feat(work-package): DCO policy compatibility

work-package/activities/01-start-work-package.toon

@@ -1,5 +1,5 @@
 id: start-work-package
-version: 3.3.0
+version: 3.4.0
 name: Start Work Package
 description: "Initialize the work package: verify or create an issue, set up feature branch and draft PR, and create planning folder. Establishes traceability from requirements through implementation."
 problem: User needs to initialize a work package with issue tracking, branch, and PR
@@ -19,7 +19,7 @@ entryActions[1]:
     message: Starting issue management
 skills:
   primary: meta/activity-worker
-steps[20]:
+steps[21]:
   - id: detect-review-mode
     name: Detect Review Mode
     description: "Check if user request indicates review of existing PR. If detected, set is_review_mode=true and prompt for PR reference."
@@ -45,6 +45,14 @@ steps[20]:
     name: Initialize Target Directory
     description: "cd into target_path. Fetch origin and checkout the default branch (main/master). Pull latest. This ensures the target is at HEAD before creating a feature branch."
     skill: manage-git
+  - id: detect-merge-strategy
+    name: Detect Merge Strategy
+    description: "Detect whether the target repo permits squash merges. Sets squash_merge_available for downstream DCO merge path routing."
+    skill: manage-git
+    actions[1]:
+      - action: set
+        target: squash_merge_available
+        description: "true if allow_squash_merge=true in repo settings, false otherwise"
   - id: detect-project-type
     name: Detect Project Type
     description: "Auto-detect project type inside target_path: Check for Cargo.toml with Substrate dependencies (sp-*, frame-*, pallet-*). Set project_type to 'rust-substrate' if found, otherwise 'other'."
@@ -484,7 +492,7 @@ outcome[5]:
   - Feature branch created from main
   - Draft PR created and linked to issue
   - Planning folder initialized
-context_to_preserve[16]:
+context_to_preserve[17]:
   - issue_number - The associated issue number (GitHub #N or Jira KEY-N)
   - issue_platform - github or jira
   - issue_type - Type of issue (feature, bug, task, enhancement, epic)
@@ -501,3 +509,4 @@ context_to_preserve[16]:
   - jira_cloud_id - Atlassian cloud ID for subsequent Jira operations
   - github_issue_found - Whether a GitHub issue linked to the Jira ticket was found
   - github_issue_number - GitHub issue number linked to the Jira ticket (if found or created)
+  - squash_merge_available - Whether target repo allows squash merges (drives DCO merge path)

work-package/activities/04-research.toon

@@ -1,5 +1,5 @@
 id: research
-version: 2.3.2
+version: 2.4.0
 name: Research
 description: "Research the knowledge base and external sources to discover best practices, patterns, and resources to inform the plan-prepare activity."
 problem: User needs to research best practices before planning
@@ -11,7 +11,7 @@ required: false
 estimatedTime: 20-45m
 skills:
   primary: meta/activity-worker
-steps[9]:
+steps[10]:
   - id: kb-research
     name: Knowledge base research
     description: "Call get_guidance before making concept-rag MCP tool calls. Search for relevant patterns and practices."
@@ -48,6 +48,15 @@ steps[9]:
     actions[1]:
       - action: message
         message: "**Resolved Assumptions** — the following assumptions were resolved through code analysis during this phase."
+  - id: declare-context-scope
+    name: Declare Context Scope
+    description: "Classify the provenance scope of this work package's research sources. Sets context_scope for the provenance log and PR description."
+    skill: dco-provenance
+    checkpoint: context-scope-declaration
+    actions[1]:
+      - action: set
+        target: context_scope
+        description: "repo-only | web-retrieval | mixed based on research sources used"
   - id: interview-open-assumptions
     name: Interview open assumptions
     description: "For each open (stakeholder-dependent) assumption, present it individually to the user via the research-assumption-interview checkpoint. The user can resolve it inline or defer it to stakeholder review. Update the assumptions log after each response."
@@ -88,7 +97,7 @@ artifacts[1]:
   - id: research-document
     name: kb-research.md
     location: planning
-checkpoints[3]:
+checkpoints[4]:
   - id: research-findings
     name: Research Findings Checkpoint
     message: "Here are the combined findings from knowledge base and web research. Proceeding in 30s unless you want changes."
@@ -149,6 +158,31 @@ checkpoints[3]:
         effect:
           setVariable:
             assumption_deferred: true
+  - id: context-scope-declaration
+    name: Context Scope Declaration
+    message: "Did research use external web sources (web search, documentation URLs, external references)? This determines the provenance scope recorded in commit trailers and the provenance log."
+    blocking: false
+    defaultOption: repo-only
+    autoAdvanceMs: 15000
+    options[3]:
+      - id: repo-only
+        label: "Repository only — no external web sources used"
+        description: All research was based on codebase and local knowledge (default)
+        effect:
+          setVariable:
+            context_scope: repo-only
+      - id: web-retrieval
+        label: "External web sources used for design decisions"
+        description: Web search, external docs, or third-party references informed the approach
+        effect:
+          setVariable:
+            context_scope: web-retrieval
+      - id: mixed
+        label: "Both repository and external sources used"
+        description: Mix of codebase analysis and external references
+        effect:
+          setVariable:
+            context_scope: mixed
 transitions[1]:
   - to: implementation-analysis
     isDefault: true

