feat(arena): Season 0 Worldsmith Trials submission scaffold + entry validator#80
feat(arena): Season 0 Worldsmith Trials submission scaffold + entry validator#80frankxai wants to merge 4 commits into
Conversation
…alidator Adds challenges/season-0/ (rules pointer README, entry-template with SKILL.md + entry.json manifest + world/ layer stubs, entries/ intake dir) and a zero-dependency validator (structure, manifest schema, license acceptance, injection lint) wired to a GitHub Action that runs on entry PRs. Companion to arcanea-ai-app#185 (Arena strategy, spec, ledger, judge pipeline). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A62YAfcPvfLzYn163Mu7dN
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request sets up the infrastructure for Arcanea Arena Season 0, adding a README, an entry template with placeholder world files, and a Python validation script to enforce submission constraints and check for prompt injections. The review feedback suggests enhancing the validation script's robustness by defensively handling malformed JSON structures to prevent crashes and using utf-8-sig encoding to safely strip UTF-8 Byte Order Marks (BOM) during file parsing.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
…pes, BOM-safe reads entrant/skill non-dict values no longer crash validation (reported as errors instead); all read_text calls use utf-8-sig so Windows BOMs don't break frontmatter parsing. Fixtures re-verified: template-derived entry passes, sabotaged entry fails with specific errors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A62YAfcPvfLzYn163Mu7dN
|
Review + CI status:
Companion PR with the strategy/spec/rubric/ledger/judge pipeline: frankxai/arcanea-ai-app#185. Generated by Claude Code |
Review: Season 0 Worldsmith Trials submission scaffoldReviewed .github/workflows/validate-entries.yml, challenges/season-0/scripts/validate_entry.py, and the template/README files. Critical: the validation Action silently no-ops instead of validating entriesIn .github/workflows/validate-entries.yml, the "Find changed entry directories" step only runs: git fetch --no-tags --depth=1 origin "BASE_SHA" and then feeds "git diff --name-only BASE_SHA HEAD_SHA -- challenges/season-0/entries/" through awk and sort -u, capturing the result into a shell variable "dirs". Two compounding issues:
Net effect: the workflow currently validates nothing, ever, and reports success regardless of what's in the submitted entry -- including the injection-lint check that's supposed to catch judge-manipulation attempts. Since this is the actual gate for community PRs into challenges/season-0/entries/, this needs a fix before entries start flowing in. Two changes needed: (a) fetch both BASE_SHA and HEAD_SHA in the git fetch call, not just BASE_SHA, and (b) add "set -euo pipefail" at the top of the run block so any future failure here fails the job loudly instead of silently passing. Security posture (good)
Minor/optional: actions/checkout@v4 is pinned to a floating tag rather than a commit SHA. Given the read-only permissions here the blast radius is small, but worth being consistent if other workflows in this repo pin third-party actions to SHAs. validate_entry.pyOverall clean, zero-dependency, and readable. A couple of minor notes, none blocking:
Test coverageThe PR description says the validator was "verified locally" against fixture entries, but no fixtures or automated test (e.g. a tests/ dir with a pytest or a plain assert-based script) are committed. Since this script is the actual gate for community submissions, I'd suggest committing the pass/fail fixtures used for that manual verification (including the injection-attempt case) as a small regression test. An end-to-end test that exercises the Action's shell logic (not just the Python script in isolation) would also have caught the fetch/pipefail issue above. Nit.github/workflows/validate-entries.yml's comment about deleted entries needing no validation, attached to the directory-existence check, is also silently true for the .gitkeep placeholder path, since awk treats it as a pseudo-entry-dir (challenges/season-0/entries/.gitkeep has the same path depth as a real entry dir). Harmless since it's skipped by the directory check, but the comment doesn't quite describe why it's being skipped in that case. Everything else (README, entry-template, .gitkeep) looks straightforward and matches the stated scope -- no lore/canon changes, no TS/build impact. The workflow fetch bug is the one thing I'd want fixed before this gate starts being relied on for real submissions. 🤖 Generated with Claude Code |
…tests Per review: the Action fetched only BASE_SHA, so git diff against the unfetched HEAD_SHA failed — and without pipefail that failure was swallowed, leaving dirs empty and the gate green while validating nothing. Now fetches both endpoints and runs every step under set -euo pipefail so a broken diff fails loudly. Also adds test_validate_entry.py (5 scenarios built from the committed entry-template: valid pass, BOM pass, sabotage fail, author mismatch, double-hyphen dir rejection) wired as the workflow's first step, plus the tighter GitHub-handle regex and a not-general-YAML warning comment. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A62YAfcPvfLzYn163Mu7dN
|
The critical finding was confirmed and is fixed in 954fbb2: the Action fetched only Also landed from the review: Generated by Claude Code |
Running challenges/season-0/scripts/test_validate_entry.py imports the validator and leaves bytecode caches behind; keep them out of entry PRs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A62YAfcPvfLzYn163Mu7dN
Summary
Adds the public submission surface for Arcanea Arena — Season 0: The Worldsmith Trials: contributors enter the competition by PRing a Claude Code skill (an agentic world-creation workflow) + manifest + sample world into
challenges/season-0/entries/, validated automatically by a zero-dependency script wired to a GitHub Action. Companion to frankxai/arcanea-ai-app#185 (strategy, spec, rubric, ledger, judge pipeline).Changes
challenges/season-0/README.md— season front door: what to submit, how to enter, canon constraints, prize (recognition + plugin distribution; no invented figures)challenges/season-0/entry-template/— copyable entry skeleton (SKILL.md,entry.jsonmanifest with license-acceptance field,world/five-layer stubs)challenges/season-0/entries/— intake directory (one dir per entry,<handle>--<skill-name>)challenges/season-0/scripts/validate_entry.py— validates directory naming/author match, SKILL.md frontmatter rules, manifest schema, world files, plus an injection lint for judge-manipulation attempts.github/workflows/validate-entries.yml— runs the validator on changed entries in PRs (contents: readonly)Type
Checklist
CANON_LOCKED.mdanytypes (no TypeScript in this change)pnpm builduntouched by these paths)🤖 Generated with Claude Code
https://claude.ai/code/session_01A62YAfcPvfLzYn163Mu7dN
Generated by Claude Code