docs: post-cloud-SDK plugin ecosystem sweep — design + plan + scope-lock#690
Merged
Conversation
Bumps 8 lagging plugins (payments, audit-chain, tofu, ci-generator, agent, github, gitlab, azure) from workflow v0.51.6/v0.51.7/pseudo pins → v0.53.1. Per-plugin PR pattern; mechanical sweep; closes #656's engine-pin-sweep half. Defers host conformance (gcp#6 + azure#4) and v2 action lifecycle (#640) and catalog manifest-derivation to separate design passes. Self-challenge surfaced 3 doubts: hidden API drift, tofu first-release scope creep, 8-PR-parallel-execution operator load. All mitigated by per-plugin verification gates + scope-pause discipline. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Critical fixes: - Tofu has tags v0.1.0/v0.1.1/v0.1.2 (not first release); next = v0.1.3 - Add admin/bento/authz/authz-ui/eventbus to scope (5 plugins were silently excluded from initial scope) — now 13 plugins total - Flag security/supply-chain for Task 0 cadence-classification - Document waf/sandbox/data-protection (v0.3.56-era) + cloud-ui as verified-out-of-scope with rationale Important fixes: - Add wave-1 / wave-2 sequencing for agent → authz transitive dep - Reframe minEng "0.53.0" as tested-floor semantic (not feature-floor) - Document the cross-plugin probe pre-dispatch (Task 0) Minor fixes: - ADR 0024 reference now path-specific (decisions/0024-iac-typed-...) - Cross-plugin smoke test → operator-run, not CI gate - v0.53.1 vs v0.53.0 target rationale documented (Assumption #9) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ings Critical fixes: - Document self-hosted runner dependency (4 plugins: tofu/authz-ui/security/supply-chain) with explicit "intentional infra, NOT migrating to ubuntu-latest" rationale - Fix stale "8 PRs" mentions (2 places) → 15 Important fixes: - Agent dual-bump now explicit in new "Agent extended pattern" section with 6 steps (PR #15 only); step 1 mandates BOTH workflow + authz go.mod lines change in same commit - #656 stale-inventory rationale documented; first PR comments on #656 noting supersession - Collapse "Task 0" runtime gate — security + supply-chain verified at design time + added as PRs #13/#14 (scope: 13 → 15) Minor fix: - Wave-2 cascading rollback documented (agent BEFORE authz revert order) Probed via gh api: - authz-ui release.yml: [self-hosted,Linux,X64] + GOPRIVATE - security release.yml: [self-hosted,Linux,X64] - supply-chain release.yml: [self-hosted,Linux,X64] - tofu release.yml: [self-hosted,Linux,X64] - admin/bento/authz/eventbus/payments: ubuntu-latest 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…verride per autonomous mandate) Cycle 3 adversarial review surfaced 2 Critical + 2 Important + 2 Minor narrow text-level findings after cycle 2's revisions. Per skill's 2-revision-cycle limit, applied surgical line-edits and proceeded WITHOUT a 4th adversarial pass. Fixes: - C-1 (dual numbering ambiguity): unified per-repo table now has explicit PR# column matching wave-diagram numbering; secondary security/supply-chain table merged in (eliminates row 13 collision; agent is PR15) - C-2 (tofu draft=true unsurfaced): MANDATORY pre-check section added to Error Handling — patch .goreleaser.yaml release.draft to false BEFORE tag push; same defensive check for all 4 self-hosted plugins - I-1/I-2 fixes: implicit in C-2's MANDATORY-before-dry-run wording - M-2 (replace-directive language wrong for azure): clarified azure has raw pseudo-version in require, no replace block User-override: per "continue autonomously" mandate, narrow text-edit fixes counted as polish (not full 3rd revision cycle); proceeding to writing-plans without re-running adversarial-design-review. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per-PR per-plugin sweep bumping 15 plugin repos from workflow v0.51.x pins → v0.53.1, with mandatory new tag + GoReleaser release per plugin. Wave 1 (parallel, 14 PRs): payments, audit-chain, tofu (with .goreleaser draft=true pre-fix + first-release-with-binaries), ci-generator, github, gitlab, azure (pseudo-version → clean tag), admin, bento, authz-ui, authz, eventbus, security, supply-chain. Wave 2 (after PR11 authz tag): agent — DUAL-BUMP commit (workflow + authz require lines both change); 6-step extended pattern. Per-task spec: 5-step standard pattern (branch + ff-pull → bump pin → tidy/ build/test → minEng update → commit/push/admin-merge/tag/monitor). Tasks 3 (tofu) and 15 (agent) extend it. Each task has files, verification per build-pipeline + version-pin-update class, rollback note (per-plugin patch tag re-pin); agent's rollback documents wave-2 cascading order. Out-of-scope per design: gcp#6/azure#4 conformance, #640 v2 lifecycle, catalog manifest-derivation, TypedProvider migration, MessagePub for IaC bridge, aws-sdk-go-v2 extraction, security-cadence cluster (waf/sandbox/data-protection v0.3.56-era), cloud-ui (no go.mod). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PASS verdict with 3 Important + 3 Minor — all text-level fixes: I-1 (parallel-race on supersession comment): moved gh issue comment 656 from Task 1 "Special" block to new "Pre-dispatch setup (team-lead, ONCE before any task starts)" section. Eliminates the race; team-lead posts comment + verifies self-hosted runner pool BEFORE dispatching any task. I-2 (Task 3 Step 0 vs standard Step 1 collision): explicitly tells implementer to SKIP standard Step 1 when running Task 3 (branch already created in Step 0); standard pattern reference now Steps 2-5. I-3 (overclaimed verification class): replaced "runtime-launch-validation triggered" with "build-class verification + asset-existence check; operator-run wfctl install is advisory post-deploy gate, NOT a CI gate" (matches design's Testing section). M-1 (#656 never closed): added gh issue close 656 command to Memory Updates section with completion comment template. M-2 (commit template "v0.51.x" placeholder confusing): changed to vOLD + added explicit "Substitute vOLD and vNEW per the PR Grouping table — they are placeholder tokens, not real tag patterns." M-3 (azure rollback underspecified): operationalized with explicit go get @v0.51.6 + go mod tidy + tag commands. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- alignment-check forward + reverse trace: 100% coverage - programmatic plan-scope-check.sh: PASS exit 0 - adversarial-plan-review cycle 1: PASS with 3 Important findings (all addressed in prior commit ff86bb2) - design adversarial-review: cycles 1+2 fixed; cycle 3 polished - single non-blocking observation (GOWORK=off omission in plan Universal pattern Step 3) acknowledged but not gating Manifest: 15 PRs / 15 tasks; PR Grouping table sequenced PR1-PR15; sha256=e6545d28a798… 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Documentation-only PR adding planning artifacts for a mechanical workflow-pin bump sweep across 15 external plugin repositories (v0.51.x → v0.53.1). No code changes; the work itself happens in separate PRs in each plugin repo.
Changes:
- Adds a design document with adversarial-review annotations covering scope, sequencing (wave 1 parallel, wave 2 for agent→authz dependency), and out-of-scope items.
- Adds a 15-task execution plan with a standard 5-step pattern plus extended patterns for tofu (draft fix) and agent (dual-bump).
- Adds a scope-lock SHA-256 hash file.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md | Design doc with scope, sequencing, and review-cycle annotations. |
| docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md | Per-plugin task breakdown with commands and verification steps. |
| docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock | SHA-256 scope-lock hash for the plan. |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
⏱ Benchmark Results✅ No significant performance regressions detected. benchstat comparison (baseline → PR)
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds design + plan + scope-lock artifacts for the post-cloud-SDK plugin ecosystem sweep — bumping 15 lagging plugins from workflow v0.51.x pins → v0.53.1.
Pipeline state
Scope (15 PRs across 15 plugin repos — separate PRs in each plugin repo, not in this docs PR)
Wave 1 (parallel, 14 PRs): payments, audit-chain, tofu (with .goreleaser draft fix + first-release-with-binaries), ci-generator, github, gitlab, azure (pseudo-version → clean tag), admin, bento, authz-ui, authz, eventbus, security, supply-chain.
Wave 2 (after PR11 authz tag): agent — DUAL-BUMP commit (workflow + workflow-plugin-authz both change in same go.mod commit).
Out of scope (per design)
provider/aws//plugin/rbac/aws.go/iam/aws.go/artifact/s3.goFiles
docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md(design + 3 review cycles annotations)docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md(15-task plan)docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock(sha256 hash file)Test plan
🤖 Generated with Claude Code