From 8fca79e968ead4165c2b0349d78c651bd7d29fb7 Mon Sep 17 00:00:00 2001 From: Elizabeth W Date: Tue, 26 May 2026 19:49:10 -0600 Subject: [PATCH] doing individual items not entire groups --- .../03-core-sketch.md | 50 +++++++------- .../04-blueprint.fs | 69 ++++++++++--------- 2 files changed, 63 insertions(+), 56 deletions(-) diff --git a/design/workflows/dependency-recovery/identify-vendored-packages/03-core-sketch.md b/design/workflows/dependency-recovery/identify-vendored-packages/03-core-sketch.md index 0ebd67a..c15b8e6 100644 --- a/design/workflows/dependency-recovery/identify-vendored-packages/03-core-sketch.md +++ b/design/workflows/dependency-recovery/identify-vendored-packages/03-core-sketch.md @@ -5,8 +5,8 @@ ## Command -- `IdentifyVendoredPackages` -- Meaning: evaluate deterministic ingest artifacts to decide which bundled code should be treated as a `Vendored Package` and recorded as accepted, rejected, or unresolved for later `Externalization`. +- `IdentifyVendoredPackage` +- Meaning: evaluate one recovered vendored candidate boundary against deterministic evidence so this context can record a single `Dependency Decision` for later `Externalization`. ## Required State @@ -32,45 +32,47 @@ State owned by `dependency-recovery` and required to decide this workflow: Snapshots or handoffs read but not owned by this context: -- `Run Manifest` from `ingest-snapshot` -- `Segment Record` set and canonical source projection from `ingest-snapshot` -- optional runtime traces used only as additional or tie-break evidence -- optional registry, tarball, or CDN package evidence used to compare candidate matches +- one recovered `Vendored Package` candidate boundary derived from `ingest-snapshot` artifacts by outer orchestration +- the relevant `Run Manifest` facts and canonical source projection from `ingest-snapshot` for that candidate boundary +- optional runtime traces for that candidate boundary used only as additional or tie-break evidence +- optional registry, tarball, or CDN package evidence used to compare matches for that candidate boundary ## Policy Signature (Pseudo) ```text -identifyCandidateBoundaries : - RunManifest -> SegmentRecords -> CandidateDiscoveryRules -> NonEmptyList - scoreVendoredCandidate : - VendoredCandidate -> EvidenceSources -> ConfidenceScoringRules -> RankedCandidateMatches + VendoredCandidateBoundary + -> CandidateEvidenceSources + -> ConfidenceScoringRules + -> RankedCandidateMatches decideDependencyDecision : - RankedCandidateMatches + VendoredCandidateBoundary + -> RankedCandidateMatches -> AcceptanceThresholdPolicy -> DependencyDecision -validateDecisionManifest : - DependencyDecisionSet -> DependencyDecisionRequirements -> Result +validateDecisionRecord : + DependencyDecision + -> DependencyDecisionRequirements + -> Result performVendoredPackageIdentification : - IdentifyVendoredPackages + IdentifyVendoredPackage -> DependencyRecoveryState - -> Result + -> Result ``` ## Events ### Success Event -- `VendoredPackagesIdentified` +- `VendoredPackageIdentified` - run identity reference - - accepted dependency decisions - - rejected dependency decisions - - unresolved dependency decisions - - emitted decision manifest reference - - evidence artifact references + - evaluated candidate boundary reference + - emitted single dependency decision + - emitted decision record reference + - evidence artifact references for that candidate ### Failure Event @@ -81,9 +83,9 @@ performVendoredPackageIdentification : ## Boundary Notes -- The `dependency-recovery` context decides package candidacy, confidence ranking, and dependency decision state only for this slice. +- The `dependency-recovery` context decides one candidate boundary's package candidacy, confidence ranking, and dependency decision state per workflow invocation. +- Outer orchestration is responsible for discovering, selecting, and iterating across multiple candidate boundaries; this slice must not batch those decisions itself. - This slice does not externalize accepted packages; that belongs to `dependency-recovery/externalize-accepted-dependencies`. - `ingest-snapshot` remains the source of truth for run manifest, segment boundaries, and canonical projection; this slice must not reopen ingest decisions. - Optional runtime traces and package-source comparisons act only as evidence inputs here and must not turn this slice into cross-context orchestration. -- Feature-level orchestration decides whether