build(deps): bump pymdown-extensions from 10.21 to 10.21.3 in /site in the uv group across 1 directory #3
Open
dependabot[bot] wants to merge 1 commit into
Bumps the uv group with 1 update in the /site directory: [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions).

Updates `pymdown-extensions` from 10.21 to 10.21.3
- [Release notes](https://github.com/facelessuser/pymdown-extensions/releases)
- [Commits](facelessuser/pymdown-extensions@10.21...10.21.3)

---
updated-dependencies:
- dependency-name: pymdown-extensions
  dependency-version: 10.21.3
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
richardgeico pushed a commit that referenced this pull request May 28, 2026
* docs(plans): PR D design + implementation plan
Design: docs/plans/2026-05-12-spgr-rwrp-pr-d-cursor-rules-design.md
Plan: docs/plans/2026-05-12-spgr-rwrp-pr-d-implementation-plan.md
Tracks spgr-rwrp.2 (PR D — Cursor rule files via embed-and-write).
Two adversarial-review passes applied; ready for TDD-style execution.
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* refactor(managedfiles): extract manifest invariants into testable validateManifestEntry
Move the inline checks from init() into validateManifestEntry() so future
invariant rules can be unit-tested without crashing the test binary on bad
fixtures. init() now calls the function and panics on error — observable
behavior at package load is unchanged.
Also adds Strategy.String() so error messages emit "JSONKeyMerge" /
"MarkdownBlock" / "WholeFile" instead of integer enum values, with
test coverage for all three branches plus an unknown-value fallback.
Refs: spgr-rwrp PR D scaffolding
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(managedfiles): drop `:start` suffix from RenderSentinel CommentHTML output
The `:start`/`:end` markers carry meaning only in MarkdownBlock context
(where they bracket a managed region). For standalone whole-file sentinels,
the suffix is misleading — there's no matching `:end`. RenderSentinel's
only non-test caller is wholefile.go:132; markdownblock.go writes its
inline `:start` markers via string concatenation, unaffected by this
change. ParseSentinel accepts both forms (init(?::start)?) so on-disk
back-compat is free.
Refs: spgr-rwrp PR D §3 framework change
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(managedfiles): add HashExcludingSentinelAfterFrontmatter
Sibling to HashExcludingSentinel for files with leading YAML frontmatter.
Splits the frontmatter off, removes the sentinel on the first post-frontmatter
line if present, and hashes (front + remaining-body). Returns
ErrFrontmatterMissing on malformed/unclosed frontmatter.
Used by the WholeFile strategy on entries with HasFrontmatter==true (added
in the next commit). Existing HashExcludingSentinel and its call sites
are unchanged.
Refs: spgr-rwrp PR D §2 framework change
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(managedfiles): frontmatter-aware WholeFile strategy
Adds HasFrontmatter bool to ManagedFile. When true, the WholeFile strategy
positions the sentinel after a leading YAML frontmatter block instead of on
line 1, so Cursor's .mdc rule format (which requires --- on line 1) can be
managed end-to-end. classify and render both branch on the flag; existing
HasFrontmatter==false entries are byte-for-byte unchanged.
Includes a test-only embedded mdc fixture (embedded/cursor/test-rule.mdc)
exercised by five new wholefile tests covering Missing/Synced/Stale/
Drifted-on-frontmatter-edit/Drifted-on-frontmatter-missing.
Refs: spgr-rwrp PR D §2 framework change
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(managedfiles): embed pre-rename cursor-rule bytes for supersedes cleanup
Adds vestigialCursorSpecgraphMD and vestigialCursorPostStageMD (byte-exact
copies of pre-PR-D plugin/cursor/.cursor/rules/{specgraph,post-stage}.md)
and a vestigialCursorRulePriorHash helper that maps SupersedesPath values
to the expected prior-canonical hash. Mirrors computePriorCanonical's role
in markdownblock.go for the new WholeFile supersedes path.
Also relocates the canonical sources to internal/config/managedfiles/
embedded/cursor/{specgraph,specgraph-post-stage}.mdc — the production
managed files will reference these paths via the manifest entries added
in the next commit.
Hash-pinning test locks the pre-rename bytes; updating them breaks
SupersedesPath cleanup and fails CI loudly.
Refs: spgr-rwrp PR D §SupersedesPath
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(managedfiles): manage .cursor/rules/specgraph{,-post-stage}.mdc
Adds two WholeFile manifest entries for the Cursor rule files, plus the
SupersedesPath integration in wholeFileStrategy.Sync that hash-guards the
deletion of pre-rename .md user copies. Detail string format matches
markdownblock.go's so doctor (PR G) can find both flavors of orphan with
one regex.
Two tests (TestWholeFileMdcSupersedes_DeletesVerbatim and
TestWholeFileMdcSupersedes_PreservesEditedAndAddsDetail) cover the
verbatim-delete and edited-preserve paths against the vestigial bytes.
Manifest entry-count assertions still fail (6→8 not yet bumped) — fixed
in the next commit.
Refs: spgr-rwrp PR D §3 manifest entries, §SupersedesPath, §Where supersedes is invoked
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* test(managedfiles): bump manifest count to 8, add HasFrontmatter invariants
- TestManifestShape and TestManifest_AllHarnesses bumped 6 → 8 with the
two new cursor .mdc paths in the expected path map.
- validateManifestEntry enforces two new HasFrontmatter invariants
(requires WholeFile, requires non-CommentNone). TestValidateManifestEntry
grows three cases: two violating each rule plus one valid HasFrontmatter
entry.
- TestNoLegacyWholeFileHTMLSentinels pins the back-compat reasoning for
the RenderSentinel CommentHTML change: no shipped WholeFile+HTML entry
may exist without HasFrontmatter.
- TestEmbeddedMdcCanonicalSplitsCleanly broadened from the test fixture
alone to iterate every HasFrontmatter==true manifest entry, locking
the invariant that renderWholeFile never panics at runtime on canonical
input.
Refs: spgr-rwrp PR D §Tests
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* feat(plugin/cursor): reverse-symlink rule files to embedded canonical
plugin/cursor/.cursor/rules/{specgraph,specgraph-post-stage}.mdc are now
symlinks to internal/config/managedfiles/embedded/cursor/{specgraph,
specgraph-post-stage}.mdc. Mirrors the PR C pattern for OpenCode: a single
authoring source (under embedded/) plus reverse-symlinks under plugin/
for developer convenience. //go:embed reads from embedded/ at compile
time — the symlinks are not in the build path.
A new TestPluginCursorSymlinksResolve unit test fails CI on a dangling
symlink.
Refs: spgr-rwrp PR D §Filesystem moves, §Risks #3
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* test(managedfiles): integration scenarios for cursor mdc supersedes
Three SyncAll-driven scenarios covering the verbatim-supersedes,
edited-preserve, and idempotency contracts for .cursor/rules/specgraph.mdc
and specgraph-post-stage.mdc. Seeds the .md from the testdata fixture
(cross-validated against the embedded vestigial bytes in
TestVestigialBytesMatchTestdataFixtures).
Refs: spgr-rwrp PR D §Tests / Integration
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* docs(plugin/cursor): SMOKE_TEST.md + README updates for new .mdc rules
- plugin/cursor/README.md: update file-name table to .mdc paths and note
init-managed status for specgraph.mdc / specgraph-post-stage.mdc.
- plugin/specgraph/README.md: update Cursor row path.
- plugin/cursor/SMOKE_TEST.md: new manual end-to-end procedure mirroring
PR C's OpenCode SMOKE_TEST shape.
- CLAUDE.md: update Cursor shim path references to .mdc.
- .gitignore: cover new init-written .mdc files and broaden *.mdc.lock pattern.
- Lint fixes surfaced by task check (gocritic hugeParam, gosec G703,
errcheck on splitFrontmatter error path, MD025 propagation in vestigial
body and golden fixtures).
- Adds TestWholeFileMdc_ForceKeepEdits_NoSentinelPreservesAllPostFrontmatterContent
covering the .mdc + no-sentinel + KeepEdits branch.
Refs: spgr-rwrp PR D §Documentation updates, §Tests / E2E, §Tests / Unit
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
* test(managedfiles): fold in comprehensive PR review findings
Five findings from the multi-agent code review on PR specgraph#945:
- Add test for corrupt-sentinel-in-mdc-body (covers the ErrCorruptedSentinel
propagation path through classifyMdcWholeFile that was previously
unexercised).
- Preserve splitFrontmatter's specific error message in
StateDrifted.Detail via the new driftDetailFrontmatterBroken prefix —
users now see whether the frontmatter is unopened vs. unclosed instead
of a single collapsed message. Sync's keep-edits arm pattern-matches on
the prefix.
- Add TestWholeFileMdc_ForceRestoresCanonical: mirror of the
non-frontmatter Force test, locks the canonical-restore behavior for
.mdc files.
- Add TestWholeFileMdc_ForceKeepEditsAlsoFiresSupersedes: covers the
Mdc × KeepEdits × SupersedesPath combo. Verifies that supersedes
cleanup runs on ActionForced too, not just Created/Refreshed.
- validateManifestEntry now rejects WholeFile entries whose SupersedesPath
isn't registered in vestigialCursorRulePriorHash, so a future PR adding
a new supersedes path fails at package init rather than at runtime
during the first Sync.
Refs: spgr-rwrp PR D — multi-agent review fold-in
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
---------
Signed-off-by: Sean Brandt <4678+seanb4t@users.noreply.github.com>
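The frontmatter-aware hashing described in the commit message above (split the frontmatter off, drop the sentinel only when it is the first post-frontmatter line, hash the rest, error on malformed frontmatter) can be sketched as follows. This is an added example, not code from the referenced repository; the sentinel prefix, the function names, and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed sentinel shape; the project's real marker format is not shown on the page.
const sentinelPrefix = "<!-- managed:"

var errFrontmatterMissing = errors.New("frontmatter missing or unclosed")

// splitFrontmatter returns the leading "---" block (both fences included) and the body.
func splitFrontmatter(content string) (front, body string, err error) {
	if !strings.HasPrefix(content, "---\n") {
		return "", "", errFrontmatterMissing
	}
	end := strings.Index(content[3:], "\n---\n") // closing fence on its own line
	if end < 0 {
		return "", "", errFrontmatterMissing
	}
	cut := 3 + end + len("\n---\n")
	return content[:cut], content[cut:], nil
}

// hashExcludingSentinel hashes front+body, ignoring a sentinel on the first post-frontmatter line.
func hashExcludingSentinel(content string) (string, error) {
	front, body, err := splitFrontmatter(content)
	if err != nil {
		return "", err
	}
	if first, rest, _ := strings.Cut(body, "\n"); strings.HasPrefix(first, sentinelPrefix) {
		body = rest
	}
	sum := sha256.Sum256([]byte(front + body))
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	canonical := "---\ndescription: demo\n---\n# Rule\n" // constructed sample inputs
	onDisk := "---\ndescription: demo\n---\n<!-- managed: v1 -->\n# Rule\n"
	want, _ := hashExcludingSentinel(canonical)
	got, _ := hashExcludingSentinel(onDisk)
	fmt.Println("synced:", want == got)
	_, err := hashExcludingSentinel("---\ndescription: demo\n# Rule\n")
	fmt.Println("unclosed:", err)
}
```

Because the frontmatter is part of the hashed bytes, an edit to it changes the digest, while a sentinel anywhere other than the first post-frontmatter line is treated as ordinary content.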
richardgeico pushed a commit that referenced this pull request May 28, 2026
docs(plans): identity RBAC & audit designs approved + Cedar adoption

Five designs approved across four tracks of the Identity, RBAC & Audit epic (spgr-rjrt). Designs are at design-level (properties, constraints, architectural shape) — implementation details deferred to plans and the code.

Tracks:
- Identity Storage (spgr-e82m, closed) — entities, lifecycle, and persistence. Adds users.Store interface as the canonical cross-domain seam.
- Identity Authn (spgr-n2rw, closed) — single-resolver pattern; OIDC verify split from user materialization; JIT default-on with per-issuer rate limit and optional email-domain allowlist; explicit error categorization (credential / backend / cancellation). Permission computation section superseded by the Cedar design below.
- Identity Policy Engine Adoption (spgr-rjrt.1, closed) — new design, replaces the retired Self-Service Authz spec. Cedar (cedar-go) as embedded policy engine, wrapped behind auth.PolicyEngine. PolicySource interface for composable policy origins (built-in + filesystem ship; DB/URL land as later PolicySource implementations without engine changes). Stable action names decoupled from RPC method names. Existing static rpcPermissions table migrated to policies in one commit. Cedar decision logs become the audit emission source story #1 consumes.
- Identity Bootstrap & UX (spgr-g90r, closed) — bootstrap user is a system identity (display_name='admin', no OS-user seeding); eliminates bootstrap-vs-JIT collision class. Two paths: local-mode (specgraph init with DB access writes credentials file) and hosted (server first-start prints key to logs). Credentials file is client-only and supports multiple server URLs from day one. Force-flag-protected bootstrap mutations; last-credential protection on UnbindOIDC.

Self-Service Authz design retired (spgr-qe74, closed as superseded); its mechanism (skip-and-defer + handler-checks + runtime registry) collapses into Cedar policies. The standalone doc was deleted.

Stories #3 (project-scoped RBAC) and specgraph#4 (resource ownership rules) land on top as policy authoring stories rather than new authz code paths.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps the uv group with 1 update in the /site directory: pymdown-extensions.

Updates `pymdown-extensions` from 10.21 to 10.21.3

Release notes

Sourced from pymdown-extensions's releases.

Commits

- 4262841 Fix spelling
- 63b7835 Merge commit from fork
- 3d18550 Docs: update js deps
- a4fdd73 Skip tag 10.21.1 has we accidentally already used it
- 8afb4cd Docs: Update JS deps
- 7bf5b29 Pygments needs a non-None value for code block title (#2863)
- 20b11eb Fix some spelling and formatting
- c9edba3 Docs: strengthen Snippets warning and add security considerations

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.