Feature/ci module sign on approval

[djm81]

Description

Fix signature to re-run auto sign flow.

Fixes #(issue)

New Features #(issue)

Contract References: List any contracts (@icontract decorators) that this change affects or implements.

Type of Change

Please check all that apply:

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 Documentation update
• 🔒 Contract enforcement (adding/updating @icontract decorators)
• 🧪 Test enhancement (scenario tests, property-based tests)
• 🔧 Refactoring (code improvement without functionality change)

Contract-First Testing Evidence

Required for all changes affecting CLI commands or public APIs:

Contract Validation

• Runtime contracts added/updated (@icontract decorators on public APIs)
• Type checking enforced (@beartype decorators applied)
• CrossHair exploration completed: hatch run contract-test-exploration
• Contract violations reviewed and addressed

Test Execution

• Contract validation: hatch run contract-test-contracts ✅
• Contract exploration: hatch run contract-test-exploration ✅
• Scenario tests: hatch run contract-test-scenarios ✅
• Full test suite: hatch run contract-test-full ✅

Test Quality

• CLI commands tested with typer test client
• Edge cases covered with Hypothesis property tests
• Error handling tested with invalid inputs
• Rich console output verified manually or with snapshots

How Has This Been Tested?

Contract-First Approach: Describe how contracts and scenario tests validate your changes.

Manual Testing

• Tested CLI commands manually
• Verified rich console output
• Tested with different input scenarios
• Checked error messages for clarity

Automated Testing

• Contract validation passes
• Property-based tests cover edge cases
• Scenario tests cover user workflows
• All existing tests still pass

Test Environment

• Python version: (e.g., 3.11, 3.12, 3.13)
• OS: (e.g., Ubuntu 22.04, macOS 14, Windows 11)

Checklist

• My code follows the style guidelines (PEP 8, ruff format, isort)
• I have performed a self-review of my code
• I have added/updated contracts (@icontract, @beartype)
• I have added/updated docstrings (Google style)
• I have made corresponding changes to documentation
• My changes generate no new warnings (basedpyright, ruff, pylint)
• All tests pass locally
• I have added tests that prove my fix/feature works
• Any dependent changes have been merged

Quality Gates Status

• Type checking ✅ (hatch run type-check)
• Linting ✅ (hatch run lint)
• Contract validation ✅ (hatch run contract-test-contracts)
• Contract exploration ✅ (hatch run contract-test-exploration)
• Scenario tests ✅ (hatch run contract-test-scenarios)

Screenshots/Recordings (if applicable)

Add screenshots or recordings of CLI output, especially for new commands or UI changes.

[coderabbitai]

Warning

Rate limit exceeded

@djm81 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 8 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minutes and 8 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1814135d-5bef-409e-a7c9-149ea44e67ac

📥 Commits

Reviewing files that changed from the base of the PR and between 6d23c3a and 98fc3ad.

📒 Files selected for processing (2)

• docs/reference/module-security.md
• tests/unit/specfact_cli/registry/test_signing_artifacts.py

📝 Walkthrough

Walkthrough

Tightens CI signing and verification: fork PRs targeting main require signatures during verification; reproducibility signing runs only on pushes to main with full git history; approval-time signing runs a trusted signer checked out at the PR base SHA and applies it to the PR head workspace; manifest and docs updated accordingly.

Changes

Cohort / File(s)	Summary
CI: sign-modules & reproducibility .github/workflows/sign-modules.yml, .github/workflows/sign-modules-on-approval.yml, .github/workflows/pr-orchestrator.yml	Reproducibility job now triggers only on push to main and checks out full history (fetch-depth: 0); sign-modules uses --payload-from-filesystem for reproducibility; approval-time signing now checks out signer code from pull_request.base.sha into _trusted_scripts and the PR tree into _pr_workspace, runs the trusted signer against the PR workspace, and the manual sign-and-push computes MERGE_BASE and passes --base-ref "$MERGE_BASE"; pr-orchestrator adds conditional --require-signature for fork→main PRs.
Tests tests/unit/specfact_cli/registry/test_signing_artifacts.py, tests/unit/workflows/test_sign_modules_on_approval.py	Updated tests to assert main-only reproducibility condition (github.event_name == 'push' && github.ref_name == 'main'), new test asserting fork PRs to main require signatures, assert MERGE_BASE usage and absence of direct --base-ref "${BASE_REF}", and verify _trusted_scripts/_pr_workspace` checkout and working-directory usage.
Docs & Release CHANGELOG.md, docs/reference/module-security.md	Documented CI signing policy changes: fork→main verification tightened to require signatures, reproducibility now runs only on main pushes, approval-time signer runs a trusted signer from base SHA against PR head, and --payload-from-filesystem usage noted.
Module manifest src/specfact_cli/modules/init/module-package.yaml	Bumped init module version 0.1.26 → 0.1.27 and updated publisher.integrity.checksum.

Sequence Diagram(s)

sequenceDiagram
  participant GH_Actions as "GitHub Actions\n(workflow)"
  participant Trusted as "Trusted Scripts\n(_trusted_scripts)"
  participant PR_Work as "PR Workspace\n(_pr_workspace)"
  participant Signer as "sign-modules.py"
  participant GitRemote as "Git (origin)"

  GH_Actions->>Trusted: checkout at pull_request.base.sha
  GH_Actions->>PR_Work: checkout PR head (module tree)
  GH_Actions->>PR_Work: set working-directory to _pr_workspace
  GH_Actions->>Signer: invoke ${GITHUB_WORKSPACE}/_trusted_scripts/scripts/sign-modules.py --changed-only --payload-from-filesystem ...
  Signer->>PR_Work: read module payloads from filesystem
  Signer->>GitRemote: commit & push updated manifests to PR branch
  GitRemote-->>GH_Actions: push result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related issues

• [Change] CI-Driven Module Signing On PR Approval #500: Overlaps CI signing workflow changes and branch-aware signature enforcement (fork→main tightening).
• [Change] CI-Driven Module Signing On PR Approval specfact-cli-modules#185: Matches edits to sign-modules-on-approval and pr-orchestrator related to signer isolation and verification gating.
• [Feature] Module Trust Chain & CI Security specfact-cli-modules#187: Related to CI-driven approval-time signing and trust-chain enforcement implemented here.

Possibly related PRs

• feat(ci): module signing on PR approval and manual workflow_dispatch #503: Similar modifications to sign-modules workflow and --base-ref/--payload-from-filesystem behavior.
• Release: dev to main: trustworthy CI and review hardening #470: Related workflow hardening for CI signing and verification logic.
• chore(pre-commit): modular hooks + branch-aware module verify #501: Overlaps branch-aware signing policy and --payload-from-filesystem adoption across workflows.

Suggested labels

devops-backlog, module-system

🚥 Pre-merge checks | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title uses a descriptive feature branch name rather than Conventional Commits format; it lacks the required 'feat:', 'fix:', or other standard prefix.	Adopt Conventional Commits format: 'feat: add approval-based module signing workflow' or 'fix: enable signature re-run on approval' to align with repository standards.
Docstring Coverage	⚠️ Warning	Docstring coverage is 77.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description template is present but incompletely filled: no issue numbers in Fixes/New Features, no contract references, Type of Change unchecked, testing evidence sections empty, and no checklist items marked completed.	Complete the description template by checking appropriate Type of Change items, filling contract/testing sections with actual test results or explicitly stating 'N/A', and marking relevant checklist items to clarify CI/security workflow changes scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/ci-module-sign-on-approval

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

specfact-cli/.github/workflows/sign-modules-on-approval.yml

Line 37 in bcd9b44

ref: ${{ github.event.pull_request.head.sha }}

Run signing script from a trusted revision

This job checks out github.event.pull_request.head.sha and then runs python scripts/sign-modules.py with SPECFACT_MODULE_PRIVATE_SIGN_KEY in the environment, which means approved same-repo PR authors can modify that script in their branch and exfiltrate the private signing key when approval triggers this workflow. This affects repos where contributors can open internal branches but should not access signing secrets; use a trusted script source (base/default branch revision or a pinned action artifact) before injecting secrets.

---

specfact-cli/.github/workflows/pr-orchestrator.yml

Lines 117 to 119 in bcd9b44

	if [ "${{ github.event_name }}" = "pull_request" ]; then
	BASE_REF="origin/${{ github.event.pull_request.base.ref }}"
	elif [ "${{ github.ref_name }}" = "main" ]; then

Keep signature enforcement for PRs that cannot auto-sign

The PR verification path now skips --require-signature for all pull requests, but the new approval-time signer is explicitly limited to same-repo PRs, so fork PRs to main have no pre-merge signature gate anymore. In that scenario unsigned manifests can pass PR checks and only fail on post-merge push checks, which can leave main red if branch protection relies on PR-time statuses.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/reference/module-security.md`:
- Around line 69-71: The docs currently state that --changed-only compares
directly to origin/<branch>; update the wording in the manual-signing base-ref
subsection to reflect that the workflow computes MERGE_BASE (the merge-base of
the branch with main) and passes that commit to --base-ref, so --changed-only
comparisons are against MERGE_BASE rather than origin/<branch>; mention the
MERGE_BASE variable and the use of --base-ref to pass that commit, and adjust
any CLI examples to use --base-ref <MERGE_BASE> (or equivalent) and/or
explicitly say "merge-base" behavior when referring to the base commit.

In `@tests/unit/specfact_cli/registry/test_signing_artifacts.py`:
- Around line 496-503: The test
test_sign_modules_reproducibility_runs_only_on_main_push currently asserts raw
text in SIGN_WORKFLOW; instead parse the workflow YAML (e.g.,
yaml.safe_load(SIGN_WORKFLOW.read_text(encoding="utf-8"))) and assert the "jobs"
-> "reproducibility" -> "if" field equals "github.event_name == 'push' &&
github.ref_name == 'main'"; keep the existing check that the file exists and
replace the raw-string assertion with the parsed-YAML assertions (use the
SIGN_WORKFLOW symbol and the "reproducibility" job name to locate the node).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 71d18196-f2e5-4c86-8d83-808cfafa7664

📥 Commits

Reviewing files that changed from the base of the PR and between b9b8691 and 244128c.

📒 Files selected for processing (5)

• .github/workflows/sign-modules.yml
• CHANGELOG.md
• docs/reference/module-security.md
• src/specfact_cli/modules/init/module-package.yaml
• tests/unit/specfact_cli/registry/test_signing_artifacts.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (14)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• docs/reference/module-security.md
• CHANGELOG.md

docs/**/*.md

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Files:

• docs/reference/module-security.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/reference/module-security.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• docs/reference/module-security.md
• CHANGELOG.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

**/*.yaml

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

YAML files must pass linting using: hatch run yaml-lint with relaxed policy.

Files:

• src/specfact_cli/modules/init/module-package.yaml

**/*.{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Validate YAML configuration files locally using hatch run yaml-lint before committing

**/*.{yml,yaml}: Format all YAML and workflow files using hatch run yaml-fix-all before committing
Use Prettier to fix whitespace, indentation, and final newline across YAML files
Use yamllint with the repo .yamllint configuration (line-length 140, trailing spaces and final newline enforced) to lint non-workflow YAML files

Files:

• src/specfact_cli/modules/init/module-package.yaml

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Validate GitHub workflow files using hatch run lint-workflows before committing

.github/workflows/*.{yml,yaml}: Use actionlint for semantic validation of GitHub Actions workflows
Format GitHub Actions workflows using hatch run workflows-fmt and lint them with hatch run workflows-lint after editing

Files:

• .github/workflows/sign-modules.yml

.github/workflows/!(tests).{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Files:

• .github/workflows/sign-modules.yml

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: CI safety: secrets usage, workflow dependencies, alignment with hatch test / contract-test
gates, and action versions.

Files:

• .github/workflows/sign-modules.yml

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

🧠 Learnings (11)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

Applied to files:

• docs/reference/module-security.md
• tests/unit/specfact_cli/registry/test_signing_artifacts.py
• src/specfact_cli/modules/init/module-package.yaml
• .github/workflows/sign-modules.yml
• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• docs/reference/module-security.md
• tests/unit/specfact_cli/registry/test_signing_artifacts.py
• .github/workflows/sign-modules.yml
• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• docs/reference/module-security.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• docs/reference/module-security.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• docs/reference/module-security.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/!(tests).{yml,yaml} : Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Applied to files:

• tests/unit/specfact_cli/registry/test_signing_artifacts.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: If `openspec` command is not found or if specfact-cli workspace or openspec/ directory is not accessible, do not modify application code unless the user explicitly confirms to proceed without OpenSpec

Applied to files:

• src/specfact_cli/modules/init/module-package.yaml

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: After merges shipping OpenSpec- or GitHub-related work with a sibling `specfact-cli-internal` checkout present, run wiki scripts from that sibling repo's working directory (e.g., `cd ../specfact-cli-internal && python3 scripts/wiki_openspec_gh_status.py`), not from `specfact-cli` or other directories

Applied to files:

• .github/workflows/sign-modules.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CHANGELOG.md

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

Repository: nold-ai/specfact-cli-modules [::nold-ai/specfact-cli-modules::]

• scripts/sign-modules.py — signing implementation and payload-from-filesystem support

