CI: fail build when audit-harness citation markers leak into compiled output #1678
marcin-kordas-hoc wants to merge 4 commits into
Conversation
… output

Adds a post-build scan step to `.github/workflows/build.yml` that greps `dist/`, `commonjs/`, and `es/` for two internal-only marker patterns:

- `\[V[0-9]+\]` — audit-harness citation markers used in spec drafts
- `§[[:space:]]*Sources` — section heading used in audit-harness footers

Both are conventions from the audit-harness tooling and belong in internal docs/prompts only. If they ever appear in compiled JS it means a comment or string literal slipped through from a spec draft into shipped output — the scan fails the workflow with the offending file path and line number.

The step runs after `npm run bundle-all` (which produces the three output directories) and skips gracefully if a directory is missing, so unrelated build failures aren't masked by this guardrail.

Manual verification:
- Synthesized `dist/foo.js` containing both markers — grep matched both lines and exited 1 with a clear message.
- Repeated with clean JS — grep exited 0.
- Repeated with no output dirs — step exited 0 (skip path).
Performance comparison of head (b9a7ba2) vs base (508d78f)
Bugbot review #3296952334 flagged that the `if grep ...` form treats grep's exit code 2 (scan/IO error) identically to exit code 1 (no matches) — so a permission or read error on dist/, commonjs/, or es/ would silently green-light the step. Split the rc into 0/1/other and fail the step explicitly on any non-zero, non-1 result.
Validates the build.yml marker-scan step against synthetic fixtures: clean
build, marker in dist/*.js, marker in dist/*.js.map (sourcesContent), marker
in commonjs/*.js, marker in es/*.mjs. Wired as a single self-test step in
build.yml that runs once per OS (node 22, ci install).
Empirically confirmed (probed by planting a marker in src/index.ts and
running `npm run bundle-all`) that source comments survive into:
- commonjs/index.js and es/index.mjs (babel preserves comments)
- dist/hyperformula{,.full}.js (webpack development build preserves comments)
- dist/hyperformula.js.map (`sourcesContent` embeds full original source)
All three surfaces are inside the existing `grep -rn dist commonjs es` scope,
so the scan already covers source-maps. The new self-test pins this behavior
so a future bundler/comment-stripping change cannot silently erode coverage.
Tier-2 hardening: integration test for marker scan + source-map coverage

Added Empirical answer to the SFDIPOT P0 question — do source-maps carry source comments? Yes. Probed by planting
The existing Also added an inline comment block in Verification (local):
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 1083965.
…test cannot drift

The verify step in build.yml previously inlined the audit-marker grep logic while scripts/test-marker-scan.sh kept its own duplicate copy. A workflow-only edit could silently desynchronize the live scan from the self-test fixtures that are supposed to guard it.

Move the scan into scripts/marker-scan.sh as a single parameterized entry point (accepts paths as $@, exit 0=clean, 1=dirty, 2+=error). The workflow step now invokes `bash scripts/marker-scan.sh dist commonjs es`, and the self-test drives the SAME script against synthetic fixture roots.
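The exit-code contract described in the Bugbot follow-up and in this commit (0 = clean, 1 = markers found, 2 = grep I/O error, missing dirs skipped), as an added stand-alone sketch that is not the project's `scripts/marker-scan.sh`; the fixture directories and the `make_fixture`/`scan_fixture` helpers are constructed here for illustration:

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/marker-scan.sh: a stand-alone sketch
# of the scan semantics described in the PR.  Usage: marker_scan DIR...
# Exit codes: 0 = clean, 1 = markers found, 2 = grep I/O error (not "no match").
MARKER_PATTERN='\[V[0-9]+\]|§[[:space:]]*Sources'

marker_scan() {
  found=0
  for d in "$@"; do
    # A missing output dir is skipped so an unrelated build failure is not masked.
    [ -d "$d" ] || continue
    rc=0
    grep -rnE "$MARKER_PATTERN" "$d" || rc=$?
    case "$rc" in
      0) found=1 ;;                       # grep printed path:line:text for each hit
      1) ;;                               # grep exit 1 = no match in this dir = clean
      *) echo "ERROR: grep failed on $d with exit code $rc" >&2; return 2 ;;
    esac
  done
  if [ "$found" -eq 1 ]; then
    echo "ERROR: audit-harness markers leaked into build output (see lines above)" >&2
    return 1
  fi
  return 0
}

# Constructed fixtures mirroring the PR's synthetic self-test: clean / dirty / missing dirs.
make_fixture() {   # make_fixture ROOT MODE
  root=$1; mode=$2
  if [ "$mode" = missing ]; then return 0; fi
  mkdir -p "$root/dist" "$root/commonjs" "$root/es"
  printf 'export const x = 1;\n' > "$root/es/index.mjs"
  printf 'module.exports = {};\n' > "$root/commonjs/index.js"
  if [ "$mode" = dirty ]; then
    # Marker hidden in a source map's sourcesContent, the surface the PR probes.
    printf '{"sourcesContent":["// see [V3]\\n// § Sources"]}\n' > "$root/dist/foo.js.map"
  fi
  printf 'var y = 2;\n' > "$root/dist/foo.js"
}

scan_fixture() {   # scan_fixture MODE -> prints the scan's exit code
  root=$(mktemp -d)
  make_fixture "$root" "$1"
  rc=0
  ( cd "$root" && marker_scan dist commonjs es >/dev/null 2>&1 ) || rc=$?
  rm -rf "$root"
  echo "$rc"
}
```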
Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff            @@
##           develop    #1678   +/-   ##
========================================
  Coverage    97.16%   97.16%
========================================
  Files          175      175
  Lines        15319    15319
  Branches      3356     3356
========================================
  Hits         14884    14884
  Misses         427      427
  Partials         8        8

Summary

Adds a defensive post-build scan to `.github/workflows/build.yml` that fails the workflow if internal audit-harness markers leak into compiled JS output.

The markers (`[V<n>]` citation tags and `§Sources` footers) are an internal convention used in spec drafts and agent prompts. They must never appear in shipped JS — if they do, something slipped from a comment/string literal in source into bundled output.

What changed

- `.github/workflows/build.yml`: new "Verify no audit-harness markers leaked into build output" step, placed immediately after the existing Build (`npm run bundle-all`) step.
- Greps `dist/`, `commonjs/`, `es/` for the patterns and exits 1 with the offending path and line number on hit.

Patterns

- `\[V[0-9]+\]` matches `[V1]`, `[V12]`
- `§[[:space:]]*Sources` matches `§Sources` (or `§ Sources`)

Why

Tiny, self-contained guardrail. No new dependency on external repos or npm packages — just a few lines of bash with `grep -rnE`. Fires on the same matrix as the existing build (Node 20/22/24 across Linux/Windows/macOS), but since the step uses `shell: bash` it runs identically everywhere.

Test plan

- `dist/foo.js` containing `[V3]` and `§Sources` triggers exit 1 with line-numbered output

Note
Low Risk

Changes only CI workflow and bash verification scripts; no runtime library or auth/data paths are modified.

Overview

Adds a post-build CI gate so internal audit-harness tokens (`[V<n>]` citations and `§Sources` footers) cannot ship in compiled artifacts.

After `npm run bundle-all`, "Verify no audit-harness markers leaked into build output" runs `scripts/marker-scan.sh` over `dist`, `commonjs`, and `es`, failing the job when `grep` finds those patterns (including in `*.js.map` via `sourcesContent`). A follow-up step runs `scripts/test-marker-scan.sh` on one matrix slice (Node 22 + `npm ci`) so the live scan and synthetic fixtures stay aligned.

`scripts/marker-scan.sh` centralizes the scan (skips missing dirs, distinguishes grep “no match” vs I/O errors). `scripts/test-marker-scan.sh` asserts clean vs dirty fixtures across webpack dist, source maps, CommonJS, and ESM outputs.

Reviewed by Cursor Bugbot for commit b9a7ba2.