Skip to content

fix: add droplet reality check to all cataractae#504

Merged
MichielDean merged 7 commits into
mainfrom
fix/cataractae-migration-gates
May 11, 2026
Merged

fix: add droplet reality check to all cataractae#504
MichielDean merged 7 commits into
mainfrom
fix/cataractae-migration-gates

Conversation

@MichielDean
Copy link
Copy Markdown
Owner

@MichielDean MichielDean commented May 11, 2026

Summary

Building on PR #503 (mechanical migration/dependency gates), this adds a droplet reality check to every cataractae in the pipeline.

The core problem: every cataractae treated the architect's brief as the source of truth. But the brief is a translation of the droplet, and translations lose information — especially implicit requirements like "existing data must work" or "the plugin interface must stay the same."

This PR adds a "Droplet Reality Check" section to all six cataractae:

  • Architect: Extract implicit requirements from the droplet before writing the brief. If the droplet says "rewrite," include migration compatibility even if the droplet doesn't spell it out.
  • Implementer: Compare the brief against the droplet before coding. If the brief omits something the droplet asked for, file an issue BEFORE implementing.
  • Reviewer: Flag gaps between the droplet and implementation even if the brief was followed correctly. The brief can be wrong.
  • QA: Test against what the droplet asked for, not just what tests cover. Verify CLI compatibility, data compatibility, dependency imports.
  • Security: Check security surface from migration paths in rewrites.
  • Docs: Document breaking changes and migration paths for rewrites.

The key insight: "follows the brief" and "delivers what was requested" are different metrics. The pipeline was only measuring the first one. Now every cataractae measures both.

Combined with #503's mechanical gates (migration compatibility test, dependency cross-reference, deploy-and-verify, 30s test timeout), this should prevent the class of bugs where the pipeline faithfully implements the wrong requirements.

Lobsterdog Contributors added 7 commits May 9, 2026 22:27
feat: replace ct filter direct-exec with tmux-based spawning
548893b 
The previous ct filter implementation used a direct-exec approach
(opencode run --format json) which doesn't work because opencode run
requires an existing session ID and doesn't produce output on stdout.

The new implementation spawns opencode in a tmux session, mirroring
how cataractae work:

1. Create temp workdir with CONTEXT.md + AGENTS.md + agent identity
2. Spawn opencode run in tmux with --dangerously-skip-permissions --agent filter
3. Use pipe-pane to capture PTY output to a log file
4. Wait for session exit (poll with 10min timeout)
5. Read log, strip ANSI, extract agent response
6. Clean up tmux session and temp files

Key changes:
- filter.go: Replaced callFilterAgent with filterAgentTmux/filterAgentResume
- filter_agent.go: New file with tmux-based spawning logic
- preset.go: Removed FormatArgs (was --format json, doesn't work with opencode)
- dashboard_web.go: Updated filterResume to use invokeFilterNew
- filter_test.go: Kept structural tests, callFilterAgent now returns error

Also unset OPENCODE_SERVER_* env vars in tmux sessions to prevent
'session not found' errors (same fix as cataractae).

Replaces the incomplete FormatArgs fix (PR #500) with a proper
architectural solution.
fix: replace PTY log parsing with RESPONSE.md file redirect for ct fi…
3b3c348 
…lter

The PTY log approach for extracting agent responses was fundamentally
broken — pipe-pane captures raw terminal output mixed with TUI chrome,
and the heuristic extraction (cleanANSI + isTUICrome) consistently
truncated responses or captured TUI artifacts.

Solution: instruct the filter agent to write its response to RESPONSE.md
in the workdir. After the tmux session exits, read the file directly.
No ANSI stripping, no extraction heuristics, no truncated paragraphs.

Changes:
- filterAgentsMD() now instructs the agent to write RESPONSE.md
- filterAgentTmux() reads RESPONSE.md instead of PTY log
- filterAgentResume() uses tmux display-message to find workdir,
  then reads RESPONSE.md instead of polling PTY log for size changes
- Removed cleanANSI(), extractFilterResponse(), isTUICrome() functions
- Removed pipe-pane log setup and PTY parsing logic
- Added tmuxSessionWorkdir() helper for --resume path
- Added dropVec0Objects() to prevent 'no such module: vec0' errors
- Updated fakeagent to write RESPONSE.md when --agent filter is present
- Updated tests: removed deprecated callFilterAgent tests, updated
  FormatArgs test for empty (removed) format args, simplified
  integration tests
fix: replace tmux+file-redirect with opencode run --format json
7ec69c4 
The root cause of all previous failures was OPENCODE_SERVER_* env vars
causing 'Session not found' errors. Unsetting those vars allows
opencode run to work correctly as a direct subprocess.

opencode run --format json produces NDJSON output with:
- type:'text' events containing the agent's response
- sessionID for --resume support

This is dramatically simpler and more reliable than the tmux approach:
- No PTY log parsing, no ANSI stripping
- No RESPONSE.md file redirect with timing issues
- No tmux session management
- Direct JSON parsing of stdout, just like the original design intended

The tmux approach was a workaround for 'Session not found' errors that
turned out to be caused by OPENCODE_SERVER_* vars leaking into the
tmux session. Now that we know the root cause, the direct-exec approach
works correctly.

Changes:
- filter_agent.go: complete rewrite from tmux to direct-exec
  - filterAgentRun() runs opencode as subprocess, parses NDJSON
  - filterAgentRunResume() uses -s flag for session continuation
  - buildFilterRunCommand() constructs args and env
  - Env vars OPENCODE_SERVER_*, OPENCODE_PID, OPENCODE are unset
  - --format json flag captures output programmatically
  - Removed tmux, pipe-pane, RESPONSE.md, cleanANSI, extractFilterResponse
  - Removed isSessionAlive, shellQuote, homeDir, minimalTmuxEnv
- filter.go: updated invokeFilterNew/Resume to use new functions
  - callFilterAgent deprecated stub now references filterAgentRun
- filter_test.go: updated for new architecture
  - Replaced tmux-based tests with direct-exec tests
  - Added unsetEnvPrefix, buildFilterRunCommand tests
  - Removed ResponseFileName test (no longer applicable)
- fakeagent: added --agent filter detection for test mode
docs: update skill docs for direct-exec filter, remove tmux wrapper p…
0b1bb57 
…attern

- Remove stale --file flag reference (flag was removed)
- Replace tmux wrapper pattern with direct ct droplet add --filter
- Note that ct filter now uses opencode run --format json
docs: add troubleshooting section for ct filter to skill docs
3a31e3b 
Codifies the env var pollution root cause and fixes that were discovered
through the PR #500#502 → direct-exec arc. Includes:
- Session not found: OPENCODE_SERVER_* env var pollution
- Empty response: missing --dangerously-skip-permissions or invalid model
- Timeout: CT_FILTER_TIMEOUT env var
fix: add mechanical migration and dependency verification gates to ca…
c62a60c 
…taractae

Post-incident fix after LLMem Go rewrite shipped with vec0 migration
bug, missing dependency import, test timeouts, and CLI flag incompat.

Architect INSTRUCTIONS.md:
- Add Migration Surface Analysis section (mandatory for rewrites)
- Require enumeration of every migration scenario (existing DBs, config,
  CLI invocations, plugins/hooks)
- Require specific verification commands for each scenario
- Require dependency verification: brief dependency → go.mod/package.json
- Require breaking change matrix with callers

Reviewer INSTRUCTIONS.md:
- Add migration compatibility check to migration_safety rubric
- Add dependency verification check (brief mentions X, is X imported?)
- Add test timeout discipline check (30s max for I/O tests)

QA INSTRUCTIONS.md:
- Add migration compatibility test requirement for rewrites
- Add dependency verification check
- Add test timeout discipline check
- Add deploy-and-verify gate for rewrites: MUST run core commands
  against existing data, not just test suite
fix: add droplet reality check to all cataractae
63f4582 
Every cataractae now reads the original droplet AND the architect brief,
then cross-references them. The brief is a contract, but the droplet is
the source of truth. Key additions:

- Architect: extract implicit requirements from droplet (migration,
  dependency viability, interface compatibility)
- Implementer: file issues for gaps between droplet and brief before
  implementing
- Reviewer: flag gaps between droplet and implementation even if brief
  is followed
- QA: test against what the droplet asked for, not just what the brief
  specified. Verify CLI compat, data compat, dependency imports
- Security: check security surface from rewrite migration paths
- Docs: document breaking changes and migration paths for rewrites

This closes the gap where the pipeline checked code against briefs but
never checked briefs against reality.
@MichielDean MichielDean merged commit 490cd1a into main May 11, 2026
3 checks passed
@MichielDean MichielDean deleted the fix/cataractae-migration-gates branch May 11, 2026 04:11
@MichielDean MichielDean mentioned this pull request May 11, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MichielDean