Add runtime type checks #1016

Open. simple-agent-manager[bot] wants to merge 7 commits into main from sam/look-through-codebase-find-01krne

@simple-agent-manager simple-agent-manager Bot commented May 15, 2026

Summary

  • Replaced the audited runtime type assumptions at JSON/request/response/storage/WebSocket/tool boundaries with Valibot schemas or local runtime validators.
  • Added reusable runtime validation helpers for API, web, ACP client, and terminal packages.
  • Added focused tests for API runtime validation and shared trial event parsing.

Validation

  • Runtime assumption scanner: COUNT 0
  • pnpm typecheck
  • pnpm lint (passes; existing warnings remain)
  • pnpm test
  • pnpm build

Staging Verification (REQUIRED for all code changes — merge-blocking)

  • Staging deployment green — not run in this local PR pass
  • Live app verified via Playwright — not run; no visual UI behavior was intentionally changed
  • Existing workflows confirmed working — covered by repo-wide typecheck/lint/test/build
  • New feature/fix verified on staging — local verification only; runtime scanner confirms audited patterns are removed
  • Infrastructure verification completed — no Pulumi resource changes; infra unit tests passed through pnpm test
  • Mobile and desktop verification notes added for UI changes — N/A: touched web parsing code/components, no visual layout change

Staging Verification Evidence

No staging deployment was performed from this session. Local verification completed:

  • Runtime scanner over apps/api/src, apps/web/src, packages, scripts, infra, and experiments: COUNT 0
  • pnpm typecheck: passed
  • pnpm lint: passed with existing warnings
  • pnpm test: passed
  • pnpm build: passed

UI Compliance Checklist (Required for UI changes)

  • Mobile-first layout verified — N/A: no layout/style change
  • Accessibility checks completed — N/A: no interaction/markup change
  • Shared UI components used or exception documented — N/A: no UI components added
  • Playwright visual audit run locally — not run; no visual surface changed

End-to-End Verification (Required for multi-component changes)

  • Data flow traced from user input to final outcome with code path citations
  • Capability test exercises the complete happy path across system boundaries
  • All spec/doc assumptions about existing behavior verified against code
  • If any gap exists between automated test coverage and full E2E, manual verification steps documented below

Data Flow Trace

Runtime validation now happens at trust boundaries before typed use: API request/response helpers in apps/api/src/lib/runtime-validation.ts, web response/storage/WebSocket helpers in apps/web/src/lib/runtime-validation.ts, package helpers in packages/acp-client/src/runtime-validation.ts and packages/terminal/src/runtime-validation.ts, plus shared trial event validation in packages/shared/src/trial.ts.

Untested Gaps

No staging/browser manual pass was run. The change is parsing/validation hardening rather than visual UI behavior.

Post-Mortem (Required for bug fix PRs)

N/A: hardening task, not a specific bug fix.

Specialist Review Evidence (Required for agent-authored PRs)

  • All dispatched reviewers completed and findings addressed before merge
  • If any reviewer did NOT complete: needs-human-review label added and merge deferred to human

| Reviewer | Status | Outcome |
|---|---|---|
| task-completion-validator | PASS | Checklist items are checked, represented in diff, and verified by scanner/tests/typecheck/lint/build. |
| security-auditor | PASS | No new credential logging or auth bypass found; changes validate OAuth/GCP/trial/event payload shapes before use. |
| constitution-validator | PASS | No new internal hardcoded URLs/timeouts/limits introduced; GCP URLs touched are existing external API constants. |
| test-engineer | PASS | Added focused API/shared runtime validation tests and ran full suite. |

Exceptions (If any)

  • Scope: staging/Playwright visual verification not run
  • Rationale: no visual UI surface was intentionally changed; local automated verification passed
  • Expiration: before merge if maintainers require live staging evidence

Agent Preflight (Required)

  • Preflight completed before code changes

Classification

  • external-api-change
  • cross-component-change
  • business-logic-change
  • public-surface-change
  • docs-sync-change
  • security-sensitive-change
  • ui-change
  • infra-change

External References

N/A: using existing repo Valibot/runtime validation patterns.

Codebase Impact Analysis

Affected components include API routes/services/Durable Objects, web/client runtime JSON handling, shared trial events, ACP/terminal package helpers, scripts, infra tests, and experiments.

Documentation & Specs

Task checklist added and completed at tasks/active/2026-05-15-runtime-type-checks.md.

Constitution & Risk Check

Checked Principle XI risk: validation helpers avoid new configurable business values. Main risk was changing permissive fallback behavior at runtime boundaries; full tests were run and schemas were adjusted to validate only the fields consumers actually require.
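
An added example, not code from this PR or its repository, of the pattern the Data Flow Trace describes: a local runtime validator that checks an untrusted JSON frame before typed use, next to the unchecked cast it replaces. The `TrialEvent` shape, its field names, and the function names are hypothetical.

```typescript
// Hypothetical event shape; field names are assumptions, not the repo's schema.
type TrialEvent = { type: "trial.progress"; trialId: string; percent: number };
type ParseResult<T> = { ok: true; value: T } | { ok: false; error: string };

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Unchecked pattern: the cast satisfies the compiler but verifies nothing at runtime.
function parseUnchecked(raw: string): TrialEvent {
  return JSON.parse(raw) as TrialEvent;
}

// Boundary validator: parse to unknown, check every field the consumer relies on,
// and hand back a typed value only when all checks pass.
function parseTrialEvent(raw: string): ParseResult<TrialEvent> {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return { ok: false, error: "invalid JSON" };
  }
  if (!isRecord(data)) return { ok: false, error: "expected an object" };
  const { type, trialId, percent } = data;
  if (type !== "trial.progress") return { ok: false, error: "unexpected type" };
  if (typeof trialId !== "string" || trialId.length === 0) {
    return { ok: false, error: "trialId must be a non-empty string" };
  }
  if (typeof percent !== "number" || !Number.isFinite(percent) || percent < 0 || percent > 100) {
    return { ok: false, error: "percent must be a number in 0..100" };
  }
  // Copy only the validated fields so unexpected keys do not travel further.
  return { ok: true, value: { type: "trial.progress", trialId, percent } };
}

// Constructed sample frames, as they might arrive over a WebSocket.
const goodFrame = '{"type":"trial.progress","trialId":"t-1","percent":40,"extra":"x"}';
const badFrame = '{"type":"trial.progress","trialId":"t-1","percent":"40"}';
```

With `badFrame`, `parseUnchecked` returns an object whose `percent` is a string despite the declared type, while `parseTrialEvent` returns an error result the caller has to handle.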
