Skip to content

QVAC-13562 feat: add @qvac/diagnostics package with BaseInference integration#796

Merged
olyasir merged 2 commits into
mainfrom
feat/QVAC-13562-diagnostics-package
Mar 10, 2026
Merged

QVAC-13562 feat: add @qvac/diagnostics package with BaseInference integration#796
olyasir merged 2 commits into
mainfrom
feat/QVAC-13562-diagnostics-package

Conversation

@olyasir

@olyasir olyasir commented Mar 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • New @qvac/diagnostics package (v0.1.0) with structured DiagnosticReport schema
  • Addon registration via contributor pattern (registerAddon/unregisterAddon)
  • Environment and hardware auto-detection via bare-os with Node.js fallback
  • Optional integration wired into BaseInference (load/destroy lifecycle)
  • CI/CD publishing workflow following qvac-lib-langdetect-text pattern

What changed

New package: packages/qvac-lib-diagnostics/

  • index.js: Singleton diagnostic system with JSDoc typedefs, runtime detection, report generation
  • APIs: registerAddon, unregisterAddon, registerExtension, collectEnvironment, collectHardware, generateReport, serializeReport, reset
  • 13 unit tests (44 assertions) via brittle

Modified: packages/qvac-lib-infer-base/

  • Optional @qvac/diagnostics require with try/catch (no hard dependency)
  • Auto-register addon in load(), unregister in destroy()
  • getDiagnostics delegates to subclass _getDiagnosticsJSON() if implemented

New: .github/workflows/trigger-reusable-lib-qvac-lib-diagnostics.yml

  • CI/CD workflow for GPR dev builds and npm releases

Test plan

  • npx standard index.js — lint passes
  • npx tsc — generates valid index.d.ts
  • npm test — 13/13 tests pass, 44/44 assertions
  • Existing infer-base tests unaffected (92/92 pass)
  • Workflow validated via workflow_dispatch

Asana: https://app.asana.com/0/0/1213438112051005

@olyasir
feat: add @qvac/diagnostics package with BaseInference integration an…
d986f73 
…d CI

- New @qvac/diagnostics package (v0.1.0) with DiagnosticReport schema,
  addon registration, environment/hardware collection, report generation
- Wire BaseInference for optional diagnostics addon registration
- Add CI/CD publishing workflow for diagnostics package
- 13 unit tests, 44 assertions
@olyasir olyasir requested review from a team as code owners March 10, 2026 13:37
@github-actions

github-actions Bot commented Mar 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Tier-based Approval Status

**PR Tier:** TIER1

**Current Status:** ✅ APPROVED

**Requirements:**
- 1 Team Member approval ✅ (2/1)
- 1 Team Lead OR Management approval ✅ (1/1)



---
*This comment is automatically updated when reviews change.*

@olyasir

olyasir commented Mar 10, 2026

Copy link
Copy Markdown
Contributor Author

/review

@olyasir

olyasir commented Mar 10, 2026

Copy link
Copy Markdown
Contributor Author

/review

@olyasir

olyasir commented Mar 10, 2026

Copy link
Copy Markdown
Contributor Author

/review

@olyasir olyasir merged commit 56cbfac into main Mar 10, 2026
8 checks passed
@olyasir olyasir deleted the feat/QVAC-13562-diagnostics-package branch March 10, 2026 14:03
@olyasir olyasir mentioned this pull request Mar 10, 2026
Merged
7 tasks
olyasir added a commit that referenced this pull request Mar 11, 2026
@olyasir
feat: add @qvac/diagnostics package with BaseInference integration an…
27fe893 
…d CI (#796)

- New @qvac/diagnostics package (v0.1.0) with DiagnosticReport schema,
  addon registration, environment/hardware collection, report generation
- Wire BaseInference for optional diagnostics addon registration
- Add CI/CD publishing workflow for diagnostics package
- 13 unit tests, 44 assertions
GustavoA1604 added a commit that referenced this pull request May 7, 2026
@GustavoA1604 @cursoragent
Pin mobile prebuild downloads to current run-id (CodeQL artifact pois…
7983ae0 
…oning)

Addresses CodeQL alert #796 (`actions/artifact-poisoning`) on PR #1946
flagged on the two `Download {Android,iOS} prebuilds (from artifacts)`
steps in integration-mobile-test-tts-ggml.yml.

The rule fires because the workflow has a `workflow_dispatch` entry
point and downloads an artifact via `actions/download-artifact@v8`
without an explicit `run-id`.  Without that input, CodeQL has to
assume the artifact could come from any prior run on the branch
(including one uploaded by a fork PR's prebuild step) — which is the
poisoning surface we are explicitly NOT exposing.

Setting `run-id: ${{ github.run_id }}` (the action's existing default)
plus `github-token: ${{ secrets.GITHUB_TOKEN }}` makes the trust
boundary explicit at the call site so the analyzer can see the
artifact is current-run only.  No behavioural change: in `workflow_call`
from on-pr-tts-ggml the parent workflow already produced the artifact
in the same run, and `workflow_dispatch` falls into the
`!inputs.package_spec` -> npm-pack branch since `package_spec`
defaults to `@qvac/tts-ggml@latest` for that trigger.

The four `actions/missing-workflow-permissions` findings on the
benchmark stubs are addressed by the previous commit (ef8d4e2).

Co-authored-by: Cursor <cursoragent@cursor.com>
GustavoA1604 added a commit that referenced this pull request May 7, 2026
@GustavoA1604 @cursoragent
Add tts-ggml workflows (#1946)
1c9a8d1 
* Add tts-ggml workflows

* Add explicit file-level permissions to tts-ggml workflows

Addresses GitHub Advanced Security findings on PR #1946 flagging the
4 benchmark stubs and the two integration workflows for the CodeQL
actions/missing-workflow-permissions rule: every workflow file should
declare a least-privilege `permissions:` block at the top so that any
job added later inherits read-only by default instead of the implicit
read/write GITHUB_TOKEN.

- benchmark-{chatterbox,performance,rtf,supertonic}-tts-ggml.yml: add
  top-level `permissions: contents: read` plus a job-level mirror on the
  noop body (which only writes to stdout).
- integration-test-tts-ggml.yml: add top-level
  `permissions: contents: read; packages: read` matching the existing
  job-level scope on `run-integration-tests`.
- integration-mobile-test-tts-ggml.yml: add top-level
  `permissions: contents: read`; the existing `build-and-test` job
  continues to widen this to packages:read + pull-requests:write +
  id-token:write for the prebuild artifact pull and Device Farm hooks.

The other six tts-ggml workflows (cpp-test-coverage, create-github-release,
on-merge, on-pr, on-pr-close, prebuilds) already had top-level
permissions declared and are untouched.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Pin mobile prebuild downloads to current run-id (CodeQL artifact poisoning)

Addresses CodeQL alert #796 (`actions/artifact-poisoning`) on PR #1946
flagged on the two `Download {Android,iOS} prebuilds (from artifacts)`
steps in integration-mobile-test-tts-ggml.yml.

The rule fires because the workflow has a `workflow_dispatch` entry
point and downloads an artifact via `actions/download-artifact@v8`
without an explicit `run-id`.  Without that input, CodeQL has to
assume the artifact could come from any prior run on the branch
(including one uploaded by a fork PR's prebuild step) — which is the
poisoning surface we are explicitly NOT exposing.

Setting `run-id: ${{ github.run_id }}` (the action's existing default)
plus `github-token: ${{ secrets.GITHUB_TOKEN }}` makes the trust
boundary explicit at the call site so the analyzer can see the
artifact is current-run only.  No behavioural change: in `workflow_call`
from on-pr-tts-ggml the parent workflow already produced the artifact
in the same run, and `workflow_dispatch` falls into the
`!inputs.package_spec` -> npm-pack branch since `package_spec`
defaults to `@qvac/tts-ggml@latest` for that trigger.

The four `actions/missing-workflow-permissions` findings on the
benchmark stubs are addressed by the previous commit (ef8d4e2).

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Proletter pushed a commit that referenced this pull request May 24, 2026
@olyasir
feat: add @qvac/diagnostics package with BaseInference integration an…
4c1a3c2 
…d CI (#796)

- New @qvac/diagnostics package (v0.1.0) with DiagnosticReport schema,
  addon registration, environment/hardware collection, report generation
- Wire BaseInference for optional diagnostics addon registration
- Add CI/CD publishing workflow for diagnostics package
- 13 unit tests, 44 assertions
Proletter pushed a commit that referenced this pull request May 24, 2026
@GustavoA1604 @cursoragent
Add tts-ggml workflows (#1946)
bc8b2ae 
* Add tts-ggml workflows

* Add explicit file-level permissions to tts-ggml workflows

Addresses GitHub Advanced Security findings on PR #1946 flagging the
4 benchmark stubs and the two integration workflows for the CodeQL
actions/missing-workflow-permissions rule: every workflow file should
declare a least-privilege `permissions:` block at the top so that any
job added later inherits read-only by default instead of the implicit
read/write GITHUB_TOKEN.

- benchmark-{chatterbox,performance,rtf,supertonic}-tts-ggml.yml: add
  top-level `permissions: contents: read` plus a job-level mirror on the
  noop body (which only writes to stdout).
- integration-test-tts-ggml.yml: add top-level
  `permissions: contents: read; packages: read` matching the existing
  job-level scope on `run-integration-tests`.
- integration-mobile-test-tts-ggml.yml: add top-level
  `permissions: contents: read`; the existing `build-and-test` job
  continues to widen this to packages:read + pull-requests:write +
  id-token:write for the prebuild artifact pull and Device Farm hooks.

The other six tts-ggml workflows (cpp-test-coverage, create-github-release,
on-merge, on-pr, on-pr-close, prebuilds) already had top-level
permissions declared and are untouched.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Pin mobile prebuild downloads to current run-id (CodeQL artifact poisoning)

Addresses CodeQL alert #796 (`actions/artifact-poisoning`) on PR #1946
flagged on the two `Download {Android,iOS} prebuilds (from artifacts)`
steps in integration-mobile-test-tts-ggml.yml.

The rule fires because the workflow has a `workflow_dispatch` entry
point and downloads an artifact via `actions/download-artifact@v8`
without an explicit `run-id`.  Without that input, CodeQL has to
assume the artifact could come from any prior run on the branch
(including one uploaded by a fork PR's prebuild step) — which is the
poisoning surface we are explicitly NOT exposing.

Setting `run-id: ${{ github.run_id }}` (the action's existing default)
plus `github-token: ${{ secrets.GITHUB_TOKEN }}` makes the trust
boundary explicit at the call site so the analyzer can see the
artifact is current-run only.  No behavioural change: in `workflow_call`
from on-pr-tts-ggml the parent workflow already produced the artifact
in the same run, and `workflow_dispatch` falls into the
`!inputs.package_spec` -> npm-pack branch since `package_spec`
defaults to `@qvac/tts-ggml@latest` for that trigger.

The four `actions/missing-workflow-permissions` findings on the
benchmark stubs are addressed by the previous commit (ef8d4e2).

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mialso mialso mialso approved these changes

@DmitryMalishev DmitryMalishev DmitryMalishev approved these changes

@GustavoA1604 GustavoA1604 GustavoA1604 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@olyasir @mialso @DmitryMalishev @GustavoA1604