Skip to content

feat(wfctl): dns-policy + OnBeforeAction hook + relocate dns packages (Phase 3a)#787

Merged
intel352 merged 8 commits into
mainfrom
feat/wfctl-dns-policy-2026-05-26T1900
May 27, 2026
Merged

feat(wfctl): dns-policy + OnBeforeAction hook + relocate dns packages (Phase 3a)#787
intel352 merged 8 commits into
mainfrom
feat/wfctl-dns-policy-2026-05-26T1900

Conversation

@intel352
Copy link
Copy Markdown
Contributor

@intel352 intel352 commented May 27, 2026

Summary

Phase 3a of the cross-repo DNS provider cascade. Six commits across seven tasks (19-25 of the locked plan):

  1. OnBeforeAction hook (Task 19) — adds a FATAL pre-dispatch hook to wfctlhelpers.ApplyPlanHooks. Fires after ctx.Err() and before JIT/driver/cloud-side mutation. Non-nil return aborts the whole apply. Per cycle-3.5 I-NEW-2: hard-stop semantics, not best-effort.

  2. dns/policy relocate (Task 20) — moves workflow-plugin-infra/internal/dnspolicy/workflow/dns/policy/. Package renamed dnspolicypolicy. Import paths swept. All tests preserved.

  3. dns/gate relocate + ResourceDriver adapter (Task 21) — moves dnsgate → dns/gate/. New DriverReader struct adapts interfaces.ResourceDriver.Read to satisfy policy.DNSPolicyReader. Tolerates both []map[string]any and []any records-slice variants. Includes UpsertTXT write half for the dns-policy mutating commands (Read current zone → modify TXT records → driver.Update). CachingGate per-apply caching preserved.

  4. dns/audit relocate + migration (Task 22) — moves dnsaudit → dns/audit/. Path migrated: ${XDG_STATE_HOME}/wfctl/plugins/workflow-plugin-infra/dns-policy-audit.jsonl${XDG_STATE_HOME}/wfctl/plugins/wfctl/dns-audit.jsonl. One-time migration on first append (additive — legacy file retained for one release cycle).

  5. wfctl dns-policy commands (Task 23) — four subcommands as a cross-cutting orchestrator builtin per design-guidance §CLI:

    • show — pretty-print parsed policy (read-only; supports --raw)
    • set — upsert a policy entry (owner / patterns / types / default)
    • transfer-ownership — move a pattern from one owner to another, dropping the old entry if it becomes empty
    • drift — compare configured vs live policy; non-zero exit on drift

    Mutating commands append a LogPolicyEdit audit-trail entry with SHA-256 short digests of prior + new policy (order-invariant). dns-policy registered in main.go commands map AND plugin_cli_commands.go reservedCLICommands AND wfctl.yaml workflow surface.

  6. dns-gate OnBeforeAction wiring (Task 24)wireDNSGateIntoHooks attaches a gate.CachingGate-backed OnBeforeAction to the hooks struct in runInfraApply. For each infra.dns action, iterates Config["records"] and gate-checks each (record_name, record_type, owner) tuple. Owner comes from WORKFLOW_DNS_OWNER env; unset → warning + pass-through (so legacy applies still work). Per-apply scope: one CachingGate per apply, garbage-collected with the hooks struct.

  7. Runtime validation (Task 25) — verified wfctl dns-policy --help, wfctl dns-policy show (errors with required-flag messages), wfctl dns-policy (usage banner). All flag-gate errors fire pre-plugin-load.

Verification

```
GOWORK=off go test ./cmd/wfctl/... ./dns/... ./iac/wfctlhelpers/... -timeout 300s
```

All green (137s).

Runtime smoke against built binary:
```
$ /tmp/wfctl-phase3a dns-policy
Usage: wfctl dns-policy [flags]
...
$ /tmp/wfctl-phase3a dns-policy show
error: --provider required
$ /tmp/wfctl-phase3a dns-policy show --provider stub
error: --zone required
```

Rollback

Revert this PR. workflow-plugin-infra still has its admincli + internal/dnspolicy + dnsgate + dnsaudit packages intact pre-Phase-3b — the system continues to function via the old plugin cliCommand surface. No state migration to undo (audit-trail migration is additive; legacy path retained).

