You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Key findings: the security-architecture spec is mature with a complete formal model and generated test suite. The MCP access control spec has compliance fixtures but lacks combined-failure scenarios. The guard-policies spec is an early draft missing normative requirements, entities, norms, and safeguards sections — it needs significant SPDD work before it can leave scratchpad.
Priority Work Queue
P0 — Must fix for spec integrity
Guard-policies spec has no RFC 2119 norms — normative SHALLs are scattered in prose
MCP access control compliance fixtures have no combined P5_NotBlocked + P6_IntegrityMet scenario
P1 — Important gaps
Security-architecture spec Appendix G lock-file checklist has no machine-readable fixture counterpart
Guard-policies spec has no Sync section linking to mcp-gateway-config.schema.json
P2 — Maintenance
PM-11 pre_activation note (added 2026-07-06) needs test-coverage verification in formal test file
P5_NotBlocked placement in §4.5.3 is ambiguous in MCP access control spec
SPDD Checklist
/spdd-generate — scratchpad/guard-policies-specification.md: add ## Normative Requirements section with ≥ 6 requirement codes (GP-001...GP-006) covering allowed-repos, min-integrity, and extension-point semantics. Done when: section exists with numbered RFC 2119 requirements.
/spdd-generate — scratchpad/guard-policies-specification.md: add ## Sync Follow-ups section naming schemas/mcp-gateway-config.schema.json and the Go policy file as mandatory update targets after spec changes. Done when: both file paths are referenced with update steps.
/spdd-generate — specs/github-mcp-access-control-compliance/: create fixture file combined-blocked-integrity.yaml covering P5_NotBlocked + P6_IntegrityMet evaluated simultaneously. Done when: YAML file exists, fixture_id is set, and compliance README table row is added.
/spdd-reasons-canvas — scratchpad/guard-policies-specification.md: add Safeguards (S) canvas section — what prevents allowed-repos: all from being a security bypass at runtime? Done when: ≥ 1 normative safeguard requirement is present.
/spdd-analysis — pkg/workflow/security_architecture_sg_formal_test.go: verify PM-11 (pre_activation membership validation) is covered by TestFormalSG04_LeastPrivilegeBasePermissions or a dedicated test. Done when: test is confirmed or gap issue is opened.
/spdd-sync — scratchpad/github-mcp-access-control-specification.md: add or update ## Sync Follow-ups section naming the Go implementation file and compliance README as sync targets when §4.5.3 predicate order changes. Done when: section present with both targets named.
/spdd-analysis — specs/security-architecture-spec.md Appendix G: audit all 9 checklist items (action pinning, permission separation, fork protection, input sanitization, threat detection, RBAC, AWF sandbox, concurrency, runtime validation) against tests in security_architecture_sg_formal_test.go. Done when: coverage gap table added or confirmed complete.
/spdd-reasons-canvas — scratchpad/guard-policies-specification.md: add ## Entities section defining GuardPolicy, GitHubGuardPolicy, and MCPServerConfig types with field descriptions. Done when: ≥ 3 type definitions are present with field tables.
Summary
This daily SPDD plan covers 5 specification files reviewed in this run (rotation index 0–4 of 17 total spec files):
specs/security-architecture-spec-summary.md— Candidate Recommendation, v1.0.0specs/security-architecture-spec-validation.md— Validation report, July 6 2026specs/security-architecture-spec.md— Full 7-layer security architecture specscratchpad/github-mcp-access-control-specification.md— v1.1.0 Draft, MCP access controlscratchpad/guard-policies-specification.md— v0.1.0 Draft, guard policies integrationKey findings: the security-architecture spec is mature with a complete formal model and generated test suite. The MCP access control spec has compliance fixtures but lacks combined-failure scenarios. The guard-policies spec is an early draft missing normative requirements, entities, norms, and safeguards sections — it needs significant SPDD work before it can leave scratchpad.
