@thedecipherist/mdd 1.6.9 → 1.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/commands/mdd-audit.md +6 -4
  2. package/package.json +1 -1
package/commands/mdd-audit.md CHANGED
@@ -113,6 +113,7 @@ Main writes a shard file and config file for each agent into the job folder **be
113
113
 
114
114
  ## Integration Contracts
115
115
  <!-- What each security/shared feature requires ALL callers to implement -->
116
+ <!-- "Caller source files" = look up each caller_feature name in "Feature Source Files" above and list those files -->
116
117
  ### <feature-name>
117
118
  - Contract: <description of what caller must call/implement>
118
119
  Caller features: <featureA>, <featureB>
@@ -153,7 +154,7 @@ Integration context: .mdd/jobs/audit-<date>/integration-context.md
153
154
  - `eval()` used anywhere — only `vm.runInNewContext` is permitted
154
155
  - Cloud metadata endpoints (169.254.169.254, 169.254.170.2, fd00:ec2::254, metadata.google.internal) reachable without block
155
156
  - Secrets, API keys, or credentials hardcoded in source
156
- - Security enforcement function exists in a dependency but is NOT called at this call site — check `integration-context.md` under "Integration Contracts" for the contract that applies to this file's feature, then verify the required call is present in this file
157
+ - Security enforcement function required by a dependency contract is absent from this filetwo-step check: (1) find this file under "Feature Source Files" in `integration-context.md` to identify its owning feature; (2) scan "Integration Contracts" for any contract where this file's owning feature appears under "Caller features" those are contracts this file must satisfy. Verify each required call is present.
157
158
  - "Immutable" rule arrays exported as plain mutable arrays — not `Object.freeze()` + `readonly`
158
159
  - Untrusted MCP/API/CLI input used without validation or sanitization
159
160
  - Data cached or stored without masking applied first
@@ -190,7 +191,7 @@ Integration context: .mdd/jobs/audit-<date>/integration-context.md
190
191
  2. Read shard-<N>.md to know your file list
191
192
  3. Read MANIFEST.md — find the first [ ] entry in Shard <N>
192
193
  4. Read the last 20 lines of agent-<N>-notes.md for continuity
193
- 5. Read integration-context.md — load this into working memory. Use it when checking P1 (integration contract not called at call site): cross-reference the source file's feature against the contracts defined for its dependencies.
194
+ 5. Read integration-context.md — load this into working memory. Use it when checking P1: (a) find this file under "Feature Source Files" to identify its owning feature; (b) scan "Integration Contracts" for any entry where that feature appears under "Caller features" — those are the contracts this file must satisfy.
194
195
  6. Begin the per-file loop at that first [ ] entry
195
196
  ```
196
197
 
@@ -297,12 +298,13 @@ This step runs independently of agent findings. It uses `integration-context.md`
297
298
 
298
299
  For each contract in `integration-context.md`:
299
300
  1. Identify all source files listed under "Caller source files" for that contract
300
- 2. For each such source file, find its `## <filepath>` entry in `audits/notes-<date>.md` and read the `Contracts:` line:
301
+ 2. For each such source file, check the job folder's `MANIFEST.md` for that file's status — the permanent copy at `audits/MANIFEST-<date>.md` does not exist yet at this stage (it is written after Phase A6 completes). If the file is marked `[e]`, skip contract verification for it and note in the Contract Violations section: "Could not verify — file was unreadable during audit."
302
+ 3. For files not marked `[e]`, find the file's `## <filepath>` entry in `audits/notes-<date>.md` and read the `Contracts:` line:
301
303
  - `SATISFIED` — agent confirmed the call is present. No action.
302
304
  - `VIOLATION` — agent flagged it. Include as P1 in Contract Violations section.
303
305
  - `(none)` written but this file IS a caller per integration-context.md — agent made an error. **Re-read that source file now** and check independently.
304
306
  - `Contracts:` line is missing entirely — agent ran before this version of the workflow. **Re-read that source file now** and check independently.
305
- 3. Report each confirmed gap as P1. Note whether it was caught by the agent or discovered by Phase A6.
307
+ 4. Report each confirmed gap as P1. Note whether it was caught by the agent or discovered by Phase A6.
306
308
 
307
309
  Additionally read all `.mdd/docs/*.md` to catch any cases the Phase A1 doc cross-check might have missed (e.g., docs added after Phase A1 ran, or pending contracts that weren't flagged):
308
310
  - Any `satisfies_contracts` with `status: pending` not already in doc-findings = P1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@thedecipherist/mdd",
3
- "version": "1.6.9",
3
+ "version": "1.6.11",
4
4
  "description": "MDD — Manual-Driven Development workflow for Claude Code",
5
5
  "type": "module",
6
6
  "bin": {