|
| 1 | +# ENGI Spec V10 |
| 2 | + |
| 3 | +Status: draft |
| 4 | +Scope: ENGI v1 / V10 upgrade draft |
| 5 | +Canonical pointer: `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC.txt` remains `V8` until V10 is explicitly promoted |
| 6 | +Baseline: `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V9.md` |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +# 1. Executive summary |
| 11 | + |
| 12 | +V10 is the **artifact-intake and identity/auth finalization** spec. |
| 13 | + |
| 14 | +V9 closed major finality gaps around prompt completeness, static receipts, projection enforcement, proof witness closure, accounting precision, and scenario realism. |
| 15 | + |
| 16 | +V10 keeps that V9 closure work. |
| 17 | +V10 does not invalidate V9. |
| 18 | + |
| 19 | +V10 upgrades the surfaces that remain too weak at the repo boundary: |
| 20 | + |
| 21 | +1. artifact intake must stop being effectively textarea-first, |
| 22 | +2. all artifact kinds must be first-class at intake time, |
| 23 | +3. intake should move toward authenticated repo-bound artifact selection, |
| 24 | +4. identity/auth must become a coherent cluster of: |
| 25 | + - addressing, |
| 26 | + - signing, |
| 27 | + - GitHub App auth payloads, |
| 28 | + - installation-scoped authorization semantics. |
| 29 | + |
| 30 | +The central V10 rule is: |
| 31 | + |
| 32 | +> If ENGI claims that repository-bound engineering artifacts are the subject of selection, proof, and settlement, then the intake and auth surfaces MUST begin from repository-addressable artifact inventory and MUST carry explicit address + signing + GitHub App auth structure. |
| 33 | +
|
| 34 | +--- |
| 35 | + |
| 36 | +# 2. Why V10 exists |
| 37 | + |
| 38 | +An audit of the current V9 local demo shows that the remaining weakness is not in ranking or proof closure. |
| 39 | +It is at the intake and authority boundary. |
| 40 | + |
| 41 | +The strongest V9-to-V10 gaps are: |
| 42 | + |
| 43 | +- deposit UX is still centered on freeform form fields plus pasted content, |
| 44 | +- artifact kinds exist, but they are not all equally selection-first at intake time, |
| 45 | +- GitHub-bound metadata is present, but repo artifact inventory is not yet a first-class surface, |
| 46 | +- signer state is visible, but addressing and signing are not canonically separated, |
| 47 | +- installation id exists, but GitHub App auth payload structure is still too shallow, |
| 48 | +- identity/auth proofs do not yet bind the full address + signing + installation-scoped auth cluster. |
| 49 | + |
| 50 | +V10 exists to close those gaps without undoing V9. |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +# 3. Source-of-truth and versioning rule |
| 55 | + |
| 56 | +V10 preserves the ENGI versioning rule: |
| 57 | + |
| 58 | +- each new spec version is written as a new versioned file, |
| 59 | +- previous versions remain in place, |
| 60 | +- `ENGI_SPEC.txt` is the only canonical pointer, |
| 61 | +- V10 implementation work may land while the canonical pointer remains on `V8`. |
| 62 | + |
| 63 | +Therefore: |
| 64 | + |
| 65 | +- V10 lives in `ENGI_SPEC_V10.md`, |
| 66 | +- V9 remains in place, |
| 67 | +- V8 remains the canonical pointer until explicit promotion. |
| 68 | + |
| 69 | +--- |
| 70 | + |
| 71 | +# 4. Normative language |
| 72 | + |
| 73 | +The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, **SHOULD NOT**, and **MAY** are to be interpreted as normative requirements for V10 conformance. |
| 74 | + |
| 75 | +--- |
| 76 | + |
| 77 | +# 5. Conformance profiles |
| 78 | + |
| 79 | +## 5.1 Profile A — local deterministic V10 prototype |
| 80 | + |
| 81 | +Profile A remains the local deterministic repository-contained prototype. |
| 82 | + |
| 83 | +Profile A MAY locally model: |
| 84 | + |
| 85 | +- authenticated GitHub App repo sessions, |
| 86 | +- installation-scoped permissions, |
| 87 | +- repo artifact inventory, |
| 88 | +- artifact addressing surfaces, |
| 89 | +- signing payload surfaces, |
| 90 | +- GitHub App auth payloads. |
| 91 | + |
| 92 | +Profile A MUST NOT: |
| 93 | + |
| 94 | +- fake live token minting, |
| 95 | +- fake live repository fetches, |
| 96 | +- fake live GitHub writes, |
| 97 | +- represent modeled auth payloads as if they were live network-backed tokens. |
| 98 | + |
| 99 | +## 5.2 Profile B — external production-boundary intent |
| 100 | + |
| 101 | +Profile B remains the live external boundary profile. |
| 102 | + |
| 103 | +Profile B is where: |
| 104 | + |
| 105 | +- real GitHub App installation auth happens, |
| 106 | +- real repo artifact inventory is fetched, |
| 107 | +- real repository actions are authorized, |
| 108 | +- real signer/org verification occurs. |
| 109 | + |
| 110 | +V10 requires Profile B payload shapes to be explicit even when Profile A models them locally. |
| 111 | + |
| 112 | +--- |
| 113 | + |
| 114 | +# 6. V10 intake model |
| 115 | + |
| 116 | +V10 introduces a stronger intake rule: |
| 117 | + |
| 118 | +```ts |
| 119 | +type ArtifactIntakeMode = |
| 120 | + | 'repo-artifact-selection' |
| 121 | + | 'repo-artifact-selection-plus-note' |
| 122 | + | 'raw-fallback' |
| 123 | +``` |
| 124 | +
|
| 125 | +The preferred V10 intake order is: |
| 126 | +
|
| 127 | +1. select from authenticated repo-bound artifact inventory, |
| 128 | +2. optionally append operator note or raw supplement, |
| 129 | +3. use raw-only intake only as an explicit fallback. |
| 130 | +
|
| 131 | +The demo UX MUST NOT effectively stop at a raw textarea deposit flow. |
| 132 | +
|
| 133 | +--- |
| 134 | +
|
| 135 | +# 7. Required V10 artifact-inventory surfaces |
| 136 | +
|
| 137 | +```ts |
| 138 | +type RepoArtifactInventoryEntry = { |
| 139 | + inventoryEntryId: string |
| 140 | + repo: string |
| 141 | + artifactKind: string |
| 142 | + artifactType: string |
| 143 | + originKind: |
| 144 | + | 'workflow-artifact' |
| 145 | + | 'benchmark-output' |
| 146 | + | 'commit-file' |
| 147 | + | 'pull-request-comment' |
| 148 | + | 'incident-document' |
| 149 | + | 'proof-log' |
| 150 | + | 'config-snapshot' |
| 151 | + | 'attestation-bundle' |
| 152 | + title: string |
| 153 | + summary: string |
| 154 | + sourceCommit?: string |
| 155 | + sourcePath?: string |
| 156 | + workflowRunId?: string |
| 157 | + workflowJobName?: string |
| 158 | + checkSuiteId?: string |
| 159 | + artifactName?: string |
| 160 | + tags: string[] |
| 161 | + declaredStacks: string[] |
| 162 | + declaredConstraints: string[] |
| 163 | + previewSurface: string |
| 164 | + content: string |
| 165 | +} |
| 166 | +``` |
| 167 | +
|
| 168 | +V10 requirements: |
| 169 | +
|
| 170 | +1. The local demo MUST expose a repo-bound artifact inventory surface. |
| 171 | +2. The inventory MUST cover all artifact kinds present in the V10 demo surface, not only pasted freeform text. |
| 172 | +3. Intake manifests MUST record which inventory entries were selected. |
| 173 | +4. The intake surface MUST preserve enough repo/workflow/file addressing data to replay selection provenance. |
| 174 | +
|
| 175 | +--- |
| 176 | +
|
| 177 | +# 8. Required V10 identity/auth cluster |
| 178 | +
|
| 179 | +V10 replaces vague identity/auth language with four explicit surfaces: |
| 180 | +
|
| 181 | +## 8.1 Addressing surface |
| 182 | +
|
| 183 | +```ts |
| 184 | +type AddressingSurface = { |
| 185 | + addressingScope: |
| 186 | + | 'repo' |
| 187 | + | 'repo-commit' |
| 188 | + | 'repo-file' |
| 189 | + | 'workflow-run' |
| 190 | + | 'workflow-artifact' |
| 191 | + | 'multi-artifact-selection' |
| 192 | + repo: string |
| 193 | + ref?: string |
| 194 | + commit?: string |
| 195 | + workflowRunId?: string |
| 196 | + workflowPath?: string |
| 197 | + workflowJobName?: string |
| 198 | + sourcePaths: string[] |
| 199 | + selectedInventoryEntryIds: string[] |
| 200 | +} |
| 201 | +``` |
| 202 | +
|
| 203 | +## 8.2 Signing surface |
| 204 | +
|
| 205 | +```ts |
| 206 | +type SigningSurface = { |
| 207 | + signerAddress: string |
| 208 | + signerClass: string |
| 209 | + signingAlgorithm: string |
| 210 | + keySource: string |
| 211 | + attestationHash: string |
| 212 | + payloadHash: string |
| 213 | + signatureChecksPass: boolean |
| 214 | + signedPayloadHashMatchesContentRoot: boolean |
| 215 | +} |
| 216 | +``` |
| 217 | +
|
| 218 | +## 8.3 GitHub App auth surface |
| 219 | +
|
| 220 | +```ts |
| 221 | +type GitHubAppAuthSurface = { |
| 222 | + authMechanism: 'github-app-installation' |
| 223 | + appId: string |
| 224 | + appSlug: string |
| 225 | + installationId: string |
| 226 | + installationAccountLogin: string |
| 227 | + installationAccountType: 'Organization' | 'User' |
| 228 | + repositoryId: string |
| 229 | + repositoryNodeId: string |
| 230 | + repositorySelection: 'selected' | 'all' |
| 231 | + permissions: Record<string, string> |
| 232 | + profileABoundary: string |
| 233 | + profileBBoundary: string |
| 234 | +} |
| 235 | +``` |
| 236 | +
|
| 237 | +## 8.4 Artifact selection surface |
| 238 | +
|
| 239 | +```ts |
| 240 | +type ArtifactSelectionSurface = { |
| 241 | + intakeMode: ArtifactIntakeMode |
| 242 | + authSessionId?: string |
| 243 | + selectedInventoryEntryIds: string[] |
| 244 | + selectedArtifactKinds: string[] |
| 245 | + selectedOriginKinds: string[] |
| 246 | + rawFallbackUsed: boolean |
| 247 | + appendedOperatorNote: boolean |
| 248 | +} |
| 249 | +``` |
| 250 | +
|
| 251 | +V10 requirements: |
| 252 | +
|
| 253 | +1. Every selected candidate asset MUST carry all four surfaces. |
| 254 | +2. Installation id MUST be part of the GitHub App auth surface, not just a stray field. |
| 255 | +3. Addressing and signing MUST be distinct surfaces, even when linked. |
| 256 | +4. Intake manifests MUST preserve selection/auth/address/signing closure together. |
| 257 | +
|
| 258 | +--- |
| 259 | +
|
| 260 | +# 9. Required V10 manifest and branch-artifact behavior |
| 261 | +
|
| 262 | +When V10 surfaces are claimed, the implementation MUST materialize them in branch artifacts or equivalent manifest payloads. |
| 263 | +
|
| 264 | +At minimum V10 branch materialization MUST expose: |
| 265 | +
|
| 266 | +- artifact upload/intake manifest with selected inventory refs, |
| 267 | +- identity bindings with installation-scoped GitHub App principals when present, |
| 268 | +- GitHub boundary/auth surface with installation-scoped payload fields, |
| 269 | +- candidate-level address + signing surfaces inside the selected upload/intake manifest. |
| 270 | +
|
| 271 | +V10 MAY emit additional dedicated artifacts for: |
| 272 | +
|
| 273 | +- repo artifact selection manifest, |
| 274 | +- addressing manifest, |
| 275 | +- signing manifest, |
| 276 | +- GitHub App auth manifest. |
| 277 | +
|
| 278 | +--- |
| 279 | +
|
| 280 | +# 10. Required V10 proofs |
| 281 | +
|
| 282 | +V10 extends the existing identity/auth proof requirements. |
| 283 | +
|
| 284 | +An identity/auth proof is V10-conformant only if it can show: |
| 285 | +
|
| 286 | +1. selected artifacts are bound to explicit addressing surfaces, |
| 287 | +2. selected artifacts are bound to explicit signing surfaces, |
| 288 | +3. GitHub App auth payloads are installation-scoped and repository-scoped, |
| 289 | +4. installation/auth principals referenced in authorization decisions are represented in the identity bindings or equivalent auth surface, |
| 290 | +5. Profile A modeled auth payloads are marked as modeled rather than live. |
| 291 | +
|
| 292 | +--- |
| 293 | +
|
| 294 | +# 11. Demo UX requirements |
| 295 | +
|
| 296 | +The V10 demo UI MUST: |
| 297 | +
|
| 298 | +1. present authenticated repo selection/inventory before raw fallback content, |
| 299 | +2. make all artifact kinds visible in the repo inventory surface, |
| 300 | +3. allow raw/operator note fallback without pretending it is equivalent to repo-bound selection, |
| 301 | +4. display address + signing + GitHub App auth surfaces clearly, |
| 302 | +5. keep the implementation understandable rather than over-designed. |
| 303 | +
|
| 304 | +--- |
| 305 | +
|
| 306 | +# 12. Required V10 artifacts and files |
| 307 | +
|
| 308 | +This V10 draft requires versioned repo artifacts: |
| 309 | +
|
| 310 | +- `/Users/garrettmaring/Developer/ENGI/ENGI_V10_PREP_MEMO.md` |
| 311 | +- `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V10.md` |
| 312 | +- `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V10_NOTES.md` |
| 313 | +- `/Users/garrettmaring/Developer/ENGI/engi-demo/SPEC_V10_IMPLEMENTATION_MATRIX.md` |
| 314 | +
|
| 315 | +--- |
| 316 | +
|
| 317 | +# 13. First-pass implementation guidance |
| 318 | +
|
| 319 | +The recommended first V10 implementation slice is: |
| 320 | +
|
| 321 | +1. add modeled authenticated repo sessions and seeded repo artifact inventory, |
| 322 | +2. upgrade the deposit UX to inventory-first selection, |
| 323 | +3. extend asset/manifests with: |
| 324 | + - artifact selection surface, |
| 325 | + - addressing surface, |
| 326 | + - signing surface, |
| 327 | + - GitHub App auth surface, |
| 328 | +4. update identity bindings/proofs/tests accordingly. |
| 329 | +
|
| 330 | +This is sufficient for a meaningful first V10 pass even if live GitHub auth remains out of scope locally. |
0 commit comments