v1.6.0: self-correcting design, OSCAL compliance, credible cost, exporter hardening#68
Merged
…rter hardening

Closes the defensibility + relevance gaps from the June 2026 product audit.

Moat:
- generate -> critique -> repair loop in Architect.design() (wires the existing scorer/linter/validator back into generation); offline `cloudwright review`
- OSCAL 1.1.2 component-definition export (`compliance --oscal`) + control traceability (`--traceability`)
- compliance-gated component patterns (suggest_compliant_patterns)

Relevance:
- agentic drift -> remediation (drift --remediate): diff -> cost delta -> quality delta -> plan preview, read-only
- cost credibility: region-aware pricing, egress, carbon (--carbon), FOCUS CSV (--focus), per-line pricing confidence
- OpenTofu export alias + tofu-aware planner

Credibility fixes:
- Terraform exporter injection hardening (numeric coercion + validator)
- `cloudwright plan` no longer carries the LLM key into the IaC subprocess; redacts secret-shaped values from output
- compliance now overrides workload profile (sandbox + framework forces encryption/HA); WAF export is deployable; cost region is applied; LLM parse failures keep the full response

Surfaces/docs: frontend structured-error contract + usage telemetry; docs/ getting-started, cli-reference, troubleshooting, mcp-reference; What's new + review demo GIF.

Versions bumped to 1.6.0 (4 packages + extras + server.json).

Co-Authored-By: Xavier Puspus
Closes the defensibility + relevance gaps from the June 2026 product audit (8-dimension audit + competitive research). The recurring theme: the defensible engine work was already in the tree but not wired together, not exposed, and undercut by credibility holes. This release fixes that.
Moat (compliance-at-design-time + a self-correcting architect)
- `Architect.design()` runs the deterministic critics that already existed (scorer, linter, validator) against every spec and, on blocking findings, repairs once before returning — bounded, fails safe, records a `critique` block in `spec.metadata`. Exposed offline as `cloudwright review <spec>` (no API key).
- OSCAL 1.1.2 component-definition export (`compliance --oscal`) and control traceability (`--traceability`): design intent -> component -> Terraform resource -> control ID -> status.
- Compliance-gated component patterns (`suggest_compliant_patterns`).

Relevance (move upstream)
- Agentic drift -> remediation (`drift --remediate`): drift -> cost delta -> quality delta -> plan preview, read-only.
- Cost credibility: region-aware pricing, egress, carbon (`cost --carbon`), FOCUS CSV (`--focus`), per-line pricing confidence.
- OpenTofu export alias `export --format opentofu` + tofu-aware `plan`.

Credibility fixes (verified against source)
- Terraform exporter injection hardening: numeric coercion via `_hcl_num`, validator rejects newlines/braces (closed a string-typed-numeric -> `local-exec` path). Pulumi/CFN were already safe.
- `cloudwright plan` no longer carries the LLM key into the IaC subprocess; redacts secret-shaped values from output.
- WAF export is deployable (`production.default_action`).
- Cost `region` is applied; the silent `$10` fallback is marked low-confidence.

Surfaces / docs
- Frontend structured `{code, message, suggestion}` error contract (was reading `data.detail`) + usage telemetry.
- `docs/` (getting-started, cli-reference, troubleshooting, mcp-reference), README "What's new", and a reproducible `cloudwright review` demo GIF.

Tests
New: critique/repair (7), OSCAL (11), patterns (14), traceability (2), remediation (8), cost credibility (30), exporter hardening + OpenTofu (15). CI-replica green: core 1367 passed / 83% coverage, web 99 passed, CLI 99, MCP 6, ruff clean.
Known latent (not in scope)
The terraform/e2e tests that need terraform/an API key skip in CI (no binary / no key) and are unchanged.
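The exporter hardening item in the description (numeric coercion plus a validator that rejects newlines and braces) as an added Python example; this is not cloudwright's own code, and `hcl_num`, `validate_scalar`, `render_resource` and the `INJECTED` sample value are all assumed or constructed here. It puts the trusting emitter that interpolates a string-typed numeric verbatim beside the hardened path that refuses anything that is not a number literal.

```python
import math
import re

# Added example, not cloudwright's code: a hardened numeric coercion and a
# scalar validator in the spirit of the PR's `_hcl_num` fix, next to the
# trusting emitter it replaces. Function names are assumed.
_NUM_RE = re.compile(r"-?\d+(\.\d+)?([eE][-+]?\d+)?")

def hcl_num(value):
    """Coerce a numeric attribute to an HCL number literal, or raise."""
    if isinstance(value, bool):  # bool subclasses int; never a number here
        raise ValueError("bool is not a number")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if not math.isfinite(value):
            raise ValueError("non-finite float")
        return repr(value)
    if isinstance(value, str) and _NUM_RE.fullmatch(value.strip()):
        return value.strip()  # string-typed numerics must look numeric
    raise ValueError(f"not a numeric literal: {value!r}")

def validate_scalar(rendered):
    """Defense in depth: no rendered scalar may open or close an HCL block."""
    if any(ch in rendered for ch in "\r\n{}"):
        raise ValueError("newline or brace in scalar attribute")
    return rendered

def is_safe_number(value):
    """True when the value survives both coercion and validation."""
    try:
        validate_scalar(hcl_num(value))
        return True
    except ValueError:
        return False

def render_resource(kind, name, attrs, hardened=True):
    """Emit one HCL resource; hardened=False reproduces the trusting emitter."""
    lines = [f'resource "{kind}" "{name}" {{']
    for key, value in attrs.items():
        literal = validate_scalar(hcl_num(value)) if hardened else str(value)
        lines.append(f"  {key} = {literal}")
    lines.append("}")
    return "\n".join(lines)

# Constructed attacker-shaped input: a "number" carrying a newline and braces,
# the shape that let an extra block (the PR's local-exec path) ride into HCL.
INJECTED = "2\n  injected_block {}"
```

With `hardened=False` the rendered resource gains a whole extra block from one attribute value; with the default the same input is rejected before anything is written.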
Reviewed by Xavier Puspus