feat(ci): rivet-driven verification gate + sticky PR comment (#221)

avrabe · claude · web-flow · commit ba329f3d44da · 2026-05-15T08:35:50.000Z
* feat(ci): rivet-driven verification gate + sticky PR comment Makes artifacts/verification.yaml *executable* rather than purely descriptive. A new CI job iterates every `type: feature` artifact, runs its `fields.steps[].run` commands via the existing rivet CLI, aggregates per- artifact pass/fail, and upserts a single marker-tagged PR comment with the counts and failed artifact IDs. Same script runs locally: tools/run_verification.py --filter '(and (= type "feature") (has-tag "v093"))' Per-PR override: add `Verify-Filter: <sexp>` to the PR body to scope what runs. What landed: - tools/run_verification.py — Python (stdlib only). Calls `rivet list`+ `rivet get`, executes each step under `bash -c`, writes a verification-results.json with passed/failed/skipped lists. - tools/post_verification_comment.py — finds the marker comment via `gh api` and PATCHes the body; creates a new comment only on first run. PR-comment markdown shows N/M passed, a table, and a `<details>` block of failed IDs. - .github/workflows/verification-gate.yml — new CI job on PRs. Pulls PR body via env (avoiding script-injection on `${{ ... }}` interpolation). - artifacts/verification.yaml: quote `cargo test ... enumerate::` step commands (line ~1615) — unquoted trailing `::` made rivet's YAML parser silently skip the entire file. Required for any rivet command to see the verification artifacts at all. - artifacts/{requirements,verification}.yaml: REQ-VERIFY-GATE-001 + TEST-VERIFY-GATE-RUNNER documenting the new gate. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(ci): specify package for rivet install (rivet repo has multiple binary packages) The rivet workspace ships `rivet-cli` (the user-facing CLI binary `rivet`) and `rivet-fuzz` side-by-side. `cargo install --git ... --bin rivet` fails because cargo can't disambiguate which package owns the binary; add `--package rivet-cli` to select the right one. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(ci): use positional crate arg for cargo install (not --package) cargo install rejects --package; the crate name is the positional argument. Switch from `--package rivet-cli` to the trailing positional `rivet-cli`, which is the form cargo's error message itself suggests. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(ci): install rivet v0.7.0 (b7a17be) — the SHA I used was etch's, not rivet's The 4c06709 SHA I pinned earlier is etch's revision (the layout-engine sibling crate in the rivet workspace). It pre-dates rivet's `--filter` flag, so the verification gate ran against an old CLI that errored on `--filter`. Switch to b7a17be — rivet v0.7.0, the first release that ships `rivet list --filter <sexp>` (verified locally: `rivet --version` reports `0.7.0 (b7a17bef main 2026-04-30)`). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(ci): use valid rivet filter operator + narrow default scope to current milestone Two corrections to the verification gate's default filter: 1. `has-status` is not a rivet operator — rivet v0.7.0 supports the family and/or/not/implies/excludes/=/!=/>/</has-tag/has-field/in/matches/contains/ linked-*. Use `(= status "passing")` semantics where needed. 2. Running every `type: feature` artifact is 124 entries — they invoke `cargo test -p <crate>` across the whole workspace and easily exceed the 30-minute job timeout. Narrow the default to the current-milestone scope (v093 + v0100 tags = ~12 artifacts), which runs in minutes. Per-PR override via `Verify-Filter: <sexp>` in the PR body is unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(ci): drop gh CLI dependency + correct TEST-BINDING-NESTED-PATH step name Two end-to-end fixes surfaced by the gate's first real run on PR #221: 1. The post-comment script used the `gh` CLI which is not installed on the self-hosted runners. Rewrote `post_verification_comment.py` to call the GitHub REST API directly via stdlib `urllib.request` — no external deps. Same sticky-comment behavior (marker lookup, PATCH or POST). 2. TEST-BINDING-NESTED-PATH's second step was `cargo test -p spar-cli applies_to_nested`, but the spar-cli crate's *package* name is `spar`, not `spar-cli`. The step never matched anything until the gate started actually executing it. Corrected to `cargo test -p spar --test applies_to_nested` — runs the 3 integration tests cleanly. This is exactly the drift the gate is built to catch: the YAML claimed a test was passing, but the test invocation was wrong all along. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/.github/workflows/verification-gate.yml b/.github/workflows/verification-gate.yml
@@ -0,0 +1,99 @@
+name: Verification Gate
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  rivet-verification:
+    name: Verification Gate (rivet-driven)
+    runs-on: [self-hosted, linux, x64, rust-cpu]
+    timeout-minutes: 30
+    env:
+      CARGO_TERM_COLOR: always
+      RUSTFLAGS: -D warnings
+      CARGO_INCREMENTAL: 0
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Install rivet
+        run: |
+          # Pin to rivet v0.7.0 (commit b7a17be) — the release that first ships
+          # `rivet list --filter <sexp>`, which this gate depends on. (The
+          # 4c06709 SHA I tried first is *etch*'s rev — etch is a sibling crate
+          # in the rivet workspace but unrelated to the CLI.)
+          # The rivet repo is a multi-package workspace; the trailing positional
+          # `rivet-cli` selects which crate owns the `rivet` binary, otherwise
+          # cargo errors with "multiple packages with binaries found:
+          # rivet-cli, rivet-fuzz".
+          cargo install --locked --git https://github.com/pulseengine/rivet \
+            --rev b7a17bef \
+            --bin rivet \
+            rivet-cli
+
+      - name: Pick verification filter (per-PR override via body)
+        id: pick
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          # Default: every `type: feature` artifact whose status is currently
+          # `passing`. PRs may override by adding a single line to the body:
+          #     Verify-Filter: (and (= type "feature") (has-tag "v093"))
+          # Default scope: current-milestone artifacts only (v0.9.x bug
+          # closeout + v0.10.x work).  Running every `(= type "feature")`
+          # artifact would re-run ~124 cargo test invocations and blow the
+          # 30-minute job timeout.  Per-PR override via `Verify-Filter:` line.
+          # rivet v0.7.0 supports: and/or/not/implies/excludes/=/!=/>/</has-tag/
+          # has-field/in/matches/contains/linked-* (no `has-status`).
+          DEFAULT='(and (= type "feature") (or (has-tag "v093") (has-tag "v0100")))'
+          OVERRIDE=$(printf '%s' "$PR_BODY" | grep -m1 -E '^Verify-Filter:' | sed 's/^Verify-Filter:[[:space:]]*//' || true)
+          if [ -n "${OVERRIDE:-}" ]; then
+            printf 'filter=%s\n' "$OVERRIDE" >>"$GITHUB_OUTPUT"
+          else
+            printf 'filter=%s\n' "$DEFAULT" >>"$GITHUB_OUTPUT"
+          fi
+
+      - name: Run rivet verification gate
+        id: verify
+        continue-on-error: true
+        env:
+          FILTER: ${{ steps.pick.outputs.filter }}
+        run: |
+          tools/run_verification.py \
+            --filter "$FILTER" \
+            --results-json verification-results.json
+
+      - name: Upload results artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: verification-results
+          path: verification-results.json
+          if-no-files-found: warn
+
+      - name: Post sticky PR comment
+        if: github.event_name == 'pull_request' && always()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          tools/post_verification_comment.py "$PR_NUMBER"
+
+      - name: Fail job if any verification artifact failed
+        if: steps.verify.outcome != 'success'
+        run: |
+          echo "::error::One or more verification artifacts failed; see PR comment for details"
+          exit 1
diff --git a/artifacts/requirements.yaml b/artifacts/requirements.yaml
@@ -2021,4 +2021,20 @@ artifacts:
     status: implemented
     tags: [mermaid, emission, v0100]
 
+  # ── CI / Verification gate ──────────────────────────────────────────────
+
+  - id: REQ-VERIFY-GATE-001
+    type: requirement
+    title: Rivet-driven verification gate executes artifact steps in CI
+    description: >
+      A CI workflow shall iterate every `type: feature` artifact (filtered by
+      s-expression), execute each artifact's `fields.steps[].run` commands,
+      aggregate per-artifact pass/fail, and post a sticky PR comment listing
+      counts and failed artifact IDs.  Same script (`tools/run_verification.py`)
+      runs locally for fast feedback.  This makes `artifacts/verification.yaml`
+      executable rather than purely descriptive, catching drift between what
+      the YAML claims and what's actually green.
