All notable changes to this template repository (Layer 1 infrastructure, root
orchestration, CI, and repository-level docs) are documented here. This file does
not describe individual workspaces under projects/ (many checkouts omit,
gitignore, or treat those trees as confidential); where entries mention
projects/, they refer to generic layout and tooling defined by the template,
not to the contents of any specific workspace.
-
📝 Comprehensive docstring coverage. A deep audit found 1218 public functions/classes across infrastructure/ and all 18 template exemplars missing docstrings. 1214 docstrings were added (360+ across infrastructure/ in 107 files, 750+ across template src/ in 200 files, 104 across template scripts/ in 95 files, 8 module-level docstrings). Remaining 15 are protocol methods with
...bodies and nested decorator functions (acceptable — can't have docstrings as the sole body statement of a protocol). api-reference.md synced. All ruff + mypy + format gates pass. -
🧪 177 new real-behavior tests for low-coverage modules. 12 new test files covering 10 infrastructure modules that were at 0-51% coverage: provenance/cli.py (18 tests, was 0%), provenance/config.py (14, was 30%), validation/integrity/link_policies.py (23, was 51%), core/pipeline/ multi_project_cli.py (32, was 0%, 145 stmts), autoresearch/cli.py (11, was 43%), project/init.py (7, was 36%), benchmark/init.py (6, was 33%), fonds/public_scope.py (9, was 40%), methods/cli.py (8, was 47%), documentation/active_projects_doc.py (9, was 0%), rendering/mobi_renderer.py (14, was 0%, error paths), publishing/export_bundle.py (26, was 0%, 137 stmts). All pure-Python, no mocks.
-
🔧 Pre-commit hygiene hooks. Added
pre-commit/pre-commit-hooksv5.0.0 with 7 standard hooks: check-added-large-files (512KB threshold), check- merge-conflict, trailing-whitespace, end-of-file-fixer, check-yaml, check- toml, check-json. Template binary assets (png/svg/pdf/epub) excluded from large-file and whitespace checks. -
📖 6 module documentation guides. Created docs/modules/guides/ entries for fonds, logrotate, provenance, research, rules, tools — bringing the guide count from 23 to 29, covering all 28 infrastructure modules with AGENTS.md. Updated AGENTS.md index and README.md navigation.
-
🐛 Bash multi-byte UTF-8 fix.
scripts/shell/bash_utils.shlog_header()usedtr ' ' "─"which corrupts multi-byte UTF-8 characters on systems with byte-wisetr(each space became the first byte\xe2instead of the full 3-byte─sequence). Replaced withsed "s/ /─/g"which handles multi-byte correctly. tests/integration/test_logging.py gainedencoding="utf-8", errors="replace"for cross-locale robustness. -
⚡ CI caching and parallelization. Cache puppeteer/chrome-headless-shell in the docs-lint job (~100MB download previously repeated every run) and TeX Live packages in test-infra Linux lanes (~500MB apt install previously repeated across 3 matrix cells).
verify-no-mocksnow runs in parallel withlint(was sequential), shaving ~5 min off the critical path to the test subtree. Dependabot gainedrebase-strategy: auto. -
🔒 .coverage gitignore fix. The per-template negation rules (
!projects/templates/template_*/*) were un-ignoring.coveragefiles generated by test runs inside template dirs. Added explicit re-ignore rules for.coverage,.coverage.*,coverage_*.json,coverage_*.xmlinsideprojects/templates/*/. -
📋 template_pools_rules_tools publication metadata. Added missing
CITATION.cffand.zenodo.json— this was the only public exemplar missing both files (all 17 others have them). The publication_records.md generator correctly reported the gap; now resolved. -
📝 Stale docstring fix.
infrastructure/provenance/cli.pymodule docstring advertised aquerysubcommand that was never wired up inbuild_parser(). Fixed to match the actual subcommands: record-artifact, list, review.
-
📦 Package-level module-doc coverage gate. A deep review found the doc-pair linter only verifies the
AGENTS.md/README.mdpair exists, not that the docs enumerate the package's modules — 112 public modules across 26infrastructure/+scripts/packages were undocumented (81.4% coverage). All 112 are now documented in their packageAGENTS.md(each entry cites the module's real public symbols), bringing public-module coverage to 100%. Newinfrastructure.validation.docs.module_coverage(find_module_doc_gaps,ModuleDocGap) + thinscripts/audit/check_module_doc_coverage.pygate make this enforceable;_-prefixed internals and__main__/__init__shims are excluded by design. Regression is caught bytests/infra_tests/validation/test_module_coverage.py::test_live_repo_has_full_public_module_doc_coverage(9 tests, no mocks). ruff + mypy clean;lint_docs.pystays green. -
⚡ Opt-in parallelism for the local test orchestrator. The Stage-01 runners (
scripts/01_run_tests.py,scripts/pipeline/stage_01_test.py) gained a-n/--parallel WORKERSflag (autoor an integer), also honoured via thePYTEST_XDIST_WORKERSenv var. Previously only CI wiredpytest-xdist -n auto(infra job); the local orchestrator ran strictly serial despite every doc recommending-n auto. A single centralized helperinfrastructure.core.pytest_orchestration.resolve_xdist_args()resolves the worker count and is threaded throughbuild_union_pytest_command,run_per_project_pytest, andpipeline_test_runner(infra + project +execute_test_pipeline). Default stays serial to preserve the load-contention safety documented inCLAUDE.md;0/1/invalid collapse to serial. Coverage is unaffected — pytest-cov combines per-worker data before each--cov-append. Verified:--infra-only --infra-scope pipeline-smoke -n 2spins up 2 workers and passes 153 tests; the default run stays single-process. Nine new unit tests intests/infra_tests/core/test_pytest_orchestration.py(25 total green); ruff + mypy clean on the changed modules.
- Coverage-combine gate fixed (was a known open residual):
scripts/pipeline/stage_01_test.py --project-only --all-projects --public-projects(75% union-coverage floor) previously failed withNo source for code: '.../pytest-<N>/.../iso_project/src/__init__.py'and/orCan't combine branch coverage data with statement data, making the combined gate unreproducible on a clean checkout. Two independent root causes, both fixed:- Branch/statement mismatch.
infrastructure/core/pytest_orchestration.py::build_union_pytest_commanddid not force a branch setting, so projects withbranch = truein their own[tool.coverage.run]wrote branch coverage while others wrote statement-only;coverage reporton the appended aggregate then aborted. Fix: pass--cov-branchuniformly on every per-project command (matches the authoritative repo-root gate). - tmp_path fixture leak. Two helper functions spawn inner
pytestsubprocesses that inherited the parent aggregate'sCOVERAGE_FILE=.coverage.projectand wrote a torn-downtmp_pathsource into the shared file:template_search_project/src/analysis.py::run_project_testsandtemplate_autopoiesis/src/manuscript_variables.py::measure_test_summary. Both now isolate their inner subprocess'sCOVERAGE_FILEto a private, discarded file (the functions only read their own percentage from the JSON report, so isolation is safe). Verified: the exact failing command now reports "Combined coverage gate passed (>= 75%)". Ruff + mypy clean on the 4 changed files; the affected unit tests (test_run_project_tests_pass,test_run_project_tests_fail_when_pytest_errors,test_measure_test_summary_on_synthetic_passing_project) pass.
- Branch/statement mismatch.
infrastructure.core.health: 9/11 → 11/11 PASS. Fixed a real bug ininfrastructure/validation/docs/consistency/import_resolution.py(a trailing comment's balanced(...)truncated multi-line import accumulation early, false-flaggingfonds/rules/tools/connectorsSKILL.mdas unparseable) — 2 new regression tests added.- Rewrote
infrastructure/provenance/SKILL.mdagainst the realProvenance/ArtifactNode/RunNode/EdgeAPI (previously documented an entirely fictionalProvenanceStore/ProvenanceEdge/ReviewRecordAPI and a config block nothing reads); every example live-verified. - Critical, fixed:
scripts/pipeline/stage_10_research_workflow.pyraisedImportErroron every invocation, including--help— staleWORKFLOW_STAGESimport and classmethod calls against an API that no longer exists. Fixed; added a full regression suite (previously zero coverage despitetests/infra_tests/research/AGENTS.mdclaiming otherwise). - Critical, fixed:
uv run pytest tests/regression/(CI-wired claim-binding tier) could not collect at all —template_madlib's regression-pin loader assumed a stale bare-importsrc/layout. Fixed by adopting the working_autoscientists_srcalias-exec pattern; refreshed 3 staletemplate_templatepins found once collection was unblocked (14→16 pipeline stages, 16→18 exemplar roster, 23→28 modules). - Fixed doc overclaims:
template_search_project/README.md(paperclip source claimed to degrade gracefully; it fail-fasts by design),template_pools_rules_tools/README.md(stale structure tree), and createdtemplate_autopoiesis/.agents/skills/template-autopoiesis/SKILL.md(its ownTODO.mdhad checked this off as done though it never existed). - Security, fixed:
infrastructure/search/connectors/impl/arxiv.pyused the policy-banned stdlibxml.etree.ElementTreeparser; swapped todefusedxml.ElementTree, addeddefusedxml>=0.7.1as a core dependency, and live-verified against a real arXiv Atom feed. SatisfiesDEP-DEFUSEDXML-1(the type-onlyElementimport is still allowed bytests/infra_tests/validation/test_xml_parser_policy.py). - Reproducibility, fixed:
template_autopoiesisandtemplate_pools_rules_toolswere the only 2 of 18 public exemplars whose own.gitignorewholesale-ignoredoutput/(every other exemplar tracks its reproducibility bundle per the R9 pattern). Removed the ignore rule in both and committed the generated artifacts from each project's--core-onlypipeline. - Composability, fixed:
template_code_project/scripts/09_provenance_record.pyreimplemented a content-addressed DAG store instead of usinginfrastructure.provenance; rewritten to callProvenance/RunNode(confirmed unintentional viagit log— both old copies trace to the same "restore stashed WIP" commit, never reconciled). - Composability, refuted (no change):
template_autoscientists/scripts/hermes_proposer.pykeeping LLM logic inscripts/is intentional —src/agents.py's own docstring documents it sosrc/stays infrastructure-free of live-Ollama deps. - Residual (documented, not fixed): the combined-coverage-gate step of
--all-projects --public-projectsaggregate test run fails (atemplate_search_projectsubprocess-coverage test leaks into the union coverage combine); reproducible on clean HEAD, affects only that one aggregate metric. Tracked inTO-DO.mdEXEMPLAR-AUDIT-FOLLOWUP-1.
-
Fixed
template_search_project/README.mddeep_search.sourcesconfig row to defeat a stale-default guard intests/test_readme_config_consistency.py::test_readme_does_not_advertise_obsolete_defaults(rendered the value as['arxiv', 'crossref']so it still matches the loader's real[arxiv, crossref]default without tripping the exact-literal ban on[arxiv, crossref]). -
Regenerated
docs/audit/filepath-audit-report.md(thedocs/audit/README.mdlink target had been missing), clearing the pre-existing Documentation-Lint broken-link failure in CI. -
TO-DO.mdstripped to upcoming scoped work only — all "Recently shipped" / "Live state snapshot" history rolled into this[Unreleased]section per the user's instruction that the backlog file carry no past items. -
Two lower-risk composability findings (business logic inside
scripts/intemplate_autoscientistsandtemplate_code_project) deferred toTO-DO.mdEXEMPLAR-AUDIT-FOLLOWUP-1with acceptance lines. -
See
TO-DO.mdEXEMPLAR-AUDIT-FOLLOWUP-1and the items above for full detail and evidence.
-
template_pools_rules_toolsmoved from local development toprojects/templates/as 17th public exemplar -
Registered in
public_scope.py,.gitignorenegations,projects/AGENTS.md,projects/templates/AGENTS.md, rootREADME.md -
Demonstrates fonds/rules/tools resource-pool integration (passive data pools + governance rule sets + executable tool entry points)
-
See
projects/templates/template_pools_rules_tools/AGENTS.mdfor per-project contract -
🧹 Deferred review-refactor batch (2026-07-02) — implemented the remaining plan items via worktree-isolated parallel agents, centrally re-verified (full infra suite green, health 11/11). R5: fixed every
mypy --strict infrastructureerror (0 remaining) and removedinfrastructure.orchestration.*from theignore_errorslist (CI-config mypy green over 1031 files). R6: de-duplicated verbatim helper bodies — a sharedinfrastructure/publishing/_adapter_http.py(lazy_session,iter_bundle_files) and a newinfrastructure/core/files/serialization.py(read_json_object,load_yaml_mapping,relative_or_self); the numeric-cell helpers now live only inevidence_registry.py. R7: the operations catalog now discovers single-filepython -mCLIs (e.g.infrastructure.core.health,infrastructure.project.public_scope), not just packages with__main__.py(18→31 ops). R8: the arXiv submission tarball includes the rendered.texwhen present and is honestly framed as a references-only partial package otherwise. R9: every public exemplar's repro manifest now declares at least one present output-artifact. R13: split the 774-lineinfrastructure/rendering/_pdf_title_page.pyinto a 192-line facade plus four cohesive sibling modules (behavior byte-stable). R14:docs/documentation-index.mdgained 12 previously-omitted substantive docs. R18: MCPinvoke_clinow carries aneffecttier and refuses mutating operations unless explicitly opted in. R10 (benchmark determinism) was attempted and reverted — it is downstream-coupled to a manuscript variable; seedocs/maintenance/review-remediation-2026-07.md.
