Skip to content

[spdd] Daily spec work plan - 2026-07-05 #43593

Description

@github-actions

Summary

SPDD batch 5/27 (index 20-24): MCP Access Control Compliance Fixtures, Intent Attribution & Agent Governance (v2.0.0, Partially Implemented), OTel Observability (v0.4.0, Working Draft), replace-label (v1.0.0, Candidate Recommendation), Safe Output Outcome Evaluation (v1.0.0, Working Draft).

Top risks: intent-attribution ExecutionPolicy not enforced by Go orchestrator (only in prompt); 7 outcome evaluators are not-started and fall back to permissive evalGenericSticky; replace_label type is absent from the outcome-evaluation spec despite being shipped; OTel spec section 17 has no test IDs.

Priority Work Queue

P0: Missing ExecutionPolicy orchestrator enforcement; dispatch_workflow/update_project/update_release/link_sub_issue evaluators emit accepted on existence alone.

P1: OTel Level 3 features unvalidated; replace-label has no compliance fixtures; mergePolicy() has no precedence unit tests.

P2: MCP fixture coverage gaps (sections 5-10); OTel section 17 lacks test IDs; intent-attribution missing RFC 2119 Norms section.

SPDD Checklist

  • /spdd-analysis intent-attribution: Audit Authorizer.AuthorizeTool in pkg/ against spec ExecutionPolicy.AllowedTools/DeniedTools -- document which fields are wired vs unused (specs/intent-attribution-agent-governance.md)
  • /spdd-generate intent-attribution: Add 3 unit tests for PolicyCompiler.Compile() covering organization > repository > intent precedence in pkg/ -- done when a lower-precedence rule cannot weaken a higher-precedence constraint
  • /spdd-generate safe-output-outcome-evaluation: Implement dedicated Go evaluators for dispatch_workflow and update_discussion in pkg/cli/outcome_eval.go -- done when neither type falls back to evalGenericSticky
  • /spdd-generate replace-label: Create two YAML compliance fixtures for RL-001 (glob semantics) and RL-003 (blocklist ordering) in specs/replace-label-compliance/ -- done when fixture files exist and reference the RL codes
  • /spdd-sync otel-observability: Add at least 5 T-OT-NNN test ID stubs in section 17 of specs/otel-observability-spec.md covering Level 1: compiler config, endpoint normalization, OTLP export, trace context, local mirrors
  • /spdd-reasons-canvas intent-attribution: Add RFC 2119 Norms section to specs/intent-attribution-agent-governance.md covering attribution-resolution order, ambiguous-root handling, and fail-closed behavior
  • /spdd-sync safe-output-outcome-evaluation: Add replace_label row to both the Default Acceptance Map and Implementation Status tables in specs/safe-output-outcome-evaluation.md -- done when Go/JS areas are listed
  • /spdd-analysis mcp-access-control-compliance: Identify 3-5 missing fixture scenarios for sections 5-10 of the upstream spec and add stubs to specs/github-mcp-access-control-compliance/
  • /spdd-reasons-canvas otel-observability: Audit span lifecycle in sections 9-10 of specs/otel-observability-spec.md -- verify each span type has start/end condition, parent constraint, and required attributes
  • /spdd-generate intent-attribution: Document .github/intent-policy.json schema in specs/intent-attribution-agent-governance.md covering version, labels dimensions, scoring strategy, and attribution fields

Per-Spec Findings

MCP Access Control Compliance Fixtures
Intent Attribution & Agent Governance (v2.0.0)
  • suggested attribution promotion path is undefined.
  • No staleness/timeout policy for pending attributions.
  • multi_label_logic: max with labels at both issue and PR level is ambiguous.
  • No RFC 2119 Norms section; fail closed principle lacks test assertions.
OTel Observability (v0.4.0)
  • Compliance classes (section 2.2) and levels (section 2.3) are well-specified.
  • Section 17 has no test IDs -- Level 3 features (metrics, logs) are unvalidated.
  • Section 10.6 lifecycle event attributes are undefined.
replace-label (v1.0.0)
  • RL-001--RL-003 are normatively defined but no fixture files exist.
  • RL-003 (blocklist ordering) is a security boundary requiring test coverage.
  • Section 5 (Processing Model) missing OTel attributes for skipped-missing-source-label path.
Safe Output Outcome Evaluation (v1.0.0)
  • 7 types not-started; evalGenericSticky is too permissive for outcome quality metrics.
  • replace_label completely absent from acceptance map and implementation table.
  • Section 12 (update_discussion) says same as update_issue but mechanism differs (GraphQL vs REST).

Sync Follow-ups

  • After adding replace_label evaluator: update pkg/cli/outcome_eval.go and actions/setup/js/evaluate_outcomes.cjs.
  • After OTel test IDs added: link section 17 to the Go test file.
  • After replace-label fixtures: reference them from section 9 of specs/replace-label-spec.md.
  • After intent-policy.json schema: add reference doc in docs/src/content/docs/reference/.

Context

Field Value
Files reviewed specs/github-mcp-access-control-compliance/README.md, specs/intent-attribution-agent-governance.md, specs/otel-observability-spec.md, specs/replace-label-spec.md, specs/safe-output-outcome-evaluation.md
Rotation index 20-24 of 27
Next batch 25-27 (security-architecture specs)
Run 28747003439

References:

Generated by 📋 Daily SPDD Spec Planner · 109 AIC · ⌖ 9.27 AIC · ⊞ 4.9K ·

  • expires on Jul 8, 2026, 8:29 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions