microsoft
diff --git a/‎change-detection-prd.md‎
Lines changed: 297 additions & 0 deletions b/‎change-detection-prd.md‎
Lines changed: 297 additions & 0 deletions
diff --git a/‎docs/user/reference/cli/azldev_component.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/user/reference/cli/azldev_component.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/user/reference/cli/azldev_component_diff-identity.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/user/reference/cli/azldev_component_diff-identity.md‎
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,297 @@
+# PRD: Component Change Detection for Build Queue Determination
+
+**Related ideas:** bn-c5ae, bn-8bb7 (superseded NEVR approach)
+**Priority:** P0 — Critical
+**Status:** Draft
+
+---
+
+## Problem
+
+When a PR lands, the build pipeline needs to know which components to queue for building and publishing. Today there is no automated way to answer "what changed?" — developers manually track which components they touched.
+
+The original approach (computing NEVR and comparing against Koji) was abandoned because:
+- It requires a mock root and source downloads for every component (slow)
+- `%autorelease` derives release numbers from synthetic git history, making offline NEVR computation fragile
+- Koji already errors on duplicate NEVRs — that error is real signal worth investigating, not something to pre-filter
+
+The better approach: **detect whether a component's build inputs changed between two commits.** Changed inputs = queue for build. Let Koji handle the rest.
+
+## Target Users
+
+- **CI/CD pipelines** — automatically determine the build queue for a PR or merge
+- **Developers** — quickly check which components a change affects before submitting
+- **Release tooling** — audit what changed between releases
+
+## Proposed Solution
+
+Add a `component identity` subcommand that dumps a deterministic fingerprint of every component's build inputs. CI runs it at two commits and diffs the output. Changed fingerprints = changed components = build queue.
+
+---
+
+## Design
+
+### Core Principle: Fingerprint Resolved Inputs, Not Configuration Metadata
+
+The fingerprint must capture the **fully-resolved** build inputs after all config merging, inheritance, and path resolution — not raw config values. This ensures that changes to global/distro/group-level defaults automatically propagate to every component they affect.
+
+### What Goes Into the Fingerprint
+
+The fingerprint for a component is a deterministic hash of all inputs that could change RPM output.
+
+#### 1. Resolved Component Config (from merged `ProjectConfig.Components[name]`)
+
+Fingerprinted using struct reflection with `fingerprint:"-"` tags on excluded fields:
+
+| Field | Included | Rationale |
+|-------|----------|-----------|
+| `Spec` (SpecSource) | Yes | Different spec = different package |
+| `Overlays` (functional fields only) | Yes | Any overlay change mutates output. `Overlay.Description` is excluded (`fingerprint:"-"`) as it is purely documentation. |
+| `Build.With`, `Build.Without`, `Build.Defines`, `Build.Undefines` | Yes | Directly affect rpmbuild macros |
+| `Build.Check.Skip` | Yes | Changes %check behavior |
+| `SourceFiles` (filenames + hashes) | Yes | Different sources = different package |
+| `Name` | No (`fingerprint:"-"`) | Metadata, already the map key |
+| `SourceConfigFile` | No (`fingerprint:"-"`) | Internal reference |
+| `Build.Failure.Expected` | No (`fingerprint:"-"`) | CI decision, not a build input |
+| `Build.Hints.Expensive` | No (`fingerprint:"-"`) | Scheduling hint, not a build input |
+| `Build.Check.SkipReason` | No (`fingerprint:"-"`) | Documentation, not a build input |
+| `Build.Failure.ExpectedReason` | No (`fingerprint:"-"`) | Documentation, not a build input |
+
+**Key design**: new fields default to **included** in the fingerprint. Only explicitly excluded fields are tagged `fingerprint:"-"`. A guard test asserts every field has been consciously categorized.
+
+#### 2. Actual File Content Hashes
+
+Config references files by path. The fingerprint must hash their *content*, not their path:
+
+| File | How to hash |
+|------|-------------|
+| Spec file (`Spec.Path` for local specs) | SHA256 of file content |
+| Overlay source files (patches, added files) | SHA256 of each file referenced by overlay `Source` fields |
+
+#### 3. Resolved Distro Context
+
+| Field | Included | Rationale |
+|-------|----------|-----------|
+| Effective distro name + version | Yes | Different distro = different build env |
+| Distro-level `DefaultComponentConfig` | Yes | Already merged into component config — captured by #1 |
+
+**Mock config is explicitly excluded** from the per-component fingerprint. A mock config change is a distro-level event (new dist tag, mass rebuild) — not something that should trigger individual component rebuilds via change detection. Mock config changes are handled by a separate coordinated mass-rebuild workflow.
