fix: safe VS Code settings merge and project artifact writes (#490)

[djm81]

Description

This change implements the safe project artifact write policy for specfact init ide (and related paths) so .vscode/settings.json is merged instead of overwritten: SpecFact-managed chat/prompt recommendations are applied while unrelated user settings are preserved. Malformed JSON fails safely unless --force is used (with backup under .specfact/recovery/). A CI/static guard (scripts/verify_safe_project_writes.py, wired into hatch run lint) rejects direct unsafe writes to protected paths in init/setup code.

Semgrep started failing when setuptools 82+ dropped pkg_resources; this PR pins setuptools>=69.0.0,<82 in Hatch/dev deps so the code review and lint stack keep working.

OpenSpec: profile-04-safe-project-artifact-writes. Paired modules adoption remains tracked as project-runtime-01-safe-artifact-write-policy (see #490).

Fixes #487

Closes #490

Contract References

• specfact_cli.utils.project_artifact_write: merge_vscode_settings_prompt_recommendations, backup_file_to_recovery, create_vscode_settings — @require / @ensure with contract_predicates.repo_path_exists, repo_path_is_dir, file_path_is_file, settings_relative_nonblank, prompt_files_all_strings.
• specfact_cli.utils.contract_predicates: settings_relative_nonblank, prompt_files_all_strings (new).
• scripts/verify_safe_project_writes.py: main() with layout precondition and postcondition via icontract; @beartype on entrypoints.

Type of Change

Please check all that apply:

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 Documentation update
• 🔒 Contract enforcement (adding/updating @icontract decorators)
• 🧪 Test enhancement (scenario tests, property-based tests)
• 🔧 Refactoring (code improvement without functionality change)

Contract-First Testing Evidence

Required for all changes affecting CLI commands or public APIs:

Contract Validation

• Runtime contracts added/updated (@icontract decorators on public APIs)
• Type checking enforced (@beartype decorators applied)
• CrossHair exploration completed: hatch run contract-test-exploration
• Contract violations reviewed and addressed (N/A for this scope / gates clean)

Test Execution

• Contract validation: hatch run contract-test-contracts ✅
• Contract exploration: hatch run contract-test-exploration ✅
• Scenario tests: hatch run contract-test-scenarios ✅
• Full test suite: hatch run smart-test ✅ (and hatch run contract-test auto — cached pass)

Test Quality

• CLI commands tested with typer test client (init ide paths covered via unit/integration tests)
• Edge cases covered with Hypothesis property tests
• Error handling tested with invalid inputs (malformed JSON, bad chat shape)
• Rich console output verified manually or with snapshots

How Has This Been Tested?

Contract-First Approach: New predicates and safe-write helpers are covered by unit tests; verify_safe_project_writes is enforced in hatch run lint. specfact code review run executed clean on touched scripts.

Manual Testing

• Tested CLI commands manually
• Verified rich console output
• Tested with different input scenarios
• Checked error messages for clarity

Automated Testing

• Contract validation passes
• Property-based tests cover edge cases
• Scenario tests cover user workflows
• All existing tests still pass

Test Environment

• Python version: 3.12 (Hatch default env)
• OS: Linux (Ubuntu)

Checklist

• My code follows the style guidelines (PEP 8, ruff format, isort)
• I have performed a self-review of my code
• I have added/updated contracts (@icontract, @beartype)
• I have added/updated docstrings (Google style) (minimal; public helpers documented as in repo norms)
• I have made corresponding changes to documentation
• My changes generate no new warnings (basedpyright, ruff, pylint) (0 basedpyright errors; pre-existing test warnings)
• All tests pass locally
• I have added tests that prove my fix/feature works
• Any dependent changes have been merged (paired specfact-cli-modules change tracked in [Change] Safe project artifact writes for init and IDE setup #490 — not a blocker for this PR)

Quality Gates Status

• Type checking ✅ (hatch run type-check)
• Linting ✅ (hatch run lint)
• Contract validation ✅ (hatch run contract-test-contracts)
• Contract exploration ✅ (hatch run contract-test-exploration)
• Scenario tests ✅ (hatch run contract-test-scenarios)

Screenshots/Recordings (if applicable)

N/A (behavioral/CLI plumbing; see tests and TDD_EVIDENCE.md in the OpenSpec change folder).

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a safe-write core for project artifacts (notably .vscode/settings.json): new JSON5-backed merge/backup logic, error types, and explicit --force replace semantics; refactors IDE setup to use it; adds an AST-based CI/lint gate to prevent raw JSON IO; bumps package to v0.45.2 and updates docs/tests. (50 words)

Changes

Cohort / File(s)	Summary
Version & Packaging pyproject.toml, setup.py, src/__init__.py, src/specfact_cli/__init__.py, CHANGELOG.md	Bumped package to 0.45.2, added json5>=0.9.28, and constrained setuptools<82 in dev/Hatch envs.
Docs & Samples README.md, docs/getting-started/installation.md, docs/_support/readme-first-contact/..., docs/_support/readme-first-contact/sample-output/..., docs/_support/readme-first-contact/sample-output/review-output.txt	Updated CLI version strings to 0.45.2; documented .vscode/settings.json merge behavior, failure modes, and --force/backup semantics; refreshed sample outputs.
Safe-write Core Module src/specfact_cli/utils/project_artifact_write.py	New module: JSON5-backed read/merge/write for VS Code settings, repository-relative path safety, ordered dedupe merges, SpecFact-managed-path stripping, .specfact/recovery backups, error classes (ProjectArtifactWriteError, StructuredJsonDocumentError), and public APIs merge_vscode_settings_prompt_recommendations / backup_file_to_recovery.
IDE Setup Refactor src/specfact_cli/utils/ide_setup.py	Delegates merging/repair to safe-write helper, adds force: bool param, handles StructuredJsonDocumentError with click-friendly exit, adjusts prompt-finalization to support empty explicit mappings, and removes local merge helpers.
Contracts & Validation src/specfact_cli/utils/contract_predicates.py	Added icontract/beartype predicates settings_relative_nonblank and prompt_files_all_strings.
Lint Gate & CI .github/workflows/pr-orchestrator.yml, pyproject.toml	Added scripts/verify_safe_project_writes.py to lint/CI checks and extended lint script to run the verifier; CI job step tightened with set -euo pipefail.
Regression Gate Script scripts/verify_safe_project_writes.py	New AST-based verifier that scans ide_setup.py for direct JSON IO call sites (load, dump, loads, dumps, including aliases) and returns exit codes {0,1,2}.
Tests & OpenSpec Evidence tests/unit/..., openspec/changes/profile-04-safe-project-artifact-writes/...	Added unit tests for safe-write behavior and verifier, extensive merge/backup/error-flow tests; added TDD evidence and updated tasks/checklist for profile-04.
Minor Test Import Update tests/unit/utils/test_ide_setup.py	Adjusted test import to source _is_specfact_github_prompt_path from project_artifact_write.
Build/metadata script samples docs/_support/readme-first-contact/capture-readme-output.sh, sample-output files	Bumped sample CLI version env usage to 0.45.2 in capture scripts and outputs.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI (init ide)
    participant IdeSetup as ide_setup.py
    participant SafeWrite as project_artifact_write.py
    participant FS as File System
    participant CI as CI / Lint Gate

    rect rgba(70, 130, 180, 0.5)
        note over CLI,IdeSetup: Prior behavior — direct overwrite
        CLI->>IdeSetup: create_vscode_settings(prompts)
        IdeSetup->>FS: write settings.json (overwrite)
        FS-->>CLI: existing settings lost
    end

    rect rgba(34, 139, 34, 0.5)
        note over CLI,SafeWrite: New behavior — merge, validate, backup
        CLI->>IdeSetup: create_vscode_settings(prompts, force=False)
        IdeSetup->>SafeWrite: merge_vscode_settings_prompt_recommendations(prompts,...)
        SafeWrite->>FS: read settings.json
        alt invalid JSON & force=False
            FS-->>SafeWrite: invalid JSON
            SafeWrite-->>IdeSetup: StructuredJsonDocumentError
            IdeSetup-->>CLI: abort with recovery guidance (exit 1)
        else valid JSON
            SafeWrite->>SafeWrite: merge chat.promptFilesRecommendations (ordered dedupe)
            SafeWrite->>FS: write merged settings.json (preserve other keys)
            FS-->>CLI: updated settings with SpecFact entries merged
        end
        alt force=True
            SafeWrite->>FS: backup settings.json → .specfact/recovery/*.bak
            SafeWrite->>FS: write replacement settings.json
            FS-->>CLI: recoverable backup created
        end
    end

    rect rgba(255, 165, 0, 0.5)
        note over CI,SafeWrite: CI/lint regression gate
        CI->>CI: run python scripts/verify_safe_project_writes.py
        CI-->>SafeWrite: ensures no raw json IO in ide_setup.py
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• #447 — Modifies IDE init/export logic and prompt recommendation merging; overlaps with safe-write and merge behavior changes.
• #446 — Alters create_vscode_settings and prompts handling; intersects the refactor of prompt-source namespacing and merge semantics.
• #478 — Touches VS Code settings and prompt-recommendation flow; related to merging/stripping SpecFact prompt entries and tests.

Suggested labels

QA, documentation

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 29.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: safe VS Code settings merge and project artifact writes (#490)' follows Conventional Commits style with 'fix:' prefix and clearly summarizes the main change.
Description check	✅ Passed	The PR description comprehensively covers required sections: issue fixes, contract references, type of change checkboxes, testing evidence, quality gates, and detailed checklist completion.
Linked Issues check	✅ Passed	Code changes fully implement linked issue requirements: #487 (merge instead of overwrite) and #490 (safe-write policy with backups, contracts, CI guards). All acceptance criteria are met.
Out of Scope Changes check	✅ Passed	All changes are in-scope: safe-write helpers, contract enforcement, CI guard script, setuptools pin, documentation updates, and comprehensive tests directly address the linked issues.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bugfix/profile-04-safe-project-artifact-writes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed16399914

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/getting-started/installation.md`:
- Around line 78-79: The paragraph beginning "For VS Code / Copilot, the CLI
**merges** prompt recommendations..." exceeds the 120-character markdown
line-length guideline; wrap it into multiple lines so no line exceeds 120
characters while preserving all original wording and symbols
(`.vscode/settings.json`, `chat` block, `specfact init ide --force`,
`.specfact/recovery/`) and keep the meaning that the command stops if JSON is
invalid and `--force` replaces the file after a timestamped backup.

In `@openspec/changes/profile-04-safe-project-artifact-writes/tasks.md`:
- Around line 23-28: Add a new checklist item to the verification tasks to run
strict OpenSpec validation: explicitly run "openspec validate
profile-04-safe-project-artifact-writes --strict" and fix any validation errors
until it passes before sign-off; update the tasks list (near the existing
numbered items 4.1–4.6) to include this step and record the successful
validation and timestamp in TDD_EVIDENCE.md (or PR notes) as part of completion
evidence.

In `@scripts/verify_safe_project_writes.py`:
- Around line 22-35: The current _collect_json_io_offenders only flags attribute
calls like json.load/dump and misses direct calls from "from json import loads"
or aliased imports; extend it to first scan the AST for ImportFrom nodes with
module == "json" and collect the imported names and their aliases (e.g., loads,
dumps, load, dump, or alias names), then when walking Call nodes also check if
node.func is an ast.Name whose id is in that collected set and append those
calls (using the same offenders tuple format) so direct imports and aliases are
detected in addition to json.X attribute calls.

In `@src/specfact_cli/utils/contract_predicates.py`:
- Around line 55-60: The validator settings_relative_nonblank currently only
checks for non-blank strings and must be tightened to forbid absolute paths and
parent-traversal segments: update settings_relative_nonblank to (1) strip and
ensure non-empty, (2) construct a pathlib.Path(settings_relative) and ensure
p.is_absolute() is False, and (3) ensure no part equals ".." (e.g., all(part !=
".." for part in p.parts)) so relative traversal is disallowed; return the
combined boolean. Use the function name settings_relative_nonblank and
pathlib.Path in the implementation.

In `@src/specfact_cli/utils/ide_setup.py`:
- Around line 515-523: Extract the duplicated StructuredJsonDocumentError
handling into a small helper (e.g., handle_structured_json_error) and call it
from both _copy_template_files_to_ide and copy_prompts_by_source_to_ide; the
helper should accept the exception instance and the console and perform the two
console.print calls shown in the current blocks and then raise
click.exceptions.Exit(1) from the passed exception. Replace the two try/except
blocks that catch StructuredJsonDocumentError around create_vscode_settings with
a single except that calls this helper (refer to StructuredJsonDocumentError,
create_vscode_settings, _copy_template_files_to_ide, and
copy_prompts_by_source_to_ide to locate the spots).

In `@src/specfact_cli/utils/project_artifact_write.py`:
- Around line 39-45: ProjectWriteMode is declared but never used; either clarify
intent or remove it: if you intend it as a public policy surface, add a short
docstring/TODO to the ProjectWriteMode enum explaining it’s reserved for future
write-dispatch semantics (CREATE_ONLY, MERGE_STRUCTURED, EXPLICIT_REPLACE) so
reviewers know it’s intentional; otherwise delete the ProjectWriteMode
declaration and remove any unused imports/exports referencing it to satisfy
YAGNI. Ensure you update any module-level __all__ or docs if present to reflect
the change.
- Around line 174-178: The backup filename currently uses
datetime.now(UTC).strftime("%Y%m%dT%H%M%SZ") which is only second-precision and
can collide; update the stamp generation in this backup routine (the code that
sets stamp and constructs dest) to include microseconds (e.g. use
"%Y%m%dT%H%M%S.%fZ" or append datetime.now(UTC).strftime("%f")) or implement a
collision-avoidance loop that checks dest.exists() and appends a numeric suffix
until a unique path is found before calling shutil.copy2; ensure you update the
stamp/dest construction code (the variables stamp, dest and the shutil.copy2
call) so no silent overwrite can occur.

In `@tests/unit/modules/init/test_init_ide_prompt_selection.py`:
- Around line 155-174: The test
test_init_ide_malformed_vscode_settings_exits_nonzero currently only checks exit
code and stdout but doesn't assert the CLI preserved the malformed
.vscode/settings.json; after invoking app (the runner.invoke call) read the
settings file (vscode_dir / "settings.json") and assert its contents remain the
original malformed string (e.g. "{not-json") to ensure non-destructive behavior
is tested; place this assertion after the existing exit_code/stdout checks so it
runs even when the command failed.

In `@tests/unit/utils/test_project_artifact_write.py`:
- Around line 102-115: Add a complementary unit test that verifies
create_vscode_settings coerces a non-object "chat" when force=True and creates a
backup: create a .vscode/settings.json containing {"chat":"invalid"}, create a
prompt file as in the existing test, call create_vscode_settings(tmp_path,
".vscode/settings.json", prompts_by_source={PROMPT_SOURCE_CORE: [prompt]},
force=True), then assert a backup file exists under .specfact/recovery (e.g.,
settings.json.*.bak) and that the updated settings.json now has data["chat"] as
a dict; use the test name
test_create_vscode_settings_chat_not_object_force_coerces_with_backup to mirror
the existing test pattern.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: dd742cff-d512-4f1b-924d-f68582e04fec

📥 Commits

Reviewing files that changed from the base of the PR and between 73b8f48 and ed16399.

📒 Files selected for processing (21)

• CHANGELOG.md
• README.md
• docs/_support/readme-first-contact/capture-readme-output.sh
• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• docs/_support/readme-first-contact/sample-output/review-output.txt
• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• pyproject.toml
• scripts/verify_safe_project_writes.py
• setup.py
• src/__init__.py
• src/specfact_cli/__init__.py
• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/utils/test_project_artifact_write.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Linting (ruff, pylint)
• GitHub Check: Contract-First CI
• GitHub Check: Tests (Python 3.12)
• GitHub Check: Compatibility (Python 3.11)

🧰 Additional context used

📓 Path-based instructions (19)

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• src/__init__.py
• src/specfact_cli/__init__.py
• tests/unit/utils/test_contract_predicates.py
• setup.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/contract_predicates.py
• scripts/verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

{src/__init__.py,pyproject.toml,setup.py}

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

{src/__init__.py,pyproject.toml,setup.py}: Update src/init.py first as primary source of truth for package version, then pyproject.toml and setup.py
Maintain version synchronization across src/init.py, pyproject.toml, and setup.py

Files:

• src/__init__.py
• setup.py
• pyproject.toml

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks

src/**/*.py: Meaningful Naming — identifiers reveal intent; avoid abbreviations. Identifiers in src/ must use snake_case (modules/functions), PascalCase (classes), UPPER_SNAKE_CASE (constants). Avoid single-letter names outside short loop variables.
KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomati...

