Skip to content

[Extension]: Update DocGuard — CDD Enforcement (v0.27.0) #3093

Closed
#3094
Closed
[Extension]: Update DocGuard — CDD Enforcement (v0.27.0)#3093
#3094
Assignees
mnriem
Labels
enhancementextension-submissionvalidation-passed

Description

@raccioly
raccioly
opened on Jun 22, 2026

Extension ID

docguard

Extension Name

DocGuard — CDD Enforcement

Version

0.27.0

Description

Canonical-Driven Development enforcement. Validates, scores, and traces project documentation with automated checks, AI-driven workflows, and spec-kit hooks. One pinned runtime dependency; pure Node.js otherwise.

Author

raccioly

Repository URL

https://github.com/raccioly/docguard

Download URL

https://github.com/raccioly/docguard/releases/download/v0.27.0/spec-kit-docguard-v0.27.0.zip

License

MIT

Homepage (optional)

https://www.npmjs.com/package/docguard-cli

Documentation URL (optional)

https://github.com/raccioly/docguard/blob/main/extensions/spec-kit-docguard/README.md

Changelog URL (optional)

https://github.com/raccioly/docguard/blob/main/CHANGELOG.md

Required Spec Kit Version

=0.1.0

Required Tools (optional)

- node (>=18.0.0) - required
- npx - required
- specify - optional (auto-initializes the SDD workflow during docguard init)

Number of Commands

6

Number of Hooks (optional)

3

Tags

documentation, validation, quality, cdd, traceability, ai-agents, enforcement, spec-kit

Key Features

  • 19-validator quality gate with severity triage and a remediation plan
  • AI-driven documentation repair with codebase research and validation loops
  • Cross-document semantic consistency analysis (read-only review)
  • CDD maturity score with an ROI-based improvement roadmap
  • Reverse-engineers canonical docs from an existing codebase
  • spec-kit workflow hooks (after_implement, before_tasks, after_tasks)

Testing Checklist

  • Extension installs successfully via download URL
  • All commands execute without errors
  • Documentation is complete and accurate
  • No security vulnerabilities identified
  • Tested on at least one real project

Submission Requirements

  • Valid extension.yml manifest included
  • README.md with installation and usage instructions
  • LICENSE file included
  • GitHub release created with version tag
  • All command files exist and are properly formatted
  • Extension ID follows naming conventions (lowercase-with-hyphens)

Testing Details

Tested on: Linux + macOS with the spec-kit CLI.

Install:

specify extension add docguard --from https://github.com/raccioly/docguard/releases/download/v0.27.0/spec-kit-docguard-v0.27.0.zip

Scenarios verified:

  1. Extension installs from the release ZIP without manifest validation errors.
  2. All six speckit.docguard.* commands resolve and run.
  3. The three workflow hooks register against spec-kit's lifecycle.

Example Usage

# Install the extension
specify extension add docguard --from https://github.com/raccioly/docguard/releases/download/v0.27.0/spec-kit-docguard-v0.27.0.zip

# Run the documentation quality gate
/speckit.docguard.guard

Proposed Catalog Entry

json
{
  "docguard": {
    "name": "DocGuard \u2014 CDD Enforcement",
    "id": "docguard",
    "description": "Canonical-Driven Development enforcement. Validates, scores, and traces project documentation with automated checks, AI-driven workflows, and spec-kit hooks. One pinned runtime dependency; pure Node.js otherwise.",
    "author": "raccioly",
    "version": "0.27.0",
    "download_url": "https://github.com/raccioly/docguard/releases/download/v0.27.0/spec-kit-docguard-v0.27.0.zip",
    "repository": "https://github.com/raccioly/docguard",
    "homepage": "https://www.npmjs.com/package/docguard-cli",
    "documentation": "https://github.com/raccioly/docguard/blob/main/extensions/spec-kit-docguard/README.md",
    "changelog": "https://github.com/raccioly/docguard/blob/main/CHANGELOG.md",
    "license": "MIT",
    "requires": {
      "speckit_version": ">=0.1.0",
      "tools": [
        {
          "name": "node",
          "version": ">=18.0.0",
          "required": true
        }
      ]
    },
    "provides": {
      "commands": 6,
      "hooks": 3
    },
    "tags": [
      "documentation",
      "validation",
      "quality",
      "cdd",
      "traceability",
      "ai-agents",
      "enforcement",
      "spec-kit"
    ],
    "verified": false,
    "downloads": 0,
    "stars": 0
  }
}

Additional Context

This is an update to an existing catalog entry (docguard) for a new release — please bump the version and download URL on the current entry rather than adding a duplicate.

