feat: V2 spec batches 3-5b — security, policy, recipes, experiment tracking by noahgift · Pull Request #11 · paiml/forjar

noahgift · 2026-03-03T21:02:53Z

Summary

Batch 3 (FJ-1384): Stack extraction, proof obligation taxonomy, chain hashing
Batch 4 (FJ-1386): Generational snapshots, compliance framework, proptest handlers, rollback-on-failure
Batch 5a (FJ-1389-1391): Stack diff CLI, security scanner (10 rules from arXiv:2509.18761), policy-as-code gates, drift forensics with operator attribution
Batch 5b (FJ-1392-1393): Recipe version conflict detection, experiment tracking metadata (param_count), refactored recipe expansion for complexity compliance
Spec scorecard: 98 → 105/166

Test plan

7,302 lib tests pass
Pre-commit complexity gates pass (refactored recipes.rs)
Security scanner: 30 tests covering all 10 rules
Stack diff: 7 tests
All new ProvenanceEvent fields backward-compatible (serde defaults)

🤖 Generated with Claude Code

Add devices, group_add, and env fields to ContainerConfig for multi-vendor GPU passthrough — supporting apr-model-qa-playbook workflows across CUDA, ROCm, and Intel accelerators. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add dogfood-multi-gpu.yaml (2 machines, 5 resources) exercising NVIDIA CUDA and AMD ROCm container transport with device passthrough, group access, and env vars. Add Priority 0 section to spec §8 with FJ-738 (done), FJ-739 (GPU integration tests), FJ-740 (apr-model-qa-playbook integration). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add tests/gpu_container_transport.rs with 7 feature-gated tests: CUDA lifecycle/nvidia-smi/env, ROCm lifecycle/device-access/env, cross-vendor same-config deployment. Add gpu_container_transport.rs example. Update spec §10.5 GPU test matrix, mark FJ-739 done. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…nfigs) Add apr-model-qa recipe (5 resources: workspace, model dir, playbook, runner, results) and dogfood-apr-qa.yaml deploying it to CUDA + ROCm containers (2 machines, 10 resources). Mark FJ-740 done, all Priority 0 tickets complete. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Ch02: GPU Container Transport section with field reference, NVIDIA CUDA example, AMD ROCm example, multi-vendor fleet pattern. Ch10: GPU Container Testing section with test matrix, CI job, dogfood verification commands. Update CI table (30 configs, 20 examples). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- FJ-730: ntfy.sh notification channel for apply events - FJ-731: validate --check-cron-syntax (field-level cron validation) - FJ-732: status --resource-health (per-resource health listing) - FJ-733: dry-run-json already existed (FJ-440), deduplicated - FJ-734: graph --breadth-first (BFS topological traversal) - FJ-736: apply --only-machine (single machine targeting) - FJ-737: status --machine-health-summary (per-machine health overview) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Spec: all 8 tickets Planned→Done Book: add --breadth-first, --check-cron-syntax, --resource-health, --machine-health-summary, --notify-ntfy, --only-machine examples Dogfood: 30/30 configs validate, 20/20 examples run, 2188 tests pass Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- FJ-741: validate --check-env-refs (verify {{env.*}} references) - FJ-743: graph --subgraph-stats (connected component analysis) - FJ-744: apply --notify-webhook-headers (custom webhook headers) - FJ-745: validate --check-resource-names (kebab-case/prefix enforcement) - FJ-746: status --last-apply-status (per-machine apply history) - FJ-747: graph --dependency-count (in-degree/out-degree metrics) - FJ-748: status --resource-staleness (time since last apply) Spec: Phase 60 defined and marked Planned Book: updated CLI reference with Phase 59 examples Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

All Phase 60 tickets: Planned→Done 30/30 dogfood configs validate, 20/20 examples run, 2202 tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Graph: root-resources, edge-list. Validate: resource-count, duplicate-paths. Status: convergence-percentage, failed-count, drift-count. 18 new tests. Split status_resource_detail.rs → status_counts.rs (500-line limit). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Validate: circular-deps, machine-refs. Graph: connected-components, adjacency-matrix. Status: resource-duration, machine-resource-map. 17 new tests. New modules: validate_safety, status_diagnostics. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Validate: provider-consistency, state-values. Graph: longest-path, in-degree. Status: fleet-convergence, resource-hash, machine-drift-summary. 18 new tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…2274) New CLI flags: - validate --check-unused-machines: detect machines with no resource refs - validate --check-tag-consistency: verify kebab-case tag naming - graph --out-degree: show dependency count per resource - graph --density: compute edge density ratio - status --apply-history-count: total applies per machine from event log - status --lock-file-count: count lock files across fleet - status --resource-type-distribution: resource type breakdown - apply --notify-json: JSON notification output (arg wiring) 19 new tests (2255→2274), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Phase 64 (FJ-773→FJ-780): 8/8 tickets Done — governance & audit intelligence. Phase 65 defined: operational readiness & deep analysis. Book updated with validate, graph, status Phase 64 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…(2274→2292) New CLI flags: - validate --check-dependency-exists: verify depends_on targets exist - validate --check-path-conflicts-strict: detect same file path on same machine - graph --topological-sort: output valid execution order (Kahn's algorithm) - graph --critical-path-resources: show resources on longest chain - status --resource-apply-age: time since last apply per resource - status --machine-uptime: time since first apply per machine - status --resource-churn: apply frequency per resource from event log - apply --notify-slack-webhook: Slack webhook notification (arg wiring) 18 new tests (2274→2292), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Phase 65 (FJ-781→FJ-788): 8/8 tickets Done — operational readiness. Phase 66 defined: fleet intelligence & compliance. Book updated with validate, graph, status Phase 65 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…2311) New CLI flags: - validate --check-duplicate-names: detect duplicate base names across groups - validate --check-resource-groups: verify resource groups are non-empty - graph --sink-resources: show resources with no dependents (leaf nodes) - graph --bipartite-check: check if dependency graph is bipartite (2-coloring) - status --last-drift-time: show timestamp of last drift per resource - status --machine-resource-count: show resource count per machine - status --convergence-score: weighted convergence score across fleet - apply --notify-telegram: Telegram notification (arg wiring) New file: status_fleet_detail.rs. 19 new tests (2292→2311), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… book Phase 66 (FJ-789→FJ-796): 8/8 tickets Done — fleet intelligence. Phase 67 defined: advanced graph analysis & monitoring. Book updated with validate, graph, status Phase 66 examples. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…J-804, 2329 tests) Validate: --check-orphan-resources (FJ-797), --check-machine-arch (FJ-801) Graph: --strongly-connected via Tarjan SCC (FJ-799), --dependency-matrix-csv (FJ-803) Status: --apply-success-rate (FJ-800), --error-rate (FJ-802), --fleet-health-summary (FJ-804) Split graph_export.rs → graph_advanced.rs to stay under 500-line limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…812, 2329→2350) Validate: --check-resource-health-conflicts (FJ-805), --check-resource-overlap (FJ-809) Status: --machine-convergence-history (FJ-806), --drift-history (FJ-810), --resource-failure-rate (FJ-812) Graph: --resource-weight (FJ-807), --dependency-depth-per-resource (FJ-811) Apply: Wire --notify-pagerduty into NotifyOpts with PagerDuty Events v2 API (FJ-808) Split validate_safety.rs -> validate_advanced.rs, tests_graph_core 1/2 -> core_6. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…50→2373) - validate --check-resource-tags (FJ-813): tag convention enforcement - status --machine-last-apply (FJ-814): last apply timestamp per machine - graph --resource-fanin (FJ-815): fan-in count per resource - apply --notify-discord-webhook (FJ-816): Discord rich embed notifications - validate --check-resource-state-consistency (FJ-817): state/type validation - status --fleet-drift-summary (FJ-818): aggregated drift across fleet - graph --isolated-subgraphs (FJ-819): disconnected subgraph detection - status --resource-apply-duration (FJ-820): avg apply duration per type - Split status_fleet_detail.rs → status_operational.rs (500-line limit) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…→2396) - validate --check-resource-dependencies-complete (FJ-821): dep target existence - status --machine-resource-health (FJ-822): per-machine health breakdown - graph --resource-dependency-chain (FJ-823): full chain from root to leaf - apply --notify-teams-webhook (FJ-824): MS Teams adaptive card notifications - validate --check-machine-connectivity (FJ-825): address format validation - status --fleet-convergence-trend (FJ-826): convergence % across fleet - graph --bottleneck-resources (FJ-827): high fan-in + fan-out detection - status --resource-state-distribution (FJ-828): state counts across fleet Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…al paths (2396→2419) Validate: --check-resource-naming-pattern, --check-resource-provider-support Status: --machine-apply-count, --fleet-apply-history, --resource-hash-changes Graph: --critical-dependency-path, --resource-depth-histogram Apply: --notify-slack-blocks Split graph_advanced.rs → graph_paths.rs (FJ-823/827/831/835) to stay under 500-line limit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Work-Item: PMAT-031 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

Work-Item: PMAT-032 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

…AT-033) Work-Item: PMAT-033 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

…034) Work-Item: PMAT-034 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

Includes: nix-compatible store model (12 phases), 4 store examples, 204 spec falsification tests, task field expansion, GPU training recipe. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… (Refs FJ-1376) - panic=abort saves 3MB binary size (23→20MB), appropriate for CLI tool - Fix /state/ exclude to not catch src/core/state/ during cargo publish Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…Refs FJ-1376) Root cause (five-whys): 1. Tests fail after cargo update 2. bashrs 6.64→6.65 added SC1035 (done keyword) and SC1100 (unicode dash) 3. service.rs SYSTEMD_GUARD and network.rs UFW_GUARD contained U+2014 em-dash 4. Scripts written against bashrs 6.64, never validated against newer versions 5. cargo update ran without full test suite verification Fixes: - Replace unicode em-dash with ASCII hyphen in service.rs and network.rs - Avoid 'done' at quote boundary in test hook script - Bump rust-toolchain.toml 1.87→1.88, MSRV 1.87→1.88 (home@0.5.12 compat) - Bump version to 1.1.1 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bootstrap merge — clean-room gate workflow deployment. Generated by machines/clean-room/deploy-workflows.sh Spec: sovereign-stack-protected-branch-strategy.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…eness, reconstruction, proptest Implements 8 features from the v2 quality improvement specification: - #116: Output persistence to GlobalLock for cross-stack data flow - #117: Cross-stack data flow via forjar-state data source - #131: Cross-stack staleness detection with max_staleness field - #133: State integrity verification via BLAKE3 sidecars on apply - #127: Event-sourced state reconstruction (forjar state-reconstruct) - #50: Property-based idempotency tests (hash, serde, converged-noop) - #155: pforge MCP server deployment recipe (cookbook) - #156: Agent deployment recipe pattern (cookbook) 42 new tests, all 7176 tests pass. Book updates for state management, testing, and cookbook chapters. Refs PMAT-035, PMAT-036, PMAT-037, PMAT-038, PMAT-039, PMAT-040 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…onfig-merge (Refs PMAT-035) PMAT-041: Drift-aware deployment blocking (#21) — pre-apply drift check PMAT-042: --why change explanation (#106) — plan --why shows reasons PMAT-043: Convergence budget enforcement (#85) — policy.convergence_budget PMAT-044: Pre-apply state snapshots (#129) — policy.snapshot_generations PMAT-045: Reversibility classification (#130) — classify destroy actions PMAT-046: Config merge CLI (#121) — forjar config-merge 22 new tests, 7198 passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…Refs PMAT-035) Features marked ✅: #21 drift gate, #50 proptest, #85 budget, #106 --why, #116 output persistence, #117 cross-stack, #121 config-merge, #127 reconstruct, #129 snapshots, #130 reversibility, #131 staleness, #133 integrity. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…PMAT-036) PMAT-047: Stack extraction (#120) — forjar extract --tags/--group/--glob PMAT-050: Tamper-evident transparency log (#32) — BLAKE3 chain hashing PMAT-052: Proof obligation taxonomy (#52) — idempotent/monotonic/convergent/destructive 29 new tests, 7226 total passing. Scorecard 96→98/166. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… handlers, rollback-on-failure - generation.rs: Nix-style numbered state generations with atomic symlink swap - create_generation(), rollback_to_generation(), gc_generations(), list_generations() - forjar generation list/gc CLI commands; forjar rollback --generation N - Auto-generation creation during apply; 11 tests - compliance.rs: Structured compliance benchmark evaluation framework - CIS (6.1.1, 1.1.5, 5.2.1, 6.2.1), NIST 800-53 (AC-3, AC-6, CM-6, SC-28, SI-7) - SOC2 (CC6.1, CC7.2), HIPAA (164.312a, 164.312e); 22 tests - tests_proptest_handlers.rs: 6 property-based tests with arb_resource() strategy - Hash determinism, type-affects-hash, converged=noop, codegen no-panic - Proof obligation totality, chain hash determinism; covers 8 resource types - apply.rs: Generation-based rollback on failure via maybe_rollback_generation() - Fix: gc_old_snapshots() now uses snapshots_dir() consistently (was .snapshots) Score: 98 → 102/166 (#22 ⚠→✅, #75 ⚠→✅, #77 ⚠→✅, #83 ⚠→✅, #126 ❌→✅) (Refs PMAT-037) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…drift forensics (Refs PMAT-038) - #124 Stack diff: `forjar stack-diff` compares resources/machines/params/outputs between configs - #37 Security scanner: 10-rule IaC scanner (SS-1 through SS-10) with `forjar security-scan` CLI - #35 Policy-as-code: `policy.security_gate` blocks apply on findings above severity threshold - #20 Drift forensics: `operator` and `config_hash` fields on ApplyStarted events for attribution - Book: security scanning section with rule table and policy gate examples - Score: 98 → 101/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…efs PMAT-038) - #18 Continuous drift monitoring: forjar watch + drift --auto-remediate - #19 Self-healing drift remediation: already fully implemented in drift.rs - #62 Timeout enforcement: resource timeout + convergence_budget working - Score: 101 → 103/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… metadata (Refs PMAT-038) - Recipe expansion detects version conflicts (same recipe at different versions) - ApplyStarted event now includes param_count for experiment tracking - Refactored expand_recipes() into 7 helper functions for complexity compliance - Updated spec scorecard: 105/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…s, ISO export, brownfield import, cross-machine deps (Refs PMAT-039) - FJ-1420 (#76): forjar fault-inject — fault scenario generation per resource - FJ-1421 (#78): forjar invariants — runtime invariant monitors from policies - FJ-1422 (#91): forjar iso-export — offline deployment bundles with BLAKE3 manifest - FJ-1423 (#25): forjar import-brownfield — scan dpkg/systemd/config for state import - FJ-1424 (#11): forjar cross-deps — cross-machine dependency analysis + execution waves - 33 new tests (7448 total), spec scorecard 145→150/166 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

noahgift and others added 30 commits February 27, 2026 22:57

docs: Mark Phase 60 Done, define Phase 61 (FJ-749→FJ-756)

25dcc28

All Phase 60 tickets: Planned→Done 30/30 dogfood configs validate, 20/20 examples run, 2202 tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 61 Done, define Phase 62 (FJ-757→FJ-764), update CLI…

f115a0d

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 62 Done, define Phase 63 (FJ-765→FJ-772), update CLI…

f33ddaf

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 63 Done, define Phase 64 (FJ-773→FJ-780), update CLI…

b08c53c

… book Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Phase 67 Done, define Phase 68 (FJ-805→FJ-812), update book

0cf22bf

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 68 Done, define Phase 69 (FJ-813→FJ-820), update book

a19a964

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 69 Done, define Phase 70 (FJ-821→FJ-828), update book

6d02e59

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs: Mark Phase 70 Done, define Phase 71 (FJ-829→FJ-836), update book

122fb81

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

noahgift and others added 17 commits March 3, 2026 14:44

feat: FJ-1373: Store FAR archive example + book section (Refs PMAT-031)

04a561f

Work-Item: PMAT-031 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

feat: FJ-1374: Store secret scan example + book section (Refs PMAT-032)

32f9695

Work-Item: PMAT-032 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

feat: FJ-1375: Store bash provability example + book section (Refs PM…

de1bec5

…AT-033) Work-Item: PMAT-033 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

feat: FJ-1376: Store benchmarks example + cookbook update (Refs PMAT-…

942a1d2

…034) Work-Item: PMAT-034 TDG-Score: 0.0/100 Repo-Score: 0.0/100 Rust-Score: 0.0/134 Metrics: .pmat-metrics/commit-*-meta.json

chore: bump version to 1.1.0 for crates.io release (Refs FJ-1376)

e2c7332

Includes: nix-compatible store model (12 phases), 4 store examples, 204 spec falsification tests, task field expansion, GPU training recipe. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ci: add clean-room gate CI + release workflows

9b951cd

Bootstrap merge — clean-room gate workflow deployment. Generated by machines/clean-room/deploy-workflows.sh Spec: sovereign-stack-protected-branch-strategy.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ci: use @main ref for reusable workflow (testing cross-repo gate)

c29dc7b

noahgift mentioned this pull request Mar 3, 2026

feat: FJ-1420–1424: fault injection, invariants, ISO export, brownfield import, cross-machine deps #17

Open

3 tasks

noahgift force-pushed the main branch from 3ed272c to e707e73 Compare March 20, 2026 14:34

noahgift force-pushed the main branch 3 times, most recently from 8cf6817 to f100dab Compare March 21, 2026 18:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: V2 spec batches 3-5b — security, policy, recipes, experiment tracking#11

feat: V2 spec batches 3-5b — security, policy, recipes, experiment tracking#11
noahgift wants to merge 308 commits into
mainfrom
feat/v2-batch-5b-recipe-experiment

noahgift commented Mar 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

noahgift commented Mar 3, 2026

Summary

Test plan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant