feat: add type-map config to ReqIF adapter

.github/workflows/ci.yml

@@ -146,6 +146,61 @@ jobs:
         env:
           PROPTEST_CASES: "1000"
 
+  # ── Mutation testing ────────────────────────────────────────────────
+  mutants:
+    name: Mutation Testing
+    needs: [test]
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-mutants
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-mutants
+      - name: Run cargo-mutants on rivet-core
+        run: cargo mutants -p rivet-core --timeout 120 --jobs 4 --output mutants-out -- --lib
+      - name: Upload mutants report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: mutants-report
+          path: mutants-out/
+
+  # ── Fuzz testing (main only — too slow for PRs) ───────────────────
+  fuzz:
+    name: Fuzz Testing
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@nightly
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-fuzz
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-fuzz
+      - name: Run fuzz targets (30s each)
+        run: |
+          if [ ! -d fuzz ]; then
+            echo "::notice::No fuzz directory found — skipping"
+            exit 0
+          fi
+          cd fuzz
+          TARGETS=$(cargo +nightly fuzz list 2>/dev/null || true)
+          if [ -z "$TARGETS" ]; then
+            echo "::notice::No fuzz targets defined — skipping"
+            exit 0
+          fi
+          for target in $TARGETS; do
+            echo "::group::Fuzzing $target"
+            cargo +nightly fuzz run "$target" -- -max_total_time=30 || true
+            echo "::endgroup::"
+          done
+
   # ── Supply chain verification ───────────────────────────────────────
   supply-chain:
     name: Supply Chain (cargo-vet)

.gitignore

@@ -1,4 +1,7 @@
 /target/
+/fuzz/target/
+/fuzz/corpus/
+/fuzz/artifacts/
 *.swp
 *.swo
 .DS_Store

.pre-commit-config.yaml

@@ -61,6 +61,40 @@ repos:
         files: '(Cargo\.toml|Cargo\.lock)$'
         stages: [pre-push]
 
+      # ── Dogfood validation ─────────────────────────────────────
+      - id: rivet-validate
+        name: rivet validate (dogfood)
+        entry: rivet validate --strict
+        language: system
+        pass_filenames: false
+        files: '(artifacts/.*\.yaml|schemas/.*\.yaml|safety/.*\.yaml|rivet\.yaml)$'
+
+      # ── Commit-message traceability check ────────────────────
+      - id: rivet-commit-msg
+        name: rivet commit-msg check
+        entry: rivet commit-msg-check
+        language: system
+        stages: [commit-msg]
+        always_run: true
+
+      # ── Benchmarks (compile check only — not full run) ────────
+      - id: cargo-bench-check
+        name: cargo bench --no-run
+        entry: cargo bench --no-run
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages: [pre-push]
+
+      # ── Security: known vulnerabilities (RustSec advisory DB) ──────
+      - id: cargo-audit
+        name: cargo audit
+        entry: cargo audit
+        language: system
+        pass_filenames: false
+        files: '(Cargo\.toml|Cargo\.lock)$'
+        stages: [pre-push]
+
       # ── Security: license compliance, bans, sources, advisories ────
       - id: cargo-deny
         name: cargo deny check
@@ -69,3 +103,12 @@ repos:
         pass_filenames: false
         files: '(Cargo\.toml|Cargo\.lock|deny\.toml)$'
         stages: [pre-push]
+
+      # ── Mutation testing (pre-push, slow) ─────────────────────
+      - id: cargo-mutants
+        name: cargo mutants (smoke)
+        entry: bash -c 'cargo mutants --timeout 60 --jobs 4 -p rivet-core -- --lib 2>&1 | tail -5'
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
+        verbose: true

Cargo.toml

@@ -41,7 +41,7 @@ tower-http = { version = "0.6", features = ["cors", "fs"] }
 urlencoding = "2"
 
 # XML (ReqIF)
-quick-xml = { version = "0.37", features = ["serialize"] }
+quick-xml = { version = "0.37", features = ["serialize", "overlapped-lists"] }
 
 # WASM component model
 wasmtime = { version = "42", features = ["component-model"] }
@@ -51,5 +51,5 @@ wasmtime-wasi = "42"
 criterion = { version = "0.5", features = ["html_reports"] }
 
 # AADL (spar) — parser, HIR, analysis
-spar-hir = { git = "https://github.com/pulseengine/spar.git", rev = "21a5411" }
-spar-analysis = { git = "https://github.com/pulseengine/spar.git", rev = "21a5411" }
+spar-hir = { git = "https://github.com/pulseengine/spar.git", rev = "84a7363" }
+spar-analysis = { git = "https://github.com/pulseengine/spar.git", rev = "84a7363" }

artifacts/decisions.yaml

@@ -48,7 +48,7 @@ artifacts:
       alternatives: >
         Custom adjacency list implementation. Rejected because graph
         algorithms are subtle and petgraph is well-proven.
-      source-ref: rivet-core/src/graph.rs:1
+      source-ref: rivet-core/src/links.rs:1
 
