Skip to content

feat(meta): interactive meta-pipeline orchestrator (wave run wave)#246

Open
nextlevelshit wants to merge 3 commits intomainfrom
245-interactive-meta-pipeline
Open

feat(meta): interactive meta-pipeline orchestrator (wave run wave)#246
nextlevelshit wants to merge 3 commits intomainfrom
245-interactive-meta-pipeline

Conversation

@nextlevelshit
Copy link
Collaborator

@nextlevelshit nextlevelshit commented Mar 4, 2026

Summary

  • Add wave run wave meta-orchestrator command with parallel health checks, intelligent pipeline proposal, and codebase auto-tuning
  • New internal/meta package: health check runner, dependency installer, proposal engine, sequence composer, and tuning advisor
  • New internal/platform package: hosting platform detection (GitHub, GitLab, Bitbucket, Gitea) via git remote URL analysis
  • New TUI components: health report renderer, interactive proposal selector, pipeline browser, run selector, and shared theme
  • Clean up legacy workspace paths and template variable fallbacks in pipeline internals

Spec

See specs/245-interactive-meta-pipeline/spec.md for full feature specification.

Test plan

  • All new packages have comprehensive table-driven tests (6,600+ lines of test code)
  • go test -race ./... passes with 0 failures
  • Health checks tested with mocked filesystem and command execution
  • Platform detection tested against real git remote URL patterns for all 4 supported platforms
  • Proposal engine tested for context-aware pipeline recommendations
  • Sequence composition tested for dependency ordering and conflict detection
  • TUI components tested for rendering and interaction model correctness
  • Pipeline workspace scanning updated to handle timestamped run dirs, tested via existing pipeline test suite

Known limitations

  • Auto-installation (internal/meta/install.go) shells out to package managers — requires sandbox configuration for production use
  • Tuning advisor generates recommendations but does not yet auto-apply them
  • Interactive selection requires a TTY — non-interactive fallback uses --proposal flag

Closes #245

@nextlevelshit
feat(meta): add interactive meta-pipeline orchestrator for wave run wave
d219984 
Implement the core infrastructure for the `wave run wave` meta-orchestrator
that provides parallel health checks, intelligent pipeline proposals with
interactive selection, and codebase auto-tuning.

New packages:
- internal/meta: health checks, dependency installation, pipeline proposal
  engine, sequence composition, and codebase tuning
- internal/platform: hosting platform detection (GitHub, GitLab, Bitbucket,
  Gitea) via git remote URL analysis
- internal/tui: health report renderer, proposal selector, pipeline browser,
  run selector, and shared theme

CLI integration:
- Reserve "wave" keyword in `wave run` to dispatch to meta-orchestrator
- Add --proposal flag for non-interactive proposal auto-selection
- New wave.go command handler with health→propose→execute flow

Pipeline cleanup:
- Remove legacy workspace path resolution (exact-name dirs without hash)
- Remove legacy YAML extraction fallback in meta-pipeline output parsing
- Remove legacy template variable placeholders from context resolution
- Fix workspace scanning to search across timestamped run dirs

Closes #245
@nextlevelshit
fix(meta): adapt health checks to pipeline-scoped skills
7c734c3 
Update checkDependencies to accept skills as a parameter instead of
reading from manifest.Skills (removed in pipeline-scoped skills refactor).
Add collectSkillsFromPipelines() to scan pipeline YAML for skill configs.
Update wave.go auto-install to source skills from pipelines.
@nextlevelshit
Copy link
Collaborator Author

nextlevelshit commented Mar 4, 2026

Code Review (Wave Pipeline)

Verdict: REQUEST_CHANGES

PR #246 (interactive meta-pipeline) and #244 (pre-merge change summary) introduce a well-structured orchestration layer with clean interface-based design, ~2,200 lines of tests, and proper separation of concerns. However, the review uncovered 1 critical security vulnerability, 3 critical quality defects, and several high-severity issues that must be addressed before merge.

All existing tests pass with -race enabled.

Critical Issues (must fix)

1. Arbitrary file write via adapter-supplied schema paths

internal/pipeline/meta.go:637-689extractSchemaDefinitions() parses SCHEMA: <path> directives from raw adapter stdout and writes to the path with no containment check. A compromised adapter can write arbitrary JSON to any writable path (e.g., /etc/cron.d/backdoor). The codebase already has the correct mitigation in executor.go:1813-1815 — apply the same filepath.Clean + strings.HasPrefix check here.

2. ConcurrencyValidator has no synchronization — data race on shared maps

internal/pipeline/validation.go:330-367workspaceLocks and runningPipelines are bare map types accessed without any mutex. Go maps are not safe for concurrent use. Sequential tests mask this, but any real multi-pipeline execution will corrupt state or panic. Add sync.Mutex protection around all map access.

3. Nil pointer dereference in ProposalEngine.GenerateProposals

internal/meta/proposal.go:55 — Passing a nil *HealthReport to NewProposalEngine causes an immediate panic on e.report.Platform.PipelineFamily. Add a nil guard.

4. Workspace path resolution hardcoded in three locations

internal/pipeline/resume.go:205, internal/pipeline/validation.go:48,135 — All three hardcode .wave/workspaces instead of reading from manifest runtime.workspace_root. Pipelines with custom workspace roots will fail to resume, validate phases, or detect stale artifacts. Centralize into a single helper with manifest fallback.

