chore: CI security hardening, CLI improvements, conformance tests, docs housekeeping#415
Merged
Conversation
…ISTORY The Stage 9 entry for v0.0.102 conflated compiler fixes with tooling/website changes. Split them correctly: - Stage 9 now contains only the three compiler bug fixes (#335, #360, #326) - CLI typed argument passing (#263) moved to Editor and tooling section, alongside vera fmt / vera test / conformance suite (same category) - Agent discovery metadata (#400) moved to Editor and tooling section, alongside the earlier AI discoverability entry (20 Mar) Also remove the hardcoded "30 development days" from ROADMAP.md references to HISTORY.md -- the count will change and the link speaks for itself. Fix stale test count 3,120 -> 3,121 in ROADMAP completed-phases summary line. Co-Authored-By: Claude <noreply@anthropic.invalid>
📝 WalkthroughWalkthroughBumps release to v0.0.103; adds Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested labels
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #415 +/- ##
==========================================
- Coverage 90.31% 90.30% -0.01%
==========================================
Files 49 49
Lines 19147 19163 +16
Branches 220 220
==========================================
+ Hits 17292 17306 +14
- Misses 1851 1853 +2
Partials 4 4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@ROADMAP.md`:
- Line 219: Update the test count in the ROADMAP.md summary so the two
occurrences match: replace the outdated "**3,120**" entry with "**3,121**" (the
same value used in the header "**3,121** tests") to keep project metrics
consistent; locate the string "**3,120**" and change it to "**3,121**".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: eabb06d8-c7b7-4e12-af0c-2df76ab256d1
📒 Files selected for processing (2)
HISTORY.mdROADMAP.md
Co-Authored-By: Claude <noreply@anthropic.invalid>
Co-Authored-By: Claude <noreply@anthropic.invalid>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@ROADMAP.md`:
- Line 11: Update the ROADMAP entry for Phase 3b to resolve the inconsistency
with issue `#400`: inspect the referenced issue (`#400`) and determine whether it
covers "Multi-layer agent discovery metadata" only or also the UI task "Move
'For Agents' section above the fold"; then either remove the Phase 3b bullet
that references "[`#400`] Move 'For Agents' section above the fold" if `#400` is
fully complete, or replace that bullet with a new distinct issue reference (or
clarify the text) that explicitly describes the pending website/layout task so
Phase 3b and v0.0.102 remain consistent with the CHANGELOG and release notes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: edcf6363-8ba1-480f-ad3f-7bd03977f5ca
📒 Files selected for processing (2)
HISTORY.mdROADMAP.md
…384) Add `ruff check --select S vera/` to the lint CI job (#388). All 32 S-rule findings audited and annotated with # noqa where suppression is appropriate: - S310 (urlopen): intentional HTTPS calls to Anthropic/OpenAI/Moonshot APIs and the <Http> effect handler (user-supplied URLs are the entire point) - S101 (assert): internal compiler invariants in wasmtime host callbacks and monomorphizer -- never reachable via normal execution if the compiler is correct; suppression is explicit acknowledgement, not avoidance - S105 (hardcoded password): false positives on `token == "{"` parse-token comparisons in errors.py Add `dependency-audit` CI job running `pip-audit --strict` (#384). Checks all installed packages against the OSV vulnerability database on every push and PR, catching CVEs in lark, z3-solver, wasmtime, or transitive deps. Update TESTING.md: lint row notes ruff S rules, new dependency-audit row, "five" -> "six" parallel jobs. Co-Authored-By: Claude <noreply@anthropic.invalid>
Fix two zizmor finding categories in ci.yml: - artipacked: add `persist-credentials: false` to all checkout steps so the temporary GITHUB_TOKEN is never baked into .git/config where a compromised subsequent step could use it to push - excessive-permissions: replace implicit default permissions with explicit per-job `permissions: contents: read` blocks; the security job additionally gets `security-events: write` so Gitleaks can post results to the Security tab The remaining zizmor findings (unpinned-uses, secrets-outside-env) are intentionally deferred: unpinned-uses requires SHA-pinning every action reference and ongoing Dependabot maintenance (tracked in #390); CODECOV_TOKEN outside a named environment is low risk and would require GitHub environment setup for minimal gain. Also remove closed issues #397 and #399 from Phase 3b in ROADMAP.md (both shipped in v0.0.102). Reopen #400 — the "For Agents above the fold" layout change was not done in v0.0.102 (only the metadata layers were); keep in Phase 3b. Co-Authored-By: Claude <noreply@anthropic.invalid>
All three shipped in v0.0.102. #400 (agent discovery metadata / For Agents section) is done per the discoverability work in that release. Co-Authored-By: Claude <noreply@anthropic.invalid>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 105-106: The CI step named "Security lint (ruff S rules)" calls
the ruff CLI (`ruff check --select S vera/`) but Ruff isn't installed by the
workflow; either add Ruff to dev dependencies in pyproject.toml or ensure the
workflow installs it before this step (e.g., a separate `pip install ruff` or
include it in the `pip install -e ".[dev]"` target). Update the workflow so the
step that runs `ruff check --select S vera/` has the ruff binary available, and
keep the step name "Security lint (ruff S rules)" and command `ruff check
--select S vera/` unchanged.
In `@vera/codegen/api.py`:
- Around line 1967-1968: The urllib.request.urlopen calls in the Http effect are
missing explicit timeouts; update both occurrences (the one using "with
urllib.request.urlopen(url) as resp:" at ~1967 and the second similar call at
~1995) to pass timeout=_INFERENCE_TIMEOUT so they behave like other callers
using _INFERENCE_TIMEOUT (60s); ensure you add the timeout keyword to each
urlopen(...) invocation and keep using the existing _INFERENCE_TIMEOUT constant.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: be91df04-1392-406b-ad25-a8d864293335
⛔ Files ignored due to path filters (1)
docs/sitemap.xmlis excluded by!docs/**
📒 Files selected for processing (7)
.github/workflows/ci.ymlTESTING.mdvera/codegen/api.pyvera/codegen/monomorphize.pyvera/errors.pyvera/wasm/calls.pyvera/wasm/markdown.py
…TP timeouts - Add ruff>=0.9 to pyproject.toml dev deps so the lint job can run `ruff check --select S vera/` without an extra install step (#388) - Switch pip-audit from `--strict` to `--skip-editable` so the dependency-audit job succeeds despite vera being a local editable install; suppress CVE-2026-4539 in pygments 2.19.2 (transitive via pytest/rich, no fix release available yet) (#384) - Add `timeout=_INFERENCE_TIMEOUT` to both urlopen calls in the Http effect host functions (http_get, http_post) for consistency with the Inference effect, which already set a 60 s timeout Co-Authored-By: Claude <noreply@anthropic.invalid>
Add paragraph explaining scoped per-job permissions, persist-credentials:false on all checkouts, and the deferred SHA-pinning (#390). Co-Authored-By: Claude <noreply@anthropic.invalid>
New `sbom` job runs on every push/PR: installs `cyclonedx-bom`, generates a CycloneDX JSON SBOM of the full installed dependency tree via `cyclonedx-py environment`, and uploads it as a 90-day CI artifact. Closes #389 Co-Authored-By: Claude <noreply@anthropic.invalid>
--output-format and --outfile are not valid; correct flags are --of <format> and -o <file>. Co-Authored-By: Claude <noreply@anthropic.invalid>
This was referenced Mar 29, 2026
…ntent-Type Add vera version / --version / -V CLI command; prints 'vera X.Y.Z' (#381). Thin wrapper around vera.__version__, handled before the len(args) < 2 guard. Improve vera test skip messages to name unsupported types (#383): SKIPPED (cannot generate String inputs (see #169)) Http POST now sends Content-Type: application/json in both the Python host function (urllib.request.Request headers) and browser runtime (setRequestHeader). Strict JSON APIs previously rejected POST bodies without this header (#354). Closes #354 Closes #381 Closes #383 Co-Authored-By: Claude <noreply@anthropic.invalid>
This was referenced Mar 29, 2026
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@vera/cli.py`:
- Around line 973-975: Remove the unreachable duplicate version dispatch in the
CLI command dispatch: delete the redundant "if command in (\"version\",
\"--version\", \"-V\"): sys.exit(cmd_version())" branch found near the dispatch
that precedes "elif command == 'parse'"; ensure you only remove that duplicate
block (leaving the earlier, correct version handling intact) so the command
variable is dispatched once.
