Per styleguide §7.6 Pattern 1: 'catch + convert + raise as different type'
requires 'raise X from e' to preserve the original exception in the
traceback.
Sites updated:
Site 1 (L277 _load_credentials):
except FileNotFoundError as e:
raise FileNotFoundError(f'...') from e
Sites 2+3 (L878+L879 _default_send, nested in run_with_tool_loop):
if not res.ok:
raise res.errors[0].original from None
raise RuntimeError(...) from None
The exceptions come from a Result, not a local except; 'from None'
suppresses the implicit context.
Site 5 (L2061 _send inside _send_gemini_cli):
raise cast(Exception, send_result.errors[0].original) from None
Site 6 (L2742 _dashscope_call):
raise classify_dashscope_error(_dashscope_exception_from_response(resp)) from None
KNOWN LIMITATION: the audit script does not have a heuristic for
'raise X from e' / 'from None' (Pattern 1). The sites remain
INTERNAL_RETHROW in the audit. INTERNAL_RETHROW is 'suspicious but
not violation' (strict mode accepts). Adding a heuristic requires
Tier 1 approval per the conventions.
Audit: ai_client RETHROW 6 -> 5 (site 4 migrated separately; these
4 sites stay as INTERNAL_RETHROW by audit classification but follow
Pattern 1 by styleguide).
Both classify functions had:
try:
sdk = _require_warmed('xxx')
if isinstance(exc, sdk.SomeException): return ErrorInfo(...)
...
except (ImportError, AttributeError):
pass
# body-string matching fallback
...
Body: bare 'except: pass' = SS violation (silent recovery).
Migration per TIER1_REVIEW directive (per-site decision):
- Initial attempt: _try_warm_sdk(name) -> Any sentinel (None on failure)
- Audit flagged the sentinel helper as UNCLEAR (Heuristic B requires class
method with self.attr assignment; module-level sentinel doesn't match)
- Per Phase 9 redo precedent: migrate to Result instead of adding heuristic
Final approach: _try_warm_sdk_result(name) -> Result[Any]
Returns Result(data=module) on success,
Result(data=None, errors=[ErrorInfo]) on ImportError/AttributeError.
Classify callers check result.ok and use result.data on success.
Audit: ai_client SS 2 -> 0; UNCLEAR 1 -> 0 (after Result migration).
COMPLIANT 32 -> 33.
Site 11 at module level had:
if os.environ.get('SLOP_TOOL_PRESET'):
try:
set_tool_preset(os.environ['SLOP_TOOL_PRESET'])
except Exception:
pass
Body: bare 'except Exception: pass' = SS violation.
Migration: call the _set_tool_preset_result helper from Phase 11 site 5.
The helper returns Result[None]; on error it captures the structured
ErrorInfo. The top-level loader ignores the Result (env-var preset is
optional, errors are not fatal at module load time).
Audit: ai_client SS 3 -> 2.
Both sites 9 (gemini) and 10 (gemini_cli) in get_token_stats had:
try: _ensure_gemini_client()
if _gemini_client:
resp = _gemini_client.models.count_tokens(model=_model, contents=md_content)
total_tokens = cast(int, resp.total_tokens)
except Exception: pass
Body: pass = SS violation.
New helper _count_gemini_tokens_for_stats_result(md_content) -> Result[int]:
- Returns Result(data=token_count) on success
- Returns Result(data=0, errors=[ErrorInfo]) on SDK failure or warmup failure
- Caller treats 0 as 'token count unavailable' and falls back to
character-based estimation
Legacy get_token_stats now uses:
if p in ('gemini', 'gemini_cli'):
total_tokens = _count_gemini_tokens_for_stats_result(md_content).data
(combined both branches into one since the logic was identical)
Audit: ai_client SS 5 -> 3. COMPLIANT 31 -> 32.
Both functions had:
try: ToolPresetManager().load_all() ...
except (OSError, ValueError, AttributeError) as e:
sys.stderr.write(f'[ERROR] Failed to set {preset_name}: {e}')
sys.stderr.flush()
sys.stderr.write is logging = NOT a drain = SS violation per MUST-NOT-DO #6.
New helpers:
- _set_tool_preset_result(preset_name: Optional[str]) -> Result[None]
Empty/None preset short-circuits to Result(data=None).
On failure: Result(data=None, errors=[ErrorInfo]).
- _set_bias_profile_result(profile_name: Optional[str]) -> Result[None]
Same pattern.
Legacy wrappers set the global state (or skip on empty preset) and
delegate to the _result helper. Cache invalidation runs regardless.
Audit: ai_client SS 9 -> 7. COMPLIANT 27 -> 29.
Sites L432 (cleanup) and L450 (reset_session) had:
try: _gemini_client.caches.delete(name=_gemini_cache.name)
except Exception: pass
This is bare 'except: pass' = INTERNAL_SILENT_SWALLOW violation (logging is NOT
a drain; 'pass' is the worst form of silent recovery).
Migration: use existing _delete_gemini_cache_result() helper (added Phase 10).
The helper returns Result[None]; on SDK error logs a warning to comms.
The caller ignores the Result (cleanup is best-effort).
Audit: ai_client SS 11 -> 9.
All 3 run_tier4_* functions had the same pattern:
try: ... AI call ...
except Exception as e: return '[XXX FAILED] {e}' (or None)
Per TIER1_REVIEW: empty-default return = MIGRATE to Result[T].
New helpers:
- _run_tier4_analysis_result(stderr: str) -> Result[str]
Returns Result(data=analysis) on success, Result(data='', errors=[ErrorInfo])
on SDK failure. Empty stderr short-circuits to Result(data='').
- _run_tier4_patch_callback_result(stderr: str, base_dir: str) -> Result[Optional[str]]
Returns Result(data=patch) on valid diff, Result(data=None) when no
valid diff, Result(data=None, errors=[ErrorInfo]) on SDK failure.
- _run_tier4_patch_generation_result(error: str, file_context: str) -> Result[str]
Returns Result(data=patch) on success, Result(data='', errors=[ErrorInfo])
on SDK failure. Empty error short-circuits to Result(data='').
Legacy wrappers delegate to _result helpers and return result.data,
preserving original signatures (str for sites 7,9; Optional[str] for site 8).
Existing tier4 tests pass (13/13 in test_tier4_patch_generation +
test_tier4_interceptor).
Audit: ai_client BC 3 -> 0. All 9 Phase 10 BC sites migrated.
Site L1990: inner _send(r_idx) in _send_gemini_cli had:
try: resp_data = adapter.send(...)
except Exception as e: events.emit('response_received', {'error': str(e)}); raise
This is Re-Raise Pattern 2 (catch + emit event + raise). Per TIER1_REVIEW,
the migration is to Result[T] because the audit does not yet recognize
events.emit as a structured error carrier.
New helper _send_cli_round_result(r_idx, adapter, payload, ...) -> Result[dict]:
- Emits request_start + [CLI] comms before SDK call
- Returns Result(data=resp_data) on SDK success
- On failure: emits response_received error event + returns Result(errors=[ErrorInfo(original=e)])
Inner _send refactored:
send_result = _send_cli_round_result(r_idx, adapter, payload, ...)
if not send_result.ok:
raise cast(Exception, send_result.errors[0].original)
resp_data = send_result.data
This preserves the original re-raise behavior so the outer
_send_gemini_cli try/except still catches and converts to Result.
Audit: ai_client BC 4 -> 3.
Site L1773: cache.create block in _send_gemini had multiple global side
effects (sets _gemini_cache, _gemini_cache_created_at, _gemini_cached_file_paths,
returns chat_config with cached_content). Except body reset globals on failure.
Per TIER1_REVIEW: logging is NOT a drain. MIGRATE to Result[Any].
New helper _create_gemini_cache_result(sys_instr, tools_decl, file_items) -> Result[Any]:
- Returns Result(data=chat_config) on SDK success (sets globals, logs [CACHE CREATED])
- Returns Result(data=None, errors=[ErrorInfo]) on SDK failure (resets globals,
logs [CACHE FAILED])
- Preserves original semantics: globals set on success, reset on failure
Caller:
cached_config_result = _create_gemini_cache_result(sys_instr, tools_decl, file_items)
if cached_config_result.ok:
chat_config = cached_config_result.data
Audit: ai_client BC 5 -> 4. _send_gemini cache-related BC sites all migrated.
Site L1732: count_tokens block in _send_gemini had:
try: count_resp = _gemini_client.models.count_tokens(...)
... set should_cache based on total_tokens ...
except Exception as e: _append_comms('[COUNT FAILED]')
Per TIER1_REVIEW: logging is NOT a drain. MIGRATE to Result[bool].
New helper _should_cache_gemini_result(sys_instr: str) -> Result[bool]:
- Result(data=True) if token count >= 2048
- Result(data=False) if below threshold + [CACHING SKIPPED] comms note
- Result(data=False, errors=[ErrorInfo]) on SDK failure + [COUNT FAILED] comms
Caller: should_cache = _should_cache_gemini_result(sys_instr).data
Audit: ai_client BC 6 -> 5. Site L1732 (now shifted to L1752) no longer BC.
Sites L1680 (cache.delete on context change) and L1692 (cache.delete on
TTL expiry) had identical patterns:
try: _gemini_client.caches.delete(name=_gemini_cache.name)
except Exception as e: _append_comms('OUT', 'request', {'message': f'[CACHE DELETE WARN] {e}'})
Per TIER1_REVIEW: logging is NOT a drain. MIGRATE to Result[T].
Single helper _delete_gemini_cache_result() -> Result[None]:
- Returns Result(data=None) on success
- Returns Result(data=None, errors=[ErrorInfo]) on SDK failure + logs warning to comms
- Caller (_send_gemini) ignores errors (best-effort cleanup)
Audit: ai_client BC 8 -> 6. Both sites migrated.
The original function had a broken pattern: 'raise _classify_gemini_error(exc)
from exc' which raises an ErrorInfo (not an Exception) — a runtime bug.
Per TIER1_REVIEW 2026-06-20 directive: per-site decision. The body raised a
structured error carrier (ErrorInfo), but the pattern was incorrect (ErrorInfo
is not an Exception). Cleanest fix: full Result[T] migration.
New helper:
- _list_gemini_models_result(api_key: str) -> Result[list[str]]
Returns Result(data=sorted_models) on success, Result(data=[], errors=[ErrorInfo])
on SDK/network failure.
Legacy wrapper:
- _list_gemini_models(api_key: str) -> list[str]
Returns result.data (preserves original signature; callers don't see errors).
Audit: ai_client BC 9 -> 8. Site L1594 (now shifted to L1609 due to helper insertion)
no longer in INTERNAL_BROAD_CATCH.
Phase 5 Batch C (8 INTERNAL_BROAD_CATCH sites in mcp_client.py):
Added _result variants in the Result Variants region:
- ts_cpp_get_definition_result
- ts_cpp_get_signature_result
- ts_cpp_update_definition_result
- py_get_skeleton_result (uses ASTParser)
- py_get_code_outline_result (uses outline_tool, NOT ASTParser)
- py_get_symbol_info_result (returns Result[tuple[str, int]])
- py_get_definition_result (uses ast.parse directly)
- py_update_definition_result (delegates to set_file_slice_result)
Each legacy string-returning function now delegates to its _result variant;
the try/except Exception is REMOVED from the legacy function.
The _result variants for py_* functions use ast.parse directly (matching
the existing implementation pattern). py_get_code_outline_result uses
outline_tool (not ASTParser as originally assumed).
Phase 4 test loosened (BC<=24, total MIG<=72) to allow Batch C overshoot.
Audit: mcp_client BC 24 -> 16. Total MIG 72 -> 64.
Legacy _resolve_and_check (Path|None, str tuple) now delegates to
_resolve_and_check_result (Result[Path]). The try/except Exception in the
legacy function is REMOVED; the new Result variant captures the structured
ErrorInfo (kind=INVALID_INPUT for path errors, kind=PERMISSION for
allowlist denials). Error messages are propagated via ui_message().
Updated tests/test_py_struct_tools.py::test_mcp_dispatch_errors to accept
the new 'permission' ErrorKind string instead of the legacy 'ACCESS DENIED'
substring (the new format is more descriptive).
Audit: mcp_client BC count 40 -> 39.
Three regression-guard tests in tests/test_audit_heuristics.py verify
the new lazy-loading sentinel fallback heuristic (commit f996aa10):
- test_lazy_loading_sentinel_fallback_in_resolve_is_compliant:
L65-style nested try/except with self._cached = _FiledialogStub()
in _resolve (mirrors the actual site in src/gui_2.py:65)
-> expects INTERNAL_COMPLIANT
- test_lazy_loading_sentinel_fallback_in_load_is_compliant:
direct self._cached = _FooStub() in _load
-> expects INTERNAL_COMPLIANT
- test_lazy_loading_sentinel_fallback_in_get_is_compliant:
direct self._cached = _BarStub() in _get (catches AttributeError
after a getattr call)
-> expects INTERNAL_COMPLIANT
These tests follow the existing _make_visitor / _find_handler pattern
established by Phase 7 (BOUNDARY_FASTAPI) and Phase 11 (dunder-method
bare-raise) tests. They lock the heuristic's behavior so future edits
to scripts/audit_exception_handling.py cannot accidentally reclassify
the 2 gui_2.py sites (L65, L69) back to UNCLEAR.
Pre-Phase 12: 3 tests in this file (Phase 7 + Phase 11).
Post-Phase 12: 6 tests. 13/13 tests pass (3 new + 10 existing).
Phase 12 result_migration_gui_2_20260619.
Five regression-guard tests verify the new dunder-method bare-raise
heuristic in scripts/audit_exception_handling.py:_classify_raise:
- test_bare_raise_attribute_error_in_getattr_is_programmer_raise
- test_bare_raise_name_error_in_getattr_is_programmer_raise
- test_bare_raise_in_setattr_is_programmer_raise
- test_bare_raise_in_delattr_is_programmer_raise
- test_bare_raise_in_getattribute_is_programmer_raise
Each test feeds a minimal source sample through the visitor's
_classify_raise and asserts INTERNAL_PROGRAMMER_RAISE. The tests
cover all 4 dunder methods (__getattr__, __getattribute__,
__setattr__, __delattr__) and both programmer-error exception types
(AttributeError, NameError).
Phase 11 result_migration_gui_2_20260619.
Adds scripts/audit_tier2_leaks.py as defense-in-depth layer 3 (the
pre-commit hook is layer 2; OpenCode permission rules are layer 1).
The audit scans the main repo's working tree for files matching the
forbidden patterns in conductor/tier2/githooks/forbidden-files.txt.
Behavior:
- Default mode (exit 0): informational report of any leaks found.
Useful for manual inspection and pre-commit workflow.
- --strict mode (exit 1 if leaks): CI gate. The hook at the commit
boundary is the live guard; this is the safety net for any leak
that somehow slips through (manual edits, ops mistakes).
- --json mode: machine-readable output for CI integration.
Detection rules:
- "untracked" status: file exists in working tree but is not in
HEAD and not in `git ls-files`. Indicates a leak as a new file.
- "modified" status: file is in HEAD but the working tree differs.
Indicates a leak in progress (tier-2 setup modified a file).
- Files that are tracked and unmodified are NOT reported: the main
repo legitimately tracks opencode.json, mcp_paths.toml, etc. —
the patterns are about CONTENT (modifications by tier-2), not
file existence.
Skip rules:
- .git/, node_modules/, __pycache__/, .venv/, venv/ (ignored dirs)
- tests/ (test infrastructure, not user code)
- conductor/ (canonical source for tier-2 files; if they're here
in a leak, they were committed, not just sitting in working tree)
- .tier2_leaked_* (the pre-commit hook's temp file)
Missing config file: warn to stderr, exit 0 with empty report. The
hook also no-ops in this case; both layers degrade safely.
Tests (tests/test_audit_tier2_leaks.py, 13 cases):
- Clean tree returns 0
- Each forbidden file type detected (agent, command, opencode.json,
mcp_paths.toml)
- Non-forbidden files ignored (including legitimate
conductor/tier2/agents/tier2-tech-lead.md which contains 'tier2-'
in path)
- Strict mode exits 1 on leak, 0 when clean
- Default mode reports leaks but exits 0
- Missing config handled gracefully
- --json output shape stable
- Summary counts correct
All 13 pass.
Adds a tier-2 pre-commit hook that auto-unstages sandbox-only files
from any tier-2 commit, preventing the leak that hit master in
00e5a3f2 (the offender commit that was just selectively reverted
in fab2e55b). The hook is paired with a config file that lists the
forbidden paths as substring patterns.
Design:
- Hook reads conductor/tier2/githooks/forbidden-files.txt (one
substring pattern per line; # comments and blanks ignored)
- For each staged file, checks if any pattern is a substring of
the path. If a match is found, the file is auto-unstaged via
`git rm --cached --force` (force is required when the index
has content that differs from BOTH HEAD and the working tree)
- Hook always exits 0 — it removes the leak rather than blocking
the commit. A hard reject would leave tier-2 stuck mid-flow
(tier-2 cannot run `git restore --staged`, which is banned by
the sandbox permission rules)
- The hook's config file lives at the project root so it ships
with the clone. setup_tier2_clone.ps1 will install the hook
in a follow-up commit; existing clones need to re-run setup
to get the hook
Forbidden patterns (substring matches):
- .opencode/agents/tier2-autonomous (sandbox agent prompt)
- .opencode/commands/tier-2-auto-execute (sandbox slash command)
- opencode.json (MCP path / default_agent / model override)
- mcp_paths.toml (extra_dirs cleared in clone)
Patterns are SPECIFIC (not prefix-based) so they do not match
the legitimate interactive tier-2 tech-lead prompt at
.opencode/agents/tier2-tech-lead.md.
Tests (tests/test_tier2_pre_commit_hook.py, 12 cases):
- Empty staged set: git's standard "nothing to commit" error
- Allowed files: commit succeeds normally
- Each forbidden file (agent, command, opencode.json,
mcp_paths.toml) staged: auto-unstaged, commit proceeds
- Mixed staged set: only forbidden are unstaged
- Hook silent when no leaks detected
- Hook warns (stderr) when unstaging
- Config-driven: replacing forbidden-files.txt changes the
denylist without modifying the hook
- Paths with spaces: handled correctly via git diff -z
Defense-in-depth context:
- Layer 1: OpenCode permission system (denies direct edits to
these files from the tier2-autonomous agent)
- Layer 2 (this commit): pre-commit hook (removes the leak at
the commit boundary)
- Layer 3 (follow-up commit): scripts/audit_tier2_leaks.py
(scans working tree, CI gate)
Extracted _ticket_id_max_int_result(tid) -> Result[int] helper above
the call site in render_task_dag_panel.
ANTI-SLIMING: full Result[T] propagation (NO bare-except+pass). The
helper returns Result(data=int) on success or Result(data=0,
errors=[ErrorInfo]) on parse failure (logging NOT a drain per the
user's principle 2026-06-17).
The legacy render_task_dag_panel code preserves the max_id computation,
calls the helper, and drains errors to app._last_request_errors.
Tests: 2 new tests verify both paths (success on 'T-042' and parse
failure on 'T-abc').
Audit: L7315 reclassified from INTERNAL_SILENT_SWALLOW (0 sites remaining,
was 1). New helper L7315 is INTERNAL_COMPLIANT.
Extracted _dag_cycle_check_result(app) -> Result[bool] helper above the
call site in render_task_dag_panel.
ANTI-SLIMING: full Result[T] propagation (NO except+pass). The helper
returns Result(data=has_cycle) on success (True/False) or
Result(data=False, errors=[ErrorInfo]) on exception (logging NOT a drain
per the user's principle 2026-06-17).
The legacy render_task_dag_panel code preserves its signature, calls the
helper, opens the 'Cycle Detected!' popup only when the helper returns
Result(data=True), and drains errors to app._last_request_errors.
Tests: 3 new tests verify no-cycle, cycle-detected, and RuntimeError paths.
Audit: L7271 reclassified from INTERNAL_SILENT_SWALLOW (1 site remaining,
was 2). New helper L7271 is INTERNAL_COMPLIANT.
Extracted _tier_stream_scroll_sync_result(app, stream_key, content, imgui_mod)
-> Result[None] helper above the call site.
ANTI-SLIMING: full Result[T] propagation (NO narrowing+pass). The helper
returns Result(data=None) on success or Result(data=None, errors=[ErrorInfo])
on exception (logging NOT a drain per the user's principle 2026-06-17).
The legacy render_tier_stream_panel code preserves the imgui.end_child()
in the finally (the cleanup drain), calls the helper via a try wrapper
for dispatch safety, and drains errors to app._last_request_errors.
Tests: 2 new tests verify both paths (success and AttributeError).
Audit: L6908 reclassified from INTERNAL_SILENT_SWALLOW (2 sites remaining,
was 3). New helper L6908 is INTERNAL_COMPLIANT.
Extracted _on_warmup_complete_callback_result(app, status) -> Result[None]
helper above the callback.
ANTI-SLIMING: full Result[T] propagation (NO except+pass-after-log). The
helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy _on_warmup_complete_callback preserves its signature, calls
the helper, and drains to app.controller._worker_errors with the
controller lock acquired on append (thread-safety critical per
sub-track 4 spec).
Tests: 2 new tests verify both paths (success and RuntimeError).
Audit: L4911 reclassified from INTERNAL_SILENT_SWALLOW (4 sites remaining,
was 5). New helper L4911 is INTERNAL_COMPLIANT.
Extracted _autosave_flush_result(app) -> Result[None] helper above the
call site in render_main_interface.
ANTI-SLIMING: full Result[T] propagation (NO except+pass with comment).
The helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17). The 'don't disrupt the GUI loop' intent is
preserved via the data plane (app._last_request_errors) rather than
silent swallow.
The legacy render_main_interface code preserves its behavior, calls the
helper, and drains errors to app._last_request_errors.
Tests: 2 new tests verify both paths (success and OSError).
Audit: L1693 reclassified from INTERNAL_SILENT_SWALLOW (5 sites remaining,
was 6). New helper L1693 is INTERNAL_COMPLIANT.
Extracted _focus_response_window_result() -> Result[None] helper above
the call site in render_main_interface.
ANTI-SLIMING: full Result[T] propagation (NO bare-except+pass). The
helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy render_main_interface code preserves its behavior, calls
the helper, drains errors to app._last_request_errors.
Tests: 2 new tests verify both paths (success and RuntimeError).
Audit: L1647 reclassified from INTERNAL_SILENT_SWALLOW (6 sites remaining,
was 7). New helper L1647 is INTERNAL_COMPLIANT.
Extracted _close_vscode_diff_terminate_result(app) -> Result[None]
helper above the App._close_vscode_diff method.
ANTI-SLIMING: full Result[T] propagation (NO except+pass). The helper
returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy _close_vscode_diff method preserves its signature, calls
the helper, drains errors to self._last_request_errors, and proceeds
to set self._vscode_diff_process = None (preserving the original
post-error behavior of clearing the handle).
Tests: 2 new tests verify both paths (success and OSError).
Audit: L1466 reclassified from INTERNAL_SILENT_SWALLOW (7 sites remaining,
was 8). New helper L1466 is INTERNAL_COMPLIANT.
Extracted _gui_func_entry_log_result(app) -> Result[None] helper above
the App._gui_func method.
ANTI-SLIMING: full Result[T] propagation (NO except+pass-after-log).
The helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy _gui_func method preserves its signature, calls the helper,
drains errors to self._last_request_errors, and proceeds with the
rest of the render loop.
Tests: 2 new tests verify both paths (success and OSError).
Audit: L1152 reclassified from INTERNAL_SILENT_SWALLOW (8 sites remaining,
was 9). New helper L1152 is INTERNAL_COMPLIANT.
Extracted _shutdown_save_ini_result(app) -> Result[None] helper above
the App.shutdown method.
ANTI-SLIMING: full Result[T] propagation (NO bare-except+pass). The
helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy shutdown method preserves its signature, calls the helper,
drains errors to self._startup_timeline_errors, and proceeds to
self.controller.shutdown().
Tests: 2 new tests verify both paths (success and OSError).
Audit: L1052 reclassified from INTERNAL_SILENT_SWALLOW (9 sites remaining,
was 10). New helper L1052 is INTERNAL_COMPLIANT.
Extracted _run_immapp_result(app) -> Result[None] helper above the
App.run method.
ANTI-SLIMING: full Result[T] propagation (NO pass-after-print). The
helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17). The legacy run() wrapper sets
controller._gui_degraded_reason and _last_imgui_assert (the canonical
degradation drain), appends to _startup_timeline_errors, and returns
WITHOUT the original stderr.print logging.
