Skip to content

fix: harden validate CLI + scrub registry path leaks#3

Merged
zenprocess merged 1 commit into
mainfrom
ci-harden-validate
Apr 8, 2026
Merged

fix: harden validate CLI + scrub registry path leaks#3
zenprocess merged 1 commit into
mainfrom
ci-harden-validate

Conversation

@zenprocess

@zenprocess zenprocess commented Apr 8, 2026

Copy link
Copy Markdown
Owner

Summary

Follow-up to #2 after a leak/CI audit. Three things:

1. Hardened `validate` CLI

  • Accepts files OR directories (recursed for `.yaml`/`.yml`)
  • Accepts multiple paths in one invocation
  • `exists=True`/`file_okay`/`dir_okay` on the typer Argument — typos fail before the function body runs
  • Always loud about results: prints "N/M valid" summary
  • Exit codes: `0` all valid, `1` validation failure, `2` no .yaml/.yml found in given paths
  • This kills the silent-literal-glob failure mode that hid the original CI breakage on `main`

2. validate-registry CI step collapses to one invocation

```yaml

  • name: Validate all registry configs
    run: python -m servingcard validate registry/
    ```
    No more bash glob fragility.

3. Registry path leak scrub

4 YAMLs were publishing absolute `/home//models/...` paths in `serving.engine_args.model`. Replaced with `${MODEL_DIR}/...` convention:

  • registry/deepseek-coder-v2-lite/gb10-fp8-baseline.yaml
  • registry/devstral-small-24b/gb10-baseline.yaml
  • registry/qwen3-coder/gb10-fp8-baseline.yaml
  • registry/qwen3-coder/gb10-fp8-eagle3-spec3.yaml

All 6 registry cards still validate.

Test plan

  • `pytest tests/test_validate.py` — 16/16 (4 new regression tests)
  • `ruff check servingcard/ tests/` — clean
  • `python -m servingcard validate registry/` — 6/6 valid
  • CI test (3.10/3.11/3.12) green
  • CI validate-registry green

fix(validate): harden CLI + scrub registry leaks
3501ba6 
Two related fixes after the audit on PR #2:

1. validate CLI accepts files, multiple paths, and directories (recursed
   for *.yaml/*.yml). exists=True/file_okay/dir_okay on the typer Argument
   so a typo or missing path fails before reaching the function body.
   Always loud about what was found ("N/M valid"); exits 2 if no .yaml
   files matched (distinct from validation failure exit 1) so the CI
   can't ever silently iterate a literal glob again.

2. .github/workflows/ci.yml validate-registry collapses to one
   invocation: 'python -m servingcard validate registry/'. No more
   bash-glob fragility.

3. Registry leak scrub: 4 YAMLs published absolute /home/<user>/models/
   paths in serving.engine_args.model. Replaced with \${MODEL_DIR}/...
   convention. All 6 registry cards still validate.

4. Tests: 4 new regression tests covering missing path, directory recurse,
   empty directory (exit 2), and multi-path. 16/16 passing.
@codecov-commenter

codecov-commenter commented Apr 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 80.00000% with 4 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
packages/python/servingcard/cli.py 80.00% 4 Missing ⚠️

📢 Thoughts on this report? Let us know!

@zenprocess zenprocess merged commit 8972f6e into main Apr 8, 2026
4 checks passed
@zenprocess zenprocess deleted the ci-harden-validate branch April 8, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zenprocess @codecov-commenter