arc new goal auth-refresh --title "Fix auth refresh"

arc.toml:
# Contract identity. `id`, `title` and `mode` mirror the
# `arc new goal auth-refresh --title "Fix auth refresh"` invocation that
# created this contract.
# NOTE(review): how `risk` affects enforcement is not shown here; confirm what
# "medium" implies before relying on it as a control.
version = 2
contract_version = 1
id = "auth-refresh"
title = "Fix auth refresh"
mode = "goal"
risk = "medium"
# Run budget. Units are inferred from the key names (turns, minutes, repeats
# of the same failure); confirm them, and confirm what the tool does when a
# limit is reached (stop, pause, or report), which is not shown here.
[limits]
max_turns = 12
max_minutes = 90
max_same_failure = 3
# Write scope for the run. The deny list names dotenv-style files and every
# contract definition (`.agent/contracts/*/arc.toml`), which is meant to keep
# secrets out of reach and to stop an agent from editing the rules it runs under.
# NOTE(review): allow/deny precedence is not shown here; confirm that deny wins
# wherever the two overlap.
# NOTE(review): Cargo.toml and Cargo.lock are writable, so dependency changes
# are in scope for this run. Review any change to them as a supply-chain change.
[paths]
allow = ["src/**", "tests/**", "Cargo.toml", "Cargo.lock"]
deny = [".env*", ".agent/contracts/*/arc.toml"]
# Commands the agent may run.
# NOTE(review): `cargo test` compiles and executes code from the workspace,
# including anything written under the allowed paths, so this list limits which
# commands start, not what they do. Run it in an environment that holds no
# credentials the run does not need.
# NOTE(review): deny_patterns lists three command fragments, and the matching
# semantics are not shown here. A fragment denylist only catches the spellings
# it lists; treat `allow` as the boundary and deny_patterns as a backstop.
[commands]
allow = ["cargo test auth_refresh", "cargo test", "git diff --name-only"]
deny_patterns = ["rm -rf", "git reset --hard", "git clean -fd"]
# Required completion proof of type "command": `cmd` is expected to finish with
# `required_exit_code`; `timeout_seconds` presumably bounds the run (confirm).
# NOTE(review): `cargo test <filter>` also exits 0 when the filter matches no
# tests, and tests/** is writable under [paths], so exit code 0 alone does not
# show that the intended tests still exist and ran. Check the test diff or the
# reported test count as well.
[[done]]
id = "tests-pass"
description = "Auth refresh tests pass"
proof = "command"
required = true
cmd = "cargo test auth_refresh"
required_exit_code = 0
timeout_seconds = 600
# Required completion proof of type "diff_scope".
# NOTE(review): presumably compares the changed files against [paths]
# allow/deny. Confirm which diff base it uses and whether untracked or
# git-ignored files are included in the check.
[[done]]
id = "scope-clean"
description = "No forbidden files changed"
proof = "diff_scope"
required = true
# Pause rule: a checkpoint before persistence or auth schema changes, keyed on
# paths here and on text patterns in the key that follows.
# NOTE(review): migrations/** is not in [paths].allow, so how a pause on a path
# outside the write scope interacts with the allow list is not shown; confirm
# whether a pause can widen scope or only gates work already in scope.
[[pause]]
id = "schema-change"
description = "Pause before changing persistence or auth schema"
paths = ["migrations/**"]
patterns = ["schema migration", "new auth provider"]

Use this when a run must produce a file:
[[done]]
id = "report-exists"
description = "The release report exists"
proof = "artifact_exists"
required = true
path = ".agent/contracts/release/artifacts/report.txt"

Use this when a file must contain or avoid a pattern:
[[done]]
id = "report-has-version"
description = "The report includes the release version"
proof = "regex_present"
required = true
path = ".agent/contracts/release/artifacts/report.txt"
pattern = "version = \"[0-9]+\\.[0-9]+\\.[0-9]+\""

[[done]]
id = "no-todo-left"
description = "The touched file has no TODO marker"
proof = "regex_absent"
required = true
path = "src/auth.rs"
pattern = "TODO|FIXME"

arc lint auth-refresh --strict
arc launch --agent codex auth-refresh --print

Run the printed command. After Codex stops:
arc validate auth-refresh
arc report auth-refresh

claude --plugin-dir .
arc launch --agent claude auth-refresh --print

Run the printed command. Claude Stop hooks should block early completion while required proofs remain unverified.