gsdd-cli 0.18.5 → 0.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -21
- package/README.md +609 -608
- package/agents/DISTILLATION.md +421 -421
- package/agents/README.md +62 -62
- package/agents/approach-explorer.md +361 -361
- package/agents/debugger.md +82 -82
- package/agents/executor.md +394 -394
- package/agents/integration-checker.md +318 -318
- package/agents/mapper.md +103 -103
- package/agents/planner.md +313 -313
- package/agents/researcher.md +84 -84
- package/agents/roadmapper.md +296 -296
- package/agents/synthesizer.md +236 -236
- package/agents/verifier.md +337 -337
- package/bin/adapters/agents.mjs +34 -34
- package/bin/adapters/claude.mjs +191 -191
- package/bin/adapters/codex.mjs +85 -85
- package/bin/adapters/index.mjs +20 -20
- package/bin/adapters/opencode.mjs +278 -278
- package/bin/gsdd.mjs +123 -116
- package/bin/lib/cli-utils.mjs +28 -28
- package/bin/lib/evidence-contract.mjs +112 -112
- package/bin/lib/file-ops.mjs +186 -144
- package/bin/lib/health-truth.mjs +181 -178
- package/bin/lib/health.mjs +246 -226
- package/bin/lib/init-flow.mjs +247 -231
- package/bin/lib/init-prompts.mjs +248 -247
- package/bin/lib/init-runtime.mjs +191 -190
- package/bin/lib/init.mjs +17 -17
- package/bin/lib/lifecycle-preflight.mjs +347 -325
- package/bin/lib/lifecycle-state.mjs +351 -267
- package/bin/lib/manifest.mjs +116 -114
- package/bin/lib/models.mjs +411 -411
- package/bin/lib/phase.mjs +360 -358
- package/bin/lib/plan-constants.mjs +30 -30
- package/bin/lib/provenance.mjs +109 -106
- package/bin/lib/rendering.mjs +115 -83
- package/bin/lib/runtime-freshness.mjs +214 -214
- package/bin/lib/templates.mjs +225 -224
- package/bin/lib/workspace-root.mjs +2 -1
- package/distilled/DESIGN.md +2333 -2323
- package/distilled/EVIDENCE-INDEX.md +394 -392
- package/distilled/README.md +196 -193
- package/distilled/SKILL.md +86 -85
- package/distilled/templates/agents.block.md +21 -21
- package/distilled/templates/agents.md +6 -6
- package/distilled/templates/approach.md +232 -232
- package/distilled/templates/auth-matrix.md +78 -78
- package/distilled/templates/brownfield-change/CHANGE.md +99 -0
- package/distilled/templates/brownfield-change/HANDOFF.md +38 -0
- package/distilled/templates/brownfield-change/VERIFICATION.md +56 -0
- package/distilled/templates/codebase/architecture.md +110 -110
- package/distilled/templates/codebase/concerns.md +95 -95
- package/distilled/templates/codebase/conventions.md +193 -193
- package/distilled/templates/codebase/stack.md +96 -96
- package/distilled/templates/delegates/approach-explorer.md +25 -25
- package/distilled/templates/delegates/mapper-arch.md +26 -26
- package/distilled/templates/delegates/mapper-concerns.md +27 -27
- package/distilled/templates/delegates/mapper-quality.md +28 -28
- package/distilled/templates/delegates/mapper-tech.md +25 -25
- package/distilled/templates/delegates/plan-checker.md +68 -68
- package/distilled/templates/delegates/researcher-architecture.md +30 -30
- package/distilled/templates/delegates/researcher-features.md +30 -30
- package/distilled/templates/delegates/researcher-pitfalls.md +30 -30
- package/distilled/templates/delegates/researcher-stack.md +30 -30
- package/distilled/templates/delegates/researcher-synthesizer.md +31 -31
- package/distilled/templates/research/architecture.md +57 -57
- package/distilled/templates/research/features.md +23 -23
- package/distilled/templates/research/pitfalls.md +46 -46
- package/distilled/templates/research/stack.md +45 -45
- package/distilled/templates/research/summary.md +67 -67
- package/distilled/templates/roadmap.md +74 -62
- package/distilled/templates/spec.md +110 -110
- package/distilled/workflows/audit-milestone.md +275 -271
- package/distilled/workflows/complete-milestone.md +336 -332
- package/distilled/workflows/execute.md +454 -449
- package/distilled/workflows/map-codebase.md +253 -253
- package/distilled/workflows/new-milestone.md +242 -238
- package/distilled/workflows/new-project.md +398 -398
- package/distilled/workflows/pause.md +160 -156
- package/distilled/workflows/plan-milestone-gaps.md +183 -183
- package/distilled/workflows/plan.md +451 -447
- package/distilled/workflows/progress.md +227 -223
- package/distilled/workflows/quick.md +351 -347
- package/distilled/workflows/resume.md +220 -212
- package/distilled/workflows/verify-work.md +260 -260
- package/distilled/workflows/verify.md +431 -429
- package/docs/BROWNFIELD-PROOF.md +95 -95
- package/docs/RUNTIME-SUPPORT.md +80 -69
- package/docs/USER-GUIDE.md +394 -386
- package/docs/VERIFICATION-DISCIPLINE.md +59 -59
- package/docs/claude/context-monitor.md +98 -98
- package/docs/proof/consumer-node-cli/README.md +37 -37
- package/docs/proof/consumer-node-cli/ROADMAP.md +14 -14
- package/docs/proof/consumer-node-cli/SPEC.md +17 -17
- package/docs/proof/consumer-node-cli/brief.md +9 -9
- package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-PLAN.md +34 -34
- package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-SUMMARY.md +10 -10
- package/docs/proof/consumer-node-cli/phases/01-foundation/01-VERIFICATION.md +30 -30
- package/package.json +62 -61
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
# AGENTS.md - GSDD Governance
|
|
2
|
-
|
|
3
|
-
<!-- BEGIN GSDD -->
|
|
4
|
-
{{GSDD_BLOCK}}
|
|
5
|
-
<!-- END GSDD -->
|
|
6
|
-
|
|
1
|
+
# AGENTS.md - GSDD Governance
|
|
2
|
+
|
|
3
|
+
<!-- BEGIN GSDD -->
|
|
4
|
+
{{GSDD_BLOCK}}
|
|
5
|
+
<!-- END GSDD -->
|
|
6
|
+
|
|
@@ -1,232 +1,232 @@
|
|
|
1
|
-
# Phase Approach Template
|
|
2
|
-
|
|
3
|
-
Template for `.planning/phases/XX-name/{phase_num}-APPROACH.md` — captures implementation decisions and validated assumptions for a phase.
|
|
4
|
-
|
|
5
|
-
**Purpose:** Document decisions that downstream agents need. Planner uses this to know WHAT choices are locked vs flexible. Plan-checker verifies plans honor these decisions.
|
|
6
|
-
|
|
7
|
-
**Key principle:** The top-level structure (`<domain>`, `<decisions>`, `<assumptions>`, `<deferred>`) is fixed. Section names WITHIN `<decisions>` emerge from what was actually discussed for THIS phase — a CLI phase has CLI-relevant sections, a UI phase has UI-relevant sections.
|
|
8
|
-
|
|
9
|
-
**Downstream consumers:**
|
|
10
|
-
- `planner` — Reads decisions to constrain implementation choices. Locked decisions must be implemented. Agent's Discretion items allow planner flexibility.
|
|
11
|
-
- `plan-checker` — Reads decisions to verify plans implement chosen approaches (approach_alignment dimension). Flags plans that contradict explicit user choices.
|
|
12
|
-
|
|
13
|
-
---
|
|
14
|
-
|
|
15
|
-
## File Template
|
|
16
|
-
|
|
17
|
-
```markdown
|
|
18
|
-
# Phase [X]: [Name] - Approach
|
|
19
|
-
|
|
20
|
-
**Explored:** [date]
|
|
21
|
-
**Status:** Ready for planning
|
|
22
|
-
|
|
23
|
-
<domain>
|
|
24
|
-
## Phase Boundary
|
|
25
|
-
|
|
26
|
-
[Clear statement of what this phase delivers — the scope anchor. This comes from ROADMAP.md and is fixed. Discussion clarifies implementation within this boundary.]
|
|
27
|
-
|
|
28
|
-
</domain>
|
|
29
|
-
|
|
30
|
-
<decisions>
|
|
31
|
-
## Implementation Decisions
|
|
32
|
-
|
|
33
|
-
### [Gray Area 1 that was discussed]
|
|
34
|
-
**Chosen approach:** [name]
|
|
35
|
-
**Alternatives considered:** [Option B], [Option C]
|
|
36
|
-
**Why this one:** [reasoning from research + user preference]
|
|
37
|
-
- [Specific decision from questioning]
|
|
38
|
-
- [Another decision if applicable]
|
|
39
|
-
|
|
40
|
-
### [Gray Area 2 that was discussed]
|
|
41
|
-
**Chosen approach:** [name]
|
|
42
|
-
**Alternatives considered:** [Option B]
|
|
43
|
-
**Why this one:** [reasoning]
|
|
44
|
-
- [Specific decision]
|
|
45
|
-
|
|
46
|
-
### Agent's Discretion
|
|
47
|
-
[Areas where user explicitly said "you decide" — the agent has flexibility here during planning/implementation]
|
|
48
|
-
|
|
49
|
-
</decisions>
|
|
50
|
-
|
|
51
|
-
<assumptions>
|
|
52
|
-
## Validated Assumptions
|
|
53
|
-
|
|
54
|
-
### Confirmed
|
|
55
|
-
- [confident] [assumption confirmed by user]
|
|
56
|
-
|
|
57
|
-
### Accepted (not challenged)
|
|
58
|
-
- [assuming] [assumption user didn't challenge — planner should still honor but note it]
|
|
59
|
-
|
|
60
|
-
### Corrected
|
|
61
|
-
- [corrected] [original assumption] → [user's correction]
|
|
62
|
-
|
|
63
|
-
</assumptions>
|
|
64
|
-
|
|
65
|
-
<deferred>
|
|
66
|
-
## Deferred Ideas
|
|
67
|
-
|
|
68
|
-
[Ideas that came up during discussion but belong in other phases. Captured here so they're not lost, but explicitly out of scope for this phase.]
|
|
69
|
-
|
|
70
|
-
[If none: "None — discussion stayed within phase scope"]
|
|
71
|
-
|
|
72
|
-
</deferred>
|
|
73
|
-
|
|
74
|
-
---
|
|
75
|
-
|
|
76
|
-
*Phase: XX-name*
|
|
77
|
-
*Approach explored: [date]*
|
|
78
|
-
```
|
|
79
|
-
|
|
80
|
-
## Good Examples
|
|
81
|
-
|
|
82
|
-
**Example 1: Visual feature (Dashboard)**
|
|
83
|
-
|
|
84
|
-
```markdown
|
|
85
|
-
# Phase 3: Interactive Dashboard - Approach
|
|
86
|
-
|
|
87
|
-
**Explored:** 2026-03-22
|
|
88
|
-
**Status:** Ready for planning
|
|
89
|
-
|
|
90
|
-
<domain>
|
|
91
|
-
## Phase Boundary
|
|
92
|
-
|
|
93
|
-
Build an interactive dashboard with configurable widgets. Users can view metrics and rearrange layout. Widget creation and custom data sources are separate phases.
|
|
94
|
-
|
|
95
|
-
</domain>
|
|
96
|
-
|
|
97
|
-
<decisions>
|
|
98
|
-
## Implementation Decisions
|
|
99
|
-
|
|
100
|
-
### Chart rendering
|
|
101
|
-
**Chosen approach:** Recharts
|
|
102
|
-
**Alternatives considered:** D3 + custom components, Chart.js
|
|
103
|
-
**Why this one:** React-native, SSR-friendly, good defaults. Matches existing React patterns. D3 would give more control but requires more code for standard charts.
|
|
104
|
-
- Bar charts and line charts for metrics — no pie charts in v1
|
|
105
|
-
- Charts should be interactive (hover tooltips) but not editable
|
|
106
|
-
- Responsive: charts resize with widget container
|
|
107
|
-
|
|
108
|
-
### Widget layout
|
|
109
|
-
**Chosen approach:** react-grid-layout
|
|
110
|
-
**Alternatives considered:** CSS Grid + custom drag, @dnd-kit grid
|
|
111
|
-
**Why this one:** Purpose-built for dashboard grids. Layout serialization to JSON for persistence. Mature production usage.
|
|
112
|
-
- Drag-to-reorder enabled
|
|
113
|
-
- Resize handles on bottom-right corner
|
|
114
|
-
- 12-column grid, responsive breakpoints
|
|
115
|
-
- Layout persisted to localStorage (not server)
|
|
116
|
-
|
|
117
|
-
### Agent's Discretion
|
|
118
|
-
- Loading skeleton design
|
|
119
|
-
- Exact spacing and typography within widgets
|
|
120
|
-
- Error state handling for failed data fetches
|
|
121
|
-
|
|
122
|
-
</decisions>
|
|
123
|
-
|
|
124
|
-
<assumptions>
|
|
125
|
-
## Validated Assumptions
|
|
126
|
-
|
|
127
|
-
### Confirmed
|
|
128
|
-
- [confident] Using existing Tailwind patterns from Phase 1-2
|
|
129
|
-
|
|
130
|
-
### Accepted (not challenged)
|
|
131
|
-
- [assuming] Dashboard data comes from static JSON for v1 (no real API)
|
|
132
|
-
|
|
133
|
-
### Corrected
|
|
134
|
-
- [corrected] Dashboard is read-only → Widgets DO need drag reorder
|
|
135
|
-
|
|
136
|
-
</assumptions>
|
|
137
|
-
|
|
138
|
-
<deferred>
|
|
139
|
-
## Deferred Ideas
|
|
140
|
-
|
|
141
|
-
- Real-time data updates — future phase
|
|
142
|
-
- Custom widget creation — add to backlog
|
|
143
|
-
- Dashboard sharing/export — out of scope for v1
|
|
144
|
-
|
|
145
|
-
</deferred>
|
|
146
|
-
|
|
147
|
-
---
|
|
148
|
-
|
|
149
|
-
*Phase: 03-dashboard*
|
|
150
|
-
*Approach explored: 2026-03-22*
|
|
151
|
-
```
|
|
152
|
-
|
|
153
|
-
**Example 2: API feature (Authentication)**
|
|
154
|
-
|
|
155
|
-
```markdown
|
|
156
|
-
# Phase 1: Authentication - Approach
|
|
157
|
-
|
|
158
|
-
**Explored:** 2026-03-22
|
|
159
|
-
**Status:** Ready for planning
|
|
160
|
-
|
|
161
|
-
<domain>
|
|
162
|
-
## Phase Boundary
|
|
163
|
-
|
|
164
|
-
Users can register and log in with email/password. Session management via JWT. OAuth and MFA are separate phases.
|
|
165
|
-
|
|
166
|
-
</domain>
|
|
167
|
-
|
|
168
|
-
<decisions>
|
|
169
|
-
## Implementation Decisions
|
|
170
|
-
|
|
171
|
-
### Session handling
|
|
172
|
-
**Chosen approach:** HTTP-only cookies with JWT
|
|
173
|
-
**Alternatives considered:** localStorage JWT, session-based (server-side)
|
|
174
|
-
**Why this one:** HTTP-only cookies prevent XSS token theft. JWT avoids server-side session storage. Standard pattern for Next.js apps.
|
|
175
|
-
- Access token: 15-minute expiry
|
|
176
|
-
- Refresh token: 7-day expiry, rotation on use
|
|
177
|
-
- Logout clears both tokens
|
|
178
|
-
|
|
179
|
-
### Error responses
|
|
180
|
-
**Chosen approach:** Structured JSON errors
|
|
181
|
-
**Alternatives considered:** Plain text errors, RFC 7807 Problem Details
|
|
182
|
-
**Why this one:** Consistent with existing API patterns. RFC 7807 is overkill for this project size.
|
|
183
|
-
- Always include: status code, error code, user-facing message
|
|
184
|
-
- Never include: stack traces, internal IDs
|
|
185
|
-
- Rate limit errors: include retry-after header
|
|
186
|
-
|
|
187
|
-
### Agent's Discretion
|
|
188
|
-
- Password hashing library (bcrypt vs argon2)
|
|
189
|
-
- Exact JWT payload structure
|
|
190
|
-
- Email validation regex vs library
|
|
191
|
-
|
|
192
|
-
</decisions>
|
|
193
|
-
|
|
194
|
-
<assumptions>
|
|
195
|
-
## Validated Assumptions
|
|
196
|
-
|
|
197
|
-
### Confirmed
|
|
198
|
-
- [confident] Email/password only for v1 (no OAuth)
|
|
199
|
-
|
|
200
|
-
### Accepted (not challenged)
|
|
201
|
-
- [assuming] No email verification required for v1
|
|
202
|
-
|
|
203
|
-
### Corrected
|
|
204
|
-
- [corrected] Single-device sessions → Allow multi-device (don't invalidate other sessions on login)
|
|
205
|
-
|
|
206
|
-
</assumptions>
|
|
207
|
-
|
|
208
|
-
<deferred>
|
|
209
|
-
## Deferred Ideas
|
|
210
|
-
|
|
211
|
-
- OAuth providers (Google, GitHub) — Phase 4
|
|
212
|
-
- MFA/2FA — add to backlog
|
|
213
|
-
|
|
214
|
-
</deferred>
|
|
215
|
-
|
|
216
|
-
---
|
|
217
|
-
|
|
218
|
-
*Phase: 01-authentication*
|
|
219
|
-
*Approach explored: 2026-03-22*
|
|
220
|
-
```
|
|
221
|
-
|
|
222
|
-
## Guidelines
|
|
223
|
-
|
|
224
|
-
**This template captures DECISIONS for downstream agents.**
|
|
225
|
-
|
|
226
|
-
The output should answer: "What choices are locked for the planner? Where does the planner have discretion?"
|
|
227
|
-
|
|
228
|
-
**After creation:**
|
|
229
|
-
- File lives in phase directory: `.planning/phases/XX-name/{phase_num}-APPROACH.md`
|
|
230
|
-
- Planner reads decisions to constrain implementation tasks
|
|
231
|
-
- Plan-checker verifies approach_alignment: plans must implement chosen approaches
|
|
232
|
-
- Downstream agents should NOT need to ask the user again about captured decisions
|
|
1
|
+
# Phase Approach Template
|
|
2
|
+
|
|
3
|
+
Template for `.planning/phases/XX-name/{phase_num}-APPROACH.md` — captures implementation decisions and validated assumptions for a phase.
|
|
4
|
+
|
|
5
|
+
**Purpose:** Document decisions that downstream agents need. Planner uses this to know WHAT choices are locked vs flexible. Plan-checker verifies plans honor these decisions.
|
|
6
|
+
|
|
7
|
+
**Key principle:** The top-level structure (`<domain>`, `<decisions>`, `<assumptions>`, `<deferred>`) is fixed. Section names WITHIN `<decisions>` emerge from what was actually discussed for THIS phase — a CLI phase has CLI-relevant sections, a UI phase has UI-relevant sections.
|
|
8
|
+
|
|
9
|
+
**Downstream consumers:**
|
|
10
|
+
- `planner` — Reads decisions to constrain implementation choices. Locked decisions must be implemented. Agent's Discretion items allow planner flexibility.
|
|
11
|
+
- `plan-checker` — Reads decisions to verify plans implement chosen approaches (approach_alignment dimension). Flags plans that contradict explicit user choices.
|
|
12
|
+
|
|
13
|
+
---
|
|
14
|
+
|
|
15
|
+
## File Template
|
|
16
|
+
|
|
17
|
+
```markdown
|
|
18
|
+
# Phase [X]: [Name] - Approach
|
|
19
|
+
|
|
20
|
+
**Explored:** [date]
|
|
21
|
+
**Status:** Ready for planning
|
|
22
|
+
|
|
23
|
+
<domain>
|
|
24
|
+
## Phase Boundary
|
|
25
|
+
|
|
26
|
+
[Clear statement of what this phase delivers — the scope anchor. This comes from ROADMAP.md and is fixed. Discussion clarifies implementation within this boundary.]
|
|
27
|
+
|
|
28
|
+
</domain>
|
|
29
|
+
|
|
30
|
+
<decisions>
|
|
31
|
+
## Implementation Decisions
|
|
32
|
+
|
|
33
|
+
### [Gray Area 1 that was discussed]
|
|
34
|
+
**Chosen approach:** [name]
|
|
35
|
+
**Alternatives considered:** [Option B], [Option C]
|
|
36
|
+
**Why this one:** [reasoning from research + user preference]
|
|
37
|
+
- [Specific decision from questioning]
|
|
38
|
+
- [Another decision if applicable]
|
|
39
|
+
|
|
40
|
+
### [Gray Area 2 that was discussed]
|
|
41
|
+
**Chosen approach:** [name]
|
|
42
|
+
**Alternatives considered:** [Option B]
|
|
43
|
+
**Why this one:** [reasoning]
|
|
44
|
+
- [Specific decision]
|
|
45
|
+
|
|
46
|
+
### Agent's Discretion
|
|
47
|
+
[Areas where user explicitly said "you decide" — the agent has flexibility here during planning/implementation]
|
|
48
|
+
|
|
49
|
+
</decisions>
|
|
50
|
+
|
|
51
|
+
<assumptions>
|
|
52
|
+
## Validated Assumptions
|
|
53
|
+
|
|
54
|
+
### Confirmed
|
|
55
|
+
- [confident] [assumption confirmed by user]
|
|
56
|
+
|
|
57
|
+
### Accepted (not challenged)
|
|
58
|
+
- [assuming] [assumption user didn't challenge — planner should still honor but note it]
|
|
59
|
+
|
|
60
|
+
### Corrected
|
|
61
|
+
- [corrected] [original assumption] → [user's correction]
|
|
62
|
+
|
|
63
|
+
</assumptions>
|
|
64
|
+
|
|
65
|
+
<deferred>
|
|
66
|
+
## Deferred Ideas
|
|
67
|
+
|
|
68
|
+
[Ideas that came up during discussion but belong in other phases. Captured here so they're not lost, but explicitly out of scope for this phase.]
|
|
69
|
+
|
|
70
|
+
[If none: "None — discussion stayed within phase scope"]
|
|
71
|
+
|
|
72
|
+
</deferred>
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
*Phase: XX-name*
|
|
77
|
+
*Approach explored: [date]*
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
## Good Examples
|
|
81
|
+
|
|
82
|
+
**Example 1: Visual feature (Dashboard)**
|
|
83
|
+
|
|
84
|
+
```markdown
|
|
85
|
+
# Phase 3: Interactive Dashboard - Approach
|
|
86
|
+
|
|
87
|
+
**Explored:** 2026-03-22
|
|
88
|
+
**Status:** Ready for planning
|
|
89
|
+
|
|
90
|
+
<domain>
|
|
91
|
+
## Phase Boundary
|
|
92
|
+
|
|
93
|
+
Build an interactive dashboard with configurable widgets. Users can view metrics and rearrange layout. Widget creation and custom data sources are separate phases.
|
|
94
|
+
|
|
95
|
+
</domain>
|
|
96
|
+
|
|
97
|
+
<decisions>
|
|
98
|
+
## Implementation Decisions
|
|
99
|
+
|
|
100
|
+
### Chart rendering
|
|
101
|
+
**Chosen approach:** Recharts
|
|
102
|
+
**Alternatives considered:** D3 + custom components, Chart.js
|
|
103
|
+
**Why this one:** React-native, SSR-friendly, good defaults. Matches existing React patterns. D3 would give more control but requires more code for standard charts.
|
|
104
|
+
- Bar charts and line charts for metrics — no pie charts in v1
|
|
105
|
+
- Charts should be interactive (hover tooltips) but not editable
|
|
106
|
+
- Responsive: charts resize with widget container
|
|
107
|
+
|
|
108
|
+
### Widget layout
|
|
109
|
+
**Chosen approach:** react-grid-layout
|
|
110
|
+
**Alternatives considered:** CSS Grid + custom drag, @dnd-kit grid
|
|
111
|
+
**Why this one:** Purpose-built for dashboard grids. Layout serialization to JSON for persistence. Mature production usage.
|
|
112
|
+
- Drag-to-reorder enabled
|
|
113
|
+
- Resize handles on bottom-right corner
|
|
114
|
+
- 12-column grid, responsive breakpoints
|
|
115
|
+
- Layout persisted to localStorage (not server)
|
|
116
|
+
|
|
117
|
+
### Agent's Discretion
|
|
118
|
+
- Loading skeleton design
|
|
119
|
+
- Exact spacing and typography within widgets
|
|
120
|
+
- Error state handling for failed data fetches
|
|
121
|
+
|
|
122
|
+
</decisions>
|
|
123
|
+
|
|
124
|
+
<assumptions>
|
|
125
|
+
## Validated Assumptions
|
|
126
|
+
|
|
127
|
+
### Confirmed
|
|
128
|
+
- [confident] Using existing Tailwind patterns from Phase 1-2
|
|
129
|
+
|
|
130
|
+
### Accepted (not challenged)
|
|
131
|
+
- [assuming] Dashboard data comes from static JSON for v1 (no real API)
|
|
132
|
+
|
|
133
|
+
### Corrected
|
|
134
|
+
- [corrected] Dashboard is read-only → Widgets DO need drag reorder
|
|
135
|
+
|
|
136
|
+
</assumptions>
|
|
137
|
+
|
|
138
|
+
<deferred>
|
|
139
|
+
## Deferred Ideas
|
|
140
|
+
|
|
141
|
+
- Real-time data updates — future phase
|
|
142
|
+
- Custom widget creation — add to backlog
|
|
143
|
+
- Dashboard sharing/export — out of scope for v1
|
|
144
|
+
|
|
145
|
+
</deferred>
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
*Phase: 03-dashboard*
|
|
150
|
+
*Approach explored: 2026-03-22*
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
**Example 2: API feature (Authentication)**
|
|
154
|
+
|
|
155
|
+
```markdown
|
|
156
|
+
# Phase 1: Authentication - Approach
|
|
157
|
+
|
|
158
|
+
**Explored:** 2026-03-22
|
|
159
|
+
**Status:** Ready for planning
|
|
160
|
+
|
|
161
|
+
<domain>
|
|
162
|
+
## Phase Boundary
|
|
163
|
+
|
|
164
|
+
Users can register and log in with email/password. Session management via JWT. OAuth and MFA are separate phases.
|
|
165
|
+
|
|
166
|
+
</domain>
|
|
167
|
+
|
|
168
|
+
<decisions>
|
|
169
|
+
## Implementation Decisions
|
|
170
|
+
|
|
171
|
+
### Session handling
|
|
172
|
+
**Chosen approach:** HTTP-only cookies with JWT
|
|
173
|
+
**Alternatives considered:** localStorage JWT, session-based (server-side)
|
|
174
|
+
**Why this one:** HTTP-only cookies prevent XSS token theft. JWT avoids server-side session storage. Standard pattern for Next.js apps.
|
|
175
|
+
- Access token: 15-minute expiry
|
|
176
|
+
- Refresh token: 7-day expiry, rotation on use
|
|
177
|
+
- Logout clears both tokens
|
|
178
|
+
|
|
179
|
+
### Error responses
|
|
180
|
+
**Chosen approach:** Structured JSON errors
|
|
181
|
+
**Alternatives considered:** Plain text errors, RFC 7807 Problem Details
|
|
182
|
+
**Why this one:** Consistent with existing API patterns. RFC 7807 is overkill for this project size.
|
|
183
|
+
- Always include: status code, error code, user-facing message
|
|
184
|
+
- Never include: stack traces, internal IDs
|
|
185
|
+
- Rate limit errors: include retry-after header
|
|
186
|
+
|
|
187
|
+
### Agent's Discretion
|
|
188
|
+
- Password hashing library (bcrypt vs argon2)
|
|
189
|
+
- Exact JWT payload structure
|
|
190
|
+
- Email validation regex vs library
|
|
191
|
+
|
|
192
|
+
</decisions>
|
|
193
|
+
|
|
194
|
+
<assumptions>
|
|
195
|
+
## Validated Assumptions
|
|
196
|
+
|
|
197
|
+
### Confirmed
|
|
198
|
+
- [confident] Email/password only for v1 (no OAuth)
|
|
199
|
+
|
|
200
|
+
### Accepted (not challenged)
|
|
201
|
+
- [assuming] No email verification required for v1
|
|
202
|
+
|
|
203
|
+
### Corrected
|
|
204
|
+
- [corrected] Single-device sessions → Allow multi-device (don't invalidate other sessions on login)
|
|
205
|
+
|
|
206
|
+
</assumptions>
|
|
207
|
+
|
|
208
|
+
<deferred>
|
|
209
|
+
## Deferred Ideas
|
|
210
|
+
|
|
211
|
+
- OAuth providers (Google, GitHub) — Phase 4
|
|
212
|
+
- MFA/2FA — add to backlog
|
|
213
|
+
|
|
214
|
+
</deferred>
|
|
215
|
+
|
|
216
|
+
---
|
|
217
|
+
|
|
218
|
+
*Phase: 01-authentication*
|
|
219
|
+
*Approach explored: 2026-03-22*
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
## Guidelines
|
|
223
|
+
|
|
224
|
+
**This template captures DECISIONS for downstream agents.**
|
|
225
|
+
|
|
226
|
+
The output should answer: "What choices are locked for the planner? Where does the planner have discretion?"
|
|
227
|
+
|
|
228
|
+
**After creation:**
|
|
229
|
+
- File lives in phase directory: `.planning/phases/XX-name/{phase_num}-APPROACH.md`
|
|
230
|
+
- Planner reads decisions to constrain implementation tasks
|
|
231
|
+
- Plan-checker verifies approach_alignment: plans must implement chosen approaches
|
|
232
|
+
- Downstream agents should NOT need to ask the user again about captured decisions
|
|
@@ -1,78 +1,78 @@
|
|
|
1
|
-
# Authorization Matrix Template
|
|
2
|
-
|
|
3
|
-
> OWASP-style authorization matrix for systematic auth verification.
