Skip to content

fix(learning): harden validators against false passes on network and DB checks#67

Merged
OthmaneZ05 merged 1 commit into
mainfrom
fix/learning-validators-hardening
Jul 17, 2026
Merged

fix(learning): harden validators against false passes on network and DB checks#67
OthmaneZ05 merged 1 commit into
mainfrom
fix/learning-validators-hardening

Conversation

@OthmaneZ05

Copy link
Copy Markdown
Collaborator

Summary of Changes

Several learning-engine validators could report a false ✓ — the worst failure mode for an auto-graded roadmap. This PR hardens them and rebuilds their tests on realistic security-group configs:

  • port_denied: no longer passes on a project with no applied network config (or when either node sits outside a subnet) — in that state nothing is enforced and containers talk freely on the shared bridge, so the check now fails with a pedagogical message telling the learner to place the nodes in subnets first.
  • edge_exists / port_denied: DENY rules are now honored with the same first-match-wins semantics as the Network Simulator and the real iptables enforcement (shared helpers in validators/shared.ts). An early DENY blocks the port even when a broader ALLOW sits below it.
  • table_exists: requires the probe query to output exactly 1 — psql WARNING noise merged into the output no longer counts as proof.
  • redis_key_exists: redis-cli server errors ((error) LOADING …, (error) NOAUTH …) are treated as not-ready instead of "a key exists".
  • asg_replicas: resolves its node through the shared type-checked resolver (a same-named non-ASG node no longer passes with count: 0) and rejects negative/fractional count as invalid params.
  • Test debt: the edge_exists/port_denied unit tests no longer inject hand-built semantic rules (the self-confirming seam that hid these bugs) — they derive rules from realistic configs (default deny-all-inbound/allow-all-outbound security group per node, learner rules prepended) through the real NetworkService.computeSemanticRules. The integration fixture now uses the same realistic security groups and covers the default-SG and DENY-shadow scenarios.

docs/roadmap-format.md documents the connectivity semantics and the new port_denied behavior.

Types of Changes

  • New feature / node type addition
  • Bug fix (non-breaking change resolving an issue)
  • Refactoring / structural cleanup
  • Documentation update

Verification & Testing

Automated Checks

  • Run npm run lint successfully with no errors
  • Run npm run build successfully with no compilation errors
  • Run npm test successfully (all tests pass)

Manual Verification

Ran the integration suite (npm run test:integration) against a real Docker daemon 3 consecutive times, all green — it exercises every touched validator pass and fail against real containers, including the new scenarios: default security group only (edge_exists fails, port_denied passes), a DENY rule shadowing a broader ALLOW (edge_exists fails / port_denied passes on the denied port, edge_exists passes on another port), and a node outside any subnet (port_denied fails). Also verified the ASG type-check by the fixture itself: the previous fixture created the ASG boundary as a plain ubuntu node and the hardened validator correctly rejected it until the fixture used a real autoscalinggroup node.

Checklist

  • My code follows the repository's code style and lint standards
  • I have updated the documentation or instructions if necessary
  • All unit and integration tests are passing

@OthmaneZ05
OthmaneZ05 requested a review from Derssa as a code owner July 17, 2026 01:45
@OthmaneZ05
OthmaneZ05 merged commit 2792162 into main Jul 17, 2026
3 checks passed
@OthmaneZ05
OthmaneZ05 deleted the fix/learning-validators-hardening branch July 17, 2026 01:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants