MVP pipeline simplification:
- render_rollups() now produces ONLY summary.md + AUDIT_REPORT.md
- run_audit() now produces only per-aggregate .md (no .dsl/.tree)
- New src/code_path_audit_gen.py generates the single coherent report
Stale artifacts moved to _stale/ subdirectory (preserved for history):
- 13 per-aggregate .dsl files (redundant with .md)
- 13 per-aggregate .tree files (redundant with .md)
- 9 old top-level rollups (cross_audit_summary, decomposition_matrix,
candidates, field_usage, call_graph, hot_paths, dead_fields,
ssdl_analysis, organization_deductions - all superseded by sections
inlined in AUDIT_REPORT.md)
- _stale/README.md explains what happened
Meta-audit updated to check .md files (14 required H2 sections per
aggregate) instead of .dsl files. 0 violations on 10 real profiles.
Tests: 131 passing. New MVP report: 5000+ lines.
Three real bugs fixed:
1. FunctionRef always used line=0. Now passes node.lineno from AST.
2. P3_pass results were discarded with bare pass. Now stored in
ProducerConsumerGraph.field_accesses.
3. Field-access detector only saw entry['key']; missed entry.get('key')
which is the dominant pattern in this codebase. Now handles both.
Plus _extract_type_name() helper handles Optional[T], dict[str, T],
list[T], Result[T], Union[T, ...], and T | None (PEP 604) so P1/P2
catch more annotation patterns.
Real numbers (Metadata aggregate):
- producers: 77 -> 117
- consumers: 35 -> 66
- field-access sites: 130 -> 173
- line numbers: all real (line 1281, 1746, etc.)
AUDIT_REPORT.md grew 2009 -> 3140 lines with real evidence.
Total audit output: 5176 lines / 50 files (was 2415 / 49).
All 131 tests still passing.
fqname, file, line, role. Used in ProducerConsumerGraph edges
and per-aggregate producer/consumer lists. Per error_handling.md
Pattern 1 (immutability for cross-thread safety).
2 unit tests passing.
Phase 0 of any_type_componentization_20260621. Extends src/type_aliases.py
with two recursive-friendly TypeAliases for JSON wire format (used by
Phase 5 api_hooks WebSocketMessage):
- JsonPrimitive: str | int | float | bool | None
- JsonValue: JsonPrimitive | list['JsonValue'] | dict[str, 'JsonValue']
The forward-ref 'JsonValue' strings work because from __future__ import
annotations is at the top of the module (PEP 563 + PEP 613 TypeAlias).
Tests added (4 new, 14 total):
- test_json_primitive_alias_resolves_to_union: hints exposes JsonPrimitive
- test_json_value_alias_resolves_to_recursive_union: hints exposes JsonValue
- test_json_value_accepts_primitive_dict: dict[str, JsonValue] runtime use
- test_json_value_accepts_nested_structures: nested dict+list round-trip
Verification:
uv run pytest tests/test_type_aliases.py --timeout=30
14 passed in 2.97s
AggregateKind (4 values), MemoryDim (7), AccessPattern (5),
Frequency (7), RecommendedDirection (4). All Literal types
for stable postfix DSL output (string-valued, no enum-name
lookup table needed in the parser).
5 unit tests passing. The 9 supporting dataclasses + the
AggregateProfile central artifact go in Tasks 1.2-1.10.
audit_tier2_leaks bug: when test fixtures (tmp_path) are inside the
parent git repo, git's git diff and git ls-files look UP for a
parent .git/ directory and report the PARENT's modified files. This
made tests/test_audit_tier2_leaks.py fail because the audit reported
mcp_paths.toml + opencode.json as 'modified' even though those are in
the parent repo, not in the clean tmp_path fixture.
Fix: set GIT_DIR to a non-existent path (repo_root/.git) in the env
passed to git subprocesses. This forces git to fail, which the audit
treats as 'no modifications' / 'no tracked files'.
test_palette_starts_hidden hardening: live_gui is session-scoped so
other tests may leave the palette open. Pre-toggle the palette before
asserting it's hidden - converts a 'depends on test ordering' test
into a 'palette is closable' test.
Verification:
- tier-1-unit-core: ALL 5 batches PASS (was 5 failures)
- tier-3-live_gui: test_gui2_custom_callback_hook_works now PASSES
(was FAILED); other live_gui flakes surface non-deterministically
per batch run (pre-existing issue, not caused by this fix)
The phase2_4_5_call_site_completion_20260621 track's end-of-track report
documented 5 pre-existing tier-1-unit-core failures as 'not caused by
this track' and deferred them to a future track. The user explicitly
called this out as a process mistake - even pre-existing failures must
be fixed for the track to be 'done'.
Fixed 3 of 5 (the other 2 are sandbox-pollution audit_tier2_leaks tests
that require infrastructure changes):
1. test_logging_e2e::test_logging_e2e ('Session' object does not support
item assignment): Phase 4 of the parent track migrated LogRegistry
data from dict to frozen Session dataclass; test_logging_e2e.py was
missed in the migration. Fix: add LogRegistry.set_session_start_time()
method (mirrors update_session_metadata's pattern of replacing the
frozen Session with a new one); update test to use the new method.
2. test_no_temp_writes::test_no_script_emits_to_temp (scripts/generate_type_registry.py
uses tempfile): The --check mode was using tempfile.TemporaryDirectory
which the audit forbids. Fix: refactor --check mode to use a path
under tests/artifacts/_type_registry_check/ instead (cleaned up in
a finally block).
3. test_gui2_parity::test_gui2_custom_callback_hook_works (custom
callback not executed within 1.5s): The test used time.sleep(1.5) +
assert, the documented race condition anti-pattern. Fix: replace
with a 10s poll loop that waits for the file to exist AND have the
correct content (per workflow's polling pattern guidance).
Verification: tier-1-unit-core now has only 3 remaining failures, all
are pre-existing test_audit_tier2_leaks sandbox-pollution tests
(deferred to infrastructure track per metadata.json).
Phase 5 of any_type_componentization_20260621 changed
WebSocketServer.broadcast(channel, payload) -> broadcast(message: WebSocketMessage)
but did not update internal callers in src/app_controller.py + src/events.py.
This adds 4 tests that pin the contract:
- test_websocket_server_broadcast_signature: asserts (self, message) signature
- test_websocket_server_broadcast_rejects_legacy_2arg_call: asserts legacy raises TypeError
- test_websocket_server_broadcast_accepts_websocket_message_instance: smoke test
- test_internal_callers_use_websocket_message_signature: structural grep over src/
The 4th test currently FAILS (red phase), identifying 2 legacy sites:
- src/app_controller.py:1849: self.event_queue.websocket_server.broadcast('telemetry', metrics)
- src/events.py:115: self.websocket_server.broadcast('events', {...})
The structural assertion is reused by code_path_audit_20260607.
Phase 5 of any_type_componentization_20260621 changed
WebSocketServer.broadcast(channel, payload) -> broadcast(message: WebSocketMessage)
but did not update internal callers in src/app_controller.py + src/events.py.
This adds 4 tests that pin the contract:
- test_websocket_server_broadcast_signature: asserts (self, message) signature
- test_websocket_server_broadcast_rejects_legacy_2arg_call: asserts legacy raises TypeError
- test_websocket_server_broadcast_accepts_websocket_message_instance: smoke test
- test_internal_callers_use_websocket_message_signature: structural grep over src/
The 4th test currently FAILS (red phase), identifying 2 legacy sites:
- src/app_controller.py:1849: self.event_queue.websocket_server.broadcast('telemetry', metrics)
- src/events.py:115: self.websocket_server.broadcast('events', {...})
The structural assertion is reused by code_path_audit_20260607.
Phase 2 deferred t2_6: update src/ai_client.py _send_grok + _send_minimax +
_send_llama + _send_gemini_cli (4 functions) to use the new
dataclass API after NormalizedResponse was refactored to
(text, tool_calls: tuple[ToolCall, ...], usage: UsageStats, raw_response).
These 4 callers were left with the old keyword args
(usage_input_tokens, usage_output_tokens, ...) which broke at
runtime: ai_client.send() raised
TypeError: NormalizedResponse.__init__() got an unexpected keyword
argument 'usage_input_tokens'.
FIXES:
- src/ai_client.py L2054: gemini_cli 'adapter unavailable' branch
- src/ai_client.py L2088: gemini_cli normal response branch
- Added: from src.openai_schemas import UsageStats (module level)
- Added backward-compat in src/openai_compatible.py:
messages_dicts = [m.to_dict() if hasattr(m, 'to_dict') else m for m in request.messages]
(accepts both ChatMessage dataclass and dict for backward compat
with existing tests that pass raw dicts)
TEST FIXES:
- tests/test_ai_client_tool_loop.py: _make_normalized_response helper
uses UsageStats instead of usage_*_tokens kwargs
- tests/test_ai_client_tool_loop_builder.py: same
- tests/test_ai_client_tool_loop_send_func.py: same
- tests/test_openai_compatible.py: NormalizedResponse(text=..., usage=UsageStats(...))
+ tool_calls[0].function.name (attribute access) instead of ['function']['name']
- tests/test_auto_whitelist.py: use update_session_metadata() instead of
dict subscript assignment (Session dataclass doesn't support item assignment)
VERIFIED:
uv run pytest tests/test_ai_client_*.py tests/test_openai_*.py \
tests/test_auto_whitelist.py --timeout=30
56 passed in 4.49s (19 previously failing tests now pass)
uv run python scripts/audit_weak_types.py --strict
STRICT OK: 115 weak sites <= baseline 115
uv run python scripts/audit_dataclass_coverage.py --strict
STRICT OK: 200 weak sites <= baseline 207
This commit closes the t2_6 deferred task. The 41-site Phase 3 call-site
migration remains deferred (separate provider_state_migration track).
youtube-transcript-api v1.2.4 returns XML parse error on empty response for ALL videos in this campaign. yt-dlp's --write-auto-subs reliably returns 1000s of segments per video. Switched to yt-dlp as the primary path.
Tests updated to mock _fetch_via_ytdlp instead of _fetch_raw_transcript. 8/8 tests passing.
Phase 0 of any_type_componentization_20260621. Extends src/type_aliases.py
with two recursive-friendly TypeAliases for JSON wire format (used by
Phase 5 api_hooks WebSocketMessage):
- JsonPrimitive: str | int | float | bool | None
- JsonValue: JsonPrimitive | list['JsonValue'] | dict[str, 'JsonValue']
The forward-ref 'JsonValue' strings work because from __future__ import
annotations is at the top of the module (PEP 563 + PEP 613 TypeAlias).
Tests added (4 new, 14 total):
- test_json_primitive_alias_resolves_to_union: hints exposes JsonPrimitive
- test_json_value_alias_resolves_to_recursive_union: hints exposes JsonValue
- test_json_value_accepts_primitive_dict: dict[str, JsonValue] runtime use
- test_json_value_accepts_nested_structures: nested dict+list round-trip
Verification:
uv run pytest tests/test_type_aliases.py --timeout=30
14 passed in 2.97s
RED phase for Phase 0. Mirrors tests/test_audit_weak_types.py structure:
- test_audit_script_exists: AUDIT_SCRIPT.is_file() sanity
- test_audit_help_runs: --help exits 0
- test_audit_json_mode_emits_valid_json: --json emits valid JSON with expected fields
- test_audit_default_mode_emits_human_report: default mode prints a report
- test_audit_strict_mode_against_existing_baseline_passes: --strict exits 0 when current <= baseline
- test_audit_strict_mode_fails_when_baseline_is_zero: --strict exits 1 when current > baseline=0
- test_audit_baseline_field_shape: --json output has expected baseline-shape fields
7 tests total. Run with: uv run pytest tests/test_audit_dataclass_coverage.py --timeout=30
NOTE: 6 of 7 tests fail at this commit (audit script not yet implemented).
This is the RED phase; GREEN comes in the next commit.
Per FR1 of test_sandbox_hardening_20260619 spec, all writes must be under
<project_root>/tests/. Tests that create an AppController + call init_state()
trigger session_logger.open_session() at src/session_logger.py:85 which
writes to paths.get_logs_dir() - by default logs/ at project root, outside
tests/. This was triggered by tests/test_context_composition_decoupled.py
and surfaced in the latest batched test run.
Add a function-scoped autouse fixture in tests/conftest.py that monkeypatches
src.paths.get_logs_dir to return a per-run tests/-allowed path. Per-run
subdirectory prevents log_registry.toml collisions across test runs.
Skips test_paths.py, test_test_sandbox.py, and test_app_controller_offloading.py
which directly assert on paths.get_logs_dir() behavior or set up their own
session via tmp_session_dir (overriding get_logs_dir at the module level
breaks those tests' assertions). No production code is modified.
ed