Audit cycle: line-by-line + cross-platform (Debian/Ubuntu/WSL/Termux/ADB) #1

Closed
opened 2026-05-19 04:42:46 +00:00 by foravo_admin · 0 comments
Imported from GitHub issue M00C1FER/mesh-review#14.

Source: https://github.com/M00C1FER/mesh-review/issues/14
Original author: @M00C1FER
Original state: closed


Senior-developer cycle: line-by-line audit + cross-platform verification

You are operating as a senior GitHub developer auditing this repo end-to-end. Stay in autopilot — do not ask permission per step.

Goals

  1. Line-by-line audit — read every source file end-to-end. Fix what's wrong: dead code, swallowed errors, off-by-one, missing edge-case handling, inconsistent naming, stale comments, docstring↔implementation drift.
  2. Doc↔code truthfulness — verify README claims actually match what the code does. If the README says "X" and the code does "Y", fix one of them. Update CLAUDE.md / AGENTS.md / GEMINI.md / COPILOT.md (if any) similarly.
  3. Cross-platform functionality matrix — the project must work cleanly on:
    • Debian 12 / 13 (Trixie)
    • Ubuntu 22.04 LTS / 24.04 LTS
    • Arch (rolling) and Fedora (latest stable) — best-effort, document caveats
    • Alpine (musl libc) — flag any glibc-only assumptions
    • WSL2 (Windows Subsystem for Linux, Ubuntu base) — verify no Linux-only /proc, /sys, or systemd assumptions break it
    • Termux (Android, arm64) — pkg install-able dependencies; no /etc/passwd-style assumptions; document install in README
    • ADB-WiFi for modern Android — only if the repo's purpose intersects mobile-device operations (most don't — skip if not applicable)
  4. CI matrix expansion — add platform jobs to .github/workflows/ci.yml covering: ubuntu-22.04, ubuntu-24.04, ubuntu-latest, debian (via container), and alpine (via container). For repos with cross-platform CLI: also a macOS runner.
  5. Termux smoke — write scripts/install-termux.sh (if pkg-installable deps suffice) and a smoke test that runs in Termux's busybox-ish environment. Document running it in README under a "Termux" section.

Workflow

  1. Reconnaissance: read README + every source file. List discrepancies in a /tmp/audit-<repo>.md notes file.
  2. Reference comparison: gh search repos for 3-5 mature peers (≥100 stars). Note one cross-platform pattern from each in REFERENCES.md (extend the existing one if present).
  3. Implement fixes per category: correctness > cross-platform > docs > polish. One conventional-commit per logical change. Branch: copilot/audit-cycle-2026-05-02.
  4. After each commit: run the test suite. After all commits: run gitleaks (no secrets pushed).
  5. Open ONE PR with sections: Audit findings (per file or category), Cross-platform changes, CI matrix added, Termux notes, Test results before/after, Known follow-ups.

Hard constraints

  • Email: 243271903+M00C1FER@users.noreply.github.com on every commit. Verify with git config user.email before committing.
  • Never force-push, never commit secrets, gitleaks before push.
  • Don't change the public CLI/API surface without a very clear justification in the PR body (and consider deprecation aliases instead).
  • Don't add heavy runtime deps. Optional integrations live behind extras (pip install -e .[platform] style).
  • Resource awareness: the user's CI runner is GitHub-hosted (free tier); avoid jobs >10 min, avoid full-matrix expansions that 5x runtime.

Specific scope for this repo

Python — vendor-neutral by design.

  • Python matrix: 3.10/3.11/3.12 across ubuntu-22.04/24.04, alpine, macos-latest.
  • The CLI registry in 'mesh-review.yaml' must work cross-platform — verify no shell-specific quoting in the example configs (today they assume bash; check zsh + fish + cmd.exe paths).
  • Termux: where applicable, document running with a local Ollama as the falsifier (the OpenAI SDK falsifier added in #13 supports custom base_url).
  • WSL: the GitHub Action wrapper should detect WSL via 'uname -r' containing 'microsoft' and emit a warning if the user is running it locally rather than as an Action.
  • Audit every '.py' file. The Sigma falsification gate logic is the highest-risk surface (subtle off-by-one in confidence comparisons can make false positives or false negatives). Add property tests via Hypothesis covering the threshold edge cases.

Stop conditions

  • If a cross-platform claim is fundamentally infeasible (e.g. a daemon can't run in Termux due to bionic-libc limits), document it in the PR body as a known gap and continue.
  • If you spend >3 hours without shipping a PR, post a draft with what you have + the audit notes file and stop.
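The WSL detection asked for above ('uname -r' containing 'microsoft', warn when not running as an Action) as an added example; this is not code from the mesh-review project, and the function names, the Termux check via the PREFIX variable, and the sample release strings are assumptions/constructed:

```python
import os
import platform
from typing import Mapping, Optional

# Hypothetical helper names; not part of mesh-review.


def is_wsl(release: str) -> bool:
    """WSL1 and WSL2 kernels carry 'microsoft' in the uname release
    string; match case-insensitively (WSL1 used 'Microsoft')."""
    return "microsoft" in release.lower()


def is_termux(env: Mapping[str, str]) -> bool:
    """Termux exports PREFIX=/data/data/com.termux/files/usr."""
    return "com.termux" in env.get("PREFIX", "")


def running_in_actions(env: Mapping[str, str]) -> bool:
    """GitHub Actions sets GITHUB_ACTIONS=true in every job step."""
    return env.get("GITHUB_ACTIONS", "").lower() == "true"


def detect_platform(release: str, env: Mapping[str, str]) -> str:
    """Coarse label for the audit matrix: 'wsl', 'termux' or 'linux'."""
    if is_wsl(release):
        return "wsl"
    if is_termux(env):
        return "termux"
    return "linux"


def wsl_local_warning(release: Optional[str] = None,
                      env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return a warning when the Action wrapper is run by hand under WSL,
    otherwise None. Arguments default to the live system so tests can
    pass constructed values instead."""
    release = platform.uname().release if release is None else release
    env = os.environ if env is None else env
    if is_wsl(release) and not running_in_actions(env):
        return ("mesh-review: running under WSL (%s) outside GitHub Actions; "
                "results may not match the CI matrix" % release)
    return None


if __name__ == "__main__":
    print(detect_platform(platform.uname().release, os.environ))
    print(wsl_local_warning() or "no WSL warning")
```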