fix(#2574): embed provenance headers in shim template#2578
fix(#2574): embed provenance headers in shim template#2578fullsend-ai-coder[bot] wants to merge 2 commits into
Conversation
The reconciliation bot's shim output included two provenance-comment lines (managed-by header and upstream URL) that were not present in the template at templates/shim-workflow-call.yaml. This caused the review agent to flag template-drift on reconciliation PRs whose descriptions claimed exact sync. Root cause: the Go install path (PrependManagedHeader) added provenance headers at deploy time, but the template itself did not contain them. The reconciliation script preserved these headers from the remote file, producing output that diverged from the template. Changes: - Add provenance headers to shim-workflow-call.yaml so the template is the single source of truth for the full generated output - Make PrependManagedHeader idempotent — skip prepending when the content already starts with the managed header - Strip provenance headers from preserved user headers in shim_with_header_b64() to avoid duplication when updating shims that already have them - Update tests: relax YAML document-start marker check to allow comment headers before ---, add idempotency test for PrependManagedHeader, update reconciliation test template Closes #2574
E2E tests did not runE2E tests run automatically for org/repo members and collaborators on pull requests. For other contributors, a maintainer must add the See E2E testing guide for details. |
|
🤖 Finished Review · ✅ Success · Started 5:32 PM UTC · Completed 5:44 PM UTC |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
ReviewFindingsMedium
Previous runReviewFindingsHigh
Medium
Labels: PR modifies scaffold templates and reconciliation scripts in the install/scaffold component |
| @@ -1,3 +1,5 @@ | |||
| # This file is managed by fullsend. Do not edit it directly. | |||
There was a problem hiding this comment.
[high] architectural-divergence
Embedding provenance headers directly in the template contradicts ADR 43's explicit design decision. ADR 43 states: 'The upstream scaffold source files remain header-free so that agents editing templates are not confused by self-referential headers' and 'Header injection is invisible to the scaffold source tree, keeping the embedded templates clean for direct editing and testing.' The template should remain header-free, with headers added only at install/deploy time by PrependManagedHeader.
Suggested fix: Revert the template to header-free state. Fix the reconciliation drift issue by ensuring reconcile-repos.sh applies PrependManagedHeader when comparing or deploying the shim, rather than embedding headers in the template. The idempotent PrependManagedHeader change is correct and should be kept, but applied consistently at deploy time.
| local header | ||
| header=$(printf '%s\n' "$remote_raw" | extract_user_header) | ||
|
|
||
| # Strip provenance headers that the template now includes natively. |
There was a problem hiding this comment.
[medium] scope-divergence
The new logic strips provenance headers from user content because the template now includes them natively. This stripping logic is a workaround for the architectural violation. If the template remained header-free per ADR 43, this complexity would be unnecessary.
Suggested fix: Remove the provenance-stripping logic. Instead, ensure reconcile-repos.sh calls PrependManagedHeader (or equivalent header injection) when building the final deployed content.
|
/fs-fix |
|
🤖 Finished Fix · ✅ Success · Started 9:48 AM UTC · Completed 9:59 AM UTC |
Revert embedded provenance headers from the shim template to restore the header-free state required by ADR 43. Instead, add deploy-time header injection in reconcile-repos.sh via a PROVENANCE_HEADER variable prepended by shim_content_b64() and shim_with_header_b64(). Keep the provenance-stripping logic in shim_with_header_b64 to prevent header duplication from existing deployed shims that already have provenance headers from the Go installer. Update Go and shell tests to reflect header-free template and deploy-time provenance injection. Addresses review feedback on #2578
🔧 Fix agent — iteration 1 (human-triggered)Addressed both review findings. Reverted template to header-free state per ADR 43 and added deploy-time provenance header injection in reconcile-repos.sh. Retained provenance-stripping logic to prevent duplication from existing deployed shims. Fixed (2):
Tests: passed Decision points
Updated by fullsend fix agent |
Site previewPreview: https://3a52860d-site.fullsend-ai.workers.dev Commit: |
|
🤖 Finished Review · ✅ Success · Started 10:03 AM UTC · Completed 10:15 AM UTC |
|
@ralphbean I think you implemented this in the first place, could you take a look to check if your original intent is preserved? |
The reconciliation bot's shim output included two provenance-comment lines (managed-by header and upstream URL) that were not present in the template at templates/shim-workflow-call.yaml. This caused the review agent to flag template-drift on reconciliation PRs whose descriptions claimed exact sync.
Root cause: the Go install path (PrependManagedHeader) added provenance headers at deploy time, but the template itself did not contain them. The reconciliation script preserved these headers from the remote file, producing output that diverged from the template.
Changes:
is the single source of truth for the full generated output
content already starts with the managed header
shim_with_header_b64() to avoid duplication when updating shims
that already have them
comment headers before ---, add idempotency test for
PrependManagedHeader, update reconciliation test template
Closes #2574
Post-script verification
agent/2574-template-provenance-headers)21cc2c25f3fc43d52321b3c58deb1326e17d666c..HEAD)