Context
Surfaced during PR #225 (per-story field-closure check, #212) peer review by Codex.
In `packages/docx-core/src/baselines/atomizer/pipeline.ts`, `evaluateRoundTripSafety` (and therefore the entire safety-check suite: text round-trip equality, bookmark diagnostics, field structure) only runs when `reconstructionMode === 'inplace'` is requested. When a caller explicitly passes `reconstructionMode: 'rebuild'`, the direct rebuild branch invokes `runComparisonPass` and returns the result without ever evaluating safety.
Concretely (line numbers as of `b1f0cc4`):
- The `inplace` request path threads attempts through `evaluateRoundTripSafety` and falls back to rebuild if any safety check fails.
- The else-branch direct `rebuild` path (~`pipeline.ts:884`) runs `runComparisonPass(..., 'rebuild')` and immediately returns the candidate XML — no safety evaluation.
Why this matters
PR #225 adds a per-story field-closure check to defend against cross-story field issues that would break Word's field state machine. That defense never executes in direct rebuild mode. The same is true for the pre-existing text round-trip and bookmark checks — a caller who requests rebuild explicitly gets zero safety screening on the output.
This is broader than #212's scope (which was specifically about partitioning the existing safety check) but is now an obvious latent gap: if/when the `add-footnote-support` change lands and starts emitting field-bearing footnote XML in rebuild output, malformed output can ship unchecked.
What needs to change
Route the direct-rebuild path through `evaluateRoundTripSafety` (or a rebuild-specific equivalent), so the field-structure / text-equality / bookmark checks apply uniformly. Decide what to do on failure — there's no further fallback available, so options are:
- Return the result anyway but surface `failedChecks` in the diagnostics (caller-visible warning).
- Throw an error.
- Add a `safetyCheckMode` option so callers can opt in/out.
Recommend (1) for back-compat: callers that explicitly choose rebuild may be doing so deliberately and shouldn't have output hard-blocked.
Acceptance
Sources
🤖 Generated with Claude Code
Context
Surfaced during PR #225 (per-story field-closure check, #212) peer review by Codex.
In `packages/docx-core/src/baselines/atomizer/pipeline.ts`, `evaluateRoundTripSafety` (and therefore the entire safety-check suite: text round-trip equality, bookmark diagnostics, field structure) only runs when `reconstructionMode === 'inplace'` is requested. When a caller explicitly passes `reconstructionMode: 'rebuild'`, the direct rebuild branch invokes `runComparisonPass` and returns the result without ever evaluating safety.
Concretely (line numbers as of `b1f0cc4`):
Why this matters
PR #225 adds a per-story field-closure check to defend against cross-story field issues that would break Word's field state machine. That defense never executes in direct rebuild mode. The same is true for the pre-existing text round-trip and bookmark checks — a caller who requests rebuild explicitly gets zero safety screening on the output.
This is broader than #212's scope (which was specifically about partitioning the existing safety check) but is now an obvious latent gap: if/when the `add-footnote-support` change lands and starts emitting field-bearing footnote XML in rebuild output, malformed output can ship unchecked.
What needs to change
Route the direct-rebuild path through `evaluateRoundTripSafety` (or a rebuild-specific equivalent), so the field-structure / text-equality / bookmark checks apply uniformly. Decide what to do on failure — there's no further fallback available, so options are:
Recommend (1) for back-compat: callers that explicitly choose rebuild may be doing so deliberately and shouldn't have output hard-blocked.
Acceptance
Sources
🤖 Generated with Claude Code