Runs govulncheck ./... on every PR touching Go code. Reachability-based scan catches High/Critical CVEs in the call graph before tests run; aligns CI with ~/.claude/rules/security.md policy. Installs the tool on-the-fly since it's a first-party golang.org/x module and dependabot can bump the install target as needed. Local dogfood: "No vulnerabilities found".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds npm audit --audit-level=moderate between npm ci and typecheck in the UI job. Short-circuits the rest of the job on a failing audit so CVE-introducing dep bumps surface immediately. Matches the rule-book policy in ~/.claude/rules/security.md. Local dogfood: "found 0 vulnerabilities".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two new fuzz targets wired into the existing fuzz (smoke) CI job:
- FuzzSearchTokenize exercises Store.SearchNotes against arbitrary FTS5-grammar inputs; asserts no "malformed MATCH expression" leaks, which would indicate missing pre-sanitisation at the HTTP boundary.
- FuzzMCPToolArgs exercises stringArg/intArg/projectArg against any JSON payload an MCP client might send; asserts no helper panics on unexpected types.
Each runs 30s on every PR. Local 15s smoke: both targets PASS with new-interesting counts of 31 and 171 respectively; ~84k and ~554k execs in 15s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
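The panic-safety property the FuzzMCPToolArgs target checks rests on how the argument helpers handle unexpected JSON types. The following is an added illustration, not the project's code: hypothetical stringArg/intArg/decodeArgs helpers (the real signatures are unknown; projectArg is omitted) that report every type mismatch as an error, including the encoding/json quirk that every JSON number arrives as a float64.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Args is the decoded JSON object an MCP client sends as tool arguments.
type Args map[string]any

// stringArg returns args[key] as a string; any other JSON type is an error.
// Only the two-value type assertion is used, so no payload can panic it.
func stringArg(args Args, key string) (string, error) {
	v, ok := args[key]
	if !ok || v == nil {
		return "", fmt.Errorf("missing argument %q", key)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("argument %q: expected string, got %T", key, v)
	}
	return s, nil
}

// intArg copes with encoding/json decoding every JSON number as float64:
// integral int32-range values are accepted, fractions, huge values and
// non-numbers are rejected. A missing or null key yields def.
func intArg(args Args, key string, def int) (int, error) {
	v, ok := args[key]
	if !ok || v == nil {
		return def, nil
	}
	f, ok := v.(float64)
	if !ok {
		return 0, fmt.Errorf("argument %q: expected integer, got %T", key, v)
	}
	if f != math.Trunc(f) || f > math.MaxInt32 || f < math.MinInt32 {
		return 0, fmt.Errorf("argument %q: %v is not a representable integer", key, f)
	}
	return int(f), nil
}

// decodeArgs is the entry point a fuzz target feeds raw bytes into.
func decodeArgs(raw []byte) (Args, error) {
	var args Args
	if err := json.Unmarshal(raw, &args); err != nil {
		return nil, err
	}
	return args, nil
}
```

A fuzz target in this style would call decodeArgs on the fuzzed bytes and then each helper on the result, so any panic (rather than a returned error) fails the run.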
Annotates the 8 existing t.Skip() sites with TODO(#N) references and adds a CI grep gate (in the test job) that fails if any future t.Skip or test.skip lacks an adjacent TODO(#N): comment. Issues filed:
- #62 large-tar import test under -short
- #63 1000-note scale test under -short
- #64 10k HNSW benchmarks (-short, -race)
- #65 environmental skips (platform/tool availability)
Converts silent skips into a queryable backlog without changing test behaviour. Fuzz-callback skips (*_fuzz_test.go) are excluded: those are input filtering, not flake-register entries.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
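As an added example of the gate described above (not the project's own grep script), here is the same check written in Go: it flags every t.Skip/t.Skipf/t.SkipNow or test.skip call with no TODO(#N): marker on the same line or the nearest non-blank line above, and exempts *_fuzz_test.go. The match patterns and the "adjacent" rule are assumptions; the sample source is constructed.

```go
package main

import (
	"bufio"
	"path/filepath"
	"regexp"
	"strings"
)

// skipCall matches Go testing skips (t.Skip, t.Skipf, t.SkipNow, b.Skip...)
// and Playwright's test.skip(...). The exact patterns are an assumption.
var skipCall = regexp.MustCompile(`\b[tb]\.Skip(f|Now)?\(|\btest\.skip\(`)

// annotation is the TODO(#N): marker the flake register requires.
var annotation = regexp.MustCompile(`TODO\(#\d+\):`)

// UnannotatedSkips returns 1-based line numbers of skip calls in src that carry
// no TODO(#N): on the same line or on the nearest non-blank line above it.
// *_fuzz_test.go files are excluded: their skips filter fuzz inputs and are
// not flake-register entries.
func UnannotatedSkips(filename, src string) []int {
	if ok, _ := filepath.Match("*_fuzz_test.go", filepath.Base(filename)); ok {
		return nil
	}
	var offenders []int
	prev := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if skipCall.MatchString(line) && !annotation.MatchString(line) && !annotation.MatchString(prev) {
			offenders = append(offenders, n)
		}
		if strings.TrimSpace(line) != "" {
			prev = line
		}
	}
	return offenders
}

// Constructed sample file: the skips on lines 4 and 6 are annotated, line 8 is not.
const sample = `func TestScale(t *testing.T) {
	if testing.Short() {
		// TODO(#63): 1000-note scale test is too slow under -short
		t.Skip("skipping in -short mode")
	}
	t.Skipf("TODO(#65): %s not available", "sqlite3")
	_ = 0
	t.SkipNow()
}`
```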
Three high-risk flows get dedicated specs:
- 404.spec.ts (2 tests): unknown and deep-nested unknown routes render the NotFound component while keeping the Shell mounted. Guards against react-router catch-all regressions.
- auth.spec.ts (2 tests, .fixme): asserts a visible auth-required affordance when /api/* returns 401. Today the UI has no such affordance (apiFetch throws into React Query error states with no recognisable copy) so the tests are .fixme'd with TODO(#66): tracked in flake-register.
- upload.spec.ts (1 test): opens DocumentsList > Upload, attaches a fixture markdown to the <input type=file>, stubs POST /api/upload, asserts the dialog closes on success. Mirrors the real UploadModal flow (onChange auto-submit, no explicit submit button).
Local run: 10 specs, 8 pass + 2 fixme. Playwright job grows from 5 to 10; regressions in any of the three flows now fail CI in ~10s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
internal/llm/mock implements llm.Provider with:
- Complete: substring-matched canned JSON for entity/relationship/claim extraction prompts and a TITLE:/SUMMARY: formatted response for community summarisation prompts. Schema matches internal/extractor and internal/community exactly so parsing succeeds.
- Embed/EmbedBatch: SHA-256-derived L2-normalised vectors, 128-dim by default. Equal text yields equal vectors; determinism is the only semantic contract.
Intended for integration tests; not exposed outside internal/. No network, no API keys, no external processes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
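An added sketch of how a SHA-256-derived, L2-normalised mock embedding can be built; this is illustrative code, not internal/llm/mock itself. The counter-mode expansion of the 32-byte digest to 128 coordinates is an assumption about the construction; the only property relied on, and the only one the mock promises, is that equal text gives an identical unit vector.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"math"
)

// DefaultDim mirrors the mock's 128-dimension default.
const DefaultDim = 128

// Embed derives a deterministic unit vector from text. The digest is expanded
// counter-mode style: block k is SHA-256(text || k), and each 4-byte word of a
// block becomes one coordinate in [-1, 1) before L2 normalisation. This exact
// expansion is an assumption; only "equal text, equal vector" is guaranteed.
func Embed(text string, dim int) []float64 {
	vec := make([]float64, dim)
	var ctr [4]byte
	for i := 0; i < dim; {
		binary.BigEndian.PutUint32(ctr[:], uint32(i/8)) // 8 words per 32-byte digest
		h := sha256.New()
		h.Write([]byte(text))
		h.Write(ctr[:])
		sum := h.Sum(nil)
		for off := 0; off+4 <= len(sum) && i < dim; off += 4 {
			w := binary.BigEndian.Uint32(sum[off : off+4])
			vec[i] = float64(w)/float64(1<<31) - 1 // map [0, 2^32) onto [-1, 1)
			i++
		}
	}
	return l2Normalise(vec)
}

// l2Normalise scales v in place to unit length; a zero vector is returned untouched.
func l2Normalise(v []float64) []float64 {
	var ss float64
	for _, x := range v {
		ss += x * x
	}
	if ss == 0 {
		return v
	}
	n := math.Sqrt(ss)
	for i := range v {
		v[i] /= n
	}
	return v
}
```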
New integration test drives pipeline.New().IndexPath().Finalize() over
5 small markdown files with the mock LLM provider, then asserts:
- Document count is exactly 5.
- Chunk count is in the 5..50 band.
- Embedding count equals chunk count (Phase 2 invariant).
- Entity count is in the 2..2*chunks band (mock returns 2 entities
per extraction prompt; dedup collapses duplicates).
- Relationship count is >=1.
- LocalSearch("Apollo program", topK=5) returns >=1 chunk containing
"Apollo".
Gated by //go:build integration && sqlite_fts5 so the default
`go test ./...` path is unaffected. The test-integration CI job picks
it up automatically via its existing -tags "sqlite_fts5 integration"
invocation. No CI workflow change needed.
Local run: 0.05s without -race, 1.07s with -race.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Block 6's new govulncheck gate flagged two crypto/tls CVEs (GO-2026-4340, GO-2026-4337) in the 1.25.5 stdlib. 1.25.7 carries both fixes. Bump go.mod directive so setup-go picks the patched toolchain in CI.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Second govulncheck sweep surfaced crypto/x509 + archive/tar + os + net/url fixes landed in 1.25.8 and 1.25.9. Jump straight to 1.25.9 to close every known-reachable stdlib vuln in one commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Block 6 of the docsiq production-polish roadmap: six independent CI and testing hardening tasks.
- test job runs govulncheck -tags sqlite_fts5 ./... on every PR. Local dogfood: No vulnerabilities found.
- ui job fails on moderate+ advisories. Local dogfood: 0 vulnerabilities.
- FuzzSearchTokenize (internal/store) and FuzzMCPToolArgs (internal/mcp) wired into the existing 30s-per-target fuzz-smoke workflow. Both pass locally under 15s smokes.
- Annotates t.Skip sites with TODO(#N): references (issues filed: #62 flake-register: skip large-tar test in -short mode; #63 flake-register: skip 1000-note scale test in -short mode; #64 flake-register: skip 10k HNSW benchmarks in -short/-race; #65 flake-register: environmental skips (platform/tool availability)) and adds a grep-based CI gate that fails on any future unannotated skip.
- Playwright: 404 (2 tests), auth (2 tests, .fixme + issue #66 flake-register: add unauthed UI affordance + re-enable auth.spec.ts, tracking the missing UI affordance), upload happy-path (1 test). Existing 5 smokes preserved; all 10 specs run to 8 pass + 2 fixme locally.
- //go:build integration && sqlite_fts5 end-to-end test drives pipeline.New().IndexPath().Finalize() over 5 markdown files via a new internal/llm/mock deterministic provider. Completes in 1s under -race.
Related issues
Test plan
- `CGO_ENABLED=1 go test -tags sqlite_fts5 -timeout 300s ./...`: all pass
- `CGO_ENABLED=1 go test -tags "sqlite_fts5 integration" -race -timeout 1200s ./...`: all pass (new integration test: 3.4s under race)
- `CGO_ENABLED=1 go test -tags sqlite_fts5 -fuzz FuzzSearchTokenize -fuzztime 15s ./internal/store/`: PASS (531k execs, 55 interesting)
- `CGO_ENABLED=1 go test -tags sqlite_fts5 -fuzz FuzzMCPToolArgs -fuzztime 15s ./internal/mcp/`: PASS (672k execs, 48 interesting)
- `govulncheck -tags sqlite_fts5 ./...`: No vulnerabilities found
- `cd ui && npm audit --audit-level=moderate`: 0 vulnerabilities
- `cd ui && npm test -- --run`: 54 tests / 18 files pass
- `cd ui && CI=1 npx playwright test`: 8 pass + 2 fixme
Generated with Claude Code