Draft
SPDD 2026-07-12: implement intent/authz enforcement, compliance fixtures, OTel Level 1 tests, and P2 spec hardening#45106
Conversation
10 tasks
…xtures, and T-OT tests Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… OTel safeguards, replace-label concurrent norm and fixture Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…er deconfliction in replace-label spec Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Wire Authorizer.AuthorizeTool into execution path for spec compliance
SPDD 2026-07-12: implement intent/authz enforcement, compliance fixtures, OTel Level 1 tests, and P2 spec hardening
Jul 12, 2026
Contributor
🤖 PR Triage
Large SPDD: intent/authz enforcement, compliance fixtures, OTel L1 tests, P2 spec hardening. 14 files, +2049/-35. Draft, CI unknown. High risk due to security/authz critical path. OTel content assigned to
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses the SPDD daily plan covering 5 spec files (rotation indices 5–9). The critical P0 gap:
AuthorizeToolpolicy enforcement was entirely unwired — all compiled policy constraints were advisory-only. P1 closes three missing compliance fixture gaps and converts 7 OTel Level 1 test stubs to passing tests. P2 consolidates scattered struct docs, adds structured safeguards, and normalizes concurrent-conflict behavior in the replace-label spec.P0 — Intent authorization enforcement (
pkg/intent/authz/)New
Authorizertype wired behind aFeatureEnabledfeature flag (false = advisory for rollout safety):Also added
PolicyCompiler.Compile()topkg/intent/policy.go(was stub/advisory-only) with more-restrictive-wins merge semantics:DeniedToolsunion,AllowedToolsintersection preserving nil vs empty distinction,HumanApprovalOR,MaxAttemptsmin,WriteScope/Autonomymost restrictive. Unlinked and ambiguous PRs always producesafestDefaultPolicy()(propose-only, no writes, human approval required).P1 — Compliance fixtures and OTel Level 1 tests
Three new intent-attribution compliance fixtures (
specs/intent-attribution-compliance/), each with a dynamic Go test runner inpkg/intent/compliance_fixture_test.go:explicit-intent-wins.yaml— explicitExplicitIntentmetadata →source: explicit_metadataambiguous-root-closing-issues.yaml— two distinct closing issues →status: ambiguousunlinked-pr-fail-closed.yaml— unlinked PR →propose_only,write_scope: none,human_approval_required: trueT-OT-001–007 converted from stubs to passing tests in
pkg/workflow/otel_observability_formal_test.gocovering: HTTPS endpoint emission, if-missing modes, multi-endpoint ordering, OTLP POST semantics, trace context injection (TRACEPARENT),/tmp/gh-aw/otel.jsonlmirror path, and header CSV format.P2 — Spec hardening
specs/intent-attribution-agent-governance.md## Entitiessection with normalized prose tables for all six Go structs (IntentRecord,ExecutionPolicy,PolicyRule,PolicyCondition,PolicyDecision,OutcomeRecord,EvidenceRecord) — previously only in scattered code blocks.github/intent-policy.jsondoes not exist in this repo (onlyobjective-mapping.jsondoes) with a concrete 5-item migration checklistAuthorizeToolimplementation audit table updated from "Not wired" → "Wired (behind FeatureEnabled flag)" forAllowedTools,DeniedTools,WriteScope,HumanApprovalRequired,MaxAttempts; removed advisory-only risk notespecs/otel-observability-spec.md§15.5 Safeguardswith three normative sub-sections each carrying testable acceptance criteria: OTLP export retry rate limits (max 3 retries, 30 s cap), PII scrubbing requirements (email, GitHub tokens, bearer headers), and cardinality budget enforcement (low-cardinality span names, 128-attribute cap, 2 KB value truncation)§17.1.1heading updated from "Test ID Stubs" to "Level 1 Compliance Tests"; addedStatus: Implementedcolumnspecs/replace-label-spec.md§5.9 Concurrent-Conflict Handlingwith four RFC 2119 requirements (RL-057–060): warning log on unexpected label set after successful PUT, no silent re-PUT after success, fail-closed on HTTP 422 with no auto-retry, SHOULD log before/after label statespecs/replace-label-compliance/rl-004-concurrent-conflict.yamlwith three scenarios: unexpected labels on success, no-retry enforcement, HTTP 422 fail-closedREADME.mdfixture table updated with rl-004 row (RL-057–060)