mirror of
https://github.com/Kpa-clawbot/meshcore-analyzer.git
synced 2026-07-13 00:19:05 +00:00
f0d85bdcab29c968bdd11fcd4e2d0c2f08fd1f44
2788 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
f0d85bdcab | Merge branch 'master' into fix/1724-recut | ||
|
|
bdf5f647d4 |
fix(ci): freshen all e2e-fixture observation timestamps (unblocks #1630 reach e2e) (#1747)
## Problem
`test-issue-1630-reach-mobile-e2e.js` has been failing on `master` since
~2026-06-16, in its precondition `pickRepeaterWithReach` ("no repeater
with reach links found in fixture") — not in any of its actual
assertions. The same SHA passed on 06-15 and failed on 06-16 with no
code change, i.e. it tracks the wall clock, not the tree.
## Root cause
`tools/freshen-fixture.sh` shifts `nodes`, `transmissions`, `observers`
and `neighbor_edges` timestamps to ~now, but for
`observations.timestamp` it only rewrote rows where `timestamp = 0 OR
timestamp IS NULL`. Real-timestamped observations stayed frozen at
fixture-capture time.
Per-node reach (`/api/nodes/{pk}/reach?days=N` → `scanReachRows`,
`cmd/server/node_reach.go`) windows on `observations.timestamp >=
sinceEpoch`. ~30 days after the fixture was captured, the newest
observation aged out of the 30-day window, so reach returned no links
and the test could find no repeater with reach.
## Fix
Shift all non-zero `observations.timestamp` forward by the same offset
(preserving relative order), mirroring the other tables in the script.
The offset subquery is uncorrelated, so SQLite evaluates `MAX` once on
the pre-update state (same idiom the existing blocks rely on).
## Verification
Ran the updated script against `test-fixtures/e2e-fixture.db`:
```
BEFORE: newest observation 31 days old → outside the 30-day reach window
AFTER : newest observation 0 days old, all 500 observations within 30 days
```
CI Playwright on this PR is the end-to-end confirmation. Scope is the CI
fixture helper only — no application code, schema, or runtime behaviour
changes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Erwin Fiten <erwin.fiten@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
|
5c10e11293 |
test(#1735): annotate test ALTER probes for preflight
The PREFLIGHT migration-scale gate flags every ALTER TABLE statement in the repo unless it carries the async=true annotation. The new TestIsDuplicateColumnErr_DriverStringPinned test runs ALTER on an in-memory DB to provoke and pin the driver's duplicate-column error wording — surgical addition to keep the gate green. |
||
|
|
8e15637bf3 |
feat(#1735): warm-up banner — dismiss + auto-dismiss failed migrations
Group B from PR #1735 round-1 review (must-fix #2). Previously a failed async migration pinned the banner forever: isSteadyState returned false as long as any migration was in 'failed' status, with no path to clear. Operators lost trust in the banner; real new failures got lost in the noise. Fix: - FAILED_AUTO_DISMISS_MS = 10 min from endedAt — past that window the failed entry auto-clears from the banner. The failure is still visible via /api/perf/async-migrations and /api/healthz; only the banner stops blocking. - Per-line × button: explicit user ack immediately removes the failure from the banner. - Fail closed: if endedAt is missing or unparseable, the failure does NOT auto-dismiss (operator must see it). - isSteadyState gets an optional nowMs param (defaults to Date.now) for testability and to make the auto-dismiss math re-render-deterministic. CSS additions: .warmup-banner__item--failed coloring + .warmup-banner__dismiss button styling using existing CSS variable patterns. Tests added: test-warmup-banner-failed-dismiss-1735.js pins: - within window: failure still blocks steady state + appears in messages - past window: failure auto-clears from both - explicit dismiss: immediate removal - missing/malformed endedAt: fails closed (no auto-dismiss) |
||
|
|
6d8709be51 |
test(#1735): /api/perf/async-migrations handler tests + tighter reader-yield assertion + orphan-tx test doc
Group F from PR #1735 round-1 review (must-fix #11, #12, #13). #11 — Add cmd/server/async_migrations_handler_test.go covering the four states of /api/perf/async-migrations: - success with rows: 200 + JSON array - empty list: 200 + '[]' (not 'null', so warmup-banner.js can iterate) - readAsyncMigrations error: HTTP 500 + JSON error body (not silently empty — that was the round-1 must-fix) - nil db (server pre-DB-init): 200 + '[]' #13 (kent-beck BLOCKER) — TestChunkedBackfill_YieldsToReaderBetweenBatches: the original threshold (12K rows, 500ms reader-latency bound) was loose enough that a single-tx fake whose total wall time was <500ms could pass. Tightened to: - sample BASELINE reader latency BEFORE backfill starts (avg of 5 probes) - sample BEST reader latency during backfill - assert bestDuring < 80ms absolute AND ratio < 5x baseline (with 5ms floor to avoid sub-ms flakiness) A single-tx implementation that holds the writer the entire wall time would push the during-latency ratio into the 50-100x range and fail deterministically. Comment in the test body explains why. #12 — TestChunkedBackfill_OrphanTxTerminates: doc-only — explain why the orphan insert and seedTransmissions run in separate transactional contexts (orphan has no observation row; can't share seed's tx; the backfill loop is committed-state-only so the split has no effect on what's being asserted). |
||
|
|
63ac2df1c8 |
fix(#1735): backfill correctness — suppress redundant terminal fire + recover panicking progress callback
Group E from PR #1735 round-1 review (must-fix #10, #14). - chunkedTxLastSeenBackfill: track lastFired (p, total) and skip the final terminal callback when it would re-fire identical counts already reported by the last in-loop fire. Previously, when the last batch was exactly batchSize-sized, the next chunk returned n=0 and we fired (processed,total) a second time. Operators saw duplicate progress events. - Wrap the progress callback in defer-recover. A panicking callback (operator-supplied or buggy bookkeeping write) is converted to an error and returned, NOT propagated to the ingestor goroutine. RunAsyncMigration already converts a returned error to status=failed with the message in the error column, so end-to-end the migration is properly marked failed with the recovered panic text. Tests added: TestChunkedBackfill_TerminalSuppressedWhenRedundant TestChunkedBackfill_PanicInCallbackRecovered TestChunkedBackfill_PanicViaRunAsyncMigrationMarksFailed |
||
|
|
905cf32fc9 |
fix(#1735): schema-setup robustness — sync.Once for ALTER storm, rate-limited warn log, pinned driver-string test
Group D from PR #1735 round-1 review (must-fix #8, #9). - ensureAsyncMigrationProgressColumns: guard with sync.Once so a process that runs many async migrations doesn't re-run 3 ALTER TABLE statements every call. The column set is fixed at build time, so once-per-process is the correct scope. - Remove progressSchemaWarnOnce (sync.Once) for the per-write warn log. Replace with a wall-clock rate-limiter (1/min). sync.Once silenced all future errors — destroying observability of an ongoing problem. The rate-limited approach lets every error remain visible without flooding the log on rapid retries. - isDuplicateColumnErr: the modernc.org/sqlite driver does not expose a typed sentinel for duplicate-column ADD COLUMN failures. Document why the substring match is correct AND add TestIsDuplicateColumnErr_DriverStringPinned which provokes the actual driver error so a future driver upgrade that changes the wording fails CI loudly. - Add TestEnsureAsyncMigrationProgressColumns_RunsOncePerProcess pinning the sync.Once behavior + a resetEnsureColumnsOnceForTest helper for test isolation. |
||
|
|
0eab5f8f0e |
fix(#1735): surface async-migration errors on healthz/perf + propagate progress write failures
Group A from PR #1735 round-1 review (must-fix #1, #5, #6, #7). - cmd/server/healthz.go: on readAsyncMigrations error, include the message in the JSON body as async_migrations_error AND keep async_migrations_running=true. Fail closed for warm-up: if we can't read the bookkeeping table, treat the system as possibly still warming up rather than declaring 'all clear'. - cmd/server/async_migrations.go handlePerfAsyncMigrations: return HTTP 500 with the error body on readAsyncMigrations failure instead of silently returning an empty list. (Empty list is a meaningful operator signal; a query failure must be visible.) - cmd/server/routes.go /api/perf: log the readAsyncMigrations error and surface it via X-Async-Migrations-Error response header so the rest of the perf payload still flows. - cmd/server/async_migrations.go: delete the unread asyncMigrationsCacheErr field (finding #5). - cmd/server/async_migrations.go parseAsyncTime: propagate parse errors to the caller; readAsyncMigrationsRaw now appends them to ErrorMessage so unparseable timestamps don't silently produce 0s. - cmd/ingestor/async_migration_progress.go recordAsyncMigrationProgressEx: check RowsAffected(); 0 rows updated -> error (bookkeeping row missing). cmd/ingestor/db.go: track in-loop progress write failures, log them, and treat a failed TERMINAL progress write as a failed migration (counts are no longer trustworthy). |
||
|
|
847964656a |
chore(preflight): annotate small _async_migrations schema ops
The pr-preflight async-migration gate flags any new ALTER TABLE / CREATE TABLE in a migration-shaped file without an explicit annotation. Two sites are legitimately safe-at-scale but lacked the annotation: - cmd/ingestor/async_migration_progress.go ADD COLUMN on the bookkeeping table _async_migrations (single-digit rows; ADD COLUMN is O(rows)). - cmd/server/async_migrations_test.go CREATE TABLE on a fresh in-memory test DB (test setup, not a real schema migration). Annotation-only — no behavior change. Both call sites already had runtime safeguards (duplicate-column tolerance, test isolation). cross-stack: justified — annotations only; no functional change. PR #1735 already declares the frontend+backend coupling. |
||
|
|
6fbe5f0d81 | feat(ui): warm-up banner stays up while migrations run; surfaces failed state | ||
|
|
f5bf605604 | feat(api): /api/perf and /api/healthz expose async migration progress | ||
|
|
f149993473 |
feat(async-migration): progress columns + rate-limited writes + retry reset
Adds an observational progress surface to _async_migrations so a long-running async migration (in particular tx_last_seen_backfill_v1 on operator-scale cold-load) is no longer opaque to readers. Schema changes (additive on legacy DBs): - _async_migrations.rows_processed (INTEGER NOT NULL DEFAULT 0) - _async_migrations.rows_total (INTEGER NOT NULL DEFAULT 0) - _async_migrations.last_update_at (TEXT) ensureAsyncMigrationProgressColumns runs ADD COLUMN per column and ONLY swallows the SQLite "duplicate column" error — every other ALTER failure propagates so a real schema problem doesn't get hidden. The CREATE TABLE body carries the same columns for fresh installs. recordAsyncMigrationProgress rate-limits writes to <=1/sec per migration name via a per-name time.Time cache; the rate limit is intentionally NOT a sync.Map so the bookkeeping table doesn't see a write per backfill batch (which on a SetMaxOpenConns(1) DB would compete with the migration's own UPDATE for the writer lock). recordAsyncMigrationProgressTerminal forces a write past the limiter — used to pin final stable counts on both success and failure paths so observers see the final point at which the migration stopped, not stale intermediate data. Retry path (RunAsyncMigration on an existing pending_async or failed row) resets rows_processed / rows_total / last_update_at to zero AND clears the in-memory rate-limit cache, so the next run starts with an honest denominator and no suppressed first write. A single sync.Once guards the warn log for the legacy "progress columns missing" path so a misconfigured DB doesn't generate one log line per batch. db.go wires both the periodic and terminal progress writes into the tx_last_seen_backfill_v1 migration. Failures still propagate to the RunAsyncMigration goroutine (status flips to 'failed' with the error message); the terminal write captures the partial counts at the failure point. |
||
|
|
915b10119f |
fix(#1724): chunk tx_last_seen_backfill with bounded reader yield
Replaces the single correlated UPDATE used by tx_last_seen_backfill_v1 (introduced in #1690) with a chunked loop that yields the single SQLite writer between batches. Symptom (pre-fix, operator scale ~71K tx / 1.5M obs / 2GB DB): - backgroundLoadComplete=true fires. - The async migration starts the single full-table UPDATE under SetMaxOpenConns(1), holds the writer for 10-15 minutes. - Every /api/healthz, /api/packets, /api/stats request queues behind sqlite_busy_timeout. UI appears frozen long after warm-up clears. Fix (this commit): - cmd/ingestor/tx_last_seen_backfill.go (new): chunkedTxLastSeenBackfill snapshots MAX(id), counts eligible rows (last_seen=0 AND has observations AND id<=maxID), then loops bounded UPDATEs (batchSize=5000) with time.NewTimer-based sleeps (no Timer leak via time.After) between batches (yieldDelay=100ms). EXISTS gate skips orphan transmissions so the loop terminates. maxID snapshot keeps concurrent INSERTs out of scope (those are handled inline by stmtBumpTxLastSeen on the writer fast path). Ctx cancellation between batches returns context.Canceled with partial counts; partial commits are visible (migration does NOT flip to done). All errors propagate (snapshot, count, UPDATE, RowsAffected) — the migration cannot silently mark itself done. Progress callback fires per non-empty batch + once terminal with final stable counts; never on a stale n=0 batch. - cmd/ingestor/db.go: wire the helper into the tx_last_seen_backfill_v1 async migration, explicit batchSize=5000, yieldDelay=100ms. Math reality-check: ~71K tx / 5000 ≈ 15 batches × (~50ms exec + 100ms yield) ≈ ~2.5s wall time with readers slotted in at most every 150ms. PR #1725's description claimed ~300 batches × 150ms ≈ 45s — that confused observations (1.5M) with transmissions (71K); real number is ~20x smaller. Indexes idx_tx_last_seen (transmissions(last_seen)) and idx_observations_transmission_id already exist (see internal/dbschema and cmd/ingestor/db.go base schema) — no additional index work required at this commit. Tests: cmd/ingestor/tx_last_seen_backfill_test.go (added in prior commit) pin all the contract points reviewers flagged on PR #1725. Cancel-mid-loop test timing widened from 30ms to 250ms to give the real chunked impl room to commit a batch before the cancel fires; assertion semantics unchanged (partial commits + context.Canceled + no full completion). |
||
|
|
cb6bab577f |
test(#1724): RED — chunked tx_last_seen backfill behavior + edges
Adds the failing test suite for the new chunkedTxLastSeenBackfill helper that will replace the single-statement #1690 backfill in the next commit. Tests pin the contract reviewers flagged on the prior attempt: - Reader yields between batches (concurrent reader latency bounded — a single-tx fake would NOT satisfy this). - With seedN=12000 + batchSize=5000, progress callback fires >=3 times. - ctx cancel mid-loop -> context.Canceled + partial commits visible. - Concurrent INSERT of new last_seen=0 rows does not trap the loop (maxID snapshot bounds the scan). - Orphan transmissions (no observations) are skipped via EXISTS so the loop terminates deterministically. - Param validation: batchSize<=0 and negative yieldDelay are rejected (no <0 sentinel). - Error propagation: closed DB surfaces -> migration cannot silently report success. Includes a minimal stub of chunkedTxLastSeenBackfill (returns zero/nil) so the file compiles and the tests run to their assertions. The GREEN commit replaces the stub with the real chunked implementation. |
||
|
|
1476b857d9 |
fix(#1716): drop rf-health a11y allowlist entry — subsumed by #1720 (#1731)
Fixes #1716. PR #1720 (merged 2026-06-13) consolidated `.rf-range-btn.active` — along with `.clock-filter-btn.active`, `.subpath-jump-nav a`, `.node-filter-option.node-filter-active`, `.subpath-selected`, and `.analytics-time-range button.active` — into the shared `.btn-active-accent` rule that paints `background: var(--accent-strong)` (`#2563eb`) + `color: var(--text-on-accent)` (`#f9fafb`) = **4.95:1**, WCAG AA pass in both themes. That makes the `#1716` axe allowlist entry obsolete: the underlying violation no longer reproduces. This PR drops the entry and adds a dedicated per-issue regression gate so a future refactor that only breaks `.rf-range-btn.active` (without touching the other consolidated selectors covered by `#1719`) trips with a clear `#1716` citation. ## Strict TDD red→green ### RED — `bce51a60` (test-only) Adds `test-a11y-1716-rf-range-btn-active.js`, a pure-CSS probe with three assertions: - **A1** — `.rf-range-btn.active` is routed through a rule whose body sets `background: var(--accent-strong)` + `color: var(--text-on-accent)`. - **A2** — the legacy `var(--accent)` + `#fff` pair (2.75:1) does NOT reappear on any block listing `.rf-range-btn.active`. - **A3** — numeric contrast on the resolved tokens is ≥ 4.5:1 in both light and dark themes. Locally verified the test FAILS when the consolidated active-button block is reverted to `background: var(--accent); color: #fff`: ``` PASS A3[light]: 4.95:1 (fg=#f9fafb bg=#2563eb) PASS A3[dark]: 4.95:1 (fg=#f9fafb bg=#2563eb) FAIL A1: .rf-range-btn.active is NOT routed through the consolidated (--accent-strong / --text-on-accent) pair — PR #1720 regression FAIL A2: legacy 2.75:1 pair re-emerged on .rf-range-btn.active (bg=var(--accent) fg=#fff) FAIL: 2 assertion(s) tripped on .rf-range-btn.active (issue #1716) ``` Then restored CSS — test passes green on the consolidated state from master. ### GREEN — `eea79791` Removes from `tests/a11y-allowlist.yaml`: ```yaml - route: '/analytics?tab=rf-health' selector: 'button[data-range="24h"]' rule: color-contrast issue: 1716 expires_at: 2026-09-11 ``` ### CI wiring — `b300ce6d` Hooks the new probe into the same `.github/workflows/deploy.yml` step that already runs `test-a11y-axe-1668-selftest.js` and `test-issue-1705-subpath-contrast.js`, so the gate runs on every PR. ## Gate output (after green) ``` $ node test-a11y-1716-rf-range-btn-active.js PASS A1: .rf-range-btn.active routes to var(--accent-strong) + var(--text-on-accent) PASS A2: no legacy var(--accent) + #fff pair on .rf-range-btn.active PASS A3[light]: 4.95:1 (fg=#f9fafb bg=#2563eb) PASS A3[dark]: 4.95:1 (fg=#f9fafb bg=#2563eb) PASS: .rf-range-btn.active gated by consolidated --accent-strong / --text-on-accent pair (issue #1716) ``` The umbrella `#1719` probe also still passes (`PASS: all 4 root-cause patterns ≥ 4.5:1 in both themes`). ## Scope Only the `rf-health` / `.rf-range-btn.active` line. The sibling allowlist entries for `#1714` (nodes), `#1715` (neighbor-graph), and `#1718` (prefix-tool) are out of scope — separate issues, separate PRs. No production CSS touched (PR #1720 did the substantive fix). ## Files changed - `tests/a11y-allowlist.yaml` (−5 lines: drop `#1716` entry) - `test-a11y-1716-rf-range-btn-active.js` (+177 lines: new regression gate) - `.github/workflows/deploy.yml` (+1 line: wire the new gate) ## Preflight All hard gates clean (PII, branch scope, red commit, CSS-var defined, CSS self-fallback, LIKE-on-JSON, sync migration, async migration, XSS sinks). All warnings clean. --------- Co-authored-by: openclaw-bot <bot@openclaw.local> |
||
|
|
b695aec4ec |
fix(#1714): drop nodes a11y allowlist entry — subsumed by #1720 (#1730)
## Summary PR #1720 (commit `a344ae0a`, merged 2026-06-13) introduced `--status-green-text=#15803d` (5.02:1 on white) and routed the `/analytics?tab=nodes` stat-card text usage to the new token. The remaining contrast violation that issue #1714 tracked is gone, so the allowlist entry is stale. ## Change Drop the single allowlist entry tagged `issue: 1714` from `tests/a11y-allowlist.yaml`: ```yaml - route: '/analytics?tab=nodes' selector: '.analytics-stat-card:nth-child(1) > div:nth-child(1)' rule: color-contrast issue: 1714 expires_at: 2026-09-11 ``` No other tabs touched (#1715/#1716/#1718 remain — separate issues, separate PRs). ## Verification The CI a11y gate (`test-a11y-axe-1668.js`) is the authoritative check. It re-renders `/analytics?tab=nodes` in dark+light × desktop+mobile and asserts zero net violations against the trimmed allowlist. With this PR, the entry is gone — if PR #1720's fix were ever reverted, the gate fails immediately (nothing left to mask it). Local repro was not attempted: prior PR #1723 (same allowlist-drop shape, same upstream PR #1720) documented sandbox chromium failures (musl/glibc + Vulkan/EGL); CI is the source of truth for this gate. Before (current `master`, with entry present): CI a11y gate green (the allowlist masks the now-fixed selector). After (this PR, entry removed): CI a11y gate must remain green because the underlying contrast was actually fixed by PR #1720. ## TDD note Config-change exemption per workspace AGENTS.md: - No test files modified. - No production code modified. - Config-only allowlist trim; CI must stay green without test edits. - The gate itself is the test — adding a duplicate assertion file would not catch anything CI does not already catch. Mirrors the exact pattern accepted in PR #1723 (subpaths allowlist drop, same upstream PR #1720 fix). ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` → all hard gates pass, all warnings pass. ("Red commit" gate notes this is a config-change with no test commits, justified above.) Partial fix for #1714 (will switch to `Fixes #1714` once CI a11y gate confirms zero net violations on `/analytics?tab=nodes`). Refs PR #1720, PR #1723. |
||
|
|
92e001c093 |
chore(a11y): drop subsumed subpaths allowlist entries (#1713) (#1723)
## Summary PR #1720 merged (commit `a344ae0a`) and introduced the shared `.btn-active-accent` color-contrast rule, which subsumes the per-link allowlist entries for the subpaths tab pills on `/analytics?tab=subpaths`. This PR removes the 4 now-stale allowlist entries tagged `issue: 1713`: - `a[href$="#sp-pairs"]` - `a[href$="#sp-triples"]` - `a[href$="#sp-quads"]` - `a[href$="#sp-long"]` All four were `rule: color-contrast` exemptions on `/analytics?tab=subpaths`. ## Verification CI a11y gate (`test-a11y-axe-1668.js`) is the authoritative check — it re-renders the route in dark+light × desktop+mobile and asserts zero net violations against the trimmed allowlist. Local repro was attempted but blocked by sandbox chromium issues (musl/glibc relocations on bundled playwright chromium; host chromium hits Vulkan/EGL init failures). Relying on CI a11y job for the green signal. ## TDD note Config exemption per workspace AGENTS.md: - No test files modified. - Config-only allowlist trim; CI must stay green without test edits. Partial fix for #1713 (will switch to `Fixes #1713` once CI a11y gate confirms zero net violations on `/analytics?tab=subpaths`). Co-authored-by: corescope-bot <bot@corescope> |
||
|
|
ae88d38b12 |
chore(a11y): drop subsumed clock-health allowlist entries (#1717) (#1722)
## Summary
Drops the two stale `issue: 1717` entries from
`tests/a11y-allowlist.yaml`. Both were subsumed by PR #1720 (merged at
|
||
|
|
cbe6e94b1a |
fix(#1706): expand axe route coverage to remaining analytics tabs (#1707)
Adds an anti-drift coverage selftest that fails CI if a future analytics tab is added to `public/analytics.js` but not registered in `test-a11y-axe-1668.js` `ROUTES`. Wires it into the `.github/workflows/deploy.yml` axe job alongside the existing reciprocity selftest. ## Relationship to #1706 / #1711 Follow-up to #1706 / #1711 — #1711 already added the 8 missing analytics tabs to `ROUTES` (`subpaths`, `nodes`, `distance`, `neighbor-graph`, `rf-health`, `clock-health`, `scopes`, `prefix-tool`). This PR locks that in: a future tab added to `analytics.js` without a corresponding `ROUTES` entry now breaks CI on this assertion. NOT closing #1706 — that issue is already closed by #1711. ## What the gate does (headline) `test-a11y-axe-routes-coverage.js` scrapes `<button class="tab-btn" data-tab="...">` declarations from `public/analytics.js` and asserts every declared tab is exercised by `test-a11y-axe-1668.js` `ROUTES` as `/analytics?tab=<tab>`. Asymmetry vs the existing selftest, intentional: - `test-a11y-axe-1668-selftest.js` — checks `REGISTERED_ANALYTICS_TABS ⊆ analytics.js` dispatch arms (no dead registrations). - `test-a11y-axe-routes-coverage.js` (new) — checks `analytics.js data-tab buttons ⊆ ROUTES` (no axe-blind tabs). Together they keep the axe matrix honest in both directions. ## Diff scope Only two files vs merge base: - `.github/workflows/deploy.yml` (+1 line — wires the new test into the deploy-job batch) - `test-a11y-axe-routes-coverage.js` (+74 lines, new file) No production code changes, no `ROUTES` changes (those landed in #1711). ## TDD framing Net-new drift gate — no prior assertions to break, no behavior change in shipped UI. Per workspace `AGENTS.md` net-new-test exemption ("net-new UI surfaces … test must land in the SAME PR but doesn't need to be the FIRST commit"), this analogous net-new gate ships green from commit 1. A red→green pair would require a synthetic regression in `analytics.js` or `ROUTES`, which isn't appropriate for an anti-drift guard. ## Local run Local Alpine chromium 136 crashes under Playwright's CDP probe (`posix_fallocate64: symbol not found`) — affects the axe runner generally, not this selftest. The coverage assertion itself is pure Node (file read + regex + set diff) and runs locally clean. Real verdict comes from CI's Playwright-bundled chromium. --------- Co-authored-by: Kpa-clawbot <bot@openclaw.local> |
||
|
|
9b8b613832 |
fix(#1705): WCAG AA contrast on .subpath-selected .hop-prefix (#1712)
## Summary **Regression guard for an already-fixed bug.** The WCAG AA contrast BLOCKER on `.subpath-selected .hop-prefix` called out in #1705 was already resolved by PR #1708 (commit `293efdb6`), which is an ancestor of this branch's base. This PR adds the missing automated test that locks the fix in — it does **not** ship a CSS change. ### Why this is not a TDD red→green sequence Test commit `0d58d1d5` is **green-on-arrival**: the fix it asserts against had already landed days earlier on master. There is no red commit on this branch — running the test at any point on this branch passes. This PR therefore claims the **net-new-test exemption** per `~/.openclaw/workspace-meshcore/AGENTS.md`: bug fixes on EXISTING UI normally require red→green, but where the fix shipped first and the test is a *post-hoc regression guard*, the test lands in the same PR series but does not need to be the first commit. No production behavior is changed by anything in this branch. (The earlier revisions of this body presented a misleading red→green table; that framing was wrong and has been removed.) ## What this PR actually ships Two test files plus CI wiring — all test-only / config-only: 1. `test-issue-1705-subpath-contrast.js` — parses `public/style.css`, extracts `--accent-strong` / `--text-on-accent` per theme, sRGB-composites any `rgba()` foreground against the resolved background, asserts WCAG AA ≥4.5:1 on `.subpath-selected .hop-prefix` in both themes. 2. `test-issue-1705-subpath-contrast-e2e.js` — Playwright/headless-Chromium variant that loads the real `public/style.css` into a DOM mirroring `analytics.js` `renderSubpathsTable`, then asserts `getComputedStyle` contrast on a live `tr.subpath-selected > .hop-prefix`. Catches specificity/cascade regressions the static parser cannot. 3. `.github/workflows/deploy.yml` PR test stage wiring — runs both tests on every PR. ## The bug (historical, already fixed) For context: `.subpath-selected .hop-prefix` measured ~1.87:1 in dark theme (`rgba(255,255,255,0.6)` composited against `var(--accent)` = `#4a9eff`). #1708 (`293efdb6`) swapped `.subpath-selected` background to `var(--accent-strong)` (`#2563eb`) and color to `var(--text-on-accent)` (`#f9fafb`), yielding **4.95:1** in both themes. The child `.hop-prefix` color was set to `inherit` so the prefix cannot be decoratively muted below AA again. ## Parser test — hardening (review r1) Round-1 review pass surfaced 7 must-fix items on the parser test; all addressed: | # | Concern | Fix | |---|---------|-----| | MF3 | Parser asserted declared cascade, not computed style | Added the Playwright E2E variant; `getComputedStyle` resolves specificity natively | | MF4 | CSS comment cited "4.83:1+" while measured value is 4.95:1 | Comment updated to `#f9fafb on #2563eb = 4.95:1` | | MF5 | `extractBlockTokens` silently returned `{}` when the regex didn't match | Throws with selector label; defensive assertion verifies `:root` declares the three tokens | | MF6 | `'inherit'` on the child color fell back to `#ffffff` silently | Now throws; callers either declare the parent color or use the Playwright variant where `inherit` resolves natively | | MF7 | `extractDecl` picked the last regex match across rules with no specificity model | Now throws on N>1 distinct values; warns on N>1 identical values | ## E2E test — hardening (polish v2) - M2: removed dead `<link rel="stylesheet" href="file://...">` element from the test HTML template — `setContent` runs against `about:blank` origin and cannot fetch `file://`, so the link was dead. CSS is injected inline via `page.evaluate` (unchanged). Removed the now-unused `cssHref` declaration. - M3: fixed misleading class comment — the production table uses `.analytics-table` (see `analytics.js` `renderSubpathsTable`), so the fixture's `class="analytics-table subpaths-table"` was misleading. Stripped `.subpaths-table` from the fixture and corrected the comment to cite the real production class. ## Acceptance criteria - [x] `.subpath-selected .hop-prefix` ≥4.5:1 in both themes — verified by both tests (parser + E2E) - [x] Regression test added covering the selected state, wired into PR CI Partial fix for #1705 — leaves the issue open for the audit-probe alpha-compositing work (private tooling, out of scope here). ## Local test results - `node test-issue-1705-subpath-contrast.js` (parser): **PASS** — `light 4.95:1 / dark 4.95:1` - `node test-issue-1705-subpath-contrast-e2e.js` (Playwright): **SKIP** in dev sandbox (chromium relocation error — musl/arm sandbox-in-sandbox); CI installs the Playwright-bundled binary via `npx playwright install chromium` and runs with `CHROMIUM_REQUIRE=1` --------- Co-authored-by: CoreScope Bot <bot@corescope.local> Co-authored-by: Kpa-clawbot <bot@openclaw.local> Co-authored-by: clawbot <clawbot@users.noreply.github.com> |
||
|
|
a344ae0a12 |
fix(#1719): contrast root causes — active-btn / skew-badge / role-swatch / status-green (#1720)
## Summary Fixes the four recurring color-contrast root causes #1719 identifies behind ~320 axe violations on PR #1707's expanded gate. All fixes are token-based; no hardcoded hex introduced. ## TDD - **Red:** `151db732` — `test-a11y-1719-contrast-root-causes-e2e.js` asserts WCAG AA on all 4 patterns; failed with 12 sub-threshold probes. - **Green:** `dd26554e` — fixes below; test now reports 11/11 PASS. ## Patterns + measured contrast (before → after) | # | Surface | Before | After | Note | |---|---|---|---|---| | P1 | `.rf-range-btn.active` / `.clock-filter-btn.active` / `.subpath-jump-nav a` / `#ptCheckBtn` / `#ptGenBtn` | `#fff` on `--accent` (#4a9eff) = **2.75:1** | `--text-on-accent` on `--accent-strong` = **4.95:1** | Consolidated into ONE grouped `.btn-active-accent, ...` rule; inline buttons now use the shared class | | P2 | `.skew-badge--no_clock` (dark theme) | `#fff` on `--text-muted` (#d1d5db) = **1.47:1** | `#fff` on `--skew-badge-no-clock-bg` (#4b5563) = **7.56:1** | New dedicated token, both themes | | P3 | Neighbor-graph role swatches, light theme on white | room 3.30:1 / sensor 3.19:1 / observer 4.23:1 | room **5.02** / sensor **5.02** / observer **5.70** | `customize.js` defaults bumped to palette-{green/amber/purple}-700 | | P4 | `.analytics-stat-card` text in `--status-green` on white | **2.28:1** | new `--status-green-text` = #15803d → **5.02:1** | `--status-green` background token unchanged (still #22c55e); inline text usages routed to the new token | ## Why this unblocks #1707 #1707's 320 axe color-contrast hits decompose into: - 137× single-rule `.skew-badge--no_clock` → P2. - ~N×4 active-button surfaces (rf-health / clock-health / subpaths / prefix-tool) → P1. - Role-swatch text on `/#/analytics?tab=neighbor-graph` (light) → P3. - `.analytics-stat-card` text on `/#/analytics?tab=nodes` (light) → P4. After this merges, the next CI run on #1707 should see the expanded gate go green (or down to a small ≤5 residual the operator can triage separately per the issue's acceptance criteria). ## Local axe gate `BASE_URL=… node test-a11y-axe-1668.js` was **NOT** run locally — the sandbox's bundled chromium fails to boot Playwright (known issue). CI on this PR runs the same gate against the staging fixture; relying on that. The dedicated test `test-a11y-1719-contrast-root-causes-e2e.js` is CSS+JS-parse-driven (no browser) and runs in <100ms — it's the regression net for these 4 patterns specifically. ``` $ node test-a11y-1719-contrast-root-causes-e2e.js PASS [P1] theme=light .rf-range-btn.active fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P1] theme=light .clock-filter-btn.active fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P1] theme=light .subpath-jump-nav a fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P1] theme=dark .rf-range-btn.active fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P1] theme=dark .clock-filter-btn.active fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P1] theme=dark .subpath-jump-nav a fg=#f9fafb bg=#2563eb ratio=4.95:1 PASS [P2] theme=light .skew-badge--no_clock fg=#fff bg=#4b5563 ratio=7.56:1 PASS [P2] theme=dark .skew-badge--no_clock fg=#fff bg=#4b5563 ratio=7.56:1 PASS [P3] theme=light nodeColors.room on white fg=#15803d bg=#ffffff ratio=5.02:1 PASS [P3] theme=light nodeColors.sensor on white fg=#b45309 bg=#ffffff ratio=5.02:1 PASS [P3] theme=light nodeColors.observer on white fg=#7c3aed bg=#ffffff ratio=5.70:1 PASS [P4] theme=light .analytics-stat-card text color (--status-green-text) fg=#15803d bg=#ffffff ratio=5.02:1 PASS [P4] theme=dark .analytics-stat-card text color (--status-green-text) fg=#22c55e bg=#232340 ratio=6.65:1 PASS: all 4 root-cause patterns ≥ 4.5:1 in both themes (issue #1719) ``` ## Out-of-scope (intentional) - Other text-on-light `var(--status-green)` usages in `nodes.js` (Critical/Valuable labels): different surface, not the analytics-stat-card pattern #1719 calls out. Tracked under analytics audit umbrella. - Hardcoded `var(--status-green, #2ecc71)` fallback in `nodes.js` lines 648/666: same scope deferral. - Allowlist entries: none added per the issue's acceptance criteria. Fixes #1719. --------- Co-authored-by: clawbot <clawbot@kpa.local> Co-authored-by: Kpa-clawbot <bot@openclaw.local> |
||
|
|
4d2033da0f |
fix(#1709): restore Live map viewport from lat/lon/zoom hash params (#1721)
## Summary Fixes #1709 — implements deep-link viewport restoration on the Live page so `#/live?lat=43.0731&lon=-89.4012&zoom=12` (and the `node=` combo) center+zoom the map identically to how `/#/map?lat=...&lon=...&zoom=...` already worked. ## Approach Extracted a shared `parseViewportHash(hashOrSearch, opts)` helper in `public/app.js` (next to existing `getHashParams()`) and wired it into BOTH call sites — Live and Map — so the parse/validate logic is DRY and unit-testable. ### `parseViewportHash` contract - Accepts a full hash (`#/live?lat=...`) OR a bare query string (`lat=...&lon=...`). - Returns `{lat, lon, zoom}` only if BOTH `lat` and `lon` parse to finite numbers within bounds (`lat ∈ [-90, 90]`, `lon ∈ [-180, 180]`). Partial lat-only or lon-only is rejected — the issue explicitly forbids partial application of a center. - `zoom` defaults to 12 when missing, must be numeric when present, and is clamped to `[minZoom, maxZoom]` (defaults `[1, 20]` — sensible Leaflet fallback when the tile-provider config isn't supplied). - Returns `null` for any null/empty/invalid input. ### Precedence chain (Live) 1. **URL hash `lat`/`lon`/`zoom`** — highest priority. Applied BEFORE the initial `setView()` so the very first render lands at the requested viewport (no visible recenter from default → URL), AND in the localStorage-restore block so URL overrides `live-map-view`. 2. `live-map-view` localStorage (existing fallback, preserved). 3. `/api/config/map` defaults (existing default, preserved). ### Node-filter URL preservation The existing node-filter URL update logic at `public/live.js:1634` / `1650` already seeds `params` from `getHashParams()`, so unrelated keys (including `lat`/`lon`/`zoom`) already survive node filter changes. Added two source-grep regression tests to guard against future regressions (catches the anti-pattern `const params = new URLSearchParams(); params.set('node', ...)` which would silently clobber the viewport). ## Files changed - `public/app.js` — `+47/-0` — new `parseViewportHash()` helper + window expose. - `public/map.js` — `+8/-4` — replaces inline `parseFloat`/`parseInt` block with helper call. - `public/live.js` — `+22/-3` — applies helper at init (`setView` line) AND in the localStorage-restore block so URL overrides both fallbacks. - `test-frontend-helpers.js` — `+105/-0` — 14 `parseViewportHash` unit tests + 2 live.js source-grep regression tests for the node-filter URL flow. ## TDD red→green - **Red commit** `e6baf935` (FIRST commit on branch): adds tests + a stub `parseViewportHash` returning `null`. 10 of the 14 unit tests fail on assertion (not import error); 2 live.js source-grep tests already pass against current master (regression guards). - **Green commit** `43b3cb5f`: implements the helper + wires both call sites. All 16 new tests pass. ## Test output (`node test-frontend-helpers.js`, last 15 lines) ``` ✅ #825: deep link to unencrypted #channel falls through to REST and renders messages ✅ deriveKey: SHA256("#test")[:16] matches known value ✅ deriveKey: returns 16 bytes ✅ #815 preserved: deep link to #channel with stored key triggers decrypt path (no lock) ✅ invalidateApiCache causes api to re-fetch after cache bust ✅ computeChannelHash: SHA256(key)[0] ✅ verifyMAC: valid MAC passes ✅ verifyMAC: invalid MAC fails ✅ invalidateApiCache with no prefix busts all entries ✅ invalidateApiCache with prefix only busts matching ════════════════════════════════════════ Frontend helpers: 625 passed, 2 failed ════════════════════════════════════════ ``` The 2 failures (`favStar returns filled star for favorite`, `favStar returns empty star for non-favorite`) are **pre-existing on master** and unrelated to this PR — confirmed by running on `origin/master` before any changes. ## Acceptance criteria (issue #1709) 1. ✅ `#/live?lat=43.0731&lon=-89.4012&zoom=12` centers Live map at that lat/lon/zoom. 2. ✅ `#/live?node=ABC123&lat=43.0731&lon=-89.4012&zoom=12` applies BOTH node filter AND viewport (`getHashParams().get('node')` already feeds `setNodeFilter`; helper independently parses lat/lon/zoom). 3. ✅ URL viewport params override `live-map-view` localStorage (URL check runs first AND overrides the savedView branch). 4. ✅ Invalid viewport params ignored safely (`parseViewportHash` returns `null` on any out-of-range / NaN input). 5. ✅ Missing `lat` or `lon` does NOT partially apply a center (helper requires both). 6. ✅ Live node-filter URL update preserves unrelated params — existing `getHashParams()` seeding + new regression tests. 7. ✅ No backend endpoint changes (`grep -l '\.go$' diff` → empty). ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` → **clean** (all 12 gates pass, no warnings). --------- Co-authored-by: Kpa-clawbot <bot@kpabap.dev> Co-authored-by: Kpa-clawbot <bot@openclaw.local> |
||
|
|
69fba8032d |
test(a11y): expand axe CI gate to all 14 analytics tabs + prefix-tool (#1706) (#1711)
## Summary Closes #1706. Expands the axe-core a11y CI gate (`test-a11y-axe-1668.js`) to cover the 7 missing analytics tabs plus the `prefix-tool` utility surface. Before this PR, only 7 of 14 analytics tabs were gated; the other 7 could regress on contrast/aria without CI noticing. ## Changes **`test-a11y-axe-1668.js`** — adds 8 hash-routes to `ROUTES`: - `/analytics?tab=subpaths` - `/analytics?tab=nodes` - `/analytics?tab=distance` - `/analytics?tab=neighbor-graph` - `/analytics?tab=rf-health` - `/analytics?tab=clock-health` - `/analytics?tab=scopes` - `/analytics?tab=prefix-tool` The `prefix-tool` route was verified by greppping `public/analytics.js`: the dispatch arm is `case 'prefix-tool':` (line 292), the nav button uses `data-tab="prefix-tool"` (line 132), and existing UI cross-links use `#/analytics?tab=prefix-tool` (lines 1467, 1469, 1795, 3064). It lives in the analytics tab strip, not a separate `/tools/...` route. `REGISTERED_ANALYTICS_TABS` already lists all 15 tabs (the selftest's reciprocity check kept the constant honest), so no sibling slug-list at line ~82 needed updating beyond the existing list. **`test-a11y-axe-1668-selftest.js`** — adds a meta-assertion that loops over `REGISTERED_ANALYTICS_TABS` and asserts each `tab` has a matching `/analytics?tab=<tab>` entry in `ROUTES`. This locks the gate forever: any new analytics tab added to `analytics.js` will fail the selftest unless its route is also gated. ## TDD shape (red → green) - **Red commit** `a1d9aa8e` — adds the meta-assertion to the selftest. Selftest fails with `#1706: ROUTES missing analytics tab coverage for "/analytics?tab=subpaths"` (asserted, not a build error). - **Green commit** `501d9572` — adds the 8 missing entries to `ROUTES`. Selftest passes: `routes=24 themes=2 allowlist=0`. Cell count: 24 routes × 2 themes × 2 viewports = **96 cells** (was 64). ## Allowlist / tracking issues None yet. The 7 new analytics tabs and `prefix-tool` have not yet been exercised by the full axe browser run in CI — that happens when this PR runs. Per the M5 policy embedded in the gate's header, if any of the new routes fails axe on first run, a follow-up tracking issue + per-policy allowlist entry will be filed (the violations will NOT be silenced in this PR, and the routes will NOT be removed). I'll watch CI and report back. ## Out of scope Per the issue: - No keyboard-nav / focus-visible coverage (separate gap). - No modal / slideover open-state scans (separate gap). - No tufte / density work. - No source-code modifications to any analytics tab (contrast/aria fixes happen in follow-up PRs, not here). ## Preflight Ran `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` — all hard gates pass, no warnings. ## Verification ``` $ node test-a11y-axe-1668-selftest.js PASS: a11y-axe-1668 selftest — routes=24 themes=2 allowlist=0 ``` --------- Co-authored-by: clawbot <bot@kpa-clawbot.local> Co-authored-by: Kpa-clawbot <bot@openclaw.local> Co-authored-by: openclaw-bot <bot@openclaw> |
||
|
|
293efdb647 |
fix(#1705): subpath-selected hop-prefix contrast BLOCKER (dark, 1.87:1 → ≥4.5:1) (#1708)
## Summary Fixes the BLOCKER half of #1705: `.subpath-selected .hop-prefix` contrast in `public/style.css`. | | Before | After | |---|---|---| | background | `var(--accent)` = `#4a9eff` | `var(--accent-strong)` = `#2563eb` | | color (primary) | `#fff` | `var(--text-on-accent)` = `#f9fafb` | | color (hop-prefix) | `rgba(255,255,255,0.6)` | `var(--text-on-accent)` | | measured contrast (hop-prefix) | **1.87:1** (composite over `--accent`, dark) | **4.95:1** (light + dark) | Pure token swap onto the existing `--accent-strong` / `--text-on-accent` pair already used by `.badge-selected`, `.filter-bar .btn.active`, `.dropdown-item:hover` etc. No new hex literals. Light and dark themes both pass WCAG AA body text (≥4.5:1). ## TDD trail - Red: `033f8e4c` — `test-a11y-1705-subpath-hop-prefix-e2e.js`. Parses `public/style.css`, resolves the relevant tokens per theme, composites the alpha-bearing text over the rendered background, asserts WCAG contrast ≥ 4.5:1. Failed with `ratio=1.87:1` on both themes — the exact value cited in #1705. - Green: `db6b9dd0` — CSS fix. Test now reports `composite=#f9fafb, ratio=4.95:1` on both themes. Why a dedicated test (not just `test-a11y-axe-1668.js`): `.subpath-selected` is a click-state class, so the umbrella axe gate never sees it during initial-paint scans. This is the canonical "state-only" a11y regression class — the umbrella gate is structurally blind to it. ## Out of scope (documented in #1705 for separate follow-up) - The **a11y audit probe correctness fix** (alpha-composite + parent-bg walk) lives in workspace tooling (`workspace-meshcore/a11y-audit/audit.py`), not in this repo. The probe-correctness write-up is captured in #1705 itself; this PR is exclusively the CSS BLOCKER + regression test. - "Other rgba-based dark-mode contrast surfaces" — per the issue's Out-of-scope section, those get filed separately if discovered. ## Local verification ``` $ node test-a11y-1705-subpath-hop-prefix-e2e.js PASS theme=dark bg=#2563eb text=#f9fafb ratio=4.95:1 PASS theme=light bg=#2563eb text=#f9fafb ratio=4.95:1 ``` The full `test-a11y-axe-1668.js` gate could not be exercised on this sandbox (Chromium SIGTRAPs against the host kernel — unrelated to this change). CI runs it on Ubuntu where the umbrella ruleset already enforces the 0-violation policy. ## Browser verified CSS-only change in a CSS-variable swap. Computed values are deterministic from the stylesheet and asserted by the new test; no JS / DOM / render-path is touched. ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` — all gates clean. Fixes #1705 --------- Co-authored-by: clawbot <bot@clawbot.local> Co-authored-by: Kpa-clawbot <bot@clawbot> |
||
|
|
97833c523b |
fix(post-packets): use v3 observations schema (closes #1196) (#1704)
## Summary `POST /api/packets` is broken on every v3-schema install — which is the default since #1289. The handler issues two writes against legacy v2 column names and silently swallows the observation insert's error, returning `200 OK` with `id>0` while persisting zero observation rows. ## Root cause `cmd/server/routes.go:1225-1235` (pre-fix) used the v2 schema shape: ```go INSERT INTO transmissions (... path_json ...) // path_json removed in v3 INSERT INTO observations (transmission_id, observer_id, observer_name, snr, rssi, timestamp) // v2 columns // timestamp written as RFC3339 text; v3 wants unix INTEGER // second Exec's error was discarded ``` v3 schema (`cmd/ingestor/db.go:289-304`): `observations.observer_idx INTEGER` (FK `observers.rowid`), `observations.timestamp INTEGER` (unix epoch), `path_json` lives here not on `transmissions`. Reporter [@EldoonNemar](https://github.com/EldoonNemar) called this out precisely in #1196 — both the schema mismatch and the divergence between the test harness (which uses the v3 shape) and the handler (v2 shape). ## Fix `cmd/server/routes.go`: - `transmissions` insert: drop `path_json` column. - Observer resolution: `INSERT OR IGNORE INTO observers (id, name, ...)` then `SELECT rowid` — mirrors the ingestor resolver at `cmd/ingestor/db.go:778,906`. - `observations` insert: write `observer_idx INTEGER` + `timestamp = time.Now().Unix()`; `path_json` moved here. - **Propagate both insert errors** (transmission + observation) as `500` instead of swallowing them. ## TDD | Step | Commit | Result | | ----- | ------- | ------ | | RED | `46d25389` | Test fails on master: `id=0` because the transmissions insert references a column not present in v3. | | GREEN | `dae57d67` | Test passes; round-trip persists the observation with `observer_idx` resolved from the seeded `obs1` row and a unix-epoch `timestamp`. | Local repro: ``` # RED on the test commit alone: $ go test -run TestPostPacketPersistsV3Schema -count=1 . --- FAIL: TestPostPacketPersistsV3Schema (0.03s) routes_test.go:4755: expected transmission id > 0, got 0 (body: {"id":0,"decoded":{...}}) FAIL # GREEN on HEAD: $ go test -run TestPostPacketPersistsV3Schema -count=1 . ok github.com/corescope/server 0.037s ``` ## Scope Two files, both in `cmd/server/`: - `cmd/server/routes.go` (+38/-12) — handler rewrite - `cmd/server/routes_test.go` (+66) — round-trip regression test No public API signature changes. No DB schema changes (consumes the existing v3 schema correctly). Closes #1196 |
||
