feat(solver): deployment solver foundations — topology, allocation, protocol library

.github/workflows/ci.yml

@@ -164,19 +164,12 @@ jobs:
   supply-chain:
     name: Supply Chain (cargo-vet)
     runs-on: ubuntu-latest
-    continue-on-error: true
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@nightly
+      - uses: dtolnay/rust-toolchain@stable
       - name: Install cargo-vet
         uses: taiki-e/install-action@v2
         with:
           tool: cargo-vet
-      - name: Initialize cargo-vet if needed
-        run: |
-          if [ ! -d supply-chain ]; then
-            cargo vet init
-            echo "::notice::cargo-vet initialized"
-          fi
-      - name: Check supply chain
-        run: cargo vet --locked || echo "::warning::cargo-vet found unaudited crates"
+      - name: Verify supply chain
+        run: cargo vet --locked

.github/workflows/release.yml

@@ -7,6 +7,8 @@ on:
 
 permissions:
   contents: write
+  id-token: write
+  attestations: write
 
 env:
   CARGO_TERM_COLOR: always
@@ -244,10 +246,28 @@ jobs:
         env:
           VSCE_PAT: ${{ secrets.VSCE_PAT }}
 
+  # ── SBOM (Software Bill of Materials) ─────────────────────────────────
+  build-sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Install cargo-cyclonedx
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-cyclonedx
+      - name: Generate CycloneDX SBOM
+        run: cargo cyclonedx --format json --output-file spar-sbom.cdx.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: spar-sbom.cdx.json
+
   # ── Create GitHub Release ─────────────────────────────────────────────
   create-release:
     name: Create GitHub Release
-    needs: [build-binaries, build-compliance, build-test-evidence, build-vsix]
+    needs: [build-binaries, build-compliance, build-test-evidence, build-vsix, build-sbom]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -260,7 +280,7 @@ jobs:
       - name: Collect assets
         run: |
           mkdir -p release
-          find artifacts -type f \( -name "*.tar.gz" -o -name "*.zip" -o -name "*.vsix" \) -exec mv {} release/ \;
+          find artifacts -type f \( -name "*.tar.gz" -o -name "*.zip" -o -name "*.vsix" -o -name "*.cdx.json" \) -exec mv {} release/ \;
           ls -la release/
 
       - name: Generate checksums
@@ -272,9 +292,20 @@ jobs:
       - name: Create Release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.ref_name }}
         run: |
-          VERSION="${GITHUB_REF#refs/tags/}"
           gh release create "$VERSION" \
             --title "spar $VERSION" \
             --generate-notes \
             release/*
+
+      - name: Attest release artifacts (SLSA provenance)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          for file in release/*; do
+            echo "Attesting: $file"
+            gh attestation create "$file" \
+              --repo "${{ github.repository }}" \
+              --bundle-output "$file.jsonl" || true
+          done

.playwright-mcp/console-2026-03-20T04-54-47-549Z.log

@@ -0,0 +1 @@
+[     856ms] [ERROR] Failed to load resource: the server responded with a status of 404 (File not found) @ http://localhost:8777/favicon.ico:0

AGENTS.md

@@ -0,0 +1,112 @@
+<!-- Auto-generated by `rivet init --agents`. Re-run to update after artifact changes. -->
+# AGENTS.md — Rivet Project Instructions
+
+> This file was generated by `rivet init --agents`. Re-run the command
+> any time artifacts change to keep this file current.
+
+## Project Overview
+
+This project uses **Rivet** for SDLC artifact traceability.
+- Config: `rivet.yaml`
+- Schemas: common, dev, aspice, stpa, aadl
+- Artifacts: 221 across 3 types
+- Validation: `rivet validate` (current status: 21 errors)
+
+## Available Commands
+
+| Command | Purpose | Example |
+|---------|---------|---------|
+| `rivet validate` | Check link integrity, coverage, required fields | `rivet validate --format json` |
+| `rivet list` | List artifacts with filters | `rivet list --type requirement --format json` |
+| `rivet stats` | Show artifact counts by type | `rivet stats --format json` |
+| `rivet add` | Create a new artifact | `rivet add -t requirement --title "..." --link "satisfies:SC-1"` |
+| `rivet link` | Add a link between artifacts | `rivet link SOURCE -t satisfies --target TARGET` |
+| `rivet serve` | Start the dashboard | `rivet serve --port 3000` |
+| `rivet export` | Generate HTML reports | `rivet export --format html --output ./dist` |
+| `rivet impact` | Show change impact | `rivet impact --since HEAD~1` |
+| `rivet coverage` | Show traceability coverage | `rivet coverage --format json` |
+| `rivet diff` | Compare artifact versions | `rivet diff --base path/old --head path/new` |
+
+## Artifact Types
+
+| Type | Count | Description |
+|------|------:|-------------|
+| `design-decision` | 46 | An architectural or design decision with rationale |
+| `feature` | 90 | A user-visible capability or feature |
+| `requirement` | 85 | A functional or non-functional requirement |
+| `aadl-analysis-result` | 0 | Output of a spar analysis pass |
+| `aadl-component` | 0 | AADL component type or implementation imported from spar |
+| `aadl-flow` | 0 | End-to-end flow with latency bounds |
+| `aadl-tool` | 0 | An AADL ecosystem tool — captures what it does, what makes it unique, and what capabilities spar could adopt from it. |
+| `control-action` | 0 | An action issued by a controller to a controlled process or another controller. |
+| `controlled-process` | 0 | A process being controlled — the physical or data transformation acted upon by controllers. |
+| `controller` | 0 | A system component (human or automated) responsible for issuing control actions. Each controller has a process model — its internal beliefs about the state of the controlled process. |
+| `controller-constraint` | 0 | A constraint on a controller's behavior derived by inverting a UCA. Specifies what the controller must or must not do. |
+| `hazard` | 0 | A system state or set of conditions that, together with worst-case environmental conditions, will lead to a loss. |
+| `loss` | 0 | An undesired or unplanned event involving something of value to stakeholders. Losses define what the analysis aims to prevent. |
+| `loss-scenario` | 0 | A causal pathway describing how a UCA could occur or how the control action could be improperly executed, leading to a hazard. |
+| `stakeholder-req` | 0 | Stakeholder requirement (SYS.1) |
+| `sub-hazard` | 0 | A refinement of a hazard into a more specific unsafe condition. |
+| `sw-arch-component` | 0 | Software architectural element (SWE.2) |
+| `sw-detail-design` | 0 | Software detailed design or unit specification (SWE.3) |
+| `sw-integration-verification` | 0 | Software component and integration verification measure (SWE.5 — Software Component Verification and Integration Verification) |
+| `sw-req` | 0 | Software requirement (SWE.1) |
+| `sw-verification` | 0 | Software verification measure against SW requirements (SWE.6 — Software Verification) |
+| `sys-integration-verification` | 0 | System integration and integration verification measure (SYS.4 — System Integration and Integration Verification) |
+| `sys-verification` | 0 | System verification measure against system requirements (SYS.5 — System Verification) |
+| `system-arch-component` | 0 | System architectural element (SYS.3) |
+| `system-constraint` | 0 | A condition or behavior that must be satisfied to prevent a hazard. Each constraint is the inversion of a hazard. |
+| `system-req` | 0 | System requirement derived from stakeholder needs (SYS.2) |
+| `uca` | 0 | An Unsafe Control Action — a control action that, in a particular context and worst-case environment, leads to a hazard. Four types (provably complete): 1. Not providing the control action leads to a hazard 2. Providing the control action leads to a hazard 3. Providing too early, too late, or in the wrong order 4. Control action stopped too soon or applied too long |
+| `unit-verification` | 0 | Unit verification measure (SWE.4 — Software Unit Verification) |
+| `verification-execution` | 0 | A verification execution run against a specific version |
+| `verification-verdict` | 0 | Pass/fail verdict for a single verification measure in an execution run |
+
+## Working with Artifacts
+
+### File Structure
+- Artifacts are stored as YAML files in: `artifacts`, `safety/stpa`, `safety/stpa/requirements.yaml`, `safety/stpa/architecture.yaml`, `safety/stpa/validation.yaml`
+- Schema definitions: `schemas/` directory
+- Documents: `docs`
+
+### Creating Artifacts
+```bash
+rivet add -t requirement --title "New requirement" --status draft --link "satisfies:SC-1"
+```
+
+### Validating Changes
+Always run `rivet validate` after modifying artifact YAML files.
+Use `rivet validate --format json` for machine-readable output.
+
+### Link Types
+
+| Link Type | Description | Inverse |
+|-----------|-------------|--------|
+| `acts-on` | Control action acts on a process or controller | `acted-on-by` |
+| `allocated-to` | Source is allocated to the target (e.g. requirement to architecture component) | `allocated-from` |
+| `caused-by-uca` | Loss scenario is caused by an unsafe control action | `causes-scenario` |
+| `constrained-by` | Source is constrained by the target | `constrains` |
+| `constrains-controller` | Constraint applies to a specific controller | `controller-constrained-by` |
+| `depends-on` | Source depends on target being completed first | `depended-on-by` |
+| `derives-from` | Source is derived from the target | `derived-into` |
+| `implements` | Source implements the target | `implemented-by` |
+| `inverts-uca` | Controller constraint inverts (is derived from) an UCA | `inverted-by` |
+| `issued-by` | Control action or UCA is issued by a controller | `issues` |
+| `leads-to-hazard` | UCA or loss scenario leads to a hazard | `hazard-caused-by` |
+| `leads-to-loss` | Hazard leads to a specific loss | `loss-caused-by` |
+| `mitigates` | Source mitigates or prevents the target | `mitigated-by` |
+| `modeled-by` | An architecture component is modeled by an AADL component | `models` |
+| `part-of-execution` | Verification verdict belongs to a verification execution run | `contains-verdict` |
+| `prevents` | Constraint prevents a hazard | `prevented-by` |
+| `refines` | Source is a refinement or decomposition of the target | `refined-by` |
+| `result-of` | Verification verdict is the result of executing a verification measure | `has-result` |
+| `satisfies` | Source satisfies or fulfils the target | `satisfied-by` |
+| `traces-to` | General traceability link between any two artifacts | `traced-from` |
+| `verifies` | Source verifies or validates the target | `verified-by` |
+
+## Conventions
+
+- Artifact IDs follow the pattern: PREFIX-NNN (e.g., REQ-001, FEAT-042)
+- Use `rivet add` to create artifacts (auto-generates next ID)
+- Always include traceability links when creating artifacts
+- Run `rivet validate` before committing

CLAUDE.md

@@ -0,0 +1,7 @@
+# CLAUDE.md
+
+See [AGENTS.md](AGENTS.md) for project instructions.
+
+Additional Claude Code settings:
+- Use `rivet validate` to verify changes to artifact YAML files
+- Use `rivet list --format json` for machine-readable artifact queries