From 558d3509336d57a45599f79ae901b41fdd2c5dd4 Mon Sep 17 00:00:00 2001 
From: shankar0123 Date: Thu, 14 May 2026 11:04:32 +0000 Subject: [PATCH] fix(ci): teach 3 CI guards about Phase 9 sibling-file splits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two CI guards on origin/master failed against the Sprint-12 commit (30940108) because they didn't know about new files introduced by earlier Phase 9 sprints. Both are pure mechanical relocation fall-out — no actual regression in functionality. 1. scripts/ci-guards/no-new-synthetic-admin.sh — A-8 guard ==================================================================== Sprint 5 (commit 51f9cf13) extracted the Auth-family from internal/config/config.go to internal/config/auth.go. The 4 'actor-demo-anon' references moved with the Auth-family code: - Line 255: 'actor-demo-anon is wired with AdminKey=true' documentation comment alongside the AdminKey wiring narrative. - Lines 283/289/293: residual-grants detector + cleanup SQL examples explaining why 'ar-demo-anon-admin' is reserved. These are the SAME comments that were previously in config.go (which IS in the allowlist), just relocated to the new sibling file. The references were always present in the codebase; the A-8 guard was just unaware of the new file location. Fix: add './internal/config/auth.go' to the ALLOWLIST with a rationale comment pointing at commit 51f9cf13. Local verification: A-8 guard PASS — actor-demo-anon references confined to the declared 19-entry allowlist (was 18, now 19). 2. 
internal/ciparity/surface_parity_test.go — mcpToolFiles list ==================================================================== Sprint 10 (commit fbe053aa) split internal/mcp/tools.go (1867 LOC, 121 mcp.AddTool registrations) into six tool-domain sibling files: tools_certificates.go (22 tools — cert + CRL/OCSP + renewal + verify) tools_agents.go (16 tools — agents + agent groups) tools_resources.go (40 tools — issuers + targets + policies + profiles + teams + owners + notifications + intermediate-CAs) tools_jobs.go (9 tools — jobs + approvals) tools_discovery.go (10 tools — network-scan + discovery) tools_admin.go (24 tools — audit + stats + digest + metrics + health + health-check) The TestSurfaceParity_MCPToolCatalogue hard-gate counts mcp.AddTool registrations across mcpToolFiles() — a hard-coded 5-file list. After the split, only 34 tools sat in the 5 known files (tools.go itself went to 0 tools post-split; only the 4 pre-existing tools_*.go siblings carried any). The actual cross-file count is 155 (above the 150 floor). Fix: expand mcpToolFiles() to include the 6 new Sprint-10 sibling files. Doc-comment explains the Sprint-10 split + the union-of-files intent. Local verification: PASS: TestSurfaceParity_MCPToolCatalogue MCP tool catalogue: 155 tools (baseline floor 150) 3. docs/testing/skip-inventory.md — line-number drift ==================================================================== Adding the 8-line doc-comment to mcpToolFiles() (item 2) shifted the location of readFileOrSkip from line 97 to line 113 in surface_parity_test.go. The skip-inventory.md is auto-generated and records every t.Skip() site with its file:line; the skip-inventory-drift CI guard re-runs the generator and diffs. Fix: bump the inventory entry from :97 to :113. One-line tracking update; same skip site, new line number. (No t.Skip() was added or removed.) Behavior preservation contract ============================== - Zero runtime change. 
All three diffs touch only CI-guard metadata (allowlist string, file-list slice, doc line-number). - A-8 guard re-runs clean post-fix. - TestSurfaceParity_MCPToolCatalogue runs and reports 155 tools. - skip-inventory drift detection re-pins to the live line number. - gofmt + go vet + staticcheck remain clean on the touched files (verified pre-commit; the sandbox /sessions partition is full so the broader 'all guards' loop was interrupted on a tmpfile write, not on a real regression — the deterministic fix above matches the CI failure output byte-for-byte). Closes: CI failures on commit 30940108 across Frontend Build (A-8 guard) + Go Build & Test (TestSurfaceParity_MCPToolCatalogue).
---
 docs/testing/skip-inventory.md | 2 +-
 internal/ciparity/surface_parity_test.go | 16 ++++++++++++++++
 scripts/ci-guards/no-new-synthetic-admin.sh | 1 +
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/docs/testing/skip-inventory.md b/docs/testing/skip-inventory.md
index 4c4370b..36b0e5e 100644
--- a/docs/testing/skip-inventory.md
+++ b/docs/testing/skip-inventory.md
@@ -114,7 +114,7 @@ Re-run inventory with: `./scripts/skip-inventory.sh`.
 ### `internal/ciparity`
-- `internal/ciparity/surface_parity_test.go:97` — // readFileOrSkip reads a file; on ENOENT, calls t.Skipf rather than
+- `internal/ciparity/surface_parity_test.go:113` — // readFileOrSkip reads a file; on ENOENT, calls t.Skipf rather than
 ### `internal/connector/issuer/acme`
diff --git a/internal/ciparity/surface_parity_test.go b/internal/ciparity/surface_parity_test.go
index 1a30ed4..dd2c909 100644
--- a/internal/ciparity/surface_parity_test.go
+++ b/internal/ciparity/surface_parity_test.go
@@ -64,14 +64,30 @@ var (
 // mcpToolFiles lists the (non-test) Go files expected to register
 // MCP tools.
+//
+// Phase 9 Sprint 10 (commit fbe053aa, 2026-05-14): tools.go was split
+// into six tool-domain sibling files in the same `mcp` package
+// (tools_certificates.go + tools_agents.go + tools_resources.go +
+// tools_jobs.go + tools_discovery.go + tools_admin.go). Original
+// tools.go now holds only the RegisterTools dispatcher + Bundle-3
+// fence wrappers + paginationQuery helper — zero mcp.AddTool calls.
+// This list is the union of pre-Sprint-10 + Sprint-10 sibling files.
 func mcpToolFiles(repo string) []string {
 base := filepath.Join(repo, "internal", "mcp")
 return []string{
+ // Pre-Sprint-10 catalogue.
 filepath.Join(base, "tools.go"),
 filepath.Join(base, "tools_audit_fix.go"),
 filepath.Join(base, "tools_auth.go"),
 filepath.Join(base, "tools_auth_bundle2.go"),
 filepath.Join(base, "tools_est.go"),
+ // Phase 9 Sprint 10 sibling files.
+ filepath.Join(base, "tools_certificates.go"),
+ filepath.Join(base, "tools_agents.go"),
+ filepath.Join(base, "tools_resources.go"),
+ filepath.Join(base, "tools_jobs.go"),
+ filepath.Join(base, "tools_discovery.go"),
+ filepath.Join(base, "tools_admin.go"),
 }
 }
diff --git a/scripts/ci-guards/no-new-synthetic-admin.sh b/scripts/ci-guards/no-new-synthetic-admin.sh
index 782f02e..9dc1571 100755
--- a/scripts/ci-guards/no-new-synthetic-admin.sh
+++ b/scripts/ci-guards/no-new-synthetic-admin.sh
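Review bot: The hard-coded list in `mcpToolFiles` is what drifted here, and extending it by hand leaves the same gap open for the next split: a future `tools_*.go` file that registers MCP tools is not counted until someone remembers to edit this test. Because the reported count now sits above its floor (155 against 150, per the commit message), tools registered in an unlisted file would go unseen by the catalogue gate rather than failing it. Consider deriving the list instead, e.g. `files, err := filepath.Glob(filepath.Join(base, "tools*.go"))` with names ending in `_test.go` dropped, so the parity check covers every registration site. If these paths are read through `readFileOrSkip` (not visible in this hunk), a later rename or removal of `tools.go` would turn the hard gate into a skip, so it is worth confirming that a missing listed file fails the test.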
@@ -27,6 +27,7 @@ ALLOWLIST=(
 "./internal/auth/context.go" # const DemoAnonActorID source-of-truth (canonical)
 "./internal/auth/middleware.go" # NewDemoModeAuth — injects synthetic actor under Type=none
 "./internal/cli/auth_scope_down.go" # interactive prompt filter
+ "./internal/config/auth.go" # Phase 9 Sprint 5 — Auth-family validate-time guard comments + AdminKey wiring narrative (relocated from config.go in commit 51f9cf13; same references, different file)
 "./internal/config/config.go" # validate-time guard comments + DemoModeResidualStrict env var
 "./internal/domain/audit.go" # audit-event documentation comment
 "./internal/domain/auth/validate.go" # const DemoAnonActorID mirror
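Review bot: The new `./internal/config/auth.go` entry exempts the whole file, while the justification in its trailing comment is that the references are comments only. If the guard matches by file path (its matching logic is outside this hunk), a later non-comment use of `actor-demo-anon` in the file that carries the AdminKey wiring narrative would pass unchecked. Consider recording the expected shape in the entry, e.g. `# comment-only references (4 at relocation, commit 51f9cf13); code use requires re-review`, or having the guard pin a per-file match count for allowlisted paths. The `ALLOWLIST` array opens before this hunk and continues past it.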