Memory Core v2 stabilization and independent review#6
Conversation
Builds canonical memory state through semantics, PLIR, allocation planning, lowering evidence, optimizer proofs, runtime domains, backend events, and projection-only reports. Adds Memory Core v2 validators, docs, release subgate, and v0.4 gate fixes so implementation and smoke checks can run through the release pipeline. Constraint: Preserve direct Memory Core v2 solution without report-only or mock paths. Rejected: Fake security signoff and release-state bypass. Confidence: high for implementation gates; blocked for final release signoff. Scope-risk: broad compiler/runtime/release surface. Directive: Memory Core v2 /goal. Tested: go test -buildvcs=false ./cli/... ./tools/... -count=1; go test -buildvcs=false ./... -count=1; go test -buildvcs=false ./compiler/... -count=1; focused race slice; bash scripts/release/memory/memory-core-v2-gate.sh; go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json; git diff --check. Not-tested: final v0.4 release gate with authentic TETRA_SECURITY_REVIEW_SIGNOFF.
Clarify Memory Core v2 evidence so implementation completion is distinct from the v0.4.0 human security review gate. The release signoff remains a tracked pending/approved status plus artifact path, while legacy final_signoff is accepted only as a validator compatibility alias. Constraint: Do not mint or imply human security approval from automation. Rejected: Treating a missing v0.4.0 security signoff as Memory Core v2 implementation failure. Confidence: high Scope-risk: limited to Memory Core v2 validator, gate evidence, fixtures, and docs. Directive: Human security signoff is release-only and must match exact final HEAD before release approval. Tested: go test -buildvcs=false ./tools/validators/memorycorev2 ./tools/cmd/validate-memory-core-v2 -run 'MemoryCoreV2|Memory|Claim|Validate' -count=1 Tested: bash scripts/release/memory/memory-core-v2-gate.sh --report-dir reports/memory-core-v2-gate-20260623-084100 Tested: git diff --check Not-tested: full v0.4.0 release approval path because no human TETRA_SECURITY_REVIEW_SIGNOFF was provided.
Record Memory Core v2 as an implementation-complete milestone while keeping final v0.5.0 RC security review pending. Constraint: do not move v0.4.0 or create v0.5.0 tags. Rejected: release_security_signoff_status=not_required. Tested: GOTELEMETRY=off GOCACHE="/home/tetra/.codex/worktrees/62974d84-e930-43d8-94fa-d4950563c06f/Tetra_Language-memory-core-v2/.cache/go-build-memory-core-v2-check" GOTMPDIR="/home/tetra/.codex/worktrees/62974d84-e930-43d8-94fa-d4950563c06f/Tetra_Language-memory-core-v2/.cache/go-tmp-memory-core-v2-check" go test -buildvcs=false ./compiler/cmd/validate-memory-report ./tools/cmd/validate-memory-core-v2 ./tools/validators/memorycorev2 -run 'Memory|Claim|Validate' -count=1. Tested: bash -n scripts/release/memory/memory-core-v2-gate.sh. Tested: git diff --check. Confidence: high. Scope-risk: Memory Core v2 release evidence schema and gate only.
Record independent compiler, runtime, optimizer, and integration review artifacts for the Memory Core v2 stabilization branch. Constraint: no code, release approval, or tag changes. Directive: base_commit=8f7529505a13b5da72fbc0c34c5bb110541c020f. Tested: git diff --check. Tested: required review fields grep across docs/reviews/memory-core-v2/*-review.md. Confidence: high. Scope-risk: documentation-only review artifacts.
Finding: A-001. Before: compiler.LowerModules delegated to lower.LowerModules, bypassing Memory Core v2 graph, allocation plan, lowering evidence, and validator handoff. After: compiler.LowerModules builds the canonical memorypipeline state, lowers with LowerPlannedProgram, applies lowering evidence, and returns module functions from the planned result. Regression-test: TestLowerModulesMatchesCanonicalMemoryPipeline. Tested: GOTELEMETRY=off GOCACHE="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-build-a001" GOTMPDIR="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-tmp-a001" go test -buildvcs=false ./compiler/tests/lowering -run 'TestLowerModulesMatchesCanonicalMemoryPipeline|TestLowerPublicAPIVerifiesRepresentativeIR' -count=1. Tested: GOTELEMETRY=off GOCACHE="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-build-a001" GOTMPDIR="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-tmp-a001" go test -buildvcs=false ./compiler ./compiler/tests/lowering ./compiler/tests/semantics -run 'LowerModules|LowerPublicAPI|CrossModule|Protocol|EnumPayload' -count=1. Constraint: no new language feature, optimizer pass, memory domain, API redesign, release approval, or tag. Confidence: high. Scope-risk: public lowering API now follows existing canonical Lower/LowerModule path.
Finding: B-001. Before: Memory Core v2 release evidence marked wasm32-wasi reserve unsupported while runtime ABI supports wasm reserve/commit. After: release evidence and fixtures record wasm reserve/commit support and keep wasm release as the unsupported nonclaim row; validator supports that partial matrix. Regression-test: TestMemoryCoreV2ValidateReportAcceptsPartialWasmBackendSupport. Tested: GOTELEMETRY=off GOCACHE="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-build-b001" GOTMPDIR="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-tmp-b001" go test -buildvcs=false ./tools/validators/memorycorev2 ./tools/cmd/validate-memory-core-v2 -run 'Memory|Claim|Validate|PartialWasm' -count=1. Tested: GOTELEMETRY=off GOCACHE="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-build-b001" GOTMPDIR="/home/tetra/.codex/worktrees/Tetra_Language-stabilize-memory-core-v2/.cache/go-tmp-b001" go test -buildvcs=false ./compiler/internal/runtimeabi/... -run 'MemoryBackend|RuntimeMemoryBackend|Wasm|Unsupported' -count=1. Tested: bash -n scripts/release/memory/memory-core-v2-gate.sh. Constraint: no new language feature, optimizer pass, memory domain, API redesign, release approval, or tag. Confidence: high. Scope-risk: release evidence schema and validator policy only.
Route proof-sensitive optimizer decisions through canonical MemoryFacts validation when RunWithOptions supplies the Memory Core snapshot. Keep Manager.Run documented as a noncanonical legacy/test entry point so existing callers cannot be mistaken for release evidence. Finding: C-001, C-002 Before: a proof-sensitive rewrite could report an arbitrary proof id when a canonical snapshot was present. After: RunWithOptions rejects noncanonical rewrite proof ids and requires the canonical proof fact id in the decision evidence. Constraint: no new optimizer passes, no language features, no API redesign Rejected: changing legacy Manager.Run semantics in this stabilization pass Tested: go test -buildvcs=false ./compiler/internal/opt -run 'TestT13ManagerRejectsMemoryRewriteDecisionWithNoncanonicalProofID|TestT13ManagerRunIsNoncanonicalForMemoryProofResolution|TestT13ProofSensitiveRewriteRecordsCanonicalProofID|TestT13LoopCanonicalizationRequiresCanonicalBoundsProof|TestT13ProofSensitiveRewriteSkipsInvalidatedAndUnsafeProofs' -count=1 Tested: go test -buildvcs=false ./compiler/internal/opt ./compiler/internal/memoryfacts/... ./compiler/internal/validation -run 'T13|Proof|Optimizer|LoopCanonicalization|LICM|Memory' -count=1 Confidence: high Scope-risk: optimizer proof evidence validation only
Record the stabilization fix commits for confirmed Memory Core v2 review findings while preserving the original review findings and severity grouping. Finding: A-001, B-001, C-001, C-002, D-001 Constraint: documentation traceability only; no release approval and no v0.5.0 tag Rejected: editing reviewer source documents after the independent review Tested: git diff --check Confidence: high Scope-risk: review documentation only
Allow full-platform UI runtime Windows jobs to checkout the stabilization branch when tracked report evidence contains paths beyond the default Git for Windows limit. Finding: D-002 Before: GitHub Actions windows-2025 full-platform UI runtime jobs failed during actions/checkout with 'Filename too long' before any tests or artifact upload could run. After: Windows target-host jobs set core.longpaths before checkout, with workflow tests asserting the ordering in both standalone and mirrored CI workflows. Constraint: CI-only stabilization fix; no Memory Core runtime/compiler behavior changes Rejected: deleting or rewriting existing committed evidence paths during this stabilization pass Tested: go test -buildvcs=false ./tools/scriptstest/workflows -run 'TestFullPlatformUIRuntimeWorkflowEnablesWindowsLongPathsBeforeCheckout|TestMainCIWorkflowEnablesWindowsLongPathsBeforeFullPlatformCheckout|TestFullPlatformUIRuntimeWorkflowProducesTargetHostReports|TestMainCIWorkflowRunsFullPlatformUIRuntimeFanIn' -count=1 Tested: go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.7 Confidence: medium Scope-risk: GitHub Actions checkout behavior on Windows only
Add D-002 to the Memory Core v2 stabilization findings after post-push CI exposed a Windows checkout blocker for committed report evidence paths. Finding: D-002 Constraint: documentation traceability only; no release approval and no v0.5.0 tag Rejected: modifying independent reviewer source documents after review close Tested: git diff --check Confidence: high Scope-risk: review documentation only
Record the unresolved CI diagnostic split before continuing root-cause work. D-003 tracks the linux-x32 unsupported reason contract mismatch, and D-004 tracks the v0.4 readiness WASM UI guide path failure. Constraint: documentation-only; no code, production test, release gate, Memory Core schema, runtime, optimizer, tag, PR readiness, merge, or push changes. Rejected: combining D-003 and D-004, reopening D-001 without direct shared-state evidence, and claiming a root cause before focused diagnostics. Tested: git diff --check Confidence: medium Scope-risk: docs-only diagnostic classification
Use the production linux-x32 unsupported-reason constructor as the test source of truth and force the affected metadata tests through the unsupported host branch. Before: CI-only linux/amd64 hosts emitted a host-qualified reason that stale CLI metadata assertions rejected. After: TestTargetMetadataCheck and TestTargetsCommandJSON assert the canonical exact reason while diagnostics reuse the same expected value. Constraint: no target support-level change; no Memory Core semantics, runtime, or optimizer changes. Rejected: substring-only acceptance, arbitrary non-empty reason matching, and GitHub Actions hardcoding. Directive: D-003 Tested: go test -buildvcs=false ./cli/cmd/tetra -run '^(TestTargetMetadataCheck|TestTargetsCommandJSON|TestRunCommandJSONDiagnosticsForLinuxX32HostUnsupported|TestTestCommandJSONDiagnosticsForBuildOnlyRuntimeUnsupported)$' -count=20 -v Confidence: high Scope-risk: low
Copy the required WASM UI guide into the native UI runtime readiness fixture so path validation does not accidentally depend on the test temp directory being inside the repository checkout. Before: TestValidateReadinessAcceptsNativeUIRuntimeEvidenceShape failed with docs/user/surface/wasm_ui_guide.md is not readable when TMPDIR was outside the repo, matching CI. After: the copied fixture contains every path referenced by nativeUIRuntimeEvidence. Constraint: no validator requirement was optionalized; docs/user/surface/wasm_ui_guide.md content unchanged. Rejected: chmod, cwd fallback, skipping validation, retry, and hardcoded runner paths. Directive: D-004 Tested: go test -buildvcs=false ./tools/cmd/validate-v0-4-readiness -run '^TestValidateReadinessAcceptsNativeUIRuntimeEvidenceShape$' -count=100 -v Tested: go test -buildvcs=false ./tools/cmd/validate-v0-4-readiness -count=50 -v Confidence: high Scope-risk: low
Record confirmed root causes, CI run IDs, code fix SHAs, regression evidence, before/after behavior, and post-fix merge recommendation for the independent D-003 and D-004 findings. D-003: linux-x32 unsupported reason assertion drift resolved by 7e9184a. D-004: native UI readiness fixture omitted docs/user/surface/wasm_ui_guide.md, resolved by f28953d. Constraint: diagnostic documentation only; primary independent review files unchanged. Directive: D-003 D-004 Tested: git diff --check Confidence: high Scope-risk: low
Record that the cli/cmd/tetra -count=50 timeout is a cumulative suite deadline, not an EcoLock fixture hang or repository defect. Keep D-003 and D-004 resolved as candidate fixes and document the corrected validation protocol. Constraint: Do not modify D-003 or D-004 fixes; do not create D-005 without direct hang evidence.\nRejected: Treating TestEcoLockFixtureRejectsGraphHashMismatch as failing based only on the timeout snapshot.\nConfidence: high for CLI timeout classification; lower for overall stabilization closure because scriptstest count=20 still times out under its requested command.\nScope-risk: docs-only.\nDirective: PR #6 remains Draft; no push, merge, or Ready transition in this step.\nTested: go test -buildvcs=false ./cli/cmd/tetra -run '^TestEcoLockFixtureRejectsGraphHashMismatch$' -count=100 -timeout=20m -json; go test -buildvcs=false ./cli/cmd/tetra -run '^TestEcoLockFixtureRejectsGraphHashMismatch$' -count=20 -race -timeout=20m -v; five independent go test -buildvcs=false ./cli/cmd/tetra -count=1 -timeout=20m -json; go test -buildvcs=false ./cli/cmd/tetra -count=5 -timeout=30m -json; go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json.\nNot-tested: full stabilization validation and push, blocked by tools/scriptstest/workspace -count=20 timing out at the default 10m package timeout.
Record that the tools/scriptstest workspace count=20 validation timeout is cumulative suite runtime under the default Go package deadline, not a specific workspace test hang or repository defect. Document the corrected scriptstest acceptance protocol without changing workspace code. Constraint: Do not modify tools/scriptstest/workspace; do not create D-005, D-006, or a new finding.\nRejected: Repeating workspace -count=20 under the 10m default timeout or masking it with retries, skips, sleeps, -p 1, timeout=0, or production CI timeout changes.\nConfidence: high for workspace timeout classification based on count=1/2/5 near-linear PASS evidence.\nScope-risk: docs-only.\nDirective: Continue with corrected local validation before any push; PR #6 remains Draft until exact-head CI is green.\nTested: go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json; git diff --check.\nNot-tested: corrected scriptstest acceptance, broad fan-in, full suite, Memory Core gate, temporary merge validation, external CI.
Pin the Windows platform UI probe to a single OS thread for the full User32 lifecycle and add fail-closed deadlines around the nested build and child runtime process. Constraint: keep real Win32 probe, matrix targets, and 45-minute workflow timeout unchanged. Rejected: retry, skip, synthetic report, optional Windows job, workflow timeout increase. Tested: go test -buildvcs=false ./tools/cmd/platform-ui-runtime-smoke ./tools/validators/platformui -count=20; GOOS=windows GOARCH=amd64 go test -buildvcs=false -c ./tools/cmd/platform-ui-runtime-smoke; GOOS=windows GOARCH=amd64 go build ./tools/cmd/platform-ui-runtime-smoke; go test -buildvcs=false ./tools/scriptstest/workflows -run 'FullPlatformUIRuntime|WindowsUI|ThreadAffinity' -count=20; actionlint; go test -buildvcs=false ./compiler/... ./cli/... ./tools/... -count=1; go test -buildvcs=false ./... -count=1. Not-tested: live Windows GitHub Actions rerun for the new SHA; deferred until after docs commit and push. Confidence: high. Scope-risk: Windows UI runtime smoke lifecycle and bounded process execution.
Record the D-005 root-cause review, failed CI run/job IDs, code fix SHA, before/after behavior, and resolved-pending-external-CI status. Constraint: documentation only; keep PR #6 draft and merge-blocking until new Windows push/PR CI is green. Rejected: release approval, human security signoff, workflow rerun, or timeout increase. Tested: go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json; git diff --check. Not-tested: external CI for final D-005 SHA, pending push. Confidence: high. Scope-risk: Memory Core v2 stabilization review metadata.
Prevent ambient test-only TETRA_FAKE_* and TETRA_FAIL_* environment variables from leaking into fake test-all subprocesses while preserving explicit per-test controls. Constraint: Do not change D-003, D-004, D-005, production test-all behavior, or workflow timeouts. Rejected: D-006 creation; this is the existing D-001 test-infrastructure shared-state class. Tested: go test ./tools/scriptstest/test_all -run '^TestTestAllQuickFailsWhenUnsafePromotionBlockerSuiteMissing$' -count=100 -shuffle=on -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Confidence: high Scope-risk: test harness only
Record the PR fan-in baseline root cause, 2x2 matrix, rejected dump/VCS dimensions, and reopened D-001 resolution pending external CI. Constraint: Do not reopen D-005 or create D-006; D-001 is the matching shared-state test-infrastructure class. Directive: PR #6 remains Draft until new push/PR CI and controlled runs are green. Tested: go test ./tools/scriptstest/test_all -run '^TestTestAllQuickFailsWhenUnsafePromotionBlockerSuiteMissing$' -count=100 -shuffle=on -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Confidence: high Scope-risk: documentation only
Replace the inherit-all-minus-denylist subprocess environment with a constructed test harness environment for fake test-all repositories. Keep explicit negative controls available only through the per-test env allowlist and cover ambient shell, Go/Git, fan-in report path, and concurrent run isolation. Constraint: Do not alter production test-all scripts or D-003/D-004/D-005 fixes. Rejected: More TETRA_* prefix filtering, retries, sleeps, weakened FailedCount assertions, and CI timeout changes. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^(TestTestAllHermeticEnvRejectsAmbientControlMatrix|TestTestAllExplicitFailureControlsAreIsolated|TestTestAllFakeRepoIgnoresAmbientTargetHostReports|TestTestAllHermeticRunsDoNotCrossContaminate|TestTestAllHermeticEnvHasUniqueDeterministicKeys|TestTestAllQuickFailsWhenHostLeakBlockerSuiteMissing|TestTestAllFullRunsDocsManifestDiffStep|TestTestAllFullValidatesCrossTargetSmokeReports)$' -count=100 -shuffle=on -timeout=30m Tested: go test -race -buildvcs=false ./tools/scriptstest/test_all -run 'Hermetic|Ambient|ExplicitFailureControls|CrossContaminate' -count=10 -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Confidence: high Scope-risk: test harness only
Record the post-fix CI evidence that the previous D-001 commit was only a partial mitigation, and document the final hermetic test-all subprocess contract. Constraint: Do not create D-006; the new failures remain D-001 witnesses. Rejected: Symptom patches for the three failing tests and broader prefix denylisting. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^(TestTestAllHermeticEnvRejectsAmbientControlMatrix|TestTestAllExplicitFailureControlsAreIsolated|TestTestAllFakeRepoIgnoresAmbientTargetHostReports|TestTestAllHermeticRunsDoNotCrossContaminate|TestTestAllHermeticEnvHasUniqueDeterministicKeys|TestTestAllQuickFailsWhenHostLeakBlockerSuiteMissing|TestTestAllFullRunsDocsManifestDiffStep|TestTestAllFullValidatesCrossTargetSmokeReports)$' -count=100 -shuffle=on -timeout=30m Tested: go test -race -buildvcs=false ./tools/scriptstest/test_all -run 'Hermetic|Ambient|ExplicitFailureControls|CrossContaminate' -count=10 -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Confidence: high Scope-risk: documentation only
Record bounded failure evidence for unexpected fake-repo test-all blocker failures without changing gate semantics. Constraint: diagnostic-only; no production script, workflow, D-003, D-004, or D-005 changes. Rejected: retries, timeout changes, FailedCount relaxation, ambient env inheritance, and root-cause fix before instrumented evidence. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^(TestTestAllUnexpectedFailureEvidenceIncludesBlockerLog|TestTestAllNormalFakeGoTraceShowsNoSkipControls|TestTestAllFailureEvidenceRejectsEscapingLogPath|TestTestAllFailureEvidenceDoesNotExposeAmbientSecret)$' -count=100 -shuffle=on -timeout=30m Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^(TestTestAllStabilizationRunsFocusedGates|TestTestAllFakeRepoIgnoresAmbientTargetHostReports|TestTestAllStabilizationToolingSummaryRequiresFocusedArtifacts)$' -count=100 -shuffle=on -timeout=45m Tested: go test -race -buildvcs=false ./tools/scriptstest/test_all -run 'FailureEvidence|FakeGoTrace|Hermetic|CrossContaminate' -count=10 -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Tested: go test ./compiler/... ./cli/... ./tools/... -count=1 Tested: go test -buildvcs=false ./... -count=1 Not-tested: Memory Core gate on clean tree before this commit; pre-commit run stopped at dirty_worktree guard. Confidence: medium-high Scope-risk: low; test harness diagnostics only
