Last updated: 2026-06-25
This matrix helps agents choose focused validation before broader tests. It is not a replacement for judgment: run more when a change crosses boundaries.
Always run git diff --check before committing. Before public-sharing or
release cleanup, also run pre-commit run --all-files so ruff check, ruff
format, whitespace, staged public-safety, and Markdown link hooks all execute.
| Touched area | Read first | Focused validation |
|---|---|---|
docs/** only |
docs/README.md, changed doc |
git diff --check; python3 scripts/check_markdown_links.py when links change |
| Active docs routing/baseline | docs/codex-handoff.md, docs/public-documentation-boundary.md, docs/code-map.md |
python3 scripts/check_active_docs.py; python3 scripts/audit_public_docs.py; python3 scripts/check_markdown_links.py |
| Agent operating docs | AGENTS.md, docs/agent-quickstart.md, docs/agent-playbook.md, docs/public-documentation-boundary.md |
python3 scripts/check_active_docs.py; python3 scripts/audit_public_docs.py; python3 scripts/check_markdown_links.py; python3 -m pytest -q tests/test_agent_preflight.py tests/test_check_active_docs.py tests/test_check_staged_public_safety.py tests/test_audit_public_docs.py |
query_doctor/web/ui/** |
docs/safety-contract.md, docs/code-audit.md |
python3 -m pytest -q tests/test_web_ui_home.py tests/test_web_ui_help.py tests/test_web_ui_readme.py tests/test_web_server.py |
| Web routes/jobs | docs/codex-handoff.md, docs/code-audit.md |
python3 -m pytest -q tests/test_web_server.py tests/test_web_optimizer.py |
| Browser safety text | docs/safety-contract.md |
python3 -m pytest -q tests/test_web_display_safety.py tests/test_web_server.py |
| Owner-raw D3 viewer identity, front-door contract, dev SSO harness, or isolated raw source surface | docs/safety-contract.md, docs/owner-raw-d3-deployment.md, docs/dev-sso-keycloak.md, docs/codex-handoff.md |
python3 scripts/owner_raw_front_door_smoke.py --compact; python3 scripts/audit_owner_raw_live_front_door_review.py --template-json <raw-free-front-door-review.json> to create a fail-closed raw-free template, and python3 scripts/audit_owner_raw_live_front_door_review.py --review-json <raw-free-front-door-review.json> when retained live proxy evidence is available; python3 scripts/audit_owner_raw_staging_preflight.py --config <ignored-local-web-config.json> --allow-nonlocal-web-bind before live proxy work over a planned staging config; python3 scripts/audit_owner_raw_d3_readiness.py --config <ignored-local-web-config.json> --allow-nonlocal-web-bind --front-door-review-json <raw-free-front-door-review.json> before enabling raw source reveal; python3 scripts/audit_owner_raw_d3_rehearsal.py --config <ignored-local-web-config.json> --allow-nonlocal-web-bind --front-door-review-json <raw-free-front-door-review.json> when the dev SSO stack is running and an aggregate D3 rehearsal summary is needed; python3 scripts/audit_owner_raw_d3_source_enable.py --config <ignored-local-source-enabled-config.json> --rehearsal-summary-json <raw-free-d3-rehearsal-summary.json> --allow-nonlocal-web-bind --confirm-source-enable-canary --confirm-no-disable-owner-raw-source --confirm-no-front-door-or-header-change --confirm-kill-switch-rollback-plan before a controlled canary raw-source enablement; python3 scripts/audit_owner_raw_d3_post_enable.py --source-enable-summary-json <raw-free-source-enable-summary.json> --post-enable-review-json <raw-free-post-enable-review.json> after the canary window to validate raw-free runtime allow/deny evidence and final source-state closure; python3 scripts/build_owner_raw_d3_launch_closure_manifest.py --redaction-reviewed --front-door-review-summary-json <raw-free-front-door-review-audit-summary.json> --readiness-summary-json <raw-free-d3-readiness-summary.json> --rehearsal-summary-json <raw-free-d3-rehearsal-summary.json> --source-enable-summary-json <raw-free-source-enable-summary.json> --post-enable-summary-json <raw-free-post-enable-summary.json> --out <raw-free-d3-launch-closure-manifest.json> to retain safe relative manifest references; python3 scripts/audit_owner_raw_d3_launch_closure.py --front-door-review-summary-json <raw-free-front-door-review-audit-summary.json> --readiness-summary-json <raw-free-d3-readiness-summary.json> --rehearsal-summary-json <raw-free-d3-rehearsal-summary.json> --source-enable-summary-json <raw-free-source-enable-summary.json> --post-enable-summary-json <raw-free-post-enable-summary.json> or python3 scripts/audit_owner_raw_d3_launch_closure.py --launch-closure-manifest <raw-free-d3-launch-closure-manifest.json> after the post-enable gate to validate the raw-free launch closure chain; python3 scripts/prepare_owner_raw_d3_artifacts.py --artifact-dir <ignored-local-d3-artifact-dir> --confirm-local-ignored-artifact-dir --allow-nonlocal-web-bind --confirm-source-enable-canary --confirm-no-disable-owner-raw-source --confirm-no-front-door-or-header-change --confirm-kill-switch-rollback-plan to create or preserve local fail-closed D3 artifact templates, run the deployment bundle, and run the support-readiness gate by default without printing paths; add --skip-support-readiness only for explicit scaffold or bundle-only preparation; python3 scripts/audit_owner_raw_d3_deployment_bundle.py --config <ignored-local-web-config.json> --source-enable-config <ignored-local-source-enabled-config.json> --front-door-review-json <raw-free-front-door-review.json> --post-enable-review-json <raw-free-post-enable-review.json> --allow-nonlocal-web-bind --confirm-source-enable-canary --confirm-no-disable-owner-raw-source --confirm-no-front-door-or-header-change --confirm-kill-switch-rollback-plan when one raw-free aggregate deployment verdict is needed; python3 scripts/owner_raw_policy_simulator.py --source-visibility owner_raw --host 0.0.0.0 --allow-nonlocal-web-bind --viewer-identity-header-configured --viewer-header-value sample_owner --query-user sample_owner --fail-on-deny; docker compose -f dev/sso/compose.yaml config when the dev Keycloak compose harness changes; python3 scripts/dev_sso_keycloak_smoke.py --compact when the dev Keycloak compose stack is running; python3 -m pytest -q tests/test_owner_raw_front_door_smoke.py tests/test_audit_owner_raw_live_front_door_review.py tests/test_audit_owner_raw_staging_preflight.py tests/test_audit_owner_raw_d3_readiness.py tests/test_audit_owner_raw_d3_rehearsal.py tests/test_audit_owner_raw_d3_source_enable.py tests/test_audit_owner_raw_d3_post_enable.py tests/test_audit_owner_raw_d3_launch_closure.py tests/test_build_owner_raw_d3_launch_closure_manifest.py tests/test_audit_owner_raw_d3_deployment_bundle.py tests/test_prepare_owner_raw_d3_artifacts.py tests/test_owner_raw_d3_contract.py tests/test_viewer_identity.py tests/test_owner_raw_policy.py tests/test_web_app.py tests/test_web_server.py -k "owner_raw or viewer_identity_header"; python3 -m pytest -q tests/test_dev_sso_keycloak.py tests/test_dev_sso_keycloak_smoke.py; for UI/error wording changes, also run python3 -m pytest -q tests/test_web_server.py tests/test_web_ui_home.py tests/test_web_ui_help.py; add python3 scripts/check_staged_public_safety.py --changed and python3 scripts/audit_public_docs.py when public docs or browser-visible safety text change |
| Owner-raw trusted SSO/auth proxy support wording | docs/safety-contract.md, docs/owner-raw-d3-deployment.md, docs/dev-sso-keycloak.md, docs/codex-handoff.md |
python3 scripts/audit_owner_raw_sso_proxy_support_readiness.py --deployment-bundle-summary-json <raw-free-d3-deployment-bundle-summary.json> before release-facing docs claim support for deployment behind a trusted SSO/auth proxy via viewer_identity_header; python3 scripts/prepare_owner_raw_d3_artifacts.py --artifact-dir <ignored-local-d3-artifact-dir> --confirm-local-ignored-artifact-dir --allow-nonlocal-web-bind --confirm-source-enable-canary --confirm-no-disable-owner-raw-source --confirm-no-front-door-or-header-change --confirm-kill-switch-rollback-plan when using the local D3 artifact workspace to produce the bundle and support-readiness summaries in one raw-free operator flow; python3 -m pytest -q tests/test_audit_owner_raw_sso_proxy_support_readiness.py tests/test_prepare_owner_raw_d3_artifacts.py; add python3 scripts/check_staged_public_safety.py --changed and python3 scripts/audit_public_docs.py when public docs or browser-visible safety text change |
| Trusted artifacts | docs/code-audit.md, docs/query-optimizer-contract.md |
python3 -m pytest -q tests/test_web_trusted_artifacts.py tests/test_web_optimizer.py |
query_doctor/report/** |
docs/safety-contract.md, docs/code-audit.md |
python3 -m pytest -q tests/test_report_sanitizer.py tests/test_web_ui_report.py |
| Optimizer parser/validator | docs/query-optimizer-contract.md |
python3 -m pytest -q tests/test_query_optimizer.py tests/test_optimizer_sql.py |
| Optimizer recipes/fixtures | docs/query-optimizer-contract.md, docs/model-bakeoff.md |
python3 -m pytest -q tests/test_optimizer_sql.py tests/test_optimizer_benchmark_fixtures.py; for representative no-recipe calibration, run python3 scripts/audit_optimizer_funnel.py <batch_summary.json> --fail-on-repeated-no-recipe-readiness-gaps so repeated groups require one safe review track or the explicit mixed query-shape review track, plus mapped review area, change direction, workload metric, compare/rerun verification, an explicit no-trusted-draft/manual-review contract, and raw-free retained candidate reasons; add --summary-json <raw-free-optimizer-funnel-summary.json> when retained machine evidence is needed |
| Pasted-SQL optimizer web page | docs/query-optimizer-contract.md, docs/safety-contract.md |
python3 -m pytest -q tests/test_web_optimizer.py tests/test_query_optimizer.py |
query_doctor/cm/** |
docs/safety-contract.md, docs/codex-handoff.md |
python3 -m pytest -q tests/test_cm_* |
| Cloudera Manager metrics/events | docs/codex-handoff.md, docs/code-audit.md |
python3 -m pytest -q tests/test_cm_* tests/test_analyzer_* |
query_doctor/impala/** |
docs/safety-contract.md |
python3 -m pytest -q tests/test_impala_* tests/test_metadata_* |
| Analyzer facts/scoring | docs/code-audit.md, docs/analyzer-audit.md |
python3 -m pytest -q tests/test_stats_optimization_score.py tests/test_query_optimization_score.py tests/test_analyzer_cli.py tests/test_batch_recent_cli.py tests/test_web_ui_recent_scan.py tests/test_web_ui_recent_scan_presenter.py; add python3 scripts/audit_stats_diagnostics.py <batch_summary.json> --fail-on-stats-readiness-gaps when stats candidate tiering changes |
| Trino compact intake/local web support | docs/engines/trino-diagnostic-contract.md, docs/safety-contract.md, docs/engines/trino-private-preview-release.md |
python3 -m pytest -q tests/test_trino_*.py tests/test_web_trino_compact.py tests/test_web_trino_beta_query.py tests/test_audit_trino_compact_readiness.py tests/test_audit_trino_evidence_handoff.py tests/test_audit_trino_product_surface_boundary.py tests/test_audit_trino_browser_report_regression.py tests/test_audit_trino_production_closure_gates.py tests/test_audit_trino_product_metadata_collection.py tests/test_audit_trino_report_optimizer_safety.py tests/test_audit_trino_production_collector_contracts.py tests/test_audit_trino_query_linked_fact_coverage.py tests/test_audit_trino_representative_evidence.py tests/test_audit_trino_support_gap_matrix.py tests/test_build_trino_evidence_package_script.py tests/test_validate_trino_evidence_package_script.py tests/test_demo_trino_evidence_package_script.py tests/test_trino_one_query_live_handoff_script.py tests/test_build_trino_handoff_suite_manifest_script.py tests/test_build_trino_evidence_handoff_suite_manifest_script.py tests/test_trino_evidence_package_requirements_script.py tests/test_engine_fact_boundary_payload.py tests/test_web_display_safety.py tests/test_web_ui_home.py::test_web_render_page_sets_brand_favicon tests/test_web_server.py::test_web_server_declares_intentional_facade_exports; this includes the local web retained-list Recent, One Query ID, raw-free materialized Details, deterministic Python Report, and optimizer guidance local production paths, dev-only Kerberos/SPNEGO smoke summary guard, package-to-boundary handoff audit, product-surface boundary audit, browser/report regression audit, broader production closure gate audit, product metadata collection audit, report optimizer safety audit, production collector contract audit with optional retained representative-evidence summary handoff checks, query-linked fact coverage audit, representative retained-evidence audit, support-gap matrix audit, one-query live handoff wrapper guard, Trino handoff-suite manifest builder/gate, the one-query handoff Kerberos/SPNEGO fetch guard, and Trino preview/import docs tests. Before planning operator case labels for sanitized evidence packages, run python3 scripts/trino_evidence_package_requirements.py --json to print the Python-owned accepted sample cases, package/sample source types, known fixture contract/version labels, redaction classes, rejection reasons, sentinel tests, boundary assertions, and size limits without contacting Trino or claiming support. For sanitized evidence packages, run python3 scripts/audit_trino_evidence_handoff.py <sanitized-package.json> --summary-json <raw-free-trino-package-handoff-summary.json> to validate the package, convert accepted samples to raw-free boundary payloads in memory, run the compact readiness suite, and write only raw-free machine evidence without paths, raw payloads, SQL, URLs, Query IDs, or a production support claim. For retained package-level handoff sets, build local metadata with python3 scripts/build_trino_evidence_handoff_suite_manifest.py --redaction-reviewed --handoff-summary-json <summary-a.json> --handoff-summary-json <summary-b.json> --out <trino-evidence-handoff-suite.json>, then run python3 scripts/audit_trino_evidence_handoff.py --handoff-suite-manifest <trino-evidence-handoff-suite.json> --require-min-inputs <minimum-retained-package-count> --summary-json <raw-free-trino-evidence-handoff-suite-summary.json> so already raw-free handoff summaries can be retained and audited without reopening packages or raw exports. For accepted raw-free boundary JSON, run python3 scripts/audit_trino_compact_readiness.py <boundary-json> --require-supported-attention; for one-query Trino boundaries written by query-doctor-trino-coordinator-query-info-pruned-import --boundary-out <boundary-json>, also add --require-one-query-boundary and --require-source-version trino_coordinator_query_info_target_v1 so aggregate query_list_* evidence or an unexpected source contract cannot count as one-query readiness, pass --diagnosis-json <diagnosis-json> when the same run wrote --diagnosis-out, and pass --smoke-summary <trino_smoke_summary.json> --require-executed-smoke when an executed Kerberos/SPNEGO smoke summary is part of the handoff; strict executed-smoke mode requires every smoke check to finish with the known ok status. Before any broader product-surface promotion decision, run python3 scripts/audit_trino_product_surface_boundary.py <boundary-json> --diagnosis-json <diagnosis-json> --summary-json <raw-free-trino-product-surface-summary-json>, or pass --handoff-suite-manifest <trino-one-query-handoff-suite.json> for retained one-query suites, so retained compact artifacts keep live_known_query_diagnosis=one_query_pruned_query_info_local_production and live_recent_scan=retained_query_list_local_production, the allowed Trino web registry stays limited to the compact preview page plus local Recent/One Query ID/materialized Details/Python Report/optimizer guidance local production surfaces, Trino CLI remains preview/dev-only, unsupported LLM report and Query Optimizer job source imports stay blocked outside the explicitly allowed Trino surfaces, and output remains path-free with only the local production support claim, with retained product-surface summaries checked when referenced; before broader support-surface decisions, run python3 scripts/audit_trino_production_collector_contracts.py --summary-json <raw-free-trino-production-collector-contracts-summary-json>, and when retained representative evidence is part of collector promotion review, run python3 scripts/audit_trino_production_collector_contracts.py --representative-evidence-summary-json <raw-free-trino-representative-evidence-summary-json> --require-representative-evidence-summary --summary-json <raw-free-trino-production-collector-contracts-summary-json> so only the already raw-free representative-evidence summary contract is checked, production_review_breadth_v1 with breadth_profile_status=ready is required, and retained artifacts are not reopened, Trino is not collected, and SQL is not executed; then run python3 scripts/audit_trino_query_linked_fact_coverage.py --summary-json <raw-free-trino-query-linked-fact-coverage-summary-json>, python3 scripts/audit_trino_product_metadata_collection.py --summary-json <raw-free-trino-product-metadata-collection-summary-json>, python3 scripts/audit_trino_report_optimizer_safety.py --summary-json <raw-free-trino-report-optimizer-safety-summary-json>, python3 scripts/audit_trino_browser_report_regression.py --summary-json <raw-free-trino-browser-report-regression-summary-json>, python3 scripts/audit_trino_representative_evidence.py --summary-input-json <raw-free-retained-summary-json> --require-min-summary-inputs <minimum-retained-summary-count> --require-breadth-profile production_review_breadth_v1 --summary-json <raw-free-trino-representative-evidence-summary-json>, python3 scripts/audit_trino_support_gap_matrix.py --summary-json <raw-free-trino-support-gap-summary-json>, and python3 scripts/audit_trino_production_closure_gates.py --summary-input-json <raw-free-trino-production-collector-contracts-summary-json> --summary-input-json <raw-free-trino-representative-evidence-summary-json> --summary-input-json <raw-free-trino-query-linked-fact-coverage-summary-json> --summary-input-json <raw-free-trino-product-metadata-collection-summary-json> --summary-input-json <raw-free-trino-report-optimizer-safety-summary-json> --summary-input-json <raw-free-trino-browser-report-regression-summary-json> --summary-input-json <raw-free-trino-shared-deployment-summary-json> --summary-input-json <raw-free-trino-support-gap-summary-json> --require-current-tracking-summaries --summary-json <raw-free-trino-production-closure-summary-json> so existing local lanes, preview readers, contract-only sources, bounded compact query-linked facts, metadata allowlist/dev-only aggregate CLI/local aggregate import blocks, materialized Python Report/optimizer guidance safety blocks, browser/report regression coverage blocks, open collector/query-linked/product-metadata/report-optimizer/browser-report blockers, retained real-cluster evidence breadth through production_review_breadth_v1, collector-to-representative-evidence linkage with raw-free current_tracking_summary_status, invalid_current_tracking_summary_count, representative_evidence_linkage_status, representative_evidence_linkage_invalid_summary_count, and representative_evidence_linkage_missing_summary_count plus matching path-free CLI status labels, product-metadata/report-optimizer/browser-report/shared-deployment guard summaries, registered Trino fact-family coverage, neutral no_* gaps, blocked product adapter flags, and the broader closure gate list stay aligned with the support-gap matrix. python3 scripts/trino_one_query_live_handoff.py bundles the one-query pruned import, direct boundary/diagnosis writes, source-version readiness gate, optional executed-smoke gate, optional local --query-id-file input, optional raw-free readiness summary output, optional raw-free one-query handoff summary output, optional product-surface summary audit, and path-free safe output for real-cluster handoff work, but remains dev-only and is not a standalone product support surface. For retained sets of one-query handoff outputs, first build local metadata with python3 scripts/build_trino_handoff_suite_manifest.py --redaction-reviewed --boundary-json <boundary-1.json> --diagnosis-json <diagnosis-1.json> --smoke-summary <trino_smoke_summary.json> --readiness-summary-json <readiness-summary-1.json> --handoff-summary-json <one-query-handoff-summary-json> --product-surface-summary-json <product-surface-summary-json> --out <trino-one-query-handoff-suite.json>; the builder and suite audit require safe relative *.json artifact references and reject duplicate boundary/diagnosis/readiness-summary/handoff-summary/product-surface-summary references while still allowing one shared smoke summary. Then run python3 scripts/audit_trino_compact_readiness.py --handoff-suite-manifest <trino-one-query-handoff-suite.json> --require-diagnosis-json --require-executed-smoke --require-readiness-summary-json --require-handoff-summary-json --require-product-surface-summary-json --require-one-query-boundary --require-source-version trino_coordinator_query_info_target_v1 --fail-on-unknown-parser-coverage --require-supported-attention --require-min-inputs <minimum-retained-query-count> --summary-json <raw-free-trino-suite-summary.json>; pass multiple boundary JSON paths only for raw-free boundary suite coverage that does not include per-entry diagnosis/smoke/readiness-summary/handoff-summary/product-surface-summary artifacts |
| Spark compact intake/diagnosis | docs/engines/spark-architecture-spike.md, docs/engines/spark-test-cluster-evidence-checklist.md, docs/safety-contract.md |
python3 -m pytest -q tests/test_spark_fixture_schema.py tests/test_spark_fixture_facts.py tests/test_spark_history_server.py tests/test_spark_compact_diagnosis.py tests/test_spark_compact_diagnosis_cli.py tests/test_web_spark_compact.py tests/test_audit_spark_compact_readiness.py tests/test_audit_spark_product_surface_boundary.py tests/test_audit_spark_evidence_handoff.py tests/test_audit_spark_support_boundary.py tests/test_spark_evidence_package_intake.py tests/test_spark_evidence_package_requirements_script.py tests/test_build_spark_evidence_package_script.py tests/test_build_spark_handoff_suite_manifest_script.py tests/test_build_spark_one_application_handoff_suite_manifest_script.py tests/test_build_spark_evidence_package_from_one_application_suite_script.py tests/test_spark_one_application_handoff_script.py tests/test_export_spark_evidence_fixtures_script.py tests/test_spark_test_cluster_evidence_checklist_doc.py tests/test_spark_support_boundary_docs.py tests/test_engine_fact_contract.py tests/test_engine_fact_consumer_probe.py tests/test_cli_commands.py tests/test_installed_cli_contract.py; before planning operator case labels, run python3 scripts/spark_evidence_package_requirements.py --json to print the Python-owned accepted sample cases, synthetic rejection cases, source contracts, diagnostic signal groups, redaction classes, sentinel tests, and boundary assertions without contacting Spark or claiming support; for accepted compact JSON, run python3 scripts/audit_spark_compact_readiness.py tests/fixtures/engine_facts/spark_history_eventlog_compact.json --require-supported-attention; for suite breadth, run python3 scripts/audit_spark_compact_readiness.py tests/fixtures/engine_facts/spark_history_eventlog_compact.json tests/fixtures/engine_facts/spark_history_server_compact_source_warning.json --require-min-inputs 2 --require-source-contract spark_history_eventlog_compact_v1 --require-source-contract spark_history_server_compact_v1; before broadening any Spark support surface with operator-reviewed retained evidence, add --require-min-spark-version-families 2 --require-spark-version-family spark_2_4 --require-spark-version-family spark_4_1 to the retained suite audit so safe version-family breadth is proven without raw Spark version strings; for one operator-reviewed explicit History Server application, run python3 scripts/spark_one_application_handoff.py --redaction-reviewed --history-server-url <spark-history-server-url> --application-id <spark-application-id> --application-attempt-id <spark-application-attempt-id> --compact-out <raw-free-spark-compact.json> --diagnosis-out <raw-free-spark-compact-diagnosis.json> --boundary-facts-out <raw-free-spark-boundary.json> --summary-json <raw-free-spark-one-application-handoff-summary.json> --require-supported-attention --fail-on-source-warnings when the operator knows the attempt selector, or omit --application-attempt-id for application-only handoff; the attempt selector is only a bounded request selector and must not appear in output, including summary JSON; for retained one-application handoff triples, run python3 scripts/build_spark_one_application_handoff_suite_manifest.py --redaction-reviewed --compact-json <raw-free-spark-compact.json> --diagnosis-json <raw-free-spark-compact-diagnosis.json> --boundary-facts-json <raw-free-spark-boundary.json> --handoff-summary-json <raw-free-spark-one-application-handoff-summary.json> --out <spark-one-application-handoff-suite.json>, then run python3 scripts/audit_spark_compact_readiness.py --one-application-handoff-suite-manifest <spark-one-application-handoff-suite.json> --require-supported-attention --fail-on-source-warnings --require-source-contract spark_history_server_compact_v1 --summary-json <raw-free-spark-one-application-suite-summary.json> so retained real handoff artifacts are checked for compact/diagnosis/boundary/summary consistency and can write path-free machine readiness evidence without path echo or support claims; before product-surface promotion decisions over retained Spark artifacts, run python3 scripts/audit_spark_product_surface_boundary.py <raw-free-spark-compact.json> --diagnosis-json <raw-free-spark-compact-diagnosis.json> --summary-json <raw-free-spark-product-surface-summary-json>, or pass --one-application-handoff-suite-manifest <spark-one-application-handoff-suite.json> for retained suites, so compact diagnosis artifacts keep live_known_query_diagnosis=not_wired, the isolated Spark preview route stays the only Spark web POST surface, static support boundary checks still block Details/trusted report/optimizer/Recent imports, and output remains path-free and support-claim-free; to convert accepted retained one-application suites into sanitized package wrappers, run python3 scripts/build_spark_evidence_package_from_one_application_suite.py --handoff-suite-manifest <spark-one-application-handoff-suite.json> --sample-case <spark-evidence-sample-case> --out <sanitized-spark-package.json> --package-id <safe_package_label> --prepared-date-utc YYYY-MM-DD --redaction-reviewed --sentinel-tests-passed --partial-ok so package building rechecks suite consistency, uses explicit safe case labels, and avoids path echo or support claims; before changing Spark product exposure, run python3 scripts/audit_spark_support_boundary.py and python3 scripts/audit_spark_product_surface_boundary.py --registry-only to keep the Spark adapter compact-only, Spark CLI roles aligned with compact/evidence-package surfaces, docs support status below production, isolated preview route registry bounded, and Details/report/optimizer/recent imports out of Spark; for operator-reviewed compact evidence wrappers, use query-doctor-build-spark-evidence-package ... --redaction-reviewed --sentinel-tests-passed --require-promotion-candidate, run query-doctor-validate-spark-evidence-package --summary-json --require-promotion-candidate <sanitized-spark-package.json>, and then use query-doctor-export-spark-evidence-fixtures <sanitized-spark-package.json> --out-dir <fixture-ready-dir> to produce fixture-ready compact samples plus spark_fixture_export_manifest.json without path echo; after export, run python3 scripts/audit_spark_compact_readiness.py --fixture-export-manifest <fixture-ready-dir>/spark_fixture_export_manifest.json --require-min-inputs 2 --require-source-contract spark_history_server_compact_v1 --require-source-contract spark_history_eventlog_compact_v1 so the audited files match the safe manifest; for the strict package handoff gate, run python3 scripts/audit_spark_evidence_handoff.py <sanitized-spark-package.json> --summary-json <raw-free-spark-handoff-summary.json> to validate, temporary-export, manifest-audit, write a path-free machine summary, and delete fixture-ready output without path echo; for retained package handoff sets, build local metadata with python3 scripts/build_spark_handoff_suite_manifest.py --redaction-reviewed --handoff-summary-json <summary-a.json> --handoff-summary-json <summary-b.json> --out <spark-handoff-suite.json>, then run python3 scripts/audit_spark_evidence_handoff.py --handoff-suite-manifest <spark-handoff-suite.json> --require-min-inputs <minimum-retained-package-count> --summary-json <raw-free-spark-handoff-suite-summary.json> so retained raw-free summaries are gated without path echo or support claims; keep --partial-ok limited to early dry runs |
| Batch/recent scan | docs/codex-handoff.md, docs/code-audit.md |
python3 -m pytest -q tests/test_batch_recent_cli.py tests/test_web_ui_recent_scan.py tests/test_web_ui_recent_scan_presenter.py tests/test_web_server.py; for real smoke summaries, run the aggregate strict gate python3 scripts/audit_impala_diagnostic_loop.py <batch_summary.json>, which includes Details, trusted-report artifact state plus current strict report revalidation, optimizer artifact state, profile evidence, diagnostic coverage, workload, stats, and optimizer readiness; add --summary-json <raw-free-impala-loop-summary.json> when retained machine-readable readiness evidence is needed, including safe Details/trusted-artifact safety breakdown counters, safe profile-evidence gate breakdown counters, safe diagnostic coverage/source/provenance breakdown counters plus direct-source readiness counters, strict unknown-primary reason/category counters, full unknown-primary reason/category counters and unknown-primary resolution counters, safe workload/action-outcome breakdown counters for repeated-workload calibration including comparable-rerun verification, tracked-family requirement counters, incomplete-fingerprint field, and field-source buckets, and safe stats/optimizer breakdown counters for metadata/detail/verification and no-recipe guidance readiness; add --require-workload-groups when a representative run must prove repeated-workload coverage, add --action-outcomes <action_outcomes.jsonl> --require-action-outcomes for representative raw-free comparable-rerun-verified action-outcome calibration, add --require-direct-source-readiness for direct Impala representative summaries, including raw-free source-provenance validation, and add --use-current-classifier-primary only when retained summaries must be checked against the current deterministic analysis.json primary classifier while still reporting safe persisted-label drift counters; for component drilldown, run python3 scripts/audit_recent_details.py <batch_summary.json> with --fail-on-stats-detail-gaps --fail-on-comparable-rerun-gaps for Details raw-free action-card detail, comparable rerun, and overclaim wording, python3 scripts/audit_profile_evidence_gates.py <batch_summary.json> --fail-on-issues for profile-derived gate and primary-classifier parity, python3 scripts/audit_workload_diagnostics.py <batch_summary.json> --fail-on-workload-readiness-gaps --require-workload-groups for derived or materialized repeated row-fingerprint grouping, representative workload baselines, and compare/rerun verification readiness, adding --summary-json <raw-free-workload-diagnostics-summary.json> when retained component-level workload/action-outcome evidence is needed, including explicit tracked-family comparable-rerun feedback requirements, python3 scripts/audit_stats_diagnostics.py <batch_summary.json> --fail-on-stats-readiness-gaps for stats action strength plus metadata/detail/verification readiness, adding --summary-json <raw-free-stats-diagnostics-summary.json> when retained component-level stats diagnosis evidence is needed, and python3 scripts/audit_impala_coverage_gaps.py <batch_summary.json> --fail-on-diagnostic-coverage-gaps for diagnostic coverage, adding --use-current-classifier-primary only for retained-summary current-classifier calibration and --summary-json <raw-free-impala-coverage-summary.json> when retained component-level coverage/direct-source evidence is needed; its strict primary-coverage rates use analyzed non-clean cases and exclude explicit out-of-scope unknown reasons, while strict-only unknown reason counters remain separate from the full unknown/gap breakdown, and retained coverage JSON includes primary_gate thresholds, full-batch rates, strict eligible rates, out-of-scope counts, unknown reason/resolution/category counts, top category closure labels, and pass/fail booleans |
| CLI command building | docs/development-practices.md |
python3 -m pytest -q tests/test_cli_* tests/test_web_server.py |
| Config behavior | docs/development-practices.md, docs/credentials.md |
python3 -m pytest -q tests/test_config* tests/test_*config* |
| Agent tooling scripts | docs/agent-playbook.md, docs/test-matrix.md |
python3 -m pytest -q tests/test_agent_preflight.py tests/test_check_active_docs.py tests/test_check_staged_public_safety.py tests/test_audit_public_docs.py tests/test_worktree_status.py tests/test_audit_impala_diagnostic_loop.py tests/test_audit_impala_north_star_gate.py tests/test_build_impala_north_star_suite_manifest_script.py tests/test_audit_recent_details.py tests/test_audit_optimizer_funnel.py tests/test_audit_profile_evidence_gates.py tests/test_audit_impala_coverage_gaps.py tests/test_audit_workload_diagnostics.py tests/test_audit_stats_diagnostics.py tests/test_audit_trino_compact_readiness.py tests/test_audit_trino_product_surface_boundary.py tests/test_audit_trino_support_gap_matrix.py tests/test_audit_spark_compact_readiness.py tests/test_audit_spark_product_surface_boundary.py |
Trino production closure validation should also check that
scripts/audit_trino_production_closure_gates.py writes raw-free per-gate
gate_tracking entries and aggregate gate_tracking counts for accepted,
missing, invalid, and not-required retained tracking inputs, and that the CLI
prints the same path-free gate_tracking counts. With the full retained
tracking bundle and collector-to-representative-evidence linkage accepted, the
closure summary should report
broader_production_closure_status=bounded_production_claim_ready; without
that bundle it remains not_closed. This claim remains limited to bounded
local production support and does not promote Running, query-history crawling,
product metadata collection, LLM reports, Query Optimizer jobs, generated SQL,
SQL execution, or broader/shared Trino expansion.
Trino production collector validation should also check that
scripts/audit_trino_production_collector_contracts.py writes raw-free
source_requirement_tracking entries and aggregate
source_requirement_tracking counts for accepted, missing, and invalid
collector source requirements, plus auth-reference policy, source-schema gate,
retry-policy, fail-closed policy, reader-status, reader-scope, CLI-role,
capability, and forbidden-reader counters, and that the CLI prints the same
path-free source-requirement tracking, policy, and reader counts while the
collector gate remains not_closed.
Trino representative evidence validation should also check that
scripts/audit_trino_representative_evidence.py writes raw-free
breadth_requirement_tracking entries and aggregate
breadth_requirement_tracking counts for accepted, insufficient, and
not-required retained breadth requirements, including retained summary-kind mix
and accepted input-status requirements for the production-review profile, and
that the CLI prints the same path-free summary-kind and breadth-requirement
counts while the representative evidence gate remains not_closed.
Trino query-linked fact coverage validation should also check that
scripts/audit_trino_query_linked_fact_coverage.py writes raw-free
query_linked_requirement_tracking entries and aggregate
query_linked_requirement_tracking counts for accepted, missing, and invalid
fact/source requirements, source-granularity counts, and
production_review_query_linked_v1 coverage-profile tracking for required
core fact families, query-linked scopes, one-query source granularities, and
retained operator/split-detail/telemetry blockers. It should also record
operator_connector_telemetry_decision_v1, with connector metric signal as
bounded-supported and operator-level, split-detail, and telemetry linkage as
deliberate unsupported gaps until raw-free source contracts exist. The CLI
should print the same path-free query-linked requirement, coverage-profile, and
operator/connector/telemetry decision counts while the query-linked coverage
gate remains not_closed.
Trino product metadata collection validation should also check that
scripts/audit_trino_product_metadata_collection.py writes raw-free
product_metadata_requirement_tracking entries and aggregate
product_metadata_requirement_tracking counts for accepted, missing, and
invalid fact/source/product-surface requirements, plus
production_review_metadata_v1 tracking for allowlist/source lanes,
aggregate-only metadata boundary, metadata fact namespace, bounded sources,
redaction blocks, explicit metadata SQL policy, product-surface blocks, and the
retained product-metadata open blocker. The CLI should print the same path-free
product-metadata requirement and production-review counts while product
metadata collection remains unsupported.
Trino report and optimizer safety validation should also check that
scripts/audit_trino_report_optimizer_safety.py writes raw-free
report_optimizer_requirement_tracking entries and aggregate
report_optimizer_requirement_tracking_counts for accepted, missing, and
invalid capability/policy/validator/product-surface requirements, plus
production_review_report_optimizer_v1 tracking for report/guidance families,
materialized capabilities, raw-source policy fields, validator sentinel matrix,
and blocked product-surface requirements. The CLI should print the same
path-free report-optimizer requirement and production-review counts while the
report optimizer safety gate remains not_closed.
Trino browser/report regression validation should also check that
scripts/audit_trino_browser_report_regression.py writes raw-free
browser_report_requirement_tracking entries and aggregate
browser_report_requirement_tracking_counts for accepted, missing, and invalid
test/route/product-surface requirements, plus
production_review_browser_report_v1 tracking for regression families, test
files, materialized route capabilities, raw-output blocks, unsupported-surface
blocks, download regressions, and public-claim regressions. The CLI should
print the same path-free browser/report requirement and production-review
counts while the browser/report regression gate remains not_closed.
For retained Trino one-query handoff suites that include a Kerberos/SPNEGO
smoke summary, strict executed-smoke readiness requires every smoke check to
finish with the known ok status and the summary to retain
statement-count/check-count consistency, known safe error categories,
internally consistent planned/executed counters, explicit not_written
redaction assertions, and dev-only/no-product-support limitations.
Retained one-query handoff manifests may share one smoke summary across entries,
but the builder and suite audit reject any smoke summary artifact that overlaps
boundary, diagnosis, readiness-summary, handoff-summary, or product-surface
summary artifacts.
For Trino metadata CLI summary smoke changes, run
python3 -m pytest -q tests/test_trino_metadata_cli_summary_smoke_script.py tests/test_trino_metadata_cli_summary.py tests/test_trino_beta_release_readiness_script.py tests/test_engine_capabilities.py.
The smoke gate must keep dry-run execution-free, pass statement text on stdin
only, round-trip through the local metadata-summary importer, reject output
overlap, and avoid printing statement text, object identifiers, endpoint URLs,
local paths, raw metadata values, or CLI stdout/stderr.
For Trino shared/non-local deployment hardening changes, read
trino-shared-deployment-hardening.md
and run
python3 -m pytest -q tests/test_audit_trino_shared_deployment_preflight.py tests/test_audit_trino_shared_deployment_boundary.py tests/test_trino_shared_deployment_hardening_doc.py tests/test_trino_beta_release_readiness_script.py tests/test_engine_capabilities.py. Also run
python3 scripts/audit_trino_shared_deployment_preflight.py for static
preflight drift and add --config <ignored-local-web-config.json> only for an
operator-reviewed local config. For shared/non-local Trino configs, also add
--trusted-front-door-reviewed only after the operator verifies trusted
front-door header stripping and exactly-one normalized viewer injection, or use
--front-door-review-summary <raw-free-front-door-review.json> after validating
that retained live proxy evidence through
scripts/audit_owner_raw_live_front_door_review.py --require-trino-shared-hardening.
The preflight and underlying boundary audit must keep output path-free and must
not print header names, users, Query IDs, coordinator URLs, auth references,
source-contract paths, raw payloads, child stdout/stderr, or product support
claims beyond the local Trino lanes. The shared boundary summary must keep
shared_deployment_requirement_tracking entries and
shared_deployment_requirement_tracking_counts raw-free, include
production_review_shared_deployment_v1 with
production_review_tracking_counts for review-family, deployment-config,
product-boundary, capability, release, doc, and unsupported-surface coverage,
and CLI output must print matching path-free shared_deployment_requirements
and production-review counts for accepted,
missing, invalid, and not-required deployment-config, product-boundary,
capability, release-gate, and documentation requirements.
For retained Trino package-level handoff suites, add repeated
--require-source-contract <safe-source-contract>,
--require-source-granularity <safe-source-granularity>, and
--require-verification-scope <safe-verification-scope> to
python3 scripts/audit_trino_evidence_handoff.py --handoff-suite-manifest <trino-evidence-handoff-suite.json> when operator-reviewed retained evidence
must prove selected source contracts, diagnostic-lane source granularities, or
verification scopes without reopening packages or raw exports. Source-contract
requirements accept safe source-contract labels such as
synthetic_trino_event_listener_v1; accepted source-granularity labels are
one_query_boundary and aggregate_query_list; accepted scope labels are
comparable_one_query_rerun, representative_query_selection, and
source_contract_review.
For dev-only handoff artifact helper changes, run
python3 -m pytest -q tests/test_handoff_artifacts.py tests/test_trino_one_query_live_handoff_script.py tests/test_spark_one_application_handoff_script.py tests/test_audit_trino_evidence_handoff.py tests/test_audit_spark_evidence_handoff.py
so path overlap checks, safe JSON output, and path-redaction guarantees stay
covered across Trino and Spark handoff paths.
For Spark one-application handoff changes, include
--product-surface-summary-out <raw-free-spark-product-surface-summary-json>
in at least one focused wrapper test or retained handoff smoke. The summary must
stay raw-free/path-free, keep spark_product_surface_boundary_audit_v1,
live_known_query_diagnosis=not_wired, blocked Spark product routes,
diagnostic-lane readiness/source-granularity/verification-scope counters, and
fact-state counters, and must not weaken the readiness exit status.
For retained one-application suite changes, include
--product-surface-summary-json <raw-free-spark-surface-boundary-summary-json>
in the manifest builder/readiness/product-surface audit tests. The suite audit
must protect that retained summary from overwrite, keep it raw-free/path-free,
and make scripts/audit_spark_product_surface_boundary.py --one-application-handoff-suite-manifest reject deterministic summary drift.
For Spark compact-readiness summary changes, require
spark_compact_readiness_summary_v1 to retain diagnostic-lane readiness,
source-granularity, verification-scope, and fact-state counters while staying
path-free and support-claim-free. For retained compact suite breadth changes,
include --require-source-granularity <granularity-label> and
--require-verification-scope <scope-label> in focused tests and require the
suite summary JSON to record selected source-granularity and verification-scope
requirements.
For Spark product-surface summary changes, require retained
spark_product_surface_boundary_audit_v1 summaries to keep those same
diagnostic-lane and fact-state counters so no-product-surface evidence drift is
machine-checkable without reopening Spark.
For Spark package handoff-summary changes, require
spark_evidence_handoff_summary_v1 to retain diagnostic-lane checked,
readiness, source-granularity, verification-scope, and fact-state counters.
The retained handoff suite audit must reject summaries that lose required
compact_attention_ready evidence, accepted source-granularity counters, or
accepted verification-scope counters while staying path-free and
support-claim-free. For retained suite breadth changes, include
--require-source-granularity <granularity-label> and
--require-verification-scope <scope-label> in focused tests and require the
suite summary JSON to record selected source-granularity and verification-scope
requirements.
For Spark support-boundary changes, run
python3 scripts/audit_spark_support_boundary.py --summary-json <raw-free-spark-support-boundary-summary-json>. The retained
spark_support_boundary_audit_v1 summary must contain only boundary labels,
check statuses, safe counts, and safe issue categories/messages without path
echo or support claims.
Trino support-gap audit expectations include registered fact-family coverage,
source-type registry coverage, engine fact promotion-policy coverage, neutral
no_* gaps, and blocked product adapter flags. Keep
tests/test_engine_fact_promotion_policy.py in the focused set whenever a
Trino-visible shared, distributed-SQL-family, source-boundary, or
support-boundary fact changes.
Spark evidence handoff --partial-ok is only for early incomplete-package dry
runs that need a rejected raw-free blocker summary. Do not use it for
promotion-candidate handoff gates or support decisions.
If a listed test file does not exist in a future checkout, run the nearest existing focused tests and record the gap in the final note.
Impala synthetic primary coverage gate changes must run
python3 scripts/audit_impala_synthetic_coverage_gate.py and
python3 -m pytest -q tests/test_impala_synthetic_coverage_gate.py. The gate
uses the committed raw-free synthetic fixture aggregate and fails if the
full-batch unknown rate is not below 20%, the medium-or-better rate is below
70%, unknown-primary reason buckets contain unsafe_reason, or the committed
aggregate is stale. The committed aggregate also includes unknown resolution
counts and safe unknown-primary category closure labels, so clean
short/no-action cases stay separate from missing-evidence gaps and raw-like
reason hygiene stays in its own closure bucket.
Impala synthetic action-outcome gate changes must run
python3 scripts/audit_impala_synthetic_outcome_gate.py and
python3 -m pytest -q tests/test_impala_synthetic_outcome_gate.py. The gate
generates the raw-free synthetic demo pack in a temporary directory, audits its
local synthetic action outcomes with the default comparable-rerun sample
threshold, and compares only the committed raw-free aggregate. The committed
aggregate includes measured-result counters and a short trend; it must not store
workload fingerprints, case IDs, SQL, local paths, or raw outcome records.
Impala synthetic north-star gate changes must run
python3 scripts/audit_impala_synthetic_north_star_gate.py and
python3 -m pytest -q tests/test_impala_synthetic_north_star_gate.py. The gate
joins the committed synthetic primary-coverage aggregate and synthetic
measured-outcome aggregate into one raw-free pass/fail artifact, so a CI run
cannot protect primary coverage without also protecting measured outcome
feedback. It stores only aggregate rates, counters, and safe recommendation
labels, including the unknown-primary unsafe-reason count, safe unknown-primary
category counts and closure labels, and the resolution class split that keeps
no-action and out-of-scope boundaries out of the deterministic evidence
backlog.
Impala retained north-star gate changes must run
python3 -m pytest -q tests/test_audit_impala_north_star_gate.py tests/test_build_impala_north_star_suite_manifest_script.py. For
representative raw-free retained loop summaries written by
scripts/audit_impala_diagnostic_loop.py --summary-json, run the retained
north-star gate after the strict loop audit:
python3 scripts/audit_impala_north_star_gate.py <raw-free-impala-loop-summary.json> --summary-json <raw-free-impala-north-star-summary.json>For local retained representative suites, first build local metadata with
python3 scripts/build_impala_north_star_suite_manifest.py --redaction-reviewed --loop-summary-json <raw-free-impala-loop-summary-a.json> --loop-summary-json <raw-free-impala-loop-summary-b.json> --out <impala-north-star-suite.json>, then run python3 scripts/audit_impala_north_star_gate.py --suite-manifest <impala-north-star-suite.json> --require-min-inputs <minimum-retained-batch-count> --summary-json <raw-free-impala-north-star-suite-summary.json>.
The gate reads only impala_diagnostic_loop_audit_v1 aggregate counters,
requires the unknown primary rate to stay below 30%, medium-or-better primary
coverage to stay at or above 70%, and the measured action-outcome gate to pass;
coverage also requires unknown-primary reason buckets to exclude
unsafe_reason. Manifest mode also keeps a safe per-entry trend, and the
aggregate includes safe top unknown-primary categories, including a dedicated
unsafe-reason hygiene category, unknown-primary resolution classes, and
closure-track labels so follow-up work can close evidence gaps by contribution
while keeping no-action/out-of-scope boundaries and raw-like retained-text
hygiene separate. The retained output must stay path-free and must not include
raw cases, SQL, profiles, workload fingerprints, action-outcome records, local
paths, or artifact filenames.
Batch/recent scan retained workload summary JSON also includes an
action_outcome_gate block with comparable-rerun thresholds, action-outcome
source/raw-free state, required family-group coverage, open missing or
below-threshold or unmeasured-result groups, measured result outcome counters,
and pass/fail booleans. The aggregate Impala loop summary carries the same safe
values as action_outcome_gate_counts and action_outcome_result_counts in the
workload component breakdown. Comparable reruns recorded only as unsure remain
visible as aggregate feedback, but they do not satisfy the measured-result gate.
Impala coverage strict readiness also rejects strict unknown-primary reason
buckets that contain unsafe_reason; retained coverage summaries must keep
raw-like source text collapsed to aggregate safe counters, category counts, and
closure labels only.
Stats diagnostics strict readiness also rejects actionable stats candidates whose retained candidate text contains raw-like SQL, metadata identifiers, paths, URLs, or secrets. The stats audit summary must keep this as aggregate issue/counter evidence only, without retaining raw candidate text.
Run python3 -m pytest when:
- a safety boundary moves;
- trusted report or optimizer marker semantics change;
- collector/analyzer/report/web contracts change together;
- a shared helper used by several workflows changes;
- focused tests fail in a way that suggests cross-module risk;
- before a release or demo baseline if time allows.
Update docs/changelog.md for:
- user-facing workflow changes;
- safety/trust-boundary changes;
- LLM report or optimizer behavior changes;
- collector/analyzer behavior changes;
- major documentation baseline changes.
Do not add changelog entries for minor copy edits, CSS polish, tests, or internal refactors unless they change behavior or safety.
Any new browser-visible dynamic text must be checked for:
- raw SQL;
- raw profile text;
- raw metadata;
- local paths or
case_dir; - raw artifact filenames;
- subprocess output;
- secrets or environment values;
- model names or runtime internals;
- unsupported root-cause wording.
Prefer presenter/view-model helpers and query_doctor.safety.browser_display
over ad hoc escaping.