Skip to content

fix(intelligence): discover nested workspace dependencies#129

Merged
SHAURYAKSHARMA24 merged 2 commits into
Second-Origin:devfrom
parthrohit22:fix/124-nested-workspace-manifests
Jul 18, 2026
Merged

fix(intelligence): discover nested workspace dependencies#129
SHAURYAKSHARMA24 merged 2 commits into
Second-Origin:devfrom
parthrohit22:fix/124-nested-workspace-manifests

Conversation

@parthrohit22

@parthrohit22 parthrohit22 commented Jul 18, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes dependency inventories for monorepos whose supported manifests live below the repository root. The dependency graph now discovers parser-approved nested manifests, retains every direct-declaration provenance record, bounds each manifest read to the source-size budget, and reports malformed or oversized manifests as explicit diagnostics instead of a false successful zero.

Linked issue

Closes #124

What changed

  • Extended the canonical DependencyManifestExtractor (producer dependency-manifest@1.2.0) to retain each declaration’s ecosystem, declared version/specifier, dependency section/type, normalized manifest/workspace path, and exact line span.
  • Changed RepositoryIntelligenceEngine to derive supported manifest candidates from RepositoryParser’s accepted file inventory, in deterministic path order, then size-check and process each candidate independently with a bounded read and the canonical extractor.
  • Oversized manifests now produce RI-LIMIT-SKIP with the configured and reported byte counts; candidate source bytes are never accumulated across the inventory.
  • Preserved URL fragments in requirements.txt direct-reference specifiers while continuing to recognize whitespace-delimited comments.
  • Aggregated logical dependencies deterministically while retaining all declarations; conflicting versions or types are represented truthfully through declaration records rather than silently choosing one.
  • Kept DependencyGraphBuilder as a Repository Intelligence consumer. Dependency graph relations target the aggregated nodes and retain every declaring manifest as evidence.
  • Exposed manifest count, declaration provenance, and safe extraction diagnostics through backend schemas/OpenAPI and frontend API types. No frontend fallback data was added.
  • Modeled dependency-version conflicts in AI context and renders them as explicit conflicting declarations rather than None.
  • Extended accepted parser exclusions for caches, vendor, and generated directories.
  • Updated current-behaviour documentation and regression coverage for nested npm/PyPI manifests, ignored paths, malformed JSON/TOML, oversized manifests, direct-reference fragments, deterministic aggregation, AI conflict rendering, route-level output, and OpenAPI.

Acceptance criteria completed

  • Supported root and nested package.json, pyproject.toml, and requirements.txt files are discovered from accepted workspace paths; ignored/vendor directories remain excluded.
  • npm and PyPI declarations retain exact normalized manifest/workspace paths, declaration spans, extractor identity/version, ecosystem, version/specifier, and dependency type.
  • Manifest reads are individually bounded by the existing source-size budget; oversized candidates emit RI-LIMIT-SKIP.
  • Requirements direct-reference URL fragments are preserved as declared specifiers.
  • Multiple manifests aggregate deterministically without dropping declarations; conflicting versions are retained as distinct declarations and the aggregate version is null rather than arbitrary.
  • PARTHA-like nested npm and Python fixtures return non-zero dependencies with correct graph targets/evidence.
  • Nested malformed JSON and TOML emit safe RI-SRC-MALFORMED diagnostics without erasing valid declarations; empty valid manifests remain distinct.
  • Dependency conflicts render truthfully in AI context without a None version value.
  • The dependency route and OpenAPI surface provenance/diagnostics, while vulnerability and outdated-version assessments remain explicit not_computed.
  • No new manifest parser, consumer filesystem read, lockfile support, transitive resolution, vulnerability scanning, outdated-version scanning, or fabricated frontend data was introduced.

Testing performed

npm run test:backend                         # passed: 513 tests, 3 skipped
npm run lint:frontend                        # passed
npm --prefix apps/frontend run test          # passed: 40 tests
npm run build:frontend                       # passed
git diff --check                             # passed

Screenshots

Not applicable — no visible UI change.

Security and data considerations

  • Manifest candidates come only from the parser-approved repository inventory, which excludes dependency/install directories, build output, virtual environments, caches, vendor paths, and generated paths.
  • Paths are normalized by the existing canonical rules before extraction.
  • Per-manifest size checks and bounded reads prevent the dependency inventory from retaining unbounded source content.
  • Malformed/unreadable inputs yield safe structured diagnostics containing no raw manifest contents, credentials, absolute host paths, or exception dumps.
  • The dependency route remains authenticated and owner-scoped through AnalysisService; no migrations or secret-bearing data are introduced.

Dependencies and blocked work

Scope changes or remaining work

None. Lockfiles, transitive resolution, vulnerability scanning, and outdated-version scanning remain intentionally unsupported.

Contributor checklist

  • This PR targets dev
  • I claimed the issue and had it assigned or acknowledged before starting substantial work
  • The branch was created from an up-to-date upstream/dev
  • The branch is rebased on the latest upstream/dev
  • This PR addresses one clearly scoped issue
  • Every acceptance criterion I claim as complete is actually complete
  • Relevant tests pass
  • Documentation is updated for any user-visible change
  • No secrets, credentials, local env files, or generated artifacts are included
  • No unrelated files were changed
  • Closing syntax (Closes) is used only because the issue is fully resolved
  • Dependencies and follow-up work are linked

@parthrohit22 parthrohit22 self-assigned this Jul 18, 2026

@SHAURYAKSHARMA24 SHAURYAKSHARMA24 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes before approval. I found three issues that the current tests do not cover:
Manifest size limits are applied after unbounded reads. Every candidate manifest is fully loaded and retained before ExtractionPipeline applies its 512 KiB limit. Large or numerous manifests could exhaust worker memory. Please use bounded reads or pre-check sizes, emit RI-LIMIT-SKIP, and preferably process manifests individually.

Requirements URL fragments are discarded. Splitting each line at the first # truncates valid direct references such as pkg @ https://host/archive.whl#sha256=.... This loses part of the declared specifier and can cause distinct references to aggregate as identical. Please preserve URL fragments and add regression coverage.

Conflicting versions render as None in AI prompts. A nullable aggregate version is appropriate for the dependency API, but RepositoryContextBuilder passes it into DependencyContext.version: str, and PromptBuilder renders it directly—for example, requests None. Please model and render the conflict explicitly, with a regression test.

CI is green, but these cases should be addressed before merging.

@parthrohit22
parthrohit22 force-pushed the fix/124-nested-workspace-manifests branch from ab6a190 to a595dc6 Compare July 18, 2026 19:49
@parthrohit22

Copy link
Copy Markdown
Collaborator Author

Addressed the three requested changes in a595dc6 and re-requested review from @SHAURYAKSHARMA24.

  • Manifest inventory now size-checks each parser-approved candidate and reads it individually with a 512 KiB bound. Oversized manifests return RI-LIMIT-SKIP without accumulating source bytes.
  • requirements.txt preserves URL fragments in direct references (including #sha256=...) while still handling whitespace-delimited comments.
  • AI dependency context now carries declared-version conflicts and renders them explicitly instead of producing None in prompts.

Added regression coverage for all three cases.

Validation:

  • npm run test:backend — 513 passed, 3 skipped
  • npm run lint:frontend — passed
  • npm --prefix apps/frontend run test — 40 passed
  • npm run build:frontend — passed
  • git diff --check — passed

@SHAURYAKSHARMA24
SHAURYAKSHARMA24 merged commit 5433646 into Second-Origin:dev Jul 18, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: discover dependencies from nested workspace manifests instead of returning zero

2 participants