diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 44c529e..1a27406 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -5,7 +5,9 @@ - **Local deterministic boundary**: Rust CLI/library code under `src/`, fixture evaluation under `tests/`, and JSON contracts under `docs/`. - **Repository input boundary**: `inspect`, `impact`, `symbols`, `source-evidence`, and `source-context` read local repository files and must treat malformed or unsupported input as structured warnings. - **LSP process boundary**: `lsp-diagnostics` may start `rust-analyzer` and must keep requests read-only, bounded, path-contained, and unavailable-safe. -- **Research Radar boundary**: `research-radar/bin/` may collect public-source metadata and must write only normalized reports/state, not raw payload dumps or runtime code. +- **Research Radar archive boundary**: `research-radar/bin/` is deprecated as + active intake. Legacy reproduction runs must be explicit and may write only + normalized reports/state, not raw payload dumps or runtime code. ## Sensitive Surfaces @@ -15,7 +17,7 @@ | `src/core/lsp_bridge.rs` | Starts and communicates with an external language-server process. | | `src/core/repo_graph.rs` | Reads manifests and workflow files from arbitrary repositories. | | `src/core/source_evidence.rs` | Assembles evidence candidates that downstream users could overinterpret as localization. | -| `research-radar/bin/run_daily.py` | Performs public-source collection and records license/terms notes. | +| `research-radar/bin/run_daily.py` | Deprecated legacy collector; refuses normal runs unless explicitly invoked for historical reproduction. | | `research-radar/bin/validate_reports.py` | Guards generated reports/state against raw payloads, oversized files, and obvious secret patterns. | | `.github/workflows/` | Controls automated validation on repository changes. | 
@@ -26,7 +28,7 @@ - `where-to-edit` remains `insufficient_evidence` until a dedicated localization gate passes. - SourceContext refuses path traversal, ignored/generated paths, symlinks, missing files, non-UTF8 files, and oversized slices with structured warnings. - LSP diagnostics has deterministic unavailable/path-safety eval cases and does not expose mutation-capable LSP methods. -- Research Radar validation checks changed-path allowlists, JSON/JSONL validity, file size, and obvious secret patterns. +- Research Radar validation checks changed-path allowlists, JSON/JSONL validity, file size, and obvious secret patterns for archived/generated reports. ## Secrets and Data Handling @@ -40,7 +42,7 @@ - Any change to path handling, ignored-path logic, symlink handling, or source slicing. - Any change to `src/core/lsp_bridge.rs` process lifecycle, timeout, request, or parsing behavior. - Any change that makes `where-to-edit`, SourceEvidence, SourceContext, or LSP output more localization-like. -- Any change to Research Radar collection, validation, source config, or generated report/state boundaries. +- Any change that re-enables Research Radar collection, validation, source config, or generated report/state boundaries. - Any CI workflow, dependency, install script, or public API change. ## Minimum Security Evidence for Sensitive Changes diff --git a/research-radar/README.md b/research-radar/README.md index ddf93ea..cfa2077 100644 --- a/research-radar/README.md +++ b/research-radar/README.md 
@@ -1,8 +1,29 @@ # Research Radar -Research Radar is a documentation/config-first intake loop for external code-intelligence research. +> Deprecated as an active intake loop. +> +> Canonical workspace research intake now lives in `heurema/lab/radar` and uses +> `heurema/shared-intake-governance` for fetch/sanitize/projection. This +> directory remains as a historical archive and for reproducing old +> code-intel-kernel radar artifacts only. -It is not a crawler, scheduler, scraper, implementation bot, or feature backlog. Its job is to produce a small daily digest that a human can review before any experiment proposal is written. +Research Radar was a documentation/config-first intake loop for external +code-intelligence research. + +It is not a crawler, scheduler, scraper, implementation bot, or feature backlog. +Its job was to produce a small daily digest that a human could review before any +experiment proposal was written. + +## Deprecation status + +- Active intake owner: `heurema/lab/radar`. +- Shared engine: `heurema/shared-intake-governance`. +- This directory: read-only historical archive plus legacy reproduction tools. +- Scheduled automation: should be disabled or redirected to the lab/SIG flow. +- Historical reports under `research-radar/reports/` are intentionally kept. + +`research-radar/bin/run_daily.py` now refuses normal runs. To reproduce legacy +artifacts intentionally, pass `--allow-legacy-run`. ## Flow @@ -16,9 +37,9 @@ core runtime paused -> Agent Bench Lab run/compare when the benchmark layer is ready ``` -## Current Scope +## Historical Scope -Research Radar v0.1 tracks public sources that may affect `code-intel-kernel`: +Research Radar v0.1 tracked public sources that may affect `code-intel-kernel`: - structural retrieval and repo intelligence; - LSP diagnostics, references, and disambiguation; 
@@ -26,9 +47,12 @@ Research Radar v0.1 tracks public sources that may affect `code-intel-kernel`: - code intelligence benchmarks and Agent Bench Lab evaluation handoff; - Codebase-Memory, RIG/SPADE, SWE-bench, and adjacent systems. -The v0.1 scaffold is config and docs only. R2-A adds a bounded collector for reports/state only; it still does not modify runtime code or implement ideas. +The v0.1 scaffold was config and docs only. R2-A added a bounded collector for +reports/state only; it still does not modify runtime code or implement ideas. + +## Legacy Manual Run -## Manual Daily Run +Use this only for historical reproduction: 1. Read `research-radar/sources.yaml`. 2. Read `research-radar/scoring.md`. @@ -44,17 +68,16 @@ The v0.1 scaffold is config and docs only. R2-A adds a bounded collector for rep For local manual runs, use dry-run first: ```bash -python3 research-radar/bin/run_daily.py --dry-run -python3 research-radar/bin/run_daily.py --write +python3 research-radar/bin/run_daily.py --dry-run --allow-legacy-run +python3 research-radar/bin/run_daily.py --write --allow-legacy-run python3 research-radar/bin/validate_reports.py ``` ## Shared Intake Shadow -`research-radar/bin/run_daily.py` is still the scheduled daily collector. The -shared-intake path is a manual shadow path for checking whether this project can -consume the shared collector/governance repo without changing daily report -output yet. +The shared-intake shadow path is superseded by the lab-owned radar profile. It +is retained only to document how this project evaluated the shared +collector/governance repo before deprecation. The shared-intake consumer contract is repo-owned here: 
@@ -88,7 +111,9 @@ silently change this project while the lock is enforced. ## Codex App Automation -The bounded weekday automation is configured in Codex App, not as a repository workflow. Details are documented in `research-radar/automation.md`. +The old bounded weekday automation is deprecated and should be disabled or +redirected to `heurema/lab/radar`. Details are documented in +`research-radar/automation.md`. It may write only: diff --git a/research-radar/automation.md b/research-radar/automation.md index b3e10eb..c4cde99 100644 --- a/research-radar/automation.md +++ b/research-radar/automation.md 
@@ -1,31 +1,40 @@ # Research Radar Automation -Research Radar automation is a bounded collector. It may collect, score, report, and persist Research Radar state. It must not implement ideas. +> Deprecated as active automation. +> +> Canonical workspace intake now lives in `heurema/lab/radar` and uses +> `heurema/shared-intake-governance`. This document remains to describe the +> retired code-intel-kernel automation boundary and how to reproduce legacy +> artifacts if needed. + +Research Radar automation was a bounded collector. It could collect, score, +report, and persist Research Radar state. It must not implement ideas. ## Schedule -Scheduling is managed outside the repository by Codex App Automation. +Scheduling was managed outside the repository by Codex App Automation. -- Weekday target: about 08:17 Europe/Moscow. -- Automation type: Codex App scheduled workspace run. -- Workspace: this repository checkout. +- Status: deprecated; disable or redirect to the lab/SIG radar flow. +- Previous weekday target: about 08:17 Europe/Moscow. +- Previous automation type: Codex App scheduled workspace run. +- Previous workspace: this repository checkout. The repository contains the deterministic collector and validator only. It does not contain a GitHub Actions workflow, cron script, or platform scheduler. ## Local Run ```bash -python3 research-radar/bin/run_daily.py --dry-run -python3 research-radar/bin/run_daily.py --write -python3 research-radar/bin/run_daily.py --write --date YYYY-MM-DD +python3 research-radar/bin/run_daily.py --dry-run --allow-legacy-run +python3 research-radar/bin/run_daily.py --write --allow-legacy-run +python3 research-radar/bin/run_daily.py --write --date YYYY-MM-DD --allow-legacy-run python3 research-radar/bin/validate_reports.py ``` ## Shared Intake Shadow -The scheduled automation still uses `research-radar/bin/run_daily.py`. The -shared-intake integration is manual shadow/preflight only until a separate -cutover changes the scheduled command. 
+The old scheduled automation must not use `research-radar/bin/run_daily.py` +for active intake. The shared-intake integration below is retained as historical +preflight documentation; active intake belongs to `heurema/lab/radar`. Before using a shared-intake checkout for this project, run: @@ -52,17 +61,17 @@ To adopt a newer shared-intake version: runtime root and inspect the JSON summary. 6. Commit the consumer lock/config/docs change in this repository. -Do not point automation at a new shared-intake commit until that bump is -reviewed in this repository. +Do not point this deprecated automation at a new shared-intake commit. Use the +lab-owned radar profile instead. ## Sources -Automation reads: +Legacy automation read: - `research-radar/sources.automation.json` - `research-radar/state/seen.jsonl` -Supported v0.1 source types: +Supported v0.1 source types were: - `github_repo` - `github_search` @@ -82,7 +91,7 @@ Unsupported sources must be added explicitly. There is no recursive crawling, br ## Files Written -Codex App Automation may write only: +Legacy Codex App Automation may write only: - `research-radar/reports/YYYY-MM-DD.md` - `research-radar/reports/YYYY-MM-DD.json` @@ -97,7 +106,8 @@ Allowed changed paths: - `research-radar/reports/**` - `research-radar/state/**` -The scheduled job must not commit by default. A human can review and commit generated reports later. +The retired scheduled job must not commit by default. A human can review and +commit generated reports later if reproducing historical artifacts. ## Failure Behavior diff --git a/research-radar/bin/run_daily.py b/research-radar/bin/run_daily.py index 9ba109e..4249c19 100644 --- a/research-radar/bin/run_daily.py +++ b/research-radar/bin/run_daily.py 
@@ -1,5 +1,5 @@ #!/usr/bin/env python3 -"""Deterministic Research Radar collector. +"""Legacy deterministic Research Radar collector. This script collects public research signals and writes normalized reports. It does not import external code, create prototypes, or modify runtime files. @@ -29,10 +29,23 @@ MAX_ARCHIVE_ITEMS = 10 MAX_SOURCE_ITEMS = 10 PROTOTYPE_THRESHOLD = 85 +DEPRECATION_NOTICE = """\ +code-intel-kernel/research-radar is deprecated as an active intake loop. +Canonical workspace intake now lives in heurema/lab/radar and uses +heurema/shared-intake-governance for fetch/sanitize/projection. + +This legacy collector is retained only for historical report reproduction. +Re-run it explicitly with --allow-legacy-run if you are intentionally +reproducing old code-intel radar artifacts. +""" def main() -> int: args = parse_args() + if not args.allow_legacy_run: + print(DEPRECATION_NOTICE, file=sys.stderr) + return 2 + radar_root = args.radar_root.resolve() run_date = parse_date(args.date) context = RunContext(radar_root=radar_root, run_date=run_date) @@ -66,6 +79,11 @@ def parse_args() -> argparse.Namespace: default=Path(__file__).resolve().parents[1], help="Research Radar root; intended for tests and local dry runs.", ) + parser.add_argument( + "--allow-legacy-run", + action="store_true", + help="Intentionally run the deprecated legacy collector for historical reproduction.", + ) return parser.parse_args() diff --git a/scripts/run-deterministic-tests.sh b/scripts/run-deterministic-tests.sh index c2a63f1..cd931bb 100755 --- a/scripts/run-deterministic-tests.sh +++ b/scripts/run-deterministic-tests.sh 
@@ -6,6 +6,7 @@ cargo test cargo clippy -- -D warnings cargo run --quiet -- eval-fixtures --json python3 research-radar/bin/validate_reports.py +python3 -m unittest tests.test_research_radar_deprecation python3 -m unittest tests.test_research_radar_experiment_proposal_contract python3 -m unittest tests.test_research_radar_shared_intake_dependency git diff --check diff --git a/tests/test_research_radar_deprecation.py b/tests/test_research_radar_deprecation.py new file mode 100644 index 0000000..f238bd5 --- /dev/null +++ b/tests/test_research_radar_deprecation.py @@ -0,0 +1,28 @@ +import subprocess +import sys +import unittest +from pathlib import Path + + +ROOT = Path(__file__).resolve().parents[1] +SCRIPT = ROOT / "research-radar" / "bin" / "run_daily.py" + + +class ResearchRadarDeprecationTests(unittest.TestCase): + def test_run_daily_refuses_without_legacy_flag(self): + result = subprocess.run( + [sys.executable, str(SCRIPT), "--dry-run"], + cwd=ROOT, + text=True, + capture_output=True, + check=False, + ) + + self.assertEqual(result.returncode, 2) + self.assertIn("deprecated as an active intake loop", result.stderr) + self.assertIn("heurema/lab/radar", result.stderr) + self.assertIn("--allow-legacy-run", result.stderr) + + +if __name__ == "__main__": + unittest.main()
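Review bot: In `docs/SECURITY.md`, the review-trigger hunk (`@@ -40,7 +42,7 @@`) narrows the bullet from "Any change to Research Radar collection, validation, source config, ..." to "Any change that re-enables ...", which takes ordinary edits to `validate_reports.py` and to the report/state boundaries out of mandatory review. `scripts/run-deterministic-tests.sh` still runs the validator, and the Sensitive Surfaces table still lists it as the guard against raw payloads, oversized files and secret patterns. "Re-enables" also does not read correctly against "validation" or "boundaries". Suggest keeping the original bullet for validation, source config and report/state boundaries, and adding a separate bullet for any change that re-enables collection or weakens the `--allow-legacy-run` gate.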
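Review bot: In `research-radar/bin/run_daily.py`, the refusal branch in `main()` returns 2, the same status argparse uses when `parse_args()` rejects the command line, so a scheduler or wrapper that only checks the exit status cannot tell "deprecated, refused" from "bad arguments". Suggest a distinct nonzero code held in a named constant next to `DEPRECATION_NOTICE`, with the assertion in `tests/test_research_radar_deprecation.py` updated to match. Placing the check before `args.radar_root.resolve()` and `RunContext(...)` is the right order; a one-line comment saying that no path or source access may move above the gate would keep it that way.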
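Review bot: In `tests/test_research_radar_deprecation.py`, `test_run_daily_refuses_without_legacy_flag` calls `subprocess.run` with `cwd=ROOT`, the default radar root and no `timeout=`, so if the gate ever regresses the test runs the real collector in `--dry-run` mode from the repository checkout instead of failing fast. Suggest passing a temporary directory as the radar root (the option behind `args.radar_root`, whose help text says it is intended for tests), adding a timeout, and asserting that `result.stdout` is empty. Only `--dry-run` is covered; a second case showing that `--write` without `--allow-legacy-run` is refused would cover the invocation that can modify `research-radar/reports/`.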
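Review bot: In `research-radar/README.md`, the new "Deprecation status" list calls this directory a "read-only historical archive" and says reports under `research-radar/reports/` are intentionally kept, yet the "Legacy Manual Run" block still documents `run_daily.py --write --allow-legacy-run` with no `--date` and no alternate radar root, which targets that same tree by default. Suggest stating how a reproduction run should avoid replacing archived reports (for example a scratch radar root, or an explicit `--date` as shown in `automation.md`), or dropping "read-only" if in-place writes are intended. The paragraph beginning "It is not a crawler" was also left in the present tense while the sentences around it moved to the past.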
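Review bot: In `research-radar/automation.md`, the "Shared Intake Shadow" section now ends with "Do not point this deprecated automation at a new shared-intake commit", but the numbered "To adopt a newer shared-intake version" steps directly above it remain as live instructions, ending with "Commit the consumer lock/config/docs change in this repository". Suggest marking those steps as historical or removing them, so the document does not both describe and forbid the bump. In the opening paragraph, "It must not implement ideas" kept its present tense next to "was a bounded collector" and "could collect"; if the constraint still binds legacy reproduction runs, say so explicitly.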