+
+#### 4. Upstream Spec Identity (for `SourceType=upstream`)
+
+| Field | Included | Rationale |
+|-------|----------|-----------|
+| `UpstreamCommit` (pinned or resolved hash, included as-is) | Yes | Different commit = different spec |
+| `UpstreamName` | Yes | Different upstream package name |
+| `UpstreamDistro` (name + version) | Yes | Different distro source |
+
+**Floating upstream specs:** For components without a pinned `UpstreamCommit`, the fingerprint resolves the upstream ref to a concrete commit at runtime and includes that commit hash directly as a string input (not double-hashed). If upstream moved between the base and head identity runs, the resolved commit differs → fingerprint changes → rebuild. This is correct behavior. The tool already requires network access for most operations, so online resolution is not a concern.
+
+**Future: global snapshot time.** When a global snapshot timestamp is introduced, the fingerprint should include the **resolved upstream commit hash directly**, not the snapshot timestamp itself. This prevents a snapshot bump from marking all upstream components as changed when only a handful actually got new content.
+
+#### 5. Affects Commit Count (for synthetic history / %autorelease)
+
+| Field | Included | Rationale |
+|-------|----------|-----------|
+| Count of `Affects: <component>` commits in project repo | Yes | Each Affects commit = +1 release in %autorelease |
+
+This count changes when someone adds a commit with `Affects: curl`, which is exactly when the component needs a rebuild.
+
+### What Is Explicitly Excluded
+
+- Source archive contents — already represented by `SourceFiles[].Hash` in config
+- Log/work/output directory paths — runtime choice, not a build input
+- `ComponentGroupConfig.Description` — documentation
+- Image config — irrelevant to component builds
+- System architecture — captured by mock config (platform-specific path already resolved)
+
+### Global Change Propagation
+
+This is the critical correctness property. Changes to shared config must fan out to all affected components.
+
+**How it works:** The fingerprint operates on the **fully-merged** `ProjectConfig`. Config merging happens at load time:
+
+```
+defaults.toml → project azldev.toml → included configs → CLI overrides
+    ↓ merge
+DistroVersion.DefaultComponentConfig → ComponentGroup.DefaultComponentConfig → ComponentConfig
+```
+
+If `defaults.toml` changes a distro's `DefaultComponentConfig.Build.With`, every component inheriting from that distro gets a different resolved config → different fingerprint → queued for rebuild. No special propagation logic needed.
+
+**Guard test:** A unit test verifies that mutating any shared config field (distro default, group default) changes the fingerprint of components that inherit from it.
+
+### `fingerprint:"-"` Tag System
+
+```go
+type ComponentBuildConfig struct {
+    With      []string          `toml:"with"`
+    Without   []string          `toml:"without"`
+    Defines   map[string]string `toml:"defines"`
+    Undefines []string          `toml:"undefines"`
+    Check     CheckConfig       `toml:"check"`
+    Failure   ComponentBuildFailureConfig `toml:"failure" fingerprint:"-"`
+    Hints     ComponentBuildHints         `toml:"hints"   fingerprint:"-"`
+}
+
+type CheckConfig struct {
+    Skip       bool   `toml:"skip"`
+    SkipReason string `toml:"skip-reason" fingerprint:"-"`
+}
+```
+
+**Guard test:** Reflects over all fingerprinted structs. Fails if any field lacks either a `fingerprint:"-"` tag or is implicitly included. Forces a conscious decision on every field.
+
+```go
+func TestAllFieldsHaveFingerprintDecision(t *testing.T) {
+    // For each struct in the fingerprint set:
+    // Walk fields via reflect. If a field has fingerprint:"-", it's excluded.
+    // If it has no fingerprint tag, it's included (default).
+    // Test passes if all fields are accounted for.
+    // When a new field is added without a tag, the test still passes (included by default).
+    // Optional: maintain an explicit allowlist of excluded fields to catch accidental tag removal.
+}
+```
+
+### CLI Design
+
+#### `azldev component identity`
+
+Dumps the fingerprint for selected components.
+
+```bash
+# All components, JSON output for CI
+azldev component identity -a -O json > identity.json
+
+# Single component, table output for dev
+azldev component identity -p curl
+
+# Output:
+# COMPONENT   FINGERPRINT
+# curl        sha256:a1b2c3d4...
