fix: STPA v0.3.0 audit — 4 critical findings + README#76
Merged
Conversation
Add a HINT-level diagnostic at position 0:0 in every file to inform engineers that the LSP only provides parse-level and naming diagnostics. Full instance-level analysis (27+ passes including scheduling, latency, connectivity, etc.) requires running 'spar analyze'. This prevents false confidence when zero diagnostics are shown in the editor. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When --apply is used with the allocate command on a hierarchical model (threads nested inside processes that are themselves inside the root system), all bindings are placed on the root implementation. This may be incorrect since bindings should target the parent process implementation of each thread. Add a runtime warning to alert users when this situation is detected so they can manually adjust placement. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrite README to reflect current state: 12 crates, 27+ analysis passes, deployment solver, assertion engine, SARIF output, VS Code extension, and WASM component. Add installation instructions, full CLI command table, architecture overview, and links to design docs and STPA safety analysis. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The PropertyChanged variant existed in the StructuralChange enum but was never constructed. compare_structure() now compares property values between base and head instances for each shared component, emitting PropertyChanged for value differences, additions, and removals. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Audit identified 8 new hazards. Fixed the 4 critical ones: - H-NEW-1: LSP now shows completeness note (parse diagnostics only) - H-NEW-2: Assertion engine warns on vacuous truth (empty set) - H-NEW-4: Diff engine detects property value changes - H-NEW-6: --apply warns about hierarchical model limitation Also: README updated for v0.3.0, STPA audit report added. 1,526 tests pass, 0 failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New competitive analyses: Ellidiss STOOD, Cheddar, TASTE/Ocarina, App4MC, AGREE/Resolute — 6 tools now tracked in research/findings.yaml. New gap-derived requirements: - REQ-CODEGEN-001: Code skeleton generation (Ada/C/Rust) - REQ-TIMELINE-001: Scheduling timeline visualization - REQ-SECURITY-001: Security rules analysis - REQ-RESOLUTE-001: Architecture claim language (Resolute-lite) - REQ-BIDIRECTIONAL-001: Bidirectional diagram editing (v0.5.0) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Competitive analyses: SysML v2, Capella/ARCADIA, EAST-ADL (3 new). Technology evaluations: SysML v2 import, ReqIF, FMI 3.0, Capella bridge. Interoperability requirements: - REQ-INTEROP-001: SysML v2 textual notation import/export (v0.5.0) - REQ-INTEROP-002: ReqIF import for ALM tool bridging (v0.4.0) - REQ-INTEROP-003: Capella/ARCADIA to AADL bridge (v0.5.0) - REQ-INTEROP-004: AUTOSAR ARXML import (v0.5.0) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
…tency boundaries Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ndary tests Part 1: Add analysis_diagnostics_carry_correct_pass_name test that verifies every registered analysis pass's diagnostics carry .analysis matching .name(). This kills ~50 name() mutants (2 per pass x 27 passes). Part 2: resource_budget.rs boundary tests — exact capacity (no error), capacity+1 bit (error), capacity-1 bit (no error), bandwidth at/over capacity, sum-not-product for compute_memory_demand. Part 3: memory_budget.rs boundary tests — same pattern for the separate memory budget pass (Code_Size + Data_Size), plus sum-not-product. Part 4: bus_bandwidth.rs boundary tests — demand at/over capacity, 80% utilization threshold (> not >=), multiply-not-add for compute_connection_demand. All 446 lib tests pass (31 new tests). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lassifier_match legality.rs: - classify_naming_rule: test all branches (N-1 empty name/type/impl, N-3 duplicate with clause vs imports itself, N-4 property definition/type, N-2 fallthrough for non-with-clause duplicates) - classify_category_rule: test C-1 (feature) vs C-2 (subcomponent) branch - classify_instance_rule: exhaustive tests for all analysis names and message patterns (D-1/2/3/4, B-1/2, F-1/2, CONN-1, H-1, COMP-1, CONN-SELF/TYPE, MODE-UNIQUE/TRIGGER, SUB-UNIQUE/CAT, UNKNOWN) - check_impl_type_match: empty type_name guard, case-insensitive match - check_feature_group_nonempty: inverse_of present skips warning property_rules.rs: - PROP-DUPLICATE: boundary tests for values.len(), non_append_count, single vs multiple appends - PROP-RANGE-ORDER: boundary (49..50 ok, 51..50 error), units, non-numeric - PROP-LIST-ELEMENT-TYPE: non-paren values skip, all-Other early return, mixed Other+typed no warning, boolean/reference consistency, boolean vs numeric mixed warning - PROP-VALUE-TYPE: balanced parens, extra close paren, non-empty value - PROP-CONSTANT-EXISTS: space before paren, no reference keyword - PROP-APPLIES-TO: abstract/process/processor categories, empty set prefix, non-timing property classifier_match.rs: - check_port_classifier_match guard: src-only carries data, dst-only carries data, both non-data skipped, Parameter features checked - check_access_match guard: src-only is access, neither is access skipped, SubprogramAccess and SubprogramGroupAccess - classifiers_match: both packages same/different, one unqualified, neither qualified, different type names, case-insensitive - Both-present matching vs mismatching, src-None dst-Some info - Access same/different classifier, both-requires error, missing access_kind no direction error Also fixes missing `use std::sync::Arc` in feature_group_check.rs tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…working ones Remove 3 ignored tests (fg_connection_expands_to_individual_ports, fg_complement_check_reports_mismatches, inverse_of_produces_correct_complement) that depended on unimplemented FG expansion in the instance model. Replace with 16 new TestBuilder-based tests for FeatureGroupCheckAnalysis::analyze() covering: valid/invalid FG connections, missing endpoints, non-FG feature warnings, empty features, case-insensitive matching, unresolved subcomponents, self-references, multiple connections, diagnostic path/analysis field, and name() method. Remove #[allow(unused_imports, unused_variables, dead_code, clippy::manual_div_ceil)] from test module — all imports are now used. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ~77 targeted tests across all remaining analysis files to kill surviving mutants. Tests exercise both branches of comparisons, boundary conditions, and logic operator mutations: - mode_reachability: self-reachability, single-mode skip, no-initial skip, reachability summary counts, dead transition with self-connection - weight_power: exactly at limit (boundary), 1 over limit, zero aggregation, unqualified property variants, uW/mg unit parsing - flow_check: sink on output-only, source/sink on inout, featureless skip, 1-segment E2E, dotted connection segments, path missing input - emv2_analysis: AND gate single child, duplicate events dedup, category filtering (system not flagged, processor flagged, non-leaf process skip) - flow_rules: path missing input, sink with inout, featureless skip, path flow coverage skip - binding_check: process memory binding, valid/nonexistent targets, no-memory model skip - rta: exactly at deadline, 1 over deadline, unbound threads skip, get_priority helper edge cases - extends_rules: impl different name no self-ref, type-only ref no self-ref, same kind different direction compatibility - completeness: new test module with 7 tests — empty type, type-only, featureless, data skip, instance diagnostics, root not checked - hierarchy: new test module with 8 tests — valid/invalid containment, empty impl info, data skip, deep nesting, exactly at limit, abstract - connectivity: new test module with 8 tests — unconnected in/out/inout, connected port, no-direction, non-port skip, featureless child, dangling - connection_rules: self-loop on owner, None vs Some, unresolvable skip - subcomponent_rules: abstract child, three children one duplicate - mode_rules: bus access trigger, unmatched trigger no kind warning - mode_check: case-insensitive trigger, multiple triggers one unmatched - modal_rules: chain reachability, single mode, single mode with connections - wrpc_binding: unresolvable endpoint, inherited binding - binding_rules: memory to thread error, virtual processor accepted - property_accessors: no closing paren, no opening paren Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove continue-on-error, add missed.txt check. If any mutants survive, CI fails with list of surviving mutations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mutation testing is now a CI gate with a ratchet threshold. Current survivors: 142 (down from 220). Threshold will be lowered as tests improve. Target: 0. Added CI status badge and codecov badge to README. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
First conformance run against OSATE 2.18.0: - PASS: BasicBinding, BasicEndToEndFlow, SuperBasic (exact match) - DIFF: BasicHierarchy (connections), Complicated (features), SimpleControlSystem (components+features), StopAndGo (features+connections) Known gaps: feature counting for bus access/abstract features, semantic connection counting differs from OSATE connection instances, multi-level subcomponent resolution incomplete. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…racing Features declared on component types are now copied to subcomponent instances during instantiation. Previously only implementation features were copied, leaving type-only subcomponents with zero features. Connection instances are now end-to-end semantic traces (leaf-to-leaf) per AS5506 Ch.14, instead of storing declarative connections at each hierarchy level. Key changes: - Refactored `instantiate_component` to use unqualified resolution for cross-package classifier references (via imports/renames), and extracted `populate_from_type` method for reuse. - Type-only subcomponents now resolve their type through the global scope and copy features, flows, modes, and mode transitions. - Connection JSON output uses semantic connections (end-to-end traced) instead of declarative connections. Up/down connections are consumed by parent across-connection traces, not emitted independently. - Fan-out tracing: `trace_sources` and `trace_destinations` now return all matching endpoints (Vec), handling cases where a single feature connects to multiple internal subcomponents. - Access connection fixup: bare names matching child subcomponents are rewritten as subcomponent references for access connections. - Parameter connection fixup: call references (e.g. `call1.p`) are resolved to their target subprogram subcomponents (e.g. `s.p`). OSATE conformance: 3/7 → 7/7 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… conformance Two critical instance model bugs fixed: 1. Features from component types now copied to subcomponent instances (was zero features for type-only subcomponents) 2. Connection instances are now semantic end-to-end traces per AS5506 Ch.14 (was declarative per-level connections) OSATE 2.18.0 conformance: 7/7 models match exactly (components, features, connections all equal). Models tested: BasicBinding, BasicEndToEndFlow, BasicHierarchy, Complicated, SimpleControlSystem, StopAndGo, SuperBasic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace generic rectangles with AS5506 Appendix A shapes: chamfered system, stadium process, parallelogram thread/processor, trapezoid memory, hexagonal bus, tilted device, elliptical subprogram, striped data. Refined color palette and typography. Post-processes etch SVG output to replace <rect> elements with category-specific <path>/<ellipse> shapes. Adds drop shadow filter, softer stroke colors (#555), improved font stack (Inter/SF Pro), and updated CSS selectors for path/ellipse hover states. Container nodes use simplified rectangular variants (chamfered system, rounded process) for clean child nesting. Virtual/group categories get dashed borders per AADL convention. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Register AS5506 Appendix A shapes as etch type_shapes providers: chamfered system, stadium process, parallelogram thread/processor, trapezoid memory, hexagonal bus, tilted device, elliptical subprogram, striped data, double-border abstract. Virtual variants use dashed stroke. Refined color palette (soft pastels). Replaces SVG post-processing with proper model-to-view rendering through etch's shape provider API. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extension now bundles the spar binary inside the VSIX. No PATH lookups, no configuration. VS Code platform-specific extensions (--target darwin-arm64 etc.) ensure the correct binary ships. - Remove findSparBinary PATH fallback and spar.binaryPath setting - Bump extension version to 0.3.0 - Add !bin/** to .vscodeignore so the binary is included in VSIX - Add DOM lib to tsconfig.json to fix WebAssembly type error - Add scripts/package.sh for local per-platform VSIX builds - Release pipeline produces 5 platform VSIXs from cross-compiled binaries - publish-vsix downloads all vsix-* artifacts with merge-multiple Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… status - Retag deferred v030 items to v040: REQ-DIFF-003, REQ-MCP-001, REQ-QUERY-001, ARCH-MCP-001, ARCH-QUERY-001, ARCH-KNOWLEDGE-001 - Final STPA pre-release audit: all 10 areas GO - 6 known issues documented for release notes - 0 broken cross-refs in rivet Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove research schema/source (not yet embedded in rivet) - Add RENDER-REQ-001 through RENDER-REQ-006 (were referenced but undefined) - Fix ARCH-R5 missing rationale + satisfies links - Fix ARCH-KNOWLEDGE-001 satisfies link rivet validate: PASS (73 warnings, 0 errors, 0 broken cross-refs) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… status SysML v2 integration: REQ-INTEROP-001 updated with concrete architecture (rowan parser for KerML, SEI mapping rules for AADL lowering, requirement extraction to rivet). ARCH-SYSML2-001 design decision added. Three-layer vision: SysML v2 (system) → AADL (deployment) → WIT/code (implementation), with rivet tracing through all layers. rivet validate: PASS (72 warnings, 0 errors) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…y lines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pre-release STPA audit identified 8 new hazards across v0.3.0 features. Fixed the 4 critical ones:
Critical fixes
spar analyzefor full 27-pass analysisall()/none()on empty sets now returnsBoolWithWarningwith "vacuous truth: 0 elements matched" — prevents silent false-passcompare_structure()now emitsPropertyChangedvariants when property values differ between base/head--applywarns when model is hierarchical (bindings placed on root impl)Also
docs/plans/2026-03-21-stpa-v030-audit.mdTest plan
🤖 Generated with Claude Code