From 81e4c2385a8bd8e7b29cd2725075a6128be0e8b8 Mon Sep 17 00:00:00 2001
From: Noah Gift
Date: Mon, 20 Apr 2026 15:28:12 +0200
Subject: [PATCH 1/2] ci(sovereign): cargo test --workspace --lib (PMAT-159) F11 falsifier blind-spot from PMAT-155 investigation (paiml/infra#70): cargo nextest run --lib at repo root only tests the root package, leaving workspace-member libs silent. Per-pilot impact (pre-fix): copia - 227 tests (valid, single-crate repo) bashrs - 5 tests (root only; specs/runtime/oracle/wasm silent) aprender - 0 tests (root lib.rs is a stub; all 60 workspace crates silent) Fix: primary invocation now cargo nextest run --workspace --lib TEST_ARGS. Coverage updated to match. The -p REPO_NAME fallback is retained for harness quirks. Callers that need to skip workspace members (e.g. aprender's GPU crates) pass test_args: --exclude X --exclude Y. Blast radius: every repo's ci / test and ci / coverage will start running workspace-member lib tests that were previously silent. May surface real bugs. Recommended canary: merge, watch copia (no workspace effect), bashrs (4 new members surface), aprender (requires test_args exclusions first). Refs paiml/infra#70, PMAT-155, PMAT-159.
---
 .github/workflows/sovereign-ci.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/sovereign-ci.yml b/.github/workflows/sovereign-ci.yml
index e398dca..c4c205c 100644
--- a/.github/workflows/sovereign-ci.yml
+++ b/.github/workflows/sovereign-ci.yml
@@ -196,16 +196,20 @@ jobs:
 # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
 # Phase 2 §4.3 — nextest drops ~35% off test-job wall-clock on large suites.
- # Fallback to cargo test if nextest fails for any reason (e.g. test harness quirks).
+ # PMAT-159 (2026-04-20): `--workspace --lib` so workspace-member lib tests are
+ # exercised, not just the root package. For repos with workspace members that
+ # don't build in the container (e.g. aprender-gpu/cuda-edge/compute), pass
+ # `test_args: "--exclude aprender-gpu --exclude aprender-cuda-edge ..."` from the
+ # caller to skip them here. Fallback to `cargo test` kept for harness quirks.
 if [ "$USE_NEXTEST" = "true" ]; then
- cargo nextest run --lib $TEST_ARGS 2>&1 || \
+ cargo nextest run --workspace --lib $TEST_ARGS 2>&1 || \
 cargo nextest run --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::warning::nextest failed — falling back to cargo test"; \
- cargo test --lib $TEST_ARGS 2>&1 || \
+ cargo test --workspace --lib $TEST_ARGS 2>&1 || \
 cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }; }
 else
- cargo test --lib $TEST_ARGS 2>&1 || \
+ cargo test --workspace --lib $TEST_ARGS 2>&1 || \
 cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }
 fi
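Review bot: The `||` chain still falls back from the `--workspace --lib` run to `--lib -p "$REPO_NAME"` on any non-zero exit, so a genuine test failure in a workspace member is retried as a root-only run and the job goes green if the root package passes. cargo exits non-zero for failed tests as well as for harness problems, so this reopens the blind spot the commit is closing. Either drop the `-p "$REPO_NAME"` leg after a workspace run, or announce the narrowing with `echo "::warning::workspace run failed — retrying root package only"` and still fail the step on that path. The coverage hunk at `-476` and the PATCH 2/2 hunks at `-192` and `-477` keep the same chain; in the coverage steps the fallback also omits `$TEST_ARGS` and writes root-only data to the same `lcov.info`.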
@@ -476,7 +480,9 @@ jobs:
 run: |
 # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
- cargo llvm-cov test --lib --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
+ # PMAT-159 (2026-04-20): `--workspace --lib` so coverage reflects all workspace
+ # members, not just the root package (otherwise aprender reports 0 tests covered).
+ cargo llvm-cov test --workspace --lib --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
 cargo llvm-cov test --lib --no-cfg-coverage --no-cfg-coverage-nightly -p "$REPO_NAME" --lcov --output-path lcov.info 2>&1 || \
 { echo "::error::Coverage failed — check workspace path dependencies"; exit 1; }
 - name: Record sccache stats
From a69dbb20d88c9fd4db1da202779e58a60a3e7647 Mon Sep 17 00:00:00 2001
From: Noah Gift
Date: Mon, 20 Apr 2026 16:13:43 +0200
Subject: [PATCH 2/2] ci(sovereign): gate --workspace --lib behind opt-in test_workspace input
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The initial PMAT-159 change force-switched every caller to `--workspace --lib`. That breaks any repo whose workspace members don't build in the sovereign-ci container (e.g. aprender-gpu needs cuBLAS, aprender-cuda-edge needs CUDA). Switch to an opt-in `test_workspace` input (default false → current behavior). Callers that want workspace-wide coverage pair it with `test_args` exclusions: with: test_workspace: true test_args: "--exclude aprender-gpu --exclude aprender-cuda-edge" Refs paiml/infra#33
---
 .github/workflows/sovereign-ci.yml | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/sovereign-ci.yml b/.github/workflows/sovereign-ci.yml
index c4c205c..0667845 100644
--- a/.github/workflows/sovereign-ci.yml
+++ b/.github/workflows/sovereign-ci.yml
@@ -62,6 +62,11 @@ on:
 required: false
 default: false
 type: boolean
+ test_workspace:
+ description: 'PMAT-159: test all workspace members with `--workspace --lib` (not just root). Opt-in because workspace members may not build in the sovereign-ci container (e.g. aprender-gpu needs cuBLAS). Pair with test_args exclusions as needed.'
+ required: false
+ default: false
+ type: boolean
 # HD-02: Least-privilege token — only escalate where needed
 permissions:
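Review bot: The `description` should say that `--exclude` in `test_args` only works when `test_workspace` is true, because cargo accepts `--exclude` only together with `--workspace`. A caller who copies the exclusions but leaves the default `false` would get an argument error from the plain `--lib` invocations instead of a narrower test run. Suggested sentence to append: `test_args exclusions (--exclude) require test_workspace: true.` With the default off, the root-only gap described in PATCH 1/2 also stays in place with no signal in the log; a `::notice::` from the test step when the input is false would make that visible to repo owners.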
@@ -192,24 +197,24 @@ jobs:
 RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'rustc-sccache' || '' }}
 SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
 USE_NEXTEST: ${{ inputs.use_nextest }}
+ TEST_SCOPE: ${{ inputs.test_workspace && '--workspace --lib' || '--lib' }}
 run: |
 # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
 # Phase 2 §4.3 — nextest drops ~35% off test-job wall-clock on large suites.
- # PMAT-159 (2026-04-20): `--workspace --lib` so workspace-member lib tests are
- # exercised, not just the root package. For repos with workspace members that
- # don't build in the container (e.g. aprender-gpu/cuda-edge/compute), pass
- # `test_args: "--exclude aprender-gpu --exclude aprender-cuda-edge ..."` from the
- # caller to skip them here. Fallback to `cargo test` kept for harness quirks.
+ # PMAT-159 (2026-04-20): `test_workspace: true` opts into `--workspace --lib` so
+ # workspace-member lib tests are exercised. Default stays `--lib` (root only) for
+ # back-compat: many repos have workspace members that don't build in the sovereign-ci
+ # container. Opt-in callers pair this with `test_args` exclusions as needed.
 if [ "$USE_NEXTEST" = "true" ]; then
- cargo nextest run --workspace --lib $TEST_ARGS 2>&1 || \
+ cargo nextest run $TEST_SCOPE $TEST_ARGS 2>&1 || \
 cargo nextest run --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::warning::nextest failed — falling back to cargo test"; \
- cargo test --workspace --lib $TEST_ARGS 2>&1 || \
+ cargo test $TEST_SCOPE $TEST_ARGS 2>&1 || \
 cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }; }
 else
- cargo test --workspace --lib $TEST_ARGS 2>&1 || \
+ cargo test $TEST_SCOPE $TEST_ARGS 2>&1 || \
 cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
 { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }
 fi
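Review bot: `$TEST_SCOPE` and `$TEST_ARGS` are expanded unquoted on every cargo line, which is needed to split `--workspace --lib` into two arguments but also applies pathname expansion to whatever the caller supplied in `test_args`. `TEST_SCOPE` reaches the script through `env:` rather than inline `${{ }}` interpolation, so this is a robustness point and not an injection one: a `*` or `?` in a test filter would be globbed against the checkout. Add `set -f` at the top of the `run:` block together with a comment such as `# TEST_SCOPE/TEST_ARGS are split into separate flags on purpose (SC2086)`. The `env:` entry for `TEST_ARGS` lies outside this hunk, so its origin is assumed from the commit message.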
@@ -477,12 +482,14 @@ jobs:
 REPO_NAME: ${{ inputs.repo }}
 RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'rustc-sccache' || '' }}
 SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
+ TEST_SCOPE: ${{ inputs.test_workspace && '--workspace --lib' || '--lib' }}
 run: |
 # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
- # PMAT-159 (2026-04-20): `--workspace --lib` so coverage reflects all workspace
- # members, not just the root package (otherwise aprender reports 0 tests covered).
- cargo llvm-cov test --workspace --lib --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
+ # PMAT-159 (2026-04-20): `test_workspace: true` opts into `--workspace --lib` so
+ # coverage reflects all workspace members. Default stays `--lib` (root only) — see
+ # test job comment for back-compat rationale.
+ cargo llvm-cov test $TEST_SCOPE --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
 cargo llvm-cov test --lib --no-cfg-coverage --no-cfg-coverage-nightly -p "$REPO_NAME" --lcov --output-path lcov.info 2>&1 || \
 { echo "::error::Coverage failed — check workspace path dependencies"; exit 1; }
 - name: Record sccache stats