fix: align scaffold output with current ecosystem patterns #45

Merged: TMHSDigital merged 1 commit into main from fix/scaffold-drift-dtd41, Apr 26, 2026

@TMHSDigital (Owner)

Aligns scaffold output with current ecosystem patterns and adds CI regression protection so this drift cannot recur silently.

Scope

Eight named gaps from #41 plus two surfaced during the Blender v0.1.1 compliance fix.

From #41

| Gap | Resolution |
| --- | --- |
| validate.yml validate-counts | Added; mirrors Plaid's pattern (skill/rule directory counts vs README) |
| drift-check.yml | New template, pinned to drift-check@v1.9, mode: self |
| release.yml release-doc-sync@v1 | Added; uses default meta-repo-ref: v1 (DTD#42 fixed the default) |
| release.yml initial-release branch | Added per Blender; first release is cut at scaffolded VERSION instead of bumping |
| release.yml floating tag automation | Added; tags v$new_version, v$major, v$major.$minor on every release |
| label-sync.yml | New template; self-healing per-label gh label create --force pattern (DTD#4) |
| dependabot.yml | New template; github-actions ecosystem plus pip for mcp-server/ when applicable |
| CLAUDE.md.j2 / ROADMAP.md.j2 | **Version:** 0.1.0 and **Current:** v0.1.0 lines added so release-doc-sync can rewrite them; ROADMAP gains <!-- standards-version: --> marker; AGENTS.md.j2 already had its marker |

Beyond #41

Gap 9, LICENSE template. Verified the scaffold's CC-BY-NC-ND-4.0 default branch. Two issues found and fixed:

  • Copyright line used {{ author_name }} defaulting to TMHSDigital; corrected to TM Hospitality Strategies (the ecosystem entity name used by every existing tool repo).
  • Text differed slightly from Plaid's canonical version and the SPDX-License-Identifier was missing. Now byte-for-byte identical to Plaid's LICENSE.

Gap 10, CONTRIBUTING.md DCO. Verified DCO is documented in standards/licensing.md and standards/security.md. The standard mandates a verbatim inbound grant paragraph in every CONTRIBUTING.md plus DCO sign-off guidance. The scaffold now emits this section. Existing tool repos that predate this change need backfill PRs per repo, tracked separately.

Pre-existing scaffold bugs surfaced and fixed

While verifying the dry-run output, three pre-existing Jinja2 / YAML bugs in scaffolded files turned up. Each rendered output that strict YAML parsers reject. They were never caught because the meta-repo's validate-scaffold job only did test -f. Fixed in the same diff to keep scaffold output usable.

  • pages.yml.j2: per-line {% raw %}${{ }}{% endraw %} pattern collapses adjacent lines under trim_blocks=True, producing invalid YAML at the environment.url / runs-on boundary.
  • release.yml.j2: same collapse pattern across many steps; rewritten with multi-line {% raw %} blocks.
  • validate.yml.j2: three steps used a broken plain-scalar run: python3 -c "..." form spanning multiple lines (an inner : becomes a YAML mapping separator). Rewritten as block-scalar python3 << 'PYEOF' heredocs to match Plaid's pattern.

CI regression protection

.github/workflows/validate.yml validate-scaffold job:

  • Installs PyYAML alongside Jinja2.
  • After the dry-run, runs yaml.safe_load on every emitted .yml file. Catches any future trim_blocks escaping bug at PR time.
  • New Scaffold regression checks for DTD#41 patterns step greps for each named pattern (validate-counts, drift-check@v1.9, release-doc-sync@v1, initial-release branch, floating major tag, self-healing labels, github-actions ecosystem, **Version:** line, **Current:** line, standards-version markers, TM Hospitality Strategies copyright, SPDX identifier, DCO).
  • Existence list extended to release.yml, stale.yml, drift-check.yml, label-sync.yml, dependabot.yml.

Verification

Local dry-run with --mcp-server --skills 2 --rules 1 and again without --mcp-server. Both pass yaml.safe_load for all generated .yml files and all 15 regression-check patterns.

Impact

  • Existing tool repos: unaffected.
  • New scaffold-generated repos: land at current standards from creation, no post-creation compliance fixes required.
  • Backfill follow-up: standards/licensing.md mandates DCO grant text in CONTRIBUTING.md across the ecosystem, but no existing tool repo carries it. A separate issue tracks backfilling each repo.

Closes #41.
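
The two YAML failure modes described above (per-line `{% raw %}` collapse under `trim_blocks=True`, and a multi-line plain-scalar `run:` with an inner `: `) together with the `yaml.safe_load` gate that catches them, as an added example that is not part of the PR or the repository. The template fragments are constructed, and the names `render` and `load` are hypothetical.

```python
import jinja2
import yaml

# Constructed samples, not the repo's templates. Per-line raw: trim_blocks eats the newline after endraw.
PER_LINE_RAW = """\
deploy:
  environment:
    url: {% raw %}${{ steps.deployment.outputs.page_url }}{% endraw %}
  runs-on: ubuntu-latest
"""
# Multi-line raw block: the trimmed newline belongs to the endraw line itself, so no lines merge.
BLOCK_RAW = """\
deploy:
  environment:
{% raw %}
    url: ${{ steps.deployment.outputs.page_url }}
{% endraw %}
  runs-on: ubuntu-latest
"""
# Plain scalar spanning lines: the ": " inside print() is read as a mapping separator.
PLAIN_SCALAR_RUN = """\
steps:
  - run: python3 -c "
      print('version: 0.1.0')
      "
"""
# Block scalar: everything under "|" is literal text, colons included.
HEREDOC_RUN = """\
steps:
  - run: |
      python3 << 'PYEOF'
      print('version: 0.1.0')
      PYEOF
"""

def render(template, trim_blocks=True):
    env = jinja2.Environment(trim_blocks=trim_blocks, keep_trailing_newline=True)
    return env.from_string(template).render()

def load(text):
    """Return (document, None) for valid YAML, else (None, parser problem)."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, getattr(exc, "problem", None) or str(exc)

if __name__ == "__main__":
    for text in (render(PER_LINE_RAW), render(BLOCK_RAW), PLAIN_SCALAR_RUN, HEREDOC_RUN):
        print(load(text)[1] or "valid YAML")
```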

github-actions Bot commented Apr 26, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/validate.yml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| actions/checkout | 5.*.* | Null | Unknown License |
| actions/setup-python | 5.*.* | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/checkout | 5.*.* | 🟢 5.7 |
| actions/actions/setup-python | 5.*.* | 🟢 5.2 |

Details: actions/actions/checkout

| Check | Score | Reason |
| --- | --- | --- |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

Details: actions/actions/setup-python

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | ⚠️ 2 | 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |

Scanned Files

  • .github/workflows/validate.yml

The scaffold under scaffold/templates/ drifted from the patterns adopted
across the 9 existing tool repos. New tool repos created from the scaffold
required substantial post-creation fixes to reach current standards. This
change brings scaffold output forward to current and adds CI regression
protection.

Per DTD#41, eight named gaps:

- validate.yml.j2: add validate-counts job that compares skills/ and
  rules/ directory counts against README.md (DTD#39 pattern from Plaid).
- drift-check.yml.j2: new template, pinned to drift-check@v1.9 with
  mode: self and gh-summary format.
- release.yml.j2: now consumes release-doc-sync@v1, adopts Blender's
  initial-release version-handling branch (holds version at current
  manifest value when no prior tag exists), and adds floating major and
  major.minor tag automation (git tag -f then push --force).
- label-sync.yml.j2: new template using Home-Lab's self-healing per-label
  gh label create --force pattern (DTD#4).
- dependabot.yml.j2: new template with github-actions ecosystem entry
  plus pip ecosystem for the mcp-server directory when --mcp-server is
  set.
- CLAUDE.md.j2: add **Version:** 0.1.0 / **License:** / **Author:** lines
  so release-doc-sync can rewrite the version line on every release.
- ROADMAP.md.j2: add <!-- standards-version: --> marker and
  **Current:** v0.1.0 line so release-doc-sync can update it.
- AGENTS.md.j2: confirmed already carries the standards-version marker;
  no change needed.

Two additional gaps from the Blender v0.1.1 compliance fix:

- LICENSE.j2 (gap 9): the cc-by-nc-nd-4.0 default branch is now aligned
  byte-for-byte with Plaid's LICENSE: copyright "TM Hospitality Strategies"
  (the ecosystem entity name, not the GitHub org), the canonical CC text,
  and a trailing SPDX-License-Identifier: CC-BY-NC-ND-4.0 line. The
  previous text used {{ author_name }} (defaulting to "TMHSDigital") and
  was missing the SPDX identifier.
- CONTRIBUTING.md.j2 (gap 10): standards/licensing.md mandates the
  inbound DCO + license grant in every CONTRIBUTING.md (verbatim grant
  paragraph plus Signed-off-by guidance). The scaffold now emits this
  section. Existing tool repos that predate this change need a backfill
  PR per repo, tracked separately.

Pre-existing scaffold bugs surfaced and fixed in the same diff so the
scaffold output actually parses as valid YAML now:

- pages.yml.j2 used a per-line {% raw %}${{ }}{% endraw %} pattern that
  Jinja2's trim_blocks=True collapsed onto adjacent lines, producing
  invalid YAML at the environment.url / runs-on boundary.
- release.yml.j2 had the same trim_blocks collapse pattern on every
  ${{ }} reference and additionally used the broken plain-scalar
  python3 -c "..." form in the version-update step.
- validate.yml.j2 used the same broken plain-scalar python3 -c "..."
  form across three steps; rewritten as block-scalar python3 << 'PYEOF'
  heredocs which match Plaid's pattern.

CI regression protection (.github/workflows/validate.yml):

- validate-scaffold now installs PyYAML alongside Jinja2, and after the
  dry-run runs yaml.safe_load on every emitted .yml file. This catches
  any future trim_blocks-style escaping bug at PR time.
- validate-scaffold gained a Scaffold regression checks for DTD#41
  patterns step that greps for each named pattern (validate-counts,
  drift-check@v1.9, release-doc-sync@v1, initial-release branch,
  floating major tag, self-healing labels, github-actions ecosystem,
  **Version:** line, **Current:** line, standards-version markers,
  TM Hospitality Strategies copyright, SPDX identifier, DCO).
- File-existence list extended to cover release.yml, stale.yml,
  drift-check.yml, label-sync.yml, dependabot.yml.

Existing tool repos are unaffected by this change. Future scaffold-
generated repos land at current standards from creation, with no
post-creation cleanup required.

Closes #41

Made-with: Cursor
TMHSDigital force-pushed the fix/scaffold-drift-dtd41 branch from c359f2d to 58bd127, April 26, 2026 16:24
TMHSDigital merged commit 90572b0 into main, Apr 26, 2026
13 checks passed
TMHSDigital deleted the fix/scaffold-drift-dtd41 branch, April 26, 2026 16:26

Successfully merging this pull request may close these issues.

scaffold drift: emitted output not aligned with current ecosystem patterns