+    status: implemented
+    tags: [ci, rivet, verification, v0100]
+
   # Research findings tracked separately in research/findings.yaml
diff --git a/artifacts/verification.yaml b/artifacts/verification.yaml
@@ -1612,8 +1612,8 @@ artifacts:
       method: automated-test
       steps:
         - run: cargo test -p spar --test moves_enumerate_objectives
-        - run: cargo test -p spar-solver enumerate::
-        - run: cargo test -p spar moves::enumerate_tests
+        - run: "cargo test -p spar-solver enumerate::"
+        - run: "cargo test -p spar moves::enumerate_tests"
     status: passing
     tags: [migration, track-e, v080, cli, solver]
     links:
@@ -2519,7 +2519,7 @@ artifacts:
       method: automated-test
       steps:
         - run: cargo test -p spar-hir-def overlay
-        - run: cargo test -p spar-cli applies_to_nested
+        - run: cargo test -p spar --test applies_to_nested
     status: passing
     tags: [binding, hir-def, v093]
     links:
@@ -2627,3 +2627,23 @@ artifacts:
     links:
       - type: satisfies
         target: REQ-MERMAID-001
+
+  # ── CI / Verification gate ──────────────────────────────────────────────
+
+  - id: TEST-VERIFY-GATE-RUNNER
+    type: feature
+    title: Verification gate runner executes a tag-filtered subset and emits JSON
+    description: >
+      Smoke-test of `tools/run_verification.py`: filter to the
+      classifier-match tag (1 artifact), verify that the runner exits 0 and
+      writes a verification-results.json with passed_count=1, failed_count=0.
+    fields:
+      method: automated-test
+      steps:
+        - run: "tools/run_verification.py --filter '(and (= type \"feature\") (has-tag \"classifier-match\"))' --results-json /tmp/verify-smoke.json"
+        - run: "python3 -c 'import json,sys; d=json.load(open(\"/tmp/verify-smoke.json\")); sys.exit(0 if d[\"passed_count\"]==1 and d[\"failed_count\"]==0 else 1)'"
+    status: passing
+    tags: [ci, rivet, verification, v0100]
+    links:
+      - type: satisfies
+        target: REQ-VERIFY-GATE-001
diff --git a/tools/post_verification_comment.py b/tools/post_verification_comment.py
@@ -0,0 +1,171 @@
+#!/usr/bin/env python3
+"""Post (or update) a sticky PR comment summarising rivet verification results.
+
+Reads the JSON written by `tools/run_verification.py` and calls the GitHub
+REST API directly to upsert a single marker-tagged comment on the PR.
+Re-running on the same PR replaces the prior body rather than appending
+another comment. Pure stdlib (urllib) — no `gh` CLI dependency.
+
+Usage:
+    tools/post_verification_comment.py <pr-number> [--results-json PATH] [--repo OWNER/NAME]
+
+Required env:
+    GH_TOKEN (or GITHUB_TOKEN) with `pull-requests: write`.
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import sys
+import urllib.error
+import urllib.request
+from pathlib import Path
+
+MARKER = "<!-- rivet-verification-gate -->"
+API = "https://api.github.com"
+
+
+def github_request(
+    method: str, path: str, token: str, body: dict | None = None
+) -> tuple[int, bytes]:
+    url = f"{API}{path}"
+    data = json.dumps(body).encode("utf-8") if body is not None else None
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method=method,
+        headers={
+            "Accept": "application/vnd.github+json",
+            "Authorization": f"Bearer {token}",
+            "X-GitHub-Api-Version": "2022-11-28",
+            "User-Agent": "spar-verification-gate",
+            "Content-Type": "application/json" if data else "application/octet-stream",
+        },
+    )
+    try:
+        with urllib.request.urlopen(req) as resp:
+            return resp.status, resp.read()
+    except urllib.error.HTTPError as e:
+        return e.code, e.read()
+
+
+def render_body(results: dict) -> str:
+    passed = results["passed_count"]
+    failed = results["failed_count"]
+    skipped = results["skipped_count"]
+    total = results["total"]
+    failed_ids = results["failed"]
+    flt = results["filter"]
+
+    if failed == 0:
+        status = f"✅ **{passed}/{total}** passed"
+    else:
+        status = f"❌ **{passed}/{total}** passed — **{failed}** failed"
+
+    failed_section = (
+        "\n".join(f"- `{i}`" for i in failed_ids) if failed_ids else "_(none)_"
+    )
+
+    return f"""{MARKER}
+## Rivet verification gate
+
+{status}
+
+| | count |
+|---|---:|
+| Passed  | {passed} |
+| Failed  | {failed} |
+| Skipped (no steps) | {skipped} |
+
+**Filter:** `{flt}`
+
+<details><summary>Failed artifacts</summary>
+
+{failed_section}
+
+</details>
+
+<sub>Updated automatically by `tools/post_verification_comment.py`. Source of truth: `artifacts/verification.yaml`.</sub>"""
+
+
+def find_marker_comment(repo: str, pr: int, token: str) -> int | None:
+    """Page through PR comments looking for the marker. Returns comment id or None."""
+    page = 1
+    while True:
+        status, body = github_request(
+            "GET",
+            f"/repos/{repo}/issues/{pr}/comments?per_page=100&page={page}",
+            token,
+        )
+        if status != 200:
+            print(f"GET comments failed: {status} {body[:200]}", file=sys.stderr)
+            return None
+        comments = json.loads(body)
+        if not comments:
+            return None
+        for c in comments:
+            if MARKER in (c.get("body") or ""):
+                return c["id"]
+        if len(comments) < 100:
+            return None
+        page += 1
+
+
+def upsert_comment(repo: str, pr: int, body: str, token: str) -> None:
+    existing = find_marker_comment(repo, pr, token)
+    if existing is not None:
+        print(f"updating comment {existing}", file=sys.stderr)
+        status, resp = github_request(
+            "PATCH",
+            f"/repos/{repo}/issues/comments/{existing}",
+            token,
+            {"body": body},
+        )
+    else:
+        print("creating new comment", file=sys.stderr)
+        status, resp = github_request(
+            "POST",
+            f"/repos/{repo}/issues/{pr}/comments",
+            token,
+            {"body": body},
+        )
+    if status not in (200, 201):
+        print(f"comment upsert failed: {status} {resp[:300]}", file=sys.stderr)
+        sys.exit(2)
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("pr", type=int, help="pull-request number")
+    parser.add_argument(
+        "--results-json",
+        default="verification-results.json",
+        type=Path,
+        help="path to the JSON summary (default: %(default)s)",
+    )
+    parser.add_argument(
+        "--repo",
+        default=os.environ.get("GH_REPO", "pulseengine/spar"),
+        help="OWNER/NAME (default: %(default)s)",
+    )
+    args = parser.parse_args()
+
+    token = os.environ.get("GH_TOKEN") or os.environ.get("GITHUB_TOKEN")
+    if not token:
+        print("GH_TOKEN or GITHUB_TOKEN required", file=sys.stderr)
+        return 2
+
+    if not args.results_json.is_file():
+        print(f"no {args.results_json} found; nothing to post", file=sys.stderr)
+        return 0
+
+    results = json.loads(args.results_json.read_text())
+    body = render_body(results)
+    upsert_comment(args.repo, args.pr, body, token)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/tools/run_verification.py b/tools/run_verification.py
