docs(arch): core boundaries, governance, doc.go archtest, enterprise extension boundaries (Phase 5 + 7)#112
Conversation
…CI arch-report, enterprise extension boundaries (Phase 5 + 7) Execute Phase 5 (core boundary tightening) and Phase 7 (governance and long-term maintenance): add docs/core-boundaries.md classifying all 35 internal/core/* packages by role (use-case orchestration, policy, state seam, canonical contract, support) with adapter-leakage risk; add the 6-question core admission checklist; require doc.go for every core package via TestCorePackagesHaveDocGo archtest (14 doc.go files added for packages that lacked one); add the architecture PR checklist to docs/architecture-guardrails.md; add CI arch-report artifact upload to .github/workflows/qa.yml (advisory, non-failing); add docs/enterprise-extension-boundaries.md defining allowed (pkg/lipsdk facades, BuildOptions, control-plane ports, hook bus, secure-session authority) and forbidden (editing runtime.Executor, importing deep runtime internals, forking the composition root) enterprise integration points. Co-authored-by: Cursor <cursoragent@cursor.com>
|
Warning Review limit reached
Next review available in: 42 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThis PR adds architecture governance documentation (core-boundaries.md, enterprise-extension-boundaries.md, and updates to architecture-guardrails.md), a new archtest enforcing doc.go presence in internal/core packages, doc.go files for fourteen existing core packages, and a QA workflow step that generates and uploads an architecture report artifact. ChangesCore boundary governance and enforcement
QA Workflow Architecture Report
Estimated code review effort: 2 (Simple) | ~10 minutes Related issues: None specified. Related PRs: None specified. Suggested labels: documentation, architecture, ci Suggested reviewers: matdev83 🐰 A doc.go here, a doc.go there, 🚥 Pre-merge checks | ✅ 8✅ Passed checks (8 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The QA workflow step "Architecture report (advisory artifact)" ran "make arch-report > arch-report.md", writing the generated report into the repo root. The pre-existing TestRootHygiene_MarkdownFiles (internal/qa) only permits AGENTS.md and README.md at root, so the Unit tests step failed in CI with "disallowed markdown in repo root: [arch-report.md]". Redirect the report to the runner temp dir (outside the repo tree) and upload from there; upload-artifact@v4 accepts absolute paths. The hygiene invariant and the advisory artifact upload are both preserved; no check is weakened. Reproduced locally: creating arch-report.md in root -> TestRootHygiene_MarkdownFiles fails with the exact CI message; removing it -> passes. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/qa.yml:
- Line 33: The workflow uses actions/upload-artifact@v4 by tag instead of a
pinned commit SHA, which static analysis flags as an unpinned action reference.
If supply-chain hardening is desired, update the upload-artifact step to use a
specific commit SHA and keep it aligned with the existing pinned-action
convention used in this workflow.
In `@docs/architecture-guardrails.md`:
- Around line 53-57: The admission checklist text overstates the scope of
TestCorePackagesHaveDocGo, since that archtest only applies to immediate
internal/core/* packages with top-level non-test Go files, not nested packages
like internal/core/securesession/app. Update the wording in the architecture
guardrails doc to say “top-level core packages” wherever the test coverage is
described, or broaden the test first if you want to keep claiming all core
packages are covered. Keep the references aligned with docs/core-boundaries.md
and TestCorePackagesHaveDocGo.
In `@docs/core-boundaries.md`:
- Around line 3-17: The package classification table in core-boundaries is
incomplete because it only lists top-level internal/core packages and omits
nested packages, so update the document to either explicitly scope it to
immediate children or add the missing nested entries. Use the existing
classification table in docs/core-boundaries.md and ensure nested symbols such
as internal/core/securesession/app, internal/core/tokenaccounting/app, and
internal/core/runtime/failclosed are covered so the admission checklist includes
them.
In `@internal/archtest/core_docgo_test.go`:
- Around line 24-40: Handle the per-directory os.ReadDir failure in
core_docgo_test.go instead of discarding it. In the loop that builds dir and
reads subEntries, capture the error from os.ReadDir(dir) and fail the test with
t.Fatal/t.Fatalf so unreadable directories do not get silently skipped. Keep the
change localized to the directory scan logic around the subEntries read and the
hasNonTestGo check.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 9ce03eeb-1f41-4f17-9656-abba649d8417
📒 Files selected for processing (19)
.github/workflows/qa.ymldocs/architecture-guardrails.mddocs/core-boundaries.mddocs/enterprise-extension-boundaries.mdinternal/archtest/core_docgo_test.gointernal/core/accounting/doc.gointernal/core/affinity/doc.gointernal/core/auxreq/doc.gointernal/core/execbackend/doc.gointernal/core/interleavedstate/doc.gointernal/core/interleavedthinking/doc.gointernal/core/jsonpresence/doc.gointernal/core/leglifecycle/doc.gointernal/core/lineage/doc.gointernal/core/modelregistry/doc.gointernal/core/policy/doc.gointernal/core/streamrecovery/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.go
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
- GitHub Check: qa
🧰 Additional context used
📓 Path-based instructions (5)
**/*.go
📄 CodeRabbit inference engine (Custom checks)
**/*.go: For server, CLI, worker, or network Go code, ensurecontext.Contextis propagated correctly, cancellation is respected, and new goroutines cannot leak indefinitely.
Do not make accidental public API breaks in Go code: underpkg/**or anywhere exported Go identifiers are changed, warn if the PR changes exported types, function signatures, error behavior, JSON fields, CLI flags, config keys, or documented behavior without clearly explaining the compatibility impact.
Files:
internal/core/lineage/doc.gointernal/core/streamrecovery/doc.gointernal/core/interleavedstate/doc.gointernal/core/leglifecycle/doc.gointernal/core/policy/doc.gointernal/core/execbackend/doc.gointernal/core/modelregistry/doc.gointernal/core/accounting/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.gointernal/core/jsonpresence/doc.gointernal/core/auxreq/doc.gointernal/core/affinity/doc.gointernal/core/interleavedthinking/doc.gointernal/archtest/core_docgo_test.go
⚙️ CodeRabbit configuration file
**/*.go: Review as production Go code. Prioritize correctness, race conditions, goroutine leaks, context cancellation, timeout handling, error wrapping, nil-pointer risks, resource cleanup, defer placement, API compatibility, interface design, dependency boundaries, and testability. Avoid generic style comments when gofmt/golangci-lint already covers the issue.
Files:
internal/core/lineage/doc.gointernal/core/streamrecovery/doc.gointernal/core/interleavedstate/doc.gointernal/core/leglifecycle/doc.gointernal/core/policy/doc.gointernal/core/execbackend/doc.gointernal/core/modelregistry/doc.gointernal/core/accounting/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.gointernal/core/jsonpresence/doc.gointernal/core/auxreq/doc.gointernal/core/affinity/doc.gointernal/core/interleavedthinking/doc.gointernal/archtest/core_docgo_test.go
**/*
📄 CodeRabbit inference engine (Custom checks)
Do not introduce hardcoded credentials, API keys, tokens, private keys, passwords, production secrets, or sensitive internal URLs.
Files:
internal/core/lineage/doc.gointernal/core/streamrecovery/doc.gointernal/core/interleavedstate/doc.godocs/enterprise-extension-boundaries.mdinternal/core/leglifecycle/doc.gointernal/core/policy/doc.gointernal/core/execbackend/doc.gointernal/core/modelregistry/doc.gointernal/core/accounting/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.gointernal/core/jsonpresence/doc.godocs/core-boundaries.mdinternal/core/auxreq/doc.gointernal/core/affinity/doc.gointernal/core/interleavedthinking/doc.gointernal/archtest/core_docgo_test.godocs/architecture-guardrails.md
internal/**
⚙️ CodeRabbit configuration file
internal/**: Focus on package boundaries, hidden coupling, unexported API design, concurrency safety, deterministic behavior, and whether logic belongs in this internal package.
Files:
internal/core/lineage/doc.gointernal/core/streamrecovery/doc.gointernal/core/interleavedstate/doc.gointernal/core/leglifecycle/doc.gointernal/core/policy/doc.gointernal/core/execbackend/doc.gointernal/core/modelregistry/doc.gointernal/core/accounting/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.gointernal/core/jsonpresence/doc.gointernal/core/auxreq/doc.gointernal/core/affinity/doc.gointernal/core/interleavedthinking/doc.gointernal/archtest/core_docgo_test.go
.github/workflows/**
⚙️ CodeRabbit configuration file
.github/workflows/**: Review CI changes for Go version consistency, caching correctness, reproducibility, permissions minimization, race detector usage where appropriate, and whether tests/linting actually run on pull requests.
Files:
.github/workflows/qa.yml
**/*_test.go
⚙️ CodeRabbit configuration file
**/*_test.go: Review tests for meaningful assertions, table-driven coverage, race-prone tests, t.Parallel misuse, nondeterminism, leaked goroutines, real network or filesystem dependencies, fragile sleeps, and missing edge cases. Prefer testing observable behavior over implementation details.
Files:
internal/archtest/core_docgo_test.go
🧠 Learnings (1)
📚 Learning: 2026-07-01T22:57:42.953Z
Learnt from: matdev83
Repo: matdev83/go-llm-interactive-proxy PR: 101
File: pkg/lipsdk/scope/context.go:0-0
Timestamp: 2026-07-01T22:57:42.953Z
Learning: In this repository, when defining unexported Go `context` key constants of type `ctxKey int` (e.g., `const ( kFoo ctxKey = iota + N )`), preserve the `iota + <offset>` pattern and keep the existing `<offset>` values rather than simplifying to plain `iota`. These per-package offsets are part of the repo-wide convention to avoid key collisions across packages, and each such constant set should include a short explanatory comment (for example: “offset avoids collision with other packages' context keys”).
Applied to files:
internal/core/lineage/doc.gointernal/core/streamrecovery/doc.gointernal/core/interleavedstate/doc.gointernal/core/leglifecycle/doc.gointernal/core/policy/doc.gointernal/core/execbackend/doc.gointernal/core/modelregistry/doc.gointernal/core/accounting/doc.gointernal/core/traffic/doc.gointernal/core/workspace/doc.gointernal/core/jsonpresence/doc.gointernal/core/auxreq/doc.gointernal/core/affinity/doc.gointernal/core/interleavedthinking/doc.gointernal/archtest/core_docgo_test.go
🪛 LanguageTool
docs/enterprise-extension-boundaries.md
[grammar] ~34-~34: Ensure spelling is correct
Context: ...ildOptions.Extensions.CompletionGates; BuildOptions.Policy.PolicyTimeoutBudgetSource`. | | Custom backends | Backend plugin v...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
🪛 zizmor (1.26.1)
.github/workflows/qa.yml
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔇 Additional comments (13)
.github/workflows/qa.yml (1)
25-38: Advisory report/upload logic is sound.The
continue-on-error: trueon the generation step plusif: always()and the defaultif-no-files-found: warnbehavior onactions/upload-artifact@v4together ensure this stays non-failing even ifmake arch-reporterrors out or produces no file, matching the PR's stated advisory intent.docs/architecture-guardrails.md (1)
58-71: LGTM!docs/enterprise-extension-boundaries.md (1)
1-46: LGTM!internal/core/streamrecovery/doc.go (1)
1-2: LGTM!internal/core/traffic/doc.go (1)
1-2: LGTM!internal/core/workspace/doc.go (1)
1-2: LGTM!internal/core/accounting/doc.go (1)
1-1: 📐 Maintainability & Code Quality | ⚡ Quick winGarbled package comment.
// Package accounting Usage accounting price catalog and cost estimation.reads as broken English (redundant "accounting"/"Usage" mid-sentence), unlike the siblingdoc.gofiles (e.g. leglifecycle, lineage, modelregistry, policy) which use clean noun-phrase descriptions. Since this PR's purpose is documentation quality, this comment should be cleaned up.✏️ Proposed fix
-// Package accounting Usage accounting price catalog and cost estimation. +// Package accounting provides usage accounting, price catalog, and cost estimation. package accountinginternal/core/affinity/doc.go (1)
1-2: LGTM!internal/core/auxreq/doc.go (1)
1-2: LGTM!internal/core/execbackend/doc.go (1)
1-2: LGTM!internal/core/interleavedstate/doc.go (1)
1-2: LGTM!internal/core/interleavedthinking/doc.go (1)
1-2: LGTM!internal/core/jsonpresence/doc.go (1)
1-2: LGTM!
Resolve 3 of 4 CodeRabbit review comments (the 4th, pinning upload-artifact to a SHA, is a pre-existing repo-wide convention and out of scope for this docs/arch PR; dismissed with reasoning on the thread). - internal/archtest/core_docgo_test.go: handle the per-directory os.ReadDir error instead of discarding it. An unreadable internal/core/* subdirectory would otherwise be silently treated as having no non-test .go files and skipped, defeating the doc.go enforcement the test exists to guarantee. - docs/architecture-guardrails.md, docs/core-boundaries.md: clarify that TestCorePackagesHaveDocGo and the package classification table cover top-level internal/core/* packages; nested sub-packages inherit their parent's classification. This aligns the docs with the test's actual scope (it iterates immediate children of internal/core only). Verified: go test -tags=precommit ./internal/archtest/ passes; full repo golangci-lint v2.11.4 run -> 0 issues; go build ./... OK. Co-authored-by: Cursor <cursoragent@cursor.com>
Reconcile PR #114 with PR #111's pluginreg -> standardplugins/featurebundle refactor (now on main) plus PR #112's docs/archtest and the executor characterization tests. PR #114's native FeatureBundle + per-frontend mounts supersede main's moved featurebundle.go and frontends_install.go. Conflict resolutions: - internal/standardplugins/types.go (add/add): take main's gofumpt-fixed type-alias group. - internal/featurebundle/featurebundle.go and internal/standardplugins/ frontends_install.go (rename/delete + modify/delete): deleted, honoring PR #114's native FeatureBundle and per-frontend mount.go design which replaces them. - internal/standardplugins/standard_table.go and three test files (custom_registry_hooks_test.go, feature_merge_test.go, registry_zero_test.go): take PR #114's direct FeatureFactory registration (factories return lipfeature.FeatureBundle directly; no featurebundle.FeatureFactoryFromHooks wrapping). - testdata/architecture/hexagonal_migration_baseline.json: take PR #114's evolved classifications (pluginreg and standardplugins reclassified to aligned; featurebundle holds the MergedFeatureSurface merge surface; FeatureFactoryFromHooks bridge retired). Verified locally: go build ./... OK; golangci-lint v2.11.4 run -> 0 issues; full go test -tags=precommit,integration ./... passes (includes the hexagonal baseline archtest and root hygiene checks). Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
docs/core-boundaries.mdclassifies all 35internal/core/*packages by role (use-case orchestration / policy / state seam / canonical contract / support) with adapter-leakage risk. The 6-question core admission checklist is included.TestCorePackagesHaveDocGoarchtest requires every core package to havedoc.go(14 added for packages that lacked one).docs/architecture-guardrails.md. CIarch-reportartifact upload added to.github/workflows/qa.yml(advisory, non-failing,continue-on-error).docs/enterprise-extension-boundaries.mddefines allowed (pkg/lipsdkfacades,BuildOptions, control-plane ports, hook bus, secure-session authority) and forbidden (editingruntime.Executor, importing deep runtime internals, forking the composition root) enterprise integration points.Test plan
TestCorePackagesHaveDocGopasses (all 33 core packages with .go files have doc.go)make quality-checks(gofmt, tidy, build, vet, goroutine allowlist, regex hotpath, archtest)make test-unit(zero failing packages)