Skip to content

test: make D3 preview evidence tool-agnostic#57

Closed
Pigbibi wants to merge 2 commits into
mainfrom
codex/qar-d3-tool-agnostic-reslice
Closed

test: make D3 preview evidence tool-agnostic#57
Pigbibi wants to merge 2 commits into
mainfrom
codex/qar-d3-tool-agnostic-reslice

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Scope

Fresh reslice after frozen PR #56. Representative-fixture evidence only; no production trust, Pages, publisher, weekly/monthly, legacy, identity, store, or migration behavior.

Contract

  • Ordinary CI remains tool-agnostic: tests do not invoke uv or discover local tools.
  • D3 workflow alone installs the repository's pinned uv with immutable action SHAs and runs uv sync --locked --extra test / uv run --no-sync.
  • pull_request uses deterministic defaults for as_of and frozen generated_at; workflow_dispatch accepts explicit values.
  • Two independent frozen-clock producer/build invocations generate exact three-file private preview bundles.
  • Build/download verification binds the full evidence payload, base SHA, source fixture paths, locked environment, dependency inventory, and file hashes.
  • Artifact upload/download/readback is the required external acceptance; this PR does not claim that evidence until a current workflow run is observed.

Source-of-truth: /Users/lisiyi/Documents/Codex/2026-07-14/ba-2/outputs/qar_d3_tool_agnostic_reslice_design_v1_2026-07-15.md

Co-Authored-By: Codex <noreply@openai.com>
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Codex PR Review

🚫 Merge blocked: 1 serious issue(s) found in high-risk files

🚫 Blocking Issues

These issues must be fixed before this PR can be merged:

1. 🟠 [HIGH] Logic in scripts/d3_build_daily_preview.py

The builder never verifies that each generated preview workspace contains exactly manifest.json, report.html, and report.json before writing evidence and uploading artifacts. If build_preview_workspace() starts emitting an extra file, this workflow will still pass because _file_hashes() only hashes the three fixed names and the upload step silently drops any additional members, so the job can falsely certify a non-conforming bundle as an exact three-file preview. (line 59)

Suggestion: After each build_preview_workspace() call, assert that set(p.name for p in workspace.iterdir()) == set(FIXED_FILES) and fail closed on any missing or extra entry before computing evidence or uploading artifacts.

ℹ️ Other Findings

1. 🟡 [MEDIUM] Reliability in scripts/d3_verify_daily_preview.py

The download-side verifier hashes artifact members with read_bytes()/stat() but does not re-apply the builder's regular-file and single-link checks (lstat, S_ISREG, st_nlink == 1). That means the external acceptance step can still pass if a downloaded member is a symlink or hardlink whose target bytes match, so the artifact round-trip is not proving the same bundle invariants that were enforced at build time. (line 23)

Suggestion: Factor the builder's file validation into a shared helper and use it in the verifier as well, so downloaded members must also be regular files with st_nlink == 1 before their hashes are accepted.


Review by Codex PR Review bot • PR

Co-Authored-By: Codex <noreply@openai.com>
@Pigbibi

Pigbibi commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

PERMANENT_FREEZE/CLOSE_RESLICE: exact workspace member-set and regular-file invariant was not shared by builder/verifier. Preserving branch, commits, review evidence, Actions artifacts, and tests.

@Pigbibi Pigbibi closed this Jul 15, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 01a6e55fe9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/d3_evidence.py
DEPENDENCY_INVENTORY = [
".github/workflows/qar_d3_daily_preview_artifact.yml", "pyproject.toml", "uv.lock",
"scripts/d3_build_daily_preview.py", "scripts/d3_verify_daily_preview.py", "scripts/d3_evidence.py",
"src/quant_advisor_research/advisory_report.py", "src/quant_advisor_research/artifact_integrity.py",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Bind the package initializer in evidence

When a PR changes src/quant_advisor_research/__init__.py, the D3 producer still executes that file before loading quant_advisor_research.advisory_report/preview_bundle, but this inventory never hashes it. That lets the build and verifier pass with evidence that omits a repository file that can affect imports and report generation, so the claimed dependency binding is incomplete; add the package initializer to DEPENDENCY_INVENTORY.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant