feat(doctor): Phase 5 — doctor §11 + test-debt closure (0.8.0)#36
Merged
Conversation
…ETTED (0.8.0)
Implements §6 Phase 5 of substrate completion spec (BRO-1157 under epic
BRO-1148). Closes the technical debt the VETTED allowlist was carrying
since v0.2.3.
Doctor extension:
scripts/doctor.sh — new Section 11: gate enforcement type validation.
For every blocking/governed gate in .control/policy.yaml, verifies
the gate has either a `pattern`, `enforcement.spec`, or `measurement`.
Advisory / soft / warn severities exempt. Catches gates declared
blocking with no mechanism behind them (Gap 4.2.1).
Live against this workspace: all 12 declared gates pass §11.
Test fixes (both pre-existing failures since v0.2.3):
tests/template_lockstep.test.sh — assert_contains now case-insensitive
(grep -iqF). SKILL.md description naturally starts with capitalized
"Twenty irreducible primitives" — the lockstep contract only cares
the token + count are consistent across files, not casing. 15/15
now passing.
tests/onboard.test.sh — run_onboard sets BSTACK_SKIP_SKILLS=1 so
bootstrap.sh short-circuits the network-bound `npx skills add` loop.
Without it, T3+ would hang on per-skill install. 8/8 now passing.
scripts/bootstrap.sh — honors BSTACK_SKIP_SKILLS=1 env to skip the
npx skill-install loop. Used by the onboard test and by workspace
operators wanting a governance-only bootstrap.
CI:
.github/workflows/ci.yml — drops the VETTED allowlist. The
`tests/*.test.sh` glob runs every test file on every PR. Removes the
technical debt the allowlist was carrying since v0.2.3 (when Phase 4
shipped the tests job with two known-broken tests excluded).
Local run all-tests-no-allowlist:
metrics-pipeline: 7/7 ✓
onboard: 8/8 ✓ (previously hung)
repair-merge-hooks: 5/5 ✓
schema-validation: 8/8 ✓
skills-roster: 8/8 ✓
status-surface: 8/8 ✓
template_lockstep: 15/15 ✓ (previously 14/15)
Total: 60 tests passing.
Out of scope (deferred to 0.8.1 / Phase 5.1):
Doctor §12 reflexive-primitive compliance sampling
Doctor §13 skill roster lockstep
scripts/control-gate-hook.sh moved into bstack (Gap 4.2.5)
~/.bstack/gate-audit.jsonl bypass log (Gap 4.2.4)
SLOs.md consolidated latency budgets
auto_merge p20_score >= 7 requirement (Gap 4.2.3)
Phase 5 0.8.0 cut focuses on test-debt closure since that gates
everything downstream — Phase 6 canary suite needs the full
tests/*.test.sh running first.
Closes gaps from substrate completion spec §4:
4.2.1 — soft gates advisory without enforcement → doctor §11
makes the requirement machine-checkable
4.6.3 — vetted test allowlist → full suite runs now
SLO targets (introduced):
bstack doctor (full 11 sections): p50 < 1s, p99 < 3s
Section 11 (12-gate fixture): p50 < 100ms, p99 < 500ms
Files:
- EDIT scripts/doctor.sh — Section 11 added (~55 LOC)
- EDIT scripts/bootstrap.sh — BSTACK_SKIP_SKILLS env support
- EDIT tests/template_lockstep.test.sh — case-insensitive assert_contains
- EDIT tests/onboard.test.sh — run_onboard sets BSTACK_SKIP_SKILLS
- EDIT .github/workflows/ci.yml — drop VETTED allowlist
- EDIT VERSION → 0.8.0
- EDIT CHANGELOG.md — 0.8.0 entry
Linear: BRO-1157 (Phase 5, parent epic BRO-1148).
Spec: §6 Phase 5 of specs/2026-05-18-substrate-completion.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
broomva
pushed a commit
that referenced
this pull request
May 18, 2026
The original portable T1 fix (PR #36 commit a2bd9b9) was orphaned in the v0.8.0 squash merge — same race condition that lost the v0.2.2 SC2034 exclude. CI's Ubuntu strips '# ' from --help via GNU sed; macOS keeps it via BSD sed. The grep '^# Usage:' anchor passes locally and fails in CI. Asserting the un-prefixed 'Usage:' token works on both. Including in Phase 6 PR since CI was blocking on it.
broomva
added a commit
that referenced
this pull request
May 18, 2026
…0) (#37) * feat(upgrade,canary): Phase 6 — vendored upgrade + canary suite (0.9.0) Implements §6 Phase 6 of substrate completion spec (BRO-1158 under epic BRO-1148). Closes two v1.0 blockers: §4.3.2 (vendored installs can't auto-upgrade) and §4.6.2 (no canary suite verifying substrate invariants on fresh installs). # Vendored upgrade path bstack upgrade for installs without .git (the npx skills add path) now downloads a release tarball + sha256, verifies, and atomically swaps into ~/.agents/skills/bstack. bin/bstack: new bstack_upgrade_vendored function 1. curl bstack-vX.Y.Z.tar.gz + .sha256 from GitHub Release 2. Verify sha256 (mandatory — no --skip flag, fail-closed) 3. tar -xzf into temp dir 4. mv current → .bak, mv new → install (atomic swap) 5. Restore .bak on swap failure 6. Write ~/.bstack/just-upgraded-from for JUST_UPGRADED next session 7. Structured log at ~/.bstack/auto-upgrade.log .github/workflows/release.yml: new packaging step - Builds bstack-vX.Y.Z.tar.gz from in-repo skill payload - Excludes .git, .github, tests, worktree dirs - tar --sort=name for byte-deterministic sha256 - Uploads tarball + sha256 sidecar via gh release upload Falls back to manual 'npx skills add -g broomva/bstack' guidance if the tarball is missing (pre-0.9.0 releases without the new job). # Canary suite Four canary tests verify load-bearing substrate contracts on a fresh install (no companion skills, no workspace state, no prior bstack state). Each canary covers one phase's deliverables: tests/canary/01-fresh-bootstrap.test.sh (Plant Contract) - bootstrap.sh exits 0 - governance files scaffold (CLAUDE, AGENTS, .control/policy.yaml) - .claude/settings.json wires SessionStart + Stop + PreToolUse - doctor produces expected summary + exits 0 (HC-1: never block) (10 assertions) tests/canary/02-metrics-pipeline.test.sh (Phase 1 v0.4.0) - collect produces valid JSON with ≥4 setpoints - latest.json on disk with generated_at timestamp - observe single setpoint returns id-matched JSON (3 assertions) tests/canary/03-status-surface.test.sh (Phase 2 v0.5.0) - 7 core sections render in text mode - --json shape: bstack_version + workspace + profile + setpoints + summary - --setpoint S11 --json returns id-matched deep view - --aggregate exits 3 (Phase 8 placeholder) (4 assertions) tests/canary/04-schemas-validate.test.sh (Phase 3 v0.6.0) - 4 schemas valid draft-07 - primitives.yaml validates against primitives.v1.json (20 entries) - companion-skills.yaml validates against companion-skills.v1.json (31) - policy.yaml.template structural shape + flat-schema parts valid (4 assertions) Total: 21 assertions across 4 canary tests, ~5s combined runtime. .github/workflows/ci.yml: new 'canary' job gated on lint + doctor; installs jq + jsonschema + PyYAML; runs tests/canary/*.test.sh. # Out of scope (deferred to v0.9.1) - Cosign signature verification (sha256 covers principal integrity; cosign adds publisher identity proof — staged for v0.9.1) - bstack reproduce subcommand (drift detection vs fresh-install ref) - Canary tests 05-08 (skills install, gates audit, release pipeline E2E) — ship as Phase 4-6 deliverables stabilize further # Validation Local lint: shellcheck OK (bin/bstack + 4 canaries) Local canary suite: 21/21 assertions pass Tarball packaging: tested via dry-run path; CI publishes on next bump # SLO targets (introduced) bstack upgrade --self (vendored, cold network): p50 < 30s, p99 < 60s Canary suite (4 tests, sequential): p99 < 30s Linear: BRO-1158 (Phase 6, parent epic BRO-1148). Spec: §6 Phase 6 of specs/2026-05-18-substrate-completion.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(test): re-apply portable onboard T1 assertion (BSD/GNU sed) The original portable T1 fix (PR #36 commit a2bd9b9) was orphaned in the v0.8.0 squash merge — same race condition that lost the v0.2.2 SC2034 exclude. CI's Ubuntu strips '# ' from --help via GNU sed; macOS keeps it via BSD sed. The grep '^# Usage:' anchor passes locally and fails in CI. Asserting the un-prefixed 'Usage:' token works on both. Including in Phase 6 PR since CI was blocking on it. --------- Co-authored-by: Carlos D. Escobar-Valbuena <devteam@getstimulus.ai> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 5 of substrate completion (BRO-1157 under epic BRO-1148). Closes the test-debt the VETTED allowlist was carrying since v0.2.3.
What ships
Doctor §11 — Gate enforcement type validation
scripts/doctor.shextended with Section 11. For every blocking/governed gate in.control/policy.yaml, verifies it has apattern,enforcement.spec, ormeasurement. Catches gates declared blocking with no mechanism behind them (Gap 4.2.1).Live:
all 12 declared gates have enforcement type (pattern / runtime_check / measurement).Pre-existing test fixes — both passing now
tests/template_lockstep.test.shassert_contains→ case-insensitive (grep -iqF)tests/onboard.test.shnpx skills addloop)run_onboardsetsBSTACK_SKIP_SKILLS=1;bootstrap.shhonors the env to short-circuitCI suite — full glob runs
.github/workflows/ci.ymldrops the VETTED allowlist. Thetests/*.test.shglob runs every test file on every PR.Closes gaps from substrate completion spec §4
Out of scope (deferred to 0.8.1 / Phase 5.1)
The original Phase 5 spec listed six more deliverables. This PR focuses on the test-debt closure since that gates Phase 6 (canary suite needs full
tests/*.test.shrunning first). Deferred:scripts/control-gate-hook.shmoved into bstack (Gap 4.2.5)~/.bstack/gate-audit.jsonlbypass log (Gap 4.2.4)SLOs.mdconsolidated latency budgetsauto_mergep20_score >= 7requirement (Gap 4.2.3)Test plan
Stack position
PR 9 of N in substrate completion. Spec: §6 Phase 5.
🤖 Generated with Claude Code