Files:

• src/__init__.py
• src/specfact_cli/__init__.py
• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• src/__init__.py
• src/specfact_cli/__init__.py
• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

{pyproject.toml,setup.py,src/__init__.py}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Manually update version numbers in pyproject.toml, setup.py, and src/init.py when making a formal version change

Files:

• src/__init__.py
• setup.py
• pyproject.toml

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• src/__init__.py
• src/specfact_cli/__init__.py
• tests/unit/utils/test_contract_predicates.py
• setup.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/contract_predicates.py
• scripts/verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

src/specfact_cli/**/*.py

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/__init__.py
• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_ide_setup.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• README.md
• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• CHANGELOG.md

@(README.md|AGENTS.md)

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Check README.md and AGENTS.md for current project status and development guidelines. Review .cursor/rules/ for detailed development standards and testing procedures.

Files:

• README.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• README.md
• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• CHANGELOG.md

docs/**/*.md

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Files:

• docs/getting-started/installation.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/getting-started/installation.md

openspec/changes/**/*.md

📄 CodeRabbit inference engine (.cursorrules)

For /opsx:archive (Archive change): Include module signing and cleanup in final tasks. Agents MUST run openspec archive <change-id> from repo root (no manual mv under openspec/changes/archive/)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/{proposal.md,tasks.md,design.md,spec.md}

📄 CodeRabbit inference engine (.cursor/rules/automatic-openspec-workflow.mdc)

openspec/**/{proposal.md,tasks.md,design.md,spec.md}: Apply openspec/config.yaml project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase
After implementation, validate the change with openspec validate <change-id> --strict; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

scripts/**/*.py

⚙️ CodeRabbit configuration file

scripts/**/*.py: Deterministic tooling: subprocess safety, Hatch integration, and parity with documented
quality gates (format, type-check, module signing).

Files:

• scripts/verify_safe_project_writes.py

pyproject.toml

📄 CodeRabbit inference engine (.cursorrules)

When updating the version in pyproject.toml, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Files:

• pyproject.toml

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

🧠 Learnings (46)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to {src/__init__.py,pyproject.toml,setup.py} : Update src/__init__.py first as primary source of truth for package version, then pyproject.toml and setup.py

Applied to files:

• src/__init__.py
• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to {pyproject.toml,setup.py,src/__init__.py} : Manually update version numbers in pyproject.toml, setup.py, and src/__init__.py when making a formal version change

Applied to files:

• src/__init__.py
• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(pyproject.toml|setup.py|src/__init__.py|src/specfact_cli/__init__.py) : Maintain synchronized versions across pyproject.toml, setup.py, src/__init__.py, and src/specfact_cli/__init__.py.

Applied to files:

• src/__init__.py
• src/specfact_cli/__init__.py
• setup.py
• pyproject.toml
• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to {src/__init__.py,pyproject.toml,setup.py} : Maintain version synchronization across src/__init__.py, pyproject.toml, and setup.py

Applied to files:

• src/__init__.py
• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• docs/_support/readme-first-contact/sample-output/review-output.txt
• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• README.md
• docs/getting-started/installation.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Fix SpecFact code review findings, including warnings, unless a rare explicit exception is documented

Applied to files:

• docs/_support/readme-first-contact/sample-output/review-output.txt
• docs/_support/readme-first-contact/sample-output/capture-metadata.txt

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• docs/_support/readme-first-contact/capture-readme-output.sh
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: After merges shipping OpenSpec- or GitHub-related work with a sibling `specfact-cli-internal` checkout present, run wiki scripts from that sibling repo's working directory (e.g., `cd ../specfact-cli-internal && python3 scripts/wiki_openspec_gh_status.py`), not from `specfact-cli` or other directories

Applied to files:

• docs/_support/readme-first-contact/capture-readme-output.sh
• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• README.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: Detect repository root, branch, and worktree state before implementation

Applied to files:

• docs/_support/readme-first-contact/capture-readme-output.sh

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Detect repository root, active branch, and worktree state during bootstrap

Applied to files:

• docs/_support/readme-first-contact/capture-readme-output.sh

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• scripts/verify_safe_project_writes.py
• CHANGELOG.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• README.md
• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: If `openspec` command is not found or if specfact-cli workspace or openspec/ directory is not accessible, do not modify application code unless the user explicitly confirms to proceed without OpenSpec

Applied to files:

• docs/_support/readme-first-contact/sample-output/capture-metadata.txt
• docs/getting-started/installation.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

Applied to files:

• README.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : All code changes must be followed by running the full test suite using the smart test system.

Applied to files:

• tests/unit/scripts/test_verify_safe_project_writes.py
• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• tests/unit/scripts/test_verify_safe_project_writes.py
• pyproject.toml

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Perform `spec -> tests -> failing evidence -> code -> passing evidence` in that order for behavior changes

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:31:55.908Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/estimation-bias-prevention.mdc:0-0
Timestamp: 2026-03-25T21:31:55.908Z
Learning: Use TDD with quality gates (contract-driven, test-driven implementation, quality gate validation, documentation) as the standard development pattern

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : After implementation, validate the change with `openspec validate <change-id> --strict`; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• pyproject.toml

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-31T22:38:25.299Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-31T22:38:25.299Z
Learning: Applies to src/**/*.py : Use `icontract` (`require`/`ensure`) and `beartype` on all public APIs in `src/`

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to src/**/*.py : Add/update contracts on new or modified public APIs, stateful classes and adapters using `icontract` decorators and `beartype` runtime type checks

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : All public APIs must have `icontract` decorators and `beartype` type checking

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Applies to **/*.py : Public APIs require icontract and beartype decorators

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: When implementation is complete and merged, run `openspec archive <change-id>` from the repository root to merge delta specs into openspec/specs/ and move the change under openspec/changes/archive/; do not manually move folders or use --skip-specs or --no-validate without explicit user confirmation

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to pyproject.toml : When updating the version in `pyproject.toml`, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Use Python 3.12 as the target Python version

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run linting with ruff and pylint on all Python files

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run type checking with basedpyright on all Python files

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(src|tests)/**/*.py : Linting must pass with no errors using: pylint src tests

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Type checking must pass with no errors using: mypy .

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

🪛 GitHub Check: Type Checking (basedpyright)

src/specfact_cli/utils/project_artifact_write.py

[warning] 186-186:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 186-186:
Type of "exists" is unknown (reportUnknownMemberType)

---

[warning] 169-169:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 145-145:
Type of "get" is partially unknown
  Type of "get" is "Overload[(key: Unknown, default: None = None, /) -> (Unknown | None), (key: Unknown, default: Unknown, /) -> Unknown, (key: Unknown, default: _T@get, /) -> (Unknown | _T@get)]" (reportUnknownMemberType)

🔇 Additional comments (22)

openspec/changes/profile-04-safe-project-artifact-writes/tasks.md (1)

16-20: Safe-write rollout tasks and quality gates are well-scoped and traceable.

The implementation/verification breakdown is clear and maps cleanly to the safe artifact-write policy and CI guard outcomes.

Also applies to: 23-27

src/__init__.py (1)

6-6: Version bump in package root is correct.

__version__ update is appropriate for the patch release flow.

docs/_support/readme-first-contact/sample-output/review-output.txt (1)

12-12: Sample output version stamp is correctly updated.

This keeps captured evidence aligned with the release version.

README.md (1)

30-30: README release references are consistent.

Both the sample banner and hook revision now correctly reflect v0.45.2.

Also applies to: 87-87

src/specfact_cli/__init__.py (1)

48-48: Exported package version update looks good.

specfact_cli.__version__ now matches the patch release target.

setup.py (1)

10-10: Distribution metadata version bump is correct.

setup.py is aligned with the patch version increment.

docs/_support/readme-first-contact/sample-output/capture-metadata.txt (1)

3-3: Capture metadata version updates are consistent and correct.

The pinned uvx --from "specfact-cli==0.45.2" commands align with the release artifacts.

Also applies to: 12-13

docs/_support/readme-first-contact/capture-readme-output.sh (1)

8-8: Default capture CLI version update is correct.

The capture script now targets the intended 0.45.2 release by default.

tests/unit/utils/test_ide_setup.py (1)

24-24: Import move is correct and keeps coverage aligned with the refactor.

This update keeps the existing path-filter tests pointed at the new owning module.

tests/unit/scripts/test_verify_safe_project_writes.py (1)

10-19: Good regression gate test for the safe-write verifier.

This provides a straightforward CI guard that the safety script remains executable and passing in-repo.

pyproject.toml (2)

210-210: Nice lint-gate integration for safe project writes.

Adding scripts/verify_safe_project_writes.py to hatch run lint is a strong regression barrier for VS Code settings safety.

---

7-7: Version synchronization is correct across all package sources.

The version bump to 0.45.2 is properly synchronized: pyproject.toml, src/init.py, src/specfact_cli/init.py, and setup.py all match.

tests/unit/utils/test_contract_predicates.py (1)

36-43: ⚠️ Potential issue | 🟡 Minor

Add rejection-path cases for the new safety predicates.

Line 36 and Line 41 currently cover only happy/basic paths. Please add explicit rejection scenarios (for example absolute/parent-traversal path inputs for settings_relative_nonblank, and at least one non-string element case for prompt_files_all_strings) so the contract intent is regression-safe.

As per coding guidelines: tests/**/*.py: Contract-first testing should cover meaningful scenarios, not just redundant/basic assertions.

⛔ Skipped due to learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to tests/**/*.py : Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*e2e*.py : Keep scenario/E2E tests for behavioral coverage, performance and resilience validation

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.

CHANGELOG.md (1)

13-25: Looks good: release entry is clear, scoped, and correctly positioned.

This 0.45.2 changelog block is top-placed, readable, and captures the safe-write policy, lint gate, and Semgrep/setuptools compatibility fix in a way that supports release traceability.

openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md (1)

1-55: Well-structured TDD evidence document aligning with OpenSpec workflow.

The evidence captures the failing-first → passing-after TDD cycle correctly, includes proper worktree path conventions, and documents the code review gate command matching the repository's quality gate pattern. The module signature verification step wisely notes that module-package.yaml remains unchanged since error UX is handled in ide_setup.

scripts/verify_safe_project_writes.py (1)

38-44: Contract precondition _repo_layout_ok() is minimal—consider strengthening.

The precondition only checks ROOT.is_dir(). For a regression gate, you might also want to verify that the src/specfact_cli directory structure exists to fail early with a clear contract violation rather than returning exit code 2.

That said, the current design separates "repo layout" (contract) from "target file existence" (runtime check with distinct exit code), which is a reasonable architectural choice for CI diagnostics.

tests/unit/utils/test_project_artifact_write.py (2)

59-79: Solid preservation test covering both top-level and nested chat keys.

This test correctly validates the core requirement from issue #487: unrelated user settings survive the merge. The test exercises both python.defaultInterpreterPath (top-level) and chat.otherSetting (nested within the managed key), confirming the merge implementation respects the trust boundary.

The assertion on line 79 verifies the prompt path transformation (.github/prompts/specfact.01-import.prompt.md), which aligns with the flat export layout.

---

82-99: Force-replace test validates backup/recovery contract.

The test correctly verifies that force=True creates a recovery directory and timestamped backup before replacing malformed JSON. The glob pattern settings.json.*.bak matches the backup_file_to_recovery implementation.

One architectural note: the test doesn't verify backup file contents, but since test_backup_file_to_recovery_writes_under_specfact (lines 32-38) already validates content preservation, this is appropriate separation of concerns.

src/specfact_cli/utils/ide_setup.py (1)

880-932: Well-designed contract-first public API with clear parameter semantics.

The create_vscode_settings function demonstrates good architectural principles:

1. Contract decorators (@beartype, @require, @ensure) enforce input/output invariants at the API boundary
2. Clear parameter semantics: force maps directly to explicit_replace_unparseable, making the intent transparent
3. Delegation to shared helper: JSON I/O is routed through merge_vscode_settings_prompt_recommendations, satisfying the regression gate
4. Docstring update (lines 899-900) documents the new force behavior for downstream consumers

The strip_specfact_github_from_existing=prompts_by_source is not None logic elegantly handles the selective export case where stale SpecFact recommendations should be pruned.

src/specfact_cli/utils/project_artifact_write.py (3)

165-178: Contract-protected backup function with clear recovery semantics.

The backup_file_to_recovery function demonstrates excellent contract-first design:

1. Preconditions validate repo exists, is a directory, and source file exists
2. Postcondition guarantees the returned path is a file (backup succeeded)
3. Safe filename sanitization via regex prevents path traversal or special character issues
4. shutil.copy2 preserves metadata, which is useful for forensic recovery

The .specfact/recovery/ location keeps backups organized within the project's tooling directory rather than polluting the workspace root.

---

181-227: Architecturally sound merge entry point with layered validation.

The merge_vscode_settings_prompt_recommendations function implements a clean layered architecture:

1. Path resolution (lines 202-203): Normalizes and ensures parent directory
2. Create-if-missing (lines 205-207): Fast path for new repos
3. Load + validate (lines 209-216): First validation layer via _load_root_dict_from_settings_text
4. Merge + validate (lines 217-225): Second validation layer via _merge_chat_and_recommendations
5. Atomic write (line 226): Final state persisted

The contract predicates (settings_relative_nonblank, prompt_files_all_strings) from contract_predicates.py enforce API boundaries at runtime, while the postcondition guarantees callers always receive an existing file path.

This design satisfies the OpenSpec profile requirement for safe artifact writes with declared ownership semantics.

---

90-119: Validation layer handles JSON parse errors with actionable guidance.

The error message at lines 102-105 includes:

• The specific file path
• JSON error details (message, line, column)
• Clear remediation: "Fix the file or re-run with --force"

This aligns with the PR objective of making malformed JSON cause a "safe failure" rather than silent data loss. The backup-before-replace pattern (lines 106-108) ensures recoverability when --force is used.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/specfact_cli/utils/ide_setup.py (1)

909-924: ⚠️ Potential issue | 🟠 Major

Don't repopulate recommendations on an empty selective export.

When prompts_by_source is an empty dict, this branch falls back to the full discovered catalog instead of preserving the empty selection. That means a selective init ide --prompts ... run that exports zero prompts will re-add every SpecFact recommendation rather than clearing stale managed entries. The selective path should pass through the exact exported set, even when it is empty.

♻️ Minimal fix

-    if prompts_by_source is not None:
-        prompt_files = _finalize_vscode_prompt_recommendation_paths(
-            repo_path, _vscode_prompt_recommendation_paths_from_sources(prompts_by_source)
-        )
+    if prompts_by_source is not None:
+        prompt_files = _vscode_prompt_recommendation_paths_from_sources(prompts_by_source)
     else:
         prompt_files = _finalize_vscode_prompt_recommendation_paths(
             repo_path, _vscode_prompt_paths_from_full_catalog(repo_path)
         )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/specfact_cli/utils/ide_setup.py` around lines 909 - 924, The current
branch treats a non-None prompts_by_source incorrectly when it is an empty dict
and ends up repopulating recommendations from the full catalog; change the logic
so an explicit empty export is preserved by passing the exact exported set (e.g.
an empty list) into _finalize_vscode_prompt_recommendation_paths instead of
falling back to _vscode_prompt_paths_from_full_catalog. Concretely, update the
if branch around prompts_by_source to detect empty mappings and call
_finalize_vscode_prompt_recommendation_paths(repo_path,
_vscode_prompt_recommendation_paths_from_sources(prompts_by_source) or [] ) (or
otherwise pass [] when prompts_by_source is empty) so
merge_vscode_settings_prompt_recommendations receives the true exported set
(honoring strip_specfact_github_from_existing and
explicit_replace_unparseable/force).

♻️ Duplicate comments (1)

scripts/verify_safe_project_writes.py (1)

24-54: ⚠️ Potential issue | 🟠 Major

import json as <alias> still bypasses offender detection.

Line 47-53 only flags attribute calls when the base name is exactly json.
import json as js + js.loads(...) will evade this gate.

