Status: open (not started) · PR: 3 of 3 · Effort: S–M
Orchestrator: security-hardening-orchestrator.md

Motivator: Codify one-root-per-process constraint; stop silent `initCodemap` root bleed in tests; fail-fast invalid config at load. Maintainer-heavy; small user-visible API change (`createCodemap` second root throws).

Blocked until PR 1 merges (PR 2 optional beforehand).

| File | What |
|---|---|
| `src/runtime-swap.ts` | Audit worktree root bracket (new) |
| `src/runtime.ts` | Throw on root switch |
| `src/resolver.ts` | Resolver reset / guard |
| `src/test-helpers/runtime-reset.ts` | `resetCodemapForTest`, `installCodemapTestTeardown` |
| `src/application/audit-engine.ts` | `makeWorktreeReindex` bracket |
| `src/config.ts` / `state-config.ts` | `loadUserConfig` validation |
| `src/api.ts` | Doc: throws vs last-wins |

churn-ingest.test.ts, context-engine.test.ts, trace-engine.test.ts, worker-pool.dist.test.ts, cmd-affected tests, recipe-recency.test.ts, benchmark-config.test.ts, agents-init.test.ts, … — complete list in PR diff.

| ID | Task | Status | Verify |
|---|---|---|---|
| 5.1 | `runtime-swap.ts` + audit worktree bracket | pending | `bun test src/runtime.test.ts` |
| 5.2 | `initCodemap` / `configureResolver` throw on root switch | pending | runtime tests |
| 5.3 | `resetCodemapForTest` + `installCodemapTestTeardown` | pending | — |
| 5.4 | Teardown rollout on `initCodemap` test suites | pending | affected `*.test.ts` |
| 5.5 | `loadUserConfig` → `parseCodemapUserConfig` at load | pending | `bun test src/config.test.ts` |
| 5.6 | `api.ts` + architecture: throws-on-root-switch | pending | — |
| 5.s | Commit + PR + CI | pending | `bun run check` |

| # | Decision |
|---|---|
| P3.1 | Audit --base worktree reindex is the only exempt root switch (swap bracket). |
| P3.2 | createCodemap({ root: B }) after root A throws — document breaking tighten. |
| P3.3 | Teardown helper is maintainer-only; not a consumer surface. |
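
The one-root rule in P3.1 to P3.3, sketched as an added example (not the project's code): a second root throws, a swap bracket is the only exempt path, and a reset exists for tests. `initRoot`, `withRootSwap`, `resetRootForTest` and `currentRoot` are hypothetical names, and the bracket here is synchronous only.

```typescript
// Hypothetical sketch; not the project's runtime.ts or runtime-swap.ts.
let activeRoot: string | null = null; // the single root this process is bound to
let swapDepth = 0;                    // > 0 only while inside a swap bracket

// Strip trailing slashes so "/repo" and "/repo/" compare as the same root.
function normalizeRoot(root: string): string {
  const trimmed = root.replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

// Bind the process to a root. Re-initialising with the same root is a no-op;
// a different root throws instead of silently winning (P3.2).
function initRoot(root: string): string {
  const next = normalizeRoot(root);
  if (activeRoot !== null && activeRoot !== next && swapDepth === 0) {
    throw new Error(`root already set to ${activeRoot}; refusing switch to ${next}`);
  }
  activeRoot = next;
  return next;
}

// The only exempt root switch (P3.1): run fn against a temporary root and
// always restore the previous one, even when fn throws.
function withRootSwap<T>(tempRoot: string, fn: () => T): T {
  const saved = activeRoot;
  swapDepth++;
  try {
    initRoot(tempRoot);
    return fn();
  } finally {
    swapDepth--;
    activeRoot = saved;
  }
}

// Maintainer-only reset for test teardown (P3.3); not a consumer surface.
function resetRootForTest(): void {
  activeRoot = null;
  swapDepth = 0;
}

function currentRoot(): string | null {
  return activeRoot;
}
```
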

- Second `initCodemap` with different root throws (audit exempt)
- Invalid explicit config fails at `loadUserConfig`
- Teardown on all `initCodemap` suites touched in PR
- PR merged to `main`

```
bun test src/runtime.test.ts src/config.test.ts
bun run check
```

Close when: PR merged. Delete this file; lift to docs/architecture.md; update orchestrator session log.