fix: correct SEARCH_TITLE quoting and unsafe conditions in default-workflow #4207

Closed
rysweet wants to merge 8 commits into main from fix/issue-4206-adaptive-smart-orchestratordefault-workflow-failed

rysweet (Owner) commented Apr 3, 2026

Fixes #4206 — adaptive smart-orchestrator/default-workflow failed due to broken SEARCH_TITLE quoting and unsafe not in [...] conditions.

Changes

  • Fix SEARCH_TITLE single-quote escaping in step-03-create-issue: ''' -> '' for WIQL-safe ADO search titles
  • Rewrite 4 unsafe not in [...] conditions to explicit != ... and ... != ... checks
  • Add regression coverage in tests/recipes/test_step03_bash_quoting.py
  • Add regression coverage in tests/recipes/test_default_workflow_no_unsafe_conditions.py
  • Add gadugi outside-in scenario tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
  • Refresh generated atlas metadata in docs/atlas/ast-lsp-bindings/index.md

Merge readiness

QA-team evidence

  • Scenario files: tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
  • Validation command: npx gadugi-test validate -f tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
  • Validation result: passed
  • Run command: npx gadugi-test run -d tests/gadugi -s pr-4207-default-workflow-quoting-and-conditions
  • Run target: local PR worktree
  • Run result: passed
  • Evidence location: outputs/sessions/session_9538752d-6c59-490a-9ffd-e262f50f57d3_2026-04-03T15-52-14-686Z.json (1 passed, 0 failed)

Documentation

  • User-facing docs impact: yes (generated atlas refresh only)
  • Updated docs: docs/atlas/ast-lsp-bindings/index.md
  • PR description links added: n/a
  • Rationale if not applicable: workflow and regression-test surfaces are internal-only; the atlas file is generated metadata already carried by the PR diff, so no additional narrative docs update was needed

Quality-audit

  • Cycle 1 summary: found 1 medium issue in the new gadugi scenario (grep -c 'not in [' produced a false-positive pass path); replaced it with a literal Python count and reran gadugi validate/run
  • Cycle 2 summary: found 1 medium issue in the new gadugi scenario (the SEARCH_TITLE check could not distinguish the fixed form from the buggy 3-char form); replaced it with a behavioral check that executes the recipe's actual SEARCH_TITLE assignment and asserts doubled quotes
  • Cycle 3 summary: final clean cycle via 3 independent PR-scoped reviews (pr4207-clean-a, pr4207-clean-b, pr4207-clean-c) reported no medium/high/critical findings
  • Additional cycles: none
  • Final clean cycle: 3
  • Fixes followed default-workflow: partial — the core workflow fix in this PR already existed; merge-ready QA artifact corrections were applied manually after branch-scoped orchestration produced flawed QA output
  • Convergence summary: two real medium QA-evidence defects were fixed; direct gadugi validate/run passes and the final three-reviewer clean cycle all converged on no remaining medium+ issues in the scoped PR surfaces

CI

  • Checks command: gh pr checks 4207
  • Result: all green
  • Skipped checks: Atlas Staleness Gate, Scheduled Full Atlas Rebuild, Invisible Character Scan/scan, Bot Detection/activation, Bot Detection/agent, Bot Detection/conclusion, Bot Detection/safe_outputs (normal skipped jobs for this PR)
  • Flaky reruns performed: none
  • Real failures fixed: none

Scope

  • Changed files reviewed: amplifier-bundle/recipes/default-workflow.yaml, docs/atlas/ast-lsp-bindings/index.md, tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml, tests/recipes/test_default_workflow_no_unsafe_conditions.py, tests/recipes/test_step03_bash_quoting.py
  • Unrelated changes: none

Verdict

  • Merge-ready: yes
  • Remaining blockers: none
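
Added example (not code from this PR or its repository): a behavioral check of the kind the Cycle 2 summary describes, which executes a SEARCH_TITLE assignment in bash and confirms the result still decodes as one single-quoted WIQL literal. The `FIXED` and `BUGGY` assignment lines, the function names and the sample titles are assumptions, because the recipe's actual line is not shown on this page.

```python
import os
import subprocess

# Constructed stand-ins for the recipe's SEARCH_TITLE assignment (assumption:
# the real line is not on this page). Q holds one single quote.
FIXED = '''Q="'"; SEARCH_TITLE="${ISSUE_TITLE//$Q/$Q$Q}"'''
BUGGY = '''Q="'"; SEARCH_TITLE="${ISSUE_TITLE//$Q/$Q$Q$Q}"'''


def run_assignment(assignment: str, issue_title: str) -> str:
    """Execute the assignment in bash and return the resulting SEARCH_TITLE."""
    script = assignment + '; printf "%s" "$SEARCH_TITLE"'
    proc = subprocess.run(
        ["bash", "-c", script],
        # The title travels in the environment, never inside the script text.
        env={**os.environ, "ISSUE_TITLE": issue_title},
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def decode_wiql_literal(literal: str) -> str:
    """Decode a single-quoted literal in which '' stands for one quote."""
    if not literal.startswith("'"):
        raise ValueError("literal must open with a quote")
    out, i = [], 1
    while i < len(literal):
        if literal[i] != "'":
            out.append(literal[i])
            i += 1
        elif literal[i + 1:i + 2] == "'":  # doubled quote: one escaped quote
            out.append("'")
            i += 2
        elif i == len(literal) - 1:  # lone quote at the very end closes it
            return "".join(out)
        else:
            raise ValueError(f"literal closes early at offset {i}")
    raise ValueError("unterminated literal")


def round_trips(assignment: str, title: str) -> bool:
    """True when the escaped title, wrapped in quotes, decodes back to title."""
    escaped = run_assignment(assignment, title)
    try:
        return decode_wiql_literal("'" + escaped + "'") == title
    except ValueError:
        return False
```

A title with no single quote round-trips under both forms, so the check only tells them apart when the sample title contains a quote.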

Copilot and others added 4 commits April 3, 2026 13:00
…default-workflow

- Fix SEARCH_TITLE 3-char bash replacement bug (#4206): change
  3-char replacement (produces ''') to 2-char SQL-safe replacement ('')
- Fix 4 parser-unsafe 'not in [...]' conditions in step-07, step-08,
  step-08b, checkpoint-after-implementation: rewrite to != / and conjunctions
- Add test_step03_bash_quoting.py: 13 regression tests for SEARCH_TITLE
  escaping, ISSUE_TITLE normalisation, heredoc injection safety, ADO WIQL safety
- Add test_default_workflow_no_unsafe_conditions.py: 15 tests covering
  no-unsafe-conditions invariant, semantic equivalence, and YAML validity

All 28 tests pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Expand test_step03_bash_quoting.py with three new test classes:

TestGitHubSearchPath (3 tests):
- Verify GitHub path uses double-quoted --search "$SEARCH_QUERY"
- Verify SEARCH_QUERY has no SQL single-quote escaping (gh CLI differs from WIQL)
- Verify SEARCH_QUERY is set from ISSUE_TITLE:0:100 only (truncation, no escaping)

TestSearchTitleExactPattern (2 tests):
- Byte-level exact literal check for the correct 2-char replacement pattern
- Byte-level exact literal check confirming buggy 3-char pattern is absent

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

… parse in TestYamlValidity

- test_step03_bash_quoting: move 'import os' from inside function body to
  module-level imports (avoids repeated module lookup per test invocation)
- test_default_workflow_no_unsafe_conditions: TestYamlValidity.test_recipe_yaml_is_valid
  now accepts the module-scoped 'recipe' fixture instead of calling _load_recipe()
  directly, eliminating a redundant yaml.safe_load() of the 2675-line recipe file

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Automatic checkpoint to preserve review-addressed changes.
Saved before running pre-commit hooks and tests.

github-actions (Bot, Contributor) commented Apr 3, 2026

Repo Guardian - Passed

All 3 changed files are durable project artifacts. No ephemeral content detected.

| File | Type | Assessment |
|---|---|---|
| amplifier-bundle/recipes/default-workflow.yaml | Configuration | Core workflow recipe — condition syntax fix (not in [...] → != … and …). Durable tooling. |
| tests/recipes/test_default_workflow_no_unsafe_conditions.py | Test | Regression tests for parser-safe condition expressions (issue #4206). Durable test code. |
| tests/recipes/test_step03_bash_quoting.py | Test | Regression tests for step-03 shell quoting safety (issue #4206). Durable test code. |

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions (Bot, Contributor) commented Apr 3, 2026

Repo Guardian - Passed

All 5 changed files are durable project artifacts. No ephemeral content detected.

| File | Type | Assessment |
|---|---|---|
| .claude/context/PROJECT.md | Configuration | Project metadata update (name and language list). Classified as documentation/configuration per project rules. |
| .secrets.baseline | Tooling | Auto-regenerated detect-secrets baseline — line number and timestamp update. Standard project tooling. |
| amplifier-bundle/recipes/default-workflow.yaml | Configuration | Core workflow recipe — condition syntax fix (not in [...] → != … and …). Durable tooling. |
| tests/recipes/test_default_workflow_no_unsafe_conditions.py | Test | Regression tests for parser-safe condition expressions (issue #4206). Durable test code. |
| tests/recipes/test_step03_bash_quoting.py | Test | Regression tests for step-03 shell quoting safety (issue #4206). Durable test code. |

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207

Remove accidental `.claude/context/PROJECT.md` and `.secrets.baseline`
changes introduced by the adaptive workflow run so PR #4207 contains
only the intended recipe and regression-test fixes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions (Bot, Contributor) commented Apr 3, 2026

Repo Guardian - Passed

All 3 changed files are durable project artifacts. No ephemeral content detected.

| File | Type | Assessment |
|---|---|---|
| amplifier-bundle/recipes/default-workflow.yaml | Configuration | Core workflow recipe — condition syntax fix (not in [...] → != … and …) for Rust runner compatibility. Durable tooling. |
| tests/recipes/test_default_workflow_no_unsafe_conditions.py | Test | Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code. |
| tests/recipes/test_step03_bash_quoting.py | Test | Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code. |

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207

Refresh the Layer 2 atlas page after the new recipe regression tests changed
AST binding totals, so PR #4207 carries the required atlas artifact update for
the staleness gate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions (Bot, Contributor) commented Apr 3, 2026

Repo Guardian - Passed

All 4 changed files are durable project artifacts. No ephemeral content detected.

| File | Type | Assessment |
|---|---|---|
| amplifier-bundle/recipes/default-workflow.yaml | Configuration | Core workflow recipe — condition syntax fix (not in [...] → != … and …) for Rust runner compatibility, and bash quoting fix. Durable tooling. |
| docs/atlas/ast-lsp-bindings/index.md | Generated Docs | Auto-generated code atlas metrics, intentionally refreshed as part of this PR (docs(atlas): refresh commit). Part of a formal docs/atlas/ documentation system — durable by design. |
| tests/recipes/test_default_workflow_no_unsafe_conditions.py | Test | Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code. |
| tests/recipes/test_step03_bash_quoting.py | Test | Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code. |

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207

rysweet mentioned this pull request Apr 3, 2026

Add a real gadugi scenario for the default-workflow quoting and condition fixes so merge-ready evidence uses validate/run output instead of hand-wavy claims.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions (Bot, Contributor) commented Apr 3, 2026

Repo Guardian - Passed

All 5 changed files are durable project artifacts. No ephemeral content detected.

| File | Type | Assessment |
|---|---|---|
| amplifier-bundle/recipes/default-workflow.yaml | Configuration | Core workflow recipe — bash quoting fix and condition syntax rewrite (not in [...] → != … and …) for Rust runner compatibility. Durable tooling. |
| docs/atlas/ast-lsp-bindings/index.md | Generated Docs | Auto-generated code atlas metrics, refreshed as part of this PR. Part of the formal docs/atlas/ documentation system — durable by design. |
| tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml | Test | Regression test verifying durable behavioral invariants (no not in [...] conditions, 2-char SQL-safe quoting). The pr-4207 prefix in the filename is a naming convention note only — the test content is permanent and won't become stale. Structured with version, steps, cleanup, and metadata consistent with the project's permanent test infrastructure. |
| tests/recipes/test_default_workflow_no_unsafe_conditions.py | Test | Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code. |
| tests/recipes/test_step03_bash_quoting.py | Test | Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code. |

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207

github-actions (Bot, Contributor) commented Apr 3, 2026

PR Triage Report

Risk: Low | Priority: High | Verdict: Needs Review | CI: All green

Summary

Targeted fix for broken SEARCH_TITLE quoting and unsafe not in [...] conditions in default-workflow. Fixes issue #4206.

Scope Assessment

| Area | Files | Notes |
|---|---|---|
| Core recipe | amplifier-bundle/recipes/default-workflow.yaml | Fix SEARCH_TITLE single-quote escaping; rewrite 4 unsafe not in [...] conditions to != ... and ... != ... |
| Atlas | docs/atlas/ast-lsp-bindings/index.md | Generated metadata refresh |
| Tests | 2 new regression test files | test_step03_bash_quoting.py, test_default_workflow_no_unsafe_conditions.py |
| Outside-in | tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml | Gadugi scenario validates and passes |

Risk Factors

  • Workflow control-flow condition changes (fixing unsafe constructs → strictly an improvement)
  • Quality audit: 3 cycles, converged on no medium+ findings
  • GitGuardian: passed (no secret exposure)

CI Status

All checks passed: Validate Code, Check Version Bump, MkDocs Navigation, Documentation Policy, Link Validation (Local), Code Examples, GitGuardian Security — all green.

Recommendation

Low-risk, high-priority. Fixes real behavioral issues (broken WIQL search titles causing ADO failures, unsafe not in conditions). All checks pass, quality audit complete. Expedited review recommended — this unblocks ADO-dependent workflows.

Generated by PR Triage Agent

rysweet (Owner, Author) commented Apr 17, 2026

Superseded by PRs #4367-4370 (merged) which fixed SEARCH_TITLE quoting and conditions in default-workflow.

rysweet closed this Apr 17, 2026
rysweet deleted the fix/issue-4206-adaptive-smart-orchestratordefault-workflow-failed branch April 17, 2026 18:41

Development

Successfully merging this pull request may close these issues.

default-workflow infrastructure failure: step-03-create-issue unmatched quote
