fix(lifecycle): fail closed on inconclusive npm ghost probes #399

Merged: Drswith merged 1 commit into main from cursor/critical-quantex-cli-bugs-0b29 on Jul 1, 2026

@cursor cursor Bot commented Jul 1, 2026

Summary

Fail closed when npm ghost-state recovery cannot conclusively determine whether a tracked package is absent. Scoped npm presence probing now distinguishes present, absent, and unknown, preserves state on structured npm errors, and treats an existing package entry as present even when its version is unreadable.

Linked Artifacts

  • Issue:
  • ADR:
  • OpenSpec: openspec/changes/fix-npm-ghost-probe-false-positive
  • Discussion:

Validation

  • bun run memory:check
  • bun run lint
  • bun run format:check
  • bun run typecheck
  • bun run test (if behavior changed)
  • Not run, explained below

Release Intent

  • Release: not applicable - docs/process/test-only change
  • Release: patch - bug fix
  • Release: minor - user-facing feature
  • Release: major - breaking change

Docs Updated

  • Not needed
  • docs/...
  • openspec/...
  • Follow-up issue or OpenSpec change created instead

Scope Check

  • I did not add a new ad hoc root-level Markdown file.
  • I updated the relevant issue, ADR, spec, runbook, or captured the missing doc work as follow-up.
  • I did not silently expand project scope without recording it explicitly.

Closure Check

  • Working tree was clean after commit.
  • Branch was pushed and this PR is the active delivery artifact.
  • OpenSpec change is not needed, still active by design until merge, already archived, or queued for agent-driven archive closure.
  • Release is not applicable, delegated to release automation, or verified.

Notes

Reproduced on current main: when npm list -g --depth=0 --json exits non-zero while stdout still shows the target package at version 2.0.0, getInstalledVersion() returns undefined; the uninstall ghost-state path interprets that as confirmed absence and removes tracked state.

The final branch contains one maintainer-authored commit. Local validation passes with 61 test files and 646 tests.

npm global list probing returned undefined on any non-zero exit without
parsing stdout, so ghost uninstall recovery could clear tracked state
while the managed package was still installed.

Use scoped npm list probes with present/absent/unknown outcomes and only
recover ghost state when absence is confirmed.
@Drswith Drswith force-pushed the cursor/critical-quantex-cli-bugs-0b29 branch from a7ce2d9 to 9925317 Compare July 1, 2026 10:42
@Drswith Drswith marked this pull request as ready for review July 1, 2026 10:44
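
The present/absent/unknown probing described in the summary and commit message above, as an added TypeScript example that is not part of this PR or of Quantex's code. The function names, the package name example-agent, the sample outputs and the exact decision rules are assumptions; the point shown is that stdout is parsed even on a non-zero exit and that only a clean listing without the entry counts as absent.

```typescript
// Added example. All names, sample outputs and rules here are assumptions,
// not Quantex code. Input models `npm list -g --depth=0 --json`.
type Presence = "present" | "absent" | "unknown";
interface ProbeResult { exitCode: number; stdout: string }

function classifyNpmPresence(pkg: string, probe: ProbeResult): Presence {
  let parsed: unknown;
  try {
    parsed = JSON.parse(probe.stdout);
  } catch {
    return "unknown"; // unparseable output proves nothing about absence
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return "unknown";
  }
  const doc = parsed as Record<string, unknown>;
  const deps = doc.dependencies;
  // An entry counts as present regardless of exit code or a readable version.
  if (typeof deps === "object" && deps !== null &&
      Object.prototype.hasOwnProperty.call(deps, pkg)) {
    return "present";
  }
  // Non-zero exit or a structured npm error without an entry is inconclusive.
  if (probe.exitCode !== 0 || "error" in doc) return "unknown";
  return "absent";
}

// Fail closed: tracked state may be cleared only on confirmed absence.
function mayClearTrackedState(presence: Presence): boolean {
  return presence === "absent";
}

// Constructed sample probe results (not captured from a real npm run).
const SAMPLES: Record<string, ProbeResult> = {
  listedButFailed: { exitCode: 1, stdout:
    '{"dependencies":{"example-agent":{"version":"2.0.0"}},"error":{"code":"ELSPROBLEMS"}}' },
  noVersion: { exitCode: 0, stdout: '{"dependencies":{"example-agent":{}}}' },
  npmError: { exitCode: 1, stdout: '{"error":{"code":"EACCES","summary":"constructed"}}' },
  garbage: { exitCode: 0, stdout: "npm WARN constructed non-JSON output" },
  cleanAbsent: { exitCode: 0, stdout: '{"dependencies":{"other-tool":{"version":"1.0.0"}}}' },
};
function classifySamples(): Record<string, Presence> {
  const out: Record<string, Presence> = {};
  for (const name of Object.keys(SAMPLES)) {
    out[name] = classifyNpmPresence("example-agent", SAMPLES[name]);
  }
  return out;
}
console.log(classifySamples());
```
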

@cursor cursor Bot left a comment

Quantex PR Governance — PR #399

Verdict: No blocking governance issues. Merge-ready after maintainer review. Not approving.

OpenSpec intake

  • Correctly classified as behavior change (agent-update ghost recovery).
  • Active change fix-npm-ghost-probe-false-positive includes proposal, design, spec delta, and completed tasks.
  • bun run openspec:validate passes; change status is complete.
  • Archive closure remains post-merge (expected); OpenSpec Archive agent should merge the new npm inconclusive scenario additively into openspec/specs/agent-update/spec.md.

Validation

  • Surface is lifecycle/package-manager behavior with tests — lint, format:check, typecheck, test, and memory:check are appropriate.
  • CI is green: classify, lint, full test matrix, sandbox-tests, PR body validation.
  • No evidence of blind CI patching; fix is targeted with regression coverage.

PR body / closure

  • Template sections present; bun run pr:body:check passes locally.
  • Release intent patch matches fix(lifecycle): commit metadata.
  • Closure check correctly states OpenSpec change stays active until archive follow-up.

Non-blocking

  • No linked issue for the regression context (acceptable if reproduced on main).
  • Validation checklist omits bun run openspec:validate (change validates cleanly).
  • Spec delta re-lists existing ghost-recovery scenarios; archive PR must add only the npm inconclusive scenario.
  • Final commit is maintainer-authored on a Cursor branch; human maintainer review still owns merge judgment for lifecycle surface.

Post-merge owners

  • Archive: OpenSpec Archive agent
  • Release: release-please patch via protected main CI

Sent by Cursor Automation: Quantex CLI PR Governance

- **THEN** Quantex does not remove the installed-agent state entry
- **AND** the uninstall command reports failure

#### Scenario: Ghost recovery does not run when npm presence probing is inconclusive

Non-blocking (archive follow-up): this delta re-lists the existing ghost-recovery requirement. Archive agent should merge additively — add only the npm inconclusive-probe scenario to openspec/specs/agent-update/spec.md, without duplicating or dropping prior scenarios.

@Drswith Drswith merged commit 8bd2d1b into main Jul 1, 2026
11 checks passed
@Drswith Drswith deleted the cursor/critical-quantex-cli-bugs-0b29 branch July 1, 2026 10:47
@cursor cursor Bot mentioned this pull request Jul 1, 2026
18 tasks