From c4a82c70677ca36eace1eee7109168a2304f94ad Mon Sep 17 00:00:00 2001 From: Michael Czechowski Date: Mon, 6 Apr 2026 18:38:16 +0200 Subject: [PATCH] fix(pipeline): chain wave-validate steps sequentially for graph walker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The graph walker's evaluateEdges() picks only the first matching edge (routing, not fan-out), so steps 3–7 were silently skipped. Chain check-config → sub-pipeline-test → run-tests via explicit edges, and route test-gate/diagnose-failure to approval-gate instead of directly to generate-report. Also add opencode-patched to the bwrap sandbox allowed binaries. Co-Authored-By: Claude Opus 4.6 --- .wave/pipelines/wave-validate.yaml | 11 +++++++---- flake.nix | 4 +++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.wave/pipelines/wave-validate.yaml b/.wave/pipelines/wave-validate.yaml index d1865a46..1ccb2211 100644 --- a/.wave/pipelines/wave-validate.yaml +++ b/.wave/pipelines/wave-validate.yaml @@ -57,17 +57,21 @@ steps: source: .wave/output/config-check.json schema_path: .wave/contracts/hello-world-result.schema.json on_failure: retry + edges: + - target: sub-pipeline-test # Step 2: Sub-pipeline composition — validates child pipeline invocation - id: sub-pipeline-test type: pipeline pipeline: ops-hello-world dependencies: [check-config] + edges: + - target: run-tests # Step 3: Command step — validates shell execution without adapter - id: run-tests type: command - dependencies: [check-config] + dependencies: [sub-pipeline-test] workspace: mount: - source: ./ @@ -80,7 +84,7 @@ steps: type: conditional dependencies: [run-tests] edges: - - target: generate-report + - target: approval-gate condition: "outcome=success" - target: diagnose-failure @@ -105,7 +109,7 @@ steps: type: non_empty_file source: .wave/output/diagnosis.md edges: - - target: generate-report + - target: approval-gate # Step 6: Human gate — validates approval workflow (auto-approved) - id: approval-gate @@ -121,7 +125,6 @@ steps: target: _fail default: "a" timeout: "10s" - dependencies: [test-gate, diagnose-failure] # Step 7: LLM-as-judge — validates subjective quality assessment - id: generate-report diff --git a/flake.nix b/flake.nix index 00d1908f..5e1d6ce3 100644 --- a/flake.nix +++ b/flake.nix @@ -112,6 +112,7 @@ mkdir -p "$HOME/.local/share/uv" mkdir -p "$HOME/notes" touch -a "$HOME/.local/bin/wave" + touch -a "$HOME/.local/bin/opencode-patched" touch -a "$HOME/.claude.json" BWRAP_ARGS=( @@ -163,6 +164,7 @@ # Read-only: local tools --ro-bind-try "$HOME/.local/bin/notesium" "$HOME/.local/bin/notesium" --ro-bind-try "$HOME/.local/bin/claudit" "$HOME/.local/bin/claudit" + --ro-bind-try "$HOME/.local/bin/opencode-patched" "$HOME/.local/bin/opencode-patched" # Writable: wave binary (go build target) --bind-try "$HOME/.local/bin/wave" "$HOME/.local/bin/wave" @@ -255,7 +257,7 @@ echo " Read-only: / (entire root)" echo " ~/.ssh, ~/.gitconfig, ~/.config/git" echo " ~/.config/gh, ~/.npmrc, ~/.config/nvm" - echo " ~/.local/notesium, ~/.local/claudit" + echo " ~/.local/bin/{notesium,claudit,opencode-patched}" echo "" exec wave-sandbox ${pkgs.bash}/bin/bash --rcfile <(cat << 'WAVE_BASHRC' PS1="[sandbox] \w \$ "