# ci.yml
name: CI

on:
  push:
    branches: [main]
  pull_request:

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: "-D warnings"
  RUST_BACKTRACE: 1
  RUST_MIN_STACK: 8388608 # 8 MiB — clap/serde-json deep recursion
  PROPTEST_CASES: 256

# Single, monolithic `gate` job. Branch protection on `main` requires this
# check (see FALSIFY-CCPA-009). Failing any step fails the gate.
jobs:
  gate:
    name: ci/gate
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history needed by check-doc-drift.sh § #15 which scans
          # `git log origin/main` to enumerate merged docs(M<NN>):
          # commits — without this CI's depth-1 checkout misses M-ids
          # other than the most-recent merge (M116).
          fetch-depth: 0

      - name: Install Rust toolchain (stable + llvm-tools-preview)
        uses: dtolnay/rust-toolchain@stable
        with:
          components: llvm-tools-preview, rustfmt, clippy

      - name: Cache cargo
        uses: Swatinem/rust-cache@v2
        with:
          cache-on-failure: true

      # cargo-binstall fetches prebuilt binaries when crates publish them,
      # falls back to `cargo install` only when none exist. Drops cold-cache
      # tool install from ~30 min (compile from source) to ~30 s.
      # Note: `@main` is an unpinned, floating ref; pinning this action to a
      # release tag or commit SHA makes the tool-install step reproducible.
      - name: Install cargo-binstall
        uses: cargo-bins/cargo-binstall@main

      - name: Install pmat / pv / cargo-llvm-cov (binstall)
        run: |
          cargo binstall --no-confirm --locked cargo-llvm-cov
          cargo binstall --no-confirm --locked pmat || cargo install --locked pmat
          cargo binstall --no-confirm --locked aprender-contracts-cli || cargo install --locked aprender-contracts-cli

      # ── FALSIFY-CCPA-012 — pv contract gate ──
      # `pv validate` is the dogfooded gate per CLAUDE.md § "DOGFOOD pv,
      # NEVER bash". Bash workarounds are forbidden.
      - name: pv validate (FALSIFY-CCPA-012)
        run: pv validate contracts/claude-code-parity-apr-v1.yaml

      # ── M6 deliverable — pv lint sweep ──
      # Cross-contract gates: enforcement level, composition, etc.
      - name: pv lint (M6 deliverable)
        run: pv lint contracts/

      # ── FALSIFY-CCPA-012 (b) — pin freshness ──
      # Bytes-only integrity check — NOT a re-implementation of pv.
      - name: pin-check (FALSIFY-CCPA-012)
        run: bash scripts/pin-check.sh contracts/pin.lock

      # ── FALSIFY-CCPA-012 (c) — companion ↔ aprender round-trip (M22) ──
      # Closes the M21 drift class: refuses companion-side contract bumps
      # whose bytes don't byte-match the aprender-side at the pinned
      # commit. Requires `contents:read` on paiml/aprender — the default
      # GITHUB_TOKEN is sufficient if aprender is in the same org or
      # public; otherwise the workflow needs an explicit token override.
      - name: pin-check-roundtrip (M22 — companion ↔ aprender drift guard)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bash scripts/pin-check-roundtrip.sh contracts/pin.lock

      # ── M22 step 4 — human-readable roll-up drift guard (M38) ──
      # Asserts spec header / status snapshot / README / CONTRIBUTING
      # M-counts all match the sub-milestones table tail, plus stated
      # gate count matches FALSIFY-CCPA-NNN row marker count. Codifies
      # the drift class M22 step 4 added on 2026-05-01 ("These are NOT
      # mechanically guarded by pin-check; a kaizen sweep is the
      # backstop"). M37 alone produced 6 drift-fix commits this catches.
      - name: check-doc-drift (M22 step 4 — kaizen backstop)
        run: bash scripts/check-doc-drift.sh

      # ── M46 — meta-test for the drift detector itself ──
      # Verifies every drift class in check-doc-drift.sh is correctly
      # caught by deliberately corrupting each, asserting the detector
      # exits 1 with the expected message, then restoring. Catches the
      # silent-regression class where a refactor breaks an assert.
      - name: test-doc-drift (M46 — drift-detector self-test)
        run: bash scripts/test-doc-drift.sh

      # ── Build + lint ──
      - name: cargo fmt --check
        run: cargo fmt --all -- --check
      - name: cargo clippy --all-targets
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings
      - name: cargo build
        run: cargo build --workspace --all-features
      - name: cargo test
        run: cargo test --workspace --all-features

      # ── FALSIFY-CCPA-011 — coverage gate ──
      # cargo-tarpaulin is forbidden per CLAUDE.md § "Prohibited Tools".
      # Contract v0.4.0 § FALSIFY-CCPA-011: >=99% function AND >=99% line
      # coverage. Both have a 1% slack to absorb the llvm-cov reporting
      # artifact for generic monomorphizations — inner-closure mangled
      # instantiations created from outside the source unit (e.g. from
      # `bin/ccpa-arena-bench.rs` via `SubprocessDriver::new<String>`)
      # count as separate uncovered "functions" even when the source-side
      # function is fully exercised by tests. The 1% slack treats this
      # as a tooling artifact rather than uncovered behavior.
      # `--ignore-filename-regex '/bin/'` excludes operator-dispatch CLI
      # binaries (e.g. ccpa-arena-bench, ccpa-trace-subproc) whose runtime
      # path is a thin Cli::parse + delegate-to-library wrapper covered
      # end-to-end by the outer bash dispatcher scripts, not by unit tests.
      # Mirrors Makefile § cov.
      - name: function + line coverage gate (FALSIFY-CCPA-011)
        run: |
          cargo llvm-cov --workspace --all-features \
            --ignore-filename-regex '/bin/' \
            --fail-under-functions 99 \
            --fail-under-lines 99

      # ── FALSIFY-CCPA-013 runtime evidence — bidirectional sensitivity test ──
      # Canonical corpus MUST pass; regression corpus MUST fail.
      # If regression somehow passes the meter is broken (false negatives).
      - name: install ccpa CLI (binary needed for next steps)
        run: cargo install --path crates/ccpa-cli --locked
      - name: canonical corpus PASSES (FALSIFY-CCPA-013 runtime evidence)
        run: ccpa corpus fixtures/canonical/
      - name: regression corpus FAILS (meter sensitivity bidirectional)
        run: |
          # The default Actions shell runs with `-e`; lift it only around the
          # command whose non-zero exit is the expected outcome.
          set +e
          ccpa corpus fixtures/regression/
          code=$?
          set -e
          if [ "$code" -eq 0 ]; then
            echo "ERROR: regression corpus passed — meter NOT detecting drift!"
            exit 1
          fi
          echo "OK: regression corpus correctly exited $code (drift detected)"

      # ── FALSIFY-CCPA-007 — corpus_coverage HARD-BLOCKING (M16) ──
      # Reachable rows = SHIPPED+PARTIAL apr-code-parity-v1 rows MINUS
      # the contract-declared OOS list. As of M15 contract v1.3.0,
      # OOS at trace boundary = {keyboard-shortcuts, status-line}.
      # See contract status_history M15 § remaining_uncovered_classification.
      # CI requires we sync the parity-matrix yaml from a known
      # aprender commit; a fork checkout would diverge.
      - name: checkout aprender for canonical apr-code-parity-v1.yaml
        uses: actions/checkout@v4
        with:
          repository: paiml/aprender
          ref: main
          path: aprender-upstream
          sparse-checkout: |
            contracts/apr-code-parity-v1.yaml
      - name: corpus_coverage hard-blocking gate (FALSIFY-CCPA-007)
        run: |
          ccpa coverage \
            --apr-code-parity-yaml aprender-upstream/contracts/apr-code-parity-v1.yaml \
            --fixtures-dir fixtures/canonical/ \
            --oos-rows keyboard-shortcuts,status-line

      # ── FALSIFY-CCPA-010 — pmat comply (is_compliant=true, no Fail-status checks) ──
      # `--strict` exits 2 on ANY Warn-status check (incl. advisory ones like
      # "Bronze reproducibility" or "missing memory profiler"). The contract's
      # gate is `is_compliant=true` — i.e. zero Fail-status checks. Warnings
      # are advisory and tracked separately in the contract's status_history.
      - name: pmat comply check (FALSIFY-CCPA-010)
        run: |
          pmat comply check --format json > comply.json
          jq -e '.is_compliant == true and ([.checks[] | select(.status == "Fail")] | length == 0)' comply.json
          warns=$(jq '[.checks[] | select(.status == "Warn")] | length' comply.json)
          echo "is_compliant=true, 0 Fails, ${warns} advisory Warns (tracked, not gating)"

      # ── FALSIFY-CCPA-009 ──
      # Enforced by GitHub branch protection, NOT by this job. After this
      # job lands on main once, follow scripts/install-branch-protection.sh
      # to require `ci/gate` as a status check on main.
      - name: Note FALSIFY-CCPA-009
        run: |
          echo "FALSIFY-CCPA-009 (ci_main_branch_green) is asserted by"
          echo "GitHub branch protection — see scripts/install-branch-protection.sh"
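The M46 drift-detector self-test and the FALSIFY-CCPA-013 bidirectional sensitivity idea (clean input must pass, deliberately broken input must fail, otherwise the detector is what is broken), shown as an added, constructed example rather than the project's own scripts/check-doc-drift.sh or scripts/test-doc-drift.sh. The three in-memory files, the three drift classes, the message texts and the regexes are all assumptions for illustration.

```python
"""Toy document-drift detector plus an M46-style self-test. Constructed
fixtures; not the project's own check-doc-drift.sh / test-doc-drift.sh."""
import re
from typing import Callable, Dict, List

# Constructed sample repo: a spec whose header states a milestone count, a
# README restating it plus a gate count, and a contract listing the gates.
CANONICAL: Dict[str, str] = {
    "SPEC.md": "# Parity spec (milestones: 46)\n| id | status |\n|---|---|\n"
               "| M45 | done |\n| M46 | done |\n",
    "README.md": "Tracking 46 milestones. Gates: 3\n",
    "contract.yaml": "gates:\n  - FALSIFY-X-001\n  - FALSIFY-X-002\n  - FALSIFY-X-003\n",
}

def detect_drift(docs: Dict[str, str]) -> List[str]:
    """One message per drift class found; an empty list means no drift."""
    spec, readme, contract = docs["SPEC.md"], docs["README.md"], docs["contract.yaml"]
    findings: List[str] = []
    tail = int(re.findall(r"^\| M(\d+) \|", spec, re.M)[-1])  # last sub-milestone row
    header = int(re.search(r"milestones: (\d+)", spec).group(1))
    if header != tail:
        findings.append(f"spec header says {header} milestones, table tail is M{tail}")
    readme_ms = int(re.search(r"Tracking (\d+) milestones", readme).group(1))
    if readme_ms != tail:
        findings.append(f"README says {readme_ms} milestones, table tail is M{tail}")
    stated = int(re.search(r"Gates: (\d+)", readme).group(1))
    actual = len(re.findall(r"^\s*- FALSIFY-", contract, re.M))
    if stated != actual:
        findings.append(f"README states {stated} gates, contract has {actual}")
    return findings

# Drift classes: (file, canonical text, corrupted text, expected message fragment).
CORRUPTIONS = {
    "spec-header": ("SPEC.md", "milestones: 46", "milestones: 45", "spec header"),
    "readme-count": ("README.md", "Tracking 46", "Tracking 44", "README says"),
    "gate-count": ("README.md", "Gates: 3", "Gates: 4", "states 4 gates"),
}

def self_test(docs: Dict[str, str],
              detector: Callable[[Dict[str, str]], List[str]] = detect_drift) -> Dict[str, bool]:
    """Bidirectional sensitivity: the clean docs must pass, and each
    deliberately corrupted copy must fail with the expected message."""
    results = {"canonical-passes": detector(docs) == []}
    for cls, (path, old, new, expected) in CORRUPTIONS.items():
        corrupted = {**docs, path: docs[path].replace(old, new)}  # copy: canonical is never touched
        assert corrupted[path] != docs[path], f"corruption {cls} did not apply"
        findings = detector(corrupted)
        results[cls] = len(findings) == 1 and expected in findings[0]
    return results
```

Passing a detector whose asserts were refactored away (for instance `lambda _: []`) to `self_test` still reports `canonical-passes` as true but every drift class as uncaught, which is exactly the silent-regression class the M46 step exists to surface.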