feat: cross-repository artifact linking

.github/workflows/ci.yml

@@ -146,6 +146,61 @@ jobs:
         env:
           PROPTEST_CASES: "1000"
 
+  # ── Mutation testing ────────────────────────────────────────────────
+  mutants:
+    name: Mutation Testing
+    needs: [test]
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-mutants
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-mutants
+      - name: Run cargo-mutants on rivet-core
+        run: cargo mutants -p rivet-core --lib --timeout 120 --jobs 4 --output mutants-out
+      - name: Upload mutants report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: mutants-report
+          path: mutants-out/
+
+  # ── Fuzz testing (main only — too slow for PRs) ───────────────────
+  fuzz:
+    name: Fuzz Testing
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@nightly
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-fuzz
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-fuzz
+      - name: Run fuzz targets (30s each)
+        run: |
+          if [ ! -d fuzz ]; then
+            echo "::notice::No fuzz directory found — skipping"
+            exit 0
+          fi
+          cd fuzz
+          TARGETS=$(cargo +nightly fuzz list 2>/dev/null || true)
+          if [ -z "$TARGETS" ]; then
+            echo "::notice::No fuzz targets defined — skipping"
+            exit 0
+          fi
+          for target in $TARGETS; do
+            echo "::group::Fuzzing $target"
+            cargo +nightly fuzz run "$target" -- -max_total_time=30 || true
+            echo "::endgroup::"
+          done
+
   # ── Supply chain verification ───────────────────────────────────────
   supply-chain:
     name: Supply Chain (cargo-vet)

.gitignore

@@ -1,4 +1,7 @@
 /target/
+/fuzz/target/
+/fuzz/corpus/
+/fuzz/artifacts/
 *.swp
 *.swo
 .DS_Store

.pre-commit-config.yaml

@@ -61,6 +61,40 @@ repos:
         files: '(Cargo\.toml|Cargo\.lock)$'
         stages: [pre-push]
 
+      # ── Dogfood validation ─────────────────────────────────────
+      - id: rivet-validate
+        name: rivet validate (dogfood)
+        entry: rivet validate --strict
+        language: system
+        pass_filenames: false
+        files: '(artifacts/.*\.yaml|schemas/.*\.yaml|safety/.*\.yaml|rivet\.yaml)$'
+
+      # ── Commit-message traceability check ────────────────────
+      - id: rivet-commit-msg
+        name: rivet commit-msg check
+        entry: rivet commit-msg-check
+        language: system
+        stages: [commit-msg]
+        always_run: true
+
+      # ── Benchmarks (compile check only — not full run) ────────
+      - id: cargo-bench-check
+        name: cargo bench --no-run
+        entry: cargo bench --no-run
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages: [pre-push]
+
+      # ── Security: known vulnerabilities (RustSec advisory DB) ──────
+      - id: cargo-audit
+        name: cargo audit
+        entry: cargo audit
+        language: system
+        pass_filenames: false
+        files: '(Cargo\.toml|Cargo\.lock)$'
+        stages: [pre-push]
+
       # ── Security: license compliance, bans, sources, advisories ────
       - id: cargo-deny
         name: cargo deny check
@@ -69,3 +103,12 @@ repos:
         pass_filenames: false
         files: '(Cargo\.toml|Cargo\.lock|deny\.toml)$'
         stages: [pre-push]
+
+      # ── Mutation testing (pre-push, slow) ─────────────────────
+      - id: cargo-mutants
+        name: cargo mutants (smoke)
+        entry: bash -c 'cargo mutants --timeout 60 --jobs 4 -p rivet-core -- --lib 2>&1 | tail -5'
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
+        verbose: true

Cargo.toml

@@ -41,7 +41,7 @@ tower-http = { version = "0.6", features = ["cors", "fs"] }
 urlencoding = "2"
 
 # XML (ReqIF)
-quick-xml = { version = "0.37", features = ["serialize"] }
+quick-xml = { version = "0.37", features = ["serialize", "overlapped-lists"] }
 
 # WASM component model
 wasmtime = { version = "42", features = ["component-model"] }
@@ -51,5 +51,5 @@ wasmtime-wasi = "42"
 criterion = { version = "0.5", features = ["html_reports"] }
 
 # AADL (spar) — parser, HIR, analysis
-spar-hir = { git = "https://github.com/pulseengine/spar.git", rev = "21a5411" }
-spar-analysis = { git = "https://github.com/pulseengine/spar.git", rev = "21a5411" }
+spar-hir = { git = "https://github.com/pulseengine/spar.git", rev = "5073591" }
+spar-analysis = { git = "https://github.com/pulseengine/spar.git", rev = "5073591" }

artifacts/decisions.yaml

@@ -48,7 +48,7 @@ artifacts:
       alternatives: >
         Custom adjacency list implementation. Rejected because graph
         algorithms are subtle and petgraph is well-proven.
-      source-ref: rivet-core/src/graph.rs:1
+      source-ref: rivet-core/src/links.rs:1
 