Part of cross-repo cascade

`docs/plans/2026-05-26-dns-provider-contract.md` (workflow-plugin-infra). PR 7 of 9. Pairs with PR 8 (workflow-plugin-infra strip) — Phase 3b.

Test plan

  • GOWORK=off go test ./cmd/wfctl/... ./dns/... ./iac/wfctlhelpers/... — green
  • Runtime smoke: dns-policy command + subcommand flag-gates
  • E2E with a real DO/CF/NC/Hover provider + a real zone (env-gated; reviewer can run)

🤖 Generated with Claude Code

intel352 added 7 commits May 26, 2026 22:08
@intel352
feat(iac): add OnBeforeAction FATAL hook to ApplyPlanHooks
7f2f34f
@intel352
feat(dns): relocate dns/policy + dns/audit from workflow-plugin-infra…
5d7789c 
…/internal
@intel352
feat(dns/gate): relocate; adapt to ResourceDriver.Read for TXT scanning
4cd5727
@intel352
feat(wfctl): add dns-policy command (show/set/transfer-ownership/drift)
c2fa88b
@intel352
feat(wfctl): wire dns-gate as OnBeforeAction for infra.dns during apply
bde6703
@intel352
feat(wfctl): register dns-policy in wfctl.yaml command surface
66c983e
@intel352
fix(dns/gate): add DriverReader.UpsertTXT so it satisfies policy.DNSP…
d9ff695 
…olicyReader

PR 7's first push left this method out — spec-reviewer caught a broken
build: cmd/wfctl/dns_policy.go and cmd/wfctl/infra_apply_dns_gate.go both
pass *gate.DriverReader where a policy.DNSPolicyReader is expected, but
the production adapter only implemented GetTXT. The package tests pass in
isolation because gate_test.go's test fakes (fakeReader, countingReader)
implement both halves, masking the regression.

Adds UpsertTXT mirroring the design: Read current zone → rewrite records
slice replacing TXT entries at the target name → Driver.Update with a
synthesized ResourceSpec. Includes the recordsToMaps + upsertTXTInRecords
helpers needed for the slice transform.

Pins the regression with a compile-time interface assertion:
  var _ policy.DNSPolicyReader = (*DriverReader)(nil)

Verified:
- GOWORK=off go build ./...
- GOWORK=off go test ./cmd/wfctl/... ./dns/... ./iac/wfctlhelpers/...
  all green (128s)
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 27, 2026
edited
Loading

⏱ Benchmark Results

No significant performance regressions detected.

benchstat comparison (baseline → PR) 
## benchstat: baseline → PR
baseline-bench.txt:282: parsing iteration count: invalid syntax
baseline-bench.txt:332251: parsing iteration count: invalid syntax
baseline-bench.txt:771959: parsing iteration count: invalid syntax
baseline-bench.txt:1084035: parsing iteration count: invalid syntax
baseline-bench.txt:1384465: parsing iteration count: invalid syntax
baseline-bench.txt:1648199: parsing iteration count: invalid syntax
benchmark-results.txt:288: parsing iteration count: invalid syntax
benchmark-results.txt:363499: parsing iteration count: invalid syntax
benchmark-results.txt:730787: parsing iteration count: invalid syntax
benchmark-results.txt:1126071: parsing iteration count: invalid syntax
benchmark-results.txt:1567453: parsing iteration count: invalid syntax
benchmark-results.txt:1912763: parsing iteration count: invalid syntax
goos: linux
goarch: amd64
pkg: github.com/GoCodeAlone/workflow/dynamic
cpu: AMD EPYC 7763 64-Core Processor                
                            │ baseline-bench.txt │
                            │       sec/op       │
InterpreterCreation-4               8.171m ± 62%
ComponentLoad-4                     3.661m ±  2%
ComponentExecute-4                  1.945µ ±  1%
PoolContention/workers-1-4          1.097µ ±  2%
PoolContention/workers-2-4          1.093µ ±  4%
PoolContention/workers-4-4          1.094µ ±  1%
PoolContention/workers-8-4          1.098µ ±  0%
PoolContention/workers-16-4         1.104µ ±  2%
ComponentLifecycle-4                3.675m ±  1%
SourceValidation-4                  2.330µ ±  1%
RegistryConcurrent-4                790.6n ±  5%
LoaderLoadFromString-4              3.732m ±  2%
geomean                             19.08µ

