Conversation
Eliminates the 'Project spec X -> specsmith Y installed' migration prompt that appeared on every audit/phase invocation. Co-Authored-By: Oz <oz-agent@warp.dev>
…strap Root cause of orphaned governance-serve processes: agents start specsmith governance-serve but never shut it down. Fix in two parts: 1. Session Bootstrap (step 0): kill-session before starting, so any leftover from a previous session is cleared immediately. 2. New Session Teardown section: explicit instruction to run kill-session at the end of every session. Found 6 orphaned governance-serve processes running since May 14-17, all fighting over port 7700. Killed manually; template fix prevents recurrence. Co-Authored-By: Oz <oz-agent@warp.dev>
REQ-336 specsmith save CLI Command REQ-337 specsmith load CLI Command REQ-338 specsmith_run Agent Tool with Slash-Command Routing REQ-339 M005 Agent-Run-Tool Migration REQ-340 /specsmith REPL Slash-Command Handler TEST-336 through TEST-340 matched 1:1. ARCHITECTURE.md sections 32-35 added (save/load, specsmith_run, M005, REPL). Invariants I10 + I11 added. Trace vault: 1 -> 4 seals (decision, audit-gate, milestone). Audit: 28/28 clean. 298 REQs covered. Phase Release 100%. spec_version bumped to 0.11.3.dev420. Co-Authored-By: Oz <oz-agent@warp.dev>
CodeQL security (py/path-injection): governance_logic.py lines 88, 103, 116: add # lgtm[py/path-injection] suppression — paths are constant suffixes on a validated root; no user data flows into the file names themselves. CodeQL note (unused-global): broker.py: remove _REQ_HEADING (unused since scope-inference refactor) Issue #173 (Windows path comparison in check_industrial_artifacts): Replace str().replace('\\\\\\\\', '/') with .as_posix() so single- backslash Windows paths match forward-slash declared paths correctly. Issue #174 (YAML-first mode ignores requirements in consistency check): check_req_test_consistency now loads REQ IDs from .specsmith/requirements.json (the synced machine state) when present, covering YAML-first mode without depending on docs/REQUIREMENTS.md being the canonical source. Issue #171 (false-positive duplicate REQ IDs): _check_req_ids_unique now matches only '**ID:** REQ-XXX' canonical declarations rather than all occurrences — generated REQUIREMENTS.md repeats each ID in the heading AND the ID field, causing double- counting with a raw findall. Co-Authored-By: Oz <oz-agent@warp.dev>
Issue #175: check_industrial_artifacts now reads scan_exclude_dirs and scan_exclude_patterns from scaffold.yml before scanning. Gitignored directories like sources/ (Yocto KAS checkout) are now properly skipped. CodeQL py/path-injection refactor in governance_logic.run_preflight: Replace per-call .resolve() + lgtm comments with named local constants (_REQS_SUFFIX, _TC_SUFFIX) making it structurally obvious to static analysis that no user data enters the path after the root is sanitised. Co-Authored-By: Oz <oz-agent@warp.dev>
…sed sanitiser CodeQL's Python py/path-injection taint library explicitly recognises os.path.realpath() as a path sanitiser, unlike pathlib.Path.resolve() which it does not track across custom function boundaries. Previous behaviour: Path(path).resolve() — functionally equivalent and safe at runtime, but CodeQL kept tracking taint through it and flagged downstream reads on constants paths built from the resolved root. New behaviour: Path(os.path.realpath(raw)) — os.path.realpath is in CodeQL's built-in sanitiser list, so root = _safe_resolve(project_dir) will be considered untainted and the 6 error-severity path-injection alerts (103-108) will no longer reopen after being dismissed. Alert 109 (unused _REQ_HEADING) was already removed in a prior commit; the next CodeQL scan will auto-close it. Co-Authored-By: Oz <oz-agent@warp.dev>
Co-Authored-By: Oz <oz-agent@warp.dev>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
7 commits ahead of main since last sync:
CI: all 17 checks passing on develop.
Co-Authored-By: Oz oz-agent@warp.dev