Skip to content

Commit 2a6129e

Browse files
start v10
1 parent 51ebdf8 commit 2a6129e

11 files changed

Lines changed: 2775 additions & 156 deletions

ENGI_SPEC_V10.md

Lines changed: 330 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,330 @@
1+
# ENGI Spec V10
2+
3+
Status: draft
4+
Scope: ENGI v1 / V10 upgrade draft
5+
Canonical pointer: `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC.txt` remains `V8` until V10 is explicitly promoted
6+
Baseline: `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V9.md`
7+
8+
---
9+
10+
# 1. Executive summary
11+
12+
V10 is the **artifact-intake and identity/auth finalization** spec.
13+
14+
V9 closed major finality gaps around prompt completeness, static receipts, projection enforcement, proof witness closure, accounting precision, and scenario realism.
15+
16+
V10 keeps that V9 closure work.
17+
V10 does not invalidate V9.
18+
19+
V10 upgrades the surfaces that remain too weak at the repo boundary:
20+
21+
1. artifact intake must stop being effectively textarea-first,
22+
2. all artifact kinds must be first-class at intake time,
23+
3. intake should move toward authenticated repo-bound artifact selection,
24+
4. identity/auth must become a coherent cluster of:
25+
- addressing,
26+
- signing,
27+
- GitHub App auth payloads,
28+
- installation-scoped authorization semantics.
29+
30+
The central V10 rule is:
31+
32+
> If ENGI claims that repository-bound engineering artifacts are the subject of selection, proof, and settlement, then the intake and auth surfaces MUST begin from repository-addressable artifact inventory and MUST carry explicit address + signing + GitHub App auth structure.
33+
34+
---
35+
36+
# 2. Why V10 exists
37+
38+
An audit of the current V9 local demo shows that the remaining weakness is not in ranking or proof closure.
39+
It is at the intake and authority boundary.
40+
41+
The strongest V9-to-V10 gaps are:
42+
43+
- deposit UX is still centered on freeform form fields plus pasted content,
44+
- artifact kinds exist, but they are not all equally selection-first at intake time,
45+
- GitHub-bound metadata is present, but repo artifact inventory is not yet a first-class surface,
46+
- signer state is visible, but addressing and signing are not canonically separated,
47+
- installation id exists, but GitHub App auth payload structure is still too shallow,
48+
- identity/auth proofs do not yet bind the full address + signing + installation-scoped auth cluster.
49+
50+
V10 exists to close those gaps without undoing V9.
51+
52+
---
53+
54+
# 3. Source-of-truth and versioning rule
55+
56+
V10 preserves the ENGI versioning rule:
57+
58+
- each new spec version is written as a new versioned file,
59+
- previous versions remain in place,
60+
- `ENGI_SPEC.txt` is the only canonical pointer,
61+
- V10 implementation work may land while the canonical pointer remains on `V8`.
62+
63+
Therefore:
64+
65+
- V10 lives in `ENGI_SPEC_V10.md`,
66+
- V9 remains in place,
67+
- V8 remains the canonical pointer until explicit promotion.
68+
69+
---
70+
71+
# 4. Normative language
72+
73+
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, **SHOULD NOT**, and **MAY** are to be interpreted as normative requirements for V10 conformance.
74+
75+
---
76+
77+
# 5. Conformance profiles
78+
79+
## 5.1 Profile A — local deterministic V10 prototype
80+
81+
Profile A remains the local deterministic repository-contained prototype.
82+
83+
Profile A MAY locally model:
84+
85+
- authenticated GitHub App repo sessions,
86+
- installation-scoped permissions,
87+
- repo artifact inventory,
88+
- artifact addressing surfaces,
89+
- signing payload surfaces,
90+
- GitHub App auth payloads.
91+
92+
Profile A MUST NOT:
93+
94+
- fake live token minting,
95+
- fake live repository fetches,
96+
- fake live GitHub writes,
97+
- represent modeled auth payloads as if they were live network-backed tokens.
98+
99+
## 5.2 Profile B — external production-boundary intent
100+
101+
Profile B remains the live external boundary profile.
102+
103+
Profile B is where:
104+
105+
- real GitHub App installation auth happens,
106+
- real repo artifact inventory is fetched,
107+
- real repository actions are authorized,
108+
- real signer/org verification occurs.
109+
110+
V10 requires Profile B payload shapes to be explicit even when Profile A models them locally.
111+
112+
---
113+
114+
# 6. V10 intake model
115+
116+
V10 introduces a stronger intake rule:
117+
118+
```ts
119+
type ArtifactIntakeMode =
120+
| 'repo-artifact-selection'
121+
| 'repo-artifact-selection-plus-note'
122+
| 'raw-fallback'
123+
```
124+
125+
The preferred V10 intake order is:
126+
127+
1. select from authenticated repo-bound artifact inventory,
128+
2. optionally append operator note or raw supplement,
129+
3. use raw-only intake only as an explicit fallback.
130+
131+
The demo UX MUST NOT effectively stop at a raw textarea deposit flow.
132+
133+
---
134+
135+
# 7. Required V10 artifact-inventory surfaces
136+
137+
```ts
138+
type RepoArtifactInventoryEntry = {
139+
inventoryEntryId: string
140+
repo: string
141+
artifactKind: string
142+
artifactType: string
143+
originKind:
144+
| 'workflow-artifact'
145+
| 'benchmark-output'
146+
| 'commit-file'
147+
| 'pull-request-comment'
148+
| 'incident-document'
149+
| 'proof-log'
150+
| 'config-snapshot'
151+
| 'attestation-bundle'
152+
title: string
153+
summary: string
154+
sourceCommit?: string
155+
sourcePath?: string
156+
workflowRunId?: string
157+
workflowJobName?: string
158+
checkSuiteId?: string
159+
artifactName?: string
160+
tags: string[]
161+
declaredStacks: string[]
162+
declaredConstraints: string[]
163+
previewSurface: string
164+
content: string
165+
}
166+
```
167+
168+
V10 requirements:
169+
170+
1. The local demo MUST expose a repo-bound artifact inventory surface.
171+
2. The inventory MUST cover all artifact kinds present in the V10 demo surface, not only pasted freeform text.
172+
3. Intake manifests MUST record which inventory entries were selected.
173+
4. The intake surface MUST preserve enough repo/workflow/file addressing data to replay selection provenance.
174+
175+
---
176+
177+
# 8. Required V10 identity/auth cluster
178+
179+
V10 replaces vague identity/auth language with four explicit surfaces:
180+
181+
## 8.1 Addressing surface
182+
183+
```ts
184+
type AddressingSurface = {
185+
addressingScope:
186+
| 'repo'
187+
| 'repo-commit'
188+
| 'repo-file'
189+
| 'workflow-run'
190+
| 'workflow-artifact'
191+
| 'multi-artifact-selection'
192+
repo: string
193+
ref?: string
194+
commit?: string
195+
workflowRunId?: string
196+
workflowPath?: string
197+
workflowJobName?: string
198+
sourcePaths: string[]
199+
selectedInventoryEntryIds: string[]
200+
}
201+
```
202+
203+
## 8.2 Signing surface
204+
205+
```ts
206+
type SigningSurface = {
207+
signerAddress: string
208+
signerClass: string
209+
signingAlgorithm: string
210+
keySource: string
211+
attestationHash: string
212+
payloadHash: string
213+
signatureChecksPass: boolean
214+
signedPayloadHashMatchesContentRoot: boolean
215+
}
216+
```
217+
218+
## 8.3 GitHub App auth surface
219+
220+
```ts
221+
type GitHubAppAuthSurface = {
222+
authMechanism: 'github-app-installation'
223+
appId: string
224+
appSlug: string
225+
installationId: string
226+
installationAccountLogin: string
227+
installationAccountType: 'Organization' | 'User'
228+
repositoryId: string
229+
repositoryNodeId: string
230+
repositorySelection: 'selected' | 'all'
231+
permissions: Record<string, string>
232+
profileABoundary: string
233+
profileBBoundary: string
234+
}
235+
```
236+
237+
## 8.4 Artifact selection surface
238+
239+
```ts
240+
type ArtifactSelectionSurface = {
241+
intakeMode: ArtifactIntakeMode
242+
authSessionId?: string
243+
selectedInventoryEntryIds: string[]
244+
selectedArtifactKinds: string[]
245+
selectedOriginKinds: string[]
246+
rawFallbackUsed: boolean
247+
appendedOperatorNote: boolean
248+
}
249+
```
250+
251+
V10 requirements:
252+
253+
1. Every selected candidate asset MUST carry all four surfaces.
254+
2. Installation id MUST be part of the GitHub App auth surface, not just a stray field.
255+
3. Addressing and signing MUST be distinct surfaces, even when linked.
256+
4. Intake manifests MUST preserve selection/auth/address/signing closure together.
257+
258+
---
259+
260+
# 9. Required V10 manifest and branch-artifact behavior
261+
262+
When V10 surfaces are claimed, the implementation MUST materialize them in branch artifacts or equivalent manifest payloads.
263+
264+
At minimum V10 branch materialization MUST expose:
265+
266+
- artifact upload/intake manifest with selected inventory refs,
267+
- identity bindings with installation-scoped GitHub App principals when present,
268+
- GitHub boundary/auth surface with installation-scoped payload fields,
269+
- candidate-level address + signing surfaces inside the selected upload/intake manifest.
270+
271+
V10 MAY emit additional dedicated artifacts for:
272+
273+
- repo artifact selection manifest,
274+
- addressing manifest,
275+
- signing manifest,
276+
- GitHub App auth manifest.
277+
278+
---
279+
280+
# 10. Required V10 proofs
281+
282+
V10 extends the existing identity/auth proof requirements.
283+
284+
An identity/auth proof is V10-conformant only if it can show:
285+
286+
1. selected artifacts are bound to explicit addressing surfaces,
287+
2. selected artifacts are bound to explicit signing surfaces,
288+
3. GitHub App auth payloads are installation-scoped and repository-scoped,
289+
4. installation/auth principals referenced in authorization decisions are represented in the identity bindings or equivalent auth surface,
290+
5. Profile A modeled auth payloads are marked as modeled rather than live.
291+
292+
---
293+
294+
# 11. Demo UX requirements
295+
296+
The V10 demo UI MUST:
297+
298+
1. present authenticated repo selection/inventory before raw fallback content,
299+
2. make all artifact kinds visible in the repo inventory surface,
300+
3. allow raw/operator note fallback without pretending it is equivalent to repo-bound selection,
301+
4. display address + signing + GitHub App auth surfaces clearly,
302+
5. keep the implementation understandable rather than over-designed.
303+
304+
---
305+
306+
# 12. Required V10 artifacts and files
307+
308+
This V10 draft requires versioned repo artifacts:
309+
310+
- `/Users/garrettmaring/Developer/ENGI/ENGI_V10_PREP_MEMO.md`
311+
- `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V10.md`
312+
- `/Users/garrettmaring/Developer/ENGI/ENGI_SPEC_V10_NOTES.md`
313+
- `/Users/garrettmaring/Developer/ENGI/engi-demo/SPEC_V10_IMPLEMENTATION_MATRIX.md`
314+
315+
---
316+
317+
# 13. First-pass implementation guidance
318+
319+
The recommended first V10 implementation slice is:
320+
321+
1. add modeled authenticated repo sessions and seeded repo artifact inventory,
322+
2. upgrade the deposit UX to inventory-first selection,
323+
3. extend asset/manifests with:
324+
- artifact selection surface,
325+
- addressing surface,
326+
- signing surface,
327+
- GitHub App auth surface,
328+
4. update identity bindings/proofs/tests accordingly.
329+
330+
This is sufficient for a meaningful first V10 pass even if live GitHub auth remains out of scope locally.

0 commit comments

Comments
 (0)