chore(pre-commit): modular hooks + branch-aware module verify

[djm81]

Summary

Align local pre-commit with specfact-cli-modules (modular hooks, fail_fast, staged gates, hatch run lint when Python is staged, Block 2 review + contract tests) while keeping CLI-only stages (Markdown, workflows, version hook).

Follow-up: Branch-aware module verification (marketplace-06 policy) via scripts/pre-commit-verify-modules.sh and scripts/git-branch-module-signature-flag.sh — skip when no staged module tree paths; --allow-unsigned off main, --require-signature on main; --payload-from-filesystem + --enforce-version-bump when run.

Commits

• chore(pre-commit): modular hooks aligned with specfact-cli-modules
• fix(pre-commit): branch-aware module verify hook (marketplace-06 policy)

Quality gates (local)

• hatch run format, hatch run type-check, hatch run lint, hatch run contract-test
• Targeted pytest: pre-commit / trustworthy green checks

Notes

• Downstream repos can keep a single hook specfact-smart-checks → pre-commit-smart-checks.sh shim (pre-commit-quality-checks.sh all).
• Block 2 code review still requires the codebase module bundle where applicable.

Made with Cursor

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Refactors pre-commit into a modular, fail-fast pipeline driven by scripts/pre-commit-quality-checks.sh (Block1/Block2), adds branch-aware module-signature verification via scripts/git-branch-module-signature-flag.sh and scripts/pre-commit-verify-modules.sh (require on main, omit elsewhere), converts the old smart-checks wrapper into a shim, and bumps version to 0.46.1.

Changes

Cohort / File(s)	Summary
Version & packaging pyproject.toml, setup.py, src/__init__.py, src/specfact_cli/__init__.py	Bumped project version to 0.46.1; updated hatch pre-commit command to call scripts/pre-commit-quality-checks.sh all.
Pre-commit config .pre-commit-config.yaml	Set fail_fast: true; replaced single specfact-smart-checks hook with ordered hooks: verify-module-signatures, check-version-sources, multiple cli-block1-* hooks (scoped by files), and cli-block2.
Quality pipeline & shim scripts/pre-commit-quality-checks.sh, scripts/pre-commit-smart-checks.sh	Added pre-commit-quality-checks.sh implementing Block1 (format/yaml/markdown/workflows/lint) and Block2 (code-review + contract tests) with subcommands and all; made pre-commit-smart-checks.sh a shim delegating to it.
Branch-aware verify scripts/git-branch-module-signature-flag.sh, scripts/pre-commit-verify-modules.sh	New flag script emits require for main, omit otherwise; verify wrapper skips when no staged module paths and runs verify-modules-signature.py with --payload-from-filesystem --enforce-version-bump, adding --require-signature only for require.
Setup helper scripts/setup-git-hooks.sh	Enhanced messaging to recommend pre-commit install and note shim fallback.
Tests tests/unit/scripts/test_pre_commit_smart_checks_docs.py, tests/unit/scripts/test_pre_commit_verify_modules.py, tests/unit/workflows/test_trustworthy_green_checks.py	Updated tests to expect modular hook layout and shim delegation; added tests for branch-flag behavior and verify-wrapper hatch invocations; workflow test validates fail_fast and new hooks configuration.
Docs & changelog CHANGELOG.md, CONTRIBUTING.md, README.md, docs/..., openspec/...	Documented modular pre-commit pipeline, Block1/Block2 behavior, branch-aware module-signature policy and CI wiring; updated install/setup guidance and release notes.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Git as Git (staged)
    participant PreCommit as .pre-commit hook
    participant Verify as pre-commit-verify-modules.sh
    participant Flag as git-branch-module-signature-flag.sh
    participant Version as check-version-sources / hatch
    participant Quality as pre-commit-quality-checks.sh
    participant Commit as Commit

    Dev->>Git: stage files
    Git->>PreCommit: trigger hooks
    PreCommit->>Verify: run verify-module-signatures
    Verify->>Flag: resolve branch policy
    alt policy == require (main)
        Verify->>Verify: exec verifier with --require-signature --enforce-version-bump --payload-from-filesystem
    else policy == omit (non-main/detached)
        Verify->>Verify: exec verifier without --require-signature (checksum-only) + --enforce-version-bump --payload-from-filesystem
    end
    PreCommit->>Version: run check-version-sources if version files staged
    PreCommit->>Quality: run Block1 gates (format/yaml/markdown/workflows/lint)
    Quality->>Quality: run Block2 (code review + contract tests) or skip if safe-change
    Quality-->>Commit: allow or block commit

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related issues

• [Change] CI-Driven Module Signing On PR Approval specfact-cli-modules#185 — Implements branch-aware module-signature policy consistent with this PR’s git-branch-module-signature-flag.sh and verify-wrapper changes.
• [Change] CI-Driven Module Signing On PR Approval #500 — Addresses branch-scoped signature enforcement and CI wiring that this PR implements.

Possibly related PRs

• release: merge dev into main (governance + hierarchy) #495 — Related pre-commit/docs governance changes touching the same areas (hooks and docs).
• docs & tooling: new user onboarding + smart-test and pre-commit review fixes #477 — Modifies pre-commit tooling and wrapper behavior overlapping with these script changes.
• fix: assert hook id stability and cd to repo root for local actionlint #473 — Adjusts tests and shim behavior similar to the test updates in this PR.

Suggested labels

QA, code-review, module-system

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 8.47% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows Conventional Commits style with 'chore:' prefix and clearly describes the main changes: modular hooks and branch-aware module verification.
Description check	✅ Passed	The PR description provides a substantive summary, specifies follow-up implementation details, lists quality gates, and notes downstream compatibility, though it omits the formal template sections like 'Type of Change' checkboxes and contract-first test evidence.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/pre-commit-modular-parity

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8c497c668b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 15-26: The changelog currently groups new hook entrypoints and
scripts under "Changed"; split these into an "Added" subsection listing the
net-new capabilities (mentioning scripts/pre-commit-quality-checks.sh,
scripts/pre-commit-smart-checks.sh shim behavior, new modular hook layout and
fail_fast parity), and keep behavioral/policy adjustments (Module verify
pre-commit policies like scripts/pre-commit-verify-modules.sh,
scripts/git-branch-module-signature-flag.sh, branch-aware signature flags,
--payload-from-filesystem and --enforce-version-bump semantics) under "Changed"
so the version bump remains auditable and consistent with release-note policy.

In `@scripts/pre-commit-quality-checks.sh`:
- Around line 46-48: The staged_files() helper currently returns all cached
names including deletions which breaks downstream tools (e.g., markdownlint
--fix and subsequent git add); update staged_files() to filter out deleted
entries by using git diff --cached --name-only --diff-filter=ACMR so only
Added/Copied/Modified/Renamed files are returned, ensuring callers like the
markdownlint invocation and git add only receive existing files.
- Around line 221-222: The script uses GNU-only xargs -r with md_files (and
similarly in other spots) which breaks on BSD/macOS; update each place using
"echo \"${md_files}\" | xargs -r ..." to first check for non-empty input or
convert to a bash array and invoke markdownlint/git directly: for example, test
[ -n "${md_files}" ] before piping to xargs or use readarray -t md_array <<<
"${md_files}" and call markdownlint --fix --config .markdownlint.json
"${md_array[@]}" and git add -- "${md_array[@]}" (apply the same pattern
wherever xargs -r is used).
- Line 14: Replace the single "set -e" with stricter shell flags ("set -euo
pipefail") and then audit and update the script's uses of unset-variable
expansions and pipeline commands: ensure intentional `${1:-all}` usages remain
safe (keep or explicitly default where needed), and add explicit guards like "||
true" or conditional checks around grep-in-pipeline patterns (e.g., any
occurrences of "grep ... || true" or pipelines like "staged_files | grep -E
...") so a failing pipeline doesn't abort unexpectedly; adjust any places that
rely on unset variables to provide safe defaults or explicit checks to satisfy
-u.
- Line 113: The loop uses unquoted expansion ("for file in ${files}; do") which
splits filenames on whitespace and corrupts counts like other_changes; replace
it with a null-delimited read loop that preserves spaces: produce a
null-delimited list (e.g., git diff --name-only -z or similar) and consume it
with while IFS= read -r -d '' file; do ... done, and ensure you always reference
"${file}" when counting or processing so other_changes increments correctly for
files with spaces.

In `@scripts/pre-commit-verify-modules.sh`:
- Around line 24-26: The script currently forwards sig_flag unconditionally to
the verifier causing an error when sig_flag is "--allow-unsigned"; update the
invocation so the flag is only passed when it equals "--require-signature".
Specifically, in scripts/pre-commit-verify-modules.sh check the value of
sig_flag (the variable set by flag_script) and only include it in the exec call
to run verify-modules-signature.py when sig_flag == "--require-signature";
otherwise call the verifier without that argument so it defaults to lenient
mode. Ensure you update the exec line that runs verify-modules-signature.py and
keep the other fixed args (--enforce-version-bump, --payload-from-filesystem)
unchanged.

In `@tests/unit/scripts/test_pre_commit_verify_modules.py`:
- Around line 58-71: The parameterized test test_git_branch_signature_flag
currently checks only named branches; add a case covering detached HEAD to
exercise the fallback path by initializing a repo via
_git_init_with_commit(repo), creating a commit, then detaching HEAD (e.g.,
subprocess.run(["git", "checkout", "--detach", "<commit>"], cwd=repo, ...)) and
assert _run_flag(cwd=repo) returns the expected fallback flag (likely
"--allow-unsigned" or the contract-specified value); update the
pytest.mark.parametrize tuple to include a ("detached", "<expected>") entry and
ensure the helper functions _git_init_with_commit and _run_flag are used to set
up and evaluate the detached scenario.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0d2ec450-d5f2-4b22-908a-d66b29e32ec3

📥 Commits

Reviewing files that changed from the base of the PR and between 6096c3c and 8c497c6.