|
|
76e130b313 |
fix(#1702): grant actions: write to release-fast-path workflow (#1703)
## Summary Fixes the missing `actions: write` permission on `.github/workflows/release-fast-path.yml` so the fallback `gh workflow run deploy.yml` dispatch no longer returns HTTP 403. ## Triage verdict From issue #1702 root-cause section: > Fast-path workflow YAML likely lacks: > ```yaml > permissions: > contents: read > packages: write > actions: write # MISSING — required to dispatch other workflows > ``` > ## Fix > One-line addition to `.github/workflows/release-fast-path.yml` permissions block. ## Root cause `.github/workflows/release-fast-path.yml` lines 16-18 (before this change) only granted `contents: read` and `packages: write`. The fallback step (`gh workflow run deploy.yml` when `:edge`'s `org.opencontainers.image.revision` label doesn't match the tag SHA) calls the GitHub Actions REST API, which requires `actions: write` on `GITHUB_TOKEN`. Without it, the dispatch fails with `Resource not accessible by integration` and the release stalls until an operator manually re-runs the fast-path job after `:edge` rebuilds. ## Change - `.github/workflows/release-fast-path.yml`: add `actions: write` to the workflow-level `permissions:` block. - `cmd/server/release_fast_path_workflow_test.go`: extend the existing config-gate test (issue #1677) to require `actions: write` alongside the previously asserted `contents: read` and `packages: write`. Two commits, red→green: 1. `test(#1702): assert release-fast-path.yml requires actions: write` — extends the assertion. Verified to fail on this commit (`release-fast-path.yml: missing required permission "actions: write"`). 2. `fix(#1702): grant actions: write to release-fast-path workflow` — adds the permission. Test green. ## TDD posture The repo already had a YAML-config gate at `cmd/server/release_fast_path_workflow_test.go` (parses the workflow as text and asserts required permission strings). Strict TDD applied: red commit extends the test, green commit fixes the workflow. No exemption needed. ## Acceptance criteria (from #1702) - [x] `permissions.actions: write` added to the fast-path workflow - [ ] Manual test: tag a scratch SHA where `:edge` is stale; confirm fallback dispatches deploy.yml without 403 — by-design out of CI scope (would require a throwaway tag + race condition); covered by next real release. - [ ] Operator-felt: next release where notes-commit lands AFTER `:edge` build completes works in one pass without manual rerun — verifiable only on next release; in-scope of `Closes #1702` because bullet 1 (the structural defect) is the cause of bullets 2 and 3. ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` → **clean** (all hard gates pass, no warnings). Closes #1702 --------- Co-authored-by: Kpa-clawbot <kpa-clawbot@users.noreply.github.com> |
||
|
|
eaac816280 |
feat(#1668): M6 — expanded axe ruleset (mobile + image-alt + label) (#1700)
# M6 — expanded axe ruleset (#1668) **Closes #1668.** M1-M5 already merged: M2 palette/contrast, M3 typography, M4 per-route polish, M5 axe gate + 443→0 fixes. ## What this PR adds ### Expanded axe ruleset - New rules: image-alt, label, aria-required-attr, aria-valid-attr (12 total, verified 0 violations on master after one fix) - Mobile viewport (375×812) added alongside existing 1200×900 desktop - TDD: RED commit `d3e4309e` expands the rule/viewport set deliberately to fail; GREEN commit `5599068f` adds the one needed aria-label fix on audio-lab BPM + Volume sliders ## What this PR does NOT include The letsmesh A/B verification artifact (initially scoped for M6) is split out to a follow-up issue. The capture script needs more work to reliably navigate post-onboarding state on both sites. Tracked separately so the gate-expansion work isn't held up by tooling. ## Test plan - `test-a11y-axe-1668.js` runs new ruleset across both viewports — 0 violations baseline (on master pre-merge AND post-merge) - `test-a11y-axe-1668-selftest.js` unchanged (allowlist semantics still apply) - Anti-tautology: reverting `5599068f` produces 8 net violations on `#alabBPM`/`#alabVol` × 2 themes × 2 viewports ## Notes - Allowlist still empty (per M5 policy — issue# + expires_at required) - M5 token work covered all color-contrast surfaces; M6's image/aria additions only required one fix (audio-lab sliders) --------- Co-authored-by: Kpa-clawbot <bot@openclaw.local> |
||
|
|
3c440c0049 | docs(v3.9.2): release notes v3.9.2 | ||
|
|
d954ea7444 |
feat(#1668): axe-core CI gate for WCAG AA color-contrast (M5) (#1696)
Partial fix for #1668 (M5 of 6). After M1 (audit), M2 (color tokens, #1676), M3 (typography floor, #1679), and M4 (per-route polish, #1681) cleared ~95% of contrast/typography violations, M5 **locks in the wins** by adding an axe-core CI gate that fails the build on any new WCAG AA color-contrast regression. ## What's in the box - `test-a11y-axe-1668.js` — Playwright + `@axe-core/playwright`. Runs every major CoreScope route × `{dark, light}` at 1200×900 desktop, injects axe, runs only the `color-contrast` rule, asserts net violations === 0. - `test-a11y-axe-1668-selftest.js` — fast, deterministic, browser-free unit test that exercises the YAML allowlist parser, the `violationAllowed` matcher, and the route/theme metadata. Runs in the JS unit block (no browser needed). - `tests/a11y-allowlist.yaml` — operator-flagged false-positive allowlist. **0 entries at M5 baseline.** ## Allowlist format Each entry MUST cite a GH issue # and an `expires_at` date. Missing fields = refused. Expired `expires_at` = refused (warning logged). This **forces a periodic revisit** — no permanent suppressions. ```yaml - route: /analytics?tab=channels selector: ".some-known-stale-element" rule: color-contrast issue: 1234 expires_at: 2026-09-01 ``` ## Routes covered (19 × 2 themes = 38 cells) `/`, `/packets`, `/nodes`, `/channels`, `/live`, `/map`, `/observers`, `/compare`, `/analytics?tab={overview,rf,topology,channels,hashsizes,collisions,roles,airtime}`, `/audio-lab`, `/customize`, `/replay`. ## TDD red→green - **RED** (`08adafdb`) — adds the gate + deliberately regresses `--text-muted` from `palette-gray-700` (~10:1) to `#9ca3af` (~2.4:1). axe-core fails on every light-theme cell. - **GREEN** (`f62fb1e0`) — restores the M2 token. Net violations = 0 across all 38 cells. ## Scope discipline - Only `color-contrast` (matches M2/M3/M4 scope). M6 owns `image-alt`, `aria-required-attr`, `label`, mobile viewports, and letsmesh A/B. - No new design tokens. - M2-M4 tokens untouched. ## CI wiring - `.github/workflows/deploy.yml:155` — selftest in JS unit block. - `.github/workflows/deploy.yml:367` — real axe browser run in the Playwright E2E block after the fixture server is up. ## Deps `@axe-core/playwright@4.11.3` + `axe-core@4.12.1` added to `devDependencies`. Pinned versions. --------- Co-authored-by: openclaw-bot <bot@openclaw.local> Co-authored-by: clawbot <clawbot@users.noreply.github.com> |
||
|
|
e96f0f9f9f |
fix(#1694): port extended ACK decoder to server (ackLen/ackAttempt/ackRand parity) (#1695)
## Summary Ports the firmware-1.16.0 extended ACK decoding from the ingestor (PR #1618, issue #1610) into the server-side re-decoder. Previously `cmd/server/decoder.go` silently dropped `ackLen`, `ackAttempt`, and `ackRand` (and the multipart inner equivalents) — the server emitted plain 4-byte ACKs even when the wire carried the 5/6-byte extended form. Now both decoders agree byte-for-byte. Closes #1694. ## What changed - `cmd/server/decoder.go::decodeAck`: sets `AckLen` (capped at 6), `AckAttempt` (`buf[4]` when `len>=5`), `AckRand` (`buf[5]` when `len>=6`). Mirrors `cmd/ingestor/decoder.go:279-305`. - `cmd/server/decoder.go::decodeMultipart` ACK branch: sets `InnerAckLen = len(buf)-1` (capped at 6), `InnerAckAttempt`, `InnerAckRand`. Mirrors `cmd/ingestor/decoder.go:696-714`. - `Payload` struct gains six `*int` fields tagged `omitempty`: `AckLen`, `AckAttempt`, `AckRand`, `InnerAckLen`, `InnerAckAttempt`, `InnerAckRand`. Backward-compatible JSON — legacy 4-byte ACKs leave attempt/rand nil and the fields are omitted from the output. No other decoder consumer is touched. Routes / store auto-surface the new fields via JSON marshaling. ## Test layout `cmd/server/decoder_ack_extended_test.go` drives `decodeAck` table-driven across the three wire shapes: | Buffer | AckLen | AckAttempt | AckRand | |---|---|---|---| | `EF BE AD DE` (CRC only) | 4 | nil | nil | | `EF BE AD DE 07` | 5 | 7 | nil | | `EF BE AD DE 07 42` | 6 | 7 | 0x42 | Plus `TestDecodeMultipartAckExtendedInner` for a 7-byte multipart buffer (`0x33` header + 6-byte inner ACK), asserting `InnerAckLen=6`, `InnerAckAttempt=7`, `InnerAckRand=0x42`. ## TDD trail - **Red commit** (test + struct stubs only, `decodeAck`/`decodeMultipart` unchanged) → assertions fail on `AckLen=nil`. - **Green commit** (port implementation) → all assertions pass. Full `cd cmd/server && go test ./...` passes locally. ## Firmware refs - `firmware/src/helpers/BaseChatMesh.cpp:218-234` (extended ACK layout) - firmware commit `f6e6fdaa` (attempt counter) - firmware commit `a130a95a` (RNG byte) --------- Co-authored-by: Kpa-clawbot <bot@kpa-clawbot> |
||
|
|
547b141530 |
fix(#1697): MQTT sources panel — mobile card layout at ≤640px (#1698)
## Fix
At ≤640px viewports, `public/mqtt-status-panel.js::renderPanel` now
emits a stacked
card per source instead of the 7-column desktop table that overflowed
375px screens
and ran `connected`/`never` together. Desktop (≥641px) keeps the
original table verbatim.
Each mobile card surfaces all 7 data points:
```
[●] gomesh connected 27s ago
wss://mqtt.gomesh.dev
5m: 27 Total: 1247 Disc: 0
```
## Implementation
- `renderTable(sources, now)` — extracted desktop layout (no behavior
change)
- `renderCards(sources, now)` — new mobile card layout, M2 tokens + M3
typography
- `renderPanel` reads `window.innerWidth` and picks one
- Debounced (150ms) `resize` listener flips layout when crossing the
640px bucket
- All colors via `var(--status-green/-red/-yellow)`,
`var(--text-muted)`,
`var(--border)`, `var(--card-bg)` — no inline hex
- All type via `var(--fs-sm)` + `var(--fw-medium)` — no hardcoded px
font sizes in cards
- Broker URL wraps with `word-break: break-all`
- No width ≥400px declared anywhere — eliminates 375px horizontal
overflow
## TDD — red→green visible
- Red commit: `d127d08f` (test only — fails on master with assertion
errors)
- Green commit: `816afc9b` (implementation — all 5 tests pass)
- Wired into `.github/workflows/deploy.yml` JS unit-test block.
## Browser verification (staging 375×812, dark + light)
Overflow probe results (staging, real fixture):
| | scrollWidth | clientWidth | overflow? |
|---|---|---|---|
| BEFORE (master) | 517 | 335 | YES (+182px) |
| AFTER (this PR) | 335 | 335 | no |
Staging URL: http://analyzer-stg.00id.net/#/observers (hot-patched with
the new file).
E2E assertion added: `test-issue-1697-mqtt-mobile-e2e.js:60` ("mobile
375px: renders cards (no desktop table)").
Browser verified: screenshots at
`workspace-meshcore/a11y-audit/operator-reports/1697-{before,after}-{dark,light}-375.png`.
## Preflight gates
All hard gates pass — PII / branch scope / red-commit / CSS-var / CSS
self-fallback /
LIKE-on-JSON / sync-migration / async-migration / XSS sinks (false
positive on
`innerHTML='str'` literal — string is hard-coded constant in empty-state
branch,
no payload data).
Fixes #1697.
---------
Co-authored-by: openclaw-bot <bot@openclaw.local>
|
||
|
|
a4af0285fd |
fix(#1692): parallelize loadObservers + loadPackets in /packets init() (#1693)
## Summary Fixes #1692 — `public/packets.js::init()` serialized `loadObservers()` and `loadPackets()`, blocking `/api/packets` behind `/api/observers`. On loaded CI runners the cumulative wait pushed first-row render to 25–40s, which is the root cause of the persistent #1662 slideover flake and a real operator-felt latency on slow links. ## Fix (Option B — `Promise.all`) ```js // before await loadObservers(); loadPackets(); // after await Promise.all([loadObservers(), loadPackets()]); ``` Option B chosen over fire-and-forget (Option A) because `renderLeft()` synchronously iterates `observers` to build the observer-filter dropdown (`for (const o of observers)` at packets.js:1636). With Option A the menu would render empty on first paint and not refresh until the next user-triggered render. Promise.all preserves the existing render contract while halving worst-case latency — the two fetches now run in parallel and the slower one gates `renderLeft()`. ## TDD - **RED `c7184188`** — `test-issue-1692-packets-init-parallel-e2e.js` stubs `/api/observers` with a 4s delay via `page.route()`, asserts first `tr[data-hash]` < 3000ms. Fails on serial init (blocked at 4s). - **GREEN `903020c5`** — init refactor + wire test into `.github/workflows/deploy.yml` deploy job. ## Out of scope (separate PR per #1692 acceptance #2/#3) The 30s row-wait timeout and 3-iter flake-gate in `test-slideover-1056-e2e.js` + `deploy.yml` were stop-gaps for the underlying serialization. They stay in this PR — they should be reverted in a follow-up after operators confirm the latency fix holds in production. ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` → all gates pass (PII, branch scope, red commit, CSS vars, LIKE-on-JSON, sync/async migration, XSS). ## Browser verification Local headless chromium on this sandbox crashes on the heavy `/packets` page (small `/dev/shm`, ARM constraints documented in AGENTS.md). Test is gated on CI runner where the harness runs. --------- Co-authored-by: CoreScope Bot <bot@corescope.local> Co-authored-by: clawbot <clawbot@users.noreply.github.com> Co-authored-by: Kpa-clawbot <bot@kpa-clawbot> |
||
|
|
6dfe589b57 |
fix(#1668): per-route polish — hash cells, badges, /live, modals (M4) (#1681)
Partial fix for #1668 (M4 of 6). After M2 (color tokens, PR #1676, ~85% BLOCKER) and M3 (typography floor, PR #1679, ~87% MAJOR), what's left are route-specific structural issues that token/floor passes can't reach. M4 closes those with surgical carve-outs — no new top-level tokens, no semantic encoding flattened. ## Route × selector × fix | Route | Selector | Before | After | |---|---|---|---| | `/analytics?tab=hashsizes` `/analytics?tab=collisions` | `td.hash-cell` + `-collision/-taken/-possible` (302+ M1 violations) | 11px/400; collision-fg 3.61, taken-fg 2.5, possible-fg 1.9 on respective bg | 12px base, 12px/700 on semantic cells. Bg palette preserved (green/yellow/orange still distinct). Inline style in analytics.js bumped 11→12. | | `/packets` `/live` `/nodes` (everywhere `<span class="badge badge-*">`) | All 14 TYPE_COLORS badges (ADVERT, REQUEST, RESPONSE, …) | `${color}20` translucent wash with `color: ${color}` — ratio **1.0–4.25, all BLOCKER** | `syncBadgeColors` rewritten: pick readable fg by luminance, darken bg in 8% steps until AA (≥4.5:1). All 14 PASS (4.57–7.94). TYPE_COLORS itself unchanged — map dots / live-feed dots keep full hue. | | `/live` | `.vcr-live-btn` ("LIVE") | `rgba(239,68,68,0.2)` + status-red fg = **1.0:1** | Solid `--status-red` + #fff = 5.25:1; 12px/700 | | `/live` | `.vcr-scope-btn.active` (1h/6h/12h/24h selected) | `--accent-bg` wash + `--text` = 2.98:1 BLOCKER | `--accent-strong` + `--text-on-accent` (M2 tokens, AA) | | `/live` | `.vcr-btn` `.vcr-scope-btn` | 0.9rem/400, 0.75rem/400 (thin-small) | 14px/500, 12px/500 desktop; 12px/600 ≤640px | | `/live` | `.live-feed-empty` | 12px/400 (thin-small) | 12px/500 | | `/packets` (path hops) | `.path-hops .hop-named` | font-size inherited (variable) | explicit 12px/600 | ## TDD & gating - **RED** `341f47f1` — 23 assertion failures (9 typography + 14 badge-contrast). New gate `test-issue-1668-m4-per-route.js` executes `syncBadgeColors` in a VM sandbox and asserts each emitted `.badge-*` rule clears WCAG AA; also checks rule-level font-size/font-weight floors. - **GREEN** `6ef17491` — both axes 0/0. - Test wired into `.github/workflows/deploy.yml:144` alongside M3. - Anti-tautology proven locally: `git stash public/roles.js` returns the test to FAIL with the badge assertions; pop restores GREEN. ## Re-scan findings `a11y-audit/m4-rescan.jsonl` — `/live` (timed out in M1) now probes cleanly: 29 dark / 39 light residuals all caught by this PR. Channel-add and customize modals probed clean (M2 tokens already cover; nothing chip-level needed). ## Out of scope M5 (axe CI gate) and M6 (letsmesh side-by-side A/B) are next milestones. --------- Co-authored-by: agent <agent@openclaw.local> Co-authored-by: meshcore-bot <bot@meshcore> Co-authored-by: Kpa-clawbot <bot@kpa-clawbot> Co-authored-by: openclaw-bot <bot@openclaw> |
||
|
|
79cf453660 |
feat(#1633): customizer toggle to hide 1-byte path hops everywhere (#1689)
## What Customize-v2 toggle **Hide 1-byte path hops** (Display tab). Default OFF — operators opt in. When ON, 1-byte path-hash prefixes are filtered at every render site without touching what's stored or what the firmware does. Render sites wired: - **Packets list / detail** (`packets.js renderPath`) — group header, child observations, detail dt/dd, BYOP overlay. Empty result renders `(1-byte filtered)`. - **Map polylines** (`map.js drawPacketRoute`) — intermediate hops tagged `_hopHex`; origin/destination (from payload, no `_hopHex`) always survive. - **Route view** (`route-view.js`) — unique-paths picker + group counts key on the filtered hop list, so routes that only differ by 1-byte hops collapse. - **Analytics route patterns** (`analytics.js`) — filters INPUT rows whose `rawHops` contain any 1-byte token; header reports filtered/total. ## Why 1-byte hashes collide ~8-way at ~2k relay nodes (Cascadia scale). The collisions inflate polyline noise, route-pattern row counts, and chip clutter without adding signal. See #1633 for the full hypothesis. ## How (pure render-time) New `public/hop-filter.js`: - `MC_getHide1ByteHops()` / `MC_setHide1ByteHops(on)` — localStorage `meshcore-hide-1byte-hops`, default OFF. - `MC_isVisibleHop(hop, opts)` — predicate. - `MC_filterPathHops(hops, opts)` — non-mutating array filter. Nothing in the ingest / store / decode path changes. The hop hex stays in `path_json`; only the render iterators drop it. ## Tests `test-issue-1633-hide-1byte-hops.js` — 8 assertions: - Default OFF (back-compat). - `hopByteLen` semantics. - `isVisibleHop` ON drops 1-byte, keeps 2/3-byte. - `filterPathHops` non-mutating. - `HopDisplay.renderPath` chip set after filter. - Map polyline positions[] filter preserves origin/destination. - Analytics route-pattern aggregation key collapses on filtered hops. Wired into `.github/workflows/deploy.yml`. Red commit: `6baa3f13` (5/8 ON-branch assertions failed on stubs). Green commit: `5c0bbdba` (8/8 pass). ## Browser verify Staging deploy of changed files. Packet `99ef781f42eb7249` (all 1-byte path): - BEFORE (toggle OFF): `3 HOPS — Station Rat → KO6IFX-R5 → little russia`. - AFTER (toggle ON): `3 HOPS — (1-byte filtered)`. Customizer toggle visible + working in Display tab. Fixes #1633. --------- Co-authored-by: openclaw-bot <bot@openclaw.dev> Co-authored-by: clawbot <bot@openclaw.local> |
||
|
|
dd2b3d2e21 | ci(#1662): cut slideover flake-gate from 20× to 3× — 5% per-iter flake = 64% per-run fail at N=20 | ||
|
|
a8c99c61fd |
fix(#1659): block analytics endpoint until first pass complete (503 Retry-After) (#1688)
## Summary Fixes #1659 — analytics cards no longer show the post-restart slice when "All data" is selected. ## Root cause After server restart, `s.recompRF` / `s.recompTopology` / `s.recompChannels` cache the FIRST computation, which is the small in-RAM observations slice (background chunk-loader has not yet backfilled history). The recomputer serves that slice through `GetAnalyticsRFWithWindow`'s default shortcut for an entire recompute interval, while the client pins it via `CLIENT_TTL.analyticsRF`. UX: cards show a tiny window even when the user selects "All data". ## Fix shape (option B from the issue body) Server-side per-recomputer warm-up gate: - `cmd/server/analytics_warmup_1659.go` adds a per-recomputer `firstPassDoneNs` atomic timestamp, set ONLY by the first successful `runOnce()` (CAS-guarded for idempotency). `IsWarmingUp_1659()` / `FirstPassDoneAt_1659()` are lock-free reads. - `cmd/server/analytics_recomputer.go` `runOnce()` calls `markFirstPassDone_1659()` after every successful compute. - `cmd/server/routes.go` handlers for RF / Topology / Channels: when the request is the default shape (`region=="" && area=="" && window.IsZero()`) AND the matching recomputer is still warming up, return `503` + `Retry-After: 5` + `{"error":"analytics warming up","retry_after_s":5}`. Windowed / region-filtered requests bypass the gate (they already bypass the recomputer cache, so they are unaffected by the warm-up bug). Client-side: - `public/app.js` `api()` helper retries any 503 response, honoring `Retry-After`, with exponential backoff capped at 30s, max 6 attempts (~63s total). - Small "Computing analytics…" banner appears while any warm-up retry is in flight, dismissed once the request resolves. Pages can override via `window.onWarmup_1659`. ## Tests RED commit `8b2b2d7` ships failing-on-assertion tests + a stub. GREEN commit `2716c23` lands the fix and flips them green. - `cmd/server/analytics_warmup_1659_test.go` — 3 cases: 503 during warmup, 200 after first pass, windowed request bypasses gate. - `test-1659-analytics-warmup.js` — 3 cases: Retry-After honored, retry cap bounded, non-503 errors not retried. Wired into `.github/workflows/deploy.yml`. ## Preflight overrides - cross-stack: justified — server-side 503 contract MUST be paired with client-side retry-and-banner handling; splitting across two PRs would land a half-working fix. Fixes #1659. --------- Co-authored-by: corescope-bot <bot@corescope.local> Co-authored-by: openclaw <openclaw@local> |
||
|
|
e4be735e02 | fix(#1662): bump row-wait to 30s — CI slideover keeps timing out at 20s on slow runs | ||
|
|
048143f54f |
fix(#1690): cold-load uses last_seen (effective recency) instead of first_seen (#1691)
## #1690 — cold-load uses wrong time axis (RED → GREEN) The on-disk DB has thousands of long-lived hashes with recent traffic. Prod's cold-load filter (`transmissions.first_seen >= cutoff`) is bound to a column that is set once at insert time and never updated — so re-observation of an old hash does not move it into the hot window. Result: prod cold-loaded ~0.3% of the on-disk rows and flipped `backgroundLoadComplete=true` without ever walking the retention window (the `retentionHours - hotStartupHours <= 0` short-circuit at line 1353 of `cmd/server/store.go`). ### Three sub-fixes **A) Denormalize `transmissions.last_seen`** so cold-load can window on effective recency. - `internal/dbschema/dbschema.go::ensureTransmissionsLastSeenColumn` adds the column + `idx_tx_last_seen` (single-column INTEGER ALTER + index; both PREFLIGHT-annotated as cheap metadata-only ops). - `cmd/ingestor/db.go::OpenStoreWithInterval` schedules `tx_last_seen_backfill_v1` via `Store.RunAsyncMigration` — `UPDATE transmissions SET last_seen = MAX(observations.timestamp) WHERE last_seen = 0` — non-blocking on boot (1.9M+ obs row scan in prod). - Writer-side: `InsertTransmission` seeds `last_seen` on initial insert, and every observation insert bumps `last_seen = ?` via prepared statement `stmtBumpTxLastSeen` (conditional `last_seen < ?` so out-of-order ingest never goes backwards). - Reader-side: `cmd/server/store.go::Load`, `loadChunk`, and `cmd/server/chunked_load.go::LoadChunked` switch the WHERE/ORDER-BY clauses to `t.last_seen` when the column is present (PRAGMA-detected via `DB.hasLastSeen`). Test/legacy DBs without the column fall back to `first_seen` so existing fixtures stay green. **B) Honest `backgroundLoadComplete` gating.** - Drop the `retentionHours - hotStartupHours <= 0` short-circuit. Prod runs with both at 12h, which flipped Done=true immediately. - After the chunk loop, query `SELECT COUNT(*) FROM transmissions WHERE last_seen >= retentionFloor` and compute `loadCoverageRatio = inMem / inDB`. Done=true only when `ratio >= 0.90` AND no chunk errors. `backgroundLoadFailed=true` + `backgroundLoadError` populated otherwise (e.g. `"loaded 20.0% of 5000 rows (1000 in memory)"`). - `bgErrMu`-guarded `loadCoverageRatio` + `backgroundLoadErr` so the perf endpoint can read them without blocking the writer. **C) Perf exposure.** `PerfPacketStoreStats` gains `RetentionHours`, `OldestLoaded`, `LoadCoverageRatio`, `BackgroundLoadError` — surfaces what fraction of the on-disk DB the in-memory store currently reflects, so operators can see the 0.3% case in `/api/perf` without reading the logs. ### TDD trail - **RED**: `05f0c6dd2bea6dc37324c548a49564d739aca920` — failing tests + 21-line store.go scaffolding. CI on this commit failed on assertions (intended). - **GREEN**: this PR's HEAD commit (8 files, +271/-24). Targeted suite: `Test1690_ColdLoad_TimeAxis`, `Test1690_BackgroundLoadHonesty`, `Test1690_PerfStats_NewFields`, `TestHotStartup_*`, `TestIssue1690_LastSeenUpdatedOnObservation` — all pass. Anti-tautology: locally reverted the `if !s.backgroundLoadFailed.Load()` guard around `backgroundLoadDone.Store(true)` — `Test1690_BackgroundLoadHonesty` fails on the assertion `"backgroundLoadDone=true with only 1000/5000 packets loaded; must be false until coverage ≥ 90%"`. Restored. ### Async-migration preflight - `ensureTransmissionsLastSeenColumn` — ALTER + CREATE INDEX both `// PREFLIGHT: async=true reason="..."` annotated. - `tx_last_seen_backfill_v1` — wrapped in `Store.RunAsyncMigration`. - `stmtBumpTxLastSeen` prepared statement — annotated; it is a row-level UPDATE BY PRIMARY KEY, not a migration. ### Preflight overrides PREFLIGHT-MIGRATION-SCALE: <30s N=5K - check-async-migration: justified for `cmd/server/issue1690_cold_load_test.go` CREATE TABLE/INDEX statements — these build an in-memory test fixture DB (≤5000 rows, runs in <1s in CI), not a prod migration. Fixes #1690. --------- Co-authored-by: meshcore-bot <bot@meshcore.local> Co-authored-by: bot <bot@example.com> |
||
|
|
d910ea0208 |
feat(#1638): confidence rating weighted by hash mode (#1687)
Fixes #1638. ## Problem `getConfidenceIndicator` in `public/nodes.js` treats every observation as equal evidence, so a node seen 5 times via 1-byte hash prefixes (which collide ~8-way across a typical mesh) scores the same as a node seen 5 times via 6-byte prefixes (effectively unambiguous). The user asked for confidence to respect ambiguity. ## Change - `cmd/server/neighbor_graph.go` — new `CountsByMode map[int]int` on `NeighborEdge`, bumped in `upsertEdge` / `upsertEdgeWithCandidates` based on the observation's hash-prefix byte length (1/2/4/6). Merged in `resolveEdge` when ambiguous→resolved edges collapse. - `cmd/server/neighbor_api.go` — `NeighborEntry.counts_by_mode` exposed (omitempty), and `dedupPrefixEntries` merges per-mode counts when an unresolved prefix entry collapses into a resolved one. Flat `Count` field preserved for back-compat. - `public/nodes.js::getConfidenceIndicator` — weights observations by mode: 1-byte=0.125, 2-byte=0.5, 4/6-byte=1.0. A single 6-byte sighting counts ~8× a raw 1-byte one. HIGH triggers when EITHER the legacy heuristic clears OR weighted count ≥3. Legacy entries without `counts_by_mode` keep working (default weight 0.5). - Tooltip now shows the per-mode breakdown (e.g. "Observations: 5 (1-byte: 3, 6-byte: 2)"). ## TDD - RED: `cmd/server/neighbor_graph_test.go::TestBuildNeighborGraph_CountsByMode` — fixture with 1/2/4-byte sightings asserts per-mode tally (commit `838965f3`). - RED: `test-confidence-indicator.js` — 6-byte mostly-sighted neighbor must outrank 1-byte mostly-sighted neighbor at equal flat count (commit `4bd5e18e`). - GREEN: implementation in commit `7511606d`. All 4 JS tests pass; new Go test passes; full Go suite passes (two pre-existing flakes unrelated, both pass when isolated). ## Browser verification Synthetic side-by-side of OLD vs NEW classifier against representative inputs — see screenshot. 1-byte-only and 6-byte-only at the same flat count diverge from MEDIUM/MEDIUM to MEDIUM/HIGH, and 3 6-byte sightings now upgrade where 20 1-byte sightings stay MEDIUM. ## Preflight overrides - check-branch-scope: cross-stack: justified — backend exposes the new `counts_by_mode` field and the frontend consumes it; the whole point of the change. ## Compat - `Count` field unchanged in shape and value. - `counts_by_mode` is `omitempty`; legacy persisted edges (loaded from `neighbor_edges` via `neighbor_persist.go`) get no per-mode breakdown and fall back to the default weight (0.5) — no UI regression. --------- Co-authored-by: bot <bot@local> Co-authored-by: corescope-bot <bot@corescope.local> |
||
|
|
a2004351d3 |
fix(#1684): staging disk monitor + cleanup cron (#1686)
## Summary Adds a staging VM disk-usage monitor + daily cleanup cron, fixing the gap surfaced by #1684 (staging hit 100% disk during a hot-patch, no alert, no cleanup). ## What landed - **`scripts/staging/disk-monitor.sh`** — parses `df -P <mount>`, classifies usage `<80 ok / >=80 warn / >=90 error / >=95 alert`, emits to stderr + journald via `logger -p`, exits non-zero on `error|alert` so the systemd unit surfaces as failed. - **`scripts/staging/disk-cleanup.sh`** — daily prune of `/tmp` snapshot patterns (`*.db`, `staging-snap.*`, `cs-*`, `node-compile-cache`) older than 7d + `docker builder/image prune --filter until=72h --filter label!=keep`. Honors `CORESCOPE_CLEANUP_DRY_RUN=1`. - **`scripts/staging/test-disk-monitor.sh`** — pure-bash unit tests for the testable helpers (22 cases covering threshold boundaries, df parsing, invalid input, severity→priority mapping). - **`DEPLOY.md`** — install one-liner with full inline systemd unit + timer content (15-min monitor, daily 03:30 cleanup). Uses `<STAGING_HOST>` placeholder. - **`.github/workflows/deploy.yml`** — wires `test-disk-monitor.sh` into the Go build & test job. ## TDD - Commit `26185967` (RED): tests against stub helpers — `PASS=5 FAIL=17` on assertions. - Commit `d31a1082` (GREEN): real helpers — `PASS=22 FAIL=0`. ## Phase 3 — `staging-snap.db` root cause `grep -rn staging-snap.db cmd/ public/ scripts/` → **zero hits**. The 4.4 GB orphan was a manual debug artifact, not committed code. The cleanup retention rule prevents recurrence. Partial fix for #1684 — leaves issue open for operator to verify install on staging and confirm alert fires at 85%. --------- Co-authored-by: corescope-bot <bot@corescope.local> Co-authored-by: clawbot <bot@openclaw.dev> |
||
|
|
6aa5146b93 |
fix(#1660): FE warm-up banner reads X-Corescope-Load-Status + polls /api/healthz (#1683)
## Summary Partial fix for #1660 — adds an FE-only global warm-up banner that surfaces server-side load state to users instead of letting "data may be incomplete" look like silent breakage. Implements sub-deliverables **(1)** and **(3)** from the triage. Sub-deliverable (2) (per-card "recomputing" pill) is deferred — it depends on a new server-side `recomputer.first_pass_done` flag that pairs with #1659. ## What it does - New `public/warmup-banner.js` mounts a sticky `role="status"` live region at the top of `<body>`. Pure helper `getWarmupMessages()` is fully unit-tested in isolation. - Consumes both signals the server already exposes: - `X-Corescope-Load-Status` response header (set by `cmd/server/chunked_load.go:446` on every API response) — captured via a thin `window.fetch` wrapper. - `GET /api/healthz` — polled every 30s while not in steady-state, torn down once `ready=true` AND `from_pubkey_backfill.done=true`. - Messages per acceptance criteria: - `loading` → "⏳ Loading historical data — counts may be incomplete." - `from_pubkey_backfill.done=false` → "Backfilling pubkey index: 12,400 / 87,500 (14%)" - `ingest_liveness.<src>.lastReceiptUnix` older than 5 min → "No packets from `<src>` in N min." - Banner fades out (opacity + max-height transition) once steady-state is reached. ## Files - `public/warmup-banner.js` — new module (pure helpers + DOM mount + poll + fetch interceptor). - `public/style.css` — `.warmup-banner` rules; all colors via existing `--warn-bg` / `--warn-text` / `--warning` CSS variables (customizer-safe, no inline hexes). - `public/index.html` — loads `warmup-banner.js` immediately before `app.js` so the fetch wrapper is installed before other modules issue requests. - `test-warmup-banner.js` — 8 tests: 6 pure-helper + 2 vm-DOM E2E that stub `/api/healthz` returning `ready:false` → asserts banner visible, then flips to `ready:true` → asserts the `warmup-banner--hidden` class is applied (sub-deliverable 3). ## TDD red → green - **Red:** `ca5f9837` — `test(#1660): RED — failing tests for warmup banner message derivation` — stub `getWarmupMessages` returns `[]`; CI fails on 3 assertion failures (compiles cleanly, fails on `assert.ok(msgs.length >= 1)` etc — not on import/build). - **Green:** `0d07efdf` — `feat(#1660): GREEN — warmup banner reads X-Corescope-Load-Status + polls /api/healthz` — implementation lands; all 8 tests pass. ## Test output ``` warmup-banner.js (#1660): ✅ exports getWarmupMessages and shouldShowBanner ✅ loading header alone produces a "historical data" message ✅ from_pubkey_backfill.done=false produces a progress message with pct ✅ stale ingest source >5min produces a "No packets from" message ✅ steady-state ready=true + backfill done + fresh ingest → no banner ✅ isSteadyState reflects ready+backfill predicate ✅ E2E: stub /api/healthz ready=false → banner visible ✅ E2E: flip /api/healthz to ready=true → banner fades (hidden class) passed=8 failed=0 ``` ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` — **clean** (PII / branch scope / red commit / CSS-var defined / CSS self-fallback / LIKE-on-JSON / sync migration / async-migration gate / XSS sinks all PASS, no warnings). ## Performance - Poll runs every 30s and only while `ready=false || from_pubkey_backfill.done=false`. Stops immediately on steady state. No hot-path impact. - Fetch wrapper adds one `.then()` per response to read a single header — O(1). - Banner DOM is one `<div>` with a `<ul>` of ≤3 `<li>`s. Re-render is a single innerHTML set. ## Out of scope (explicit) - Sub-deliverable (2) — per-card "↻ Recomputing…" pill. Requires a new `recomputer.first_pass_done` field on `/api/healthz` (small `cmd/server/analytics_recomputer.go` addition) and is grouped with the #1659 recomputer redesign. Not in this PR. - No backend code changed. Partial fix for #1660. --------- Co-authored-by: Kpa-clawbot <bot@kpa-clawbot> Co-authored-by: corescope-bot <bot@corescope.local> |
||
|
|
efd66ea3f5 |
feat(mqtt): per-source status endpoint + Observers panel (#1682)
## Summary Adds MQTT source status visibility per #1043 acceptance criteria: - **Ingestor:** per-source counter registry (`cmd/ingestor/source_status.go`) tracking `connected`, `lastConnectUnix`, `lastDisconnectUnix`, `lastPacketUnix`, `connectCount`, `disconnectCount`, `packetsTotal`, `packetsLast5m` (sliding 5-min window via per-second buckets keyed by unix second — no stale-leak), `lastError`. Wired at the existing OnConnect / ConnectionLost / DefaultPublish callsites alongside the liveness watchdog. Idempotent registration so counters survive reconnects. Snapshot emitted in the existing stats file under `source_statuses` (additive, `omitempty`). - **Backend:** new `GET /api/mqtt/status` handler reads the ingestor stats file and returns the per-source list. **Broker passwords are masked** via a regex over the `scheme://user:pass@host` form (covers mqtt/mqtts/tcp/ssl/ws/wss). Mask is also applied to `lastError` as defense-in-depth (broker libs occasionally quote the failing URL). OpenAPI completeness gate satisfied with a `routeDescriptions` entry. - **Frontend:** small self-contained panel (`public/mqtt-status-panel.js`) mounted above the Observers table. Auto-refreshes every 10s, color-codes each row (green = connected + recent packet, yellow = connected idle, red = disconnected), and tears down its timer on SPA route change. ## TDD - Red commit `f19a93b5` — stub `/api/mqtt/status` handler + assertion test that the broker password is `****`-redacted. Test fails on the assertion (handler passes the URL through verbatim). Compile-clean — assertion-fail, not build-fail. - Green commit `77042e41` — `maskBrokerURL` helper + table-driven unit tests across all schemes + handler rewires to mask both `Broker` and `LastError`. - Subsequent commits land the ingestor wiring and the frontend panel. ## Tests ``` $ cd cmd/server && go test -run 'TestMqttStatus|TestMaskBrokerURL' -v ./... PASS: TestMqttStatus_MasksBrokerPassword PASS: TestMqttStatus_EmptyWhenNoStatsFile PASS: TestMaskBrokerURL_Patterns (10 subtests) $ cd cmd/ingestor && go test -run 'TestSourceStatus|TestSnapshotSourceStatuses' -v ./... PASS: TestSourceStatus_BasicLifecycle PASS: TestSourceStatus_Disconnect PASS: TestSnapshotSourceStatuses_ReturnsAll $ node test-mqtt-status-panel.js 7 passed, 0 failed ``` Full `go test ./...` clean in both `cmd/server` and `cmd/ingestor`. ## Preflight overrides - `cross-stack`: justified — issue #1043 is intrinsically full-stack (ingestor stats → server endpoint → observers panel). Per-stack split would land an unreachable endpoint or a fetch with no backend. - `check-xss-sinks` (public/mqtt-status-panel.js:55): justified — the flagged `innerHTML=` is a fully-static literal (empty-state placeholder, no payload data interpolated). All payload-bearing `innerHTML=` sites in this file run through `escapeHTML` (defined in the same file); the test `renderPanel never echoes a plaintext password (defense-in-depth)` exercises the rendered HTML against payload strings. ## Acceptance criteria - [x] `/api/mqtt/status` returns per-source connection state — `cmd/server/mqtt_status.go` - [x] UI panel shows all configured sources with live status — `public/mqtt-status-panel.js` - [x] Connection state updates on reconnect/disconnect events — `MarkConnect` / `MarkDisconnect` wired in `cmd/ingestor/main.go` - [x] Broker URLs don't expose passwords in the API response — `maskBrokerURL` + 13 test cases - [x] Works with 1-N sources — registry is keyed per-source, snapshot iterates the map **Partial fix for #1043** — per-packet `mqtt_source` attribution (the issue's "Follow-up" section) is **deferred** per the `mc-bot-triaged:v1` triage and the autofix comment ("Per-packet attribution deferred to follow-up issue"). That work requires a new observation-row column and DB schema migration, both explicitly out of scope for this PR. Refs #1043 --------- Co-authored-by: openclaw-bot <bot@openclaw.local> |
||
|
|
2ef7d2437d |
fix(ci): release fast-path re-tag :edge → :vX.Y.Z when SHA matches (Fixes #1677) (#1680)
## Summary Adds `.github/workflows/release-fast-path.yml`: a metadata-only re-tag workflow that fires on `push.tags: v[0-9]+.[0-9]+.[0-9]+` and, when `:edge`'s `org.opencontainers.image.revision` label matches the tag SHA, applies `:vX.Y.Z`, `:vX.Y`, `:vX`, `:latest` to the existing edge manifest via `crane tag`. No rebuild, no test re-run — ~seconds vs ~30 min today. If the SHA doesn't match (tag points to an older commit, or `:edge` wasn't built yet), it dispatches the existing `deploy.yml` pipeline as a fallback so validated bytes always ship. To prevent double-fire, `deploy.yml`'s top-level `on:` block drops `tags: ['v*']` — `release-fast-path.yml` is now the sole consumer of `push.tags`. Edge publishing on master push is untouched. ## TDD Red commit adds `cmd/server/release_fast_path_workflow_test.go` (two tests: one asserts the new workflow exists with the required trigger/permissions/markers; the other asserts `deploy.yml`'s `on:` block no longer mentions `tags:`). Both fail on assertions in the red commit. Green commit adds the workflow file + edits `deploy.yml`; both pass. ## Acceptance criteria (from #1677) - Tag-CI completes in <2 min when tag SHA == `:edge` revision → fast-path is metadata-only, single short job - Falls back to full pipeline on SHA mismatch → `gh workflow run deploy.yml --ref ${{ github.ref }}` - `:vX.Y.Z` has same digest as `:edge` → `crane tag` copies the manifest, bytes are byte-identical - No regression on older-SHA tags → fallback path runs the unchanged full validation Fixes #1677 --------- Co-authored-by: Kpa-clawbot <bot@corescope.local> |
||
|
|
626900a22a |
fix(#1668): typography pass — 14px body / 12px+500 chip floor (M3) (#1679)
Red commit:
|
||
|
|
653d47e03c |
test(openapi): add CI completeness gate for /api routes (Phase 1 of #1670) (#1678)
## Summary Partial fix for #1670 — **Phase 1 only** (CI completeness gate). Phase 2 (backfilling the 18 currently-undocumented routes into `openapi.go`) is deferred to a separate issue per the triage on #1670 and is explicitly out of scope here. ## What this adds - `cmd/server/openapi_completeness_test.go` — AST-walks every non-`_test.go` file in `cmd/server/`, finds string-literal first args to `*.HandleFunc(...)` calls beginning with `/api/`, and diffs against the paths declared in `routeDescriptions()` in `cmd/server/openapi.go`. - `cmd/server/openapi_known_gaps.json` — seeded allowlist of the **18** `/api/` routes currently registered via `HandleFunc` but not yet documented in `openapi.go`. ## Ratchet pattern From this branch forward, `TestOpenAPICompleteness` fails when: 1. A new `HandleFunc("/api/...")` is added without a matching entry in `openapi.go` **or** the allowlist (regression gate — the main goal of Phase 1). 2. A route in the allowlist is *also* documented in `openapi.go` — the allowlist must shrink as Phase 2 backfills land, never go stale. The two-commit history (red → green) demonstrates the gate works: - **Red commit**: adds only the test. Fails on master with the 18 missing routes listed. - **Green commit**: adds the allowlist seeded with that exact 18-route set. Test passes at the current baseline. ## Local verification - `go test ./cmd/server/ -run TestOpenAPICompleteness -v` → PASS at baseline (`44/62 covered; 18 in allowlist; 18 gaps remain`). - Ratchet validation: temporarily inserted `r.HandleFunc("/api/ratchet-test-route", ...)` into `routes.go` → test FAILED with that exact route name; reverted → test PASSES again. ## Files changed - `cmd/server/openapi_completeness_test.go` (+203 / new) - `cmd/server/openapi_known_gaps.json` (+24 / new) ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` → all hard gates pass; no warnings. ## Out of scope - Backfilling the 18 allowlisted routes into `openapi.go` (Phase 2 — tracked separately). - Schema validation of the spec against OpenAPI 3.0 (Phase 3 per the issue). - PR template checkbox update (Phase 2 follow-up). Issue #1670 stays open for Phase 2. --------- Co-authored-by: clawbot <bot@corescope.local> |
||
|
|
2d59f15a07 | docs(v3.9.1): release notes | ||
|
|
edc6d5da02 |
fix(#1107): content-drive Live PACKET TYPES legend + dock toggles bottom-right (#1669)
Fixes #1107 Per triage fix path (#1107 comment 4672137236): the Live view PACKET TYPES legend was oversized (>60% whitespace per tufte review) and the activate/hide toggle buttons were scattered and cramped at the bottom of the map. ## Changes `public/live.css`: - `.live-legend` — added `height: max-content` + `max-width: 260px`. Panel now hugs its content instead of dominating the map. - `.legend-toggle-btn` — switched from `position:absolute; bottom:82px; right:12px` to `position:fixed; bottom:1rem; right:1rem` (the conventional map-control corner-dock per mesh-operator review). - `.feed-show-btn` — switched from scattered `position:absolute; bottom:12px; left:12px` to `position:fixed; bottom:1rem; right:1rem` with `margin-bottom:56px` so it stacks above the legend toggle. Activate/hide controls now dock together as one tidy bottom-right cluster. All colors via existing CSS variables (no hex tokens added). `test-issue-1107-live-layout.js` (new) — source-invariant assertions following the `test-issue-1532-live-fullscreen.js` pattern. Wired into the JS unit-test gate in `.github/workflows/deploy.yml`. ## TDD trace - Red commit: `c86073f68e30bb3c1c9f3880b39f4239cb681905` — test added asserting the layout invariants. Verified locally: 8 assertion failures on master CSS (exit 1). - Green commit: `4bd29f9b87ad0a1b214f60ec55ae17d6c9f2d819` — CSS fix. All 14 assertions pass. Reverting `public/live.css` returns 8 failures (test gates behavior, not tautology). ## E2E / browser verification E2E assertion added: `test-issue-1107-live-layout.js:48` (`.live-legend` height/max-width invariants) and `:72-90` (toggle button group pinned bottom-right). This is a CSS-only layout fix; the assertions are source-invariant on `public/live.css` (same pattern the codebase uses for #1532 / #1234 layout fixes — runs in the JS unit-test gate without needing a live server). Browser visual verification of the docked cluster can be done at the staging URL `http://analyzer-stg.00id.net/#/live` once the deploy runs. ## Preflight `bash ~/.openclaw/skills/pr-preflight/scripts/run-all.sh origin/master` — clean (all gates pass, no warnings to ack). --------- Co-authored-by: clawbot <bot@kpa-clawbot.local> Co-authored-by: meshcore-bot <bot@meshcore.dev> |
||
|
|
f0addfdabf |
fix(#1668): palette indirection + WCAG AA token bumps (M2 + #1671) (#1676)
Red commit:
v3.9.1
|
||
|
|
f06359d739 | fix(#1662): bump row-wait to 20s — packets table data fetch slow on single-pass run | ||
|
|
b0996047ef |
fix(#1662): rename stray rows.length → candidates.length in click-step diag (followup to ef13b222)
|