fix(review): virtual workspace 커버리지와 Python 환경 정합성 복구#565
Conversation
Problem: Required OpenCode coverage could not validate fast-mlsirm even after its Rust suite compiled and passed. The Python evidence command collected 21 import errors for dependencies already installed by uv, and the Rust gate forced the 100% central default because the target is a virtual Cargo workspace. Reproduction/Evidence: fast-mlsirm PR #160 coverage-evidence job 87244269792 installed the optional dev environment, then executed configured pytest outside .venv and failed to import numpy. Its root Cargo.toml has only [workspace], while rust_coverage_fail_under_lines inspected only [package.metadata] and therefore ran cargo llvm-cov with --fail-under-lines 100 despite the repository-owned baseline facility. Root cause: The trusted pytest executor preserved the system PATH after uv sync created <project>/.venv, so direct pytest/python argv did not resolve in the synchronized environment. The inline TOML parser modeled package manifests only and omitted the valid metadata namespace for virtual workspaces. Change: - Prepend an existing project .venv/bin to PATH while preserving shell=False and validated argv execution. - Move Rust threshold resolution into a trusted, tested parser. - Resolve package metadata first and workspace metadata as the virtual-workspace fallback. - Keep invalid booleans, types, and values outside 0..100 fail-closed. - Extend workflow, security-boundary, and quick-gate contracts for both paths. Validation: - python3 -m pytest -q: 622 passed - targeted security/coverage/agent contracts: 72 passed - parser against fast-mlsirm virtual workspace Cargo.toml: emitted 90 - git diff --check: passed - long Strix quick-gate launched and continued through its expected negative fixtures; repository CI remains the authoritative complete shell-gate run Security: No PR-controlled shell is introduced. Commands remain allowlisted pytest argv executed with shell=False, and coverage metadata is parsed by trusted default-branch code with numeric range validation.
There was a problem hiding this comment.
Pull request overview
OpenCode cannot approve yet because required coverage evidence did not pass.
Review outcome
1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence
-
Problem: The required coverage-evidence job result was
failure, so OpenCode cannot establish approval sufficiency for this head. -
Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.
-
Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports
successwith required evidence or explicit no-source not-applicable evidence. -
Regression test: Keep the approval branch checking
needs.coverage-evidence.result == successbefore posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present. -
Result: REQUEST_CHANGES
-
Reason: coverage-evidence result was
failure, so required test/docstring evidence was not proven for current head40df799bece855efe37b2d99be78cd881d6fe15c. -
Head SHA:
40df799bece855efe37b2d99be78cd881d6fe15c -
Workflow run: 29382025123
-
Workflow attempt: 1
Coverage evidence
Coverage Decision
- Result: FAIL
- Test evidence: not proven passing
- Docstring evidence: not proven passing when configured
- Failure count: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: opencode-review.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: opencode-review.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["CI script (3 files)"]
S2 --> I2["review and security gate shell path"]
I2 --> R2["Review risk: CI script (3 files)"]
R2 --> V2["bash -n plus Strix self-test"]
Evidence --> S3["Test (3 files)"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test (3 files)"]
R3 --> V3["targeted test run"]
OpenCode Review Overview
Pull request overviewOpenCode cannot approve yet because required coverage evidence did not pass. Review outcome1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence
Coverage evidenceCoverage Decision
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: opencode-review.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: opencode-review.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["CI script (3 files)"]
S2 --> I2["review and security gate shell path"]
I2 --> R2["Review risk: CI script (3 files)"]
R2 --> V2["bash -n plus Strix self-test"]
Evidence --> S3["Test (3 files)"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test (3 files)"]
R3 --> V3["targeted test run"]
|
Problem: The central repository enforces 100% Python coverage. PR #565 first ran under the previous trusted workflow and reported rust_coverage_threshold.py at 76%, leaving its argparse, error-reporting, and __main__ paths unproven even though the parser logic tests passed. Evidence: Required coverage-evidence job 87247543719 reported 5,533 statements, 11 missed statements, 99% total coverage, with all misses at rust_coverage_threshold.py lines 55-64 and 68. Change: Add end-to-end tests for normalized CLI output, invalid metadata diagnostics and exit status, and the executable __main__ entrypoint when no repository baseline is declared. Validation: - parser test module: 10 passed - python3 -m coverage run -m pytest -q: 625 passed - python3 -m coverage report --show-missing: 5,533 statements, 0 missed, 100% - git diff --check: passed
문제
fast-mlsirmPR #160의 current-headcoverage-evidence에서 두 독립적인 중앙 계약 오류가 재현됐습니다.uv sync가 프로젝트.venv에 NumPy/pytest를 설치했지만, 신뢰 실행기는 시스템PATH의pytest를 실행하여 21개 수집 오류가 발생했습니다.[package.metadata.opencode.coverage]만 읽어, 가상 Cargo workspace의[workspace.metadata.opencode.coverage]를 표현할 수 없었습니다. 그 결과 중앙 기본값 100%가 강제됐습니다.변경
shell=False경계를 유지하면서, 존재하는<project>/.venv/bin을PATH앞에 둡니다.검증
python3 -m pytest -q: 622 passedfast-mlsirm실제 virtual workspace manifest 파싱:90git diff --check: 통과보안
PR이 지정한 셸을 실행하지 않습니다. 기존 allowlist를 통과한 pytest argv만
shell=False로 실행하며, 기준 파싱은 중앙 default-branch의 신뢰 코드에서 수행합니다.