Promote dev to main: flat command doc alignment

[djm81]

Summary

Promotes dev to main, carrying the flat command documentation alignment from #318 and the follow-up automated registry publish from #319:

• update module command examples away from removed flat command shims (specfact sync → specfact project sync, specfact generate → specfact spec generate, flat specfact sdd constitution → specfact spec constitution)
• namespace the remaining flat command hints in runtime help/remediation text flagged by PR docs: align flat command references #318 review annotations
• add CLI reality-check operating guidance to source files that embed executable examples
• refresh official module package manifests via the signature/version hooks
• remove test-only beartype wrappers that block pytest fixture discovery on Python 3.14
• automated publish of changed modules to the registry (chore(registry): publish changed modules #319)

Related to nold-ai/specfact-cli#605 and nold-ai/specfact-cli v0.47.6.

Validation

• PR docs: align flat command references #318 CI fully green on Python 3.11/3.12/3.13 quality matrix, module signature verification, prompt-command validation, and contract-first gates
• All docs: align flat command references #318 review annotations addressed (see PR threads)

🤖 Generated with Claude Code

[strix-security]

Strix is installed on this repository, but we could not run this PR security review because this workspace does not have an active plan. If you'd like to continue receiving code reviews, you can add a payment method or manage billing here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f8f10962-be96-426a-9734-aa0e6aa4ab5d

📥 Commits

Reviewing files that changed from the base of the PR and between 6fa853e and f73b7d7.

📒 Files selected for processing (1)

• tests/unit/docs/test_llms_overview_freshness.py

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• nold-ai/specfact-cli (manual)

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (python)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,ts,tsx,jsx,py,java,cs,go,rb,php,cpp,c,h}

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve the clean-code compliance gate and its category references (naming, kiss, yagni, dry, and solid)

Files:

• tests/unit/docs/test_llms_overview_freshness.py

tests/**/*.py

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first and integration tests: migration suites, bundle validation, and flakiness.
Ensure changes to adapters or bridges have targeted coverage.

Files:

• tests/unit/docs/test_llms_overview_freshness.py

🪛 ast-grep (0.43.0)

tests/unit/docs/test_llms_overview_freshness.py

[error] 34-41: Command coming from incoming request
Context: subprocess.run(
[sys.executable, str(GENERATOR), "--check"],
cwd=REPO_ROOT,
capture_output=True,
text=True,
check=False,
timeout=300,
)
Note: [CWE-20].

(subprocess-from-request)

---

[error] 34-41: Use of unsanitized data to create processes
Context: subprocess.run(
[sys.executable, str(GENERATOR), "--check"],
cwd=REPO_ROOT,
capture_output=True,
text=True,
check=False,
timeout=300,
)
Note: [CWE-78].

(os-system-unsanitized-data)

🔀 Multi-repo context nold-ai/specfact-cli

nold-ai/specfact-cli

• CLI shims / mapping:

  • src/specfact_cli/cli.py:122-123 — top-level mapping preserves flat names ("repro" → "specfact code repro", "sync" → "specfact project sync"). [::nold-ai/specfact-cli::src/specfact_cli/cli.py:122-123]
  • src/specfact_cli/cli.py and src/specfact_cli/utils/suggestions.py — multiple user-facing suggestion strings still reference both namespaced and flat forms (e.g., "specfact repro", "specfact code repro", "specfact project sync ..."). [::nold-ai/specfact-cli::src/specfact_cli/utils/suggestions.py:68,99,134]

• Prompt/validator mappings:

  • tools/validate_prompts.py:50,53 — validator maps include legacy flat-command entries ("specfact sync bridge", "specfact repro") that must align with added MODULE_APP_MOUNTS changes in the PR. [::nold-ai/specfact-cli::tools/validate_prompts.py:50,53]

• Runtime discovery / smoke tests:

  • scripts/runtime_discovery_smoke.py:360-372 — assertions check presence/absence of both specfact project sync bridge --help and specfact sync bridge --help. These tests may need to reflect intended backward-compat shim behavior. [::nold-ai/specfact-cli::scripts/runtime_discovery_smoke.py:360-372]

• Tests referencing flat commands (potentially impacted):

  • tests/unit/workflows/test_trustworthy_green_checks.py:213 — asserts absence of a "specfact repro" invocation string. [::nold-ai/specfact-cli::tests/unit/workflows/test_trustworthy_green_checks.py:213]
  • tests/integration/commands/test_repro_command.py:320 — expects "specfact repro" in output. [::nold-ai/specfact-cli::tests/integration/commands/test_repro_command.py:320]
  • tests/integration/commands/test_repro_sidecar.py — integration tests for repro usage. [::nold-ai/specfact-cli::tests/integration/commands/test_repro_sidecar.py:18]
  • tests/unit/migration/test_module_migration_07_cleanup.py:43 — looks for patterns including "specfact sync ". [::nold-ai/specfact-cli::tests/unit/migration/test_module_migration_07_cleanup.py:43]
  • tests/unit/docs/test_docs_validation_scripts.py:173,192,197 — templates and checks referencing specfact sync bridge --help and similar. [::nold-ai/specfact-cli::tests/unit/docs/test_docs_validation_scripts.py:173,192,197]

• Scripts and tooling using flat commands:

  • scripts/export-change-to-github.py: docstring and builder still reference specfact sync bridge. [::nold-ai/specfact-cli::scripts/export-change-to-github.py:2,33,80]
  • resources/templates/github-action.yml.j2, resources/templates/pr-template.md.j2 — CI/template snippets referencing repro and code repro invocation forms. [::nold-ai/specfact-cli::resources/templates/github-action.yml.j2:98,105][::nold-ai/specfact-cli::resources/templates/pr-template.md.j2:23]

• OpenSpec, docs, and generated-overviews containing legacy forms (widespread):

  • openspec/* and docs/* — many spec and docs files reference specfact sync bridge, specfact repro, specfact generate ..., and specfact sdd constitution; examples include openspec/specs/bridge-adapter/spec.md, openspec/specs/devops-sync/spec.md, openspec/specs/generated-command-overview/spec.md, llms.txt, and numerous docs/guides/. These are consumers of the CLI naming that the PR updates. (Representative hits: openspec/specs/bridge-adapter/spec.md:201; openspec/specs/devops-sync/spec.md:212; openspec/specs/generated-command-overview/spec.md:31; llms.txt:53-112; docs/guides/). [::nold-ai/specfact-cli::openspec/specs/bridge-adapter/spec.md:201][::nold-ai/specfact-cli::openspec/specs/devops-sync/spec.md:212][::nold-ai/specfact-cli::openspec/specs/generated-command-overview/spec.md:31][::nold-ai/specfact-cli::llms.txt:53-112][::nold-ai/specfact-cli::docs/guides/ai-ide-workflow.md:81]

• Prompt/command index and generated artifacts:

  • openspec/specs/generated-command-overview/spec.md and llms.txt capture declared command surfaces (both flat and namespaced). These generated artifacts may need regeneration after the PR changes. [::nold-ai/specfact-cli::openspec/specs/generated-command-overview/spec.md:31][::nold-ai/specfact-cli::llms.txt:53-112]

Implication summary:

• The repository contains many consumers (validators, tests, docs, OpenSpec specs, templates) that reference legacy flat command forms. The PR's changes (renaming to namespaced commands and adding prompt-validator mounts) will affect these areas unless preserved via top-level shims/mappings (e.g., src/specfact_cli/cli.py entries) or updated/generated artifacts. Tests and runtime-discovery checks are particularly likely to fail if mappings/shims are removed or not aligned.

🔇 Additional comments (1)

tests/unit/docs/test_llms_overview_freshness.py (1)

1-50: LGTM!

---

📝 Walkthrough

Bundle and Module Surface: Commands, Adapters, Runtime Behavior

• Promotes dev→main carrying flat-command documentation alignment and automated registry publish.
• Replaces legacy flat-command shims in embedded examples, runtime help and remediation text:
  • specfact sync → specfact project sync
  • specfact generate → specfact spec generate
  • specfact sdd constitution → specfact spec constitution
• Reinforces namespaced workflows (e.g., specfact code import, specfact code analyze, specfact code drift, specfact code repro, specfact code review). Adds module docstring “Operating guidance” that embedded examples are illustrative and CLI --help is authoritative.
• Standardises --bundle help text and missing-bundle remediation to reference an “active project bundle configuration” (removes prior specfact plan select / “active plan” wording).
• Changes limited to docstrings, help text, prompt templates, console remediation messages and embedded examples — no command function signatures, public APIs, adapter interfaces, or ModuleIO behavior changed.
• Primary modules affected: specfact-codebase (analyze, drift, import_cmd, repro), specfact-project (import_cmd, sync, sync_runtime), specfact-spec (generate, sdd, spec), specfact-govern (enforce). Largest content delta in specfact-spec generate prompt/workflow templates.

Manifest and Integrity: module-package.yaml, SemVer, Signatures, Registry

• Bundle/version bumps performed and integrity metadata refreshed as part of automated publish:
  • specfact-backlog → 0.41.32
  • specfact-code-review → 0.47.48
  • specfact-codebase → 0.41.15
  • specfact-govern → 0.40.27
  • specfact-project → 0.41.27
  • specfact-spec → 0.40.25
• Registry updates:
  • registry/index.json advanced latest_version / download_url / checksum_sha256 for affected modules.
  • registry/modules/*.sha256 files added/updated.
  • registry/signatures/*.tar.sig files added/updated (single-line base64 signatures).
• Impact: changes appear to be patch/minor bumps with no breaking API changes indicated. Reviewers must validate checksums and signatures in CI and confirm registry artifacts match the published build outputs.

Cross-Repo: specfact-cli Alignment and Dev-Deps

• No required changes to specfact-cli runtime APIs or adapter contracts — import/contract shapes remain intact.
• scripts/check-prompt-commands.py now mounts specfact_spec.sdd.commands so the prompt-command validator covers specfact spec sdd paths.
• Test maintenance: removal of test-only beartype decorators in two unit tests to restore pytest discovery on Python 3.14. Review whether beartype should remain in dev-deps or be removed intentionally.

Docs, Registry and Release Notes

• In-repo prompt templates, module docstrings and prompt workflows updated to namespaced commands and include CLI reality-check guidance; embedded examples explicitly non-authoritative versus --help.
• Automated registry publish artifacts present in the diff; maintainers should ensure external docs (modules.specfact.io / GitHub Pages) and documentation-url contracts reflect namespaced command forms and updated examples.
• No explicit CHANGELOG entries in this diff — recommend adding release notes summarising help-text/namespace alignment and the automated publish.

Tests, Risk and Review Notes

• Risk: low-to-medium — primarily documentation and metadata changes plus registry artifacts; small test cleanup.
• Tests changed: removal of @beartype from tests/unit/sync_runtime/test_bridge_sync.py and tests/unit/sync_runtime/test_drift_detector.py.
• Key reviewer actions:
  • verify registry/index.json, .sha256 and .tar.sig values match CI/artifact outputs and signature verification gates;
  • sweep runtime help and remediation text to ensure no remaining legacy flat-command references;
  • confirm scripts/check-prompt-commands inclusion covers specfact spec sdd validation as intended;
  • run full CI across supported Python versions (3.11–3.14) to detect regressions.

Fileset & Review Effort

• Doc/help/prompt edits across multiple modules (notable: specfact-spec generate).
• Manifest updates: six module-package.yaml files.
• Registry artifacts updated: registry/index.json plus numerous .sha256 and .tar.sig files for the six modules.
• Tests modified: 2 unit test files (beartype removal).
• Script updated: scripts/check-prompt-commands.py (added sdd mount).

Estimated review effort: Low–Medium. Prioritize integrity/signature verification, a sweep for leftover legacy flat-command references in runtime help/remediation outputs, and CI across supported Python versions.

Walkthrough

Bumps multiple SpecFact module versions and integrity metadata, updates registry checksums/signatures, harmonizes CLI help/examples to new namespaces and bundle wording, removes beartype decorators from tests, and adds specfact_spec.sdd.commands to prompt-command validation.

Changes

Module release, docs, registry, and tooling

Layer / File(s)	Summary
Package manifest version bumps and integrity updates packages/specfact-backlog/module-package.yaml, packages/specfact-code-review/module-package.yaml, packages/specfact-codebase/module-package.yaml, packages/specfact-govern/module-package.yaml, packages/specfact-project/module-package.yaml, packages/specfact-spec/module-package.yaml	Package version fields were bumped and integrity.checksum/integrity.signature values replaced to match new releases (signatures remain present, values updated).
Registry index and artifact checksums/signatures registry/index.json, registry/modules/*.sha256, registry/signatures/*.tar.sig	registry/index.json entries advanced to new release versions and corresponding .sha256 checksum files and .tar.sig signature files were added or updated for those artifacts.
specfact-codebase CLI docs and messaging packages/specfact-codebase/src/specfact_codebase/analyze/commands.py, .../drift/commands.py, .../import_cmd/commands.py, .../repro/commands.py	Docstrings and help text updated to state --help is authoritative, use “active project bundle configuration” as the --bundle default source, and switch example invocations to the specfact code ... namespace; missing-bundle hints updated.
specfact-govern CLI messaging packages/specfact-govern/src/specfact_govern/enforce/commands.py	Module docstring and enforce sdd help/errors updated to reference --help as authoritative, use active project bundle wording, and change HASH_MISMATCH remediation messaging to recommend updating the SDD manifest.
specfact-project CLI messaging and sync flow packages/specfact-project/src/specfact_project/import_cmd/commands.py, packages/specfact-project/src/specfact_project/sync/commands.py, packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py	Docstrings, examples, and next-step messaging updated to specfact spec/specfact code/specfact project namespaces; removed legacy specfact plan select guidance and adjusted constitution bootstrap hints and missing-structure messaging.
specfact-spec prompt/generate CLI updates packages/specfact-spec/src/specfact_spec/generate/commands.py, packages/specfact-spec/src/specfact_spec/sdd/commands.py, packages/specfact-spec/src/specfact_spec/spec/commands.py	Extensive updates aligning generated prompts, docstrings, examples, and verification steps to the specfact spec ... namespace; --bundle help strings updated; validation/next-step commands updated to specfact code ... where applicable.
beartype decorator removal from sync_runtime tests tests/unit/sync_runtime/test_bridge_sync.py, tests/unit/sync_runtime/test_drift_detector.py	Removed from beartype import beartype and all @beartype decorators from tests; test bodies unchanged.
Prompt-command validator mount scripts/check-prompt-commands.py	Added specfact_spec.sdd.commands to MODULE_APP_MOUNTS so prompt-command references under specfact spec sdd are validated against the mounted Typer/Click app.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• nold-ai/specfact-cli-modules#268: Related changes to prompt-command validator mounts and command-index coverage.
• nold-ai/specfact-cli-modules#318: Overlapping CLI documentation harmonization and manifest/signature updates.

Suggested labels

module

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	Title uses descriptive language (flat command doc alignment) but does not follow the Conventional Commits format (feat:, fix:, docs:, etc.) specified in requirements.	Revise title to use Conventional Commits prefix, e.g., 'docs: Promote dev to main—flat command doc alignment' or 'chore: Promote dev to main—flat command doc alignment'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	Description covers most required sections: Summary with detailed explanation, scope coverage noted, bundle impact documented, and CI validation evidence provided; however, required checklist items and signature verification checkboxes lack explicit confirmation.
Docstring Coverage	✅ Passed	Docstring coverage is 85.19% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fc93135637

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/specfact-codebase/src/specfact_codebase/analyze/commands.py (1)

97-97: 📐 Maintainability & Code Quality | ⚡ Quick win

Incomplete namespace harmonization across three modules: "Using active plan:" should be "Using active project bundle."

The PR harmonizes CLI documentation to replace "active plan" language with "active project bundle configuration," but three console output statements escaped the refactoring:

• analyze/commands.py L97
• drift/commands.py L110
• import_cmd/commands.py L2537

These are user-visible debug outputs that should match the pattern established elsewhere in each file (help text, error messages). Update all three to say "Using active project bundle:" for consistent messaging.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/specfact-codebase/src/specfact_codebase/analyze/commands.py` at line
97, Update the user-facing debug strings to match the harmonized wording:
replace the console.print call that currently prints "Using active plan:
{bundle}" in analyze/commands.py (the console.print invocation around active
plan messaging) and the equivalent console.print/print statements in
drift/commands.py and import_cmd/commands.py so they read "Using active project
bundle: {bundle}" (preserve the surrounding formatting/variables and any [dim]
styling). Ensure you change the exact literal text only and leave the variable
interpolation and styling intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/specfact-govern/src/specfact_govern/enforce/commands.py`:
- Around line 285-286: The user-facing hint in
packages/specfact-govern/src/specfact_govern/enforce/commands.py currently tells
users to "Use --bundle" which is wrong for this command that expects a
positional bundle argument; update the console.print message (the line printing
"[yellow]→[/yellow] Use --bundle option or configure an active project bundle")
to instead instruct using the positional form (e.g., "Use <bundle> argument or
configure an active project bundle") so it matches the command's signature;
apply the same fix in
packages/specfact-project/src/specfact_project/sync/commands.py where a similar
message references "--bundle".

---

Nitpick comments:
In `@packages/specfact-codebase/src/specfact_codebase/analyze/commands.py`:
- Line 97: Update the user-facing debug strings to match the harmonized wording:
replace the console.print call that currently prints "Using active plan:
{bundle}" in analyze/commands.py (the console.print invocation around active
plan messaging) and the equivalent console.print/print statements in
drift/commands.py and import_cmd/commands.py so they read "Using active project
bundle: {bundle}" (preserve the surrounding formatting/variables and any [dim]
styling). Ensure you change the exact literal text only and leave the variable
interpolation and styling intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fd8e0bad-b5de-4868-aaeb-3db80dac51f9

📥 Commits

Reviewing files that changed from the base of the PR and between ed11fdd and fc93135.

⛔ Files ignored due to path filters (6)

• registry/modules/specfact-backlog-0.41.30.tar.gz is excluded by !**/*.gz
• registry/modules/specfact-code-review-0.47.46.tar.gz is excluded by !**/*.gz
• registry/modules/specfact-codebase-0.41.13.tar.gz is excluded by !**/*.gz
• registry/modules/specfact-govern-0.40.25.tar.gz is excluded by !**/*.gz
• registry/modules/specfact-project-0.41.25.tar.gz is excluded by !**/*.gz
• registry/modules/specfact-spec-0.40.23.tar.gz is excluded by !**/*.gz

📒 Files selected for processing (32)

• packages/specfact-backlog/module-package.yaml
• packages/specfact-code-review/module-package.yaml
• packages/specfact-codebase/module-package.yaml
• packages/specfact-codebase/src/specfact_codebase/analyze/commands.py
• packages/specfact-codebase/src/specfact_codebase/drift/commands.py
• packages/specfact-codebase/src/specfact_codebase/import_cmd/commands.py
• packages/specfact-codebase/src/specfact_codebase/repro/commands.py
• packages/specfact-govern/module-package.yaml
• packages/specfact-govern/src/specfact_govern/enforce/commands.py
• packages/specfact-project/module-package.yaml
• packages/specfact-project/src/specfact_project/import_cmd/commands.py
• packages/specfact-project/src/specfact_project/sync/commands.py
• packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py
• packages/specfact-spec/module-package.yaml
• packages/specfact-spec/src/specfact_spec/generate/commands.py
• packages/specfact-spec/src/specfact_spec/sdd/commands.py
• packages/specfact-spec/src/specfact_spec/spec/commands.py
• registry/index.json
• registry/modules/specfact-backlog-0.41.30.tar.gz.sha256
• registry/modules/specfact-code-review-0.47.46.tar.gz.sha256
• registry/modules/specfact-codebase-0.41.13.tar.gz.sha256
• registry/modules/specfact-govern-0.40.25.tar.gz.sha256
• registry/modules/specfact-project-0.41.25.tar.gz.sha256
• registry/modules/specfact-spec-0.40.23.tar.gz.sha256
• registry/signatures/specfact-backlog-0.41.30.tar.sig
• registry/signatures/specfact-code-review-0.47.46.tar.sig
• registry/signatures/specfact-codebase-0.41.13.tar.sig
• registry/signatures/specfact-govern-0.40.25.tar.sig
• registry/signatures/specfact-project-0.41.25.tar.sig
• registry/signatures/specfact-spec-0.40.23.tar.sig
• tests/unit/sync_runtime/test_bridge_sync.py
• tests/unit/sync_runtime/test_drift_detector.py

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• nold-ai/specfact-cli (manual)

💤 Files with no reviewable changes (2)

• tests/unit/sync_runtime/test_drift_detector.py
• tests/unit/sync_runtime/test_bridge_sync.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: quality (3.12)
• GitHub Check: quality (3.13)

🧰 Additional context used

📓 Path-based instructions (4)

registry/**

⚙️ CodeRabbit configuration file

registry/**: Registry and index consistency: bundle listings, version pins, and compatibility with
published module artifacts.

Files:

• registry/modules/specfact-govern-0.40.25.tar.gz.sha256
• registry/modules/specfact-code-review-0.47.46.tar.gz.sha256
• registry/modules/specfact-backlog-0.41.30.tar.gz.sha256
• registry/signatures/specfact-project-0.41.25.tar.sig
• registry/modules/specfact-spec-0.40.23.tar.gz.sha256
• registry/signatures/specfact-code-review-0.47.46.tar.sig
• registry/signatures/specfact-backlog-0.41.30.tar.sig
• registry/signatures/specfact-govern-0.40.25.tar.sig
• registry/signatures/specfact-codebase-0.41.13.tar.sig
• registry/modules/specfact-codebase-0.41.13.tar.gz.sha256
• registry/signatures/specfact-spec-0.40.23.tar.sig
• registry/modules/specfact-project-0.41.25.tar.gz.sha256
• registry/index.json

packages/**/module-package.yaml

⚙️ CodeRabbit configuration file

packages/**/module-package.yaml: Validate metadata: name, version, commands, dependencies, and parity with packaged src.
Call out semver and signing implications when manifests or payloads change.

Files:

• packages/specfact-codebase/module-package.yaml
• packages/specfact-govern/module-package.yaml
• packages/specfact-spec/module-package.yaml
• packages/specfact-code-review/module-package.yaml
• packages/specfact-backlog/module-package.yaml
• packages/specfact-project/module-package.yaml

**/*.{js,ts,tsx,jsx,py,java,cs,go,rb,php,cpp,c,h}

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve the clean-code compliance gate and its category references (naming, kiss, yagni, dry, and solid)

Files:

• packages/specfact-codebase/src/specfact_codebase/import_cmd/commands.py
• packages/specfact-codebase/src/specfact_codebase/repro/commands.py
• packages/specfact-codebase/src/specfact_codebase/drift/commands.py
• packages/specfact-codebase/src/specfact_codebase/analyze/commands.py
• packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py
• packages/specfact-spec/src/specfact_spec/sdd/commands.py
• packages/specfact-project/src/specfact_project/import_cmd/commands.py
• packages/specfact-project/src/specfact_project/sync/commands.py
• packages/specfact-govern/src/specfact_govern/enforce/commands.py
• packages/specfact-spec/src/specfact_spec/generate/commands.py
• packages/specfact-spec/src/specfact_spec/spec/commands.py

packages/**/src/**/*.py

⚙️ CodeRabbit configuration file

packages/**/src/**/*.py: Focus on adapter and bridge patterns: imports from specfact_cli (models, runtime, validators),
Typer/Rich command surfaces, and clear boundaries so core upgrades do not silently break bundles.
Flag breaking assumptions about registry loading, lazy imports, and environment/mode behavior.

Files:

• packages/specfact-codebase/src/specfact_codebase/import_cmd/commands.py
• packages/specfact-codebase/src/specfact_codebase/repro/commands.py
• packages/specfact-codebase/src/specfact_codebase/drift/commands.py
• packages/specfact-codebase/src/specfact_codebase/analyze/commands.py
• packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py
• packages/specfact-spec/src/specfact_spec/sdd/commands.py
• packages/specfact-project/src/specfact_project/import_cmd/commands.py
• packages/specfact-project/src/specfact_project/sync/commands.py
• packages/specfact-govern/src/specfact_govern/enforce/commands.py
• packages/specfact-spec/src/specfact_spec/generate/commands.py
• packages/specfact-spec/src/specfact_spec/spec/commands.py

🧠 Learnings (1)

📚 Learning: 2026-04-02T21:49:07.435Z

Learnt from: djm81
Repo: nold-ai/specfact-cli-modules PR: 136
File: registry/modules/specfact-spec-0.40.17.tar.gz.sha256:1-1
Timestamp: 2026-04-02T21:49:07.435Z
Learning: In nold-ai/specfact-cli-modules, module tarball signature files under registry/signatures/*.tar.sig are produced by the publish-modules GitHub Actions runner during the publish workflow (not committed to the branch). During PR pre-merge review, do not flag missing *.tar.sig files as blockers; treat signatures as publish-time artifacts.

Applied to files:

• registry/signatures/specfact-project-0.41.25.tar.sig
• registry/signatures/specfact-code-review-0.47.46.tar.sig
• registry/signatures/specfact-backlog-0.41.30.tar.sig
• registry/signatures/specfact-govern-0.40.25.tar.sig
• registry/signatures/specfact-codebase-0.41.13.tar.sig
• registry/signatures/specfact-spec-0.40.23.tar.sig

🔀 Multi-repo context nold-ai/specfact-cli

Linked repositories findings

nold-ai/specfact-cli

• Remaining flat-command occurrences in code, docs, and specs that this PR intends to replace (examples; each path contains one or more references to old flat forms like specfact sync, specfact generate, specfact sdd constitution, specfact repro):

  • tools/validate_prompts.py — contains "specfact sync" and "specfact repro" usages [::nold-ai/specfact-cli::tools/validate_prompts.py]
  • scripts/export-change-to-github.py — builds specfact sync bridge command for GitHub export [::nold-ai/specfact-cli::scripts/export-change-to-github.py]
  • scripts/runtime_discovery_smoke.py — asserts "specfact sync bridge --help still resolves as a root command" (runtime-smoke detection) [::nold-ai/specfact-cli::scripts/runtime_discovery_smoke.py]
  • docs/migration/migration-cli-reorganization.md — migration guide still documents specfact sdd constitution replacements and related notes (migration context) [::nold-ai/specfact-cli::docs/migration/migration-cli-reorganization.md]
  • docs/reference/commands.md and docs/migration/migration-guide.md — tables mapping specfact sync ... → specfact project sync ..., etc. (update surface) [::nold-ai/specfact-cli::docs/reference/commands.md] [::nold-ai/specfact-cli::docs/migration/migration-guide.md]
  • many openspec/specs and openspec/changes/* documents reference specfact sync bridge, specfact repro, specfact generate, and specfact import from-bridge (numerous spec files — potential doc/test surface to re-check) [::nold-ai/specfact-cli::openspec/specs/] [::nold-ai/specfact-cli::openspec/changes/]

• Tests & tooling implications:

  • tests/integration and tests/unit reference specfact repro and related commands (e.g., tests/integration/commands/test_repro_command.py) — ensure these tests align with namespaced command changes or that test expectations were updated in the PR [::nold-ai/specfact-cli::tests/integration/commands/test_repro_command.py]
  • scripts and validation tooling (tools/validate_prompts.py, docs validation scripts referenced in tests) look for obsolete command strings; updating embedded examples may require adjusting these validators to accept the new canonical forms [::nold-ai/specfact-cli::tools/validate_prompts.py] [::nold-ai/specfact-cli::tests/unit/docs/test_docs_validation_scripts.py]

• Registry / published manifests:

  • No registry directory present in the working tree (ls reported "No such file or directory"). If the PR updates registry artifacts elsewhere, confirm CI/publish steps and registry consumers are aligned — but no local registry files to inspect here [::nold-ai/specfact-cli::(repo root)]

Notes on scope: the grep output shows many doc/spec files referencing old flat commands across the repo (openspec and docs). Those are the primary consumer surfaces to re-check for consistency after the rename; tests and scripts that construct or assert CLI invocations are also affected.

🔇 Additional comments (19)

packages/specfact-backlog/module-package.yaml (1)

2-2: LGTM!

Also applies to: 30-31

packages/specfact-code-review/module-package.yaml (1)

2-2: LGTM!

Also applies to: 26-27

packages/specfact-codebase/module-package.yaml (1)

2-2: LGTM!

Also applies to: 27-28

packages/specfact-govern/module-package.yaml (1)

2-2: LGTM!

Also applies to: 22-23

packages/specfact-project/module-package.yaml (1)

2-2: LGTM!

Also applies to: 30-31

packages/specfact-spec/module-package.yaml (1)

2-2: LGTM!

Also applies to: 24-25

registry/index.json (1)

5-7: LGTM!

Also applies to: 19-21, 33-35, 49-51, 65-67, 81-83

registry/modules/specfact-backlog-0.41.30.tar.gz.sha256 (1)

1-1: LGTM!

registry/modules/specfact-code-review-0.47.46.tar.gz.sha256 (1)

1-1: LGTM!

registry/modules/specfact-codebase-0.41.13.tar.gz.sha256 (1)

1-1: LGTM!

registry/modules/specfact-govern-0.40.25.tar.gz.sha256 (1)

1-1: LGTM!

registry/modules/specfact-project-0.41.25.tar.gz.sha256 (1)

1-1: LGTM!

registry/modules/specfact-spec-0.40.23.tar.gz.sha256 (1)

1-1: LGTM!

registry/signatures/specfact-backlog-0.41.30.tar.sig (1)

1-1: LGTM!

registry/signatures/specfact-code-review-0.47.46.tar.sig (1)

1-1: LGTM!

registry/signatures/specfact-codebase-0.41.13.tar.sig (1)

1-1: LGTM!

registry/signatures/specfact-govern-0.40.25.tar.sig (1)

1-1: LGTM!

registry/signatures/specfact-project-0.41.25.tar.sig (1)

1-1: LGTM!

registry/signatures/specfact-spec-0.40.23.tar.sig (1)

1-1: LGTM!

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/specfact-code-review/module-package.yaml (1)

25-27: 🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Root cause: signing metadata was dropped across module manifests, breaking release integrity gates.

packages/specfact-code-review/module-package.yaml, packages/specfact-codebase/module-package.yaml, packages/specfact-govern/module-package.yaml, packages/specfact-project/module-package.yaml, and packages/specfact-spec/module-package.yaml all rotate checksums but omit integrity.signature; CI already confirms this with deterministic module-signature verification failures. Reintroduce signature fields for each bumped module manifest generated by the signing hook so manifest metadata and published payload signatures remain in parity.

As per coding guidelines, packages/**/module-package.yaml must validate metadata and call out signing implications when manifests or payloads change.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/specfact-code-review/module-package.yaml` around lines 25 - 27, The
module manifests (the module-package.yaml entries that contain an
integrity.checksum field) were updated to rotate checksums but dropped the
corresponding integrity.signature metadata; restore an integrity.signature field
in each bumped manifest (e.g., the integrity block in the module-package.yaml
for the specfact-* modules) so the manifest includes both checksum and
signature, and ensure the signing hook or validation step is invoked to
regenerate and embed the correct signature after any payload or manifest change
so deterministic module-signature verification passes.

Sources: Coding guidelines, Pipeline failures

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/specfact-code-review/module-package.yaml`:
- Around line 25-27: The module manifests (the module-package.yaml entries that
contain an integrity.checksum field) were updated to rotate checksums but
dropped the corresponding integrity.signature metadata; restore an
integrity.signature field in each bumped manifest (e.g., the integrity block in
the module-package.yaml for the specfact-* modules) so the manifest includes
both checksum and signature, and ensure the signing hook or validation step is
invoked to regenerate and embed the correct signature after any payload or
manifest change so deterministic module-signature verification passes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 632f95cb-e8d3-4c93-b7da-5f6242cae79b

📥 Commits

Reviewing files that changed from the base of the PR and between fc93135 and e911ae0.

📒 Files selected for processing (12)

• packages/specfact-backlog/module-package.yaml
• packages/specfact-code-review/module-package.yaml
• packages/specfact-codebase/module-package.yaml
• packages/specfact-govern/module-package.yaml
• packages/specfact-govern/src/specfact_govern/enforce/commands.py
• packages/specfact-project/module-package.yaml
• packages/specfact-project/src/specfact_project/import_cmd/commands.py
• packages/specfact-project/src/specfact_project/sync/commands.py
• packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py
• packages/specfact-spec/module-package.yaml
• packages/specfact-spec/src/specfact_spec/sdd/commands.py
• scripts/check-prompt-commands.py

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• nold-ai/specfact-cli (manual)

✅ Files skipped from review due to trivial changes (4)

• packages/specfact-project/src/specfact_project/sync_runtime/sync_perform_operation_impl.py
• packages/specfact-project/src/specfact_project/sync/commands.py
• packages/specfact-spec/src/specfact_spec/sdd/commands.py
• packages/specfact-govern/src/specfact_govern/enforce/commands.py

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/specfact-backlog/module-package.yaml
• packages/specfact-project/src/specfact_project/import_cmd/commands.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: quality (3.12)
• GitHub Check: quality (3.13)
• GitHub Check: quality (3.11)

🧰 Additional context used

📓 Path-based instructions (3)

packages/**/module-package.yaml

⚙️ CodeRabbit configuration file

packages/**/module-package.yaml: Validate metadata: name, version, commands, dependencies, and parity with packaged src.
Call out semver and signing implications when manifests or payloads change.

Files:

• packages/specfact-spec/module-package.yaml
• packages/specfact-codebase/module-package.yaml
• packages/specfact-code-review/module-package.yaml
• packages/specfact-project/module-package.yaml
• packages/specfact-govern/module-package.yaml

**/*.{js,ts,tsx,jsx,py,java,cs,go,rb,php,cpp,c,h}

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve the clean-code compliance gate and its category references (naming, kiss, yagni, dry, and solid)

Files:

• scripts/check-prompt-commands.py

scripts/**/*.py

⚙️ CodeRabbit configuration file

scripts/**/*.py: Deterministic tooling: signing, publishing, docs generation; subprocess and path safety.

Files:

• scripts/check-prompt-commands.py

🪛 GitHub Actions: pr-orchestrator / 1_verify-module-signatures.txt

packages/specfact-spec/module-package.yaml

[error] 1-1: Module signature verification failed: missing integrity.signature

packages/specfact-codebase/module-package.yaml

[error] 1-1: Module signature verification failed: missing integrity.signature

packages/specfact-code-review/module-package.yaml

[error] 1-1: Module signature verification failed: missing integrity.signature

packages/specfact-project/module-package.yaml

[error] 1-1: Module signature verification failed: missing integrity.signature

packages/specfact-govern/module-package.yaml

[error] 1-1: Module signature verification failed: missing integrity.signature

🪛 GitHub Actions: pr-orchestrator / verify-module-signatures

packages/specfact-spec/module-package.yaml

[error] 1-1: Verify modules signature step failed: missing integrity.signature

packages/specfact-codebase/module-package.yaml

[error] 1-1: Verify modules signature step failed: missing integrity.signature

packages/specfact-code-review/module-package.yaml

[error] 1-1: Verify modules signature step failed: missing integrity.signature

packages/specfact-project/module-package.yaml

[error] 1-1: Verify modules signature step failed: missing integrity.signature

packages/specfact-govern/module-package.yaml

[error] 1-1: Verify modules signature step failed: missing integrity.signature

🔀 Multi-repo context nold-ai/specfact-cli

Linked repositories findings

nold-ai/specfact-cli

• Tests calling or asserting flat commands (may need updates or are intentionally keeping old forms for compatibility):

  • tests/integration/commands/test_repro_command.py:320 — asserts "specfact repro" present in output. [::nold-ai/specfact-cli::tests/integration/commands/test_repro_command.py:320]
  • tests/integration/commands/test_repro_sidecar.py:18 — integration test for specfact repro --sidecar. [::nold-ai/specfact-cli::tests/integration/commands/test_repro_sidecar.py:18]
  • tests/unit/docs/test_docs_validation_scripts.py:173,192–197 — templates and validation expect specfact project sync bridge --help but also detect stale templates referencing specfact sync bridge --help. [::nold-ai/specfact-cli::tests/unit/docs/test_docs_validation_scripts.py:173][::nold-ai/specfact-cli::tests/unit/docs/test_docs_validation_scripts.py:192-197]
  • tests/unit/migration/test_module_migration_07_cleanup.py:43 — looks for legacy patterns including "specfact sync ". [::nold-ai/specfact-cli::tests/unit/migration/test_module_migration_07_cleanup.py:43]
  • tests/unit/workflows/test_trustworthy_green_checks.py:213 — checks for absence of specific repro invocation string. [::nold-ai/specfact-cli::tests/unit/workflows/test_trustworthy_green_checks.py:213]

• CLI helpers, suggestions, and prompt validators that reference flat commands:

  • tools/validate_prompts.py: mappings include "specfact sync bridge" and "specfact repro". These are used to validate embedded prompt/command strings. [::nold-ai/specfact-cli::tools/validate_prompts.py:50-53]
  • src/specfact_cli/utils/suggestions.py:99,134 — suggestion strings include "specfact repro" and "specfact generate contracts". [::nold-ai/specfact-cli::src/specfact_cli/utils/suggestions.py:99][::nold-ai/specfact-cli::src/specfact_cli/utils/suggestions.py:134]
  • scripts/runtime_discovery_smoke.py:360,372 — runtime smoke checks expect canonical specfact project sync bridge --help and assert if legacy specfact sync bridge --help still resolves. [::nold-ai/specfact-cli::scripts/runtime_discovery_smoke.py:360][::nold-ai/specfact-cli::scripts/runtime_discovery_smoke.py:372]
  • scripts/export-change-to-github.py — wrapper/description builds specfact sync bridge invocation for GitHub export. [::nold-ai/specfact-cli::scripts/export-change-to-github.py:2,33,80]

• Extensive spec/docs references to flat commands that likely need review for consistency:

  • Many openspec spec files reference specfact sync bridge, specfact repro, specfact generate, and constitution commands; examples include openspec/specs/devops-sync/spec.md, openspec/specs/sidecar-validation/spec.md, openspec/specs/codebase-validation-depth/spec.md, and numerous files under openspec/changes and openspec/parking-lot. (Multiple locations: e.g., openspec/specs/devops-sync/spec.md:212–314,684; openspec/specs/sidecar-validation/spec.md:382–387). [::nold-ai/specfact-cli::openspec/specs/devops-sync/spec.md:212-314][::nold-ai/specfact-cli::openspec/specs/sidecar-validation/spec.md:382-387][::nold-ai/specfact-cli::openspec/specs/codebase-validation-depth/spec.md:19-106]
  • docs/reference/commands.md and docs/migration/migration-guide.md include mappings and migration guidance (e.g., specfact sync ... → specfact project sync ...). [::nold-ai/specfact-cli::docs/reference/commands.md:147][::nold-ai/specfact-cli::docs/migration/migration-guide.md:33,86,90]

• CI / workflow references:

  • docs/plans/ci-pr-orchestrator-log-artifacts.md and many CHANGELOG entries reference repro invocations (e.g., hatch run specfact repro --verbose --crosshair-required --budget 120). Tests and CI steps that capture repro output are relevant to the change. [::nold-ai/specfact-cli::docs/plans/ci-pr-orchestrator-log-artifacts.md:25][::nold-ai/specfact-cli::CHANGELOG.md]

Summary assessment:

• The repository contains many consumers (tests, scripts, prompt validators, docs, and openspec specs) referencing both legacy flat commands (specfact sync/generate/repro/sdd constitution) and their namespaced replacements. These are directly relevant to the PR’s changes that rename embedded examples and help text. Reviewers should verify tests, prompt validators (tools/validate_prompts.py), runtime smoke scripts (scripts/runtime_discovery_smoke.py), and openspec/doc artifacts were updated consistently and that any remaining legacy references are intentional (back-compat checks) or scheduled for separate migration.

🔇 Additional comments (1)

scripts/check-prompt-commands.py (1)

45-45: LGTM!