From 26c6e8e6db0e73c69667b1d43837a843cc77451b Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Mon, 1 Jun 2026 02:07:52 -0400 Subject: [PATCH 1/2] docs(retro): v6.3.0 pipeline hardening retro + scope-lock-complete + release-notes 'seven' fix --- RELEASE-NOTES.md | 2 +- ...6-06-01-v6.3.0-pipeline-hardening-retro.md | 86 +++++++++++++++++++ 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index a08af16..2c3ee1a 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md @@ -2,7 +2,7 @@ ## v6.3.0 — 2026-06-01 -Pipeline-hardening release closing five recurring gate-miss / context-waste issues +Pipeline-hardening release closing seven recurring gate-miss / context-waste issues observed across autonomous runs and Codex compaction. - **`adversarial-design-review` — auth/authz chain-composition bug-class (#59):** a new diff --git a/docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md b/docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md new file mode 100644 index 0000000..4712c78 --- /dev/null +++ b/docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md 
@@ -0,0 +1,86 @@ +# Retro: v6.3.0 Pipeline Hardening (7 issues) + +**PR:** #62 — feat: v6.3.0 pipeline hardening (merge c5566295) +**Merged / Released:** 2026-06-01 · v6.3.0 (Latest) +**Issues:** #41, #58, #59, #60, #61 (locked) + #63, #64 (user-approved amendment) +**Design:** docs/plans/2026-06-01-pipeline-hardening-4issues-design.md (adversarial PASS @ cycle 3) +**Plan:** docs/plans/2026-06-01-pipeline-hardening-4issues.md (plan-phase PASS @ cycle 2; alignment PASS; Locked → Amended) +**ADRs:** 0003 (Implement-N completion trust-boundary), 0004 (scope amendment) + +## What shipped + +One coherent release hardening the autonomous pipeline against recurring gate-misses: +- **#59** auth/authz chain-composition plan-phase bug-class. +- **#60** sanctioned, host-scoped bash poll-loop CI-wait (the prior background-Agent monitor + early-exited ~6×/run). +- **#58** completion trust-boundary (a flipped `Implement: N` isn't trusted until lead + `verification-before-completion`; hard hook-block infeasible — ADR 0003). +- **#41** `run-hook.cmd` stdout-JSON discipline (recover a block decision even behind a + warning) + `tests/hook-stdout-discipline.sh`. +- **#61** pr-review reminder once-per-session (quote-strip match + marker, reset on + PreCompact). +- **#63** artifact-class precedent design check (survey *where* an artifact lives, not just + the mechanism). +- **#64** session-start Linux `stat` time-dedup fix (a real Linux-breaking bug). +- New `hooks-check.yml` CI gating both hook test suites. 
+ +## Adversarial-review findings, scored + +| Phase | Finding | Sev | Outcome | +|---|---|---|---| +| design c1 | #41 suppress-all dropped block decisions behind a warning | Critical | Resolved upfront — switched to last-JSON-line extraction | +| design c1 | #41 locale over-claim; #60 Codex path undefined; #41 trailing-newline | Important×3 | Resolved upfront | +| design c2 | #61 pre-compact early-exit would skip the marker-clear (no-locked-plan case) | Important | **Prescient** — exactly the kind of place-it-wrong bug; clear forced before the early-exit | +| plan c1 | #61 regex still matched `gh pr create` in a quoted body | Important | Resolved upfront — quote-strip (pre-tool-scope-guard precedent) + false-positive test | +| plan c1 | #41 jq-absent test case dropped; missing trap/stderr asserts | Important | Resolved upfront | +| code review | #41 `grep -vF` substring false-drop; non-atomic marker write | Important + Minor | Resolved upfront — `grep -vxF` + atomic temp-file rename | + +Design converged in 3 cycles, plan in 2. The plan-phase review's #61-early-exit catch and +the code review's `grep -vxF` catch were both real bugs killed pre-merge. + +## Gate misses + +| Issue | Gate that missed | Why it slipped | Fix | +|---|---|---|---| +| `session-start` time-dedup broken on Linux (#64) | local test runs (macOS only) | `hook-contracts.sh` "passed locally" on macOS; the BSD-first `stat -f %m` only misbehaves on GNU/Linux, which was never exercised because **no CI ran the hook tests** | Task 6's new `hooks-check.yml` (ubuntu) surfaced it on the first CI run; fixed GNU-first + numeric guard | + +This is the **existence/runtime-validity discipline catching itself**: adding a CI gate that +runs the hook tests on the *real* target platform immediately exposed a pre-existing +Linux bug that every local (macOS) run had masked. The lesson "a test that never runs is +theater" (the rationale for Task 6) paid off the same hour it shipped. 
+ +## What worked + +- **The amendment path worked as designed.** Two items arose mid-execution (#64 found by + the new CI; #63 newly filed). Both were surfaced, user-approved, recorded (ADR 0004), + the manifest re-stamped Locked → Amended (7 → 9 tasks, PR count unchanged), re-aligned, + re-locked — no silent rescoping. +- **Dogfooding:** the release shipped #58's "completion not trusted until lead-verified" + rule and then *applied it to itself* — the lead ran the full suite from a clean tree + before trusting "done," which is how the macOS/Linux gap would have been caught even + without the CI gate. +- **Copilot review (functional again):** flagged a real `pull_request` path-filter gap + + a CodeQL permissions gap (both fixed) and one false "invalid YAML" claim (rejected with + the green CI run as evidence — receiving-code-review rigor, not blind compliance). + +## What didn't + +- The RELEASE-NOTES intro said "five" after the amendment grew it to seven (fixed in this + retro PR). Minor; a reminder to re-read summary prose after a scope amendment. +- #64 should ideally have been caught before merge of Task 6, not after the first push — + but there is no way to run ubuntu CI locally; the push-and-observe loop is the only real + signal, and it worked. + +## Plugin-level follow-ups + +No new plugin change warranted. #63 itself is the follow-up to the v1-retro "verify against +source" lesson (one level up: survey the artifact class, not just the mechanism). The hook +test suite is now CI-gated; consider extending `hooks-check.yml` to a matrix (macOS + +ubuntu) so BSD/GNU portability bugs like #64 are caught on both — filed as a note, not yet +a trend. + +## Project guidance updates + +| File | Change | Reason | +|---|---|---| +| (none) | no change | The durable lessons are already encoded as the shipped bug-classes (#59, #63) + ADRs 0003/0004. | From 966b764644caac3470c3412eb2fe04318e91c5f9 Mon Sep 17 00:00:00 2001 
From: Jon Langevin Date: Mon, 1 Jun 2026 02:08:10 -0400 Subject: [PATCH 2/2] =?UTF-8?q?chore:=20close=20scope-lock=20for=20v6.3.0?= =?UTF-8?q?=20(Amended=20=E2=86=92=20Complete;=20released)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/plans/2026-06-01-pipeline-hardening-4issues.md | 2 +- docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock diff --git a/docs/plans/2026-06-01-pipeline-hardening-4issues.md b/docs/plans/2026-06-01-pipeline-hardening-4issues.md index 878be0d..77c2ea8 100644 --- a/docs/plans/2026-06-01-pipeline-hardening-4issues.md +++ b/docs/plans/2026-06-01-pipeline-hardening-4issues.md @@ -31,7 +31,7 @@ |------|-------|-------|--------| | 1 | feat: v6.3.0 pipeline hardening (#41/#58/#59/#60/#61/#63/#64) | Task 1, Task 2, Task 3, Task 4, Task 5, Task 6, Task 7, Task 8, Task 9 | feat/pipeline-hardening-4issues-v6.3.0 | -**Status:** Amended 2026-06-01T06:00:00Z (user-approved scope expansion to #63 + #64; see Amendment note + decisions/0004) +**Status:** Complete 2026-06-01T06:08:10Z (v6.3.0 released; 7 issues; see docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md) --- diff --git a/docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock b/docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock deleted file mode 100644 index f9c2454..0000000 --- a/docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock +++ /dev/null @@ -1 +0,0 @@ -815ea55f53f1673b36497497a3141abf8c0fc4d2cb5291303ade1d123046498a
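Review bot: In the RELEASE-NOTES.md hunk of PATCH 1/2, the intro sentence still hard-codes the issue count ("closing seven recurring gate-miss / context-waste issues"), the same wording that went stale when the amendment grew the scope from five to seven. Consider dropping the number or replacing it with the issue list (#41, #58, #59, #60, #61, #63, #64), so a later scope amendment cannot desynchronize the summary from the bullets under it.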
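Review bot: In the new docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md hunk, the findings table and the paragraph under it disagree about which review caught the #61 early-exit bug: the table row is labelled `design c2` ("#61 pre-compact early-exit would skip the marker-clear"), while the summary credits "The plan-phase review's #61-early-exit catch". Make the two agree. Separately, the Dogfooding bullet says the lead's clean-tree run "is how the macOS/Linux gap would have been caught even without the CI gate", but the Gate misses row attributes #64 to local runs being macOS only, and "What didn't" states there is no way to run ubuntu CI locally. Unless the lead's run was on Linux, that sentence overstates what the #58 completion trust-boundary check covers and should be softened or removed.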
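Review bot: In the docs/plans/2026-06-01-pipeline-hardening-4issues.md hunk of PATCH 2/2, the replaced **Status:** line drops the pointer to the Amendment note and decisions/0004, so the final status no longer shows that the plan completed under a user-approved amended scope. Suggest keeping that reference in the Complete line alongside the retro path, so the Locked to Amended to Complete trail is readable from the status line without consulting history.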
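Review bot: The deletion of docs/plans/2026-06-01-pipeline-hardening-4issues.md.scope-lock in PATCH 2/2 removes the only visible record of the lock value (the single 64-hex-character line), in the same commit that edits the plan file it sat beside. If that value is what tied the plan content to the approved scope, record it in the Complete status line or in the retro before deleting the file, so the released plan can still be checked against what was locked. If closing a lock is defined as deleting the file, state that in the commit message body, which is currently empty.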