Suggested fix

 _JSON_IO_NAMES = frozenset({"load", "dump", "loads", "dumps"})
 
+def _json_module_aliases(tree: ast.AST) -> set[str]:
+    aliases: set[str] = {"json"}
+    for node in ast.walk(tree):
+        if isinstance(node, ast.Import):
+            for alias in node.names:
+                if alias.name == "json":
+                    aliases.add(alias.asname or "json")
+    return aliases
+
 def _collect_json_io_offenders(tree: ast.AST) -> list[tuple[int, str]]:
     import_aliases = _json_import_aliases(tree)
+    module_aliases = _json_module_aliases(tree)
     offenders: list[tuple[int, str]] = []
     for node in ast.walk(tree):
         if not isinstance(node, ast.Call):
             continue
         func = node.func
@@
         if (
             isinstance(func, ast.Attribute)
             and isinstance(func.value, ast.Name)
-            and func.value.id == "json"
+            and func.value.id in module_aliases
             and func.attr in _JSON_IO_NAMES
         ):
             offenders.append((node.lineno, f"json.{func.attr}"))

As per coding guidelines: the unsafe-write rejection gate must reliably reject direct unsafe JSON writes on protected paths.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/verify_safe_project_writes.py` around lines 24 - 54,
_json_import_aliases only records names from "from json import ..." but misses
module aliases from "import json as js", so _collect_json_io_offenders doesn't
catch calls like js.loads(...). Update _json_import_aliases to also scan
ast.Import nodes and map module aliases (e.g., map "js" -> "json"), then in
_collect_json_io_offenders check attribute bases against that map (e.g., if
isinstance(func.value, ast.Name) and import_aliases.get(func.value.id) == "json"
and func.attr in _JSON_IO_NAMES) so both "json.loads" and "js.loads" are
flagged; keep existing mapping for from-imports so Name-based calls still work.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openspec/changes/profile-04-safe-project-artifact-writes/tasks.md`:
- Around line 3-29: Several checklist lines in tasks.md exceed the 120-character
markdown limit (e.g., the "Create
`bugfix/profile-04-safe-project-artifact-writes`..." checklist line and long
items such as the CI/static guard/verification lines including "3.3 Implement
the CI/static guard..." and the long run-quality-gates line); wrap those long
markdown checklist lines to under 120 characters at logical breakpoints (between
clauses or before parentheticals) without splitting code spans or changing the
checklist semantics, preserving backticks around tokens like
`bugfix/profile-04-safe-project-artifact-writes`,
`scripts/verify_safe_project_writes.py`, and `hatch run ...` commands, then run
your markdown linter/formatter to confirm no lines exceed 120 chars and commit
the updated tasks.md.

In `@openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md`:
- Around line 18-59: Wrap any Markdown lines longer than 120 characters in
TDD_EVIDENCE.md: break the long command and narrative lines such as the
multi-command bash block starting with "hatch run pytest
tests/unit/utils/test_project_artifact_write.py \", the long "hatch run specfact
code review run --json --out .specfact/code-review.json \\" line, and the long
paragraph beginning "- **Pass (2026-04-12)**: after `hatch run specfact module
install nold-ai/specfact-codebase`..." into multiple shorter lines (soft-wrap
within paragraphs or use continued indented code lines for command blocks) so
every line is <=120 chars, preserving markdown structure and code block
formatting.

In `@src/specfact_cli/utils/project_artifact_write.py`:
- Around line 211-235: Resolve repo_root = repo_path.resolve() and then after
computing settings_path = (repo_path / settings_relative).resolve(), validate
containment by ensuring settings_path is under repo_root (use
pathlib.Path.relative_to(repo_root) and catch ValueError or equivalent) before
performing any filesystem mutations (parent.mkdir, read_text, backup, or
write_text). If the check fails, abort early (raise/return) instead of creating
directories or touching files outside the repo; keep existing calls to
_write_new_vscode_settings_file, _load_root_dict_from_settings_text, and
_merge_chat_and_recommendations but only invoke them after the containment check
passes.
- Around line 95-124: The settings handling currently uses json.loads/json.dumps
in _load_root_dict_from_settings_text (and its write path) which will reject or
strip JSONC comments/trailing-commas used by VS Code; switch to a JSONC-aware
parser/serializer (e.g., comment-preserving loader) for both parsing and
round-trip dumping to preserve user comments and formatting. Also harden the
path validation around settings_relative_nonblank by, after resolving the
candidate path (settings_path = (repo_path / settings_relative).resolve()),
asserting settings_path.is_relative_to(repo_path.resolve()) (or equivalent
containment check) so symlinks cannot escape the repo boundary before any
write/backup operations. Ensure both fixes reference the json.loads/json.dumps
sites and the settings_relative_nonblank/resolve usage so the parser change and
the containment check are applied where settings are read, backed up, and
written.

In `@tests/unit/scripts/test_verify_safe_project_writes.py`:
- Around line 30-46: Add a new unit test to
tests/unit/scripts/test_verify_safe_project_writes.py that mirrors
test_collect_json_io_flags_aliased_json_import but covers the "import json as
js" form: load the module via _load_verify_module(), parse a snippet like
'import json as js\nx = None\njs.dump(x, open("f","w"))', call
mod._collect_json_io_offenders(tree) and assert that one of the offender names
equals "json.dump"; this ensures the _collect_json_io_offenders logic recognizes
attribute calls through module aliasing (reference _collect_json_io_offenders
and _load_verify_module to locate the implementation).

In `@tests/unit/utils/test_contract_predicates.py`:
- Around line 43-45: Add a negative test case to
tests/unit/utils/test_contract_predicates.py to assert
cp.prompt_files_all_strings returns False for mixed-type input; specifically, in
the test_prompt_files_all_strings function add an assertion using a list
containing at least one non-string (e.g., ["a", 1] or ["a", None]) and assert
cp.prompt_files_all_strings(<mixed_list>) is False to catch regressions in type
filtering for the prompt_files_all_strings function.

---

Outside diff comments:
In `@src/specfact_cli/utils/ide_setup.py`:
- Around line 909-924: The current branch treats a non-None prompts_by_source
incorrectly when it is an empty dict and ends up repopulating recommendations
from the full catalog; change the logic so an explicit empty export is preserved
by passing the exact exported set (e.g. an empty list) into
_finalize_vscode_prompt_recommendation_paths instead of falling back to
_vscode_prompt_paths_from_full_catalog. Concretely, update the if branch around
prompts_by_source to detect empty mappings and call
_finalize_vscode_prompt_recommendation_paths(repo_path,
_vscode_prompt_recommendation_paths_from_sources(prompts_by_source) or [] ) (or
otherwise pass [] when prompts_by_source is empty) so
merge_vscode_settings_prompt_recommendations receives the true exported set
(honoring strip_specfact_github_from_existing and
explicit_replace_unparseable/force).

---

Duplicate comments:
In `@scripts/verify_safe_project_writes.py`:
- Around line 24-54: _json_import_aliases only records names from "from json
import ..." but misses module aliases from "import json as js", so
_collect_json_io_offenders doesn't catch calls like js.loads(...). Update
_json_import_aliases to also scan ast.Import nodes and map module aliases (e.g.,
map "js" -> "json"), then in _collect_json_io_offenders check attribute bases
against that map (e.g., if isinstance(func.value, ast.Name) and
import_aliases.get(func.value.id) == "json" and func.attr in _JSON_IO_NAMES) so
both "json.loads" and "js.loads" are flagged; keep existing mapping for
from-imports so Name-based calls still work.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 79f4fce9-05bd-4732-9790-5cb67f99fc8f

📥 Commits

Reviewing files that changed from the base of the PR and between 3a76aac and 75cf864.

📒 Files selected for processing (11)

• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• scripts/verify_safe_project_writes.py
• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (14)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

docs/**/*.md

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Files:

• docs/getting-started/installation.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/getting-started/installation.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• src/specfact_cli/utils/contract_predicates.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• scripts/verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/project_artifact_write.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• src/specfact_cli/utils/contract_predicates.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/project_artifact_write.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/modules/init/test_init_ide_prompt_selection.py
• src/specfact_cli/utils/contract_predicates.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• scripts/verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/project_artifact_write.py

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks

src/**/*.py: Meaningful Naming — identifiers reveal intent; avoid abbreviations. Identifiers in src/ must use snake_case (modules/functions), PascalCase (classes), UPPER_SNAKE_CASE (constants). Avoid single-letter names outside short loop variables.
KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomati...

Files:

• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

src/specfact_cli/**/*.py

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

openspec/changes/**/*.md

📄 CodeRabbit inference engine (.cursorrules)

For /opsx:archive (Archive change): Include module signing and cleanup in final tasks. Agents MUST run openspec archive <change-id> from repo root (no manual mv under openspec/changes/archive/)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

scripts/**/*.py

⚙️ CodeRabbit configuration file

scripts/**/*.py: Deterministic tooling: subprocess safety, Hatch integration, and parity with documented
quality gates (format, type-check, module signing).

