
chore: GA-readiness fixes (F1–F6) + Specter 100% structural-coverage gate#602

Merged: remyluslosius merged 9 commits into main from chore/ga-readiness on Jun 19, 2026

Conversation

@remyluslosius

Contributor

GA-readiness review fixes (F1–F6) + Specter 100% structural-coverage gate

Addresses the six GA-readiness findings and adds an enforced 100% structural
Specter coverage gate. Off main, separate from the remediation feature
branches. Eight focused commits.

What landed

| # | Area | Change |
|---|------|--------|
| F6 | Hygiene | Removed a stray 34 MB root openwatch build artifact; gitignored the root-level /openwatch path; stripped placeholder credentials from the prototype login.html. |
| F2 | Lint | make lint now warns when the locally installed golangci-lint differs from the version CI pins (1.64.8), so local runs reproduce CI. |
| F1 | Test isolation | SPA static-delivery tests build their handler from a self-contained in-memory fstest.MapFS fixture (newSPAHandlerFS) instead of a magic staged asset filename — they pass against a real vite build, the Makefile stub, or no staged tree. Native package-build tests (make rpm/deb) now skip unless OPENWATCH_PACKAGING_BUILD=1; CI sets it so coverage is unchanged, local go test ./... no longer triggers a multi-minute build. |
| F5 | CI | A failing frontend Vitest suite now hard-fails the build (deferred past specter ingest so coverage is still reported, then a dedicated enforcement step aborts). |
| F4 | Release signing | A v* tag-push release fails closed when no GPG key is configured rather than publishing unsigned packages. Manual workflow_dispatch trial builds stay permissive. |
| F3 | Version/docs | Operator guides referenced 0.2.0-rc.5 while version.env is 0.2.0-rc.10; all guides reconciled, CHANGELOG [Unreleased] entry added. |
| | Specter | Enforced 100% structural AC coverage in CI: every acceptance criterion must carry a test annotation; any spec below 100% fails the build. Fixed 3 ACs that had passing t.Run subtests but were missing the // @ac comment (system-connection-profile/AC-08, frontend-settings/AC-25, AC-26). All 108 specs now at 100%. |

Two deliberate judgment calls

  1. No GA version cut. F3 was framed as "GA promotion," but declaring 0.2.0
    final on main signals production-final intent while the headline
    remediation feature is still on unmerged branches and GA-beta items are
    unstarted. This PR fixes the concrete defect (version inconsistency) and
    leaves the GA-promotion decision to a maintainer.

  2. Specter coverage is gated structurally (100%), not by zero-tolerance
     outcome. Zero-tolerance was measured to fail on 6 ACs: 4 are local
     DB-saturation false-negatives (CI's dedicated Postgres service passes them;
     the F1 SPA fix makes two of them robust), and 2 are legitimately
     environment-gated t.Skip() tests (real Kensa corpus via
     OPENWATCH_KENSA_RULES_DIR; the native-package boot harness). A skip is not
     a coverage gap. Forcing zero-tolerance would push those valuable hermetic
     tests to either always run (heavy, wrong lane) or drop their skip guards.
     The two-layer gate — structural 100% (every AC has a test) + threshold
     outcome (the tests that run must pass) — is documented in specter.yaml.

Verification

  • gofmt/go vet clean on all touched packages; all workflow + specter.yaml
    YAML parse; specter check passes (108/108).
  • SPA tests pass against the real vite build staged on disk (proving F1).
  • Packaging build-tests skip locally without the opt-in; the edited
    settings.test.ts passes 26/26.
  • Structural gate dry-run: all 108 specs at 100%.

Note: the untracked design prototypes under
docs/engineering/prototypes/openwatch-v1/ are intentionally not included
here (separate concern); the F6 credential strip was applied to the local copy.
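The F1 test-isolation change, as an added example that is not the project's code: a hypothetical newSPAHandlerFS (the real signature is not shown on the page) built over an fs.FS and exercised through a constructed fstest.MapFS tree, so the cache-header assertions hold whatever content-hashed filenames a build emits.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"testing/fstest"
)

// newSPAHandlerFS is a hypothetical reconstruction of the PR's helper (its real
// signature is not on the page): any fs.FS, so tests never depend on one vite build's hashed names.
func newSPAHandlerFS(fsys fs.FS) http.Handler {
	files := http.FileServer(http.FS(fsys))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rel := strings.TrimPrefix(path.Clean(r.URL.Path), "/")
		if strings.HasPrefix(rel, "assets/") {
			// Hashed assets are immutable; check existence first so a 404 is never marked cacheable.
			if _, err := fs.Stat(fsys, rel); err != nil {
				http.NotFound(w, r)
				return
			}
			w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
			files.ServeHTTP(w, r)
			return
		}
		// Any other path is a client-side route: serve index.html uncached so a
		// fresh deploy's asset names are picked up immediately.
		w.Header().Set("Cache-Control", "no-cache")
		r.URL.Path = "/"
		files.ServeHTTP(w, r)
	})
}

// serveFromFixture issues one GET against a handler built from a constructed
// in-memory tree standing in for a staged vite build (the asset hash is
// arbitrary) and returns status, Cache-Control and body for assertions.
func serveFromFixture(urlPath string) (int, string, string) {
	fixture := fstest.MapFS{
		"index.html":             {Data: []byte(`<!doctype html><div id="app"></div>`)},
		"assets/app-deadbeef.js": {Data: []byte("console.log('hi')")},
	}
	rec := httptest.NewRecorder()
	newSPAHandlerFS(fixture).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, urlPath, nil))
	return rec.Code, rec.Header().Get("Cache-Control"), rec.Body.String()
}

func main() { fmt.Println(serveFromFixture("/settings/profile")) }
```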

A 34MB ad-hoc `go build -o openwatch` artifact had been left at the repo
root. `make build` writes to dist/ (already ignored); anchor-ignore a
root-level /openwatch so such a build can never be committed.

`make lint` now warns when the locally installed golangci-lint differs from
the version CI pins (1.64.8), so a local lint reproduces CI instead of
surfacing/hiding lints the gate won't enforce. Bump GOLANGCI_VERSION and the
go-ci.yml install pin together.

The gzip/cache tests hardcoded /assets/app-abc123.js, a filename only the
Makefile stub stages — so a raw `go test ./internal/server/` against a real
`vite build` (different content-hashed names) failed. Add newSPAHandlerFS so
those tests build their handler from an in-memory fstest.MapFS fixture,
asserting identically against the stub, a real build, or no staged tree.

Vitest failures previously only emitted a ::warning::. Defer the failure
past specter ingest (so coverage is still reported), then a dedicated
enforcement step aborts the build on a real frontend test failure — a
frontend regression that doesn't map to a spec AC no longer slips through.

A v* tag push is an intentional release cut; publishing it without a
configured GPG key shipped packages operators can't verify. Fail the release
when GPG_PRIVATE_KEY is absent on a tag push. Manual workflow_dispatch trial
builds stay permissive (warn + publish unsigned).

Operator guides referenced 0.2.0-rc.5 while packaging/version.env is
0.2.0-rc.10. Align all guides and add a CHANGELOG [Unreleased] entry for the
GA-readiness fixes. (GA promotion to 0.2.0 final is a separate decision,
deliberately not made here while remediation is unmerged.)

The tests that shell out to `make rpm`/`make deb` take minutes and write
into dist/, so a plain `go test ./...` on a dev machine (which may have
dpkg-deb/rpmbuild) should not silently trigger a full package build. They now
skip unless OPENWATCH_PACKAGING_BUILD=1; CI sets it in the ingest step so AC
coverage there is unchanged. Completes F1 (the SPA-fixture half landed
separately).

Add a hard CI gate: every acceptance criterion in every spec must carry a
test annotation (// @ac for Go, // @ac for frontend). Any spec below 100%
structural coverage fails the build, so no AC can silently lose its test.

Three ACs had passing t.Run subtests but were missing the // @ac source
comment the annotation walker counts (system-connection-profile/AC-08,
frontend-settings/AC-25, AC-26) — annotations added; all 108 specs now at
100% structural coverage.

The gate runs in annotation strictness (no ingest), independent of which
tests run in the hermetic lane. The outcome gate stays at threshold: a few
ACs are covered by legitimately env-gated tests (real Kensa corpus,
native-package boot harness) that correctly t.Skip() here, and a skip is not
a coverage gap. Documented the two-layer rationale in specter.yaml.
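The structural gate, as an added illustration rather than the project's own annotation walker: the annotation syntax (`// @ac <spec-id>/AC-NN`) is assumed from the ids the page shows, the spec list and source files are constructed samples, and structuralGaps returns every AC that no source annotates, which is what makes a passing-but-unannotated subtest fail the build.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Annotation syntax assumed here: "// @ac <spec-id>/AC-NN". The page shows only
// "// @ac" plus ids like system-connection-profile/AC-08, not the real walker's grammar.
var acAnnotation = regexp.MustCompile(`//\s*@ac\s+([a-z0-9-]+/AC-\d+)`)

// specs maps spec id to its declared acceptance criteria (constructed sample).
var specs = map[string][]string{
	"system-connection-profile": {"AC-01", "AC-08"},
	"frontend-settings":         {"AC-25", "AC-26"},
}

// testSources is a constructed sample. TestRejectsBadPort passes, but nothing
// annotates AC-08: a green test run the structural gate still rejects.
var testSources = map[string]string{
	"profile_test.go": `
// @ac system-connection-profile/AC-01
func TestLoads(t *testing.T) {}
func TestRejectsBadPort(t *testing.T) {} // exercises AC-08, but nobody annotated it
`,
	"settings.test.ts": "// @ac frontend-settings/AC-25\n// @ac frontend-settings/AC-26\ntest('renders', () => {});\n",
}

// structuralGaps returns, sorted, every declared AC that no source annotates; CI
// fails when non-empty. No test is run here, so a runtime t.Skip() cannot create a gap.
func structuralGaps(specs map[string][]string, sources map[string]string) []string {
	annotated := map[string]bool{}
	for _, src := range sources {
		for _, m := range acAnnotation.FindAllStringSubmatch(src, -1) {
			annotated[m[1]] = true
		}
	}
	var gaps []string
	for spec, acs := range specs {
		for _, ac := range acs {
			if id := spec + "/" + ac; !annotated[id] {
				gaps = append(gaps, id)
			}
		}
	}
	sort.Strings(gaps)
	return gaps
}

func main() { fmt.Println(structuralGaps(specs, testSources)) }
```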
@github-actions github-actions Bot added labels size/L, ci/cd, documentation, frontend, tests Jun 19, 2026
…ests

Set tier1/tier2/tier3 = 100 so the OUTCOME gate requires every AC's test to
pass in CI, not just meet 80%/50% thresholds. This needs the formerly
environment-gated tests to run in CI instead of skipping:

- Boot test (release-admin-signoff/AC-14): freshTestDB now DROP/CREATEs its
  isolated DB via pgx against the maintenance database, removing the
  `docker exec openwatch-db` dependency. It runs in any lane that can reach
  the Postgres in OPENWATCH_TEST_DSN — CI's service container included. Also
  fixed a latent bug the skip had masked: the cookie-authenticated create-host
  call now sends the CSRF double-submit token (XSRF-TOKEN cookie + matching
  X-CSRF-Token header). Verified end-to-end locally (build + boot + login +
  create host).
- Kensa catalog test (api-system-scan-config/AC-08): CI now exports
  OPENWATCH_KENSA_RULES_DIR from the kensa module's bundled rule corpus
  (`go list -m`) so it exercises the real corpus instead of skipping.

OPENWATCH_PACKAGING_BUILD=1 (already set) opts the boot + package-build tests
into the ingest run. Documented the two-layer 100% gate + the flaky-test
caveat in specter.yaml.
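The CSRF double-submit defect the un-skipped boot test exposed, as an added example that is not OpenWatch code: a middleware requiring the XSRF-TOKEN cookie to match the X-CSRF-Token header (names from the commit message), and a replay of the cookie-authenticated create-host call with and without the token. The /api/hosts path, session cookie and token values are constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// csrfCheck enforces the double-submit pattern named in the commit: on any
// state-changing request the XSRF-TOKEN cookie must exist and equal the
// X-CSRF-Token header. Cookie and header names are from the commit message;
// the middleware and the /api/hosts path are illustrative, not OpenWatch code.
func csrfCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods carry no CSRF risk
			return
		}
		c, err := r.Cookie("XSRF-TOKEN")
		hdr := r.Header.Get("X-CSRF-Token")
		// The empty-header check matters: an empty cookie and empty header would otherwise compare equal.
		if err != nil || hdr == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
			http.Error(w, "csrf token missing or mismatched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// createHostStatus replays the boot-test scenario: a cookie-authenticated POST
// that creates a host. The session cookie is a constructed placeholder; when
// withToken is true the XSRF-TOKEN cookie is sent alongside the given header.
func createHostStatus(withToken bool, header string) int {
	h := csrfCheck(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusCreated)
	}))
	req := httptest.NewRequest(http.MethodPost, "/api/hosts", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "constructed-session"})
	if withToken {
		req.AddCookie(&http.Cookie{Name: "XSRF-TOKEN", Value: "constructed-token-123"})
		req.Header.Set("X-CSRF-Token", header)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(createHostStatus(false, ""), createHostStatus(true, "constructed-token-123")) }
```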
@remyluslosius remyluslosius merged commit dd921b2 into main Jun 19, 2026
21 checks passed
@remyluslosius remyluslosius deleted the chore/ga-readiness branch June 19, 2026 13:49
remyluslosius added a commit that referenced this pull request Jun 19, 2026
Pick up the GA-readiness changes (#602): Specter gate raised to 100% across
all tiers + the structural-coverage gate. specter.yaml auto-merged (remediation
spec registrations + the new tier config are in different regions).
remyluslosius added a commit that referenced this pull request Jun 19, 2026
Pick up GA-readiness (#602): Specter 100% gate + structural gate, hardened
CI/release, SPA test fixture, packaging-test opt-in. Brings the full
remediation stack (governance + admin + execution) current with main for a
single consolidated landing.