feat(implement-task): add description digest verification step #138

Merged
mrizzi merged 2 commits into mrizzi:main from ruromero:TC-4286
May 29, 2026

@ruromero ruromero commented May 27, 2026

Summary

  • Add Step 1.5 – Verify Description Integrity to implement-task, which reads Jira comments to locate the digest posted by plan-feature, computes SHA-256 of the current description, and compares them
  • Handle three scenarios: no digest (warn, proceed), matching digest (proceed silently), mismatched digest (alert user, pause)
  • Add REST API fallback for comment retrieval in Step 0.5
  • Add eval assertions: one no-digest assertion to eval 1, plus new evals 6 (matching digest) and 7 (mismatched digest)
  • Disambiguate multiple digest comment handling: when multiple comments match the marker, select the most recent by created timestamp (TC-4566)

Implements TC-4286

Test plan

  • Run evals for implement-task skill (/sdlc-workflow:run-evals implement-task)
  • Verify eval 1 passes with the new digest assertion
  • Verify eval 6 (matching digest) produces correct plan output
  • Verify eval 7 (mismatched digest) produces pause-and-ask behavior
  • Manual smoke test: run /sdlc-workflow:implement-task on a task with a digest comment

🤖 Generated with Claude Code

Summary by Sourcery

Add a description digest integrity verification step to the implement-task workflow and document the digest consumption protocol, including handling of multiple digest comments and REST fallbacks for Jira access.

New Features:

  • Introduce a Step 1.5 in implement-task to verify Jira issue description integrity against a stored SHA-256 digest before continuing the workflow.

Enhancements:

  • Document REST API fallback support for retrieving Jira issue comments in the implement-task skill.
  • Clarify the shared description digest protocol to support deterministic selection of the most recent matching digest comment when multiple are present.

Tests:

  • Extend implement-task evals with new cases and assertions to cover missing, matching, and mismatched description digest scenarios.


sourcery-ai Bot commented May 27, 2026

Reviewer's Guide

Adds a description digest verification step to the implement-task skill, including Jira comment retrieval with REST API fallback, protocol updates for digest selection, and new eval cases to cover no-digest, matching, and mismatched-digest scenarios.

Sequence diagram for description digest verification in implement-task

sequenceDiagram
    actor User
    participant ImplementTaskSkill
    participant Jira

    User->>ImplementTaskSkill: run implement-task
    ImplementTaskSkill->>Jira: jira.get_issue(<jira-issue-id>)
    ImplementTaskSkill->>Jira: jira.get_issue_comments(<jira-issue-id>)
    Jira-->>ImplementTaskSkill: comments

    alt [no comment body starts with marker]
        ImplementTaskSkill-->>ImplementTaskSkill: log warning "No description digest found"
        ImplementTaskSkill-->>User: proceed with normal task implementation
    else [one or more comments match marker]
        ImplementTaskSkill-->>ImplementTaskSkill: select most recent by created
        ImplementTaskSkill-->>ImplementTaskSkill: parse sha256 hex digest
        ImplementTaskSkill-->>ImplementTaskSkill: compute SHA-256 of current description
        alt [digests match]
            ImplementTaskSkill-->>User: proceed silently with implementation
        else [digests mismatch]
            ImplementTaskSkill-->>User: display expected vs actual digest
            ImplementTaskSkill-->>User: ask proceed or stop
            Note over ImplementTaskSkill: stop execution until user responds
        end
    end

Flow diagram for Step 1.5 description integrity verification

flowchart TD
    A[Start Step 1.5<br/>Verify Description Integrity] --> B[Retrieve issue comments<br/>jira.get_issue_comments]
    B --> C[Filter comments whose body starts with marker]
    C --> D{Any matching<br/>digest comments?}
    D -- No --> E[Log warning<br/>&quot;No description digest found&quot;]
    E --> F[Proceed with normal execution]

    D -- Yes --> G[Select most recent comment<br/>by created timestamp]
    G --> H{updated > created?}
    H -- Yes --> I[Warn: digest comment was edited]
    H -- No --> J[Skip edit warning]
    I --> K[Extract sha256 hex digest]
    J --> K
    K --> L[Compute SHA-256 of current description]
    L --> M{Digests match?}
    M -- Yes --> F
    M -- No --> N[Alert user with expected and actual digests]
    N --> O[Ask user: Proceed or Stop]
    O --> P[Stop execution until user responds]

File-Level Changes

Change Details Files
Introduce Step 1.5 in implement-task to verify Jira issue description integrity using the description digest protocol.
  • Document a new Step 1.5 in the implement-task SKILL, executed after fetching the task and before dependency checks.
  • Specify retrieval of all Jira comments for the issue and selection of the most recent digest comment by created timestamp when multiple matches exist.
  • Define behavior for cases with no digest (warn and continue), edited digest comments (warn but still compare), matching digests (proceed silently), and mismatched digests (alert user, pause and wait for decision to proceed or stop).
  • Detail how to extract the stored sha256 digest from the digest comment, compute the current SHA-256 over a whitespace-trimmed description, and compare them.
plugins/sdlc-workflow/skills/implement-task/SKILL.md
Extend Jira access initialization and REST API fallback documentation to support comment retrieval for digest verification.
  • Update the JIRA access initialization step to include the new Step 1.5 among the operations requiring access method selection.
  • Add a REST API equivalent command for retrieving Jira issue comments via jira-client.py get_comments.
plugins/sdlc-workflow/skills/implement-task/SKILL.md
Clarify the description-digest protocol to define handling when multiple digest comments are present.
  • Change consumer behavior description from finding a single digest comment to scanning all matching comments.
  • Add a requirement to select the most recent matching digest comment by created timestamp to support re-planning and deterministic behavior.
plugins/sdlc-workflow/shared/description-digest-protocol.md
Add and adjust evals to cover description digest presence, matching, and mismatched scenarios for implement-task.
  • Introduce or update eval cases so that eval 1 asserts no-digest behavior, eval 6 covers matching digest behavior, and eval 7 verifies mismatched digest pause-and-ask behavior.
evals/implement-task/evals.json

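The Step 1.5 flow described in this thread (filter comments by marker, take the most recent by created, warn if it was edited, compare against the SHA-256 of the trimmed description), as an added Python example that is not the project's own code. The marker text, the `sha256:<hex>` comment layout, the comment field names and the fail-closed handling of an unparseable digest are assumptions; the sample comments are constructed.

```python
import hashlib
import hmac
import re
from datetime import datetime

# Assumptions (not on the page): the marker text and the "sha256:<hex>" layout.
MARKER = "[description-digest]"
DIGEST_RE = re.compile(r"sha256:\s*([0-9a-f]{64})\b")
JIRA_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2026-05-27T10:00:00.000+0000


def _ts(value):
    return datetime.strptime(value, JIRA_TS)


def description_digest(description):
    """SHA-256 hex digest over the whitespace-trimmed description."""
    return hashlib.sha256(description.strip().encode("utf-8")).hexdigest()


def verify_description(description, comments):
    """Return a dict whose status is 'no-digest', 'match' or 'mismatch'."""
    actual = description_digest(description)
    result = {"status": "no-digest", "warnings": [], "expected": None, "actual": actual}
    matches = [c for c in comments if c["body"].startswith(MARKER)]
    if not matches:
        result["warnings"].append("No description digest found")
        return result  # warn and proceed
    latest = max(matches, key=lambda c: _ts(c["created"]))
    if _ts(latest["updated"]) > _ts(latest["created"]):
        result["warnings"].append("digest comment was edited")
    found = DIGEST_RE.search(latest["body"])
    # Example's choice: an unparseable digest comment fails closed as a mismatch.
    result["expected"] = found.group(1) if found else None
    same = found is not None and hmac.compare_digest(result["expected"], actual)
    result["status"] = "match" if same else "mismatch"  # mismatch: alert and pause
    return result


def sample_comments(description):
    """Constructed sample: an older stale digest and a newer current one."""
    good = description_digest(description)
    return [
        {"body": f"{MARKER} sha256:{'0' * 64}",
         "created": "2026-05-20T09:00:00.000+0000",
         "updated": "2026-05-20T09:00:00.000+0000"},
        {"body": "Looks good to me",
         "created": "2026-05-26T08:00:00.000+0000",
         "updated": "2026-05-26T08:00:00.000+0000"},
        {"body": f"{MARKER} sha256:{good}",
         "created": "2026-05-25T14:30:00.000+0000",
         "updated": "2026-05-25T14:30:00.000+0000"},
    ]
```
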


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • In Step 1.5, please clarify how to handle multiple digest comments on the same Jira issue (e.g., choose the most recent, or one tied to a specific run) so the implementation is deterministic.
  • The REST fallback command jira.get_issue_comments(id) → python3 scripts/jira-client.py get_comments <id> should be checked to ensure the CLI output format matches what the MCP-based comment parsing logic expects (e.g., timestamps and body fields).
  • Consider explicitly specifying in Step 1.5 that the user-facing warnings/prompts (no digest, edited digest comment, mismatch decision) should use the same logging/prompt mechanisms as other steps, to keep UX consistent and avoid ad-hoc messaging in the implementation.



@github-actions github-actions Bot left a comment


Eval Results

Eval Results: implement-task

| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 10/10 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-3 | 6/6 | 0 | 100% |
| eval-4 | 6/6 | 0 | 100% |
| eval-5 | 7/7 | 0 | 100% |
| eval-6 | 4/4 | 0 | 100% |
| eval-7 | 5/5 | 0 | 100% |

Pass rate: 100% · Tokens: 40,085 · Duration: 101s

Baseline (0cdded7): 100% · 25,398 tokens · 91s

Delta from baseline

| Metric | Baseline | Current | Delta |
|---|---|---|---|
| Pass rate | 100% | 100% | |
| Evals | 5 | 7 | +2 new |
| Assertions | 33 | 49 | +16 |
| Tokens (mean) | 25,398 | 40,085 | +57.8% |
| Duration (mean) | 91s | 101s | +10.9% |

New evals

  • eval-6 (digest match): Tests Step 1.5 description digest verification when the digest matches — verifies the skill proceeds silently without user prompt (4 assertions, all pass)
  • eval-7 (digest mismatch): Tests Step 1.5 description digest verification when the digest does not match — verifies the skill alerts the user, displays expected vs actual digests, and stops execution (5 assertions, all pass)

Notes

  • Eval 1 gained 1 new assertion (10 vs baseline's 9): the description digest backward-compatibility check (Step 1.5 — no digest found, proceed with warning)
  • Token increase is expected: 2 new evals added to the suite, and eval 6 includes a full implementation plan alongside the digest verification output
  • Duration increase is modest (+10s mean) despite 40% more evals, indicating efficient parallel execution

Generated by sdlc-workflow/run-evals v0.9.1

@ruromero

Verification Report for TC-4286 (commit 8abcbf1)

| Check | Result | Details |
|---|---|---|
| Review Feedback | PASS | Body-level suggestions from sourcery-ai; no code change requests |
| Root-Cause Investigation | N/A | No sub-tasks created |
| Scope Containment | PASS | PR files exactly match task-specified files (2/2) |
| Diff Size | PASS | 77 lines across 2 files — proportionate to task scope |
| Commit Traceability | PASS | All commits reference TC-4286 |
| Sensitive Patterns | PASS | No secrets or sensitive patterns in diff |
| CI Status | PASS | All 4 CI checks pass |
| Acceptance Criteria | PASS | 6/6 criteria met |
| Test Quality | N/A | No traditional test files in PR (eval JSON config only) |
| Test Change Classification | ADDITIVE | 2 new evals added, 1 assertion appended; no removals |
| Verification Commands | N/A | None specified |

Overall: PASS

All checks pass. The PR adds Step 1.5 (Verify Description Integrity) to implement-task with correct handling of all three digest scenarios, references the shared protocol, and includes eval coverage for each scenario. CI passes at 100% eval pass rate.


This comment was AI-generated by sdlc-workflow/verify-pr v0.9.1.

@ruromero

Body-Level Review Comment Classification

The previous /verify-pr run processed only inline (file-anchored) review comments. This supplemental pass classifies the body-level review comments from sourcery-ai[bot] (review ID 4373606054).

Classified Comments

| # | Comment Summary | Classification | Action |
|---|---|---|---|
| 1 | Clarify handling of multiple digest comments on the same Jira issue | Code change request | Sub-task TC-4566 created |
| 2 | REST fallback CLI output format should match MCP parsing expectations | Suggestion | No sub-task — skill describes semantic operations, not raw output parsing |
| 3 | Consider specifying that Step 1.5 warnings use same logging/prompt mechanisms as other steps | Suggestion | No sub-task — other steps don't prescribe exact mechanisms either; this is consistent |

Classification Reasoning

Comment 1 — "please clarify" is directive language requesting a specific code change. Step 1.5 item 2 says "search for a comment" (singular) without specifying behavior when multiple digest comments exist. The description-digest-protocol.md also uses "searches for one" without disambiguation. This is a real determinism gap that needs to be addressed.

Comment 2 — "should be checked" is advisory. The skill documents the semantic operation (jira.get_issue_comments), and the LLM implementation adapts to whatever format the API or CLI returns. No actionable code change to the skill definition.

Comment 3 — "Consider" is explicit suggestion language. No other step in the skill prescribes exact logging/prompt mechanisms. The current approach (describe what to display, let the implementation handle formatting) is consistent with the rest of the skill.


Supplemental body-level review classification by sdlc-workflow/verify-pr v0.9.1.

@ruromero

@sourcery-ai review


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!



@ruromero ruromero requested a review from mrizzi May 27, 2026 19:42

@mrizzi mrizzi left a comment


@ruromero I'm just concerned by the Eval Results: plan-feature report because, AFAIK, that skill should be fine with digest management.
WDYT?

ruromero added 2 commits May 29, 2026 13:40
Add Step 1.5 to verify description integrity by checking the SHA-256
digest posted by plan-feature against the current description content.
Handles three scenarios: no digest (warn and proceed), matching digest
(proceed silently), and mismatched digest (alert user and pause).

Also adds REST API fallback for comment retrieval and three new eval
assertions covering all digest verification scenarios.

Implements TC-4286

Assisted-by: Claude Code

Specify that when multiple digest comments match the marker string,
the consumer selects the most recent one by created timestamp. Also
document this edge case in the shared protocol.

Implements TC-4566

Assisted-by: Claude Code

@mrizzi mrizzi left a comment


@ruromero thanks 👍

@mrizzi mrizzi merged commit d3d6601 into mrizzi:main May 29, 2026
4 checks passed
@ruromero ruromero deleted the TC-4286 branch May 29, 2026 12:02