Skip to content

Load default protect patterns from config#173

Open
eggrollofchaos wants to merge 2 commits into
Ruya-AI:mainfrom
eggrollofchaos:codex-agt/config-protect-patterns-default
Open

Load default protect patterns from config#173
eggrollofchaos wants to merge 2 commits into
Ruya-AI:mainfrom
eggrollofchaos:codex-agt/config-protect-patterns-default

Conversation

@eggrollofchaos

@eggrollofchaos eggrollofchaos commented Jul 7, 2026

Copy link
Copy Markdown

Summary

  • Add protect_patterns support to ~/.cozempic/config.json.
  • Apply config defaults alongside explicit --protect-pattern values for treat, reload, and guard flows.
  • Ignore invalid config regex defaults with a warning while preserving hard failures for invalid CLI flags.

Tests

  • python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py

Follow-up to #122, which was implemented feat(prune): --protect-pattern (617758d) + hardening (64d9650).

@junaidtitan

Trigger: WORK-AGT-325 drift audit for Ruya-AI/cozempic PR Ruya-AI#122 found the CLI protect-pattern flag landed on upstream main, but the config-level protect_patterns default promised by the handoff was still absent.

Change: add Config.protect_patterns from ~/.cozempic/config.json, combine config defaults with explicit CLI --protect-pattern values, dedupe compiled patterns, fail soft for invalid config regexes while preserving exit(2) for invalid explicit flags, and document the config snippet.

Verification: git diff --check; /Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit (71 passed).

@eggrollofchaos eggrollofchaos left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review verdict: LGTM — approve. 0/0/0/0/0.

Design verified

  • Config defaults fail soft: Bad regex in ~/.cozempic/config.json emits a warning to stderr, does not block CLI flags or daemon startup.
  • CLI flags fail loud: Bad regex passed via --protect-pattern still exits 2.
  • Combined + deduped: Config defaults and CLI flags merge with dedup by pattern string.
  • Config shape safety: Non-list protect_patterns values silently ignored; non-string list items silently filtered. Cannot crash config load.

Test quality

71 tests pass. New tests cover: config-only patterns, config+flag combination, config+flag dedup, invalid config pattern not blocking valid CLI pattern, non-list config ignored.

PR context

  • Head a2995ac, base fd41e95, mergeable CLEAN
  • No prior reviews/comments
  • No formatter pass was run (upstream contribution rule respected)

@eggrollofchaos eggrollofchaos left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed at head a2995ac (base fd41e95, base==merge-base). Config protect_patterns now flow into the prune guard with a fail-soft-config / fail-loud-CLI split, dedup by pattern string, and non-list/non-str config coerced to empty.

Verdict: LGTM. 0 Critical / 0 High / 0 Medium / 1 Low / 1 Nit. Merge blocker: none.

PR context checked: head a2995ac; SonarCloud Quality Gate passed; 1 prior review (LGTM); 0 inline comments; 0 unresolved review threads.

Low — src/cozempic/cli.py _compile_protect_patterns_or_exit: helpers.py:456 compile_protect_patterns builds its list eagerly and raises ValueError on the first invalid/non-string/over-long pattern, so the config try/except drops all config protect_patterns when any single one is malformed — valid patterns ahead of the bad one are lost too. Because these patterns grant prune immunity, one typo in ~/.cozempic/config.json silently reduces config-defined protection to zero (a stderr warning is emitted, but a daemon context may not surface it). This is fail-soft by design and warned, so it does not block; consider compiling config patterns per-item (skip only the invalid one, keep the valid) to preserve partial protection. CLI --protect-pattern correctly stays fail-loud (exit(2)).

Nit — config resolution granularity: config.py:_resolve_protect_patterns_with filters non-string items per-item (partial keep), while the later helpers.py compile is all-or-nothing on regex validity. Cosmetic inconsistency between the two filter stages.

Verification: pytest tests/test_protect_pattern.py tests/test_prune_safety.py → 71 passed (incl. test_invalid_config_pattern_does_not_block_cli_pattern, test_cli_combines_config_default_and_flag_patterns, test_cli_dedupes_config_and_flag_patterns). git diff --check clean.

## Review feedback addressed

- Low: preserve valid config protect_patterns when a sibling config regex is invalid instead of dropping the whole config list.

- Nit: make config handling granular consistently with non-string config filtering.

## Verification

- git diff --check

- /Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit (71 passed)

This commit will be squashed into the PR base commit at merge time.
@eggrollofchaos

Copy link
Copy Markdown
Author

Pushed 8e14064 addressing review feedback: valid config protect_patterns now survive a sibling invalid config regex, while invalid CLI flags still fail loudly.\n\nVerification: python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py (71 passed). Ready for re-review.

@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

@eggrollofchaos eggrollofchaos left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v2 re-review. Verdict: LGTM — 0 Critical / 0 High / 0 Medium / 0 Low / 0 Nit. Merge blocker: none.

PR context: head 8e14064; state OPEN; non-draft; mergeStateStatus CLEAN; no required checks pending. Both v1 findings resolved, verified at head; pytest tests/test_protect_pattern.py tests/test_prune_safety.py → 71 passed.

  • v1 Low (all-or-nothing config compile) — fixed. Config protect_patterns now compile per-item: a bad regex prints Warning: ignoring config protect_pattern … to stderr and continues, so valid patterns still compile and are deduped via the seen set. test_invalid_config_pattern_does_not_block_cli_pattern now asserts that config (GOOD_CONFIG, (unclosed, ALSO_GOOD) yields [GOOD_CONFIG, ALSO_GOOD, FROM_FLAG] — both valid config patterns survive the invalid sibling, which was the specific regression the prior review flagged as untested. The CLI path stays fail-loud (compile_protect_patterns(cli_raw)except ValueErrorexit 2), so explicit --protect-pattern typos are not silently dropped.
  • v1 Nit (granularity mismatch) — resolved. config._resolve_protect_patterns_with filters non-str items per-item (test_config_default_protect_patterns proves [SPR-, control-file, 12](SPR-, control-file)), and the compile stage is now likewise per-item, so both stages have consistent partial-keep granularity. Non-list config → () (fail-soft) is covered.

Focused diff (cli/config + tests + README, +115/-7); no formatter noise. Config fail-soft / CLI fail-loud split is the right contract for a prune-immunity feature. Clean.

@eggrollofchaos eggrollofchaos left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review verdict: LGTM. 0 Critical / 0 High / 0 Medium / 0 Low / 0 Nit.

PR context checked at head 8e1406419ac7b8feb4049442e89c5157e752d11b: open, non-draft, mergeable clean, SonarCloud successful, no inline comments, no unresolved review threads, and no current-head bot findings.

Verified:

  • Config protect_patterns now fail soft per item: invalid config regexes warn and are skipped while valid config patterns and CLI patterns remain active.
  • Explicit CLI --protect-pattern values still fail loud via exit 2 on invalid regexes.
  • Config shape handling remains fail-soft for non-list values and non-string list entries.
  • Treat, reload, and guard call paths all route through the shared compiler and pass compiled patterns into pruning/guard code.
  • No formatter noise in the diff.

Checks run:

  • git diff --check fd41e95b85f283286eaca9419c19825abb6d053b...8e1406419ac7b8feb4049442e89c5157e752d11b
  • /Users/wax/.venv/bin/python -m pytest tests/test_protect_pattern.py tests/test_prune_safety.py --rootdir /Users/wax/coding/ai-coding-agents/.codex/tmp/work-agt-325-cozempic-audit -q -> 71 passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant