feat(docx-mcp): add opt-in fingerprint ordinal disambiguation to read_file

[stevenobiajulu]

Summary

Adds an opt-in, additive duplicate-disambiguation surface to
read_file(format="json") for DOCX sessions, on top of the existing
content_fingerprint. Closes the remaining gap from #205: when the same
normalized paragraph text appears multiple times in one document, every
occurrence shares one fingerprint, so consumers can't reference "the second
occurrence of WHEREAS …" without re-implementing document-order grouping.

When include_fingerprint=true and the new include_fingerprint_ordinal=true
are set with format="json", each paragraph node gains:

• content_fingerprint_ordinal — 1-based document-order position among paragraphs sharing the same content_fingerprint
• content_fingerprint_count_in_document — total paragraphs sharing that fingerprint (document-wide, stable under pagination)
• portable_paragraph_ref — convenience composite "<content_fingerprint>#<ordinal>"

Ordinals/counts are computed over the full document in document order, so a
paginated or node_ids-filtered read still reports stable, document-wide values.

Out of scope / unchanged (per #205)

• _bk_* ids, edit-anchor semantics, and the content_fingerprint algorithm are untouched.
• The ordinal is a read-only disambiguator, never an edit anchor (reordering duplicates may change ordinals).
• No effect without include_fingerprint, on TOON/simple output, or on Google Docs / ODT sessions.

OpenSpec

New capability → added change proposal add-read-file-fingerprint-ordinal
(openspec validate --strict passes) with an mcp-server ADDED requirement and
10 scenarios, all covered by the new traceability test.

Files

• openspec/changes/add-read-file-fingerprint-ordinal/** — proposal, tasks, mcp-server spec delta
• packages/docx-mcp/src/tools/read_file.ts — compute + attach ordinal/count/portable_paragraph_ref
• packages/docx-mcp/src/tool_catalog.ts — include_fingerprint_ordinal schema field
• packages/docx-mcp/src/tools/read_file_fingerprint_ordinal.test.ts — new traceability test (TEST_FEATURE=add-read-file-fingerprint-ordinal)
• regenerated docs/tool-reference.generated.md and SAFE_DOCX_OPENSPEC_TRACEABILITY.md

Gates run (all green by exit code)

• npm run build
• npm run lint:workspaces (0 errors; pre-existing warnings only)
• npm run check:spec-coverage -w @usejunior/docx-mcp -- --strict → PASS add-read-file-fingerprint-ordinal: 10/10
• targeted vitest: read_file* (88 passed) incl. new + existing fingerprint suites (19 passed)
• npm run check:tool-docs (after commit)
• npm run check:conformance-citations, npm run check:conformance-doc
• npm run check:allure-labels, check:allure-filenames, check:allure-quality

Reviewer notes

• New flag is purely additive and default-off; existing JSON/TOON/simple consumers see byte-identical output.
• The Google Docs scenario is exercised via the same mock pattern as the existing fingerprint gdocs test (no real credentials).
• Uses Ref: #205 (not Closes) so issue closure stays under maintainer control.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
site	Ready	Preview, Comment	Jun 26, 2026 5:42am

[stevenobiajulu]

Review verdict: APPROVE (with nits)

Reviewed the diff, spec delta, tests, and issue #205 scope. This is a clean, well-scoped, additive change that matches the (re-scoped, peer-reviewed) ask in #205 exactly. No blocking findings.

What I verified

• Correctness of the document-wide claim. Ordinals/counts iterate over the full nodes view (read_file.ts:327, built before any windowing) rather than the post-window enriched slice, so the "stable under pagination / node_ids" contract actually holds. The counts are document-wide across paginated windows test (reads only paraIds[4] and asserts ordinal 3 / count 3) is a genuine THEN-observable assertion of that behavior, not tag-stuffing.
• Grouping vs. emission fingerprints agree. Both the grouping loop and enriched.map use computeContentFingerprint(getParagraphText(paragraphEl)) against the same paragraphElementsById map, so no derivation drift (Check 15 territory) — same canonical helper, same source element.
• Gating is sound. Fields only emit under include_fingerprint && include_fingerprint_ordinal && format==='json'; the ordinal fields require include_fingerprint, default JSON omits, and TOON ignores tests each assert absence. gdocs path is structurally separate and the mock test confirms no ordinal leakage.
• Conventions. Branch 205-...-20260626 matches {issue}-{desc}-{YYYYMMDD}; conventional commit scope feat(docx-mcp); Ref: #205 (no Closes footer); OpenSpec proposal present and validated; single-line .openspec() tags with a TEST_FEATURE const in a new dedicated test file. spec-coverage, allure-labels, tool-docs-freshness all green.

Nits (non-blocking)

1. Spec text claims format="simple" no-op but no scenario covers it (spec.md requirement body mentions simple alongside TOON; only a TOON scenario/test exists). It's structurally safe since the whole block is gated on format==='json', but the requirement asserts coverage it doesn't have. Consider either a one-line simple-format test or dropping the explicit simple claim.
2. Summary phrasing "Closes the remaining gap from Add opt-in duplicate-disambiguation metadata alongside content_fingerprint in read_file #205". This won't trigger GitHub auto-close (the keyword isn't immediately adjacent to #205), and the body correctly uses Ref: #205 — just flagging given the prior check:spec-coverage never passes --strict to validate_openspec_coverage.mjs, so the docx-core matrix gate is WARN-only in CI #469 auto-close incident.
3. Fingerprint computed twice per windowed node when ordinal is on (once in the grouping loop via fingerprintByNodeId, again in enriched.map). fingerprintByNodeId already holds it; reusing it would avoid the recompute. Negligible perf, purely a cleanup.

[github-actions]

LLM-Based Quality Gate

Overall: ✅ PASS (8 pass · 0 warn · 9 skipped · 17 total)

	Check	Verdict
✅	read_file response metadata parity	Both successful return paths in packages/docx-mcp/src/tools/read_file.ts (lines 506 and 520) consistently preserve the additive diagnostic fields comment_load_error and footnote_load_error along with paginationMeta.
⏭️ SKIPPED	Live DOM namespace-safe OOXML writes	paths not touched by this PR
✅	Deleted field markup keeps w:fldChar outside w:del	The PR does not touch field atomization, validateFieldStructure, hasFldCharInsideDel, w:fldChar, w:instrText, w:delInstrText, or collapsed field comparison logic, as it only adds fingerprint duplicate-disambiguation metadata to read_file.
⏭️ SKIPPED	Field validation per story, not global	paths not touched by this PR
⏭️ SKIPPED	Revision IDs seeded from all revision-bearing side parts	paths not touched by this PR
✅	Accept/reject sweep side parts and caches	The PR does not touch acceptChanges, rejectChanges, REVISION_STORY_PART_PATHS, or side-part revision markup, as it only adds duplicate-disambiguation metadata to read_file in packages/docx-mcp/src/tools/read_file.ts.
⏭️ SKIPPED	DocumentViewNode.heading stays canonical	paths not touched by this PR
⏭️ SKIPPED	AI-author parity across entry points	paths not touched by this PR
⏭️ SKIPPED	Property-change wrapper discipline	paths not touched by this PR
⏭️ SKIPPED	SUPPORT.md Table A drift vs. implementation	paths not touched by this PR
⏭️ SKIPPED	Table A / Table B boundary on side-part revisions	paths not touched by this PR
✅	Canonical-emission surface completeness	The PR only modifies the read_file tool to add fingerprint ordinal disambiguation, which is a read-only navigation utility and does not add or change any tracked-edit surface.
⏭️ SKIPPED	Lean predicate drift against engine semantics (asymmetric)	paths not touched by this PR
✅	Unit-test quality (avoid tautological / change-detector tests)	The added test file packages/docx-mcp/src/tools/read_file_fingerprint_ordinal.test.ts uses concrete, independent assertions with expected values (such as exact ordinals 1, 2, 3 and counts) derived from first principles. Mocks are appropriately restricted to the external google-docs-core boundary rather than the system under test.
✅	Re-derived facts vs canonical sources	The PR consumes the canonical computeContentFingerprint and getParagraphText from @usejunior/docx-core in packages/docx-mcp/src/tools/read_file.ts (lines 425 and 442) to compute fingerprints and ordinals, avoiding any re-derivation of text walks or hashing logic.
✅	.openspec tag ↔ test-assertion drift	Every added .openspec tag in the newly created packages/docx-mcp/src/tools/read_file_fingerprint_ordinal.test.ts has a dedicated test body that fully exercises the scenario's specified GIVEN/WHEN/THEN criteria with explicit, covering assertions rather than generic or stuffed tags.
✅	Library stays general (no downstream-domain leakage)	The PR adds general-purpose paragraph disambiguation and referencing metadata (include_fingerprint_ordinal, content_fingerprint_ordinal, and portable_paragraph_ref) in packages/docx-mcp/src/tools/read_file.ts:299 and tool_catalog.ts:59, maintaining domain generality and avoiding downstream leakage.

Full checklist questions

1. read_file response metadata parity: If this PR touches packages/docx-mcp/src/tools/read_file.ts, budgeted pagination returns, or additive response metadata like warnings / comment_load_error, do every successful return path (default budgeted early return, non-budget fallthrough, explicit limit/node_ids) preserve the same additive diagnostic fields? read_file has multiple success exits; diagnostics have already disappeared on one path before. Reference: fix(docx-core): declare xmlns:w14/w15 on comments root before writing prefixed attributes (#154) #180 surfaced comment_load_error, fix(docx-mcp): warn when read_file budget is exceeded by a single node (closes #184) #186 added an early budget return + warnings, fix(docx-mcp): surface comment_load_error on the default budgeted read path (closes #189) #191 fixed the missing comment_load_error on the default budgeted path.

2. Live DOM namespace-safe OOXML writes: If this PR touches packages/docx-core/src/primitives/comments.ts or writes prefixed OOXML attributes/elements (w14:*, w15:*, xmlns:*, comments.xml, commentsExtended.xml, people.xml), are prefixed OOXML names written with namespace-aware APIs — root aliases bound with setAttributeNS(XMLNS_NS, ...), prefixed attributes with setAttributeNS(W14_NS/W15_NS, ...), and is there a test that proves the live DOM works before serialization/reparse? String-prefixed attributes can serialize plausibly while the live DOM still throws namespace errors. Reference: fix(docx-core): declare xmlns:w14/w15 on comments root before writing prefixed attributes (#154) #180 (xmlns:w14/w15 declared on comments root before writing prefixed attrs).

3. Deleted field markup keeps w:fldChar outside w:del: If this PR touches field atomization, validateFieldStructure, hasFldCharInsideDel, w:fldChar, w:instrText, w:delInstrText, or collapsed field comparison logic, does deleted field output stay ECMA-376-conformant — w:fldChar sibling-level (never inside w:del), deleted instructions use w:delInstrText only inside valid delete wrappers, accept/reject safety checks still reject malformed combined output? Word treats deleted field-state markup in the wrong container as document-corrupting. References: fix(docx-core): validate w:delInstrText placement and reject w:fldChar inside <w:del> #211, fix(docx-core): partition field-closure validation by ECMA-376 story (#212) #225, fix(docx-core): fragment w:fldChar outside w:del per ECMA-376 Part 4 #228.

4. Field validation per story, not global: If this PR touches packages/docx-core/src/baselines/atomizer/pipeline.ts, splitStories, validateFieldStructure, side-part merge logic, or footnote/endnote field handling, is field validation run independently per ECMA story (document.xml, each footnote, each endnote), with sidecars from both original and revised archives considered, and global counter balance not treated as sufficient? A document can be globally balanced but have an invalid field sequence inside one story. References: fix(docx-core): partition field-closure validation by ECMA-376 story (#212) #225, fix(docx-core): fragment w:fldChar outside w:del per ECMA-376 Part 4 #228, feat(docx-core): sweep side-part revisions on accept/reject #218.

5. Revision IDs seeded from all revision-bearing side parts: If this PR touches packages/docx-mcp/src/session/manager.ts (especially getRevisionContextForSession or FIXED_REVISION_ID_SEED_PARTS), createRevisionContext, revision-ID allocation, or MCP tools that create tracked changes/comments/footnotes, does revision-ID allocation scan all relevant package parts before issuing new IDs — comments, footnotes, endnotes, glossary, headers, footers — ignore non-revision w:id values (comment IDs, bookmarks), and handle malformed optional parts gracefully? Revision IDs are package-wide; document-only seeding collides with existing side-part revisions. Reference: fix(docx-mcp): seed revision ids from side parts #216 (seed revision ids from side parts).

6. Accept/reject sweep side parts and caches: If this PR touches DocxDocument.acceptChanges, DocxDocument.rejectChanges, REVISION_STORY_PART_PATHS, accept_changes, reject_changes, or side-part revision markup, does accept/reject process every revision-bearing story — updating document.xml + footnotes.xml + endnotes.xml + comments.xml, writing back only changed side parts while refreshing cached XML, and pruning orphan footnotes without deleting reserved separator entries? Accepting only in the main document leaves stale revisions and dangling references in the package. References: feat(docx-core): sweep side-part revisions on accept/reject #218, fix(docx-mcp): seed revision ids from side parts #216, fix(docx-core): partition field-closure validation by ECMA-376 story (#212) #225.

7. DocumentViewNode.heading stays canonical: If this PR touches packages/docx-core/src/primitives/document_view.ts, HeadingValue, heading heuristics, ListMetadata.header_style, or Google Docs document-view heading normalization, does node.heading remain a structural heading signal — exact Word styles Heading1–Heading6 win, heuristic sources suppressed inside table cells while real Word heading styles still pass, ordinary body paragraphs omit the heading key? Consumers use node.heading != null as a structural test; heuristic false positives break downstream navigation. References: fix(docx-core): harden heading detection (#157 Phase 1) #178, fix(docx-core): suppress non-sectional false-positive headings (closes #187) #188, feat(docx-core): add derived heading object to DocumentViewNode (closes #179) #190.

8. AI-author parity across entry points: If this PR touches packages/docx-mcp/src/server.ts, packages/docx-mcp/src/cli/tool_runner.ts, packages/docx-mcp/src/cli/commands/**, or adds any new new SessionManager(...) call site in docx-mcp, does every entry point that constructs a SessionManager resolve SAFE_DOCX_AI_AUTHOR with the same three-way semantics (set → use it; empty string → opt out to untracked; unset → defaultAiAuthor), or has a new entry path silently bypassed tracked emission? Each entry path looks locally correct while diverging from another; tracked emission has gone dark in one path before anyone noticed. References: feat(docx-mcp): wire configurable AI author through MCP layer (#142) #172 (production MCP wiring would have kept tracked emission dark), fix(docx-mcp): honor SAFE_DOCX_AI_AUTHOR in CLI entry points (#181) #182 (CLI runners constructing bare SessionManager() silently produced untracked edits).

9. Property-change wrapper discipline: If this PR touches packages/docx-core/src/primitives/layout.ts, packages/docx-core/src/primitives/text.ts, packages/docx-mcp/src/tools/clear_formatting.ts, or packages/docx-core/src/primitives/track-changes-emitter.ts, do tracked formatting/property edits emit exactly one correct *PrChange wrapper (pPrChange / rPrChange / trPrChange / tcPrChange) carrying a snapshot of the prior live properties — not stacking stale wrappers, not stripping valid historical children (cellIns/cellDel/cellMerge), and not omitting the snapshot when the operation is formatting-aware? Emitted OOXML is visually plausible but subtle snapshot mistakes only surface during later accept/reject or in Word's tracked-changes UI. References: feat(docx-core): emit pPrChange/trPrChange/tcPrChange from layout setters (#140) #167 (duplicate pPrChange/trPrChange/tcPrChange stacking + over-broad tcPr exclusion), feat(docx-mcp): emit rPrChange from clear_formatting MCP tool (#141) #170 (clear_formatting failing to strip stale rPrChange), feat(docx-core): emit rPrChange for formatted paragraph replacements #215 (rPrChange for formatted paragraph replacements + filtering nested stale records).

