
[spec-review] Update Safe Outputs conformance checker for recent spec changes#26014

Merged: pelikhan merged 1 commit into main from update-safe-outputs-conformance-checker-612454aadfe41d94 on Apr 13, 2026

Conversation

@github-actions (Contributor)

Summary

Updates the Safe Outputs conformance checker script to close gaps identified after reviewing the Safe Outputs specification (v1.16.0) added in d1c210e.

Specification Changes Reviewed

  • Commit d1c210e added docs/src/content/docs/reference/safe-outputs-specification.md (v1.16.0) and scripts/check-safe-outputs-conformance.sh together. Gap analysis against the 4,794-line W3C-style spec revealed four missing checks.
Script Updates

Checks Enhanced

  • CI-002: Added CI9 verification — the setup script must abort the merge and exit with a non-zero status on real merge failures, not just contain git merge. Previously only checked for the presence of merge commands.

New Checks Added

  • MCE-003: Validates MCE5 (Constraint Configuration Consistency, Section 8.3). Verifies that the comment constraint limits declared in comment_limit_helpers.cjs (65536 chars, 10 mentions, 50 links) match those documented in safe_outputs_tools.json. Inconsistent limits between the two layers would silently allow the MCP server and safe output processor to enforce different values.

  • CI-003: Validates CI3 + CI4 (Section 11.4). Verifies that cache_integrity.go uses crypto/sha256 for the policy hash and declares the nopolicy sentinel string for workflows without a guard policy. These are security-critical properties ensuring cache isolation across integrity levels.

  • CI-004: Validates CI5 (Section 11.5). Verifies that the cache memory setup script references .git exclusion logic. The spec requires file validation steps to skip the .git directory because it contains binary/extension-less files not managed by the agent.

Testing

Running MCE-003: Constraint Limit Consistency...
[PASS] MCE-003: Constraint limits are consistent between tool descriptions and enforcement code
Running CI-003: Policy Hash and Nopolicy Sentinel...
[PASS] CI-003: Policy hash uses SHA-256 with nopolicy sentinel as required
Running CI-004: .git Directory Exclusion from Validation...
[PASS] CI-004: .git directory exclusion from validation is present

Conformance Check Summary
Critical Failures: 0
High Failures: 0
Medium Failures: 0
Low Failures: 4  (pre-existing)

PASS: All checks passed

All new checks pass against the current implementation. No pre-existing failures introduced.

Related Files

  • Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Script: scripts/check-safe-outputs-conformance.sh

Generated by Weekly Safe Outputs Specification Review
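As an added illustration of the kind of comparison MCE-003 performs (this is not the project's conformance script), the POSIX shell check below extracts the comment limits from constructed sample copies of comment_limit_helpers.cjs and safe_outputs_tools.json and fails when the two layers disagree; the constant names in the .cjs sample and the description wording in the JSON sample are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-alone MCE-003 style check (not the project's own script).
# It compares the comment constraint limits declared in the enforcement code
# with those documented in the tool descriptions and reports any drift.
# Both input files are constructed samples written to a temp directory.

TMP=$(mktemp -d)
cat > "$TMP/comment_limit_helpers.cjs" <<'EOF'
// constructed sample of the enforcement layer (constant names are assumed)
const MAX_COMMENT_CHARS = 65536;
const MAX_MENTIONS = 10;
const MAX_LINKS = 50;
module.exports = { MAX_COMMENT_CHARS, MAX_MENTIONS, MAX_LINKS };
EOF
cat > "$TMP/safe_outputs_tools.json" <<'EOF'
{ "tools": [ { "name": "add_comment",
  "description": "Body is limited to 65536 characters, 10 mentions, and 50 links." } ] }
EOF

# extract_limit FILE REGEX: print the first number inside the first match
# of REGEX in FILE, or "missing" when the pattern is absent.
extract_limit() {
  n=$(grep -oE "$2" "$1" | grep -oE '[0-9]+' | head -n 1)
  printf '%s' "${n:-missing}"
}

# check_limits CJS JSON: return 0 when all three limits agree, 1 on drift.
# A limit that is missing from either file also counts as drift.
check_limits() {
  cjs=$1; json=$2; status=0
  for pair in "MAX_COMMENT_CHARS:characters" "MAX_MENTIONS:mentions" "MAX_LINKS:links"; do
    const=${pair%%:*}; word=${pair##*:}
    code=$(extract_limit "$cjs" "$const *= *[0-9]+")
    doc=$(extract_limit "$json" "[0-9]+ $word")
    if [ "$code" = "$doc" ]; then
      echo "[PASS] $const: code=$code doc=$doc"
    else
      echo "[FAIL] $const: code=$code doc=$doc"; status=1
    fi
  done
  return $status
}

check_limits "$TMP/comment_limit_helpers.cjs" "$TMP/safe_outputs_tools.json"
```

Editing one limit in either sample file (for example lowering MAX_LINKS in the .cjs copy) makes check_limits return 1, which is the silent drift the real check exists to surface.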

Add three new checks and enhance CI-002 to close gaps between the
Safe Outputs spec (v1.16.0, added in d1c210e) and the conformance script:

- CI-002: Add CI9 check — verify setup script aborts and exits non-zero
  on merge failure, not just that 'git merge' is present (Section 11.6)
- MCE-003 (new): MCE5 — verify constraint limits (65536/10/50) in
  comment_limit_helpers.cjs match those in safe_outputs_tools.json
  to catch silent limit drift between tool descriptions and enforcement
  (Section 8.3 MCE5)
- CI-003 (new): CI3+CI4 — verify cache_integrity.go uses crypto/sha256
  for policy hash computation and declares the 'nopolicy' sentinel for
  workflows without a guard policy (Section 11.4)
- CI-004 (new): CI5 — verify .git directory is excluded from cache
  memory file validation steps (Section 11.5)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added automation documentation Improvements or additions to documentation safe-outputs lgtm labels Apr 13, 2026
@github-actions (Contributor Author)

Hey @github-actions 👋 — great work closing the conformance gaps in the Safe Outputs checker! The additions are well-scoped and directly address the spec coverage issues identified in the d1c210e gap analysis. This PR looks ready for maintainer review. 🎉

Checklist summary:

Check: Result
On-topic: ✅ yes
Follows process: ✅ yes (agent-created PR, core-team workflow)
Focused: ✅ yes (one file, one purpose)
New dependencies: ✅ no
Has tests/verification: ✅ yes (conformance script is the test artifact)
Has description: ✅ yes
Diff size: 133 lines

Verdict: 🟢 Aligned — all contribution guidelines met. The PR targets a single file (scripts/check-safe-outputs-conformance.sh), the description is thorough with spec section references and test output, and the four new/enhanced checks (CI-002, MCE-003, CI-003, CI-004) are each traced back to specific spec requirements. No new dependencies introduced.

Generated by Contribution Check

@pelikhan pelikhan merged commit 39736b5 into main Apr 13, 2026
@pelikhan pelikhan deleted the update-safe-outputs-conformance-checker-612454aadfe41d94 branch April 13, 2026 13:39