chore: recall consolidate defense-in-depth hardening (child re-clamp, NULL-lineage guard, timeout count accuracy)#184
Merged
- Child re-clamps the demote target via `MAX(1, MIN(importance, ...))` so a directly-piped payload can only lower importance, never raise it, and the absolute floor of 1 is re-pinned regardless of the supplied value.
- Fail loudly when `loa_entries` lacks `provenance`/`source_ids` columns instead of silently writing NULL lineage on an unmigrated schema (guaranteed by #140).
- Child emits cumulative progress to stderr after each committed cluster; the parent recovers committed counts on subprocess timeout so the summary no longer under-reports work that landed before SIGTERM.

Closes #145
Optional defense-in-depth hardening surfaced by the #141 (PR #144) review + RedTeam gate. None blocked the merge; all three tracked items addressed.

risk: low, surgical, no behavior change on the legit path.

What shipped

- Child re-clamps `newImportance` (#145.1) — the demote `UPDATE` now uses `SET importance = MAX(1, MIN(importance, CAST(? AS INTEGER)))`. A demote can only ever lower importance, so a directly-piped payload can't raise a record; the absolute floor of 1 is re-pinned regardless of the supplied value. On the legit path (planner always sends the floor) the result is identical to before.
- NULL-lineage guard (#145.2) — `applyConsolidation` now throws loudly if `loa_entries` is missing the `provenance`/`source_ids` columns (guaranteed by migration 13, #140) instead of silently writing NULL lineage on an unmigrated/corrupt schema. The `main()` catch surfaces it as a clean error; the conditional column branching is gone.
- Timeout count accuracy (#145.3) — the child emits cumulative `{written, demoted}` to stderr after each committed cluster (unique marker prefix). On subprocess timeout the parent recovers the last marker from captured stderr, so the summary reports work actually committed before SIGTERM instead of `0/0`. `runConsolidate` prints a "Partial progress before failure" line when counts are non-zero. Degrades gracefully to the old `0/0` if no marker is captured.

DRY / conventions

- src/; the stderr marker contract is restated on both sides with cross-referencing comments, following the existing `ConsolidateApplyResult` restatement precedent.

Verification

- `bun run lint` (tsc --noEmit) clean.
- `bun test` green: 1182 pass / 0 fail.
- `onProgress` emits cumulative per-cluster totals; `parseConsolidateProgress` (last-marker, prefixed-line, malformed/none); parent surfaces partial progress on apply error.

Closes #145
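The parent-side recovery step from the timeout-count item above, as an added example that is not the project's code: the marker prefix, the JSON payload shape and the function signatures are assumptions, and the stderr capture is constructed. It shows the three cases the verification list names (last marker wins, marker on a prefixed log line, malformed or absent marker degrades to 0/0).

```typescript
// Assumed marker prefix; the real project's prefix is not on the page.
const PROGRESS_MARKER = "@@consolidate-progress@@";

export interface ConsolidateProgress { written: number; demoted: number; }

// Child side of the contract (assumed shape): one cumulative line per committed cluster.
export function formatProgressMarker(p: ConsolidateProgress): string {
  return `${PROGRESS_MARKER} ${JSON.stringify({ written: p.written, demoted: p.demoted })}`;
}

// Parent side: recover the last well-formed cumulative marker from captured stderr.
// Anything that is not a complete, non-negative integer pair is skipped, so a line
// truncated by SIGTERM cannot overwrite the last good count; no marker => {0, 0}.
export function parseConsolidateProgress(stderr: string): ConsolidateProgress {
  let last: ConsolidateProgress = { written: 0, demoted: 0 };
  for (const rawLine of stderr.split(/\r?\n/)) {
    const idx = rawLine.indexOf(PROGRESS_MARKER);
    if (idx < 0) continue;                       // ordinary log line
    const payload = rawLine.slice(idx + PROGRESS_MARKER.length).trim();
    let parsed: unknown;
    try { parsed = JSON.parse(payload); } catch { continue; }   // malformed: skip
    if (typeof parsed !== "object" || parsed === null) continue;
    const { written, demoted } = parsed as Record<string, unknown>;
    if (!Number.isInteger(written) || !Number.isInteger(demoted)) continue;
    if ((written as number) < 0 || (demoted as number) < 0) continue;
    last = { written: written as number, demoted: demoted as number };  // later marker wins
  }
  return last;
}

// Constructed stderr capture: plain logs, a bare marker, a marker on a prefixed
// log line, and a marker cut off mid-JSON when the child was killed.
export const SAMPLE_STDERR = [
  "cluster 1: 3 entries",
  formatProgressMarker({ written: 1, demoted: 3 }),
  "[warn] cluster 2 took 1.2s " + formatProgressMarker({ written: 2, demoted: 5 }),
  `${PROGRESS_MARKER} {"written": 3, "demo`,
].join("\n");
```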