fix: remove dead kernel entropy gate + hash-pin Docker deps#9
Closed
New1Direction wants to merge 5 commits into
Closed
fix: remove dead kernel entropy gate + hash-pin Docker deps#9New1Direction wants to merge 5 commits into
New1Direction wants to merge 5 commits into
Conversation
added 5 commits
June 1, 2026 13:53
STEP-6 ran only 'if artifact is not None', but every production caller (PipelineDriver) passes artifact=None, so the gate never fired — dead code presented as an enforced guard. Entropy regression IS enforced by the separate EntropyAnalysisValidator in the pipeline, so removing the dead block changes no behaviour and stops advertising enforcement that didn't happen. entropy_monitor (still used for entropy_history) and the artifact param (API compat) are kept.
The Dockerfile installed pydantic/fastapi/uvicorn/httpx with unpinned >=
specifiers (no lockfile, no hashes) — non-reproducible across build dates and a
supply-chain risk (a tampered/yanked release installs silently), ironic for a
'deterministic' platform. Added docker/requirements.{in,txt}: a fully-resolved,
hash-pinned lock (uv pip compile --generate-hashes, targeted at the image's
linux/py3.11), and switched the builder to pip install --require-hashes.
NOTE: lock generated off-target (macOS host); validate the actual linux build
('docker build') in CI / on GCP before merge.
The committed tree did not import on a clean checkout: consensus.py and the console/event-fabric layers imported modules that existed only in the local working tree (never git-added). Computed the exact import+test closure — 17 valid, parseable files (the rest of the ~135 untracked files, incl. 55 broken stubs, are NOT needed). With these, all core packages import, the console app/CLI/production API import, and the whole committed test suite collects on a clean checkout. Includes genuinely load-bearing code that was never committed: the event-fabric replay engine, the console transparency router, and the semantic-radius consensus breaker. Files committed as-is from the working tree.
git ls-files fails (exit 128) in a non-git checkout (tarball / git archive). Fall back to globbing src/**/*.py there so the gate runs anywhere, not just in a git repo.
…ross checkouts Without known-first-party, ruff inferred first-party from present packages, so I001 import-sort results differed between a full working tree and a clean checkout/CI (e.g. tests importing the untracked pi_agent_interceptor). Declaring the pi_* namespaces makes 'ruff check src tests' deterministic.
Owner
Author
|
Consolidated. All commits from this PR are now in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The last two actionable MEDIUM items. Stacked on #8; base is
fix/medium-tier-2.Fixed
if artifact is not None, but every production caller (PipelineDriver) passesartifact=None, so it never fired: dead code presented as an enforced guard. Entropy regression is already enforced by the separateEntropyAnalysisValidatorin the pipeline, so removing the block changes no behaviour and stops advertising enforcement that didn't happen. (entropy_monitorand theartifactparam are retained.) Per your call: remove, not wire.pip install pydantic>=… fastapi>=… …with a fully-resolved, hash-pinned lock (docker/requirements.{in,txt}, generated viauv pip compile --generate-hashestargeting the image'slinux/py3.11) installed with--require-hashes. Builds are now reproducible across dates and a tampered/yanked release fails the hash check instead of installing silently.Verification
ruff check: clean.uvfor the linux/py3.11 target, but I could not run the actualdocker buildhere. Please validate the Linux build on your GCP before merging (as we discussed).Remaining MEDIUM item (large — scope separately)
🤖 Generated with Claude Code