fraqtal/agentic-dev
Template
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
90341ff47591dc27f188bf66b26f49a700f78dbf
agentic-dev/docs/work
History
Danijel Martinek 90341ff475 docs: introduce CI security + supply-chain stack (ADR-023 + PRD) 
- ADR-023 codifies the four-pillar enforcement stack: Renovate for
  bumps + Action SHA pinning via pinGitHubActionDigests, Socket.dev
  as a 9th hard filter in evaluate-library (free App + self-hosted
  socket-cli + reviewer-prompt enforcement), weekly trace
  revalidation cron with two-tier divergence action (rolling
  dashboard issue + per-dep re-evaluation issues), and the baseline
  GitHub-native gates (CodeQL, pnpm audit signatures, gitleaks
  pre-commit + native push protection). Failure-mode hierarchy is
  the single source of truth referenced by the sandcastle reviewer.
- Section 6 amends ADR-022 in place: major-bump re-evaluation
  trigger (minor/patch bumps skip), last-revalidated frontmatter
  field (preserves original date for adoption provenance), and
  Socket as the 9th hard filter. ADR-022 stays unedited; both ADRs
  read as a composed policy.
- PRD at docs/work/prds/2026-05-14-ci-security-and-supply-chain.prd.md
  seeds the implementation epic; explicit sequencing -- depends on
  the in-flight library-evaluation epic's stories 01/02/04/06
  landing first.
- Glossary gains "Trace revalidation" + "Major-bump re-evaluation"
  entries referenced by both ADRs.

Catalyst: 2026-05-14 audit confirmed zero security tooling in the
repo + GitHub Actions pinned to major-version tags (the tj-actions/
changed-files attack class). ADR-022 closes the adoption-time gate;
ADR-023 closes the post-adoption drift gate.
2026-05-14 18:47:25 +02:00
..
2026-05-13-binder-wrap-helper
chore(work): finish epic 2026-05-13-binder-wrap-helper
2026-05-13 20:41:18 +02:00
2026-05-14-library-evaluation-policy
chore(work): finish epic 2026-05-14-library-evaluation-policy
2026-05-14 12:14:21 +02:00
prds
docs: introduce CI security + supply-chain stack (ADR-023 + PRD)
2026-05-14 18:47:25 +02:00
template-reset-v1
chore(work): close out template-reset-v1 epic — all 12 tasks done
2026-05-13 10:18:29 +02:00
_state.json
docs: introduce CI security + supply-chain stack (ADR-023 + PRD)
2026-05-14 18:47:25 +02:00
README.md
feat(work): pnpm work prd-ship + auto-flip integration in sandcastle
2026-05-13 16:51:48 +02:00

README.md

docs/work — the local task system

Filesystem-backed Epic/Story/Task hierarchy used by AI agents and humans alike. See docs/architecture/agent-first-workflow-and-conformance.md for the full design. Until the work-system-v1 epic ships orchestration tooling, this folder is human-driven — agents read the files for context, humans flip checkboxes.

Layout

  • prds/<date>-<slug>.prd.md — source PRDs
  • <epic-slug>/_epic.md — one folder per epic
  • <epic-slug>/<story-slug>/_story.md — one folder per story
  • <epic-slug>/<story-slug>/<task-slug>.task.md — one file per task
  • _templates/ — copy-paste templates (added in work-system-v1)
  • _state.json — derived index (added in work-system-v1)

PRD lifecycle

PRD status frontmatter field: draft → in-review → approved → shipped.

  • draft → in-review — author flips when ready for review (manual)
  • in-review → approved — human reviewer flips on acceptance (manual)
  • approved → shipped — auto-flipped by pnpm work prd-ship <prd-id> when the seed epic finishes. The state-builder surfaces this signal under _state.jsonneeds_prd_ship[] so the orchestrator (or a reviewer running the sandcastle workflow) can act on it.

The decomposer refuses to run on draft PRDs. Once approved, the seed epic is generated; once the epic completes, the PRD is automatically flipped to shipped along with its commit list.