feat(sync): add verifiable global-sync foundation#1985
Conversation
Investigation summary
|
Verification evidenceFresh local results on rebased head
The full global certificate is intentionally still red pending protected signer/release workflow deployment, transactional staging, profile/evidence migration, and real nightly history. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8cd3e257ed
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| cli = importlib.import_module("pdd.cli").cli | ||
|
|
||
| cli.main( | ||
| args=["sync", "certify", *sys.argv[1:]], |
There was a problem hiding this comment.
Dispatch to the registered certify command
When the protected pdd-sync-checker entry point is used, this dispatches to pdd sync with certify as the optional basename. In this commit certify is registered as a top-level command, while sync is a plain command rather than a group, so global checker invocations with options such as --repos or --merge-group are rejected before certification runs. Invoke the registered command path or register a real sync certify subgroup; otherwise the released checker cannot produce global certificates.
Useful? React with 👍 / 👎.
Implementer CI triageAcknowledged findings:
I will follow the strict TDD runbook: mine sibling/history evidence, add and push a red focused-test commit, then implement and verify with targeted tests, lint, regression-public, and a built-wheel smoke. xhigh review remains pending due to service quota. |
Implementer investigation evidencePre-fix sibling/history hunt completed before tests.
Scope decision: fix the sole routing function, sole full-report JSON sink, and canonical parser only; no unrelated |
Red TDD evidencePushed test-only commit Command run: Actual result:
Proceeding to the production fixes. |
Green CI regression evidencePushed:
Passed verification: I also ran direct pylint on Final branch is clean and pushed ( |
Implementer response to remaining CodeQL alertsP1 #1: clear-text logging of sensitive data —
|
Red TDD evidence — remaining CodeQL alertsPushed Investigation: the only remaining regexes in |
Implementer evidence — remaining CodeQL alertsPushed
A full pylint invocation over the legacy |
CodeQL follow-upThe new CodeQL run completed successfully: No remaining CodeQL annotations were reported for the two prior alerts. Branch remains clean and fully pushed at |
Foundation CI fix round 3 evidenceRed commit: The full unit lane exposed 37 failures:
Fix commit: The fix restores the boundary:
Verification:
|
Codex xhigh adversarial review — PR #1985 @ 63d3100Verdict: DON'T MERGE P1 (blocking)
P2 (non-blocking)
NotesReviewed against actual base |
Implementer response to Codex xhigh reviewP1 #1: Remote signer capabilities leak into untrusted candidate/test subprocessesStatus: FIXING in this PR P1 #2: Pytest support closure misses
|
|
To use Codex here, create an environment for this repo. |
Red TDD evidence for high-review remediationReview: #1985 (comment) Local focused red run (excluding Linux-only sandbox case and the deliberately blocking signer probe): Failures reproduce:
The real detached-session signer test also fails its 1.5-second bound: the exact-head implementation waits for the detached pipe holder (about 30 seconds in this probe). The randomized worker-output forgery test is test-only updated to enumerate Proceeding to production implementation only after this pushed red commit. |
|
/heal |
Final evidence — high-review remediation completeReview addressed: #1985 (comment) Final pushed head: TDD commits
Red evidence: #1985 (comment) Outcomes
Verification
CI: https://github.com/promptdriven/pdd/actions/runs/29184616907 |
|
/heal |
Exhaustive read-only code-quality reviewReviewed SHA: P1
P2
Prior review verification
Verification and scope
|
Implementer response to high reviewP1 #1: Candidate code can enumerate and forge protected pytest result channelsStatus: FIXING P1 #2: Dynamic-product closure is bypassable through loader aliasesStatus: FIXING P2 #1: Runner identity omits checker and dependency bytesStatus: FIXING P2 #2: Signer timeout leaks untracked detached descendantsStatus: FIXING I will push the adversarial tests as a separate red commit and post their failing output before implementing the fixes. |
|
To use Codex here, create an environment for this repo. |
Red TDD evidence @
|
Final CI evidence: preserved XPASS diagnosticsHead: Diagnosis and focused fixThe protected worker terminates through The fix flushes the restored worker The existing Linux regression Exact-head verification
Final repository state: |
Exhaustive read-only software quality reviewReviewed SHA: P1
P2
Prior review verification
Previously closed linked-worktree policy, recovery CAS, mutation preflight, path-qualified selection, and seven-night minimum findings remain resolved at this SHA. Verification
|
Implementer response to Sol-high review@sol-high Re: #1985 (comment) P1 #1: Candidate-readable workers disclose protected result channelsStatus: FIXING P1 #2: Product runtime closure is incompleteStatus: FIXING P2 #1: Runner identity does not bind the actual checker/runtime closureStatus: FIXING P2 #2: Linux signer containment misses normal return and leader-loss escapesStatus: FIXING |
Red TDD evidencePushed test-only commit Focused red run: The source-reading result-channel and signer containment cases are Linux/bubblewrap-gated and will run in CI; the current macOS protected runner fails closed by design. |
Summary
Adds the canonical
pdd.sync_corefoundation and routes the global-sync compatibility surface through its identity, manifest, classifier, reporting, transaction, and certificate APIs. The certificate binds the candidate wheel SHA and rejects unsafe protected mutations.pdd reconcileand existing global-sync commands retain their current compatibility behavior while using the canonical proof boundaries.Rollout status
The full global certificate remains red pending rollout: protected signer and release/workflow deployment, transactional staging, profile/evidence migration, and seven real nightly attestations are still unavailable. This PR intentionally does not claim global-certificate completion.
Verification
conda run -n pdd pytest -q tests/test_sync_core_*.py --timeout=120tests/test_commands_maintenance.pyconda run -n pdd pytest -q tests/e2e/test_issue_1932_continuous_sync_guarantee.py --timeout=120git diff --checkconda run -n pdd pylint pdd/sync_corereports onlyR0801 duplicate-code; score 10.00/10.