Skip to content

fix: deep audit PR B — API-gate bypass, broken-stack conflation, duplicated import walls#37

Merged
Jammy2211 merged 1 commit into
mainfrom
feature/assistant-deep-audit-tooling
Jul 8, 2026
Merged

fix: deep audit PR B — API-gate bypass, broken-stack conflation, duplicated import walls#37
Jammy2211 merged 1 commit into
mainfrom
feature/assistant-deep-audit-tooling

Conversation

@Jammy2211

Copy link
Copy Markdown
Collaborator

Part of #35 (deep audit, phase B of C — do not auto-close). Tooling robustness: fixes the three gate/audit bugs confirmed during the phase-A skill review.

What changed

  1. Gate bypass fixedPYAUTO_SKIP_API_GATE=1 as a command prefix now works. The hook only read its own process env, so the escape hatch documented in AGENTS.md and the gate skill could never fire per-command. The prefix is now detected in the command text (.claude/hooks/validate_pyauto_code.py).
  2. Broken stack ≠ symbol drift — when the stack fails to import (e.g. the workspace version check), validate_source now separates import-failed roots (reported once, truncated to 200 chars) from genuine staleness; --code/--file exit 3 (INSTALL_IMPORT_FAILED) instead of 2, and the hook fails open on exit 3 — the command surfaces the same import error itself. Previously every symbol was marked STALE with the full multi-paragraph error repeated per symbol.
  3. Deduplicated import walls--check-install / --check-version group identical errors: one message naming all affected modules, instead of the same wall three times.
  4. Makefile gains audit / test targets; al_audit_skill_apis.md documents the exit-3 contract and both bypass forms.

Validation

  • Full tooling suite: 39 passed (3 new regression tests: command-prefix bypass, broken-stack-once-not-stale, grouped-error rendering).
  • Both failure modes re-verified live against the currently version-mismatched stack (grouped single wall; --code exit 3 with the concise environment message).

Deliberately not changed

  • version.txt pin (2026.5.29.4 vs installed 2026.7.6.649, the standing Heart finding) — release-owned; PyAutoBuild stamps it when a release regenerates the baseline. Hand-bumping against a main dev build would fake a release state. The mismatch error itself documents the workspace_version_check: False remedy for main-tracking users.
  • activate.sh, config/ — reviewed, sound.

🤖 Generated with Claude Code

…walls

Three confirmed tooling bugs from the phase-A audit (issue #35):

1. The documented per-command bypass (PYAUTO_SKIP_API_GATE=1 as a
   command prefix) could never work — the hook read only its own
   process env. The hook now also detects the prefix in the command
   text.
2. A stack that fails to import (e.g. the workspace version check)
   marked every symbol STALE and repeated the full multi-paragraph
   import error once per symbol. validate_source now separates
   import-failed roots (truncated, reported once) from genuine
   staleness; the gate exits 3 (INSTALL_IMPORT_FAILED) instead of 2
   and the hook fails open on it — the command surfaces the same
   import error itself, and a broken env is not API drift.
3. --check-install/--check-version printed the identical import wall
   once per library (3x for a version mismatch); identical errors are
   now grouped and printed once, naming all affected modules.

Also: Makefile gains audit/test targets; the gate skill documents the
exit-3 contract and both bypass forms. Three new regression tests pin
the fixes; full tooling suite 39 passed. The version pin
(2026.5.29.4 vs installed dev build) is deliberately untouched —
version.txt is release-owned and hand-bumping it would fake a release
state.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Jammy2211 Jammy2211 marked this pull request as ready for review July 8, 2026 17:25
@Jammy2211 Jammy2211 merged commit b0ff0f1 into main Jul 8, 2026
1 check passed
@Jammy2211 Jammy2211 deleted the feature/assistant-deep-audit-tooling branch July 8, 2026 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant