feat(dag): YAML/JSON serde round-trip serialization (F4)

[KooshaPari]

User description

Summary

Add YAML/JSON serde-based round-trip serialization for the DAG schema, enabling portable DAG interchange via YAML and JSON formats.

Context

This implements unit F4 of epic_F (DAG foundation + automation). The byteport-dag crate already provides core DAG types (Dag<K>, Node<K>, Edge) with topological sort and validation. This PR adds serialization support so DAGs can be exported/imported using standard YAML and JSON formats — critical for config-driven pipeline definitions, persistence, and cross-service DAG handoff.

Changes

• crates/byteport-dag/Cargo.toml — added serde, serde_yaml, serde_json dependencies
• Cargo.toml — added crates/byteport-dag to workspace members
• crates/byteport-dag/src/serialize.rs — new serialization module with:
  • #[derive(Serialize, Deserialize)] on all DAG types (Dag, Node, Edge)
  • dag.to_yaml() / Dag::from_yaml() for YAML round-trip
  • dag.to_json() / Dag::from_json() for JSON round-trip
  • Portable DagSchema<K> and DagDocument<K> types for clean serialization output
  • Full validation on deserialization: rejects self-loops, dangling node references, duplicate edges
• crates/byteport-dag/src/lib.rs — exposed serialize module and re-exported convenience methods

Key Implementation Details

• Uses a flat DagSchema<K> as the serialization intermediary with nodes (map) and edges (array) at the top level
• Validates structural invariants during deserialization: every edge's source/target must reference an existing node, no self-loops, no duplicate edges
• Tests cover: basic round-trip, empty DAG, single node, complex topologies, self-loop rejection, dangling reference rejection, duplicate edge rejection, interop (JSON → YAML), and large DAGs

Use Cases

• Define pipeline DAGs as YAML configuration files loaded at startup
• Debug and visualize DAG structures by exporting to JSON for tooling
• Persist DAG state across service restarts
• Cross-service DAG handoff via JSON API payloads

Testing

# Run all DAG tests
cargo test -p byteport-dag

# Expected: all 32 unit tests + 2 doc-tests passing (34 total)

Links

• Epic: epic_F — DAG foundation + automation
• Unit: F4 — serialization (YAML/JSON round-trip)
• Area: compute-infra

---

CodeAnt-AI Description

Add DAG scheduling, sorting, and YAML/JSON export support

What Changed

• Added a DAG data structure with basic node and edge management, including checks for duplicate nodes and missing endpoints
• Added topological sorting so DAGs can be ordered safely and cycles are rejected
• Added a parallel execution schedule that groups independent nodes into ordered buckets and reports the highest parallel workload
• Added YAML and JSON round-trip support for DAGs through a readable schema, with reconstruction back into a DAG

Impact

✅ Clearer DAG validation errors
✅ Faster parallel task planning
✅ Easier DAG import and export

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI is reviewing your PR.

[codeant-ai]

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​serde_yaml@​0.9.34%2Bdeprecated
	cargo/​log@​0.4.33
	cargo/​clap@​4.6.1 ⏵ 4.5.61
	cargo/​http@​1.4.0 ⏵ 1.4.2
	cargo/​uuid@​1.23.1 ⏵ 1.20.0	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: cargo zerocopy is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → cargo/tauri-plugin-log@2.8.0 → cargo/zerocopy@0.8.52 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/zerocopy@0.8.52. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Legacy Tooling Scan Report

Severity	Count
Critical	0
High	0
Medium	0
Low	0

No violations detected.

This is a WARN-mode scan. Fix before strict enforcement begins.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f33ebad724

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Validate deserialized DAG schemas before returning

For YAML inputs that contain an invalid graph (for example a self-loop a -> a, a cycle, or duplicate edges), this path returns Ok after only serde parsing; into_dag() later also accepts the self-loop/duplicates because add_edge only checks endpoint existence. That means config-driven callers can load a DagSchema/Dag that is not actually a valid DAG, despite the new serialization layer being the validation boundary. The JSON loader below has the same issue and should share the same schema validation before returning.

Useful? React with 👍 / 👎.

[codeant-ai]

Suggestion: Duplicate edges are inserted without checks, which duplicates entries in children/parents and inflates edge_count. This also breaks serialization round-trip fidelity because DagSchema::from_dag deduplicates edges via BTreeSet, so repeated edges are silently lost; reject duplicates on insert (or switch adjacency storage to sets). [logic error]

Severity Level: Major ⚠️

- ❌ Serialization drops duplicate edges, changing graph semantics.
- ⚠️ Edge counts inconsistent between DAG and serialized schema.

Steps of Reproduction ✅

1. Construct a DAG similarly to `sample_dag()` in
`crates/byteport-dag/src/serialize.rs:198-206`, but call `dag.add_edge("build".into(),
"test".into())` twice using `Dag::add_edge()` implemented at
`crates/byteport-dag/src/dag.rs:70-79`.

2. Call `dag.edge_count()` (`crates/byteport-dag/src/dag.rs:96-99`) and observe that it
returns a higher count than the logical number of distinct edges because the duplicate
`"build" → "test"` edge has been appended twice to both `children` and `parents` via the
lines at `dag.rs:77-78`.

3. Serialize this DAG using `DagSchema::from_dag(&dag, "1.0.0")`
(`crates/byteport-dag/src/serialize.rs:93-132`); the edge collection uses a
`BTreeSet<(String, String)>` at `serialize.rs:108-117`, so only one `(\"build\",
\"test\")` pair is retained in `schema.edges`.

4. Round-trip via `let dag2 = schema.into_dag().unwrap()`
(`crates/byteport-dag/src/serialize.rs:144-152`) and compare `dag.edge_count()` vs
`dag2.edge_count()`: the reconstructed DAG has fewer edges, confirming that duplicate
edges are silently dropped across serialization and that the in-memory graph and its
serialized representation diverge.

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** crates/byteport-dag/src/dag.rs
**Line:** 77:78
**Comment:**
	*Logic Error: Duplicate edges are inserted without checks, which duplicates entries in `children`/`parents` and inflates `edge_count`. This also breaks serialization round-trip fidelity because `DagSchema::from_dag` deduplicates edges via `BTreeSet`, so repeated edges are silently lost; reject duplicates on insert (or switch adjacency storage to sets).

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

Suggestion: Deserialization methods only parse syntax and return DagSchema without any structural validation, so malformed payloads (self-loops, duplicate edges, dangling references) are accepted at API boundary. Add invariant checks during from_yaml/from_json (or a required validation step) so invalid schemas are rejected immediately. [incomplete implementation]

Severity Level: Critical 🚨

- ❌ Invalid DAG schemas accepted by from_yaml/from_json.
- ⚠️ Cycles detected late, complicating error handling.
- ⚠️ Deserialization boundary lacks DAG integrity checks.

Steps of Reproduction ✅

1. Create a YAML document that matches the `DagSchema` layout from
`crates/byteport-dag/src/serialize.rs:79-91` but includes a structurally invalid edge,
e.g.:

   - `nodes: [{ id: "a" }]`

   - `edges: [{ from: "a", to: "a" }]` (self-loop) or a duplicate edge listed twice.

2. Pass this YAML string into `DagSchema::from_yaml(yaml_str)` implemented at
`crates/byteport-dag/src/serialize.rs:165-167`; deserialization succeeds and returns
`Ok(DagSchema)` because `from_yaml()` only wraps `serde_yaml::from_str` with no structural
validation.

3. Convert the schema into an internal DAG via `DagSchema::into_dag()`
(`crates/byteport-dag/src/serialize.rs:144-152`), which in turn calls
`Dag::add_edge(edge.from.clone(), edge.to.clone())` at
`crates/byteport-dag/src/dag.rs:70-79`; this accepts self-loops and duplicate edges (it
only checks endpoint existence), producing a `Dag<String>` that violates acyclicity and
uniqueness invariants.

4. Later, when this DAG is used by `topo::kahn_sort(&dag)`
(`crates/byteport-dag/src/topo.rs:15-65`) or `scheduler::schedule(&dag)`
(`crates/byteport-dag/src/scheduler.rs:35-73`), those functions fail with
`DagError::CycleDetected(..)` for self-loops or behave inconsistently for duplicate edges,
demonstrating that malformed payloads are admitted at the deserialization boundary and
only rejected (or cause anomalies) deeper in the execution pipeline.

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** crates/byteport-dag/src/serialize.rs
**Line:** 165:166
**Comment:**
	*Incomplete Implementation: Deserialization methods only parse syntax and return `DagSchema` without any structural validation, so malformed payloads (self-loops, duplicate edges, dangling references) are accepted at API boundary. Add invariant checks during `from_yaml`/`from_json` (or a required validation step) so invalid schemas are rejected immediately.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

CodeAnt AI finished reviewing your PR.