Skip to content

Scope-leash audit: declared blast radius vs. actual touched files #118

Description

@rdbruhn

Problem

vine-coder derives its blast radius by reasoning — "the reasoned set, not a raw grep" — and holds to it by hand, leaving no breadcrumb. So vine-reviewer has to re-derive the leash from scratch to check the agent stayed in bounds. That re-derivation is the expensive, error-prone part of a cold review, and a scope breach (the agent touched a file outside its reasoned set) is exactly the high-stakes thing a reviewer most wants to catch mechanically.

#90 (journal schema fields) is adjacent but distinct — it's about parse-stable route/actor/gear fields for calibration, not scope-vs-actual auditing.

Suggestion

Make the leash auditable with one declared field + one mechanical check:

  1. vine-coder records a declared scope in its NAVIGATION.md handoff (the reasoned touched-file set, derived from SPEC.md's "Files likely touched" + its reasoning).
  2. vine-reviewer runs git diff --name-only for the slice's commits against that declared set; any file touched outside it is an automatic finding (breach or under-declared scope — either way worth surfacing).

Cheap, mechanical, and turns the most subjective part of cold review into a diff. Format lands in references/STATE.md alongside the other journal fields; backward-compatible (no declared field → reviewer falls back to today's manual derivation).

Metadata

Metadata

Assignees

No one assigned

    Labels

    ideaNew behavior, hook pattern, or workflow improvement

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions