Install gate output polish: honest tokenless warning, progress line, collapsed outage noise#106
…d outage noise
- Tokenless note becomes a warning that states the consequence: known-vulnerable packages will NOT be blocked (recency-only).
- verdict_pool prints 'checking N packages against Corgea vuln-api…' to stderr when more than 8 jobs run, so big tree passes don't look hung.
- print_text collapses >3 unverifiable findings sharing an error-prefix (the vuln-api outage case) into one line; counts and exit codes unchanged.
| // One line per collapsed outage group instead of one per package. | ||
| for (_, count, first_error) in &collapsed { | ||
| println!( | ||
| " ⚠ {count} packages could not be verified (vuln-api unreachable: {first_error})" |
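Review bot: the format string fixes the label "vuln-api unreachable" for every collapsed group, and the for pattern discards the grouping key as "_", so the only evidence of what the group actually shares is the first_error text appended after a label that already asserts an outage. Since the collapse suppresses the per-package lines, a group of token or permission errors is headlined as unreachable. Either print the group key in place of the fixed label, or use a neutral label that carries the full first error, for example "same verification error: {first_error}", so the remediation text in that error stays visible.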
This collapsed line is too broad for production. Evidence: the collapse key comes from error_prefix(), which strips everything after the first (, while check_package_version() emits actionable parenthesized errors for authz/authn such as vuln-api rejected the Corgea token (run corgea login to refresh) and vuln-api access denied (check your Corgea plan/permissions), plus per-status 5xx errors like vuln-api unavailable (HTTP 503). Once more than three packages hit one of those paths, the per-package lines are suppressed and this always renders them as vuln-api unreachable: .... Impact: a multi-package install with an expired token or missing permissions is now reported as an outage, which sends users to debug the wrong failure mode and hides the most actionable remediation in the headline collapsed message. Concrete fix: do not hard-code vuln-api unreachable; either group/render by the full actionable error, or preserve the error class/status in the grouping and print a neutral message such as same verification error: {first_error}. Add an e2e case for four 401/403 responses so this cannot regress.
Unit 4 of the install-vuln-gate dogfood-friction batch. Output-only changes — should_block_install semantics, counts, exit codes, and the JSON report are untouched.

Changes (src/precheck/mod.rs)
- warning: no Corgea token — known-vulnerable packages will NOT be blocked (recency-only). Run 'corgea login' for the full gate.
- verdict_pool prints "checking N packages against Corgea vuln-api…" to stderr when more than 8 jobs run, so a big tree pass doesn't look hung.
- print_text, when >3 unverifiable findings share the same error-prefix (text before the first "(", which strips per-package URLs/status codes), they render as one line: "⚠ N packages could not be verified (vuln-api unreachable: <first error>)". Named and transitive findings collapse together; ≤3 stay per-line.

Tests
- tests/cli_verdict.rs: strengthened the tokenless test (asserts the consequence wording), added progress_line_prints_only_above_eight_verdict_jobs (9 jobs → line, 2 jobs → quiet) and outage_noise_collapses_above_three_unverifiable (4 findings → one collapsed line + unchanged counts/exit 1; 3 findings → per-line). The pypi registry stub now serves any single-segment /pypi/<name>/json (always 1.0.0, published 2020).
- error_prefix and collapsed_unverifiable_groups (threshold boundary, transitive+named grouping).
- ./harness check green (fmt, clippy -D warnings, 256 tests, deps-skill drift).

Live staging smoke
- cve-worker-staging.corgea.workers.dev: warning prints tokenless. Note: the recipe's unset CORGEA_TOKEN is not enough on a logged-in dev box — config.get_token() falls back to the stored login token, so the smoke needs an isolated HOME.
- CORGEA_VULN_API_URL=https://invalid.invalid.test corgea npm install express: "checking 66 packages against Corgea vuln-api…", exactly one "⚠ 66 packages could not be verified (vuln-api unreachable: …)" line, zero per-package noise, still blocks fail-closed (exit 1).
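The collapse step described in the print_text bullet above, and the mislabelling the review comment points out, reconstructed as an added example that is not the project's code: error_prefix, collapsed_groups, the two render functions and the sample findings are hypothetical stand-ins written for this illustration, and the four identical token-rejection errors are a constructed sample.

```rust
// Added example, not the project's code: a hypothetical reconstruction of the
// prefix grouping and the collapsed render step discussed in the review.
use std::collections::BTreeMap;
/// Findings sharing an error prefix collapse only above this many.
const COLLAPSE_ABOVE: usize = 3;
/// An unverifiable finding: package name plus its verification error.
pub struct Unverifiable { pub package: String, pub error: String }
/// Grouping key as the page describes it: text before the first '('.
/// Per-package URLs/status codes are stripped, the error class is kept.
pub fn error_prefix(err: &str) -> String {
    err.split('(').next().unwrap_or("").trim().to_string()
}
/// (prefix, count, first_error) for every group above the threshold.
pub fn collapsed_groups(findings: &[Unverifiable]) -> Vec<(String, usize, String)> {
    let mut groups: BTreeMap<String, (usize, String)> = BTreeMap::new();
    for f in findings {
        let g = groups.entry(error_prefix(&f.error)).or_insert((0, f.error.clone()));
        g.0 += 1;
    }
    groups.into_iter()
        .filter(|(_, (count, _))| *count > COLLAPSE_ABOVE)
        .map(|(prefix, (count, first))| (prefix, count, first))
        .collect()
}

/// Render as in the hunk under review: every group is labelled an outage,
/// whatever error class `first_error` actually carries.
pub fn render_hardcoded(g: &(String, usize, String)) -> String {
    format!("⚠ {} packages could not be verified (vuln-api unreachable: {})", g.1, g.2)
}

/// Neutral render suggested by the reviewer: the full first error keeps the
/// class and its remediation in the headline.
pub fn render_neutral(g: &(String, usize, String)) -> String {
    format!("⚠ {} packages could not be verified (same verification error: {})", g.1, g.2)
}

/// Constructed sample: four packages rejected with an expired token (401/403).
pub fn sample_findings() -> Vec<Unverifiable> {
    ["a", "b", "c", "d"].iter().map(|p| Unverifiable {
        package: p.to_string(),
        error: "vuln-api rejected the Corgea token (run corgea login to refresh)".into(),
    }).collect()
}

fn main() {
    for g in collapsed_groups(&sample_findings()) {
        println!("{}", render_hardcoded(&g)); // reports a token problem as an outage
        println!("{}", render_neutral(&g));   // keeps 'run corgea login' visible
    }
}
```

With three findings instead of four the group stays under the threshold and nothing collapses, which is the boundary the PR's own unit tests are described as covering.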