Load default protect patterns from config#173
Conversation
Trigger: WORK-AGT-325 drift audit for Ruya-AI/cozempic PR Ruya-AI#122 found the CLI protect-pattern flag landed on upstream main, but the config-level protect_patterns default promised by the handoff was still absent. Change: add Config.protect_patterns from ~/.cozempic/config.json, combine config defaults with explicit CLI --protect-pattern values, dedupe compiled patterns, fail soft for invalid config regexes while preserving exit(2) for invalid explicit flags, and document the config snippet. Verification: git diff --check; /Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit (71 passed).
eggrollofchaos
left a comment
There was a problem hiding this comment.
Review verdict: LGTM — approve. 0/0/0/0/0.
Design verified
- Config defaults fail soft: Bad regex in
~/.cozempic/config.jsonemits a warning to stderr, does not block CLI flags or daemon startup. - CLI flags fail loud: Bad regex passed via
--protect-patternstill exits 2. - Combined + deduped: Config defaults and CLI flags merge with dedup by pattern string.
- Config shape safety: Non-list
protect_patternsvalues silently ignored; non-string list items silently filtered. Cannot crash config load.
Test quality
71 tests pass. New tests cover: config-only patterns, config+flag combination, config+flag dedup, invalid config pattern not blocking valid CLI pattern, non-list config ignored.
PR context
- Head
a2995ac, basefd41e95, mergeable CLEAN - No prior reviews/comments
- No formatter pass was run (upstream contribution rule respected)
eggrollofchaos
left a comment
There was a problem hiding this comment.
Reviewed at head a2995ac (base fd41e95, base==merge-base). Config protect_patterns now flow into the prune guard with a fail-soft-config / fail-loud-CLI split, dedup by pattern string, and non-list/non-str config coerced to empty.
Verdict: LGTM. 0 Critical / 0 High / 0 Medium / 1 Low / 1 Nit. Merge blocker: none.
PR context checked: head a2995ac; SonarCloud Quality Gate passed; 1 prior review (LGTM); 0 inline comments; 0 unresolved review threads.
Low — src/cozempic/cli.py _compile_protect_patterns_or_exit: helpers.py:456 compile_protect_patterns builds its list eagerly and raises ValueError on the first invalid/non-string/over-long pattern, so the config try/except drops all config protect_patterns when any single one is malformed — valid patterns ahead of the bad one are lost too. Because these patterns grant prune immunity, one typo in ~/.cozempic/config.json silently reduces config-defined protection to zero (a stderr warning is emitted, but a daemon context may not surface it). This is fail-soft by design and warned, so it does not block; consider compiling config patterns per-item (skip only the invalid one, keep the valid) to preserve partial protection. CLI --protect-pattern correctly stays fail-loud (exit(2)).
Nit — config resolution granularity: config.py:_resolve_protect_patterns_with filters non-string items per-item (partial keep), while the later helpers.py compile is all-or-nothing on regex validity. Cosmetic inconsistency between the two filter stages.
Verification: pytest tests/test_protect_pattern.py tests/test_prune_safety.py → 71 passed (incl. test_invalid_config_pattern_does_not_block_cli_pattern, test_cli_combines_config_default_and_flag_patterns, test_cli_dedupes_config_and_flag_patterns). git diff --check clean.
## Review feedback addressed - Low: preserve valid config protect_patterns when a sibling config regex is invalid instead of dropping the whole config list. - Nit: make config handling granular consistently with non-string config filtering. ## Verification - git diff --check - /Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit (71 passed) This commit will be squashed into the PR base commit at merge time.
|
Pushed 8e14064 addressing review feedback: valid config |
|
eggrollofchaos
left a comment
There was a problem hiding this comment.
v2 re-review. Verdict: LGTM — 0 Critical / 0 High / 0 Medium / 0 Low / 0 Nit. Merge blocker: none.
PR context: head 8e14064; state OPEN; non-draft; mergeStateStatus CLEAN; no required checks pending. Both v1 findings resolved, verified at head; pytest tests/test_protect_pattern.py tests/test_prune_safety.py → 71 passed.
- v1 Low (all-or-nothing config compile) — fixed. Config
protect_patternsnow compile per-item: a bad regex printsWarning: ignoring config protect_pattern …to stderr andcontinues, so valid patterns still compile and are deduped via theseenset.test_invalid_config_pattern_does_not_block_cli_patternnow asserts that config(GOOD_CONFIG, (unclosed, ALSO_GOOD)yields[GOOD_CONFIG, ALSO_GOOD, FROM_FLAG]— both valid config patterns survive the invalid sibling, which was the specific regression the prior review flagged as untested. The CLI path stays fail-loud (compile_protect_patterns(cli_raw)→except ValueError→exit 2), so explicit--protect-patterntypos are not silently dropped. - v1 Nit (granularity mismatch) — resolved.
config._resolve_protect_patterns_withfilters non-str items per-item (test_config_default_protect_patternsproves[SPR-, control-file, 12]→(SPR-, control-file)), and the compile stage is now likewise per-item, so both stages have consistent partial-keep granularity. Non-list config →()(fail-soft) is covered.
Focused diff (cli/config + tests + README, +115/-7); no formatter noise. Config fail-soft / CLI fail-loud split is the right contract for a prune-immunity feature. Clean.
eggrollofchaos
left a comment
There was a problem hiding this comment.
Review verdict: LGTM. 0 Critical / 0 High / 0 Medium / 0 Low / 0 Nit.
PR context checked at head 8e1406419ac7b8feb4049442e89c5157e752d11b: open, non-draft, mergeable clean, SonarCloud successful, no inline comments, no unresolved review threads, and no current-head bot findings.
Verified:
- Config
protect_patternsnow fail soft per item: invalid config regexes warn and are skipped while valid config patterns and CLI patterns remain active. - Explicit CLI
--protect-patternvalues still fail loud via exit 2 on invalid regexes. - Config shape handling remains fail-soft for non-list values and non-string list entries.
- Treat, reload, and guard call paths all route through the shared compiler and pass compiled patterns into pruning/guard code.
- No formatter noise in the diff.
Checks run:
git diff --check fd41e95b85f283286eaca9419c19825abb6d053b...8e1406419ac7b8feb4049442e89c5157e752d11b/Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit -q-> 71 passed.



Summary
protect_patternssupport to~/.cozempic/config.json.--protect-patternvalues for treat, reload, and guard flows.Tests
python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.pyFollow-up to #122, which was implemented
feat(prune): --protect-pattern(617758d) + hardening (64d9650).@junaidtitan