audit remediation: test extraction, panic elimination, deduplication, doc sync

[sf19-97]

Summary

Final v1 audit remediation — 69 files, 898 tests passing, 0 warnings.

Phase 5: Test Extraction (AGENTS.md §4B)

• Extract 11 inline test blocks to separate files (~7,800 lines moved out of production code)
• Restore lost manifest_usecases/tests.rs from prior commit

Phase 6: Panic Elimination

• cluster.rs E.3: debug_assert!(unreachable!()) to ExpandError::InvariantViolation
• execute.rs R.7: unreachable!() to ExecError::ActionSkipViolation
• catalog.rs X.10: unreachable!() to Result return
• demo_1.rs: panic!() to Result with backward-compat wrappers
• SDK: .expect() to lifecycle_violation error returns

Phase 7: Logic Consolidation

• Deduplicate is_valid_id (4 to 1), json_type_name (2 to 1), SHA256 hashing (2 to 1), duplicate-detection pattern (3 to 1)
• Rename ValidationError to GraphValidationError with pub type alias for compatibility

Phase 8: Compliance & Tooling

• Add file headers to 25+ files
• Expand boundary checks: LAYER-2 to all prod crates, add LAYER-4 + LAYER-5 guards
• Fix HostRuleViolation exemption bypass in boundary script
• Synchronize docs for E.3, R.7, and GraphValidationError rename across 10 doc files
• Correct validate.rs header invariant mappings

Verification

• 898 tests, 0 failures
• cargo fmt --check clean
• verify_layer_boundaries.sh passes

[augmentcode]

This pull request is abnormally large and would use a significant amount of tokens to review. If you still wish to review it, comment augment review and we will review it.

[greptile-apps]

Greptile Summary

This PR completes a v1 audit remediation across 69 files with four phases of work: test extraction (~7,800 lines of inline tests moved to dedicated tests.rs siblings), systematic panic elimination (converting unreachable!()/debug_assert!/.expect() to typed Result returns at E.3, R.7, X.10, demo_1, and SDK lifecycle sites), deduplication of four redundant utility patterns (is_valid_id, json_type_name, SHA256, duplicate-detection), and the ValidationError → GraphValidationError rename with a backward-compatible type alias.

Key changes:

• Phase 5: Inline #[cfg(test)] blocks extracted to */tests.rs across 11 crates — purely mechanical, no logic changed
• Phase 6: All targeted panics now return typed errors (ExpandError::InvariantViolation, ExecError::ActionSkipViolation, lifecycle_violation()), each with correct rule_id() and structured diagnostic fields
• Phase 7: is_valid_id consolidated to ergo_runtime::common, json_type_name to ergo_adapter::common; find_first_duplicate replaces three copy-paste loops in validate.rs
• Phase 8: 25+ files receive module-doc headers; verify_layer_boundaries.sh gains LAYER-2 Python rewrite (fixing HostRuleViolation exemption bypass), LAYER-4, and LAYER-5 checks
• Docs: 03-expansion.md, 05-validation.md, 06-execution.md, 12-compute-registration.md, 14-action-registration.md, and closure-register.md all updated to reflect renamed types and strengthened error paths

One minor design concern: ExpandError::InvariantViolation has a hardcoded rule_id() = "E.3" and path() = "$.edges", despite its generic name suggesting it could cover future invariants beyond E.3 — see inline comment.

Confidence Score: 4/5

• Safe to merge after addressing the InvariantViolation rule_id design concern; all panic eliminations are correct and well-tested.
• 898 tests pass with 0 failures. All four phases of work are mechanical or low-risk: test extraction preserves test logic unchanged, panic-to-error conversions introduce proper typed variants with correct rule IDs, deduplication uses identical implementations, and the ValidationError rename includes a backward-compat alias. The one P2 concern — InvariantViolation's hardcoded "E.3" rule_id on a generically-named variant — is a maintainability smell rather than a current bug. Prior review concerns (V-number label contradictions, validate.rs header) are resolved in this revision.
• crates/kernel/runtime/src/cluster.rs — the InvariantViolation variant's hardcoded rule_id/path metadata

Important Files Changed

Filename	Overview
crates/kernel/runtime/src/cluster.rs	E.3 panic eliminated — debug_assert!(unreachable!()) replaced with ExpandError::InvariantViolation. New variant's rule_id() is hardcoded to "E.3" despite generic name; fragile if reused for other invariants.
crates/kernel/runtime/src/runtime/execute.rs	R.7 panic eliminated — unreachable!() in map_to_action_value() replaced with ExecError::ActionSkipViolation { node, port }. Correctly uses node/port context (previously unused _node/_port parameters).
crates/kernel/runtime/src/runtime/types.rs	Clean ValidationError → GraphValidationError rename with pub type ValidationError = GraphValidationError alias; new ExecError::ActionSkipViolation variant with correct rule_id() "R.7" and message.
crates/kernel/runtime/src/runtime/validate.rs	New module-doc header with corrected V-number → function → error-type table (resolves prior review's V.3/V.4 swap concern). All ValidationError references updated to GraphValidationError.
crates/kernel/runtime/src/catalog.rs	X.10 panic eliminated — map_compute_param_value now returns Result; Series default value returns Err propagated as ValidationError::UnsupportedParameterType. Misleading comment about String being unreachable is corrected.
crates/kernel/runtime/src/common/mod.rs	Canonical is_valid_id extracted from four duplicate per-registry copies; identical implementation, now importable as crate::common::is_valid_id across source, compute, trigger, and action registries.
crates/kernel/adapter/src/validate.rs	Three copy-paste duplicate-detection loops replaced by find_first_duplicate helper; deferred ADP-15/ADP-16 comment expanded with actionable guidance. Module-doc header added.
crates/prod/clients/sdk-rust/src/lib.rs	Two .expect() calls in ProfileRunner replaced with lifecycle_violation(...) error returns; both correctly use ? propagation. Minor formatting normalizations for LivePrepOptions::for_fixture calls.
crates/kernel/supervisor/src/demo/demo_1.rs	Panics in number_output/action_output/compute_summary replaced with Result-returning try_* variants; original public API preserved via wrapper functions that .expect() — acceptable for demo/test utilities.
tools/verify_layer_boundaries.sh	LAYER-2 check rewritten in Python to correctly exempt HostRuleViolation while blocking raw RuleViolation in clients; new LAYER-4 (primitive ontology) and LAYER-5 (loader semantic enforcement) guards added. strip_cfg_test_modules brace-counting fix prevents false positives from braces in string literals.
crates/kernel/adapter/src/common.rs	New file extracting json_type_name from adapter/lib.rs; correctly scoped as pub(crate). Removes the duplicate from lib.rs.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[cluster.rs::expand] -->|ExpandedGraph| B{E.3 check\nExternalInput as edge sink?}
    B -->|Yes| C[ExpandError::InvariantViolation\nrule_id = E.3]
    B -->|No| D[validate.rs::validate]
    D -->|GraphValidationError| E{Validation\nfailed?}
    E -->|V.1 cycle| F[GraphValidationError::CycleDetected]
    E -->|V.8 missing prim| G[GraphValidationError::MissingPrimitive]
    E -->|V.3/V.4/V.5/V.7| H[GraphValidationError::*]
    E -->|Pass| I[execute.rs::execute]
    I --> J{R.7 check\nNotEmitted reaches\naction value conversion?}
    J -->|Yes| K[ExecError::ActionSkipViolation\nnode + port]
    J -->|No| L[ExecutionReport]
    M[catalog.rs::register_compute] --> N{X.10 check\nSeries default value?}
    N -->|Yes| O[ValidationError::UnsupportedParameterType]
    N -->|No| P[ParameterMetadata registered]
    style C fill:#f9a,stroke:#c66
    style F fill:#f9a,stroke:#c66
    style G fill:#f9a,stroke:#c66
    style H fill:#f9a,stroke:#c66
    style K fill:#f9a,stroke:#c66
    style O fill:#f9a,stroke:#c66
    style L fill:#9f9,stroke:#696
    style P fill:#9f9,stroke:#696

Loading

_{Reviews (3): Last reviewed commit: "fix: correct boundary-outputs error vari..." | Re-trigger Greptile}