Skip to content

fix: FULL_HINTS coverage, cross-org tracking, and onboard 14 untracked repos#5

Open
sparkling wants to merge 7 commits into
stuinfla:mainfrom
sparkling:fix/full-hints-registry-gap
Open

fix: FULL_HINTS coverage, cross-org tracking, and onboard 14 untracked repos#5
sparkling wants to merge 7 commits into
stuinfla:mainfrom
sparkling:fix/full-hints-registry-gap

Conversation

@sparkling

@sparkling sparkling commented Jul 6, 2026

Copy link
Copy Markdown

Summary

FULL_HINTS in scripts/self-update.mjs only recorded ruflo, but the shipped v0.5.0-dev bundle's kb/*.passages.jsonl already contains substantial full-body source indexing for 13 other repos. First pass of this PR found 4 (via spot-checking); a full audit across every repo in the bundle found 9 more.

Repo Full-body entries in the shipped bundle
ruvector 1302
ruv-fann 340
agentic-flow 300
qudag 401
agent-harness-generator 201
daa 198
agentdb 178
safla 133
ruview 116
rulake 93
open-claude-code 69
ruv-dev 22
agenticow 20

None of these were in FULL_HINTS. This isn't hypothetical — I confirmed it happens in practice: rebuilding agent-harness-generator via self-update.mjs --apply (before this fix) took it from 201 full-body entries to 0, in this session.

The fix

Added all 13 missing entries. agentdb/rulake reduce to a single clean prefix each (src, crates). The rest are genuinely scattered multi-crate/multi-package workspaces — their entries are the exhaustive, empirically-derived minimal prefix set that reproduces every full-body path currently in the shipped bundle, extracted directly from each repo's own kb/<name>.passages.jsonl.

A structural observation, not implemented here: most of these repos' full-body paths span nearly every crate/package in the repo (e.g. ruvector's 126 prefixes are essentially its entire crate list). That strongly suggests the original bulk build simply used --full over the whole tree for T0-T2 tier repos, rather than a hand-curated subset per repo — which would argue for a tier-based default (any T0-T2 repo without an explicit, narrower FULL_HINTS override defaults to full-tree) rather than an ever-growing enumerated list. I didn't implement that here — it changes forge-build.mjs's core matching semantics, which felt like a bigger design change to propose without your input, especially mid-way through the active security-hardening pass on this repo. Happy to take a swing at it if you'd rather have that than the enumerated list.

Honest caveat, unchanged from the original PR: the original build command that produced the shipped bundle isn't recorded anywhere I could find, so these prefix lists are reconstructed from evidence, not confirmed against original intent. Please correct if the authoritative list (or the tier-based approach) is preferred.

Verification

  • node --check scripts/self-update.mjs — clean.
  • Parsed the resulting FULL_HINTS object programmatically to confirm all 14 repos are present with no transcription errors.
  • Rebuilt agent-harness-generator locally with the corrected hint and confirmed it restores full-body indexing (was 0 after the pre-fix rebuild).

Related

Related to #4.


Update — cross-org owner support + onboarding 14 previously-untracked repos

While verifying the freshness loop after this fix landed, found a second, related gap: 14 repos had built content in the shipped bundle but no manifest.json stamp, so self-update.mjs's own freshness loop classified them as build (new) and would silently skip them forever (new-repo builds are intentionally gated behind --include-new, correctly so — but these 10 already had content, they just weren't recognized as "built"):

agentdb, agentic-flow, daa, qudag, fact, ruv-fann, dspy.ts, rulake, ruv-dev, rupixel

Verified each against live GitHub history: zero commits since before the shipped bundle's snapshot, so no content was actually missing — just cloned each (shallow, no rebuild needed) and stamped manifest.json with the real current SHA so the nightly job can now detect genuine future drift instead of leaving them permanently unmonitored.

Also onboarded 4 new repos to registry.tiers.json (T2): agenticow, CVE-bench, and cognitum-cogs/cognitum-support. The latter two surfaced a real architectural gap: remoteHead() and the clone step both hardcoded https://github.com/ruvnet/${name}, so the tool structurally couldn't track any repo outside the ruvnet org. Added an optional owner/repo field to the registry schema (defaults to ruvnet/<name> — fully backward compatible with every existing entry) so cross-org repos can be tracked too.

agenticow, cognitum-cogs, and cognitum-support had drifted since the shipped snapshot, so they were rebuilt. cognitum-cogs needed a FULL_HINTS entry first — its existing full-body coverage was thin and scattered (e.g. crates/fxnn 91/507) rather than a clean whole-directory pass like the other repos, so I used every top-level dir with any full-body content today as a safe superset prefix (guarantees no regression, at the cost of slightly broader-than-strictly-necessary indexing). Verified post-rebuild: exactly 784 full-body entries, matching the pre-rebuild baseline sum precisely.

Verification

  • node --check scripts/self-update.mjs — clean.
  • --repo ruflo dry-run confirms zero regression for existing ruvnet-org entries (no owner field → still resolves correctly).
  • All 14 target repos confirmed up-to-date with built == live SHA in a full dry-run.
  • forge-guard.mjs PASS on both rebuilt variants (agent-harness-generator from the original fix, cognitum-cogs from this update).

FULL_HINTS only recorded ruflo, but the shipped v0.5.0-dev bundle's
kb/*.passages.jsonl already contains substantial full-body source
indexing for agentdb (159 entries), rulake (80), daa (198), and qudag
(401) -- proving these were built with --full at some point, even
though nothing recorded it. Without a hint, the first time
self-update.mjs ever rebuilds one of these repos (the moment it
actually drifts), it silently downgrades that content from full
source bodies to doc-comment-only snippets.

agentdb/rulake reduce to one clean prefix each (src/, crates/
respectively -- every full-body path in the shipped bundle falls
under them). daa/qudag are genuinely scattered multi-crate
workspaces with no single clean prefix, so their entries are the
exhaustive, empirically-derived minimal prefix set extracted directly
from kb/{daa,qudag}.passages.jsonl -- reconstructed from evidence,
not the original build command (which isn't recorded anywhere), so
please correct if the authoritative list differs.

Fixes stuinfla#4
The initial fix only covered agentdb/rulake/daa/qudag (found by
auditing the shipped bundle). A full audit across every repo in the
bundle found 9 more with the same gap: ruvector (1302 full-body
entries -- the largest), ruv-fann (340), agentic-flow (300),
agent-harness-generator (201), safla (133), ruview (116),
open-claude-code (69), ruv-dev (22), agenticow (20).

Confirmed this isn't hypothetical: rebuilding agent-harness-generator
via self-update.mjs --apply (before this fix) actually took it from
201 full-body entries to 0 in this session.

Most of these repos' full-body paths span nearly every crate/package
in the repo, which strongly suggests the original bulk build simply
used --full over the whole tree for T0-T2 tier repos, rather than a
hand-curated subset per repo. Noted this observation in the comment
in case a tier-based default is preferred over an ever-growing
enumerated list -- did not implement that here since it changes
forge-build.mjs's core matching semantics, which felt like a bigger
change to propose without your input on the design, especially
mid-way through an active security-hardening pass on this repo.

Fixes stuinfla#4
@sparkling sparkling changed the title fix: add missing FULL_HINTS entries (agentdb, rulake, daa, qudag) fix: add missing FULL_HINTS entries (14 repos found via full bundle audit, not just 4) Jul 6, 2026
…tracked repos

self-update.mjs hardcoded https://github.com/ruvnet/${name} in two places
(remoteHead + clone step), so it could only ever track repos under the ruvnet
org. Add an optional owner/repo field to the registry schema (defaults to
ruvnet/<name> for full backward compat) so repos living in other orgs can be
tracked too.

Onboard 4 new repos to registry.tiers.json (T2): agenticow, CVE-bench (both
ruvnet), and cognitum-cogs/cognitum-support (cognitum-one org — the first
repos to use the new owner override). The two cognitum-one repos and
agenticow had drifted since the shipped bundle's snapshot, so they were
rebuilt (cognitum-cogs additionally needed a FULL_HINTS entry first, derived
as a safe superset of its existing scattered full-body coverage, to avoid
regressing to snippet-only content).

Separately, 10 repos already had built content in the shipped bundle but no
manifest.json stamp, so self-update.mjs's freshness loop classified them as
"new" and would silently skip them forever (agentdb, agentic-flow, daa,
qudag, fact, ruv-fann, dspy.ts, rulake, ruv-dev, rupixel). Verified each has
had zero upstream commits since before the snapshot (no content drift), then
cloned + stamped them with their real current SHA so the nightly job can now
detect real drift going forward instead of leaving them permanently
unmonitored.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@sparkling sparkling changed the title fix: add missing FULL_HINTS entries (14 repos found via full bundle audit, not just 4) fix: FULL_HINTS coverage, cross-org tracking, and onboard 14 untracked repos Jul 6, 2026
…etaharness)

ruvnet/agent-harness-generator was renamed to ruvnet/metaharness upstream
(confirmed via HTTP 301 redirect + the repo's own package.json still
referencing the old name internally). git/gh follow the redirect
transparently today, so nothing was actually broken, but relying on a
GitHub redirect indefinitely is fragile -- it can break if the old name is
ever reclaimed. Uses the owner/repo override added in the previous commit
to point future clone/fetch operations at the current canonical name
directly. No re-indexing needed: same repo, same content, already covered
under the agent-harness-generator kb-store name.

Verified: `self-update.mjs --repo agent-harness-generator` still resolves
correctly post-patch (up-to-date, same SHA).
@sparkling

Copy link
Copy Markdown
Author

Small addendum: `ruvnet/agent-harness-generator` was renamed upstream to `ruvnet/metaharness` (confirmed via 301 redirect + the repo's own package.json still referencing the old name — same repo, not a new one). Added `repo: "metaharness"` to its registry entry using this PR's owner/repo override, so future clone/fetch targets the canonical name directly instead of relying on the redirect indefinitely. No re-indexing involved. Latest commit on this branch.

sparkling added 3 commits July 6, 2026 23:32
…etaharness)

isNamed() matched the query text against the exact kb-store name only, so a
query naming "metaharness" (the repo's current, more commonly-used name after
the ruvnet/agent-harness-generator -> ruvnet/metaharness GitHub rename) never
triggered the name-boost tie-breaker -- it would only win a tie via plain
vector similarity, not the explicit-name signal.

Added a small ALIASES map checked alongside the exact name, rather than
renaming the kb-store name/files (which would require re-keying FULL_HINTS
and every served-cache filename for no real benefit -- the content itself
already surfaces fine via vector similarity; only the explicit-name-tie
signal was missing).

Not committing kb/SOURCE.json in this commit -- it's being actively written
by an in-progress rebuild of ruflo/agentdb/ruvector in this same checkout.
…y (metaharness)

Rather than a raw file rename (which would have left stale internal
metadata -- meta.json's clone path, embed.json's builtFrom -- pointing at
the old name), fully wiped the repo's kb store (11 files, both the fork
checkout and the served cache) and re-imported it fresh under the name
metaharness, using the same FULL_HINTS prefix list (still valid, same
repo/same structure). Picked up a newer HEAD in the process (38284c8, up
from de12ed8) since the source repo moves very fast (10 commits landed the
day I did this rebuild alone).

- registry.tiers.json: name -> metaharness, drops the now-redundant
  owner/repo override from the prior commit (name === repo now).
- FULL_HINTS key renamed to match.
- forge-ask-all.mjs: flipped the alias direction (metaharness ->
  [agent-harness-generator]) so a query naming the OLD name still gets the
  search name-boost tie-breaker, now that the kb store's canonical name is
  the new one.

Verified: forge-guard PASS (8857/8857, parity/idmap/truncation all OK),
brain-stamp shows `T1 metaharness @ 38284c8c4950` with no stale
agent-harness-generator entry, and a live search_ruvnet query confirms
repo=metaharness now appears correctly in results.

Not committing kb/SOURCE.json -- still being actively written by an
in-progress parallel rebuild of ruflo/agentdb/ruvector in this same
checkout (closing the docs/plugins/etc. coverage gap from issue stuinfla#6).


Full re-crawl of all 3 flagged repos, using the current (already-correct)
forge-build.mjs against fresh clones:

- ruflo: real gap, now closed. docs/=553, plugins/=694, scripts/=88,
  verification/=30, data/=5 chunks — all previously absent, now indexed.
  12971 total chunks (up from the old 9648).
- agentdb, ruvector: investigated further and found the originally-flagged
  "gaps" (packages/bench-data/data for agentdb, external/ for ruvector) were
  FALSE POSITIVES from the top-level-directory-name diff heuristic used to
  find them -- these are git submodule mount points (packages/ruvector-upstream
  -> the ruvector repo itself; external/ruqu, external/rvdna -> their own
  separately-tracked repos) or empty .gitkeep placeholders, not missing
  content. Shallow clones don't initialize submodules by design, and
  re-indexing a submodule's target here would just duplicate that repo's own
  separately-maintained KB store. ruvector's real gap (harnesses/, 22 entries)
  did close correctly.

All 3: forge-guard PASS (parity/idmap/truncation), synced to the served
cache (old files backed up, not overwritten silently), re-stamped, and
verified via self-update dry-run -- all three now report up-to-date with
real (non-unknown) SHAs.

Closes stuinfla#6.
stuinfla added a commit that referenced this pull request Jul 7, 2026
tests-ci #1 (the biggest self-inflicted finding — CI was GREEN but
MISLEADING): on a fresh runner the 512MB brain is absent, so npm test's
core capability battery silently SKIPPED while still exiting 0 — green
masqueraded as "the brain works." Fixed:
- run-tests.mjs now makes the skip LOUD: prints "⚠️ CORE CAPABILITY
  BATTERY SKIPPED" in the section AND the summary line, so a reader can
  never mistake structure/hook/guard-only for the full guarantee.
- Added REQUIRE_BRAIN=1: a runner that restores a brain (nightly/release)
  treats a skipped battery as FAILURE. Verified: fresh runner → loud skip,
  exit 0; REQUIRE_BRAIN=1 + no brain → exit 1.
- CI comment updated to state the fast job is brain-independent by design.

deps #5: added a CI `npm audit --audit-level=high` step in kb/ (via
`npm ci` against the shipped lockfile) so a re-introduced CVE
(protobufjs etc.) fails the build. Verified it passes today (exit 0,
0 high+ vulns).

docs #4: added SECURITY.md — private-disclosure path (GitHub advisories
+ email), the verify-first fix discipline, honest known-posture
(unsigned bundle, unpinned model weights, POSIX-hooks-on-Windows), and
a pointer to ADR-0010 as the review-record format. Fitting after a
responsible-disclosure review left no policy for the next reporter.

version:check green (1.9.6-dev).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y16qCXnXoFhoGh8AKuMiV2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant