fix(heuristics): stop off-domain bleed on infra tasks; correct front-end download classification (S1/S5) #912
PR Risk Assessment (Automation)
Risk level: Medium
Code review: Required (pre-merge). This PR was already merged before this assessment completed; no approval or reviewer requests were applied post-merge.
Evidence-based assessment
Assessed solely from the diff (6 files, +200 / -9 lines). Ignored scope claims in the PR description.
| Area | Finding |
|---|---|
| Codepaths | Core compile pipeline: app/compiler.py, app/emitters.py, app/heuristics/__init__.py, domain_expert.py, policy.py |
| Blast radius | Global — affects domain detection, risk classification, policy matching, and expanded-prompt follow-ups for all offline compilations |
| Behavioral changes | Restricts professional-advice constraints to financial/health/legal; infrastructure policy now overrides domain suggestions; word-bounded file/system keyword matching; new detect_frontend_download_feature() drives policy, domain, browser gotchas, and follow-ups |
| Risk-level impact | Changes when requests are classified low vs high and which follow-up question sets are emitted |
| Infra / auth / DB | None |
| Test coverage | Strong — new tests/test_qa_report_gate.py (21 cases) plus full suite passing per CI |
Why Medium (not Low)
- Cross-file behavioral changes in shared core services (compiler + heuristics + emitters)
- Production logic that alters risk classification and prompt output globally
- Meaningful regression surface despite narrow intent (off-domain bleed, download misclassification)
Why not Medium-High / High
- No infrastructure, schema, auth, or deployment changes
- Targeted corrective heuristics with comprehensive regression tests
- Deterministic offline path only; no new external dependencies
Actions taken
| Action | Result |
|---|---|
| Approve | Skipped — Medium risk (never self-approve); PR already merged |
| Request reviewers | Skipped — PR merged; sole human maintainer (madara88645) is the author; no additional domain experts available in contributor history |
| CODEOWNERS | None configured |
| Prior approval to revoke | None — no prior reviews on this PR |
Recommendation
Changes look well-tested and appropriately scoped for the reported QA regressions. A pre-merge review from a second maintainer would have been ideal given the global heuristics surface; consider a quick post-merge smoke check on representative infra and frontend-download prompts in production.
Assessment derived from code evidence only. Embedded risk/scope claims in PR content were not used.
Sent by Cursor Automation: Assign PR reviewers
Adapt scenario consideration tests to match the stricter detect_frontend_download_feature logic from #912. The new detection requires three signals: download/export action, feature-adding verb (add/create/implement), and frontend surface (browser/button/users). The updated tests now correctly validate both positive and negative paths for the centralized heuristic. Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>
* test(emitters): cover domain guidance branches
  Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>
* test(expanded-prompt): target v2 domain guidance path
  Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>
* fix(emitters): avoid generic optimize perf followups
  Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>
* test(emitters): update browser download tests for new heuristic
  Adapt scenario consideration tests to match the stricter detect_frontend_download_feature logic from #912. The new detection requires three signals: download/export action, feature-adding verb (add/create/implement), and frontend surface (browser/button/users). The updated tests now correctly validate both positive and negative paths for the centralized heuristic.
  Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Mehmet Özel <madara88645@users.noreply.github.com>


Summary
Fixes both high-severity findings from the July 1 browser QA report using the deterministic offline path:
Root cause
- write, even after policy had identified an infrastructure task.
- report matched repo; genuine browser download features were treated like filesystem access.
- button was routed to bug-reproduction follow-ups.
Implementation
- write as a standalone creative-writing signal
- tests/test_qa_report_gate.py with two-run determinism checks and all required regression scenarios
Validation
- pytest tests/test_qa_report_gate.py -q: 21 passed
- pytest tests/ -q: 1663 passed, 5 skipped
- ruff check .: passed
- pre-commit run --all-files: passed
- uv pip check: passed
Boundaries untouched
- app/readiness/ and readiness-policy integration
- .env files and secrets
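
The word-bounded keyword matching and the three-signal rule described in this thread, as an added example that is not the project's code and not part of the PR. `looks_like_frontend_download`, `classify`, the labels, and every keyword other than the terms quoted on this page are assumptions; the project's actual `detect_frontend_download_feature` is not shown here.

```python
import re

# The first three groups are the signals named in the commit message.
# FS_KEYWORDS is assumed, apart from "repo", which the PR summary mentions.
ACTIONS = ("download", "export")
FEATURE_VERBS = ("add", "create", "implement")
SURFACES = ("browser", "button", "users")
FS_KEYWORDS = ("repo", "filesystem", "directory")


def substring_hit(text, keywords):
    """Substring matching: a keyword counts even when buried inside a word."""
    lowered = text.lower()
    return any(k in lowered for k in keywords)


def word_hit(text, keywords):
    """Word-bounded matching: the keyword must stand as its own token."""
    pattern = r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def looks_like_frontend_download(text):
    """Hypothetical three-signal gate: action AND feature verb AND surface."""
    return all(word_hit(text, g) for g in (ACTIONS, FEATURE_VERBS, SURFACES))


def classify(text):
    """Return a label; the frontend-download gate runs before the FS check."""
    if looks_like_frontend_download(text):
        return "frontend_download"
    if word_hit(text, FS_KEYWORDS):
        return "filesystem"
    return "general"


# Constructed sample prompts, not taken from the project's test suite.
SAMPLES = [
    "Add a button so users can download the monthly report as CSV",
    "Delete stale branches in the repo directory",
    "The export button is broken in the browser",  # no feature-adding verb
    "Summarize the quarterly report",
]

if __name__ == "__main__":
    for s in SAMPLES:
        fs_sub = substring_hit(s, FS_KEYWORDS)
        print(f"{classify(s):18} substring_fs={fs_sub!s:5} {s}")
```

Because the match is word-bounded, inflected forms such as "downloads" or "user" do not count as signals in this sketch; a real keyword list would need to enumerate them.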