- Around line 877-883: The help text is stale — update the USAGE string so the
new "version" command and its aliases ("--version", "-V") are listed and
discoverable; modify the USAGE constant (USAGE) to include a short line for
"version" and ensure the existing args handling block (the if not args or
args[0] in ("version", "--version", "-V") branch) still calls cmd_version() for
those tokens so the behavior and help text match.
In `@vera/codegen/api.py`:
- Around line 1992-1996: The POST implementation currently hardcodes the header
"Content-Type: application/json" (see the urllib.request.Request creation in
Http.post), which prevents sending non-JSON bodies; either make the Content-Type
header configurable by accepting headers or a content_type parameter in
Http.post and pass that through to urllib.request.Request, or—if the JSON-only
restriction is intentional to match runtime.mjs—add a clear comment and update
the Http effect specification and conformance test comments to document that
Http.post only supports application/json payloads. Ensure references to
Http.post and runtime.mjs are updated so future readers know this is a
deliberate constraint or how to change it.
In `@vera/tester.py`:
- Around line 246-253: Extract the duplicated comprehension that builds
unsupported_names into a single helper function (e.g.,
get_unsupported_type_names(param_types)) and call it from both sites instead of
repeating the comprehension; the helper should accept param_types, compute
sorted({ t.name if isinstance(t, PrimitiveType) else type(t).__name__ for pt in
param_types for t in (base_type(pt),) if t not in _Z3_SUPPORTED }), and return
the list used to form skip_reason and other messages, then update references
where unsupported_names is constructed (locations around the current block and
the other occurrence near lines 435-444) to call this helper and keep
summary.skipped increment and skip_reason construction unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: cd06ec48-b2dc-412d-bb5c-99a678254ddf
📒 Files selected for processing (9)
.github/workflows/ci.ymlTESTING.mdpyproject.tomltests/test_cli.pytests/test_tester.pyvera/browser/runtime.mjsvera/cli.pyvera/codegen/api.pyvera/tester.py
- SECURITY.md: add CI Security Practices section documenting ruff S rules, pip-audit, CycloneDX SBOM, Gitleaks, workflow hardening (persist-credentials, per-job permissions, deferred SHA-pinning #390) - KNOWN_ISSUES.md: remove #354 Http POST Content-Type (fixed) - CLAUDE.md, AGENTS.md, SKILL.md, README.md: add vera version / --version / -V to CLI command lists - SKILL.md: update Http.post table entry to note Content-Type: application/json; add vera test skip message note (names specific unsupported type, see #169) - vera/README.md: update cli.py line count (977 -> 1,006) - Regenerated site assets; updated SKILL.md allowlist line numbers Co-Authored-By: Claude <noreply@anthropic.invalid>
…Content-Type comment, extract helper cli.py: remove unreachable version dispatch block in the routing table — the early guard in main() already intercepts version/--version/-V before reaching that point. Add --version and -V to the USAGE string so all aliases are discoverable. api.py: add inline comment on Http.post documenting that JSON-only Content-Type is an intentional constraint of the Vera-level API, not an oversight. Custom headers require #351. tester.py: extract duplicated unsupported-type-name comprehension into a private helper _unsupported_type_names(param_types) and call it from both sites (run_tests fallback path and _classify_functions). Co-Authored-By: Claude <noreply@anthropic.invalid>
Owner
Author
|
@CodeRabbit You asked whether vera --version and HTTP Content-Type fixes should be split into separate PRs or are accepted as incidental improvements alongside the primary CI/security work. This is a general housekeeping PR, a lot of things getting cleaned up. Fine here. |
|
Tip For best results, initiate chat on the files or code changes.
✏️ Learnings added
🧠 Learnings used |
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
vera/cli.py (1)
879-885:⚠️ Potential issue | 🟡 MinorSynchronise
USAGEhelp text with the new version aliases.Line 882/Line 1001 can print
USAGE, but that block still omitsversion,--version, and-V, so CLI help is now incomplete.🛠 Suggested fix
Commands: + version Print the installed Vera version + --version, -V Same as version parse Parse a .vera file and print the parse tree check [--json] Parse and type-check a .vera file🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@vera/cli.py` around lines 879 - 885, The USAGE help text is missing the new version aliases; update the USAGE string constant so it lists the new commands "version", "--version", and "-V" (matching the handler in the args check that calls cmd_version()), and ensure any help printing that uses USAGE (e.g., the early-exit branch that prints USAGE before calling cmd_version() and the other print site) will now show these aliases to users.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@TESTING.md`:
- Around line 385-388: Update the TESTING.md entries to match the actual CI
invocations: change the lint line referencing `ruff check --select S` to target
the vera package directory (`vera/`) and change the dependency-audit line to
include the pip-audit flag `--ignore-vuln CVE-2026-4539` so the documented
commands mirror the workflows (update the rows describing `lint` and
`dependency-audit` accordingly).
---
Duplicate comments:
In `@vera/cli.py`:
- Around line 879-885: The USAGE help text is missing the new version aliases;
update the USAGE string constant so it lists the new commands "version",
"--version", and "-V" (matching the handler in the args check that calls
cmd_version()), and ensure any help printing that uses USAGE (e.g., the
early-exit branch that prints USAGE before calling cmd_version() and the other
print site) will now show these aliases to users.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: a11ef3ba-37e5-4a2a-b1fc-d1b09848b19a
⛔ Files ignored due to path filters (1)
docs/llms-full.txtis excluded by!docs/**
📒 Files selected for processing (17)
.github/workflows/ci.ymlAGENTS.mdCLAUDE.mdKNOWN_ISSUES.mdREADME.mdSECURITY.mdSKILL.mdTESTING.mdpyproject.tomlscripts/check_skill_examples.pytests/test_cli.pytests/test_tester.pyvera/README.mdvera/browser/runtime.mjsvera/cli.pyvera/codegen/api.pyvera/tester.py
💤 Files with no reviewable changes (1)
- KNOWN_ISSUES.md
…LL.md Known Limitations, docs - Bump version to 0.0.103 across __init__.py, pyproject.toml, docs/index.html, README.md - Add --quiet flag to vera check / vera verify (#382) - Add vera version / --version / -V to USAGE string - Add Known Limitations table to SKILL.md (#404) - Add ch03_slot_let_chains.vera and ch03_slot_noncommutative.vera conformance tests (#393, #394) - Add CHANGELOG [0.0.103] entry with Added/Fixed/Security sections - Delete completed issues from ROADMAP.md; add v0.0.103 row to HISTORY.md - Add skipped-tests table to TESTING.md documenting all 6 skips by category - Update CLAUDE.md: completed issues go to HISTORY not ROADMAP strikethroughs - Fix TESTING.md: ruff target vera/, pip-audit --ignore-vuln in dependency-audit row - Add secrets-outside-env Codecov acknowledgement to SECURITY.md - Add LGPL to license checker compatible patterns (chardet via cyclonedx-bom) - Update doc counts: 3138 tests, 67 conformance programs, 104 releases Co-Authored-By: Claude <noreply@anthropic.invalid>
Generated locally by pytest --cov, consumed by Codecov in CI. Build artefact — should not be committed. Co-Authored-By: Claude <noreply@anthropic.invalid>
This was referenced Mar 29, 2026
There was a problem hiding this comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
HISTORY.md (1)
3-3:⚠️ Potential issue | 🟡 MinorUpdate the version boundary in the subtitle.
The subtitle claims the history runs "from initial commit to v0.0.102", but the document now includes a v0.0.103 entry (line 218) and the "By the numbers" table extends through v0.0.103 (line 245). Update line 3 to read "to v0.0.103" to match the actual content scope.
As per coding guidelines, "
**/*.md: Review Markdown files for factual accuracy against the codebase, broken links, and outdated information."📝 Proposed fix
-How the Vera compiler was built, from initial commit to v0.0.102, across 30 development days. +How the Vera compiler was built, from initial commit to v0.0.103, across 30 development days.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@HISTORY.md` at line 3, Update the subtitle string "How the Vera compiler was built, from initial commit to v0.0.102, across 30 development days." to end with v0.0.103 so it matches the document entries (there is a v0.0.103 entry and the "By the numbers" table extends through v0.0.103); locate and change the subtitle text in HISTORY.md to "How the Vera compiler was built, from initial commit to v0.0.103, across 30 development days." so the header accurately reflects the content.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pyproject.toml`:
- Line 37: The ruff dependency is too loosely constrained ("ruff>=0.9"), which
allows breaking 0.x minor updates into CI; change the spec to include an upper
bound such as ">=0.9,<0.10" (or equivalent caret/compatible range) so the
package is pinned to the 0.9.x series and prevents automatic upgrades to 0.10+;
update the dependency string "ruff>=0.9" accordingly in pyproject.toml.
In `@SECURITY.md`:
- Around line 33-38: The SBOM statement is inaccurate: update SECURITY.md to
reflect that the "CycloneDX SBOM" step (generated via `cyclonedx-py environment`
in the sbom job) is gated to the main branch in `.github/workflows/ci.yml`
(`refs/heads/main`) and therefore does not run on every push/PR; change the
wording to state SBOMs are generated and uploaded for CI runs on the main branch
(or specify exact branch/trigger conditions) and keep the rest of the list
unchanged so it matches the actual `sbom` job behavior.
In `@SKILL.md`:
- Around line 1755-1758: The documentation table row stating "CLI only accepts
`Int` arguments" is outdated; remove or update that row to reflect the current
type-aware CLI argument support introduced in version 0.0.102 and align the text
with the existing command examples in this file that show non-Int usage. Replace
the incorrect limitation text with a brief note that CLI supports typed
arguments since 0.0.102 (or remove the row), ensure the examples and
changelog/version mention are consistent, and keep the `vera test` limitation
about Z3-generated types as-is if still accurate.
In `@tests/test_cli.py`:
- Around line 2695-2748: Add dispatch-level tests that exercise the actual CLI
entrypoint instead of the helper functions cmd_check/cmd_verify so parsing
regressions for the --quiet flag are caught; create new tests that invoke the
program entry (e.g., call main() or the top-level CLI runner used by tests) or
run the real subprocess command "vera check --quiet" and "vera verify --quiet"
and assert the same outcomes as the existing TestCmdQuiet tests (rc/exit code
and that stdout is empty while stderr still emits on failures), mirroring the
assertions in test_check_quiet_suppresses_ok,
test_check_quiet_still_prints_errors, and test_verify_quiet_suppresses_ok but at
the dispatch/main level. Ensure you reference the same temp file setup as in the
current tests and contrast with cmd_check/cmd_verify to validate argument
wiring.
---
Outside diff comments:
In `@HISTORY.md`:
- Line 3: Update the subtitle string "How the Vera compiler was built, from
initial commit to v0.0.102, across 30 development days." to end with v0.0.103 so
it matches the document entries (there is a v0.0.103 entry and the "By the
numbers" table extends through v0.0.103); locate and change the subtitle text in
HISTORY.md to "How the Vera compiler was built, from initial commit to v0.0.103,
across 30 development days." so the header accurately reflects the content.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 19712a08-bfb1-4f64-98b9-221d25775710
⛔ Files ignored due to path filters (6)
docs/index.htmlis excluded by!docs/**docs/index.mdis excluded by!docs/**docs/llms-full.txtis excluded by!docs/**docs/llms.txtis excluded by!docs/**tests/conformance/ch03_slot_let_chains.verais excluded by!**/*.veratests/conformance/ch03_slot_noncommutative.verais excluded by!**/*.vera
📒 Files selected for processing (16)
.gitignoreCHANGELOG.mdCLAUDE.mdHISTORY.mdREADME.mdROADMAP.mdSECURITY.mdSKILL.mdTESTING.mdpyproject.tomlscripts/check_licenses.pyscripts/check_skill_examples.pytests/conformance/manifest.jsontests/test_cli.pyvera/__init__.pyvera/cli.py
…fix CodeRabbit findings Conformance tests (70 programs, was 67): - ch07_nested_handlers.vera (check level): nested algebraic effect handler composition with State, IO, and Exceptions (#395) - ch07_cross_module_contracts.vera + ch07_cross_module_contracts_lib.vera (verify level): postcondition chains enforced across module boundaries (#396) Serve SKILL.md from veralang.dev (#398): - build_site.py now generates docs/SKILL.md from root SKILL.md (source of truth stays at repo root; docs/ copy is a generated artefact) - check_site_assets.py verifies docs/SKILL.md is up-to-date - docs/index.html: all raw GitHub SKILL.md hrefs replaced with /SKILL.md; JSON-LD TechArticle URL updated to https://veralang.dev/SKILL.md - docs/SKILL.md added to sitemap.xml (priority 0.9, changefreq weekly) CodeRabbit fixes: - SKILL.md Known Limitations: remove stale "CLI only accepts Int" row (issue #263 closed in v0.0.102) - HISTORY.md subtitle: v0.0.102 to v0.0.103 - tests/test_cli.py: add TestMainQuiet dispatch-level tests for --quiet flag that exercise the CLI entry point via subprocess (mirrors TestCmdQuiet) Documentation updates: - TESTING.md: 3138 to 3156 tests; 67 to 70 conformance; level counts updated (check 2 to 3, verify 2 to 3, run 63 to 64); skips table 6 to 8 - CHANGELOG.md: add #395, #396, #398 entries; update #404 limitation count - ROADMAP.md: remove completed #395, #396, #398 entries; update narrative - HISTORY.md: update conformance count to 70 in v0.0.103 table Co-Authored-By: Claude <noreply@anthropic.invalid>
spec/00-introduction.md (§0.8 Future Features): - Remove implemented features from the table: Http (#57, v0.0.99), JSON (#58, v0.0.98), Async (#59, v0.0.82), Abilities (#60, v0.0.90), Inference (#61, v0.0.101), Collections (#62, v0.0.96), Markdown (#147, v0.0.84), String interpolation (#230, v0.0.80). Only genuinely future items remain: Typed holes (#226), Timeout/cancellation (#227), Date/time (#233). - Add reference to HISTORY.md (completed features) and ROADMAP.md (planned). spec/09-standard-library.md: - Http limitations: mark #354 (POST Content-Type header) as fixed in v0.0.103 - Inference limitations: add #372 issue link to user-defined handlers note - §9.6.18 similarity: update stale #61 reference — complete was implemented in v0.0.101 but similarity requires embed (#371), which is separate Co-Authored-By: Claude <noreply@anthropic.invalid>
There was a problem hiding this comment.
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@HISTORY.md`:
- Around line 217-218: The Stage 9 heading/subtitle in HISTORY.md no longer
matches the entries because v0.0.103 (29 Mar) was added; update the Stage 9
heading or subtitle to reflect the expanded date range (e.g., change “(28
March)” / “One day” to “(28–29 March)” or similar) so the stage label
encompasses both v0.0.102 and v0.0.103; adjust any adjacent parenthetical
timeline text to remain consistent with the new range and ensure the stage
description still reads correctly.
In `@ROADMAP.md`:
- Line 11: Update the summary line for v0.0.103 in ROADMAP.md to correct the
conformance test count: either change "five new conformance tests" to "four new
conformance tests" or add the missing fifth issue number to the list
(`#393`–`#396`) so the text and the list match; edit the line that begins with
"**v0.0.103** —" to keep the version string and other items unchanged while
ensuring the conformance test count accurately reflects the listed issue IDs.
In `@scripts/build_site.py`:
- Around line 387-394: build_skill_md currently returns the SKILL.md file
verbatim (reading via ROOT / "SKILL.md") which can re-publish
raw.githubusercontent.com self-links; change build_skill_md to read the file,
run a normalization pass that replaces raw GitHub raw URLs pointing to SKILL.md
(e.g., patterns like raw.githubusercontent.com/.../SKILL.md) with the canonical
on-domain path (e.g., "/SKILL.md" or "https://veralang.dev/SKILL.md"), then
return the normalized text so docs/SKILL.md never contains raw-GitHub
self-links; update references in the function that reads ROOT / "SKILL.md"
(build_skill_md) to perform this string replacement before returning.
In `@SKILL.md`:
- Around line 1753-1761: The Known Limitations intro claims all entries are
tracked but the map_new()/set_new() row shows “—”; either create a tracking
issue for map_new()/set_new() and add its link to that Issue cell, or soften the
intro sentence to say “most are tracked as open issues” and change the Issue
cell to “not tracked” (or similar). Edit the SKILL.md Known Limitations section
accordingly, updating the table row for map_new() / set_new() and the opening
sentence, and ensure the row references the exact symbols map_new() and
set_new() so the change is clear.
In `@TESTING.md`:
- Line 76: The test count mismatch: open test_conformance.py to determine the
current number of parametrized tests, then reconcile the documentation by
updating the table row that references `test_conformance.py` and the “Running
the conformance suite” snippet so they show the same, correct value;
specifically edit the table entry for `test_conformance.py` and the snippet text
that currently says 325 to reflect the verified count from `test_conformance.py`
(or rerun the conformance run command to confirm the runtime count) so both
places match.
- Around line 402-413: The header stating "seven parallel jobs" is inconsistent
with the table that lists eight jobs; update the header to the correct count
(change "seven" to "eight") or collapse the duplicate "test" entries into a
single combined row so the number matches, and ensure the listed GitHub Actions
job names (test, test (coverage), typecheck, lint, security, dependency-audit,
sbom, browser-parity) reflect the actual matrix in ci.yml; make the minimal edit
to TESTING.md to keep the summary and table consistent.
- Line 11: Update the inconsistent conformance count so all in-file references
match: change the heading line containing "**Conformance programs** | 70
programs..." and the later "Conformance Suite" intro that currently says "65" so
they both state the same total (use 70 as indicated in the headline), and scan
the rest of TESTING.md for any other occurrences of "65" or the conformance
total and make them consistent; ensure any related descriptive text or totals
that depend on the number are updated accordingly.
In `@tests/test_cli.py`:
- Around line 2729-2748: Add a failure-path assertion to
test_verify_quiet_suppresses_ok: create a variant of the input that fails
verification, call cmd_verify(str(fail_file), quiet=True), assert the return
code is non-zero, assert captured.out is empty (quiet suppresses stdout) and
assert captured.err contains verification diagnostics (e.g., "Verification:" or
other error messages); update the same test function
(test_verify_quiet_suppresses_ok) to perform both the success case using the
existing file and a failure case using a deliberately-broken file, referencing
cmd_verify, captured.out and captured.err to locate the relevant assertions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e41adbc2-5a88-4e46-9c1e-320d4d837d0a
⛔ Files ignored due to path filters (9)
docs/SKILL.mdis excluded by!docs/**docs/index.htmlis excluded by!docs/**docs/index.mdis excluded by!docs/**docs/llms-full.txtis excluded by!docs/**docs/llms.txtis excluded by!docs/**docs/sitemap.xmlis excluded by!docs/**tests/conformance/ch07_cross_module_contracts.verais excluded by!**/*.veratests/conformance/ch07_cross_module_contracts_lib.verais excluded by!**/*.veratests/conformance/ch07_nested_handlers.verais excluded by!**/*.vera
📒 Files selected for processing (11)
CHANGELOG.mdCLAUDE.mdHISTORY.mdREADME.mdROADMAP.mdSKILL.mdTESTING.mdscripts/build_site.pyscripts/check_site_assets.pytests/conformance/manifest.jsontests/test_cli.py
…ixed items CLAUDE.md: add explicit rule that docs use past/future split only — no <del> or ~~strikethrough~~ anywhere. Completed items are deleted from wherever they appear as future work; fixed limitations are deleted from limitation tables (not struck through). HISTORY.md and CHANGELOG.md are the record of what shipped. spec/09-standard-library.md Http limitations: remove #354 (POST Content-Type header) — fixed in v0.0.103, no longer a current limitation. Duplicate lines from edit error also cleaned up. Co-Authored-By: Claude <noreply@anthropic.invalid>
Valid fixes: - HISTORY.md: Stage 9 heading '(28 March)' -> '(28-29 March)' with subtitle updated to reflect both v0.0.102 and v0.0.103 - ROADMAP.md: 'five new conformance tests' -> 'four new conformance tests' (4 distinct issues; #396 adds two files but closes one issue) - SKILL.md Known Limitations: soften intro from 'all are tracked' to 'most are tracked as open issues' - TESTING.md: '65 programs' -> '70 programs' in conformance suite intro - TESTING.md: job count stays 'seven' (7 YAML job keys, not 8; the table splits 'test' into two rows but the CI has one 'test' job key) - tests/test_cli.py: add test_verify_quiet_still_prints_errors to TestCmdQuiet - failure-path assertion verifying --quiet still emits errors on stderr - README.md, ROADMAP.md, HISTORY.md: test count 3,138 -> 3,157 (now includes dispatch-level quiet tests and verify failure test) Not fixed (invalid findings): - build_site.py: SKILL.md has no raw.githubusercontent.com self-links - TESTING.md line 76: test_conformance.py count already shows 350 - TESTING.md 'seven parallel jobs': CI has 7 jobs, CodeRabbit incorrectly suggested 'eight' (the table has 8 rows splitting one matrix job) Co-Authored-By: Claude <noreply@anthropic.invalid>
The code comment in 'Running the conformance suite' still said 325 (65 programs × 5 stages). Updated to 350 (70 programs × 5 stages) to match the table row. Co-Authored-By: Claude <noreply@anthropic.invalid>
KNOWN_ISSUES.md: add two new bug entries discovered while writing ch07_nested_handlers.vera conformance test: - #416: Exn<String> handler tag fails — String is i32_pair, not a valid WASM exception tag parameter type - #417: Nested handle[State<T>] of the same type share a global state cell — inner handler corrupts outer handler's state SKILL.md Known Limitations: add the same two entries with workaround guidance so agents writing Vera code know to avoid the patterns. Co-Authored-By: Claude <noreply@anthropic.invalid>
This was referenced Mar 29, 2026
Closed
This was referenced Mar 29, 2026
7 tasks
This was referenced Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CI security hardening, new CLI features, bug fixes, conformance tests, and documentation/discoverability improvements for v0.0.103.
CI security hardening
ruff check --select SBandit-equivalent lint rules (#388)pip-auditdependency CVE scanning (#384)zizmorCI workflow hardening:persist-credentials: false, per-jobpermissions:(#385)secrets-outside-envCodecov finding in SECURITY.md (not actionable)coverage.xmladded to.gitignoreCLI improvements
vera version/--version/-Vcommand (#381)--quietflag forvera check/vera verify(#382)Bug fixes
Http.postmissingContent-Type: application/jsonheader (#354)vera testskip messages now name the unsupported type (#383)timeoutparameterConformance tests (70 programs, was 65)
ch03_slot_let_chains.vera— verify-level: deep let-chain slot correctness (#393)ch03_slot_noncommutative.vera— verify-level: non-commutative De Bruijn ordering (#394)ch07_nested_handlers.vera— check-level: nested algebraic effect handler composition (#395)ch07_cross_module_contracts.vera+ch07_cross_module_contracts_lib.vera— verify-level: postcondition chains across module boundaries (#396)Discoverability / documentation
veralang.dev/SKILL.md— generated artefact viabuild_site.py, on-domain and cacheable (#398)chardetLGPL compatibility note added to README andcheck_licenses.pyCloses
Closes #354
Closes #381
Closes #382
Closes #383
Closes #384
Closes #385
Closes #388
Closes #389
Closes #393
Closes #394
Closes #395
Closes #396
Closes #398
Closes #404
Also touches
Exn<String>handler tag bug documented in KNOWN_ISSUES.md and SKILL.md (not fixed here)State<T>handler sharing bug documented in KNOWN_ISSUES.md and SKILL.md (not fixed here)Test plan
pytest tests/ -v)python scripts/check_conformance.py)python scripts/check_examples.py)python scripts/check_doc_counts.py)python scripts/check_version_sync.py)python scripts/check_site_assets.py)mypy vera/clean🤖 Generated with Claude Code