Files:

• scripts/verify_safe_project_writes.py

openspec/**/{proposal.md,tasks.md,design.md,spec.md}

📄 CodeRabbit inference engine (.cursor/rules/automatic-openspec-workflow.mdc)

openspec/**/{proposal.md,tasks.md,design.md,spec.md}: Apply openspec/config.yaml project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase
After implementation, validate the change with openspec validate <change-id> --strict; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

🧠 Learnings (28)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• docs/getting-started/installation.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• docs/getting-started/installation.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• docs/getting-started/installation.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: If `openspec` command is not found or if specfact-cli workspace or openspec/ directory is not accessible, do not modify application code unless the user explicitly confirms to proceed without OpenSpec

Applied to files:

• docs/getting-started/installation.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-31T22:38:25.299Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-31T22:38:25.299Z
Learning: Applies to src/**/*.py : Use `icontract` (`require`/`ensure`) and `beartype` on all public APIs in `src/`

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to src/**/*.py : Add/update contracts on new or modified public APIs, stateful classes and adapters using `icontract` decorators and `beartype` runtime type checks

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : All public APIs must have `icontract` decorators and `beartype` type checking

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Perform `spec -> tests -> failing evidence -> code -> passing evidence` in that order for behavior changes

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : After implementation, validate the change with `openspec validate <change-id> --strict`; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:31:55.908Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/estimation-bias-prevention.mdc:0-0
Timestamp: 2026-03-25T21:31:55.908Z
Learning: Use TDD with quality gates (contract-driven, test-driven implementation, quality gate validation, documentation) as the standard development pattern

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• src/specfact_cli/utils/ide_setup.py
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/project_artifact_write.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Run the required verification and quality gates for the touched scope before finalization

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: When implementation is complete and merged, run `openspec archive <change-id>` from the repository root to merge delta specs into openspec/specs/ and move the change under openspec/changes/archive/; do not manually move folders or use --skip-specs or --no-validate without explicit user confirmation

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

🪛 GitHub Check: Linting (ruff, pylint, safe-write guard)

src/specfact_cli/utils/project_artifact_write.py

[warning] 195-195:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 195-195:
Type of "exists" is unknown (reportUnknownMemberType)

---

[warning] 174-174:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 150-150:
Type of "get" is partially unknown
  Type of "get" is "Overload[(key: Unknown, default: None = None, /) -> (Unknown | None), (key: Unknown, default: Unknown, /) -> Unknown, (key: Unknown, default: _T@get, /) -> (Unknown | _T@get)]" (reportUnknownMemberType)

🪛 GitHub Check: Type Checking (basedpyright)

src/specfact_cli/utils/project_artifact_write.py

[warning] 195-195:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 195-195:
Type of "exists" is unknown (reportUnknownMemberType)

---

[warning] 174-174:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 150-150:
Type of "get" is partially unknown
  Type of "get" is "Overload[(key: Unknown, default: None = None, /) -> (Unknown | None), (key: Unknown, default: Unknown, /) -> Unknown, (key: Unknown, default: _T@get, /) -> (Unknown | _T@get)]" (reportUnknownMemberType)

🔇 Additional comments (3)

docs/getting-started/installation.md (1)

78-81: Safety contract wording is accurate and release-ready.

Lines 78-81 correctly describe merge behavior, fail-safe handling for malformed JSON/chat, and --force replacement only after backup under .specfact/recovery/.

As per coding guidelines: “Document the user-facing safety contract for specfact init ide on VS Code…stop without rewriting…--force…after a timestamped backup under .specfact/recovery/.”

tests/unit/modules/init/test_init_ide_prompt_selection.py (1)

155-176: Excellent regression coverage for non-destructive failure path.

Line 175 now verifies malformed .vscode/settings.json remains untouched when merge fails, which is the core safety contract.

src/specfact_cli/utils/contract_predicates.py (1)

55-73: Path and prompt predicates are tightened correctly.

Line 55-66 now blocks absolute/traversal paths, and Line 68-73 enforces string-only prompt entries with runtime contracts in place.

Based on learnings: public APIs in src/** should use @icontract and @beartype.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md (1)

36-38: 🧹 Nitpick | 🔵 Trivial

Minor: Some lines still exceed 120 characters.

Several narrative lines remain over the markdown width limit (e.g., lines 36-38, 42-43, 52-53, 58-59). Consider soft-wrapping to keep lint clean.

As per coding guidelines: "Keep line length under 120 characters in markdown files."

Also applies to: 42-43, 52-53, 58-59

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md`
around lines 36 - 38, The markdown has several narrative lines exceeding the
120-character limit (notably the "**Module signatures**" bullet containing the
long command `hatch run ./scripts/verify-modules-signature.py
--require-signature`); soft-wrap those long sentences so no line exceeds 120
chars, breaking phrases at natural word boundaries and keeping inline
code/commands intact on their own or wrapped across lines if needed; update the
affected paragraphs (the module signatures bullet and the other long narrative
lines) to multiple shorter lines so the markdown linter passes while preserving
exact commands and meaning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openspec/changes/profile-04-safe-project-artifact-writes/tasks.md`:
- Around line 3-4: Update the worktree bootstrap checklist in tasks.md to add
explicit pre-flight status checks: after the step that bootstraps Hatch in the
worktree (the `hatch env create` bootstrap step referenced in the checklist),
insert two commands to run pre-flight checks — `hatch run smart-test-status` and
`hatch run contract-test-status` — so the execution plan enforces these status
checks immediately following the Hatch environment creation.
- Around line 43-45: The quality-gate checklist in tasks.md is missing the
required full coverage test command; update the checklist near the "Run quality
gates" items (the list including `hatch run format`, `hatch run type-check`,
`hatch run lint`, `hatch run yaml-lint`, `hatch run contract-test`, and `hatch
run smart-test`) to include `hatch test --cover -v` as one of the steps so the
documented verification sequence matches the coding guideline requiring the full
test suite with coverage.

In `@src/specfact_cli/utils/project_artifact_write.py`:
- Line 196: The postcondition lambda used with the ensure decorator currently
lacks an explicit type for its parameter (lambda result: result.exists() and
result.is_file()), which triggers pyright's reportUnknownMemberType; fix by
narrowing the type or suppressing the warning—for example change the lambda to
perform an isinstance check like: lambda result: isinstance(result,
pathlib.Path) and result.exists() and result.is_file(), or add a pyright
suppression comment (e.g. # pyright: ignore[reportUnknownMemberType]) on the
decorator line; ensure you import pathlib if using isinstance and keep the
ensure decorator and the is_file/exists checks intact.

---

Duplicate comments:
In `@openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md`:
- Around line 36-38: The markdown has several narrative lines exceeding the
120-character limit (notably the "**Module signatures**" bullet containing the
long command `hatch run ./scripts/verify-modules-signature.py
--require-signature`); soft-wrap those long sentences so no line exceeds 120
chars, breaking phrases at natural word boundaries and keeping inline
code/commands intact on their own or wrapped across lines if needed; update the
affected paragraphs (the module signatures bullet and the other long narrative
lines) to multiple shorter lines so the markdown linter passes while preserving
exact commands and meaning.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 505eef03-162b-4c94-8eb6-a7cf844856e9

📥 Commits

Reviewing files that changed from the base of the PR and between 75cf864 and 13d12d6.

📒 Files selected for processing (12)

• CHANGELOG.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• pyproject.toml
• scripts/verify_safe_project_writes.py
• setup.py
• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Type Checking (basedpyright)
• GitHub Check: Tests (Python 3.12)
• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Linting (ruff, pylint, safe-write guard)
• GitHub Check: Contract-First CI

🧰 Additional context used

📓 Path-based instructions (17)

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/utils/test_contract_predicates.py
• setup.py
• src/specfact_cli/utils/contract_predicates.py
• scripts/verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/utils/test_contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/utils/test_contract_predicates.py
• src/specfact_cli/utils/contract_predicates.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/utils/test_contract_predicates.py
• setup.py
• src/specfact_cli/utils/contract_predicates.py
• scripts/verify_safe_project_writes.py
• tests/unit/utils/test_project_artifact_write.py
• tests/unit/scripts/test_verify_safe_project_writes.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

{src/__init__.py,pyproject.toml,setup.py}

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

{src/__init__.py,pyproject.toml,setup.py}: Update src/init.py first as primary source of truth for package version, then pyproject.toml and setup.py
Maintain version synchronization across src/init.py, pyproject.toml, and setup.py

Files:

• setup.py
• pyproject.toml

{pyproject.toml,setup.py,src/__init__.py}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Manually update version numbers in pyproject.toml, setup.py, and src/init.py when making a formal version change

Files:

• setup.py
• pyproject.toml

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks

src/**/*.py: Meaningful Naming — identifiers reveal intent; avoid abbreviations. Identifiers in src/ must use snake_case (modules/functions), PascalCase (classes), UPPER_SNAKE_CASE (constants). Avoid single-letter names outside short loop variables.
KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomati...

Files:

• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

src/specfact_cli/**/*.py

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/utils/contract_predicates.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

scripts/**/*.py

⚙️ CodeRabbit configuration file

scripts/**/*.py: Deterministic tooling: subprocess safety, Hatch integration, and parity with documented
quality gates (format, type-check, module signing).