📒 Files selected for processing (18)

• .pre-commit-config.yaml
• CHANGELOG.md
• CONTRIBUTING.md
• README.md
• docs/agent-rules/70-release-commit-and-docs.md
• docs/modules/code-review.md
• pyproject.toml
• scripts/git-branch-module-signature-flag.sh
• scripts/pre-commit-quality-checks.sh
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• scripts/setup-git-hooks.sh
• setup.py
• src/__init__.py
• src/specfact_cli/__init__.py
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py
• tests/unit/workflows/test_trustworthy_green_checks.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Type Checking (basedpyright)
• GitHub Check: Contract-First CI
• GitHub Check: Linting (ruff, pylint, safe-write guard)
• GitHub Check: Tests (Python 3.12)
• GitHub Check: Compatibility (Python 3.11)

🧰 Additional context used

📓 Path-based instructions (15)

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• setup.py
• src/specfact_cli/__init__.py
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• src/__init__.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

{src/__init__.py,pyproject.toml,setup.py}

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

{src/__init__.py,pyproject.toml,setup.py}: Update src/init.py first as primary source of truth for package version, then pyproject.toml and setup.py
Maintain version synchronization across src/init.py, pyproject.toml, and setup.py

Files:

• setup.py
• pyproject.toml
• src/__init__.py

{pyproject.toml,setup.py,src/__init__.py}

📄 CodeRabbit inference engine (.cursor/rules/testing-and-build-guide.mdc)

Manually update version numbers in pyproject.toml, setup.py, and src/init.py when making a formal version change

Files:

• setup.py
• pyproject.toml
• src/__init__.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• setup.py
• src/specfact_cli/__init__.py
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• src/__init__.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

src/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

src/**/*.py: All code changes must be followed by running the full test suite using the smart test system.
All Python files in src/ and tools/ directories must have corresponding test files in tests/ directory. If you modify src/common/logger_setup.py, you MUST have tests/unit/common/test_logger_setup.py. NO EXCEPTIONS - even small changes require tests.
All new Python runtime code files must have corresponding test files created BEFORE committing the code. NO EXCEPTIONS - no code without tests.
Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.
All components must support TEST_MODE=true environment variable with test-specific behavior defined as: if os.environ.get('TEST_MODE') == 'true': # test-specific behavior
Use src/common/logger_setup.py for all logging via: from common.logger_setup import get_logger; logger = get_logger(name)
Use src/common/redis_client.py with fallback for Redis operations via: from common.redis_client import get_redis_client; redis_client = get_redis_client()
Type checking must pass with no errors using: mypy .
Test coverage must meet or exceed 80% total coverage. New code must have corresponding tests. Modified code must maintain or improve coverage. Critical paths must have 100% coverage.
Use Pydantic v2 validation for all context and data schemas.

Add/update contracts on new or modified public APIs, stateful classes and adapters using icontract decorators and beartype runtime type checks

src/**/*.py: Meaningful Naming — identifiers reveal intent; avoid abbreviations. Identifiers in src/ must use snake_case (modules/functions), PascalCase (classes), UPPER_SNAKE_CASE (constants). Avoid single-letter names outside short loop variables.
KISS — keep functions and modules small and single-purpose. Maximum function length: 120 lines (Phase A error threshold). Maximum cyclomati...

Files:

• src/specfact_cli/__init__.py
• src/__init__.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• src/specfact_cli/__init__.py
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• src/__init__.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

src/specfact_cli/**/*.py

⚙️ CodeRabbit configuration file

src/specfact_cli/**/*.py: Focus on modular CLI architecture: lazy module loading, registry/bootstrap patterns, and
dependency direction. Flag breaking changes to public APIs, Pydantic models, and resource
bundling. Verify @icontract + @beartype on public surfaces; prefer centralized logging
(get_bridge_logger) over print().

Files:

• src/specfact_cli/__init__.py

pyproject.toml

📄 CodeRabbit inference engine (.cursorrules)

When updating the version in pyproject.toml, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Files:

• pyproject.toml

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• CHANGELOG.md

docs/**/*.md

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Files:

• docs/agent-rules/70-release-commit-and-docs.md
• docs/modules/code-review.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/agent-rules/70-release-commit-and-docs.md
• docs/modules/code-review.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• CHANGELOG.md

@(README.md|AGENTS.md)

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Check README.md and AGENTS.md for current project status and development guidelines. Review .cursor/rules/ for detailed development standards and testing procedures.

Files:

• README.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

🧠 Learnings (41)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(pyproject.toml|setup.py|src/__init__.py|src/specfact_cli/__init__.py) : Maintain synchronized versions across pyproject.toml, setup.py, src/__init__.py, and src/specfact_cli/__init__.py.

Applied to files:

• setup.py
• src/specfact_cli/__init__.py
• pyproject.toml
• src/__init__.py

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to {src/__init__.py,pyproject.toml,setup.py} : Update src/__init__.py first as primary source of truth for package version, then pyproject.toml and setup.py

Applied to files:

• src/specfact_cli/__init__.py
• pyproject.toml
• src/__init__.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to {pyproject.toml,setup.py,src/__init__.py} : Manually update version numbers in pyproject.toml, setup.py, and src/__init__.py when making a formal version change

Applied to files:

• pyproject.toml
• src/__init__.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• pyproject.toml
• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• docs/modules/code-review.md
• .pre-commit-config.yaml
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• pyproject.toml
• CONTRIBUTING.md
• tests/unit/workflows/test_trustworthy_green_checks.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to pyproject.toml : When updating the version in `pyproject.toml`, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Applied to files:

• pyproject.toml

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• pyproject.toml
• README.md
• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• .pre-commit-config.yaml

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• pyproject.toml
• README.md
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• pyproject.toml
• README.md
• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to **/*.{yml,yaml} : Validate YAML configuration files locally using `hatch run yaml-lint` before committing

Applied to files:

• pyproject.toml
• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• .pre-commit-config.yaml

📚 Learning: 2026-04-10T22:41:34.504Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-10T22:41:34.504Z
Learning: Treat the canonical rule docs in docs/agent-rules/INDEX.md as the source of truth for worktree policy, OpenSpec gating, GitHub completeness checks, TDD order, quality gates, versioning, and documentation rules

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: Treat `docs/agent-rules/` as the canonical location for repository governance rather than relying on inline reminders or other documentation

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For large frontmatter file changes in `docs/agent-rules/`, run `cd ../specfact-cli-internal && python3 scripts/wiki_rebuild_graph.py` from the sibling repo after merging

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• CONTRIBUTING.md
• docs/modules/code-review.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: The full governance rules live in docs/agent-rules/; do not treat this file as a complete standalone handbook

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• CONTRIBUTING.md
• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Read docs/agent-rules/INDEX.md before implementation

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• scripts/git-branch-module-signature-flag.sh
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• tests/unit/scripts/test_pre_commit_verify_modules.py
• CHANGELOG.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md
• README.md
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• docs/modules/code-review.md
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(README.md|AGENTS.md) : Check README.md and AGENTS.md for current project status and development guidelines. Review .cursor/rules/ for detailed development standards and testing procedures.

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: `AGENTS.md` is the **authoritative source** for development workflow and **OVERRIDES** any skill, command, or OpenSpec workflow instructions. When there is a conflict between AGENTS.md and any other source, **ALWAYS follow AGENTS.md**

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Before designing or scoping a new OpenSpec change, read the wiki paths listed in docs/agent-rules/40-openspec-and-tdd.md#internal-wiki-and-strategic-context using absolute paths to sibling internal repository files

Applied to files:

• docs/agent-rules/70-release-commit-and-docs.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• README.md
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• docs/modules/code-review.md
• .pre-commit-config.yaml
• tests/unit/workflows/test_trustworthy_green_checks.py
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• README.md
• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: After merges shipping OpenSpec- or GitHub-related work with a sibling `specfact-cli-internal` checkout present, run wiki scripts from that sibling repo's working directory (e.g., `cd ../specfact-cli-internal && python3 scripts/wiki_openspec_gh_status.py`), not from `specfact-cli` or other directories

Applied to files:

• README.md
• docs/modules/code-review.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• README.md
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Use actionlint for semantic validation of GitHub Actions workflows

Applied to files:

• README.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• README.md
• CONTRIBUTING.md
• docs/modules/code-review.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

Applied to files:

• scripts/git-branch-module-signature-flag.sh
• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• CONTRIBUTING.md
• docs/modules/code-review.md
• .pre-commit-config.yaml
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• CONTRIBUTING.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Run the required verification and quality gates for the touched scope before finalization

Applied to files:

• CONTRIBUTING.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to **/*.yaml : YAML files must pass linting using: hatch run yaml-lint with relaxed policy.

Applied to files:

• .pre-commit-config.yaml

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to {src/__init__.py,pyproject.toml,setup.py} : Maintain version synchronization across src/__init__.py, pyproject.toml, and setup.py

Applied to files:

• src/__init__.py

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/test_*.py : Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Applied to files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• scripts/pre-commit-quality-checks.sh

🪛 LanguageTool

docs/agent-rules/70-release-commit-and-docs.md

[uncategorized] ~43-~43: The official name of this software platform is spelled with a capital “H”.
Context: ...it__.pydisagree. The **Tests** job in.github/workflows/pr-orchestrator.yml` runs the...

(GITHUB)

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

specfact-cli-modules [::nold-ai/specfact-cli-modules::]

• .pre-commit-config.yaml references the modular entries and the new script entrypoints:

  • .pre-commit-config.yaml: lines with entries:
    • entry: ./scripts/pre-commit-quality-checks.sh block1-format
    • entry: ./scripts/pre-commit-quality-checks.sh block1-yaml
    • entry: ./scripts/pre-commit-quality-checks.sh block1-bundle
    • entry: ./scripts/pre-commit-quality-checks.sh block1-lint
    • entry: ./scripts/pre-commit-quality-checks.sh block2
      [::nold-ai/specfact-cli-modules::]

• The repository contains scripts and docs that match the new modular pre-commit layout and will consume the changed hooks:

  • scripts/pre-commit-quality-checks.sh (exists and referenced) — script guard and subcommand behavior referenced in repo docs/tests. [::nold-ai/specfact-cli-modules::]
  • docs/agent-rules/50-quality-gates-and-review.md documents Block 1/Block 2 behavior and staged path lists that align with the PR’s Block 2 path filtering. [::nold-ai/specfact-cli-modules::]
  • README.md documents the code review gate and Block 2 invocation that mirror the PR changes. [::nold-ai/specfact-cli-modules::]

• Tests and tooling in this repo expect the modular script and config:

  • tests/unit/test_pre_commit_quality_parity.py loads .pre-commit-config.yaml and references scripts/pre-commit-quality-checks.sh. [::nold-ai/specfact-cli-modules::]
  • tools/contract_first_smart_test.py mentions the shell guard in pre-commit-quality-checks.sh and contract-test triggering logic. [::nold-ai/specfact-cli-modules::]

• Specification / openspec artifacts assert parity with the modular pre-commit layout and signature/version checks:

  • openspec/specs/modules-pre-commit-quality-parity/spec.md and related TDD_EVIDENCE describe required behavior (signature verification, formatter safety, staged gating). [::nold-ai/specfact-cli-modules::]

Conclusion: specfact-cli-modules already references and expects the modular pre-commit script and Block 1/Block 2 behavior introduced by the PR; its docs, tests, and openspec artifacts are consumers/validators of the new hook layout and will be affected if the entrypoints or arguments (e.g., require-signature / payload flags, hook ids, or pass_filenames behavior) change.

🔇 Additional comments (28)

src/specfact_cli/__init__.py (1)

48-48: Version synchronization confirmed across all canonical locations.

The 0.46.1 bump is correctly aligned with src/__init__.py, pyproject.toml, and setup.py. The bootstrap logic for sibling specfact-cli-modules bundle paths remains intact, ensuring local development can load marketplace packages without installed wheels.

src/__init__.py (1)

5-6: Primary version source of truth correctly updated.

The explicit sync comment is helpful documentation. Version 0.46.1 matches pyproject.toml, setup.py, and src/specfact_cli/__init__.py as required by the repository's versioning policy.

setup.py (1)

10-10: Version synchronized with package configuration.

The 0.46.1 version in setup.py matches the primary source (src/__init__.py) and the other version declarations. Dependency list remains unchanged—no supply chain concerns introduced.

scripts/setup-git-hooks.sh (1)

48-50: Clear guidance on the two-tier hook architecture.

The updated messaging correctly steers developers toward the modular .pre-commit-config.yaml layout while explaining the fallback behavior. This matches the PR's architectural intent: the copied shim (pre-commit-smart-checks.sh) delegates to pre-commit-quality-checks.sh all, preserving backward compatibility for environments where pre-commit install isn't feasible.

pyproject.toml (2)

288-288: Pre-commit entry point aligned with modular pipeline.

The pre-commit-checks script now delegates to scripts/pre-commit-quality-checks.sh all, matching the architecture established by the shim (pre-commit-smart-checks.sh) and the linked specfact-cli-modules repository. This ensures hatch run pre-commit-checks exercises the same pipeline as both the modular hook layout and the backward-compatible shim.

---

7-7: Version 0.46.1 correctly synchronized across all four locations and ready for publication.

Verified: version = "0.46.1" is synchronized in pyproject.toml, setup.py, src/init.py, and src/specfact_cli/init.py. Version increment (0.46.0 → 0.46.1) exceeds the latest PyPI publication, so CI/CD will publish successfully.

docs/agent-rules/70-release-commit-and-docs.md (1)

38-43: Hook reference updated to match modular pre-commit layout.

The versioning section now correctly references the check-version-sources hook in .pre-commit-config.yaml instead of the legacy scripts/pre-commit-smart-checks.sh. This aligns with the PR's architectural shift to modular hooks.

The header hierarchy change from # to ## appears intentional for Jekyll page composition. The static analysis hint about "GitHub" capitalization is a false positive—.github/workflows/pr-orchestrator.yml is a filesystem path, not a brand reference.

README.md (3)

30-30: Version in sample output updated to match release.

The v0.46.1 version in the sample output aligns with the package version bump. The capture metadata note (line 60) references the reproducibility path for this output.

---

83-98: Pre-commit documentation accurately reflects the modular architecture.

The two-tier approach is clearly documented:

1. Modular layout (preferred): Copy .pre-commit-config.yaml + pre-commit install — enables fail_fast, staged gates, and granular Block 1/Block 2 hooks
2. Single-hook fallback: The stable specfact-smart-checks id delegates via shim to scripts/pre-commit-quality-checks.sh all

This aligns with specfact-cli-modules parity expectations and maintains backward compatibility for downstream repos pinned to earlier revisions.

---

100-105: GitHub Actions section structure preserved.

The workflow snippet remains unchanged and correctly demonstrates the minimal govern enforce stage gate. The heading format change (### GitHub Actions) maintains consistency with the new ### Pre-commit section.

scripts/pre-commit-smart-checks.sh (1)

1-5: Backward-compatible delegation shim maintains stable hook contract.

The architecture is sound: exec replaces the shell process with pre-commit-quality-checks.sh all "$@", avoiding subshell overhead while preserving arguments. The dirname "$0" idiom ensures correct path resolution regardless of working directory.

This maintains the stable specfact-smart-checks hook id for downstream repos (as documented in specfact-cli-modules parity specs) while routing all execution through the new modular pipeline. The target script exists, is executable, and supports the all subcommand, ensuring the delegation will succeed at runtime.

scripts/git-branch-module-signature-flag.sh (1)

6-15: Branch-aware signature flag logic looks correct.

This is clean and deterministic for both normal branches and detached-head fallback behavior.

docs/modules/code-review.md (1)

105-116: Pre-commit gate documentation is aligned with the modular pipeline.

The Block 2 invocation, staged scope, and shim guidance match the current hook/script layout.

As per coding guidelines, this correctly updates configuration guidance in docs/**/*.md for architecture/config changes.

CONTRIBUTING.md (1)

81-97: Pre-commit contributor guidance now matches the modular gate flow.

The updated sequence and manual invocation guidance are consistent with the current hook architecture.

Also applies to: 114-116

.pre-commit-config.yaml (1)

1-71: Modular, fail-fast pre-commit layout is well-structured.

The hook ordering and staged scoping cleanly enforce Block 1 before Block 2 and preserve the intended gate semantics.

tests/unit/workflows/test_trustworthy_green_checks.py (1)

168-202: Strong policy regression coverage for the new pre-commit topology.

This test pins the critical hook IDs and execution model, which reduces config drift risk.

tests/unit/scripts/test_pre_commit_smart_checks_docs.py (1)

6-52: Test updates correctly track the new quality-checks entrypoint and shim contract.

The ordering checks and all "$@" delegation assertion are useful compatibility guards.

tests/unit/scripts/test_pre_commit_verify_modules.py (1)

16-35: Good baseline coverage for wrapper wiring and required verifier flags.

This effectively protects the wrapper contract from accidental argument drift.

scripts/pre-commit-quality-checks.sh (10)

84-101: LGTM — solid safety guard for partial-fix prevention.

This correctly detects when a staged Markdown file has unstaged hunks, preventing the auto-fixer from modifying content that wasn't intended for the commit. The heredoc pattern handles filenames with spaces correctly.

---

131-157: Version synchronization check is well-integrated.

The conditional logic correctly triggers hatch run check-version-sources only when version-declaring files are staged. This aligns with the learnings about enforcing version bumps. The same word-splitting concern from Line 113 applies at Line 137, but I've already flagged that pattern above.

---

159-173: Clean delegation to branch-aware module verification.

This correctly delegates to pre-commit-verify-modules.sh, which implements the marketplace-06 policy (signature enforcement on main, unsigned allowed elsewhere). The wrapper handles staged-path gating internally, keeping this function simple. Based on learnings, this enforces module signatures when signed module assets are affected.

---

175-191: LGTM — robust formatter safety gate.

Capturing binary diffs before and after hatch run format ensures any working-tree mutation is detected, preventing commits with unstaged formatter changes. This aligns with the contract-first quality gate expectations.

---

297-317: Path-scoped code review gate aligns with cross-repo contracts.

The scoping to src/, scripts/, tools/, tests/, and openspec/changes/ matches the documented behavior in specfact-cli-modules and provides appropriate granularity for the review gate. The array handling correctly preserves paths with spaces.

---

319-334: Contract-first testing flow correctly implemented.

The two-phase approach (status check → conditional run) optimizes the pre-commit experience while maintaining contract guarantees. Based on learnings, this ensures contract tests run before PRs when relevant inputs change.

---

367-381: Block 2 handler has proper gating and pre-flight checks.

The safe-change early exit provides good developer UX for doc-only commits, and the file existence check prevents cryptic errors if the repo is in an incomplete state.

---

383-406: Full pipeline ordering places module verification early — intentional for all mode.

Running module signature verification before formatting (Line 386) ensures signature issues are caught first when running manually or in CI. This differs from the hook-by-hook order in .pre-commit-config.yaml but is appropriate for the all subcommand's use case.

The Block 1 → Block 2 separation with safe-change gating is well-structured.

---

419-454: LGTM — clean dispatch with sensible defaults.

Defaulting to all maintains backward compatibility with the shim wrapper and provides a reasonable behavior for direct invocation. The case statement is exhaustive and maintainable.

---

7-12: Cross-repo contract divergence is well-documented.

The header clearly explains that specfact-cli lacks the packages/ tree (hence no block1-bundle), and CLI-specific stages (Markdown fix/lint, workflow checks) are additions. This maintains architectural parity with specfact-cli-modules while accommodating repo-specific needs. The linked repository's tests and specs should remain valid since they reference the core entrypoints.

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 26-34: The changelog bullets under the “Module verify
(pre-commit)” and “scripts/pre-commit-quality-checks.sh” entries exceed the
120-char markdown limit; reflow/wrap those long lines in CHANGELOG.md so each
markdown line is <=120 chars while preserving the same wording and list
structure, splitting sentences between logical boundaries and keeping referenced
symbols intact (e.g., verify-modules-signature.py,
scripts/pre-commit-verify-modules.sh,
scripts/git-branch-module-signature-flag.sh,
scripts/pre-commit-quality-checks.sh, and the flags like --require-signature,
--payload-from-filesystem, --enforce-version-bump).

In `@scripts/pre-commit-quality-checks.sh`:
- Around line 345-360: In run_contract_tests_visible, add an inline comment
above the `hatch run contract-test-status >/dev/null 2>&1` invocation explaining
that stderr and stdout are intentionally discarded so transient status-check
errors (e.g., missing deps) don't surface to the user and instead fall back to
running the full `hatch run contract-test`; keep the existing redirection
behavior but document the intent and trade-off in the comment so future
maintainers understand why errors are suppressed.
- Around line 402-405: Extract the duplicate file-existence check for
"tools/contract_first_smart_test.py" into a single helper (e.g.,
check_contract_script_exists) and call it from both run_block2 and run_all to
remove the duplicated if-block. The helper should perform the [ -f ] test and
call error with the existing message ("❌ Contract-first test script not found.
Please run: hatch run contract-test-full") and exit 1 on failure; update
run_block2 and run_all to invoke check_contract_script_exists instead of
repeating the if statement.

