Skip to content

[spdd] Daily spec work plan - 2026-07-11 #44985

Description

@github-actions

Summary

This daily SPDD plan covers 5 specification files reviewed in this run (rotation index 0–4 of 17 total spec files):

  • specs/security-architecture-spec-summary.md — Candidate Recommendation, v1.0.0
  • specs/security-architecture-spec-validation.md — Validation report, July 6 2026
  • specs/security-architecture-spec.md — Full 7-layer security architecture spec
  • scratchpad/github-mcp-access-control-specification.md — v1.1.0 Draft, MCP access control
  • scratchpad/guard-policies-specification.md — v0.1.0 Draft, guard policies integration

Key findings: the security-architecture spec is mature with a complete formal model and generated test suite. The MCP access control spec has compliance fixtures but lacks combined-failure scenarios. The guard-policies spec is an early draft missing normative requirements, entities, norms, and safeguards sections — it needs significant SPDD work before it can leave scratchpad.


Priority Work Queue

P0 — Must fix for spec integrity

  • Guard-policies spec has no RFC 2119 norms — normative SHALLs are scattered in prose
  • MCP access control compliance fixtures have no combined P5_NotBlocked + P6_IntegrityMet scenario

P1 — Important gaps

  • Security-architecture spec Appendix G lock-file checklist has no machine-readable fixture counterpart
  • Guard-policies spec has no Sync section linking to mcp-gateway-config.schema.json

P2 — Maintenance

  • PM-11 pre_activation note (added 2026-07-06) needs test-coverage verification in formal test file
  • P5_NotBlocked placement in §4.5.3 is ambiguous in MCP access control spec

SPDD Checklist

  • /spdd-generatescratchpad/guard-policies-specification.md: add ## Normative Requirements section with ≥ 6 requirement codes (GP-001...GP-006) covering allowed-repos, min-integrity, and extension-point semantics. Done when: section exists with numbered RFC 2119 requirements.
  • /spdd-generatescratchpad/guard-policies-specification.md: add ## Sync Follow-ups section naming schemas/mcp-gateway-config.schema.json and the Go policy file as mandatory update targets after spec changes. Done when: both file paths are referenced with update steps.
  • /spdd-generatespecs/github-mcp-access-control-compliance/: create fixture file combined-blocked-integrity.yaml covering P5_NotBlocked + P6_IntegrityMet evaluated simultaneously. Done when: YAML file exists, fixture_id is set, and compliance README table row is added.
  • /spdd-reasons-canvasscratchpad/guard-policies-specification.md: add Safeguards (S) canvas section — what prevents allowed-repos: all from being a security bypass at runtime? Done when: ≥ 1 normative safeguard requirement is present.
  • /spdd-analysispkg/workflow/security_architecture_sg_formal_test.go: verify PM-11 (pre_activation membership validation) is covered by TestFormalSG04_LeastPrivilegeBasePermissions or a dedicated test. Done when: test is confirmed or gap issue is opened.
  • /spdd-syncscratchpad/github-mcp-access-control-specification.md: add or update ## Sync Follow-ups section naming the Go implementation file and compliance README as sync targets when §4.5.3 predicate order changes. Done when: section present with both targets named.
  • /spdd-analysisspecs/security-architecture-spec.md Appendix G: audit all 9 checklist items (action pinning, permission separation, fork protection, input sanitization, threat detection, RBAC, AWF sandbox, concurrency, runtime validation) against tests in security_architecture_sg_formal_test.go. Done when: coverage gap table added or confirmed complete.
  • /spdd-reasons-canvasscratchpad/guard-policies-specification.md: add ## Entities section defining GuardPolicy, GitHubGuardPolicy, and MCPServerConfig types with field descriptions. Done when: ≥ 3 type definitions are present with field tables.

Per-Spec Findings

specs/security-architecture-spec.md — v1.0.0 Candidate Recommendation

REASONS Canvas

Element Status Notes
Requirements ✅ Strong 70+ test IDs, 7 SG guarantees, RFC 2119
Entities ✅ Strong WorkflowState and sub-types fully defined
Approach ✅ Strong 7-layer defense-in-depth, TLA+/F*/Z3 formal model
Structure ✅ Strong 15 sections + Appendices A–H
Operations ✅ Strong Job pipeline pre_activation→activation→agent→detection→safe_outputs→conclusion formally specified
Norms ✅ Strong MUST/SHALL per section, §2.2 notation
Safeguards ⚠️ Partial Appendix G is prose-only; no machine-readable fixture per checklist item

Risks: Appendix G lacks automated coverage. PM-11 (pre_activation membership, added 2026-07-06) test coverage unverified.

specs/security-architecture-spec-validation.md — validation report (July 6 2026)

Status: Overall passes. Recent additions (PM-11, optional conclusion job, Appendix D detection job) recorded as done in summary spec.

Gap: trusted-users runtime enforcement cross-referenced but no Go function or test named — traceability incomplete.

specs/security-architecture-spec-summary.md — summary (v1.0.0)

Status: Well-maintained; all spec maintenance tasks ✅. Formal model section added 2026-07-09.

Minor gap: Summary does not document which conformance level (Basic/Standard/Complete) each of the 15 formal tests satisfies.

scratchpad/github-mcp-access-control-specification.md — v1.1.0 Draft

REASONS Canvas

Element Status Notes
Requirements ✅ Strong §11 table, 14 test functions, error codes
Entities ✅ Strong P1–P6 predicates, ALLOW conjunction
Approach ✅ Strong Guard predicate evaluation order §4.5.3
Structure ✅ Strong 11 sections
Operations ⚠️ Partial P5_NotBlocked placement inconsistent between README and spec
Norms ✅ Strong RFC 2119 throughout
Safeguards ⚠️ Partial No combined P5+P6 fixture; gap in SAFETY_BlockedUserAlwaysDenied when P6 also fails

Risk: 9 fixtures vs 14 test functions — combined-failure scenarios uncovered.

scratchpad/guard-policies-specification.md — v0.1.0 Draft

REASONS Canvas

Element Status Notes
Requirements ❌ Missing No RFC 2119 normative table; requirements buried in prose
Entities ⚠️ Partial Types in code blocks only; no formal Entities section
Approach ✅ Present Type hierarchy and frontmatter syntax shown
Structure ⚠️ Partial Missing conformance section
Operations ❌ Missing No processing model or evaluation order
Norms ❌ Missing No dedicated norms section
Safeguards ❌ Missing No safeguards section

Risk: Cannot write compliance tests without normative language. Needs significant SPDD work before leaving scratchpad.


Sync Follow-ups

  • After adding normative requirements to guard-policies-specification.md → update schemas/mcp-gateway-config.schema.json.
  • After creating combined-blocked-integrity.yaml → register in compliance README and link from §11.4 of access control spec.
  • After PM-11 test audit → update specs/security-architecture-spec-validation.md with verification date.
  • If P5_NotBlocked ordering is resolved in access control spec → regenerate TestFormal_BlockedUserSafetyProperty to match.

Context

Key Value
Files reviewed specs/security-architecture-spec-summary.md, specs/security-architecture-spec-validation.md, specs/security-architecture-spec.md, scratchpad/github-mcp-access-control-specification.md, scratchpad/guard-policies-specification.md
Rotation index 0–4 of 17 total spec files
Next run starts at index 5
Run URL §29159272441

References:

Generated by 📋 Daily SPDD Spec Planner · 49.4 AIC · ⌖ 7.64 AIC · ⊞ 4.8K ·

  • expires on Jul 14, 2026, 8:18 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions