
fix(foreman): scope-overlap check catches Go files in new directories #962

Open
Defilan wants to merge 2 commits into defilantech:main from Defilan:foreman/run-20260702-201215/issue-907


@Defilan Defilan commented Jul 3, 2026


What

Fixes the coder gate's scope-overlap check so it sees a Go file created in a brand-new untracked directory.

Why

Fixes #907

The scope-overlap check enumerated the coder's changed Go files via `git status --porcelain`. Porcelain lists untracked files in already-tracked directories fine, but it collapses a brand-new untracked directory to a single `newdir/` entry — which fails the `.go` suffix filter, so an out-of-scope Go file created in a new directory slipped past the check.

(Note: the original issue described this as the check "diffing committed history" / being "blind pre-commit." On inspection the pre-change code was `git status --porcelain`, not a `base...HEAD` diff, so it did see most uncommitted changes — the real, narrower gap is the new-directory collapse above. The fix is the same either way.)

How

Replace the porcelain scan with `git add -A` followed by `git diff --name-only --cached HEAD`, which lists each new file individually (including files in new directories). This mirrors the established working-tree-diff approach used by the reference-grounding check (#906).

Safety of `git add -A` inside the gate: it runs pre-commit, but the executor's commit path (`repo.Commit`) runs its own `git add -A` immediately before `git commit -s`, so the committed file set is identical regardless of what the gate staged — no junk inclusion, no interference. This is the same documented-safe pattern as #906.

The regression test models the actual fixed case (a Go file in a new directory) and the diff drops two flags (`--src-prefix`/`--dst-prefix`) that are inert with `--name-only`.

Authored by Foreman, LLMKube's agentic coder harness (local model on the lab fleet); the maintainer adversarially reviewed the git-side-effect safety, corrected the diagnosis/test, and takes responsibility per the AI-assisted contribution policy.

Checklist

  • Tests added/updated
  • `make test` passes locally
  • `make lint` passes locally (+ `GOOS=linux golangci-lint`, 0 issues)
  • Commit messages follow conventional commits
  • All commits are signed off (`git commit -s`) per DCO
  • AI assistance (if any) is disclosed above, per `CONTRIBUTING.md`
  • Documentation updated (if user-facing change) - internal gate check, no user-facing surface
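
The gap described in this PR, reproduced as an added example that is not part of the original post or the project's code: the same suffix-and-scope filter is run over both listing formats, and only the name-only listing surfaces the Go file in the new directory. The git output strings, the `scratch.go` and `newdir/helper.go` paths, and the helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `git status --porcelain` output: a modified tracked file, an untracked
// file in a tracked directory, and a new directory holding newdir/helper.go.
const porcelainOut = " M pkg/foreman/agent/coder_gate.go\n?? pkg/foreman/agent/scratch.go\n?? newdir/\n"

// Constructed `git diff --name-only --cached HEAD` output for the same tree after `git add -A`.
const nameOnlyOut = "newdir/helper.go\npkg/foreman/agent/coder_gate.go\npkg/foreman/agent/scratch.go\n"

// porcelainPaths (hypothetical helper) strips the two status columns and the space after them.
func porcelainPaths(out string) []string {
	var paths []string
	for _, line := range strings.Split(out, "\n") {
		if len(line) > 3 {
			paths = append(paths, line[3:])
		}
	}
	return paths
}

// nameOnlyPaths (hypothetical helper) reads one path per line.
func nameOnlyPaths(out string) []string {
	return strings.Split(strings.TrimSpace(out), "\n")
}

// goDrift applies the .go suffix filter, then reports files outside the allowed set.
func goDrift(paths []string, allowed map[string]bool) []string {
	var drift []string
	for _, p := range paths {
		if strings.HasSuffix(p, ".go") && !allowed[p] {
			drift = append(drift, p)
		}
	}
	return drift
}

func main() {
	allowed := map[string]bool{"pkg/foreman/agent/coder_gate.go": true}
	fmt.Println("porcelain:", goDrift(porcelainPaths(porcelainOut), allowed)) // misses newdir/helper.go
	fmt.Println("name-only:", goDrift(nameOnlyPaths(nameOnlyOut), allowed))
}
```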

Defilan added 2 commits July 2, 2026 20:18
The scope-overlap check (defilantech#782) called `dirtyPathSet` which used
`git status --porcelain` to enumerate changed files. However, at gate
time the coder's edits are uncommitted and any new file is untracked,
so `git status --porcelain` misses them. The gate runs as
VerifyTerminal before the executor commits, so the check was blind to
new untracked files.

Mirror the fix applied to the reference-grounding check in defilantech#906: stage
everything with `git add -A` and diff against HEAD with
`git diff --name-only --cached`, which surfaces both staged and
unstaged changes including untracked new files. `--src-prefix=a/` and
`--dst-prefix=b/` are forced so the output is a clean path list, not
unified-diff path-prefix output (the `c/`/`i/` gotcha).

A new regression test (`TestCheckScopeOverlap_CatchesUntrackedNewFile`)
confirms the scope-overlap check flags drift when the coder adds a new
file outside the relevant set. Existing tests are updated to use the
new `diffRunner` seam.

Fixes defilantech#907

Signed-off-by: Foreman Bot <chris@mahercode.io>
… diff flags

Review polish. The prior scope-overlap path (git status --porcelain)
already saw untracked files in tracked dirs; the real gap it missed was
a Go file in a brand-new untracked directory, which porcelain collapses
to a single "newdir/" entry that fails the .go suffix filter. Point the
regression test at that actual case and correct its comment. Also drop
--src-prefix/--dst-prefix from the diff: they are inert with --name-only
(the c/i prefix gotcha only affects unified-diff parsers).

Refs defilantech#907

Signed-off-by: Christopher Maher <chris@mahercode.io>

codecov Bot commented Jul 3, 2026


Codecov Report

❌ Patch coverage is 66.66667% with 6 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/foreman/agent/coder_gate.go | 66.66% | 3 Missing and 3 partials ⚠️ |


Development

Successfully merging this pull request may close these issues.

[BUG] Coder-gate scope-overlap check is blind pre-commit (diffs committed history, but the gate runs before commit)