   - id: DD-003
     type: design-decision
@@ -227,3 +227,142 @@ artifacts:
         Keep old test terminology for backward compatibility. Rejected
         because the schema is pre-1.0 and alignment with the standard
         is more valuable than backward compatibility at this stage.
+
+  - id: DD-011
+    type: design-decision
+    title: Git trailers over inline regex for commit-artifact references
+    status: approved
+    description: >
+      Use standard git trailers (footer key-value pairs) for linking
+      commits to artifacts, rather than inline regex parsing of commit
+      message bodies (e.g., [FEAT-007] Jira-style).
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-017
+    fields:
+      rationale: >
+        Git trailers are a well-supported standard, parseable via
+        git log --format='%(trailers)', git interpret-trailers, and
+        programmatic APIs. They separate traceability metadata from
+        the commit description. Inline regex is fragile and ambiguous
+        (brackets in code snippets, prose references).
+      alternatives: >
+        Inline regex parsing of [ARTIFACT-ID] patterns (Jira-style).
+        Rejected because regex is fragile and cannot distinguish
+        intentional references from incidental mentions.
+
+  - id: DD-012
+    type: design-decision
+    title: Runtime graph integration over materialized commit YAML
+    status: approved
+    description: >
+      Commit data is injected as ephemeral nodes into the petgraph link
+      graph at analysis time, rather than materializing commit artifacts
+      as YAML files on disk.
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-017
+    fields:
+      rationale: >
+        Git is the single source of truth for commit data. Materializing
+        commits to YAML creates a redundant data store that drifts from
+        git history. The link graph is already rebuilt from scratch on
+        each rivet invocation, so ephemeral commit nodes fit naturally.
+      alternatives: >
+        rivet sync-commits writing commit YAML files to a commits/
+        directory. Rejected because it creates thousands of redundant
+        files and requires ongoing sync discipline.
+
+  - id: DD-013
+    type: design-decision
+    title: Dual opt-out for commit traceability enforcement
+    status: approved
+    description: >
+      Non-essential commits opt out of trailer requirements via two
+      mechanisms: conventional-commit type exemption (configurable list
+      of types like chore, style, ci, docs, build) and an explicit
+      Trace-skip trailer for edge cases.
+    tags: [architecture, git, traceability]
+    links:
+      - type: satisfies
+        target: REQ-018
+      - type: satisfies
+        target: REQ-019
+    fields:
+      rationale: >
+        Type-based exemption handles the 80% case (dependency bumps,
+        formatting, CI tweaks) with zero friction. The explicit skip
+        trailer handles edge cases where a normally-traced type (like
+        feat) genuinely has no artifact mapping, forcing developers to
+        consciously acknowledge the gap.
+      alternatives: >
+        No exemption mechanism (all commits must reference artifacts).
+        Rejected because it creates excessive friction for routine
+        maintenance commits that have no traceability value.
+
+  - id: DD-014
+    type: design-decision
+    title: Prefixed IDs over URI-style references
+    status: accepted
+    description: >
+      Cross-repo links use prefix:ID syntax (e.g., rivet:REQ-001) rather than
+      full URIs. Simpler to type, more readable in YAML.
+    links:
+      - type: satisfies
+        target: REQ-020
+    tags: [cross-repo]
+    fields:
+      decision: Use prefix:ID syntax with prefix declared in rivet.yaml
+      rationale: >
+        Simpler and more readable than URIs. Prefix is a local alias
+        configured per project, matching sphinx-needs id_prefix pattern.
+
+  - id: DD-015
+    type: design-decision
+    title: Mesh topology over hub-and-spoke
+    status: accepted
+    description: >
+      Any repo can link to any other repo directly. No central authority required.
+    links:
+      - type: satisfies
+        target: REQ-020
+    tags: [cross-repo]
+    fields:
+      decision: Any repo can link to any other repo directly
+      rationale: >
+        Avoids central authority requirement. Matches distributed team
+        workflows. Transitive resolution handles indirect dependencies.
+
+  - id: DD-016
+    type: design-decision
+    title: Distributed baselining over centralized manifest
+    status: accepted
+    description: >
+      Repos tag themselves with baseline/* tags; consistency verified not enforced.
+    links:
+      - type: satisfies
+        target: REQ-021
+    tags: [cross-repo, baseline]
+    fields:
+      decision: Repos tag themselves with baseline/* tags; consistency verified not enforced
+      rationale: >
+        No platform repo required. Each repo joins baselines independently.
+        Matches OSLC global configuration model where contributions are optional.
+
+  - id: DD-017
+    type: design-decision
+    title: Transitive dependency resolution
+    status: accepted
+    description: >
+      Declare direct dependencies only; discover transitive deps automatically.
+    links:
+      - type: satisfies
+        target: REQ-020
+    tags: [cross-repo]
+    fields:
+      decision: Declare direct dependencies only; discover transitively
+      rationale: >
+        Scales naturally. Avoids redundant declarations. Similar to cargo/npm
+        dependency resolution.