From f185af7a96ea00875b1b9b6cd610ebd059823211 Mon Sep 17 00:00:00 2001
From: jordyamoedo
Date: Sun, 14 Jun 2026 23:04:09 -0300
Subject: [PATCH 1/2] docs(governance): propose no-work-loss-protection FrameworkProposal
---
 ...PROP-20260614-no-work-loss-protection.yaml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 governance/proposals/PROP-20260614-no-work-loss-protection.yaml
diff --git a/governance/proposals/PROP-20260614-no-work-loss-protection.yaml b/governance/proposals/PROP-20260614-no-work-loss-protection.yaml
new file mode 100644
index 0000000000..86cb6eda20
--- /dev/null
+++ b/governance/proposals/PROP-20260614-no-work-loss-protection.yaml
@@ -0,0 +1,51 @@
+framework_proposal:
+ version: "1.0"
+ id: "PROP-20260614-no-work-loss-protection"
+ date: "2026-06-14"
+ proposer: "external-contributor (consumer-project audit)"
+ source_finding: "AF-20260614-no-work-loss-protection"
+
+ target:
+ layer: "L2"
+ artifact_type: "rule"
+ artifact_path: ".claude/rules/git-sync-safety.md (NEW) + optional advisory worktree-cleanup guard"
+ operation: "create"
+
+ generalization:
+ pattern_name: "Durability = on the remote, not on disk"
+ when_to_apply: |
+ Any project where contributors commit locally and/or use git worktrees.
+ Committed-but-unpushed work and unpublished worktrees are at risk from
+ `gc`, `reset --hard`, or a worktree cleanup. The framework already gates
+ quality and secrets, but not the irreversible risk class of LOST WORK.
+ examples_from_other_domains:
+ - "Multi-branch team: a worktree removed before publishing loses local commits"
+ - "Solo dev on a long-running task: reset --hard wipes uncommitted/unpushed work"
+ - "Agentic/CI flows: an automated cleanup removes a worktree the human never pushed"
+
+ migration_path:
+ breaking_change: false
+ affected_consumers: []
+ rollout_plan: |
+ Additive. Adds a process rule and (optionally) an advisory cleanup guard.
+ No existing behavior changes. Projects opt into the guard via config.
+
+ deprecation_plan:
+ deprecates: []
+ sunset_window: "n/a"
+
+ cost_benefit:
+ cost: "~1 documentation rule; optional advisory hook (~50 LOC)"
+ benefit: "Prevents an irreversible failure mode (lost work) framework-wide. Battle-tested in a production consumer fork, then generalized."
+ risk: "low — additive; advisory by default"
+
+ approval:
+ eliel_decision: "PENDING"
+ eliel_decision_at: null
+ eliel_decision_rationale: ""
+ revision_request: []
+
+ implementation:
+ pr_url: ""
+ merged_at: ""
+ distributed_to: []
From c385d90fc03d1998fca9c184cf5ba6ec00e11add Mon Sep 17 00:00:00 2001
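Review bot: `target.artifact_path` holds a path followed by free prose (`(NEW) + optional advisory worktree-cleanup guard`), so any tooling that resolves the field as a file path will not find the artifact. Since `operation: "create"` already says the file is new, keep the field to the path alone, `artifact_path: ".claude/rules/git-sync-safety.md"`, and describe the optional guard in `rollout_plan`. The records also disagree on what the guard does: `cost_benefit.risk` calls it "advisory by default", while the source finding's `proposed_disposition` says it "refuses to remove unpublished work". They should agree on whether it warns or blocks, because a warn-only hook does not prevent the loss the proposal describes. Finally, the "Solo dev" example cites uncommitted work, which a push-based durability test cannot protect, so the rule text should state that limit.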
From: jordyamoedo
Date: Sun, 14 Jun 2026 23:10:43 -0300
Subject: [PATCH 2/2] docs(governance): add source AuditFinding for no-work-loss-protection
---
 .../AF-20260614-no-work-loss-protection.yaml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 audits/promoted/AF-20260614-no-work-loss-protection.yaml
diff --git a/audits/promoted/AF-20260614-no-work-loss-protection.yaml b/audits/promoted/AF-20260614-no-work-loss-protection.yaml
new file mode 100644
index 0000000000..28cc794010
--- /dev/null
+++ b/audits/promoted/AF-20260614-no-work-loss-protection.yaml
@@ -0,0 +1,37 @@
+audit_finding:
+ version: "1.0"
+ id: "AF-20260614-no-work-loss-protection"
+ date: "2026-06-14"
+ auditor: "external-contributor (@aiox-master in a consumer project)"
+ source_session: "Comparative audit of a hardened consumer fork against aiox-core v5.2.9"
+
+ context:
+ project: "a production consumer project (anonymized)"
+ epic: "framework learning-loop audit"
+ triggered_by: "Repeated near-loss of committed-but-unpushed work and removed worktrees during day-to-day and agentic git operations"
+
+ finding:
+ summary: "The framework gates quality and secrets but has no rule covering the irreversible risk class of LOST WORK (committed-but-unpushed commits, unpublished worktrees)."
+ evidence:
+ - "No rule defines durability as 'present on the remote' vs merely 'present on disk'"
+ - "No guard prevents cleanup/removal of a worktree whose commits were never pushed"
+ - "No standard 'backup bundle before a destructive op' (branch -D, worktree remove, reset --hard, push --force)"
+ impact_observed:
+ blast_radius: "high"
+ affected_artifacts: ["any local commit", "any git worktree"]
+ cost: "Near-permanent loss of work; recovery only via `git fsck` dangling-commit archaeology"
+
+ framework_candidate: true
+ framework_candidate_rationale: |
+ The failure mode is project-agnostic: any project where contributors commit
+ locally and/or use git worktrees faces it. The fix is a generic process rule
+ (plus an optional advisory cleanup guard), not project-specific logic.
+
+ references:
+ - kind: pattern
+ path: "Durability = on the remote, not on disk"
+
+ proposed_disposition:
+ - "Add a git-sync-safety process rule (durability test, branch hygiene, base-via-PR)"
+ - "Optionally add an advisory worktree-cleanup guard that refuses to remove unpublished work"
+ - "Standardize 'backup bundle (git bundle) before any destructive git op'"
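Review bot: The third `evidence` item lists `push --force` among the destructive operations, but a force-push rewrites the remote itself, so the referenced pattern "Durability = on the remote, not on disk" does not cover it. `proposed_disposition` should say how the rule treats that case, for example `- "Require branch protection or --force-with-lease on shared branches"`. The third disposition item should also state where backup bundles are kept and for how long, since a bundle is a full copy of history and is outside whatever access controls apply to the remote. Lastly, `references[0].path` carries the pattern name rather than a path; if the schema has a name or title key for `kind: pattern`, that would be the better place for it.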