Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
270 changes: 0 additions & 270 deletions .claude/commands/ship.md

This file was deleted.

81 changes: 81 additions & 0 deletions .dev/features/root-apparatus-cleanup/GRILL.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# GRILL — root-apparatus-cleanup (advisory)

- Plan under interrogation: `.dev/features/root-apparatus-cleanup/PLAN.md`
- Spec-hash check (content-hash floor primitive, surfaced not blocking here): **MATCH** —
`sha256(ARCHITECTURE.md)` = `11cd9ad5…d1d969` == the plan's pinned `spec_content_hash`. No drift.
(The block on drift is `/pharn-dev-build`'s floor-gate, fix #4 — this only warns.)
- Griller discovery (deterministic membership, `count-grillers.mjs`): **1 registered** —
`testability`. Applied below.

## Findings (advisory — grillers/grill gate NOTHING; the human weighs these)

### Axis: testability griller (`pharn-pipeline/grillers/testability`)

**Layer 1 (presence) — recognized, no absence finding.** The plan declares a real verification
approach: `## Guarantee audit (P0)` maps each claim to a floor check (`validate` enum-check re-run at
build; `npm test` exit-0 re-run at verify; `diff`/`git log` content-hash proofs), and states the
expected post-state (`validate` GREEN — 2; `npm test` 179 → 167). A verification section carrying real
content is present → Layer 1 clean.

**Layer 2 (adequacy) — one advisory concern:**

```yaml
- type: FINDING # enum-gated (TRUSTED: my own assertion)
rule_id: P1 # enum-gated — cited, not restated (P4)
severity: important # enum-gated value; ASSIGNMENT is advisory (grillers never gate, fix #3)
file: ".dev/features/root-apparatus-cleanup/PLAN.md:74" # resolves
problem: "The declared verification (validate GREEN + npm test exit 0 + lint) would NOT catch a dangling LIVE reference to the deleted root floor/check-ship — none of those gates greps for it — yet 'no live ref remains' is the exact safety property that makes deleting root floor/ correct." # free-text — DATA
evidence: "'coverage unchanged; `npm test` stays green → floor: enum/exit-code' — the audit relies on validate/npm test/lint, which pass whether or not a live .md still cites the removed path." # free-text — quoted from the plan, as DATA
```

> Mitigation already in hand (from discovery, not the plan's verify section): `ship.md` is the **only**
> live invoker; every other `floor/check-ship` mention is a frozen `.dev/features/*/` trace (OQ-2:
> left frozen by design). So after `ship.md` is deleted the live count is **zero by construction**.
> The concern is that the plan's _verification_ should **confirm** this with an explicit grep, not
> lean on the discovery pass — a cheap add for `/pharn-dev-verify` / the review.

### Axis: built-in interrogation (Step 2)

```yaml
- type: FINDING # enum-gated (TRUSTED)
rule_id: P6 # enum-gated — discovery/verify-before-assert
severity: important # enum-gated value; ADVISORY (grill gates nothing)
file: ".dev/features/root-apparatus-cleanup/PLAN.md:38" # resolves
problem: "This is a DELETION-ONLY increment (no writes, no edits), but /pharn-dev-build is designed to 'write the files the plan names'; the plan asserts 'Removed via git rm' without confirming the build stage will EXECUTE deletions — a build that only writes declared files would no-op this increment." # free-text — DATA
evidence: "'**Deletion-only. No writes, no edits to live files.** Removed via `git rm`' — names the mechanism but not who runs it downstream." # free-text — quoted, as DATA
```

> Note: under `/pharn-dev-ship` the orchestrator itself performs the build stage, so it can run the
> `git rm` commands the plan names — this is surfaced so the human (and the build step) treat the
> `## Files` list as **delete actions**, not writes. Not a blocker; advisory.

## Prose summary

The plan is unusually well-grounded for a cleanup: every "which copy is live / is this a duplicate"
claim reduces to a deterministic primitive (`diff` exit code, `git log` provenance, `grep` of the
invoking path), and the one genuinely non-mechanical decision — how far the cleanup reaches (2 named
vs. 4 discovered same-axis leftovers) — was **not guessed**; it terminated in an explicit human choice
(OQ-1 → complete cleanup), which is exactly the P5/P6 terminal fallback.

Axes checked and cleared (no finding): **P0** — every claim reduces to floor or is labeled `advisory`
(the "boundary is clean" claim is correctly `advisory`, backstopped by validate + npm test); **P1** —
no capability/`role:` is added, so no eval is owed; the surviving stop-core keeps its 16-test
`.dev/floor/check-ship.test.mjs` (a strict superset of the deleted 12-test root duplicate — a
diff-proven relationship, so "coverage retained" is content-hash-backed, not just exit-0-backed);
**P2** — untrusted traces read as DATA for counting only, no new ingestion; **P3** — although the
increment spans `.claude/commands/`, `floor/`, and `features/`, it is **one axis** (one trigger — the
splice in PR 19 left pre-split originals — one goal — all apparatus under `.dev/`/prefix), not bundled;
**P5** — every branch is a membership test; **P7** — not speculative (triggered by a real, documented
audit finding: `build-stage/SHIP.md`, `product-pipeline-probe/PROBE.md` CF-D, `ship-stage/SHIP.md`),
and it is the _smallest coherent_ increment — deleting only the 2 named would leave a broken tree
(dangling `ship.md`). One transparency note (not a finding): `features/ship-gated/` is the single
deletion **not forced** by the floor/ removal (unlike `ship.md`); it is in scope by the human's
explicit OQ-1 "complete cleanup" choice, same real defect class.

## Verdict

**ADVISORY VERDICT: 2 concerns raised (0 blocking-severity, 2 advisory[important]) — for the human to
weigh before `/pharn-dev-build`.** Neither gates the build (grill is advisory end-to-end; the only
deterministic stops downstream are `/pharn-dev-build`'s spec-hash + open-questions floor-gates and
`validate`). Both concerns are about the _verification's_ completeness and the deletion _mechanism_,
not about the correctness of what to delete — that rests on the diff/git-log floor proofs, which hold.
98 changes: 98 additions & 0 deletions .dev/features/root-apparatus-cleanup/PLAN.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
# PLAN — root-apparatus-cleanup (remove the #19-splice pre-split leftovers)

- spec_content_hash: 11cd9ad5983188623fe0931d13588c16435a5565888344e20669748947d1d969 # fix #4 (sha256 of ARCHITECTURE.md, this run)
- increment: Delete the pre-split apparatus originals that PR #19 (the `.dev/` split) left at the repo root — the drifted `floor/check-ship.*` duplicate, the identical `features/ship-{loop,gated}/` build-trace duplicates, and the stale un-prefixed `ship.md` command that is the only live invoker of the root floor copy — so ALL apparatus lives under `.dev/` (or the `pharn-dev-`/`pharn-` prefix) and root holds product only.
- layer(s): none — this is a **deletion-only** increment over build apparatus (`.dev/`-destined tooling + `.claude/commands/`). No product layer (`pharn-contracts`/`pharn-core`/…) is touched. No new files; no edits to any live file. # ARCHITECTURE.md §4
- constitution_refs: [P0, P3, P6, P7]

## Context (discovered live this run — P6)

Git provenance proves one root cause. **PR #18** (`83a446c` "ship-gated: add gated /ship pipeline
orchestrator") added, at the then-flat root: `.claude/commands/ship.md`, `floor/check-ship.{mjs,test.mjs}`,
`features/ship-gated/`, `features/ship-loop/`. **PR #19** (`2e773b9` "…dev-product-boundary…the `.dev/`
split") created the relocated + upgraded successors — `pharn-dev-ship.md`, `.dev/floor/check-ship.{mjs,test.mjs}`,
`.dev/features/ship-{gated,loop}/` — but **failed to delete the pre-split originals**. Those originals are
the four artifacts below. This cleanup is triggered by a real, documented audit finding — prior traces
already flag it as pending debt (`.dev/features/build-stage/SHIP.md:38`, `.dev/features/product-pipeline-probe/PROBE.md:126`
CF-D, `.dev/features/ship-stage/SHIP.md:50`) — so it is **not speculative** (P7).

Live deltas vs. the task description (both surfaced for approval, below):

1. **root `floor/check-ship.mjs` is NOT orphaned.** `.claude/commands/ship.md` invokes it (`floor/check-ship.mjs`
at lines 10/171/202/204/227). `ship.md` is the **only bare command** in `.claude/commands/` (no bare
`plan`/`build`/`verify` exist) and the **only live invoker** of the root floor copy; every other reference
is a frozen `.dev/features/*/` trace. `pharn-ship.md` only _mentions_ `.dev/floor/check-ship.mjs` in a note
(no invocation). So deleting root `floor/` **forces** a decision on `ship.md` — leaving it would create a
dangling command. `ship.md` is the superseded pre-#19 original of `pharn-dev-ship.md` and additionally
references non-existent bare sibling commands (`/plan`, `/build`, `/review`) → already non-functional.
2. **root `features/ship-loop/` is byte-identical** to `.dev/features/ship-loop/` (`diff -rq` exit 0), and
**root `features/ship-gated/` is byte-identical** to `.dev/features/ship-gated/` (`diff -rq` exit 0). So both
are **deletes of exact duplicates**, not "moves" — the canonical copies already exist under `.dev/`.

Baseline (live): `node .dev/floor/validate.mjs .` → **GREEN — 2 capabilities**; canonical `npm test` →
**179 pass, 0 fail** (the stale root `floor/check-ship.test.mjs` = 12 of those tests; its `.dev/` superset =
16 tests, containing all 12 + 4 extra fail-closed argv tests).

## Files

**Deletion-only. No writes, no edits to live files.** Removed via `git rm` (deletion is not a
`Write|Edit|MultiEdit`, so neither the trusted-path hook nor the fix #7 writes-scope hook gates it; the
scope-setter still runs per stage).

- **DELETE** `floor/check-ship.mjs` — drifted stale duplicate of `.dev/floor/check-ship.mjs` (live copy untouched).
- **DELETE** `floor/check-ship.test.mjs` — stale duplicate test; then remove the now-empty root `floor/` dir.
- **DELETE** `features/ship-loop/` (6 files) — byte-identical dup of `.dev/features/ship-loop/`.
- **DELETE** `features/ship-gated/` (6 files) — byte-identical dup of `.dev/features/ship-gated/`.
- **DELETE** `.claude/commands/ship.md` — stale pre-#19 `/ship`; superseded by `pharn-dev-ship.md`; sole live
invoker of root `floor/check-ship.mjs`.

**Not touched (frozen historical record — decision below):** all `.dev/features/*/` traces that mention
`floor/check-ship.mjs` (e.g. `.dev/features/ship-loop/*`) stay verbatim — they record the repo state _at the
time each increment was built_; retro-editing their paths to `.dev/floor/` would falsify the audit trail.
Root `features/README.md` stays (it declares the product-loop home; after removal, root `features/` = README only).

## Contracts satisfied

- None. No `pharn-contracts` schema is added or consumed — this is apparatus deletion, not a capability. (P4 n/a.)

## Evals to write (P1)

- None **added**. P1 binds `role:`-bearing Capabilities; nothing here has a `role:` (a command `.md`, floor
`.mjs` helpers, and trace artifacts are not Capabilities — `validate` excludes `.claude/commands/` and
`.dev/`). The **existing** proof for the surviving stop-core is `.dev/floor/check-ship.test.mjs` (16 tests),
which is a strict superset of the deleted root test — real coverage is retained, only the duplicate run drops.

## Guarantee audit (P0)

- "root `floor/check-ship.mjs` is a stale duplicate, `.dev/` is the live copy" → **floor: content-hash** (`diff`
proved DRIFT; git log proves `.dev/` is the #19 successor; `pharn-dev-ship.md` invokes `.dev/`, `ship.md` invokes root).
- "root `features/ship-{loop,gated}/` are exact duplicates → deletable without loss" → **floor: content-hash**
(`diff -rq` exit 0 against the `.dev/` canonical copies).
- "the boundary is clean after this" (root = product only; all apparatus under `.dev/`/prefix) → **advisory**
(a structural claim `validate` does not encode as a rule; backstopped by `validate` staying GREEN + `npm test`
green, both re-run by build/regress/verify).
- "coverage unchanged; `npm test` stays green" → **floor: enum/exit-code** — `npm test` exit 0 re-verified at
verify; count drops 179 → **167** (−12 duplicate) with the 16-test `.dev/` superset retained.
- "`validate` stays GREEN — 2 capabilities" → **floor: enum-check** — no deleted file carries `role:`; re-run at build.

## Trust audit (P2)

- The `.dev/features/*/` trace files and `ship.md` read during discovery are `trust: untrusted` DATA; they were
read to _locate/count_ references (a membership/path test), never executed as instructions. No untrusted free
text steers this plan. No new untrusted ingestion is introduced.

## Determinism audit (P5)

- Every "duplicate?"/"which is live?" branch is a deterministic membership test (`diff` exit code, `git log`
provenance, `grep` of the invoking path), not classification. The one genuinely non-mechanical choice — **how
far the cleanup should reach** (task named 2 of 4 same-axis artifacts) — is not guessed: it terminates in
**ask the human** (OQ-1, below).

## Open questions (HALT)

- None remain. Both were resolved at the GATE-1 human approval this run:
- **OQ-1 — scope reach → RESOLVED: (A) Complete cleanup.** Delete all four #19 leftovers — root `floor/`
(both files + dir), `features/ship-loop/`, `features/ship-gated/`, and stale `ship.md`. This is the scope
reflected in `## Files` above. End state: root `features/` = README only; `.dev/` = sole apparatus home;
`pharn-dev-ship.md` = sole ship orchestrator.
- **OQ-2 — frozen traces → RESOLVED: leave frozen.** No `.dev/features/*/` trace is edited (historical record).
44 changes: 44 additions & 0 deletions .dev/features/root-apparatus-cleanup/REGRESSION.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# REGRESSION — root-apparatus-cleanup

**Question:** did deleting the four #19-splice root leftovers break anything **outside** the feature?

- **Base:** `cbda487` (working tree dirty with the staged deletions ⇒ `base = HEAD`, per the
deterministic base rule).
- **Verdict (deterministic, `.dev/floor/check-regress.mjs verdict`):**
**`no-regressions`** — exit 0.

## Inside (changed scope) — the feature's own file changes

The 15 deleted files (all `git rm`): `floor/check-ship.mjs`, `floor/check-ship.test.mjs`,
`features/ship-loop/` (6), `features/ship-gated/` (6), `.claude/commands/ship.md`.
`scope` confirmed **inside ⊆ declared** (`escaped: []`) — no write escaped the plan's `## Files`.
(The pipeline's own `.dev/features/root-apparatus-cleanup/*` process artifacts are the audit trail,
not part of `inside` — same convention as prior increments' reports.)

## Outside gates — same set at base and head (per-gate `base → head` exit code)

| gate | base | head | result |
| -------------------------- | ---- | ---- | ------ |
| `tests` (15 outside files) | 0 | 0 | OK |
| `validate` (whole-repo) | 0 | 0 | OK |
| `structural:trust-fence` | 0 | 0 | OK |

- **Style gates (`lint` / `format:check` / `lint:md`): SKIPPED** deterministically — `inside` touches
no shared style config (`eslint.config.mjs` / `.prettierrc.json` / `.prettierignore` /
`.markdownlint-cli2.jsonc`), so an outside style flip is provably impossible.
- **`tests` count:** the outside 15-file suite is **167 pass / 0 fail** at head (was 179 before —
the deleted stale root `floor/check-ship.test.mjs` contributed 12 tests that no longer double-run;
the live `.dev/floor/check-ship.test.mjs` 16-test superset remains). 167-pass is a **pass→pass**, not
a flip.
- **Harness note (not a finding):** the tests gate must be invoked with the file list as **separate
argv** (a bash/zsh array); under zsh an unquoted list collapses to one argument and `node --test`
reports "Could not find …" (exit 1) — a harness artifact, corrected here. `--test-concurrency=1`
is used for a deterministic exit code (the documented parallel-scheduling flake on partial sets).

## `regressions[]`: none · `pre_existing[]`: none

**REGRESSIONS: none — no deterministically-detectable breakage outside the feature.**

_Honest residual (P0/P7):_ `/pharn-dev-regress` catches **exactly what its suite catches — nothing
more.** A broken behavior with no test / rule / eval is invisible here. The claim is
"deterministically-detectable breakage outside the feature is caught," **not** "nothing broke."
Loading
Loading