10. SUPPORT.md Table A drift vs. implementation: If this PR modifies OOXML revision emission behavior (w:ins, w:del, w:rPrChange, etc.) in packages/docx-core/src/primitives/**, or touches packages/docx-core/SUPPORT.md, does the PR symmetrically update Table A in SUPPORT.md when the supported revision-emission surface in primitives changed — added, removed, or weakened — or is the documented contract now lying about what's supported? Reviewers focus on TS AST correctness and golden tests; Markdown contract tables get treated as an afterthought, so the documented surface drifts from the actual surface. Reference: [120.8] Regression suite for canonical revision emission across the surface #143 review caught replaceParagraphTextRange should emit w:rPrChange when run formatting changes #173 (formatting mismatch in Table A) and addCommentReply should emit body revision markup OR SUPPORT.md should be softened #174 (comment body revision omission forcing a Table A softening) late in peer review.

11. Table A / Table B boundary on side-part revisions: If this PR touches packages/docx-core/src/primitives/comments.ts, packages/docx-core/src/primitives/footnotes.ts, or other side-part primitives, and adds/changes revision markup (w:ins, w:del), does tracked-change revision logic stay scoped to Table A (document-body content inside the side part) without leaking revision markup into Table B (the side-part package bootstrap — comments.xml/footnotes.xml element registration itself)? Body runs and side-part package elements share nearly identical XML namespace schemas; revisions emitted in the wrong table corrupt the package contract while looking plausible. References: [120.3] Emit w:ins/w:del for comment body anchors #138 (comment-body straddle constraints), [120.4] Emit w:ins/w:del for footnote reference and text #139 (footnote-reference straddle constraints).

12. Canonical-emission surface completeness: If this PR adds or changes a tracked-edit surface in packages/docx-core/src/primitives/** or packages/docx-mcp/src/tools/**, are the paired artifacts updated together — packages/docx-core/src/integration/canonical-emission-regression.test.ts, packages/docx-mcp/src/integration/canonical-emission-mcp.test.ts, and the documented emitter surface (Table A) — or is the rollout only partially wired? The primitive change looks done before the MCP path, regression matrix, and documented contract are wired through; partial rollouts ship undocumented surface that drifts. References: feat(docx-mcp): wire configurable AI author through MCP layer (#142) #172 (RevisionContext threaded through every Table A MCP tool), test(docx-core,docx-mcp): final regression suite for canonical emission (#143) #175 (24-test regression suite + verified write-time emitter rows), feat(docx-core): emit rPrChange for formatted paragraph replacements #215 (re-enabled rPrChange regression + updated support surface for replaceParagraphTextRange).

13. Lean predicate drift against engine semantics (asymmetric): If this PR changes field-wrapper semantics, the proof boundary, or atomizer behavior — packages/docx-core/src/baselines/atomizer/**, verification/lean/LeanSpike/Spec.lean, verification/lean/Tier2/**, or packages/docx-core/src/integration/lean-spec-bridge.test.ts — and if the TS engine semantics shifted, did the PR also update the Lean residual predicate and bridge tests, or is the proof now pinned to a stale stronger/weaker assumption? Asymmetric: a TS change without a corresponding Lean update is WARN; a Lean-only change without a TS update should not fire. The Lean side can still compile while the abstraction boundary is subtly wrong for the next engine refactor. References: feat(verification): close inv_field_001 with Tier 2 OoxmlDoc subset #208 (closed inv_field_001 using stronger recursivelyWellformed), refactor(verification): weaken inv_field_001 axiom to document-level preservationFriendly (rebased follow-up to #208) #220 (weakened the axiom to document-level preservationFriendly to avoid breakage when field fragmentation lands).