Diagnostic-only coverage for the ambient matrix normal-pass assertion path. The helper now emits the existing test-all failure collector output before temp fixture cleanup, and collector output includes bounded report artifact metadata for silent test -s failures. Constraint: Do not change testAllHermeticEnv, scripts/ci/test-all.sh, workflows, production code, D-003, D-004, or D-005. Rejected: retries, timeout increases, assertion relaxation, root-cause fix, D-006 creation, and documentation updates in this commit. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^TestTestAllNormalPassAssertionEmitsFailureEvidence$' -count=100 -shuffle=on -timeout=30m Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^TestTestAllHermeticEnvRejectsAmbientControlMatrix/ambient_controls$' -count=200 -shuffle=on -timeout=45m Tested: go test -race -buildvcs=false ./tools/scriptstest/test_all -run 'AmbientControlMatrix|FailureEvidence|FakeGoTrace' -count=10 -timeout=30m Tested: go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m Tested: go test ./compiler/... ./cli/... ./tools/... -count=1 Tested: go test -buildvcs=false ./... -count=1 Tested: go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json Not-tested: Memory Core gate before commit reached dirty_worktree check and will be rerun after this commit. Confidence: high Scope-risk: test diagnostics only
Centralize diagnostic collection at the test-all subprocess boundary so every wrapper records failure evidence before temp fixture cleanup. The change keeps production behavior and assertions intact while preserving step logs, fake-go traces, report manifests, invocation metadata, and non-JSON failure previews for later assertion failures. Constraint: diagnostic-only test harness change; no scripts/ci/test-all.sh, workflow, production, D-003, D-004, or D-005 changes. Rejected: adding collectors to individual failing tests, relaxing FailedCount assertions, changing testAllHermeticEnv or environment allowlist, retries, and timeout changes. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run 'RunnerObservation' -count=100 -shuffle=on -timeout=45m; go test -buildvcs=false ./tools/scriptstest/test_all -run '^(TestTestAllQuickWritesTOONSummaryMirror|TestTestAllQuickFailsWhenBoundsProofBlockerSuiteMissing|TestTestAllFullRunsDocsManifestDiffStep|TestTestAllStabilizationRunsFocusedGates|TestTestAllFakeRepoIgnoresAmbientTargetHostReports|TestTestAllStabilizationToolingSummaryRequiresFocusedArtifacts|TestTestAllHermeticEnvRejectsAmbientControlMatrix)$' -count=100 -shuffle=on -timeout=60m; go test -race -buildvcs=false ./tools/scriptstest/test_all -run 'RunnerObservation|Hermetic|CrossContaminate' -count=10 -timeout=30m; go test ./tools/scriptstest/test_all -count=20 -shuffle=on -timeout=30m; go test ./compiler/... ./cli/... ./tools/... -count=1; go test -buildvcs=false ./... -count=1; go run ./tools/cmd/verify-docs --manifest docs/generated/manifest.json. Not-tested: external GitHub Actions root-cause capture until this diagnostic SHA is pushed. Confidence: high for runner-level observability coverage; root cause remains unconfirmed. Scope-risk: test harness diagnostics only.
Replace the grep -q membership pipeline with an in-process Bash exact-line scan so a successful early match cannot be inverted by upstream SIGPIPE under pipefail. Constraint: Do not change test-all environment isolation, workflows, or blocker assertions. Rejected: retry, timeout increase, broader grep rewrites, and harness redesign. Tested: go test -buildvcs=false ./tools/scriptstest/test_all -run '^TestTestAllRequiredNameMembershipIsPipefailSafe$' -count=1 -timeout=5m. Confidence: high. Scope-risk: low; limited to blocker test-name membership checks and focused regression.
Record D-006 as resolved_pending_external_ci with the confirmed grep -q/pipefail SIGPIPE root cause and fix commit. Constraint: Keep review trail separate from the code fix commit. Rejected: D-001 reopening and additional findings without a separate compiler/runtime defect. Tested: documentation-only change; full requested validation follows this commit. Confidence: high. Scope-risk: low; docs-only stabilization finding update.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cf20bf9d69
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if hasNegation(lower) { | ||
| return false |
There was a problem hiding this comment.
Не пропускайте forbidden claims через unrelated negation
Коли будь-який рядок у файлі з --claim-path містить маркер на кшталт no або without , containsForbiddenClaim одразу повертає false, не перевіряючи заборонені фрази далі. Через це рядок на кшталт no blockers remain; Memory Core v2 has universal memory safety пройде claim scanner, хоча саме такі broad claims цей gate має блокувати перед release evidence validation.
Useful? React with 👍 / 👎.
Summary
Stabilization branch for Memory Core v2 independent review, starting from accepted milestone commit
8f7529505a13b5da72fbc0c34c5bb110541c020f.Scope
Release Security
release_security_review_status=pending_final_rc; no human security review is performed in this PR.Initial Validation
Branch created from exact base commit. Full stabilization validation will be added after independent review and fixes.