Add phase-1 QSL compatibility manifest and checks#151

Merged: Pigbibi merged 4 commits into main from codex/qsl-compat-manifest-v1, Jul 3, 2026

@Pigbibi Pigbibi commented Jul 3, 2026

Contributor

Summary

  • Add central QSL manifests under compat/
  • Add scripts/check_qsl_compat.py for compatibility policy checks
  • Add scripts/render_qsl_dependency_graph.py for markdown/text graph output
  • Add qsl.toml for QuantRuntimeSettings (tier=ops/tooling, bundle=2026.07.0)
  • Add docs/qsl_compat_upgrade.md integration notes
  • Fix internal dependency matrix checker for migrated repos that switched from requirements files to pyproject.toml

Validation

  • python3 scripts/check_qsl_compat.py --repo-root . --non-strict
  • python3 scripts/render_qsl_dependency_graph.py --repo-root . --format md
  • python3 -m ruff check scripts/check_qsl_compat.py scripts/render_qsl_dependency_graph.py
  • python3 -m unittest discover -s python/tests -v
  • python3 python/scripts/check_internal_dependency_matrix.py --projects-root .. --json --strict --require-consumer-files
  • python3 -m unittest python/tests/test_internal_dependency_matrix.py -v
  • docker run --rm -i -v "$PWD":/repo -w /repo rhysd/actionlint:1.7.12

Validation Result

  • check_internal_dependency_matrix now passes against local workspace (no issues).
  • python/tests/test_internal_dependency_matrix.py added regression test for pyproject fallback.
  • python/tests/test_internal_dependency_matrix.py and full python/tests discovery pass.
  • git diff --check clean.

Co-Authored-By: Codex <noreply@openai.com>

github-actions Bot commented Jul 3, 2026

🤖 Codex PR Review

⚠️ Review skipped: The Codex review could not be completed.

No Codex service URL or API key configured. Set CODEX_AUDIT_SERVICE_URL, ANTHROPIC_API_KEY, or OPENAI_API_KEY.

Please ensure a human reviewer checks this PR before merging.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b6f7fcd561

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +31 to +35
re.compile(
r"git\+https://github\.com/" + re.escape(GITHUB_OWNER) + r"/(?P<repo>[A-Za-z0-9_.-]+)\.git@(?P<ref>[A-Za-z0-9_.-]+)"
),
re.compile(
r"https://github\.com/" + re.escape(GITHUB_OWNER) + r"/(?P<repo>[A-Za-z0-9_.-]+)\.git\?rev=(?P<ref>[A-Za-z0-9_.-]+)"
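
Review bot: The ref group in both patterns is [A-Za-z0-9_.-]+, which has no "/", and nothing after the group anchors the end of the ref, so a slash-containing ref such as this PR's own branch name codex/qsl-compat-manifest-v1 would be captured as just "codex" and then compared as a different ref. Either allow "/" in the class or require a delimiter (end of string, quote, whitespace or "#") after the group, so a partial ref is rejected instead of silently truncated.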

P2 Badge Parse uv source tables before passing checks

For repos that use uv's pyproject source table ([tool.uv.sources] with git = "https://github.com/QuantStrategyLab/QuantPlatformKit.git", rev = "main"), these patterns do not match because they only recognize git+...@ref or URLs containing ?rev=. When such a repo has no lockfile or a stale lockfile, check_qsl_compat.py --repo-root ... reports ok: true and the graph shows no direct deps even though the pyproject contains a forbidden or mismatched QSL ref, bypassing the policy this checker is meant to enforce.

Useful? React with 👍 / 👎.

created_at = "2026-07-03"

[repos]
QuantPlatformKit = "0063af3b4a974650ea58a7d3f26dd1b94f65d3e8"

P2 Badge Align bundle refs with the current consumer baseline

When this new bundle is used against the current consumers tracked by this repo, it rejects the existing baseline rather than representing it: for example, this sets QuantPlatformKit to 0063af..., while internal_dependency_matrix.json still records active consumers at 6d367..., b0eacd..., d786..., and e86554b. Because this commit does not update those consumers or the existing matrix in the same wave, adding qsl.toml with bundle = "2026.07.0" to any current consumer will immediately produce bundle pin mismatches.

Useful? React with 👍 / 👎.

Comment on lines +121 to +122
refs.extend(_extract_git_refs(repo_root / "pyproject.toml"))
refs.extend(_extract_git_refs(repo_root / "uv.lock"))

P2 Badge Include requirements-lock pins in QSL checks

For repos that keep production pins in requirements-lock.txt (the existing internal matrix already tracks this for BinancePlatform), this scan never reads that file, and the legacy-file loop only considers requirements.txt/constraints.txt. A requirements-lock.txt containing a QuantStrategyLab dependency pinned to main or to the wrong SHA is therefore neither forbidden nor validated, so locked production dependencies can drift while check_qsl_compat.py still reports success.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a2f5938549

r"(?P<source_repo>[A-Za-z0-9_.-]+)\.git@(?P<ref>[A-Za-z0-9_.-]+)"
)
TRACKED_DEPENDENCY_PATHS = ("requirements.txt", "requirements-lock.txt", "pyproject.toml")
LEGACY_DEPENDENCY_PATHS = ("requirements.txt", "requirements-lock.txt")

P2 Badge Do not treat lockfiles as legacy fallbacks

Including requirements-lock.txt here makes _fallback_path_for_legacy_requirements() accept a missing lockfile whenever the repo still has matching pins in pyproject.toml, so the Validate workflow's check_internal_dependency_matrix.py --strict --require-consumer-files step no longer reports that required consumer lockfile as missing. For any consumer that accidentally deletes requirements-lock.txt after migrating direct deps to pyproject, CI would pass while the production lock pins tracked by the matrix have disappeared.

Useful? React with 👍 / 👎.

Comment on lines +189 to +192
for pin in expected_pins
],
actual_pins=fallback_pins,
issues=issues,

P2 Badge Limit pyproject fallbacks to migrated pins

When a repo already has matrix rows for pyproject.toml and a missing legacy file falls back to the same pyproject, this comparison checks the entire pyproject contents against only the legacy file's expected pins. The real pyproject rows are checked separately later, so valid pyproject-only internal dependencies are reported as untracked during the fallback path, causing strict validation to fail for mixed migration repos.

Useful? React with 👍 / 👎.

Pigbibi and others added 2 commits July 3, 2026 16:58
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
@Pigbibi Pigbibi merged commit 572761a into main Jul 3, 2026
8 checks passed
@Pigbibi Pigbibi deleted the codex/qsl-compat-manifest-v1 branch July 3, 2026 09:14