Add phase-1 QSL compatibility manifest and checks#151
Co-Authored-By: Codex <noreply@openai.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b6f7fcd561
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| re.compile( | ||
| r"git\+https://github\.com/" + re.escape(GITHUB_OWNER) + r"/(?P<repo>[A-Za-z0-9_.-]+)\.git@(?P<ref>[A-Za-z0-9_.-]+)" | ||
| ), | ||
| re.compile( | ||
| r"https://github\.com/" + re.escape(GITHUB_OWNER) + r"/(?P<repo>[A-Za-z0-9_.-]+)\.git\?rev=(?P<ref>[A-Za-z0-9_.-]+)" |
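Review bot: both patterns require a literal `.git` before the `@` / `?rev=` separator and confine `ref` to `[A-Za-z0-9_.-]+`, so a dependency written without the `.git` suffix (git+https://github.com/OWNER/Repo@main) or pinned to a branch whose name contains `/` (release/2026.07) is silently skipped rather than flagged, and the checker fails open for exactly the spellings it was not written for. Make the suffix optional with `(?:\.git)?`, widen the ref class, and treat any URL under GITHUB_OWNER that matches none of the patterns as its own finding so an unrecognised form fails closed.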
Parse uv source tables before passing checks
For repos that use uv's pyproject source table ([tool.uv.sources] with git = "https://github.com/QuantStrategyLab/QuantPlatformKit.git", rev = "main"), these patterns do not match because they only recognize git+...@ref or URLs containing ?rev=. When such a repo has no lockfile or a stale lockfile, check_qsl_compat.py --repo-root ... reports ok: true and the graph shows no direct deps even though the pyproject contains a forbidden or mismatched QSL ref, bypassing the policy this checker is meant to enforce.
| created_at = "2026-07-03" | ||
|
|
||
| [repos] | ||
| QuantPlatformKit = "0063af3b4a974650ea58a7d3f26dd1b94f65d3e8" |
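Review bot: the `[repos]` table carries a bare SHA per repository with nothing tying 0063af3b... to an upstream tag, branch or release, so a reviewer cannot audit what this baseline actually is without opening the other repository. Add a per-pin comment or companion field naming the tag or branch the SHA was cut from, and have the manifest loader reject any value that is not a full 40-character hex SHA so an abbreviated or mistyped ref cannot become the enforced baseline.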
Align bundle refs with the current consumer baseline
When this new bundle is used against the current consumers tracked by this repo, it rejects the existing baseline rather than representing it: for example, this sets QuantPlatformKit to 0063af..., while internal_dependency_matrix.json still records active consumers at 6d367..., b0eacd..., d786..., and e86554b. Because this commit does not update those consumers or the existing matrix in the same wave, adding qsl.toml with bundle = "2026.07.0" to any current consumer will immediately produce bundle pin mismatches.
| refs.extend(_extract_git_refs(repo_root / "pyproject.toml")) | ||
| refs.extend(_extract_git_refs(repo_root / "uv.lock")) |
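Review bot: both calls extend the same `refs` list, so the file each ref came from is discarded before validation and a mismatch report cannot say whether the offending pin sits in pyproject.toml or uv.lock, nor whether uv.lock was simply absent. Have `_extract_git_refs` return (path, repo, ref) tuples, or tag entries with their source when extending, so every reported mismatch points at the file that needs fixing.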
Include requirements-lock pins in QSL checks
For repos that keep production pins in requirements-lock.txt (the existing internal matrix already tracks this for BinancePlatform), this scan never reads that file, and the legacy-file loop only considers requirements.txt/constraints.txt. A requirements-lock.txt containing a QuantStrategyLab dependency pinned to main or to the wrong SHA is therefore neither forbidden nor validated, so locked production dependencies can drift while check_qsl_compat.py still reports success.
Co-Authored-By: Codex <noreply@openai.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a2f5938549
| r"(?P<source_repo>[A-Za-z0-9_.-]+)\.git@(?P<ref>[A-Za-z0-9_.-]+)" | ||
| ) | ||
| TRACKED_DEPENDENCY_PATHS = ("requirements.txt", "requirements-lock.txt", "pyproject.toml") | ||
| LEGACY_DEPENDENCY_PATHS = ("requirements.txt", "requirements-lock.txt") |
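Review bot: TRACKED_DEPENDENCY_PATHS and LEGACY_DEPENDENCY_PATHS overlap on requirements.txt and requirements-lock.txt, and nothing here documents which set is authoritative when a repo has both a legacy file and pyproject.toml, or why a lockfile counts as "legacy" at all. Add a comment above the two tuples stating the precedence and the intended migration end state, so the next reader can tell a deliberate fallback from an omission.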
Do not treat lockfiles as legacy fallbacks
Including requirements-lock.txt here makes _fallback_path_for_legacy_requirements() accept a missing lockfile whenever the repo still has matching pins in pyproject.toml, so the Validate workflow's check_internal_dependency_matrix.py --strict --require-consumer-files step no longer reports that required consumer lockfile as missing. For any consumer that accidentally deletes requirements-lock.txt after migrating direct deps to pyproject, CI would pass while the production lock pins tracked by the matrix have disappeared.
| for pin in expected_pins | ||
| ], | ||
| actual_pins=fallback_pins, | ||
| issues=issues, |
Limit pyproject fallbacks to migrated pins
When a repo already has matrix rows for pyproject.toml and a missing legacy file falls back to the same pyproject, this comparison checks the entire pyproject contents against only the legacy file's expected pins. The real pyproject rows are checked separately later, so valid pyproject-only internal dependencies are reported as untracked during the fallback path, causing strict validation to fail for mixed migration repos.
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Summary
- pyproject.toml
Validation
Validation Result
- check_internal_dependency_matrix now passes against local workspace (no issues).
- python/tests/test_internal_dependency_matrix.py: added regression test for pyproject fallback.
- python/tests/test_internal_dependency_matrix.py and full python/tests discovery pass.
- git diff --check clean.