Skip to content

Harden Coding PR Delivery production profile#18

Open
hnic wants to merge 67 commits into
mainfrom
codex/coding-pr-delivery-hardening-phase1
Open

Harden Coding PR Delivery production profile#18
hnic wants to merge 67 commits into
mainfrom
codex/coding-pr-delivery-hardening-phase1

Conversation

@hnic

@hnic hnic commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

Context

Hardens Coding PR Delivery production readiness so reviewers can audit typed-tool, provider, reconciliation, and execution-plan gates before production writes.

TL;DR

Adds deterministic production-profile gates, preflight/status tooling, and provider evidence handoff packets.

Summary

  • Add production-profile validators for provider matrix, exceptions, claims, and packets.
  • Add review, enablement, apply, observation, decision, and status projections.
  • Enforce backend scrubbing rules, singleton readiness, and CNB shadow/no-write boundaries.
  • Expose Phase 2 evidence plans for Linear + GitHub, TAPD + CNB, and Linear + CNB.
  • Add read-only provider preflight commands with env/auth/target prerequisites.
  • Validate Phase 2 preflight reports as bounded blocker metadata without raw output.
  • Collect read-only Phase 2 preflight reports through workflow.command.
  • Project bounded production-profile status from plans, blockers, and preflight reports.
  • Project provider-owner evidence requests from Phase 2 plans for handoff.
  • Project Phase 2 evidence bundles from requests, preflight reports, and packets.
  • Package Phase 2 provider handoff state and next commands into one bounded packet.
  • Require Phase 4 review plans to cite preflight reports before completed evidence.
  • Require final review packets to include passed preflight reports covering providers.
  • Harden evidence, preflight, observation, and claim refs to bounded prefixes.
  • Add workflow.command exports, validators, collectors, requests, bundles, and templates.
  • Keep production gates blocked until evidence, rollback, retention, and sign-off exist.

Alternatives

  • Keep hardening as docs only, but reviewers need deterministic admission checks.
  • Store raw provider smoke output, but that would weaken the no-secret boundary.
  • Enable production writes during validation, but gates must stay disabled until sign-off.

Test Plan

  • make -C elixir all
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_handoff_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_handoff_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_bundle_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_bundle_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_request_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_request_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_collector_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_preflight_collect_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_evidence_handoff -- --plan tiered_reference --json | jq ...blocked handoff...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_evidence_bundle -- --plan linear_cnb_shadow --json | jq ...blocked bundle...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_evidence_request -- --plan tiered_reference --json | jq ...bounded request...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_preflight_collect -- --plan tiered_reference --repo joosure/Maestro --pr 18 --json | jq ...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_status -- --plan tiered_reference --json | jq ...blocked status...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind preflight_report --file <metadata-json> --json | jq ...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind evidence_packet --file <metadata-json> --json | jq ...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind review_packet --file <metadata-json> --json | jq ...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_template -- --kind preflight_report_template --file <phase2-plan-json> --json | jq ...bounded refs...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_template -- --kind observation_status_template --file <apply-record-json> --json | jq ...bounded refs...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind observation_status --file <metadata-json> --json | jq ...bounded refs...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind claim --file <phase2-reference-claim-json> --json | jq ...bounded refs...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_plan -- --phase phase2 --plan tiered_reference --json | jq ...read_only_preflight...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_plan -- --phase phase4 --plan tiered_reference --json | jq ...provider_preflight_reports...
  • mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_plan -- --phase phase4 --plan linear_cnb_shadow --linear-cnb-shadow-run-id smoke-shadow-run --json
  • mise exec -- mix tracker.smoke --template linear/github/opencode --json fails read-only without Linear credentials
  • mise exec -- mix tracker.smoke --template tapd/cnb/opencode --json fails read-only without TAPD credentials
  • mise exec -- mix repo_provider.smoke --provider cnb --json reaches current-kind and fails without CNB_TOKEN
  • detect-secrets scan <changed production-profile evidence-handoff source and test files>
  • detect-secrets scan <changed production-profile evidence-bundle source and test files>
  • detect-secrets scan <changed production-profile evidence-request source and test files>
  • detect-secrets scan <changed production-profile status source and test files>
  • detect-secrets scan <changed preflight collector source and test files>
  • detect-secrets scan <changed preflight/prod-profile source and test files>
  • detect-secrets scan <changed observation-status source and test files>
  • detect-secrets scan <changed provider-matrix/governance/typed-exception files>
  • detect-secrets scan elixir/test/symphony_elixir/workflow/structured_execution_plan/store_test.exs

hnic and others added 30 commits June 25, 2026 13:55
Summary:
- Add a Coding PR Delivery production-profile validator for scoped
  non-typed tool exception records.
- Cover accepted records and rejection of broad passthrough, weak schema,
  missing evidence, missing expiry, invalid scope, and unsafe rollback.

Rationale:
- Production should remain typed-tool first by default. Exception records
  need deterministic admission checks before a production enablement packet
  can cite them.
- The validator is pure and does not enable raw provider execution.

Tests:
- mise exec -- mix format --check-formatted
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/typed_tool_exception_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/provider_matrix_test.exs test/symphony_elixir/dynamic_tool_execution_guard_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix test

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Coding PR Delivery production-profile claim validator that composes
  provider matrix, structured-plan governance, and optional typed-tool
  exception evidence.
- Cover accepted Phase 2 packets and rejection of missing governance,
  invalid nested evidence, unmatched exceptions, and malformed exceptions.

Rationale:
- Phase 2 review packets need a single deterministic admission boundary
  before any scoped production claim is accepted.
- The validator is pure and does not enable providers, gates, or workflow
  side effects.

Tests:
- mise exec -- mix format --check-formatted
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/claim_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/provider_matrix_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/typed_tool_exception_test.exs test/symphony_elixir/workflow/structured_execution_plan/production_profile/governance_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix test

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a production-profile evidence runbook builder for Coding PR
  Delivery Phase 2 provider evidence collection.
- Cover ready-to-land and shadow/no-write provider entries, evidence
  destinations, typed-tool exceptions, topology non-claims, rollback,
  and claim validation failure paths.

Rationale:
- Phase 2 needs a deterministic handoff artifact that translates an
  accepted production claim into provider-specific evidence work without
  calling live providers or enabling production gates.
- The projection keeps TAPD + CNB shadow evidence boundaries explicit
  while preserving the existing claim validator as the admission source.

Tests:
- mise exec -- mix format --check-formatted
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_runbook_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/claim_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/provider_matrix_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/typed_tool_exception_test.exs test/symphony_elixir/workflow/structured_execution_plan/production_profile/governance_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix test

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Coding PR Delivery production-profile facade for provider-matrix,
  typed-tool exception, production-claim, and evidence-runbook checks.
- Cover the facade with TAPD + CNB shadow/no-write admission and
  diagnostic runbook tests.

Rationale:
- Phase 2 tooling and reviewers need a stable pure entrypoint instead of
  binding directly to internal admission modules.
- The facade delegates to the owning validators, preserving fail-closed
  behavior while avoiding provider calls, workflow mutation, or production
  gate changes.

Tests:
- mise exec -- mix format --check-formatted
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_runbook_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/claim_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/provider_matrix_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/typed_tool_exception_test.exs test/symphony_elixir/workflow/structured_execution_plan/production_profile/governance_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix test

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a production-profile end-to-end smoke test for the TAPD + CNB
  shadow path.
- Exercise the public facade from Phase 2 claim templates through
  evidence, review, enablement, operator apply, observation status, and
  observation decision boundaries.

Rationale:
- Phase 1 needs deterministic evidence that the shadow production-profile
  packet chain preserves no-write, scrubbing, retention, manual operator,
  raw-evidence, and non-enablement boundaries.
- The test stays metadata-only and does not collect live provider evidence
  or enable production gates.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/end_to_end_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile
- mise exec -- mix format --check-formatted

Co-authored-by: Codex <codex@openai.com>
hnic and others added 30 commits June 25, 2026 19:59
Summary:
- Add a deterministic Phase 2 evidence-plan builder for the Coding PR
  Delivery production profile.
- Expose tiered Linear + GitHub, TAPD + CNB shadow, and Linear + CNB
  shadow evidence plans through the production profile facade.
- Keep generated plans explicitly bounded to planning metadata, with no
  live evidence collection, provider calls, workflow mutation, or production
  enablement.

