@delegance/claude-autopilot 7.4.0 → 7.4.3

package/CHANGELOG.md

@@ -2,6 +2,143 @@
 
 - v5.6 Phase 7 (docs reconciliation) — pending.
 
+## 7.4.3 (2026-05-11)
+
+**v7.4.3 — FastAPI scaffold respects spec-derived package name.**
+Patch release. Real-package end-to-end test on v7.4.2 surfaced
+this regression: the v7.4.0 Python/FastAPI scaffolder always used
+`basename(cwd)` for the package directory and ignored spec-listed
+`src/<pkg>/main.py` paths. Result: scaffolding a spec that listed
+`src/fastapi_test/main.py` from a directory called `v742-fastapi`
+produced TWO competing trees:
+
+* `src/v742_fastapi/` — auto-generated FastAPI app (correct
+  content, wrong location)
+* `src/fastapi_test/main.py` — empty placeholder from the spec's
+  bullet (right location, no content)
+
+`pyproject.toml`'s `[project.scripts]` pointed at the
+auto-generated tree (`v742_fastapi.main:run`) — the spec's intent
+was clearly the named package.
+
+**Fix:** new `packageNameFromSpec(parsed)` extracts the package
+name from the first `src/<pkg>/<*>.py` entry in the spec's
+`## Files` section. Falls back to the cwd-derived default only
+when the spec doesn't list any `src/<pkg>/` path.
+
+8 new tests in `tests/scaffold-python.test.ts` cover:
+* extraction from `src/<pkg>/main.py` (the conventional case)
+* extraction from `src/<pkg>/<other>.py`
+* null when no `src/<pkg>/<*>.py` listed
+* null for non-`src/` paths
+* first-match-wins on multiple `src/<pkg>/` entries
+* rejects invalid Python identifier characters in the path
+* the exact regression case (`src/fastapi_test/main.py` from
+  cwd `v742-fastapi`)
+* fallback to cwd basename when spec has no `src/<pkg>/`
+
+Plus 2 end-to-end tests verifying:
+* scaffold from `cwd=v742-real` + `src/intentional_pkg/main.py`
+  spec → SINGLE `src/intentional_pkg/` directory (no competing
+  tree); `pyproject.toml` consistent throughout
+* scaffold from `cwd=myapp` + spec without `src/<pkg>/` → still
+  uses `src/myapp/` (preserves v7.4.0 default behavior)
+
+1597 → 1606 CLI tests (+9). tsc clean. build clean.
+
+## 7.4.2 (2026-05-11)
+
+**v7.4.2 — risk-tiered codex pass policy in autopilot skill.**
+Docs-only PR. Codifies finding N2 from the v7.4.1 codex strategic
+review into `skills/autopilot/SKILL.md`.
+
+**New policy table** in the skill:
+
+| Spec risk | # of codex passes |
+|---|---|
+| **Low** (CLI UX, doc-only, scaffolding, CI tweaks) | 1 |
+| **Medium** (new exec modes, auth, billing, data-access, env vars, API contracts) | 2 |
+| **High** (sandboxing, multi-tenancy, auto-merge, repo-mutation, secrets, RPC/SECURITY DEFINER) | 3 + external review |
+
+**Convention:** spec docs declare `risk: low | medium | high` in
+frontmatter. Omitted defaults to **medium** (safer than defaulting
+to low).
+
+**v7.x examples** included in the skill text:
+* v7.1.7 (low) — 1 pass, 0 CRITICALs in practice.
+* v7.4.0 (low) — 1 pass, 2 CRITICALs caught pre-impl.
+* v7.0 Phase 6 (high) — 3 passes, would have shipped credential-
+  exfiltration vector C3 without all three.
+* v8.0 spec (high) — 2 passes done, needs 3rd before v8 alpha.
+
+No code change. Bumping to 7.4.2.
+
+## 7.4.1 (2026-05-11)
+
+**v7.4.1 — strategic pivot doc from codex 5.5 review.** Docs-only
+PR. Records the decision to pause v8 daemon implementation pending
+customer discovery, plus 8 other findings from the codex strategic
+review of full project state on 2026-05-11.
+
+**Key outcome:** "ship v8 daemon" is NOT the next milestone. The CLI
+chat-session loop is the validated asset; v8 is unvalidated. New
+priority order: (1) customer discovery sprint, (2) hosted beta
+readiness slice (operational), (3) org-tier revocation completion,
+(4) risk-tiered codex pass policy in the autopilot skill.
+
+**Process changes adopted:**
+
+* **Risk-tiered codex passes** (1 for low-risk CLI UX, 2 for new
+  exec/auth/billing/data-access modes, 3 for sandboxing /
+  multi-tenancy / repo-mutation).
+* **Strategic codex review every ~10 PRs** (separate from per-spec
+  passes — catches "ship more without validating demand" trap).
+* **Bounded benchmark suite gate** (4 repo shapes only, run
+  pre-release + after major workflow changes — already in v8 spec).
+
+**v8 IF customer discovery validates demand:** local-only alpha
+first (per W5 of codex review). NO hosted workers, NO billing, NO
+auto-merge until alpha demand is proven.
+
+Full doc at `docs/strategy/2026-05-11-codex-pivot.md`.
+
+## 7.4.0 (2026-05-11)
+
+**v7.4.0 — scaffold per-stack support (Python + FastAPI).** Closes
+the v7.1.6/v7.1.8 benchmark caveat ("n=1, Node 22 ESM only —
+Python/Rust/Go remain v8 follow-ups") and gates v8 spec
+stabilization criteria #2 (4-repo benchmark suite).
+
+* **Stack detection precedence** (codex C1): explicit `--stack` >
+  FastAPI > Python > Node > detected-but-unsupported > Node fallback.
+  FastAPI checked BEFORE Python so FastAPI specs that include
+  `pyproject.toml` aren't mis-classified.
+* **FastAPI scaffold completeness** (codex C2): generates a runnable
+  `src/<package>/main.py` with `app = FastAPI()`, `/health` route,
+  `run()` function, plus `tests/test_main.py` (otherwise the
+  `[project.scripts]` entry was dangling).
+* **Name normalization** (codex W1): PEP 503 distribution name +
+  valid Python identifier package name. `my-pkg-2` → distribution
+  `my-pkg-2`, package `my_pkg_2`. Hatchling explicit `packages`
+  config always present.
+* **Detected-but-unsupported** (codex W2): Go/Rust/Ruby specs →
+  exit 3 with diagnostic, NOT silent fallback to Node.
+* **Polyglot guard** (codex W3): specs listing both `package.json`
+  AND `pyproject.toml` without `--stack` → exit 3.
+* **Narrow dep extraction** (codex W6): 3 patterns only, no inferred
+  versions, dedup by PEP 503 normalized name. FastAPI auto-includes
+  `fastapi>=0.110` + `uvicorn[standard]>=0.27`.
+* **Module split**: `scaffold.ts` is now the dispatcher;
+  per-stack scaffolders live under
+  `src/cli/scaffold/{node,python,types}.ts`.
+* **New flags**: `--stack <node|python|fastapi>`, `--list-stacks`.
+* **Integration test** (codex N3): scaffolds FastAPI + creates
+  isolated venv (handles PEP 668) + `pip install -e .` + import-
+  app. Skipped cleanly when `python3` unavailable.
+
+1563 → 1597 CLI tests; tsc clean; build clean. PR #155 spec +
+#156 impl. Version 7.3.0 → 7.4.0.
+
 ## 7.3.0 (2026-05-10)
 
 **v7.3.0 — library export surface for v8 daemon.** Minor bump

package/dist/src/cli/scaffold/python.d.ts

@@ -1,4 +1,4 @@
-import type { ScaffoldResult, ScaffoldRunContext } from './types.ts';
+import type { ParsedFiles, ScaffoldResult, ScaffoldRunContext } from './types.ts';
 /**
  * PEP 503 distribution-name normalization, restricted to what we need
  * here. Lowercase, runs of `[._-]+` collapse to a single `-`, leading +
@@ -65,6 +65,16 @@ export declare function buildFastapiTest(packageName: string): string;
  * not listed in `## Files` — without them the generated pyproject.toml
  * is invalid (missing package dir) or has dead config (no tests).
  */
+/**
+ * Extract the Python package name from a spec's `## Files` paths if the
+ * spec lists a `src/<pkg>/<*>.py` entry. Returns null if no spec-derived
+ * package name is present — caller falls back to the cwd-derived default.
+ *
+ * v7.4.3 hotfix — the v7.4.0 scaffolder always used basename(cwd) and
+ * ignored spec-listed src/<pkg>/ paths, producing two competing trees
+ * (one auto-generated, one empty placeholder from the spec).
+ */
+export declare function packageNameFromSpec(parsed: ParsedFiles): string | null;
 export declare function scaffoldPython(ctx: ScaffoldRunContext, opts: {
     isFastapi: boolean;
 }): Promise<ScaffoldResult>;

package/dist/src/cli/scaffold/python.js

@@ -206,11 +206,30 @@ pytest
  * not listed in `## Files` — without them the generated pyproject.toml
  * is invalid (missing package dir) or has dead config (no tests).
  */
+/**
+ * Extract the Python package name from a spec's `## Files` paths if the
+ * spec lists a `src/<pkg>/<*>.py` entry. Returns null if no spec-derived
+ * package name is present — caller falls back to the cwd-derived default.
+ *
+ * v7.4.3 hotfix — the v7.4.0 scaffolder always used basename(cwd) and
+ * ignored spec-listed src/<pkg>/ paths, producing two competing trees
+ * (one auto-generated, one empty placeholder from the spec).
+ */
+export function packageNameFromSpec(parsed) {
+    for (const p of parsed.paths) {
+        const m = /^src\/([a-zA-Z_][a-zA-Z0-9_]*)\/[^/]+\.py$/.exec(p);
+        if (m && m[1])
+            return m[1];
+    }
+    return null;
+}
 export async function scaffoldPython(ctx, opts) {
     const { cwd, parsed, dryRun } = ctx;
     const { isFastapi } = opts;
+    // v7.4.3: prefer spec-derived package name; fall back to cwd basename.
+    const specPackage = packageNameFromSpec(parsed);
     const distributionName = normalizeDistributionName(path.basename(cwd));
-    const packageName = packageNameFromDistribution(distributionName);
+    const packageName = specPackage ?? packageNameFromDistribution(distributionName);
     const filesCreated = [];
     const filesSkippedExisting = [];
     const dirsCreated = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "7.4.0",
+  "version": "7.4.3",
   "type": "module",
   "publishConfig": {
     "tag": "next"

package/skills/autopilot/SKILL.md

@@ -25,6 +25,58 @@ The ONLY time you stop is if a step **fails and cannot be recovered**. Otherwise
 
 Brief status lines like `[autopilot] Step 3: Executing plan...` are fine. Full summaries, questions, or check-ins are not.
 
+## Codex pass policy (risk-tiered)
+
+> Adopted from the v7.4.1 strategic review (see
+> `docs/strategy/2026-05-11-codex-pivot.md`, codex finding N2).
+>
+> The v8 spec pass-2 finding 3 CRITICALs the original spec missed
+> (especially sandbox / credential exfiltration) was concrete evidence
+> that 1 codex pass is insufficient for security-sensitive architecture.
+> But running 3 passes on every CLI polish spec adds latency without
+> proportional value.
+
+**Tier the spec by risk; pass count follows.**
+
+| Spec risk | Triggers | # of codex passes |
+|---|---|---|
+| **Low** | CLI UX changes, doc-only PRs, scaffolding extensions, config polish, CI workflow tweaks | **1 pass** (this skill's existing pattern — codex on the committed spec) |
+| **Medium** | New execution modes, auth changes, billing flows, data-access patterns, new env vars, API contracts | **2 passes** (1 on the draft spec, 1 on the merged spec after edits) |
+| **High** | Sandboxing, multi-tenancy, auto-merge, anything that mutates user repos, new secrets-handling, RPC/SECURITY DEFINER changes | **3 passes** + external review (1 draft, 1 post-edit, 1 on the impl PR diff) |
+
+**How to apply.** Spec docs declare risk in their frontmatter:
+
+```markdown
+---
+title: <topic>
+risk: low | medium | high
+---
+```
+
+If the spec's `risk:` is omitted, default to **medium** (safer than
+defaulting to low; matches the v8 spec pattern where pass-1 was
+clearly insufficient).
+
+The brainstorming skill's per-step codex pass (approach selection,
+architecture, components, error handling, implementation prep) is
+ALWAYS run — it's how we get a draft spec good enough to merge.
+This tier policy applies to the **post-brainstorm** passes and to
+the codex PR review at Step 7 below.
+
+**Examples from v7.x:**
+
+* v7.1.7 (setup polish — CLAUDE.md scaffold + .gitignore + dedup): low.
+  1 pass on the committed spec. Caught zero CRITICALs in practice.
+* v7.4.0 (Python/FastAPI scaffold extension): low. 1 pass. Found
+  2 CRITICALs (FastAPI precedence, dangling entrypoint) — both
+  fixed pre-impl, no PR-pass surprises.
+* v7.0 Phase 6 (engine-off removal + middleware revocation): high.
+  3 passes (spec, post-edit, PR diff). Each pass surfaced new
+  trust-boundary issues; without all three the launch would have
+  shipped with the credential-exfiltration vector C3.
+* v8.0 spec (standalone daemon): high. 2 passes so far + needs a
+  3rd before any v8 alpha implementation.
+
 ## Pipeline
 
 Execute these steps in order. Do NOT pause between steps unless a step fails.