fix: harden trustworthy green checks

[djm81]

Description

Harden CI, local review gates, and docs so required checks stay trustworthy and green checks actually mean the underlying validation passed.

Fixes #465

New Features #406

Contract References: No public API contract changes. This change hardens workflow, hook, review, and docs-validation behavior.

Type of Change

Please check all that apply:

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 Documentation update
• 🔒 Contract enforcement (adding/updating @icontract decorators)
• 🧪 Test enhancement (scenario tests, property-based tests)
• 🔧 Refactoring (code improvement without functionality change)

Contract-First Testing Evidence

Required for all changes affecting CLI commands or public APIs:

This change does not modify CLI command behavior or public API contracts. Contract evidence below reflects repo gate execution relevant to this branch.

Contract Validation

• Runtime contracts added/updated (@icontract decorators on public APIs)
• Type checking enforced (@beartype decorators applied)
• CrossHair exploration completed: hatch run contract-test-exploration
• Contract violations reviewed and addressed

Test Execution

• Contract validation: hatch run contract-test-contracts ✅
• Contract exploration: hatch run contract-test-exploration ✅
• Scenario tests: hatch run contract-test-scenarios ✅
• Full test suite: targeted workflow/doc-frontmatter suite plus hatch run contract-test ✅

Test Quality

• CLI commands tested with typer test client
• Edge cases covered with Hypothesis property tests
• Error handling tested with invalid inputs
• Rich console output verified manually or with snapshots

How Has This Been Tested?

Contract-First Approach: Verified the workflow/review surfaces with targeted unit and integration tests, strict OpenSpec validation, and repo quality gates. Failing-first evidence is captured in openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md.

Manual Testing

• Tested CLI commands manually
• Verified rich console output
• Tested with different input scenarios
• Checked error messages for clarity

Automated Testing

• Contract validation passes
• Property-based tests cover edge cases
• Scenario tests cover user workflows
• All existing tests still pass

Test Environment

• Python version: 3.12
• OS: Ubuntu/Linux

Checklist

• My code follows the style guidelines (PEP 8, ruff format, isort)
• I have performed a self-review of my code
• I have added/updated contracts (@icontract, @beartype)
• I have added/updated docstrings (Google style)
• I have made corresponding changes to documentation
• My changes generate no new warnings (basedpyright, ruff, pylint)
• All tests pass locally
• I have added tests that prove my fix/feature works
• Any dependent changes have been merged

Quality Gates Status

• Type checking ✅ (hatch run type-check)
• Linting ✅ (hatch run lint)
• Contract validation ✅ (hatch run contract-test)
• Contract exploration ✅ (hatch run contract-test-exploration)
• Scenario tests ✅ (hatch run contract-test-scenarios)

Screenshots/Recordings (if applicable)

Not applicable.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ecbc7cda-d83e-4706-84d8-96fd0d188931

📥 Commits

Reviewing files that changed from the base of the PR and between fb5fe70 and 74da858.

📒 Files selected for processing (2)

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• tests/unit/workflows/test_trustworthy_green_checks.py

---

📝 Walkthrough

Summary: CI Infrastructure & Quality Gates Hardening (ci-02-trustworthy-green-checks)

User-visible CLI impact

• None to CLI commands, options, or defaults. No public CLI surface changes.

Contract / API impact

• No public API, Pydantic model, or package-boundary breaking changes.
• Internal behavior: bootstrap_local_bundle_sources() (src/specfact_cli/modules/_bundle_import.py) now also honors SPECFACT_MODULES_REPO in addition to SPECFACT_CLI_MODULES_REPO when discovering local module repos; no signature change.

Testing and quality gates

• CI/workflow orchestration (.github/workflows/pr-orchestrator.yml) hardened:
  • Removed workflow-level paths-ignore for docs/Markdown so required checks emit statuses for docs-only commits.
  • Added explicit workflow_changed output and a workflow-lint job that runs hatch run lint-workflows/actionlint when .github/workflows/** changes.
  • Replaced the naive dev→main fast-path with commit-parity proof using git rev-parse/merge-base; skip_tests_dev_to_main is an explicit changes-job output and downstream jobs check it.
  • Downstream jobs (compat, contract-first, cli-validation, type-checking, linting, tests) conditioned to require code_changed == 'true' and skip_tests_dev_to_main != 'true'.
  • Failure-masking constructs removed from required job steps (no more || echo ... fallbacks); pipelines now fail-fast and propagate primary exit codes.
• Actionlint runner (scripts/run_actionlint.sh) behavior changed:
  • Prefer globally installed actionlint binary; fall back to Docker only when docker daemon is reachable; otherwise exit non-zero with install guidance. Removed repo-local binary download/installation fallback.
  • scripts/yaml-tools.sh delegates to run_actionlint.sh to align local/CI lint paths.
• Local pre-commit / contributor hooks:
  • .pre-commit-config.yaml now exposes a single repo-owned always-run wrapper hook id: specfact-smart-checks (entry: scripts/pre-commit-smart-checks.sh, language: script, pass_filenames: false, always_run: true).
  • The local hooks that previously attempted repository-local signature verification and a separate code-review gate were consolidated under the smart wrapper; the wrapper conditionally invokes the legacy code-review helper when staged Python files exist.
  • The smart wrapper enforces module signature checks, formatter safety, Markdown/YAML checks, workflow lint for staged workflow changes, and contract-test fast feedback consistent with CI semantics.
• Tests added/updated:
  • tests/unit/workflows/test_trustworthy_green_checks.py — comprehensive assertions enforcing orchestrator semantics: trigger shapes, no paths-ignore, required jobs fail-closed, parity-proof skip logic, advisory job naming, canonical "Verify Module Signatures" naming across workflows, contract-first CI uses hatch run contract-test, pre-commit smart-hook presence, .coderabbit auto-review covers both ^dev$ and ^main$, and actionlint runner behavior.
  • tests/unit/scripts/test_doc_frontmatter/test_validation.py — ensures malformed doc frontmatter yields failure with actionable stderr.
  • tests/unit/modules/test_bundle_import.py — verifies SPECFACT_MODULES_REPO env is honored by bootstrap_local_bundle_sources().
  • TDD evidence and verification runs are documented at openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md.
• Contract-first CI behavior: contract-first job uses hatch run contract-test (avoids depending on a bundled CLI repro invocation that could be unavailable).
• Type-checking and linting gates enforced; TDD notes indicate some exploratory/property-test items remain unchecked.

OpenSpec, CHANGELOG, docs tracking

• OpenSpec change ID: ci-02-trustworthy-green-checks (parent feature #406; addresses issue #465). Spec, tasks, and TDD evidence added/updated under openspec/changes/ci-02-trustworthy-green-checks; tasks checklist marked completed and entry set to implemented (archive pending).
• Documentation updates:
  • CONTRIBUTING.md, docs/modules/code-review.md, docs/contributing/docs-sync.md updated to document the smart pre-commit wrapper, repository gate taxonomy (merge-blocking vs advisory), docs gating rules, and actionlint install guidance.
  • CHANGELOG.md minor formatting edits.
• CodeRabbit config (.coderabbit.yaml) extended to include "^main$" in reviews.auto_review.base_branches so automated reviews cover both dev and main PR targets.

Module signing / version bump notes

• Module signature verification remains a canonical required check with canonical display name "Verify Module Signatures" (sign-modules workflow job display name casing aligned). The orchestrator invokes the verified flow; local pre-commit delegates enforcement to the smart wrapper which runs signature checks. No automatic version-bump behavior introduced here.

Net effect for maintainers

• No public API or CLI changes. This PR tightens CI and local-gate semantics so required checks reliably fail closed and report on every PR head commit, aligns local pre-commit semantics with CI, standardizes canonical check naming, enforces workflow linting on workflow changes, hardens actionlint handling, and documents the behavioral taxonomy (required vs advisory). Tests and TDD evidence accompany the changes to validate the hardened behavior.

Walkthrough

Updated CI, pre-commit, review, scripts, docs, and tests to harden “trustworthy green checks”: extend CodeRabbit auto-review to main, tighten pr-orchestrator workflow failure semantics and workflow-lint gating, replace local pre-commit hooks with a smart wrapper, change actionlint runner behavior, and add tests validating these policies.

Changes

Cohort / File(s)	Summary
Orchestrator workflow \.github/workflows/pr-orchestrator.yml	Removed docs-only paths-ignore, added workflow_changed output, changed release fast-path to prove commit parity via git merge-base, tightened job run conditions to require code_changed=='true' and skip_tests_dev_to_main!='true', added workflow-lint job, and made several pipelines fail-fast (removed `
Workflows UI text \.github/workflows/sign-modules.yml	Job display name updated to Verify Module Signatures (UI text only).
Pre-commit config .pre-commit-config.yaml	Removed verify-module-signatures and specfact-code-review-gate hooks; added specfact-smart-checks local hook (scripts/pre-commit-smart-checks.sh, pass_filenames: false, always_run: true).
Actionlint runner & YAML helper scripts/run_actionlint.sh, scripts/yaml-tools.sh	run_actionlint.sh now prefers an installed actionlint, falls back to Docker only if daemon reachable, and fails with guidance otherwise; removed repo-local binary fallback. yaml-tools.sh delegates to scripts/run_actionlint.sh.
Docs & contributor guidance CONTRIBUTING.md, docs/*, CHANGELOG.md, openspec/*	Documented smart pre-commit wrapper behavior, clarified gating semantics (merge-blocking vs advisory), adjusted headings, lint comment, and updated openspec entries and TDD/task evidence.
CodeRabbit config .coderabbit.yaml	Extended reviews.auto_review.base_branches to include ^main$ alongside ^dev$.
Tests — workflow & tooling validations tests/unit/workflows/test_trustworthy_green_checks.py, tests/unit/scripts/test_doc_frontmatter/test_validation.py	New tests asserting orchestrator triggers/no paths-ignore, fail-closed job patterns, release parity proof, canonical job naming, pre-commit hook presence, actionlint runner behavior, and doc frontmatter YAML parse error handling.
Bundle import changes & tests src/specfact_cli/modules/_bundle_import.py, tests/unit/modules/test_bundle_import.py, tests/unit/migration/test_module_migration_07_cleanup.py	Bootstrap now honors SPECFACT_MODULES_REPO in addition to SPECFACT_CLI_MODULES_REPO; added test validating env handling; allowed test file exception in migration cleanup test.
Pre-commit-smart-checks script scripts/pre-commit-smart-checks.sh (referenced)	New smart wrapper referenced by pre-commit config (script added/modified elsewhere in repo).

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant Contributor as Contributor (local)
participant PreCommit as pre-commit hook
participant Repo as GitHub Actions (pr-orchestrator)
participant Runner as workflow-lint job
participant Actionlint as scripts/run_actionlint.sh
Contributor->>PreCommit: commit / pre-commit run
PreCommit->>PreCommit: run scripts/pre-commit-smart-checks.sh
PreCommit-->>Contributor: block on FAIL, PASS_WITH_ADVISORY allowed
Contributor->>Repo: open PR (push / pull_request)
Repo->>Repo: changes job computes code_changed, workflow_changed, PR_BASE_SHA/HEAD SHA, merge-base parity
alt workflow_changed == 'true'
Repo->>Runner: run workflow-lint (hatch/actionlint)
Runner->>Actionlint: invoke scripts/run_actionlint.sh
Actionlint->>Actionlint: prefer installed actionlint, else Docker, else fail with guidance
end
Repo->>Repo: downstream jobs require code_changed=='true' and skip_tests_dev_to_main!='true' to run
Repo->>Repo: jobs fail-fast on tool failures (no '|| echo' fallbacks)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: harden trustworthy green checks #469 — Overlapping CI/review tooling hardening; similar changes to pr-orchestrator, actionlint handling, and CodeRabbit config.
• feat: doc frontmatter validation, v0.43.2 review JSON gate, and pre-commit review UX #463 — Prior change introducing/altering .coderabbit.yaml auto_review base_branches that this PR extends to include ^main$.
• Release dev to main: doc frontmatter validation and OpenSpec archive sync #464 — Related edits to CodeRabbit auto-review and CI/testing surfaces; touches similar config and workflows.

Suggested labels

documentation, code-review

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 63.64% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows Conventional Commits style with 'fix:' prefix and clearly summarizes the main hardening objective for trustworthy green checks.
Description check	✅ Passed	The PR description includes required sections (Description, Type of Change, Testing approach, Checklist) and appropriately addresses non-CLI changes by confirming no public API contract modifications while documenting gate behavior hardening.
Linked Issues check	✅ Passed	All coding requirements from #465 are met: required jobs fail-close (pr-orchestrator.yml), explicit blocking/advisory taxonomy (docs, tests), dev→main parity-gated skipping (merge-base logic), workflow-lint CI job, local pre-commit alignment (smart-checks wrapper), and CodeRabbit coverage extended to both dev and main.
Out of Scope Changes check	✅ Passed	All changes align with trustworthy green-check hardening scope: workflow/pre-commit gate semantics, CI job failure handling, documentation, tests, and minor configuration updates stay focused on requirements from #465 and #406.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/ci-02-trustworthy-green-checks

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md`:
- Line 54: Several markdown headings "Pre-Implementation Test Failure
(Expected)" and "Post-Implementation Test Success" are duplicated and trigger
MD024; rename each duplicate heading by appending a short distinguishing suffix
(for example change "Pre-Implementation Test Failure (Expected)" to
"Pre-Implementation Test Failure (Expected) - Workflow Policy" and similar for
other occurrences, and change "Post-Implementation Test Success" to
"Post-Implementation Test Success - Actionlint Fallback" or another meaningful
suffix) so each heading text is unique; update all instances referenced (the
headings at the original "Pre-Implementation Test Failure (Expected)" and the
ones around lines noted in the review) to follow the same disambiguation pattern
for lint compliance and easier navigation.

In `@scripts/run_actionlint.sh`:
- Around line 27-30: The message in run_with_docker() is misleading because
run_installed_binary() already failed if we reached this code; change the echo
to accurately reflect that the Docker daemon is unavailable and we cannot run
actionlint via Docker (e.g., "Docker daemon unavailable for actionlint; cannot
run via Docker.") and keep the existing return 1 so the script proceeds to its
final failure path; reference run_with_docker and run_installed_binary when
making the change.

In `@tests/unit/workflows/test_trustworthy_green_checks.py`:
- Around line 119-121: The current assertions compare exact condition strings in
skip_conditions and will break on formatting changes; modify the test around the
skip_conditions extraction to match more robustly by normalizing each condition
(e.g., strip surrounding quotes, collapse whitespace, and standardize quote
characters) or use a regex/substring check to assert that a condition contains
the key pattern "needs.changes.outputs.skip_tests_dev_to_main" together with "==
'true'" or "!= 'true'"; update the two asserts that reference the raw strings to
instead search the normalized/regex-matched conditions so they pass regardless
of minor spacing or quoting differences.

🪄 Autofix (Beta)

✅ Autofix completed

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8839d9fb-d659-414f-8f6a-f0a302565fe6

📥 Commits

Reviewing files that changed from the base of the PR and between 93b6dee and 35485ef.

📒 Files selected for processing (16)

• .coderabbit.yaml
• .github/workflows/pr-orchestrator.yml
• .github/workflows/sign-modules.yml
• .pre-commit-config.yaml
• CHANGELOG.md
• CONTRIBUTING.md
• docs/contributing/docs-sync.md
• docs/modules/code-review.md
• openspec/CHANGE_ORDER.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• scripts/run_actionlint.sh
• scripts/yaml-tools.sh
• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (16)

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

**/*.md: Finish each output by listing which rulesets have been applied (e.g., .cursorrules, AGENTS.md, specific .cursor/rules/*.mdc), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.
Follow markdown linting rules to avoid markdown linting errors (via markdown-rules).

Files:

• docs/contributing/docs-sync.md
• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• CHANGELOG.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

docs/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve all front-matter in documentation files when editing (title, layout, nav_order, permalink, etc.); check docs/_layouts/default.html and docs/index.md before modifying front-matter

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Update docs in docs/ when commands, options, or behaviour changes; preserve all front-matter on every edit

Files:

• docs/contributing/docs-sync.md
• docs/modules/code-review.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/contributing/docs-sync.md
• docs/modules/code-review.md

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• docs/contributing/docs-sync.md
• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• CHANGELOG.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Validate GitHub workflow files using hatch run lint-workflows before committing

.github/workflows/*.{yml,yaml}: Use actionlint for semantic validation of GitHub Actions workflows
Format GitHub Actions workflows using hatch run workflows-fmt and lint them with hatch run workflows-lint after editing

Files:

• .github/workflows/sign-modules.yml
• .github/workflows/pr-orchestrator.yml

.github/workflows/!(tests).{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Files:

• .github/workflows/sign-modules.yml
• .github/workflows/pr-orchestrator.yml

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: CI safety: secrets usage, workflow dependencies, alignment with hatch test / contract-test
gates, and action versions.

Files:

• .github/workflows/sign-modules.yml
• .github/workflows/pr-orchestrator.yml

**/*.py

📄 CodeRabbit inference engine (.cursorrules)

**/*.py: All public APIs must have @icontract decorators and @beartype type checking.
Commands should follow typer patterns with rich console output.
Use Pydantic models for all data structures to ensure data validation.
Write only high-value comments if at all. Avoid talking to the user through comments.
Use GPG-signed commits (git commit -S) when implementing changes in a worktree.

**/*.py: Use snake_case for file and module names
Use PascalCase for class names
Use UPPER_SNAKE_CASE for constants
Use Google-style docstrings
Set line length to 120 characters maximum
All data structures must use Pydantic BaseModel with Field(...) and descriptions
All public APIs must use @icontract decorators (@require, @ensure, @invariant) for contract-first development
All public APIs must use @beartype for runtime type checking
Only write high-value comments; avoid verbose or redundant commentary

**/*.py: No bare except or broad except Exception without re-raising or logging full context - use specific exceptions instead
Enforce consistent return types for public API methods - publishing/IO methods must return bool (True/False), not None
Prefer specific exceptions and re-raise after logging rather than swallowing exceptions
Limit function length to maximum 120 lines and cyclomatic complexity to maximum 12
Avoid filesystem operations with overly permissive modes - do not use 0o777 for mkdir/os.makedirs; use 0o755 or environment-controlled mode
Async / signal safety - signal handlers may only set a flag or call thread-safe routines; do not call asyncio.create_task directly from POSIX signal handlers

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-o...

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

tests/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

tests/**/*.py: Test structure must mirror source with tests/unit/, tests/integration/, tests/e2e/ directories
Use @pytest.mark.asyncio decorator for async test functions
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"

tests/**/*.py: Secure secret redaction guaranteed - LoggerSetup.redact_secrets must be covered by unit tests for nested dicts and strings
Messaging coercion and strict validation - any use of MessagingStandardization.process_standardized_message must have tests validating coercion success/failure and metrics increments

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

tests/**/*.py: Use @pytest.mark.asyncio for async tests
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"
Test structure must mirror source structure: tests/unit/, tests/integration/, tests/e2e/

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

{src,tests}/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/session_startup_instructions.mdc)

Apply pylint src tests for linting before committing

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• tests/unit/workflows/test_trustworthy_green_checks.py

openspec/changes/*/TDD_EVIDENCE.md

📄 CodeRabbit inference engine (AGENTS.md)

Create/update openspec/changes/<change-id>/TDD_EVIDENCE.md with test command(s), timestamp, and failure/pass summary before and after implementation

Files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

openspec/CHANGE_ORDER.md

📄 CodeRabbit inference engine (CLAUDE.md)

Update openspec/CHANGE_ORDER.md whenever a change lifecycle event occurs (new change created, archived, modified, blocker resolved) in the same commit

Keep openspec/CHANGE_ORDER.md updated as the single source of truth for change sequencing, module grouping, and inter-change dependencies

Files:

• openspec/CHANGE_ORDER.md

CHANGELOG.md

📄 CodeRabbit inference engine (CLAUDE.md)

Keep CHANGELOG.md updated with every meaningful change following Keep a Changelog format: Added, Changed, Fixed, Removed, Security; each version entry must match pyproject.toml version

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Keep CHANGELOG.md updated with every meaningful change in the same commit as version bumps, following Keep a Changelog format with sections for Added, Changed, Fixed, Removed, Security

Files:

• CHANGELOG.md

{CHANGELOG.md,pyproject.toml,setup.py,src/__init__.py}

📄 CodeRabbit inference engine (.cursor/rules/session_startup_instructions.mdc)

When releasing, update CHANGELOG.md, pyproject.toml, setup.py, and src/__init__.py

Files:

• CHANGELOG.md

🧠 Learnings (62)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Always work on feature/bugfix/hotfix branches and submit PRs; protect `dev` and `main` branches from direct commits

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to docs/**/*.md : Update docs in `docs/` when commands, options, or behaviour changes; preserve all front-matter on every edit

Applied to files:

• docs/contributing/docs-sync.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• docs/contributing/docs-sync.md
• docs/modules/code-review.md

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Code changes modifying public API, state machine YAMLs, or generated state machine outputs MUST include unit tests, update docs/ and CHANGELOG.md, and include 'BREAKING' section in PR if public API changed

Applied to files:

• docs/contributing/docs-sync.md
• tests/unit/scripts/test_doc_frontmatter/test_validation.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.md : Finish each output by listing which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.

Applied to files:

• docs/contributing/docs-sync.md
• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• CHANGELOG.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:38.156Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-03-25T21:32:38.156Z
Learning: Review `docs/README.md` to understand current development phase and priorities before proceeding with work

Applied to files:

• docs/contributing/docs-sync.md

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to openspec/CHANGE_ORDER.md : Keep `openspec/CHANGE_ORDER.md` updated as the single source of truth for change sequencing, module grouping, and inter-change dependencies

Applied to files:

• docs/contributing/docs-sync.md
• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/CHANGE_ORDER.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-25T21:31:22.997Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-25T21:31:22.997Z
Learning: Applies to docs/**/*.md : Preserve all front-matter in documentation files when editing (title, layout, nav_order, permalink, etc.); check `docs/_layouts/default.html` and `docs/index.md` before modifying front-matter

Applied to files:

• docs/contributing/docs-sync.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• .pre-commit-config.yaml
• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Ensure an OpenSpec change (new or delta) exists for any code modification in specfact-cli (`src/`, `tools/`, tests, or significant docs) unless user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or similar

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to openspec/changes/*/TDD_EVIDENCE.md : Create/update `openspec/changes/<change-id>/TDD_EVIDENCE.md` with test command(s), timestamp, and failure/pass summary before and after implementation

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:22.997Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-25T21:31:22.997Z
Learning: Implement strict TDD order: update/add spec deltas first → add/modify tests mapped to spec scenarios → run tests and capture failing result → only then modify production code → re-run tests and quality gates until passing; record evidence in `openspec/changes/<change-id>/TDD_EVIDENCE.md`

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to TDD_EVIDENCE.md : For tasks involving behavior changes, create and update `TDD_EVIDENCE.md` per AGENTS.md 'Hard Gate: Strict TDD Order', recording failing test evidence before implementation and passing test evidence after implementation.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After implementing code changes in specfact-cli, run quality gates: `hatch run format`, `hatch run type-check`, `hatch run contract-test`, `hatch test` (or `hatch run smart-test`)

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md
• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After code implementation in specfact-cli, create or update corresponding GitHub issue with title `[Change] <Brief Description>`, labels `enhancement` and `change-proposal` if targeting public repo, and update `proposal.md` Source Tracking section with issue number, URL, repository, and status

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/CHANGE_ORDER.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/tasks.md
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md
• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Always work on feature/bugfix/hotfix branches and submit PRs; protect `dev` and `main` branches from direct commits

Applied to files:

• .coderabbit.yaml
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: All changes must be made via Pull Requests to `dev` or `main`. Direct commits to protected branches are not allowed.

Applied to files:

• .coderabbit.yaml
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: All commits must be made via Pull Requests to dev or main branches; no direct commits allowed

Applied to files:

• .coderabbit.yaml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to src/specfact_cli/modules/*/module-package.yaml : Increment module version using semver (major/minor/patch) before signing changed module contents; do not keep the same module version when module files or signatures change

Applied to files:

• .github/workflows/sign-modules.yml
• .pre-commit-config.yaml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Sign modules using `hatch run python scripts/sign-modules.py --key-file <private-key.pem>` and verify with `hatch run ./scripts/verify-modules-signature.py --require-signature` before PR creation

Applied to files:

• .github/workflows/sign-modules.yml
• .pre-commit-config.yaml
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: For new code in specfact-cli using OpenSpec workflow, follow TDD discipline: write tests first, then implementation code

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/CHANGE_ORDER.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Verify that an active OpenSpec change in `openspec/changes/` explicitly covers any requested code modification before applying edits

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.{py} : After any code changes, apply linting and formatting using `hatch run format`, perform type checking with `hatch run type-check` (basedpyright), run contract validation with `hatch run contract-test`, and run full test suite with `hatch test --cover -v`. Verify all tests pass and contracts are satisfied before committing.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• .pre-commit-config.yaml
• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:22.997Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-25T21:31:22.997Z
Learning: Applies to openspec/CHANGE_ORDER.md : Update `openspec/CHANGE_ORDER.md` whenever a change lifecycle event occurs (new change created, archived, modified, blocker resolved) in the same commit

Applied to files:

• openspec/CHANGE_ORDER.md
• CONTRIBUTING.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Applied to files:

• scripts/yaml-tools.sh
• scripts/run_actionlint.sh
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Install actionlint locally, download to ./bin, or rely on Docker fallback for GitHub Actions workflow validation

Applied to files:

• scripts/yaml-tools.sh
• scripts/run_actionlint.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• docs/modules/code-review.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Use yamllint with the repo .yamllint configuration (line-length 140, trailing spaces and final newline enforced) to lint non-workflow YAML files

Applied to files:

• scripts/yaml-tools.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Use Prettier to fix whitespace, indentation, and final newline across YAML files

Applied to files:

• scripts/yaml-tools.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• docs/modules/code-review.md
• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to **/*.{yml,yaml} : Validate YAML configuration files locally using `hatch run yaml-lint` before committing

Applied to files:

• scripts/yaml-tools.sh
• .pre-commit-config.yaml
• docs/modules/code-review.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to CHANGELOG.md : Keep `CHANGELOG.md` updated with every meaningful change in the same commit as version bumps, following Keep a Changelog format with sections for `Added`, `Changed`, `Fixed`, `Removed`, `Security`

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CHANGELOG.md
• CONTRIBUTING.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.md : Follow markdown linting rules to avoid markdown linting errors (via markdown-rules).

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:31:22.997Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-25T21:31:22.997Z
Learning: Applies to CHANGELOG.md : Keep `CHANGELOG.md` updated with every meaningful change following Keep a Changelog format: `Added`, `Changed`, `Fixed`, `Removed`, `Security`; each version entry must match `pyproject.toml` version

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Headers should increment by one level at a time (MD001: Header Increment)

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to CHANGELOG.md : Include new version entries at the top of CHANGELOG.md when updating versions

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: When creating OpenSpec changes for specfact-cli, use unique verb-led `change-id` and scaffold `proposal.md`, `tasks.md`, optional `design.md`, and spec deltas in `changes/<id>/specs/<capability>/spec.md`

Applied to files:

• CHANGELOG.md
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to .specfact/code-review.json : Re-run `.specfact/code-review.json` when spec, tasks, design, or code changes; invalidate if the file is stale relative to recent edits in `src/`, `scripts/`, `tools/`, `tests/`, or `openspec/changes/<change-id>/`

Applied to files:

• .pre-commit-config.yaml
• CONTRIBUTING.md
• docs/modules/code-review.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to **/*.yaml : YAML files must pass linting using: hatch run yaml-lint with relaxed policy.

Applied to files:

• .pre-commit-config.yaml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to {README.md,docs/index.md} : Keep `README.md` and the docs landing page in sync with actual CLI interface and command list; lead with value and USP for new-user perspective

Applied to files:

• CONTRIBUTING.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/!(tests).{yml,yaml} : Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/{quality-gates,contract-enforcement,contracts,no-escape-gating,integrated-ci}.{yml,yaml} : Dependent workflows must download the coverage.xml artifact from the Tests workflow and fail early if it is missing

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Run `openspec validate <change-id> --strict` before implementing any code changes in specfact-cli to validate the OpenSpec change

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/specs/trustworthy-green-checks/spec.md
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Read and apply `openspec/config.yaml` for project context (tech stack, constraints, architecture, SDD+TDD discipline) before any code modification in specfact-cli

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run type checking with basedpyright on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Type checking must pass with no errors using: mypy .

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run linting with ruff and pylint on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(src|tests)/**/*.py : Linting must pass with no errors using: pylint src tests

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:38.156Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-03-25T21:32:38.156Z
Learning: Applies to {src,tests}/**/*.py : Apply `pylint src tests` for linting before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml

🪛 LanguageTool

openspec/changes/ci-02-trustworthy-green-checks/tasks.md

[uncategorized] ~43-~43: The official name of this software platform is spelled with a capital “H”.
Context: ...mandatory workflow validation in CI for .github/workflows/** changes. - [x] 4.4 Rework...

(GITHUB)

🪛 markdownlint-cli2 (0.22.0)

openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

[warning] 54-54: Multiple headings with the same content

(MD024, no-duplicate-heading)

---

[warning] 82-82: Multiple headings with the same content

(MD024, no-duplicate-heading)

---

[warning] 103-103: Multiple headings with the same content

(MD024, no-duplicate-heading)

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit-config.yaml still contains a local hook entry with id verify-module-signatures (verify-module-signatures hook invoking scripts/verify-modules-signature.py). [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:1-200]

• .github/workflows/pr-orchestrator.yml is present and contains:

  • pull_request and push triggers that use paths-ignore for "/*.md" and "docs/" (the PR intends to remove these ignores). [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml:1-40]
  • a changes job that sets outputs code_changed and skip_tests_dev_to_main and implements a dev->main fast-path skip when PR base=head are dev→main (the PR tightens this logic to use commit/merge-base parity). [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml:40-140]
  • a verify-module-signatures job wired into the workflow (needs: [changes], if: needs.changes.outputs.code_changed == 'true') — this job still exists here. [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml:60-110]

• Tests and scripts reference module-signature hooks and verify logic:

  • tests/unit/test_pre_commit_quality_parity.py asserts presence of "verify-module-signatures" in hook ids. [::nold-ai/specfact-cli-modules::tests/unit/test_pre_commit_quality_parity.py:1-60]
  • scripts/verify-modules-signature.py and scripts/sign-modules.py exist in the repo and are referenced from docs and workflows. [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py:1-500] [::nold-ai/specfact-cli-modules::scripts/sign-modules.py:1-200]

• scripts/run_actionlint.sh and scripts/pre-commit-smart-checks.sh were not found at the paths attempted (sed failed to read them), indicating they are not present in this repo copy at those locations. (Search output shows no matching files for those names.) This matters because the PR changes reference a run_actionlint script behavior and a new specfact-smart-checks hook; those specific files are not present here. [::nold-ai/specfact-cli-modules::(search results)]

Summary assessment:

• This repository contains the primary workflow and signing scripts the PR touches (pr-orchestrator.yml, verify-module-signatures job and scripts/verify-modules-signature.py). Tests reference the verify-module-signatures hook. The PR's intended changes (removing paths-ignore, tightening dev→main skip logic, replacing verify-module-signatures hook with specfact-smart-checks, run_actionlint behavior) will directly affect these files and tests here. The absence of run_actionlint.sh and pre-commit-smart-checks.sh at the expected paths is notable and may require aligning file locations or test expectations.

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 3 file(s) based on 3 unresolved review comments.

Files modified:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• scripts/run_actionlint.sh
• tests/unit/workflows/test_trustworthy_green_checks.py

Commit: e75a94c0e12ffac5aeff951cc177c1455d447deb

The changes have been pushed to the feature/ci-02-trustworthy-green-checks branch.

Time taken: 4m 48s

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/specfact_cli/modules/_bundle_import.py (1)

16-17: ⚠️ Potential issue | 🟡 Minor

Missing @beartype decorator on public API.

Per coding guidelines, all public APIs must have both @icontract decorators and @beartype runtime type checking. The @require is present, but @beartype is absent.

🛡️ Proposed fix to add `@beartype`

 from icontract import require
+from beartype import beartype
 
 
 def _anchor_file_nonempty(anchor_file: str) -> bool:
     return anchor_file.strip() != ""
 
 
+@beartype
 `@require`(_anchor_file_nonempty, "anchor_file must not be empty")
 def bootstrap_local_bundle_sources(anchor_file: str) -> None:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/specfact_cli/modules/_bundle_import.py` around lines 16 - 17, The public
function bootstrap_local_bundle_sources is missing run-time type checking: add
the `@beartype` decorator immediately above the function definition (above the
existing `@require`(_anchor_file_nonempty, "anchor_file must not be empty")) to
satisfy the guideline; if beartype is not yet imported in this module, import
beartype.beartype at the top of the file so the decorator resolves. Ensure the
decorator is applied to the bootstrap_local_bundle_sources function (the same
symbol referenced by `@require`) and run tests/lint to confirm no import/name
errors.

.github/workflows/pr-orchestrator.yml (1)

541-547: ⚠️ Potential issue | 🟠 Major

Brace group exit status only reflects the last command.

When multiple commands run inside { ... }, the exit status is that of the final command (pylint). If ruff format or ruff check fails but pylint succeeds, the job will incorrectly pass. Consider using set -e within the group or explicitly chaining with &&.

🔧 Proposed fix to fail on any lint tool failure

       - name: Run linting
         run: |
           echo "🔍 Running linting checks..."
           mkdir -p logs/lint
           LINT_LOG="logs/lint/lint_$(date -u +%Y%m%d_%H%M%S).log"
           {
-            ruff format . --check
-            python -m basedpyright --pythonpath "$(python -c 'import sys; print(sys.executable)')"
-            ruff check .
-            pylint src tests tools
+            set -e
+            ruff format . --check
+            python -m basedpyright --pythonpath "$(python -c 'import sys; print(sys.executable)')"
+            ruff check .
+            pylint src tests tools
           } 2>&1 | tee "$LINT_LOG"
           exit "${PIPESTATUS[0]:-$?}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-orchestrator.yml around lines 541 - 547, The brace
group running multiple linters currently only returns the last command's exit
code (the `{ ... }` block ending in `pylint`), so failures in earlier commands
like `ruff format` or `ruff check` are ignored; fix it by making the group fail
fast—either add `set -e` at the start of the group (`{ set -e; ruff format .
--check; python -m basedpyright ...; ruff check .; pylint src tests tools; }
2>&1 | tee "$LINT_LOG"`) or change to explicit chaining with `&&` between the
commands so any failure stops the pipeline, and ensure the `exit
"${PIPESTATUS[0]:-$?}"` logic still captures the correct non-zero status if
using the tee pipeline.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/unit/modules/test_bundle_import.py`:
- Line 16: Update the test function signature to use the precise
pytest.MonkeyPatch type rather than object: change the parameter annotation in
test_bootstrap_local_bundle_sources_honors_specfact_modules_repo_env from
monkeypatch: object to monkeypatch: pytest.MonkeyPatch and ensure pytest is
imported (or referenced) so the type resolves; this gives proper IDE/static
analysis support for the monkeypatch fixture.
- Around line 25-30: Test mutates global sys.path (via
bootstrap_local_bundle_sources and expected_src) without restoring it, causing
cross-test pollution; update the test to restore sys.path after the assertion by
either using pytest's monkeypatch.syspath_prepend(expected_src) before calling
bootstrap_local_bundle_sources(str(anchor)) so it auto-cleans, or capture a copy
of sys.path and wrap the call/assert in try/finally and restore the original
list in finally to ensure no leakage to other tests.

In `@tests/unit/workflows/test_trustworthy_green_checks.py`:
- Around line 48-60: The _load_hooks() helper currently assumes repos[0] is the
local repo; change it to find the repo mapping whose "repo" key equals "local"
(i.e., filter repos for entry.get("repo") == "local"), validate that such an
entry exists and is a dict, then extract its "hooks" list (hooks =
local_repo.get("hooks")) and keep the existing type/assert checks (typed_hooks,
cast, etc.); if no local repo is found, raise an assertion or descriptive error
so tests fail loudly instead of using the wrong repo.
- Around line 177-186: The test
test_legacy_actionlint_runner_does_not_mask_docker_failures uses a fragile
multi-line exact string match against LEGACY_ACTIONLINT_RUNNER; replace that
assertion with resilient semantic checks: read raw =
LEGACY_ACTIONLINT_RUNNER.read_text(...) and assert the presence of the docker
run invocation ("docker run --rm") and the docker healthcheck ("docker info
>/dev/null 2>&1"), assert that "tools/bin" is not present, and instead of exact
multiline matching ensure there is no unconditional "return 0" immediately
following the docker run by either using a regex that asserts "docker run" is
not followed later by "return 0" or by splitting raw and verifying the
sequence/relative order (docker run appears and any "return 0" does not occur
after it); update the assertions in
test_legacy_actionlint_runner_does_not_mask_docker_failures accordingly.

---

Outside diff comments:
In @.github/workflows/pr-orchestrator.yml:
- Around line 541-547: The brace group running multiple linters currently only
returns the last command's exit code (the `{ ... }` block ending in `pylint`),
so failures in earlier commands like `ruff format` or `ruff check` are ignored;
fix it by making the group fail fast—either add `set -e` at the start of the
group (`{ set -e; ruff format . --check; python -m basedpyright ...; ruff check
.; pylint src tests tools; } 2>&1 | tee "$LINT_LOG"`) or change to explicit
chaining with `&&` between the commands so any failure stops the pipeline, and
ensure the `exit "${PIPESTATUS[0]:-$?}"` logic still captures the correct
non-zero status if using the tee pipeline.

In `@src/specfact_cli/modules/_bundle_import.py`:
- Around line 16-17: The public function bootstrap_local_bundle_sources is
missing run-time type checking: add the `@beartype` decorator immediately above
the function definition (above the existing `@require`(_anchor_file_nonempty,
"anchor_file must not be empty")) to satisfy the guideline; if beartype is not
yet imported in this module, import beartype.beartype at the top of the file so
the decorator resolves. Ensure the decorator is applied to the
bootstrap_local_bundle_sources function (the same symbol referenced by `@require`)
and run tests/lint to confirm no import/name errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49441021-17ac-41c7-98d2-ef5892672ac1

📥 Commits

Reviewing files that changed from the base of the PR and between 35485ef and 2cd07a3.

📒 Files selected for processing (4)

• .github/workflows/pr-orchestrator.yml
• src/specfact_cli/modules/_bundle_import.py
• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Tests (Python 3.12)
• GitHub Check: Compatibility (Python 3.11)

🧰 Additional context used

📓 Path-based instructions (10)

**/*.py

📄 CodeRabbit inference engine (.cursorrules)

**/*.py: All public APIs must have @icontract decorators and @beartype type checking.
Commands should follow typer patterns with rich console output.
Use Pydantic models for all data structures to ensure data validation.
Write only high-value comments if at all. Avoid talking to the user through comments.
Use GPG-signed commits (git commit -S) when implementing changes in a worktree.

**/*.py: Use snake_case for file and module names
Use PascalCase for class names
Use UPPER_SNAKE_CASE for constants
Use Google-style docstrings
Set line length to 120 characters maximum
All data structures must use Pydantic BaseModel with Field(...) and descriptions
All public APIs must use @icontract decorators (@require, @ensure, @invariant) for contract-first development
All public APIs must use @beartype for runtime type checking
Only write high-value comments; avoid verbose or redundant commentary

**/*.py: No bare except or broad except Exception without re-raising or logging full context - use specific exceptions instead
Enforce consistent return types for public API methods - publishing/IO methods must return bool (True/False), not None
Prefer specific exceptions and re-raise after logging rather than swallowing exceptions
Limit function length to maximum 120 lines and cyclomatic complexity to maximum 12
Avoid filesystem operations with overly permissive modes - do not use 0o777 for mkdir/os.makedirs; use 0o755 or environment-controlled mode
Async / signal safety - signal handlers may only set a flag or call thread-safe routines; do not call asyncio.create_task directly from POSIX signal handlers

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-o...

Files:

• src/specfact_cli/modules/_bundle_import.py
• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

src/specfact_cli/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

Use from specfact_cli.common import get_bridge_logger for logging in production command paths; avoid print() in production code

Use from specfact_cli.common import get_bridge_logger for logging instead of print() in production command paths

Files:

• src/specfact_cli/modules/_bundle_import.py

---

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/modules/_bundle_import.py

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/clean-code-principles.mdc)

src/**/*.py: No direct print() calls in library modules - use LoggerSetup for structured logs and session IDs instead
Use centralized logging via LoggerSetup.get_logger or setup_logger - avoid module-level printing and ad-hoc log formatting
No side-effects at import time - avoid heavy I/O, network calls, or thread spawning on module import; only allow idempotent directory creation if documented

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks...

Files:

• src/specfact_cli/modules/_bundle_import.py

{src,tests}/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/session_startup_instructions.mdc)

Apply pylint src tests for linting before committing

Files:

• src/specfact_cli/modules/_bundle_import.py
• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• src/specfact_cli/modules/_bundle_import.py
• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

tests/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

tests/**/*.py: Test structure must mirror source with tests/unit/, tests/integration/, tests/e2e/ directories
Use @pytest.mark.asyncio decorator for async test functions
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"

tests/**/*.py: Secure secret redaction guaranteed - LoggerSetup.redact_secrets must be covered by unit tests for nested dicts and strings
Messaging coercion and strict validation - any use of MessagingStandardization.process_standardized_message must have tests validating coercion success/failure and metrics increments

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

tests/**/*.py: Use @pytest.mark.asyncio for async tests
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"
Test structure must mirror source structure: tests/unit/, tests/integration/, tests/e2e/

Files:

• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/modules/test_bundle_import.py
• tests/unit/workflows/test_trustworthy_green_checks.py

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Validate GitHub workflow files using hatch run lint-workflows before committing

.github/workflows/*.{yml,yaml}: Use actionlint for semantic validation of GitHub Actions workflows
Format GitHub Actions workflows using hatch run workflows-fmt and lint them with hatch run workflows-lint after editing

Files:

• .github/workflows/pr-orchestrator.yml

.github/workflows/!(tests).{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Files:

• .github/workflows/pr-orchestrator.yml

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: CI safety: secrets usage, workflow dependencies, alignment with hatch test / contract-test
gates, and action versions.

Files:

• .github/workflows/pr-orchestrator.yml

🧠 Learnings (33)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Record the contract or property that supersedes a removed test in the PR description

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Install actionlint locally, download to ./bin, or rely on Docker fallback for GitHub Actions workflow validation

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Use lazy-loaded module registry in `src/specfact_cli/modules/` with `module-package.yaml` metadata files and deferred imports until command invocation

Applied to files:

• src/specfact_cli/modules/_bundle_import.py
• tests/unit/modules/test_bundle_import.py

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to {pyproject.toml,setup.py,src/specfact_cli/__init__.py} : Sync version updates across `pyproject.toml`, `setup.py`, and `src/specfact_cli/__init__.py`

Applied to files:

• src/specfact_cli/modules/_bundle_import.py

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/test_*.py : Organize Python imports in tests using unittest.mock for Mock and patch

Applied to files:

• tests/unit/modules/test_bundle_import.py

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/!(tests).{yml,yaml} : Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Code changes modifying public API, state machine YAMLs, or generated state machine outputs MUST include unit tests, update docs/ and CHANGELOG.md, and include 'BREAKING' section in PR if public API changed

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/{quality-gates,contract-enforcement,contracts,no-escape-gating,integrated-ci}.{yml,yaml} : Dependent workflows must download the coverage.xml artifact from the Tests workflow and fail early if it is missing

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.md : Finish each output by listing which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Always work on feature/bugfix/hotfix branches and submit PRs; protect `dev` and `main` branches from direct commits

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: All changes must be made via Pull Requests to `dev` or `main`. Direct commits to protected branches are not allowed.

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.{py} : After any code changes, apply linting and formatting using `hatch run format`, perform type checking with `hatch run type-check` (basedpyright), run contract validation with `hatch run contract-test`, and run full test suite with `hatch test --cover -v`. Verify all tests pass and contracts are satisfied before committing.

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After implementing code changes in specfact-cli, run quality gates: `hatch run format`, `hatch run type-check`, `hatch run contract-test`, `hatch test` (or `hatch run smart-test`)

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Run `openspec validate <change-id> --strict` before implementing any code changes in specfact-cli to validate the OpenSpec change

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Read and apply `openspec/config.yaml` for project context (tech stack, constraints, architecture, SDD+TDD discipline) before any code modification in specfact-cli

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: For new code in specfact-cli using OpenSpec workflow, follow TDD discipline: write tests first, then implementation code

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Ensure an OpenSpec change (new or delta) exists for any code modification in specfact-cli (`src/`, `tools/`, tests, or significant docs) unless user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or similar

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run type checking with basedpyright on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Type checking must pass with no errors using: mypy .

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run linting with ruff and pylint on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(src|tests)/**/*.py : Linting must pass with no errors using: pylint src tests

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:38.156Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-03-25T21:32:38.156Z
Learning: Applies to {src,tests}/**/*.py : Apply `pylint src tests` for linting before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit-config still configures the local hook verify-module-signatures that runs the verifier script:

  • [.pre-commit-config.yaml:1-50] [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:1-50]

• pr-orchestrator workflow currently uses paths-ignore for docs-only changes (the PR removes these ignores) and contains the verify-module-signatures job referenced by the orchestrator:

  • [.github/workflows/pr-orchestrator.yml:1-220] — triggers include:
    • pull_request / push with paths-ignore "/*.md" and "docs/"
  • [.github/workflows/pr-orchestrator.yml: changes job and outputs] — sets outputs code_changed and skip_tests_dev_to_main using branch-name logic (PR tightens this to commit/merge-base parity)
  • [.github/workflows/pr-orchestrator.yml: verify-module-signatures job] — job named verify-module-signatures, runs scripts/verify-modules-signature.py and is required (needed by quality job) [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml:changes..verify-module-signatures]

• The verifier script exists and is exercised by workflows and docs:

  • [scripts/verify-modules-signature.py] — referenced by workflow and docs; workflow runs it with --require-signature and --enforce-version-bump [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py]
  • docs and docs/authoring reference the exact command expected by CI (several files under docs/authoring and docs/reference) [::nold-ai/specfact-cli-modules::docs/authoring/module-signing.md]

• Tests and tooling reference the verify hook and SPECFACT_MODULES_REPO:

  • tests/unit/test_pre_commit_quality_parity.py asserts presence of "verify-module-signatures" in hook ids [::nold-ai/specfact-cli-modules::tests/unit/test_pre_commit_quality_parity.py:1-80]
  • tests/conftest.py/pyproject.toml set or expect SPECFACT_MODULES_REPO in test environment (conftest sets default) — relevant to the bootstrap_local_bundle_sources change (PR adds honoring SPECFACT_MODULES_REPO in addition to SPECFACT_CLI_MODULES_REPO) [::nold-ai/specfact-cli-modules::tests/conftest.py:80-100] [::nold-ai/specfact-cli-modules::pyproject.toml:40-60]

• No .coderabbit.yaml present in this repo (so PR change to .coderabbit.yaml applies to other repo(s)) [repo root]

Potentially affected areas (from PR changes):

• Removing paths-ignore in pr-orchestrator will change when workflows run for docs-only PRs here.
• Reworking skip_tests_dev_to_main logic in orchestrator will affect the existing branch-name fast-path in this workflow (present now).
• Replacing/adding a local pre-commit hook specfact-smart-checks (and removing verify-module-signatures hook) will require updating .pre-commit-config.yaml and tests that assert the old hook id.
• scripts/verify-modules-signature.py is present and used; any changes to how module-signature verification is invoked or required check naming must remain consistent with this script and docs/tests.

🔇 Additional comments (13)

src/specfact_cli/modules/_bundle_import.py (1)

22-28: Well-structured dual-env-var discovery with deduplication—good cross-repo alignment.

The iteration over both SPECFACT_CLI_MODULES_REPO and SPECFACT_MODULES_REPO with explicit deduplication (if candidate not in candidates) ensures backward compatibility while enabling parity with the linked specfact-cli-modules repo (which uses SPECFACT_MODULES_REPO in its test fixtures). The early-continue on empty/unset vars is clean. This change strengthens the module bundling contract across repositories.

tests/unit/modules/test_bundle_import.py (1)

1-30: 🧹 Nitpick | 🔵 Trivial

Consider additional test scenarios for comprehensive coverage.

This test validates the SPECFACT_MODULES_REPO happy path well, but the contract surface includes several edge cases worth covering:

1. Both env vars set – verify precedence (SPECFACT_CLI_MODULES_REPO first) and deduplication when pointing to same repo
2. Invalid/non-existent path – confirm graceful fallback without crash
3. Empty string env var – verify it's treated as unset (the if not env_repo guard)

These would strengthen confidence in the cross-repo bootstrap contract, especially as the linked specfact-cli-modules repo depends on this behavior.

Would you like me to generate additional test cases covering these scenarios?

⛔ Skipped due to learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: For new code in specfact-cli using OpenSpec workflow, follow TDD discipline: write tests first, then implementation code

tests/unit/workflows/test_trustworthy_green_checks.py (5)

119-121: Exact condition string matching remains fragile.

The assertions check for exact strings like "needs.changes.outputs.skip_tests_dev_to_main == 'true'". This was flagged in a previous review as susceptible to breakage from minor formatting changes (spaces, quote style). Consider using substring or normalized matching.

---

63-72: Correct validation of "fails closed" trigger semantics.

This test ensures required checks emit statuses on every commit, including docs-only changes. The removal of paths-ignore is critical for branch protection—GitHub requires status checks to exist before they can block merges.

---

75-101: Comprehensive "fails closed" enforcement across required jobs.

This test serves as an architectural guardrail—it prevents future contributors from accidentally reintroducing failure-masking patterns. The check for both YAML-level continue-on-error and shell-level || echo patterns covers the common escape hatches.

---

124-138: Advisory naming convention and CLI command path validation.

These tests enforce two important architectural contracts: (1) advisory jobs advertise their non-blocking nature in the check name, preventing confusion in GitHub's merge UI; (2) the specfact code repro command path reflects the Typer group hierarchy, ensuring the CLI surface area remains coherent.

---

141-151: Cross-repo check name consistency is critical for branch protection.

GitHub branch protection rules match on exact check names. This test ensures both pr-orchestrator.yml and sign-modules.yml emit "Verify Module Signatures" identically—preventing silent branch protection bypasses when one workflow runs but not the other.

.github/workflows/pr-orchestrator.yml (6)

28-64: Well-structured output separation for workflow vs. code changes.

The introduction of workflow_changed as a distinct signal from code_changed enables conditional workflow linting without triggering unnecessary code validation. The shell-level normalization (${VAR:-}) ensures robust handling across event types where PR context may be absent.

---

65-86: Parity proof hardens the dev→main fast-path with commit-level verification.

This is a strong architectural improvement. The previous branch-name-only check could skip validation when dev and main had diverged. The merge-base parity proof ensures the skip only activates when main is a strict ancestor of dev—the only scenario where tests genuinely passed on identical code.

---

325-328: Correct failure propagation through pipeline.

Using exit "${PIPESTATUS[0]:-$?}" after piping to tee ensures the job fails when hatch fails, rather than silently succeeding because tee succeeded. This aligns with the "fails closed" requirement for required checks.

---

381-383: Stable grouped repro command path with proper failure propagation.

The command path specfact code repro aligns with the CLI's Typer group structure, and the --crosshair-required flag ensures contract validation doesn't silently degrade. Combined with PIPESTATUS propagation, this ensures CrossHair failures block the pipeline.

---

419-423: CLI validation simplified to essential smoke test.

The validation now cleanly verifies the CLI is installable and responds to --help without masking failures. This is the appropriate scope for a smoke test—deeper validation belongs in the test suite.

---

146-150: Go 1.24 is a valid, released version and will work with the setup-go action. However, as of March 2026, Go 1.26.1 is the current stable release. Consider updating to go-version: "1.26" to maintain current actionlint compatibility and receive the latest security patches, unless there's a specific reason to pin to 1.24.

			> Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

tests/unit/workflows/test_trustworthy_green_checks.py (2)

48-60: 🧹 Nitpick | 🔵 Trivial

Hook loader assumes first repo is the local repo—fragile to config reordering.

The _load_hooks() function assumes repos[0] contains the local hooks. If .pre-commit-config.yaml is restructured (e.g., a remote repo is added first), this test will silently validate the wrong hooks without failing.

For long-term maintainability and contract clarity, filter by repo: local explicitly:

♻️ More robust hook extraction

 def _load_hooks() -> list[dict[str, Any]]:
     config = _load_yaml(PRE_COMMIT_CONFIG)
     repos = config.get("repos")
     assert isinstance(repos, list) and repos, "Expected repos list in .pre-commit-config.yaml"
-    local_repo = repos[0]
-    assert isinstance(local_repo, dict), "Expected first pre-commit repo entry to be a mapping"
+    local_repos = [r for r in repos if isinstance(r, dict) and r.get("repo") == "local"]
+    assert local_repos, "Expected local repo entry in .pre-commit-config.yaml"
+    local_repo = local_repos[0]
     hooks = local_repo.get("hooks")
     assert isinstance(hooks, list), "Expected hooks list in .pre-commit-config.yaml"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/workflows/test_trustworthy_green_checks.py` around lines 48 - 60,
The _load_hooks() helper currently picks repos[0] which is fragile; update
_load_hooks() to search the loaded config's repos list for an entry where repo
== "local" (or repo field equals "local") instead of assuming index 0, raise a
clear assertion/error if no local repo is found, then extract and validate its
"hooks" exactly as before (keep the typed_hooks creation and casts) so tests
always operate on the explicit local repo from PRE_COMMIT_CONFIG.

---

188-198: 🧹 Nitpick | 🔵 Trivial

Multi-line exact string matching is fragile to whitespace changes.

The assertion on lines 192-195 checks for an exact multi-line string including newlines and indentation. Any formatting change to run_actionlint.sh (e.g., reformatting, different indentation) will break this test even if behavior is preserved.

Consider checking semantic invariants separately rather than exact string matching:

♻️ More resilient Docker failure-masking check

 def test_legacy_actionlint_runner_does_not_mask_docker_failures() -> None:
     """The legacy actionlint wrapper must fail cleanly when Docker is unusable."""
     raw = LEGACY_ACTIONLINT_RUNNER.read_text(encoding="utf-8")
     assert "docker run --rm \\" in raw
-    assert (
-        'docker run --rm \\\n      -v "$REPO_ROOT":/repo \\\n      -w /repo \\\n      "$DOCKER_IMAGE" -no-color\n    return 0'
-        not in raw
-    )
+    # Ensure docker run is not immediately followed by unconditional return 0 (failure masking)
+    import re
+    docker_then_return = re.search(r'docker run.*?\n\s*return 0', raw, re.DOTALL)
+    assert docker_then_return is None, "Docker failures must not be masked with unconditional return 0"
     assert "docker info >/dev/null 2>&1" in raw
     assert "tools/bin" not in raw
     assert "go install github.com/rhysd/actionlint/cmd/actionlint@latest" in raw

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/workflows/test_trustworthy_green_checks.py` around lines 188 -
198, The test test_legacy_actionlint_runner_does_not_mask_docker_failures uses
an exact multi-line string match on LEGACY_ACTIONLINT_RUNNER.read_text(), which
is fragile to whitespace/indent changes; instead, read the content into a single
string and assert semantic invariants separately (e.g., check for the docker run
invocation fragment "docker run --rm", the presence of the docker-info check
"docker info >/dev/null 2>&1", absence of "tools/bin", and presence of the go
install line) or normalize whitespace (collapse sequences of
whitespace/newlines) before doing an equality/contains check; update the
assertions around LEGACY_ACTIONLINT_RUNNER and the multi-line block to use
either multiple substring assertions or a regex that tolerates varying
indentation so the test verifies behavior not exact formatting.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md`:
- Line 159: The file TDD_EVIDENCE.md is missing a final newline (violates
MD047); open the file and add a single trailing newline character after the last
line containing "**Status:** ✅ Actionlint installation strategy aligned with
repo expectations and re-verified." so the file ends with a blank line, save and
commit the change to satisfy the markdownlint rule.

---

Duplicate comments:
In `@tests/unit/workflows/test_trustworthy_green_checks.py`:
- Around line 48-60: The _load_hooks() helper currently picks repos[0] which is
fragile; update _load_hooks() to search the loaded config's repos list for an
entry where repo == "local" (or repo field equals "local") instead of assuming
index 0, raise a clear assertion/error if no local repo is found, then extract
and validate its "hooks" exactly as before (keep the typed_hooks creation and
casts) so tests always operate on the explicit local repo from
PRE_COMMIT_CONFIG.
- Around line 188-198: The test
test_legacy_actionlint_runner_does_not_mask_docker_failures uses an exact
multi-line string match on LEGACY_ACTIONLINT_RUNNER.read_text(), which is
fragile to whitespace/indent changes; instead, read the content into a single
string and assert semantic invariants separately (e.g., check for the docker run
invocation fragment "docker run --rm", the presence of the docker-info check
"docker info >/dev/null 2>&1", absence of "tools/bin", and presence of the go
install line) or normalize whitespace (collapse sequences of
whitespace/newlines) before doing an equality/contains check; update the
assertions around LEGACY_ACTIONLINT_RUNNER and the multi-line block to use
either multiple substring assertions or a regex that tolerates varying
indentation so the test verifies behavior not exact formatting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f1e04cf-99c8-414f-b944-a6d4e4633ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 2cd07a3 and e75a94c.

📒 Files selected for processing (3)

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md
• scripts/run_actionlint.sh
• tests/unit/workflows/test_trustworthy_green_checks.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (9)

**/*.py

📄 CodeRabbit inference engine (.cursorrules)

**/*.py: All public APIs must have @icontract decorators and @beartype type checking.
Commands should follow typer patterns with rich console output.
Use Pydantic models for all data structures to ensure data validation.
Write only high-value comments if at all. Avoid talking to the user through comments.
Use GPG-signed commits (git commit -S) when implementing changes in a worktree.

**/*.py: Use snake_case for file and module names
Use PascalCase for class names
Use UPPER_SNAKE_CASE for constants
Use Google-style docstrings
Set line length to 120 characters maximum
All data structures must use Pydantic BaseModel with Field(...) and descriptions
All public APIs must use @icontract decorators (@require, @ensure, @invariant) for contract-first development
All public APIs must use @beartype for runtime type checking
Only write high-value comments; avoid verbose or redundant commentary

**/*.py: No bare except or broad except Exception without re-raising or logging full context - use specific exceptions instead
Enforce consistent return types for public API methods - publishing/IO methods must return bool (True/False), not None
Prefer specific exceptions and re-raise after logging rather than swallowing exceptions
Limit function length to maximum 120 lines and cyclomatic complexity to maximum 12
Avoid filesystem operations with overly permissive modes - do not use 0o777 for mkdir/os.makedirs; use 0o755 or environment-controlled mode
Async / signal safety - signal handlers may only set a flag or call thread-safe routines; do not call asyncio.create_task directly from POSIX signal handlers

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-o...

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

tests/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

tests/**/*.py: Test structure must mirror source with tests/unit/, tests/integration/, tests/e2e/ directories
Use @pytest.mark.asyncio decorator for async test functions
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"

tests/**/*.py: Secure secret redaction guaranteed - LoggerSetup.redact_secrets must be covered by unit tests for nested dicts and strings
Messaging coercion and strict validation - any use of MessagingStandardization.process_standardized_message must have tests validating coercion success/failure and metrics increments

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

tests/**/*.py: Use @pytest.mark.asyncio for async tests
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"
Test structure must mirror source structure: tests/unit/, tests/integration/, tests/e2e/

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

{src,tests}/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/session_startup_instructions.mdc)

Apply pylint src tests for linting before committing

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/workflows/test_trustworthy_green_checks.py

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

**/*.md: Finish each output by listing which rulesets have been applied (e.g., .cursorrules, AGENTS.md, specific .cursor/rules/*.mdc), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.
Follow markdown linting rules to avoid markdown linting errors (via markdown-rules).

Files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

openspec/changes/*/TDD_EVIDENCE.md

📄 CodeRabbit inference engine (AGENTS.md)

Create/update openspec/changes/<change-id>/TDD_EVIDENCE.md with test command(s), timestamp, and failure/pass summary before and after implementation

Files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

🧠 Learnings (25)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Install actionlint locally, download to ./bin, or rely on Docker fallback for GitHub Actions workflow validation

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Install actionlint locally, download to ./bin, or rely on Docker fallback for GitHub Actions workflow validation

Applied to files:

• scripts/run_actionlint.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Applied to files:

• scripts/run_actionlint.sh

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/!(tests).{yml,yaml} : Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.{py} : After any code changes, apply linting and formatting using `hatch run format`, perform type checking with `hatch run type-check` (basedpyright), run contract validation with `hatch run contract-test`, and run full test suite with `hatch test --cover -v`. Verify all tests pass and contracts are satisfied before committing.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py
• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/{quality-gates,contract-enforcement,contracts,no-escape-gating,integrated-ci}.{yml,yaml} : Dependent workflows must download the coverage.xml artifact from the Tests workflow and fail early if it is missing

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Applies to openspec/changes/*/TDD_EVIDENCE.md : Create/update `openspec/changes/<change-id>/TDD_EVIDENCE.md` with test command(s), timestamp, and failure/pass summary before and after implementation

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to TDD_EVIDENCE.md : For tasks involving behavior changes, create and update `TDD_EVIDENCE.md` per AGENTS.md 'Hard Gate: Strict TDD Order', recording failing test evidence before implementation and passing test evidence after implementation.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:22.997Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-25T21:31:22.997Z
Learning: Implement strict TDD order: update/add spec deltas first → add/modify tests mapped to spec scenarios → run tests and capture failing result → only then modify production code → re-run tests and quality gates until passing; record evidence in `openspec/changes/<change-id>/TDD_EVIDENCE.md`

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Ensure an OpenSpec change (new or delta) exists for any code modification in specfact-cli (`src/`, `tools/`, tests, or significant docs) unless user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or similar

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: For new code in specfact-cli using OpenSpec workflow, follow TDD discipline: write tests first, then implementation code

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:55.908Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/estimation-bias-prevention.mdc:0-0
Timestamp: 2026-03-25T21:31:55.908Z
Learning: Use TDD with quality gates (contract-driven, test-driven implementation, quality gate validation, documentation) as the standard development pattern

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.md : Finish each output by listing which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Headers should increment by one level at a time (MD001: Header Increment)

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After implementing code changes in specfact-cli, run quality gates: `hatch run format`, `hatch run type-check`, `hatch run contract-test`, `hatch test` (or `hatch run smart-test`)

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

🪛 markdownlint-cli2 (0.22.0)

openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md

[warning] 159-159: Files should end with a single newline character

(MD047, single-trailing-newline)

🔀 Multi-repo context nold-ai/specfact-cli-modules

nold-ai/specfact-cli-modules

• .pre-commit-config.yaml defines a local hook id verify-module-signatures that runs the verifier script (entry: hatch run ./scripts/verify-modules-signature.py ...) — this will conflict with the PR's change that removes/renames that hook to specfact-smart-checks. [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:1-20]

• .github/workflows/pr-orchestrator.yml currently includes paths-ignore for "/*.md" and "docs/" on pull_request and push triggers; the PR removes those ignores so this repo will start receiving CI runs on docs-only changes. The workflow also contains the verify-module-signatures job and quality job that depend on it and on changes.outputs.* (skip_tests_dev_to_main logic present). PR tightens skip_tests_dev_to_main behavior — expect behavior differences for dev→main fast-paths here. [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml:1-240]

• scripts/verify-modules-signature.py is present and used directly by the workflow (with --require-signature --enforce-version-bump). Any workflow/hook renames must keep this invocation consistent. [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py:1-240]

• tests reference the verify-module-signatures hook:

  • tests/unit/test_pre_commit_quality_parity.py asserts presence of "verify-module-signatures" in hook_ids — this test will fail if the hook id is removed/renamed without updating the test. [::nold-ai/specfact-cli-modules::tests/unit/test_pre_commit_quality_parity.py:1-80]

• tests/conftest.py sets/uses SPECFACT_MODULES_REPO (os.environ.setdefault("SPECFACT_MODULES_REPO", ...)) — PR change in core repo that makes bootstrap_local_bundle_sources honor SPECFACT_MODULES_REPO is relevant (consumers/tests here already rely on that env var). [::nold-ai/specfact-cli-modules::tests/conftest.py:1-140]

• docs/authoring/module-signing.md documents the verify-module-signatures job/command — documentation and workflow/test naming must remain aligned. [::nold-ai/specfact-cli-modules::docs/authoring/module-signing.md:129]

Summary: This repo still uses the verify-module-signatures pre-commit hook and workflow job, has paths-ignore in pr-orchestrator (which the PR removes), and its tests/docs expect the current hook/job naming and SPECFACT_MODULES_REPO behavior. These are direct cross-repo touchpoints the PR will affect; update tests/docs/workflows here if hook/job names or workflow trigger behavior change.

🔇 Additional comments (6)

openspec/changes/ci-02-trustworthy-green-checks/TDD_EVIDENCE.md (1)

53-132: TDD evidence structure is well-documented and traceable.

The new evidence blocks follow the spec-first → test-first → implementation sequence required by the project's TDD discipline. The pre-implementation expected failures (workflow policy, actionlint fallback) and post-implementation success (remediation slice) provide the audit trail necessary for OpenSpec traceability.

The inclusion of explicit commit-parity proof expectations and the dev→main skip logic hardening aligns with the trustworthy green-check specification. This documentation will be valuable for future maintainers understanding why these gates exist.

scripts/run_actionlint.sh (1)

1-51: Clean control flow with explicit failure semantics—well-aligned with trustworthy green-check goals.

The three-tier fallback (run_installed_binary → run_with_docker → hard failure) implements "fail closed" behavior correctly:

1. Binary check (lines 14-20): Fast path when actionlint is globally installed
2. Docker check (lines 22-36): Validates daemon reachability before attempting container execution—this addresses the previous silent bypass issue
3. Hard failure (lines 46-51): Exit code 2 with actionable install guidance

The exit code propagates cleanly through scripts/yaml-tools.sh (which calls this without error suppression), ensuring CI gates fail visibly rather than silently passing.

Cross-repo consideration: The linked repository nold-ai/specfact-cli-modules may need aligned tooling expectations if contributors run workflow linting locally. Based on learnings, actionlint installation should be documented in contributor guides for both repositories.

tests/unit/workflows/test_trustworthy_green_checks.py (4)

63-102: Well-structured workflow policy assertions with clear failure semantics.

The tests for paths-ignore removal (lines 71-72) and fail-closed behavior (lines 75-101) directly enforce the trustworthy green-check specification. The iteration over required_jobs with explicit assertions against continue-on-error and || echo patterns provides comprehensive coverage of failure-swallowing anti-patterns.

This test design makes it impossible to accidentally re-introduce failure masking without test failures—exactly the kind of contract enforcement needed for CI gate integrity.

---

104-132: Parity proof verification is appropriately rigorous.

The test validates that dev→main release skips are gated by commit-parity proof (git merge-base or git rev-parse) rather than naive branch-name matching. The normalized condition matching (lines 121-132) addresses the previous fragility concern about exact string format matching.

This ensures the fast-path optimization cannot be exploited to bypass validation when commits diverge.

---

152-162: Canonical naming check prevents check-name drift between workflows.

The assertion that both pr-orchestrator.yml and sign-modules.yml emit identical check names ("Verify Module Signatures") is critical for branch protection rule consistency. GitHub's required status checks match on exact name strings, so any casing or naming drift would silently break merge gates.

Cross-repo note: The linked repository nold-ai/specfact-cli-modules also references verify-module-signatures in tests and workflows. If the canonical name changes, tests in that repository will need updates. Based on linked repositories context, tests/unit/test_pre_commit_quality_parity.py in the modules repo asserts presence of "verify-module-signatures" in hook_ids.

---

21-34: YAML 1.1 on coercion handling is a subtle but necessary detail.

The _workflow_on_block() helper correctly handles the YAML 1.1 quirk where on: is parsed as boolean True. This is the kind of defensive coding that prevents mysterious test failures when PyYAML's default loader encounters GitHub Actions workflow files.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/unit/migration/test_module_migration_07_cleanup.py (1)

20-27: ⚠️ Potential issue | 🟠 Major

Narrow the exception instead of exempting the entire test file

At Line 26, adding test_bundle_import.py to allowed_files bypasses all legacy-import checks for that file. That weakens this migration gate and can hide unrelated regressions later. Please keep the file scanned and allow only specfact_cli.modules._bundle_import in removed_module_pattern.

Suggested patch

@@
     allowed_files = {
         root / "tests" / "unit" / "registry" / "test_cross_bundle_imports.py",
         root / "tests" / "unit" / "test_core_module_isolation.py",
         root / "tests" / "unit" / "models" / "test_module_package_metadata.py",
         root / "tests" / "unit" / "migration" / "test_module_migration_07_cleanup.py",
         root / "tests" / "unit" / "specfact_cli" / "test_module_migration_compatibility.py",
-        root / "tests" / "unit" / "modules" / "test_bundle_import.py",
     }
-    removed_module_pattern = re.compile(r"specfact_cli\.modules\.(?!init\.|module_registry\.|upgrade\.)")
+    removed_module_pattern = re.compile(
+        r"specfact_cli\.modules\.(?!init\.|module_registry\.|upgrade\.|_bundle_import\.)"
+    )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/migration/test_module_migration_07_cleanup.py` around lines 20 -
27, The test currently weakens the migration gate by adding
"test_bundle_import.py" to allowed_files which exempts the entire file from
legacy-import checks; instead remove that file from the allowed_files set and
keep it scanned, and update the removed_module_pattern to permit only the
specific legacy symbol "specfact_cli.modules._bundle_import" (not the whole
file) so other legacy imports in test_bundle_import.py still fail the gate;
locate the allowed_files set and the removed_module_pattern variable in this
test (and adjust the pattern to exactly match
specfact_cli.modules._bundle_import).

♻️ Duplicate comments (2)

tests/unit/workflows/test_trustworthy_green_checks.py (2)

48-60: 🧹 Nitpick | 🔵 Trivial

Hook loader assumes first repo is the local repo.

The _load_hooks() function assumes repos[0] contains the local hooks. If the .pre-commit-config.yaml structure changes (e.g., adds a remote repo first), this will silently test the wrong hooks. Consider filtering by repo: local instead.

♻️ More robust hook extraction

 def _load_hooks() -> list[dict[str, Any]]:
     config = _load_yaml(PRE_COMMIT_CONFIG)
     repos = config.get("repos")
     assert isinstance(repos, list) and repos, "Expected repos list in .pre-commit-config.yaml"
-    local_repo = repos[0]
-    assert isinstance(local_repo, dict), "Expected first pre-commit repo entry to be a mapping"
+    local_repos = [r for r in repos if isinstance(r, dict) and r.get("repo") == "local"]
+    assert local_repos, "Expected local repo entry in .pre-commit-config.yaml"
+    local_repo = local_repos[0]
     hooks = local_repo.get("hooks")
     assert isinstance(hooks, list), "Expected hooks list in .pre-commit-config.yaml"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/workflows/test_trustworthy_green_checks.py` around lines 48 - 60,
The _load_hooks() helper currently uses repos[0] which can pick a non-local
repo; instead locate the entry where repo == "local" (filter the repos list for
dict entries with repo key equal to "local") and use its "hooks" value; update
references to local_repo and hooks accordingly and raise a clear assertion/error
if no local repo is found or if its hooks are missing to avoid silently testing
the wrong hooks.

---

188-198: 🧹 Nitpick | 🔵 Trivial

Multi-line exact string matching remains fragile.

The assertion on lines 192-195 checks for an exact multi-line string including newlines and indentation. Any whitespace change to run_actionlint.sh will break this test even if the behavior is preserved. Consider checking for the semantic invariants separately.

♻️ More resilient Docker failure-masking check

 def test_legacy_actionlint_runner_does_not_mask_docker_failures() -> None:
     """The legacy actionlint wrapper must fail cleanly when Docker is unusable."""
     raw = LEGACY_ACTIONLINT_RUNNER.read_text(encoding="utf-8")
     assert "docker run --rm \\" in raw
-    assert (
-        'docker run --rm \\\n      -v "$REPO_ROOT":/repo \\\n      -w /repo \\\n      "$DOCKER_IMAGE" -no-color\n    return 0'
-        not in raw
-    )
+    # Ensure docker run is not followed by unconditional return 0 (failure masking)
+    import re
+    docker_then_return = re.search(r'docker run[^\n]*\n\s*return 0', raw)
+    assert docker_then_return is None, "Docker failures must not be masked with unconditional return 0"
     assert "docker info >/dev/null 2>&1" in raw
     assert "tools/bin" not in raw
     assert "go install github.com/rhysd/actionlint/cmd/actionlint@latest" in raw

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/workflows/test_trustworthy_green_checks.py` around lines 188 -
198, The test uses a fragile exact multi-line string match; change
test_legacy_actionlint_runner_does_not_mask_docker_failures to assert the
semantic invariants instead of matching exact whitespace: read
LEGACY_ACTIONLINT_RUNNER into raw, then check for presence/absence of smaller,
stable substrings (e.g. assert "docker run --rm \\" in raw, assert '-v
"$REPO_ROOT":/repo' in raw or use a regex like r'docker run
--rm\s*\\.*-v\s*"\$REPO_ROOT":/repo' to tolerate whitespace, and replace the
long multi-line negative assertion with checks that '"$DOCKER_IMAGE" -no-color'
is not present together with the specific combined volume/workdir flags); keep
using LEGACY_ACTIONLINT_RUNNER and
test_legacy_actionlint_runner_does_not_mask_docker_failures to locate the
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@tests/unit/migration/test_module_migration_07_cleanup.py`:
- Around line 20-27: The test currently weakens the migration gate by adding
"test_bundle_import.py" to allowed_files which exempts the entire file from
legacy-import checks; instead remove that file from the allowed_files set and
keep it scanned, and update the removed_module_pattern to permit only the
specific legacy symbol "specfact_cli.modules._bundle_import" (not the whole
file) so other legacy imports in test_bundle_import.py still fail the gate;
locate the allowed_files set and the removed_module_pattern variable in this
test (and adjust the pattern to exactly match
specfact_cli.modules._bundle_import).

---

Duplicate comments:
In `@tests/unit/workflows/test_trustworthy_green_checks.py`:
- Around line 48-60: The _load_hooks() helper currently uses repos[0] which can
pick a non-local repo; instead locate the entry where repo == "local" (filter
the repos list for dict entries with repo key equal to "local") and use its
"hooks" value; update references to local_repo and hooks accordingly and raise a
clear assertion/error if no local repo is found or if its hooks are missing to
avoid silently testing the wrong hooks.
- Around line 188-198: The test uses a fragile exact multi-line string match;
change test_legacy_actionlint_runner_does_not_mask_docker_failures to assert the
semantic invariants instead of matching exact whitespace: read
LEGACY_ACTIONLINT_RUNNER into raw, then check for presence/absence of smaller,
stable substrings (e.g. assert "docker run --rm \\" in raw, assert '-v
"$REPO_ROOT":/repo' in raw or use a regex like r'docker run
--rm\s*\\.*-v\s*"\$REPO_ROOT":/repo' to tolerate whitespace, and replace the
long multi-line negative assertion with checks that '"$DOCKER_IMAGE" -no-color'
is not present together with the specific combined volume/workdir flags); keep
using LEGACY_ACTIONLINT_RUNNER and
test_legacy_actionlint_runner_does_not_mask_docker_failures to locate the
change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 55fa1ca6-0536-4cb8-b697-984fd5f19225

📥 Commits

Reviewing files that changed from the base of the PR and between e75a94c and fb5fe70.

📒 Files selected for processing (3)

• .github/workflows/pr-orchestrator.yml
• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (8)

**/*.py

📄 CodeRabbit inference engine (.cursorrules)

**/*.py: All public APIs must have @icontract decorators and @beartype type checking.
Commands should follow typer patterns with rich console output.
Use Pydantic models for all data structures to ensure data validation.
Write only high-value comments if at all. Avoid talking to the user through comments.
Use GPG-signed commits (git commit -S) when implementing changes in a worktree.

**/*.py: Use snake_case for file and module names
Use PascalCase for class names
Use UPPER_SNAKE_CASE for constants
Use Google-style docstrings
Set line length to 120 characters maximum
All data structures must use Pydantic BaseModel with Field(...) and descriptions
All public APIs must use @icontract decorators (@require, @ensure, @invariant) for contract-first development
All public APIs must use @beartype for runtime type checking
Only write high-value comments; avoid verbose or redundant commentary

**/*.py: No bare except or broad except Exception without re-raising or logging full context - use specific exceptions instead
Enforce consistent return types for public API methods - publishing/IO methods must return bool (True/False), not None
Prefer specific exceptions and re-raise after logging rather than swallowing exceptions
Limit function length to maximum 120 lines and cyclomatic complexity to maximum 12
Avoid filesystem operations with overly permissive modes - do not use 0o777 for mkdir/os.makedirs; use 0o755 or environment-controlled mode
Async / signal safety - signal handlers may only set a flag or call thread-safe routines; do not call asyncio.create_task directly from POSIX signal handlers

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-o...

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

tests/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

tests/**/*.py: Test structure must mirror source with tests/unit/, tests/integration/, tests/e2e/ directories
Use @pytest.mark.asyncio decorator for async test functions
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"

tests/**/*.py: Secure secret redaction guaranteed - LoggerSetup.redact_secrets must be covered by unit tests for nested dicts and strings
Messaging coercion and strict validation - any use of MessagingStandardization.process_standardized_message must have tests validating coercion success/failure and metrics increments

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

tests/**/*.py: Use @pytest.mark.asyncio for async tests
Guard environment-sensitive logic with os.environ.get("TEST_MODE") == "true"
Test structure must mirror source structure: tests/unit/, tests/integration/, tests/e2e/

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

{src,tests}/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/session_startup_instructions.mdc)

Apply pylint src tests for linting before committing

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• tests/unit/workflows/test_trustworthy_green_checks.py

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Validate GitHub workflow files using hatch run lint-workflows before committing

.github/workflows/*.{yml,yaml}: Use actionlint for semantic validation of GitHub Actions workflows
Format GitHub Actions workflows using hatch run workflows-fmt and lint them with hatch run workflows-lint after editing

Files:

• .github/workflows/pr-orchestrator.yml

.github/workflows/!(tests).{yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Files:

• .github/workflows/pr-orchestrator.yml

.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: CI safety: secrets usage, workflow dependencies, alignment with hatch test / contract-test
gates, and action versions.

Files:

• .github/workflows/pr-orchestrator.yml

🧠 Learnings (32)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Ensure an OpenSpec change (new or delta) exists for any code modification in specfact-cli (`src/`, `tools/`, tests, or significant docs) unless user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or similar

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After implementing code changes in specfact-cli, run quality gates: `hatch run format`, `hatch run type-check`, `hatch run contract-test`, `hatch test` (or `hatch run smart-test`)

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After code implementation in specfact-cli, create or update corresponding GitHub issue with title `[Change] <Brief Description>`, labels `enhancement` and `change-proposal` if targeting public repo, and update `proposal.md` Source Tracking section with issue number, URL, repository, and status

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Ensure an OpenSpec change (new or delta) exists for any code modification in specfact-cli (`src/`, `tools/`, tests, or significant docs) unless user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or similar

Applied to files:

• tests/unit/migration/test_module_migration_07_cleanup.py
• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Use lazy-loaded module registry in `src/specfact_cli/modules/` with `module-package.yaml` metadata files and deferred imports until command invocation

Applied to files:

• tests/unit/migration/test_module_migration_07_cleanup.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/!(tests).{yml,yaml} : Do not re-run the full test suite in other CI workflows; tests are enforced only in the dedicated Tests workflow (.github/workflows/tests.yml)

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Code changes modifying public API, state machine YAMLs, or generated state machine outputs MUST include unit tests, update docs/ and CHANGELOG.md, and include 'BREAKING' section in PR if public API changed

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-30T00:25:28.054Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-30T00:25:28.054Z
Learning: Always work on feature/bugfix/hotfix branches and submit PRs; protect `dev` and `main` branches from direct commits

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: All changes must be made via Pull Requests to `dev` or `main`. Direct commits to protected branches are not allowed.

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Before executing any workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform a pre-execution checklist: verify Git Worktree creation, TDD evidence documentation, user-facing documentation updates, module signing verification, and confirm AGENTS.md compliance.

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/{quality-gates,contract-enforcement,contracts,no-escape-gating,integrated-ci}.{yml,yaml} : Dependent workflows must download the coverage.xml artifact from the Tests workflow and fail early if it is missing

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.md : Finish each output by listing which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), confirm Git Worktree Policy compliance if applicable, and state the AI provider and model version being used.

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: When creating implementation plans or OpenSpec tasks.md, explicitly verify and include: worktree creation from `origin/dev`, `hatch env create` in the worktree, pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), and worktree cleanup steps post-merge.

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:01.827Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-03-25T21:31:01.827Z
Learning: Applies to **/*.{py} : After any code changes, apply linting and formatting using `hatch run format`, perform type checking with `hatch run type-check` (basedpyright), run contract validation with `hatch run contract-test`, and run full test suite with `hatch test --cover -v`. Verify all tests pass and contracts are satisfied before committing.

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Use `hatch test` command for running tests instead of direct pytest usage to ensure proper Python matrix, dependency resolution, environment variables, and coverage reports

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• .github/workflows/pr-orchestrator.yml
• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: After implementing code changes in specfact-cli, run quality gates: `hatch run format`, `hatch run type-check`, `hatch run contract-test`, `hatch test` (or `hatch run smart-test`)

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Run `openspec validate <change-id> --strict` before implementing any code changes in specfact-cli to validate the OpenSpec change

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: Read and apply `openspec/config.yaml` for project context (tech stack, constraints, architecture, SDD+TDD discipline) before any code modification in specfact-cli

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:33.886Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-03-25T21:31:33.886Z
Learning: For new code in specfact-cli using OpenSpec workflow, follow TDD discipline: write tests first, then implementation code

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run type checking with basedpyright on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Type checking must pass with no errors using: mypy .

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Run linting with ruff and pylint on all Python files

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(src|tests)/**/*.py : Linting must pass with no errors using: pylint src tests

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:32:38.156Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-03-25T21:32:38.156Z
Learning: Applies to {src,tests}/**/*.py : Apply `pylint src tests` for linting before committing

Applied to files:

• .github/workflows/pr-orchestrator.yml

📚 Learning: 2026-03-25T21:31:47.109Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/clean-code-principles.mdc:0-0
Timestamp: 2026-03-25T21:31:47.109Z
Learning: Enforce pre-commit and CI gating with checks for: black, isort, mypy, flake8 (with B/C plugins), radon complexity, state-machine sync tests, and rejection of PRs lacking test files when src/ is modified

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• tests/unit/workflows/test_trustworthy_green_checks.py

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit-config.yaml — local hook id verify-module-signatures is defined and invoked (entry: hatch run ./scripts/verify-modules-signature.py --require-signature --payload-from-filesystem --enforce-version-bump). PR renames/removes that hook in core repo; this repo will need its pre-commit config aligned if core changes land. [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml]

• .github/workflows/pr-orchestrator.yml — workflow currently has paths-ignore for "/*.md" and "docs/" on pull_request/push and defines a verify-module-signatures job that runs python scripts/verify-modules-signature.py .... The PR removes those ignores and changes skip/skip_tests_dev_to_main logic and job gating; expect behavioral changes here (docs-only PRs will trigger CI; skip fast-path logic differs). [::nold-ai/specfact-cli-modules::.github/workflows/pr-orchestrator.yml]

• scripts/verify-modules-signature.py — verifier script exists in this repo and is directly invoked by the orchestrator workflow and by the pre-commit hook; any renaming of hook IDs or workflow job names in the core repo must preserve this invocation or update callers. [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py]

• tests/unit/test_pre_commit_quality_parity.py — test asserts presence of "verify-module-signatures" in hook ids; changing/removing that hook id in the core repo will cause this test to fail here until updated. [::nold-ai/specfact-cli-modules::tests/unit/test_pre_commit_quality_parity.py:29]

• tests/conftest.py — test suite sets/uses SPECFACT_MODULES_REPO and contains logic to locate a sibling specfact-cli repo; core PR change that makes bootstrap honor SPECFACT_MODULES_REPO is relevant and compatible with tests here. [::nold-ai/specfact-cli-modules::tests/conftest.py]

• docs/authoring/module-signing.md — documents the verify-module-signatures job and the exact verifier command; documentation will need updating if workflow/job/hook names or invocations change. [::nold-ai/specfact-cli-modules::docs/authoring/module-signing.md: CI Enforcement section]

Summary: This repository directly uses the verify-module-signatures hook/job/script and has tests/docs that assert the hook/job name and invocation. The PR's removal/rename of the pre-commit hook id and tightened workflow trigger/skip semantics will require corresponding updates here to keep tests, workflows, and docs consistent.

🔇 Additional comments (11)

.github/workflows/pr-orchestrator.yml (6)

65-86: Solid parity-proof gating for release fast-path — architecturally sound.

The merge-base identity check (PR_BASE_REV = PR_HEAD_REV && MERGE_BASE = PR_HEAD_REV) ensures skip-tests-dev-to-main only fires when commits are provably identical across branches. This eliminates the previous risk of silent skips when dev and main have diverged.

The defensive || true on git commands prevents job failures from missing refs while still preserving the "fail-closed" default (SKIP_TESTS=false). This is the right contract: skip only on proven parity, validate otherwise.

---

123-164: New workflow-lint job design is well-structured for conditional execution.

The gating logic (workflow_changed == 'true' || workflow_dispatch) correctly ensures lint runs only when needed while preserving manual override capability. The early-exit skip step with informational message maintains green-check semantics without wasted compute.

One architectural consideration: the job unconditionally checks out the repo even when skipping. Consider adding if: to the checkout step as well for marginal efficiency, though the current design is functionally correct.

---

286-286: Fail-fast propagation using PIPESTATUS is the correct pattern.

The exit "${PIPESTATUS[0]:-$?}" idiom correctly captures the exit code of the piped command (before tee) rather than the always-successful tee. Combined with the tightened if: condition requiring both code_changed and non-skip, this ensures required jobs fail visibly when tools fail.

The removal of || echo fallbacks across required jobs (compat-py311, contract-first-ci, linting, type-checking) aligns with the PR objective of making green checks trustworthy.

Also applies to: 325-328

---

419-423: CLI validation simplified appropriately.

The streamlined validation (specfact --help only) is sufficient for smoke-testing CLI entrypoint availability. More extensive validation belongs in the dedicated test suite, not in a validation job that runs on every PR.

---

88-121: Cross-repo impact: verify-module-signatures naming preserved — linked repo compatibility maintained.

The verify-module-signatures job retains its canonical name "Verify Module Signatures" (line 89), which the linked nold-ai/specfact-cli-modules repository depends on. This preserves compatibility with:

• .pre-commit-config.yaml hook id verify-module-signatures
• tests/unit/test_pre_commit_quality_parity.py assertions
• .github/workflows/pr-orchestrator.yml in the modules repo

The job semantics are unchanged — only execution conditions were tightened. This is a safe change for cross-repo consumers.

---

146-158: Go 1.24 is available — the version will not cause setup-go@v5 to fail. However, with Go 1.26.1 now stable, consider whether pinning to Go 1.24 (two major versions behind) is intentional or represents maintenance drift that could affect long-term CI stability and compatibility with actionlint.

			> Likely an incorrect or invalid review comment.

tests/unit/workflows/test_trustworthy_green_checks.py (5)

1-24: Well-structured policy test module — enforces CI configuration contracts.

This test module provides architectural guardrails that prevent CI policy drift. By parsing the actual workflow files rather than mocking, these tests catch real configuration regressions. The YAML 1.1 on coercion handling in _workflow_on_block (checking both "on" and True keys) is a nice touch for robustness.

The helper functions (_load_yaml, _load_jobs, _load_hooks) establish a clean separation between file loading and test assertions.

---

104-132: Normalized condition matching is resilient — addresses prior feedback.

The skip-condition assertions now use normalized whitespace and quote handling (lines 121-132) rather than exact string matching. This makes the test resilient to minor formatting changes in the workflow file while still validating the semantic contract: both == 'true' and != 'true' conditions must exist for the skip logic.

The raw text assertions (lines 107-108) for merge-base/rev-parse presence complement the structured parsing nicely — they catch implementation details that structured parsing might miss.

---

152-162: Cross-workflow naming consistency test — good architectural guardrail.

This test ensures the verify-module-signatures job emits the same check name ("Verify Module Signatures") across both the orchestrator and dedicated sign-modules workflows. This prevents GitHub required-check configuration drift and maintains branch protection integrity.

Per the relevant snippet from .github/workflows/sign-modules.yml:27-59, the verify job's name: field at line 28 matches exactly.

---

75-101: Required-jobs fail-closed test is comprehensive and well-designed.

The test validates both structural (continue-on-error) and behavioral (|| echo patterns) failure-masking. The explicit enumeration of required jobs (lines 77-86) serves as documentation of the contract: these jobs must fail visibly when tools fail.

This test will catch any regression where someone adds advisory fallbacks to required jobs — exactly the class of bug the PR objectives target.

---

165-172: Pre-commit hook validation ensures local/CI parity.

Testing that the smart-check wrapper has pass_filenames: false and language: script ensures the pre-commit hook invokes the same gate semantics as CI. This is critical for the PR objective of aligning local pre-commit behavior with core CI gates.

Per the relevant snippet from .pre-commit-config.yaml:4-9, the hook configuration matches exactly.