feat(health): constraints_wellformed signal (parse-only, hermetic)

[njhensley]

Summary

Adds the third graded health signal, constraints_wellformed, to pkg/health. It grades every leaf recipe on parse-only constraint well-formedness — fully hermetic (no snapshot, no cluster, no network).

Motivation / Context

ADR-009 (Recipe Health Tracking, V1) calls for a graded constraints_wellformed signal. The ADR's original phrasing ("inline replay under --no-cluster is clean") is not achievable offline: the only evaluator (constraints.Evaluate) extracts a snapshot value before parsing and rejects a nil snapshot, so with no snapshot there is no clean replay to run. The V1 signal is therefore parse-only well-formedness; snapshot-dependent constraint replay is explicitly deferred to the validation/evidence axis (coverage_declared_vs_run).

Fixes: #1227
Related: #1224 (epic), #1225 / #1226 (deps), #1228 / #1229 (consumers)

Type of Change

• New feature (non-breaking change that adds functionality)
• Documentation update

Component(s) Affected

• Recipe engine / data (pkg/recipe)
• Docs/examples (docs/, examples/)
• Other: pkg/health (structural health scoring)

Implementation Notes

• Primary (graded fail): for every merged Constraint, classifyConstraintsWellformed calls the exported, snapshot-free parsers directly — constraints.ParseConstraintPath(c.Name) and constraints.ParseConstraintExpression(c.Value). Any parse failure is fail, naming the offending constraint and parser error in Detail. A malformed constraint is never a silent pass.
• Secondary (graded warn): the leaf is resolved through BuildFromCriteriaWithEvaluator with an injected satisfied-stub evaluator (satisfiedEvaluator) so the constraint-aware path executes with no cluster data; any resulting ConstraintWarnings/ExcludedOverlays surface as warn. NOTE: those fields are only populated on a non-passing verdict, so under the satisfied stub the warn branch does not fire today — composition problems surface instead as resolve errors. The branch is the correct reading of a resolved result, is forward-compatible with a future evaluator wired into this path, and is unit-tested via direct injection. This is documented honestly in the code/doc comments.
• Single build: computeCombo now resolves once via BuildFromCriteriaWithEvaluator(satisfiedEvaluator). With every constraint satisfied this merges exactly the overlays BuildFromCriteria would (no cluster-dependent exclusions), so the existing resolves/chart_pinned grades are unchanged while the result additionally carries the merged constraints and any warnings the new signal reads.
• Seam: no pkg/validator import — acyclic integration is pkg/health → pkg/constraints → pkg/recipe.
• Drive-by (separate commit): fixed a stale pkg/recipe/builder.go doc comment that referenced a non-existent validator.EvaluateConstraint; the real mechanism is constraints.Evaluate (see pkg/client/v1). Flagged in the issue.
• Docs: updated pkg/health/doc.go and synced the now-inaccurate ADR-009 spec-table row + compute-budget premise (the ADR still described the superseded --no-cluster replay design).

This change went through a four-persona agent review (architect/correctness, determinism, test/QA, docs/consistency); their convergent finding — that the warn branch is inert under the satisfied stub while the comments overclaimed it — was addressed by making every comment honest and keeping the (correct, forward-compatible, unit-tested) wiring.

Testing

CGO_ENABLED=1 go test -race ./pkg/health/...      # ok
golangci-lint run -c .golangci.yaml ./pkg/health/... ./pkg/recipe/...   # 0 issues
go vet ./pkg/health/... && go build ./...          # clean

• All pkg/health tests pass under -race (new: table-driven TestClassifyConstraintsWellformed, end-to-end TestComputeConstraintsWellformedFailThroughBuilder, four-signal TestComputeAllDimensionsCoexistAndRollUpClean).
• Coverage pkg/health: 97.6% → 98.0% (+0.4%); all new functions at 100%.

Risk Assessment

• Low — Additive structural signal in an offline scoring package not yet wired into CLI/API (consumers are aicr recipe list: add structural-health + coverage columns #1228/tools/health generator + make targets + public recipe-health matrix #1229). Existing graded dimensions verified unchanged. Easy to revert.

Rollout notes: N/A — no user-facing surface changes; hermetic and deterministic.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality
• I updated docs if user-facing behavior changed
• Changes follow existing patterns in the codebase
• Commits are cryptographically signed (git commit -S)

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements the constraints_wellformed graded dimension for recipe health scoring as specified in ADR-009, adding parse-only, snapshot-free constraint validation to the health compute pipeline. The implementation introduces a stub satisfiedEvaluator to drive hermetic constraint-aware resolution without cluster dependency, then classifies constraints by inspecting parsed expressions, merge paths, and resolution-produced warnings or exclusions. The dimension integrates into the existing rollup with fail/warn/pass precedence. Supporting documentation is updated across the ADR, package docs, and builder comments, while comprehensive unit and builder integration tests validate both failure modes (malformed constraints) and warning scenarios (resolution metadata).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• #1227 (pkg/health: constraints_wellformed signal) – This PR directly implements the acceptance criteria: adds parse-only well-formedness checks via snapshot-free parsers, uses stub evaluator for hermetic resolution, surfaces warnings/exclusions as warn grade, never silently passes malformed constraints, and validates the four-dimension rollup end-to-end.
• #1225 (health rollup) – The new dimension is folded into the existing rollup logic, so this PR depends on the rollup framework being in place and validates correct precedence ordering.

Possibly related PRs

• NVIDIA/aicr#1291 – Extends the core resolves signal implementation in pkg/health by modifying computeCombo and adding new constraint-wellformed grading that integrates with the existing dimension classification.
• NVIDIA/aicr#1293 – Both PRs add new structural dimensions computed on successful resolution within computeCombo/StructureHealth and update the associated rollup logic.

Suggested labels

theme/recipes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(health): constraints_wellformed signal (parse-only, hermetic)' clearly summarizes the main feature addition: a new health signal dimension for constraint well-formedness that is parse-only and hermetic, matching the primary change across all modified files.
Description check	✅ Passed	The PR description is detailed and directly related to the changeset, explaining the motivation for parse-only constraint checking, implementation approach, testing, and risk assessment, all aligned with the code changes shown in the summary.
Linked Issues check	✅ Passed	The PR fully addresses issue #1227's requirements: implements parse-only hermetic constraints_wellformed signal via snapshot-free parsers [primary], resolves with injected stub evaluator [secondary], maintains acyclic seam without pkg/validator import, and includes comprehensive table-driven and end-to-end tests validating fail/warn/pass cases hermetically.
Out of Scope Changes check	✅ Passed	All changes are in scope: core implementation in pkg/health/health.go, test additions in pkg/health/health_test.go, documentation updates in pkg/health/doc.go and docs/design/009-recipe-health-tracking.md, and a targeted drive-by fix to pkg/recipe/builder.go doc comment addressing a non-existent symbol reference flagged in the issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/009-recipe-health-tracking.md`:
- Around line 208-218: Update the ADR so its tense/state is consistent: either
change the ADR status block from "Proposed — design-only; not implemented." to
reflect that behavior is "shipped" or reword the "Compute budget." paragraph
(the sentence beginning "As shipped, V1's `constraints_wellformed`...") to
clearly mark it as intended/design-only; for example prepend "As designed for
V1," or "Intended behavior (V1):" and keep `constraints_wellformed` referenced
as design intent; ensure the ADR status text and the `Compute budget.` paragraph
use matching language so readers can tell current behavior from future intent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 597a3c00-741a-4217-89be-4baabe14662c

📥 Commits

Reviewing files that changed from the base of the PR and between 6c14530 and 3041229.

📒 Files selected for processing (5)

• docs/design/009-recipe-health-tracking.md
• pkg/health/doc.go
• pkg/health/health.go
• pkg/health/health_test.go
• pkg/recipe/builder.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/design/009-recipe-health-tracking.md (1)

5-5: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update ADR status to reflect implementation in this PR.

Line 5 marks this ADR as "Proposed — 2026-05-30 (design-only; not implemented)," but this PR implements the constraints_wellformed dimension (per the PR summary: "Adds a third graded health signal, constraints_wellformed, to pkg/health"). The body language at lines 208-220 and 176 describes the feature as current behavior using present tense ("is specified," "is therefore").

Update the status block to reflect that V1 structural signals (including constraints_wellformed) are now implemented, while the deferred validation axis remains design intent. This ensures readers can distinguish current behavior from future intent.

📝 Suggested status block update

-**Proposed** — 2026-05-30 (design-only; not implemented).
+**Accepted** — 2026-05-30. V1 structural signals (§2) implemented; validation axis (§3) deferred.

Then update Line 7-12 to clarify what is implemented vs. deferred:

 This Architecture Decision Record (ADR) specifies the V1 contract for
 computing, recording, and publishing
-recipe health across every supported criteria combination. The package
-layout, CLI surface, generator, and CI workflow described below are intent,
-not current behavior. Implementation will be tracked under a follow-on epic
-once this ADR is accepted.
+recipe health across every supported criteria combination. V1 structural
+soundness signals (§2) are implemented; the validation-posture axis (§3),
+generator (§5), and publication workflow (§5) remain design intent pending
+first evidence attestation.

Based on learnings, documentation should "Clearly distinguish current behavior from future intent in documentation."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/009-recipe-health-tracking.md` at line 5, Update the ADR status
block to mark the V1 structural health signals as implemented: change the
"Proposed — 2026-05-30" status to indicate "Implemented" (or "Implemented —
2026-05-30") and explicitly state that the new constraints_wellformed signal
(implemented in pkg/health) and the other V1 structural signals are now live;
also clarify that the separate "validation" axis remains a design
intent/deferred item so readers can distinguish current behavior from future
work. Reference the constraints_wellformed signal and pkg/health in the status
text and adjust surrounding present-tense wording to consistently reflect
implemented behavior versus deferred intent.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/design/009-recipe-health-tracking.md`:
- Line 5: Update the ADR status block to mark the V1 structural health signals
as implemented: change the "Proposed — 2026-05-30" status to indicate
"Implemented" (or "Implemented — 2026-05-30") and explicitly state that the new
constraints_wellformed signal (implemented in pkg/health) and the other V1
structural signals are now live; also clarify that the separate "validation"
axis remains a design intent/deferred item so readers can distinguish current
behavior from future work. Reference the constraints_wellformed signal and
pkg/health in the status text and adjust surrounding present-tense wording to
consistently reflect implemented behavior versus deferred intent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: fa789684-6b08-44e0-b9cf-7e1e964caa22

📥 Commits

Reviewing files that changed from the base of the PR and between 3041229 and 45ad126.

📒 Files selected for processing (1)

• docs/design/009-recipe-health-tracking.md