unresolved or review-needed outcomes slow later phases; this slice only records accepted, rejected, and unresolved decisions with audit-ready evidence. -- Threshold tuning and scoring-weight configuration stay inside this context's policy setup, but later feature phases consume only the emitted decisions and artifacts. +- Feature-level orchestration decides whether unresolved or review-needed outcomes slow later phases; this slice only records one audit-ready dependency decision at a time. diff --git a/design/workflows/dependency-recovery/identify-vendored-packages/04-blueprint.fs b/design/workflows/dependency-recovery/identify-vendored-packages/04-blueprint.fs index c7668d2..ff2ba0e 100644 --- a/design/workflows/dependency-recovery/identify-vendored-packages/04-blueprint.fs +++ b/design/workflows/dependency-recovery/identify-vendored-packages/04-blueprint.fs @@ -90,20 +90,24 @@ type AuditabilityRule = // 2. Commands (Inputs) -type IdentifyVendoredPackages = { +type TaintedCandidateBoundaryReference = TaintedCandidateBoundaryReference of string + +type TrustedCandidateBoundaryReference = TrustedCandidateBoundaryReference of string + +type IdentifyVendoredPackage = { runManifest: TaintedRunManifestReference - segmentRecords: TaintedSegmentRecordReference canonicalProjection: TaintedCanonicalProjectionReference + candidateBoundary: TaintedCandidateBoundaryReference runtimeTraces: TaintedRuntimeTraceReference option } // 3. Observed inputs and owned state -type TrustedIngestArtifacts = { +type TrustedCandidateInput = { runIdentity: RunIdentity runManifest: TrustedRunManifestReference - segmentRecords: TrustedSegmentRecordReference canonicalProjection: TrustedCanonicalProjectionReference + candidateBoundary: TrustedCandidateBoundaryReference runtimeTraces: TrustedRuntimeTraceReference option } @@ -139,24 +143,31 @@ type DependencyRecoveryState = { // 4. Events (Facts) -type VendoredPackagesIdentified = { +type DecisionRecordReference = DecisionRecordReference of string + +type VendoredPackageIdentified = { runIdentity: RunIdentity - acceptedDecisions: DependencyDecision list - rejectedDecisions: DependencyDecision list - unresolvedDecisions: DependencyDecision list - decisionManifest: EvidenceReference + candidateBoundary: TrustedCandidateBoundaryReference + dependencyDecision: DependencyDecision + decisionRecord: DecisionRecordReference evidenceArtifacts: EvidenceReference list } +type VendoredPackageIdentificationStage = + | CandidateInputParsingStage + | CandidateScoringStage + | DependencyDecisionStage + | DecisionRecordValidationStage + type VendoredPackageIdentificationFailureReason = | MissingIngestArtifacts | InvalidIngestArtifactReference - | NoCandidateBoundariesRecovered - | InvalidDecisionManifestRequirements + | InvalidCandidateBoundaryReference + | InvalidDecisionRecordRequirements type VendoredPackageIdentificationHardStopped = { runIdentity: RunIdentity option - failedStage: string + failedStage: VendoredPackageIdentificationStage reason: VendoredPackageIdentificationFailureReason } @@ -164,46 +175,40 @@ type VendoredPackageIdentificationHardStopped = { type DependencyIdentificationState = | AwaitingVendoredPackageIdentification of DependencyRecoveryState - | VendoredPackageDecisionsRecorded of VendoredPackagesIdentified + | VendoredPackageDecisionRecorded of VendoredPackageIdentified // 6. Parse and decision contracts -val parseIngestArtifacts : - IdentifyVendoredPackages - -> Result - -val identifyCandidateBoundaries : - TrustedIngestArtifacts - -> VendoredCandidateDiscoveryRules - -> Result +val parseCandidateInput : + IdentifyVendoredPackage + -> Result val scoreCandidateMatches : - CandidateBoundary - -> TrustedIngestArtifacts + TrustedCandidateInput -> ConfidenceScoringRules -> Result val decideDependencyDecision : AcceptanceThresholdPolicy - -> CandidateBoundary + -> TrustedCandidateBoundaryReference -> CandidateMatch list -> Result -val validateDecisionManifest : +val validateDecisionRecord : DependencyDecisionRequirements - -> DependencyDecision list - -> Result + -> DependencyDecision + -> Result val decide : DependencyIdentificationState - -> IdentifyVendoredPackages - -> Result + -> IdentifyVendoredPackage + -> Result val apply : DependencyIdentificationState - -> VendoredPackagesIdentified + -> VendoredPackageIdentified -> DependencyIdentificationState val workflow : - IdentifyVendoredPackages - -> Effect.Effect> + IdentifyVendoredPackage + -> Effect.Effect>