High-Severity Issues (should fix before merge)

# Issue Location Summary
H1 Credential leakage via git remote URLs internal/platform/detect.go:265-301, cmd/wave/commands/wave.go:76-78 Raw URLs with embedded tokens (ghp_xxxxx@) are serialized to stdout in non-interactive mode. Strip userinfo before storing.
H2 Path traversal in loadPipeline cmd/wave/commands/run.go:438-473 User-supplied pipeline names are used in filesystem paths without validation. The third candidate (name directly) accepts raw user input as a path. Sibling commands already have containment checks.
H3 Shell injection via YAML-sourced commands internal/meta/health.go:279, internal/meta/install.go:26-27 sh -c invoked with unvalidated strings from pipeline YAML. Mitigated by version control, but still a supply-chain risk for untrusted repos. Add command validation or audit logging.
H4 Goroutine leak on timeout in RunHealthChecks internal/meta/health.go:423-501 Inner goroutines spawned inside errgroup don't respect context cancellation; they continue running after timeout.
H5 Glob errors silently discarded resume.go:210, validation.go:49,136 filepath.Glob errors are swallowed with _, masking permission errors and malformed patterns.
H6 Glob results assumed sorted resume.go:208-210 filepath.Glob order is filesystem-dependent, not guaranteed lexicographic. Add explicit sort.Strings().

Suggested Improvements

  • Second-order template injectioninternal/pipeline/context.go:52-96 performs multi-pass substitution allowing branch names like feat/{{artifacts.credentials}} to resolve artifact paths. Switch to single-pass substitution.
  • Bitbucket personas missing PUT/PATCH deny ruleswave.yaml denies POST and DELETE but not PUT/PATCH for three Bitbucket personas. The bitbucket-analyst persona already has the correct pattern.
  • GH_TOKEN exposed to all personaswave.yaml passes GH_TOKEN to the sandbox environment globally. Restrict to personas that need GitHub access.
  • Five personas with empty deny lists — Multiple personas have deny: [] with unrestricted Bash(*). Apply least-privilege deny rules.
  • Code duplication in skill collectioninternal/meta/health.go:510-541 and cmd/wave/commands/list.go:1386-1426 both scan pipeline YAML for skills with different behavior (.yml accepted in one, not the other). Extract shared implementation.
  • Phase validation hardcoded for "prototype" pipelinevalidation.go:86-111 and resume.go:465-493 are coupled to specific artifact names and a single pipeline name. Drive from manifest configuration.
  • Workspace lock release API mismatchAcquireWorkspaceLock takes (pipelineID, workspaceID) but ReleaseWorkspaceLock takes only (pipelineID), allowing mismatched releases.
  • errgroup.Wait() result discardedhealth.go:504 uses _ = g.Wait(), silently dropping any future errors.

Breaking Changes to Document

  1. Legacy template variables removed (pipeline_idpipeline_context.pipeline_id) — external YAML using old format silently fails. No migration warning emitted.
  2. extractYAMLLegacy() deleted — meta-pipeline output without --- PIPELINE --- marker now hard-fails.
  3. Old workspace naming no longer found — workspaces without hash-suffix naming lose resume capability.
  4. wave reserved as pipeline name — existing wave.yaml pipeline files will be blocked.

These should be mentioned in release notes.

Positive Observations

  • Clean interface design: GitRunner, PipelineRunner, CommandRunner, HealthChecker interfaces enable thorough testing and dependency injection throughout.
  • Comprehensive test coverage: ~2,200 lines of tests across internal/meta, with table-driven patterns and edge case coverage. Platform detection and TUI packages also well-tested.
  • Functional options pattern consistently applied across all new types for clean configuration.
  • Fresh-memory principle correctly enforced — no chat history leakage between pipeline steps.
  • Good error classification in the recovery system with structured error types.
  • Parallel health checks with proper timeout handling (modulo the goroutine leak).
  • All tests pass with -race across all affected packages.

Test Gaps to Address

  • No negative security tests: Path traversal, command injection, and credential leakage prevention are not tested.
  • cmd/wave/commands coverage is thin: Only getWaveVersion/emitMetaEvent tested (49 lines). runWave() has zero coverage.
  • No concurrent ConcurrencyValidator tests: Sequential tests mask the data race.
  • No symlink or TOCTOU tests for workspace resolution.

Generated by Wave gh-pr-review pipeline

@nextlevelshit nextlevelshit mentioned this pull request Mar 4, 2026
Open
6 tasks
@nextlevelshit
feat(tui): add guided workflow orchestrator with health→proposals→fle…
60aed8f 
…et flow

Implement #248 guided workflow: wave starts with a health phase showing
system checks, auto-transitions to proposals view on completion, then
Tab toggles to fleet monitoring. Replaces dashboard-first architecture.

Key changes:
- ViewHealthPhase → ViewProposals → ViewFleet guided state machine
- Embedded huh forms replace broken form.Run() goroutines that fought
  the parent bubbletea program for terminal control (#250)
- Proposals promoted from overlay to full-screen view with Tab toggle
- Health phase renders spinner-per-check progress during startup
- OverlayForm replaces OverlayProposals for pipeline selector/modify
@nextlevelshit nextlevelshit force-pushed the 245-interactive-meta-pipeline branch from deda796 to 60aed8f Compare March 5, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Interactive meta-pipeline orchestrator (wave run wave) with health checks, parallel execution, and guided workflow proposals

1 participant

@nextlevelshit