                            │ baseline-bench.txt │
                            │        B/op        │
InterpreterCreation-4               2.027Mi ± 0%
ComponentLoad-4                     2.180Mi ± 0%
ComponentExecute-4                  1.203Ki ± 0%
PoolContention/workers-1-4          1.203Ki ± 0%
PoolContention/workers-2-4          1.203Ki ± 0%
PoolContention/workers-4-4          1.203Ki ± 0%
PoolContention/workers-8-4          1.203Ki ± 0%
PoolContention/workers-16-4         1.203Ki ± 0%
ComponentLifecycle-4                2.183Mi ± 0%
SourceValidation-4                  1.984Ki ± 0%
RegistryConcurrent-4                1.133Ki ± 0%
LoaderLoadFromString-4              2.182Mi ± 0%
geomean                             15.25Ki

                            │ baseline-bench.txt │
                            │     allocs/op      │
InterpreterCreation-4                15.68k ± 0%
ComponentLoad-4                      18.02k ± 0%
ComponentExecute-4                    25.00 ± 0%
PoolContention/workers-1-4            25.00 ± 0%
PoolContention/workers-2-4            25.00 ± 0%
PoolContention/workers-4-4            25.00 ± 0%
PoolContention/workers-8-4            25.00 ± 0%
PoolContention/workers-16-4           25.00 ± 0%
ComponentLifecycle-4                 18.07k ± 0%
SourceValidation-4                    32.00 ± 0%
RegistryConcurrent-4                  2.000 ± 0%
LoaderLoadFromString-4               18.06k ± 0%
geomean                               183.3

cpu: AMD EPYC 9V74 80-Core Processor                
                            │ benchmark-results.txt │
                            │        sec/op         │
InterpreterCreation-4                 3.804m ± 124%
ComponentLoad-4                       2.709m ±  10%
ComponentExecute-4                    1.403µ ±   1%
PoolContention/workers-1-4            773.8n ±   2%
PoolContention/workers-2-4            774.9n ±   1%
PoolContention/workers-4-4            774.5n ±   1%
PoolContention/workers-8-4            777.6n ±   1%
PoolContention/workers-16-4           775.4n ±   1%
ComponentLifecycle-4                  2.720m ±   2%
SourceValidation-4                    1.616µ ±   0%
RegistryConcurrent-4                  591.2n ±   3%
LoaderLoadFromString-4                2.737m ±   1%
geomean                               13.23µ

                            │ benchmark-results.txt │
                            │         B/op          │
InterpreterCreation-4                  2.027Mi ± 0%
ComponentLoad-4                        2.180Mi ± 0%
ComponentExecute-4                     1.203Ki ± 0%
PoolContention/workers-1-4             1.203Ki ± 0%
PoolContention/workers-2-4             1.203Ki ± 0%
PoolContention/workers-4-4             1.203Ki ± 0%
PoolContention/workers-8-4             1.203Ki ± 0%
PoolContention/workers-16-4            1.203Ki ± 0%
ComponentLifecycle-4                   2.183Mi ± 0%
SourceValidation-4                     1.984Ki ± 0%
RegistryConcurrent-4                   1.133Ki ± 0%
LoaderLoadFromString-4                 2.182Mi ± 0%
geomean                                15.25Ki

                            │ benchmark-results.txt │
                            │       allocs/op       │
InterpreterCreation-4                   15.68k ± 0%
ComponentLoad-4                         18.02k ± 0%
ComponentExecute-4                       25.00 ± 0%
PoolContention/workers-1-4               25.00 ± 0%
PoolContention/workers-2-4               25.00 ± 0%
PoolContention/workers-4-4               25.00 ± 0%
PoolContention/workers-8-4               25.00 ± 0%
PoolContention/workers-16-4              25.00 ± 0%
ComponentLifecycle-4                    18.07k ± 0%
SourceValidation-4                       32.00 ± 0%
RegistryConcurrent-4                     2.000 ± 0%
LoaderLoadFromString-4                  18.06k ± 0%
geomean                                  183.3

pkg: github.com/GoCodeAlone/workflow/middleware
cpu: AMD EPYC 7763 64-Core Processor                
                                  │ baseline-bench.txt │
                                  │       sec/op       │
CircuitBreakerDetection-4                  287.6n ± 3%
CircuitBreakerExecution_Success-4          21.54n ± 0%
CircuitBreakerExecution_Failure-4          66.87n ± 0%
geomean                                    74.55n

                                  │ baseline-bench.txt │
                                  │        B/op        │
CircuitBreakerDetection-4                 144.0 ± 0%
CircuitBreakerExecution_Success-4         0.000 ± 0%
CircuitBreakerExecution_Failure-4         0.000 ± 0%
geomean                                              ¹
¹ summaries must be >0 to compute geomean

                                  │ baseline-bench.txt │
                                  │     allocs/op      │
CircuitBreakerDetection-4                 1.000 ± 0%
CircuitBreakerExecution_Success-4         0.000 ± 0%
CircuitBreakerExecution_Failure-4         0.000 ± 0%
geomean                                              ¹
¹ summaries must be >0 to compute geomean

cpu: AMD EPYC 9V74 80-Core Processor                
                                  │ benchmark-results.txt │
                                  │        sec/op         │
CircuitBreakerDetection-4                     230.9n ± 3%
CircuitBreakerExecution_Success-4             17.59n ± 0%
CircuitBreakerExecution_Failure-4             55.15n ± 0%
geomean                                       60.73n

                                  │ benchmark-results.txt │
                                  │         B/op          │
CircuitBreakerDetection-4                    144.0 ± 0%
CircuitBreakerExecution_Success-4            0.000 ± 0%
CircuitBreakerExecution_Failure-4            0.000 ± 0%
geomean                                                 ¹
¹ summaries must be >0 to compute geomean

                                  │ benchmark-results.txt │
                                  │       allocs/op       │
CircuitBreakerDetection-4                    1.000 ± 0%
CircuitBreakerExecution_Success-4            0.000 ± 0%
CircuitBreakerExecution_Failure-4            0.000 ± 0%
geomean                                                 ¹
¹ summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/module
cpu: AMD EPYC 7763 64-Core Processor                
                                 │ baseline-bench.txt │
                                 │       sec/op       │
IaCStateBackend_InProcess-4              314.2n ± 30%
IaCStateBackend_GRPC-4                   9.640m ±  3%
JQTransform_Simple-4                     680.6n ± 35%
JQTransform_ObjectConstruction-4         1.539µ ±  1%
JQTransform_ArraySelect-4                3.632µ ±  2%
JQTransform_Complex-4                    40.94µ ±  1%
JQTransform_Throughput-4                 1.889µ ±  1%
SSEPublishDelivery-4                     68.27n ±  3%
geomean                                  3.963µ

                                 │ baseline-bench.txt │
                                 │        B/op        │
IaCStateBackend_InProcess-4             416.0 ±  0%
IaCStateBackend_GRPC-4                5.794Mi ± 11%
JQTransform_Simple-4                  1.273Ki ±  0%
JQTransform_ObjectConstruction-4      1.773Ki ±  0%
JQTransform_ArraySelect-4             2.625Ki ±  0%
JQTransform_Complex-4                 16.31Ki ±  0%
JQTransform_Throughput-4              1.984Ki ±  0%
SSEPublishDelivery-4                    0.000 ±  0%
geomean                                             ¹
¹ summaries must be >0 to compute geomean

                                 │ baseline-bench.txt │
                                 │     allocs/op      │
IaCStateBackend_InProcess-4              2.000 ± 0%
IaCStateBackend_GRPC-4                  6.845k ± 0%
JQTransform_Simple-4                     10.00 ± 0%
JQTransform_ObjectConstruction-4         15.00 ± 0%
JQTransform_ArraySelect-4                30.00 ± 0%
JQTransform_Complex-4                    328.0 ± 0%
JQTransform_Throughput-4                 17.00 ± 0%
SSEPublishDelivery-4                     0.000 ± 0%
geomean                                             ¹
¹ summaries must be >0 to compute geomean

cpu: AMD EPYC 9V74 80-Core Processor                
                                 │ benchmark-results.txt │
                                 │        sec/op         │
IaCStateBackend_InProcess-4                 225.8n ± 29%
IaCStateBackend_GRPC-4                      7.926m ±  1%
JQTransform_Simple-4                        501.0n ± 27%
JQTransform_ObjectConstruction-4            1.179µ ±  2%
JQTransform_ArraySelect-4                   2.778µ ±  1%
JQTransform_Complex-4                       33.89µ ±  1%
JQTransform_Throughput-4                    1.416µ ±  1%
SSEPublishDelivery-4                        50.79n ±  2%
geomean                                     3.033µ

                                 │ benchmark-results.txt │
                                 │         B/op          │
IaCStateBackend_InProcess-4                416.0 ±  0%
IaCStateBackend_GRPC-4                   5.725Mi ± 12%
JQTransform_Simple-4                     1.273Ki ±  0%
JQTransform_ObjectConstruction-4         1.773Ki ±  0%
JQTransform_ArraySelect-4                2.625Ki ±  0%
JQTransform_Complex-4                    16.31Ki ±  0%
JQTransform_Throughput-4                 1.984Ki ±  0%
SSEPublishDelivery-4                       0.000 ±  0%
geomean                                                ¹
¹ summaries must be >0 to compute geomean

                                 │ benchmark-results.txt │
                                 │       allocs/op       │
IaCStateBackend_InProcess-4                 2.000 ± 0%
IaCStateBackend_GRPC-4                     6.864k ± 0%
JQTransform_Simple-4                        10.00 ± 0%
JQTransform_ObjectConstruction-4            15.00 ± 0%
JQTransform_ArraySelect-4                   30.00 ± 0%
JQTransform_Complex-4                       328.0 ± 0%
JQTransform_Throughput-4                    17.00 ± 0%
SSEPublishDelivery-4                        0.000 ± 0%
geomean                                                ¹
¹ summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/schema
cpu: AMD EPYC 7763 64-Core Processor                
                                    │ baseline-bench.txt │
                                    │       sec/op       │
SchemaValidation_Simple-4                    1.107µ ± 2%
SchemaValidation_AllFields-4                 1.684µ ± 4%
SchemaValidation_FormatValidation-4          1.600µ ± 1%
SchemaValidation_ManySchemas-4               1.827µ ± 3%
geomean                                      1.528µ

                                    │ baseline-bench.txt │
                                    │        B/op        │
SchemaValidation_Simple-4                   0.000 ± 0%
SchemaValidation_AllFields-4                0.000 ± 0%
SchemaValidation_FormatValidation-4         0.000 ± 0%
SchemaValidation_ManySchemas-4              0.000 ± 0%
geomean                                                ¹
¹ summaries must be >0 to compute geomean

                                    │ baseline-bench.txt │
                                    │     allocs/op      │
SchemaValidation_Simple-4                   0.000 ± 0%
SchemaValidation_AllFields-4                0.000 ± 0%
SchemaValidation_FormatValidation-4         0.000 ± 0%
SchemaValidation_ManySchemas-4              0.000 ± 0%
geomean                                                ¹
¹ summaries must be >0 to compute geomean

cpu: AMD EPYC 9V74 80-Core Processor                
                                    │ benchmark-results.txt │
                                    │        sec/op         │
SchemaValidation_Simple-4                      845.1n ± 15%
SchemaValidation_AllFields-4                   1.254µ ±  1%
SchemaValidation_FormatValidation-4            1.219µ ±  2%
SchemaValidation_ManySchemas-4                 1.247µ ±  3%
geomean                                        1.126µ

                                    │ benchmark-results.txt │
                                    │         B/op          │
SchemaValidation_Simple-4                      0.000 ± 0%
SchemaValidation_AllFields-4                   0.000 ± 0%
SchemaValidation_FormatValidation-4            0.000 ± 0%
SchemaValidation_ManySchemas-4                 0.000 ± 0%
geomean                                                   ¹
¹ summaries must be >0 to compute geomean