Files:

• scripts/verify_safe_project_writes.py

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• CHANGELOG.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• CHANGELOG.md

openspec/changes/**/*.md

📄 CodeRabbit inference engine (.cursorrules)

For /opsx:archive (Archive change): Include module signing and cleanup in final tasks. Agents MUST run openspec archive <change-id> from repo root (no manual mv under openspec/changes/archive/)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/{proposal.md,tasks.md,design.md,spec.md}

📄 CodeRabbit inference engine (.cursor/rules/automatic-openspec-workflow.mdc)

openspec/**/{proposal.md,tasks.md,design.md,spec.md}: Apply openspec/config.yaml project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase
After implementation, validate the change with openspec validate <change-id> --strict; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

pyproject.toml

📄 CodeRabbit inference engine (.cursorrules)

When updating the version in pyproject.toml, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Files:

• pyproject.toml

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

🧠 Learnings (48)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• tests/unit/utils/test_contract_predicates.py

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(pyproject.toml|setup.py|src/__init__.py|src/specfact_cli/__init__.py) : Maintain synchronized versions across pyproject.toml, setup.py, src/__init__.py, and src/specfact_cli/__init__.py.

Applied to files:

• setup.py
• pyproject.toml
• CHANGELOG.md

📚 Learning: 2026-03-31T22:38:25.299Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-31T22:38:25.299Z
Learning: Applies to src/**/*.py : Use `icontract` (`require`/`ensure`) and `beartype` on all public APIs in `src/`

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to src/**/*.py : Add/update contracts on new or modified public APIs, stateful classes and adapters using `icontract` decorators and `beartype` runtime type checks

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : All public APIs must have `icontract` decorators and `beartype` type checking

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Applies to **/*.py : Public APIs require icontract and beartype decorators

Applied to files:

• src/specfact_cli/utils/contract_predicates.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Perform `spec -> tests -> failing evidence -> code -> passing evidence` in that order for behavior changes

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : After implementation, validate the change with `openspec validate <change-id> --strict`; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:31:55.908Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/estimation-bias-prevention.mdc:0-0
Timestamp: 2026-03-25T21:31:55.908Z
Learning: Use TDD with quality gates (contract-driven, test-driven implementation, quality gate validation, documentation) as the standard development pattern

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: When implementation is complete and merged, run `openspec archive <change-id>` from the repository root to merge delta specs into openspec/specs/ and move the change under openspec/changes/archive/; do not manually move folders or use --skip-specs or --no-validate without explicit user confirmation

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• tests/unit/utils/test_project_artifact_write.py
• src/specfact_cli/utils/ide_setup.py
• src/specfact_cli/utils/project_artifact_write.py

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Enforce maximum line length of 120 characters in Python code

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .yamllint : Ensure .yamllint configuration enforces line-length of 140 characters, ignores workflows, and enforces trailing spaces and final newline

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• pyproject.toml

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Run the required verification and quality gates for the touched scope before finalization

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-31T22:38:25.299Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-31T22:38:25.299Z
Learning: Applies to src/**/*.py : KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomatic complexity: 12 (radon `cc` threshold).

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lists should be surrounded by blank lines (MD032: Lists)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to **/*.yaml : YAML files must pass linting using: hatch run yaml-lint with relaxed policy.

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to **/*.{yml,yaml} : Validate YAML configuration files locally using `hatch run yaml-lint` before committing

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Use Python 3.12 as the target Python version

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run linting with ruff and pylint on all Python files

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(src|tests)/**/*.py : Linting must pass with no errors using: pylint src tests

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run type checking with basedpyright on all Python files

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Type checking must pass with no errors using: mypy .

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : All code changes must be followed by running the full test suite using the smart test system.

Applied to files:

• pyproject.toml

🪛 GitHub Check: Type Checking (basedpyright)

src/specfact_cli/utils/project_artifact_write.py

[warning] 196-196:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 196-196:
Type of "exists" is unknown (reportUnknownMemberType)

---

[warning] 175-175:
Type of "is_file" is unknown (reportUnknownMemberType)

---

[warning] 151-151:
Type of "get" is partially unknown
  Type of "get" is "Overload[(key: Unknown, default: None = None, /) -> (Unknown | None), (key: Unknown, default: Unknown, /) -> Unknown, (key: Unknown, default: _T@get, /) -> (Unknown | _T@get)]" (reportUnknownMemberType)

🔇 Additional comments (26)

setup.py (1)

10-10: Version/dependency packaging updates look consistent and release-safe.

The 0.45.2 bump and json5>=0.9.28 addition align with the safe settings merge runtime path.

Also applies to: 34-34

tests/unit/utils/test_contract_predicates.py (1)

36-40: Predicate regression coverage is solid and focused.

These assertions capture both valid/invalid path constraints and mixed-type prompt file inputs without redundant noise.

Also applies to: 43-47

openspec/changes/profile-04-safe-project-artifact-writes/tasks.md (1)

53-55: Strict OpenSpec validation gate is correctly captured.

Good addition of the explicit openspec validate profile-04-safe-project-artifact-writes --strict sign-off step with evidence expectations.

src/specfact_cli/utils/contract_predicates.py (1)

56-67: New predicates are correctly constrained for safe-write contracts.

Both additions are single-purpose, typed, and decorated with @icontract/@beartype, and they directly reinforce repository-bound path and prompt-file input safety.

Also applies to: 69-73

scripts/verify_safe_project_writes.py (2)

24-58: AST detection logic is appropriately targeted for the regression boundary.

Catching both json.<fn> and from json import <fn> usage patterns strengthens the lint gate against bypasses.

---

61-78: Main gate behavior is CI-friendly and operationally clear.

Exit-code contract (0/1/2) and stderr diagnostics are clean for deterministic lint orchestration.

CHANGELOG.md (1)

13-30: Release notes are well-structured and policy-compliant.

This entry is clear, scoped to the safe artifact-write initiative, and correctly placed at the top with a proper Fixed breakdown.

pyproject.toml (1)

7-7: LGTM! Well-coordinated dependency and tooling updates.

The changes establish a solid foundation for the safe-write policy:

1. Version bump (0.45.2) — ensure src/__init__.py and src/specfact_cli/__init__.py stay synchronized per project conventions.
2. json5 dependency — appropriate choice for JSONC-compatible parsing; VS Code's settings.json commonly includes comments and trailing commas.
3. setuptools pin (<82) — pragmatic fix for the Semgrep/pkg_resources compatibility chain.
4. lint gate extension — verify_safe_project_writes.py now runs as part of hatch run lint, enforcing the safe-write contract at CI time.

Based on learnings: "Maintain synchronized versions across pyproject.toml, setup.py, src/init.py, and src/specfact_cli/init.py."

Also applies to: 87-88, 109-109, 177-178, 212-212

openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md (1)

1-64: Well-documented TDD evidence trail.

The artifact correctly captures the failing-first/passing-after cycle, quality gates (format, type-check, lint, contract-test, smart-test), module signature verification, code review gate, and OpenSpec strict validation — aligning with the project's contract-first development workflow and OpenSpec traceability requirements.

tests/unit/scripts/test_verify_safe_project_writes.py (3)

37-41: Good: Module-alias test case added.

This test (test_collect_json_io_flags_import_json_as_module_alias) covers the import json as js form, addressing the previously flagged gap in alias detection coverage. The test validates that attribute-style calls through module aliases are properly detected by _collect_json_io_offenders.

---

12-19: LGTM with minor note on path brittleness.

The parents[3] calculation works for the current test location (tests/unit/scripts/). If the test file moves, this will break silently. Consider extracting a shared test utility or adding a guard assertion on the script path existence.

---

44-53: Solid end-to-end verification.

The subprocess execution test ensures the gate script passes against the actual repository state — a good regression lock that the ide_setup.py module routes settings I/O through the sanctioned project_artifact_write helper.

tests/unit/utils/test_project_artifact_write.py (5)

21-46: Excellent symlink escape test.

This test validates the path containment check by creating a symlink that escapes tmp_path. The try/finally cleanup pattern and platform-aware skip logic (symlink_to availability, OSError on unsupported platforms) make this robust across environments. The assertion on "outside the repository" matches the error message in merge_vscode_settings_prompt_recommendations.

---

49-71: JSONC handling validated.

This test confirms that VS Code settings with // comments are correctly parsed via JSON5 and that unrelated keys (python.defaultInterpreterPath) survive the merge while chat.promptFilesRecommendations is updated.

---

124-139: Malformed JSON fail-safe behavior confirmed.

