Open
Conversation
Spec: all 8 tickets Planned→Done
Book: add --breadth-first, --check-cron-syntax, --resource-health,
--machine-health-summary, --notify-ntfy, --only-machine examples
Dogfood: 30/30 configs validate, 20/20 examples run, 2188 tests pass
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- FJ-741: validate --check-env-refs (verify {{env.*}} references)
- FJ-743: graph --subgraph-stats (connected component analysis)
- FJ-744: apply --notify-webhook-headers (custom webhook headers)
- FJ-745: validate --check-resource-names (kebab-case/prefix enforcement)
- FJ-746: status --last-apply-status (per-machine apply history)
- FJ-747: graph --dependency-count (in-degree/out-degree metrics)
- FJ-748: status --resource-staleness (time since last apply)
Spec: Phase 60 defined and marked Planned
Book: updated CLI reference with Phase 59 examples
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All Phase 60 tickets: Planned→Done 30/30 dogfood configs validate, 20/20 examples run, 2202 tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Graph: root-resources, edge-list. Validate: resource-count, duplicate-paths. Status: convergence-percentage, failed-count, drift-count. 18 new tests. Split status_resource_detail.rs → status_counts.rs (500-line limit). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Validate: circular-deps, machine-refs. Graph: connected-components, adjacency-matrix. Status: resource-duration, machine-resource-map. 17 new tests. New modules: validate_safety, status_diagnostics. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Validate: provider-consistency, state-values. Graph: longest-path, in-degree. Status: fleet-convergence, resource-hash, machine-drift-summary. 18 new tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…2274) New CLI flags: - validate --check-unused-machines: detect machines with no resource refs - validate --check-tag-consistency: verify kebab-case tag naming - graph --out-degree: show dependency count per resource - graph --density: compute edge density ratio - status --apply-history-count: total applies per machine from event log - status --lock-file-count: count lock files across fleet - status --resource-type-distribution: resource type breakdown - apply --notify-json: JSON notification output (arg wiring) 19 new tests (2255→2274), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Phase 64 (FJ-773→FJ-780): 8/8 tickets Done — governance & audit intelligence. Phase 65 defined: operational readiness & deep analysis. Book updated with validate, graph, status Phase 64 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…(2274→2292) New CLI flags: - validate --check-dependency-exists: verify depends_on targets exist - validate --check-path-conflicts-strict: detect same file path on same machine - graph --topological-sort: output valid execution order (Kahn's algorithm) - graph --critical-path-resources: show resources on longest chain - status --resource-apply-age: time since last apply per resource - status --machine-uptime: time since first apply per machine - status --resource-churn: apply frequency per resource from event log - apply --notify-slack-webhook: Slack webhook notification (arg wiring) 18 new tests (2274→2292), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Phase 65 (FJ-781→FJ-788): 8/8 tickets Done — operational readiness. Phase 66 defined: fleet intelligence & compliance. Book updated with validate, graph, status Phase 65 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…2311) New CLI flags: - validate --check-duplicate-names: detect duplicate base names across groups - validate --check-resource-groups: verify resource groups are non-empty - graph --sink-resources: show resources with no dependents (leaf nodes) - graph --bipartite-check: check if dependency graph is bipartite (2-coloring) - status --last-drift-time: show timestamp of last drift per resource - status --machine-resource-count: show resource count per machine - status --convergence-score: weighted convergence score across fleet - apply --notify-telegram: Telegram notification (arg wiring) New file: status_fleet_detail.rs. 19 new tests (2292→2311), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… book Phase 66 (FJ-789→FJ-796): 8/8 tickets Done — fleet intelligence. Phase 67 defined: advanced graph analysis & monitoring. Book updated with validate, graph, status Phase 66 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…J-804, 2329 tests) Validate: --check-orphan-resources (FJ-797), --check-machine-arch (FJ-801) Graph: --strongly-connected via Tarjan SCC (FJ-799), --dependency-matrix-csv (FJ-803) Status: --apply-success-rate (FJ-800), --error-rate (FJ-802), --fleet-health-summary (FJ-804) Split graph_export.rs → graph_advanced.rs to stay under 500-line limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…812, 2329→2350) Validate: --check-resource-health-conflicts (FJ-805), --check-resource-overlap (FJ-809) Status: --machine-convergence-history (FJ-806), --drift-history (FJ-810), --resource-failure-rate (FJ-812) Graph: --resource-weight (FJ-807), --dependency-depth-per-resource (FJ-811) Apply: Wire --notify-pagerduty into NotifyOpts with PagerDuty Events v2 API (FJ-808) Split validate_safety.rs -> validate_advanced.rs, tests_graph_core 1/2 -> core_6. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…50→2373) - validate --check-resource-tags (FJ-813): tag convention enforcement - status --machine-last-apply (FJ-814): last apply timestamp per machine - graph --resource-fanin (FJ-815): fan-in count per resource - apply --notify-discord-webhook (FJ-816): Discord rich embed notifications - validate --check-resource-state-consistency (FJ-817): state/type validation - status --fleet-drift-summary (FJ-818): aggregated drift across fleet - graph --isolated-subgraphs (FJ-819): disconnected subgraph detection - status --resource-apply-duration (FJ-820): avg apply duration per type - Split status_fleet_detail.rs → status_operational.rs (500-line limit) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…→2396) - validate --check-resource-dependencies-complete (FJ-821): dep target existence - status --machine-resource-health (FJ-822): per-machine health breakdown - graph --resource-dependency-chain (FJ-823): full chain from root to leaf - apply --notify-teams-webhook (FJ-824): MS Teams adaptive card notifications - validate --check-machine-connectivity (FJ-825): address format validation - status --fleet-convergence-trend (FJ-826): convergence % across fleet - graph --bottleneck-resources (FJ-827): high fan-in + fan-out detection - status --resource-state-distribution (FJ-828): state counts across fleet Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…al paths (2396→2419) Validate: --check-resource-naming-pattern, --check-resource-provider-support Status: --machine-apply-count, --fleet-apply-history, --resource-hash-changes Graph: --critical-dependency-path, --resource-depth-histogram Apply: --notify-slack-blocks Split graph_advanced.rs → graph_paths.rs (FJ-823/827/831/835) to stay under 500-line limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…nce times (2419→2442) Validate: --check-resource-secret-refs, --check-resource-idempotency-hints Status: --machine-uptime-estimate, --fleet-resource-type-breakdown, --resource-convergence-time Graph: --resource-coupling-score, --resource-change-frequency Apply: --notify-custom-template New status_insights.rs module. Split try_status_phase68 + try_status_phase71 helpers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
8 tickets: validate --check-resource-dependency-depth, --check-resource-machine-affinity, status --machine-drift-age, --fleet-failed-resources, --resource-dependency-health, graph --resource-impact-score, --resource-stability-score, apply --notify-custom-webhook. Split validate_advanced→validate_governance (500-line limit). Extract try_graph_paths helper (cognitive complexity). 2442→2463 tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
8 tickets: validate --check-resource-drift-risk, --check-resource-tag-coverage, status --machine-resource-age-distribution, --fleet-convergence-velocity, --resource-failure-correlation, graph --resource-dependency-fanout, --resource-dependency-weight, apply --notify-custom-headers. Extract try_validate_governance helper. 2463→2484 tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Includes: nix-compatible store model (12 phases), 4 store examples, 204 spec falsification tests, task field expansion, GPU training recipe. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… (Refs FJ-1376) - panic=abort saves 3MB binary size (23→20MB), appropriate for CLI tool - Fix /state/ exclude to not catch src/core/state/ during cargo publish Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…Refs FJ-1376) Root cause (five-whys): 1. Tests fail after cargo update 2. bashrs 6.64→6.65 added SC1035 (done keyword) and SC1100 (unicode dash) 3. service.rs SYSTEMD_GUARD and network.rs UFW_GUARD contained U+2014 em-dash 4. Scripts written against bashrs 6.64, never validated against newer versions 5. cargo update ran without full test suite verification Fixes: - Replace unicode em-dash with ASCII hyphen in service.rs and network.rs - Avoid 'done' at quote boundary in test hook script - Bump rust-toolchain.toml 1.87→1.88, MSRV 1.87→1.88 (home@0.5.12 compat) - Bump version to 1.1.1 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bootstrap merge — clean-room gate workflow deployment. Generated by machines/clean-room/deploy-workflows.sh Spec: sovereign-stack-protected-branch-strategy.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…eness, reconstruction, proptest Implements 8 features from the v2 quality improvement specification: - #116: Output persistence to GlobalLock for cross-stack data flow - #117: Cross-stack data flow via forjar-state data source - #131: Cross-stack staleness detection with max_staleness field - #133: State integrity verification via BLAKE3 sidecars on apply - #127: Event-sourced state reconstruction (forjar state-reconstruct) - #50: Property-based idempotency tests (hash, serde, converged-noop) - #155: pforge MCP server deployment recipe (cookbook) - #156: Agent deployment recipe pattern (cookbook) 42 new tests, all 7176 tests pass. Book updates for state management, testing, and cookbook chapters. Refs PMAT-035, PMAT-036, PMAT-037, PMAT-038, PMAT-039, PMAT-040 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…onfig-merge (Refs PMAT-035) PMAT-041: Drift-aware deployment blocking (#21) — pre-apply drift check PMAT-042: --why change explanation (#106) — plan --why shows reasons PMAT-043: Convergence budget enforcement (#85) — policy.convergence_budget PMAT-044: Pre-apply state snapshots (#129) — policy.snapshot_generations PMAT-045: Reversibility classification (#130) — classify destroy actions PMAT-046: Config merge CLI (#121) — forjar config-merge 22 new tests, 7198 passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…PMAT-036) PMAT-047: Stack extraction (#120) — forjar extract --tags/--group/--glob PMAT-050: Tamper-evident transparency log (#32) — BLAKE3 chain hashing PMAT-052: Proof obligation taxonomy (#52) — idempotent/monotonic/convergent/destructive 29 new tests, 7226 total passing. Scorecard 96→98/166. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… handlers, rollback-on-failure - generation.rs: Nix-style numbered state generations with atomic symlink swap - create_generation(), rollback_to_generation(), gc_generations(), list_generations() - forjar generation list/gc CLI commands; forjar rollback --generation N - Auto-generation creation during apply; 11 tests - compliance.rs: Structured compliance benchmark evaluation framework - CIS (6.1.1, 1.1.5, 5.2.1, 6.2.1), NIST 800-53 (AC-3, AC-6, CM-6, SC-28, SI-7) - SOC2 (CC6.1, CC7.2), HIPAA (164.312a, 164.312e); 22 tests - tests_proptest_handlers.rs: 6 property-based tests with arb_resource() strategy - Hash determinism, type-affects-hash, converged=noop, codegen no-panic - Proof obligation totality, chain hash determinism; covers 8 resource types - apply.rs: Generation-based rollback on failure via maybe_rollback_generation() - Fix: gc_old_snapshots() now uses snapshots_dir() consistently (was .snapshots) Score: 98 → 102/166 (#22 ⚠→✅, #75 ⚠→✅, #77 ⚠→✅, #83 ⚠→✅, #126 ❌→✅) (Refs PMAT-037) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…drift forensics (Refs PMAT-038) - #124 Stack diff: `forjar stack-diff` compares resources/machines/params/outputs between configs - #37 Security scanner: 10-rule IaC scanner (SS-1 through SS-10) with `forjar security-scan` CLI - #35 Policy-as-code: `policy.security_gate` blocks apply on findings above severity threshold - #20 Drift forensics: `operator` and `config_hash` fields on ApplyStarted events for attribution - Book: security scanning section with rule table and policy gate examples - Score: 98 → 101/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…efs PMAT-038) - #18 Continuous drift monitoring: forjar watch + drift --auto-remediate - #19 Self-healing drift remediation: already fully implemented in drift.rs - #62 Timeout enforcement: resource timeout + convergence_budget working - Score: 101 → 103/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… metadata (Refs PMAT-038) - Recipe expansion detects version conflicts (same recipe at different versions) - ApplyStarted event now includes param_count for experiment tracking - Refactored expand_recipes() into 7 helper functions for complexity compliance - Updated spec scorecard: 105/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ebug trace (Refs PMAT-038) - #61: Per-resource `sudo: true` field wraps scripts with sudo bash -c - #29: `forjar sbom` generates SPDX 2.3 JSON (packages, docker, models, files) - #17: Parallel fleet drift detection via std::thread::scope - #109: `forjar apply --trace` prints generated scripts before execution - Spec scorecard: 105 -> 116/166 - 11 new tests (6 sudo + 5 SBOM) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…AT-038) - Add brew provider to package resource (check, apply, state_query) - Idempotent brew install with version pinning (package@version) - Update unsupported-provider tests from brew to snap - 8 new brew-specific tests in tests_package.rs - SBOM now expands recipes before collecting components - 2 new SBOM tests (recipe fallback, brew packages) - Book: add brew provider table row + cross-platform section Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…-038) - `forjar cbom`: scans BLAKE3, age/X25519, SSH, TLS, docker SHA-256 - `forjar prove`: validates codegen completeness, DAG acyclicity, hash determinism, state coverage, idempotency structure - 6 CBOM tests, 7 prove tests (13 new tests total) - Score: 116 → 120/166 (#33 CBOM, #68 brew, #70 recipe SBOM, #134 prove) - Book: add CBOM and convergence proof sections Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add native SVG output for `forjar graph --format svg` with grid layout, color-coded resource types, and arrow-marker edges. Fix clippy warnings in cbom.rs and prove.rs. Update spec scorecard for #48. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…lineage (Refs PMAT-038) Add three new CLI commands: - `forjar privilege-analysis` — least-privilege execution analysis (#38) - `forjar provenance` — SLSA Level 3 in-toto attestation (#30) - `forjar lineage` — Merkle DAG configuration lineage (#23) Also marks SVG graph export (#108) in spec. Split misc_args.rs to stay under 500-line limit. Score: 120 -> 124/166. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…s PMAT-038) Add three new CLI commands: - `forjar bundle` — self-contained recipe bundles with BLAKE3 manifest (#92) - `forjar model-card` — ML model card generation (#152) - `forjar agent-sbom` — agent-specific bill of materials (#162) Score: 124 -> 127/166. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 4, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 5, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 5, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 5, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 6, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
added a commit
that referenced
this pull request
Mar 20, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
noahgift
force-pushed
the
main
branch
3 times, most recently
from
8cf6817 to
f100dab
Compare
noahgift
added a commit
that referenced
this pull request
Mar 21, 2026
…AT-042, PMAT-043, PMAT-044, PMAT-045, PMAT-046) - Feature #10: conditionals have 28 tests, not "10+" - Feature #13: GlobalLock.outputs field exists (FJ-1260), persist_outputs() works - Feature #77: proptest in 10 files (not 7), upgrade⚠️ → ✅ - Feature #83: generation-based rollback fully implemented, not stubs - Unit test count: 7134 → 8439 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
brewprovider to package resource for cross-platform support (macOS/Linux)Test plan
🤖 Generated with Claude Code