  • file: scripts/sign-modules.py — contains _module_payload(payload_from_filesystem: bool) which implements the filesystem-based payload hashing and is referenced by the script CLI. [::nold-ai/specfact-cli-modules::scripts/sign-modules.py]

• Workflow added / referenced: sign-modules-on-approval

  • file: .github/workflows/sign-modules-on-approval.yml — CI workflow that runs signing on approved PRs and invokes python scripts/sign-modules.py --changed-only --bump-version patch --payload-from-filesystem and computes merge-base per design. (Present in repo workflows.) [::nold-ai/specfact-cli-modules::.github/workflows/sign-modules-on-approval.yml]

• Tests exercising workflow/dispatch expectations

  • file: tests/unit/workflows/test_sign_modules_on_approval.py — asserts workflow contains expected checkout/find/sign invocations and usage of scripts/sign-modules.py and find packages -name 'module-package.yaml'. This test will need to match any changes to flags like --payload-from-filesystem or how base-ref/merge-base is supplied. [::nold-ai/specfact-cli-modules::tests/unit/workflows/test_sign_modules_on_approval.py]

• Documentation referencing the new flags/behaviour

  • docs/authoring/module-signing.md, docs/guides/ci-cd-pipeline.md, docs/reference/module-security.md, docs/guides/module-marketplace.md and others document running scripts/sign-modules.py --payload-from-filesystem and CI behavior for sign-on-approval. These should stay consistent with workflow and script behavior. [::nold-ai/specfact-cli-modules::docs/authoring/module-signing.md] [::nold-ai/specfact-cli-modules::docs/guides/ci-cd-pipeline.md] [::nold-ai/specfact-cli-modules::docs/reference/module-security.md]

• Module manifest discovery and locations

  • tests and tools expect manifests under packages/*/module-package.yaml; workflows and sign script discover and sign those manifests (e.g., tools/validate_repo_manifests.py, scripts/sign-modules.py iterate module-package.yaml under packages/). If the PR changes which manifests are passed/invoked (filesystem vs git ls-files, or explicit manifest lists), these discovery behaviors are relevant. [::nold-ai/specfact-cli-modules::tools/validate_repo_manifests.py] [::nold-ai/specfact-cli-modules::scripts/sign-modules.py]

Immediate cross-repo relevance / risk notes (observed)

• The repository contains the authoritative signing script (scripts/sign-modules.py) and the new sign-on-approval workflow. Changes to workflow flags (adding/removing --payload-from-filesystem or changing how --base-ref is computed/passed) must align with:
  • the script's CLI parsing and behavior in scripts/sign-modules.py,
  • tests under tests/unit/workflows/test_sign_modules_on_approval.py,
  • documentation references that instruct maintainers to run with --payload-from-filesystem and merge-base semantics.
    Any mismatch (workflow passing a flag not parsed by the script, or tests expecting different conditional triggers) will break CI/tests or the signing flow. [::nold-ai/specfact-cli-modules::scripts/sign-modules.py] [::nold-ai/specfact-cli-modules::tests/unit/workflows/test_sign_modules_on_approval.py] [::nold-ai/specfact-cli-modules::.github/workflows/sign-modules-on-approval.yml]

Conclusion: Relevant cross-repo context was found: signing script, workflow, tests, and docs are co-located and must be kept consistent with the PR changes.

🔇 Additional comments (5)

src/specfact_cli/modules/init/module-package.yaml (1)

2-2: Version bump and checksum refresh are correctly aligned with signing flow.

This manifest update is consistent with the automated signing lifecycle (payload-derived checksum + patched module version).

Based on learnings: "Enforce module signatures and version bumps when signed module assets or manifests are affected."

Also applies to: 20-20

.github/workflows/sign-modules.yml (2)

93-93: Main-only reproducibility gate and filesystem payload signing look correct.

This hardens main without adding unnecessary enforcement to dev/PR paths, and keeps checksum/signing inputs aligned with filesystem payload semantics.

Also applies to: 101-102, 130-130

---

180-181: Using merge-base for --base-ref is the right fix for changed-only signing.

Basing diff selection on git merge-base avoids drift from a moving branch tip and makes manual dispatch behavior more stable.

Also applies to: 193-193

tests/unit/specfact_cli/registry/test_signing_artifacts.py (1)

475-480: Good regression guard for merge-base-driven signing arguments.

These assertions protect the manual dispatch path from regressing back to branch-tip comparison.

CHANGELOG.md (1)

38-42: Accurate and release-safe changelog update.

Line 38-Line 42 clearly capture the signing reproducibility scope and branch policy changes, and the notes improve operational clarity for module signing before main merges.