Priority Work Queue
P0 — Must fix for spec integrity
P5_NotBlocked + P6_IntegrityMetscenarioP1 — Important gaps
mcp-gateway-config.schema.jsonP2 — Maintenance
P5_NotBlockedplacement in §4.5.3 is ambiguous in MCP access control specSPDD Checklist
/spdd-generate—scratchpad/guard-policies-specification.md: add## Normative Requirementssection with ≥ 6 requirement codes (GP-001...GP-006) coveringallowed-repos,min-integrity, and extension-point semantics. Done when: section exists with numbered RFC 2119 requirements./spdd-generate—scratchpad/guard-policies-specification.md: add## Sync Follow-upssection namingschemas/mcp-gateway-config.schema.jsonand the Go policy file as mandatory update targets after spec changes. Done when: both file paths are referenced with update steps./spdd-generate—specs/github-mcp-access-control-compliance/: create fixture filecombined-blocked-integrity.yamlcoveringP5_NotBlocked + P6_IntegrityMetevaluated simultaneously. Done when: YAML file exists,fixture_idis set, and compliance README table row is added./spdd-reasons-canvas—scratchpad/guard-policies-specification.md: add Safeguards (S) canvas section — what preventsallowed-repos: allfrom being a security bypass at runtime? Done when: ≥ 1 normative safeguard requirement is present./spdd-analysis—pkg/workflow/security_architecture_sg_formal_test.go: verify PM-11 (pre_activation membership validation) is covered byTestFormalSG04_LeastPrivilegeBasePermissionsor a dedicated test. Done when: test is confirmed or gap issue is opened./spdd-sync—scratchpad/github-mcp-access-control-specification.md: add or update## Sync Follow-upssection naming the Go implementation file and compliance README as sync targets when §4.5.3 predicate order changes. Done when: section present with both targets named./spdd-analysis—specs/security-architecture-spec.mdAppendix G: audit all 9 checklist items (action pinning, permission separation, fork protection, input sanitization, threat detection, RBAC, AWF sandbox, concurrency, runtime validation) against tests insecurity_architecture_sg_formal_test.go. Done when: coverage gap table added or confirmed complete./spdd-reasons-canvas—scratchpad/guard-policies-specification.md: add## Entitiessection definingGuardPolicy,GitHubGuardPolicy, andMCPServerConfigtypes with field descriptions. Done when: ≥ 3 type definitions are present with field tables.Per-Spec Findings
specs/security-architecture-spec.md — v1.0.0 Candidate Recommendation
REASONS Canvas
WorkflowStateand sub-types fully definedpre_activation→activation→agent→detection→safe_outputs→conclusionformally specifiedRisks: Appendix G lacks automated coverage. PM-11 (pre_activation membership, added 2026-07-06) test coverage unverified.
specs/security-architecture-spec-validation.md — validation report (July 6 2026)
Status: Overall passes. Recent additions (PM-11, optional conclusion job, Appendix D detection job) recorded as done in summary spec.
Gap: trusted-users runtime enforcement cross-referenced but no Go function or test named — traceability incomplete.
specs/security-architecture-spec-summary.md — summary (v1.0.0)
Status: Well-maintained; all spec maintenance tasks ✅. Formal model section added 2026-07-09.
Minor gap: Summary does not document which conformance level (Basic/Standard/Complete) each of the 15 formal tests satisfies.
scratchpad/github-mcp-access-control-specification.md — v1.1.0 Draft
REASONS Canvas
P5_NotBlockedplacement inconsistent between README and specRisk: 9 fixtures vs 14 test functions — combined-failure scenarios uncovered.
scratchpad/guard-policies-specification.md — v0.1.0 Draft
REASONS Canvas
Risk: Cannot write compliance tests without normative language. Needs significant SPDD work before leaving scratchpad.
Sync Follow-ups
guard-policies-specification.md→ updateschemas/mcp-gateway-config.schema.json.combined-blocked-integrity.yaml→ register in compliance README and link from §11.4 of access control spec.specs/security-architecture-spec-validation.mdwith verification date.P5_NotBlockedordering is resolved in access control spec → regenerateTestFormal_BlockedUserSafetyPropertyto match.Context
specs/security-architecture-spec-summary.md,specs/security-architecture-spec-validation.md,specs/security-architecture-spec.md,scratchpad/github-mcp-access-control-specification.md,scratchpad/guard-policies-specification.mdReferences: