ci(bridge): {Node, Deno, Bun} matrix — unit suite + MCP boot smoke #212
Merged
…ot smoke

Lands plan §7 E5 with the matrix widened to include Bun. The bridge's unit tests were not run by any workflow (only the path-claims bench), which is how a bare Deno.* reference shipped and broke both the npx/Node and Bun install paths at import time (fixed in PR #211; Bun has no Deno global — only the dogfooded Deno runtime was clean).

- New bridge-tests job in e2e.yml: 3-leg matrix, each running the full unit suite under its runtime (node --test / deno test / bun test — all three natively execute the node:test files; verified 52/52 each) plus an MCP boot smoke of main.js.
- New mcp-bridge/tests/boot_smoke.js: spawns the bridge under a given runtime command, performs a real initialize → notifications/initialized → tools/list handshake over stdio, asserts serverInfo + non-empty tools + exit 0. Needed because the unit suite imports lib/ but never boots main.js, whose stdio/exit paths are runtime-gated. Verified locally under all three runtimes (68 tools, exit 0).
- e2e.yml pull_request paths now include the workflow file itself (push paths already did; workflow-only PRs previously didn't run it).
- Plan doc §7 E5 updated to record the landed state and the corrected Bun finding.

setup-bun pinned to 0c5077e51419868618aeaa5fe8019c62421857d6 (v2.2.0, SHA verified via git ls-remote against oven-sh/setup-bun).

https://claude.ai/code/session_01PRi6uSn6qucCMCCy7mqUr4
🔍 Hypatia Security Scan
Findings: 273 issues detected
View findings
[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Action ses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886 needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in abi-drift.yml",
"type": "missing_timeout_minutes",
"file": "abi-drift.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in container-publish.yml",
"type": "missing_timeout_minutes",
"file": "container-publish.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
🏁 path-claims bench
Commit | Numbers
Host-dependent — compare deltas across commits, not absolute values.
A panic-attack assail scan of the bridge flagged the deno boot leg's `-A` (all-permissions) grant. Tightened to main.js's own shebang set (--allow-net --allow-env --allow-read). This is a real improvement, not cosmetic: booting under -A could mask a missing-permission bug that a scoped real install would hit, so the smoke now exercises the exact grant a user gets. Re-verified: all three legs boot (68 tools, exit 0) and the assail finding on boot_smoke.js clears.

https://claude.ai/code/session_01PRi6uSn6qucCMCCy7mqUr4
What this is
Lands plan §7 E5 (from #211's critical-chain doc) with the matrix widened per the follow-up discussion: the bridge is now tested in CI under Node, Deno, and Bun — the three runtimes the README blesses.
Why
The bridge's own unit tests were not run by any CI workflow (only the path-claims bench script), which is how a bare `Deno.*` reference shipped and broke the npx/Node install path at import time (fixed in #211). Follow-up investigation corrected one detail: Bun was broken too — Bun implements Node's `process.*` APIs and has no `Deno` global, so only the dogfooded Deno runtime was ever clean. The fix in #211 repairs both, but nothing prevented recurrence.
What's in it
- `bridge-tests` job in `e2e.yml` — 3-leg matrix (node/deno/bun), `fail-fast: false`, `timeout-minutes: 10`. Each leg runs the full unit suite under its own runtime — all three natively execute the `node:test` files (`node --test`, `deno test`, `bun test`) — plus a boot smoke of `main.js`.
- `mcp-bridge/tests/boot_smoke.js` — spawns the bridge under a given runtime command, performs a real `initialize` → `notifications/initialized` → `tools/list` handshake over stdio, asserts `serverInfo`, a non-empty tool list, and exit 0. This exists because the unit suite imports `lib/` but never boots `main.js`, whose stdin/exit paths are runtime-gated (`Deno.stdin` vs `process.stdin`) — exactly where a leak would hide from units. No REST backend needed (initialize and tools/list are bridge-local).
- `e2e.yml` pull_request paths now include the workflow file itself (push paths already did — a workflow-only PR previously didn't trigger the workflow).
Verification (local, all six legs)
YAML validated by parse (6 jobs, matrix legs confirmed).
`setup-bun` pinned to `0c5077e51419868618aeaa5fe8019c62421857d6` (v2.2.0), SHA verified via `git ls-remote` against `oven-sh/setup-bun`; other actions reuse the file's existing pins.
Out of scope
The two broken gates catalogued in #199 (Zig download URL in `lsp-dap-bsp.yml`, ABI-grep false positive) stay tracked there.
https://claude.ai/code/session_01PRi6uSn6qucCMCCy7mqUr4
Generated by Claude Code
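The boot smoke described in this PR, sketched as an added example (this is not the project's `boot_smoke.js`): it spawns a server command, pipes the `initialize` → `notifications/initialized` → `tools/list` messages over stdio as newline-delimited JSON-RPC, and returns the values a CI leg would assert on. The stub server, the `bootSmoke` helper and its return shape are assumptions made so the example runs offline, and the three messages are written up front rather than interleaved with the replies.

```javascript
const { spawnSync } = require("node:child_process");

// Constructed stand-in for the bridge's main.js so the example runs offline:
// replies to requests, ignores notifications, exits 0 once stdin closes.
const STUB_SERVER = `
const rl = require("node:readline").createInterface({ input: process.stdin });
rl.on("line", (line) => {
  const msg = JSON.parse(line);
  if (msg.id === undefined) return; // notification: never answered
  const result = msg.method === "initialize"
    ? { protocolVersion: msg.params.protocolVersion, capabilities: { tools: {} },
        serverInfo: { name: "stub-bridge", version: "0.0.0" } }
    : { tools: [{ name: "echo", inputSchema: { type: "object" } }] };
  console.log(JSON.stringify({ jsonrpc: "2.0", id: msg.id, result }));
});
`;

// Hypothetical helper: run `cmd args...`, feed it the handshake, report the outcome.
function bootSmoke(cmd, args) {
  const frames = [
    { jsonrpc: "2.0", id: 1, method: "initialize", params: {
        protocolVersion: "2024-11-05", capabilities: {},
        clientInfo: { name: "boot-smoke", version: "0.0.0" } } },
    { jsonrpc: "2.0", method: "notifications/initialized" },
    { jsonrpc: "2.0", id: 2, method: "tools/list" },
  ];
  const run = spawnSync(cmd, args, {
    input: frames.map((f) => JSON.stringify(f)).join("\n") + "\n",
    encoding: "utf8",
    timeout: 10_000, // a hung boot fails the leg instead of stalling the job
  });
  if (run.error) throw run.error; // spawn failure or timeout
  const replies = new Map();
  for (const line of run.stdout.split("\n").filter(Boolean)) {
    const msg = JSON.parse(line); // non-JSON on stdout breaks the transport: throw
    if (msg.id !== undefined) replies.set(msg.id, msg);
  }
  const tools = replies.get(2)?.result?.tools ?? [];
  return { exitCode: run.status, serverInfo: replies.get(1)?.result?.serverInfo,
           toolCount: tools.length };
}

// A scoped Deno leg would pass the grant a user gets instead of -A, e.g.
//   bootSmoke("deno", ["run", "--allow-net", "--allow-env", "--allow-read", "main.js"])
console.log(bootSmoke(process.execPath, ["-e", STUB_SERVER]));
```

Because the helper takes the full command line, the permission flags under test are exactly the ones the spawned runtime receives, so a missing grant surfaces as a failed handshake or a non-zero exit code.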