Skip to content

SPDD 2026-07-12: implement intent/authz enforcement, compliance fixtures, OTel Level 1 tests, and P2 spec hardening#45106

Draft
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/spdd-daily-spec-work-plan-2026-07-12
Draft

SPDD 2026-07-12: implement intent/authz enforcement, compliance fixtures, OTel Level 1 tests, and P2 spec hardening#45106
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/spdd-daily-spec-work-plan-2026-07-12

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Addresses the SPDD daily plan covering 5 spec files (rotation indices 5–9). The critical P0 gap: AuthorizeTool policy enforcement was entirely unwired — all compiled policy constraints were advisory-only. P1 closes three missing compliance fixture gaps and converts 7 OTel Level 1 test stubs to passing tests. P2 consolidates scattered struct docs, adds structured safeguards, and normalizes concurrent-conflict behavior in the replace-label spec.

P0 — Intent authorization enforcement (pkg/intent/authz/)

New Authorizer type wired behind a FeatureEnabled feature flag (false = advisory for rollout safety):

a := authz.Authorizer{FeatureEnabled: true}

// DeniedTools checked first; AllowedTools nil=unrestricted, []string{}=deny-all
if err := a.AuthorizeTool(policy, toolName); err != nil { /* block */ }

// Scope ordering: none < feature_branch < any_branch
if err := a.AuthorizeWriteScope(policy, requestedScope); err != nil { /* block */ }

// Human approval gate and attempt cap
a.CheckHumanApproval(policy)
a.CheckAttemptLimit(policy, currentAttempts)

Also added PolicyCompiler.Compile() to pkg/intent/policy.go (was stub/advisory-only) with more-restrictive-wins merge semantics: DeniedTools union, AllowedTools intersection preserving nil vs empty distinction, HumanApproval OR, MaxAttempts min, WriteScope/Autonomy most restrictive. Unlinked and ambiguous PRs always produce safestDefaultPolicy() (propose-only, no writes, human approval required).

P1 — Compliance fixtures and OTel Level 1 tests

Three new intent-attribution compliance fixtures (specs/intent-attribution-compliance/), each with a dynamic Go test runner in pkg/intent/compliance_fixture_test.go:

  • explicit-intent-wins.yaml — explicit ExplicitIntent metadata → source: explicit_metadata
  • ambiguous-root-closing-issues.yaml — two distinct closing issues → status: ambiguous
  • unlinked-pr-fail-closed.yaml — unlinked PR → propose_only, write_scope: none, human_approval_required: true

T-OT-001–007 converted from stubs to passing tests in pkg/workflow/otel_observability_formal_test.go covering: HTTPS endpoint emission, if-missing modes, multi-endpoint ordering, OTLP POST semantics, trace context injection (TRACEPARENT), /tmp/gh-aw/otel.jsonl mirror path, and header CSV format.

P2 — Spec hardening

specs/intent-attribution-agent-governance.md

  • Added ## Entities section with normalized prose tables for all six Go structs (IntentRecord, ExecutionPolicy, PolicyRule, PolicyCondition, PolicyDecision, OutcomeRecord, EvidenceRecord) — previously only in scattered code blocks
  • Sync Notes now records that .github/intent-policy.json does not exist in this repo (only objective-mapping.json does) with a concrete 5-item migration checklist
  • AuthorizeTool implementation audit table updated from "Not wired" → "Wired (behind FeatureEnabled flag)" for AllowedTools, DeniedTools, WriteScope, HumanApprovalRequired, MaxAttempts; removed advisory-only risk note

specs/otel-observability-spec.md

  • Added §15.5 Safeguards with three normative sub-sections each carrying testable acceptance criteria: OTLP export retry rate limits (max 3 retries, 30 s cap), PII scrubbing requirements (email, GitHub tokens, bearer headers), and cardinality budget enforcement (low-cardinality span names, 128-attribute cap, 2 KB value truncation)
  • §17.1.1 heading updated from "Test ID Stubs" to "Level 1 Compliance Tests"; added Status: Implemented column

specs/replace-label-spec.md

  • Added §5.9 Concurrent-Conflict Handling with four RFC 2119 requirements (RL-057–060): warning log on unexpected label set after successful PUT, no silent re-PUT after success, fail-closed on HTTP 422 with no auto-retry, SHOULD log before/after label state

specs/replace-label-compliance/

  • New rl-004-concurrent-conflict.yaml with three scenarios: unexpected labels on success, no-retry enforcement, HTTP 422 fail-closed
  • README.md fixture table updated with rl-004 row (RL-057–060)

Copilot AI linked an issue Jul 12, 2026 that may be closed by this pull request
10 tasks
Copilot AI and others added 3 commits July 12, 2026 16:38
…xtures, and T-OT tests

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… OTel safeguards, replace-label concurrent norm and fixture

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…er deconfliction in replace-label spec

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Wire Authorizer.AuthorizeTool into execution path for spec compliance SPDD 2026-07-12: implement intent/authz enforcement, compliance fixtures, OTel Level 1 tests, and P2 spec hardening Jul 12, 2026
Copilot AI requested a review from pelikhan July 12, 2026 16:57
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category feature
Risk high
Priority Score 85/100
Score Breakdown impact: 45, urgency: 25, quality: 15
Action fast_track
OTel @mnkeifer — contains OTel Level 1 tests

Large SPDD: intent/authz enforcement, compliance fixtures, OTel L1 tests, P2 spec hardening. 14 files, +2049/-35. Draft, CI unknown. High risk due to security/authz critical path. OTel content assigned to @mnkeifer.

Generated by 🔧 PR Triage Agent · 142.9 AIC · ⌖ 7.2 AIC · ⊞ 5.6K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[spdd] Daily spec work plan - 2026-07-12

2 participants