Conversation
README advertised MIT while all three manifests said ISC and no LICENSE file existed (VR-hyg-01; D3 ruled MIT). Copies in cli/sdk so both npm tarballs ship the license text.
'partial' (some reverts failed) exited 0 with an info-level summary, so CI proceeded past a botched rewind. Match sibling batch commands: status !== 'success' exits 2 with an error-level log, per the documented headless contract.
SDK JSDoc, tutorials, example README, and skill file referenced APIs that never existed (ctx.exportTable, ctx.reset, noorm/sdk imports, db create --name, noorm help). v1-audit VR-api-03, VR-docs-02/03/04/05.
Unescaped names from config could break out of the identifier and inject DDL against system databases (QL-sec-01). Names now route through dialect quoting; config save rejects quote, bracket, and semicolon characters in server-dialect database names.
All zero-reference per v1 audit (AP-dead-01/03/05/06, AP-yagni-01, QL-sec-03, QL-xrepo-02). Spec: docs/spec/v1-09-dead-purge.md.
A mid-truncate failure skipped the enable-FK bookend, leaving MSSQL's per-table NOCHECK persistently off. Enable statements now always run; the original error still surfaces. TransferResult gains fkChecksRestored so a swallowed FK restore failure is visible in CLI/JSON output. (QL-safe-01, QL-safe-05)
--yes never reached checkProtectedConfig, so operator-role configs failed headless despite the documented flag. Threads yes through CreateContextOptions and unifies NOORM_YES truthiness in isEnvTruthy.
A misconfigured TEST_* env var pointed the destructive integration suite at whatever it resolved to. Non-test-looking database names now fail before any statement runs (QL-safe-06).
Plaintext-credential exports and the encrypted state file landed at umask default (0644, world-readable). chmod-after-write mirrors saveKeyPair: covers platforms where writeFile mode is unreliable and fixes pre-existing files. QL-sec-05, QL-sec-06.
Agents can connect/disconnect but had no way to check what they're currently connected to. Adds a read-only status command returning connected configs and the active config, giving hasConnection/ listConnections their production callers (closes AP-yagni-06, D9).
Bare --passphrase flag leaked via ps/shell history and accepted 1-character passphrases. Adds MIN_PASSPHRASE_LENGTH (12) enforced on encrypt only, and a masked @clack/prompts fallback when the flag is omitted on a TTY; --passphrase remains the documented CI escape hatch.
meta.version held a dead 0.0.0 literal; --define replaces identifiers, not strings, so compiled binaries reported 0.0.0.
A ./sql-style settings value was seeded verbatim into the directory list but compared against relative() paths, rendering a phantom "./sql — 0 files" row that runs nothing when selected.
Entries carried a sql/ prefix that never matches the documented contract (docs/guide/sql-files/organization.md), so Run Build filtered every file out.
Headless builds (SDK/CLI/MCP, db.reset) ran every discovered file, ignoring the settings.build include/exclude and rules the TUI applies. BEHAVIOR: callers relying on unfiltered headless builds now get the documented filtered set.
Example showed baseDir '/project' with sql/-prefixed patterns, contradicting the sql-dir-relative contract both call sites follow.
Eager discoverFiles threw on a missing sql dir where runBuild resolves a failed BatchResult — db reset crashed to exit 1.
Deleting an applied change also removes its DB tracking row, so admin gets confirm (not allow) — same posture as config:rm and db:destroy. Closes the v1-44 UAT policy bypass at the model layer; TUI/CLI/SDK gates follow.
Mirrors ChangeRevertScreen's checkConfigPolicy + SmartConfirm pattern. Viewer is denied outright; operator/admin both hit the confirm cell (deleting an applied change also drops its DB tracking row).
Mirrors config rm: viewer denied before any prompt, operator/admin confirm via --yes/NOORM_YES (isYesMode), no TTY prompt substitute. Also fixes NOORM_YES not being honored by the old ad-hoc confirm.
Mirrors apply/revert/ff/rewind checkProtectedConfig call shape. Admin is not frictionless here (confirm cell, not allow) since deleting an applied change also drops its DB tracking row.
Implementation-time contracts; the durable audit trail lives in the realm repo (tickets/v1, research/v1-audit). The five inbound references were made self-contained. config-access-roles.md stays — matrix.ts cites it as source of truth.
appliedAt is second-precision and ties are routine (change ff applies several changes in one process tick). The unbroken sort preserved list() insertion order on ties, reverting oldest-first and truncating rewind(name)'s slice early. Break ties on the history row's autoincrement id, the only true apply-order key.
A comment-rewrite regex in b971f2f over-matched and swallowed the whole test. Restored un-skipped — the v1-45 tiebreak is its fix.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v1 readiness audit — integrated worklist
Integrates 45 verified tickets from the v1 audit (
tickets/v1/in the realm repo) onto one branch. Every ticket was implemented TDD-first, gated by an independent reviewer, and separately verified (live-DB where relevant). This branch was then re-verified as a whole:Full CI on the merged result — all green (@
a4e55d2):What's in it (by theme)
change rewindexit code (01),--yesconfirmation gates (02), DDL identifier quoting (04),--helpbreadcrumbs (05),--jsondocs sweep + dead-surface removal (06), SDK/docs drift (07), dangerous-path tests (08), MIT license (27), headless config parity: honest exit-1 stubs + realconfig rm <name> --yesthrough the locked-stage guard (28), FK re-enable guarantee (03), SQLite rewind date-hydration crash (34), createDb SQLite flag (35),.dtzbad-path reader hang fix (41).attempt()+ native#privatein state/lock managers (15), binary checksum verification (16), change-retry resume-from-failed-file (17), test-db guard (18), lazy CLI startup ~4x (19), secret-file hardening (20), repo hygiene + release-engine docs (21+31), trim unused surfaces (22), formatting/voca consolidation (23), polish batch: ConflictStrategy reuse, one NOORM_DEBUG truthiness rule, camelCase citty args, MCP stack-leak removal (24), error-doc alignment (26), observer relocation →noormObserver(33), hooks-order fix (36), field follow-ups (39, 40), SDK-boundary live-DB throw-contract coverage (38).Merge-conflict resolutions (3)
manager.test.ts(08↔34): kept 08's comprehensive suite, un-skipped the two#34-deferred rewind tests (now valid with 34's fix).types.ts(07↔25): took 25's throw-contract JSDoc.policy/index.ts(12↔23): unionedisVisibleToChannel+formatAccessTag..dtzxtest passphrase to satisfy 20's 12-char floor.UAT-discovered fixes (post-bundle)
--versionin compiled binaries reported0.0.0— dead literal, now wired to the build define../sql — 0 filesrow (42).run.buildignoredbuild.include/exclude/rules entirely — headless build now matches the TUI's effective file set, preserving runBuild's discovery-failure contract (43).examples/llm-memory-db-pgbuild include paths corrected to the documented sql-dir-relative contract.change rmwas ungated on all three surfaces (TUI even deleted the DB tracking record) — a viewer-role config could delete changesets. Newchange:rmpermission (deny/confirm/confirm), gated everywhere, spec + docs in lockstep (44).rewindhad no tiebreaker onappliedAt— same-second applies (routine underchange ff; structural on SQLite) reverted in dependency-violating order andrewind(name)could stop early. Tiebroken by history id (45).docs/spec/v1-*.mdimplementation contracts removed (42 files) — audit trail lives in the realm repo; the five inbound references made self-contained.Known behavior changes (for UAT)
config add/editnow exit 1 (were false-success 0);config rm <name> --yesdeletes headlessly, refusing locked-stage configs.NOORM_DEBUG=0now disables debug on all paths (previously enabled two of three).noorm run build(anddb reset's rebuild) now honorsbuild.include/exclude/rules like the TUI.change rmnow requires operator+--yesor admin+--yesheadlessly; viewer denied (was: no gate at all)..dtzpath now rejects promptly instead of hanging 15s+.Open questions filed as followups
config rmof the active config deletes silently (TUI courtesy-blocks) — needs a UX ruling.--no-fk/--no-identitynever worked (--no-Xnegation collision) — behavior unchanged by this PR; followup filed.Full per-ticket detail, evidence, and decision memo:
tickets/v1/+research/v1-audit/in the realm repo.