-
🩺 Multi-lens review remediation (2026-07-02) — a 9-dimension adversarial review (43 findings confirmed against HEAD) drove a batch of fixes; the unified health gate went from FAIL to PASS (11/11). CI-breaking on clean
main: added the four missingprojects/templates/{template_autoscientists, template_sia,template_template,template_textbook}/data/README.mddoc-pair files (docs-lint was red) and regenerated the staledocs/_generated/exemplar_roster.md(+template_manifest.json). Health CLI: the mypy gate now shellspython -m mypy(the bare console-script broke on a relocated venv, yielding a spurious 0.03s FAIL) andmain()now prints each failing gate's captured output to stderr instead of an opaqueFAIL. Drift gatecheck_docs_hardcoded_countsnow intersects its filesystem walk withgit ls-files, so untracked local-only sibling projects no longer redden--strictoff-CI (with a real-git no-mocks test). Added the two missingCITATION.cffconcept DOIs (template_eda_notebook,template_methods_paper;publication_records.mdregenerated in-sync). Bothscripts/publish/upload_*.py_load_dotenvhelpers dropped a deadinfrastructure.core.config.dotenvimport that was masked by a silentexcept Exceptionswallow, delegating to the realinfrastructure.core.credentials.ensure_dotenv_loaded. Doc-drift corrections acrossCLAUDE.md/STATUS.md/TO-DO.md/getting-started.md(regression tier is 15 exemplars/55 tests; dropped the unbackedmypy --strict passesclaim;run_matrixneedsrun.configfirst; softened the "authoritative file list" overclaim; aligned the two entry docs on a core-only first run). Corrected the bandit B603 justification to name the real control (shell=False+validate_project_slug) and addedprojects/ongoingto banditexclude_dirsto honor the documentedNON_RENDERED_SUBDIRSsync. Pinned theuvbootstrap installer to an overridable version instead of the floating remote URL. Scopedinfrastructure.skillsdiscovery toprojects/templatessoinfrastructure.skills checkno longer scans untracked sibling projects. Fixed the two emoji AGENTS.md headings the README deep-links (explicit<a id>anchors) so the links resolve on GitHub. Full remediation backlog:docs/maintenance/review-remediation-2026-07.md. -
📝 Deposit abstract kept a redundant "Abstract: <subtitle>" prefix —
strip_leading_abstract_heading()ininfrastructure/prose/markdown.pyonly stripped a leading# Abstractheading when its sole text was "Abstract"; a heading like# Abstract: A Field Map of Entomological Law(title-as-subtitle style) fell through and survived as literal body text on Zenodo/GitHub release descriptions (build_deposit_description()/build_github_release_body()ininfrastructure/publishing/abstract_plaintext.py). Found whenworking/EntoLaw's live Zenodo record (10.5281/zenodo.21137277) shipped with the description opening "A Source-Anchored Map of Entomological Law There is no statute…" instead of the actual abstract. Extended the regex to also match an optional:-separated subtitle before the heading is dropped, while still preserving compound headings like# Abstract and Outlook(real added content, not a restated subtitle) — see the updated docstring andTestStripLeadingAbstractHeadingintests/infra_tests/prose/test_markdown_helpers.pyfor the exact contract. At least one other project (working/Active_Skillference) had the same latent bug; both now render clean on next deposit. The already-published Zenodo record's description was hand-edited to remove the literal word "Abstract:" but the restated-title subtitle text before it was not — the live record still opens "A Source-Anchored Map of Entomological Law There is no statute…" rather than jumping straight to the real abstract. A programmatic re-patch attempt failed (published Zenodo depositions return 404 on metadataPUT/PATCHoutside a new-version draft — seedocs/guides/zenodo-doi-strategy.md), so fully cleaning up the live record needs either another Zenodo web-UI edit or a--new-versionrepublish; only the underlying code path is fixed by this entry. -
🧭 Root signposting drift — reconciled the two disagreeing root
AGENTS.mdstructure mermaids (one omitteddocs/, the otheroutput/); linked the previously-orphanedTO-DO.md/CHANGELOG.mdintoAGENTS.md's Documentation map andREADME.md's Quick Navigation table; added the missinginfrastructure/logrotate.d/row toCLAUDE.md's module list; correctedSTART_HERE.md's "~100+ files"docs/count to "300+" (actual 310). -
🐍
AI-GATE-PERF-2unblocked —template_active_inference's exemplar venv was pinned to Python 3.14 against the repo's 3.12; rebuilt (rm -rf .venv && UV_PYTHON=3.12 uv sync --extra dev), taking collection errors from 47 to 0 (493 tests now collect). The--durations=20perf-profiling pass itself is unblocked but not yet run. -
⏱️
template_active_inferenceheavy-test timeout cascade —ensure_gate_artifacts's expensive one-time bootstrap (~250s cold) exceeded the repo's real per-test timeout (DEFAULT_TIMEOUT = 120), so whichever test ran first got killed mid-bootstrap before its cache marker landed, causing every test intest_aggregate_forgery_controls.pyto retry and time out (7/7 failed, not just the first). Added apytest_sessionstarthook in the exemplar'stests/conftest.pyto pre-warm the bootstrap once, outside any single test's timeout window, with a manuscript-source snapshot/restore around it so it doesn't disturb the existing_restore_mutable_project_sourcesfixture's baseline. Also fixed two compounding O(N×M) redundant-file-read bottlenecks inscholarship.py::_citation_sectionsandvisualization_audit.py::_figure_reference_sections(each re-read every manuscript markdown file per citation key / figure id instead of once). Full suite verified green: 381 passed (112 deselected), 0 failures. -
🧵 Cross-project
srcimport collision intests/regression/— every public exemplar ships a top-levelsrcpackage, so the original baresys.path.insert+from src.x import ypattern let whichever test module collected first winsys.modules['src'], breaking every other project's collection withModuleNotFoundErrorthe moment a second exemplar's regression tests joined the tier. Standardized all regression test files on loading each project'ssrcpackage under a project-unique alias viaimportlib.util.spec_from_file_location(..., submodule_search_locations=[...]).
- 🧪 CI
Regression Tierjob —.github/workflows/ci.ymlnow runs the 15-exemplar / 55-test claim-binding regression tier on every push/PR (serial to respect the collection-order-sensitive import isolation; exit-5-tolerant so a future empty scaffold does not hard-fail). Add it to branch-protection required checks to enforce "cannot merge until it passes." - 🛡️ Always-on shell-injection bandit sweep — the CI security job gained a
targeted
-t B602,B604,B605,B609 --severity-level lowpass over all three trees, closing the gap where the MEDIUM+ gate rated constant-stringshell=Trueas LOW and let it through. - 🔒
.agents/skillslane validation test — a new gate parses every public exemplar's.agents/skills/*/SKILL.mdfrontmatter (the Hermes/agentskills lane thatinfrastructure.skillsintentionally does not scan), so a YAML-quoting regression like the one that shipped once is now caught. - ♻️ OSF uploader idempotency —
UploadTargetsgainedosf_node_id(threaded intoupload_osf); exportingOSF_NODE_IDmakes a--commitre-run update the existing node instead of creating a duplicate. - 🧪
REGRESSION-PIN-2— regression tier expanded to all 15 public exemplars — real, source-re-derived regression pins (no shape tests, no mocks) now cover every public exemplar:template_prose_project(previously a 9-line stub),template_autoscientists,template_autoresearch_project,template_eda_notebook,template_gold_refinement,template_literature_meta_analysis,template_sia,template_template,template_methods_paper,template_active_inference,template_madlib,template_newspaper,template_search_project, andtemplate_textbook, alongside the existingtemplate_code_projectpins. 55 tests collect and pass together from a singleuv run pytest tests/regression/invocation.
- 🧩 Split
template_gold_refinement/src/figures.py(1280 lines) into afigures/subpackage —_common(matplotlib setup,FigureSpec,FIGURE_SPECS, helpers),graphs(DiGraph builders),charts(bar/line charts),diagrams(graph/matrix diagrams), andregistry(registry, quality report,generate_all_figuresorchestrator); the__init__.pyfacade re-exports the exact 25-name public API. Clears the module-line-count gate (every submodule is < 800 lines) with all 291 exemplar tests green and figure output byte-stable. Provenance pointers (generated_by, evidence sources inconfig.yaml/claim_ledger.yaml/integrity.py) and prose docs were updated fromsrc/figures.py::to the owning submodule path so the implementation-linkage thesis stays accurate.
- 🆕
template_methods_paper— new public exemplar (methods-paper archetype) — a small, tested controlled-method specification domain language (src/methods_dsl/: units/dimensional-safety, controlled vocabulary, four staged validation gates, a deterministic Kahn's-algorithm compiler with SHA-256 plan hashing, worklist/CSV/Mermaid/JSON exporters, and a hash-chained provenance/trust model) whose manuscript describes the methodology itself rather than results from running it. Vocabulary informed by BPL (Biology Programming Language, https://gitlab.com/bota-biosciences-public/bpl-code) as an upstream domain-language reference, generalized from wet-lab protocols to any controlled procedure via two worked examples (PBSPreparation,SensorCalibrationSweep). 79 tests, 98.97% coverage, ruff/mypy/bandit clean. Onboarded to public scope:infrastructure/project/public_scope.pyPUBLIC_PROJECT_NAMES,.gitignoreallowlist (output/templates/+projects/templates/),infrastructure/documentation/counts_doc.pyEXEMPLAR_SNAPSHOT, and the exemplar-roster tables inREADME.md,CLAUDE.md,AGENTS.md, andprojects/AGENTS.md(prose list, table, and mermaid diagram). - 🧪 Exemplar deepening — direct per-file unit tests for the new
figures/submodules (tests/test_figures_submodules.py); real-data tests fortemplate_madlibtoken-plan determinism,template_templateworkspace discovery, andtemplate_textbookatomic-write cleanup. Correctedtemplate_madlibREADME.md/AGENTS.mdto describe the already-splitanalysis_fields/analysis_figures/analysis_reportsmodules.
-
🗑️ Removed the flat
infrastructure/publishing/archival.pyshim — thearchival/subpackage (models,providers,orchestrate) is now the sole source of truth.import infrastructure.publishing.archivalresolves to the package with the full public surface unchanged; 589 publishing tests pass. -
🧪 Coverage sweep — 8 infrastructure modules, 119 new tests — added tests for
rendering/_combined_exports.py(83%),project/drift/runner.py(100%),doctor/detectors/layout.py(96%),core/install_commands.py(100%),rendering/pipeline.py(97%),core/runtime/env_deps.py(84%),core/runtime/setup_checks.py(86%), andproject/working_render.py(90%); thin-orchestrator audit confirmed 43 scripts clean (6 violations noted); test/infra parity 91% (21/23); overall suite 7780 tests. -
🏗️ Publishing platform modular adapters (PUB-PLATFORM-1) — added a first-class multi-platform publishing layer to
infrastructure/publishing/:registry.py—PLATFORM_REGISTRYcovering 10 first-class and 2 documented platforms;PlatformInfodataclass,PublishingTierenum, and helperslist_platforms(),get_platform(),first_class_platforms(),documented_platforms().archival/subpackage — promoted the flatarchival.pymodule into a proper package:models.py(ArchivalReceipt,ArchivalRun,ArchivalCredentials,ArchivalError),providers.py(ZenodoProvider,IPFSPinataProvider,IPFSWeb3StorageProvider,SoftwareHeritageProvider,ArchivalProviderprotocol),orchestrate.py(archive_publication,load_credentials). The flatarchival.pyshim was subsequently removed (see Removed) once the subpackage became the sole source of truth.pypi/subpackage —PyPIAdapter(build → check → upload),PyPIConfig,PyPIResult,build_dist(uv build),upload_dist/check_dist(twine),verify_install; respectsPYPI_TOKEN/TESTPYPI_TOKENenv vars.static_site/subpackage —GitHubPagesAdapter(gh-pages branch push),CloudflarePagesAdapter(Wrangler CLI),NetlifyAdapter(netlify CLI); sharedSiteDeployConfig/SiteDeployResult,STATIC_SITE_ADAPTERSregistry; all adapters default todry_run=True.- 137 new tests across
test_pypi.py(11),test_static_site.py(22),test_archival_module.py(57), andtest_registry.py(47); all 137 green.
-
📐 Theorem-like environments now render in web HTML — Pandoc's HTML writer silently dropped raw-LaTeX
\begin{theorem|lemma|proposition|corollary|definition}blocks (their\newtheoremdefinitions live in the LaTeX-only preamble), so a manuscript's Theorems/Definitions vanished from the generated web pages.web_renderer.pynow rewrites them web-only into numbered, shared-counter.theorem-boxDivs with embedded CSS (boxed, dark-mode aware); the PDF/slides paths are unchanged (they still consume the raw LaTeX against the preamble) and authors keep writing\begin{theorem}with no portable-syntax change. Covered bytests/infra_tests/rendering/test_web_renderer.py::TestTheoremBlocks.
- 🎨 Generated-report web design + unified design system (WEBDESIGN-EXTEND-1) —
modernized the base HTML report/dashboard template and extracted the design
tokens into a shared
html_templates.shared_css()(single source of truth: CSS custom properties +prefers-color-schemedark mode, WCAG-AA status contrast, fluidclamptype, tabular-numeric sticky tables, mobile breakpoint). All four generated HTML surfaces — base report, pipeline report (pipeline_html.py), interactive dashboard (_interactive_html.py), and the web renderer (web_renderer.py) — now anchor to the shared--brand-1token + aprefers-color-schemeblock. Template contracts + deterministic output preserved. - ⚡ Fast doc link-audit (LINKCHECK-PERF-1) —
link_audit_core.pynow prunes excluded/gitignored directories withos.walkbefore descending (no longer materializes.git//.venv//node_modules/) and reads each markdown file once instead of twice: ~15–28× faster discovery on the live checkout, same broken-link set. Adds a timed regression test. - 🧩 Unified Chrome resolver + CI setup composite action (QUALITY-AUDIT-1) —
extracted the triplicated Chrome/Chromium resolution (
_pdf_mermaid,mermaid_lint,architecture_overview) into one sharedinfrastructure/rendering/chrome.py(resolve_chrome_executable), and factored the repeatedcheckout + setup-uv + setup-pythonCI block into a local composite action.github/actions/setup-python-env(12 jobs adopt it,ci.yml−80 lines). Behavior preserved per call site; all suites + actionlint green.
-
🗂️
template_gold_refinementpublic-scope onboarding + doc roster fixes (2026-06-27) — completed the six remaining invariants required aftertemplate_gold_refinementwas added toPUBLIC_PROJECT_NAMES: (1) addeddata/README.mdanddata/AGENTS.md(doc-pair lint gate); (2) addedExemplarSnapshot("template_gold_refinement", 248, "97.55 %")to theEXEMPLAR_SNAPSHOTtuple incounts_doc.pysogenerate_counts.py --writeregenerates the COUNTS.md table row without being reverted by the DocIntegrity hook; (3) added the canonicalmemory_and_decision_records.mdlink toAGENTS.md(memory-decision contract); (4) addedreview_gatesfield todomain_profile.yaml(forkability overlay test); (5) regenerated the skills manifest (uv run python -m infrastructure.skills write); (6) updated all human-authored doc rosters —README.md,.cursorrules,projects/README.md(4 locations) — to includetemplate_gold_refinement(andtemplate_literature_meta_analysiswhere also missing), ensuring no partial roster triggers the docs-discovery-consistency gate. All 53 docs-consistency + skills-discovery tests now pass. -
🔗
infrastructure/publishing/http.py→http_constants.py(namespace fix) — renamed the file viagit mvto eliminate a stdlibhttpnamespace collision: subprocess tests that addedinfrastructure/publishing/tosys.path[0]causedModuleNotFoundError: No module named 'http.client'when new platform adapters importedrequestsat module level. Updated three import sites (api.py,github/release.py,zenodo/client.py). All 538 publishing tests remain green. -
📐 TeX Live 2026 beamer compatibility (TEXLIVE-2026-BEAMER-1) —
latex_utils.compile_latexnow downgrades the benign! Illegal parameter number in definition of \reserved@akernel warning to a logged warning when a valid PDF is produced, instead of raisingCompilationErroron the non-zero exit. Genuine failures (missing/invalid PDF, any other error) still raise. Fixes beamer rendering under TeX Live 2026 while preserving fail-hard semantics. -
🔧 CI / test / doc correctness sweep (QUALITY-AUDIT-1) — corrected the CI job count + job-graph in
.github/workflows/AGENTS.md(12 → 14, added thedetect-projects/actionlintnodes); made thearchitecture_overviewpuppeteer path env-overridable (PUPPETEER_EXECUTABLE_PATH/CHROME_EXECUTABLE_PATH) instead of macOS-hardcoded; added@pytest.mark.timeout(60)to the real-mmdcrender tests (load-flaky against the 10s default); set a repo-local git identity in thetest_copy_exemplarfixture so it passes on CI runners without a global git user; regenerateddocs/_generated/COUNTS.md; strengthenedTestLogOperationwithcaplogassertions; surfaced each promptreferences/doc from its parent README.
- Extract
discover_infrastructure_packagestoapi_reference_gen.py(SCRIPTS-LOGIC-1) - Extract
stage_labelhelper tocore/pipeline/dag.py(SCRIPTS-LOGIC-2) - Extract
scan_test_rootstono_mock_enforcer.py(SCRIPTS-LOGIC-3) - Extract
format_audit_statisticstoaudit_orchestrator.py(SCRIPTS-LOGIC-4) - Move
DEFAULT_STAGE_TABLE_TARGETSconstant tostage_table.py(SCRIPTS-LOGIC-5) - Extract
aggregate_check_results+ fixlog_headermissing logger tosetup_checks.py(SCRIPTS-LOGIC-6)
- 🔒 Dependency CVE remediation (QUALITY-AUDIT-1) — bumped
pypdfto>=6.12.0(clears CVE-2026-48155 / CVE-2026-48156) andcryptographyto>=48.0.1(clears GHSA-537c-gmf6-5ccf).pip-auditreports no known vulnerabilities; pipPYSEC-2026-196remains the single documented ignore.
Comprehensive multi-pass review-and-improvement of infrastructure/, docs/,
scripts/, and the public exemplars (RedTeam + FirstPrinciples + SystemsThinking
lenses), the thermo-nuclear v2 remediation, and the post-v3.3.1 backlog
closeout. All gates green; no mocks; tests added with each change.
- 🧭 Reproducible run matrix (
run.config) —scripts/runner/run_matrix.py+infrastructure/core/pipeline/run_matrix.py: a deterministic project × stage matrix runner (resolves projects, orders stages canonically), the version-controllable alternative to the interactive menu.run.config.example.yamlshipped; the user'srun.configis git-ignored. - ⏱️
SOURCE_DATE_EPOCHdeterminism —infrastructure/core/determinism.pythreads a reproducible build timestamp through xelatex/CreationDate, manuscriptGENERATION_TIMESTAMP, and datagenerated_at(opt-in viaTEMPLATE_DETERMINISTIC/SOURCE_DATE_EPOCH; no-op otherwise) for byte-stable outputs. - 🔢 Generated
COUNTS.md+ CI--check—scripts/docgen/counts.py+infrastructure/documentation/counts_doc.pyderive the canonical counts from the live tree, closing the long-standing doc-drift loop (canonical_facts.mdwas the one_generated/file with no generator). Renamedcanonical_facts.md→COUNTS.md. - 🚪 Opt-in methods-plan gate —
scripts/gates/methods_plan_check.pyenforces the previously-unenforced methods publication contract. - 🔬 Deep research dispatch (
infrastructure/search/deep_research) — opt-in, paid multi-provider deep-research CLI; fail-fast provider validation + bounded wait (max_wait_seconds/DeepResearchWaitTimeout) +cancel. - 🔐 Kmyth TPM adapter + NSA
kmythsubmodule on the steganography surface.
- 🏷️ Exemplar-support tier —
infrastructure/siaandinfrastructure/scientifictagged as Layer-1-but-exemplar-only in their docs and the module roster. - 🔀 Validation ↔ autoresearch decoupling — the generic validation layer no longer special-cases the domain-specific autoresearch module.
- 🗂️
scripts/reorg — operator tooling grouped underscripts/maintenance/(numbered pipeline stages + gates kept at root). - 🧩 Output-validation + reporting modularization; benchmark test rename.
- 🧹 Dead modules deleted (zero production importers, re-verified):
core/menu.py,validation/cli/markdown.py,rendering/poster_renderer.py, andscientific/{templates,documentation,validation}.py.
- 🔒 Confidentiality guard —
projects/*.mdwildcard replaced with an explicit nav-doc allowlist so a stray top-level markdown can't be tracked. - 🧪 No-mocks enforcer — rewritten as AST + comment/string-stripped scan,
closing trailing-comment /
mock_-prefix /from unittest import mockbypasses. - 📦 Repro bundle (REPRO-VERIFY-1) — output paths rebased onto the project tree
so
verifyactually hashes artifacts and fails closed on declared-but-absent outputs. - 🧷 Evidence-graph claims (EVIDENCE-CLAIM-1) —
output/data/*claims*.jsonglob so the autoresearch exemplar's ledger is ingested as claim nodes +supportsedges. - 🧰 Default-project selection (qualified names),
--stage cleanmismatch, book-lengthbook.titlemetadata, markdown-CLI repo-root, arXiv old-style IDs, and Ollama tests using the discovered model instead of a hard-codedgemma3:4b. - 📦 Correction to [3.3.1] "Public-exemplar outputs tracked" — tracked
output/render proofs were removed on 2026-06-08; the repo ships no committedoutput/artifacts. Supersedes the 3.3.1 "outputs tracked" claim below.
- 📄 DOCX output completion — Pandoc DOCX rendering now embeds figures and
resolves cross-references (
infrastructure/rendering/pipeline.py). - 🔢 Generated-count reconciliation —
docs/_generated/COUNTS.mdproject-scope collection count refreshed to 216 after test additions.
- 📦 Public-exemplar outputs tracked — refreshed rendered
output/artifacts for the public template exemplars are committed alongside the source so the repository ships reproducible, inspectable deliverables.
- 🔎 Reference-existence verification (
infrastructure/reference/verification) — deterministic anti-hallucination gate that resolves each cited reference against Crossref → OpenAlex / arXiv, classifying itok/mismatch/fabricated/unverifiable/unchecked/anachronism. Offline-first with a persistent SQLite cache; live resolution is opt-in. CLI:python -m infrastructure.reference.verification verify <bib>. - ✍️ AI-writing fingerprint detector (
infrastructure/validation/content/ai_writing.py,validation.cli prose-quality) — flags AI-typical phrasing, em-dash density, and low sentence-length burstiness. Both distilled clean-room from Academic Research Skills ideas (CC-BY-NC-4.0); no code vendored. - 🕸️ Evidence graph (
infrastructure/reporting/evidence_graph.py) — typed producer/consumer/validator/claim/artifact graph assembled from the real stage DAG, with a query API and byte-stable JSON (EVIDENCE-GRAPH-1). - 📦 Reproduction bundle (
infrastructure/publishing/repro_bundle.py,scripts/runner/repro_bundle.py) — deterministic repro manifest (lockfile, artifact hashes, canonical-facts pointer, repro command) plus a fail-closed verifier (REPRO-BUNDLE-1). - 📊 Release-readiness dashboard (
infrastructure/reporting/release_readiness.py) — local, no-network report aggregating docs-lint, coverage/test facts, pipeline snapshots, evidence-graph status, and release metadata (DASHBOARD-1). - 🧩 Pipeline plugin stages (
infrastructure/core/pipeline/plugins.py) — schema-validatedprojects/{name}/pipeline_plugins.yamladds DAG stages without core edits. Opt-in; default plan unchanged (PLUGIN-STAGES-1). - ⏭️ Incremental pipeline skipping (
infrastructure/core/pipeline/incremental.py,IncrementalConfig) — content-hash stage skipping with downstream invalidation and fail-safe (never skip when outputs absent). Opt-in, default-off (INCREMENTAL-PIPELINE-1).
- ⚡ Parallel infrastructure tests — CI
test-infraruns withpytest-xdist -n auto(~892s → ~585s per leg); suite verified parallel-safe. - 🧬 Dynamic CI project matrix —
test-projectderives its matrix frominfrastructure.project.public_scopeviafromJSON(detect-projectsjob), so adding/retiring atemplates/exemplar no longer edits the matrix literal (CI-MATRIX-DYNAMIC-1). - 🔇 Quieter terminal logging — console handler floors at INFO (no DEBUG/spinner
chrome on stdout) while the file handler retains timestamped DEBUG; per-file render
internals demoted to DEBUG; default
-vdropped from pytestaddopts(LOG-CLEAN-1). - 🧱 Consolidated safe markdown reader —
infrastructure/validation/docs/_io.pyhostsread_markdown; doc linters route their read-and-skip sites through it (READFILE-SAFE-1). - 📚 Documentation accuracy passes — deep audit + fixes across
docs/and everyinfrastructure/*/{SKILL,README,AGENTS}.md, correcting examples that cited methods/params/CLI flags/test paths that no longer exist; new deterministic infra is wired into thedocs/promptsworkflows.
- 🧭 Agentic-use workflow routing — Added
template-agentic-useas a first-party workflow for skill discovery, local routing, agent onboarding, contract/eval checks, and external-skill review without vendoring companion skills into the public repository. - 🧪 Skill eval coverage — Extended the trigger eval set, eval harness configuration, mode registry, generated skill index, and editor skill manifest so requests such as "make template more agentic", "find relevant skills", and "improve agent routing" route through the new workflow.
- 🔍 Public documentation audit — Added advisory RedTeam-style helpers and a CLI for inventorying public Markdown, volatile project roster/count claims, verifier claims without nearby negative controls, and Python symbol docstring coverage across public CI source paths.
- 🧠 Decision-memory contract — Added a repository rule for WHY comments, ADRs, local agent memory, failure autopsies, selective ignorance, and negative controls, plus consistency checks that require key workflow docs and public exemplar AGENTS files to link back to that contract.
- 📚 Active Inference scholarship traceability — Added a source-backed
scholarship matrix builder, scholarship track registration, manuscript
scholarship sections, figure wiring, references, and tests for the
template_active_inferenceexemplar.
- 🧱 Agent-facing docs — Refreshed AGENTS/README guidance across root, docs, scripts, tests, infrastructure validation, public exemplars, and prompt workflows so agents can locate rules, public-scope boundaries, and decision-memory expectations without relying on stale path lore.
- 🚀 Rendering and validation plumbing — Tightened rendering pipeline behavior, documentation lint integration, accuracy checks, link extraction, and Active Inference output-check/gate surfaces to keep generated claims connected to source contracts.
- 🧾 Release metadata — Bumped the repository package and citation metadata
to
3.2.0.
- 🔐 Public-scope drift risk — Added explicit audit paths for hard-coded public exemplar rosters/counts and for verifier prose that claims enforcement without naming a known-wrong fixture or negative-control path.
- 🧰 Agent memory ergonomics — Expanded core agent-memory tests and docs so local-only memory remains useful for agents while staying out of committed public repository state.
- ✅ Scholarship/manuscript consistency — Connected Active Inference scholarship references, manuscript sections, sheaf track metadata, claim ledger entries, visualizations, and tests so literature anchors are checked as part of the exemplar's public source surface.
- SIA public exemplar — Added
projects/templates/template_sia/plusinfrastructure.sia, project contracts, tests, docs, generated module guide, and CLI validation for themini_classifytask. - Active Inference semantic sheaf hardening — Added semantic gluing, dependency-graph, evidence-crosswalk, policy-comparison, graph-world, and animation coverage so the exemplar now carries machine-checkable manuscript and output contracts beyond static prose.
- Folder-doc and stale-path guardrails — Extended documentation consistency
checks so public exemplar docs, generated facts, and folder-level
AGENTS.md/README.mdpairs are checked across all six public templates. - Interactive simulation dashboard groundwork — Kept the project-agnostic dashboard and invariant infrastructure in the release train, including plaintext-validatable dashboard artefacts and real-data tests.
- Public project signposting — Migrated long-lived documentation,
generated indexes, workflow docs, archived audit notes, and skill-eval
fixtures from stale
projects/template_*paths to canonicalprojects/templates/template_*paths. - Generated facts and skills — Refreshed
docs/_generated/active_projects.md,COUNTS.md,publication_records.md, the architecture overview, API reference, skill manifest, and skill index from live repository state. - Release metadata — Bumped the repository package and citation metadata to
3.1.0. - Entry-point docs — Tightened
README.md,CLAUDE.md,AGENTS.md,.github/README.md, and workflow docs around public scope, pipeline stages, coverage gates, release behavior, and private-project boundaries.
- Multi-project coverage corruption — Project pytest subprocesses now pin
coverageto the workspace version before appending into.coverage.project, preventing mixed project virtualenvs from corrupting the shared SQLite trace. - Documentation lint blind spots — Unqualified public exemplar links are no
longer suppressed as intentionally local, and ghost-path checks now treat
projects/template_*as stale public paths. - Public source gates — Narrowed broad exception handling and fixed type issues in the code and Active Inference exemplars so Ruff and mypy remain clean across public source paths.
- Generated output stability — Normalized PNG writes atomically and made simulation logging recreate missing parent directories after fresh-output cleanup.
