cleveragents/cleveragents-core
cleveragents/cleveragents-core
4
0
Fork 3
Code Issues 6.1k Pull requests 489 Projects Releases Packages Wiki Activity Actions

feat(service): add decision recording and snapshot store #433

Merged
hamza.khyari merged 9 commits from feature/m4-decision-service into master 2026-03-03 12:58:17 +00:00
Conversation 2 Commits 9 Files changed 20 +3059 -352
hamza.khyari commented 2026-02-25 13:12:31 +00:00
Member
Copy link

Summary

Implements DecisionService with record/list/tree helpers and SnapshotStore for Forgejo issue #172.

What

  • DecisionService — dual-mode (in-memory / DB-backed) service with:
    • record_decision() with auto-sequencing, auto-snapshot capture, string-to-enum coercion
    • get_decision(), list_decisions(), list_by_type() retrieval
    • get_tree() (BFS), get_path_to_root() tree navigation
    • mark_superseded(), get_superseded() supersession support
    • delete_decision() with snapshot cleanup
    • count_decisions(), get_next_sequence() statistics
  • SnapshotStore — hash-based deduplication index for ContextSnapshot objects
  • Custom exceptionsDuplicateDecisionError, DecisionNotFoundError, SequenceConflictError

Tests

  • Behave: 37 scenarios / 168 steps in features/decision_recording.feature (all passing)
  • Robot: 7 smoke tests in robot/decision_recording.robot with helper script
  • ASV: 6 benchmarks for record throughput, list, tree, and snapshot operations

Docs

  • docs/reference/decision_service.md covering all public API, dual-mode persistence, and exceptions

Note on cherry-picked commits

This branch includes 2 cherry-picked commits from PR #131 (decision persistence) to provide DecisionRepository for the UoW code paths. When #131 merges to master, a rebase will make these cherry-picks disappear cleanly.

Closes #172

Dependencies

  • Blocks issue #172 (this PR must be merged before the issue can be closed)
## Summary Implements `DecisionService` with record/list/tree helpers and `SnapshotStore` for Forgejo issue #172. ### What - **`DecisionService`** — dual-mode (in-memory / DB-backed) service with: - `record_decision()` with auto-sequencing, auto-snapshot capture, string-to-enum coercion - `get_decision()`, `list_decisions()`, `list_by_type()` retrieval - `get_tree()` (BFS), `get_path_to_root()` tree navigation - `mark_superseded()`, `get_superseded()` supersession support - `delete_decision()` with snapshot cleanup - `count_decisions()`, `get_next_sequence()` statistics - **`SnapshotStore`** — hash-based deduplication index for `ContextSnapshot` objects - **Custom exceptions** — `DuplicateDecisionError`, `DecisionNotFoundError`, `SequenceConflictError` ### Tests - **Behave**: 37 scenarios / 168 steps in `features/decision_recording.feature` (all passing) - **Robot**: 7 smoke tests in `robot/decision_recording.robot` with helper script - **ASV**: 6 benchmarks for record throughput, list, tree, and snapshot operations ### Docs - `docs/reference/decision_service.md` covering all public API, dual-mode persistence, and exceptions ### Note on cherry-picked commits This branch includes 2 cherry-picked commits from PR #131 (decision persistence) to provide `DecisionRepository` for the UoW code paths. When #131 merges to master, a rebase will make these cherry-picks disappear cleanly. Closes #172 ## Dependencies - Blocks issue #172 (this PR must be merged before the issue can be closed)
freemo added this to the v3.2.0 milestone 2026-02-25 18:13:28 +00:00
hamza.khyari force-pushed feature/m4-decision-service from cd5ad39642
All checks were successful
CI / lint (pull_request) Successful in 23s
Details
CI / typecheck (pull_request) Successful in 52s
Details
CI / security (pull_request) Successful in 50s
Details
CI / quality (pull_request) Successful in 27s
Details
CI / integration_tests (pull_request) Successful in 5m9s
Details
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / build (pull_request) Successful in 23s
Details
CI / unit_tests (pull_request) Successful in 24m9s
Details
CI / docker (pull_request) Successful in 1m8s
Details
CI / benchmark-regression (pull_request) Successful in 22m20s
Details
CI / coverage (pull_request) Successful in 1h30m28s
Details
to 0f4b8a967f
Some checks failed
CI / lint (pull_request) Successful in 20s
Details
CI / typecheck (pull_request) Failing after 34s
Details
CI / coverage (pull_request) Has been skipped
Details
CI / security (pull_request) Successful in 29s
Details
CI / quality (pull_request) Successful in 29s
Details
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / benchmark-regression (pull_request) Has been skipped
Details
CI / build (pull_request) Successful in 15s
Details
CI / integration_tests (pull_request) Failing after 2m44s
Details
CI / unit_tests (pull_request) Has been cancelled
Details
CI / docker (pull_request) Has been cancelled
Details
2026-02-27 12:35:41 +00:00 Compare
CoreRasurae commented 2026-02-27 17:36:23 +00:00
Member
Copy link

Code Review — PR #433 / Issue #172: feat(service): add decision recording and snapshot store

Branch: feature/m4-decision-service
Reviewed commit: cd641a8 (last by Hamza, 7-commit chain from 5539fd0..cd641a8)
Scope: 15 files changed, ~2600 insertions, ~160 deletions
Review focus: bugs, security, performance, test coverage/quality, spec conformance

1. Issue #172 Acceptance Criteria Compliance

Subtask Status Notes
Implement DecisionService with record/list/tree helpers + snapshot storage Done Full API in decision_service.py
Add docs/reference/decision_service.md Done 148-line doc file
Behave: features/decision_recording.feature Done 37 scenarios
Robot: robot/decision_recording.robot Done 7 test cases
ASV: benchmarks/decision_recording_bench.py Done 5 benchmark classes
Coverage >= 97% via nox -s coverage_report Not verified No evidence the coverage gate was run/checked in the commit chain
Run nox (all sessions), fix any errors Not verified No evidence a full nox pass was performed in the commit chain

2. Bugs

BUG-1 [HIGH] — Sequence numbers not rehydrated from DB on restart

File: decision_service.py:203, 622-626

_plan_sequence is an in-memory dict initialized to {}. In persisted mode, if the service restarts against an existing database with decisions already recorded, _next_sequence() starts from 0 again, causing sequence_number collisions. The spec (line 18398, 18470) requires sequence_number to be monotonically increasing per plan.

BUG-2 [HIGH] — SequenceConflictError defined but never raised

File: decision_service.py:74-82

This exception is defined, exported in __all__, and whitelisted in vulture — but never actually raised anywhere. If BUG-1 causes a collision, there is no guard to catch it. The error exists as dead code suggesting uniqueness enforcement was intended but never implemented.

BUG-3 [MEDIUM] — delete_decision inconsistent between modes

File: decision_service.py:537-560

In persisted mode, if the underlying repository's delete() silently succeeds for a non-existent ID (does not raise), the method returns True without error. In in-memory mode, it correctly raises DecisionNotFoundError. The behavior diverges depending on the backend.

BUG-4 [MEDIUM] — mark_superseded does not validate new_decision_id exists

File: decision_service.py:483-523

The spec (line 18196) states "the original and all its descendants are marked superseded_by = <new_decision_id>." The service only marks the single targeted decision but never verifies the replacement decision actually exists — this can create dangling references.

BUG-5 [MEDIUM] — get_tree silently drops orphaned subtrees

File: decision_service.py:383-425

If a decision's parent_decision_id references a deleted parent, BFS from roots never reaches it. The if not roots fallback only triggers when there are zero roots. Orphaned subtrees are silently omitted from the returned tree, violating the spec's "Reachability" invariant (spec line 18203).

BUG-6 [LOW] — SnapshotStore is purely in-memory, lost on restart

File: decision_service.py:90-164

Snapshots stored in SnapshotStore (the hash-indexed secondary store) are never persisted to the database. After a service restart, get_snapshot() and get_snapshots_for_plan() return None/empty even though the decisions (with embedded snapshots) still exist in the DB. The spec (line 18421-18425) describes the context snapshot as a replay-critical artifact.

BUG-7 [LOW] — Dead code in PlanLifecycleService

File: plan_lifecycle_service.py:177-188

_decision_seq dict and _next_seq() method are never called anywhere in the service. _try_record_decision delegates sequence numbering to DecisionService.record_decision(). These are dead code, masked by vulture whitelist entries at vulture_whitelist.py:339-340.

3. Security Issues

SEC-1 [MEDIUM] — No size limits on actor_reasoning field

File: decision_service.py:249

Raw LLM reasoning traces can be arbitrarily large. No bounds are enforced before storage or logging. This creates risk for log injection and storage exhaustion attacks.

SEC-2 [LOW] — Truncated SHA-256 hash with misleading prefix

File: decision_service.py:672

_auto_capture_snapshot truncates the SHA-256 to 16 hex chars (64 bits) but prefixes it with sha256:, implying a full cryptographic hash. If any downstream code relies on this for integrity verification, the collision resistance is far lower than expected.

SEC-3 [LOW] — SnapshotStore._hash_index grows without bound

File: decision_service.py:99

No eviction policy. A caller generating many unique snapshots causes unbounded memory growth.

SEC-4 [LOW] — tempfile.mktemp usage in test step file

File: features/steps/decision_recording_steps.py:966

tempfile.mktemp is deprecated due to a TOCTOU race condition. This is test-only but is a pattern repeated across 17 places in the test suite.

4. Performance Issues

PERF-1 [MEDIUM] — count_decisions loads all objects just to count them

File: decision_service.py:593-602

count_decisions(plan_id) calls list_decisions(plan_id) which deserializes every decision from the DB, builds a Python list, then takes len(). Should delegate to COUNT(*) in persisted mode.

PERF-2 [MEDIUM] — No pagination on any list method

Files: decision_service.pylist_decisions, list_by_type, get_tree, get_superseded, get_snapshots_for_plan

None of these support limit/offset. For plans with hundreds or thousands of decisions, this returns unbounded result sets.

PERF-3 [LOW] — get_tree and get_superseded load full decision set

File: decision_service.py:395, 476

Both call list_decisions() to load the entire plan's decisions into memory, then perform in-memory filtering/traversal.

PERF-4 [LOW] — SnapshotStore._hash_index uses list instead of set

File: decision_service.py:99, 145

list.remove(decision_id) is O(n) for each removal. Using a set would be O(1).

5. Test Coverage and Quality Issues

TEST-1 [HIGH] — BFS order not actually verified in tree tests

Files: features/decision_recording.feature:103, robot/helper_decision_recording.py:99

The "Get tree returns BFS order from root" scenario asserts count and root-first, but never verifies actual BFS ordering. The level-order property (all depth-1 children before depth-2 grandchildren) is not checked. A broken BFS that returns DFS order would pass.

TEST-2 [HIGH] — No test for sequence rehydration after restart

Files: All test files

No test creates decisions, destroys the service, recreates it against the same DB, and verifies that sequence numbers continue from where they left off. This is exactly the scenario where BUG-1 manifests.

TEST-3 [HIGH] — MagicMock() without spec= hides bugs

Files: decision_di_wiring_steps.py:111, helper_decision_di.py:87, decision_di_bench.py:153

All use MagicMock() for settings without spec=Settings. This silently creates auto-attributes on access, meaning code that reads settings.nonexistent_property gets a silent mock object instead of failing. Should use create_autospec(Settings).

TEST-4 [MEDIUM] — UnitOfWork.__new__() anti-pattern in 4 places

Files: decision_di_wiring_steps.py:82, helper_decision_di.py:37, decision_di_bench.py:67, decision_recording_bench.py

All bypass UnitOfWork.__init__() to directly set private attributes. If __init__ changes, all 4 break silently. Should be a shared fixture factory.

TEST-5 [MEDIUM] — DI wiring assertions are too weak (>= 1)

Files: decision_di_wiring_steps.py:145, 194

len(strategy_decisions) >= 1 passes even if 100 spurious decisions are recorded. Should assert the exact expected count.

TEST-6 [MEDIUM] — No test for invalid decision_type string

No scenario passes an invalid string like "garbage" to record_decision(decision_type=...) and asserts a ValueError is raised.

TEST-7 [MEDIUM] — confidence_score boundary values never tested

Tests only use 0.85. Never exercises 0.0, 1.0, negative, or >1.0. The domain model has ge=0.0, le=1.0 validators — untested at boundaries.

TEST-8 [LOW] — get_decision return not validated beyond decision_id

File: decision_recording_steps.py:652

step_match_recorded only compares decision_id, not question, chosen_option, decision_type, or any other field. A buggy get_decision returning a corrupted object would pass.

TEST-9 [LOW] — Robot tests are strict subset of Behave tests

File: robot/decision_recording.robot

7 Robot test cases duplicate existing Behave scenarios with no unique coverage. No error-path, persisted-mode, or negative tests in Robot.

TEST-10 [LOW] — No benchmarks for persisted (DB-backed) mode

Files: benchmarks/decision_recording_bench.py, benchmarks/decision_di_bench.py

All benchmarks use in-memory DecisionService(). The DB-backed path (with SQLAlchemy overhead, transactions, and serialization) has fundamentally different performance characteristics and is not benchmarked.

6. Specification Conformance Issues

SPEC-1 [MEDIUM] — Missing uniqueness enforcement per spec schema

The spec (line 18470) defines sequence_number INTEGER NOT NULL in the decisions table. The existence of SequenceConflictError in the codebase implies uniqueness enforcement was planned. It is not implemented, and BUG-1 makes collisions possible.

SPEC-2 [LOW] — __init__.py missing SequenceConflictError export

File: src/cleveragents/application/services/__init__.py

SequenceConflictError is in decision_service.__all__ but not re-exported from the services package __init__.py. Also, PlanLifecycleService and its exceptions are absent from __init__.py despite being a peer service.

SPEC-3 [LOW] — Doc claim that retrieval methods raise DecisionNotFoundError

File: docs/reference/decision_service.md:75

States "All raise DecisionNotFoundError when the target decision does not exist (where applicable)." However, list_decisions and list_by_type return empty lists, not exceptions.

SPEC-4 [LOW] — artifacts_produced typed as list[Any] vs spec's list[ArtifactRef]

File: decision_service.py:230

The record_decision method accepts list[Any] for artifacts_produced, but the spec (line 18442) and domain model both define it as list[ArtifactRef]. The loose typing defeats compile-time checks.

7. Last Commit Review (cd641a8)

The final commit ("fix(service): align test and doc refs with DecisionService API") is a clean-up commit that fixes stale references to old method names (get_decisions_for_plan -> list_decisions, get_decision_tree -> get_tree) across 4 files. The diff is correct and no stale references remain.

One note: the commit message contains ISSUES CLOSED: #172, which will auto-close the issue on merge, but the issue's acceptance criteria (coverage >= 97%, full nox pass) are not confirmed in the commit chain.

Summary — Priority Ranking

# Severity Category Finding
BUG-1 HIGH Bug _plan_sequence not rehydrated from DB — sequence collisions after restart
BUG-2 HIGH Bug SequenceConflictError dead code — no uniqueness guard exists
TEST-1 HIGH Test Flaw BFS order not actually verified in tree tests
TEST-2 HIGH Test Gap No test for sequence rehydration after service restart
TEST-3 HIGH Test Flaw MagicMock() without spec= silently hides bugs in 3 files
BUG-3 MEDIUM Bug delete_decision behavior diverges between persisted/in-memory modes
BUG-4 MEDIUM Bug mark_superseded doesn't validate replacement decision exists
BUG-5 MEDIUM Bug get_tree silently drops orphaned decisions
SEC-1 MEDIUM Security No size limit on actor_reasoning (log injection / storage exhaustion)
PERF-1 MEDIUM Performance count_decisions loads all objects just to count
PERF-2 MEDIUM Performance No pagination on any list method
TEST-4 MEDIUM Test Flaw UnitOfWork.__new__() anti-pattern in 4 places
TEST-5 MEDIUM Test Flaw DI assertions use >= 1 instead of exact counts
TEST-6 MEDIUM Test Gap Invalid decision_type string never tested
TEST-7 MEDIUM Test Gap confidence_score boundaries never tested
SPEC-1 MEDIUM Spec Gap Sequence uniqueness enforcement missing per spec schema
BUG-6 LOW Bug SnapshotStore lost on restart (not persisted)
BUG-7 LOW Bug Dead code _decision_seq / _next_seq in PlanLifecycleService
SEC-2-4 LOW Security Truncated hash, unbounded hash index, tempfile.mktemp
SPEC-2-4 LOW Spec Missing exports, doc inaccuracies, loose typing
TEST-8-10 LOW Test Weak assertions, Robot subset, no DB-mode benchmarks

Recommendation: The HIGH-severity items (BUG-1, BUG-2, TEST-1, TEST-2, TEST-3) should be addressed before merge. BUG-1 in particular is a data integrity risk in any deployment that restarts the service, and the lack of a test for it (TEST-2) means it would go undetected until production.

# Code Review — PR #433 / Issue #172: `feat(service): add decision recording and snapshot store` **Branch:** `feature/m4-decision-service` **Reviewed commit:** `cd641a8` (last by Hamza, 7-commit chain from `5539fd0..cd641a8`) **Scope:** 15 files changed, ~2600 insertions, ~160 deletions **Review focus:** bugs, security, performance, test coverage/quality, spec conformance --- ## 1. Issue #172 Acceptance Criteria Compliance | Subtask | Status | Notes | |---|---|---| | Implement `DecisionService` with record/list/tree helpers + snapshot storage | Done | Full API in `decision_service.py` | | Add `docs/reference/decision_service.md` | Done | 148-line doc file | | Behave: `features/decision_recording.feature` | Done | 37 scenarios | | Robot: `robot/decision_recording.robot` | Done | 7 test cases | | ASV: `benchmarks/decision_recording_bench.py` | Done | 5 benchmark classes | | Coverage >= 97% via `nox -s coverage_report` | **Not verified** | No evidence the coverage gate was run/checked in the commit chain | | Run `nox` (all sessions), fix any errors | **Not verified** | No evidence a full nox pass was performed in the commit chain | --- ## 2. Bugs ### BUG-1 [HIGH] — Sequence numbers not rehydrated from DB on restart **File:** `decision_service.py:203, 622-626` `_plan_sequence` is an in-memory `dict` initialized to `{}`. In persisted mode, if the service restarts against an existing database with decisions already recorded, `_next_sequence()` starts from 0 again, causing `sequence_number` collisions. The spec (line 18398, 18470) requires `sequence_number` to be monotonically increasing per plan. ### BUG-2 [HIGH] — `SequenceConflictError` defined but never raised **File:** `decision_service.py:74-82` This exception is defined, exported in `__all__`, and whitelisted in vulture — but never actually raised anywhere. If BUG-1 causes a collision, there is no guard to catch it. The error exists as dead code suggesting uniqueness enforcement was intended but never implemented. ### BUG-3 [MEDIUM] — `delete_decision` inconsistent between modes **File:** `decision_service.py:537-560` In persisted mode, if the underlying repository's `delete()` silently succeeds for a non-existent ID (does not raise), the method returns `True` without error. In in-memory mode, it correctly raises `DecisionNotFoundError`. The behavior diverges depending on the backend. ### BUG-4 [MEDIUM] — `mark_superseded` does not validate `new_decision_id` exists **File:** `decision_service.py:483-523` The spec (line 18196) states "the original and all its descendants are marked `superseded_by = <new_decision_id>`." The service only marks the single targeted decision but never verifies the replacement decision actually exists — this can create dangling references. ### BUG-5 [MEDIUM] — `get_tree` silently drops orphaned subtrees **File:** `decision_service.py:383-425` If a decision's `parent_decision_id` references a deleted parent, BFS from roots never reaches it. The `if not roots` fallback only triggers when there are zero roots. Orphaned subtrees are silently omitted from the returned tree, violating the spec's "Reachability" invariant (spec line 18203). ### BUG-6 [LOW] — `SnapshotStore` is purely in-memory, lost on restart **File:** `decision_service.py:90-164` Snapshots stored in `SnapshotStore` (the hash-indexed secondary store) are never persisted to the database. After a service restart, `get_snapshot()` and `get_snapshots_for_plan()` return `None`/empty even though the decisions (with embedded snapshots) still exist in the DB. The spec (line 18421-18425) describes the context snapshot as a replay-critical artifact. ### BUG-7 [LOW] — Dead code in `PlanLifecycleService` **File:** `plan_lifecycle_service.py:177-188` `_decision_seq` dict and `_next_seq()` method are never called anywhere in the service. `_try_record_decision` delegates sequence numbering to `DecisionService.record_decision()`. These are dead code, masked by vulture whitelist entries at `vulture_whitelist.py:339-340`. --- ## 3. Security Issues ### SEC-1 [MEDIUM] — No size limits on `actor_reasoning` field **File:** `decision_service.py:249` Raw LLM reasoning traces can be arbitrarily large. No bounds are enforced before storage or logging. This creates risk for log injection and storage exhaustion attacks. ### SEC-2 [LOW] — Truncated SHA-256 hash with misleading prefix **File:** `decision_service.py:672` `_auto_capture_snapshot` truncates the SHA-256 to 16 hex chars (64 bits) but prefixes it with `sha256:`, implying a full cryptographic hash. If any downstream code relies on this for integrity verification, the collision resistance is far lower than expected. ### SEC-3 [LOW] — `SnapshotStore._hash_index` grows without bound **File:** `decision_service.py:99` No eviction policy. A caller generating many unique snapshots causes unbounded memory growth. ### SEC-4 [LOW] — `tempfile.mktemp` usage in test step file **File:** `features/steps/decision_recording_steps.py:966` `tempfile.mktemp` is deprecated due to a TOCTOU race condition. This is test-only but is a pattern repeated across 17 places in the test suite. --- ## 4. Performance Issues ### PERF-1 [MEDIUM] — `count_decisions` loads all objects just to count them **File:** `decision_service.py:593-602` `count_decisions(plan_id)` calls `list_decisions(plan_id)` which deserializes every decision from the DB, builds a Python list, then takes `len()`. Should delegate to `COUNT(*)` in persisted mode. ### PERF-2 [MEDIUM] — No pagination on any list method **Files:** `decision_service.py` — `list_decisions`, `list_by_type`, `get_tree`, `get_superseded`, `get_snapshots_for_plan` None of these support `limit`/`offset`. For plans with hundreds or thousands of decisions, this returns unbounded result sets. ### PERF-3 [LOW] — `get_tree` and `get_superseded` load full decision set **File:** `decision_service.py:395, 476` Both call `list_decisions()` to load the entire plan's decisions into memory, then perform in-memory filtering/traversal. ### PERF-4 [LOW] — `SnapshotStore._hash_index` uses `list` instead of `set` **File:** `decision_service.py:99, 145` `list.remove(decision_id)` is O(n) for each removal. Using a `set` would be O(1). --- ## 5. Test Coverage and Quality Issues ### TEST-1 [HIGH] — BFS order not actually verified in tree tests **Files:** `features/decision_recording.feature:103`, `robot/helper_decision_recording.py:99` The "Get tree returns BFS order from root" scenario asserts count and root-first, but never verifies actual BFS ordering. The level-order property (all depth-1 children before depth-2 grandchildren) is not checked. A broken BFS that returns DFS order would pass. ### TEST-2 [HIGH] — No test for sequence rehydration after restart **Files:** All test files No test creates decisions, destroys the service, recreates it against the same DB, and verifies that sequence numbers continue from where they left off. This is exactly the scenario where BUG-1 manifests. ### TEST-3 [HIGH] — `MagicMock()` without `spec=` hides bugs **Files:** `decision_di_wiring_steps.py:111`, `helper_decision_di.py:87`, `decision_di_bench.py:153` All use `MagicMock()` for `settings` without `spec=Settings`. This silently creates auto-attributes on access, meaning code that reads `settings.nonexistent_property` gets a silent mock object instead of failing. Should use `create_autospec(Settings)`. ### TEST-4 [MEDIUM] — `UnitOfWork.__new__()` anti-pattern in 4 places **Files:** `decision_di_wiring_steps.py:82`, `helper_decision_di.py:37`, `decision_di_bench.py:67`, `decision_recording_bench.py` All bypass `UnitOfWork.__init__()` to directly set private attributes. If `__init__` changes, all 4 break silently. Should be a shared fixture factory. ### TEST-5 [MEDIUM] — DI wiring assertions are too weak (`>= 1`) **Files:** `decision_di_wiring_steps.py:145, 194` `len(strategy_decisions) >= 1` passes even if 100 spurious decisions are recorded. Should assert the exact expected count. ### TEST-6 [MEDIUM] — No test for invalid `decision_type` string No scenario passes an invalid string like `"garbage"` to `record_decision(decision_type=...)` and asserts a `ValueError` is raised. ### TEST-7 [MEDIUM] — `confidence_score` boundary values never tested Tests only use `0.85`. Never exercises `0.0`, `1.0`, negative, or `>1.0`. The domain model has `ge=0.0, le=1.0` validators — untested at boundaries. ### TEST-8 [LOW] — `get_decision` return not validated beyond `decision_id` **File:** `decision_recording_steps.py:652` `step_match_recorded` only compares `decision_id`, not `question`, `chosen_option`, `decision_type`, or any other field. A buggy `get_decision` returning a corrupted object would pass. ### TEST-9 [LOW] — Robot tests are strict subset of Behave tests **File:** `robot/decision_recording.robot` 7 Robot test cases duplicate existing Behave scenarios with no unique coverage. No error-path, persisted-mode, or negative tests in Robot. ### TEST-10 [LOW] — No benchmarks for persisted (DB-backed) mode **Files:** `benchmarks/decision_recording_bench.py`, `benchmarks/decision_di_bench.py` All benchmarks use in-memory `DecisionService()`. The DB-backed path (with SQLAlchemy overhead, transactions, and serialization) has fundamentally different performance characteristics and is not benchmarked. --- ## 6. Specification Conformance Issues ### SPEC-1 [MEDIUM] — Missing uniqueness enforcement per spec schema The spec (line 18470) defines `sequence_number INTEGER NOT NULL` in the decisions table. The existence of `SequenceConflictError` in the codebase implies uniqueness enforcement was planned. It is not implemented, and BUG-1 makes collisions possible. ### SPEC-2 [LOW] — `__init__.py` missing `SequenceConflictError` export **File:** `src/cleveragents/application/services/__init__.py` `SequenceConflictError` is in `decision_service.__all__` but not re-exported from the services package `__init__.py`. Also, `PlanLifecycleService` and its exceptions are absent from `__init__.py` despite being a peer service. ### SPEC-3 [LOW] — Doc claim that retrieval methods raise `DecisionNotFoundError` **File:** `docs/reference/decision_service.md:75` States "All raise `DecisionNotFoundError` when the target decision does not exist (where applicable)." However, `list_decisions` and `list_by_type` return empty lists, not exceptions. ### SPEC-4 [LOW] — `artifacts_produced` typed as `list[Any]` vs spec's `list[ArtifactRef]` **File:** `decision_service.py:230` The `record_decision` method accepts `list[Any]` for `artifacts_produced`, but the spec (line 18442) and domain model both define it as `list[ArtifactRef]`. The loose typing defeats compile-time checks. --- ## 7. Last Commit Review (`cd641a8`) The final commit ("fix(service): align test and doc refs with DecisionService API") is a clean-up commit that fixes stale references to old method names (`get_decisions_for_plan` -> `list_decisions`, `get_decision_tree` -> `get_tree`) across 4 files. The diff is correct and no stale references remain. One note: the commit message contains `ISSUES CLOSED: #172`, which will auto-close the issue on merge, but the issue's acceptance criteria (coverage >= 97%, full `nox` pass) are not confirmed in the commit chain. --- ## Summary — Priority Ranking | # | Severity | Category | Finding | |---|---|---|---| | BUG-1 | **HIGH** | Bug | `_plan_sequence` not rehydrated from DB — sequence collisions after restart | | BUG-2 | **HIGH** | Bug | `SequenceConflictError` dead code — no uniqueness guard exists | | TEST-1 | **HIGH** | Test Flaw | BFS order not actually verified in tree tests | | TEST-2 | **HIGH** | Test Gap | No test for sequence rehydration after service restart | | TEST-3 | **HIGH** | Test Flaw | `MagicMock()` without `spec=` silently hides bugs in 3 files | | BUG-3 | **MEDIUM** | Bug | `delete_decision` behavior diverges between persisted/in-memory modes | | BUG-4 | **MEDIUM** | Bug | `mark_superseded` doesn't validate replacement decision exists | | BUG-5 | **MEDIUM** | Bug | `get_tree` silently drops orphaned decisions | | SEC-1 | **MEDIUM** | Security | No size limit on `actor_reasoning` (log injection / storage exhaustion) | | PERF-1 | **MEDIUM** | Performance | `count_decisions` loads all objects just to count | | PERF-2 | **MEDIUM** | Performance | No pagination on any list method | | TEST-4 | **MEDIUM** | Test Flaw | `UnitOfWork.__new__()` anti-pattern in 4 places | | TEST-5 | **MEDIUM** | Test Flaw | DI assertions use `>= 1` instead of exact counts | | TEST-6 | **MEDIUM** | Test Gap | Invalid `decision_type` string never tested | | TEST-7 | **MEDIUM** | Test Gap | `confidence_score` boundaries never tested | | SPEC-1 | **MEDIUM** | Spec Gap | Sequence uniqueness enforcement missing per spec schema | | BUG-6 | LOW | Bug | `SnapshotStore` lost on restart (not persisted) | | BUG-7 | LOW | Bug | Dead code `_decision_seq` / `_next_seq` in `PlanLifecycleService` | | SEC-2-4 | LOW | Security | Truncated hash, unbounded hash index, `tempfile.mktemp` | | SPEC-2-4 | LOW | Spec | Missing exports, doc inaccuracies, loose typing | | TEST-8-10 | LOW | Test | Weak assertions, Robot subset, no DB-mode benchmarks | --- **Recommendation:** The HIGH-severity items (BUG-1, BUG-2, TEST-1, TEST-2, TEST-3) should be addressed before merge. BUG-1 in particular is a data integrity risk in any deployment that restarts the service, and the lack of a test for it (TEST-2) means it would go undetected until production.
hamza.khyari force-pushed feature/m4-decision-service from cd641a8931
All checks were successful
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 17s
Details
CI / quality (pull_request) Successful in 18s
Details
CI / build (pull_request) Successful in 28s
Details
CI / security (pull_request) Successful in 37s
Details
CI / typecheck (pull_request) Successful in 59s
Details
CI / integration_tests (pull_request) Successful in 3m43s
Details
CI / unit_tests (pull_request) Successful in 10m18s
Details
CI / docker (pull_request) Successful in 1m0s
Details
CI / benchmark-regression (pull_request) Successful in 21m22s
Details
CI / coverage (pull_request) Successful in 1h22m59s
Details
to 2a9606cb72
All checks were successful
CI / security (pull_request) Successful in 36s
Details
CI / typecheck (pull_request) Successful in 37s
Details
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / build (pull_request) Successful in 20s
Details
CI / lint (pull_request) Successful in 1m20s
Details
CI / quality (pull_request) Successful in 1m22s
Details
CI / unit_tests (pull_request) Successful in 2m37s
Details
CI / integration_tests (pull_request) Successful in 2m58s
Details
CI / docker (pull_request) Successful in 40s
Details
CI / coverage (pull_request) Successful in 4m19s
Details
CI / benchmark-regression (pull_request) Successful in 24m9s
Details
2026-03-03 03:17:39 +00:00 Compare
aditya approved these changes 2026-03-03 08:41:32 +00:00
Dismissed
hamza.khyari force-pushed feature/m4-decision-service from 2a9606cb72
All checks were successful
CI / security (pull_request) Successful in 36s
Details
CI / typecheck (pull_request) Successful in 37s
Details
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / build (pull_request) Successful in 20s
Details
CI / lint (pull_request) Successful in 1m20s
Details
CI / quality (pull_request) Successful in 1m22s
Details
CI / unit_tests (pull_request) Successful in 2m37s
Details
CI / integration_tests (pull_request) Successful in 2m58s
Details
CI / docker (pull_request) Successful in 40s
Details
CI / coverage (pull_request) Successful in 4m19s
Details
CI / benchmark-regression (pull_request) Successful in 24m9s
Details
to c2f8bc0eaf
Some checks failed
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 15s
Details
CI / build (pull_request) Successful in 16s
Details
CI / quality (pull_request) Successful in 18s
Details
CI / security (pull_request) Successful in 32s
Details
CI / typecheck (pull_request) Failing after 34s
Details
CI / coverage (pull_request) Has been skipped
Details
CI / benchmark-regression (pull_request) Has been skipped
Details
CI / unit_tests (pull_request) Successful in 2m16s
Details
CI / docker (pull_request) Has been skipped
Details
CI / integration_tests (pull_request) Successful in 2m51s
Details
2026-03-03 12:20:26 +00:00 Compare
hamza.khyari dismissed aditya's review 2026-03-03 12:20:26 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

hamza.khyari scheduled this pull request to auto merge when all checks succeed 2026-03-03 12:21:15 +00:00
hamza.khyari force-pushed feature/m4-decision-service from c2f8bc0eaf
Some checks failed
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 15s
Details
CI / build (pull_request) Successful in 16s
Details
CI / quality (pull_request) Successful in 18s
Details
CI / security (pull_request) Successful in 32s
Details
CI / typecheck (pull_request) Failing after 34s
Details
CI / coverage (pull_request) Has been skipped
Details
CI / benchmark-regression (pull_request) Has been skipped
Details
CI / unit_tests (pull_request) Successful in 2m16s
Details
CI / docker (pull_request) Has been skipped
Details
CI / integration_tests (pull_request) Successful in 2m51s
Details
to 33a9d1e7d8
Some checks failed
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 14s
Details
CI / build (pull_request) Successful in 14s
Details
CI / quality (pull_request) Successful in 27s
Details
CI / security (pull_request) Successful in 29s
Details
CI / typecheck (pull_request) Successful in 32s
Details
CI / docker (pull_request) Has been skipped
Details
CI / integration_tests (pull_request) Successful in 4m0s
Details
CI / coverage (pull_request) Successful in 4m6s
Details
CI / unit_tests (pull_request) Failing after 2m8s
Details
CI / benchmark-regression (pull_request) Successful in 24m16s
Details
2026-03-03 12:25:07 +00:00 Compare
hamza.khyari force-pushed feature/m4-decision-service from 33a9d1e7d8
Some checks failed
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 14s
Details
CI / build (pull_request) Successful in 14s
Details
CI / quality (pull_request) Successful in 27s
Details
CI / security (pull_request) Successful in 29s
Details
CI / typecheck (pull_request) Successful in 32s
Details
CI / docker (pull_request) Has been skipped
Details
CI / integration_tests (pull_request) Successful in 4m0s
Details
CI / coverage (pull_request) Successful in 4m6s
Details
CI / unit_tests (pull_request) Failing after 2m8s
Details
CI / benchmark-regression (pull_request) Successful in 24m16s
Details
to 0e36755db9
All checks were successful
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / lint (pull_request) Successful in 14s
Details
CI / build (pull_request) Successful in 14s
Details
CI / quality (pull_request) Successful in 16s
Details
CI / security (pull_request) Successful in 31s
Details
CI / typecheck (pull_request) Successful in 43s
Details
CI / unit_tests (pull_request) Successful in 2m18s
Details
CI / integration_tests (pull_request) Successful in 2m53s
Details
CI / docker (pull_request) Successful in 39s
Details
CI / coverage (pull_request) Successful in 3m58s
Details
CI / benchmark-regression (pull_request) Successful in 24m44s
Details
2026-03-03 12:53:31 +00:00 Compare
Sign in to join this conversation.
Reviewers
No reviewers
CoreRasurae
Labels
Clear labels   
auto/needs-reevaluation
Controller deferred this PR; awaiting Phase 6+ scope-evaluator or operator re-enablement.

  
controller-managed
Auto-agents controller manages this PR/issue (see tools/controller/deploy/RUNBOOK.md). Remove this label to abandon controller management.

  
auto/blocked-by-deps
PR blocked by an open issue dependency. Operator must close the dep (or remove the dependency link) before the merge driver can act. Auto-cleared by merge_drive when no open deps remain.

  
auto/ci-timeout
Most recent merge cycle hit CI timeout. Driver excludes this PR while last merge_cycle row is < 30 min old; label persists thereafter as visible history.

  
auto/claimed-implementer
Currently being processed by an implementer worker.

  
auto/claimed-merge
Currently being processed by the merge driver.

  
auto/claimed-reviewer
Currently being processed by a reviewer worker.

  
auto/driver-down
Merge driver heartbeat stale; pipeline halted. Closed automatically on next clean tick.

  
auto/invariant-violation
Detected master commit violating the strict merge invariant. Tracked as an issue (not a PR label); kept here for label completeness.

  
auto/last-attempt-tier-0
In-cycle escalation: most recent attempt ran at the Tier 0 slot (`tier-0`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-1
In-cycle escalation: most recent attempt ran at the Tier 1 slot (`tier-1`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-2
In-cycle escalation: most recent attempt ran at the Tier 2 slot (`tier-2`). Slot's model defined in .opencode/models/tiers.yaml. Gated behind IMPLEMENTER_ESCALATION_TIER2_ENABLED.

  
auto/last-attempt-tier-min
In-cycle escalation: most recent attempt ran at the Tier -1 slot (`tier-min`). Slot's model defined in .opencode/models/tiers.yaml. Suffix is ``-min`` (not ``--1``) so the Forgejo UI reads naturally.

  
Automation Tracking
Tracking issues used by the AI Automation system for agents to communicate and report.

  
auto/needs-conflict-resolution
Rebase conflict needs LLM conflict-resolver.

  
auto/needs-implementer
Failing CI needs implementer attention.

  
auto/postmortem
Documenting a driver incident or rollback.

  
auto/ready-to-merge
Reviewer has APPROVED this PR and no later REQUEST_CHANGES is outstanding. The merge driver requires this label to even consider a PR for merging. Set by the reviewer worker on APPROVE; cleared on REQUEST_CHANGES.

  
auto/restart-throttled
Train repeatedly lost master-tempo races. Driver excludes via merge_cycle until cooldown elapses; label persists as visible history.

  
auto/revert
Revert PR backing out an invariant violation. Fast-tracked through the merge driver.

  
auto/sentinel
Sentinel PR duplicated from upstream into a personal fork by tools/duplicate_prs_to_fork.py for pipeline testing. Lives only in the fork; the canonical pipeline never sees it.

  
auto/stale-inactivity
No implementer activity for N days. Flagged for human review. Auto-cleared on next push to head branch.

  
auto/unstable
Repeatedly fails on current master (>= 3 ci-fail-on-rebased-sha releases in 12 h). Excluded from driver until human triage.

  
Blocked
A ticket in a blocked state and unable to complete until some other task is completed first.

  
Bounty
$100
 A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$1000
 A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$10000
 A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$20
 A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$2000
 A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$250
 A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$50
 A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$500
 A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$5000
 A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$750
 A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  
MoSCoW
Could have
 Could have feature in order to satisfy the epic/legendary.

  
MoSCoW
Must have
 Must have feature in order to satisfy the epic/legendary.

  
MoSCoW
Should have
 Should have feature in order to satisfy the epic/legendary.

  
Needs Feedback
There are questions in the ticket that can not be completed until the project owner provides clarity.

  
Points
1
 1 man-hours worth of work for an expert with no learning curve.

  
Points
13
 13 man-hours worth of work for an expert with no learning curve.

  
Points
2
 2 man-hours worth of work for an expert with no learning curve.

  
Points
21
 21 man-hours worth of work for an expert with no learning curve.

  
Points
3
 3 man-hours worth of work for an expert with no learning curve.

  
Points
34
 34 man-hours worth of work for an expert with no learning curve.

  
Points
5
 5 man-hours worth of work for an expert with no learning curve.

  
Points
55
 55 man-hours worth of work for an expert with no learning curve.

  
Points
8
 8 man-hours worth of work for an expert with no learning curve.

  
Points
88
 88 man-hours worth of work for an expert with no learning curve.

  
Priority
Backlog
 This ticket has backlogged priority and is not to be worked on yet

  
Priority
CI Blocker
 Critical priority issue that blocks CI/CD pipeline and prevents PR merges

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Signed-off: Owner
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Scrum Master
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Tech Lead
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Spike
A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  
State
Completed
 The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  
State
Duplicate
 A ticket that represents the same content as an existing ticket.

  
State
In Progress
 A ticket that is actively being developed.

  
State
In Review
 A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  
State
Paused
 This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  
State
Unverified
 All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  
State
Verified
 The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  
State
Wont Do
 This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  
Type
Automation
 Any edits or discussion about the AI automated coding system.

  
Type
Bug
 Something that doesnt work as intended.

  
Type
Discussion
 Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  
Type
Documentation
 An error or improvement needed in the documentation.

  
Type
Epic
 Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  
Type
Feature
 Some new functionality not present.

  
Type
Legendary
 A type of Epic which will contain other Epics.

  
Type
Refactor
 A code change that restructures existing code without changing its external behavior.

  
Type
Support
 Someone needs help using the project.

  
Type
Task
 A generic task that doesnt fit into the other type categories.

  
Type
Testing
 Work exclusively focusing on fixing or expanding testing.

No labels
auto/needs-reevaluation
controller-managed
auto/blocked-by-deps
auto/ci-timeout
auto/claimed-implementer
auto/claimed-merge
auto/claimed-reviewer
auto/driver-down
auto/invariant-violation
auto/last-attempt-tier-0
auto/last-attempt-tier-1
auto/last-attempt-tier-2
auto/last-attempt-tier-min
Automation Tracking
auto/needs-conflict-resolution
auto/needs-implementer
auto/postmortem
auto/ready-to-merge
auto/restart-throttled
auto/revert
auto/sentinel
auto/stale-inactivity
auto/unstable
Blocked
Bounty
$100
Bounty
$1000
Bounty
$10000
Bounty
$20
Bounty
$2000
Bounty
$250
Bounty
$50
Bounty
$500
Bounty
$5000
Bounty
$750
MoSCoW
Could have
MoSCoW
Must have
MoSCoW
Should have
Needs Feedback
Points
1
Points
13
Points
2
Points
21
Points
3
Points
34
Points
5
Points
55
Points
8
Points
88
Priority
Backlog
Priority
CI Blocker
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
State
Completed
State
Duplicate
State
In Progress
State
In Review
State
Paused
State
Unverified
State
Verified
State
Wont Do
Type
Automation
Type
Bug
Type
Discussion
Type
Documentation
Type
Epic
Type
Feature
Type
Legendary
Type
Refactor
Type
Support
Type
Task
Type
Testing
Milestone
Clear milestone
No items
No milestone
v3.2.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
hamza.khyari
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
#172 feat(service): add decision recording and snapshot store
cleveragents/cleveragents-core
Reference
cleveragents/cleveragents-core!433
No description provided.