Release notes (v0.27.0):

Acting on a third end-to-end LLM field report (a coding agent ran DocGuard on a
Vite+Vitest WhatsApp-inbox repo). The headline is architectural: DocGuard is a
tool for LLMs, so every run should end with a suggested next action and every
finding it surfaces should be addressable, suppressible, and — when uncertain —
reportable. This release introduces structured findings (stable codes +
confidence + a built-in suggestion), wires them through guard/explain, adds a
local-first feedback loop, and fixes the group-A false positives the report
flagged.

Added

  • Structured findings with stable codes (cli/findings.mjs) — a validator
    can now emit Finding[] (code like SEC001, high/low confidence, and a
    machine-readable suggestion) via resultFromFindings(...). Fully
    backward-compatible: the legacy {errors,warnings,passed,total} shape is
    derived from the same array, so non-migrated validators are unchanged. Security
    is the first fully-migrated validator.
  • Every guard run ends with a suggested next step — issues render with an
    inline → suggestion (fix command or suppression pragma); a clean run points
    at the next workflow step. guard --format json now carries a stable
    findings / reportable / nextStep contract for agents in hooks/CI.
  • docguard feedback — collects the low-confidence findings of a guard run
    (likely false positives, and anything DocGuard flagged uncertainly), writes a
    full local record under .docguard/feedback/, and prints a 1-click,
    prefilled, redacted, length-capped     GitHub issue URL (zero typing; no source
    code or secret values; capped well under GitHub's ~8 KB URL limit — the failure
    mode of commit 3b600fd).
  • docguard explain <CODE>explain now resolves a finding code
    (docguard explain SEC001) to its meaning, inline-suppression snippet, and the
    feedback path, alongside the existing validator/warning lookup.
  • Inline secret suppression// docguard:ignore SEC001 — reason (or
    // docguard:ignore-secret, or docguard:ignore SEC*) on the flagged line or
    the line above silences a single finding, instead of blinding the whole file
    via securityIgnore. (field report chore: Fix typo #8)
  • Read-only skills nudge — when an agent has no /docguard.* commands
    installed, guard suggests docguard init (it never writes — scaffolding
    stays on init).

Fixed

  • Natural-language values no longer flagged as hardcoded passwords — a
    password-style key whose value reads like prose (a validation message / UI
    copy) is downgraded from a blocking error to a low-confidence, suppressible,
    reportable warning. Still surfaced (no false-green); a genuine single-token
    secret like "SuperSecretPassword!" stays a blocking error. (field report Add John Lam as contributor and release badge #1)
  • score recognises modern test-runner config — Vitest configured inside
    vite.config.* (vitest/config import or a test: block), a scripts.test
    that runs a known runner (vitest/jest/mocha/ava/…), and runner configs
    in workspace subdirs (backend/, frontend/, …). A fully-tested Vite+Vitest
    repo is no longer docked 15 points and told to "add a test runner". (field
    report Update README.md #3)
  • TODO-Tracking scans docs-canonical/{ROADMAP,CURRENT-STATE,BACKLOG,TODO}.md
    — a TODO tracked in the canonical roadmap is no longer reported as untracked.
    (field report shell scripts in the scripts directory fail to execute #6)
  • Env validator ignores runner/CI/SDK varsVITEST, CI, GITHUB_*,
    RUNNER_*, JEST_*, AWS_SESSION_TOKEN, etc. are no longer reported as
    undocumented (they're injected by the runner, not product config). NODE_ENV
    is deliberately still treated as app config. (field report adding executable permission to the scripts so they execute when the … #7)
  • Doc-Quality passive-voice has a per-doc override — parity with
    negation-load: <!-- docguard:quality passive-voice off — reason --> (or a
    numeric threshold) silences the warning on legitimately passive sequence/flow
    docs. (field report Support Cursor CLI #9)

Notes

  • Tests 794 → 813 (new tests/field-report-3.test.mjs, each fix paired with a
    non-vacuous control).
  • The detection-gap items from the report (semantic number/enum drift verify --semantic, dynamic-import cycle breaks, spec-declares-but-no-route, sync --tests, freshness precedence) are deliberately deferred — each is its own
    design and would bloat this release.

Metadata

Metadata

Assignees

Labels

enhancementextension-submissionvalidation-passed

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions