windows_tray_window in_review;
170
-
class windows_tray_funnel_qa,ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,upgrade_nudge_surfacing,upgrade_nudge_channel,upgrade_nudge_quiet,connect_trust_undo,connect_trust_tcc_copy,telemetry_machineid_worker,telemetry_machineid_dash,telemetry_snapshot_alerting,planning_hygiene,hygiene_tasks_reconcile,hygiene_docs_facts,hygiene_quickstart_contract todo;
173
+
class mcp_2026_upgrade blocked;
174
+
class windows_tray_funnel_qa,ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,upgrade_nudge_surfacing,upgrade_nudge_channel,upgrade_nudge_quiet,connect_trust_undo,connect_trust_tcc_copy,telemetry_machineid_worker,telemetry_machineid_dash,telemetry_snapshot_alerting,planning_hygiene,hygiene_tasks_reconcile,hygiene_docs_facts,hygiene_quickstart_contract,security_gateway_cd,discovery_eval_harness todo;
171
175
class marketplace,siem,paid_tier,sdk_v1_migration,sso parked;
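Review bot: Of the three class names added in this hunk (`mcp_2026_upgrade` as `blocked`, plus `security_gateway_cd` and `discovery_eval_harness` appended to the `todo` line), only `mcp-2026-upgrade` has a matching epic among the roadmap.yaml lines shown in this commit view. Confirm the other two epics exist in roadmap.yaml with status `todo`, and that these class lines were regenerated from roadmap.yaml rather than edited by hand, so the diagram and the YAML cannot drift apart.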
# These specs are checked into specs/ but materially absent from code. Most
487
+
# "drafted/0%" specs are actually SHIPPED (stale tasks.md checkboxes) — these
488
+
# are the genuinely-unbuilt ones. See docs/personal-edition-polish.md audit.
489
+
- id: mcp-2026-upgrade
490
+
title: MCP protocol upgrade to 2026-07-28 revision
491
+
status: blocked
492
+
priority: P3
493
+
spec: specs/058-mcp-2026-upgrade
494
+
depends_on: []
495
+
note: "BLOCKED on mcp-go shipping 2026-07-28 (pinned v0.55.x tops out at 2025-11-25). CROSS-SPEC CONFLICT: FR-012 forbids per-connection */list variation; SHIPPED Spec 057 selects toolset by URL path /mcp/p/<slug>. Must reconcile at plan time (058 spec now carries a Cross-Spec Reconciliation note). 028 agent-token scoping is already compatible (header-carried)."
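Review bot: The `note` string gives the pinned mcp-go as `v0.55.x`, while the unchanged context paragraph in specs/058-mcp-2026-upgrade/spec.md in this same commit says the pinned library is v0.54.0 (latest v0.54.1) as of 2026-05-28. Put a date on the version statement here or update the spec paragraph alongside it, so the blocking condition reads the same in both places. Separately, `depends_on: []` next to `status: blocked` leaves the blocker recorded only in free text; consider trimming the note to the upstream gate plus a pointer to the spec's Cross-Spec Reconciliation section instead of restating the FR-012 / Spec 057 analysis.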
specs/058-mcp-2026-upgrade/spec.md (10 additions & 0 deletions)
@@ -9,6 +9,16 @@
9
9
10
10
This feature **cannot begin implementation** until the upstream MCP client/server library (`github.com/mark3labs/mcp-go`) ships support for protocol revision `2026-07-28`. As of 2026-05-28 the pinned library (v0.54.0) and the latest published release (v0.54.1) both target only `2025-11-25`; no `2026-07-28` constant exists in the library. This spec captures the full upgrade scope now so execution can start immediately once the gate clears. A scheduled tracking agent watches the library and the spec's RC→final status and notifies the maintainer when the gate opens.
11
11
12
+
## Cross-Spec Reconciliation *(read at plan time)*
13
+
14
+
> **Flagged 2026-07-01 (cross-spec contradiction audit).** FR-012 forbids per-connection variation of `*/list` results; identity-scoped views must be driven by request-carried identity (token / headers / `_meta`), **not connection state**. US3 + FR-013 already reconcile **Spec 028 agent-token scoping** — token identity travels in the `Authorization` header, so it is request-carried and compatible.
15
+
>
16
+
> **The unresolved case is Spec 057 (In-Proxy Profiles), which is SHIPPED on main.** Spec 057 selects a filtered per-profile toolset by **URL path** (`/mcp/p/<slug>`), not by `_meta`/header identity. Under FR-012 this MUST be classified before implementation:
17
+
> -**Option A — treat the profile URL path as request-carried identity.** Each request line carries the slug, so arguably it is *not* connection state. But a client that opens a stream to `/mcp/p/<slug>` binds the profile to that endpoint, which is closer to connection state than to `_meta` identity, and FR-014 forbids relying on a long-lived GET stream — so profile routing must remain correct in a purely stateless, request-scoped model.
18
+
> -**Option B — move profile selection into `_meta`/a header** (e.g. a `profile` field in per-request `_meta`), demoting or deprecating the `/mcp/p/<slug>` path form for `2026-07-28` clients while keeping it for `2025-11-25` clients during the deprecation window.
19
+
>
20
+
> **Action for plan.md:** pick A or B explicitly, add an acceptance scenario proving per-profile filtering (Spec 057) works under the stateless model without per-connection list variation, and confirm `GET`/`DELETE` on `/mcp/p/<slug>` follow FR-014. Do not implement 058 without resolving this — building FR-012 naively would break shipped per-profile routing. (028 needs no change; 057 does.)
21
+
12
22
## User Scenarios & Testing *(mandatory)*
13
23
14
24
### User Story 1 - Connecting clients negotiate the new protocol without breakage (Priority: P1)
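Review bot: Option B leaves precedence undefined for the deprecation window. It keeps `/mcp/p/<slug>` for `2025-11-25` clients while `2026-07-28` clients send a `profile` field in `_meta`, so a request can arrive on a profile path carrying a `_meta` profile that names a different slug. Because the profile decides which filtered toolset is exposed, the "Action for plan.md" paragraph should require an explicit rule (reject the mismatch, or state which source wins) and an acceptance scenario for it, next to the existing per-profile filtering scenario. Minor: the two option lines start with `> -**Option` with no space after the hyphen as shown here, which will not render as list items.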
specs/README.md (3 additions & 1 deletion)
@@ -1,6 +1,8 @@
1
1
# Specs Index
2
2
3
-
Every numbered directory under `specs/` is a feature specification produced with [GitHub spec-kit](https://github.com/github/spec-kit). This page is the canonical list; badges reflect `tasks.md` checklist progress and are a quick heuristic — not a guarantee. When ambiguous, cross-check `git log --grep='<spec-number>'` and the spec's `plan.md`.
3
+
Every numbered directory under `specs/` is a feature specification produced with [GitHub spec-kit](https://github.com/github/spec-kit).
4
+
5
+
> **Authoritative status lives in [`../roadmap.yaml`](../roadmap.yaml)** (rendered to [`../ROADMAP.md`](../ROADMAP.md)), **not in the badges below.** The badges on this page are derived purely from `tasks.md` checkbox counts and are known to be **systematically stale** — many specs shown as `drafted`/`0%` are in fact shipped (the checkboxes were never ticked after implementation). `roadmap.yaml` carries an explicit `status` field (`todo`/`in_progress`/`in_review`/`blocked`/`done`) per epic that does not depend on checkbox hygiene. Treat the table below as a spec *directory*, and `roadmap.yaml`/`ROADMAP.md` as the source of truth for **what is actually built**. When a badge and `roadmap.yaml` disagree, `roadmap.yaml` wins; confirm against code (`git log --grep='<spec-number>'`, or grep for the spec's key symbols) rather than the badge.
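Review bot: The new blockquote enumerates the `status` values as `todo`/`in_progress`/`in_review`/`blocked`/`done`, but the roadmap class lines shown earlier in this commit also use `parked` (`class marketplace,siem,paid_tier,sdk_v1_migration,sso parked;`). Add `parked` to the list, or say the list is not exhaustive, so a reader checking a parked epic against this page does not conclude the value is invalid. The paragraph also packs the authority statement, the staleness explanation and the tie-break rule into one block; splitting the tie-break rule ("When a badge and `roadmap.yaml` disagree, `roadmap.yaml` wins") onto its own line would make it easier to find.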