|
|
4
|
-
> Create `.planning/AUTH_MATRIX.md` using this template when your project has multiple user roles or protected resources.
|
|
5
|
-
|
|
6
|
-
## When to Create This Matrix
|
|
7
|
-
|
|
8
|
-
Create an authorization matrix when your project has:
|
|
9
|
-
- Multiple user roles (e.g., anonymous, user, admin, owner)
|
|
10
|
-
- Protected resources that vary by role
|
|
11
|
-
- Ownership-scoped data (users can only access their own records)
|
|
12
|
-
- Admin or operator surfaces that must be restricted
|
|
13
|
-
|
|
14
|
-
Skip this matrix for single-role projects or projects with no auth requirements.
|
|
15
|
-
|
|
16
|
-
## Matrix Format
|
|
17
|
-
|
|
18
|
-
Use the OWASP pivot format: rows are resources, columns are roles, cells are permissions.
|
|
19
|
-
|
|
20
|
-
### Permission Values
|
|
21
|
-
|
|
22
|
-
| Value | Meaning |
|
|
23
|
-
|-------|---------|
|
|
24
|
-
| ALLOW | Role can perform this action on any matching resource |
|
|
25
|
-
| DENY | Role must be explicitly rejected (not just "no route") |
|
|
26
|
-
| OWN | Role can perform this action only on resources they own |
|
|
27
|
-
| N/A | Action does not apply to this resource |
|
|
28
|
-
|
|
29
|
-
### Matrix Table
|
|
30
|
-
|
|
31
|
-
```markdown
|
|
32
|
-
| Resource | Action | anonymous | user | admin |
|
|
33
|
-
|----------|--------|-----------|------|-------|
|
|
34
|
-
| /login | POST | ALLOW | ALLOW| ALLOW |
|
|
35
|
-
| /profile | GET | DENY | OWN | ALLOW |
|
|
36
|
-
| /profile | PUT | DENY | OWN | ALLOW |
|
|
37
|
-
| /users | GET | DENY | DENY | ALLOW |
|
|
38
|
-
| /users | DELETE | DENY | DENY | ALLOW |
|
|
39
|
-
| /posts | GET | ALLOW | ALLOW| ALLOW |
|
|
40
|
-
| /posts | POST | DENY | ALLOW| ALLOW |
|
|
41
|
-
| /posts | DELETE | DENY | OWN | ALLOW |
|
|
42
|
-
```
|
|
43
|
-
|
|
44
|
-
Adapt the table to your project's actual resources, actions, and roles. Add or remove columns as needed.
|
|
45
|
-
|
|
46
|
-
## Sensitive Surfaces
|
|
47
|
-
|
|
48
|
-
The following resource categories MUST have matrix coverage when they exist in your project:
|
|
49
|
-
|
|
50
|
-
- **User-scoped data** (profiles, settings, personal records) — require OWN or DENY
|
|
51
|
-
- **Admin surfaces** (user management, system config, audit logs) — require DENY for non-admin roles
|
|
52
|
-
- **Financial data** (billing, payments, subscriptions) — require explicit DENY or OWN
|
|
53
|
-
- **Destructive actions** (delete, bulk operations, account removal) — require explicit role gates
|
|
54
|
-
- **API keys and credentials** — require DENY for non-owner roles
|
|
55
|
-
|
|
56
|
-
If a sensitive surface exists in your codebase but is missing from the matrix, the integration checker's narrative auth check (Step 4) will still flag it — Step 4 runs unconditionally regardless of whether this matrix exists. Step 4a only verifies cells that are already in the matrix.
|
|
57
|
-
|
|
58
|
-
## How the Integration Checker Uses This Matrix
|
|
59
|
-
|
|
60
|
-
During milestone audits, the integration checker (Step 4a) will:
|
|
61
|
-
|
|
62
|
-
1. Parse each row of the matrix table(s)
|
|
63
|
-
2. For each cell (resource x role x expected permission):
|
|
64
|
-
- **ALLOW**: Verify the role can access the resource (no auth gate blocks it)
|
|
65
|
-
- **DENY**: Verify explicit rejection exists (middleware, guard, or policy denies access)
|
|
66
|
-
- **OWN**: Verify ownership check is enforced (not just auth, but scoped to the user's records)
|
|
67
|
-
3. Report each cell as:
|
|
68
|
-
- **VERIFIED**: Implementation matches the matrix expectation
|
|
69
|
-
- **MISMATCH**: Implementation contradicts the matrix (e.g., DENY expected but no guard found)
|
|
70
|
-
- **UNTESTED**: Cannot determine from static analysis (e.g., dynamic policy evaluation)
|
|
71
|
-
|
|
72
|
-
The narrative auth check (Step 4) always runs regardless of whether this matrix exists.
|
|
73
|
-
|
|
74
|
-
## File Location
|
|
75
|
-
|
|
76
|
-
Save your project's authorization matrix as `.planning/AUTH_MATRIX.md`.
|
|
77
|
-
|
|
78
|
-
The integration checker will automatically detect and consume it when present. No configuration needed.
|
|
1
|
+
# Authorization Matrix Template
|
|
2
|
+
|
|
3
|
+
> OWASP-style authorization matrix for systematic auth verification.
|
|
4
|
+
> Create `.planning/AUTH_MATRIX.md` using this template when your project has multiple user roles or protected resources.
|
|
5
|
+
|
|
6
|
+
## When to Create This Matrix
|
|
7
|
+
|
|
8
|
+
Create an authorization matrix when your project has:
|
|
9
|
+
- Multiple user roles (e.g., anonymous, user, admin, owner)
|
|
10
|
+
- Protected resources that vary by role
|
|
11
|
+
- Ownership-scoped data (users can only access their own records)
|
|
12
|
+
- Admin or operator surfaces that must be restricted
|
|
13
|
+
|
|
14
|
+
Skip this matrix for single-role projects or projects with no auth requirements.
|
|
15
|
+
|
|
16
|
+
## Matrix Format
|
|
17
|
+
|
|
18
|
+
Use the OWASP pivot format: rows are resources, columns are roles, cells are permissions.
|
|
19
|
+
|
|
20
|
+
### Permission Values
|
|
21
|
+
|
|
22
|
+
| Value | Meaning |
|
|
23
|
+
|-------|---------|
|
|
24
|
+
| ALLOW | Role can perform this action on any matching resource |
|
|
25
|
+
| DENY | Role must be explicitly rejected (not just "no route") |
|
|
26
|
+
| OWN | Role can perform this action only on resources they own |
|
|
27
|
+
| N/A | Action does not apply to this resource |
|
|
28
|
+
|
|
29
|
+
### Matrix Table
|
|
30
|
+
|
|
31
|
+
```markdown
|
|
32
|
+
| Resource | Action | anonymous | user | admin |
|
|
33
|
+
|----------|--------|-----------|------|-------|
|
|
34
|
+
| /login | POST | ALLOW | ALLOW| ALLOW |
|
|
35
|
+
| /profile | GET | DENY | OWN | ALLOW |
|
|
36
|
+
| /profile | PUT | DENY | OWN | ALLOW |
|
|
37
|
+
| /users | GET | DENY | DENY | ALLOW |
|
|
38
|
+
| /users | DELETE | DENY | DENY | ALLOW |
|
|
39
|
+
| /posts | GET | ALLOW | ALLOW| ALLOW |
|
|
40
|
+
| /posts | POST | DENY | ALLOW| ALLOW |
|
|
41
|
+
| /posts | DELETE | DENY | OWN | ALLOW |
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Adapt the table to your project's actual resources, actions, and roles. Add or remove columns as needed.
|
|
45
|
+
|
|
46
|
+
## Sensitive Surfaces
|
|
47
|
+
|
|
48
|
+
The following resource categories MUST have matrix coverage when they exist in your project:
|
|
49
|
+
|
|
50
|
+
- **User-scoped data** (profiles, settings, personal records) — require OWN or DENY
|
|
51
|
+
- **Admin surfaces** (user management, system config, audit logs) — require DENY for non-admin roles
|
|
52
|
+
- **Financial data** (billing, payments, subscriptions) — require explicit DENY or OWN
|
|
53
|
+
- **Destructive actions** (delete, bulk operations, account removal) — require explicit role gates
|
|
54
|
+
- **API keys and credentials** — require DENY for non-owner roles
|
|
55
|
+
|
|
56
|
+
If a sensitive surface exists in your codebase but is missing from the matrix, the integration checker's narrative auth check (Step 4) will still flag it — Step 4 runs unconditionally regardless of whether this matrix exists. Step 4a only verifies cells that are already in the matrix.
|
|
57
|
+
|
|
58
|
+
## How the Integration Checker Uses This Matrix
|
|
59
|
+
|
|
60
|
+
During milestone audits, the integration checker (Step 4a) will:
|
|
61
|
+
|
|
62
|
+
1. Parse each row of the matrix table(s)
|
|
63
|
+
2. For each cell (resource x role x expected permission):
|
|
64
|
+
- **ALLOW**: Verify the role can access the resource (no auth gate blocks it)
|
|
65
|
+
- **DENY**: Verify explicit rejection exists (middleware, guard, or policy denies access)
|
|
66
|
+
- **OWN**: Verify ownership check is enforced (not just auth, but scoped to the user's records)
|
|
67
|
+
3. Report each cell as:
|
|
68
|
+
- **VERIFIED**: Implementation matches the matrix expectation
|
|
69
|
+
- **MISMATCH**: Implementation contradicts the matrix (e.g., DENY expected but no guard found)
|
|
70
|
+
- **UNTESTED**: Cannot determine from static analysis (e.g., dynamic policy evaluation)
|
|
71
|
+
|
|
72
|
+
The narrative auth check (Step 4) always runs regardless of whether this matrix exists.
|
|
73
|
+
|
|
74
|
+
## File Location
|
|
75
|
+
|
|
76
|
+
Save your project's authorization matrix as `.planning/AUTH_MATRIX.md`.
|
|
77
|
+
|
|
78
|
+
The integration checker will automatically detect and consume it when present. No configuration needed.
|