                                    │ benchmark-results.txt │
                                    │       allocs/op       │
SchemaValidation_Simple-4                      0.000 ± 0%
SchemaValidation_AllFields-4                   0.000 ± 0%
SchemaValidation_FormatValidation-4            0.000 ± 0%
SchemaValidation_ManySchemas-4                 0.000 ± 0%
geomean                                                   ¹
¹ summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/store
cpu: AMD EPYC 7763 64-Core Processor                
                                   │ baseline-bench.txt │
                                   │       sec/op       │
EventStoreAppend_InMemory-4                1.177µ ± 22%
EventStoreAppend_SQLite-4                  1.385m ±  4%
GetTimeline_InMemory/events-10-4           13.51µ ±  2%
GetTimeline_InMemory/events-50-4           75.38µ ±  1%
GetTimeline_InMemory/events-100-4          150.4µ ± 17%
GetTimeline_InMemory/events-500-4          633.0µ ±  1%
GetTimeline_InMemory/events-1000-4         1.292m ±  1%
GetTimeline_SQLite/events-10-4             107.2µ ±  1%
GetTimeline_SQLite/events-50-4             249.4µ ±  1%
GetTimeline_SQLite/events-100-4            423.2µ ±  1%
GetTimeline_SQLite/events-500-4            1.815m ±  1%
GetTimeline_SQLite/events-1000-4           3.495m ±  1%
geomean                                    222.4µ

                                   │ baseline-bench.txt │
                                   │        B/op        │
EventStoreAppend_InMemory-4                  824.0 ± 7%
EventStoreAppend_SQLite-4                  1.985Ki ± 1%
GetTimeline_InMemory/events-10-4           7.953Ki ± 0%
GetTimeline_InMemory/events-50-4           46.62Ki ± 0%
GetTimeline_InMemory/events-100-4          94.48Ki ± 0%
GetTimeline_InMemory/events-500-4          472.8Ki ± 0%
GetTimeline_InMemory/events-1000-4         944.3Ki ± 0%
GetTimeline_SQLite/events-10-4             16.74Ki ± 0%
GetTimeline_SQLite/events-50-4             87.14Ki ± 0%
GetTimeline_SQLite/events-100-4            175.4Ki ± 0%
GetTimeline_SQLite/events-500-4            846.1Ki ± 0%
GetTimeline_SQLite/events-1000-4           1.639Mi ± 0%
geomean                                    67.58Ki

                                   │ baseline-bench.txt │
                                   │     allocs/op      │
EventStoreAppend_InMemory-4                  7.000 ± 0%
EventStoreAppend_SQLite-4                    53.00 ± 0%
GetTimeline_InMemory/events-10-4             125.0 ± 0%
GetTimeline_InMemory/events-50-4             653.0 ± 0%
GetTimeline_InMemory/events-100-4           1.306k ± 0%
GetTimeline_InMemory/events-500-4           6.514k ± 0%
GetTimeline_InMemory/events-1000-4          13.02k ± 0%
GetTimeline_SQLite/events-10-4               382.0 ± 0%
GetTimeline_SQLite/events-50-4              1.852k ± 0%
GetTimeline_SQLite/events-100-4             3.681k ± 0%
GetTimeline_SQLite/events-500-4             18.54k ± 0%
GetTimeline_SQLite/events-1000-4            37.29k ± 0%
geomean                                     1.162k

cpu: AMD EPYC 9V74 80-Core Processor                
                                   │ benchmark-results.txt │
                                   │        sec/op         │
EventStoreAppend_InMemory-4                  758.9n ±  12%
EventStoreAppend_SQLite-4                    1.411m ± 168%
GetTimeline_InMemory/events-10-4             8.104µ ±   2%
GetTimeline_InMemory/events-50-4             44.85µ ±   1%
GetTimeline_InMemory/events-100-4            89.65µ ±   1%
GetTimeline_InMemory/events-500-4            456.5µ ±   1%
GetTimeline_InMemory/events-1000-4           930.3µ ±   3%
GetTimeline_SQLite/events-10-4               65.43µ ±   2%
GetTimeline_SQLite/events-50-4               172.9µ ±   0%
GetTimeline_SQLite/events-100-4              300.6µ ±   1%
GetTimeline_SQLite/events-500-4              1.322m ±   1%
GetTimeline_SQLite/events-1000-4             2.577m ±   1%
geomean                                      153.5µ

                                   │ benchmark-results.txt │
                                   │         B/op          │
EventStoreAppend_InMemory-4                    863.0 ± 13%
EventStoreAppend_SQLite-4                    1.983Ki ±  1%
GetTimeline_InMemory/events-10-4             7.953Ki ±  0%
GetTimeline_InMemory/events-50-4             46.62Ki ±  0%
GetTimeline_InMemory/events-100-4            94.48Ki ±  0%
GetTimeline_InMemory/events-500-4            472.8Ki ±  0%
GetTimeline_InMemory/events-1000-4           944.3Ki ±  0%
GetTimeline_SQLite/events-10-4               16.74Ki ±  0%
GetTimeline_SQLite/events-50-4               87.14Ki ±  0%
GetTimeline_SQLite/events-100-4              175.4Ki ±  0%
GetTimeline_SQLite/events-500-4              846.1Ki ±  0%
GetTimeline_SQLite/events-1000-4             1.639Mi ±  0%
geomean                                      67.84Ki

                                   │ benchmark-results.txt │
                                   │       allocs/op       │
EventStoreAppend_InMemory-4                     7.000 ± 0%
EventStoreAppend_SQLite-4                       53.00 ± 0%
GetTimeline_InMemory/events-10-4                125.0 ± 0%
GetTimeline_InMemory/events-50-4                653.0 ± 0%
GetTimeline_InMemory/events-100-4              1.306k ± 0%
GetTimeline_InMemory/events-500-4              6.514k ± 0%
GetTimeline_InMemory/events-1000-4             13.02k ± 0%
GetTimeline_SQLite/events-10-4                  382.0 ± 0%
GetTimeline_SQLite/events-50-4                 1.852k ± 0%
GetTimeline_SQLite/events-100-4                3.681k ± 0%
GetTimeline_SQLite/events-500-4                18.54k ± 0%
GetTimeline_SQLite/events-1000-4               37.29k ± 0%
geomean                                        1.162k

Benchmarks run with go test -bench=. -benchmem -count=6.
Regressions ≥ 20% are flagged. Results compared via benchstat.

@codecov
Copy link
Copy Markdown

codecov Bot commented May 27, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 54.49190% with 309 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
cmd/wfctl/dns_policy.go 47.09% 172 Missing and 10 partials ⚠️
dns/gate/gate.go 45.79% 54 Missing and 4 partials ⚠️
cmd/wfctl/infra_apply_dns_gate.go 21.05% 30 Missing ⚠️
dns/policy/policy.go 71.11% 10 Missing and 3 partials ⚠️
dns/audit/audit.go 76.00% 8 Missing and 4 partials ⚠️
dns/policy/match.go 55.55% 9 Missing and 3 partials ⚠️
dns/policy/serialize.go 91.66% 1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@intel352
fix(dns/audit): nilerr — propagate non-NotExist legacy-read errors
6e8ad7b 
Lint nilerr fired at audit.go:65: `legacyData, err := os.ReadFile(legacy);
if err != nil { return nil }`. Swallowing all errors is wrong — only the
NotExist case represents "no legacy file, nothing to migrate"; permission
denied / IO errors should propagate so operators see them rather than
silently losing the migration on a transient problem.

Wrap propagated errors so the caller knows it came from the legacy-read
path specifically.
github-code-quality[bot]
github-code-quality Bot found potential problems May 27, 2026
View reviewed changes
Comment thread dns/audit/audit.go
if err != nil {
return err
}
defer f.Close()
@intel352 intel352 merged commit 4429c91 into main May 27, 2026
28 checks passed
@intel352 intel352 deleted the feat/wfctl-dns-policy-2026-05-26T1900 branch May 27, 2026 02:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@intel352