+```
+
+Uses standard component filter flags (`-p`, `-g`, `-a`, `-s`).
+
+**JSON output structure:**
+```json
+{
+  "curl": {
+    "fingerprint": "sha256:a1b2c3d4e5f6...",
+    "inputs": {
+      "config_hash": "sha256:...",
+      "spec_content_hash": "sha256:...",
+      "overlay_file_hashes": {
+        "patches/fix.patch": "sha256:...",
+        "patches/build.patch": "sha256:..."
+      },
+      "affects_commit_count": 3,
+      "distro": "azl3",
+      "distro_version": "3.0"
+    }
+  }
+}
+```
+
+The `inputs` breakdown is for debugging — the top-level `fingerprint` is the single hash for comparison.
+
+#### `azldev component diff-identity`
+
+Compares two identity dumps and outputs changed components.
+
+```bash
+azldev component diff-identity base.json head.json
+```
+
+**Output (table):**
+```
+COMPONENT   STATUS    DETAIL
+curl        changed   spec_content_hash, overlay_file_hashes
+wget        added     (new component)
+libfoo      removed   (component removed)
+openssl     unchanged
+```
+
+**Output (JSON, for CI):**
+```json
+{
+  "changed": ["curl"],
+  "added": ["wget"],
+  "removed": ["libfoo"],
+  "unchanged": ["openssl"]
+}
+```
+
+CI builds the queue from `changed` + `added`.
+
+### CI Workflow
+
+```bash
+# At PR gate:
+git checkout $BASE_REF
+azldev component identity -a -O json > /tmp/base-identity.json
+
+git checkout $HEAD_REF
+azldev component identity -a -O json > /tmp/head-identity.json
+
+# Diff
+CHANGED=$(azldev component diff-identity /tmp/base-identity.json /tmp/head-identity.json -O json | jq -r '.changed[]')
+
+# Queue builds
+for component in $CHANGED; do
+  koji-build queue "$component"
+done
+```
+
+---
+
+## Scope
+
+### In Scope
+
+1. `component identity` subcommand — dump deterministic fingerprints
+2. `component diff-identity` subcommand — compare two identity files
+3. `fingerprint:"-"` struct tag system with guard tests
+4. Fingerprint library function callable outside CLI
+5. Content hashing for spec files and overlay sources
+6. Affects commit count integration (from PR #17 synthetic history work)
+
+### Out of Scope
+
+- Git-aware diffing within the tool (Option B from earlier discussion) — CI does the checkout
+- Transitive build dependency detection (if B changed and A `BuildRequires: B`) — periodic checks handle this
+- MCP integration
+- NEVR computation (deprioritized, separate backlog item)
+- Global snapshot time resolution (future feature — PRD notes the design constraint)
+
+---
+
+## Implementation Plan
+
+1. **Add `fingerprint:"-"` tags** to existing config structs + guard test — small, self-contained
+2. **Implement fingerprint computation** — walk resolved config, hash fields, hash referenced files
+3. **Add `component identity` subcommand** — standard CLI pattern, returns fingerprint struct
+4. **Add `component diff-identity` subcommand** — reads two JSON files, computes diff
+5. **Integration test** — scenario test that modifies config and verifies fingerprint changes
+6. **CI pipeline integration** — documentation/example for PR gate workflow
+
+### Dependencies
+
+- PR #17 (synthetic history / Affects commits) for `affects_commit_count` — can stub with 0 until merged
+- Existing config loading and component resolution infrastructure
+
+---
+
+## Success Criteria
+
+- Changing any build-relevant config field changes the fingerprint of all affected components
+- Changing a distro default propagates to all inheriting components
+- Adding a new struct field without deciding on fingerprint inclusion causes a test failure
+- `diff-identity` correctly identifies added, removed, changed, and unchanged components
+- CI can determine the build queue in <30s for a typical project (no mock root, no source downloads)
+- No false negatives (missed rebuilds) for any config-driven change
+
+## Risks
+
+- **Floating upstream specs** (no pinned commit): upstream ref is resolved at runtime. If upstream moves between identity runs, the component is flagged as changed. This is correct but means the fingerprint is not reproducible without network access — acceptable since the tool is inherently online.
+- **External changes outside config** (e.g., upstream repo force-push changing a pinned commit's content): extremely unlikely and not worth defending against.