   - id: DD-003
     type: design-decision
@@ -227,3 +227,77 @@ artifacts:
         Keep old test terminology for backward compatibility. Rejected
         because the schema is pre-1.0 and alignment with the standard
         is more valuable than backward compatibility at this stage.
+
+  - id: DD-011
+    type: design-decision
+    title: Git trailers over inline regex for commit-artifact references
+    status: approved
+    description: >
+      Use standard git trailers (footer key-value pairs) for linking
+      commits to artifacts, rather than inline regex parsing of commit
+      message bodies (e.g., [FEAT-007] Jira-style).
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-017
+    fields:
+      rationale: >
+        Git trailers are a well-supported standard, parseable via
+        git log --format='%(trailers)', git interpret-trailers, and
+        programmatic APIs. They separate traceability metadata from
+        the commit description. Inline regex is fragile and ambiguous
+        (brackets in code snippets, prose references).
+      alternatives: >
+        Inline regex parsing of [ARTIFACT-ID] patterns (Jira-style).
+        Rejected because regex is fragile and cannot distinguish
+        intentional references from incidental mentions.
+
+  - id: DD-012
+    type: design-decision
+    title: Runtime graph integration over materialized commit YAML
+    status: approved
+    description: >
+      Commit data is injected as ephemeral nodes into the petgraph link
+      graph at analysis time, rather than materializing commit artifacts
+      as YAML files on disk.
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-017
+    fields:
+      rationale: >
+        Git is the single source of truth for commit data. Materializing
+        commits to YAML creates a redundant data store that drifts from
+        git history. The link graph is already rebuilt from scratch on
+        each rivet invocation, so ephemeral commit nodes fit naturally.
+      alternatives: >
+        rivet sync-commits writing commit YAML files to a commits/
+        directory. Rejected because it creates thousands of redundant
+        files and requires ongoing sync discipline.
+
+  - id: DD-013
+    type: design-decision
+    title: Dual opt-out for commit traceability enforcement
+    status: approved
+    description: >
+      Non-essential commits opt out of trailer requirements via two
+      mechanisms: conventional-commit type exemption (configurable list
+      of types like chore, style, ci, docs, build) and an explicit
+      Trace-skip trailer for edge cases.
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-018
+      - type: satisfies
+        target: REQ-019
+    fields:
+      rationale: >
+        Type-based exemption handles the 80% case (dependency bumps,
+        formatting, CI tweaks) with zero friction. The explicit skip
+        trailer handles edge cases where a normally-traced type (like
+        feat) genuinely has no artifact mapping, forcing developers to
+        consciously acknowledge the gap.
+      alternatives: >
+        No exemption mechanism (all commits must reference artifacts).
+        Rejected because it creates excessive friction for routine
+        maintenance commits that have no traceability value.

artifacts/features.yaml

@@ -441,3 +441,76 @@ artifacts:
         target: REQ-007
     fields:
       phase: phase-2
+
+  - id: FEAT-029
+    type: feature
+    title: "rivet commit-msg-check subcommand"
+    status: draft
+    description: >
+      Pre-commit hook entry point that validates a single commit message
+      file. Parses conventional-commit type for exemption, checks for
+      skip trailer, extracts artifact IDs from git trailers, and
+      validates they exist in the artifact store. Provides fuzzy-match
+      suggestions on typos.
+    tags: [cli, git, traceability, phase-3]
+    links:
+      - type: satisfies
+        target: REQ-017
+      - type: satisfies
+        target: REQ-018
+    fields:
+      phase: phase-3
+
+  - id: FEAT-030
+    type: feature
+    title: "rivet commits subcommand"
+    status: draft
+    description: >
+      History analysis command that parses git log trailers, classifies
+      commits (linked, orphan, exempt, broken-ref), and produces five
+      reports: linked commits, broken references, orphan commits,
+      artifact commit coverage, and unimplemented artifacts. Supports
+      --since, --range, --json, and --strict flags.
+    tags: [cli, git, traceability, phase-3]
+    links:
+      - type: satisfies
+        target: REQ-017
+      - type: satisfies
+        target: REQ-019
+    fields:
+      phase: phase-3
+
+  - id: FEAT-031
+    type: feature
+    title: Configurable trailer-to-link-type mapping
+    status: draft
+    description: >
+      Configuration in rivet.yaml that maps git trailer keys (Implements,
+      Fixes, Verifies, Satisfies, Refs) to existing schema link types.
+      Includes exempt-types list, skip-trailer token, traced-paths for
+      orphan detection, and trace-exempt-artifacts whitelist.
+    tags: [config, git, traceability, phase-3]
+    links:
+      - type: satisfies
+        target: REQ-017
+    fields:
+      phase: phase-3
+
+  - id: FEAT-032
+    type: feature
+    title: Ephemeral commit node injection into link graph
+    status: draft
+    description: >
+      At analysis time, parsed commit data is injected as ephemeral
+      nodes into the petgraph link graph, wired to referenced artifacts
+      via the configured link types. Enables coverage computation,
+      reachability queries, and dashboard visualization without
+      materializing commit YAML files.
+    tags: [core, git, traceability, phase-3]
+    links:
+      - type: satisfies
+        target: REQ-017
+      - type: implements
+        target: DD-012
+    fields:
+      phase: phase-3