Skip to content

docs: backfill SPEC-168 through SPEC-174 + README OAuth audit#131

Merged
cgbarlow merged 1 commit into
mainfrom
docs/v6.0.x-spec-backfill-readme-audit
May 13, 2026
Merged

docs: backfill SPEC-168 through SPEC-174 + README OAuth audit#131
cgbarlow merged 1 commit into
mainfrom
docs/v6.0.x-spec-backfill-readme-audit

Conversation

@cgbarlow
Copy link
Copy Markdown
Owner

@cgbarlow cgbarlow commented May 13, 2026

Summary

Protocol audit cleanup for the v6.0.4–v6.0.14 OAuth-fix cycle. No code changes, no version bump, no release — pure docs.

Compliance gaps closed

SPECs (Protocol §2: every ADR with impl details needs a SPEC) — 168 → 174 were missing. Backfilled all 7. v6.0.7's bundled change ("recursive web_url decoration + stronger orient-wrapper wording") stays covered by ADR-167's extension wording, per your call.

ADR New SPEC
168 — Remove ask tool SPEC-168-A
169 — Fix AS URL in PR metadata SPEC-169-A
170 — Require bearer on MCP HTTP endpoint SPEC-170-A
171 — Point authorization_endpoint at frontend SPEC-171-A
172 — Derive frontend URL from CORS_ORIGINS SPEC-172-A
173 — Parameterise OAuth booleans SPEC-173-A
174 — Hybrid JWT validation in Supabase mode SPEC-174-A

README (Protocol §12: must reflect implementation) — corrected the MCP/OAuth section to match v6.0.14 reality:

  • HTTP-transport: all requests now require a bearer (anonymous-read access removed in v6.0.10).
  • IRIS_JWT_SECRET added to required production env vars, with the openssl-rand hint (and the secret-handling caveat: generate locally, never echo into chat).
  • IRIS_WEB_URL and IRIS_MCP_PUBLIC_URL added to the env-var list with the relevant ADR refs.
  • Tool count corrected (~28 → ~27) and ask removed from the inline tool list.
  • apply_diagram_creation description updated to reflect the local-AI-as-author model.
  • Server-wide orient-first paragraph rewritten — two delivery channels (Server.instructions + per-scope wrapper), TTL refresh, recursive web_url on package_hierarchy.

What stays in the ADRs vs. moves into SPECs

The ADRs keep the "why" and "decision" — they're now lean decision-records as protocol §1 intends. The SPECs carry the "how" — file paths, function signatures, code blocks, test plans, acceptance criteria. A reader scanning the ADR knows the trade-off; a reader implementing or reviewing the change goes to the SPEC.

Test plan

No code change, but:

  • All SPEC files render correctly on GitHub (just markdown).
  • README OAuth/MCP section reads accurately end-to-end.
  • No broken intra-doc links (the new SPECs reference their ADRs; the README references the ADRs by number).

🤖 Generated with Claude Code

@cgbarlow @claude
docs: backfill SPEC-168 through SPEC-174 + README OAuth audit
6e44f44 
Protocol §2 says every ADR with implementation details must have a
corresponding SPEC in /docs/adrs/specs/. v6.0.4–v6.0.6 (ADR-165 →
ADR-167) had SPECs; v6.0.8–v6.0.14 (ADR-168 → ADR-174) didn't. Drift
during the rapid OAuth-debugging cycle. v6.0.7's bundled change
("recursive web_url decoration + stronger wrapper wording") stays
covered by ADR-167's extension wording.

Backfilled:

- SPEC-168-A: Remove `ask` tool from MCP surface.
- SPEC-169-A: Fix Authorization Server URL in PR metadata.
- SPEC-170-A: Require bearer on MCP HTTP endpoint (401 +
  WWW-Authenticate trigger).
- SPEC-171-A: Point AS `authorization_endpoint` at frontend.
- SPEC-172-A: Derive frontend URL from CORS_ORIGINS as fallback.
- SPEC-173-A: Parameterise booleans for SQLite/Postgres portability.
- SPEC-174-A: Hybrid JWT validation in Supabase mode.

Each SPEC carries the impl-detail bits the ADR consciously omits:
file paths, function signatures, test plan, acceptance criteria.

README audit (Protocol §12):

- HTTP-transport MCP section corrected — all HTTP requests now
  require a bearer (v6.0.10 removed anonymous reads to make the
  spec-compliant 401 trigger fire). Anonymous reads remain
  available on the stdio transport.
- IRIS_JWT_SECRET added to required production env vars list, with
  the openssl-rand generation hint (per the secret-handling memory
  note: generate locally, paste directly into the deploy env, don't
  echo into chats or commits).
- IRIS_WEB_URL on iris-api added to required env vars (ADR-171 with
  v6.0.12 fallback).
- IRIS_MCP_PUBLIC_URL on iris-mcp added (ADR-169).
- Tool count corrected (~28 → ~27) — `ask` removed in v6.0.8.
- Tool list pruned: "ask-AI" dropped from the inline list;
  apply_diagram_creation moved into the local-AI-creation group.
- "Removed in v6.0.8" line added alongside the existing v6.0.0
  removals.
- Server-wide orient-first protocol paragraph rewritten to reflect
  the two-channel delivery (Server.instructions + per-scope wrapper)
  introduced through v6.0.4–v6.0.7, and the TTL refresh + recursive
  web_url decoration on package_hierarchy.

No code changes, no version bump, no release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@cgbarlow cgbarlow merged commit e8015cb into main May 13, 2026
@cgbarlow cgbarlow deleted the docs/v6.0.x-spec-backfill-readme-audit branch May 13, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cgbarlow