fix: repair ci coverage lint and security steps

flyingrobots · flyingrobots · commit ea7295f1ef59 · 2025-10-19T20:33:57.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -42,7 +42,10 @@ jobs:
           cmake ninja-build \
           clang-tidy-${{ env.LLVM_VERSION }} \
           clang-format-${{ env.LLVM_VERSION }} \
-          valgrind
+          valgrind \
+          python3-pip
+        python3 -m pip install --user semgrep
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
 
     - name: Configure CMake
       env:
@@ -167,8 +170,8 @@ jobs:
 
     - name: Test
       run: |
-        LLVM_PROFILE_FILE="coverage-%p.profraw" ctest --test-dir build --output-on-failure
-        llvm-profdata-18 merge -sparse coverage-*.profraw -o coverage.profdata
+        LLVM_PROFILE_FILE="build/coverage-%p.profraw" ctest --test-dir build --output-on-failure
+        llvm-profdata-18 merge -sparse build/coverage-*.profraw -o coverage.profdata
         llvm-cov-18 report ./build/bin/* -instr-profile=coverage.profdata
         # Export LCOV for Codecov
         llvm-cov-18 export ./build/bin/* -instr-profile=coverage.profdata -format=lcov > coverage.lcov
diff --git a/AGENTS.md b/AGENTS.md
@@ -90,3 +90,5 @@ See [docs/guides/DEBRIEF_FORMAT.md](docs/guides/DEBRIEF_FORMAT.md) for the JSONL
 {"date":"2025-10-15","time":"20:15","summary":"Imported the Phase 1 structural scaffolding for DPOI/QCA while keeping the placeholder runtime intact and lint-ready.","topics":[{"topic":"Phase 1 structural imports","what":"Added port direction enums, interface signatures, attachment update scaffolding, and dual epochs to headers","why":"Phase 1 requires structural types in place before integrating matcher and commit behavior","context":"docs/dpoi-qca-integration-plan.md prescribes typed ports and epochs from the XTRA drop","issue":"Runtime headers lacked the data needed to express typed ports and attachment epochs","resolution":"Extended rmg/rule headers with the new structs and ensured constructors zero-initialize them for future phases","future_work":"Consume the new definitions in matcher and commit logic during Phases 2-4","time_percent":40},{"topic":"Test and build updates","what":"Updated rule helpers and unit tests to initialize and assert defaults for the new fields","why":"Need verification that the placeholder runtime stays consistent until behavior is wired in","context":"Existing tests only covered baseline matching and ticks","issue":"Without checks the new structs could regress unnoticed","resolution":"Initialized port caps to UINT16_MAX, asserted zeroed interface data, and left runtime logic untouched","future_work":"Add behavior-driven tests once matcher and commit pathways read these fields","time_percent":35},{"topic":"Verification constraints","what":"Rebuilt, ran ctest, and attempted clang-tidy under STRICTNESS_GOD_TIER","why":"Maintain the tidy→integrate→tidy workflow","context":"Phase 1 acceptance requires a lint pass","issue":"Local environment is missing the clang-tidy binary","resolution":"Captured the failure after confirming build and test success","future_work":"Re-run clang-tidy -p build once the tool is installed or available in CI","time_percent":25}],"key_decisions":["Retain UINT16_MAX defaults for new node port caps until matcher enforcement lands","Defer GitHub issue creation to the next agent while noting the requirement"],"action_items":[{"task":"Run clang-tidy -p build after installing clang-tidy to validate STRICTNESS_GOD_TIER compliance","owner":"Next agent"},{"task":"Create live GitHub issues for Phase 0/1 trackers when repository access permits","owner":"Next agent"}]}
 
 {"date": "2025-10-20", "time": "20:17", "summary": "Removed the committed build-asan artifacts, reran build/test/clang-tidy with the LLVM toolchain on PATH, and recorded results for PR #70 cleanup.", "topics": [{"topic": "Build artifact purge", "what": "Deleted tracked build-asan CTest files and ensured the ignore patterns cover all generated build directories.", "why": "Reviewer flagged the committed build outputs as critical noise in PR #70.", "context": "Phase 0 baseline must stay lint-clean without generated artefacts in version control.", "issue": "build-asan/CTestTestfile.cmake files remained tracked despite .gitignore entries.", "resolution": "Removed the files via script, confirmed git now shows deletions, and verified .gitignore patterns with ripgrep.", "future_work": "Commit the deletions once the review batch is finalized.", "time_percent": 45}, {"topic": "STRICTNESS_GOD_TIER verification", "what": "Reconfigured CMake build, ran ctest, and executed the clang-tidy wrapper with the Homebrew LLVM binaries in PATH.", "why": "Need to answer reviewer questions about the GNU-GON-CRY-GOD-TIER-SUPERSTRICT\u2122 job and ensure lint/build stay green.", "context": "Earlier CI logs showed clang-tidy failures due to reserved identifiers and missing headers.", "issue": "Local shell lacked clang-tidy on PATH so the wrapper aborted silently.", "resolution": "Prepended /opt/homebrew/opt/llvm/bin to PATH, reran the script, and observed zero actionable diagnostics (only suppressed system warnings).", "future_work": "Document the PATH requirement for macOS developers if it keeps recurring.", "time_percent": 55}], "key_decisions": ["Keep relying on the existing .gitignore patterns and treat PATH adjustments as the preferred local fix for clang-tidy access."], "action_items": [{"task": "Stage and commit the build-asan deletions alongside the lint toolchain notes when preparing the next PR update.", "owner": "James"}]}
+
+{"date": "2025-10-20", "time": "20:33", "summary": "Patched CI coverage, clang-tidy, and security audit regressions introduced after the last cleanup push.", "topics": [{"topic": "Coverage pipeline", "what": "Directed LLVM_PROFILE_FILE output into build/ so profraw files survive the merge step.", "why": "Codecov job aborted because it could not find coverage-*.profraw after ctest finished in the build directory.", "context": "ctest runs inside build/, while merge commands executed from repo root.", "issue": "The glob coverage-*.profraw looked in the wrong directory and matched nothing.", "resolution": "Updated ci.yml to write and merge build/coverage-*.profraw before generating LCOV.", "future_work": "Verify Codecov receives data on the next CI run.", "time_percent": 35}, {"topic": "STRICTNESS_GOD_TIER fixes", "what": "Replaced the digits static_assert with _Static_assert and trimmed the timeval fallback that needed <sys/time.h>.", "why": "GNU-GON-CRY-GOD-TIER-SUPERSTRICT\u2122 flagged readability-implicit-bool-conversion and missing header usage in src/error.c and src/qca.c.", "context": "CI caught regressions after the previous lint-friendly refactor removed _POSIX_C_SOURCE.", "issue": "static_assert was expanded via macro and triggered implicit bool conversion; the timeval fallback required headers rejected by clang-tidy.", "resolution": "Used the keyword _Static_assert and simplified the monotonic timer fallback to rely on timespec_get, eliminating the disputed include.", "future_work": "Restore a portable fallback only if a real-world target lacks TIME_UTC support.", "time_percent": 40}, {"topic": "Security audit tooling", "what": "Ensured semgrep is installed in the Quality Matrix workflow before invoking scripts/security-audit.sh.", "why": "Release configuration failed because Semgrep was missing on GitHub runners.", "context": "scripts/security-audit.sh expects semgrep on PATH and aborts when absent.", "issue": "The workflow only provisioned LLVM/cmake/valgrind, not Semgrep.", "resolution": "Added python3-pip plus a user-level install of semgrep and exported ~/.local/bin to PATH.", "future_work": "Monitor the Release matrix to confirm semgrep stays available and adjust if we move to pipx.", "time_percent": 25}], "key_decisions": ["Accept the simpler monotonic timer fallback (timespec_get only) to avoid reintroducing platform-specific headers."], "action_items": [{"task": "Watch the next CI cycle and confirm coverage + security jobs succeed with the updated workflow.", "owner": "James"}]}
diff --git a/src/error.c b/src/error.c
@@ -207,8 +207,8 @@ metagraph_builder_append_unsigned(metagraph_message_builder_t *builder,
         base = 10U;
     }
     char digits[64];
-    static_assert(sizeof(digits) >= 64,
-                  "digits buffer must accommodate 64-bit conversion");
+    _Static_assert(sizeof digits >= 64U,
+                   "digits buffer must accommodate 64-bit conversion");
     const char *alphabet = "0123456789abcdef";
     if (uppercase) {
         alphabet = "0123456789ABCDEF";
diff --git a/src/qca.c b/src/qca.c
@@ -5,8 +5,6 @@
 #include <time.h>
 #ifdef __APPLE__
 #include <mach/mach_time.h>
-#else
-#include <sys/time.h>
 #endif
 
 #include "metagraph/qca.h"
@@ -181,13 +179,7 @@ static bool metagraph_monotonic_now(struct timespec *out) {
         return true;
     }
 
-    struct timeval wall_time;
-    if (gettimeofday(&wall_time, NULL) != 0) {
-        return false;
-    }
-    out->tv_sec = wall_time.tv_sec;
-    out->tv_nsec = (long)wall_time.tv_usec * 1000L;
-    return true;
+    return false;
 #endif
 }
 