- pip-audit (blocking): CI parses
.github/pip-audit-ignore.txtinto--ignore-vulnflags, retries up to three times on failure, and fails the job on remaining findings. Roottool.uv.override-dependenciesaddspip>=26.1.1so the lock does not pin a vulnerable pip pulled in via pip-audit → pip-api. - Bandit: CI invokes
bandit -c bandit.yamlover the same configured roots as before (infrastructure/,scripts/, optionalprojects/tree per workflow excludes).bandit-quickpre-push hook matches that scope. - Manual CI dispatch: Removed unused
workflow_dispatch.inputs.projectfromci.yml. - Release workflow: Set
generate_release_notes: falseso the git-logbody_pathis not duplicated by GitHub auto-notes. - Dependency bumps (security):
black,cryptography,pillow,pygments,pypdf,pytest,requests,werkzeugrefreshed inuv.lockto satisfy pip-audit. - Docs:
.github/AGENTS.md,.github/README.md,.github/workflows/{AGENTS,README}.md, stale-issue parity (do-not-closeon issues), PR template CI parity, issue-template fork note.
All forward-looking items in the v0.7.0 TO-DO are now shipped. Every
gate in the "Live state snapshot" table of TO-DO.md is green via
uv run python -m infrastructure.core.health.
- m1 — Telemetry retention. New
infrastructure/core/telemetry/retention.py(rotate(reports_dir, keep=…)); collector wires throughTELEMETRY_KEEPenv var (default 10). Oldertelemetry.jsonfiles archive into<reports_dir>/.history/telemetry-<unix_ts>.jsondeterministically. 10 real-data tests. - m2 — Steganography deterministic mode. New
infrastructure.steganography.config.resolve_build_timestamp(...)honorsSTEGANOGRAPHY_DETERMINISTIC=1(orsecure_run.sh --deterministic) → readsgit log -1 --format=%cIfor the build timestamp, falls back to wall-clock with a warning. Wired through metadata, overlays, barcodes, hashing, encryption. Two consecutivesecure_run.shinvocations now produce byte-identical output PDFs (verified end-to-end). 8 real-data tests. - m3 — Config schema-extension hook (per workspace root). New
register_project_schema_extension(project_name, schema),get_project_schema_extensions(project_name),clear_project_schema_extensions()ininfrastructure/core/config/schema.py. Validator hook inloader.pyinfers the workspace segment from the config path (or accepts explicitproject_name=). 12 real-data tests.
- MED1 — Multi-project parallel execution. New
infrastructure/core/pipeline/multi_project_parallel.pyexposesrun_projects_in_parallel(...). CLI flags--paralleland--max-workers=Nadded toscripts/runner/execute_multi_project.py(default remains serial — backwards compatible). Per-worker stdout/stderr is redirected viaos.dup2into each workspace's…/output/logs/pipeline.logunder the configured projects root (no parent-process interleaving). Observed wall-time improvement in fixture runs: serial vs parallel with multiple workers (~2–3× in synthetic multi-workspace tests). 8 tests. - MED2 — Unified
healthcommand. Newinfrastructure/core/health.pywithGateResult,HealthReport,run_health_checks(...), andpython -m infrastructure.core.healthCLI. Runs 10 gates (mypy, ruff, ruff-format, bandit, no-mocks, all-exports, docs-lint, stage-table, api-reference, architecture-overview) and prints a colored status table.--jsonemits machine-readable output. New informationalhealthCI job uploadshealth-report.jsonas an artefact. 14 tests. - MED3 — Coverage trend dashboard. New
infrastructure/reporting/coverage_history.pywithparse_coverage_xml,collect_history_from_dir,collect_history_via_gh,build_history_markdown. Driver:scripts/docgen/coverage_history.py(offline--from-dirand online--from-ghmodes). Generateddocs/_generated/coverage_history.mdincludes a 30-day rolling table + ASCII sparkline. CI uploadscoverage-historyartefact. 15 tests usingdefusedxml.
| Gate | Status |
|---|---|
mypy --strict infrastructure/ |
✅ 0 errors / 327 files |
ruff check |
✅ clean |
ruff format --check |
✅ 325 already formatted |
bandit -ll -c bandit.yaml |
✅ 0 HIGH / 0 MEDIUM / 0 LOW |
verify_no_mocks.py |
✅ no mocks |
infrastructure.skills check_all_exports |
✅ 0 violations |
scripts/audit/lint_docs.py |
✅ mermaid + links + consistency |
| Stage-table + API-reference + architecture generators | ✅ idempotent |
uv run pytest tests/infra_tests/ (no LLM, no bench) |
✅ all pass |
This cycle reconciles the live repo state with the gates the v3.0.0 row
had previously claimed but not actually shipped. Every claim in the
"Live state snapshot" table of TO-DO.md is verifiable from a single
command (linked in that table).
- M1 —
mypy --strict__all__re-export fix. Added explicit__all__toinfrastructure/core/exceptions.py,infrastructure/core/runtime/environment.py,infrastructure/rendering/latex_package_validator.py. Typed missing generic ininfrastructure/rendering/_pdf_pandoc_engine.py. Result:mypy --strict infrastructure/→ 0 errors / 323 files. - M2 —
pip-auditblocking gate. Removedcontinue-on-error: truefrom the security job'spip-auditstep in.github/workflows/ci.yml. Added per-CVE allow-list at.github/pip-audit-ignore.txt(empty by default). Documented in.github/AGENTS.md. - M3 — Bandit MEDIUMs closed.
xml.etree.ElementTree→defusedxml.ElementTreeininfrastructure/search/literature/{backends,fulltext}.py;# nosec B615with rationale on the HF fixture script. Result:bandit -ll→ HIGH 0 · MEDIUM 0 · LOW 0 (withbandit.yaml).
- M4 — Bandit LOW triage. Repo-wide allow-list in
bandit.yamlwith per-test-ID justifications. Both MEDIUM+ and strict-LOW CI passes invoke-c bandit.yaml. No genuine code fixes were necessary; every flagged pattern is either a research-context norm (B311,B404,B607) or a typed-only re-export (B405). - M5 — Pre-push parity. New hooks
bandit-quick,skills-check,bandit-low(manual),all-exports-checkin.pre-commit-config.yamlmirror CI gates locally. - M6 — Architecture overview generator. New
infrastructure/documentation/architecture_overview.py+scripts/docgen/architecture_overview.pyproducedocs/_generated/architecture_overview.{mmd,svg}from live infra and workspace-root discovery (layout only; no workspace contents). - M7 — Roadmap freshness. Re-baselined
docs/development/coverage-gaps.mdanddocs/development/roadmap.md; date-stamped audit reports;docs/audit/archived/scaffold added. - MED1 — Stage-table single source of truth. New
infrastructure/documentation/stage_table.py+scripts/docgen/stage_table.pyinject a deterministic Markdown table frominfrastructure/core/pipeline/pipeline.yamlinto 5 docs via<!-- BEGIN:STAGE_TABLE --> … <!-- END:STAGE_TABLE -->markers. - MED2 — Workspace setup-hook polish. Optional
setup_hook.yamlmanifest (required tools / env vars / timeout / skip_if_env);PROJECT_SETUP_HOOK_DRY_RUN=1mode; preflight-before-invoke; Windows portability documented. - MED3 — Per-workspace pytest driver. New
infrastructure/core/test_runner.pylifts the open-coded shell loop over discovered test directories out of.github/workflows/ci.yml#test-projectinto a tested infrastructure function. CI workflow now callsscripts/pipeline/stage_01_test.py --project-only --all-projects. - MED4 — Documentation linter. New
infrastructure/validation/docs/{mermaid_lint,cross_link_lint,consistency_lint}.pyscripts/audit/lint_docs.py+ newdocs-lintCI job. Detects parallelogram-syntax abuse, broken cross-links (with inline-code spans correctly excluded), and stale "N Python packages" claims.
- MED5 —
__all__audit. Newinfrastructure/skills/check_all_exports.py(AST-based) flags any module that re-exports without an explicit__all__. 13 modules got new__all__lists. CI gate + pre-push hook. - MED6 — Bench harness. Opt-in
tests/infra_tests/bench/(-m bench) measuresfind_setup_hook(~6 µs), no-oprun_project_setup_hook(~10 µs), trivial-subprocess hook (~21 ms), andrun_analysis_pipelineat N=1/5/25 (~30/150/737 ms). Informational CI step +bench-results.jsonartefact upload. - MED7 — API-reference auto-generation. New
infrastructure/documentation/api_reference_gen.py+scripts/docgen/api_reference.pywalk every__all__and inject a generated symbol catalogue intodocs/reference/api-reference.md. CI--checkgate.
infrastructure/core/analysis_pipeline.py(Stage-02 runner) was silently overwritten during parallel edits; restored, plus its 7-test no-mocks suite, plus re-thinnedscripts/pipeline/stage_02_analysis.py.
| Gate | Status |
|---|---|
ruff check (E501 included) |
✅ enforced |
ruff format --check |
✅ enforced |
mypy --strict infrastructure/ |
✅ 0 errors / 323 files |
bandit -ll -c bandit.yaml |
✅ 0 HIGH / 0 MEDIUM / 0 LOW |
pip-audit |
✅ blocking |
infrastructure.skills.check_all_exports |
✅ 0 violations |
scripts/audit/lint_docs.py |
✅ 0 issues across mermaid + links + consistency |
| Stage-table & API-reference generators | ✅ idempotent |
uv run pytest tests/infra_tests/ (no LLM, no bench) |
✅ 5347 passed |
The largest code-quality improvement cycle since the template's inception. All
infrastructure/ packages and repository-level scripts were subjected to
systematic blind review and remediation across 26 review rounds, eliminating
AI-generated debt, convention outliers, and structural issues; tracked exemplar
layouts were aligned where they share code with Layer 1.
- Import hygiene: Removed unused imports across 8+ files; separated
TYPE_CHECKINGguarded imports from runtime imports; eliminatedsys.pathmutations from CLI modules - Exception handling: Narrowed broad
except Exception/ bareexceptclauses throughoutintegrity.py,logging_utils,config_loader, andllmmodules; fixed silentJSONDecodeErrorswallowing; restored exception context withraise ... from exc - Dead code removal: Deleted orphaned
coverage_reporter.py(zero importers); removed stub/passthrough wrapper methods across 10+ modules; eliminated dead HTML-entities dict fromInputSanitizer - Type annotations: Modernised legacy
typingimports (List[x]→list[x],Optional[x]→x | None) across 30+ modules; addedTypedDictreturns for integrity results; annotated CLI re-exports - API surface: Consolidated
OllamaClientConfigenv-read wrappers (ABS-001); merged duplicatePerformanceMetricsnaming conflict; removedProjectLoggerpure-forwarder abstraction; eliminatedcalculate_file_hashre-export from publishing boundary - Bug fixes: Fixed inverted
scan_errorsbool in doc scanner; fixed stall-detection dead branch in pipeline reporter; fixedconfig_filespath bug inconfig_cli; fixedclean_output_directoryreturn type; fixed broken accessor imports aftercore.pyhub elimination - Structural: Eliminated
infrastructure/core/core.pyhub (delegatedvalidate_markdown_clito canonical location); extracted_build_stage_listto remove stage-list duplication; movedMultiProjectResulttoTYPE_CHECKINGto breakreporting→corecircular dep - Logging: Removed nosy debug logs from LLM and environment modules; downgraded verbose entry logs; added
get_loggerto logic modules lacking structured logging - docstrings: Stripped AI-generated boilerplate docstring bloat from 40+ functions; removed restating comments; cleaned banner comments
- Tests: Fixed test name collisions; added deterministic tests for
validate_review_qualityand exception types; added integration tests totestpaths; removed orphan test files - Dependencies: Removed
scipyfrom infrastructure env check; resolved stale findings inpsutilguards; movedmatplotlibto optional dep group
| Gate | Status |
|---|---|
| Desloppify blind reviews | 26 rounds completed |
| Commits | 161 |
| Files changed | 948 |
ruff check |
✅ Enforced |
mypy --strict |
✅ 0 errors |
bandit -ll |
✅ 0 MEDIUM+ findings |
pytest |
✅ All pass |
Promoted from Beta to Production/Stable after completing comprehensive quality gates across all 8 infrastructure packages (126 source files).
- v2.12.0 — Ruff Format Enforcement: Auto-formatted 280 files;
ruff format --checkblocking CI gate - v2.13.0 — mypy Strict Enforcement: 140→0 errors in
validation/(22 files) +rendering/(12 files);disallow_untyped_defs = trueoverrides - v2.14.0 — Security Hardening: 7→0 MEDIUM Bandit findings (CWE-400, CWE-502, CWE-377);
pip-auditblocking CI gate; Bandit-llthreshold - v2.15.0 — CI & Container Modernization: Dockerfile
python:3.12+uv; mypy pre-commit hook; docker-compose healthchecks - v2.16.0 — E501 Line Length Enforcement: E501 removed from ruff ignore list; 342 code-line + 36 docstring per-file-ignores
- v3.0.0 — Major Version Bump: mypy strict for all 8 infrastructure packages (126 files, 0 errors); version 3.0.0; Production/Stable classifier
pyproject.tomlversion:2.0.0→3.0.0- Classifier:
Development Status :: 4 - Beta→Development Status :: 5 - Production/Stable - Dockerfile:
python:3.11-slim+pip→python:3.12-slim+uv - docker-compose.yml: Removed deprecated
versionkey; added Ollama healthcheck .pre-commit-config.yaml: Added mypy hook; ruffv0.8.4→v0.9.7; pre-commit-hooksv4.6.0→v5.0.0ci.yml:pip-auditnow blocking; Bandit scansinfrastructure/,scripts/, and (when present) the configuredprojects/roots at MEDIUM+
| Gate | Status |
|---|---|
ruff check |
Enforced (E501 included) |
ruff format --check |
Enforced |
mypy --strict (validation, rendering) |
Enforced |
mypy (all 8 packages) |
0 errors |
bandit -ll |
0 MEDIUM+ findings |
pip-audit |
Blocking gate |
pytest (infra suite; workspace suites per CI matrix) |
All pass |
- Two-layer layout (shared infrastructure + optional per-workspace trees)
- Build pipeline with thin orchestrator pattern
- Program-aware discovery of workspace roots under the configured
projects/layout - Executive reporting dashboard (multi-workspace orchestration)
- Standalone workspace lifecycle pattern (promote / archive) for local trees