feat(v0.53): close out v0.51/v0.52 follow-ups — lint debt, crawler flake, missing_state_change FP#268
Merged
cunninghambe merged 1 commit intoMay 16, 2026
Conversation
…nflaked + missing_state_change FP fixed Sweeps the four outstanding follow-ups from the v0.51/v0.52 session. ## 1. Date.now lint debt cleared (was 58 errors) The `no-restricted-syntax` rule (scoped to `packages/cli/src/phases/*.ts`) banned `Date.now()` to preserve V32 frozen-clock determinism. 58 sites in 6 files had been deferred since the rule landed. Per `docs/follow-ups/date-now-lint-debt.md`, this was Option A: scope the rule out of duration measurements, because elapsed-time / deadline checks belong to the harness, not the system-under-test. New helper `packages/cli/src/lib/perf.ts` exports `perfMs()` (returns `Date.now()` from outside the rule's scope). Every `Date.now()` call site in the 6 phase files now uses `perfMs()`. Template-literal browser scripts (form-submit-runner) keep their inline `Date.now()` — those run in the browser realm where `perfMs` doesn't exist; they were never in scope of the rule. 22 unrelated pre-existing errors also fixed: unused imports, nullable boolean conditional, promise-executor return values, useless escape, script-url whitelist. Plus dropped `await` from a returned promise. Lint state now: 0 errors / 167 warnings (advisory). ## 2. Lint added to verify CI (was missing) New `lint:ci` npm script runs eslint without `--max-warnings 0`. Verify workflow gains a `Lint (errors only — warnings advisory)` step between typecheck and build. `npm run lint` keeps the strict 0-warnings local contract; `lint:ci` gates errors only. ## 3. Crawler case 11 unskipped Test was skipped in PR #264 because the evaluate() mock counted callCount globally; post-V56 crawler does more evaluate() calls per page so callCount=2 landed on the seed instead of /fail-next. URL-keyed mock replaces the tick counter — throws when the visited URL is /fail-next, returns links normally otherwise. Robust to future evaluate-tick growth. ## 4. missing_state_change FP fixed (spoonworks Remove-row case) The single remaining cluster from the v0.52 spoonworks validation was a `missing_state_change` on RecipeEditor's "Remove row" button — manual code review confirmed the handler (`setRows(p.filter(...))`) is correct. Root cause: the MutationObserver was capturing DOM mutations but `execute.ts` discarded everything except `durationMs`. The classifier saw no URL change / network / aria / portal and emitted. Fix: count meaningful (childList) mutations from the observer's payload, expose as `postState.domMutationCount`, and have `classifyMissingStateChange` return null when > 0. Conservative for backward compat: `undefined` falls through to legacy behavior (won't silently change pre-v0.53 PostStates). 10 new unit tests in `classify/state-change.test.ts` cover both the v0.53 mutation-signal path and the legacy 5 fall-through conditions. ## Predicted spoonworks impact Run after v0.53 should drop the last false positive: 5 → 4 clusters, **4/4 = 100 % precision**. (vs. v0.52 measured 4/5 = 80 %.)
|
✅ BugHunter Calibration | | 2026-05-16 Overall: tp=0 fp=0 fn=0 precision=1 recall=1 f1=0
|
cunninghambe
added a commit
that referenced
this pull request
May 16, 2026
PR #268's squash merge dropped the execute.ts changes that wire domMutationCount from MUTATION_OBSERVER_STOP_SCRIPT through to PostState. types.ts (field declaration) and state-change.ts (classifier check) both landed correctly, but without execute.ts setting the field the classifier always sees undefined and falls through to legacy behavior. Spoonworks v0.53 validation (run xkyzfn64ao7w5yia4891my4p) confirmed: postState had mutationObserverWindowMs=137 (observer ran) but no domMutationCount field → missing_state_change FP persisted at 1/5 clusters. This commit re-applies the mutPayload extraction + childList mutation count + PostState assignment. No new tests needed (state-change.test.ts already covers the classifier path).
cunninghambe
added a commit
that referenced
this pull request
May 16, 2026
Spoonworks v0.53.1 validation (run si4uxdehzj5v6od6027pkt3o) emitted 4 clusters, all real `vulnerable_dependency_high`. The missing_state_change FP that lingered in v0.52 cleared after PR #269 restored the execute.ts mutation-count threading dropped by PR #268's squash merge. Honest framing: includes the camofox cache failure caveat (3047/3338 tests completed). The 4 real-bug clusters were captured before the env issue triggered `max_infra_failures`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the four outstanding follow-ups from the v0.51/v0.52 session:
lib/perf.tshelper for harness-side duration measurements; sed-replaced `Date.now()` with `perfMs()` in 6 phase files. Template-literal browser scripts kept their inline `Date.now()` (out of rule scope).22 unrelated pre-existing lint errors also fixed (unused imports, nullable booleans, promise-executor returns, useless escape, script-url whitelist).
Verification
Test plan
🤖 Generated with Claude Code