fix(ci): triage Tests + Dogfood Gate failures (Refs #77) #87

Merged: hyperpolymath merged 1 commit into main from fix/ci-triage-77-tests-dogfood on May 17, 2026

@hyperpolymath
Owner

Triage of the three workflows in #77.

Tests — fixed (988/988)

Root cause of the red was a single uncaught exception (PhoenixSocket.nextRef is not a function) that aborted the run mid-suite. The runner only console.log'd failures and never exited nonzero, so that crash was the only thing failing CI — and it masked 18 pre-existing real failures.

  • PhoenixSocket: allocRef → nextRef (API drift; both test suites expect nextRef).
  • applyFriction: float-safe assertion (100.0*0.55 !== 55.0 in IEEE-754).
  • Gated the runner (Deno.exit(1) on failure) — this un-masks the 18; all fixed, choosing the canonical side per the source's documented intent:
    • Multiplayer ×3 — HackerQ was a deliberate rename across 5 source files; tests were stale.
    • LevelConfig ×10 + Functional F06/F15 + Regression R09 — a dated, commented gameplay rebalance ("Counts updated 2026-03-16", "Win rate was 0%"); tests encoded the old numbers.
    • CompanionMole getCarryCapacity — mock used the old multi-slot equipment model; source refactored to single equipped.
    • DLC bundle round-trip — wire form is lowercase "expert"; test wrongly expected "Expert".

The gating is the important durable fix: silent test rot is no longer possible.

Dogfood Gate — A2ML fixed at source; K9 tracked

Both sub-jobs were pinned to stale (2026-04-11) action SHAs.

RSR Anti-Pattern Check

Already returned to green via #82 — no action needed.

Status vs #77

  • Tests: ✅ green + gated
  • Dogfood Gate: ✅ A2ML half green at source; ⏳ K9 half blocked on k9iser#8
  • RSR Anti-Pattern: ✅ already green

Not using Closes #77 — Dogfood Gate is only fully green once k9iser#8 lands.

🤖 Generated with Claude Code

Tests
-----
The Shared Tests runner only console.log'd failures — it never exited
nonzero — so the only thing reddening CI was an *uncaught* exception:
`PhoenixSocket.nextRef is not a function`. That crash aborted the run
mid-suite and masked 18 pre-existing real failures behind it.

- PhoenixSocket: `allocRef` → `nextRef` (test + tests/unit both expect
  `nextRef`; the int field of the same name is unaffected — distinct
  namespace).
- PlayerPhysics applyFriction: float-safe assertion (100.0*0.55 ===
  55.00000000000001, not 55.0).
- test_all.res.js: gate CI — `Deno.exit(1)` when any test fails. This
  un-masks the 18; all are fixed below (canonical side chosen per the
  source's documented intent):
  * Multiplayer ×3: role variant was deliberately renamed Hacker→Q
    across 5 source files (incl. user-facing ObserverScreen) — tests
    were stale. Updated tests to Q/"q".
  * LevelConfig ×10 + Functional F06/F15 + Regression R09: source is a
    dated, commented gameplay rebalance ("Counts updated 2026-03-16",
    "Balance v2: reduced from 4… Win rate was 0%"). Tests encoded the
    old numbers. Updated to the balanced values; F06 now asserts
    non-decreasing + overall span (the curve intentionally plateaus).
  * CompanionMole getCarryCapacity: mock used the old multi-slot
    `equipment{head,body}`; source refactored to single
    `equipped: option<equipment>`. Migrated the mock.
  * DLC bundle round-trip: wire form is lowercase `"expert"`
    (difficultyToString); test wrongly expected `"Expert"`.

Result: 988/988 shared tests pass; runner now fails CI on regressions.

Dogfood Gate
------------
Both sub-jobs were red on stale SHA pins (2026-04-11):
- a2ml-validate-action: bumped to 59145c7. 15 errors → 0. Root cause
  was an over-strict identity check flagging the canonical
  `.machine_readable/` tree (rsr-template-repo itself fails the old
  check) — fixed at source in a2ml-validate-action#12 (merged), which
  this pin adopts.
- k9-validate-action: bumped to 2d96f43 (un-drift). The 6 remaining K9
  errors are real but rooted in the `k9iser` code generator emitting
  contracts without the `K9!` magic line + pedigree block — tracked
  upstream as k9iser#8. The K9 sub-job stays red until that lands;
  not masked here.

RSR Anti-Pattern Check already returned to green via #82.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
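
The failure mode described in the commit message above, as an added example that is not code from this PR or repository: a runner that records a thrown exception as one failed test rather than aborting, and maps any failure to a nonzero exit status. The function names, the `socket` object and the sample suite are hypothetical and constructed for illustration.

```javascript
// Added example; not the project's test_all.res.js. All names are hypothetical.

// Float-safe comparison: 100.0 * 0.55 evaluates to 55.00000000000001, not 55.0.
function approxEqual(actual, expected, eps = 1e-9) {
  return Math.abs(actual - expected) <= eps * Math.max(1, Math.abs(expected));
}

// Run every test. A thrown exception is recorded as that test's failure
// instead of aborting the run and hiding the tests queued behind it.
function runSuite(tests) {
  const failures = [];
  for (const [name, fn] of tests) {
    try {
      if (fn() !== true) failures.push({ name, error: "assertion failed" });
    } catch (err) {
      failures.push({ name, error: String((err && err.message) || err) });
    }
  }
  return { total: tests.length, failed: failures.length, failures };
}

// The gate: any failure becomes a nonzero exit status for CI.
function exitCodeFor(result) {
  return result.failed === 0 ? 0 : 1;
}

// Constructed suite with the failure shapes named in the PR.
const socket = { allocRef: () => 1 }; // API drift: nextRef() does not exist
const sampleTests = [
  ["friction, exact ===", () => 100.0 * 0.55 === 55.0],
  ["friction, float-safe", () => approxEqual(100.0 * 0.55, 55.0)],
  ["socket nextRef", () => socket.nextRef() === 1], // throws TypeError
  ["difficulty wire form", () => "expert" === "Expert"], // stale expectation
  ["queued after the crash", () => true],
];

// `exit` is injected: pass Deno.exit in a Deno CI job.
function main(exit) {
  const result = runSuite(sampleTests);
  for (const f of result.failures) console.log(`FAIL ${f.name}: ${f.error}`);
  console.log(`${result.total - result.failed}/${result.total} passed`);
  exit(exitCodeFor(result));
}

main((code) => console.log(`exit status ${code}`)); // demo: report, do not exit
```

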
@github-actions

🔍 Hypatia Security Scan

Findings: 52 issues detected

Severity Count
🔴 Critical 12
🟠 High 27
🟡 Medium 13

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "serviceworker-check.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/idaptik/idaptik/dlc/idaptik-dlc-reversible/robot-repo-bot/_modules/robot_repo.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Deno -A grants all permissions -- use specific --allow-* flags (3 occurrences, CWE-250)",
    "type": "js_deno_all_perms",
    "file": "/home/runner/work/idaptik/idaptik/run.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/idaptik/idaptik/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "getExn on external data -- use pattern matching (2 occurrences, CWE-754)",
    "type": "getexn_on_external",
    "file": "/home/runner/work/idaptik/idaptik/src/app/devices/VMBridge.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "JSON decode without validation (2 occurrences, CWE-20)",
    "type": "json_decode_no_validation",
    "file": "/home/runner/work/idaptik/idaptik/src/app/proven/SafeJson.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "JSON decode without validation (1 occurrences, CWE-20)",
    "type": "json_decode_no_validation",
    "file": "/home/runner/work/idaptik/idaptik/src/app/screens/BalanceAnalyserModel.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Obj.magic bypassing type safety (1 occurrences, CWE-704)",
    "type": "obj_magic",
    "file": "/home/runner/work/idaptik/idaptik/src/app/verisimdb/VeriSimDrift.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Obj.magic bypassing type safety (1 occurrences, CWE-704)",
    "type": "obj_magic",
    "file": "/home/runner/work/idaptik/idaptik/src/app/verisimdb/VeriSimVcl.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Obj.magic bypassing type safety (1 occurrences, CWE-704)",
    "type": "obj_magic",
    "file": "/home/runner/work/idaptik/idaptik/src/app/verisimdb/VeriSimSearch.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit e53f93a into main May 17, 2026
25 of 32 checks passed
@hyperpolymath hyperpolymath deleted the fix/ci-triage-77-tests-dogfood branch May 17, 2026 10:48
hyperpolymath added a commit that referenced this pull request May 18, 2026
)

## Summary

PR #87 merged with a known-red **Dogfood Gate → "Validate K9
contracts"** job. The root cause was upstream: k9iser's codegen did not
emit the `K9!` magic line or a `pedigree` block, so idaptik's generated
contracts failed the canonical `hyperpolymath/k9-validate-action`.

**k9iser#9 has since merged** (squash `c7626ca` on
`hyperpolymath/k9iser` main): the codegen now emits the `K9!` magic line
and a `pedigree` block as required by
`hyperpolymath/k9-validate-action`.

This PR regenerates idaptik's three K9 contracts from `k9iser.toml`
using the merged generator:

- `generated/k9iser/container-build.k9`
- `generated/k9iser/deno-workspace.k9`
- `generated/k9iser/prod-compose-overrides.k9`

Each now carries, as produced by the fixed generator:
- `K9!` as the first non-empty line (magic number)
- an SPDX header (`# SPDX-License-Identifier: PMPL-1.0-or-later`)
- a `pedigree` block: `schema_version`,
`metadata.name`/`metadata.version`, `security.leash = "yard"`,
`signature_required = false`

This is a real regeneration from source — not a hand-patch / paper-over.
No workflow pin change is needed: the Dogfood Gate pins the *validator*
(`hyperpolymath/k9-validate-action@2d96f43`, unchanged by k9iser#9);
only the *generated contracts* needed regeneration.

## Verification

Validated against the exact validator the Dogfood Gate pins
(`hyperpolymath/k9-validate-action@2d96f43c538964b097d159ed3a56ba5b5ceca227`,
`validate-k9.sh`), traced check-by-check over all three contracts:

| Check | Result |
|-------|--------|
| 1. `K9!` magic on first non-empty line | PASS (line 1 in all 3) |
| 2. SPDX header in first 10 lines | PASS (line 2) |
| 3. `pedigree` block + `name` + `version`/`schema_version` | PASS (correct brace-depth detection) |
| 4. Security level (`leash`) is `kennel`/`yard`/`hunt` | PASS (`yard`) |
| 5. Hunt-level signature requirement | N/A (level is `yard`) |

Expected gate result: **3 files scanned, 0 errors, 0 warnings, exit 0**
— the "Validate K9 contracts" job goes green. The Dogfood Gate runs on
`pull_request`, so opening this PR exercises the gate directly.

Refs #77 — does not close; #77 is the open CI-triage /
requirements-target issue and stays open pending explicit sign-off.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
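
Checks 1 to 4 from the verification table above, as an added example that is not `validate-k9.sh` or any code from these repositories. The concrete contract syntax in the two samples is constructed from the field names listed in the commit message and is an assumption; check 5 is left out because the page does not state what the hunt-level requirement is.

```javascript
// Added example; not validate-k9.sh. Contract syntax in the samples is constructed.
const LEASH_LEVELS = ["kennel", "yard", "hunt"];

// Text inside the first `pedigree { ... }` block, found by tracking brace depth
// so that nested blocks (metadata, security) do not end the match early.
function pedigreeBody(text) {
  const m = /\bpedigree\b[^{]*\{/.exec(text);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1;
  for (let i = start; i < text.length; i++) {
    if (text[i] === "{") depth++;
    else if (text[i] === "}" && --depth === 0) return text.slice(start, i);
  }
  return null; // unbalanced braces
}

function validateK9(text) {
  const errors = [];
  const lines = text.split(/\r?\n/);
  const first = lines.find((l) => l.trim() !== "");
  if (!first || first.trim() !== "K9!") errors.push("check 1: K9! magic missing");
  if (!lines.slice(0, 10).some((l) => l.includes("SPDX-License-Identifier:")))
    errors.push("check 2: no SPDX header in first 10 lines");
  const body = pedigreeBody(text);
  if (body === null) return errors.concat("check 3: pedigree block missing");
  if (!/\bname\s*=/.test(body)) errors.push("check 3: pedigree name missing");
  if (!/\b(schema_)?version\s*=/.test(body))
    errors.push("check 3: pedigree version missing");
  const leash = /\bleash\s*=\s*"([^"]*)"/.exec(body);
  if (!leash || !LEASH_LEVELS.includes(leash[1]))
    errors.push("check 4: leash is not kennel/yard/hunt");
  return errors;
}

// Constructed samples: a post-fix contract and a pre-fix one (no magic, no pedigree).
const GOOD = `K9!
# SPDX-License-Identifier: PMPL-1.0-or-later
pedigree = {
  schema_version = "1.0.0",
  metadata = { name = "container-build", version = "0.1.0" },
  security = { leash = "yard", signature_required = false },
}
`;
const BAD = `# SPDX-License-Identifier: PMPL-1.0-or-later
contract = { name = "deno-workspace" }
`;
console.log(validateK9(GOOD), validateK9(BAD));
```

A scanner that stopped the `pedigree` block at the first `}` would cut it off after `metadata` and report the `leash` value as missing, which is why the depth counter matters for check 3 and check 4.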