fix: resolve multiple CI failures

[Copilot]

Summary

Diagnoses and resolves CI failures on the main branch across multiple platforms and targets.

Failures & Fixes

1. Doctest failure (ubuntu stable / beta / nightly)

Root cause: StrDoc::root_node() is a method from the Doc trait, but the trait wasn't imported in the doctest scope.
Fix: Added # use thread_ast_engine::Doc; to the doctest hidden preamble.

2. thread-flow doctest failures (all platforms)

Root cause: Fixing the thread-ast-engine doctest exposed 5 pre-existing doc-compilation errors in thread-flow: a RapishSet typo (should be RapidSet), three uses of RapidSet::from([...]) which doesn't work with the custom rapidhash::RandomState, and a std::collections::HashSet passed to a method that expects &RapidSet<PathBuf>.
Fix: Removed the typo import; changed array-init to [...].into_iter().collect(); replaced std::collections::HashSet with RapidSet in the affected doctests.

3. macOS postgres tests (macos-latest stable)

Root cause: incremental_postgres_tests uses testcontainers to spin up Docker containers. macOS GitHub Actions runners do not include Docker.
Fix: Split the nextest step into two conditional steps. On macOS, pass -E "not (package(thread-flow) and binary(incremental_postgres_tests))" to skip the Docker-dependent tests by binary name. Linux and Windows runners continue to run the full suite.

4. License compliance (REUSE)

Root cause: 35 files in .claude/plugins/ctx/, ctx-plugin/, .vscode/, crates/flow/benches/, get_comments.js, and specs/ were missing SPDX copyright/license headers. REUSE.toml glob annotations fixed .claude/plugins/ctx/ and .vscode/ paths, but the ctx-plugin/** glob annotation was not honoured by fsfe/reuse-action@v2.
Fix: Added [[annotations]] entries to REUSE.toml for the paths that work, and added .license sidecar files (the project's established pattern) for the 19 remaining non-compliant files.

5. WASM build failure

Root cause: tree-sitter 0.25.10 C sources include multiple standard C library headers (stdio.h, stdlib.h, string.h, time.h, ctype.h, wctype.h, assert.h). The wasm32-unknown-unknown target has no OS and therefore no libc headers.
Fix: Added a CI step that uses Python to generate minimal stubs for all 7 required headers and sets CFLAGS_wasm32_unknown_unknown to include them alongside clang's built-in resource headers. Functions like malloc/free/memcpy are declared (not stubbed out) so the wasm runtime provides real implementations at link time.

6. Security audit permission error

Root cause: rustsec/audit-check@v1.4.1 needs checks: write to post annotations back to GitHub. The workflow's global permissions: contents: read was too restrictive.
Fix: Added a job-level permissions block to security_audit with checks: write.

Changes

• crates/ast-engine/src/tree_sitter/mod.rs — add Doc import to doctest
• crates/flow/src/incremental/graph.rs — fix RapidSet::from([...]) in two doctests
• crates/flow/src/incremental/invalidation.rs — remove RapishSet typo import
• crates/flow/src/incremental/mod.rs — replace HashSet with RapidSet in doctest
• crates/flow/src/incremental/types.rs — fix RapidSet::from([...]) in doctest
• REUSE.toml — add [[annotations]] blocks for paths where glob matching works
• crates/flow/benches/bench_graph_traversal.rs.license + 18 other .license sidecar files — REUSE compliance for remaining non-compliant files
• .github/workflows/ci.yml — conditional nextest steps (macOS binary filter), comprehensive WASM C header stubs, security_audit permissions

[sourcery-ai]

Reviewer's Guide

Resolves multiple CI failures and a license compliance issue by adjusting doctest imports, splitting nextest runs by OS to avoid macOS Docker limitations, stubbing C stdio for wasm32 builds in CI, granting additional permissions to the security audit job, and extending REUSE annotations to cover previously unannotated files.

Flow diagram for OS-specific nextest runs and WASM stdio stub setup

flowchart TD
  A["Start tests job"] --> B{runner.os}

  B -->|runner.os != macOS| C["Run cargo nextest run --workspace --exclude thread-language --all-features --no-fail-fast"]
  C --> D["Run cargo nextest run -p thread-language --features all-parsers,matching --no-fail-fast"]

  B -->|runner.os == macOS| E["Run cargo nextest run --workspace --exclude thread-language --all-features --no-fail-fast -E not (package(thread-flow) and test(postgres))"]
  E --> F["Run cargo nextest run -p thread-language --features all-parsers,matching --no-fail-fast"]

  subgraph wasm_build["WASM build job"]
    G["Install clang"] --> H["Compute CLANG_RES = clang --print-resource-dir"]
    H --> I["Create /tmp/wasm-stubs directory"]
    I --> J["Write minimal stdio.h stub\n(FILE typedef, stdin/stdout/stderr, fprintf, vfprintf, printf no-ops)"]
    J --> K["Append CFLAGS_wasm32_unknown_unknown=-I/tmp/wasm-stubs -I${CLANG_RES}/include to GITHUB_ENV"]
    K --> L["Install wasm-pack"]
    L --> M["Build WASM artifacts using wasm-pack"]
  end

Loading

File-Level Changes

Change	Details	Files
Adjust nextest test execution in CI to avoid macOS Docker limitations while preserving full coverage on Linux/Windows.	Gate the existing nextest step to only run on non-macOS runners Add a macOS-specific nextest step that excludes Docker-dependent Postgres tests via a nextest filter expression while still running the thread-language suite	.github/workflows/ci.yml
Add WASM-specific C stdio header stubbing in CI to unblock wasm32-unknown-unknown builds with newer tree-sitter.	Install clang in the wasm-pack job to obtain resource headers and compiler tooling Create a minimal stdio.h stub under /tmp/wasm-stubs that defines FILE and no-op printf family functions for wasm Export CFLAGS_wasm32_unknown_unknown with include paths for the stub and clang resource headers via GITHUB_ENV	.github/workflows/ci.yml
Grant the security audit workflow the permissions needed to publish check annotations.	Add a job-level permissions block to the security_audit job granting contents: read and checks: write	.github/workflows/ci.yml
Bring various plugin, editor, bench, script, and spec files under REUSE license compliance without modifying each file.	Add aggregate SPDX annotations covering Claude plugin and context plugin paths Add aggregate SPDX annotations for the .vscode configuration directory Annotate the flow bench file, get_comments.js script, and specs directory with appropriate SPDX copyright and license identifiers	REUSE.toml
Fix a doctest compilation failure by importing the Doc trait in the tree-sitter doctest example.	Extend the doctest preamble to import thread_ast_engine::Doc alongside StrDoc so that StrDoc::root_node is available in the doctest scope	crates/ast-engine/src/tree_sitter/mod.rs

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR addresses multiple CI failures by updating workflow logic, ensuring Rust doctests compile, and expanding REUSE license annotations to cover previously unannotated paths/files.

Changes:

• Fix a doctest compilation failure by importing the Doc trait in the doctest preamble.
• Adjust CI to handle macOS runner limitations (Docker unavailable) and to unblock WASM builds by providing a minimal stdio.h stub for wasm32-unknown-unknown.
• Extend REUSE.toml annotations to cover additional directories/files missing SPDX headers.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
REUSE.toml	Adds aggregate SPDX annotations for additional paths/files to satisfy REUSE compliance without editing each file.
crates/ast-engine/src/tree_sitter/mod.rs	Updates doctest preamble to import the Doc trait so root_node() resolves.
.github/workflows/ci.yml	Splits nextest execution by OS (macOS vs others), adds WASM C header stub setup, and grants checks: write to the security audit job.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bashandbone]

@copilot we still have quite a few failures across the board here: https://github.com/knitli/thread/actions/runs/23946130256/job/69844387826?pr=140 -- please resolve

[Copilot]

@copilot we still have quite a few failures across the board here: https://github.com/knitli/thread/actions/runs/23946130256/job/69844387826?pr=140 -- please resolve

Addressed in commit 3875b43. The remaining failures were:

1. thread-flow doctests (all platforms) – Fixing the thread-ast-engine doctest exposed 5 pre-existing doc-compilation errors in thread-flow: a RapishSet typo, three RapidSet::from([...]) calls that don't work with the custom rapidhash::RandomState, and a std::collections::HashSet passed where RapidSet is required. Fixed with [...].into_iter().collect().

2. REUSE compliance (19 remaining files) – The ctx-plugin/** REUSE.toml glob annotation wasn't being honoured by the tool. Switched to .license sidecar files (the project's established pattern) for all 19 still-failing paths.

3. WASM build – My stdio.h stub worked but tree-sitter/alloc.h also includes stdlib.h, and lexer.c/parser.c/subtree.c/query.c need string.h, time.h, ctype.h, wctype.h, and assert.h. Expanded the CI step to generate stubs for all 7 headers via a Python script (avoids heredoc indentation issues).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/tree-sitter/tree-sitter/contents/lib/build.rs
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[bashandbone]

Beautiful. Nice work.