chore(PolicyStack): lift ahead branch chore/tick26-lift-ahead-20260611#55
Adds the standard Phenotype fleet dual-license (MIT + Apache-2.0) per FLEET_100TASK_DAG.md stage 3 (governance).
- LICENSE-MIT: 21-line standard MIT license text (Copyright 2026 Koosha Pari)
- LICENSE-APACHE: 2-line pointer to https://www.apache.org/licenses/LICENSE-2.0.txt (full text placeholder, matching the pattern used in OmniRoute, KWatch, agslag-docs, PhenoMCP, Tracera)
This brings PolicyStack in line with the rest of the fleet and unblocks any downstream consumers that check for a top-level LICENSE presence.
- Add grade.sh for stack-based grading (fast/full mode)
- Add lefthook.yml for git hook enforcement
- Add grade tasks to Taskfile.yml
- Create docs/acceptance-contracts/ directory
Walkthrough
Summary: This PR lifts ahead work from a feature branch by introducing fleet-wide grading and git hook infrastructure to PolicyStack. It adds:
The changes enable automated quality gates consistent with fleet-wide practices and should merge.
Must Fix: None identified. The PR is a straightforward infrastructure/chore update with no blocking issues.
Should Fix: grade.sh script improvements:
lefthook.yml improvements:
Consider
Approve: ✅ Approved for merge. This is a solid infrastructure update that aligns with fleet practices. The issues flagged above are improvements, not blockers. Once the should-fix items are addressed in a follow-up, the review is complete.
Walkthrough: This PR adds a comprehensive automated grading and git-hooks system. It defines
Changes: Developer Workflow Automation
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
| if [ -f "$dir/Cargo.toml" ]; then | ||
| cd "$dir" && cargo fmt -- --check && cargo clippy -- -D warnings | ||
| elif [ -f "$dir/package.json" ]; then | ||
| cd "$dir" && npx eslint --ext .ts,.tsx . 2>/dev/null || true |
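Review bot: `cd "$dir"` on both branches changes the hook's working directory for the rest of the run; if these lines sit inside the per-file loop and not in a subshell, every later `[ -f "$dir/..." ]` test and `cd` resolves against the previous file's directory instead of the repository root. Run each branch in a subshell, e.g. `( cd "$dir" && cargo fmt -- --check && cargo clippy -- -D warnings )`. The two branches also gate differently: the Rust line blocks the commit on any clippy warning, while the ESLint line ends in `2>/dev/null || true`, so a Node change can never be blocked and an error from eslint itself (missing binary, unsupported option) disappears with its stderr.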
Suggestion: Remove the unconditional success fallback for the ESLint command, or replace it with an explicit inline justification comment that names the suppressed rule and why bypassing it is required. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
This line suppresses ESLint failures with 2>/dev/null || true and provides no inline justification naming a specific rule or explaining why the suppression is necessary. That matches the custom rule against undocumented lint suppressions.
Path: lefthook.yml, line 22
| elif [ -f "$dir/package.json" ]; then | ||
| cd "$dir" && npx eslint --ext .ts,.tsx . 2>/dev/null || true | ||
| elif [ -f "$dir/pyproject.toml" ]; then | ||
| cd "$dir" && ruff check . 2>/dev/null || true |
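Review bot: with stderr discarded and `|| true` appended, the ESLint and Ruff branches report success when the tool is not installed at all (`ruff: command not found` goes to the dropped stderr), so a developer without the toolchain gets a green pre-commit with zero checks run. If missing tools are meant to be tolerated, say so explicitly, e.g. `command -v ruff >/dev/null || { echo "ruff not installed" >&2; exit 1; }`, and then let the lint result itself decide the commit.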
Suggestion: Make the Ruff check fail normally, or add an inline justification that explicitly names the suppression target and the necessity for this exception. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
The Ruff invocation is silenced and forced to succeed via 2>/dev/null || true, but there is no justification comment explaining a specific rule exception. This is a real undocumented suppression under the provided rule.
Path: lefthook.yml, line 24
| elif [ -f "$dir/pyproject.toml" ]; then | ||
| cd "$dir" && ruff check . 2>/dev/null || true | ||
| elif [ -f "$dir/go.mod" ]; then | ||
| cd "$dir" && go vet ./... 2>/dev/null || true |
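Review bot: `go vet` writes its diagnostics to stderr, so the `2>/dev/null` on the last line removes the only output this check produces; even before the `|| true`, a developer whose change trips vet sees nothing. Drop the redirect at minimum, and note that `go vet ./...` is only reached when the staged file's own directory holds `go.mod`, i.e. for files at the module root.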
Suggestion: Remove the || true suppression on the go vet command, or add a precise inline comment that names the specific rule suppression and explains why it is unavoidable. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
The go vet command is suppressed with 2>/dev/null || true without any inline justification. Since the rule flags new lint suppressions lacking a clear reason, this is a genuine violation.
Path: lefthook.yml, line 26
| # SSOT — PolicyStack | ||
|
|
||
| ## State | ||
| - Default branch: main | ||
| - Last verified: 2026-06-08 | ||
| - CI status: green | ||
| - Open PRs: 0 | ||
| - Open branches: 1 (main) | ||
| - Stashes: 0 | ||
|
|
||
| ## Dependencies | ||
| - Rust: N/A | ||
| - Node: 20 | ||
| - Python: N/A | ||
|
|
||
| ## Architecture | ||
| - Hexagonal: in progress | ||
| - Ports: N/A | ||
| - Adapters: N/A | ||
| - Domain: N/A | ||
|
|
||
| ## Next Steps | ||
| 1. [x] P0: State unification | ||
| 2. [x] P1: Tooling + governance | ||
| 3. [ ] P2: Hexagonal refactor | ||
| 4. [ ] P3: Add tests | ||
| 5. [ ] P4: Add CI | ||
|
|
||
| ## Fleet Links | ||
| - Parent: Phenotype | ||
| - Related: N/A | ||
| - Consumes: N/A | ||
| - Merged into: N/A |
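Review bot: the State block is a snapshot that the change it ships in already contradicts: `Open PRs: 0` and `Open branches: 1 (main)` while this PR and its `chore/tick26-lift-ahead-20260611` branch exist, and `CI status: green` while Next Steps still lists `[ ] P4: Add CI`. Either generate these fields from `git` and the CI API when the file is written, and say which task does that, or drop the volatile fields and keep only the roadmap and fleet links, which are the parts a reader of a single source of truth can rely on.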
Suggestion: Move this tracker document from docs/SSOT.md into the appropriate designated docs/ subdirectory (for example docs/reference/ or another tracker-specific folder) so it is not created at the top level of docs/. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
The file is a tracker-style Markdown document (state, next steps, fleet links) and it lives directly under docs/ instead of a designated subdirectory. The rule says trackers and other Markdown docs should be placed under docs/ in the appropriate subdirectory, so this is a real location violation.
Path: docs/SSOT.md, lines 1-33
Cursor Bugbot has reviewed your changes and found 7 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 48a9306.
| conventional: | ||
| run: | | ||
| # Validate conventional commit format | ||
| MSG=$(cat "$1") |
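Review bot: even once the message path is read correctly, a commit-msg hook is advisory: it runs only where lefthook is installed and is skipped by `git commit --no-verify`, so it cannot be the control that guarantees conventional messages on `main`. Repeat the same check in CI over the PR's commit range (for example `git log --format=%s base..head`) and make that the blocking one.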
Commit-msg hook wrong argument
High Severity
The commit-msg hook reads the message with cat "$1", but Lefthook inline run blocks expect the {1} template for the commit message file path. $1 is not substituted, so validation reads the wrong input and conventional-commit enforcement is unreliable.
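A commit-msg validator of the kind this hook is meant to run, written here as an added example rather than taken from PolicyStack's lefthook.yml or any fleet script. It assumes a POSIX sh with `grep -E` and `sed`; the type list, the scope character class and the merge-commit exemption are this example's own choices, not the project's. The message file path arrives as a normal positional argument, which is what Lefthook supplies when the `run:` line passes `{1}`.

```shell
#!/bin/sh
# Added example, not PolicyStack's hook: validate a commit message file
# against the Conventional Commits shape "type(scope)!: subject".
# In lefthook.yml the path must be passed with Lefthook's {1} template,
# e.g.  run: sh scripts/commit-msg.sh {1}

# Accepted types; assumed for the example, adjust to the repository's policy.
TYPES='feat|fix|chore|docs|refactor|test|perf|ci|build|style|revert'

# is_conventional MESSAGE -> 0 if the first non-comment line matches,
# 1 otherwise. Lines starting with '#' are editor comments, not content.
is_conventional() {
  first="$(printf '%s\n' "$1" | grep -v '^#' | sed -n '1p')"
  printf '%s\n' "$first" |
    grep -Eq "^($TYPES)(\([A-Za-z0-9._/-]+\))?!?: [^ ].+$"
}

# check_commit_msg_file PATH -> 0 when the file holds an acceptable
# message, 1 otherwise (with the reason on stderr).
check_commit_msg_file() {
  if [ ! -r "$1" ]; then
    echo "commit-msg: cannot read message file '$1'" >&2
    return 1
  fi
  # Merge commits keep git's own subject line; exempt them.
  if head -1 "$1" | grep -q '^Merge '; then
    return 0
  fi
  if is_conventional "$(cat "$1")"; then
    return 0
  fi
  echo "commit-msg: expected '<type>(<scope>): <subject>', got: $(sed -n '1p' "$1")" >&2
  return 1
}
```

Wire it as the hook body and the commit is rejected with the offending subject line printed, which is the feedback a developer needs at `git commit` time.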
| cd "$dir" && ruff check . 2>/dev/null || true | ||
| elif [ -f "$dir/go.mod" ]; then | ||
| cd "$dir" && go vet ./... 2>/dev/null || true | ||
| fi |
Pre-commit lint skips test dirs
Medium Severity
The lint hook resolves dirname of each staged file and only runs checks when that directory contains Cargo.toml, package.json, pyproject.toml, or go.mod. Changes under tests/ (and most subfolders) never match, so pre-commit lint silently skips the bulk of this repo’s Python tests.
| if [[ -f "Cargo.toml" ]]; then STACK="rust"; fi | ||
| if [[ -f "package.json" ]]; then STACK="node"; fi | ||
| if [[ -f "pyproject.toml" || -f "setup.py" ]]; then STACK="python"; fi | ||
| if [[ -f "go.mod" ]]; then STACK="go"; fi |
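Review bot: four independent `if` statements mean the last marker present wins, so a repository that carries more than one (a `package.json` beside a `pyproject.toml`, or a Rust workspace with a helper `package.json`) is graded as a single, possibly wrong, stack with no warning. If one stack per repository is the contract, chain these with `elif` in priority order and fail when a second marker is found; if polyglot repositories are expected, collect every marker into a list and run each stack's check set in turn.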
Stack detection last file wins
Medium Severity
grade.sh sets STACK with independent if statements, so later markers overwrite earlier ones. This repo has both package.json and pyproject.toml, so grading runs only the Python suite with hardcoded src/ paths and pip install -e '.[dev]', which do not match PolicyStack’s layout or pyproject.toml.
| elif [ -f "$dir/pyproject.toml" ]; then | ||
| cd "$dir" && ruff check . 2>/dev/null || true | ||
| elif [ -f "$dir/go.mod" ]; then | ||
| cd "$dir" && go vet ./... 2>/dev/null || true |
Pre-commit ignores lint failures
Medium Severity
Several pre-commit commands append || true (eslint, ruff, go vet, and task grade-fast), so those steps always exit successfully even when lint or fast grade fails. The hook cannot block bad commits despite appearing to run checks.
| cmds: | ||
| - lefthook install | ||
| status: | ||
| - test -f .git/hooks/lefthook |
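Review bot: `test -f .git/hooks/lefthook` hard-codes the hooks directory, which is wrong in a linked worktree (hooks live under the common git dir) and whenever `core.hooksPath` is set, as it would be if the existing `.githooks` directory is wired that way. Probe the path git actually uses and a file lefthook actually writes, e.g. `test -f "$(git rev-parse --git-path hooks)/pre-commit"`, and check the `commit-msg` and `pre-push` entrypoints this config defines as well, otherwise the status never matches and the task reinstalls on every run.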
Wrong lefthook install probe
Low Severity
The install-lefthook task’s status checks for .git/hooks/lefthook, but lefthook install installs standard hook entrypoints like pre-commit and commit-msg, not a file named lefthook. The status check never succeeds, so the task always reruns install.
| if [ -f "Justfile" ]; then | ||
| just grade | ||
| elif [ -f "Taskfile.yml" ]; then | ||
| task grade |
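Review bot: if this `if`/`elif` chain has no `else` (none is visible here), a checkout with neither runner file passes the hook without running any grade; add an `else` that names the expected file and exits non-zero so the gate fails closed. The `Justfile` test is also case-sensitive on Linux and case-insensitive on macOS and Windows, so the same commit behaves differently per developer; test for the exact filename the repository carries.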
Justfile name case mismatch
Medium Severity
Hooks test for Justfile (capital J), but this repository’s runner file is justfile. On case-insensitive filesystems the check matches and runs just grade, which has no grade recipe, instead of task grade from Taskfile.yml.
| parallel: true | ||
| commands: | ||
| editorconfig: | ||
| run: git diff --cached --name-only | xargs -n1 test -f && echo "Checking editorconfig..." |
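Review bot: `git diff --cached --name-only | xargs -n1 test -f` makes `xargs` exit 123 whenever a staged path is not a regular file on disk, so a commit that deletes or renames a file fails this command before the `&&` is reached, for a reason unrelated to EditorConfig; paths containing spaces are split by `xargs` too. Use `--diff-filter=ACMR -z` with `xargs -0`, and replace the `echo` with a real checker run over the same list (for example editorconfig-checker), or remove the command until one exists so `parallel: true` is not spending a worker on a no-op.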
Editorconfig hook is noop
Low Severity
The editorconfig pre-commit command only runs test -f on staged paths and prints “Checking editorconfig…”. It never invokes EditorConfig or any formatter, so it cannot detect EditorConfig violations.
| run_check "install" "pip install -e '.[dev]'" 1 | ||
| run_check "test-unit" "pytest -v" 3 | ||
| run_check "lint" "ruff check src" 2 | ||
| run_check "fmt" "ruff format --check src" 2 | ||
| run_check "typecheck" "mypy src" 2 | ||
| run_check "test-fuzz" "pytest -v --fuzz" 1 true | ||
| run_check "test-mutation" "mutmut run" 1 true | ||
| run_check "test-perf" "pytest -v --perf" 1 true | ||
| run_check "coverage" "pytest --cov=src --cov-report=term-missing --cov-fail-under=85" 2 true | ||
| run_check "security" "bandit -r src" 1 | ||
| run_check "audit" "pip-audit" 1 true |
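Review bot: `pytest -v --fuzz` and `pytest -v --perf` use options pytest does not define; unless a `conftest.py` registers them through `pytest_addoption`, pytest exits with "unrecognized arguments" and the checks are recorded as failures of the code rather than of the configuration. Separately, the trailing `true` on `audit` (`pip-audit`, the dependency-vulnerability check) exempts it from fast mode while `fmt` always runs, so the pre-commit path never sees a known-vulnerable dependency; if only one of the two may be skipped, the formatter is the cheaper one to lose.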
🟠 Architect Review — HIGH
The Python grading path assumes a pip-installed .[dev] extra and a top-level src/ package, but this repo's Python workflow is uv/Taskfile-based with no dev extra and no src/ directory, so task grade (and the pre-push hook that runs it) will consistently fail for environment/layout reasons rather than actual project quality.
Suggestion: Align the Python checks with this repository's existing contract (uv/Taskfile commands, real package paths, and declared extras), or make Python stack detection adaptive/opt-out for this repo so pre-push only blocks on checks that match the current Python toolchain and layout.
Path: grade.sh, lines 97-107
| if [[ "$FAST" == true && "$fast_skip" == true ]]; then | ||
| CHECKS+=("{\"name\":\"$name\",\"status\":\"skipped\",\"score\":0,\"max\":$weight,\"detail\":\"skipped in fast mode\"}") | ||
| return 0 | ||
| fi | ||
|
|
||
| MAX=$((MAX + weight)) | ||
| if eval "$cmd" 2>&1 | tee "$REPORT_DIR/${name}.log" >"$REPORT_DIR/${name}.raw" 2>&1; then |
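Review bot: the `if` on the last line tests the exit status of the pipeline, which in bash is the status of its last command, `tee`, not of `eval "$cmd"`; unless the script sets `set -o pipefail` (not visible in this hunk), a failing check whose output tee copies successfully is scored as a pass, which inverts the purpose of the gate. Either enable pipefail at the top of the script or avoid the pipe entirely: `eval "$cmd" >"$REPORT_DIR/${name}.log" 2>&1`, test that status, and copy or print the log afterwards. As written the `.log` and `.raw` files also receive identical bytes (tee writes one, the redirect the other), so one of them is redundant.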
Suggestion: In fast mode, skipped checks keep their original max value in per-check records but are excluded from global MAX, so report totals become inconsistent and percentages are not comparable to the check table. Set skipped check max to 0 or include skipped weights in global totals consistently. [logic error]
Severity Level: Major ⚠️
- ⚠️ `grade-fast` summaries inconsistent with per-check weights and scores.
- ⚠️ Developers misjudge quality when skipped checks inflate the aggregate percentage.
Steps of Reproduction ✅
1. Run fast grading through `task grade-fast` (Task defined at
`/workspace/PolicyStack/Taskfile.yml:217-220`, executing `./grade.sh --fast`) or via the
lefthook `pre-commit.test-fast` command at `/workspace/PolicyStack/lefthook.yml:35-44`,
which calls `task grade-fast` when source files change.
2. With `--fast`, `grade.sh` sets `FAST=true` in its argument parsing (lines `15-22`), and
then processes checks for the detected stack (e.g., Python at `grade.sh:96-108` or Go at
`70-79`), some of which are marked as heavy by passing `true` as the `fast_skip` argument.
3. For any heavy check (such as Python coverage at `grade.sh:66` or Go race tests at `76`)
where `fast_skip=true`, the `if` block at `grade.sh:46-48` executes: it appends a JSON
record with `"status":"skipped","score":0,"max":$weight` to `CHECKS` and returns early
without executing the command.
4. Because these skipped checks return before line `51`, their weights are not added to
the global `MAX` accumulator, so the summary percentage computed at `grade.sh:127-132`
uses a denominator that excludes skipped checks, while the per-check records in JSON/HTML
(constructed at `141-157` and `162-193`) still display the original `max` values for
skipped checks, making the aggregate `SCORE/MAX` percentage inconsistent with the detailed
check weights developers see in reports.
Path: grade.sh, lines 46-52
| local detail="$(head -5 "$REPORT_DIR/${name}.raw" | tr '\n' ' ')" | ||
| CHECKS+=("{\"name\":\"$name\",\"status\":\"fail\",\"score\":0,\"max\":$weight,\"detail\":\"$detail\"}") |
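Review bot: beyond quotes and backslashes, `head -5 ... | tr '\n' ' '` passes through whatever else the tool wrote, including ANSI colour escapes from ruff, pytest or cargo when they believe they are on a terminal, and raw control characters; none of these are legal inside a JSON string. Force plain output (`NO_COLOR=1`, or `--color=never` where the tool supports it) and escape `detail` before interpolation. `${name}` is interpolated unescaped on the same line, so keep check names to `[A-Za-z0-9_-]`.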
Suggestion: Failed command output is injected into JSON strings without escaping, so any quote or backslash in command output can produce invalid JSON in reports. Escape detail properly (or build JSON with a serializer) before appending to CHECKS. [type error]
Severity Level: Major ⚠️
- ❌ `task grade-json` may emit invalid JSON grade report files.
- ⚠️ Downstream JSON consumers break parsing on errorful grade runs.
Steps of Reproduction ✅
1. Invoke JSON grading via `task grade-json` from the project root (Task `grade-json` is
defined at `/workspace/PolicyStack/Taskfile.yml:222-225` and runs `./grade.sh --json`),
which sets `JSON=true` in `grade.sh` argument parsing at lines `15-22`.
2. Ensure at least one check fails; for example, because there is no `src/` directory, the
Python lint/typecheck/security checks at `grade.sh:99-101,105-106` fail when
`STACK="python"`, writing error output into `.grade-reports/<name>.raw`.
3. On each failure, `run_check` at `grade.sh:57-58` reads the first five lines of the
command's raw output into `detail` using `head -5 "$REPORT_DIR/${name}.raw" | tr '\n' '
'`, then interpolates `$detail` directly into a JSON-like string appended to the `CHECKS`
array, without escaping embedded quotes or backslashes from the tool output.
4. When the JSON block at `grade.sh:142-157` writes `$REPORT_DIR/grade.json`, it inlines
`$(IFS=,; echo "${CHECKS[*]}")` into the `"checks"` array; any `detail` containing
characters such as `"` or `\` (common in CLI error messages) produces syntactically
invalid JSON, so the generated `grade.json` cannot be parsed reliably by downstream tools.
Path: grade.sh, lines 57-58
| run_check "audit" "npm audit --audit-level=moderate" 1 | ||
| ;; | ||
| python) | ||
| run_check "install" "pip install -e '.[dev]'" 1 |
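Review bot: `npm audit` and `pip install -e '.[dev]'` both need network access (registry queries, dependency resolution), so the pre-push grade fails on an offline machine for reasons unrelated to code quality, and `pip install -e` re-runs the project's build backend on every push. Installation and vulnerability auditing belong in CI against a lockfile; if they stay in the hook, mark them fast-skippable and make the install idempotent (skip it when the package already imports).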
Suggestion: The Python install step calls pip install -e '.[dev]', but this repository's pyproject.toml does not define a dev extra, so the install check will fail immediately and force the whole grade to fail. Use the project's actual dependency workflow (the repo already uses uv in Taskfile) or install without a nonexistent extra. [api mismatch]
Severity Level: Major ⚠️
- ❌ Python install check always fails due to missing 'dev' extra.
- ⚠️ Grade summary includes avoidable failure, reducing trust in tool.
Steps of Reproduction ✅
1. From the repository root `/workspace/PolicyStack`, note that `pyproject.toml` exists
(verified at `/workspace/PolicyStack/pyproject.toml:1-8`), so `grade.sh` will detect
`STACK="python"` via the stack detection logic at `grade.sh:26-31`.
2. Run `task grade` (Taskfile target defined at
`/workspace/PolicyStack/Taskfile.yml:212-215`), which executes `./grade.sh` and therefore
enters the `python)` case in `grade.sh` at lines `96-108`.
3. Inside the Python case, the install check at `grade.sh:97` runs `run_check "install"
"pip install -e '.[dev]'" 1`, invoking `pip install -e '.[dev]'` in the project root.
4. Inspect `pyproject.toml` at `/workspace/PolicyStack/pyproject.toml:5-32` and observe
there is no `[project.optional-dependencies]` or `dev` extra defined, so `pip install -e
'.[dev]'` fails on every run; `run_check` treats the non-zero exit as a failed check, and
`grade.sh` always records the Python install step as `[FAIL] install` for this repository.
Path: grade.sh, line 97
| run_check "lint" "ruff check src" 2 | ||
| run_check "fmt" "ruff format --check src" 2 | ||
| run_check "typecheck" "mypy src" 2 | ||
| run_check "test-fuzz" "pytest -v --fuzz" 1 true | ||
| run_check "test-mutation" "mutmut run" 1 true | ||
| run_check "test-perf" "pytest -v --perf" 1 true | ||
| run_check "coverage" "pytest --cov=src --cov-report=term-missing --cov-fail-under=85" 2 true | ||
| run_check "security" "bandit -r src" 1 |
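Review bot: the weights rank `fmt` (2) above `security` (1), so a bandit finding costs half of what a formatting diff costs in the overall percentage, and a score threshold built on these weights can be passed with an open security finding as long as formatting, lint and types are clean. Make `security` fail the grade outright regardless of weight, or at least weight it no lower than the style checks.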
Suggestion: These Python checks are hardcoded to src, but this repo has no top-level src/ directory, so lint/typecheck/security/coverage checks fail due to wrong paths rather than real quality issues. Point checks at the real Python locations used by the project. [incorrect variable usage]
Severity Level: Critical 🚨
- ❌ Pre-push `task grade` fails from ruff,mypy,bandit on src.
- ⚠️ Developers blocked pushing despite healthy tests and real sources.
Steps of Reproduction ✅
1. List the project root (`/workspace/PolicyStack`) and observe there is no top-level
`src/` directory (confirmed by `ls` output), while Python sources live in files like
`policy_lib.py`, `resolve.py`, and under `cli/src/policy_federation` (see
`/workspace/PolicyStack/cli/src/policy_federation/*.py` from the Glob results).
2. Confirm the project is Python-based via `Taskfile.yml:8-29`, where `PROJECT_LANG`
chooses `python` when `pyproject.toml` exists, and note the Python build/test tasks set
`PYTHONPATH` to include `cli/src` (e.g., `Taskfile.yml:52-56` and `100-104`), reinforcing
that the real source tree is not `src/`.
3. Run `task grade` (defined at `/workspace/PolicyStack/Taskfile.yml:212-215`) or trigger
the pre-push hook defined in `/workspace/PolicyStack/lefthook.yml:63-73`, which both
execute `./grade.sh` and cause `grade.sh` to detect `STACK="python"` (lines `26-31`) and
enter the Python case at `grade.sh:96-108`.
4. In the Python case, `grade.sh` runs several checks against `src` at lines `99-101` and
`105-106`: `ruff check src`, `ruff format --check src`, `mypy src`, `pytest --cov=src
--cov-report=term-missing --cov-fail-under=85`, and `bandit -r src`; because `src/` does
not exist in this repo, these commands fail due to bad paths, causing multiple checks to
be marked as failed and pushing the overall grade percentage (computed at
`grade.sh:127-132`) below the configured pass threshold even when the actual Python
sources and tests are healthy.
Path: grade.sh, lines 99-106
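The `run_check` shown in the grade.sh hunks above records the status of its `eval ... | tee` pipeline and interpolates raw tool output into JSON strings. What follows is an added example of the same function written so that the tested status is the command's own and every string is escaped before it reaches the report; it is not PolicyStack's code. `REPORT_DIR`, `SCORE`, `MAX`, `CHECKS` and `grade_json` are names chosen here to mirror the review's description of grade.sh, and `CHECKS` is kept as a comma-joined string rather than a bash array so the script stays POSIX sh.

```shell
#!/bin/sh
# Added example, not grade.sh's own code: a run_check that keeps the checked
# command's exit status (no eval, no tee pipeline) and writes JSON-safe
# records. Variable and function names are assumptions mirroring the review.
set -u

REPORT_DIR="${REPORT_DIR:-$(mktemp -d)}"
CHECKS=""   # comma-joined JSON objects
SCORE=0
MAX=0

# Escape a value for use inside a JSON string literal: backslash first, then
# double quote. Newlines, CRs and tabs become spaces; they are illegal raw
# inside a JSON string, and the report wants a one-line detail anyway.
json_escape() {
  printf '%s' "$1" | tr '\n\r\t' '   ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# check_record NAME STATUS SCORE MAX DETAIL -> one JSON object on stdout.
check_record() {
  printf '{"name":"%s","status":"%s","score":%d,"max":%d,"detail":"%s"}' \
    "$(json_escape "$1")" "$2" "$3" "$4" "$(json_escape "$5")"
}

# run_check NAME WEIGHT CMD [ARGS...]
# CMD runs directly with its output redirected to a log file, so the status
# examined is CMD's own. With the `cmd 2>&1 | tee log` form the status seen
# by `if` is tee's (always 0) unless pipefail is enabled.
run_check() {
  name="$1"; weight="$2"; shift 2
  log="$REPORT_DIR/$name.log"
  MAX=$((MAX + weight))
  "$@" >"$log" 2>&1
  rc=$?
  if [ "$rc" -eq 0 ]; then
    SCORE=$((SCORE + weight))
    record="$(check_record "$name" pass "$weight" "$weight" "")"
  else
    # First lines of the failing tool's output, escaped by check_record.
    detail="$(head -5 "$log")"
    record="$(check_record "$name" fail 0 "$weight" "exit $rc: $detail")"
  fi
  CHECKS="${CHECKS}${CHECKS:+,}${record}"
  return "$rc"
}

# grade_json -> the whole report as one JSON document on stdout.
grade_json() {
  printf '{"score":%d,"max":%d,"checks":[%s]}\n' "$SCORE" "$MAX" "$CHECKS"
}
```

Because `run_check` returns the command's status, a caller that wants the grade to continue past failures writes `run_check lint 2 ruff check cli/src || true` explicitly, and a caller that wants fail-fast for `security` simply omits the `|| true`.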
User description
Lifts ahead work via squash.
Note
Medium Risk
Pre-push runs full grade with generic stack checks that may not match this repo's uv/Taskfile Python workflow and can block pushes; lefthook coexists with existing .githooks until developers switch installs.
Overview
Introduces fleet-wide project grading via new grade.sh (stack detection for Rust/Node/Python/Go, weighted checks, --fast/--json/--html, fail below 85%) and wires it through Taskfile (grade, grade-fast, grade-json, grade-html, install-lefthook).
Adds lefthook.yml with pre-commit lint/test-fast on changed files, conventional commit validation on commit-msg, and full task grade on pre-push (replacing or overlapping existing .githooks behavior once lefthook is installed).
Governance and hygiene: PR template simplified to Summary/Changes/Testing/Related; .gitignore ignores .grade-reports/; MIT license added and Apache-2.0 placeholder; docs/SSOT.md documents PolicyStack state and roadmap; empty docs/acceptance-contracts/.gitkeep placeholder.
CodeAnt-AI Description
Add project grading, git hooks, and repository governance files
What Changed
Impact
- ✅ Clearer pre-push checks
- ✅ Faster local verification
- ✅ Easier report review