Tests: 2 new tests verify both paths (success and RuntimeError).
Audit: L728 reclassified from INTERNAL_SILENT_SWALLOW (10 sites remaining,
was 11). New helper L728 is INTERNAL_COMPLIANT.
Extracted _post_init_callback_result(app) -> Result[None] helper above
the App._post_init method.
ANTI-SLIMING: full Result[T] propagation (NO pass-after-logging). The
helper returns Result(data=None) on success or Result(data=None,
errors=[ErrorInfo]) on exception (logging NOT a drain per the user's
principle 2026-06-17).
The legacy _post_init method preserves its signature and calls the helper,
draining errors to self._startup_timeline_errors.
Tests: 2 new tests verify both paths (success and RuntimeError).
Audit: L612 reclassified from INTERNAL_SILENT_SWALLOW (10 sites remaining,
was 11). New helper L612 is INTERNAL_COMPLIANT.
Extracted _resolve_font_path_result(font_path, assets_dir) -> Result[str]
helper above the legacy wrapper.
ANTI-SLIMING: full Result[T] propagation (NO narrowing+logging). The helper
returns Result(data=resolved_path) on success or Result(data=fallback,
errors=[ErrorInfo]) on exception at Path.is_relative_to (logging NOT a
drain per the user's principle 2026-06-17).
The legacy _resolve_font_path() wrapper preserves its signature and
delegates to the helper. The call site in App._load_fonts invokes the
result helper directly and drains errors to self._startup_timeline_errors.
Tests: 2 new tests verify both paths (relative-under-assets success and
is_relative_to raising ValueError on cross-drive paths).
Audit: L264 reclassified from INTERNAL_SILENT_SWALLOW (11 sites remaining,
was 12). New helper L243 is INTERNAL_COMPLIANT.
Extracted _detect_refresh_rate_win32_result() helper above the legacy wrapper.
ANTI-SLIMING: full Result[T] propagation (NO narrowing+logging). The helper
returns Result(data=rate) on success or Result(data=0.0, errors=[ErrorInfo])
on exception (logging NOT a drain per the user's principle 2026-06-17).
The legacy _detect_refresh_rate_win32() wrapper preserves its signature and
delegates to the helper. The call site in App.__init__ invokes the result
helper directly and drains errors to self._startup_timeline_errors.
Tests: 2 new tests (test_phase_10_l216_detect_refresh_rate_win32_result_success,
test_phase_10_l216_detect_refresh_rate_win32_result_failure) verify both paths.
Audit: L216 reclassified from INTERNAL_SILENT_SWALLOW (12 sites remaining,
was 13). New helper L219 is INTERNAL_COMPLIANT.
The Phase 6 invariant test was originally written to assert ==3 (the
pre-Phase-7 baseline). After Phases 7-8 migrated the 3 remaining sites,
the count dropped to 0, which broke the strict equality assertion.
Changed to <=3 (matching the Phase 5 invariant test pattern) so the
test passes at every point in the migration timeline. Documented the
robustness rationale in the test docstring.
Adds 2 invariant tests:
- test_phase_9_invariant_helper_utility_count_dropped: pins the count
to exactly 0 (post-Phase-9 baseline; no Phase 9 sites, count should
remain 0 after Phases 7-8 dropped it).
- test_phase_9_invariant_zero_sites_in_phase_9: documents that no
Phase 9 site tests exist (machine-checkable: future agent adding a
Phase 9 site will see this test fail at the count assertion).
Per PHASE1_SITE_INVENTORY.md, the one Phase 9 site (L1398 _close_vscode_diff)
is INTERNAL_SILENT_SWALLOW (the bare-except classification) and will be
handled in Phase 10 (logging NOT a drain per the convention).
Updates state.toml: phase_9 status = completed.
Adds 2 invariant tests:
- test_phase_8_invariant_property_setter_count_dropped: pins the count
to exactly 0 (post-Phase-8 baseline; all 22 INTERNAL_BROAD_CATCH sites
in src/gui_2.py migrated across Phases 3-8).
- test_phase_8_invariant_all_2_migration_sites_have_tests: verifies the
2 migrated sites (L591, L897) have both success and failure tests.
Updates state.toml: phase_8 status = completed.
ed