Rationale:
- The hardening plan needs a reviewable bridge from accepted provider
  claim templates to the concrete Phase 2 evidence packets reviewers must
  fill before Phase 4.
- Keeping this layer pure preserves the production switch boundary while
  making the provider matrix and CNB shadow evidence expectations auditable.
- Small type, lint, and architecture-rule cleanups keep the full Elixir gate
  green for this batch.

Tests:
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a deterministic Phase 4 review-plan projection for Coding PR
  Delivery production hardening.
- Project review-packet requirements, completed-evidence blockers,
  rollback mapping, scrubbing expectations, operator-inspection bounds,
  authority boundaries, and explicit non-claims from Phase 2 evidence plans.
- Expose the projection through the production profile facade with tests for
  Linear + GitHub, TAPD + CNB shadow, and Linear + CNB shadow planning paths.

Rationale:
- The hardening plan needs a reviewer-facing bridge from Phase 2 evidence
  planning to the Phase 4 packet without pretending live provider evidence or
  owner sign-offs already exist.
- Keeping this projection blocked and side-effect free preserves the production
  gate boundary while making the remaining approval blockers explicit.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/phase4_review_plan_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile
- mise exec -- mix lint
- mise exec -- mix test test/symphony_elixir/repo_architecture_test.exs
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Split the structured-plan evidence-ref fake secret fixture across string
  fragments while preserving the same runtime validation payload.
- Keep the scrubber assertion coverage intact without introducing a new
  detect-secrets baseline candidate.

Rationale:
- GitHub secret-scan failed because detect-secrets saw the intentionally fake
  LINEAR_API_KEY fixture as a new secret keyword candidate.
- Constructing the fixture at runtime keeps the test meaningful while avoiding
  source-level false positives in the secret scanner.

Tests:
- mise exec -- mix format --check-formatted test/symphony_elixir/workflow/structured_execution_plan/store_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/structured_execution_plan/store_test.exs
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Build the metadata key/value fixture at runtime in the evidence scrubber
  storage test.
- Keep the assertion that sensitive metadata is redacted before persisted
  payloads can be inspected.

Rationale:
- CI secret scanning flags static fake credential-looking literals even when
  they are test-only scrubber fixtures.
- The test still exercises the same redaction path while avoiding a new
  detect-secrets candidate outside the repository baseline.

Tests:
- python3 -m detect_secrets scan elixir/test/symphony_elixir/workflow/structured_execution_plan/store_test.exs
- mise exec -- mix format --check-formatted test/symphony_elixir/workflow/structured_execution_plan/store_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/structured_execution_plan/store_test.exs
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Coding PR Delivery operator command that exports Phase 2 evidence
  plans and Phase 4 review plans as JSON.
- Register the command through the workflow extension command registry and
  cover phase, shadow run id, registration, and error-scrubbing behavior.

Rationale:
- Phase 2 provider evidence collection needs a stable machine-readable plan
  generated from the same production-profile validators used by reviewers.
- Keeping this behind the generic workflow.command host preserves the platform
  boundary and avoids direct Mix task coupling to the concrete extension.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan_test.exs
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Coding PR Delivery operator command for bounded
  production-profile packet validation and review or observation
  decision projection.
- Register the command and cover metadata-file validation, bounded
  summaries, raw packet suppression, and registry exposure.

Rationale:
- Phase 2 and Phase 4 handoff need an operator-facing way to submit
  collected evidence and review metadata through the same validators
  used by the production-profile tests.
- Keeping the entrypoint behind generic workflow.command preserves
  extension boundaries and avoids provider calls or production side
  effects.

Tests:
- mise exec -- mix format --check-formatted lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate.ex
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind review_decision --file <metadata-json> --json
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Coding PR Delivery operator command for bounded
  production-profile packet template generation.
- Register the command and cover evidence, review, enablement,
  operator apply, and observation template handoffs.

Rationale:
- Phase 2 and Phase 4 evidence collection still require external
  provider evidence and owner sign-off, but operators need a
  deterministic way to generate the next packet shape from accepted
  metadata.
- Keeping the entrypoint behind workflow.command preserves extension
  boundaries and avoids provider calls, evidence-file reads, production
  approval, and gate enablement.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs test/symphony_elixir/repo_architecture_test.exs
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template_test.exs
- mise exec -- mix specs.check
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_template -- --kind evidence_packet_template --file <metadata-json> --json
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Correct Phase 4 review-plan source spec citations for typed tools and
  review handoff readiness.
- Add deterministic coverage that rejects the stale extension-scoped
  citation paths in generated review packet requirements.

Rationale:
- Phase 4 review packets need to point reviewers at the source-of-truth
  specs from the hardening plan, not stale paths under the Coding PR
  Delivery extension tree.
- Keeping these citations exact makes the generated review packet easier
  to audit before live provider evidence and owner sign-off are attached.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/phase4_review_plan_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_plan_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_plan -- --phase phase4 --plan tiered_reference --json | jq ...
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add required scrubbing pattern-rule categories to production governance
  packets.
- Require Coding PR Delivery Phase 4 review packets and templates to
  carry those rules with catalog version, fail-closed behavior,
  boundaries, and test results.

Rationale:
- The production hardening plan requires Phase 4 review packets to cite
  concrete scrubber rules, not only catalog versions and pass/fail
  summaries.
- Failing closed on missing rule categories keeps evidence packets
  auditable before live provider evidence and owner sign-off are attached.

Tests:
- mise exec -- mix format ...
- targeted production_profile and operator command mix test suites
- workflow.command production_profile_plan scrubber rule jq smoke
- mise exec -- mix specs.check
- mise exec -- mix credo --strict ...
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add read-only provider preflight commands to Phase 2 evidence plans.
- Surface Linear, TAPD, GitHub, and CNB credential prerequisites and
  no-write flags through production-profile plan JSON.

Rationale:
- Phase 2 live evidence is currently blocked by missing provider
  credentials and concrete issue or PR targets.
- Emitting preflight commands in the deterministic evidence plan gives
  provider owners an auditable first step without calling providers or
  enabling production gates.

Tests:
- targeted phase2 evidence-plan, operator-command, and architecture tests
- workflow.command Phase 2 preflight JSON jq smoke
- mise exec -- mix specs.check
- mise exec -- mix credo --strict ...
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add preflight-report admission for Phase 2 read-only provider checks.
- Require Phase 4 review plans to cite validated preflight reports before
  completed provider evidence.

Rationale:
- Linear, TAPD, and CNB evidence collection can be blocked by missing
  credentials and concrete provider targets.
- Capturing those blockers as bounded metadata keeps provider-evidence gaps
  auditable without storing raw provider output or enabling production gates.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_validate_test.exs
- workflow.command preflight_report and Phase 2/4 jq smokes
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Require final production review packets to include validated provider
  preflight reports.
- Reject blocked or provider-matrix-mismatched preflight reports before ready
  review decisions can be projected.

Rationale:
- Phase 4 review plans already require preflight reports before completed
  provider evidence is reviewed.
- Enforcing the same boundary in final review-packet admission prevents a
  ready review decision from bypassing Phase 2 preflight evidence.

Tests:
- targeted production_profile and operator command tests
- workflow.command review_packet jq smoke
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Reject raw provider output and token-like fields in completed Phase 2
  evidence packets.
- Require completed evidence references to be bounded repository evidence
  paths or HTTP(S) links, and expose that boundary in generated templates.

Rationale:
- Phase 2 packets should carry auditable evidence references, not raw
  provider output, environment snapshots, or token material.
- Failing closed on placeholder, temp, file, and non-evidence refs keeps
  Phase 4 review packets reviewable before live provider evidence is
  accepted.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_template_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_template.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_template_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_validate -- --kind evidence_packet --file <metadata-json> --json | jq ...
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Replace a raw-payload test fixture key that looked like a secret with a
  neutral provider-output key.

Rationale:
- The evidence-packet validator still rejects raw provider payload fields.
- The fixture should exercise that boundary without creating new
  detect-secrets candidates in CI.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_template_test.exs
- detect-secrets scan elixir/test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_packet_test.exs

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Phase 2 preflight-report fill template over evidence plans.
- Expose the template through the production-profile facade and generic
  production_profile_template operator command.

Rationale:
- Provider evidence collection should start from bounded metadata shapes
  rather than hand-written preflight report JSON.
- The template enumerates planned read-only preflight commands, prerequisite
  fields, pass/block fields, no-write flags, and raw-output boundaries without
  calling providers or enabling production.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_template_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_template.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_template_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template_test.exs
- detect-secrets scan elixir/lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_template.ex elixir/test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/preflight_report_template_test.exs elixir/test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_template_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_template -- --kind preflight_report_template --file <metadata-json> --json | jq ...
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Require passed provider preflight reports to cite bounded evidence
  references.
- Add evidence reference placeholders and allowed prefixes to generated
  preflight report templates.

Rationale:
- Phase 2 preflight status should be auditable before final review packets can
  become ready.
- Blocked preflight reports can still capture missing prerequisites while any
  provided evidence references are checked with the same bounded rules.

Tests:
- Targeted production-profile preflight/report/template tests: passed.
- Full production-profile and operator-command suites: passed.
- mix specs.check and targeted credo strict: passed.
- detect-secrets scan over changed source and test files: empty results.
- workflow.command preflight template and validation JSON smokes: passed.
- git diff --check: passed.
- make -C elixir all: passed.

Co-authored-by: Codex <codex@openai.com>
Summary:
- Require observation-window criterion evidence to use bounded references.
- Add allowed evidence-reference prefixes and repository evidence placeholders
  to generated observation-status templates.

Rationale:
- Observation-window evidence is part of the production handoff and should use
  the same bounded reference contract as Phase 2 evidence and preflight reports.
- Templates should not emit placeholder evidence strings that later fail the
  production-profile validator.

Tests:
- Targeted observation status/template/decision/end-to-end tests: passed.
- Full production-profile and operator-command suites: passed.
- mix specs.check and targeted credo strict: passed.
- detect-secrets scan over changed observation files: empty results.
- workflow.command observation-status template and validation JSON smokes:
  passed.
- git diff --check: passed.
- make -C elixir all: passed.

Co-authored-by: Codex <codex@openai.com>
Summary:
- Require provider-matrix and typed-tool exception evidence refs to be
  bounded.
- Require structured-plan governance evidence refs to use the same bounded
  ref contract.

Rationale:
- Phase 2 runbooks should not be built from claim-input evidence metadata
  that points at placeholders, temp files, file URLs, or arbitrary
  non-evidence refs.
- This aligns production-claim inputs with the already hardened evidence,
  preflight, and observation packet boundaries.

Tests:
- Targeted provider-matrix, typed-tool exception, governance, claim, and
  evidence-runbook tests passed.
- Full production-profile, operator-command, and structured-governance suites
  passed.
- mix specs.check and targeted credo strict passed.
- detect-secrets scan over changed source and test files returned empty
  results.
- workflow.command claim validation JSON smoke passed.
- git diff --check passed.
- make -C elixir all passed.

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a Phase 2 read-only preflight-report collector and workflow command.
- Record missing env/auth/target prerequisites as bounded blocked preflight
  metadata, and run only planned read-only smoke probes when prerequisites are
  present.
- Keep raw stdout/stderr out of report metadata and register the new command in
  the Coding PR Delivery operator-command surface.

Rationale:
- Phase 2 provider evidence collection should be reproducible instead of
  relying on hand-filled preflight reports.
- The collector moves real-environment evidence gathering forward while keeping
  write/destructive flags, workflow mutation, production approval, and gate
  enablement out of scope.

Tests:
- Production-profile and operator-command suites passed: 190 tests.
- Runtime registry and collector tests passed.
- workflow.command preflight collection smoke for PR 18 passed with GitHub
  read-only preflight passed and Linear/TAPD/CNB prerequisite blockers
  captured.
- mix specs.check, targeted credo strict, detect-secrets, and git diff --check
  passed.
- make -C elixir all passed: 2448 tests, 0 failures, 19 skipped; coverage
  73.00%; Dialyzer total errors 0.

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a bounded production-profile status report that combines a Phase 2
  evidence plan, Phase 4 blockers, and optional preflight metadata.
- Expose the status projection through the ProductionProfile facade and a
  workflow.command operator command.
- Add deterministic tests for missing, blocked, passed, and invalid preflight
  status handling plus command registry coverage.

Rationale:
- Reviewers need one bounded packet that explains why Phase 4 remains blocked
  without manually reconciling preflight reports with review-plan blockers.
- The projection stays read-only: it does not read referenced evidence files,
  call providers, mutate workflow state, approve production, or enable gates.

Tests:
- make -C elixir all
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status_test.exs
- detect-secrets scan elixir/lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report.ex elixir/lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status.ex elixir/test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/status_report_test.exs elixir/test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_status_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_status -- --plan tiered_reference --json | jq ...

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a bounded production evidence request projection over Phase 2
  evidence plans.
- Expose the projection through the Coding PR Delivery facade and a
  workflow.command operator command.
- Register the command and cover provider prerequisites, CNB shadow
  boundaries, file-based plan input, and raw-input redaction behavior.

Rationale:
- Phase 2 still needs external provider-owned evidence for Linear,
  TAPD, CNB, and CNB shadow paths. This gives operators a deterministic
  handoff packet before any live provider calls are made.
- The projection preserves the existing no-provider-call and
  no-production-enable boundary while making remaining credentials,
  targets, preflight commands, and evidence files explicit.

Tests:
- make -C elixir all
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_request_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_request_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_evidence_request -- --plan tiered_reference --json | jq ...
- mise exec -- mix specs.check
- mise exec -- mix credo --strict <changed evidence request files>
- detect-secrets scan <changed evidence request files>
- mise exec -- mix dialyzer --format short

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a bounded Phase 2 evidence bundle readiness projection that
  reconciles evidence requests, provider preflight reports, and completed
  evidence packet metadata.
- Expose the projection through the production-profile facade and a new
  operator command registered with the Coding PR Delivery extension.
- Add deterministic unit and command coverage for ready, missing,
  mismatched, duplicate, and invalid bundle states.

Rationale:
- Phase 2 provider evidence needs a deterministic handoff artifact before
  Phase 4 review, especially for CNB shadow/no-write evidence boundaries.
- The projection intentionally stays read-only: it does not read referenced
  evidence files, call providers, mutate workflow state, approve production,
  or enable gates.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_bundle_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_bundle_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix format --check-formatted
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_bundle.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_bundle.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_bundle_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_bundle_test.exs
- mise exec -- mix dialyzer --format short
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Summary:
- Add a bounded Phase 2 evidence handoff projection that combines the
  evidence plan, provider-owner request, status, and evidence-bundle
  readiness into one provider-owner packet.
- Expose the projection through the production-profile facade and a new
  workflow.command operator command.
- Register the command and add deterministic unit, command, and runtime
  registry coverage.

Rationale:
- The remaining hardening work needs external provider owners to supply
  credentials, targets, preflight reports, and completed evidence packets.
- A single bounded handoff packet reduces manual assembly risk while keeping
  production blocked until provider evidence and Phase 4 sign-off exist.
- The projection remains read-only: it does not read evidence refs, call
  providers, mutate workflow state, approve production, or enable gates.

Tests:
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_handoff_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_handoff_test.exs test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix test test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands test/symphony_elixir/workflow/extension/runtime_test.exs
- mise exec -- mix workflow.command --id symphony.workflow.extension.coding_pr_delivery.production_profile_evidence_handoff -- --plan tiered_reference --json | jq -e ...
- mise exec -- mix format --check-formatted
- mise exec -- mix specs.check
- mise exec -- mix credo --strict lib/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_handoff.ex lib/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_handoff.ex test/symphony_elixir/workflow/extensions/coding_pr_delivery/production_profile/evidence_handoff_test.exs test/symphony_elixir/workflow/extensions/coding_pr_delivery/operator_commands/production_profile_evidence_handoff_test.exs
- detect-secrets scan <changed evidence handoff files>
- mise exec -- mix dialyzer --format short
- make -C elixir all

Co-authored-by: Codex <codex@openai.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant