feat(format): apr-cli-safety-v1 3-gate PARTIAL discharge#1385
Closed
noahgift wants to merge 2 commits into
Closed
Conversation
Binds FALSIFY-CLI-001..003 from apr-cli-safety-v1 at PARTIAL_ALGORITHM_LEVEL via 3 verdict functions plus pinned constants. - CLI-001: validate exit-code monotonic — score < 50 → exit 5; ≥ 50 → exit 0 - CLI-002: --offline rejects hf:// / http:// / https:// before any IO - CLI-003: encrypt rejects .enc input (no double encryption) ## Five Whys 1. Why does apr-cli-safety-v1 list 3 falsification IDs without algorithm-level discharge? PMAT lints flagged FALSIFY-CLI-001..003 as unbound at PARTIAL_ALGORITHM_LEVEL. 2. Why does that block ship? Coverage % cannot move while peripheral apr-CLI safety semantics have no algorithm-level verdict module. 3. Why a separate `cli_safety_001_003` module rather than extending `cli_001_004`? FALSIFY-CLI-001..004 in apr-cli-commands-v1 (already bound at task #278) covers the *command registry*; this contract covers *safety semantics* (exit-code honesty, offline, encrypt idempotency). They share the prefix but the gate semantics are independent — collapsing would conflate two coverage-tracking contracts. 4. Why three network prefixes for CLI-002 (`hf://`, `http://`, `https://`)? The contract example only mentions `hf://`, but the spirit ("reject network sources") covers all three. Pinning the list at the algorithm-level prevents a future regression where only `hf://` is checked but `https://` slips through (the same privacy violation in different clothes). 5. Why fail-on-empty-source for CLI-002 vs vacuous Pass? An empty source string with offline mode is a malformed CLI invocation; silently passing would let a regression where the CLI crashes on empty input (instead of cleanly rejecting) slip past coverage reporting. Adds 22 unit tests including 18-case score×exit cross-product mutation survey and 6-prefix network mutation survey. Realistic- healthy walks the canonical apr-CLI run; pre-fix walks the 3 regression classes (silent failure, privacy leak, double encrypt). No runtime % shift; algorithm-level coverage advances by 3 gates.
noahgift
force-pushed
the
feat/clisafety-001-003-partial-discharge
branch
from
80582ba to
bc5b634
Compare
Contributor
Author
auto-merge was automatically disabled
May 12, 2026 09:21
Pull request was closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
apr-cli-safety-v1atPARTIAL_ALGORITHM_LEVELvia 3 verdict functions.Gates bound
score < 50 → exit 5; score ≥ 50 → exit 0--offlinerejectshf:///http:///https://before IOapr encryptrejects.encinput (no double encryption)Module-name disambiguation
cli_safety_001_003(this PR) vscli_001_004(already bound at task #278 forapr-cli-commands-v1). Both contracts share the FALSIFY-CLI-* prefix but cover different concerns — command registry vs safety semantics.Five Whys
See commit message — captures why three network prefixes (not just
hf://), why fail-on-empty-source, and why a separate module fromcli_001_004.Test plan
cargo test -p aprender-core --lib cli_safety_001_003— 22 passed🤖 Generated with Claude Code