14. Unit-test quality (avoid tautological / change-detector tests): If this PR adds or modifies any **/*.test.ts (or other test files), are the test assertions independent of the system under test — expected values constructed from first principles rather than re-derived from the function under test, mocks limited to external boundaries (filesystem, network, clocks) rather than mocking the SUT itself, assertions making concrete semantic claims rather than just snapshotting current behavior or asserting non-null, and any test added alongside a bug fix actually exercising the bug? Tests that re-implement the production code as the "expected" value, or mock out the system under test, pass green while providing no regression protection.

15. Re-derived facts vs canonical sources: If this PR adds logic that re-computes a fact the codebase already derives elsewhere — another fldChar begin/separate/end visible-content walk (canonical: getParagraphRuns in packages/docx-core/src/primitives/text.ts), a second footnote display-number map (buildFootnoteDisplayMap vs getFootnotes().displayNumber), or any sibling re-implementation of an existing helper instead of importing or exporting it — does the PR consume the canonical source, or explicitly justify the new derivation and add a test pinning the copies in agreement? Independent derivations of the same fact drift apart; read_file renders every footnote marker twice in text/tagged_text ([^N][^N]) #382's doubled footnote markers were two passes disagreeing about one fact, and the fix initially added a fifth copy of the field-state walk. References: read_file renders every footnote marker twice in text/tagged_text ([^N][^N]) #382, fix(docx-mcp): render each footnote marker exactly once in read_file output #386, refactor: expose footnote references as document-view node metadata — one derivation of "visible footnote refs", not five fldChar walks #393.

16. .openspec tag ↔ test-assertion drift: If this PR adds, moves, or changes any .openspec('[ID] …') tag on a test(...)/it(...), does the tagged test body actually exercise that scenario's GIVEN/WHEN/THEN — establishing the scenario's precondition and asserting its THEN observable — or is the tag attached without a covering assertion (tag-stuffing)? Judge each added/changed [ID] independently against the body of the test it sits on. Pay special attention to (a) tags moved onto generic clean/round-trip/property tests that never set up the scenario's specific precondition, (b) a single test absorbing several distinct scenario IDs it does not separately assert, and (c) "empirical proxy" / repo-convention justifications standing in for a real covering assertion. Deterministic coverage checks confirm the tag exists and (with the THEN-keyword guard) that a scenario token is mentioned; they cannot judge whether the assertion actually covers the scenario — this asymmetric, oversells-coverage drift is exactly what the gate is for. References: test(docx-core): raise docx-comparison spec coverage to 68/69 and split coverage scripts #513 (first pass tag-stuffed multiple docx-comparison scenarios onto tests that didn't assert them; only peer review caught it), check:spec-coverage never passes --strict to validate_openspec_coverage.mjs, so the docx-core matrix gate is WARN-only in CI #469.

17. Library stays general (no downstream-domain leakage): If this PR adds or renames public API, types, recipes, functions, or identifiers in packages/*/src/**, does it avoid baking in names or concepts specific to a single downstream consumer's domain — agreements especially (signature, signatory, party, coverTerms, print-name/title/date signing semantics, or other agreement field names)? safe-docx is a general OOXML library: its surface should be Word/OOXML vocabulary (table, row, cell, border, run) plus a small allowlist of genuinely LLM-driven affordances that are not in Word but exist because LLMs are the primary consumers (e.g. an outline/TOC view sized for a context window). Domain-shaped composition (a "signature block" is just a w:tbl built from TableSpec/BorderSpec/RunProps) belongs in the consumer, not here. WARN if a new symbol is named for, or shaped around, one product rather than the general OOXML/LLM surface. See CONTRIBUTING "Library scope & domain boundaries". Reference: remove-agreement-domain-recipes removed coverTermsTable/signatureBlock for this reason.

Estimated cost (this run): $0.0215 — 67,226 input + 509 output tokens (≈4 chars/token) on gemini-3.5-flash. Char-count estimate, not provider telemetry.

[codecov]

Codecov Report

❌ Patch coverage is 91.66667% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
packages/docx-mcp/src/tools/read_file.ts	91.66%	0 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!