Validates the contract: without force=True, malformed JSON raises StructuredJsonDocumentError and the original file content is preserved unchanged. This is the core "fail-safe" guarantee from the PR objectives.

---

165-182: Force-replace with backup validated.

Confirms that force=True creates a timestamped backup under .specfact/recovery/ before replacing unparseable settings with safe defaults containing the expected prompt recommendations.

---

201-219: Good: Force coercion test for non-object chat added.

This test addresses the past review suggestion — it validates that when chat is a string (invalid type) and force=True, the file is backed up and chat is coerced to a proper dict with the expected promptFilesRecommendations.

src/specfact_cli/utils/ide_setup.py (3)

476-482: Good DRY extraction.

The _handle_structured_json_document_error helper consolidates the duplicate error handling pattern from both _copy_template_files_to_ide and copy_prompts_by_source_to_ide, addressing the past review feedback. The NoReturn return type annotation correctly signals this function never returns normally.

---

812-829: allow_empty_fallback enables explicit empty exports.

This parameter allows create_vscode_settings to distinguish between "no prompts discovered" (fallback to defaults) and "explicitly empty prompts_by_source" (strip existing SpecFact entries, add nothing new). This aligns with the selective --prompts export behavior described in the PR objectives.

---

889-944: Clean delegation to merge_vscode_settings_prompt_recommendations.

The refactored create_vscode_settings now delegates all JSON parsing, merging, and error recovery to the centralized helper in project_artifact_write.py. Key points:

• force maps to explicit_replace_unparseable (explicit consent for destructive replace)
• strip_specfact_github_from_existing is True when prompts_by_source is set (selective export mode)
• The StructuredJsonDocumentError propagates to callers, who handle it via _handle_structured_json_document_error

This architectural boundary ensures all IDE settings I/O flows through the policy-constrained helper, which the verify_safe_project_writes.py gate now enforces.

src/specfact_cli/utils/project_artifact_write.py (6)

31-36: Well-defined error hierarchy.

ProjectArtifactWriteError as the base and StructuredJsonDocumentError as a specialization provides a clean exception taxonomy. Callers can catch the specific error for JSON merge failures while still having a broader category for general artifact write failures.

---

39-50: ProjectWriteMode enum documented for future use.

The docstring now explicitly notes this is "reserved for future write-dispatch routing" — addressing the past review feedback about YAGNI concerns. Keeping the enum aligned with the OpenSpec narrative without immediate call-site wiring is a reasonable architectural placeholder.

---

171-188: Robust backup with collision handling.

The backup function now:

1. Uses microsecond-precision timestamps (%Y%m%dT%H%M%S.%fZ)
2. Includes a collision-avoidance loop that appends numeric suffixes

This addresses the past review concern about rapid successive backups within the same second.

---

215-222: Symlink escape prevention implemented.

The containment check (settings_path.relative_to(repo_root)) after resolution ensures symlinks cannot escape the repository boundary. This addresses the security concern from the past review about writing outside the trust boundary.

---

191-249: Solid contract-first public API.

merge_vscode_settings_prompt_recommendations demonstrates the project's contract-first philosophy:

• Preconditions: @require for repo existence, directory type, non-blank relative path, string list
• Postconditions: @ensure guarantees the returned path exists and is a file
• Runtime type checking: @beartype decorator
• JSON5 parsing: Handles JSONC (comments, trailing commas) common in VS Code configs
• Fail-safe behavior: Raises StructuredJsonDocumentError unless explicit_replace_unparseable=True
• Recovery path: Timestamped backups under .specfact/recovery/

The docstring correctly notes that serialized output is canonical JSON (comments are not preserved from input) — this is acceptable given the merge semantics.

---

52-59: Path normalization in _is_specfact_github_prompt_path is intentional and correct.

The function is designed to accept paths with leading dots (as stored in VS Code settings: .github/prompts/specfact.01-import.prompt.md) and normalize them for comparison. The lstrip("./") converts .github/prompts/ to github/prompts/ before validation—this is confirmed by comprehensive test coverage including both Unix and Windows path formats in test_is_specfact_github_prompt_path_only_specfact_named_prompts. The pattern is consistent with how the function integrates with _strip_specfact_github_prompt_recommendations for selective export filtering.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md`:
- Around line 27-34: The verification evidence block is missing the claimed
full-suite coverage gate output; run and record the coverage command `hatch test
--cover -v` (or remove/uncheck the corresponding checklist entry in tasks.md)
and include its console output in the passing evidence section so the documented
gate matches the checklist; update the evidence block to show the `hatch test
--cover -v` invocation and its success summary to restore consistency between
the passing evidence and the checklist in tasks.md.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: be459b2d-dea0-4c71-9121-545ff29b9026

📥 Commits

Reviewing files that changed from the base of the PR and between 13d12d6 and 002bacd.

📒 Files selected for processing (3)

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md
• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• src/specfact_cli/utils/project_artifact_write.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Linting (ruff, pylint, safe-write guard)
• GitHub Check: Tests (Python 3.12)
• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Contract-First CI

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

openspec/changes/**/*.md

📄 CodeRabbit inference engine (.cursorrules)

For /opsx:archive (Archive change): Include module signing and cleanup in final tasks. Agents MUST run openspec archive <change-id> from repo root (no manual mv under openspec/changes/archive/)

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

openspec/**/{proposal.md,tasks.md,design.md,spec.md}

📄 CodeRabbit inference engine (.cursor/rules/automatic-openspec-workflow.mdc)

openspec/**/{proposal.md,tasks.md,design.md,spec.md}: Apply openspec/config.yaml project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase
After implementation, validate the change with openspec validate <change-id> --strict; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• src/specfact_cli/utils/project_artifact_write.py

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks

src/**/*.py: Meaningful Naming — identifiers reveal intent; avoid abbreviations. Identifiers in src/ must use snake_case (modules/functions), PascalCase (classes), UPPER_SNAKE_CASE (constants). Avoid single-letter names outside short loop variables.
KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomati...

Files:

• src/specfact_cli/utils/project_artifact_write.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• src/specfact_cli/utils/project_artifact_write.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• src/specfact_cli/utils/project_artifact_write.py

src/specfact_cli/**/*.py

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/utils/project_artifact_write.py

🧠 Learnings (33)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : After implementation, validate the change with `openspec validate <change-id> --strict`; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : Apply `openspec/config.yaml` project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• src/specfact_cli/utils/project_artifact_write.py

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Run the required verification and quality gates for the touched scope before finalization

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .yamllint : Ensure .yamllint configuration enforces line-length of 140 characters, ignores workflows, and enforces trailing spaces and final newline

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-31T22:38:25.299Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-31T22:38:25.299Z
Learning: Applies to src/**/*.py : KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomatic complexity: 12 (radon `cc` threshold).

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Enforce maximum line length of 120 characters in Python code

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lists should be surrounded by blank lines (MD032: Lists)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md
• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : All code changes must be followed by running the full test suite using the smart test system.

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: When implementation is complete and merged, run `openspec archive <change-id>` from the repository root to merge delta specs into openspec/specs/ and move the change under openspec/changes/archive/; do not manually move folders or use --skip-specs or --no-validate without explicit user confirmation

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Perform `spec -> tests -> failing evidence -> code -> passing evidence` in that order for behavior changes

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:55.908Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/estimation-bias-prevention.mdc:0-0
Timestamp: 2026-03-25T21:31:55.908Z
Learning: Use TDD with quality gates (contract-driven, test-driven implementation, quality gate validation, documentation) as the standard development pattern

Applied to files:

• openspec/changes/profile-04-safe-project-artifact-writes/TDD_EVIDENCE.md

🪛 GitHub Check: Type Checking (basedpyright)

src/specfact_cli/utils/project_artifact_write.py

[warning] 151-151:
Type of "get" is partially unknown
  Type of "get" is "Overload[(key: Unknown, default: None = None, /) -> (Unknown | None), (key: Unknown, default: Unknown, /) -> Unknown, (key: Unknown, default: _T@get, /) -> (Unknown | _T@get)]" (reportUnknownMemberType)

🔇 Additional comments (2)

openspec/changes/profile-04-safe-project-artifact-writes/tasks.md (2)

54-56: Strict OpenSpec validation gate is explicitly captured and looks correct.

This closes the prior sign-off gap and improves traceability of completion evidence.

---

44-45: No actionable issue: hatch run yaml-lint is correctly defined in pyproject.toml (line 227) and aligns with documented standards. The checklist task is reproducible as written.

			> Likely an incorrect or invalid review comment.