work-package/activities/08-implement.toon

@@ -1,5 +1,5 @@
 id: implement
-version: 2.6.2
+version: 2.7.0
 name: Implement Tasks
 description: "Execute the implementation plan task by task. Each task follows a cycle of implement → test → commit. Assumptions are collected during each task, reconciled through code analysis after all tasks complete, and only unresolvable assumptions are presented to the user."
 problem: User needs to implement the planned tasks
@@ -11,12 +11,17 @@ required: true
 estimatedTime: 1-4h
 rules[1]:
   - "SYMBOL VERIFICATION: Every symbol introduced or referenced in code or documentation MUST have provenance — exists in codebase, in a declared dependency, or is newly created by the current task. Never fabricate symbols."
-artifacts[1]:
+artifacts[2]:
   - id: assumptions-log
     name: assumptions-log.md
     location: planning
     description: "Log of assumptions - continues from earlier phases (design-philosophy, requirements, research, analysis, planning)"
     action: update
+  - id: provenance-log
+    name: provenance-log.md
+    location: planning
+    description: "AI assistance provenance record. One row per task: task ID, model ID, prompt class (code-generation|refactoring|test-writing|docs), context_scope, and a one-line description of what was generated. Created on first task, appended on each subsequent task. Linked from PR description."
+    action: create
 entryActions[1]{action,target,message}:
   validate,branch,Verify on correct feature branch before any code changes
 skills:
@@ -27,7 +32,7 @@ loops[3]:
     type: forEach
     variable: current_task
     over: plan.tasks
-    steps[5]:
+    steps[6]:
       - id: implement-task
         name: Implement task
         skill: implement-task
@@ -38,6 +43,10 @@ loops[3]:
       - id: commit
         name: Commit changes
         skill: manage-git
+      - id: log-provenance
+        name: Log AI provenance
+        description: "Append a provenance record for this task to provenance-log.md."
+        skill: dco-provenance
       - id: self-review
         name: Self-review
         description: "Perform task completion review: (1) Symbol verification — confirm all new/referenced symbols have provenance in codebase or dependencies; (2) Quality checks — code follows patterns, tests pass, no debug prints, no untracked TODOs. Use attached resource 14 for verification checklist."
@@ -167,10 +176,12 @@ transitions[1]:
     isDefault: true
 exitActions[1]{action,message}:
   message,README PROGRESS: Update planning folder README.md — set Status to In Progress and mark implementation artifacts.
-outcome[2]:
+outcome[3]:
   - All tasks implemented
   - Changes committed
-context_to_preserve[3]:
+  - Provenance log created (provenance-log.md)
+context_to_preserve[4]:
   - completed_tasks - Tasks completed during implementation
   - assumptions - Assumptions made during implementation
   - commits - Commits created
+  - provenance_log_path - Path to provenance-log.md

work-package/activities/09-post-impl-review.toon

@@ -1,5 +1,5 @@
 id: post-impl-review
-version: 1.7.1
+version: 1.8.0
 name: Post-Implementation Review
 description: "Review implementation quality regardless of whether code was newly written or adopted. Ensures code review, test suite review, and architecture summary are completed before validation."
 problem: User needs to review implementation quality before validation
@@ -106,21 +106,45 @@ steps[7]:
       - action: set
         target: recommended_review_option
         description: "Set to the recommended review-findings option based on severity analysis"
-checkpoints[3]:
+checkpoints[4]:
   - id: file-index-table
     name: File Index Checkpoint
-    message: "File index written to {change_block_index_path}. Please review the diff in your side-by-side app using the index for reference, then provide row numbers for any files with issues (e.g., '24, 31, 106') or 'none' if all looks good."
+    message: "File index written to {change_block_index_path}. The index includes a rationale paragraph for each change block written by the agent. Please review the diff in your side-by-side app. Then: (1) confirm the rationale paragraphs are accurate (or note corrections), and (2) provide row numbers for any blocks with issues (e.g., '24, 31, 106') or 'none'. Your confirmation of the rationale serves as your provenance attestation for each change."
     blocking: true
-    options[2]:
+    options[3]:
+      - id: rationale-confirmed
+        label: "Rationale confirmed — no issues"
+        description: "Agent rationale paragraphs are accurate. All changes understood. Proceed with automated reviews."
+      - id: rationale-confirmed-with-issues
+        label: "Rationale confirmed (with corrections) — issues found"
+        description: "Provide corrections to any rationale paragraphs and comma-separated block indices with issues"
+        effect:
+          setVariable:
+            has_flagged_blocks: true
       - id: has-issues
-        label: Issues found - provide indices
-        description: Enter comma-separated list of block indices with issues
+        label: Issues found — rationale not yet reviewed
+        description: Enter comma-separated list of block indices with issues; rationale review deferred
         effect:
           setVariable:
             has_flagged_blocks: true
-      - id: no-issues
-        label: No issues found
-        description: All changes look good, proceed with automated reviews
+  - id: rationale-amendment
+    name: Rationale Amendment Checkpoint
+    condition:
+      type: simple
+      variable: has_flagged_blocks
+      operator: "=="
+      value: false
+    message: "Please provide any corrections to the agent rationale paragraphs in change-block-index.md, or confirm they are all accurate. Corrections are recorded in manual-diff-review-report.md as your provenance statement."
+    blocking: false
+    defaultOption: all-accurate
+    autoAdvanceMs: 20000
+    options[2]:
+      - id: all-accurate
+        label: "All rationale paragraphs are accurate (default)"
+        description: No corrections needed — rationale confirmed as written
+      - id: provide-corrections
+        label: "Provide corrections to specific blocks"
+        description: Amend rationale paragraphs for one or more blocks
   - id: block-interview
     name: Block Interview Checkpoint
     condition:

work-package/activities/10-validate.toon

@@ -1,5 +1,5 @@
 id: validate
-version: 2.5.0
+version: 2.6.0
 name: Verify & Validate Design
 description: "Validate the implementation through testing and build verification. Test suite quality was already reviewed in implement phase."
 problem: User needs to validate the implementation passes all tests
@@ -11,7 +11,7 @@ required: true
 estimatedTime: 15-30m
 skills:
   primary: meta/activity-worker
-steps[9]:
+steps[8]:
   - id: run-tests
     name: Run all tests
     description: "Execute unit, integration, e2e tests. Observe and record results."
@@ -73,17 +73,6 @@ steps[9]:
           variable: has_failures
           operator: ==
           value: true
-  - id: scan-commit-signatures-for-strategic
-    name: Scan PR commit signatures (preflight)
-    description: "In target_path, resolve MERGE_BASE against the default branch (try origin/main, origin/master, main, master in order). Run git log --format='%h %G? %s' MERGE_BASE..HEAD. If ANY line has %G? of N (no signature) or B (bad), set unsigned_commits_in_pr to true and populate unsigned_commit_list_summary with a concise list of affected commits; otherwise set unsigned_commits_in_pr to false and clear the summary. Review mode uses the same branch/PR under review. This runs before strategic-review so the orchestrator can resolve the unsigned-commits checkpoint with accurate state."
-    skill: manage-git
-    actions[2]:
-      - action: set
-        target: unsigned_commits_in_pr
-        message: "true if any commit in range has G? N or B; false if all commits good (G/U) or range empty"
-      - action: set
-        target: unsigned_commit_list_summary
-        message: "Comma-separated short lines (hash + subject) for unsigned/bad commits, or empty string if none"
 loops[1]:
   - id: fix-revalidate-cycle
     name: Fix and Revalidate Cycle
@@ -115,10 +104,7 @@ exitActions[1]{action,message}:
 outcome[2]:
   - All tests passing
   - Build successful
-context_to_preserve[6]:
+context_to_preserve[3]:
   - test_results - Test execution results
   - build_status - Build success/failure status
   - validation_passed - Whether all validation checks passed
-  - unsigned_commits_in_pr - Whether unsigned/bad GPG commits exist in PR range
-  - unsigned_commit_list_summary - Summary for strategic-review checkpoint messaging
-  - resign_unsigned_commits_requested - Filled when user opts to re-sign at strategic review

work-package/activities/11-strategic-review.toon

@@ -1,7 +1,7 @@
 id: strategic-review
-version: 2.5.1
+version: 2.6.0
 name: Strategic Review
-description: "Review the implementation to ensure changes are minimal and focused. Validates that the final PR contains only the changes required for the solution. Confirms GPG signatures on PR commits (with user consent before history rewrite) and ensures a changelog fragment exists when the target repo uses a root-level changes/ convention."
+description: "Review the implementation to ensure changes are minimal and focused. Validates that the final PR contains only the changes required for the solution. Ensures a changelog fragment exists when the target repo uses a root-level changes/ convention."
 problem: User needs to ensure changes are minimal and focused
 recognition[3]:
   - strategic review
@@ -20,21 +20,11 @@ artifacts[2]:
     name: "architecture-summary.md"
     location: planning
     description: "High-level architecture summary for management stakeholders. Uses UML-style diagrams (system context, package, sequence) to visualize changes. See architecture-summary resource for template."
-steps[9]:
+steps[8]:
   - id: diff-review
     name: Review diff
     description: "Examine all changes in the PR for scope and relevance"
     skill: review-strategy
-    checkpoint: unsigned-commits-prompt
-  - id: resign-unsigned-pr-commits
-    name: Re-sign unsigned commits
-    description: "Only when resign_unsigned_commits_requested is true. In target_path, rebase onto MERGE_BASE (same resolution as validate scan) and re-sign each commit: e.g. git rebase --exec 'git commit --amend --no-edit -S' MERGE_BASE (or equivalent interactive rebase) so every commit in MERGE_BASE..HEAD ends with a good GPG signature. Then git log --format='%h %G?' MERGE_BASE..HEAD to confirm no N/B remains. If push is required, use git push --force-with-lease. Set unsigned_commits_in_pr to false and resign_unsigned_commits_requested to false on success; document any failure in strategic-review-{n}.md."
-    skill: manage-git
-    condition:
-      type: simple
-      variable: resign_unsigned_commits_requested
-      operator: ==
-      value: true
   - id: identify-artifacts
     name: Identify artifacts
     description: "Find investigation artifacts, over-engineering, orphaned infrastructure"
@@ -77,29 +67,7 @@ steps[9]:
       - action: set
         target: recommended_strategic_option
         description: "Set to the recommended strategic review option based on findings analysis"
-checkpoints[2]:
-  - id: unsigned-commits-prompt
-    name: Unsigned or unverified commits
-    message: "Preflight scan reports one or more commits without a valid GPG signature in this PR range: {unsigned_commit_list_summary}. Re-sign all unsigned commits now? This rewrites branch history and may require force-with-lease push."
-    condition:
-      type: simple
-      variable: unsigned_commits_in_pr
-      operator: ==
-      value: true
-    blocking: true
-    options[2]:
-      - id: resign-all
-        label: Yes — re-sign all unsigned commits
-        description: Rewrites commits with GPG signatures using git rebase; confirm signing key is available
-        effect:
-          setVariable:
-            resign_unsigned_commits_requested: true
-      - id: decline-resign
-        label: No — proceed without re-signing
-        description: Keep history as-is; note unsigned commits in strategic-review documentation
-        effect:
-          setVariable:
-            resign_unsigned_commits_requested: false
+checkpoints[1]:
   - id: review-findings
     name: Strategic Review Findings Checkpoint
     message: "Strategic review complete. Based on findings analysis, the recommended action is {recommended_strategic_option}. Auto-advancing in 30s."
@@ -145,16 +113,13 @@ transitions[3]:
     isDefault: true
 exitActions[1]{action,message}:
   message,README PROGRESS: Update planning folder README.md — mark strategic review artifacts as ✅ Complete.
-outcome[6]:
+outcome[4]:
   - Changes validated as minimal and focused
   - Investigation artifacts and over-engineering removed
   - Review findings documented in strategic-review-{n}.md
   - Architecture summary created in architecture-summary.md for stakeholder communication
-  - PR commit GPG signature expectations addressed (resign completed or user declined with documentation)
   - Changelog fragment added when target repo uses root changes/ and none existed for this work
-context_to_preserve[5]:
+context_to_preserve[3]:
   - review_findings - Findings from strategic review
   - review_passed - Whether review passed
   - items_removed - List of items removed during cleanup
-  - unsigned_commits_in_pr - Whether any unsigned commits remained after strategic review
-  - resign_unsigned_commits_requested - Whether user requested resign at checkpoint