In `@scripts/pre-commit-verify-modules.sh`:
- Around line 24-30: The script currently treats any non-"require" sig_policy as
checksum-only, which can weaken enforcement; update the logic around sig_policy
(the variable set from bash "${flag_script}") to explicitly accept only
"require" and "omit" (or the documented valid values), using an if/elif (or
case) that runs hatch ./scripts/verify-modules-signature.py with
--require-signature for "require" and with checksum-only flags for "omit", and
add an else branch that prints a clear error mentioning sig_policy and
flag_script and exits non-zero to fail closed on unexpected outputs; ensure the
calls referencing verify-modules-signature.py and the existing flags
(--enforce-version-bump, --payload-from-filesystem) remain unchanged for the
accepted branches.

In `@tests/unit/scripts/test_pre_commit_smart_checks_docs.py`:
- Around line 20-23: The current test compares global string indices which can
be correct even if the runtime order inside the orchestrator differs; extract
the text of the orchestrating function (e.g., locate the "run_all()" block) and
search within that substring for "run_markdown_autofix_if_needed" and
"run_markdown_lint_if_needed" (use the existing variable names idx_fix and
idx_lint) and then assert 0 <= idx_fix < idx_lint to ensure the autofix step is
defined before lint in the execution block rather than elsewhere in the file.

In `@tests/unit/scripts/test_pre_commit_verify_modules.py`:
- Around line 27-37: The test helper _run_flag uses subprocess.run to execute
FLAG_SCRIPT with a 30s timeout; reduce the timeout to a shorter value (e.g.,
5–10 seconds) in the subprocess.run call to get faster test feedback and fail
faster on hangs—update the timeout argument passed to subprocess.run in
_run_flag accordingly, leaving the rest of the invocation (["bash",
str(FLAG_SCRIPT)], cwd=cwd, capture_output=True, text=True, check=False)
unchanged.
- Around line 16-25: The test
test_verify_wrapper_invokes_branch_flag_and_payload_from_filesystem uses brittle
literal string asserts against VERIFY_WRAPPER content; replace these fragile
checks by moving the expected tokens (e.g.,
"git-branch-module-signature-flag.sh", "--payload-from-filesystem",
"--enforce-version-bump", "verify-modules-signature.py", 'sig_policy=$(bash
"${flag_script}")', '[[ "${sig_policy}" == "require" ]]', "--require-signature")
into module-level constants and assert against those constants, or better, run
the wrapper in a controlled subprocess/mock environment to verify it invokes the
flag script and passes the required flags (checking stdout/exit code or mocking
the flag script) rather than asserting raw source substrings; update
test_verify_wrapper_invokes_branch_flag_and_payload_from_filesystem to use the
chosen approach and replace the direct string literals with references to the
constants or runtime behavior checks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 14cf7d49-5425-4fe7-b63d-1dbf2008c76e

📥 Commits

Reviewing files that changed from the base of the PR and between 8c497c6 and 8dba304.

📒 Files selected for processing (16)

• CHANGELOG.md
• CONTRIBUTING.md
• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/module-signing-and-key-rotation.md
• docs/guides/publishing-modules.md
• docs/reference/module-security.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• scripts/git-branch-module-signature-flag.sh
• scripts/pre-commit-quality-checks.sh
• scripts/pre-commit-smart-checks.sh
• scripts/pre-commit-verify-modules.sh
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (12)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md
• CHANGELOG.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

docs/**/*.md

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Files:

• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md

---

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing accuracy: CLI examples match current behavior; preserve Jekyll front matter;
call out when README/docs index need sync.

Files:

• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md
• CHANGELOG.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

openspec/changes/**/*.md

📄 CodeRabbit inference engine (.cursorrules)

For /opsx:archive (Archive change): Include module signing and cleanup in final tasks. Agents MUST run openspec archive <change-id> from repo root (no manual mv under openspec/changes/archive/)

Files:

• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

openspec/**/{proposal.md,tasks.md,design.md,spec.md}

📄 CodeRabbit inference engine (.cursor/rules/automatic-openspec-workflow.mdc)

openspec/**/{proposal.md,tasks.md,design.md,spec.md}: Apply openspec/config.yaml project context and per-artifact rules (for proposal, specs, design, tasks) when creating or updating any OpenSpec change artifact in the specfact-cli codebase
After implementation, validate the change with openspec validate <change-id> --strict; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Files:

• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Treat as specification source of truth: proposal/tasks/spec deltas vs. code behavior,
CHANGE_ORDER consistency, and scenario coverage. Surface drift between OpenSpec and
implementation.

Files:

• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

🧠 Learnings (42)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• scripts/git-branch-module-signature-flag.sh
• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• scripts/pre-commit-quality-checks.sh
• CHANGELOG.md
• tests/unit/scripts/test_pre_commit_verify_modules.py
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

Applied to files:

• scripts/git-branch-module-signature-flag.sh
• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• scripts/pre-commit-verify-modules.sh
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• scripts/pre-commit-smart-checks.sh
• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• docs/guides/module-signing-and-key-rotation.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• scripts/pre-commit-smart-checks.sh
• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• scripts/pre-commit-verify-modules.sh
• docs/guides/module-signing-and-key-rotation.md
• scripts/pre-commit-quality-checks.sh
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to **/*.{yml,yaml} : Validate YAML configuration files locally using `hatch run yaml-lint` before committing

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• scripts/pre-commit-smart-checks.sh
• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• scripts/pre-commit-smart-checks.sh
• docs/agent-rules/50-quality-gates-and-review.md
• CONTRIBUTING.md
• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• scripts/pre-commit-smart-checks.sh
• CONTRIBUTING.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md
• docs/guides/publishing-modules.md
• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• openspec/changes/marketplace-06-ci-module-signing/proposal.md
• scripts/pre-commit-verify-modules.sh
• docs/guides/module-signing-and-key-rotation.md
• docs/reference/module-security.md
• CHANGELOG.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:41:34.504Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-10T22:41:34.504Z
Learning: Treat the canonical rule docs in docs/agent-rules/INDEX.md as the source of truth for worktree policy, OpenSpec gating, GitHub completeness checks, TDD order, quality gates, versioning, and documentation rules

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Read docs/agent-rules/05-non-negotiable-checklist.md before implementation

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to @(README.md|AGENTS.md) : Check README.md and AGENTS.md for current project status and development guidelines. Review .cursor/rules/ for detailed development standards and testing procedures.

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: The full governance rules live in docs/agent-rules/; do not treat this file as a complete standalone handbook

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: Treat `docs/agent-rules/` as the canonical location for repository governance rather than relying on inline reminders or other documentation

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Read docs/agent-rules/INDEX.md before implementation

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Read AGENTS.md file as the mandatory bootstrap governance surface for coding agents working in this repository

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to openspec/**/{proposal.md,tasks.md,design.md,spec.md} : After implementation, validate the change with `openspec validate <change-id> --strict`; fix validation errors in proposal, specs, design, or tasks and re-validate until passing before considering the change complete

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Run the required verification and quality gates for the touched scope before finalization

Applied to files:

• docs/agent-rules/50-quality-gates-and-review.md
• CONTRIBUTING.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to pyproject.toml : When updating the version in `pyproject.toml`, ensure it's newer than the latest PyPI version. The CI/CD pipeline will automatically publish to PyPI only if the new version is greater than the published version

Applied to files:

• docs/guides/publishing-modules.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• docs/reference/module-security.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/design.md
• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• CONTRIBUTING.md
• scripts/pre-commit-verify-modules.sh
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: For OpenSpec changes when a sibling `specfact-cli-internal/` checkout exists, read internal wiki guidance in `docs/agent-rules/40-openspec-and-tdd.md` and consult `wiki/hot.md`, `wiki/graph.md`, and relevant `wiki/concepts/*.md` files

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/tasks.md
• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Perform `spec -> tests -> failing evidence -> code -> passing evidence` in that order for behavior changes

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/tasks.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CONTRIBUTING.md
• CHANGELOG.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• CONTRIBUTING.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Ensure proper escaping of special characters in markdown files

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: When implementation is complete and merged, run `openspec archive <change-id>` from the repository root to merge delta specs into openspec/specs/ and move the change under openspec/changes/archive/; do not manually move folders or use --skip-specs or --no-validate without explicit user confirmation

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Create feature, bugfix, or hotfix branches for changes; do not commit directly to dev or main branches

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: All commits must be made via Pull Requests to dev or main branches; no direct commits allowed

Applied to files:

• openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md

🪛 LanguageTool

openspec/changes/marketplace-06-ci-module-signing/tasks.md

[uncategorized] ~36-~36: The official name of this software platform is spelled with a capital “H”.
Context: ...t verify by target branch - [ ] 4.1 In .github/workflows/pr-orchestrator.yml, in the ...

(GITHUB)

---

[uncategorized] ~37-~37: The official name of this software platform is spelled with a capital “H”.
Context: ... add branch-target detection: extract github.event.pull_request.base.ref (for PR ev...

(GITHUB)

---

[uncategorized] ~37-~37: The official name of this software platform is spelled with a capital “H”.
Context: ...l_request.base.ref(for PR events) and github.ref` (for push events). - [ ] 4.2 For e...

(GITHUB)

🪛 Shellcheck (0.11.0)

scripts/pre-commit-smart-checks.sh

[warning] 13-13: Remove space after = if trying to assign a value (for empty string, use var='' ... ).

(SC1007)

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

specfact-cli-modules [::nold-ai/specfact-cli-modules::]

• .pre-commit-config.yaml — defines modular hooks that call the new script entrypoints and require signatures on main:

  • fail_fast: true (top-level)
  • Hook id verify-module-signatures: entry includes "hatch run ./scripts/verify-modules-signature.py --require-signature --payload-from-filesystem --enforce-version-bump" [::nold-ai/specfact-cli-modules::]. (See .pre-commit-config.yaml top block)

• scripts/ — contains verifier and quality scripts referenced by the PR:

  • scripts/pre-commit-quality-checks.sh — present and referenced by multiple hooks and docs; implements block1/block2/all subcommands expected by the PR [::nold-ai/specfact-cli-modules::].
  • scripts/verify-modules-signature.py — existing verifier used by hooks and docs; many docs/tests reference running it with --require-signature / --payload-from-filesystem / --enforce-version-bump [::nold-ai/specfact-cli-modules::].
  • scripts/pre_commit_code_review.py — used by Block 2 per README/docs [::nold-ai/specfact-cli-modules::].

• Tests and tooling that consume the changed hooks:

  • tests/unit/test_pre_commit_quality_parity.py — expects scripts/pre-commit-quality-checks.sh to exist and be used by pre-commit config [::nold-ai/specfact-cli-modules::].
  • tests/unit/tools/test_contract_first_smart_test.py and tests/unit/test_verify_modules_signature_script.py — reference verify-modules-signature.py and verify wrapper behavior; test expectations around payload/signature flags are present [::nold-ai/specfact-cli-modules::].

• Documentation consumers:

  • README.md and docs/agent-rules/50-quality-gates-and-review.md — document Block 1/Block 2 behavior and explicitly reference pre-commit-quality-checks.sh block2 and staged path lists forwarded to pre_commit_code_review.py [::nold-ai/specfact-cli-modules::].
  • docs/reference/module-security.md and multiple authoring docs — instruct running verify-modules-signature.py with --require-signature and related flags; these will need to align with branch-aware wrapper semantics introduced by the PR [::nold-ai/specfact-cli-modules::].

Summary: specfact-cli-modules already expects and consumes the modular pre-commit layout and the verify-modules-signature tooling. The PR’s changes (new pre-commit-quality-checks.sh entrypoints, branch-aware verify wrapper and git-branch-module-signature-flag behavior) align with this repo’s scripts, tests, and docs — but any change to hook IDs, required flags, or entry arguments (e.g., whether pre-commit invokes --require-signature on non-main) would affect its tests/docs and invoked verifier calls. [::nold-ai/specfact-cli-modules::]

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

CHANGELOG.md (1)

30-33: ⚠️ Potential issue | 🟡 Minor

Wrap remaining long bullet lines to satisfy markdown lint.

A few lines in this block still appear to exceed the 120-char markdown limit; please reflow these lines to avoid docs lint failures.

As per coding guidelines, “Keep line length under 120 characters in markdown files”.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG.md` around lines 30 - 33, The markdown block that documents
`scripts/pre-commit-quality-checks.sh` contains bullet lines that exceed the
120-character limit; reflow those long lines so each line is <=120 characters
(wrap at logical boundaries like commas or after flags such as
`--payload-from-filesystem` and `--enforce-version-bump`), preserving the bullet
structure and punctuation, and ensure the sentence fragments remain readable and
grammatically correct to satisfy the markdown linter.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/pre-commit-quality-checks.sh`:
- Around line 137-141: The case branch that matches files for Block 2 wrongly
exempts the new pre-commit wrapper scripts: locate the case "${file}" in ...
pattern and remove the token group
"scripts/pre-commit-quality-checks.sh|scripts/pre-commit-smart-checks.sh|scripts/pre-commit-verify-modules.sh|scripts/git-branch-module-signature-flag.sh)"
so those scripts are no longer treated as safe/ignored and will fall through
into the normal Block 2 checks; ensure the remaining file exemptions stay
unchanged.

In `@scripts/pre-commit-verify-modules.sh`:
- Around line 13-17: The git staged-files discovery masks failures by appending
"|| true" to the git diff command that sets staged_files; remove the "|| true"
fallback and instead detect errors from the git command (the git diff --cached
--name-only --diff-filter=ACMR invocation used to populate staged_files) and if
it fails, print a clear error (e.g., "Error discovering staged files") and exit
non-zero so the subsequent grep check on staged_files does not silently skip
verification; ensure the script still proceeds to the existing grep -qE
'^(src/specfact_cli/modules|modules)/' check only when staged_files was
populated successfully.

In `@tests/unit/scripts/test_pre_commit_verify_modules.py`:
- Around line 67-107: Add a new unit test that covers the "no-module-tree fast
path": create a repo using the existing helper _repo_with_verify_scripts but do
NOT stage modules (don’t run git add on modules/pkg.yaml or add a flag to
_repo_with_verify_scripts to skip staging), then invoke the wrapper script the
same way other tests do and assert it exits successfully and that the fake hatch
log (log_path created by _write_fake_hatch) contains no invocation of the verify
script (no "verify-modules-signature.py" / no hatch run entry). Reference
_repo_with_verify_scripts, _write_fake_hatch and the hatch log assertion used in
the other tests so the new test follows the same invocation/inspection pattern
as the existing tests.

---

Duplicate comments:
In `@CHANGELOG.md`:
- Around line 30-33: The markdown block that documents
`scripts/pre-commit-quality-checks.sh` contains bullet lines that exceed the
120-character limit; reflow those long lines so each line is <=120 characters
(wrap at logical boundaries like commas or after flags such as
`--payload-from-filesystem` and `--enforce-version-bump`), preserving the bullet
structure and punctuation, and ensure the sentence fragments remain readable and
grammatically correct to satisfy the markdown linter.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 80bc08a0-7c79-4f27-bf90-be172bfe18ea

📥 Commits

Reviewing files that changed from the base of the PR and between 8dba304 and 1eee45d.

📒 Files selected for processing (5)

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• scripts/pre-commit-verify-modules.sh
• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Tests (Python 3.12)
• GitHub Check: Contract-First CI
• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Type Checking (basedpyright)

🧰 Additional context used

📓 Path-based instructions (8)

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• CHANGELOG.md

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• CHANGELOG.md

🧠 Learnings (30)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

Applied to files:

• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• tests/unit/scripts/test_pre_commit_smart_checks_docs.py
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Ensure proper escaping of special characters in markdown files

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Record the contract or property that supersedes a removed test in the PR description

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Extract common patterns to avoid code duplication (DRY principle)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/test_*.py : Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Applied to files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit-config.yaml defines modular hooks that call the new scripts:

  • verify-module-signatures entry invokes verify-modules-signature.py with --require-signature --payload-from-filesystem --enforce-version-bump [::nold-ai/specfact-cli-modules::].
  • Block 1/Block 2 hooks call ./scripts/pre-commit-quality-checks.sh with subcommands (block1-format, block1-yaml, block1-bundle, block1-lint, block2) [::nold-ai/specfact-cli-modules::].
  • Top-level fail_fast: true present [::nold-ai/specfact-cli-modules::].

• scripts/pre-commit-quality-checks.sh exists and implements the block1/block2/all pipeline:

  • Implements staged-file detection, format safety check (hatch run format), YAML lint, bundle import checks, and lint when Python staged [::nold-ai/specfact-cli-modules::].
  • Block 2 collects staged paths under packages/, registry/, scripts/, tools/, tests/, openspec/changes/ and runs pre_commit_code_review.py and contract-test/status as described in the PR summary [::nold-ai/specfact-cli-modules::].
  • check_safe_change logic and staged path filtering present (skips Block 2 for docs-only/allowlisted changes) [::nold-ai/specfact-cli-modules::].

• verify-modules-signature.py is referenced widely across docs and CI:

  • README, multiple docs (docs/agent-rules, docs/authoring/module-signing.md), and .github/pr-orchestrator.yml all reference running verify-modules-signature.py with --require-signature --payload-from-filesystem --enforce-version-bump [::nold-ai/specfact-cli-modules::].
  • pyproject.toml contains a hatch script entry for verify-modules-signature [::nold-ai/specfact-cli-modules::].

• Tests and tooling reference the new scripts:

  • tests/unit/test_pre_commit_quality_parity.py expects scripts/pre-commit-quality-checks.sh to exist and be used by pre-commit config [::nold-ai/specfact-cli-modules::].
  • Other unit tests and TDD docs reference verify-modules-signature and contract-first test expectations [::nold-ai/specfact-cli-modules::].

Notes on missing files in this repo run

• The shell run could not read scripts/pre-commit-verify-modules.sh, scripts/git-branch-module-signature-flag.sh, or scripts/pre-commit-smart-checks.sh (sed reported they were not present). However, the repo does contain verify-modules-signature.py and pre-commit-quality-checks.sh and the pre-commit config already wired to the modular hooks above [::nold-ai/specfact-cli-modules::].

Conclusion

• specfact-cli-modules already expects and exercises the modular pre-commit layout and the verify-modules-signature tooling. The PR’s changes (new pre-commit-quality-checks.sh entrypoints and branch-aware verify wrapper) align with artifacts in this repo and will affect CI/docs/tests that validate invocation flags and hook wiring (notably presence or omission of --require-signature depending on branch). Existing docs/tests in this repo reference strict --require-signature usage in CI/README; the PR’s branch-aware wrapper needs to preserve those invocations on main while omitting on non-main as intended.

🔇 Additional comments (3)

scripts/pre-commit-verify-modules.sh (1)

27-39: Policy case-split is well hardened.

Explicit require|omit handling with a non-zero fallback for unknown output is the right trust-boundary behavior for long-term cross-repo policy parity.

CHANGELOG.md (1)

15-42: Release-note structure now matches auditability requirements.

Nice improvement: net-new capabilities are separated into Added and behavior/policy shifts are in Changed, which keeps the 0.46.1 entry traceable for downstream module repos and pre-commit parity checks.

Based on learnings, “Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements” and “Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change”.

tests/unit/scripts/test_pre_commit_smart_checks_docs.py (1)

16-27: Good hardening of the orchestration-order checks.

Scoping these assertions to run_all() and run_block2() removes the old false positives from global string ordering and makes the tests match the runtime contract much more closely.

Also applies to: 41-59

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

CHANGELOG.md (1)

20-20: ⚠️ Potential issue | 🟡 Minor

Reflow overlong lines to satisfy markdown lint (<=120).

A few modified bullets still exceed the line-length rule; wrap at natural phrase boundaries.

As per coding guidelines, "Keep line length under 120 characters in markdown files."

Also applies to: 28-28, 33-34, 40-40

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG.md` at line 20, Several bullet lines in CHANGELOG.md (including the
line mentioning `scripts/pre-commit-smart-checks.sh` and the bullets around
lines 28, 33-34, and 40) exceed the markdown max line length; reflow those long
bullets so no line is longer than 120 characters by wrapping at natural phrase
boundaries (after commas or between logical phrases) and preserving words and
Markdown punctuation, ensuring each wrapped line remains a valid list item and
keeps the original meaning and emphasis.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 40-43: The changelog bullet describing "Pre-commit follow-ups" is
fix-oriented and should be moved from the "Changed" section into a new or
existing "### Fixed" subsection under the 0.46.1 entry; locate the bullet
referencing pre-commit-verify-modules.sh, pre-commit-quality-checks.sh, the
suppressed contract-test-status output, and the contract-first script existence
check, and relocate that entire bullet text into "### Fixed" (or create that
subsection if missing) so the fix-related behavior (fail closed, git diff
--cached handling, script test changes) is correctly classified.

In `@scripts/pre-commit-quality-checks.sh`:
- Around line 200-216: The run_format_safety function currently masks git diff
failures by using "git diff --binary -- . || true" for before_unstaged and
after_unstaged; change this so git diff errors are detected and cause the hook
to fail instead of producing empty strings—remove the "|| true" (or explicitly
check the exit code) when capturing before_unstaged and after_unstaged, and if
git diff returns a non-zero status, call error with a clear message and exit 1;
keep the existing comparison of before_unstaged and after_unstaged and the hatch
run format logic unchanged.

In `@tests/unit/scripts/test_pre_commit_verify_modules.py`:
- Around line 123-198: Add a new unit test that verifies the wrapper propagates
a failing `git diff --cached` (instead of swallowing it): use
_repo_with_verify_scripts(tmp_path) to build the repo, create a fake git
executable in tmp_path/"bin" that inspects its argv and returns non-zero only
when invoked as `git diff --cached` (otherwise delegates to the real git), make
it executable, run the wrapper (bash scripts/pre-commit-verify-modules.sh) with
env PATH pointing to tmp_path/"bin", and assert the process exit is non-zero and
that TOKEN_VERIFY_SCRIPT is not present in the log (ensuring hatch was not
invoked); follow the pattern from existing tests (env construction,
subprocess.run params) and name the test e.g.
test_verify_wrapper_propagates_git_diff_cached_failure.
- Around line 103-114: When stage_module_paths is False the test currently
creates and commits README.md which leaves the index empty and doesn't verify
the fast-path behavior for a staged non-module file; change the branch in
tests/unit/scripts/test_pre_commit_verify_modules.py so that instead of
committing README.md you create a non-module file (e.g., "docs/notes.txt" or
"non_module.txt"), write content to it, and run git add on that file only (no
commit) so the index contains a staged non-module path; update the logic around
the existing subprocess.run(["git", "add", "README.md"]) / git commit calls to
add but not commit the non-module file to prove the wrapper skips when a
non-module path is staged.

---

Duplicate comments:
In `@CHANGELOG.md`:
- Line 20: Several bullet lines in CHANGELOG.md (including the line mentioning
`scripts/pre-commit-smart-checks.sh` and the bullets around lines 28, 33-34, and
40) exceed the markdown max line length; reflow those long bullets so no line is
longer than 120 characters by wrapping at natural phrase boundaries (after
commas or between logical phrases) and preserving words and Markdown
punctuation, ensuring each wrapped line remains a valid list item and keeps the
original meaning and emphasis.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b9ce4376-1538-415b-9bd8-1961be1ae465

📥 Commits

Reviewing files that changed from the base of the PR and between 1eee45d and 31a6e95.

📒 Files selected for processing (4)

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• scripts/pre-commit-verify-modules.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Linting (ruff, pylint, safe-write guard)
• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (8)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• CHANGELOG.md

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• CHANGELOG.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

🧠 Learnings (35)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

Applied to files:

• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Before implementing code changes, run `openspec validate <change-id> --strict` to validate the OpenSpec change and optionally run `/wf-validate-change <change-id>` for breaking-change and dependency analysis; do not proceed to implementation until validation passes or user explicitly overrides

Applied to files:

• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• scripts/pre-commit-verify-modules.sh
• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• scripts/pre-commit-verify-modules.sh
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• scripts/pre-commit-verify-modules.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to docs/**/*.md : Update architecture documentation in docs/ for architecture changes, state machine documentation for FSM modifications, interface documentation for API changes, and configuration guides for configuration changes. DO NOT create internal docs in specfact-cli repo folder that should not be visible to end users; use the respective internal repository instead.

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:42:04.362Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/session_startup_instructions.mdc:0-0
Timestamp: 2026-04-10T22:42:04.362Z
Learning: After merges shipping OpenSpec- or GitHub-related work with a sibling `specfact-cli-internal` checkout present, run wiki scripts from that sibling repo's working directory (e.g., `cd ../specfact-cli-internal && python3 scripts/wiki_openspec_gh_status.py`), not from `specfact-cli` or other directories

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Ensure proper escaping of special characters in markdown files

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Record the contract or property that supersedes a removed test in the PR description

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Extract common patterns to avoid code duplication (DRY principle)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:34.504Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-10T22:41:34.504Z
Learning: Treat clean-code regressions as blocking until they are fixed or explicitly justified

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Fix SpecFact code review findings, including warnings, unless a rare explicit exception is documented

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/test_*.py : Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Applied to files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit config uses a modular, fail-fast layout and wires the verify-module-signatures hook to a shell wrapper:
  • .pre-commit-config.yaml — hook id verify-module-signatures → entry ./scripts/pre-commit-verify-modules-signature.sh [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:7]
• pre-commit-quality-checks.sh is present and referenced by multiple Block 1/Block 2 hooks (format/yaml/bundle/lint/code-review):
  • scripts/pre-commit-quality-checks.sh exists and is invoked from .pre-commit-config.yaml entries (modules-block1-*, modules-block2) [::nold-ai/specfact-cli-modules::scripts/pre-commit-quality-checks.sh; .pre-commit-config.yaml:17,24,30,37,43]
• The repository contains the verifier and related scripts; verifier supports payload-from-filesystem + enforce-version-bump and is referenced in docs/CI:
  • scripts/verify-modules-signature.py — full verifier implementation; docs and workflows reference calling it with --payload-from-filesystem and --enforce-version-bump, and conditionally with --require-signature for main [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py; .github/workflows/pr-orchestrator.yml:99; docs/reference/module-security.md:49]
• Wrapper naming: the repo's verify wrapper is named pre-commit-verify-modules-signature.sh (note the "-signature" suffix) and delegates to verify-modules-signature.py:
  • scripts/pre-commit-verify-modules-signature.sh present and referenced in tests and .pre-commit-config.yaml [::nold-ai/specfact-cli-modules::scripts/pre-commit-verify-modules-signature.sh; .pre-commit-config.yaml:7]
• Tests and docs already expect the branch-aware policy: CI/spec and docs require omitting --require-signature off-main and enforcing it on main — the repo asserts parity with that behavior:
  • openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md and related docs/test files assert the same branch rule and pre-commit behavior [::nold-ai/specfact-cli-modules::openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md; docs/authoring/module-signing.md]

Implication for the PR under review:

• The PR's new scripts and modular hook layout align with artifacts already present in specfact-cli-modules: pre-commit-quality-checks.sh, verify-modules-signature.py, and CI/docs expecting branch-aware --require-signature behavior. Reviewers should ensure naming/entrypoints match (e.g., pre-commit-verify-modules-signature.sh vs pre-commit-verify-modules.sh) and that the PR preserves the documented flags (--payload-from-filesystem, --enforce-version-bump) and branch policy (require on main, omit elsewhere) as exercised by tests/docs in this repo.

🔇 Additional comments (6)

scripts/pre-commit-verify-modules.sh (1)

1-43: LGTM — branch-aware module verification is well-structured.

This wrapper correctly implements the marketplace-06 policy with proper fail-closed semantics:

• Strict mode (set -euo pipefail) ensures pipeline failures surface immediately.
• Git repo root and staged file discovery now fail explicitly rather than masking errors (addresses prior feedback).
• The case dispatch on require/omit with an explicit * fallback ensures unknown policy values don't silently degrade enforcement.
• CR/LF sanitization (lines 28-29) is good defensive coding for cross-platform flag script output.

The design aligns with the linked specfact-cli-modules repo's branch-aware behavior: --require-signature on main, checksum-only elsewhere, and --enforce-version-bump always present per the learnings about enforcing module signatures and version bumps.

scripts/pre-commit-quality-checks.sh (5)

130-154: LGTM — Block 2 skip logic now correctly includes pre-commit scripts in the review surface.

The prior exemption for scripts/pre-commit-quality-checks.sh, scripts/pre-commit-smart-checks.sh, scripts/pre-commit-verify-modules.sh, and scripts/git-branch-module-signature-flag.sh has been removed, ensuring these trust-boundary scripts now trigger the code review and contract test gates when staged. This aligns with the linked specfact-cli-modules repo where staged scripts/ changes are part of the Block 2 surface.

The remaining exemptions (version metadata, docs, workflows, test tooling infrastructure) are reasonable for a "safe change" classification that skips the heavier Block 2 gates.

---

46-102: LGTM — staged file helpers now use robust iteration patterns.

The staged_files() function correctly uses --diff-filter=ACMR to exclude deleted files (addressing the prior feedback about downstream failures when passing non-existent paths to tools).

All iteration over staged files uses while IFS= read -r line loops, which correctly handles filenames with spaces, special characters, and empty lines. The staged_markdown_files() and staged_review_gate_files() functions follow the same safe pattern.

---

232-291: LGTM — Markdown handling uses portable array patterns.

The switch from xargs -r to mapfile -t with direct array expansion ("${md_files[@]}") addresses the prior portability concern for BSD/macOS environments. The fail_if_markdown_has_unstaged_hunks() guard (line 244) is a thoughtful safety check before auto-fixing.

The npx --yes markdownlint-cli fallback (lines 254, 284) provides developer convenience at the cost of first-run latency, with a helpful hint at line 259 to install globally for faster subsequent runs. This is a reasonable trade-off for a pre-commit hook.

---

414-434: LGTM — run_all pipeline ordering is architecturally sound.

The execution order correctly prioritizes trust-boundary checks:

1. Module signature verification first — ensures bundled module integrity before any code transformation.
2. Version sources synchronization — catches version drift early when version files are staged.
3. Block 1 stages — format, lint, and validation gates that are fast and file-type scoped.
4. Block 2 gates — heavier code review and contract tests, with safe-change skip logic applied only after Block 1 completes.

The check_contract_script_exists() helper extraction (line 432) centralizes the existence check as suggested in prior feedback, improving maintainability.

This design provides good incremental feedback during commit preparation while ensuring the trust-critical checks run unconditionally.

---

322-368: LGTM — Block 2 gates are well-implemented.

The run_code_review_gate() function correctly:

• Builds an array of staged paths matching the review-eligible prefixes (src/, scripts/, tools/, tests/, openspec/changes/).
• Passes the array to scripts/pre_commit_code_review.py which handles Python-file filtering internally.
• Provides actionable error messages on failure.

The run_contract_tests_visible() function now includes the explanatory comment (lines 346-347) clarifying why contract-test-status output is suppressed — transient environmental noise shouldn't alarm developers when the fallback to full hatch run contract-test will surface real failures.

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 34-39: The rename of
scripts/pre-commit-verify-modules-signature.sh to
scripts/pre-commit-verify-modules.sh breaks downstream specfact-cli-modules
references (check .pre-commit-config.yaml) and tests
test_pre_commit_verify_modules_signature_script.py and
test_pre_commit_quality_parity.py; either restore the original canonical wrapper
name or create a compatibility shim (a symlink or small delegating script named
pre-commit-verify-modules-signature.sh that invokes
pre-commit-verify-modules.sh) and then update specfact-cli-modules to
consistently reference pre-commit-verify-modules.sh across its
.pre-commit-config.yaml, docs, and tests so unit tests and hook entries remain
valid.

In `@scripts/pre-commit-quality-checks.sh`:
- Around line 72-102: The markdown file matchers only check for “.md” and thus
miss “.mdc” files; update has_staged_markdown, has_staged_python (if
applicable), and staged_markdown_files to treat both .md and .mdc (e.g., change
the regex from \.md$ to \.(md|mdc)$), and update any user-facing skip/skip-text
messages and the safe-change allowlist pattern to reference both extensions
(e.g., /*.{md,mdc}) and ensure special characters are properly escaped in those
patterns/strings; use the function names has_staged_markdown and
staged_markdown_files to locate the changes and also update the docs-only
safe-change allowlist entry that mentions “no staged *.md” to include “*.mdc”.
- Around line 137-139: The script scripts/pre-commit-quality-checks.sh currently
treats "pyproject.toml" and "setup.py" as safe-change-only files in the case
"${file}" allowlist (and the duplicate allowlists at the other occurrences),
which skips Block 2 checks; remove "pyproject.toml" and "setup.py" from those
case patterns (and any identical allowlist blocks at the other occurrences
referenced) so edits to those files run the full checks, or alternatively make
the fast-path logic diff-aware if you intend to keep them on the fast path.
- Around line 184-197: The run_module_signature_verification function currently
calls only scripts/pre-commit-verify-modules.sh which breaks compatibility with
older parity entrypoints; update the function to try the primary script and if
missing/fails, fall back to scripts/pre-commit-verify-modules-signature.sh (or
look for either and run the first existing one), and log which script was
executed; reference the function name run_module_signature_verification and the
two script names so the change locates the call site and adds the fallback/shim
behavior and appropriate success/error messages.
- Around line 248-249: The pre-commit hook uses the Bash-only builtin mapfile
(in run_markdown_autofix_if_needed and run_markdown_lint_if_needed) which breaks
on Bash 3.2; replace each mapfile usage that populates md_files with a
POSIX/Bash‑3.2 compatible loop: read the output of staged_markdown_files using
the same pattern already used elsewhere (while IFS= read -r line || [[ -n
"$line" ]]; do md_files+=("$line"); done < <(staged_markdown_files)) so both
functions match the staged_markdown_files implementation and avoid mapfile.

In `@tests/unit/scripts/test_pre_commit_verify_modules.py`:
- Around line 16-17: Add a unit test that verifies the legacy entrypoint
delegates to the new wrapper: create a test (e.g.,
test_pre_commit_verify_modules_legacy_entrypoint) that locates the legacy script
path (REPO_ROOT / "scripts" / "pre-commit-verify-modules-signature.sh") and
asserts it exists and either is a symlink to VERIFY_WRAPPER or, when executed
(via subprocess.run or by invoking the script's shell), produces the same exit
code/output as calling VERIFY_WRAPPER (or explicitly calls VERIFY_WRAPPER by
mocking subprocess.run to capture calls); update existing tests around
FLAG_SCRIPT and VERIFY_WRAPPER to include this compatibility assertion so
downstream repos relying on the legacy path are covered.
- Around line 84-138: _repo_with_verify_scripts currently always stages only
"modules/pkg.yaml" so tests miss the bundled-tree path under
src/specfact_cli/modules/; update _repo_with_verify_scripts to accept a
parameter (e.g., staged_module_root or module_root_path) and use it to stage
either "modules/" or "src/specfact_cli/modules/" as requested, create the
corresponding directory and a pkg.yaml in that root, and adjust callers in the
test file to run parameterized cases that cover on-main and off-main behavior
for both roots so pre-commit-verify-modules.sh is exercised for the bundled-tree
path as well as the top-level modules path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0e987e7f-ef38-4d0b-a17c-1746fd4686ce

📥 Commits

Reviewing files that changed from the base of the PR and between 31a6e95 and 24d17d7.

📒 Files selected for processing (3)

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Compatibility (Python 3.11)
• GitHub Check: Tests (Python 3.12)

🧰 Additional context used

📓 Path-based instructions (8)

**/*.{md,mdc}

📄 CodeRabbit inference engine (.cursor/rules/markdown-rules.mdc)

**/*.{md,mdc}: Do not use more than one consecutive blank line anywhere in the document (MD012: No Multiple Consecutive Blank Lines)
Fenced code blocks should be surrounded by blank lines (MD031: Fenced Code Blocks)
Lists should be surrounded by blank lines (MD032: Lists)
Files must end with a single empty line (MD047: Files Must End With Single Newline)
Lines should not have trailing spaces (MD009: No Trailing Spaces)
Use asterisks (**) for strong emphasis, not underscores (__) (MD050: Strong Style)
Fenced code blocks must have a language specified (MD040: Fenced Code Language)
Headers should increment by one level at a time (MD001: Header Increment)
Headers should be surrounded by blank lines (MD022: Headers Should Be Surrounded By Blank Lines)
Only one top-level header (H1) is allowed per document (MD025: Single H1 Header)
Use consistent list markers, preferring dashes (-) for unordered lists (MD004: List Style)
Nested unordered list items should be indented consistently, typically by 2 spaces (MD007: Unordered List Indentation)
Use exactly one space after the list marker (e.g., -, *, +, 1.) (MD030: Spaces After List Markers)
Use incrementing numbers for ordered lists (MD029: Ordered List Item Prefix)
Enclose bare URLs in angle brackets or format them as links (MD034: Bare URLs)
Don't use spaces immediately inside code spans (MD038: Spaces Inside Code Spans)
Use consistent indentation (usually 2 or 4 spaces) throughout markdown files
Keep line length under 120 characters in markdown files
Use reference-style links for better readability in markdown files
Use a trailing slash for directory paths in markdown files
Ensure proper escaping of special characters in markdown files

Files:

• CHANGELOG.md

CHANGELOG.md

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

Include new version entries at the top of CHANGELOG.md when updating versions

Update CHANGELOG.md with all code changes as part of version control requirements.

Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Files:

• CHANGELOG.md

**/*.md

📄 CodeRabbit inference engine (.cursorrules)

Avoid markdown linting errors (refer to markdown-rules)

Files:

• CHANGELOG.md

**/test_*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/test_*.py: Write tests first in test-driven development (TDD) using the Red-Green-Refactor cycle
Ensure each test is independent and repeatable with no shared state between tests
Organize Python imports in tests using unittest.mock for Mock and patch
Use setup_method() for test initialization and Arrange-Act-Assert pattern in test files
Use @pytest.mark.asyncio decorator for async test functions in Python
Organize test files in structure: tests/unit/, tests/integration/, tests/e2e/ by module

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/python-github-rules.mdc)

**/*.py: Maintain minimum 80% test coverage, with 100% coverage for critical paths in Python code
Use clear naming and self-documenting code, preferring clear names over comments
Ensure each function/class has a single clear purpose (Single Responsibility Principle)
Extract common patterns to avoid code duplication (DRY principle)
Apply SOLID object-oriented design principles in Python code
Use type hints everywhere in Python code and enable basedpyright strict mode
Use Pydantic models for data validation and serialization in Python
Use async/await for I/O operations in Python code
Use context managers for resource management in Python
Use dataclasses for simple data containers in Python
Enforce maximum line length of 120 characters in Python code
Use 4 spaces for indentation in Python code (no tabs)
Use 2 blank lines between classes and 1 blank line between methods in Python
Organize imports in order: Standard library → Third party → Local in Python files
Use snake_case for variables and functions in Python
Use PascalCase for class names in Python
Use UPPER_SNAKE_CASE for constants in Python
Use leading underscore (_) for private methods in Python classes
Use snake_case for Python file names
Enable basedpyright strict mode with strict type checking configuration in Python
Use Google-style docstrings for functions and classes in Python
Include comprehensive exception handling with specific exception types in Python code
Use logging with structured context (extra parameters) instead of print statements
Use retry logic with tenacity decorators (@retry) for operations that might fail
Use Pydantic BaseSettings for environment-based configuration in Python
Validate user input using Pydantic validators in Python models
Use @lru_cache and Redis-based caching for expensive calculations in Python
Run code formatting with Black (120 character line length) and isort in Python
Run type checking with basedpyright on all Python files
Run linting with ruff and pylint on all Pyth...

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

tests/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Tests must be meaningful and test actual functionality, cover both success and failure cases, be independent and repeatable, and have clear, descriptive names. NO EXCEPTIONS - no placeholder or empty tests.

tests/**/*.py: Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)
Delete tests that only assert input validation, datatype/shape enforcement, or raises on negative conditions now guarded by contracts and runtime typing
Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Secret redaction via LoggerSetup.redact_secrets must be covered by unit tests

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

---

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first testing: meaningful scenarios, not redundant assertions already covered by
contracts. Flag flakiness, environment coupling, and missing coverage for changed behavior.

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

@(src|tests)/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/spec-fact-cli-rules.mdc)

Linting must pass with no errors using: pylint src tests

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

**/*.{py,pyi}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{py,pyi}: After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: hatch run format, (2) Type checking: hatch run type-check (basedpyright), (3) Contract-first approach: Run hatch run contract-test for contract validation, (4) Run full test suite: hatch test --cover -v, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass
All public APIs must have @icontract decorators and @beartype type checking
Use Pydantic models for all data structures with data validation
Only write high-value comments if at all. Avoid talking to the user through comments

Files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

🧠 Learnings (32)

📓 Common learnings

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Enforce module signatures and version bumps when signed module assets or manifests are affected

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md with all code changes as part of version control requirements.

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md to document all significant changes under Added, Fixed, Changed, or Removed sections when making a version change

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:ff` (Fast-Forward Change Creation): OPSX provides change scaffolding and artifact templates. AGENTS.md requires explicitly adding: Worktree creation task as Step 1 in tasks.md (not just 'create branch'), TDD_EVIDENCE.md tracking task in section 2 (Tests), Documentation research task per `openspec/config.yaml`, Module signing quality gate if applicable, Worktree cleanup steps in final section

Applied to files:

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to openspec/changes/**/*.md : For `/opsx:archive` (Archive change): Include module signing and cleanup in final tasks. Agents MUST run `openspec archive <change-id>` from repo root (no manual `mv` under `openspec/changes/archive/`)

Applied to files:

• CHANGELOG.md
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Keep line length under 120 characters in markdown files

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Before executing ANY workflow command (`/opsx:ff`, `/opsx:apply`, `/opsx:continue`, etc.), perform the Pre-Execution Checklist: (1) Git Worktree - create if task creates branches/modifies code, (2) TDD Evidence - create `TDD_EVIDENCE.md` if behavior changes, (3) Documentation - include documentation research if changes affect user-facing behavior, (4) Module Signing - include signature verification if changes modify bundled modules, (5) Confirmation - state clearly that pre-execution checklist is complete and AGENTS.md compliance is confirmed

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.md : Avoid markdown linting errors (refer to markdown-rules)

Applied to files:

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: When creating implementation plans, task lists, or OpenSpec tasks.md, ALWAYS explicitly verify and include: (1) Worktree creation from `origin/dev` (not `git checkout -b`), (2) `hatch env create` in the worktree, (3) Pre-flight checks (`hatch run smart-test-status`, `hatch run contract-test-status`), (4) Worktree cleanup steps post-merge, (5) Self-check: 'Have I followed AGENTS.md Git Worktree Policy section?'

Applied to files:

• CHANGELOG.md
• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Always finish each output by listing: (1) Which rulesets have been applied (e.g., `.cursorrules`, `AGENTS.md`, specific `.cursor/rules/*.mdc`), (2) Confirmation of Git Worktree Policy compliance (if applicable), (3) Which AI (LLM) provider and model version you are using

Applied to files:

• CHANGELOG.md

📚 Learning: 2026-04-10T22:41:26.519Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-10T22:41:26.519Z
Learning: Enforce the clean-code review gate through `hatch run specfact code review run --json --out .specfact/code-review.json`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: Applies to **/*.{py,pyi} : After any code changes, follow these steps in order: (1) Apply linting and formatting to ensure code quality: `hatch run format`, (2) Type checking: `hatch run type-check` (basedpyright), (3) Contract-first approach: Run `hatch run contract-test` for contract validation, (4) Run full test suite: `hatch test --cover -v`, (5) Verify all tests pass and contracts are satisfied, (6) Fix any issues and repeat steps until all tests pass

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Run `hatch run yaml-check-all` in CI and before pull requests to validate all YAML and workflow files

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to **/*.{yml,yaml} : Format all YAML and workflow files using `hatch run yaml-fix-all` before committing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Before making a pull request, locally run format, lint, contract tests, and full test suite: `hatch run format`, `hatch run lint`, `hatch run contract-test`, `hatch test --cover -v`

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: After implementation, run quality gates (hatch run format, hatch run type-check, hatch run contract-test, hatch test or hatch run smart-test) to ensure all tests pass and contracts are satisfied

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: All development work MUST use git worktrees per AGENTS.md Git Worktree Policy. Never create branches with `git checkout -b` in the primary checkout. Create worktree from origin/dev: `git worktree add ../specfact-cli-worktrees/<type>/<slug> -b <branch-name> origin/dev` where allowed types are: `feature/`, `bugfix/`, `hotfix/`, `chore/`. Forbidden in worktrees: `dev`, `main`. After creating worktree: `cd ../specfact-cli-worktrees/<type>/<slug>`. Bootstrap Hatch in worktree: `hatch env create`. Run pre-flight checks: `hatch run smart-test-status` and `hatch run contract-test-status`. Do all implementation work from the worktree, never from primary checkout. After PR merge: cleanup with `git worktree remove`, `git branch -d`, `git worktree prune`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Validate GitHub workflow files using `hatch run lint-workflows` before committing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Ensure proper escaping of special characters in markdown files

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:08.987Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/markdown-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:08.987Z
Learning: Applies to **/*.{md,mdc} : Lines should not have trailing spaces (MD009: No Trailing Spaces)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Run contract-first validation locally before committing: `hatch run contract-test-contracts`, `hatch run contract-test-exploration`, and `hatch run contract-test-scenarios`

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Record the contract or property that supersedes a removed test in the PR description

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:57.944Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/spec-fact-cli-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:57.944Z
Learning: Applies to src/**/*.py : Test Coverage Validation: Run hatch run smart-test-unit for modified files, hatch run smart-test-folder for modified directories, and hatch run smart-test-full before committing. ALL TESTS MUST PASS.

Applied to files:

• scripts/pre-commit-quality-checks.sh
• tests/unit/scripts/test_pre_commit_verify_modules.py

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Trim low-value unit tests when a contract covers the same assertion (type/shape/raises on negative checks)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to tests/**/*.py : Convert repeated edge-case permutations into one Hypothesis property with contracts acting as oracles

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:32:29.182Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/python-github-rules.mdc:0-0
Timestamp: 2026-03-25T21:32:29.182Z
Learning: Applies to **/*.py : Extract common patterns to avoid code duplication (DRY principle)

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:54.419Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/automatic-openspec-workflow.mdc:0-0
Timestamp: 2026-04-10T22:41:54.419Z
Learning: Applies to {src,tools}/**/*.{js,ts,jsx,tsx,py},**/*.test.{js,ts,jsx,tsx,py},**/*.spec.{js,ts,jsx,tsx,py} : Do not add, modify, or delete any application code in src/, tools/, tests, or significant docs until an OpenSpec change (new or delta) is created and validated, unless the user explicitly opts out with 'skip openspec', 'direct implementation', 'simple fix', or 'just fix it'

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:34.504Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-10T22:41:34.504Z
Learning: Treat clean-code regressions as blocking until they are fixed or explicitly justified

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:42:21.849Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-10T22:42:21.849Z
Learning: Fix SpecFact code review findings, including warnings, unless a rare explicit exception is documented

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:15.296Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/testing-and-build-guide.mdc:0-0
Timestamp: 2026-03-25T21:33:15.296Z
Learning: Applies to **/*.{yml,yaml} : Validate YAML configuration files locally using `hatch run yaml-lint` before committing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-03-25T21:33:22.650Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursor/rules/yaml-and-workflows.md:0-0
Timestamp: 2026-03-25T21:33:22.650Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Format GitHub Actions workflows using `hatch run workflows-fmt` and lint them with `hatch run workflows-lint` after editing

Applied to files:

• scripts/pre-commit-quality-checks.sh

📚 Learning: 2026-04-10T22:41:19.077Z

Learnt from: CR
Repo: nold-ai/specfact-cli PR: 0
File: .cursorrules:0-0
Timestamp: 2026-04-10T22:41:19.077Z
Learning: For `/opsx:apply` (Implementation): OPSX provides task iteration and progress tracking. AGENTS.md requires verification before each task: Confirm you are IN a worktree (not primary checkout) before modifying code, Record failing test evidence in `TDD_EVIDENCE.md` BEFORE implementing, Record passing test evidence AFTER implementation, Run quality gates from worktree (format, type-check, contract-test), GPG-signed commits (`git commit -S`), PR to `dev` branch (never direct push)

Applied to files:

• tests/unit/scripts/test_pre_commit_verify_modules.py

🔀 Multi-repo context nold-ai/specfact-cli-modules

Linked repositories findings

nold-ai/specfact-cli-modules

• .pre-commit config uses the modular, fail-fast layout and invokes the verify hook via:

  • .pre-commit-config.yaml: entry: ./scripts/pre-commit-verify-modules-signature.sh [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:9]

• The canonical verifier and wrapper scripts exist and are exercised in tests/docs:

  • scripts/verify-modules-signature.py — verifier implementation supporting --payload-from-filesystem and --enforce-version-bump (present) [::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py]
  • scripts/pre-commit-verify-modules-signature.sh — wrapper that decides whether to add --require-signature (uses GITHUB_BASE_REF / branch detection) and execs verifier with or without --require-signature [::nold-ai/specfact-cli-modules::scripts/pre-commit-verify-modules-signature.sh]

• The repo contains the Block 1/Block 2 quality pipeline and hook entrypoints:

  • scripts/pre-commit-quality-checks.sh — implements block1-format, block1-yaml, block1-bundle, block1-lint, block2, and all [::nold-ai/specfact-cli-modules::scripts/pre-commit-quality-checks.sh]
  • .pre-commit-config.yaml hooks call pre-commit-quality-checks.sh for block1-* and block2 (see entries) [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml:17,24,30,37,43]

• Policy parity and docs/tests:

  • The repository docs and openspec require the branch-aware policy: omit --require-signature off-main; require on main (CI and pre-commit mirror this) [::nold-ai/specfact-cli-modules::docs/reference/module-security.md; ::openspec/changes/marketplace-06-ci-module-signing/specs/ci-integration/spec.md]
  • Tests reference the modular quality layout and the verify wrapper name pre-commit-verify-modules-signature.sh (unit tests and workflow tests expect that name) [::nold-ai/specfact-cli-modules::tests/unit/test_pre_commit_quality_parity.py; ::tests/unit/test_pre_commit_verify_modules_signature_script.py]

Potential cross-repo issue to surface in review

• Naming/entrypoint mismatch risk: this PR adds scripts named pre-commit-verify-modules.sh and scripts/git-branch-module-signature-flag.sh (per PR description), while specfact-cli-modules uses pre-commit-verify-modules-signature.sh and references verify-modules-signature.py. Ensure the PR preserves the expected wrapper name or provides compatible shim/updates downstream repos/tests that reference pre-commit-verify-modules-signature.sh so they still find the hook entrypoint and flags (--payload-from-filesystem, --enforce-version-bump) [::nold-ai/specfact-cli-modules::.pre-commit-config.yaml; ::nold-ai/specfact-cli-modules::scripts/pre-commit-verify-modules-signature.sh; ::nold-ai/specfact-cli-modules::scripts/verify-modules-signature.py]

Conclusion: relevant cross-repo artifacts found (verifier script, quality pipeline, pre-commit config, tests/docs asserting branch-aware --require-signature). Review should verify hook filenames/entrypoints and preserved flags/branch policy to avoid breaking consumers/tests. [::nold-ai/specfact-cli-modules::]

🔇 Additional comments (3)

tests/unit/scripts/test_pre_commit_verify_modules.py (1)

159-179: Good edge-path coverage here.

The git diff --cached hard-failure case and detached-HEAD fallback are exactly the branches that tend to regress first; keeping both in this file materially strengthens the wrapper contract.

Also applies to: 257-268

CHANGELOG.md (2)

13-33: Release-note taxonomy is now correctly structured for 0.46.1.

Good split into Added / Fixed / Changed with concrete script-level traceability; this is auditable and release-friendly.

---

40-48: Scope and behavior notes are clear and sufficiently specific.

The staged-file gating and docs/OpenSpec alignment callouts are precise and useful for operator/developer traceability.